Protect your site with the fastest firewall plugin for WordPress: BBQ Pro »

Stop User Enumeration in WordPress

This tutorial explains how to block user-enumeration scans in WordPress. As explained in greater depth here, user enumeration happens when some malicious script scans a WordPress site for user data by requesting numerical user IDs. For example, requests for ?author=1 through some number, say, ?author=1000, may reveal the usernames for all associated users. With a simple enumeration script, an attacker can scan your site and obtain a list of login names in a matter of seconds. Read more »

WordPress Performance Issue Revisited

Following up on my recent performance report with essentially some conclusive results. Turns out that the reported issue is related more directly to the version of PHP than to the version of WordPress. So in other words, WordPress runs a bit faster on newer versions of PHP. As explained previously, after I upgraded my sites to WordPress 4.4, Googlebot reported slightly longer load times for my pages. The slower loading average was seen across numerous sites, and it looked like the WordPress 4.4 update was to blame. Read more »

WordPress Performance Issue?

Just wanted to share a mysterious trend reported for my sites by Google Webmaster Tools, and ask if anyone else is seeing the same pattern. It looks like it’s related to the WordPress 4.4 update, but I’m not 100% sure, so putting the data out there in hopes that others can help shed some light on the issue.. Read more »

Protect Against WordPress Brute Force Amplification Attack

It seems the WordPress xmlrpc.php file is the target of another type of attack. Before, it was the XML-RPC Pingback Vulnerability. Now, it is the Brute Force Amplification Attack. This post explains what you need to know and then cuts to the chase with several ways to protect your site against this new malicious exploit, as well as all other related threats. Read more »

WordPress Enable PHP Strict Error Reporting

When developing WordPress themes and plugins, I like to enable PHP’s strict error reporting. That way all errors and notices can be recognized and dealt with accordingly. Plus, enabling PHP strict error reporting is pretty easy to do using a simple must-use plugin. Here’s how to do it.. Read more »

Encoding & Decoding PHP Code

There are many ways to encode and decode PHP code. From the perspective of site security, there are three PHP functions — str_rot13(), base64_encode(), and gzinflate — that are frequently used to obfuscate malicious strings of PHP code. For those involved in the securing of websites, understanding how these functions are used to encode and decode encrypted chunks of PHP data is critical to accurate monitoring and expedient attack recovery. Read more »

Roll Your Own “What’s My IP Address?” Page

My current ISP likes to keeps things spicy by changing my IP address every few months or so. There are a million ways to get this changing IP information, but as an obsessive web developer, I like to roll my own whenever possible. That means using my own resources instead of spending time and energy elsewhere. So the goal for this project is to create a web page that does one thing very well: display the visitor’s current IP information. In this tutorial, we use PHP, HTML, CSS, and JavaScript to roll our own sleek & stylish “What’s my IP” […] Read more »

Huge Collection of Code Snippets: HTAccess, PHP, WordPress, jQuery, HTML, CSS

Please excuse this self-serving, miscellaneous post, but I’ve just got to purge all of these code snippets and scraps collected over the years. Whenever I update this site, I place any removed/unused code snippets into a giant note file for future reference, just in case. There’s all sorts of different types of code and snippets that just keep growing and growing and.. and finally it gets to a point where I just need to dump everything and start fresh. That is the purpose of this post. Read more »

Block Tough Proxies

If you want to block tough proxies like hidemyass.com, my previously posted .htaccess methods won’t work. Those methods will block quite a bit of proxy visits to your site, but won’t work on the stealthier proxies. Fortunately, we can use a bit of PHP to keep them out. Read more »

Ajax-Powered Error Logs

Update: Check out the new and improved Ajax Error Log Version 2.0! As an obsessive website administrator, I like to keep a keen eye on my error logs. Once a week, I download my PHP, 404, and other error logs, and analyze them as closely as time allows. Monitoring site errors and other traffic patterns leads to many of the security-related articles I post here at Perishable Press, including resources such as the 5G Blacklist, Ultimate HTAccess Blacklist, and the Blacklist Candidate Series. Easily, one of the best ways to protect your site is to understand the different types of […] Read more »

Upload Large Files or Die Trying

I recently spent some time wrestling with various e-commerce/shopping-cart/membership plugins. One of them was of course the popular WP e-Commerce plugin, which uses a directory named “downloadables” to store your precious goods. I had some large files that needed to go into this folder, but the server’s upload limit stopped me from using the plugin’s built-in file uploader to do so. Read more »

Ajax RSS Feeds with More Sidebar

After implementing Chris Coyier’s More Sidebar technique here at Perishable Press, I needed a good source of “filler” content for the “more” blocks. After experimenting with multiple loops and template tags, the idea of sliding in RSS feeds seemed like a better solution. Replacing some empty space with great content is a win-win for everyone. For example, I display a few of my recent tweets in the sidebar to help fill a lil’ space. It’s a great way to share stuff, and it’s pretty easy to do. Read more »

PHP Tip: Encode & Decode Data URLs

Converting small images to data-URLs is a great way to eliminate HTTP requests and decrease loading time for your pages. Using PHP‘s base64_encode() and base64_decode() functions, we have the power to convert images to data-URLs and vice-versa. Read more »

Display Latest Tweet with Show/Hide Cookies

Update (2013/08/03): This simple technique no longer works thanks to the 2013 Twitter API, which makes it much more complicated to grab your latest tweet. For WordPress, check out the Latest Tweets Widget. My previous theme displays my latest tweet at the top of every page. It turned out to be an excellent technique for getting more followers – visitors see the tweet, click the link, and possibly follow me on Twitter. There is even a cookie-powered “Hide” link for uninterested visitors to hide the tweet for awhile. I received quite a few requests for a tutorial on the technique, […] Read more »

HTTP Headers for ZIP File Downloads

You know when you you’re working on a project and get stuck on something, so you scour the Web for solutions only to find that everyone else seems to be experiencing the exact same thing. Then, after many hours trying everything possible, you finally stumble onto something that seems to work. This time, the project was setting up a secure downloads area for Digging into WordPress. And when I finally discovered a solution, I told myself that it was definitely something I had to share here at Perishable Press. Apparently, there is much to be desired when it comes to […] Read more »

Latest Tweets In the studio at Lynda recording my video series on developing secure WordPress sites :)