Black Friday Sale! 40% OFF all books & plugins w/ code: FRIDAY22
Web Dev + WordPress + Security
22 posts related to: Encoding & Decoding PHP Code

How to Fix _blank Target Vulnerability

[ _blank Target Vulnerability ]

In this article, I am reposting part of my recent tutorial, WordPress and the Blank Target Vulnerability. That post is aimed at WordPress specifically, however most of the article applies to HTML in general. So the tutorial below explains how to fix all “blank target” links, regardless of whether or not WordPress is involved. Continue reading »

ALL Security is Security Thru Obscurity

[ Stormtroopers Keeping Things Secure. ]

obĀ·scure adjective 1. not discovered or known about; uncertain. In the purely literal sense, the concept of obscurity applies to every transaction on the Web. The HTTP request knows not, nor could possibly know, the actual response it will receive from the server. There is only expected response. Online nothing is certain until it is. Continue reading »

Automatic IP Blacklist

[ Automatic IP Blacklist ]

Recently a reader going by the name of Rock Star sent me a cool little PHP script that automatically updates your site’s .htaccess with a current list of bad IP addresses. This is useful because it gives you better “real time” protection against attacks and malicious requests. This tutorial shares the code and explains how to implement in two easy steps. Continue reading »

WordPress and the Blank Target Vulnerability

[ WP Visual/RTE Insert Link Dialog ]

For those who haven’t yet noticed, WordPress now adds rel="noopener" attributes for any external links added via the link Quicktag in the Visual/RTE. So if you enable the option, “Open link in a new tab”, WordPress automatically will add the rel noopener attribute to the link. This is to protect against CORS and other exploits that take advantage of blank-target links. It’s a smart move that may escape many in the WordPress community. So in an effort to help foster […] Continue reading »

Watch Cyber Attacks Online

[ Watch Cyber Attacks Online ]

Taking a quick break to watch cyber attacks happening in real time. Continue reading »

Examples of Nested Encoding

Typically malicious scans use some sort of encoding to obscure their payloads. For example, instead of injecting a literal script, the attacker will run it through a PHP encoding function such as base64_encode(), utf8_encode(), or urlencode(). So if and when you need to decode some discovered payload, you can use whichever decoding function will do the job. For example, base64_decode(), utf8_decode(), or urldecode(). Sounds straightforward, but let’s dig a little deeper.. Continue reading »

Protection for WordPress Pingback Vulnerability

It was recently reported about a WordPress Pingback Vulnerability, whereby an attacker has four potential ways to cause harm via xmlrpc.php, which is the file included in WordPress for XML-RPC Support (e.g., “pingbacks”). In this post, I offer a simple .htaccess technique to lock things down and protect against any meddling via the xmlrpc.php file. Continue reading »

Tale of a Hacked Website

[ Prise de la Bastille, by Jean-Pierre-Louis-Laurent Houel (Detail) ]

I love a good story. Almost as much as I enjoy securing websites. Put them together and you’ve got suspense, intrigue, and plenty of encoded gibberish. But no happy ending this time, in this case the smartest decision was to “pull it” and rebuild. The site was just wasted — completely riddled with malicious code. Without current backup data, it would’ve been “game over” for the site, and possibly the business. Continue reading »

Stream Video Player / swfobject Hack

[ Screenshot: malicious iframe injected into web page ]

During the recent redesign, I discovered that my newer WP installation (v3.3.1) had been hacked. I get this email first thing in the morning: Continue reading »

Best Method for Email Obfuscation?

Awhile ago, Silvan Mühlemann conducted a 1.5 year experiment whereby different approaches to email obfuscation were tested for effectiveness. Nine different methods were implemented, with each test account receiving anywhere from 1800 to zero spam emails. Here is an excerpt from the article: When displaying an e-mail address on a website you obviously want to obfuscate it to avoid it getting harvested by spammers. But which obfuscation method is the best one? I drove a test to find out. After […] Continue reading »

Eight Ways to Block and Redirect with Apache’s mod_rewrite

[ #1 ]

With the imminent release of the next series of (4G) blacklist articles here at Perishable Press, now is the perfect time to examine eight of the most commonly employed blacklisting methods achieved with Apache’s incredible rewrite module, mod_rewrite. In addition to facilitating site security, the techniques presented in this article will improve your understanding of the different rewrite methods available with Apache mod_rewrite. Note: I changed the title of this post from “Eight Ways to Blacklist..” to “Eight Ways to […] Continue reading »

IE6 Support Spectrum

IE6 Support Spectrum

I know, I know, not another post about IE6! I actually typed this up a couple of weeks ago while immersed in my site redesign project. I had recently decided that I would no longer support that terrible browser, and this tangential post just kind of “fell out.” I wasn’t sure whether or not to post it, but I recently decided to purge my draft stash by posting everything for your reading pleasure. Thus, you may see a few turds […] Continue reading »

Content Negotiation for XHTML Documents via PHP and htaccess

[ Content Negotiation ]

In this article, I discuss the different MIME types available for XHTML and explain a method for serving your documents with the optimal MIME type, depending on the capacity of the user agent. Using either htaccess or PHP for content negotiation, we can serve complete, standards-compliant markup for our document’s header information. This is especially helpful when dealing with Internet Explorer while serving a DOCTYPE of XHTML 1.1 along with the recommended XML declaration. According to the RFC standards1 produced […] Continue reading »

Hacking WordPress: The Ultimate Nofollow Blacklist

[ Image: Death-metal rocker drunk with power ]

Several days ago, I posted an article explaining how to hack your own WordPress nofollow blacklist. Immediately thereafter, I published an elaborate article focusing on automatic methods of nofollow blacklisting via WordPress plugins. In this article, I expand on the original blacklist hack by incorporating functional differentiation between commentator links, trackbacks, and pingbacks. If anything, think of this as an exercise in hacking WordPress, rewarding in and of itself, if not otherwise entirely impractical. Of course, whenever possible, you should […] Continue reading »

Hacking WordPress: Dofollow Whitelist for Commentator Links

[ Image: Inverted Eye Detail ]

Before repenting of my filthy “nofollow” addiction, I experimented briefly with a “dofollow whitelist” for commentator URL links. The idea behind the whitelist is to reward frequent commentators, feed subscribers, site patrons, and other guests by selectively removing the automatically generated nofollow attributes from their associated comment-author links. For nofollow enthusiasts, a dofollow whitelist is a great way to show appreciation for people who support your blogging efforts. Now, before we go hacking away at WordPress, keep in mind that […] Continue reading »

Hacking WordPress: Nofollow Blacklist for Commentator Links

[ Image: Extreme close-up of an eye (send email  to purchase a full-size version) ]

Previously, in our unofficial “WordPress dofollow upgrade” series, we dished several techniques for removing the antisocial nofollow attributes from default installations of WordPress. After an exhaustive review of available dofollow plugins, we explained how drop-dead easy it is to transform any WordPress blog into a well-standing member of the dofollow community without relying on a plugin to do the job. Our next article detailed a nofollow removal hack that selectively targets pingbacks, trackbacks, and commentator links. Then, we went off […] Continue reading »

Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
WP Themes In Depth: Build and sell awesome WordPress themes.
Thoughts
Upgraded iMac to Ventura. Disabled "unsend mail" feature and found some (now) hidden wallpaper settings. Overall smooth upgrade.
( $this ) is bloat. ($this) is better.
The Legend of Zelda: Tears of the Kingdom coming May 12, 2023. Absolutely pumped.
Favorite thing for breakfast is a tall glass of cold water. Hits the spot every time.
Fall is my favorite season :)
Still a few days left before “Unlimited” pro licenses are no longer available.
Getting back into it after a nice mini vacation. Time to ramp up and get busy.
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.