Friday, April 19, 2013

How to Protect Your WordPress From Attack


An ongoing brute-force attack on WordPress-based websites has compromised more than 90,000 blogs, but there are simple ways to make sure your blog won't be next to fall.
Brute-force attacks, as the name suggests, are among the least sophisticated attacks around: rather than exploiting any flaw in the software, the attacker rapidly cycles through lists of common usernames and passwords (or, when hunting for files, common directory names) and gets in through sheer volume of guesses.
Given how many websites and blogs have fallen victim to the WordPress attack, the Menifee, Calif., security firm Sucuri wanted to find just how many brute-force attacks against the WordPress platform occurred on a daily basis, and how effective they were.
The bad news is that such attacks hit WordPress blogs tens of thousands of times per day; the good news is that they are straightforward to defend against.
Sucuri examined the data logs from its own WordPress blog and discovered that between December 2012 and April 2013, hackers had launched almost 5 million brute-force attacks. Until they investigated, Sucuri's security experts had not even noticed these attempted intrusions.
The attempted hacks used very predictable patterns. To log into protected accounts, the hackers tried five usernames in overwhelming numbers: "admin," "test," "administrator," "Admin" and "root."
Tens of thousands of password attempts involved commonly used passwords like "admin," "qwerty," "123456" and "password."
The experts also investigated where the attacks came from, and discovered 30 IP addresses that stood out above the rest.
If you run a website that's been bombarded with login attempts, check Sucuri's list of those addresses against your own logs. Bringing attention to common attack origins is the first step toward getting them taken down, but bear in mind that the attacking addresses are largely compromised blogs themselves, so an IP blocklist goes stale quickly and complements strong credentials rather than replacing them.
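Sucuri did its analysis over its own access logs. As an added example (this is not Sucuri's tooling and not part of the original article), the following Python script performs the same triage over a handful of constructed access-log lines: it counts failed POSTs to wp-login.php per source IP, flags the addresses above a threshold, separately flags the more dangerous case of a login that succeeded right after a run of failures, and renders an Apache 2.2-style deny block for the offenders. The log format, the threshold and the IP addresses (taken from the RFC 5737 documentation ranges) are assumptions for the example; the one fact it leans on is that WordPress answers a failed login with HTTP 200 (the form re-rendered with an error message) and a successful one with a 302 redirect to the dashboard.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format. These are NOT
# Sucuri's data; the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2013:03:20:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2013:03:20:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2013:03:20:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2013:03:20:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2013:03:20:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2013:08:02:40 +0000] "GET /2013/04/some-post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2013:08:03:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2013:08:03:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

LOGIN_PATH = "/wp-login.php"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop ?action=... query strings
    return rec


def login_events(log_text):
    """Yield (ip, succeeded) for every POST to wp-login.php.

    WordPress re-renders the login form with HTTP 200 on a failed attempt and
    answers a successful one with a 302 redirect, so the status code separates
    the two cases without the POST body (which the access log never contains).
    """
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            yield rec["ip"], rec["status"] in (301, 302, 303)


def failed_logins_per_ip(log_text):
    """Count failed wp-login.php POSTs per source IP."""
    return Counter(ip for ip, ok in login_events(log_text) if not ok)


def flag_brute_forcers(log_text, threshold=5):
    """IPs with at least `threshold` failed logins, most aggressive first."""
    counts = failed_logins_per_ip(log_text)
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


def suspicious_successes(log_text, min_failures=3):
    """IPs whose login succeeded after at least `min_failures` failures.

    This is the case that matters most: a guess that worked. A blocklist built
    from failure counts alone misses an attacker who stops as soon as they get in.
    """
    failures = Counter()
    hits = []
    for ip, ok in login_events(log_text):
        if not ok:
            failures[ip] += 1
        elif failures[ip] >= min_failures and ip not in hits:
            hits.append(ip)
    return hits


def htaccess_deny(ips):
    """Render an Apache 2.2-style .htaccess block denying wp-login.php to `ips`."""
    lines = ["<Files wp-login.php>", "Order Allow,Deny", "Allow from all"]
    lines += ["Deny from %s" % ip for ip in ips]
    lines.append("</Files>")
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = flag_brute_forcers(SAMPLE_LOG)
    print("brute-force sources:", flagged)
    print("logins that succeeded after repeated failures:", suspicious_successes(SAMPLE_LOG))
    print(htaccess_deny([ip for ip, _ in flagged]))
```

On the constructed input, 203.0.113.7 is flagged for six straight failures, while 192.0.2.44 never reaches the blocking threshold yet shows up in `suspicious_successes` because its fifth attempt redirected: that account's password should be treated as guessed and rotated, not merely blocked. The legitimate administrator at 198.51.100.23 (one GET of the form, one successful POST) trips neither check.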
The 90,000 WordPress blogs that got hacked and roped into the attacking botnet generally had easy-to-guess usernames or passwords, and their takeovers most likely could have been prevented simply by choosing less predictable credentials.
If you use common usernames or passwords for your WordPress login (or for anything else you store on the Web), changing them to something uncommon will defeat the vast majority of brute-force attacks, and a long, random password takes password guessing off the table entirely. Be clear about what that does and does not buy you: strong credentials stop guessing, but they do nothing against a vulnerable plugin or theme, and they do not stop the flood of attempts from consuming server resources, so limiting or locking out repeated login failures is still worth adding.
One interesting bit of data that Sucuri gathered involved "common" passwords that didn't appear to be common at all. The attackers made thousands of brute-force attempts with passwords such as "#@F#GBH$R^JNEBSRVWRVW" and "RGA%BT%HBSERGAEEAHAEH." These strings of letters and symbols do not appear to have any kind of pattern, yet are too consistent and repetitive to be truly random.
Both the Sucuri experts and the commenters on its blog posting were stumped, and feared that brute-force hackers might know something they don't.
Our own efforts to discover the root of these supposedly common passwords came up dry. After breaking down the character strings into a binary code of 1s and 0s, we tried to translate them into other character formats, hoping that the passwords might mean something in non-Latin alphabets. Nothing recognizable came up.
Although brute-force attacks are as pervasive as Sucuri suspected, they are also among the easiest to defend against. If you're going to get hacked, at least make sure the attacker has to put some effort into it.

Another Win For Flat Design As Facebook Gives Its F Logo & Other Icons A Flatter, Cleaner Look


Facebook has given its main “f” logo icon a makeover, flattening the design by removing the pale blue bar along the bottom, which gave the icon a reflective sheen/slight 3D effect, as well as moving the position of the f so it now bleeds right off the bottom. The overall effect is a simplified, unfussy and clean looking design with the f more clearly leaping out. Facebook posted the new logo as a downloadable resource for journalists today.
The refresh was flagged to TechCrunch by designer Tom Waddington, who notes in a blog post about the change that it appears to be part of a wider icon spring clean at Facebook, with a whole host of other icons used on various official Facebook pages also getting made over in the same flattened and more visually striking style. These icons include a developers icon, privacy- and security-related icons and a mobile icon, among others. The updates seem to have occurred last week.
Here are some of the other icon redesigns — see Tom’s blog for all the examples he’s noticed:

Flat design has spread its levelling influence all over the tech industry and its interfaces in recent years — from Microsoft’s flat, tile-based Windows Phone UI, to Google’s penchant for steamrollering its product interfaces, to scores of other apps and websites. Standing out — or rather above — all this levelling is of course Apple, which continues to prefer a skeuomorphic style of icon and interface design that tries to recreate the look of real-world objects or shapes by incorporating shading and/or texture.
Cupertino has been roundly mocked for sticking out while the rest of the digital world is shedding pixels and going flat (there’s a great dissection of both sides of the flat vs skeuo debate here) but from a usability point of view, flat design can create confusion about which portions of the website or interface are designed to be clicked on, for instance. However when it comes to something as visible as Facebook’s f logo there seems no reason to hold onto the pale blue bar. As a marketing message, the new icon is much louder and prouder, even though it’s flatter.
According to Facebook’s logos & trademarks guidelines page, the “f” logo can be used for:
  1. Your Facebook Page
  2. Your Facebook Group
  3. An application you offer via Facebook Platform
  4. Your implementation of Facebook Connect
It’s also clearly one of Facebook’s most visible bits of brand furniture, appearing on its favicon, for instance, and on its mobile app icons. The new-look logo is already up and running on Facebook’s own Facebook page, while an inverted version of the logo (white square, blue f) appears in the Facebook search bar (if you have Graph Search enabled). In his blog Waddington notes that the new f logo download is fully transparent, i.e. with the f fully cut out, which may explain the inverted search bar version.
The original f icon was designed by New York-based design house Cuban Council back in 2006, which told TechCrunch it has not worked with the logo or with Facebook since. ”Cuban Council produced the primary word mark for Sean and Mark in 2006,” Mike Buzzard wrote us in an email, “and have not worked with the logo or the company since.” His speculation is that the new icon system could be the result of Facebook’s 2011 Sofa acquisition. Mike and some others from Cuban Council joined Google last year in an acqui-hire to work on Google+.
Facebook declined to comment when we asked about the icon redesign.
In addition to the general industry push towards flatter design, TechCrunch’s in-house Facebook stalker, Josh Constine, suggests the decluttered design could be a sign of internationalisation — i.e. to better communicate the Facebook brand to non-English language users who may have been confused by the horizontal line apparently connecting and extending the f symbol. He notes that the original design was conceived when Facebook was a domestic company targeting just U.S. users.

LulzSec Member Sentenced to Year in Prison for Sony Hack


A member of the LulzSec hacker group was sentenced to one year in prison for breaching Sony Pictures' servers in June 2011 by means of a SQL injection attack, Reuters reports.
Cody Kretsinger, who pleaded guilty in April 2012 to charges of conspiracy and unauthorized impairment of a protected computer, will also have to perform 1,000 hours of community service once he gets out of prison.
The sentence is a part of a plea bargain that helped Kretsinger — also known by his online moniker "Recursion" — avoid a maximum sentence of 15 years in prison.
The Sony Pictures hack, which exposed more than 1 million user accounts, was the largest in a long series of hacks performed by members of LulzSec. The group took credit for the attack, posting the stolen user info on its (now defunct) website.
The attack caused Sony more than $600,000 in damage, prosecutors said.

8 Ways to Improve Your 'About Us' Page

Chances are, it's one of the most-visited pages on your site. It's probably also the weakest. Here's how to fix it.

Which page of your website gets the most visitors? If you're like most businesses, your About Us page is at or near the top of the list.
That's great--unless you treat your About Us page as an afterthought.
After your site gets potential customers interested in your products or services, they naturally head to your About Us page--often within three to four clicks--to make sure your company is the right choice to provide those products and services. That's why your About Us page is often your website's make or break page.
Of course writing about yourself and your business is awkward, so many About Us pages read something like this:

"NextBigThing Technologies is a global solutions provider that redefines enterprise networking and connectivity by providing a unique blend of innovative world-class services and outstanding customer experiences."

Sounds impressive, especially if you like buzzwords. But it says nothing.
So take a different approach. Make sure your About Us page gives potential customers what they need to feel comfortable choosing you:

Start with the customer's needs.
Forget what you do. Customers don't care about what you do; they care about what they receive: solutions and benefits.
So what do potential customers want to know? At a basic level, first-time visitors want to know you own a real business with real capabilities. What questions do customers typically ask during sales calls? What information tends to seal a deal or win over a hesitant customer?
If I want to outsource product fulfillment, "providers of outstanding customer experiences" means nothing to me, but "99.7% on-time shipping with a .0021% error rate for the past five years" means a lot--because it means you care about, measure, and deliver a service critical to my business.

Think facts, not superlatives.
Many About Us pages are filled with words like visionary, outstanding, disruptive, excellent, world-class, cutting edge...
If your business really is outstanding, give me facts: I'll decide if you're outstanding. If your business really is visionary, tell me about cool products you've developed: I'll decide if they're visionary.
And if you're a new business and don't have facts and figures, don't make them up. Describe what your business hopes to achieve and how you plan to achieve it. Give me the chance to decide if I want to jump on board with you.

Never try to be something you're not.
Check out a few About Us pages: Generally speaking, the smaller the business the "fluffier" the content.
Fluff is boring. Candor is compelling. Be who you really are and make that your advantage.
If you're a start-up, own it. If you're bootstrapping, own it. Start-ups are cool, and so is bootstrapping. Describe how new clients will benefit from the fact you're new or small: You can put more focus on individual customers, you can provide shorter lead times, you'll take relatively small orders so you can prove yourself in a new market, etc.
Speaking of being who you are...

Use real photos.
Always use photos of real people and places. If you can't, don't use any photos.
And don't let your Web folks convince you to use stock photos in order to add visual appeal to the page. We're all experts at spotting stock photos.
The pretty boy wearing an ill-fitting hard hat and pretending to read blueprints doesn't add visual appeal. He just looks silly.

Streamline your accolades.
Certifications are important, except when they're not.
If I want to build a sustainable facility, finding an engineer with LEED accreditation may be important. If I want a wedding photographer, finding one who is a member of the Wedding Photojournalist Association may not be so important, especially since the acceptance requirements are easy to meet.
Awards can also add credibility, but pick the few that make the most impact on potential customers. (If you can't stand the thought of leaving any awards out, create a separate "Industry Awards" page and get all crazy with your self-congratulatory self.)
So if you won a Tony award, it's probably okay to leave out your "Best Ensemble Dancer in a Comedy or Drama at Curly Joe's Dinner Theater and Swap Shop" award.

Never stop tweaking.
A great About Us page should be a work in progress. Whenever you land major customers, add expertise and capabilities, enter new markets, open new locations, etc., update your About Us page right away.
Make sure your About Us page always matches what you would say if I asked you about your company today.

Play pop quiz.
Ask people who know little or nothing about your business to read your About Us page and then describe what you do. If they can't answer most of the five Ws (who, what, when, where, why), get back to work.
By the way, that's a perfect task for all those social media connections you have but never actually seem to connect with. Asking for input is a great reason to reach out, and most people will be flattered by the fact you want their opinion.

Finally, get over yourself.
If you're fairly modest, writing your About Us page feels salesy and self-congratulatory, so you stop short of describing your business accurately. If you aren't particularly modest, writing your About Us page is really fun, so you go way over the top.
Either way, get over yourself. The end result is too important. Fortunately it's easy: Just focus on facts, figures, and accomplishments. Objective information is a lot easier to write.
It's more powerful, too. Simply think about the needs you fulfill and the problems you solve for your customers.
Then use plain language to describe how you fulfill those needs and solve those problems. Use plain language to describe who you really are.
That's the best way to establish credibility and help potential customers decide you're the best choice--because ultimately people do business with real people, not with companies.

Wednesday, April 17, 2013

5 Reasons to Blow Up Your Current Website

Be honest: Is that Web design as attractive as it was five years ago? Here are key signs it might be time to rebuild.

I've received a decent number of compliments on my website over the years. To be sure, it's a pretty good one and it has served me well, but I've decided that it's time for a makeover. In this post, I'll list five conditions that almost always necessitate building a new site.

You acquire a new--and sexier--domain.
This one is a no-brainer. After years of trying I recently acquired www.philsimon.com. What better way to announce the new site than redesigning it? (As of this writing, the new site is under development.) Related to this, what if your company is launching a new product? In my case, both things are true. (My new book will be out in about a month.)

Your current site can only host so many pages.
Far too many people think of websites and content management systems as one and the same. They're not. Static websites resemble brochures; they aren't designed to let users easily add content. CMSs, on the other hand, were conceived with nearly unlimited capacity for content of all types: videos, podcasts, and text. For many reasons, SEO favors sites with many pages over sites with very few. Think about it.

Your current site appears long in the tooth.
A theme or design from 2006 might look a bit dated now. After all, the Web has changed a great deal over that time. It's folly to assume that Web design has remained static. I wrote a few months ago that Pinterest has had a significant impact on design. If your site is image-challenged, it may be time to consider redesigning it.

Your current site isn't mobile-friendly.
Fellow Inc.com columnist Hollis Thomases writes that "Mobile now accounts for 12% of global Internet traffic, and it's scaling faster than the desktop did." It doesn't take a sorcerer to see what's coming. Yes, there are WordPress plug-ins that effectively simulate a mobile site. That's a bit like getting a little bit pregnant. Why not embrace mobile completely and get a responsive theme?

The performance of your current site is suffering.
My old site, www.philsimonsystems.com, held its own for more than three years. However, I just had too many images and plug-ins running in the background, most of which I felt I needed for different reasons.
Fast forward to 2013 and new development frameworks like Twitter Bootstrap obviate the need for a great deal of Band-Aid functionality. That is, these frameworks "ship" with many neat features baked in.

Simon Says

Websites age over time--some better than others. Think about how your site looks relative to your competition. Are you really putting your best foot forward?