1 Minute fix for the WordPress XML-RPC Pingback vulnerability to the Quadratic Blowup attack

At 3PRIME, we are stewards for quite a few hosting customers, many of whom love WordPress. As such, we support that platform so that we may support the efforts of our disparate clientele.

By now everyone has heard of the XML Quadratic Blowup Attack vulnerability in WordPress.

The WordPress Core Team has done their due diligence and has submitted a patch for the vulnerability. You can implement it readily by updating your WordPress runtime to the latest greatest version (or the latest greatest patch build of your current installation). If you haven’t already, you should absolutely update your installation the next chance you get.

XML-RPC is a Problem

Something that bears mentioning here is the WordPress XML-RPC interface itself.

Unless you are using a plugin that requires this now nearly ancient form of site access and control (Jetpack and the WordPress mobile apps are the common examples), XML-RPC is extra baggage that you need not carry around.

Given the utter lack of usage of XML-RPC throughout our client sites, the best fix for the current vulnerability, and a good preventative measure against similar attack vectors, is simply to disable XML-RPC altogether.

In our case, we did this server-wide. Setting up a directive for Apache couldn’t be easier.

In your configuration file (httpd.conf or, preferably, a pre-VirtualHost Include file), simply include the following snippet:

Apache – Disable xmlrpc.php

# Refuse every request for xmlrpc.php, whatever directory it lives in (Apache 2.2 syntax).
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    # On Apache 2.4 (without mod_access_compat) replace the two lines above with: Require all denied
</Files>

For the Nginx crowd out there, you can use the following:

Nginx – Disable xmlrpc.php

server {
    # ... existing server configuration ...
    # Exact-match location: any request for /xmlrpc.php gets a 403 before it ever reaches PHP.
    location = /xmlrpc.php {
        deny all;
    }
}

If your site (or your clients’ sites) is not coupled to WordPress XML-RPC, disabling XML-RPC altogether is a great way to remove one attack vector that is often overlooked, exposed, and effectively exploited.
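After rolling out either rule, the web server access log is the quickest place to confirm it is actually in effect: every hit on xmlrpc.php should now be a 403. The script below is an added example (not 3PRIME's code) that parses constructed Apache/Nginx combined-format log lines, counts xmlrpc.php requests per client IP split into served and blocked, and reports whether the block is complete.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache/Nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2014:12:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2014:12:01:06 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Aug/2014:12:02:10 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2014:12:03:15 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2014:12:04:00 +0000] "GET /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.30.0"
"""

# Client IP, request line, status and response size of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (ip, method, path-without-query, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # /xmlrpc.php?rsd is still xmlrpc.php
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def xmlrpc_report(log_text):
    """Count xmlrpc.php requests per client IP, split into served (2xx) and blocked (403)."""
    served, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec[2].endswith("/xmlrpc.php"):
            continue
        ip, _, _, status = rec
        if 200 <= status < 300:
            served[ip] += 1
        elif status == 403:
            blocked[ip] += 1
    return {"served": served, "blocked": blocked}


def xmlrpc_blocked(log_text):
    """True only when xmlrpc.php was requested and every request was refused with 403."""
    report = xmlrpc_report(log_text)
    return sum(report["served"].values()) == 0 and sum(report["blocked"].values()) > 0


if __name__ == "__main__":
    rep = xmlrpc_report(SAMPLE_LOG)
    print("served:", dict(rep["served"]), "blocked:", dict(rep["blocked"]))
    print("xmlrpc.php fully blocked:", xmlrpc_blocked(SAMPLE_LOG))
```

Feed it the lines logged after the configuration reload; any surviving 2xx for xmlrpc.php means a VirtualHost or location block is still bypassing the rule.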

Marketing By Zip Site Launch

3PRIME has recently launched the new website for Marketing By Zip (MBZ). MBZ is a marketing company which focuses on creating simple solutions and ideas for businesses. It’s always encouraging to work with a company that has similar values and we were happy to help their upgraded site come to fruition. The site that we set up at MarketingByZip.com is easy to use and a great example of functional and attractive web design. It features a CMS which will allow them to update content on the site as they see fit. This was important for MBZ because it allows them to communicate special deals and opportunities to their client base as they become available.

Your Website and eCommerce

There are some great options for adding eCommerce to an existing website, but all involve a variety of considerations.

1) How many products are you selling? If it’s just a few, you can skip custom cart development and use PayPal buttons. Make a great product page, and get the code from PayPal. No worries about security certificates, and it’s easy to add new products just by adding new pages and generating new buttons. The major downside of this is that there is no “customer management” built into the website and PayPal’s merchant fees are high on a per-transaction basis. But it is by far the easiest way to set up eCommerce on a site. We also set up a payment page for consultants so their clients can pay online through their website.

aio-seo pack for wordpress and the %post_title% as text

I ran into this issue for someone this week when clearing out issues from Google Webmaster Tools. Specifically, I was trying to remove the problem of duplicate descriptions for web pages from their blog posts. Here’s what All-in-One-SEO has for the meta description setting:

[screenshot: normal-description]

Here’s what I wanted it to do:

[screenshot: description-with-%post_title%]

But what it did was add this text to the beginning of my meta description tag!

I tried several other combinations, no luck. So I contacted the plugin developer and said:

Referring to this thread:
I have a client using this plugin, the free version, and I cannot get the meta description in posts to display the %post_title%. I was wondering if this bug was fixed in the pro version.

In their second response I gleaned the following solution! Put this as your description:

[screenshot: description-with-%wp_title%]

And voila! My post title, pulled in using the variable “%wp_title%”, is included in my meta description. Thanks Semper Fi Web Design, great plugin and valuable support responses!

The Gamification of Science

Video games are somewhat of a recent phenomenon, but anyone who’s a fan of them knows that they’re really hard to stop playing once you get started. There are plenty of reasons for this: many are immersive and are the perfect escape from reality. Others feed off of people’s natural competitive nature with scoreboards and incentives like achievements, rewards and badges. The reason games are so appealing is rooted deep in human psychology, and there has been a recent trend to take advantage of this called gamification.

The definition of gamification taken from Wikipedia: the use of game design techniques and mechanics to solve problems and engage audiences. This is the idea behind Foldit. It’s a game which researchers have developed in order to enlist the help of gamers in deciphering the structure of a key protein in the development of AIDS. It’s a structure which scientists hadn’t been able to identify for years but now have, thanks to the online game Foldit. And it only took gamers three weeks to come up with the answer. This is a great story of games being used to solve real world problems, and you can read more about Foldit here.

WordPress.com Hacked

A few days ago WordPress announced that they had been hacked. Someone was able to gain deep access into several of the company’s servers, which hold information on their VIP accounts. We’re talking the big boys like TechCrunch and CBS. The unknown hacker could now have access to sensitive information like Twitter and Facebook passwords, so you can imagine how much trouble could come of this.