Frustrating day yesterday. Not only did I have an html form which would not display compiled JSON encoded data for the Royal Mail “Parcel API v1.”, but when I finally worked out that I needed to use a single apostrophe rather than a double on the POST-ing form because the browser was parsing a second double apostrophe as completing the data variable, the compiled data also threw out multiple errors when sent to the Royal Mail endpoint (or startpoint) (or whatever). A day – a whole day – on when to use a single apostrophe, a double apostrophe, a numeral, a null, a false or a string. Gah!
And then – then – in the final half-an-hour – also attempting to the issue I started with, which is to say the labels that Click & Drop deliver in PDF format do not have anywhere for a sender to add phone number or email of the recipient.
Its that extendedCustomsDescription variable …
Now, I know there are GDPR implications in this, but we have continual requests from Post operators in Europe particularly to include (a) IOSS numbers and (b) recipient’s email / mobile phone numbers on the address form or CN22. The only – the ONLY – space available for this using the API RM provides is in the Customs Description space.
So in the 50 characters we have we now print the following:
“PrintedPapers +44777000777 a.person@gmail.com”
Will this work? Will EuroPosties see the details? I know not.
What I do know is that it gives us a chance of reducing our present v. high return rate – 25% or so.
I’ll report back here if we manage that reduction!
Do get rid of all the excess .htaccess, but if they keep reappearing in directories where they aren’t necessary (a) delete the code and insert some harmless text eg. #boil your head wpyii2# to stop them affecting the function of your website and (b) you’ve definitely missed some of the fake app’s php files, see (2) below.
Fake php files are hidden in a variety of directories where you may not be familiar with what *should* be there. Obvious vector directories are in the plugins – particularly the ones everyone has. Akismet is an obvious one to examine. File names include a series of numerals, as well as the following that I’ve seen: index2.php, content.php, radio.php. The latter, non-numeral files, tend to be c. 4.41kb in size and will have a date last modified later that the files in which they sit. As previously mentioned wp-admin is also often used, particularly /wp-admin/css/colors/
Some recommendations for those of you that can’t upgrade to the latest (greatest) version of WP – which you should absolutely do if you haven’t a very VERY good reason not to.
Use a fully configurable firewall app such as WordFence – this has a bunch of very useful features straight out of the can. But it is subscription so you might want to also implement the plugins like following instead, or as well as:
Login No Captcha reCAPTCHA (Google) by Robert Peake and Contributors – this will stop hackers getting into the admin area by force – or at least it has so far.
WP Force SSL by WebFactory Ltd if you have SSL – which you should by now.
Make sure you have in your “define( ‘DISALLOW_FILE_EDIT’, true );” config file, and that this file is linked in to your WP install’s directory rather than hosted there.
I am happy to report all websites are now clear and functioning perfectly, even the ones on deprecated versions of WP, plugins and themes.
I’ve just spent a week disinfecting my server from this pernicious bit of ruskyhack. Not only has it completely derailed my working week, its meant that my team have had very little work over that period as my websites have been unable to process orders. Whoever the surnames Skorobogatov, Serebryakov and Biryukov refer to, well, they should be ashamed of themselves.
The context is this. On a server (not the one this blog is hosted on) I have c. twenty installs of WordPress, plus several apps which are collected in three or four directories. I’ve got a variety of domains and subdomains, as well as password-protected directories for particularly sensitive work apps.
Now if I say that some of these apps take data from my WP install DB repackage it and spit it out via the Royal Mail API into their Click and Drop app, you will get why this fake plugin has completely disrupted that workflow. And of course the problem with some of the WP installs I am using is that, because of its wide integration into our production systems, I cannot upgrade either the WordPress version or the plugins associated with it.
WPYII2 found its way onto the server mid-week last week and the first I knew about it was some code appearing at the top of the homepage of several of my sites.
The damage was extensive. I lost three separate bespoke apps we use regularly for business because the fake plugin deletes top level ‘index.php’ files when they are not associated with a WP install. Luckily I had different earlier iterations available on the server so I could cobble together replacements – which ended up improving on the earlier versions.
As for the WP installs, well, they all fell over, repeatedly. I ended up playing whack-a-mole for a couple of days while trying to understand what the hell was going on. It didn’t help that there were plenty of posts from security firms saying, yes, this is a thing, and we’re here to help you get rid of it, but very few saying this is how you do it. I *think* I have done it, and the solution has ended up being cobbled together through trial and error and some helpful non-specific security posts from a variety of sources [for example]
So how to rid your WP install of this vicious fakery?
Open top-level index.php and delete the machine code sitting in lines 1-3
Delete any ‘new’ files at top-level that you don’t expect to see.
In cpanel use phpmanager to flip between php version to disable the fake plugins chron jobs
Replace the .htaccess file text with the single or multiple install vanilla code from here: https://wordpress.org/support/article/htaccess/
Delete all .htaccess files below the top level on the WP install.
Delete any folder in plugins which isn’t something you have installed eg. the folder called “wpyii2”
Look for any folders / files which have a recent ‘last modified’ date which you don’t recognise as being something you did.
Repeat 1 through 4 if at anytime the website won’t display / shows the code at the top of the page again.
Check 5-7 if you have to repeat 1 through 4
Once you have a clean install, or at least as clean as you can make it, and you don’t have to maintain an outdated version of WP, upgrade to the latest version of WP.
Upgrade all your plugins and themes. If you have made bespoke versions of themes by changing the code, I’d recommend trying to find a different way of creating the same effect through the customization options for that theme rather than altering the php.
Protect the ‘wp-admin’ directory with a password (check to see whether this works for your install of WP – I’ve had mixed results)
Install a firewall plugin – eg. BBQ Pro or similar
Install a 2FA plugin
Install captcha on login plugin.
Install a SSL/HTTPS force plugin – assuming you have a live SSL certificate for the relevant domain.
For 13-15 remember to do this for all iterations of a multisite – although BBQ Pro will activate across the network without further configuration (which I like).
With your wp-config.php file, add the following code before the ‘Happy Blogging’ message –> “define( ‘DISALLOW_FILE_EDIT’, true );” – this stops all editing of php / css / html within the WP environment (see note 11 re: editing themes etc.)
Consider moving the config file to the top level of your server, ie. above the ‘public_html’ directory, using the php code ‘require_once ‘/home/username/wp-config.php’;’ on the ‘wp-config.php’ file within the WP install directory.
As of 15th June 2022 I seem to have reached a stable environment with the fake plugin effectively being locked out by the abovenoted steps. However, I continue to monitor the server, and use downnotifier.com to give me immediate intel if things go awry. Any recommendations on other steps to keep this stuff away, let me know!
The cost of all of this to my business? Who knows? My time / stress? The lost orders? The lost IP? Those who black hat hack should reflect on their lives and wonder whether their skills could be better used elsewhere.
For a while the design of the Forargyll.com website has been creaking. Obviously there’s the website’s popularity and its regular traffic above 3,000 unique visitors, but there’s also the increasing relevance of mobile devices as opposed to desktop. It is still the case that we get most traffic from PCs, but the proportion is declining and this or next year we expect mobile devices to take over.
So, we went looking for something that would give us two things: device flexibity and article readability, with also the capacity to include our red and green thumbs in the comments (among many other things). It also needed to be a light design, not using up too much bandwidth, as well as a more visually appealing layout.
Now, as a designer I’ve always enjoyed the pinterest model, particularly because it allows the reader to experience the serendipity of the newspaper reading experience – you never know what you are going to see next. Eschewing fixed sections and relying on presenting the freshest stories first, alongside putting the search facility front and centre, we think this should create a level of welcome variety for the reader which we hope will engage everyone further.
There are some other nice touches: the order of the articles changes on the homepage depending on their length – you actually see them move around sometimes. The comments section is a great improvement and all the new media icons are baked in, speeding up the website considerably. The ads are served as part of the design, and this means we no longer have to integrate cumbersome thirdparty applications, which is delightfuland we’ve done something fairly whizzy with the header image – it’ll take a minute or so of close observation to notice. You might ask why, and the answer will be, well, why not, because in a sense, that’s what it’s there for.
Silence on this blog over the last day or so, as I have been refining our production process – the Special Sauce of the title – by tinkering with the mix of PHP / MySQL / CSS which form the basis for the websites we run. That and using applescripts and folder actions to automagically print jobs saved from orders – a mouth-watering topping if you will.
If this sounds like unpalatable gobbledegook, then saying collation is my next challenge, and after that some insecure headers, might make you think I have lost it – either that or I am making headway with improving Scottish Laird’s online infrastructure. In any event, it is certain to ensure the business copes with the oncoming Christmas tsunami more elegantly than it did with the last …
And once all of these technical considerations have been broiled into an elegant soupçon, I’ll be heating up the latest iteration of our business plan for serving in a week or so to HIE – a very slow-cooked dish indeed!
As I was working on my Q2 VAT return I was wondering what I would post about today – I was using excel, textedit, MySQL, phpmyadmin and cpanel to create the documents I needed to send off to our accountancy firm and thought, well, what are the essential components of a successful online business?
One of the things that immediately struck me was that aside from a wide skillset, which is the IP we work from, everything we use is either open source / free or priced at a marginal cost to the business. In other words, for anyone to set up an online business, all they need are the skills and the time, the rest is readily available if they have connectivity and a computer or even a tablet.
My second thought was that actually we do have some software which we have had to purchase, mostly the Adobe Creative Suite (Photoshop, Illustrator, Indesign … ) but there are open source alternatives freely available.
I’ve listed everything below. Some of it is generic, some is specific – like the hosting solutions we use – how we knit it all together to create a market-leading business like Dunans Castle Limited, is another matter 😉
Foundation for online presence:
Open Source software – Linux / Apache / MySQL* / PHP*
Domain registrars: Bluehost.com (Top Level Domains) and 123-reg (UK domains)
Hosting solution: Mediatemple (US) and UnitedHosting (UK)
