A Case Against Author Archives In WordPress

What Are Author Archives?

When you write posts or pages (or any custom post type) for your WordPress site, they are linked to you as the author.  The authors that get associated with posts are the back-end users of your site: there is an Author select box on each post edit screen that lets you pick which user is the author of the piece of content.

Author archives are dynamically generated pages that let site visitors see all of the posts associated with a particular author (user).  They are pretty helpful: if you read a piece of content you really like, you can click on the author and review other content created by them.  From a site visitor’s perspective this is a great thing, especially when there is a bio and links to the author’s social media so you can follow them for more great content.  Here is an example of an author archive: Author Archive Example.

So Why Is This A Bad Thing?

A simple Google search using search operators to expose these pages turns up the occasional nicely done author archive (props Joe Hall), but the vast majority look more like the Majestic examples (boo Majestic).  This is because most blog owners care very little about these pages, if they even know they exist; WordPress generates them out of the box.  In the bad examples, this adds pages and pages of really crappy content to your site (Panda say NO!).

That is not the worst part.  The really bad thing about author archives is that they can help an attacker gain access to your site if you are not careful.  Take the Majestic blog linked above.  Pull up their sitemap.xml and you will find a link to author-sitemap.xml.  Reading through that list gives you the author slugs for all of their users (admin, barrie, rstlamedia-dk, and so on), and because WordPress builds the archive URL from user_nicename, which defaults to the login name, those slugs are almost always the usernames themselves.  Half of the credential pair is now public.  Anyone who wanted to could write a script that sends POST requests to wp-login.php, say 20 at a time spread over the next month to stay under the radar, until it hits the right password for one of those usernames.

A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization’s network security.

Source

This is what it looks like in the wild: a long run of POST requests to wp-login.php from one address, each answered with a 200 because WordPress re-renders the login form on a failed attempt, and then one final POST answered with a 302, the redirect to wp-admin that WordPress sends when a login succeeds.  That last POST worked.  The hacker gained access.  How much harm that does depends on the role (author, editor, admin, etc.) of the user whose password was guessed.  At the very minimum, a malicious SEO can silently add links to the content of your pages at will.  At worst, an administrator-level account is a short step from running code on the server and wreaking havoc on your site (or sites).
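The two things just described, harvesting usernames from the author sitemap and spotting the brute-force run in the access log, as an added example that is not code from the original post.  It is a stand-alone PHP script: the sitemap, the addresses and the log lines inside it are constructed for the demo, and the file name author-enum-check.php is an assumption.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Two checks that follow the
// argument above, run here against constructed data so the file executes
// offline with `php author-enum-check.php`:
//   extractAuthorSlugs()  - the author slugs an author-sitemap.xml hands out.
//                           WordPress builds /author/<user_nicename>/ and
//                           user_nicename defaults to the login name, so each
//                           slug is a probable username.
//   findLoginBruteForce() - scans combined-format access-log lines for one
//                           client hammering wp-login.php and reports whether a
//                           302 appears (WordPress redirects on a successful
//                           login; a failed one re-renders the form with 200).
// Host names, addresses and log lines below are invented for the demo.

/** Unique author slugs found in an author sitemap. */
function extractAuthorSlugs(string $sitemapXml): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches during parsing, and PHP 8 leaves
    // external entities unresolved unless LIBXML_NOENT is passed, so a hostile
    // sitemap cannot pull in local files or remote resources here.
    if (!$doc->loadXML($sitemapXml, LIBXML_NONET)) {
        throw new InvalidArgumentException('sitemap is not well-formed XML');
    }
    $slugs = [];
    foreach ($doc->getElementsByTagName('loc') as $loc) {
        $path = parse_url(trim($loc->textContent), PHP_URL_PATH);
        if (is_string($path) && preg_match('#^/author/([^/]+)/?$#', $path, $m) === 1) {
            $slugs[rawurldecode($m[1])] = true;
        }
    }
    return array_keys($slugs);
}

/**
 * Group POST requests to wp-login.php by client address. Addresses at or above
 * $threshold attempts are returned with their time span and whether any attempt
 * was answered with a 302.
 */
function findLoginBruteForce(array $logLines, int $threshold = 10): array
{
    $perIp = [];
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    foreach ($logLines as $line) {
        if (preg_match($pattern, $line, $m) !== 1) {
            continue;                                   // not combined format
        }
        [$ip, $stamp, $method, $target, $status] = array_slice($m, 1);
        if ($method !== 'POST' || parse_url($target, PHP_URL_PATH) !== '/wp-login.php') {
            continue;
        }
        $perIp[$ip] ??= ['attempts' => 0, 'first' => $stamp, 'last' => $stamp, 'success' => false];
        $perIp[$ip]['attempts']++;
        $perIp[$ip]['last'] = $stamp;
        if ((int) $status === 302) {
            $perIp[$ip]['success'] = true;
        }
    }
    return array_filter($perIp, static fn (array $r): bool => $r['attempts'] >= $threshold);
}

// --- constructed sample data --------------------------------------------------
$sitemap = <<<'XML'
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://blog.example.com/author/admin/</loc></url>
  <url><loc>https://blog.example.com/author/barrie/</loc></url>
  <url><loc>https://blog.example.com/author/rstlamedia-dk/</loc></url>
  <url><loc>https://blog.example.com/about/</loc></url>
</urlset>
XML;

$log = ['198.51.100.5 - - [10/Mar/2014:10:00:01 +0000] "GET /author/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"'];
for ($i = 2; $i <= 12; $i++) {   // eleven failed guesses, each answered with the login form
    $log[] = sprintf('203.0.113.7 - - [10/Mar/2014:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3420 "-" "python-requests/2.2"', $i);
}
$log[] = '203.0.113.7 - - [10/Mar/2014:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.2"';

echo 'Usernames exposed by the author sitemap: ', implode(', ', extractAuthorSlugs($sitemap)), "\n";
foreach (findLoginBruteForce($log) as $ip => $r) {
    printf("%s: %d POSTs to wp-login.php between %s and %s; %s\n", $ip, $r['attempts'], $r['first'], $r['last'],
        $r['success'] ? 'a 302 followed, so one of them got in' : 'no 302 seen, all failed so far');
}
```

The 200-then-302 pattern is the thing to alert on: a burst of POSTs to wp-login.php answered with 200 is a guessing run, and the first 302 inside that run is the guess that worked, which is the moment to rotate the password and review what that account changed.  The same parser runs unchanged over a real access log; pick a threshold that fits your traffic.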

What Can Be Done To Help?

The WordPress Team

First off, this would be an easy fix for the WordPress.org team.  Instead of building author archive URLs from user_nicename, which defaults to the login name (ie. http://blog.majesticseo.com/author/admin/), core could derive the slug from the display_name column, the way post slugs are derived from titles, and let users override it in their profile if they want to hide their real name.  Second, author archives could be off by default and only switched on under Settings > Reading in the admin area.

What You Can Do

The easiest first step is to make sure you are not using an obvious username for your Administrator account.  admin is used by wayyyyy too many people, and if your password is not really, really strong, you are asking for it.  Keep in mind that the login name and the archive slug are separate columns (user_login and user_nicename in wp_users); changing user_nicename alters the /author/ URL without changing how you log in, so the slug does not have to give the login away.

The second thing is to install a useful plugin called Limit Login Attempts by Johan Eenfeldt (please update the plugin, Johan).  It lets you specify a lockout period once someone has failed to log in too many times, and it will also alert you by email (if checked) when someone is trying to brute force their way into your site.

Last, use Yoast’s WordPress SEO plugin to disable your author sitemap and/or author archive if you are not using them.  Afterwards, check that a request for /?author=1 no longer redirects to a URL containing the slug: WordPress’s canonical redirect turns that query into the pretty author URL, so an attacker can walk user IDs and collect slugs even with the sitemap gone.

Disable Author Archives in WordPress SEO

Disable Author Sitemap in WordPress SEO
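One way to put the second and third steps into a few lines of your own, as an added example that is not code from the original post or from the Limit Login Attempts plugin.  The author-archive 404, the per-address lockout, the limit of 5 failures per 15 minutes and the file name harden-login.php are my choices, not anything the post prescribes; the file runs standalone against an array-backed store and uses transients when WordPress loads it.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post or from the Limit Login
// Attempts plugin. Dropped into wp-content/mu-plugins/ it applies two of the
// mitigations above: every author-archive request, including the /?author=N
// form that WordPress would otherwise redirect to /author/<slug>/, gets a 404,
// and wp-login.php is throttled per client address. The lockout logic lives in
// a class with pluggable storage so the same file runs standalone
// (`php harden-login.php`) against an in-memory store; inside WordPress it
// uses transients. The limits (5 failures per 15 minutes) are assumptions.

final class LoginThrottle
{
    /**
     * @param callable $get  fn(string $key): ?int   current failure count or null
     * @param callable $set  fn(string $key, int $count, int $ttl): void
     */
    public function __construct(
        private $get,
        private $set,
        private int $maxAttempts = 5,
        private int $windowSeconds = 900,
    ) {
    }

    /** True once the address has reached the limit inside the current window. */
    public function isLocked(string $ip): bool
    {
        return (($this->get)($this->key($ip)) ?? 0) >= $this->maxAttempts;
    }

    /** Count one failed login; the window restarts with each failure. */
    public function recordFailure(string $ip): int
    {
        $count = (($this->get)($this->key($ip)) ?? 0) + 1;
        ($this->set)($this->key($ip), $count, $this->windowSeconds);
        return $count;
    }

    private function key(string $ip): string
    {
        // Hashed only to get a short, option-table-safe key; it is not a secret.
        return 'login_fail_' . md5($ip);
    }
}

if (function_exists('add_action')) {
    $throttle = new LoginThrottle(
        fn (string $k) => ($v = get_transient($k)) === false ? null : (int) $v,
        fn (string $k, int $n, int $ttl) => set_transient($k, $n, $ttl),
    );
    // REMOTE_ADDR is the right source only when the web server is not behind a
    // proxy; behind one, read the header your proxy sets and nothing else.
    $clientIp = static fn (): string => (string) ($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');

    add_action('wp_login_failed', fn () => $throttle->recordFailure($clientIp()));

    // Priority 99 runs after the core username/password and cookie handlers,
    // so a lockout cannot be overridden by a later filter returning a WP_User.
    add_filter('authenticate', function ($user) use ($throttle, $clientIp) {
        return $throttle->isLocked($clientIp())
            ? new WP_Error('too_many_attempts', 'Too many failed logins. Try again later.')
            : $user;
    }, 99, 1);

    // Priority 1 runs before redirect_canonical (priority 10), which is what
    // would turn /?author=1 into a redirect that reveals the slug.
    add_action('template_redirect', function (): void {
        if (!is_author()) {
            return;
        }
        global $wp_query;
        $wp_query->set_404();
        status_header(404);
        nocache_headers();
    }, 1);
} else {
    // Standalone demo: array-backed store, six failures from one address.
    $store = [];
    $throttle = new LoginThrottle(
        function (string $k) use (&$store): ?int { return $store[$k] ?? null; },
        function (string $k, int $n, int $ttl) use (&$store): void { $store[$k] = $n; },
    );
    foreach (range(1, 6) as $attempt) {
        $n = $throttle->recordFailure('203.0.113.7');
        printf("failure %d recorded, locked out: %s\n", $n, $throttle->isLocked('203.0.113.7') ? 'yes' : 'no');
    }
}
```

The lockout is per address and only within the window, so the slow pattern the post describes (a few guesses a day from one address) needs a much longer window, or the log-based detection earlier in the post, to be noticed.  The 404 on author archives removes the slug from the /?author=N redirect as well as from the archive itself, but it also turns the author links your theme prints into dead links, so switch those off at the same time.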
In Conclusion

I am only bringing this up because I have seen this happen and I want to try to get the word out to take some proactive steps to keep from being a victim.  I could probably write another 10 posts on WordPress security, but this is a big one that is happening now.  If you have any feedback or improvements to the article please drop them in the comments below.

How To Install Skype on a Chromebook Using Digital Ocean and VNC


I picked up a Google Chromebook a few weeks ago because I was looking for a cheap lightweight laptop we could use around the house.  I enjoy using tablets but I miss the keyboard and  form-factor with a laptop.  Chromebooks offer a good compromise and peace-of-mind (in that if one of my kids were to drop it, I would not totally freak out).

The only thing really missing from Chromebooks is access to some Windows (and Android) applications, like Skype.

I am going to show you how to use a Digital Ocean Droplet (server) and the Chrome Store’s VNC program to add that missing link to your Chromebook.  So let’s get started….

Skype On Chromebook

This is what you are after.

How To Install Skype on a Chromebook

First off, sign up for a Digital Ocean account (or log in to your existing one); it is very cheap to test this out.

1. Create a new Digital Ocean droplet

The hostname can be anything, but I like to name it as a sub-domain of my website domain so I can reach the server by that name instead of the IP address Digital Ocean assigns.  I also like the 1GB RAM / 30GB disk plan so there is enough memory to run a desktop.  More is better, but Skype ran well for me on this plan.

In this example I am using the region New York 2.

The Image used in this example is Ubuntu 14.04 x64.

Leave the rest of the settings as is and click Create Droplet**.

** Access details to your droplet will be emailed to you.

Once your droplet has been created you are ready to start setting it up.  You will receive an email with the IP address, username, and password for the droplet.  Make sure you have access to this.

2. Log Into Terminal

Click on the Access tab of your droplet on Digital Ocean and then click Console Access.

Login Console - Digital Ocean

You may need to click on the empty area for the console to show up.  Once it does, use the login and password sent to you in the droplet creation email.

You should see a prompt similar to root@vnc:~#
If you do, you have command-line access to your new droplet.  Congrats!

3. Install the Desktop and VNC Server

Some of this was taken from an article by Fili Wiese on installing Screaming Frog Spider on the Google Cloud.  I picked a different desktop environment, mainly for aesthetics (this one is still very lightweight).

At the command line type:

Type y and press Enter when it asks whether you want to continue.  This installs the VNC server and a lightweight desktop environment.  Go get a cup of coffee.  Actually, get two.

When it is finished, type:

Type in a password for the new user and press Enter through the remaining questions.  Then type y to confirm the information is correct.

Next, switch to that user:

Then, type:

Enter and verify a password.  Note that it can only be 8 characters long: classic VNC authentication uses just the first 8 characters of whatever you type, so a longer password is silently truncated.  Answer (N)o to the question about a view-only password.  This is the password you will use to log in via VNC.

4. Setting up Startup Scripts

Now that the VNC user has been set up, a few startup scripts need to be installed that will run the VNC server every time the instance gets started and/or rebooted. First change back to the root user by typing the following command:

Now download the first startup script by executing the following command:

Then download the second startup script by executing the following command:

Now that the startup scripts have been downloaded and installed, you can make the VNCserver work by executing the following commands:

Now reboot the instance by executing the following command:

Your console session will drop at this point.  When the console comes back it will be a graphical login screen; select “Other” and log in again as root.

After you have logged in, launch Xterm from System Tools in the menu in the lower left.

Continue on in the new terminal window….

Now let’s start the VNC service by executing the following two commands:

Congratulations, you can now use any VNC-capable program to reach the instance over a VNC connection.

5. Installing Skype

The following comes straight from the Ubuntu website.

Users of 64-bit Ubuntu, should enable MultiArch if it isn’t already enabled by running the command

Since Ubuntu 10.04 (Lucid Lynx), Skype is part of the Canonical partner repository. To install Skype add the Canonical Partner Repository. You can do this by running the command

Then install Skype via the Software-Center or via the Terminal.

It is highly recommended to use the package provided in the Canonical partner repository, not the one distributed from the skype website, as the skype website currently points users to the wrong package for 64-bit systems of Ubuntu 11.10 and above.

Let’s reboot again by typing the following:

After the console has rebooted… you have made it!!!

6. Launching VNC

Go to your Chromebook launcher (or install from the Chrome Store) the VNC Viewer for Google Chrome.

After it launches, type in the address of your droplet in the following format:

111.222.333.444:5901 (where 111.222.333.444 is the IP address of your droplet that was mailed to you).

Pro Tip: You can go into your DNS provider and add an A record for vnc (or similar) pointing at your droplet’s IP address.  This makes it much easier to remember.

One caveat before you leave it like this: a VNC server on port 5901 of a public droplet takes connections from the whole Internet, and the classic VNC protocol carries the session, keystrokes included, unencrypted behind a password of at most 8 characters.  At least restrict port 5901 to your own address in the droplet’s firewall, or tunnel the VNC session over SSH rather than exposing the port directly.

Keep automatic selected for the Picture Quality.

A modal window will pop up asking for your password, enter the one that you created on the vncpasswd step above.

You should now see the desktop.

Go to the menu in the bottom left (I have no idea what that icon is), and hover over internet. Then right-click on Skype to add it to your desktop.

You can play around with some of the settings for the Appearance (Look and Feel) and Desktop background to make it look a little better.  I chose just a plain grey background and used the lubuntu-dark-panel appearance.

7. Success! You can now use Skype on your Chromebook

Enjoy…  You now have easy access to desktop apps from your Chromebook for only $10 per month.  If you have any tips or issues, please place them in the comments below.

Allow Users to Pick the Images They Share With Google+

So you have WordPress and you are a pretty good blogger.  You just came up with a great story idea and saw Mike King’s presentation that told you to hire a damn designer to make your fifteen paragraphs of text actually interesting to look at.

You are a good little sheep (like the rest of us) so you dust off  your bootleg version of Photoshop and create some engaging images to help visitors make it through the wall of words.  After a few hours of hacking, you end up with some really pimp images that are super cool and shareable.  You add them into the post and publish.

After you publish the post, you review the page and test out your share buttons.  You notice that Google+ picks one image for the page, and you wonder whether there is a way to let users share the cool images you just created individually, as the representative image of the page in the sweet CrinkleCut format.

Well, I will show you how to do just that.  Below you will find two test examples followed by the code that will allow you to do it.  A few prerequisites.  First off, read this.  It is a Google Developers page telling you what is needed to produce the CrinkleCut Google+ posting.  You will also need to be able to edit your WordPress functions.php file, and have a cursory understanding of http://schema.org/Article.

The Examples

Click on the images below to open the Google+ share window.  See how with each image the same page is being shared, but a different image is used based on what the visitor clicked on?  Pretty cool, huh?
Test 1

Test 2

How To Do It

Edit Functions.php

Add the following code to your functions.php file.  It does a few things.  It looks for ?gimg=02 at the end of the URL.  If it finds it, it replaces id="02" in the content of your page with id="02" itemprop="image".  Because the value comes straight from the query string, validate it (two digits and nothing else) before it goes anywhere near the replacement; otherwise a visitor could craft a link that injects their own attribute text into your markup.

Link Your Images Or Share Button

In this example, I have just added a link to the individual  test images to simplify things.  You can add custom share buttons or use Sharrre (or similar) to make it fancier.

Here is the link URL that you should set as the href of your link:

https://plus.google.com/share?hl=en-US&url=http://www.domain.com/your-blog-post?gimg=01

Here is what the parts mean: https://plus.google.com/share is the Google+ share endpoint, hl=en-US sets the language of the share dialog, url= carries the address of the page being shared, and ?gimg=01 appended to that address tells the functions.php code which image to flag.  When you build the link, URL-encode the page address (including its ?gimg=01) so it travels intact inside the url parameter.

Match The Query String To Your Images

In the example above, we send a value of “01” in the “gimg” query string parameter.  To make this work, add id="01" to the <img> element associated with this share URL, and repeat for each image you want to make shareable (01, 02, 03, etc.).

Make the Link Open In A Popup Window

Add an onclick handler to the <a> element that links to the share URL: open this.href with window.open in a small window and return false, so the click does not also navigate the current tab away.  The href stays in place as the fallback for visitors without JavaScript.

 

Test It Out

The next step is to publish your post and test it out.  If it is not working there are a few common reasons.

  1. Make sure you have read the Google+ Developers link above and are using schema.org/Article on your article.  All this technique does is let you specify a unique post image via the itemprop="image" property of schema.org/Article.
  2. Your shared images must be at least 506px wide and must have an aspect ratio no wider than 5:2 (width:height).
  3. Make sure you do not have any other schema markup that conflicts with the Article markup.
  4. Google caches the image associated with a page, so you may need to change the slug and share links if it keeps picking up an old image.  You can also test with the Rich Snippets Tool to see whether the Article > Image value changes correctly with the gimg value.
  5. It may be necessary to disable Open Graph markup on the page if Google is picking that over the Article > image declaration.

One note: it is a good idea to go into Webmaster Tools (URL Parameters) and tell Google that the new gimg parameter does not make the page a unique URL.


Multi-Site User Replicator 3000

Description
This plugin lets you pull up any (non-Super Admin) user and, in one click, add that user (with a global role) to all sites in your multisite install.  Likewise, removing a user from all sites is one click as well.  CAUTION: when deleting a user from a site, WordPress offers an optional step that reassigns that user’s posts to another user.  This release ignores that step.  Please take a DB backup until you are used to this plugin and multisite.

Name: Multi-Site User Replicator 3000
Contributors:  jroakes(me!)
Donate link: http://visiblecompany.com (here!)
Tags: user, multi-site, sites, mass edit,
Requires at least: 3.1 (should work for previous versions)
Tested: 3.1
Stable tag: Trunk

** Please use this plugin at your own risk.  I offer no warranty or support.

WP3.1 multisite “mu-plugin” that allows you to add a user to all sites or no sites. Just drop in mu-plugins.


Installation
This section describes how to install the plugin and get it working.

1.  Upload `user-replicator-3000.php` to the `/wp-content/mu-plugins/` directory

2.  Find “Multi-Site User Replicator 3000” options at the bottom of Network Admin->Edit User

Frequently Asked Questions

– Will this plugin re-assign the posts of the deleted user? Not Now.

–  What will happen if I remove the plugin from the mu-plugins directory? Nothing. The users will still be assigned and the minimal data in the database will remain.

–  Can you bulk update a group of users at a time, but not all? Not Now.

–  The user has been deleted from some sites and I want to re-add to all. How do I do this? “Remove User From All Sites” and then “Add User to All Sites”

Screenshots

1.  Add User: Add user to all sites step.

2.  Delete User: Delete user from all sites step.

Changelog
= 0.1 =
* initial release (Just a fledgling)

Download
Click here