Author: Alexander

Reader mode: Pagination in mobile emails

Development of responsive design make reading emails on mobile devices easier. On the other hand, the side effect is the fact that to read the massive letters now you need a lot of scrolling. As a result, to the end of the message get only the most persistent readers. If you give people the ability to quickly navigate through email, it would greatly improve the situation.

The described technique works only in the email application Mail for iPhone (Android version in development).

Reader mode

The described technique allows the user to independently control the content of the letter – with a special button letter transforms in version for reading divided into several pages that can be accessed with a click.

Activation

A button to enable “reader mode” is wrapped in a label that switches the checkbox with the id of the cell navigation. To display items in this mode, use the pseudo-class :checked, the menu in the top of the panel is set to position:fixed:


<style>

.toolbar-container{

position:fixed;

top:0px; left:0px;

display:none;

...

}

 

#navbox:checked ~ .toolbar-container{

display:block!important;

}

 

#navbox:checked ~ .articles-container{

height:100%;

overflow:hidden;

position:fixed;

top:50px;

left:0px;

}

</style>


 

<input id="navbox" type="checkbox">

<label for="navbox" >Activate Reader Mode</label>

 

<div class="toolbar-container">...hidden toolbar content ... <div>

<div class="articles-container">

article1, article2, article3...

</div>

Pagination of articles

Article wrapped in two containers. When activated the selector :checked, outer container displays the content on the full width and height of the visible area of the screen. The outer container is also set at a fixed value at the top of email messages minus the space occupied by the menu.

The inner container occupies the width of the visible area multiplied by the number of articles. Articles also occupy a width in the viewport and shifted to the left. This allows you to organize them in a horizontal position, displaying one article at a time.

Then you create a radio-element for each article, when the selector :checked is set in a certain radio-element, the inner container is shifted left or right by the number of “width crane” (vw) of each article. Adding a transition allows for the “sliding effect” while browsing articles:


#navbox:checked ~ #a1radio:checked ~ .articles-cont .articles{  left:0px;}#navbox:checked ~ #a2radio:checked ~ .articles-cont .articles{  left:-100vw;}#navbox:checked ~ #a3radio:checked ~ .articles-cont .articles{  left:-200vw;}

The value of vw does not work on Android, so you’ll have to arrange the articles one above the other and show the right, hiding or changing its z-index.

Moving on articles

To navigate through the articles, create labels of arrows, which will be activated by clicking the appropriate radio-element. These labels are hidden by default and displayed only a couple associated with the currently visible article.


<style>#navbox:checked ~ #a1radio:checked ~ .toolbar-cont .a1nav,#navbox:checked ~ #a2radio:checked ~ .toolbar-cont .a2nav,#navbox:checked ~ #a3radio:checked ~ .toolbar-cont .a3nav{  display:block;}</style> <div class="nav-arrows a1nav">   <label> </label><label for="a2radio">»</label></div><div class="nav-arrows a2nav">   <label for="a1radio">«</label><label for="a3radio">»</label></div><div class="nav-arrows a3nav">   <label for="a2radio">«</label><label> </label></div>

Index menu of articles

Index menu contains a list of labels associated with articles in a hidden and absolutely positioned div, and is displayed when the user clicks on a menu, use the selector :hover.

Interesting point, often if the menu is hidden right after selecting the element, the mail client just ignores the selection. To cope with this problem you can add the transition and delay.

Code

To work with the code of the example you can in the builder of one of the email services. In text form it is presented under the spoiler:

The code of the example


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="viewport" content="width=device-width" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style>
* {
margin:0;
padding:0;
font-family: "Helvetica Neue", "Helvetica", Helvetica, Arial, sans-serif;
font-size: 100%;
line-height: 1.5;
color:#333333;
}
img{
max-width:100%;
}
body {
-webkit-text-size-adjust:none;
width: 100%!important;
height: 100%;
}
h1,h2{
margin-bottom:15px;
line-height: 1.3;
font-weight:300;
}
h1 {
font-size: 32px;
}
h2 {
font-size: 22px;
}
.toolbar-cont{
max-height:none!important;
overflow:visible!important;
z-index:10;
width:100%;
position:fixed;
top:0px;
left:0px;
display:none;
height:50px;
background-color:#eeeeee;
border-bottom:1px solid #222222;
}
.toolbar{
height:50px;
line-height:50px;
display:block;
text-decoration:none;
}
.toolbar-menu{
z-index:10;
text-align:center;
position:absolute;
top:51px;
overflow:hidden;
transition: all 0.3s;
-webkit-transition: all 0.3s;
transform: rotateX(90deg);
-webkit-transform: rotateX(90deg);
transform-origin: top;
-webkit-transform-origin: top;
-webkit-transition-delay: 0.5s;
transition-delay: 0.5s;
}
.toolbar-menu label{
display:block;
padding:5px 20px 5px 20px;
}
.toolbar:hover + .toolbar-menu{
display:block;
transform: rotateX(0deg);
-webkit-transform: rotateX(0deg);
}
.articles-cont{
background-color:#ffffff;
}

#navbox:checked ~ .articles-cont{
width:100%;
height:100%;
overflow:hidden;
position:fixed;
top:50px;
left:0px;
}
#navbox:checked ~ .articles-cont .articles{
position:absolute;
left:0px;
width:303vw;
transition: all 0.3s;
-webkit-transition: all 0.3s;
height:100%;
}
#navbox:checked ~ .articles-cont .articles .art{
width:100vw;
float:left;
height:1000px;
overflow:hidden;
}
#navbox:checked ~ .articles-cont .articles .art div{
width:90vw;
padding:20px 5vw 10px 5vw;
}
input{
max-height:0;
display:none;
}
.nav-arrows{
float:right;
display:none;
}
.nav-arrows label{
cursor:pointer;
display:inline-block;
vertical-align:middle;
text-align:center;
height:50px;
width:50px;
font-size:30px;
font-weight:bold;
}
#navbox:checked ~ #a1radio:checked ~ .articles-cont .articles{
left:0px;
}
#navbox:checked ~ #a2radio:checked ~ .articles-cont .articles{
left:-100vw;
}
#navbox:checked ~ #a3radio:checked ~ .articles-cont .articles{
left:-200vw;
}
#navbox:checked ~ #a1radio:checked ~ .articles-cont .a1,
#navbox:checked ~ #a2radio:checked ~ .articles-cont .a2,
#navbox:checked ~ #a3radio:checked ~ .articles-cont .a3{
height:100%;
overflow-y:scroll;
}
#navbox:checked ~ #a1radio:checked ~ .toolbar-cont .a1nav,
#navbox:checked ~ #a2radio:checked ~ .toolbar-cont .a2nav,
#navbox:checked ~ #a3radio:checked ~ .toolbar-cont .a3nav{
display:block;
}
.closer{
display:inline-block;
vertical-align:middle;
text-align:center;
height:50px;
width:50px;
font-size:30px;
font-weight:bold;
float:left;
}
#navbox:checked ~ .opener{
display:none;
}
#navbox:checked ~ .toolbar-cont{
display:block!important;
}

@media screen and (max-width: 480px) {
#cbox-capable:checked ~ .opener div{
margin:10px auto;
background-color:#1abc9c;
color:#ffffff;
border-radius:5px;
display: block !important;
max-height:50px !important;
line-height:50px;
text-align:center;
vertical-align:middle;
}
}
</style>
</head>
<body>
<div id="main-cont" style="padding:20px;">
<h1>FreshInbox</h1>
<div style="dislay:block;width:350px;margin:0px auto;max-width:100%">
<img src="http://placehold.it/350x150">
</div>
<!--[if !mso 9]><!-->
<input id="cbox-capable" type="checkbox" style="display:none!important;max-height:0;visibility:hidden;" checked>
<input id="navbox" type="checkbox" style="display:none!important;max-height:0;visibility:hidden;">
<label for="navbox" class="opener">
<div style="display:none;max-height:0px;overflow:hidden;cursor:pointer">Reader Mode</div></label>
<input id="a1radio" name="qradio" type="radio" checked style="display:none!important;max-height:0;visibility:hidden;">
<input id="a2radio" name="qradio" type="radio" style="display:none!important;max-height:0;visibility:hidden;">
<input id="a3radio" name="qradio" type="radio" style="display:none!important;max-height:0;visibility:hidden;">

<div class="toolbar-cont" style="display:none;max-height:0px;overflow:hidden;">
<label for="navbox" class="closer">x</label>
<div class="nav-arrows a1nav">
<label> </label><label for="a2radio">»</label>
</div>
<div class="nav-arrows a2nav">
<label for="a1radio">«</label><label for="a3radio">»</label>
</div>
<div class="nav-arrows a3nav">
<label for="a2radio">«</label><label> </label>
</div>

<a href="#" class="toolbar">Article Index...</a>
<div class="toolbar-menu" style="text-align:left;background-color:#C8DEFA;border:1px solid #888888;font-size:15px;">
<label for="a1radio">Yahoo! Mail Fixes Media Query Bug. Yahoo!!!</label>
<label for="a2radio">Outlook.com and Background Images</label>
<label for="a3radio">Gmail iOS Increases Email Font Sizes – Again</label>
</div>
</div>
<!--<![endif]-->

<div class="articles-cont">
<div class="articles">
<div class="art a1"><div>
<h2>Yahoo! Mail Fixes Media Query Bug. Yahoo!!!</h2>
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

<HR>

</div></div>
<div class="art a2"><div>
<h2>Outlook.com and Background Images</h2>
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

<HR>

</div></div>
<div class="art a3"><div>
<h2>Gmail iOS Increases Email Font Sizes – Again</h2>
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

<HR>

</div></div>
</div>
</div>
</div>
</body>
</html>
<b>

This text is a translation of the article “Режим читателя: Пагинация в мобильных email-письмах” published by @lol_wat on habrahabr.ru.

About the CleanTalk service

CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).

October 24, 2016

WordCamp Europe in Vienna and the vector of development of WordPress
This year the conference WordCamp Europe 2016 took place in Vienna and attracted more than 2300 guests. The capital of Austria is an excellent choice for such events, there are all conditions: convenient location, large meeting halls, and an active WordPress community. And there is something to see after the conference. Several of our developers have been on WordCamp Europe 2016. Under the cut – their story about the most interesting presentations and events.

The format of the conference

The conference lasted three days: the first two days we listened to the speeches, and the last day was given to the contributors. The reports were in different categories: Development, Design, Business, Content, Community, and took place in three streams, so everyone can find something interesting for yourself. Much attention speakers paid to high load questions, Continuous Integration, REST APIs, and the project Calypso.

On the day of contributors signed up about 600 volunteers. On this day it was possible to take a direct part in the development of WordPress, to learn how to work the kernel developers, translators, as well as the team checking the plugins and themes to the official catalog. You can even get advice on the organization of WordPress community in your city.

A nice bonus was the performance of Matt Mullenweg, the developer and the founder of WordPress, the founder of Automattic, WordPress.com, Akismet. But more on that below.

The most interesting report

PHP7 and WordPress

The release of PHP7 could not remain unnoticed at WordCamp Europe: how to provide the work of WordPress on PHP7, said Dan Blows in his report What’s New in PHP7 and what to expect in PHP7.1.

The core of WordPress and many plugins already support PHP7. Quoting the author, we can say: “Upgrade to PHP 7 easily, and probably everything will work immediately”. But he raised the points that should pay attention if you decided to migrate your website to PHP7.

The speaker told about innovations in PHP and the benefits that you can get when going to the seventh version. Dan showed impressive statistics of speed up of work WordPress on PHP7 compared to PHP 5.6.

A couple of reports about WordPress REST API

Especially important were the reports about REST API. This is one of the most important and actively developing directions. News from the developers WordPress rest API, about the difficulties and decisions is incredibly valuable information. Thanks Joe Hoyle and Adam White! Look at their performances The Ultimate REST API talk and Using the REST API and JavaScript to create better WordPress interfaces.

The reports disclosed the questions associated with use of the API and its development and expansion.

Now REST API is not yet part of the core, it exists in the form of a plugin. Adam in his report underlines the benefits that will get WordPress with integration of REST in its core. However, we now have the opportunity to build our apps using the new API.

The REST API gives unprecedented flexibility and expression “WordPress is limited only by your imagination” becomes a reality.

Dashboard Calypso

Due attention has been given to the relatively new development — Calypso. This is the administration panel of WordPress-sites, written in JS and running using WordPress REST API, which will definitely become popular.

Designer Calypso told about the project in general, and about what it cost for the team this his development and shared approaches in organization effective communication in the project. As Davide Casali said: “Communication is the oxygen”. It is impossible not to agree.

Experience of building a highly loaded WP-site

WordPress has long been used for the development of high-load news portals. Such giants as TED, TechCrunch, CNN, NBC built their sites on it. Yes, to build a high-load website is not easy, but speakers from NewsCorp Australia told how to do everything correctly.

Their experience – another precedent, proving the possibility of building on WP portals with millions of page views per day. Speakers gave valuable information about the development team and working process, talked about continuous integration, environment and visitor statistics. They also shared information that will help you to calculate the necessary costs for such a project.

Incredibly useful report, including from the point of view of communication with clients: How NewsCorp Australia scaled WordPress to host Australias largest ‘news’ websites on WordPress VIP.

About legacy-projects

Andrew Nacin — Lead-developer of WordPress core. With years of experience in the development of such a popular CMS system, the kernel developers have identified and summarized the key points of the philosophy of WordPress, which adheres and Andrew.

Get the big project “inherited” from people who have not really thought about the future is always difficult. And even painful. If you have such a project, the Andrew report will help to understand how to transform it in a stable and not require inappropriate investment product. Video of the report is available at the link.

Elasticsearch and ElasticPress

Full text search for MySQL databases by itself is not the best solution. But on high load sites and sites with large volumes of data — even more so. Elasticsearch is one of the solutions to implement an efficient search. How it works, how to configure Elasticsearch, how to protect data, and finally how to use it in your projects? These questions are answered by Taylor Lovett in the report Modernizing WordPress Search with Elasticsearch.

Taylor also tells about the plugin ElasticPress. The speaker is one of the developers of this plugin and knows what he’s talking about. In general, meetings with the developers of the components is always a unique opportunity to get information about the details of the use and future development plans.

The report about security

Of course, the most popular platform for developing websites in the world is one of the most attacked. So you need to constantly pay attention to the issue of information security.

Maurizio Pelizzone gave a presentation about securing WordPress websites: WordPress Hardening – Ten tips in ten minutes. The lecturer gave useful tips on how to reduce the risk to be hacked and sleep well.

Copywriting for professionals

At the end of the first day of the conference was the author of the best SEO-plugin for WordPress Joost de Valk and his wife Marieke van de Rakt. The report Beyond SEO – Copywriting for professionals, they told about the next stage in the evolution of search engines and the importance of high-quality texts.

Speakers against the “scorched earth tactics”. Joost and Marieke prefer sustainable and holistic approach to SEO, which involves focusing on all areas of optimization:
- The technical quality.
- Good UX & UI.
- Impeccable security.
- Great PR & Social
The basis of this approach is the high-quality content. And the principles of such content were presented in the report. In addition, the speakers spoke about a new functionality of their plugin, which allows you to make recommendations for improvement of the texts on your website.

Interview with Matt Mullenweg

Special attention deserves an interview with Matt Mullenweg: Interview and Q&A. the speech of Matt is a traditional part of WordCamp Europe. Right on the stage there is a sofa and provided almost homely atmosphere. In the second part of the perfomance, Matt talked to the audience.

They discussed potentially leading role REST API and interfaces on JS. Talked about the most successful and promising projects: Jetpack, WooCommerce and WordPress.com that do a lot for the success of WordPress in particular, and for an open Internet in general. Remembered about competitors, but Matt doesn’t consider them dangerous.

And much more

There were other interesting presentations, which we did not visit because we could not be simultaneously on all three streams. A complete list of video, as always, loaded on wordpress.tv.

Day contributors, how to develop core of WP

The conference was not limited by two days, full of interesting presentations and communication. For special interested was scheduled Contributor Day, which signed up about 600 people. It was held at the University of Vienna, Faculty of Informatics.

Each of the participants chose the direction in which he can get acquainted with the process of open-source development and to assist in the development of WordPress. Among the areas were: the development of the core, development of plugins and themes, internationalization, design, marketing, and support. Each group was coordinated by an experienced supervisor. The motto for the day was “Thank WordPress”. You could join the community, gain new experience, improve your professional level and make WordPress better.

The future of WordPress

WordPress is actively developed. The most interesting and promising areas — REST API and JavaScript interfaces. And the last were possible thanks to partly all the same REST API.

A lot of improvements in the core, for example, in recent releases significantly improved internationalization. Technology stack, development approaches, tools, and more — all have changed greatly since the advent of the first version of WordPress. There is movement forward, we are seeing regular releases that add something new.

Good news is that the core already supports PHP7. We already develop projects at NIX Solutions on a fresh PHP. But as for a full transition to the seventh version, here the prospect is not very encouraging. The fact that plugins and themes are supported by the community and by individual companies and not all of them in a hurry to implement support for PHP7.

What’s more surprising at the conference in Vienna is the maturity of the European community and a serious attitude to WP. We are sure that with such a large, active and talented community, WordPress has a great future.

Next WCEU 2017 in Paris

At the end of the conference, according to tradition, was announced the next city for WordCamp Europe, it became the capital of France. See you in Paris!

This text is a translation of the article “WordCamp Europe в Вене и вектор развития WordPress” published by @NIX_Solutions on habrahabr.ru.

About the CleanTalk service

CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).
October 24, 2016
“Write letters”: Three techniques of a good layout of emails
To the layout of letters and mailings devoted to a huge amount of tutorials. In this volume of information is very easy to get lost, and to write letters and do mailings still need. So today we have prepared material, which was collected three popular techniques for effective layout of emails, suitable for beginner web designers.

Interactive writing

Interactive elements dilute the monotonous text and save the reader’s time, and therefore are easy tool for creating sales letters and beautifully designed texts.

As an example, let’s look at a simple way of creating interactive images. It consists of three steps:

1. Create a table of one cell and set an background image that is displayed immediately after page loads.
```
<table cellpadding=0 cellspacing=0 border=0><tr>
<td width=240 background="http://.../alternate-image.jpg">
</td></tr></table>
```
2. Set the main image and “hide” it in a link with the class img-swap. This will create a hover-effect: when you hover over the background image, the main image will be in its place.
```
<table cellpadding=0 cellspacing=0 border=0><tr><td width=240 background="http://../alternate-image.jpg"><a class="img-swap" href="http://../link"><img src="http://../primary-image.jpg" width="240" height="170" border="0" style="display:block;" alt="the product"></a></td></tr></table>
```
3. Set up a command :hover and set the styles for the class img-swap.
```
<style>.img-swap {  display: block;  width: 240px;  height: 170px;} .img-swap:hover img {  height: 0px;}</style>
```
This version of the creation of interactive images is supported by services like: Mail, Outlook, Yahoo! and Gmail (with modifications).

Progressive enhancement

Progressive enhancement is a strategy involving the gradual creation of web pages – from simple to complex. First is the structure of the letter, and then to work on improving the appearance and usability.

First, the content of email is marked up using HTML to form the structure, to build the layout. After that comes the debugging of the design by tools of CSS – sets the CSS styles improve the design and presentation of the document – here you can set background image, set font options, and so on. In the third stage apply the new capabilities of CSS3. After marking the content, and bring it in order, comes time of JavaScript that is responsible for communication with the interface and dynamic elements.

Step-by-step work with a document allows you to track bugs and fix them on the spot, because the appearance of a single defect can affect the result of all the work. If you want to look at progressive enhancement in action, then pay attention to the example from html academy.

Media queries

Media query is the component of the CSS language, allowing you to select different sets of CSS styles. Sets of styles – the key to creating an attractive appearance of the document (illustrative practical example of CSS in action you will find the link).

A media query consists of three sequential components that are configured step by step:
- Media type – identifies the environment the application of the rules. There are such types, as all, print, screen (used for email) and speech
- Expressions is a list of device properties describing, for example, the width and height of the screen, the color
- Rules of styles are used when you open a message in an environment appropriate to the type and properties in the expression
Media queries are indispensable for optimizing the display format of emails on mobile devices. They allow you to move from a fixed design to a “floating” – the document will look good on different platforms.

Moreover, the technology of media queries can be used for targeting of services (selection services that meet the specified criteria) and adapting to them. By analogy devices are targeted, where it is important to take into account the size of the screen. For example, the standard code for the iPhone 6 Plus is as follows:
```
@media screen and (max-device-width: 414px) and (max-device-height: 776px) {    /* Insert styles here */
```
Media queries allow you to create beautiful and, most importantly, adaptive emails that look good on any device, but you need to be prepared for the fact that many email clients do not support this technology.

Interactive writing, progressive enhancement and media queries – it’s quite common techniques that can turn your electronic message into small works of art, moreover, they are a good basis for further development of your layout skills.

This text is a translation of the article “«Пишите письма»: Три техники верстки хороших email’ов” published by @mailman on habrahabr.ru.

About the CleanTalk service

CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).
October 21, 2016
How-to: Techniques of creating interactive e-mail using CSS
In our blog, we have already talked about how to implement pagination in a letter, but this is not the only version of interactive e-mailing. In some cases, you can create eye-catching emails using the hover-effect when the content changes when you hover over it.

Today we present to your attention a selection of FreshInbox blog articles about how to create an interactive email.

The first method involves three simple steps.

Step 1: the table and background image

First, you need to create a table that will contain one cell with the image as the background:
```
<table style="height: 31px;" border="0" width="389" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td width="240"></td>
</tr>
</tbody>
</table>
```
Step 2: link and image

For hover- effect you need two images — one is shown initially and the other appears when you hover. The second step is to define the main image to be “wrapped” by link. Also, add to the link the class “img-swap” and apply to the image property display:block.
```
<table cellpadding=0 cellspacing=0 border=0><tr><td width=240 background="http://../alternate-image.jpg"><a class="img-swap" href="http://../link"><img src="http://../primary-image.jpg" width="240" height="170" border="0" style="display:block;" alt="the product"></a></td></tr></table>
```
Step 3: style and hover

The final step is to add to the link styles and setting for it pseudo-class :hover, “targeted” on the image. Set the height of the image to 0px in that case, when the cursor hovers over a link, you can hide the image that the “background” image of the cell. Style display is set to :block for the link kept the width and height, even if concluded in it hidden image.
```
<style>
.img-swap {
display: block;
width: 240px;
height: 170px;
}
.img-swap:hover img {
height: 0px;
}
</style>
```
This method is supported in Yahoo! Mail Outlook.com (and Outlook 2003). There is a modification for Gmail, which we have discussed in detail in a previous article.

Click to see a surprise

Another technique allows you to create interactive emails using the hover-effect, and for mobile users to show “surprise” after a click on the picture.

This method is similar to the one described above but it differs in that, initially, for unsupported clients is not shown the original image, and the picture appears. This allows users with unsupported email programs not to miss the very meaning of the letters (although all the interactivity they will not be available).

Supported clients: iOS Mail, Android 4.x Mail, Yahoo! Mail Outlook.com and Gmail.com (with described at the link above hack with attribute selectors).

Unsupported clients: desktop, Outlook, mobile Gmail and Gmail for business

What is the difference from the previous method

To make it possible to display the opened image, you need to implement small changes compared to the previous version of the technique. Instead of using image-cover as overlay, and opened the pictures as a background, we need to do the opposite:
```
<table border=1 cellpadding=0 cellspacing=0 background="http://freshinbox.com/examples/rollover-reveal-simple/images/reveal-close-l.jpg"><tr><td><a class="reveal" lang="x-reveal" style="display:block;width:500px;height:400px;"   href="#">  <img src="1450830627199316115658"   style="display:block;" height=400 width=500 alt="A surprise!" border=0></a></td></tr></table>
```
Opened the image will be the main, and the original “cover” will become the background. Then on supported email clients, we initially hide the overlay, showing only the cover (i.e. the background). When the user hovers the cursor over the image, he has to be shown the hidden image.

So, instead of:
```
rollover:hover img{    max-height: 0px;    height:0px;}

 

The code will look like this:

.reveal img{max-height:0px;height:0px;}.reveal:hover img{  max-height: none;  height: auto;}
```
Thus, if your email program does not support interactivity, the user will see the image, which eventually opens on hover. In this case, the wow-effect is lost but retained the meaning of the message.

Besides, the image is wrapped in a “dead link” – it is necessary in order to effect triggered by tap on iOS and Android. The link may be active, but then the Android users will be redirected to it. In principle, interactivity on mobile devices you can even turn off with a special media query:
```
@media screen and (max-device-width: 1024px){  .reveal img{    max-height: none !important;    height: auto !important;  }     }
```
Under the spoiler presents the full code for the example (to work with it, you can on Codepen):

This text is a translation of the article “How-to: Техники создания интерактивных email-писем с помощью CSS” published by @lol_wat on habrahabr.ru.

About the CleanTalk service

CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).
```
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=EDGE" />
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<title>Rollover to Reveal</title>

<style>

/* wrapping in media query prevents styles from activating in OWA */
.yfix{}

@media screen and (max-width:9999px) {
.reveal img{
max-height: 0px;
height:0px;
}
.reveal:hover img{
max-height: none;
height: auto;
}

* [lang=x-reveal] img{
max-height: 0px;
height:0px;
}
* [lang=x-reveal]:hover img{
max-height: none;
height: auto;
}
}

</style>
</head>
<body style="margin:0px; padding:0px;">

<table border=1 cellpadding=0 cellspacing=0 background="http://freshinbox.com/examples/rollover-reveal-simple/images/reveal-close-l.jpg"><tr>
<td><a class="reveal" lang="x-reveal" style="display:block;width:500px;height:400px;" href="#"><img src="1450830627199316115658" style="display:block;" height=400 width=500 alt="A surprise!" border=0></a></td>
</tr></table>

</body>
```
October 21, 2016
Magic project builds on WordPress with package managers and a file
Today I want to share with the audience of Habra my approach to the organization of the automated project build on WordPress, which saves time when creating new sites.

Precondition

So, you make websites on WordPress, and with each new project you have to go to wordpress.org to download from there, in fact, WordPress itself + set of plug-ins that you use constantly. Or install the plugins you do right from the admin panel, or worse — copying them from the directory of the previous site. I always hated it, something is not elegant or does not satisfy the aesthetic needs. Besides, it takes a little bit, but all the time. So I wondered how to improve this process. Download everything I need, folded neatly in file and executed a “git init” and “git push”. Well, now I have a repository on Bitbucket, where is my build of WP with everything I need. From this point on in the beginning of the development process, you can run “git clone” and get something ready. Method pleased me not long – revealed “shortcomings”. Namely:
- excessive use of the repository (contains all the source code of the plugins and CMS);
- always keep old version of all (of course ,you can periodically update, but too lazy);
- I want to store in the same repository the source code to SCSS/SASS/LESS, not a minified JS code and other important components, which in theory should not interfere with the production version of the project;
Then I and my laziness consulted and came to the conclusion that at the beginning of work on a new website we are willing to expend energy for no more than the input one (max two) console commands for organizing of everything and go directly to the development process. Then laziness apart from me thought and continued: “and that in Git stored all at once, and that did not have a new version to roll (originally the new should be), and that it was possible on the server to pull correctly perform (you then is to serve all) and that to do all work itself, and do it quickly, while I rest.”

Satisfied laziness wishlist

Initially, I formalized the problem in a short list:
1. automate the installation of WordPress core, and current versions of plug-ins wandering from project to project;
2. to realize the dependence of the settings of the project from server environment;
3. separate the source code of the client part of the project;
4. automate builds of client-side;
5. create not redundant storage in Git-repository.
And I started to implement. First, I went to read the WP documentation and found there a beautiful thing that allows you to separate the CMS core from what changes the developer. Sketched on that occasion the following project structure:
```
content/
wp/
index.php
wp-config.php
```
In the directory “wp” keep the core files of WordPress, “content” folder for themes, plugins, language versions, etc. “wp-config.php” — a standard file of settings of WP, and in “index.php” guided by the documentation I put the following:
```
define('WP_USE_THEMES', true);

require( dirname( __FILE__ ) . '/wp/wp-blog-header.php' );
```
Launched on the server, checked, OK, it works. Now we need to do so that would be downloading the latest version of WP. For this I used Composer (how to install it, you can read here). All the files that I created earlier, I put in the folder “app”, in order to make all service files level up from the executable “index.php”. In the future my site will be run from this directory (remember to modify the host configuration for your server). And the folder “wp” was cleaned of all content. In project root I have placed the file “composer.json” with the following content:
```
{

"require": {

"php": ">=5.4",

"johnpbloch/wordpress": "*",

},

"extra": {

"wordpress-install-dir": "app/wp",

}

}
```
“johnpbloch/wordpress” – fork WP, suitable for installation via Composer, and “wordpress-install-dir” specifies the directory of the core installation of the CMS. Writing in the console:
```
composer install
```
I made sure that everything works. Fresh WordPress download in the “app/wp”. What about the plugins? With them everything is fine, thanks to the project wpackagist.org they also can pull through Composer. To do this, just modify the “composer.json”:
```
{
  "repositories":[
    {
      "type":"composer",
      "url":"https://wpackagist.org"
    }
  ],
  "require": {
    "php": ">=5.4",
    "johnpbloch/wordpress": "*",
    "wpackagist-plugin/rus-to-lat-advanced": "*",
    "wpackagist-plugin/advanced-custom-fields": "*",
    "wpackagist-plugin/all-in-one-seo-pack": "*",
    "wpackagist-plugin/google-sitemap-generator": "*",
    "wpackagist-plugin/contact-form-7": "*",
    "wpackagist-plugin/woocommerce": "*",
    "wpackagist-plugin/saphali-woocommerce-lite": "*"
  },
  "extra": {
    "wordpress-install-dir": "app/wp",
    "installer-paths": {
      "app/content/plugins/{$name}/": ["vendor:wpackagist-plugin"],
      "app/content/themes/{$name}/": ["vendor:wpackagist-theme"]
    }
  }
}
```
In the section “repositories” specified the address “wpackagist”, in the section “installer-paths” specified the path where to install plugins and themes, and in the section “require” added the names of WP-plugins as “wpackagist-plugin/{{plugin_name}}”. In “wpackagist” available almost all plugins with wordpress.org, the availability of plugins you can look in the search on the site wpackagist.org.

Completed:
```
composer update 
```
saw in the directory “app/content/plugins” had all the required plugins. Now we have to deal with the settings, let me remind you that the goal is to make the settings of the database and debug dependent on development environment, one on the local server and at the working others. To do this, squeeze them into a separate file “local-config.php”:
```
define( 'DB_NAME', '%%DB_NAME%%' );
define( 'DB_USER', '%%DB_USER%%' );
define( 'DB_PASSWORD', '%%DB_PASSWORD%%' );
define( 'DB_HOST', '%%DB_HOST%%' ); // Probably 'localhost'

ini_set( 'display_errors', true );
define( 'WP_DEBUG_DISPLAY', true );

define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
```
and change “wp-config.php” in the following way:
```
if ( file_exists( dirname( __FILE__ ) . '/local-config.php' ) ) {
	define( 'WP_LOCAL_DEV', true );
	include( dirname( __FILE__ ) . '/local-config.php' );
} else {
	define( 'WP_LOCAL_DEV', false );
	define( 'DB_NAME', '%%DB_NAME%%' );
	define( 'DB_USER', '%%DB_USER%%' );
	define( 'DB_PASSWORD', '%%DB_PASSWORD%%' );
	define( 'DB_HOST', '%%DB_HOST%%' ); // Probably 'localhost'

	ini_set( 'display_errors', 0 );
	define( 'WP_DEBUG_DISPLAY', false );

	define( 'AUTH_KEY',         'put your unique phrase here' );
	define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
	define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
	define( 'NONCE_KEY',        'put your unique phrase here' );
	define( 'AUTH_SALT',        'put your unique phrase here' );
	define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
	define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
	define( 'NONCE_SALT',       'put your unique phrase here' );
}
```
Now, if there is a file “local-config.php” settings will be picked up from it. This file needs to add in “.gitignor” (why do we need passwords from the database in the repository?). It’s time to enter data to access database “local-config.php” to launch the installation procedure of WordPress and visit the admin area.

In the admin area you need to visit “Settings -> General” and there to fix the address, as follows:

WordPress address with “/wp” at the end, website address without the “/wp”.
Great, you can use the site. The next step I dedicated custom styles and scripts (and somehow not logical, on the server everything is going, and all sorts of jquery to manually download?). In preparation I edited the project structure:
```
app/
       content/
             theme/
                  mytheme/
                        build/
                        index.php
                        style.css
       wp/
       index.php
       local-config.php
       wp-config.php
src/
      fonts/
      js/
            main.js
      scss/
            style.ccss 
composer.json
```
The original font files, scripts and styles are stored in the folder “src/”. Next they’re going with gulp, minified and put in the folder “app/content/theme/mytheme/build”. As the preprocessor for CSS I use SCSS (how to install, I think we all know, but if not, here are instructions), to build JS — browserify. I considered logical that based on client side you need to pull up with nmp. The file “package.json” I get this:
```
{
  "devDependencies": {
    "bourbon": "*",
    "bourbon-neat": "*",
    "browserify": "*",
    "fullpage.js": "*",
    "gulp": "*",
    "gulp-clean-css": "*",
    "gulp-concat": "*",
    "gulp-sass": "*",
    "gulp-sourcemaps": "*",
    "gulp-uglify": "*",
    "jquery": "*",
    "normalize-scss": "*",
    "vinyl-source-stream": "*"
  }
}
```
Section except “devDependencies”, did not fill, because to publish it in npm I obviously do not plan to. I write in the console:
```
npm install
```
I wait few minutes and see that all these dependencies carefully appeared in “node_modules”. The icing on the cake was the file “gulpfile.js” with this content:
```
'use strict';

var browserify = require('browserify'),
    source = require('vinyl-source-stream'),
    gulp = require('gulp'),
    sass = require('gulp-sass'),
    uglify = require('gulp-uglify'),
    cleanCSS = require('gulp-clean-css'),
    sourcemaps = require('gulp-sourcemaps'),
    sourcePath = './src/',
    buildPath = './app/content/themes/mytheme/build/';

//scss
gulp.task('scss', function () {
    return gulp.src('./src/scss/style.scss')
        .pipe(sass().on('error', sass.logError))
        .pipe(gulp.dest(buildPath + 'css'));
});

gulp.task('scss:watch', function () {
    return gulp.watch(sourcePath + 'scss/**/*.scss', ['scss']);
});

//js
gulp.task('browserify', function() {
    return browserify(sourcePath + 'js/main.js')
        .bundle()
        .pipe(source('main.js'))
        .pipe(gulp.dest(buildPath + 'js'));
});

gulp.task('browserify:watch', function () {
    return gulp.watch(sourcePath + 'js/**/*.js', ['browserify']);
});

//fonts
gulp.task('copy:fonts', function () {
    gulp.src(sourcePath + 'fonts/**/*', {base: sourcePath + 'fonts'})
        .pipe(gulp.dest(buildPath + 'fonts'));
});

//minify
gulp.task('minify:js', ['browserify'], function(){
    return gulp.src(buildPath + 'js/*.js')
        .pipe(sourcemaps.init())
        .pipe(uglify())
        .pipe(sourcemaps.write())
        .pipe(gulp.dest(buildPath + 'js'))
});

gulp.task('minify:css', ['scss'], function(){
    return gulp.src(buildPath + 'css/*.css')
        .pipe(cleanCSS({compatibility: 'ie9'}))
        .pipe(gulp.dest(buildPath + 'css'));
});


//task groups
gulp.task('default', ['copy:fonts', 'scss', 'browserify']);
gulp.task('watch', ['copy:fonts', 'scss:watch', 'browserify:watch']);
gulp.task('production', ['copy:fonts', 'scss', 'browserify', 'minify:js', 'minify:css']);
```
The command “gulp” will copy the fonts, compile SCSS, JS glued and folded it all neatly in a folder build. “gulp watch” does the same, but at each change of file. “gulp production” additionally clean the file from comments and minified it.

What is the result?

In the end, you don’t need to repeat the above. I conveniently have uploaded all on GitHub: https://github.com/IvanZhuck/kosher_wp_seeder.

You must clone the repository and run the following commands (after adjusting the list of plugins and dependencies, if necessary):
```
composer install npm install
```
Me and my laziness satisfied, the projects are to start faster and work better.

This text is a translation of the article “Волшебная сборка проекта на WordPress при помощи пакетных менеджеров и напильника” published by @ivan_zhuck on habrahabr.ru.

About the CleanTalk service

CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).
October 11, 2016
DDoS on 600 GB/s as the democratization of censorship

Well-known American journalist Brian Krebs for a long time writes on the topics of information security, revealing the identity of dark speculators mainly from Eastern Europe. Over the years, Brian had to over pass through a lot. Evil Ukrainian hacker has gathered on the forums for two bitcoins to buy heroin and send it to Krebs by post, other hackers have sent a SWAT team into the house on call 911 supposedly his number, took out a loan for $20 thousand to his name, has transferred $1000 to his Paypal account with stolen payment card. The authors of malicious software mention Brian Krebs even in the code of their programs. What can we do, these are the costs of the work of journalists in the field of information security.

Now Krebs has been targeted with new attacks. This time the attackers organized the most powerful DDoS-attack 600 Gbps on the website KrebsOnSecurity.com. A few days later the company Akamai gave up. To protect other customers, it brought out KrebsOnSecurity.com from under its protection.

The attack began on the evening of Tuesday September 20. Initially, it had no effect thanks to the operational work of Akamai engineers. Traffic was filtered out, but experts Akamai have admitted that this attack was almost twice as powerful as the biggest DDoS ‘ and what they saw in life. And probably one of the biggest in the history of the Internet in general.

September 20 at 20:00 the flow of garbage traffic reached 620 GB/s. This is more than enough to drop any website. Up to this maximum DDoS -ttack on Akamai resources was 363 Gbit/s.

DDoS was not organized by the standard method with amplification of queries through DNS servers. Instead, most of the traffic consisted of packets of data generic routing encapsulation (GRE). Communication protocol GRE is used to establish direct P2-connections between network nodes. Such a large amount of traffic surprised the experts – it is not entirely clear hot the amplification is carried out. If amplification was not, it turns out that the attacker used to attack hundreds of thousands of infected machines. It’s some kind of record botnet. Perhaps it consists of IoT devices such as routers, IP-cameras and digital consoles (DVR).

Brian Krebs is not offended by Akamai. For four years they are many times together with a subsidiary firm Prolexic protect it from DDoS-attacks. Just the current DDoS was too large. When it became obvious that the attack will affect other customers, the company Akamai in advance on September 21 at 16:00 warned Brian Krebs that he has two hours to go to another network, and at 18:00 they remove the protection.

The company’s management later explained that otherwise the reflection of such an attack would cause them loss of millions of dollars. Perhaps the head is a bit exaggerated, but in fact protect against attacks of this scale really worth from $100 thousand to $150 thousand per year. They always defended Krebs for free.

In order not to fail their host, the journalist asked to redirect all traffic to 127.0.0.1, and he tried to use the services of Project Shield — Google’s charity project, designed specifically to protect journalists from DDoS attacks. It turned out that this is ideal, so that on 25 September the site was back online and still works flawlessly.

These events pushed Brian Krebs to philosophical thoughts about the nature of Internet censorship. He recalls the famous words of businessman and libertarian John Gilmore about the impossibility of censoring the Internet. Gilmore said: “the Network recognizes censorship as damage and avoids it.” Those are some great words that have been repeatedly confirmed by life. Even now in Russia can be clearly seen how ineffective censorship of the Internet. Attempts of Roskomnadzor and other censors to block specific network resources really perceives as damage to the integrity of its structure, as an anomaly in normal operation — and offers options to work around this anomaly.

But this principle applies only in the case of “political” censorship, which is traditionally implemented by governments of different countries, limiting free access of its citizens to information.

In the case of a DDoS-attack, we see another example of an attempt to “gag” an opponent, to silence him. Here the state is not involved. Censorship is implemented by the coordinated efforts of many people or bots. In this sense, we can say that a DDoS-attack is a “democratic” version of censorship when the majority imposes its will on the minority and silences the opponent (of course, to a true democracy, such actions are irrelevant).

Brian Krebs believes that currently the greatest threat of censorship are just not the toothless attempts by state officials to ban something on the Internet (officials still understand absolutely nothing about technology and are not capable of inflicting significant damage), and namely acts of experienced professionals. Underground hacker community in recent years quietly turned into a powerful transnational organization, in whose hands is concentrated the enormous computer resources. These resources under certain conditions can turn into cyber weapon.

It is difficult to imagine that the government of any country could organize a DDoS-attack with a capacity of 600 GB/s, it’s incredible. But transnational hacker community — can. In this sense, Brian Krebs speaks of “the democratization of censorship”.

This text is a translation of the article “DDoS на 600 Гбит/с как демократизация цензуры” published by @alizar on habrahabr.ru.

About the CleanTalk service

CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).

October 11, 2016
Vulnerabilities of CCTV systems allow hackers to create massive botnets

According to a statement from US-CERT, in the firmware of digital video products (DVR) AVer Information EH6108H+ found serious vulnerabilities that could allow attackers to easily get to them with remote access and even to form botnets.

Vulnerabilities

Security researchers have found three critical vulnerabilities. The first (CVE-2016-6535) is the presence of two hidden accounts to connect remotely. Each of them has root-rights, the password to access code written in the firmware — as a result, accounts cannot be disabled or removed from the system. As a result, an attacker who knows the IP specific camera can easily connect to it by Telnet.

In addition, attackers can gain access to the admin panel and all without administrator passwords through an error in the authentication system (CVE-2016-6536). To access the control panel, the hacker just need to go to the address [IP-device]/setup and choose the option “handle” — then the administrative page opens without a password. To access it, an attacker can change the device settings and even change the passwords for all users of the system.

The third vulnerability (CVE-2016-6537) leads to the disclosure of confidential information — the problem occurs because of an error in the mechanism of processing user credentials.

How to be protected

According to a statement from US-CERT, at the moment there are no patches to fix discovered vulnerabilities. Manufacturer of AVer firmware on its website describes it as “no longer supported” (discontinued).

The only effective way to prevent the attack using these holes is to limit access to devices through a firewall or network hardware setup.

The extent of the problem

The presence of simple-to-use vulnerabilities and “backdoors” in DVR devices is not news. Previously, Positive Technologies experts have found critical vulnerabilities and the so-called “master passwords” that allow attackers to easily get access to these devices, hundreds of thousands of which are available from the Internet. For example, problems have been found in video surveillance systems Samsung, as well as popular firmware DVR-systems used by many vendors.

Also, not so long ago it became known that the worm BASHLITE were infected more than 1 million DVR devices — attackers formed them into botnets for DDoS attacks.

Also earlier this year, researchers from the company Sucuri found the botnet of 25,000 Internet connected devices for video surveillance. In addition, the botnet to conduct DDoS attacks, consisting of infected Webcams was found by specialists from the Security Engineering and Response Team of the company Arbor (ASERT).

It is important to understand that the attackers often do not need to apply a much effort to detect gaps in the protection of surveillance systems, because, as a rule, they contain the vulnerabilities which are very primitive.

The situation is aggravated by the fact that the manufacturers of DVR-system often not themselves fully create firmware for their devices, and use third-party development. Such firmware can be distributed in various dubious ways, potentially, they may contain a hidden undocumented logic, about which manufacturers of the final DVR cannot know nothing at all.

For example, our experts discovered vulnerabilities present in the popular firmware, which was used in its own way and complements many of the DVR manufacturers. Accordingly, vulnerabilities in these firmwares endanger a lot of different devices from different manufacturers.

However, many manufacturers do not pay enough attention to release updates and develop mechanisms to centrally deploy them on end-devices or user notifications. In the case of using firmware third party, the remediation process becomes more complicated: in such cases, the manufacturer of the DVR cannot fully control the firmware and not be able to change it.

For example, with one of the producers of such a popular and vulnerable firmware, we have not been able to establish contact, so they can correct any problems found. More detailed information was provided in the report at the forum Positive Hack Days III:

Vulnerabilities and hacking DVR devices are a serious threat to private companies. With access to the CCTV system, the attacker can use them as a springboard for further attacks invisible within the network of the company (APT). The typical remedies that are used in companies are often unable to detect such penetration (e.g., the classic antivirus approach is powerless here).

In fact, in the corporate network appears malicious device – a minicomputer, inside of which an attacker could install their software. Backdoor in such devices can be very long and imperceptible to exist.

What to do

In order to protect themselves, experts Positive Technologies advise to isolate access to digital video systems from the Internet (for example, the settings of the router and/or firewall). It is desirable for devices from the internal network to limit access to the DVR and give access to only those addresses, which it definitely needed (e.g., administrators only). And similarly to limit the network access of the DVR, giving him access only to the desired locations. It is best to place these devices in a separate isolated network.

In general, with the development of “Internet of things” opportunities for the creation of such botnets increase significantly, many new gadgets are developed and delivered to market without any regard for safety (on the contrary: connection schemes to the Internet are simplified as much as possible). In this situation, we can advise private individuals and companies to be more selective in the purchase of equipment and to carry out the security analysis of new devices.

Identifying botnets and investigating incidents is also more complicated when the infected are not personal computers, and many automated systems, the behavior of which no one is watching.

This text is a translation of the article “Уязвимости систем видеонаблюдения позволяют хакерам создавать масштабные ботнеты” published by @ptsecurity on habrahabr.ru.

About the CleanTalk service

CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).

October 7, 2016
Breeding Business: from ordinary blog to extraordinary magazine
Geek at heart, I always have been coding littles projects on localhost and a few failing websites. I guess I never really took Internet seriously.

Then, I realized these jobs I was doing in luxury hospitality were not making me happy. I just loved coming back home and writing, developing and designing. It’s just what I love. So I started looking at opportunities to generate a very small income that could make a website sustainable. And I had zero money to invest.

Over the last years, WordPress and blogging have been a huge hit and a lot of people go for it. They think about the monetization before having thought of their content, I took it the other way around.

Why Blogging About Dog Breeding?

When I set my mind to start an online blog, I looked at the usual ways of finding the perfect “keyword”, “topic”, “niche”. These include Google Keyword Planner, Google Trends and some paying softwares. I managed to have three topics that seemingly were searched for and that I was happy to write posts on.

Then, I picked the best topics and started writing. And this is when I realized I couldn’t write on anything else than what I truly loved — responsible and ethical dog breeding. I was writing one article after another. It just felt right.

Breeding dogs is something that has been running through several generations in my family and although I haven’t done it extensively myself, I am passionate by the canine genetics and mechanisms that make you have the best bloodline of all.

Dog breeding is a passion of mine and it would be hard for me not to write about it.

What Is Breeding Business?

Breeding Business was born after I wrote a few articles. I was going on Facebook Groups at the time to promote my articles (and eventually got suspended!) because Google wasn’t sending me enough traffic at first.

The website consists of a lot of articles written and published in different categories: how-to’s, interviews of breeders, reviews of dog breeding supplies, and obviously in-depth articles on how to breed dogs.

After just a few weeks, some visitors started asking what books were we recommending. Unfortunately most books are either too narrow in their topics or too breed-specific. A dog is a dog and the principles remain the same for a Chihuahua or a Rottweiler.

Therefore, we created our very own ebook, The Dog Breeder’s Handbook. It was created on iBooks Author since it’s a free application built by Apple and at the time, I didn’t know if the ebook was going to be a hit, or a miss. I like to be in motion, try things and if they fail, move on to the next one.

The Dog Breeder’s Handbook offers all the theoretical knowledge dog breeders need and a lot of actionable tips for them to put into practice. Yet, the launch was slow because the traffic was low. It was definitely generating a few hundred dollars every month. This is what kept me going and made me believe in it even more.

From then on, I thought I was going to add another product many visitors were hinting at: a WordPress plugin for dog breeders. I built it in few weeks and it is today a very good seller. I release updates using the feedback loop and have a similar project to be released soon.

Challenges When Growing a Simple Blog Into an Online Magazine

Being alone and seeing the traffic (and revenue) growing, questions start to pop in your mind.

It’s time for some business decisions

A blogger and solo-entrepreneur always strives for steady growth. I do not identify myself with mega-growth startups we read about everywhere. To each their own!

With Breeding Business, the growth has been great especially since Google sent traffic our way. No specific strategy that we followed, we just put out great content. Often.

Yet, we’re still asking ourselves a million of questions…
- Should I add another product or should I focus and grow these?
- Communities around blogs are hype, should I make one?
- Is the traffic growth normal or too slow?
- Subscriptions are so popular these days, but what to offer?
These are business decisions to make. I added another product: a course. It never took off mainly because it was kind of duplication what was in the ebook. We’re thinking a new use for courses for the future because I could see people were interested.

Communities are great but there is nothing worse than a dead forum so we never took that risk and are waiting to have a bigger email list to perhaps one day launch a community. Subscriptions are great but just not for us right now. A lot of blogs start charging a monthly or yearly fee for members to be part of a special club but most of them see a huge churn and give that model up after a few months.

Growth requires a technical overhaul, too

Our traffic has been growing very well thanks to search engines. This is why we needed a quality anti-spam and CleanTalk has been doing a sublime job at keeping these fake user accounts and comments away.

With traffic growth comes a whole new set of interrogations:
- Why am I not converting more visitors into optins or customers?
- GTmetrix and page speed tests are giving me low scores, how can I optimize my website?
- Why so many people read one article and leave?
These are technical issues that truly take time to be fixed. There are mainly two ways we could tackle these:
1. Patch each little issue one by one
2. Build a brand new website from scratch with these issues factored in
After a few months, we were patching issues one by one but today, I am almost finished with a brand new version of the website to be released in two or three months after extensive testing. We’re also pairing that new website with a move from cloud hosting to a VPS (ten folding the monthly hosting cost…)

Restructure the tree of information

Our current website was up and running when we had around 20-30 articles. We have over 300 articles today. People aren’t visiting other pages because the information is badly structured and they can’t find their way around.

Categories are being completely revamped. Stuff we thought was going to attract a lot of people, ended up being a graveyard and vice versa. So we’re cleaning the way the posts are categorized and tagged while updating old pages as well.

Speed and page load

Google is apparently using your website’s loading speed as a signal to decide on your ranking. My website is currently performing very poorly in terms of page load speed.

And these results are after several fixes here and there. So it’s the second main focus for the update. We’re also making sure the website loads much much faster on mobile devices thanks to wp_is_mobile(), the WordPress function to detect mobile devices. We load lower-quality images, less widgets.

Another WordPress optimisation is the use of the Transients API for our most repeated and complicated queries such as our top menu, footer, home queries, related posts, etc. The way it works is simple and allows you to store cached data in the database temporarily. Instead of retrieving the full menu at each page load, using a transient only requires a single database call for the menu to be fetched.

Add new UX features

The new version of Breeding Business brings its own set of new UX features. More AJAX calls, less page refreshes. More white spaces and an easier scroll through our entire page. We’ve also decluttered the article’s footer so our calls to action can jump to my visitors’ eyes.

Conclusion is… One man can only do so much!

Everything is wrote here is what I do daily. Article writing, support emails, plugin updates, website updates, email outreach, designing illustrations, social media promotions, bookkeeping and accounting, strategizing and long-term planning, etc. And I’m not helping myself by adding a new recurring item to our new upcoming version: biweekly giveaways!

Over the last weeks, I realized how stupid it is to rely on your own self only. It’s self-destructive and counterproductive. I genuinely believe that delegating any of these tasks will result in a loss of quality and will cost me money.

Yet, I have to leave my ego at the door and put some faith in other people. Sure, I may work with some disappointing people at first but it is also my duty to teach them how I want them to work.

This is my focus for 2017 — learn how to surround myself with the right people (or person) to free some time for me to focus on what I do best.

About the author

Lazhar is the founder of Breeding Business, a free online magazine educating responsible dog breeders all around the world through in-depth dog breeding articles, interviews, ebooks and comprehensive guides.
September 27, 2016
What is AMP (Accelerated Mobile Pages)? How to setup CleanTalk for AMP
What is AMP?

Accelerated Mobile Pages — it’s the tool for static content web-page creation with almost instant load for mobile devices. It consists of three parts:
1. AMP HTML — it’s HTML with limitations for reliable performance and some extensions for building rich content.
2. AMP JS — is library which ensures the fast rendering of pages. Third-party JavaScripts are forbidden.
3. Google AMP Cache — is a proxy-based content delivery network for delivering all valid AMP documents. It fetches AMP HTML pages, caches and improves page performance automatically.
Advantages
- Lightweight version of standard web-pages with high speed load.
- Instant multimedia content load: videos, animations, graphics.
- Identical encoding — the same fast rendered website content on different devices.
- AMP project is open source, it enables free information sharing and ideas contribution.
- Possible advantage in SEO as page load speed is one of the ranking factors.
- There are plugins for popular CMS to make AMP usage easier in your website.
How to use it in WordPress

When you choose what AMP plugin to use keep in mind the following:

— Integration with SEO plugin for attaching corresponding metadata.

— Analytics gathering with traffic tracking of your AMP page.

— Displaying ads if you are a publisher.

Available plugins in the WordPress catalog:
1. AMP by Automattic
2. Facebook Instant Articles & Google AMP Pages by PageFrog
3. AMP – Accelerated Mobile Pages
4. AMP Supremacy
5. Custom AMP (requires installed AMP by Automattic)
As example let’s install and activate AMP by Automattic and create a new post with multimedia content. Please, take note that not page but post. Pages and archives are not currently supported.

AMP by Automattic plugin converts your post into accelerated version of the post automatically and you don’t have to duplicate by yourself. Just add /amp/ (or ?amp=1) to the end of your link and that would be enough.

How to setup CleanTalk for AMP

Please, make sure that the option “Use AJAX for JavaScript check” is disabled as it will prevent regular JavaScript execution.

The option is here:

WordPress Admin Page —> Settings —> CleanTalk and uncheck SpamFireWall.

Then, click on Advanced settings —> disable “Use AJAX for JavaScript check” —> Save Changes.

Other options will not interrupt AMP post functioning. The CleanTalk Anti-Spam plugin will protect all data sending fields that were rendered after the conversion.

For now, most AMP plugins remove the possibility to comments and send contact form data on accelerated pages.

Google validation

Now you need to validate your website structured data using the tool “Google Validator”:

https://search.google.com/structured-data/testing-tool/

If you don’t do this a search bot will not simply pay its attention to your post and no one will see it in the search results.

Copy and paste the link to your AMP post and see the result. Fix the problems you will be pointed at.

After that your AMP version of the post will be ready to use.

Links

AMP project:
https://www.ampproject.org/

AMP blog:
https://amphtml.wordpress.com/

AMP plugins in the WordPress catalog:
https://wordpress.org/plugins/search.php?q=AMP

Google Search recommendations of how to create accelerated mobile pages:
https://support.google.com/webmasters/answer/6340290?hl=en
September 26, 2016
How to protect a Linux system: 10 tips
At the annual LinuxCon conference in 2015 the Creator of the GNU/Linux core Linus Torvalds has shared his opinion about the safety of the system. He stressed the need to mitigate the effect of the presence of certain bugs by competent protection order in violation of one component to the next layer overlaps the problem.

In this article we will try to uncover this subject from a practical point of view:
- start with the presets and recommendations for choosing and installing Linux distributions;
- then talk about simple and effective item of protection — security update;
- next, consider how to set restrictions for programs and users.
- how to secure the connection to the server via SSH;
- we give some examples of configuring firewall and limit unwanted traffic;
- in the concluding part will explain how to disable unnecessary programs and services, as further to protect the servers from intruders.
1. To configure the environment preloading before installing Linux
Take care of the security of the system is necessary before installing Linux. Here is a set of recommendations for the settings of the computer, which should be considered and executed before the installation of the operating system:
- Booting in UEFI mode (not legacy BIOS –a sub-section of it below)
- Set a password on the UEFI setup
- Activate SecureBoot mode
- Set a password on UEFI level to boot the system
1. Select the appropriate Linux distribution
Most likely, you will choose popular distributions — Fedora, Ubuntu, Arch, Debian, or other similar branches. In any case, you need to consider the obligatory presence of these functions:
- Support of forced (MAC) and role-based access control (RBAC): SELinux/AppArmor/GrSecurity
- Publication of security bulletins
- Regular release of security updates
- Cryptographic verification of packages
- Support for UEFI and SecureBoot
- Support of full native disk encryption
Recommendations for installing distributions

All distributions are different, but there are moments that are worth to pay attention and perform:
- Use full disk encryption (LUKS) with reliable key phrase
- The process of paging needs to be encrypted
- Set a password for editing the boot-loader
- Reliable password on root access
- Use an account without the privileges, belongs to the group of administrators
- Set for user a strong password different from the password for root
1. Set up automatic security updates
One of the main ways to ensure the safety of the operating system – to update the software. Updates often fix found bugs and critical vulnerabilities.

In the case of server systems, there is the risk of failure during the upgrade, but, in our opinion, problems can be minimized if automatically install only security update.

Auto-update works only for installed from the repositories, not compiled independently packages:
- In Debian/Ubuntu for updates use the package unattended upgrades
- In CentOS to auto-update use yum-cron
- In Fedora for these purposes there is the dnf-automatic
To upgrade, use any of the available RPM-managers of packages by commands:
```
yum update
```
or
```
apt-get update && apt-get upgrade
```
Linux can be configured to send notifications of new updates by email.

Also , to maintain the security of the Linux core there are protective extensions, e.g. SELinux. This extension will help keep the system from incorrectly configured or dangerous programs.

SELinux is a flexible system of forced access control, which can work simultaneously with selective access control system. Running programs are allowed to access files, sockets and other processes, and SELinux sets limits so that harmful applications are unable to break the system.
1. Limit access to external systems
Next after the update method of protection is to limit access to external services. For this you need to edit the file /etc/hosts.allow and /etc/hosts.deny.

Here is an example of how to restrict access to telnet and ftp:

In file /etc/hosts.allow:
```
hosts.allow in.telnetd: 123.12.41., 126.27.18., .mydomain.name, .another.name  
in.ftpd: 123.12.41., 126.27.18., .mydomain.name, .another.name
```
Example of the above will allow you to perform telnet and ftp connections to any host in IP-classes 123.12.41.* and 126.27.18.*, and also the host with the domain mydomain.name and another.name.

Next, in file /etc/hosts.deny’:
```
hosts.deny 
in.telnetd: ALL 
in.ftpd: ALL
```
Adding a user with limited rights

We do not recommend to connect to the server as root user — it has the right to run any commands, even critical to the system. Therefore, it is better to create user with restricted rights and work through it. Administration can be performed through sudo (substitute user and do) – this is a temporary elevation to administrator level.

How to create a new user:

In Debian and Ubuntu:

Create a user, replacing administrator with the desired name and specify the password in response to the request. Input password characters are not displayed it the command line:
```
adduser administrator
```
Add the user to the sudo group:
```
adduser administrator sudo
```
Now you can use the prefix sudo when executing commands that require administrator rights, for example:
```
sudo apt-get install htop
```
In CentOS and Fedora:

Create a user, replacing administrator with your desired name, and create a password for his account:
```
useradd adminstrator && passwd administrator
```
Add the user to the group wheel for the transfer of the rights sudo:
```
usermod –aG wheel administrator
```
Use only strong passwords — minimum of 8 letters of the different register, digits and other special characters. To search for weak passwords among users of your server, use the utilities as “John the ripper”, change the settings in file pam_cracklib.so to set passwords forcibly.

Set the expiration period of the password with the command chage:
```
chage -M 60 -m 7 -W 7 UserName
```
Disable password aging with the command:
```
chage -M 99999 UserName
```
Find out when a user’s password will expire:
```
chage -l UserName
```
Also, you can edit the fields in the file /etc/shadow:
```
{UserName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:
```
where
- Minimum_days: the Minimum number of days before the expiration of the password.
- Maximum_days: the Maximum number of days before password expiration.
- Warn: Number of days before expiration when the user will be warned of the approaching day shift.
- Expire: the exact date of the expiration of the login.
Also it is necessary to limit reuse of old passwords in module pam_unix.so to set a limit on the number of failed login attempts of the user.

To see the number of failed login attempts:
```
faillog
```
Unblock account after failed login:
```
faillog -r -u UserName
```
To lock and unlock accounts, you can use the command passwd:
```
lock account

passwd -l UserName
```
```
unlocak account

passwd -u UserName
```
To make sure that all users set passwords with the command:
```
awk -F: '($2 == "") {print}' /etc/shadow
```
To block users without passwords:
```
passwd -l UserName
```
Make sure that the UID parameter was set to 0 only for root account. Enter this command to see all users with UID equal to 0.
```
awk -F: '($3 == "0") {print}' /etc/passwd
```
You should see only:
```
root:x:0:0:root:/root:/bin/bash
```
If there are other lines, then check whether you have installed for them UID to 0, delete unnecessary lines.
1. Set access rights for users
After you install the password is worth to make sure that all users have access appropriate to their rank and responsibility. In Linux you can set access permissions on files and directories. So there is the ability to create and control different levels of access for different users.

Access categories

Linux is based on work with multiple users, so each file belongs to one specific user. Even if the server is administered by one person for various programs created multiple accounts.

To view users in the system with the command:
```
cat /etc/passwd
```
The file /etc/passwd contains a line for each user of the operating system. Under services and applications can be created separate users who will also be present in this file.

In addition to the individual accounts there is a category of access for groups. Each file belongs to one group. One user can belong to several groups.

View the groups to which belongs your account, use the command:
```
groups
```
Display a list of all groups in the system, where the first field indicates the name of the group:
```
cat /etc/group
```
There is a category of access “other”, if the user does not have access to the file and does not belong to the group.

Types of access

For categories of users there is the ability to set types of access. Usually it’s right to run, read and modify the file. In Linux, access types are marked by two types of notations: alphabetic and octal.

In alphabetic notation, permissions are indicated by letters:

r = reading

w = change

x = start

In octal notation the level of access to files is determined by the numbers from 0 to 7, where 0 indicates no access, and 7 means full access to modify, read and execute:

4 = read

2 = change

1 = start
1. Use the keys to connect via SSH
To connect to the host via SSH is usually used password authentication. We recommend a more secure way – input a pair of cryptographic keys. In this case, the private key is used instead of a password, which will seriously complicate the selection by brute-force.

For example, let’s create a key pair. Actions should be performed on the local computer, not on a remote server. In the process of key generation you can specify a password to access them. If you leave this field blank, you will not be able to use the generated keys to store them in keychain-manager of the computer.

If you have already created the RSA keys before, then skip command generation. To check the existing keys for a start:
```
ls ~/.ssh/id_rsa*
```
To generate new keys:
```
ssh-keygen –b 4096
```
Download of the public key to the server

Replace administrator with the name of the key owner, and 1.1.1.1 with the ip-address of your server. From the local computer, type:
```
ssh-copy-id administrator@1.1.1.1
```
To test the connection, disconnect and re-connect to server — login must occur with the created keys.

Setting up SSH

You can disable connect via SSH as root-user, and to obtain administrator rights to use sudo at the beginning of the command. On the server in the file /etc/ssh/sshd_config you need to find the parameter PermitRootLogin and set the value to no.

You can also deny SSH connection by entering the password so that all users use keys. In the file /etc/ssh/sshd_config, set for parameter PasswordAuthentification value no. If this line doesn’t exist or it is commented out, respectively, add or uncomment it.

In Debian or Ubuntu you can enter:
```
nano /etc/ssh/sshd_config

... PasswordAuthentication no
```
The connection can also additionally secure with two-factor authentication.
1. Install firewalls
Recently was discovered a new vulnerability, allowing to carry out DDoS attacks on servers running Linux. A bug in the core system came with version 3.6 at the end of 2012. The vulnerability allows the hackers to embed viruses into boot files, web page and open up the Tor-connection, with no need for hacking a lot of effort to make — work the IP-spoofing method.

Maximum damage for encrypted HTTPS connection or SSH – termination of the connection, but in the unsecured traffic, the attacker can put new content, including malware. To protect against such attacks is suitable firewall.

Block access using Firewall

Firewall is one of the most important tools for blocking unwanted incoming traffic. We recommend you to skip only really need the traffic and fully deny all the rest.

To filter packages in most Linux distributions there is iptables controller. Usually it is used by advanced users, and to simplify configuration, you can use utilities UFW on Debian/Ubuntu or FirewallD in Fedora.
1. Disable unnecessary services
Experts from the University of Virginia recommend to disable all services that you don’t use. Some background processes installed on the startup and operate to shutdown the system. To configure these programs, you need to check the initialization scripts. Starting services can be done using inetd or xinetd.

If your system is configured with inetd, in the file /etc/inetd.conf you can edit the list of background programs “demons”, to disable startup of service enough to put in the beginning of the line the sign “#”, turning it from the executable to comment.

If the system uses xinetd, its configuration will be in the directory /etc/xinetd.d. Every file in the directory defines a service, which can be disabled by specifying the item disable = yes, as in this example:
```
service finger

{

socket_type = stream

wait = no

user = nobody

server = /usr/sbin/in.fingerd

disable = yes }
```
Also worth checking out an ongoing processes that are not managed by inetd or xinetd. To configure the startup scripts in the directories /etc/init.d or /etc/inittab. After done the changes, run the command under root account.
```
/etc/rc.d/init.d/inet restart
```
9.Protect the server physically

It is impossible to completely defend against malicious attacks with physical access to the server. It is therefore necessary to protect the premises where your system is located. The data centers seriously monitor the safety, restrict access to servers, install security cameras and assign permanent guards.

To enter the data center all visitors must pass certain stages of authentication. Also, it is strongly recommended to use motion sensors in all areas of the centre.
1. To protect the server from unauthorized access
System of unauthorized access or IDS collects data about system configuration and files, and further compares these data with the new changes to determine whether they are harmful for the system.

For example, tools Tripwire and Aide collected a database of system files and protect them with a set of keys. Psad is used to track suspicious activity by using reports firewall.

Bro is created for network monitoring, tracking suspicious schemes of actions, collection of statistics, perform system commands, and generating alerts. RKHunter can be used to protect from viruses, most rootkits. This utility checks your system by database of known vulnerabilities and can identify unsafe settings it applications.

Conclusion

The above tools and settings will help you to partially protect the system, but safety depends on your behavior and understanding of the situation. Without care, caution and constant self learning all the safety measures might not work.

This text is a translation of the article “Как обезопасить Linux-систему: 10 советов” published by @1cloud on habrahabr.ru.

About the CleanTalk service

CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).
September 26, 2016

Author: Alexander

The format of the conference

The most interesting report

A couple of reports about WordPress REST API

Dashboard Calypso

Experience of building a highly loaded WP-site

About legacy-projects

Elasticsearch and ElasticPress

The report about security

Copywriting for professionals

Interview with Matt Mullenweg

Day contributors, how to develop core of WP

The future of WordPress

Next WCEU 2017 in Paris

Step 1: the table and background image

Step 2: link and image

Step 3: style and hover

Precondition

Satisfied laziness wishlist

Vulnerabilities

How to be protected

The extent of the problem

What to do

Why Blogging About Dog Breeding?

What Is Breeding Business?

Challenges When Growing a Simple Blog Into an Online Magazine

It’s time for some business decisions

Growth requires a technical overhaul, too

Restructure the tree of information

Speed and page load

Add new UX features

Conclusion is… One man can only do so much!

What is AMP?

Advantages

How to use it in WordPress

How to setup CleanTalk for AMP

Google validation

Links

To configure the environment preloading before installing Linux

Select the appropriate Linux distribution

Set up automatic security updates

Limit access to external systems

Set access rights for users

Use the keys to connect via SSH

Install firewalls

Disable unnecessary services

9.Protect the server physically

To protect the server from unauthorized access

CleanTalk

Solutions

Documentation

Contact us