Category: WordPress

  • For WordPress users, checking existing comments for spam


    CleanTalk now offers WordPress sites more protection from spam bots. The new version of the plugin provides a unique opportunity to check existing comments for spam.

    CleanTalk keeps adding new features to CleanTalk Anti-Spam; our solutions are reliable, easy and efficient. The module works completely invisibly for visitors and lets you abandon for good the protection methods that complicate communication on the website (CAPTCHA, question and answer, etc.). CleanTalk lets you automate protection against spam and against the registration of spam bots.

    The cloud anti-spam service CleanTalk has released a new version of its anti-spam plugin for WordPress. The new version has a unique function: an automatic spam check of the comments that already exist on the site.

    This lets website administrators automatically check for and identify spam-bot comments that conventional anti-spam tools did not detect.

    This function is currently available only for WordPress; it will gradually be introduced for other CMS.

    CleanTalk identifies spam bots using its own algorithms to evaluate visitor parameters, and these checks feed its own database of spam bots. Existing comments are checked against a database of nearly 2 million known spam bots. Detailed statistics let CleanTalk customers control the whole process.

    “The CleanTalk team has been developing a cloud spam protection system for four years and has created a truly reliable anti-spam service designed to guarantee your safety.”

    Download the new version of the CleanTalk anti-spam plugin for WordPress

  • 84% of WordPress sites can be hacked: What’s next?

    CleanTalk is a SaaS spam protection service for Web-sites. CleanTalk uses protection methods which are invisible for site visitors. Connecting to the service eliminates needs for CAPTCHA, questions and answers and other methods of protection, complicating the exchange of information on the site.


    If you often read IT news, you are probably already tired of horror stories about yet another vulnerability found in a popular OS / database / CMS / coffee maker. So this post is not about the vulnerability itself, but about watching how people react to it.

    But first, a few words about the villain of the piece. A critical vulnerability in the popular WordPress blogging engine was found in September by Finnish specialists from a company with the funny name Klikki Oy. Using this hole, an attacker can submit a blog comment carrying special code that executes in the site administrator’s browser when the comments are viewed. The attack allows the attacker to secretly take over the site and do unpleasant things with admin access.

    Here is how easy it looks in practice. Go to a WordPress blog and enter a bad comment (the original post shows this as a screenshot):


    Next we see that the specially crafted comment bypasses the checks and carries out the XSS attack (screenshot in the original post):


    After capturing admin permissions, an attacker can run their code on the server hosting the attacked blog, that is, expand the attack on a broad front. Now is the time to remember that just recently 800,000 credit cards were stolen by a banking trojan that was distributed through WordPress sites.

    This vulnerability applies to all versions of WordPress 3.0 and higher. The problem is solved by upgrading the engine to version 4, which does not have it.

    And now about the actual reaction. The Finnish security experts who discovered the vulnerability reported it to the vendor on September 26. At the time of writing, that is, two months after the discovery, no more than 16% of WordPress users had updated (see the diagram in the title picture of the post). The Finnish experts concluded that the remaining 84%, tens of millions of users of this engine worldwide, remain potential victims.

    In fact, there will certainly be fewer victims, because exploitation has one small additional condition: it must be possible to comment on posts or pages (by default this is available without authorization). What interests us here, however, is the lifetime of the vulnerability, and in this case it can be observed in real time by monitoring the WordPress update statistics here. Although you probably already understand what these figures mean: don’t lock the barn door after the horse is stolen.

    We also monitored attackers’ attempts to exploit this vulnerability “in the wild”. For this we used the application-level network attack detection system PT Application Firewall. Its anomaly-based intrusion detection mechanism worked well in this case, and we did not have to add a signature. In other words, PT AF detected this “0-day” from the very beginning (screenshot in the original post):


    At the moment, exploitation attempts have already been observed. They cannot be called mass, but if you run an older WordPress, you should still update.
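The post boils down to two defender-side facts: installs from 3.0 up to (but not including) 4.0 are affected, and the fix is to update. The following script, an added example that is not part of the original post, audits a list of WordPress site roots against that range. It assumes each install has a stock wp-includes/version.php with a `$wp_version = '...';` assignment; the site roots in the demo are constructed.

```php
<?php
// Added example, not code from the original post. Audits WordPress site roots and
// flags installs in the range the post calls vulnerable (3.0 and higher, below 4.0).
// Assumption: each install has a stock wp-includes/version.php containing
// `$wp_version = '...';`. The site roots used below are constructed for the demo.

function wp_core_version(string $site_root): ?string {
    $file = rtrim($site_root, '/') . '/wp-includes/version.php';
    if (!is_readable($file)) {
        return null;
    }
    // Match the assignment instead of include()-ing the file, so the scanner
    // never executes code from a site it is auditing.
    $src = file_get_contents($file);
    if (preg_match('/\$wp_version\s*=\s*\'([^\']+)\'/', $src, $m)) {
        return $m[1];
    }
    return null;
}

function is_affected_version(string $version): bool {
    return version_compare($version, '3.0', '>=') && version_compare($version, '4.0', '<');
}

function audit_sites(array $site_roots): array {
    $report = [];
    foreach ($site_roots as $root) {
        $version = wp_core_version($root);
        if ($version === null) {
            $report[$root] = 'unknown: no readable wp-includes/version.php';
        } elseif (is_affected_version($version)) {
            $report[$root] = "$version: affected, update to 4.0 or later";
        } else {
            $report[$root] = "$version: not in the affected range";
        }
    }
    return $report;
}

// Demo on a constructed install (a 3.9.2 version.php) written to the temp dir.
$demo = sys_get_temp_dir() . '/wp-audit-demo-' . getmypid();
mkdir("$demo/wp-includes", 0700, true);
file_put_contents("$demo/wp-includes/version.php", "<?php\n\$wp_version = '3.9.2';\n");
foreach (audit_sites([$demo, '/srv/www/no-such-site']) as $root => $status) {
    echo "$root => $status\n";
}
unlink("$demo/wp-includes/version.php");
rmdir("$demo/wp-includes");
rmdir($demo);
```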

    This text is a translation of article “84% сайтов на WordPress могут быть взломаны: что дальше?” by ptsecurity published on habrahabr.ru.

    Forums and blogs without spam


  • Little-known functions in WordPress


    Has it ever happened that, while reading through the code of a third-party plugin or theme, you found a quite useful standard function you did not know about before? At such moments any developer feels a pang of worthlessness, remembering how they reinvented the wheel in previous projects.

    To reduce the amount of frustration, I decided to describe a few little-known but very useful functions:

    make_clickable
    Finds links in the text and makes them clickable.
    Example:

    $string = "This is a long text that contains some links like https://www.wordpress.org and https://www.wordpress.com .";
    echo make_clickable( $string ); 
    

    popuplinks
    Adds target='_blank' rel='external' to all links in the text.
    Example:

    $string = "This is a long text that contains some links like <a href='https://www.wordpress.org'>https://www.wordpress.org</a> and <a href='https://www.wordpress.com'>https://www.wordpress.com</a> .";
    echo popuplinks( $string ); 
    

    wp_list_pluck
    Extracts a given field from each element of a collection.
    Example:

    $posts = get_posts();
    $ids = wp_list_pluck( $posts, 'ID' ); // [1, 2, 3, ...]
    

    antispambot
    Converts an email address into HTML character entities to protect it from spam bots.
    Example:

    $email = 'ex*****@***il.com';
    echo '<a href="mailto:' . antispambot( $email ) . '">' . antispambot( $email ) . '</a>';
    

    checked / selected
    Outputs the checked (selected) attribute if the first argument equals the second.
    Example:

    <input type="checkbox" name="remember" value="1" <?php checked( $remember ) ?> />
    <select name="options">
        <option value="1" <?php selected( $options, 1 ); ?>>1</option>
        <option value="2" <?php selected( $options, 2 ); ?>>2</option>
        <option value="3" <?php selected( $options, 3 ); ?>>3</option>
    </select>
    

    human_time_diff
    Presents a time difference in human-readable form.
    Example:

    $published = get_the_time( 'U' );
    echo human_time_diff( $published ); // 2 days
    

    wp_send_json_success / wp_send_json_error
    Outputs data as JSON for Ajax requests and terminates the request.
    Example:

    if( $success ) {
        $result = array(
            'message'	=> 'Saved',
            'ID'		=> 1
        );
        wp_send_json_success( $result ); // { "success": true, "data": { "message": "Saved", "ID": 1 } }
    }
    else {
        wp_send_json_error(); // { "success": false }
    }
    

    wp_remote_get / wp_remote_post
    Retrieves data from a third-party web resource.
    Example:

    $response = wp_remote_get( "https://api.twitter.com/1.1/search/tweets.json?q=%23WordPress", array( 'timeout' => 10 ) );
    $tweets = wp_remote_retrieve_body( $response );
    
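The example above uses the response directly, but wp_remote_get() returns a WP_Error on transport failure and an array for any HTTP status, so a handler that trusts it blindly breaks on the first timeout or 5xx. Here is the same call made robust and wrapped in an Ajax handler that answers with wp_send_json_success / wp_send_json_error. This is an added example, not code from the original post; it assumes it runs inside WordPress, and the hook name, nonce name and JSON field names are assumptions.

```php
<?php
// Added example, not from the original post. Assumes WordPress is loaded (the
// wp_remote_* and wp_send_json_* functions exist); the action name, the nonce
// name and the "statuses"/"text" JSON fields are assumptions for the demo.

function cleantalk_demo_fetch_tweets() {
    // Reject requests that do not carry a nonce issued for this action (CSRF guard).
    check_ajax_referer( 'cleantalk_demo_nonce', 'nonce' );

    $url      = 'https://api.twitter.com/1.1/search/tweets.json?q=%23WordPress';
    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );

    // Transport failures (DNS, TLS, timeout) come back as WP_Error, not an array.
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( array( 'message' => $response->get_error_message() ), 502 );
    }

    // Only a 200 body is worth parsing; report anything else instead of
    // silently passing an error page on as if it were data.
    $code = (int) wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        wp_send_json_error( array( 'message' => "Upstream returned HTTP $code" ), 502 );
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( array( 'message' => 'Upstream body is not valid JSON' ), 502 );
    }

    // Escape third-party text here, so the browser side never inserts raw HTML.
    $tweets = array();
    foreach ( (array) ( $data['statuses'] ?? array() ) as $status ) {
        $tweets[] = esc_html( $status['text'] ?? '' );
    }
    wp_send_json_success( array( 'tweets' => $tweets ) ); // {"success":true,"data":{"tweets":[...]}}
}
add_action( 'wp_ajax_cleantalk_demo_fetch_tweets', 'cleantalk_demo_fetch_tweets' );
```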

    wp_is_mobile
    Detects whether the visitor is using a mobile device.
    Example:

    if ( wp_is_mobile() ) {
        get_footer( 'mobile' );
    }
    else {
        get_footer();
    }
    

    wp_oembed_get
    Converts a link to a media resource into the embed code of its player.
    Example:

    $youtube_url = 'https://www.youtube.com/watch?v=Lcvh0DgytH8';
    $embed_code = wp_oembed_get( $youtube_url, array( 'width' => 800 ) );
    

    wp_tempnam
    Creates a temporary file with a unique name.
    Example:

    $tmp_file = wp_tempnam( 'cache.log', get_temp_dir() ); // path of the newly created temporary file
    

    zeroise
    Pads a number with leading zeros to the specified length.
    Example:

    $tickets_count = 8;
    echo zeroise( $tickets_count, 3 ); // 008
    

    capital_P_dangit
    Corrects common misspellings of the WordPress brand name.
    Example:

    $string = "I Love Wordpress"; // lowercase "p", the common misspelling
    echo capital_P_dangit( $string ); // I Love WordPress
    

    get_num_queries
    Shows the total number of SQL queries the page made to the database.
    Example:

    <!-- Number of queries: <?php echo get_num_queries(); ?> -->
    

    wp_text_diff
    Finds the differences between two texts and displays them in a form convenient for comparison.
    Example:

    $left_string = 'This is the original string';
    $right_string = 'This is the revised string';
    echo wp_text_diff( $left_string, $right_string );
    

    submit_button
    Generates the HTML for a submit button.
    Example:

    <?php submit_button( __( 'Save Changes' ) ); ?>
    

    enjoy 🙂

    This text is a translation of article “Малоизвестные функции в WordPress” by Pingbull published on habrahabr.ru.


  • Accelerate WordPress


    WordPress in its standard setup is quite slow. By default the engine does not use several modern web features that give significant acceleration. There is a whole bunch of plugins for optimizing WordPress. Let’s put things in order and go through a major optimization to speed WordPress up.

    Before we begin, let’s see what a raw WordPress install scores on PageSpeed (screenshot in the original post):

    A result of 76 out of 100 is pretty low. Let’s see how this figure can be raised.

    Server part

    Nginx

    If you are not already using Nginx, it is time to move to it: a simple and powerful solution. A configuration supporting permalinks and caching of static files:

    server {
            server_name wp.com;
            root /var/www/wp; # path to the WordPress root
            index index.php;
    
            location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
                    access_log off;
                    log_not_found off;
                    expires max; # cache static files
            }
    
            location / {
                    try_files $uri $uri/ /index.php?$args; # permalinks
            }
    
            location ~ \.php$ {
                    try_files $uri =404; # never hand a non-existent path to PHP-FPM
                    fastcgi_pass unix:/var/run/php5-fpm.sock;
                    fastcgi_index index.php;
                    include fastcgi_params;
            }
    }
    

    PHP cache

    If you have no special reason not to install APC, enable it without fail. To check that APC is active (the output should list the APC settings):

    php -i | grep apc

    PHP 5.5 and later have the built-in OPcache module, so on those versions APC does not need to be installed.

    Tuning MySQL

    WordPress uses InnoDB, which means we can significantly improve MySQL performance by adjusting a number of parameters (in my.cnf) to our hardware:

    The InnoDB buffer pool size is best set to half of the available RAM:

    innodb_buffer_pool_size = 256M
    

    Do not forget to enable the MySQL query cache:

    query_cache_size = 32M
    query_cache_limit = 1M
    

    Caching

    This is the most important point. Caching can speed the site up significantly and save server resources. For clarity we will use ab from Apache. Let’s test a standard WordPress install without caching. The request is sent over the local network, so the delay is created by nothing but WordPress itself:

    ab -c 10 -n 500 https://wordpress/

    We get an average time of about 50 ms per request:

    Total transferred:      4183000 bytes
    HTML transferred:       4074500 bytes
    Requests per second:    17.62 [#/sec] (mean)
    Time per request:       567.421 [ms] (mean)
    Time per request:       56.742 [ms] (mean, across all concurrent requests)
    Transfer rate:          143.98 [Kbytes/sec] received
    

    Chrome shows an average wait for the response of 150 ms (the server is in the Netherlands):

    WP Super Cache

    This plugin lets you enable caching in literally one action. Besides the default settings, it contains a large number of options for tuning the cache. Download the plugin, activate it in the control panel and turn on the cache.

    With WP Super Cache enabled we get a 25-fold (!) reduction in the average time per request:

    Total transferred:      4293500 bytes
    HTML transferred:       4146500 bytes
    Requests per second:    499.01 [#/sec] (mean)
    Time per request:       20.040 [ms] (mean)
    Time per request:       2.004 [ms] (mean, across all concurrent requests)
    Transfer rate:          4184.61 [Kbytes/sec] received
    

    The average wait for the response in Chrome decreased by 3 times:

    As a server-side alternative to WP Super Cache you can use Varnish. It reduces request processing time by nearly an order of magnitude, but the solution is less flexible (it suits blogs without dynamic elements well).

    Styles, scripts and images

    Minification and Compression

    Minifying CSS / JS can save 10 to 15% of their size. To enable minification of static files, use the WP Minify module: download it, activate it, and the module starts working. Gzip reduces the size of text files several times over. In Nginx it is enabled as follows:

    server {
    ...
    gzip on;
    gzip_disable "msie6";
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
    ...
    }
    

    Optimizing images

    Pictures can be a very large part of the overall page size. Lossless compression of images can save 30 to 40% of their size. The EWWW Image Optimizer module can do this. For it to work you will need to install ImageMagick and the GD library:

    apt-get install imagemagick php5-gd
    

    Good practice and experience

    • It is best to choose VPS hosting for WordPress. On shared hosting much of the above cannot be done. Besides, VPS is cheap enough now
    • Check themes with PageSpeed before using them
    • Clean out the trash
    • Delete old post revisions
    • Remove spam comments
    • Disable trackbacks at moments when everything becomes very slow
    • Serve RSS via FeedBurner

    As a result

    We managed to speed up a raw WordPress install about 100 times on page generation time (with Varnish enabled) and raise the PageSpeed score from 76 to 93:

    This text is a translation of article “Ускоряем WordPress” by golotyuk published on habrahabr.ru 
