Tag: wordpress

  • Access key rotation for Anti-Spam and Security

    If your website is connected to CleanTalk, it uses a special Access key to exchange information with the service. We have improved how this key is handled to keep your account safe.

    Connect your website to CleanTalk in 5 minutes and forget about spam.

    Improved Access key safety

    Your Anti-Spam and Security Access keys have no expiration date, so you do not have to do anything about them.

    The Access key does not need to be renewed manually, except in the following cases:

    • You gave a web developer or a freelancer access to your website and the key may have been compromised.
    • Your website has been hacked.
    • You suspect your CleanTalk Access key has been given or copied to a third party.
    • You have any other concerns or risks regarding access to your CleanTalk account.

    You can also change your password or email in the CleanTalk dashboard at any time.

    How to update your Access key

    Step 1: Add your website to the dashboard using the button below. If your site is already connected to CleanTalk, skip to Step 3.

    Step 2: Enter your website URL in the “Site URL” field.

    Step 3: Click the “Settings” button under your website name.

    Step 4: Go to “Change the Access key”.

    Step 5: Click “Generate key” to create a new Access key.

    Step 6: Apply the key by pressing the button below.

    Step 7: Close the window when you are finished.

    Well done! Your new Access key has been generated and applied to your website. It is active from now on, and you can change it again whenever needed to keep it safe.

  • New Options: CleanTalk Anti-Flood and Anti-Crawler

    Hello,

    Recently we added new options to SpamFireWall: Anti-Flood and Anti-Crawler. They are meant to block different kinds of bots. Most visiting bots are not shown in Google Analytics statistics, so you cannot see the exact number of their visits. Nevertheless, bots can put a heavy load on your website and make up a large share of the overall visit statistics. They gather various data about your website: links, pictures, text and so on. More aggressive bots copy your website content to reuse it for themselves.

    Anti-Flood and Anti-Crawler are intended to block unwanted bots: content scrapers, scrapers of shop goods prices, and aggressive website-scanning bots. Search and SEO crawlers such as Google, Bing, MSN, Yandex and Ahrefs are excluded and will not be blocked.

    Anti-Crawler is designed to block any bot (with the exceptions above) on your website. The first visit starts a check of whether the visitor is a bot or a human. If the check fails, the visit to the second page returns a blocking screen. The IP address is added to the blacklist for 10 minutes; when this period expires, the data about that IP address is deleted.
    This option helps block scraping and HTTP DDoS attacks.

    Anti-Flood is designed to prevent aggressive bot behaviour (with the exceptions above). The option counts how many pages one IP visits within 1 minute. If the number of visited pages exceeds the set threshold, that IP is shown a blocking screen. The blocking screen stays active for 30 seconds; after that the IP address can visit the website again until it exceeds the threshold once more.

    By default, the threshold is 10 pages per 1 minute. This number was chosen based on statistics: a normal visitor usually does not open 10 pages at once, more like 3-4 pages, so the threshold is set with a margin.
    You can set your own threshold at any time: https://cleantalk.org/help/anti-flood-and-anti-crawler
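    The Anti-Flood rule described above (10 pages per 60-second window, a 30-second block, search crawlers exempt) as an added simulation in Python. This is illustrative code written for this page, not CleanTalk's plugin code; the log format, the User-Agent substrings used for the exclusion list and all names are assumptions.

```python
"""Per-IP page-rate limiter modelled on the Anti-Flood option described above.
Added example, not CleanTalk's code; log format and names are assumptions."""
from collections import defaultdict, deque

THRESHOLD = 10      # pages per window (the default mentioned on the page)
WINDOW = 60.0       # seconds
BLOCK_TIME = 30.0   # seconds the blocking screen stays active
# Crawlers the page says are never blocked; matched by User-Agent substring here
# (an assumption: real deployments should verify crawler IPs, not just the UA).
EXCLUDED_AGENTS = ("Googlebot", "bingbot", "msnbot", "YandexBot", "AhrefsBot")


class AntiFlood:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, block_time=BLOCK_TIME):
        self.threshold = threshold
        self.window = window
        self.block_time = block_time
        self.hits = defaultdict(deque)   # ip -> timestamps of recent page views
        self.blocked_until = {}          # ip -> time at which the block expires

    def check(self, ip, user_agent, now):
        """Decide one page request: 'allow', 'excluded' or 'block'."""
        if any(name in user_agent for name in EXCLUDED_AGENTS):
            return "excluded"
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "block"          # blocking screen still active
            # Block expired: the IP may browse again until it exceeds the
            # threshold once more, so its old history is dropped.
            del self.blocked_until[ip]
            self.hits[ip].clear()
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # keep only the last WINDOW seconds
            q.popleft()
        if len(q) > self.threshold:
            self.blocked_until[ip] = now + self.block_time
            return "block"
        return "allow"


def run_log(lines, limiter=None):
    """Replay 'seconds|ip|user-agent|path' lines; return (ip, decision) pairs."""
    limiter = limiter or AntiFlood()
    out = []
    for line in lines:
        ts, ip, ua, _path = line.split("|", 3)
        out.append((ip, limiter.check(ip, ua, float(ts))))
    return out


# Constructed sample traffic: one scraper (11 pages in 11 s, then retries),
# one allow-listed crawler and one ordinary visitor.
SAMPLE_LOG = [f"{t}|203.0.113.5|Mozilla/5.0 (scraper)|/post-{t}" for t in range(11)] + [
    "20|203.0.113.5|Mozilla/5.0 (scraper)|/post-20",     # still within the block
    "45|203.0.113.5|Mozilla/5.0 (scraper)|/post-45",     # block expired at t=40
    "50|198.51.100.7|Mozilla/5.0 (compatible; Googlebot/2.1)|/post-1",
    "51|192.0.2.9|Mozilla/5.0 (Windows NT 10.0)|/post-1",
]

if __name__ == "__main__":
    for ip, decision in run_log(SAMPLE_LOG):
        print(ip, decision)
```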

    Thank you!

  • CleanTalk Web Application FireWall for WordPress Security Plugin

    Hello,

    We are happy to announce the CleanTalk Web Application FireWall (WAF) for the WordPress Security Plugin. The main purpose of a WAF is to protect the web application from unauthorized access, even when it has critical vulnerabilities.

    It protects web applications from known and unknown attacks. Its operation is transparent to all visitors to the website, does not require you to know how HTTP works, allows very accurate filtering, and supports both GET and POST methods as well as requests to dynamic resources.

    Attackers use additional HTTP parameters to exploit vulnerabilities that allow them to gain access to a website or make changes to it.

    The WAF intercepts all requests to your website and checks their HTTP parameters for: SQL injection, cross-site scripting (XSS), file uploads from non-authorised users, PHP constructs/code, and the presence of malicious code in uploaded files.

    If an HTTP request contains such parameters, it is blocked. A special page stating the reason for blocking is shown for blocked requests.

    Effective security also requires knowing how well the protection works, so CleanTalk logs all blocked requests, which lets you review and analyse accurate information. You can see your CleanTalk logs in your Control Panel: https://cleantalk.org/my/logs_firewall

    CleanTalk Web Application FireWall for WordPress is a proactive defence against known and unknown vulnerabilities that prevents hacks in real time.

    Learn more about how to set it up and test it:
    https://cleantalk.org/help/security-waf

  • CleanTalk Security for WordPress: More informative log

    We have added new parameters to the Security FireWall Log.

    The CleanTalk WordPress Security Log shows a list of all network requests blocked while loading a page. Each request is displayed in its own row.

    Each of these requests now carries the following field:

    -Page URL to which the request was sent.

    Security FireWall blocks all requests from the most active IP addresses, the ones from which massive spam and brute-force attacks originate.
    Security FireWall can significantly reduce the risk of hacking and reduces the load on your web server. All security logs are stored in the cloud for 45 days.

    Your security log is here https://cleantalk.org/my/logs?cp_mode=security

    Notice: Page URL is available starting with plugin version 1.17.
    Download the latest version here:
    https://wordpress.org/plugins/security-malware-firewall/

    Don’t hesitate to let us know if you have any questions or comments.

  • Feature update for spam comment management in WordPress

    We have launched an update to the options for managing spam comments.

    The new option “Smart spam comments filter” divides all spam comments into Automated Spam or Manual Spam.

    For each comment, the service calculates the probability that the spam comment was sent automatically rather than by a human.

    All automated spam comments are deleted permanently without reaching the WordPress backend, except for comments containing Stop-Words. Stop-Word comments are always stored in the “Pending” folder. Both blocked and banned comments can be seen in the Anti-Spam Log.

    To manage the actions taken on spam comments, go to the Control Panel, select the website you want to change the actions for and go to “Settings” under the name of the website. On the website settings page, select the desired item from the “SPAM comment action” menu and click the “Save” button at the bottom of the page.

  • New anti-spam checks for WordPress, XenForo, phpBB 3.1, SMF, Bitrix

    We are pleased to announce that we have released new versions of the plugins for WordPress, XenForo, phpBB 3.1, SMF and Bitrix.

    In the new versions, we have added new spam checks to improve the anti-spam service.

    Mouse tracking and time zone monitoring give good results against spam bots that simulate the behaviour of real visitors.

    These checks will be added for other CMSs soon.

    Please update your anti-spam plugins to the latest version:

    WordPress
    XenForo
    phpBB 3.1
    Simple Machines Forum
    Bitrix

  • New version of the Security Service by CleanTalk

    As we informed you earlier, CleanTalk has launched its website security project. The service protects the administrator control panel from brute-force attacks and records user actions.

    Since the 29th of November, Security by CleanTalk has become a cloud service, and all main data is now available in the Service Dashboard. The cost of the service is $20 per year for 1 website.

    Switching to cloud data storage allows us to show more data and lets you use the information more flexibly thanks to the different filters in your Dashboard.

    In previous versions all data was stored in the website database, and a large amount of information together with the operations on it affected website speed, which could result in a worse search-engine ranking. Cloud data storage is also safer than the website database: if an intruder gained access to your website, he could delete all the data that might be used to trace him.

    The cloud service stores data for the last 45 days, including the user action log, brute-force attack statistics and successful backend logins, so you can always find out who did what if necessary.

  • WordCamp Europe in Vienna and the vector of development of WordPress

    This year WordCamp Europe 2016 took place in Vienna and attracted more than 2300 guests. The capital of Austria is an excellent choice for such events: it has everything needed, a convenient location, large meeting halls and an active WordPress community. And there is something to see after the conference. Several of our developers attended WordCamp Europe 2016. Below is their story about the most interesting presentations and events.

    The format of the conference

    The conference lasted three days: on the first two days we listened to talks, and the last day was given to contributors. The talks were grouped into categories (Development, Design, Business, Content, Community) and ran in three parallel tracks, so everyone could find something of interest. Speakers paid much attention to high-load questions, continuous integration, the REST API and the Calypso project.

    About 600 volunteers signed up for Contributor Day. On this day you could take a direct part in the development of WordPress and learn how the core developers, the translators and the team that reviews plugins and themes for the official catalog work. You could even get advice on organizing a WordPress community in your city.

    A nice bonus was the appearance of Matt Mullenweg, developer and founder of WordPress and founder of Automattic, WordPress.com and Akismet. But more on that below.

    The most interesting talks

    PHP7 and WordPress

    The release of PHP7 could not go unnoticed at WordCamp Europe: Dan Blows explained how to run WordPress on PHP7 in his talk What’s New in PHP7 and what to expect in PHP7.1.

    The WordPress core and many plugins already support PHP7. Quoting the speaker: “Upgrade to PHP 7 easily, and probably everything will work immediately”. But he also raised the points you should pay attention to if you decide to migrate your website to PHP7.

    The speaker described the innovations in PHP and the benefits you get from moving to the seventh version. Dan showed impressive statistics on how much faster WordPress runs on PHP7 compared to PHP 5.6.

    A couple of talks about the WordPress REST API

    Especially important were the talks about the REST API. This is one of the most important and most actively developing directions. News from the WordPress REST API developers about the difficulties and the decisions taken is incredibly valuable information. Thanks, Joe Hoyle and Adam White! See their talks The Ultimate REST API talk and Using the REST API and JavaScript to create better WordPress interfaces.

    The talks covered questions related to using the API and to its development and extension.

    The REST API is not yet part of the core; it exists as a plugin. Adam in his talk underlined the benefits WordPress will get from integrating REST into its core. However, we already have the opportunity to build our apps using the new API.

    The REST API gives unprecedented flexibility, and the expression “WordPress is limited only by your imagination” becomes a reality.

    The Calypso dashboard

    Due attention was given to the relatively new development, Calypso. This is an administration panel for WordPress sites, written in JS and running on the WordPress REST API, which will definitely become popular.

    Calypso’s designer talked about the project in general, about what this development cost the team, and shared approaches to organizing effective communication in the project. As Davide Casali said: “Communication is the oxygen”. It is impossible to disagree.

    Experience of building a high-load WP site

    WordPress has long been used to build high-load news portals. Giants such as TED, TechCrunch, CNN and NBC built their sites on it. Yes, building a high-load website is not easy, but speakers from NewsCorp Australia told how to do everything correctly.

    Their experience is another precedent proving that WP portals with millions of page views per day are possible. The speakers gave valuable information about the development team and the working process, talked about continuous integration, environments and visitor statistics. They also shared information that will help you estimate the costs of such a project.

    An incredibly useful talk, including from the point of view of communication with clients: How NewsCorp Australia scaled WordPress to host Australia’s largest ‘news’ websites on WordPress VIP.

    About legacy projects

    Andrew Nacin is a lead developer of the WordPress core. Over years of developing such a popular CMS, the core developers have identified and summarized the key points of the WordPress philosophy, which Andrew also adheres to.

    Inheriting a big project from people who have not really thought about the future is always difficult, and even painful. If you have such a project, Andrew’s talk will help you understand how to turn it into a stable product that does not require inappropriate investment. The video of the talk is available at the link.

    Elasticsearch and ElasticPress

    Full-text search in MySQL databases is not the best solution by itself, and even less so on high-load sites and sites with large volumes of data. Elasticsearch is one solution for implementing an efficient search. How does it work, how do you configure Elasticsearch, how do you protect the data, and finally how do you use it in your projects? These questions are answered by Taylor Lovett in his talk Modernizing WordPress Search with Elasticsearch.

    Taylor also talked about the ElasticPress plugin. The speaker is one of the developers of this plugin and knows what he’s talking about. In general, meeting the developers of components is always a unique opportunity to learn details about their use and future development plans.

    The talk about security

    Of course, the most popular website platform in the world is also one of the most attacked, so you need to pay constant attention to information security.

    Maurizio Pelizzone gave a presentation on securing WordPress websites: WordPress Hardening – Ten tips in ten minutes. The lecturer gave useful tips on how to reduce the risk of being hacked and sleep well.

    Copywriting for professionals

    The first day of the conference ended with the author of the best SEO plugin for WordPress, Joost de Valk, and his wife Marieke van de Rakt. In their talk Beyond SEO – Copywriting for professionals, they described the next stage in the evolution of search engines and the importance of high-quality texts.

    The speakers are against “scorched earth tactics”. Joost and Marieke prefer a sustainable and holistic approach to SEO, which involves focusing on all areas of optimization:

    • The technical quality.
    • Good UX & UI.
    • Impeccable security.
    • Great PR & Social

    The basis of this approach is high-quality content, and the principles of such content were presented in the talk. In addition, the speakers spoke about new functionality of their plugin, which makes recommendations for improving the texts on your website.

    Interview with Matt Mullenweg

    The interview with Matt Mullenweg deserves special attention: Interview and Q&A. Matt’s speech is a traditional part of WordCamp Europe. A sofa is placed right on the stage, providing an almost homely atmosphere. In the second part of the performance, Matt talked with the audience.

    They discussed the potentially leading role of the REST API and JS interfaces, and talked about the most successful and promising projects: Jetpack, WooCommerce and WordPress.com, which do a lot for the success of WordPress in particular and for an open Internet in general. Competitors were mentioned, but Matt does not consider them dangerous.

    And much more

    There were other interesting presentations that we did not attend, because we could not be on all three tracks simultaneously. A complete list of videos, as always, is available on wordpress.tv.

    Contributor Day, or how the WP core is developed

    The conference was not limited to two days full of interesting presentations and communication. For those especially interested, a Contributor Day was scheduled, for which about 600 people signed up. It was held at the University of Vienna, Faculty of Informatics.

    Each participant chose a direction in which to get acquainted with the open-source development process and help develop WordPress. The areas included core development, plugin and theme development, internationalization, design, marketing and support. Each group was coordinated by an experienced supervisor. The motto of the day was “Thank WordPress”. You could join the community, gain new experience, improve your professional level and make WordPress better.

    The future of WordPress

    WordPress is actively developed. The most interesting and promising areas are the REST API and JavaScript interfaces, and the latter became possible partly thanks to that same REST API.

    There are many improvements in the core; for example, recent releases significantly improved internationalization. The technology stack, development approaches, tools and more have all changed greatly since the first version of WordPress. There is forward movement, and we see regular releases that add something new.

    The good news is that the core already supports PHP7. At NIX Solutions we already develop projects on the fresh PHP. But as for a full transition to the seventh version, the prospects are not very encouraging: plugins and themes are supported by the community and by individual companies, and not all of them are in a hurry to implement PHP7 support.

    What surprised us most at the conference in Vienna is the maturity of the European community and its serious attitude to WP. We are sure that with such a large, active and talented community, WordPress has a great future.

    Next WCEU 2017 in Paris

    At the end of the conference, according to tradition, the next city for WordCamp Europe was announced: the capital of France. See you in Paris!

    This text is a translation of the article “WordCamp Europe в Вене и вектор развития WordPress” published by @NIX_Solutions on habrahabr.ru.

    About the CleanTalk service

    CleanTalk is a cloud service that protects websites from spam bots. CleanTalk uses protection methods that are invisible to website visitors. This lets you abandon protection methods that require the user to prove he is human (captcha, question-answer, etc.).

  • What is AMP (Accelerated Mobile Pages)? How to setup CleanTalk for AMP

    What is AMP?

    Accelerated Mobile Pages is a tool for creating static-content web pages that load almost instantly on mobile devices. It consists of three parts:

    1. AMP HTML is HTML with restrictions for reliable performance and some extensions for building rich content.
    2. AMP JS is a library that ensures fast rendering of pages. Third-party JavaScript is forbidden.
    3. Google AMP Cache is a proxy-based content delivery network for delivering all valid AMP documents. It fetches AMP HTML pages, caches them and improves page performance automatically.

    Advantages

    • A lightweight version of standard web pages that loads quickly.
    • Instant loading of multimedia content: videos, animations, graphics.
    • Identical encoding: the same fast-rendered website content on different devices.
    • The AMP project is open source, which enables free information sharing and contribution of ideas.
    • A possible SEO advantage, as page load speed is one of the ranking factors.
    • There are plugins for popular CMSs that make AMP easier to use on your website.

    How to use it in WordPress

    When choosing which AMP plugin to use, keep in mind the following:

    — Integration with your SEO plugin for attaching the corresponding metadata.

    — Analytics gathering with traffic tracking for your AMP pages.

    — Displaying ads if you are a publisher.

    Available plugins in the WordPress catalog:

    1. AMP by Automattic
    2. Facebook Instant Articles & Google AMP Pages by PageFrog
    3. AMP – Accelerated Mobile Pages
    4. AMP Supremacy
    5. Custom AMP (requires installed AMP by Automattic)

    As an example, let’s install and activate AMP by Automattic and create a new post with multimedia content. Note that it must be a post, not a page: pages and archives are not currently supported.

    The AMP by Automattic plugin converts your post into an accelerated version automatically, so you don’t have to duplicate it yourself. Just add /amp/ (or ?amp=1) to the end of your link and that is enough.

    How to setup CleanTalk for AMP

    Make sure that the option “Use AJAX for JavaScript check” is disabled, as it would prevent regular JavaScript execution.

    The option is here:

    WordPress Admin Page —> Settings —> CleanTalk, and uncheck SpamFireWall.

    Then click Advanced settings —> disable “Use AJAX for JavaScript check” —> Save Changes.

    Other options will not interfere with AMP posts. The CleanTalk Anti-Spam plugin will protect all data-submitting fields that were rendered after the conversion.

    For now, most AMP plugins remove the ability to comment and to send contact form data on accelerated pages.

    Google validation

    Now you need to validate your website’s structured data using the “Google Validator” tool:

    https://search.google.com/structured-data/testing-tool/

    If you don’t, the search bot will simply not pay attention to your post and no one will see it in the search results.

    Copy and paste the link to your AMP post and see the result. Fix the problems it points out.

    After that your AMP version of the post will be ready to use.

    Links

    AMP project:
    https://www.ampproject.org/

    AMP blog:
    https://amphtml.wordpress.com/

    AMP plugins in the WordPress catalog:
    https://wordpress.org/plugins/search.php?q=AMP

    Google Search recommendations on how to create accelerated mobile pages:
    https://support.google.com/webmasters/answer/6340290?hl=en

  • How to reduce a possibility of brute force attacks on WordPress

    Until CleanTalk launched a security plugin, I didn’t pay much attention to the security of the WordPress admin account and relied only on the complexity of the password.

    The most dangerous thing is when bots use brute force to guess the password of the site’s administrator account. This can lead to very serious problems, as the attacker gets full access to the administrator account. Malicious code can be added to your website, the site can be added to a botnet and participate in other attacks or in the spread of viruses. The consequences for your reputation can be very sad.

    When the security plugin was launched, I began to receive reports on the plugin’s work, which give statistics of failed login attempts to the WordPress admin account. Each day there were from 4 to 25 such attempts, from different IP addresses. These were bots trying to guess the password.

    What I noticed:

    1. The bots knew my login and were guessing the password for it.
    2. I do not use the default username Admin and had changed it.
    3. There are other admin accounts on the blog, but over a few days of observation no attempts to break into them occurred.

    I wondered how the bots found out my account and why they did not try to hack the other administrator accounts. Quite simply: I publish posts and write comments under my account, while the other accounts were made for employees, the host and other people who perform actions only in the website dashboard.

    Based on this, I realized that the bots discover the login by parsing pages. Many people publish posts and comments from the admin account.

    For example, when you publish a blog post, the link to the author looks like http://example.com/author/admin***/. Bots browse the code of your website looking for entries of this type on all pages of the website and collect the links for all accounts.

    The same happens if you write a comment from the admin account; only the link is of a slightly different kind: http://example.com/members/admin***/

    Even if you published a post or comment from the admin account only once, the bots will find it and will try to crack the account.

    I have described one possible scenario for obtaining a list of accounts to attack; there may be others. But experience has shown that if the WordPress administrator account is not used for publications and comments on the website, bots do not know about it.
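    A self-audit for the exposure described above, as an added Python example that is not part of the original post: it parses a page of your own site's HTML for author/member links and reports any slug that belongs to an administrator login. The sample HTML, the administrator list and all function names are constructed for this illustration; in WordPress the author slug is the user's nicename, which by default is derived from the login.

```python
"""Audit a page's HTML for /author/<slug>/ and /members/<slug>/ links and flag
slugs that match administrator logins. Added example; the HTML, admin list and
names below are constructed, not taken from the original post."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Paths of the two forms the post describes; the trailing slash is optional.
AUTHOR_LINK = re.compile(r"^/(?:author|members)/([^/?#]+)/?$")


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags; nothing else is inspected."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def author_slugs(html):
    """Return the set of user slugs a page exposes through author/member links."""
    collector = _LinkCollector()
    collector.feed(html)
    slugs = set()
    for href in collector.hrefs:
        path = urlparse(href).path          # absolute and relative links alike
        match = AUTHOR_LINK.match(path)
        if match:
            slugs.add(match.group(1).lower())
    return slugs


def exposed_admins(html, admin_logins):
    """Sorted list of exposed slugs that equal an administrator login."""
    admins = {login.lower() for login in admin_logins}
    return sorted(author_slugs(html) & admins)


# Constructed sample page: one post byline, one comment author, a plain link
# and the same author link again with a query string.
SAMPLE_HTML = """
<article>
  <p>Posted by <a href="http://example.com/author/siteadmin/">siteadmin</a></p>
  <a href="/about/">About</a>
  <div class="comment">
    <a href="/members/editor_jane/">editor_jane</a> wrote: looks good
  </div>
  <a href="http://example.com/author/siteadmin/?replytocom=5">reply</a>
</article>
"""
# Constructed administrator logins to compare against (case-insensitive).
SAMPLE_ADMINS = ["SiteAdmin", "ops_admin"]

if __name__ == "__main__":
    print("exposed slugs:", sorted(author_slugs(SAMPLE_HTML)))
    print("admin logins exposed:", exposed_admins(SAMPLE_HTML, SAMPLE_ADMINS))
```

    An empty result from exposed_admins means the page does not reveal an administrator login through byline or comment links, which is the state the post recommends.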

    What to do to minimize the possibility of the website administrator account being hacked:

    1. Do not publish posts and comments from the administrator account.
    2. Create an account for each administrator with another role such as Author or Editor, depending on your needs.
    3. Change the current administrator user. Attention! Before that, you need to back up your website and databases. I can’t recommend this, and if you do it, you do so at your own risk, as it may lead to undesirable consequences.

    You will need to create a new user with administrator rights and a user with another role such as Author. Log in to the dashboard with the new account and test the Administrator’s ability to manage the site, settings and users.

    Go to “Users” and delete the previous admin account. WordPress will ask you to whom to reassign the articles and comments; here the pre-created Author user is useful. Reassign the articles to it and use it in the future to publish posts and comments.

    These actions can also be done for other administrator accounts. But most WordPress users would rather install one of the plugins for protection against brute-force attacks, such as the Security & Firewall plugin from CleanTalk.