Tag: wordpress

  • New anti-spam checks for WordPress, XenForo, phpBB 3.1, SMF, Bitrix

    We are pleased to announce that we have released new versions of the plugins for WordPress, XenForo, phpBB 3.1, SMF and Bitrix.

    In the new version we have added some new spam checks to improve the anti-spam service.

    Mouse tracking and time zone monitoring give good results against spam bots that simulate the behaviour of real visitors.

    These checks will be added for other CMS soon.

    Please update your anti-spam plugins to the latest version:

    WordPress
    XenForo
    phpBB 3.1
    Simple Machines Forum
    Bitrix

  • New version of the Security Service by CleanTalk

    As we informed earlier, CleanTalk launched its website security project. The service protects the administrator control panel from brute-force attacks and records users’ actions.

    Since the 29th of November, Security by CleanTalk has been a cloud service, and all main data is now available in the Service Dashboard. The cost of the service is $20 per year for 1 website.

    Switching to cloud data storage allows us to show more data and lets you use the information more flexibly thanks to the different filters in your Dashboard.

    In previous versions all data was stored in the website database; a large amount of information and the operations on it would affect website speed, which could result in a worse search-engine ranking. Cloud data storage is also safer than the website database: if an intruder gains access to your website, he could delete all the data that might be used to trace him.

    The cloud service stores data for the last 45 days, including the user action log, brute-force attack statistics and successful backend logins, so you can always find out who performed which actions if necessary.

  • WordCamp Europe in Vienna and the vector of development of WordPress

    This year WordCamp Europe 2016 took place in Vienna and attracted more than 2300 guests. The capital of Austria is an excellent choice for such events: it has everything needed, a convenient location, large meeting halls and an active WordPress community. And there is something to see after the conference. Several of our developers attended WordCamp Europe 2016. Below is their story about the most interesting presentations and events.

    The format of the conference

    The conference lasted three days: during the first two days we listened to the talks, and the last day was given over to contributors. The talks were grouped into the categories Development, Design, Business, Content and Community and ran in three parallel tracks, so everyone could find something interesting. Speakers paid much attention to high-load questions, continuous integration, the REST API and the Calypso project.

    About 600 volunteers signed up for Contributor Day. On that day it was possible to take a direct part in the development of WordPress and to learn how the core developers, the translators and the team reviewing plugins and themes for the official catalog work. You could even get advice on organizing a WordPress community in your city.

    A nice bonus was the appearance of Matt Mullenweg, the developer and founder of WordPress and the founder of Automattic, WordPress.com and Akismet. But more on that below.

    The most interesting talks

    PHP7 and WordPress

    The release of PHP7 could not go unnoticed at WordCamp Europe: how to make WordPress work on PHP7 was the subject of Dan Blows’ talk What’s New in PHP7 and what to expect in PHP7.1.

    The WordPress core and many plugins already support PHP7. Quoting the speaker: “Upgrade to PHP 7 easily, and probably everything will work immediately”. But he also raised the points you should pay attention to if you decide to migrate your website to PHP7.

    The speaker described the innovations in PHP and the benefits you get by moving to the seventh version. Dan showed impressive statistics on how much faster WordPress runs on PHP7 compared to PHP 5.6.

    A couple of reports about WordPress REST API

    Especially important were the talks about the REST API. This is one of the most important and most actively developed directions. News from the developers of the WordPress REST API about their difficulties and decisions is incredibly valuable information. Thanks, Joe Hoyle and Adam White! Watch their talks The Ultimate REST API talk and Using the REST API and JavaScript to create better WordPress interfaces.

    The talks covered questions associated with the use of the API and with its development and extension.

    The REST API is not yet part of the core; it exists as a plugin. In his talk Adam underlined the benefits WordPress will get from integrating REST into its core. However, we already have the opportunity to build our apps using the new API.

    The REST API gives unprecedented flexibility, and the expression “WordPress is limited only by your imagination” becomes a reality.

    The Calypso dashboard

    Due attention was given to the relatively new development, Calypso. This is an administration panel for WordPress sites, written in JavaScript and running on top of the WordPress REST API, which will definitely become popular.

    The designer of Calypso talked about the project in general, about what this development cost the team, and shared approaches to organizing effective communication in the project. As Davide Casali said: “Communication is the oxygen”. It is impossible not to agree.

    Experience of building a high-load WP site

    WordPress has long been used for the development of high-load news portals. Such giants as TED, TechCrunch, CNN and NBC built their sites on it. Yes, building a high-load website is not easy, but the speakers from NewsCorp Australia told how to do everything correctly.

    Their experience is another precedent proving that portals with millions of page views per day can be built on WP. The speakers gave valuable information about the development team and the working process, talked about continuous integration, environments and visitor statistics. They also shared information that will help you calculate the necessary costs for such a project.

    An incredibly useful talk, also from the point of view of communication with clients: How NewsCorp Australia scaled WordPress to host Australia’s largest ‘news’ websites on WordPress VIP.

    About legacy projects

    Andrew Nacin is a lead developer of the WordPress core. With years of experience in the development of such a popular CMS, the core developers have identified and summarized the key points of the WordPress philosophy, which Andrew also adheres to.

    Taking over a big project “inherited” from people who never really thought about the future is always difficult, and even painful. If you have such a project, Andrew’s talk will help you understand how to transform it into a stable product that does not require inappropriate investment. Video of the talk is available at the link.

    Elasticsearch and ElasticPress

    Full-text search in a MySQL database is by itself not the best solution, and on high-load sites and sites with large volumes of data even less so. Elasticsearch is one way to implement an efficient search. How does it work, how do you configure Elasticsearch, how do you protect the data, and finally how do you use it in your projects? These questions are answered by Taylor Lovett in the talk Modernizing WordPress Search with Elasticsearch.

    Taylor also talked about the ElasticPress plugin. The speaker is one of the developers of this plugin and knows what he’s talking about. In general, meeting the developers of the components is always a unique opportunity to get details about their use and future development plans.

    The talk about security

    Of course, the most popular website platform in the world is also one of the most attacked, so you need to constantly pay attention to information security.

    Maurizio Pelizzone gave a presentation about securing WordPress websites: WordPress Hardening – Ten tips in ten minutes. The lecturer gave useful tips on how to reduce the risk of being hacked and sleep well.

    Copywriting for professionals

    The first day of the conference ended with the author of the best SEO plugin for WordPress, Joost de Valk, and his wife Marieke van de Rakt. In the talk Beyond SEO – Copywriting for professionals they spoke about the next stage in the evolution of search engines and the importance of high-quality texts.

    The speakers are against “scorched earth tactics”. Joost and Marieke prefer a sustainable and holistic approach to SEO, which involves focusing on all areas of optimization:

    • The technical quality.
    • Good UX & UI.
    • Impeccable security.
    • Great PR & Social

    The basis of this approach is high-quality content, and the principles of such content were presented in the talk. In addition, the speakers spoke about new functionality of their plugin, which makes recommendations for improving the texts on your website.

    Interview with Matt Mullenweg

    Special attention deserves the interview with Matt Mullenweg: Interview and Q&A. Matt’s speech is a traditional part of WordCamp Europe. There is a sofa right on the stage, creating an almost homely atmosphere. In the second part of the performance, Matt talked to the audience.

    They discussed the potentially leading role of the REST API and JavaScript interfaces, and talked about the most successful and promising projects: Jetpack, WooCommerce and WordPress.com, which do a lot for the success of WordPress in particular and for an open Internet in general. Competitors were remembered too, but Matt doesn’t consider them dangerous.

    And much more

    There were other interesting presentations which we did not visit, because we could not be in all three tracks at once. A complete list of videos, as always, is uploaded to wordpress.tv.

    Contributor Day: how the WP core is developed

    The conference was not limited to two days full of interesting presentations and communication. For those especially interested, Contributor Day was scheduled, for which about 600 people signed up. It was held at the University of Vienna, Faculty of Informatics.

    Each participant chose the direction in which he could get acquainted with the open-source development process and assist in the development of WordPress. The areas included core development, plugin and theme development, internationalization, design, marketing and support. Each group was coordinated by an experienced supervisor. The motto of the day was “Thank WordPress”. You could join the community, gain new experience, improve your professional level and make WordPress better.

    The future of WordPress

    WordPress is actively developed. The most interesting and promising areas are the REST API and JavaScript interfaces, and the latter became possible partly thanks to the same REST API.

    There are a lot of improvements in the core; for example, internationalization has improved significantly in recent releases. The technology stack, development approaches, tools and more have all changed greatly since the first version of WordPress. There is forward movement; we see regular releases that add something new.

    The good news is that the core already supports PHP7. At NIX Solutions we already develop projects on the fresh PHP. But as for a full transition to the seventh version, the prospect is not very encouraging: plugins and themes are supported by the community and by individual companies, and not all of them are in a hurry to implement PHP7 support.

    What was most surprising at the conference in Vienna is the maturity of the European community and its serious attitude to WP. We are sure that with such a large, active and talented community, WordPress has a great future.

    Next WCEU 2017 in Paris

    At the end of the conference, according to tradition, the next WordCamp Europe city was announced: the capital of France. See you in Paris!

    This text is a translation of the article “WordCamp Europe в Вене и вектор развития WordPress” published by @NIX_Solutions on habrahabr.ru.

    About the CleanTalk service

    CleanTalk is a cloud service that protects websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website, which allows you to abandon protection methods that require the user to prove that he is human (captcha, question-answer, etc.).

  • What is AMP (Accelerated Mobile Pages)? How to setup CleanTalk for AMP

    What is AMP?

    Accelerated Mobile Pages is a tool for creating static-content web pages that load almost instantly on mobile devices. It consists of three parts:

    1. AMP HTML is HTML with restrictions for reliable performance and some extensions for building rich content.
    2. AMP JS is a library that ensures fast rendering of pages. Third-party JavaScript is forbidden.
    3. Google AMP Cache is a proxy-based content delivery network for delivering all valid AMP documents. It fetches AMP HTML pages, caches them and improves page performance automatically.

    Advantages

    • A lightweight version of standard web pages with fast loading.
    • Instant loading of multimedia content: videos, animations, graphics.
    • Identical encoding: the same fast-rendered website content on different devices.
    • The AMP project is open source, which enables free information sharing and contribution of ideas.
    • A possible SEO advantage, as page load speed is one of the ranking factors.
    • There are plugins for popular CMS that make using AMP on your website easier.

    How to use it in WordPress

    When choosing an AMP plugin, keep in mind the following:

    — Integration with your SEO plugin for attaching the corresponding metadata.

    — Analytics gathering with traffic tracking of your AMP pages.

    — Displaying ads if you are a publisher.

    Available plugins in the WordPress catalog:

    1. AMP by Automattic
    2. Facebook Instant Articles & Google AMP Pages by PageFrog
    3. AMP – Accelerated Mobile Pages
    4. AMP Supremacy
    5. Custom AMP (requires installed AMP by Automattic)

    As an example, let’s install and activate AMP by Automattic and create a new post with multimedia content. Please note: a post, not a page. Pages and archives are not currently supported.

    The AMP by Automattic plugin converts your post into an accelerated version automatically, so you don’t have to duplicate it yourself. Just add /amp/ (or ?amp=1) to the end of the post’s link and that will be enough.

    How to setup CleanTalk for AMP

    Please make sure that the option “Use AJAX for JavaScript check” is disabled, as it would prevent regular JavaScript execution.

    The option is here:

    WordPress Admin Page —> Settings —> CleanTalk and uncheck SpamFireWall.  

    Then, click on Advanced settings —> disable “Use AJAX for JavaScript check” —> Save Changes.

    Other options will not interfere with AMP post functioning. The CleanTalk Anti-Spam plugin will protect all data-sending fields that are rendered after the conversion.

    For now, most AMP plugins remove the ability to comment and to send contact form data on accelerated pages.

    Google validation

    Now you need to validate your website’s structured data using Google’s testing tool:

    https://search.google.com/structured-data/testing-tool/

    If you don’t, a search bot will simply not pay attention to your post and no one will see it in the search results.

    Copy and paste the link to your AMP post and check the result. Fix the problems it points out.

    After that, the AMP version of your post will be ready to use.

    Links

    AMP project:
    https://www.ampproject.org/

    AMP blog:
    https://amphtml.wordpress.com/

    AMP plugins in the WordPress catalog:
    https://wordpress.org/plugins/search.php?q=AMP

    Google Search recommendations of how to create accelerated mobile pages:
    https://support.google.com/webmasters/answer/6340290?hl=en

  • How to reduce a possibility of brute force attacks on WordPress

    Until CleanTalk launched a security plugin, I didn’t pay much attention to the security of the WordPress admin account and relied only on the complexity of the password.

    The most dangerous thing is when bots use brute force to pick the password of the site’s administrator account. This can lead to very serious problems, as the attacker gets full access to the administrator account. Malicious code can be added to your website, the site can be added to a botnet and participate in other attacks or in spreading viruses. The consequences for your reputation can be very sad.

    When the security plugin was launched, I began to receive reports on the plugin’s work, which show the statistics of failed login attempts to the WordPress admin account. Each day there were from 4 to 25 such attempts, from different IP addresses. These were bots guessing the password.

    What I noticed:

    1. The bots knew my login and were guessing the password for it.
    2. I do not use the default username Admin; I changed it.
    3. There are other admin accounts on the blog, but over a few days of observation there were no attempts to break into them.

    I wondered how the bots found out my account and why they did not try to hack the other administrator accounts. Quite simply: I publish posts and write comments under my account, while the other accounts were made for employees, the host and other people who perform actions only in the website dashboard.

    Based on this, I realized that the bots find out the login by parsing pages. Many people publish posts and comments from the admin account.

    For example, when you publish a blog post, the link to the author looks like http://example.com/author/admin***/. Bots browse the code of your website looking for entries of this type on all pages and collect the links for all accounts.

    The same thing happens if you write a comment from the admin account, only the link is of a slightly different kind: http://example.com/members/admin***/

    Even if you published a post or comment from the admin account only once, the bots will find it and will try to crack it.

    I have described one possible scenario for obtaining a list of accounts to hack; there may be others. But experience has shown that if the WordPress administrator account is not used for posts and comments on the website, the bots do not know about it.

    What to do to minimize the possibility of the website administrator account being hacked:

    1. Do not publish posts and comments from the administrator account.
    2. Create an account for each administrator with another role, such as Author or Editor. It all depends on your needs.
    3. Change the current administrator user. Attention! Before that, you need to back up your website and database. I can’t recommend this; if you do it, you do so at your own risk, as this may lead to undesirable consequences.

    You will need to create a new user with administrator rights and a user with another role, such as Author. Log in to the dashboard with the new account and test the Administrator’s ability to manage the site, settings and users.

    Go to “Users” and delete the previous admin account. WordPress will ask you to whom to reassign the articles and comments; here the pre-created Author user comes in handy. Reassign the articles to it and use it in the future to publish posts and comments.

    These actions can be done for other administrator accounts too. But most WordPress users would rather install one of the plugins for protection from brute-force attacks, such as the Security & Firewall plugin from CleanTalk.
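    The daily reports mentioned above boil down to counting failed wp-login.php attempts per source IP. The following is an added example, not code from the CleanTalk plugin, that produces the same kind of statistics from ordinary web server access log lines. The log lines are constructed for the example, and the status-code rule it relies on is an assumption: a POST to /wp-login.php answered with HTTP 200 is treated as a failed attempt (WordPress re-rendered the form), while a 302 redirect is treated as a successful login.

```javascript
// Added example (not code from the CleanTalk plugin): count failed
// wp-login.php attempts per source IP from web server access log lines.
//
// Assumed heuristic: POST /wp-login.php -> 200 means the login form was
// re-rendered (failed attempt); POST -> 302 means the login succeeded.
// GET requests only load the form and are not counted.

// Constructed sample lines in Apache/Nginx "combined" format (not real data).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Dec/2016:10:15:32 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Dec/2016:10:15:34 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Dec/2016:10:16:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Dec/2016:10:16:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Dec/2016:10:16:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
  '192.0.2.9 - - [10/Dec/2016:10:17:40 +0000] "GET /author/admin-site/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
  '192.0.2.9 - - [10/Dec/2016:10:17:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Dec/2016:10:18:03 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
].join('\n');

// ip, ident, user, [timestamp] "METHOD path protocol" status ...
const LOG_LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null; // malformed or truncated line: skip it
  return { ip: m[1], method: m[2], path: m[3], status: Number(m[4]) };
}

function isFailedLogin(entry) {
  const pathOnly = entry.path.split('?')[0]; // ignore ?redirect_to=... and similar
  return entry.method === 'POST' && pathOnly === '/wp-login.php' && entry.status === 200;
}

// Returns a Map of source IP -> number of failed login attempts.
function summarizeFailedLogins(logText) {
  const counts = new Map();
  for (const line of logText.split('\n')) {
    const entry = parseLogLine(line);
    if (entry && isFailedLogin(entry)) {
      counts.set(entry.ip, (counts.get(entry.ip) || 0) + 1);
    }
  }
  return counts;
}

// IPs with at least `threshold` failed attempts, most active first.
function suspiciousIps(logText, threshold) {
  return [...summarizeFailedLogins(logText)]
    .filter(([, n]) => n >= threshold)
    .sort((a, b) => b[1] - a[1])
    .map(([ip]) => ip);
}

for (const [ip, n] of summarizeFailedLogins(SAMPLE_LOG)) {
  console.log(`${ip}: ${n} failed login attempt(s)`);
}
console.log('suspicious (>= 3):', suspiciousIps(SAMPLE_LOG, 3).join(', '));
```

    Feed the function the real access log of one day and compare the count per IP with the 4 to 25 attempts per day described above; IPs that cross the threshold are the ones worth blocking at the web server or in a security plugin.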

  • Solve the problem with caching of dynamic JavaScript code on the frontend of WordPress

    While developing the CleanTalk anti-spam plugin for WordPress, we faced the problem of caching dynamic JavaScript code on the frontend of sites. Namely, if you place JavaScript that contains pieces of code dynamically inserted from the site backend, and the site has any page-caching plugin, the JavaScript code cannot be used as intended.

    Consider an example

    In the backend we have a JavaScript code template,

    <?php
    $html = '
    <script type="text/javascript">
    function ctSetCookie(c_name, value, def_value) {
        document.cookie = c_name + "=" + escape(value.replace(/^def_value$/, value)) + "; path=/";
    }
    ctSetCookie("%s", "%s", "%s");
    </script>
    ';

    $ct_checkjs_key = rand(0,100); // The value of this variable is dynamic
    $field_name = 'ct_checkjs'; // This value is static
    $ct_checkjs_def = 0; // This value is static

    $html = sprintf($html, $field_name, $ct_checkjs_key, $ct_checkjs_def);
    ?>


    An example of the output on the frontend,

    <script type="text/javascript">
    function ctSetCookie(c_name, value, def_value) {
        document.cookie = c_name + "=" + escape(value.replace(/^def_value$/, value)) + "; path=/";
    }
    ctSetCookie("ct_checkjs", "455", "0");
    </script>

    Accordingly, the cache receives JavaScript code in which the parameter values of the ctSetCookie function are unchanged on all pages of the site and the same for all visitors, which makes it impossible to use the JavaScript individually for each visitor. Let’s consider possible solutions.

    Use built-in tools to disable caching

    If a content-caching plugin for WordPress is more or less popular, it is bound to have a means to exclude a list of pages from the cache. For example, for WP Super Cache you can specify in your plugin code the line,

    define( "DONOTCACHEPAGE", true );

    This will be enough to keep your pages with dynamic code out of the cache. The disadvantages of this approach:

    You have to integrate and test your plugin with the popular caching plugins.

    There will still be cases when your code works incorrectly because a site uses a rarely used caching plugin.

    And most importantly, this approach practically eliminates the use of caching plugins if your JavaScript code is placed on all pages of the website or on the most loaded pages.

    Let’s look at another solution.

    AJAX call to the backend

    The essence of this approach is to place only static JavaScript code on the frontend and obtain everything that needs to be dynamic from the site backend through an AJAX call. Example code on the frontend,

    
    //
    // Making a call to admin-ajax.php
    //
    function sendRequest(url, callback, postData) {
        var req = createXMLHTTPObject();
        if (!req) return;
        // Use POST when there is a body to send: a GET request ignores postData,
        // so the "action" parameter would never reach admin-ajax.php.
        var method = postData ? "POST" : "GET";
        req.open(method, url, true);
        if (postData)
            req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
        req.onreadystatechange = function () {
            if (req.readyState != 4) return;
            if (req.status != 200 && req.status != 304) {
                return;
            }
            callback(req);
        };
        if (req.readyState == 4) return;
        req.send(postData);
        return null;
    }
    var XMLHttpFactories = [
        function () { return new XMLHttpRequest(); },
        function () { return new ActiveXObject("Msxml2.XMLHTTP"); },
        function () { return new ActiveXObject("Msxml3.XMLHTTP"); },
        function () { return new ActiveXObject("Microsoft.XMLHTTP"); }
    ];
    function createXMLHTTPObject() {
        var xmlhttp = false;
        for (var i = 0; i < XMLHttpFactories.length; i++) {
            try {
                xmlhttp = XMLHttpFactories[i]();
            }
            catch (e) {
                continue;
            }
            break;
        }
        return xmlhttp;
    }

    //
    // Process the results of the AJAX call: the response body is the new cookie value.
    //
    function ct_callback(req)
    {
        var ct_cookie = req.responseText.trim();
        ct_setCookie('ct_checkjs', ct_cookie);
        return null;
    }
    //
    // Set cookie: expire any existing copy first, then set the new value for one day.
    //
    function ct_setCookie(name, value)
    {
        document.cookie = name + "=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/";
        document.cookie = name + "=; expires=Thu, 01 Jan 1970 00:00:01 GMT";

        var date = new Date();
        date.setDate(date.getDate() + 1);
        setTimeout(function () { document.cookie = name + "=" + value + "; expires=" + date.toUTCString() + "; path=/;"; }, 500);

        return null;
    }

    var ct_ajaxurl = 'http://wordpress.local/wp-admin/admin-ajax.php';
    sendRequest(ct_ajaxurl + '?' + Math.random(), ct_callback, 'action=ct_get_cookie');
    

    Please pay attention to the construction

    ct_ajaxurl+'?'+Math.random()

    It is used so that the AJAX call itself is not cached either.

    Moving to the last listing, let’s look at the backend,

    
    add_action( 'wp_ajax_nopriv_ct_get_cookie', 'ct_get_cookie', 1 );
    /**
     * Returns a new cookie value (called via admin-ajax.php with action=ct_get_cookie)
     */
    function ct_get_cookie()
    {
        global $ct_checkjs_def;
        $ct_checkjs_key = ct_get_checkjs_value(true);
        print $ct_checkjs_key;
        die();
    }


    The only disadvantage of this approach is that your plugin makes one more call to the WordPress backend. Given that the hosting may not be the fastest, or that a dozen or more plugins may be installed on the WordPress site, such a call would increase the site’s response time.

    Good luck in developing for WordPress!

    Learn more about CleanTalk Anti-Spam.

  • How to protect your WordPress site against spam and spam bots

    There are many plugins to protect against spam, and almost all of them have some disadvantages. In our view, the optimal choice is the cloud service CleanTalk.

    Since it is a cloud service that obtains and analyzes data from over 100,000 websites, CleanTalk protects against spam very effectively. Its algorithms analyze the behavior of spam bots, raising the service’s efficiency up to 99.998%. It is one of the fastest anti-spam plugins and does not load the server and database.

    To start using CleanTalk on your WordPress site, follow these steps:

    Go to WordPress Dashboard->Plugins->Add New, type CleanTalk in the search bar and click Install.

    install CleanTalk

    Activate the plugin and go to the CleanTalk settings.

    To connect the plugin to the service you’ll need your access key. To get the key, click the button “Get access key”.

    Get key

    You will be taken to the CleanTalk website. You can change the email used to register for the service.

    Register for an account

    Push the button and get your access key.

    CleanTalk anti spam setup on WordPress

    Return to the plugin settings, insert the access key and click “Save Changes”. The installation and configuration of the plugin is complete; changes in Advanced Settings are needed only in rare cases.

    To test the plugin, log out of the administrator account and go to your website. Write a test comment or make a test registration with the e-mail *@cl*******.org; these messages will be blocked.

    test message

    Next, you should get a message about the blocking

    forbidden

    Great, your website is protected from spam bots!

    Similarly, you can check any form on your website.

    Additional CleanTalk features: Dashboard, viewing logs.

    To view the service logs, go to the CleanTalk Dashboard, or log in to your WordPress Dashboard->Settings->CleanTalk and click “Click here to get anti-spam statistics”

    get stat

    If you have any questions you can always contact us. We will be happy to help you.

    For more info

    Help

    Features

  • Spam Is Still a Big Problem, 99.6% comments/register are spam bots!

    CleanTalk is a dynamically developing cloud service for protecting websites from spam. It is a powerful tool that is becoming a serious competitor to leaders like Akismet and Mollom.

    Spam is a big problem for websites and blogs. Even a just-launched WordPress blog is likely to receive traffic from spam bots.

    In 2013 the share of bot traffic was 61.5%. Compared with 2012, bot traffic grew by 21%, and this growth continues. This non-human traffic consists of search bots, scrapers, hacking tools and other human impersonators, little pieces of code skittering across the web. (Source: Incapsula)

    Without effective automated counter measures, dealing with spam is time consuming, annoying and painfully slow.

    CleanTalk seeks to provide reliable protection, thus contributing to strengthening information security in the world. Every day CleanTalk processes about 2.5 million requests. In general, only 0.4% are comments, registrations, etc. from real visitors, and the remaining 99.6% are spam bots!

    CleanTalk detects and stops spam without CAPTCHAs or other math-based human/bot testing techniques. By analyzing behavioral factors, the parameters of form filling and the structure of the text, CleanTalk achieves very high efficiency. According to the founder of the project, Denis Shagimuratov: “At 2.5 million queries the service makes a mistake in 40-45 cases, i.e. CleanTalk detects spam with 99.9982% accuracy. We constantly monitor these errors and make adjustments to our algorithms”, so the team is aiming to improve those figures over time.

    All of this makes CleanTalk a powerful tool against spam that is easy for users at the same time.

    Nowadays CleanTalk is widely recognized by users, who say CleanTalk is one of the best anti-spam services.

  • For WordPress users, checking existing comments for spam

    CleanTalk offers more protection from spam bots to WordPress sites. The new version provides a unique opportunity to check existing comments for spam.

    CleanTalk adds new features to CleanTalk Anti-Spam; our solutions are reliable, easy and efficient. The module’s work is absolutely invisible to visitors and allows you to give up forever the protection methods that complicate communication on the website (CAPTCHA, question and answer, etc.). CleanTalk allows you to automate protection from spam and from spam-bot registrations.

    The cloud anti-spam service CleanTalk has released a new version of the anti-spam plugin for WordPress; the new version has a unique function for automatically checking the existing comments on the site for spam.

    This allows website administrators to automatically check for and identify spam-bot comments that were not detected by conventional anti-spam tools.

    This function is currently present only for WordPress; it will gradually be introduced for other CMS.

    CleanTalk identifies spam bots using its own algorithms that estimate visitor parameters; on the basis of these checks its own database of spam bots is formed. Checking of existing comments is based on nearly 2 million known spam bots. Detailed statistics allow CleanTalk customers to control the whole process.

    “The CleanTalk team has been developing a cloud spam protection system for four years and has created a truly reliable anti-spam service designed to guarantee your safety”.

    Download the new version of Anti-Spam by CleanTalk for WordPress

  • Limiting the number of password attempts in the web login form using Nginx or HAProxy by way of example of WordPress

    Using WordPress as an example, let’s consider a method for enhancing security by limiting the number of HTTP requests to the password entry form. This helps protect a published blog against brute force (finding the password by trying all possible combinations of a particular character set, or by trying a dictionary of common passwords). In principle, this method can be used to protect other web applications.

    The task can be accomplished using the Nginx module ngx_http_limit_req_module [1], with Nginx acting as a front end to the Apache web server or FastCGI, or via HAProxy [2, 3] acting as a load balancer in front of the web servers.

    In both cases the algorithm works as follows. During authentication the browser requests addresses containing the substring “/wp-login.php”. We need to track this and limit the number of requests from the same IP without affecting access to all other addresses. The blocking settings must be chosen so as not to inconvenience normal users. The lock should be configured especially carefully when the authorization form is used by a large number of users with the same IP address.

    Method №1: Nginx

    http {
        <...>

        limit_req_zone $binary_remote_addr zone=login:10m rate=15r/m;

        server {
            listen 80;
            server_name frontend.example.org;

            location ~* /wp-login.php {
                limit_req zone=login burst=4;
                proxy_pass http://backend:8080;
                <...>
            }

            location / {
                proxy_pass http://backend:8080;
                <...>
            }
        }
    }

    Block settings:

    limit_req_zone $binary_remote_addr zone=login:10m rate=15r/m; sets a shared memory zone that stores the state for different IP addresses. In our case the state is stored in the zone “login” of 10 megabytes, and the average request processing rate for the zone cannot exceed 15 requests per minute. The rate can be specified in requests per second (r/s) or requests per minute (r/m).

    limit_req zone=login burst=4; sets the zone and the maximum burst size. If the request rate exceeds the rate configured for the zone, their processing is delayed so that requests are processed at the configured rate. Excessive requests are delayed until their number exceeds the maximum burst size; beyond that a request fails with error 503.

    Method №2: HAProxy

    In the section of the backend serving our blog, add the following lines [2]:

    tcp-request inspect-delay 10s
    tcp-request content accept if HTTP
    # brute force protection
    acl wp_login path_beg -i /wp-login.php
    stick-table type binary len 20 size 500 store http_req_rate(20s) peers local
    tcp-request content track-sc2 base32+src if METH_POST wp_login
    stick store-request base32+src if METH_POST wp_login
    acl bruteforce_detection sc2_http_req_rate gt 5
    acl flag_bruteforce sc1_inc_gpc0 gt 0
    http-request deny if bruteforce_detection flag_bruteforce
    

    Upon detection of a POST request to the page /wp-login.php, a hash of three elements is stored: the HTTP Host header, the URL path and the source IP. A user identified by this hash can make five requests in 20 seconds; the sixth request will be blocked.

    Sources
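    Before deploying either configuration it helps to check what the numbers actually do to a client. The following is an added example, not part of the original article and not nginx or HAProxy code: two small models of the limits described above. nginxLimiter() follows the leaky-bucket arithmetic of ngx_http_limit_req_module for rate=15r/m burst=4 (the rate is kept in millirequests per second, as nginx stores it, and a rejected request leaves the client state unchanged); haproxyLimiter() is a simplified sliding-window model of the stick-table with http_req_rate(20s) and “deny if rate gt 5”, in which denied requests are still tracked and therefore still counted. The client IPs and timestamps are constructed for the example.

```javascript
// Added example (not nginx or HAProxy code): offline models of the two
// wp-login.php rate limits, to check the configured numbers before rollout.

// Simplified model of ngx_http_limit_req_module (assumption: delayed and
// rejected requests are reported, not actually queued). "excess" is how far
// ahead of the allowed rate a client is, in millirequests; up to burst*1000
// is admitted with a delay, anything beyond that gets a 503.
function nginxLimiter(ratePerMinute, burst) {
  const rate = Math.floor(ratePerMinute * 1000 / 60); // millirequests per second
  const burstMilli = burst * 1000;
  const state = new Map(); // key (client IP) -> { excess, last }
  return function check(key, nowMs) {
    const s = state.get(key);
    if (!s) { // first request from this client: always allowed
      state.set(key, { excess: 0, last: nowMs });
      return { decision: 'pass', delayMs: 0 };
    }
    // Drain the bucket for the elapsed time, then add this request (1000 = one request).
    let excess = s.excess - Math.floor(rate * (nowMs - s.last) / 1000) + 1000;
    if (excess < 0) excess = 0;
    if (excess > burstMilli) {
      return { decision: 'reject', delayMs: 0 }; // 503; client state is not updated
    }
    s.excess = excess;
    s.last = nowMs;
    return excess > 0
      ? { decision: 'delay', delayMs: Math.floor(excess * 1000 / rate) }
      : { decision: 'pass', delayMs: 0 };
  };
}

// Simplified model of "stick-table ... store http_req_rate(20s)" with
// "http-request deny if sc2_http_req_rate gt maxRate": count tracked
// POSTs in a sliding window; the request itself is counted, and so are
// denied ones, because tracking happens before the deny rule.
function haproxyLimiter(windowMs, maxRate) {
  const table = new Map(); // key (host + path + src, as base32+src) -> timestamps
  return function check(key, nowMs) {
    const seen = (table.get(key) || []).filter(t => nowMs - t < windowMs);
    seen.push(nowMs);
    table.set(key, seen);
    return seen.length > maxRate ? 'deny' : 'allow';
  };
}

// Constructed scenario: one client sends six requests at the same instant,
// a second client sends one, then the first client returns 20 s later.
function nginxScenario() {
  const check = nginxLimiter(15, 4); // rate=15r/m burst=4, as in the config above
  const events = [
    ['203.0.113.5', 0], ['203.0.113.5', 0], ['203.0.113.5', 0], ['203.0.113.5', 0],
    ['203.0.113.5', 0], ['203.0.113.5', 0], ['198.51.100.7', 0], ['203.0.113.5', 20000],
  ];
  return events.map(([ip, t]) => check(ip, t));
}

// Constructed scenario: one POST per second to /wp-login.php from one source.
function haproxyScenario() {
  const check = haproxyLimiter(20000, 5); // http_req_rate(20s) gt 5
  const key = 'blog.example.org/wp-login.php|203.0.113.5';
  return [0, 1000, 2000, 3000, 4000, 5000, 6000, 25000].map(t => check(key, t));
}

console.log('nginx:', nginxScenario().map(r => `${r.decision}(${r.delayMs}ms)`).join(' '));
console.log('haproxy:', haproxyScenario().join(' '));
```

    With rate=15r/m (one request per 4 seconds) and burst=4, the first request passes, the next four are admitted but delayed by 4, 8, 12 and 16 seconds, and the sixth is rejected with 503, while another IP is unaffected; in the HAProxy model the sixth POST within 20 seconds is denied, and the client is allowed again once the window has moved on. The nginx delay chain is why the article warns about many users behind one IP address: the limit is applied per source address, so burst and rate need headroom for shared NAT.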

    1. Module ngx_http_limit_req_module – nginx.org
    2. http://blog.haproxy.com/2013/04/26/wordpress-cms-brute-force-protection-with-haproxy/ – blog.haproxy.com
    3. Better Rate Limiting For All with HAProxy – blog.serverfault.com

    This text is a translation of the article “Ограничение количества попыток ввода пароля в веб-форме авторизации при помощи Ngnix или HAProxy на примере WordPress” published by foboss on habrahabr.ru.

    Anti-Spam by CleanTalk.