Wednesday, July 21, 2010

.ftpaccess files and ftp hacking

A number of my sites have been hacked recently. Lots of dodgy links have been hidden in the html behind the scenes, only visible when you look at 'view source'.

The main vulnerabilities in the approach I use to manage websites come from FTP (or so I am finding out), though I also sometimes use PHP 'includes', which is another no-no.

Anyhow, my provider, 34sp, has come up with a suggestion for resellers to protect their FTP uploads. This seemed like a reasonable idea but has not worked out that well for me, so here's my take on how to adapt their approach.

Despite having an .ftpaccess file in place, a charity site I run has again found itself with lots of dodgy hidden links in its pages. I suspect the problem may be because I created the .ftpaccess file using Dreamweaver 4 with the wrong Line Feed characters - these files apparently MUST have a Unix line feed or they will not work.

I have another problem though. With these .ftpaccess files we are advised to use the enum range if we are not on a static IP address. This seemed reasonable but my ISP's enum ranges seem to change with great frequency so this whole approach is not going to be very reliable for me.

So, I've been wishing I could just turn OFF ftp access until I need it. And that is what I have decided to do, like this.

1. Create an .ftpaccess file as above, but leave only 'Deny all' in it (no other valid IP addresses) and put it in the appropriate directories (httpdocs, httpsdocs and cgi-bin)

2. Using Plesk file manager, change the permissions on the .ftpaccess file to 644, i.e. rw-r--r-- (which seems to be generally recommended as a secure permission setting for .htaccess files)

3. If I want to FTP to the site I first go in to Plesk file manager and move the .ftpaccess file to a special purpose built directory called ftp-off

4. Do whatever FTPing I need to do

5. Go back into Plesk and move the .ftpaccess file into httpdocs (I move the file rather than rename it to retain the permissions settings)

This is a rather belt and braces approach but as far as I can tell it locks off FTP so that only the person with Plesk access can use it.

Now, none of my customers do any FTPing for themselves. But if they did, perhaps the solution would be to allow 127.0.0.1, so that they could get access through siteadmin.

Monday, May 10, 2010

How to Password Protect a Folder or some Files on the web

Placing .htaccess and .htpasswd files in the directory you wish to protect is apparently a good way to put some password protection on folders on the web. So if you want someone to type in a password before they can access a web page, these .ht files are what you would use. There is a good explanation of how you do this here... http://davidwalsh.name/password-protect-directory-using-htaccess - Dave also has a nice tool to let you MD5-hash the password too!

Well, I tried it and I got a '500 internal server error' on the page when I tried to access it. After some head scratching I found this post which reminded me that sometimes the presence of non Unix line breaks can cause problems in files like this: http://www.oreillynet.com/cs/user/view/cs_msg/6238.

Rather than immediately reach for BBEdit, I found a nice article explaining how to ensure Dreamweaver uses Unix line breaks...
http://livedocs.adobe.com/en_US/Dreamweaver/9.0/help.html?content=WSc78c5058ca073340dcda9110b1f693f21-7bdd.html - I don't know why you'd want it any other way!

So, I'm now happy that I have a password protected web page for one of my customers!
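A check for the line-ending and permission problems described in this post and in the .ftpaccess post above, plus the httpdocs/ftp-off toggle from that post, as an added PHP example (not code from the original posts or from 34sp). It assumes it is run on the host itself (for instance with the PHP command line); the .ftpaccess file it checks is a constructed sample.

```php
<?php
// Added example, not code from the original posts: checks an .ftpaccess or
// .htaccess file for the two faults described above (CRLF line endings, which
// stop the file working, and a mode other than 644), converts line endings in
// place, and toggles FTP by moving .ftpaccess between httpdocs and ftp-off.
// The file in the demo is a constructed sample.

/** True if the file contains no carriage-return characters. */
function hasUnixLineEndings(string $path): bool
{
    return strpos(file_get_contents($path), "\r") === false;
}

/** True if the permission bits are exactly 0644 (rw-r--r--). */
function hasMode644(string $path): bool
{
    return (fileperms($path) & 0777) === 0644;
}

/** Rewrite with Unix line endings; the same inode is reused, so the mode is kept. */
function toUnixLineEndings(string $path): void
{
    file_put_contents($path, str_replace(["\r\n", "\r"], "\n", file_get_contents($path)));
}

/** List the faults in an access file; an empty list means it should work. */
function checkAccessFile(string $path, bool $expectDenyAll): array
{
    $faults = [];
    if (!hasUnixLineEndings($path)) $faults[] = 'CRLF line endings';
    if (!hasMode644($path))         $faults[] = 'mode is not 644';
    // An .ftpaccess that is meant to block everyone must carry a 'Deny all' line.
    if ($expectDenyAll && preg_match('/^\s*Deny\s+all\s*$/im', file_get_contents($path)) !== 1) {
        $faults[] = "no 'Deny all' line";
    }
    return $faults;
}

/** FTP on = park .ftpaccess in ftp-off; off = put it back in httpdocs. rename() keeps the mode bits. */
function setFtpEnabled(string $httpdocs, string $ftpOff, bool $enabled): bool
{
    [$from, $to] = $enabled ? [$httpdocs, $ftpOff] : [$ftpOff, $httpdocs];
    return rename("$from/.ftpaccess", "$to/.ftpaccess");
}

// Demo on a constructed .ftpaccess saved with Windows line endings (the Dreamweaver 4 fault).
$dir = sys_get_temp_dir() . '/ftpaccess-demo-' . getmypid();
mkdir("$dir/httpdocs", 0755, true); mkdir("$dir/ftp-off", 0755);
$file = "$dir/httpdocs/.ftpaccess";
file_put_contents($file, "Deny all\r\n");
chmod($file, 0644);
print_r(checkAccessFile($file, true));   // as saved
toUnixLineEndings($file);
print_r(checkAccessFile($file, true));   // after conversion
setFtpEnabled("$dir/httpdocs", "$dir/ftp-off", true);    // before an upload session
setFtpEnabled("$dir/httpdocs", "$dir/ftp-off", false);   // and off again afterwards
```

The same checkAccessFile() call with false as the second argument covers an .htaccess file, where the line endings and mode matter but no 'Deny all' line is expected.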

Monday, February 09, 2009

Lightbox 2 Problem - Progress Indicator on left instead of centred

I've been scratching my head over this for a while but have finally found an answer.

If you are using Lightbox 2 (see huddletogether.com) you might see the progress indicator or 'loading icon' off to the left instead of centred. This is confusing and looks a bit sloppy.

It turns out that if you have used
display: block;
for images in your main CSS this will cause a problem for the Lightbox. Simply edit the jquery.lightbox-0.5.css file adding
display: inline;
to the
#jquery-lightbox a img { }
rule and that should fix it for you.

Described in less detail on the forum.

Monday, September 29, 2008

Cheap / Free Stock Photos - SXC / Fotolia

Dan told me about this cheap/free photo library (you need to check royalties on a photo-by-photo basis).

SXC Photo

Fotolia.com

Don't forget you can also use some of the photos on Flickr too - just check the creative commons licences on each image.

Thursday, August 14, 2008

UK Legal Obligation to put Company Details on a Website

I have only been made aware of this today, but there is a legal obligation for a company to put various details, such as its address and company details, on its website.

Note that there are similar obligations relating to business letters and emails too.

The Google Link: operator

The 'link:' operator on Google is supposed to show you what sites link to yours. This is quite helpful when assessing SEO because as we know, the number of links in to your site helps your ranking.

IT DOESN'T WORK
===============

Google is thought to report only 5% of the backlinks that exist. This is apparently because if they revealed more links, people would be able to figure out how their search algorithms work. So, the bottom line is that the 'Link:' operator is rubbish.
http://www.successful-blog.com/1/check-google-backlinks-through-yahoo/
http://www.seo-guy.com/forum/thread10675.html


Google recommends using Webmaster Tools instead of the link command
====================================================================
"you can get a much larger sampling of sites linking to yours using Google Webmaster Tools"
http://www.google.com/support/webmasters/bin/answer.py?answer=55281&ctx=sibling

Google Webmaster Tools better than the Google Link: operator
http://googlewebmastercentral.blogspot.com/2007/02/discover-your-links.html


Google recommends another alternative approach to the 'link:' command
=====================================================================
"To obtain a comprehensive list of sites that point to a page, perform a Google search on the URL. From the search results page, select the "Find web pages that contain the term" link, and Google will provide you with webpages that mention that address. Note that in this case, Google will return all pages that mention this URL, not just those that link to it."
http://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=34453


Others recommend using the Yahoo link: command
==============================================
http://www.seo-guy.com/forum/thread10675.html - this thread mentions the approach but I think the yahoo operators mentioned no longer work as described.

Backlink checking tools
=======================
There are tools available to check backlinks, such as marketleap.com, but several of them, including marketleap, just report the results of a standard Google 'Link:' query, which is pretty poor.


A quick test looking at www.chrisbikes.co.uk
============================================
Google Link:www.chrisbikes.co.uk - 3 links shown
Google Webmaster Tools - 231 links shown
Google search on www.chrisbikes.co.uk - 42 occurrences shown

Yahoo Link:www.chrisbikes.co.uk - 35 links shown
yahoo.co.uk linkdomain:www.chrisbikes.co.uk - 42 links shown


http://siteexplorer.search.yahoo.com - 263 links shown
http://siteexplorer.search.yahoo.com/uk/ - 35 links shown


Conclusions
===========
There seem to be 3 broad categories of results returned when it comes to looking for backlinks:

1. Absolute Rubbish
- results from google 'Link:' command

2. High Quality Links without much repetition
- results from a google search on the domain, or
- results from the yahoo link: or linkdomain: command

3. Comprehensive list of links with lots of repetition
- results from Google Webmaster Tools
- results from yahoo site explorer (US version - http://siteexplorer.search.yahoo.com)


Recommendations
===============
Do not use the google 'Link:' command.

Consider using the following:
Google Webmaster Tools or Yahoo Site Explorer
http://siteexplorer.search.yahoo.com to get a comprehensive list of links in.

To get a list of high quality links in try the yahoo link: or linkdomain: commands.

Monday, May 05, 2008

Better PHP Includes - php includes - solving "no suitable wrapper could be found"

I've had a few problems with PHP Includes done at the directory level. Particularly with the $root variable I mentioned in a previous post.

34sp pointed out that, "If you simply use the $_SERVER['DOCUMENT_ROOT']."/path/to/file" it is more secure", so that's what I'm doing now.

Friday, April 04, 2008

Free webpages for Cambridge people & another Cambridge Index

www.colc.co.uk is Cambridge Online. They have so many links that they are almost another Cambridge Directory, and a good one too.

They have a great service helping Cambridge People to get on the web, letting you have a 1 page website for free. It's fantastic! These sites seem easy to find on Google too.

Friday, March 14, 2008

SEOmoz | Google Search Engine Ranking Factors

SEOmoz | Google Search Engine Ranking Factors - an excellent article which reports on a survey of SEO experts about which things are important to your web page for effective SEO. I know enough about all this to put quite a lot of faith in this survey - the things ranked as most important here correspond to my understanding.

Wednesday, February 13, 2008

Wordtracker - Keyword analysis

Word Tracker seems like a great tool for helping you figure out which keywords your customers might be typing in to find a business like yours. This is worth a good read.

Thursday, February 07, 2008

Don't let Nominet rip you off for a domain name

I was doing some work for Chris' Bikes today. He had got a domain name renewal letter from Nominet asking for £94 for 2 years. What a complete rip-off! He is not a web expert and might well have just paid it. I talked to the guys at www.34sp.com and we managed to renew the domain name for £10 for 2 years.

I was chatting with someone later who put me onto www.1and1.co.uk. They sell domain names for as little as £2.62 per year!

Tuesday, January 29, 2008

Telling Google WHERE you are in the world

Step 1. Go to http://maps.google.com
Step 2. Go to 'mymaps' tab and create a map, with a pushpin marking your location
Step 3. Hit the 'View in Google Earth' button and save the .kml file
Step 4. Load the .kml file into Google Earth
Step 5. Save the new .kml file from Google Earth (this one is cleaner)

(An alternative to the above 5 steps would be to use http://www.addressfix.com/ - I've just discovered that useful tool!)

Step 6. Edit the kml file in your favourite text editor making good use of the tags and links you can put in there.

Here is a nice example of a .kml file which indicates the kinds of things you can do with the <description> tag:
http://www.seo-expert-services.co.uk/seo-expert-services-london.kml
and in use here.

Step 7. Put a link to the kml file in the sitemap.xml file, like this...
<url>
  <loc>http://www.userexperiencedesign.co.uk/userexperiencedesigncambridge.kml</loc>
  <priority>0.5</priority>
  <changefreq>daily</changefreq>
</url>


Refs:
http://weblog.millionpieces.nl/2007/4/how-to-get-your-information-into-google-maps


Some more advanced KML examples.

Sunday, January 20, 2008

Google Webmaster Tools

Google has some pretty handy Google Webmaster Tools - Dashboard to use to show you how it sees your website.

You can check your robots.txt file here and your sitemap and loads of other stuff.

Add a robots.txt page to tell search engines like google which pages to leave out of the index

There is a good summary of the robots.txt file here: The Web Robots Pages.

These days, you can add a reference to the location of your sitemap here too.

Adding a Sitemap

An interesting Google article asks - What is a Sitemap file and why should I have one?

It is worth adding one to tell google all about your website. It is also worth adding a robots.txt file if you have parts of your website that you would like Google to avoid, or indeed, would like to make really sure Google finds your sitemap!

Tuesday, January 08, 2008

base href does not work for php includes !! (and what to do about it)

Base href is very handy for organizing relative addressing on a website. You may, for example, be working on a project for a client with a directory structure like this:

www.userexperiencedesign.co.uk/projects/cambridge_motorcycles

The 'normal' root of this would typically be www.userexperiencedesign.co.uk but if you want the /cambridge_motorcycles part to be the root, you could define a base href so that all the sub-directories under it would refer to that as root instead. Like this...


<base href="http://www.userexperiencedesign.co.uk/projects/cambridge_motorcycles/" />


This works GREAT for images and general relative addressing.

I was stumped for a while, trying to figure out why this didn't work for PHP includes. PHP experts would not be so stumped. PHP is handled server side, so the base href in the document is not used. After a lot of head scratching I figured that you could define an equivalent for base href to be used by the PHP includes.

First, you need to define the variable in PHP. Mine is like this...

<?php $root = "http://www.userexperiencedesign.co.uk/projects/cambridge_motorcycles/"; ?>


Then, when you call the include file you do it like this...

<?php include($root . "include/header.html"); ?>


This gives us a neat way to fake up a base href equivalent for PHP includes. Neat!

If you are an efficiency expert you might worry about how many server calls are made by the PHP includes and whether, when defining $root, you should give the whole path or something relative. My sites are very small so this is not a big deal for me but if anyone wants to leave comments on efficiency (or anything else) I am always happy to learn!
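The hardened form of this include, following the DOCUMENT_ROOT advice from 34sp quoted in the May 2008 post above, as an added example (not the posts' own code): with $root set to an http:// URL, include() becomes a remote fetch, which is what produces "no suitable wrapper could be found" when the http:// wrapper is disabled, whereas this resolves the path on disk and refuses anything outside the project directory. It assumes the post's /projects/cambridge_motorcycles layout under DOCUMENT_ROOT, that include/header.html exists there, and that it runs under the web server (so DOCUMENT_ROOT is set).

```php
<?php
// Added example, not the posts' own code. With $root set to an http:// URL,
// include($root . "include/header.html") fetches the file over HTTP (a remote
// include); it fails with "no suitable wrapper could be found" when the http://
// wrapper is disabled (allow_url_fopen or allow_url_include off) and is unsafe
// when it is on. This resolves includes under DOCUMENT_ROOT instead, as 34sp
// advised, and refuses anything outside the project directory. It assumes the
// post's /projects/cambridge_motorcycles layout and that include/header.html exists.

define('PROJECT_ROOT', rtrim($_SERVER['DOCUMENT_ROOT'], '/') . '/projects/cambridge_motorcycles');

/**
 * Resolve a project-relative path to an absolute filesystem path, or return
 * null if it names a URL or stream wrapper, does not exist, or escapes PROJECT_ROOT.
 */
function resolveInclude(string $relative): ?string
{
    // No scheme prefixes: http://, ftp://, php://, data: and the like stay out.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $relative)) {
        return null;
    }
    $base = realpath(PROJECT_ROOT);
    $full = realpath(PROJECT_ROOT . '/' . ltrim($relative, '/'));
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // Containment: with symlinks and '..' resolved, the file must still sit under the project root.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

/** Include a project file from disk; returns false (and logs) instead of fetching anything remotely. */
function safeInclude(string $relative): bool
{
    $path = resolveInclude($relative);
    if ($path === null) {
        error_log("Refused include: $relative");
        return false;
    }
    include $path;
    return true;
}

// The post's header include, now read from the local filesystem.
safeInclude('include/header.html');
// Both of these are refused rather than read from outside the project or over HTTP.
safeInclude('../other_project/include/header.html');
safeInclude('http://www.userexperiencedesign.co.uk/projects/cambridge_motorcycles/include/header.html');
```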

Sunday, December 09, 2007

embed a flickr slideshow set to allow good control of display order

I always seem to struggle with embedding flickr photos into my web pages and I'm not sure why really. If you want a lot of control of the order your photos will display, you should create a flickr set and put the photos in there and order them.

Then you'll need to use your flickr user id number (see idgettr.com) and the set id number for your photos (shown in the URL when you view the set).

Then replace the user_id and set_id in the following bit of code, showing my Impington Swimming Club set.

<iframe align="center" src="http://www.flickr.com/slideShow/index.gne?group_id=&user_id=79364623@N00&set_id=72157594394097360" frameBorder="0" width="500" height="500" scrolling="no"></iframe>
<br/><small>Created with <a href="http://flickrslidr.com" title="flickrSLiDR">flickrSLiDR</a>.</small>




Sunday, December 02, 2007

Aardvark Maps - An easy way to add pushpins to Google Maps

Aardvark Map - a simple tool for building a map for your website with a few pushpins on it. A bit like this...



Wednesday, November 21, 2007

Putting code into a blogger post

It can be a bit of a faff to put code onto a blogger post. I have just found a nifty utility to convert it into the right format to make it easy.

Check out http://www.accessify.com/tools-and-wizards/developer-tools/quick-escape/.

This adds the escape characters you need to put code onto a blog. You can put the results between <pre></pre> tags.

How to hide your email address from spammers if you have to put it on the internet

When you put an email address on the internet, computer programs called 'spam robots' will find it by trawling over all the web pages they can find. Over the years these 'spam robots' have become more sophisticated but they can be thwarted to some degree. There are various ways to thwart them, one of which is to make your email address into an image which has no code equivalent that can be read by the programs. This is a bit nasty from an accessibility perspective - how do people with disabilities access this information?

Another way to do it is to assemble the email address with a snippet of javascript. Whilst a computer program could interpret this ('parse it'), it probably won't bother since there are plenty of other email addresses out there which are not protected at all and they may as well sell Viagra to those people.

Here is how my email address is protected. You will see how it appears at the bottom of my website, www.userexperiencedesign.co.uk.

The code looks like this. It's a little more complicated looking than I would like because I have had to ensure that it is still valid XHTML. The comments in the code reference the sources of information I used in coming up with this.

You should note that this is NOT a foolproof way of ensuring you don't get spam but it should reduce the amount you get.

<!-- This Javascript hides an email address from spam robots -->
<!-- See The JavaScript Source!! http://javascript.internet.com -->
<!-- I got this to validate following advice from here http://www.geocities.com/wb7crk/ -->

<!--The 'noscript' tag provides alternative contact info for people with Javascript switched off-->

<div>
<script type="text/javascript">
<!--//<![CDATA[
var user = "carl.myhill";
var site = "userexperiencedesign.co.uk";
document.write("<a href=\"mailto:" + user + "@" + site + "\" accesskey=\"9\">" + user + "@" + site + "<\/a> <em>[9]</em> "); //]]>-->
</script>

<noscript>
<p><em>Contact carl.myhill at userexperiencedesign.co.uk</em></p>
</noscript>
</div>

NOTE: This bit of code also activates accesskey 9 for your email address. This is the standard (in the UK government at least) accesskey for 'feedback' and allows users to hit Alt+9 to send you an email instead of needing to navigate to the link.