Tag Archives: WordPress

Defending Against the Ongoing Attack on Joomla! and WordPress

Be aware that there is a major attack underway aimed at WordPress and Joomla! websites. If you are having trouble accessing the admin system of your site, contact your web hosting company for support; they may have restricted access to help discourage the attack. This would also be a good time to change & beef up your passwords.

How secure is your admin access? One of the easiest changes you can make to boost security is to use a less common admin system username. The top five user names being targeted by attackers are admin, test, administrator, Admin, and root. Do not use those names! Set up something unusual for your admin system username — and a solid password.

The other half of the puzzle: Passwords. The most recent spate of attacks was using some heavy password cracking tools, and they are hard to escape, but not impossible. The bottom line: The longer the password the better (as long as it is not to be found in the dictionary). You can, however combine words. For example, pinkcloudfishmask is a better password than 8jk#BB simply because it is longer. Gibberish is NOT more secure than readable text, assuming your readable text string is not to be found in the dictionary. The top five passwords being attempted in the most recent attacks against WordPress and Joomla! sites were admin, 123456, 111111, 666666, and 12345678. Please be smart and do not make your site vulnerable to password hacks.

You can learn more about the recent cyber attacks aimed at WordPress and Joomla! website by going to: http://securitywatch.pcmag.com/none/310350-wordpress-joomla-sites-under-brute-force-password-attack

The Necessity of Patch Management

One aspect of site security is neglected more often than any other: Keeping your CMS software patched and up to date. We see this problem occur over and over again. Clients purchase websites with content management systems, then once we hand it off to them they do not keep it patched.

We’ll say it again: You must keep up with your website’s CMS software patches! A large number of Joomla! sites were recently compromised by a bot that specifically searched for a very commonly-installed extension which had been the subject of a security patch. The hackers knew that many people would have failed to install the path, so the bot looked for unpatched versions of the extension as a doorway into the site. It worked very well; a number of sites fell victim.

Your CMS software is no different than the software on your desktop, your notebook, your smart phone: There will be patches and maintenance releases and you must install them to keep your site safe from attackers. Also, don’t forget, many times those patches also bring with them new functionality or improved performance, so if you fail to take advantage of the upgrades, you may be missing out on enhancements that also add value to your site.

If you are not comfortable doing upgrades yourself, find someone to help, or contact us. Charges for this type of work are very low — unless of course you have neglected it for too long and you already have a problem — then it gets expensive!

The Lights Beyond LAMP

The 2009 Open Source CMS Market Share Report showed clearly the ongoing dominance of PHP-based content management systems. While the LAMP stack may be the leader in the arena of web content management, it is certainly not the only game in town. For the 2009 Open Source CMS Market Share Report we looked at not only the PHP-based systems, but also the Java and .NET-based systems.


The LAMP stack is populist in nature. Not only does the stack carry the cost advantages of open source, but there also exists a wide assortment of low-cost hosting and a ready (and growing) supply of developers. These characteristics create low barriers for entry and an attractive choice for individuals, hobbyists and small to medium sized enterprises.
While few would dispute that there are numerically more deployments of the common LAMP stack systems, it would be a mistake to assume that this is the only platform that matters. The web content management space is not homogenous. A hobbyist building a personal site, a small company building an online marketing presence, and a medium sized enterprise building a portal for customer relationship management are just three examples of widely disparate, yet common, uses. And while it is possible that all three of those groups might be looking at the same systems, it is more likely that those who require higher level functionality will look beyond the most common PHP-based systems. The argument becomes even more persuasive when you look at enterprise level clients.

For users who demand more functionality, higher security and more robust platforms, Java-based and .NET-based content management systems hold a strong attraction. Indeed, in the enterprise space, those platforms are more likely to be the first choice. Though it is certain that The Big Three — Joomla!, WordPress and Drupal — continue to improve their offerings and are more capable of supporting robust websites, I think it is fair to state that at this point in time few enterprise clients put them on their shortlist.


We included 4 Java-based systems in the survey: Alfresco, Jahia, Liferay and OpenCMS. Of the four, Alfresco topped the set in virtually all the metrics, in many cases ranking behind only The Big Three PHP systems. It was a very strong showing for a system that is not normally thought of in the context of web content management.

Alfresco had a strong lead in brand recognition and brand familiarity ratings. While Alfresco lead Liferay in many metrics, it did not do so across the board; Liferay also performed very well. Liferay showed significantly greater strength in third party support, website popularity metrics and social media prominence. Both Alfresco and Liferay ranked highly in the brand sentiment metrics, with Alfresco coming in third overall in the survey — one of the clear leaders in this key metric. Liferay was not far behind, coming in sixth overall.

Alfresco and Liferay lead OpenCms by a large margin in almost all categories and Jahia not only lagged relative to the other Java based systems, but was one of the weakest performers of the entire survey group. Most troubling for Jahia has to be the brand sentiment data which showed Jahia fourth from last in the survey set, with negative sentiment running very close to 50%.

In sum, from my perspective those interested in implementing Java-based open source content management systems for their web sites have a lot to cheer about. There exist several viable choices and at least two strong, growing players. This is a space that is set to grow and remain competitive in both the short to medium term.

The chart below shows the results of our query on brand familiarity to the survey group:

brand familiarity


.NET is not a platform most people traditionally associate with open source, but over the last couple of years that has begun to change. A large part of that credit has to go to DotNetNuke, who have been waving the open source flag and investing heavily in marketing to get that message out. Perhaps no other system in the survey has shown a more concerted marketing effort than DotNetNuke. That marketing has paid off in brand recognition and has opened the door for .NET as an open source alternative in the minds of many consumers.
This year’s survey found that DotNetNuke leads the .NET open source CMS race over the nearest rival, Umbraco, by a significant margin. However, the good news for DotNetNuke seems to stop right about there.

Our survey found an ongoing deterioration in DotNetNuke market interest; a slide that has continued across the last several years. The system also had one of the worst ratios of trial usage to actual usage, in other words, while they were successful in getting  prospects to try the system, they were less successfully in converting them into actual users. Most troubling of all were the numbers relating to brand sentiment. DotNetNuke finished last of the entire survey set in brand sentiment and was one of only two systems to show more negative than positive responses to the question “What is your general feeling about these companies or projects?” Further corroboration of this conclusion can be found at the Windows Web App Gallery which lists user rankings for four .Net-based content management systems. Of the four, DotNetNuke is ranked the lowest, lagging behind Umbraco, mojoPortal and Kentico CMS.

The chart below shows the results of the query to the survey group on brand sentiment: Do you feel positive or negative about the following brands/products?

brand sentiment

Aside from the brand sentiment metric, DotNetNuke lead Umbraco across the board. However, when you look at the trend in interest levels, there is a sharp contrast: Interest in Umbraco is strengthening. The improvement is slow but steady and the gap between the two systems seems to have closed significantly in the last 12 months. One has to wonder what would happen if Umbraco could match the marketing might of DotNetNuke.

In conclusion, the .NET-based open source CMS market is still wide open. DotNetNuke was certainly the early mover but seems struggling now to hold on to that advantage. The arrival of competing systems like Umbraco, and even more recently mojoPortal, shows that there is plenty of room for competition in this space and that things are only going to get more challenging for DotNetNuke.


The data underlying these conclusions can be found in the 2009 Open Source CMS Market Share Report, from water&stone and CMSWire. Download a free copy of the report at:http://www.cmswire.com/downloads/cms-market-share/
Note: This article originally appeared, in slightly different form, on CMSWire.com: http://www.cmswire.com/cms/web-cms/open-source-cms-market-lights-beyond-lamp-005849.php

Ric’s List of Incredibly Useful WordPress Plugins

:: Note: This article originally appeared on RicShreves.net and is reproduced here with permission. (Ric is one of the partners here at water&stone.)::

This post is one of my favorite kinds of articles: That is, those that arise from real world experiences. A good friend of mine recently moved his personal site over to WordPress. At about the same time I had reason to build a couple of promotional microsites on WordPress. As a result of these two projects I had time to refresh my knowledge of WordPress plugins – and in the process I found some really useful items I’d like to share with you all.

In addition to must-have classics like Akismet or the All-in-One SEO Pack, I discovered a number of newer extensions that address common real world problems. I took the best of the bunch, added it into the list of plugins that make up our standard WordPress deployment, and put together this short article.

If you have incredibly useful favorites that are not on this list, please use the comment form at the bottom of this post to share your experiences.
Without further adieu, I present to you, my dear readers, a list of incredibly useful WordPress plugins:



user rating (at wordpress.org): 4 stars
requirements: WordPress API key

The Akismet plugin provides protection against comment spam. If your site has comments enabled, you should seriously consider adding Akismet. The plugin works by checking comments submitted to your site against the Akismet web service. The plugin then marks those comments that resemble known spam. The administrator can review the spam determination under your blog’s “Comments” admin screen.

ReCAPTCHA For WordPress

user rating (at wordpress.org): n/a
requirements: reCAPTCHA Public & Private API keys

reCAPTCHA is an anti-spam technology from Carnegie Mellon. The system serves two purposes: Helping prevent spam comments on your site while at the same time using the CAPTCHA process to help validate and clean up scanned words from digitized print works (that’s the source of the reCAPTCHA text). This WordPress plugin is supplied by the people over at reCAPTCHA. It helps prevent comment spam and it also uses Mail Hide to prevent email spam.


All In One SEO Pack

user rating (at wordpress.org): 4 stars
requirements: none

The plugin author claims this is the “#1 Most Downloaded WordPress plugin.” While that statement may or may not be correct, there is no doubt that this plugin is incredibly useful. The All in One SEO Pack includes a suite of features all designed to optimize your WordPress site for search engines. The basic version is free (ad supported), while the Pro version is commercial and removes the donation and ad sections.

Key features include:

  • Advanced Canonical URLs
  • Fine tune Page Navigational Links
  • Built-in API so other plugins/themes can access and extend functionality
  • SEO Integration for WP e-Commerce sites
  • Nonce Security
  • Automatically optimizes your titles for search engines
  • Generates META tags automatically
  • Avoids duplicate content

Google XML Sitemaps

user rating (at wordpress.org): 4.5 stars
requirements: none

This plugin, despite the name, generates an XML sitemap that can be indexed by a variety of search engines, including Google, Bing, Yahoo and Ask.com. XML sitemaps improve crawler efficiency and can increase the depth and accuracy of the indexing of your site. The plugin supports all kinds of WordPress generated pages as well as custom URLs and will notify all the major search engines every time you create a post, if you so desire.


Contact Form 7

user rating (at wordpress.org): 4 stars
requirements: none

Create simple or custom forms using the simple syntax of this plugin. Allows you to create and manage multiple forms and supports Ajax-powered submitting, CAPTCHA and Akismet. The Contact Form 7 syntax can even be used in text widgets.

Register Plus

user rating (at wordpress.org): 4 stars
requirements: WordPress API key

Incredibly useful plugin with an extensive set of options for improving your site’s user login and registration form. Want to get rid of that WordPress logo on the login page? No problem with this plugin. How about adding fields to user registration form? You can do that, too. Lots of choices here, including enhanced registration security and moderation.


WP Search Extracts

user rating (at wordpress.org): 5 stars
requirements: none

Improve the usefulness of search results on your WordPress site with WP Search Extracts. This plugin adds a filter to process search results and display the content on either side of the result.

Subscribe To Comments

user rating (at wordpress.org): 3.75 stars
requirements: none

Subscribe to Comments enables commenters to sign up for e-mail notification of subsequent entries. The plugin includes a full-featured subscription manager that your commenters can use to unsubscribe to certain posts, block all notifications, or even change their notification e-mail address. In short, incredibly useful (assuming your site permits comments!).

WP Ajax Edit Comments

user rating (at wordpress.org): 4 stars
requirements: none

A fast, simple tool for administering comments. Enables the administrator to quickly edit or deletecomments without having to go to the WordPress dashboard. Also enables users to edit / manage their own comments and has a variety of configurable options. Note that the developers seem to be moving this plugin to a commercial footing and a recent notice says upgrades will no longer be free of charge.


user rating (at wordpress.org): 4 stars
requirements: none

This plugin adds the ever-popular “Send to a Friend” functionality to your site (enabling users to quickly send a link to your article to someone else via email).


user rating (at wordpress.org): 4 stars
requirements: WordPress API key

WP-PageNavi adds pagination controls to the pages of your site. Displays page count as well as links for Previous, Next and Last, to help users navigate through your pages. The plugin’s functionality is a step up from the WordPress default installation and can be configured (somewhat) to suit your site’s needs.


Broken Link Checker

user rating (at wordpress.org): 4 stars
requirements: none

This plugin will monitor your WordPress installation for broken links and will let you know if any are found. Key features include:

  • Monitors links in posts, pages, the blogroll, and custom fields.
  • Detects links that don’t work and missing images.
  • Notifies you on the Dashboard if any are found and allows you to edit / unlink without having to edit the post.
  • Detects redirected links.
  • Link checking intervals can be configured.

Theme Tester

user rating (at wordpress.org): 5 stars
requirements: none

This WordPress plugin allows the site administrator to change and test new WordPress themes without worrying about changing the theme visible to site visitors. Once activated a new page called “Theme Tester” is linked from the Design page where you can activate the test. While activated you, as an administrator, can change themes as many times as you want without affecting what themes the site visitors see.

WordPress Automatic Upgrade

user rating (at wordpress.org): 4 stars
requirements: none

The secret to absolutely painless upgrades. The plugin backs up the site, downloads the new files, disables the plugins, installs the upgrade and then re- enables your plugins. It even makes a great cup of coffee. OK, that last part isn’t strictly true.


user rating (at wordpress.org): 4 stars
requirements: none

WP-DB-Backup allows you to easily backup not only your core WordPress database tables but also any other tables in the same database. The plugin allows you to schedule the backups and determine where they are kept and in the process delivers incredibly useful peace of mind.

WP Super Cache

user rating (at wordpress.org): 4 stars
requirements: none

WP Super Cache speeds your site by generating static html files from your dynamic WordPress content items. After an html file is generated, your web server will serve that file instead of processing the heavier WordPress PHP scripts. Site performance may not be an issue for most sites, but if you have heavy traffic or experience traffic spikes, this plugin is incredibly useful.


Tweetmeme ReTweet Button

user rating (at wordpress.org): 4 stars
requirements: none

The Tweetmeme button provides the ReTweet functionality you see on a lot of articles online these days. The plugin of the same name for WordPress includes hashtag support extracted from your post tags and the ability to control the length of the tweets. It displays the count of tweets and let’s you change the retweet source displayed.


user rating (at wordpress.org): 5 stars
requirements: a Twitter username

I tried a lot of Twitter plugins recently and at the end of the day I chose Tweet Blender. The author claims that it is “better than Twitter’s own widgets” and I think he may very well be right. Tweet Blender is tag-aware and has support for multiple authors, lists, hashtags, and keywords. Not only can the plugin show tweets from just one user or a list of users, but also it can show tweets for multiple authors AND multiple lists AND multiple keywords AND multiple hashtags all blended together into a single stream.