Category Archives: News

Two new sites

The WordPress software comes with several default designs, and for the past few years they’ve been called ‘Twenty Ten’, ‘Twenty Eleven’ and so on, according to the year they were introduced.

After some design choices that aren’t suitable for any YES site (and most others!), the latest, imaginatively called ‘Twenty Seventeen’, can work well.

For two examples, see DeepTissueSensual.co.uk’s site for ‘massage with a happy ending in Belfast, Dublin, Glasgow, Aberdeen, Inverness, York, Chester, Preston, Euston and many other areas in the UK and Ireland’ and MatureIndian.co.uk’s site for very naughty times in London, Hertfordshire, and Bedfordshire.

In both cases, there was a picture that worked as the featured image on the front page and not too complicated a menu for other pages. Speaking of which, one of the disadvantages is the way that new pages are not added to the menu in their correct order – they’re always added at the end, so you need to move them manually if that’s not what you want. As the new default theme, it may also become overused by other people.

But at the moment, it’s a quick and easy (and therefore cheap) way of having a good looking site that adapts very well to different screen sizes.

Not all ‘upgrades’ are good

WordPress software is behind a large chunk of the web – over a quarter of the top ten million sites, apparently. The good thing about this is that you can easily find someone who knows WordPress and can at least try to help with any problems. The bad thing about this is that breaking into WordPress-based sites is a very popular activity for hackers, and the attempts are both endless and automated.

It would help if the authors of WordPress software took security a bit more seriously. Unless you do something about it, anyone can attempt to log in to your site as many times as they like, as fast as they like – they even made it easy for attackers to try hundreds of user names and passwords in a single request* – with nothing to go ‘Hang on, you’ve tried a thousand different user name and password combinations in the past minute, I don’t think you’re really a human with legitimate access to this site…’** Allow this and eventually the right combination will be found, and the attacker can do anything they like on your site.

So there’s a bit of software on Your Escort Site websites that looks out for repeated failures to log in and blocks that visitor’s access to the site for a while if that happens. The ‘try hundreds at once’ attack is blocked too.

But just checking a user name and password means the WordPress software has to start up, look the user up in the database and do some maths (hashing the password) to see if they match. When this is happening hundreds of times a second, it can slow everything down for real users.
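The lockout logic described above, as an added example rather than Your Escort Site’s plugin or any WordPress code: it reads ordinary web-server log lines, so the counting can be done without WordPress loading and hashing anything. It relies on a WordPress convention that is real (a failed POST to wp-login.php re-renders the form with HTTP 200, a successful one redirects with 302); the thresholds, the weighting given to xmlrpc.php requests and the log lines themselves are constructed for the example.

```python
"""Sliding-window lockout for WordPress login abuse, fed from web-server logs.

Added example, not code from Your Escort Site or WordPress. It assumes the
Apache/nginx 'combined' log format and the WordPress convention that a failed
POST to wp-login.php re-renders the form with HTTP 200 while a successful login
answers 302. Thresholds and the sample log lines are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # failures tolerated per window (constructed)
WINDOW = timedelta(minutes=5)    # sliding window over which failures are counted
LOCKOUT = timedelta(hours=1)     # how long an offender stays blocked (constructed)
XMLRPC_WEIGHT = MAX_FAILURES     # one xmlrpc.php POST can carry hundreds of guesses
                                 # via system.multicall, so one is enough to lock out

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, time, method, path, status), or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    path = m['path'].split('?', 1)[0]
    return m['ip'], ts, m['method'], path, int(m['status'])

def failure_weight(method, path, status):
    """How much a request counts towards lockout: 0 for anything harmless."""
    if method != 'POST':
        return 0
    if path.endswith('/wp-login.php'):
        return 1 if status == 200 else 0   # 200 = form shown again = wrong credentials
    if path.endswith('/xmlrpc.php'):
        return XMLRPC_WEIGHT               # assumption: this site does not use the mobile apps
    return 0

def compute_lockouts(lines):
    """Scan log lines in time order; return {ip: lockout_expiry} for IPs that tripped the limit."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, weight) inside the window
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if ip in blocked and ts < blocked[ip]:
            continue   # still locked out: nothing to count, and ideally dropped before PHP runs
        weight = failure_weight(method, path, status)
        if weight == 0:
            continue
        q = recent[ip]
        q.append((ts, weight))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        if sum(w for _, w in q) >= MAX_FAILURES:
            blocked[ip] = ts + LOCKOUT
            q.clear()
    return blocked

# Constructed sample log: a bot hammering wp-login.php, a real user who mistypes once,
# and a single xmlrpc.php multicall probe.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2017:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.9"',
    '203.0.113.7 - - [10/Mar/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.9"',
    '203.0.113.7 - - [10/Mar/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.9"',
    '203.0.113.7 - - [10/Mar/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.9"',
    '203.0.113.7 - - [10/Mar/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.9"',
    '203.0.113.7 - - [10/Mar/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.9"',
    '198.51.100.20 - - [10/Mar/2017:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2017:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2017:10:01:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Mar/2017:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
]

def demo():
    """Run the detector over the constructed log; returns the lockout table."""
    return compute_lockouts(SAMPLE_LOG)

if __name__ == '__main__':
    for ip, until in demo().items():
        print(f'{ip} locked out until {until.isoformat()}')
```

Run against the constructed log, the bot at 203.0.113.7 is locked out on its fifth failure and the xmlrpc.php probe from 192.0.2.44 on its first, while the real user at 198.51.100.20, who mistyped once and then got in, is untouched. The lockout table is what a front-end (the web server, a firewall, or the plugin) would consume; what it does not show is the blocking itself.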

So Your Escort Site websites have another check to see if someone attempting to log in is real. The web server itself asks for a (separate) user name and password before it will even show the page used to log in to your site. Get it wrong, and the request never reaches WordPress, so the WordPress software never knows it happened. It’s proved very useful whenever there’s a major attack on WordPress-based sites.***

As merely having a password on this page defeats the vast majority of ‘bots’ trying to break in, it doesn’t need to be a good one, so it’s a simple three-letter word. But even that can be forgotten, so along with its request for the password the web server sends a message to the browser telling the visitor what it is! (The message is the ‘realm’ text that this kind of web-server password check lets the server attach to the request.) This should be displayed in the small pop-up asking for the password. (Bots tend to be very stupid and can’t read the message.)
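The exchange just described, as an added example rather than Your Escort Site’s server configuration: the web server answers the first request for the login page with a 401 whose realm carries the hint, and only a request that comes back with the right Authorization header is passed on to WordPress. The user name, password and realm wording are placeholders (the site’s real ones are not on this page), and the stand-in for WordPress is a plain function.

```python
"""HTTP Basic authentication gate in front of wp-login.php, with the hint in the realm.

Added example, not Your Escort Site's or WordPress's own code. GATE_USER, GATE_PASS
and the realm wording are placeholders; the real values are not on the page.
The exchange is:

    GET /wp-login.php                         -> 401, WWW-Authenticate: Basic realm="<hint>"
    GET /wp-login.php                         -> 200, the real WordPress login form
        Authorization: Basic base64(user:pass)

Anything that never sends a correct Authorization header is turned away by the
web server, so WordPress never loads and never sees the attempt.
"""
import base64
import binascii
import hmac

GATE_USER = 'yes'   # placeholder, not the real value
GATE_PASS = 'yes'   # placeholder; the page only says the real one is a short word

# The realm goes in clear to every client. That is the point: a human reads it in the
# browser pop-up (Firefox shows it, Chrome no longer does), a dumb bot does not.
REALM = f'user name "{GATE_USER}", password "{GATE_PASS}"'

def parse_basic_auth(header_value):
    """Return (user, password) from an 'Authorization: Basic <base64>' value, or None."""
    if header_value is None:
        return None
    scheme, _, token = header_value.partition(' ')
    if scheme.lower() != 'basic' or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode('utf-8')
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(':')
    return (user, password) if sep else None

def credentials_ok(user, password):
    """Constant-time comparison; trivially cheap next to WordPress's password hashing."""
    return (hmac.compare_digest(user.encode(), GATE_USER.encode())
            & hmac.compare_digest(password.encode(), GATE_PASS.encode()))

def gate(headers, wordpress):
    """Serve wp-login.php only through the gate.

    `headers` is a dict of request headers; `wordpress` is the next handler and is
    called only when the gate passes. Returns (status, response_headers, body)."""
    creds = parse_basic_auth(headers.get('Authorization'))
    if creds is None or not credentials_ok(*creds):
        return 401, {'WWW-Authenticate': f'Basic realm="{REALM}"'}, ''
    return wordpress(headers)

def wordpress_login_form(headers):
    """Stand-in for WordPress: the real login page, with its own user name and password."""
    return 200, {'Content-Type': 'text/html'}, '<form>real WordPress login form</form>'

def demo():
    """Three constructed requests: a bot sending nothing, a bot guessing, a human who read the pop-up."""
    results = []
    for headers in (
        {},                                                                    # bot: no Authorization
        {'Authorization': 'Basic ' + base64.b64encode(b'admin:password123').decode()},
        {'Authorization': 'Basic ' + base64.b64encode(f'{GATE_USER}:{GATE_PASS}'.encode()).decode()},
    ):
        status, _, _ = gate(headers, wordpress_login_form)
        results.append(status)
    return results   # [401, 401, 200]

if __name__ == '__main__':
    print(demo())
```

The same thing in Apache is an `AuthType Basic` / `AuthName "hint"` / `AuthUserFile` / `Require valid-user` block scoped to wp-login.php, with `AuthName` being the realm the browser shows. The caveat is the one the text already makes: the gate password is not a secret and is not meant to be; it works because it adds a step that scripted attacks do not follow, not because it is hard to guess.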

Different browsers show this login prompt differently. Here’s Firefox getting it right:

Firefox showing the initial popup correctly

Firefox gets it right – can YOU guess what the user name and password are?

Chromium, and Google Chrome and Opera (both of which are based on the Chromium software), used to show the message in a slightly different way, but since a recent upgrade no longer show it at all:

Chrome not showing the message from the web server

Chrome gets it wrong

Why this was thought to be an improvement, I don’t know.

Either way, once the short user name and password are entered, the user gets to the real login screen which looks like..

An example of the real login page

The real login page

.. and that’s where the real user name and password is entered.

* The feature that allowed that is XML-RPC’s ‘multicall’, which lets one request carry many commands at once. It is used by other software of theirs, such as the WordPress mobile apps, but there is zero legitimate use for this aspect of it. It’s still there, sigh.

** They have, finally, stopped suggesting that sites have one particular name (‘admin’) for an account that can do anything on the site, with the result that it was the one most hack attempts tried. It only took several years of people pointing this out before the change was made, sigh.

*** Every few months, basically.

Amazon gift certificates no longer anonymous to send

As far as we know, they’re still anonymous to receive for things like deposits – all the sender needs is your email address – but Amazon have just changed things so that when they’re redeemed the recipient is invited to ‘Send a thank you message to (what Amazon thinks they’re called)’.

Argh.

Buying one from a shop and sending the string of letters and digits (something like CL86-3UP8WF-XM7Q) will still be anonymous, but those only come in specific denominations.

New templates

Someone recently asked about having all their blog posts on the front page of the website. (Usually, they’re accessible from a special page of the site that displays the blog posts.) One of the advantages of using WordPress is that changing how a site looks is easy and this got me looking at themes that do that in a nicer way than usual.

After some tweaking,* there are now three more options for YES sites:

Cards on the table – ideal if you have plenty of pictures you are happy with, this uses a horizontal scroll on wide screens and a vertical one on phones etc.

All up front – again good for showing off your pictures. They are slightly smaller but scroll nicely up and down, including on mobiles, and there’s a menu to the right.

Coin – circles this time! The square picture on the top left is optional.

In all of them, the font and colours can be changed as desired…

* The changes to the themes these are based on are available on request.

Using Yahoo! for mail?

There’s yet another rash of emails from hacked Yahoo! accounts today. What happens is that the hackers build up a stock of passwords for accounts over a month or two, then spend a day or two using them to spam people with assorted crap. They typically CC random names from your contact list to cut down on the number of emails necessary to spam everyone.

So if you don’t want to bother people, including outing clients / contacts to each other, change the password now, and ideally every month or so. You may also want to consider where you access your webmail from. Computers in libraries are usually ok because the terminals are reset between users (but they typically block escort-related sites), whereas random web access points may not be.

The same applies if you’re using Hotmail / Live / Outlook / whatever Microsoft are calling it this month. Interestingly, it is much rarer with Gmail, and their optional two-step verification means a stolen password on its own is no longer enough to get in*.

* Whenever your Gmail account is accessed from a new device, you get a text on your phone with a code. Without the code, you – or anyone else – don’t get in. It can be a pain if you’re just having a quick email check on someone’s laptop, but that may be the very laptop that’s reporting every key press to someone nasty.

Plugin policy

If you log into your site with your admin account* you will see that there’s a menu item called ‘Plugins’. These are small programs that add functionality to a WordPress site.

Some do it behind the scenes (like the one installed to help stop your site being hacked, which locks anyone out of your site for several days once they’ve got your password wrong too many times) and some are more visible, providing assorted superwhizzo features (but like much other shiny stuff, you almost always don’t actually need them!)

Or at least that’s the promise. In practice, some of them are a complete pain: plugins installed by some of the people who have used YES have..

  o   Deleted all their pictures (something that promised to help optimise them)

  o   Slowed their site to a crawl (it was continually trying to back it up)

  o   Locked them – and us – out of their site entirely (an overzealous security plugin). Update: this has now happened twice.

Some plugins also carry a nasty payload: plugins can do almost anything, including turn your site into a toxic mess. Ones you install via your site’s own Plugins menu come from the directory that WordPress runs, so they should be ok in that regard, but people still make mistakes, and one of the basic rules of computing is ‘never be one of the first people on your block to try a new program’ – let other people find out it’s a buggy pile of crap!

So we suggest** that you talk to us before installing any of them, especially if the authors want you to pay for them.

Now that two people have been screwed over by it, we recommend*** that you do not install the plugin ‘Better WP Security’.

It may be a good time to remind people of one of the aspects of the YES support policy: if you mess things up, it may cost you money to have it sorted out. Specifically people who ignore the above recommendation will be charged****.

Update: A rather neat trick means that you won’t be able to install Better WP Security now, even if you try :)

Update 2: The same applies to Wordfence, a similar ‘security’ plugin which looks just as dangerous if you don’t know the implications of what it does.

* Which obviously isn’t called ‘admin’ – that’s the one 95% of hackers try when looking to break in!

** Remember, this is consultancy speak for ‘Have a very good reason for not doing it this way’ :)

*** .. similarly, this means ‘Do it this way or else!’

**** Told you.

Email to and from Hotmail/Live & Yahoo!

For some reason, the usual suspects, two popular but troublesome webmail services, seem to be having even more problems than usual at the moment.

If we don’t reply to an email within 24 hours (usually sooner) we probably haven’t got it. If this is affecting you let us know (for example via a PM on SAAFE) and we can sort out another way to communicate.