Update: 4.7.08 @ 2115h: Looks like ZDNet was hit, as per John’s comment below, via an xml-rpc hack, and no — they aren’t running an old version of WP either, which makes one wonder how vulnerable the newer versions of Wordpress are.

Just to recap: earlier, I documented how Tailrank’s “spam” was accidentally documenting some massive hacking efforts into blogs around the world. What I didn’t realize was that one of the “victims” was one of the more well-known tech blogs in the blogosphere, ZDnet.

Thanks to some intrepid screen capturing it looks like Allen Stern has shown that at one time ZDnet’s own blogs may have been hacked. If you head over to Tailrank, you’ll find that under the “technology” section (as of this writing) there is a ton of credit-card spam. However, as I mentioned yesterday, these are all legitimate blogs that have been hacked.

What’s surprising is that a lot of them are blogs from ZDnet, such as Steve Gillmor’s Inforouter, or ITFacts. As I mentioned yesterday, the probable reason why they are showing up as “spam” is that those blogs were hacked and malicious ‘invisible’ code was inserted, which is what Tailrank is picking up (by accident!)

I was twittering with Matt Craven last night who wondered if Wordpress vulnerabilities were the issue. That, in fact, *may* be the case, as certainly ZDnet are running pretty old versions of Wordpress which are probably sensitive to security breaches — in fact, if you look up the source code, they are running, as of this writing, Wordpress 2.1.3, which, in fact is more than a year old.

addendum: As per John from CNet below, they are not.

As of this writing, it looks like ZDnet has scraped out all of the ‘invisible’ code / links by cleaning up their headers, but they’d do well to upgrade to a more secure version of Wordpress (and it’s a lesson we should all take heed of!).

MORE: Wondering where some of the Wordpress hackers come from? (not all, of course) Abe Olandres, former editor of the BlogHerald, notes that some of them are Filipino. He’s worked on some security problems in Wordpress and has found some of the comments to be in Tagalog. Furthermore, he sheds some light on exactly the kinds of Wordpress exploits that some hackers are using. <Disclaimer: Again, I am not suggesting that all hackers are Filipino, I only use the post to illustrate the issue>

Apr 07 2008, 12:20 pm

I’m embarrassed to say that I actually knew this tip a while ago, but never got around to implementing it until I read about it *again* today. Embarrassed because this blog has been hacked a few times, and in a fairly devious fashion as well, sometimes perhaps because of an old Wordpress installation — or, perhaps because of insecure folders (which makes me think someone behind Wordpress should really fix it).

What’s this tip?  Oh, a simple fix to get around securing your Plugins folder.

If you’re running Wordpress, unless you’ve already locked down your wp-content folder with some .htaccess fixes, you may not notice that your wp-content/plugins folder is naked and bare to the world. That is, navigate to http://www.yourblogname.com/wp-content/plugins and you may find a directory listing of your plugins folder, files and all. How do you fix it? Easy. Just upload an empty index.html into the wp-content/plugins folder and it’s all fixed.

Just out of curiosity, I decided to check the plugins folders of some other bloggers that I knew — while some did have this fixed, a surprising number did *not*.

If you haven’t locked down your plugins folder, please do so, because for many people it’s showing, and it’s just about as easy to fix as doing up your zipper.
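The empty index.html fix only covers the directory it sits in; each plugin's own subfolder is still listable unless it has an index file too. The script below is an added example, not from the original post: it reports every directory under wp-content that lacks an index file and applies the same fix to each. The plugin names and the sample tree are constructed, and it assumes the server treats index.html and index.php as index files.

```shell
#!/bin/sh
# Added example (not from the original post): find directories that would show
# a listing when auto-indexing is on, then apply the empty index.html fix.
# Assumption: the server treats index.html and index.php as index files.

# Print each directory under $1 that has no index file.
list_unprotected_dirs() {
    find "$1" -type d | sort | while IFS= read -r dir; do
        if [ ! -e "$dir/index.html" ] && [ ! -e "$dir/index.php" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Create an empty index.html in each directory reported above.
protect_dirs() {
    list_unprotected_dirs "$1" | while IFS= read -r dir; do
        : > "$dir/index.html"
    done
}

# Build a constructed sample tree (hypothetical plugin names); print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/sample-stats/lib" \
             "$root/wp-content/plugins/sample-gallery"
    : > "$root/wp-content/plugins/index.html"      # the fix from the post
    : > "$root/wp-content/plugins/sample-gallery/index.php"
    printf '%s\n' "$root"
}

tree=$(make_sample_tree)
echo "Listable before the fix:"
list_unprotected_dirs "$tree/wp-content"
protect_dirs "$tree/wp-content"
echo "Listable after the fix: $(list_unprotected_dirs "$tree/wp-content" | wc -l | tr -d ' ')"
rm -rf "$tree"
```

On Apache, `Options -Indexes` in an .htaccess file turns listings off for the whole tree at once, provided the host allows that override.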

Jan 19 2008, 11:12 am

Google vs. Technorati — You might be surprised

So, if you’re like me and have updated to Wordpress 2.3, you may have also noted that on the Wordpress dashboard, the “inbound links” list is now being populated by Google’s Blogsearch and not Technorati.

There’s been some talk about how relevant Technorati has been (including a particularly shrill post by yours truly), and perhaps because it *hasn’t* been, getting Google to index inbound links, therefore, is a Good Thing.

But is it?

Is Google’s Blogsearch *good* at finding those inbound Blog links? 

Now, a quick look by myself shows that for Deep Jive Interests, the answer is a resounding “HELL NO.” The last time Google shows any inbound link is October 30th, but in fact I have inbound links all the way until yesterday. In fact, Technorati is able to find blogs that have linked to me within the minute those posts (that have those links) are published. Google looks like it’s about a week behind.
Now the caveat here is that I am still waiting for my blog to get re-indexed by Google after I was hacked.  So, maybe *that*’s the reason why Google doesn’t look so good, right?

Well, I had a few cursory looks at a few of my other favourite blogs, and the same sort of pattern emerges.  Technorati is able to find the “reactions” within minutes of those inbound links actually being published.

Google?  It has trouble.

Now, I don’t know the actual “why’s” for this happening; perhaps it’s because everyone and their sister who has a blog registers it formally *with* Technorati so they can follow their own Authority ranking and so on. And furthermore, because by default, Wordpress pings Pingo-matic, which by default usually pings Technorati.

On the other hand, I’ve read that Google also monitors Pingo-matic, and should therefore also update whenever Pingo-matic updates.  If that’s the case, then, I don’t know — perhaps actually registering your site (and pinging) with Technorati makes it easier to work these kinds of relationships out and in a much quicker fashion.

In any case, I suggest you try and figure this out for yourself.

1. Go to Google’s BlogSearch at http://blogsearch.google.com/

2. For the search term, enter “link:URL_OF_YOUR_BLOG” –> and of course replace the URL of your blog as necessary.

3. Note the results which are sorted by default according to date.  Marvel at how dated some of these results are.

4. Then, go to Technorati at http://www.technorati.com (naturally)

5. Enter your own blog URL again, and note the number of reactions.  Marvel at how fresh these results are.

If you find that I’m totally off my rocker, let me know.  However, in the few blogs that I’ve checked I’ve come up with similar results.  Maybe I *will* install this plugin now. ;)

Nov 10 2007, 12:58 am
  • For those of you who use Wordpress for their blogs (and, with the greatest respect to Anil Dash, I suspect that it’s most of you), you may have noticed that Wordpress now has shirts for sale internationally. I like the color red, which is fortunate, because it turns out you can only get these Wordpress logo emblazoned shirts in red. What I don’t really like, however, is the shipping costs. I live in Canada, so to get those T-shirts shipped to Canada (from a Chicago area shipping station) actually *more than doubles* the cost of the T-shirt. The actual shirt costs $17. Shipping cost? $17.50. The funny thing is that if you live in, say, Timbuktu, the cost of shipping *there* (in fact, *anywhere* in the world) from the UK is only 4.50 pounds, which is about half the cost of the T-shirt (9.50 pounds). I’d love a T-shirt, but there is no way I’m paying more than the actual cost of the T-shirt in shipping costs. And does it really make sense that it costs more to ship to Timbuktu than Toronto? // 8.15.07 @ 22:34

Happy Birthday Mr. Stamatiou

So I don’t know Paul Stamatiou. I’ve never met him. I only discovered his Blog yesterday. But he is now on The List.

Why?

For no other reason than his blogging success.
The guy starts out with a half-dead mac-mini one year ago, and starts blogging on Wordpress with a K2 Theme on Technology and other things. One year later after a helluva lot of sweat and tears:

  1. Alexa Rank: 24 305
  2. Feedburner Subscribers: 2284
  3. PageRank: 5

Nice. :)

What’s interesting is that in his one year anniversary post, he makes an interesting comment:

I realize that many of you enjoy reading my content through RSS. That’s good and I wanted to say that I’ll always be providing full, ad-free feeds. However, I encourage you to minimize your RSS aggregator every once in a while and chime in on the conversation, or even start one up. That’s how I know if people are actually listening. Site metrics are one thing; actual, tangible involvement and engagement is another. How will I ever know if I got through to the 3,676 people that stopped by yesterday?

One of my other passing fancies is web metrics. And I think Mr. Stamatiou hit it right on the head with this one. At the end of the day, it doesn’t matter what your Alexa Rank, number of posted subscribers, PageRank, or whatever other magical forms of metrics you use are.

(Well, perhaps if you try and sell advertising on your website it is — but I digress.)

I think the real measure of a site’s effectiveness is just that – how effective it is in garnering an action … a response.

(more…)

Sep 08 2006, 10:20 am

Yes, I’ve already written one post about “how to write for your blog”, but here’s the absolute laziest way to do it — and still be rather substantial and meaty (although with some caveats). It’s something some A-list bloggers already do. Here’s another hint: it takes almost no extra effort at all. Have you figured it out yet?

It’s automating your del.icio.us bookmarks!
Yes, I’ll admit that it’s part of the “oldie-but-goodie” file, but for all newer bloggers, this trick is a must.

But why bother? There are at least TWO good reasons.

(1) It’s great content.
Really? Ok, this is debatable – but not for me.

The answer to this lies in my RSS feed, which is handled through Feedburner.

Currently, I’ve set it up so that Feedburner automatically inserts my del.icio.us links through a script which they call a “feedflare”. Nevertheless these little insertions are great because they’re handled automatically.

Although I used to have a “FeedFlare” to insert the del.icio.us links automatically, I can now do it through this automatic posting process. (Full details on how to manipulate your feed in a post to come)

I have also subscribed to their “Total Stats” Program which is pretty nifty.
It allows you to see how many people are actually clicking on the links in your feed — gives you almost like a click through rate … and more importantly, an idea of which items IN your feed are successful. Or interesting. Or worth clicking on.

For me, it was *VERY* telling.

(more…)

Aug 13 2006, 11:37 pm

So, I use the wp-slimstat for purposes of tracking some statistics on this website, and I am lovin’ it although it is largely unsupported. I’d like to present a humble solution to a Local Timezone problem I’ve been having.

The problem: Wp-Slimstat’s time would be offset by a few hours, as it would only grab the server’s time. The problem is my server is in Los Angeles, and I am in Toronto. Result? The time for all the stats would be off by 3 hours. Bleh. :(

Well, there is a hack, if your Server has PHP5 (if you want to check out what version your server has, go here)

The Solution: Use the date_default_timezone_set function!
Basically, this will set a default timezone for a given script if you give it the proper location from where you are, rather than displaying the server’s default timezone. Luckily Wp-SlimStat is a single script — wp-slimstat.php — and so adding a single line of code with this function should affect the whole statistics package (and it did for me!)

This particular function requires a single argument, and that is the location.
It just so happens that there is an index where you can find your own location, and how to format that argument.

For example, I am in Toronto, Canada. Therefore, I added “America/Toronto” to the arguments, so it ended up being:

date_default_timezone_set("America/Toronto");

Here’s how you can do it too:
(more…)

Aug 07 2006, 10:24 am