Making downloaders register - drupal

I'm working on a Drupal 6 site, and one of the requirements is for the company to be able to upload videos and whitepapers. No problems there.
The tricky part of the requirement is that when a site visitor tries to download one of these files, they need to be prompted to fill out a basic information form with the usual stuff: name, email address, business sector, etc. If they've already done this before to download another file, then the site needs to pick up the cookie etc. attached to the user and register them as downloading another file.
I've done this before on another site and it was a simple enough bunch of PHP with a database attached. I know I could easily do the same thing here, but it just doesn't feel very 'Drupal' to me.
Any Drupal-esque recommendations for the best way to tackle this (modules, plugins etc)?
Thanks
Froogle

There are more sophisticated (and complicated) ways to accomplish it, but the following would meet your basic requirements:
Under Admin > Site configuration > File system, set the Download method to Private.
On the Admin > Site building > Modules page, enable the core Uploads module.
On the appropriate content pages, under the File attachments option, upload the videos and whitepapers.
Under Admin > Site configuration > Error reporting, set the Default 403 (access denied) page to user/register.

Related

Stop Hacks to Wordpress Site - New User Added

My apologies in advance if I am posting it in the wrong forum.
I have a WordPress site. Every couple of days, a new user is added as an "Administrator" as shown below
I have changed my password many times using complex passwords but to no use. I even searched on Google and have read links like this one.
I have also unchecked the option "Anyone can register"
However, I am unable to stop them from registering.
Fortunately, no malicious activity has been noticed (Ex: Deletions/Unwanted posts etc)
Please advise me on what I can do to stop these?
You clearly have a more serious compromise, like an uploaded malicious script or an unpatched vulnerability. You need to rebuild your site from scratch (clean install of the current versions of WP and any plugins and themes, using a known-good database export) ASAP before something really bad happens.
Unfortunately, it's impossible to say what happened without digging through your server. My guess is that somebody exploited a vulnerability and uploaded a script. It could be anything: a hole in the WP core, a plugin, or a theme; a malicious plugin or theme; a stolen password; a breach of another site on the same server; or a number of other things.
Regardless of what happened, the only safe fix is to rebuild the site. If you have data backups, you can achieve this in a few hours.
I strongly recommend installing the security plugin WordFence to help prevent similar problems in the future. (I have no affiliation with WordFence, but use it on a number of sites.)
Finally, you might want to read this discussion on security.stackexchange.com. The consensus in this situation is "nuke it from orbit." Good luck!
Someone is performing SQL injection on your site.
If you want to prevent this in future, you should do several things.
Rebuild your website from scratch.
Install some of the security plugins, like BulletProof Security, Wordfence, iThemes Security. I suggest you buy the BulletProof licence, or use the free version plus one of the others. And be careful with duplicated settings.
The most common attacks are SQL injection, XSS, plugin exploits and, of course, brute-forcing the admin password. You should upgrade every plugin, and WordPress itself, every time you see a new version.
Use fewer plugins. They are one of the main reasons for hacked websites. If you use Linux, I can tell you how to scan your website for vulnerabilities. Or just tell me the URL, and I will tell you the results.
Also change your /wp-admin path; there are a lot of bots that search the web and make brute-force attacks.
It is also important to use an admin username other than admin or Admin. And use strong passwords. It's good practice when you make a new WordPress installation to create two more users. The first will be an Author and will post everything on the site; the second you should create with the Administrator role. After that, delete the first admin user and start using the new one.
Hackers know that almost every time the user with id:1 is the admin, so they can try to access it again. So in this case your admin will be with id:3, and again, don't use a username like admin etc.
Best regards and wish you luck.
Kasmetski
Check index.php and wp-admin/index.php to see if they have been modified. Usually the following line of code is added to the top of the index.php file. A line starting with 'require' is usually added.
The file being 'required'/'included' here contains malicious code which is executed with each run of WordPress. Such code can generate fake pharma pages, Japanese SEO spam pages and other malware infections.
Delete the #require code from the file after comparing it with the contents of the core WP files from its GitHub repository.
Check if there are any new files in the root of the server or /wp-admin folder that were not created by you. Some of the files that you may find are:
Marvins.php
db_.php
8c18ee
83965
admin.php
buddy.zip
dm.php
If you find any of the above suspicious files, take a backup and delete them.
Source: https://www.getastra.com/blog/911/fix-wordpress-admin-dashboard-wp-admin-hack/
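The two checks in the answer above (a require/include line injected near the top of index.php-style files, and files in the document root that a stock install does not have) can be scripted for a first triage pass. The following is an added example written for this page, not code from the original answer or from Astra; it is POSIX sh, the allow-lists of known core includes and core root entries are assumptions based on a stock WordPress install (extend them from a clean copy of your version), and the sample document root is constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the original answer).
# find_injected_includes: flags require/include statements in the first 20 lines
#   of *.php files whose target is not one that core legitimately loads there.
# list_unexpected_files: lists document-root entries missing from a core allow-list.
# Both lists are assumptions taken from a stock install; treat hits as leads to
# diff against a clean WordPress tarball, not as proof of compromise.

# Include targets core's own index.php / wp-admin/index.php load (ERE alternation).
KNOWN_INCLUDES='wp-blog-header\.php|wp-load\.php|wp-config\.php|/admin\.php'

# Entries expected in a stock document root (subset; assumption).
CORE_ROOT_ENTRIES='.htaccess index.php wp-config.php wp-blog-header.php wp-load.php wp-login.php wp-settings.php xmlrpc.php wp-admin wp-content wp-includes'

# find_injected_includes DOCROOT  ->  FILE:LINE:TEXT per suspicious statement
find_injected_includes() {
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        head -n 20 "$f" \
            | grep -n -E '^[[:space:]]*@?[[:space:]]*(require|include)(_once)?[^A-Za-z0-9_]' \
            | grep -v -E "($KNOWN_INCLUDES)" \
            | sed "s|^|$f:|"
    done
}

# list_unexpected_files DOCROOT  ->  names (dotfiles included) not on the allow-list
list_unexpected_files() {
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        case " $CORE_ROOT_ENTRIES " in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# --- constructed sample document root so the script runs offline ---------------
DOCROOT=$(mktemp -d)
trap 'rm -rf "$DOCROOT"' EXIT
mkdir -p "$DOCROOT/wp-admin"
# clean index.php: its only include is the core bootstrap
cat > "$DOCROOT/index.php" <<'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
# infected wp-admin/index.php: the attacker's loader is pulled in before core
cat > "$DOCROOT/wp-admin/index.php" <<'EOF'
<?php
@include "/tmp/.cache/8c18ee";
require_once __DIR__ . '/admin.php';
EOF
: > "$DOCROOT/wp-blog-header.php"
: > "$DOCROOT/db_.php"          # dropped by the attacker, not part of core

echo "== suspicious includes =="
find_injected_includes "$DOCROOT"
echo "== unexpected document-root entries =="
list_unexpected_files "$DOCROOT"
```

Run it against the real document root by calling the two functions with that path instead of the constructed one; on the sample tree it reports the `@include` in wp-admin/index.php and the stray `db_.php`. Because the pattern only looks at the first 20 lines, a loader appended at the end of a file is missed; a full diff against a clean copy of the same version remains the authoritative check.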

How does wordpress protect theme source code?

If I buy a theme from a website, can I read the source code from it?
If I can, how can I protect the source code?
You can view any of the theme's source code either from the Appearance>Editor menu in the Admin control panel of Wordpress, or by downloading the theme to your local machine via FTP, and just opening up the files in a text editor.
Now, your question about protecting the source code of the theme: who are you trying to protect it from? The source code is only visible from the admin side of WordPress (which you need a username/password to get into) or via an FTP client connecting to your web server (which also needs a login account).
If you're concerned about a random website visitor seeing the PHP code for the site's theme, you needn't worry. A random website visitor won't have access to the PHP files that control your site's theme.
//Edited to add more info//
If someone buys your theme, and downloads the .zip of it in order to upload it to their own web server, there's virtually nothing you can do to prevent someone from seeing the .php code that runs the theme.
There might be some methods of encrypting code, and then having some 3rd party service decrypt the code before the web server runs it, but you'll be looking at some huge performance losses with something like that.
You would be better off building a solid theme with features people want, and would be willing to pay for, while maintaining good communication with your customers, and pushing bug fixes/updates in a very timely manner.

share files with users with wordpress

I'm new to WordPress and I need to create a WordPress site that allows the administrators to share information and files with users (Word, Excel, PDF, images, etc.).
Each user will have a password and the files are only shared between the user and the administrator (there's no sharing between users).
Maybe that can be accomplished with a post or page targeted at every user. The user would have to be logged in to access the page/post and should be able to add content and files. That way the files and info will only be shared between that user and the admin.
Is this a correct approach or there is a better way to do it?
Thanks
Gonzalo
WordPress Download Manager helps you in managing, tracking and controlling your downloads in a more efficient way. You can set access levels, you can add/embed downloadable files anywhere in the post by copying and pasting the embed code.
For more info :
http://www.wpbeginner.com/plugins/how-manage-track-control-file-downloads-wordpress/

Drupal 7 security implementation

I have a hostgator website on which I installed Drupal. It was working fine until last weekend. I am primarily a .net developer and am not sure about the configuration of this open source application.
Recently, I noticed a large number of user accounts being created that never even logged in. So, after setting up Google Analytics, I determined that my site was hacked. I made this determination because the majority of the traffic and user flow is coming from RUSSIA, SERBIA and ROMANIA, hackers' haven!
I realised that my website was not secure. So now I have put the site into maintenance mode, uninstalled the existing Drupal 7, and installed a new installation. It is very fresh now and I am on a mission to find some good security practices.
I would like to know what security measures that I can implement other than these.
Also, how would I connect to my website's command line to change the file permission settings? Currently, I am using Filezilla and right clicking to change the properties.
Thanks, and apologies for the long question.
P.S. This is my website.
Hostgator provides SSH access. Use a tool like WinSCP to transfer files and PuTTY to access the command line. Once you get command-line access, you will hopefully be able to install Drush on Hostgator. Drush will help you do many administrative tasks from the command line and is highly recommended. Since you are a .NET developer, I assume that you might be using Windows for development. The good news is that you can install Drush on Windows too.
Are you sure that your site was really hacked? Because if you go to the Account settings page (http://your-site/admin/config/people/accounts) and look under Who can register accounts?, you will see three options there. The default is "Visitors can create accounts". If you do not change this setting to something else, your new site will again face the same problem. Otherwise, you can select the option Require e-mail verification when a visitor creates an account.
Another way to reduce the number of spammers creating accounts on your Drupal site is to install the CAPTCHA or reCAPTCHA module and configure it to show a challenge to users when they create an account. This will block many spammers. You can also block specific IP ranges using the Apache .htaccess file. You will find the .htaccess file in your Drupal installation folder.
Another good practice is to periodically update Drupal core and contributed modules for security fixes. If you go to the page admin/reports/updates, you will see which modules require an update. The command line and Drush will help you streamline part of this process.
If you regularly update Drupal (core & modules), use SSH for file transfer and apply correct file permissions, your site should be all secure. It is not that hard to maintain a secure Drupal site, given all the help available from the Drupal security team and the Drupal community.
There is a Drupal Group (forum) that deals with Best Practices in Drupal Security that provides a number of excellent suggestions on how to secure Drupal sites. As for accessing your site via the command-line, I checked and Hostgator allows for SSH access on all of their hosting plans. You should be able to login via SSH, change to the sub-directory within your Drupal installation and change the permissions of a file or directory using the 'chmod' command.
Good luck!
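Both answers above point at file permissions as the thing to fix over SSH with chmod but do not show the pass itself. The script below is an added example written for this page, not code from either answer or from the Drupal project. It applies one commonly recommended scheme (an assumption; match it to your host's PHP execution model, since on a suPHP/suexec host where PHP already runs as your account the upload directory needs no group write): code and settings.php are read-only for the web server, sites/*/files is group-writable with setgid so uploads inherit the group, and settings.php is read-only for everyone after install. The web server group name is an assumption, and a sample site tree is constructed so the script can be run safely offline.

```shell
#!/bin/sh
# Added example (not from the original answers): a chmod pass for a Drupal 7
# tree owned by the SSH account and served by a web server in group WEB_GROUP.
# The scheme and the group name are assumptions; adjust both to your host.

WEB_GROUP=${WEB_GROUP:-www-data}

# harden_drupal_tree DRUPAL_ROOT
harden_drupal_tree() {
    root=$1
    # 1. code and config: owner writes, web server (and everyone else) only reads
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    # 2. upload directories: the web server must write; setgid (2xxx) keeps the
    #    group on new files. chgrp needs the owner to be in WEB_GROUP, so it is
    #    allowed to fail (e.g. on a host where PHP already runs as your account).
    for d in "$root"/sites/*/files; do
        [ -d "$d" ] || continue
        chgrp -R "$WEB_GROUP" "$d" 2>/dev/null || true
        find "$d" -type d -exec chmod 2775 {} +
        find "$d" -type f -exec chmod 0664 {} +
    done
    # 3. settings.php holds the database password: never writable after install
    for s in "$root"/sites/*/settings.php; do
        if [ -f "$s" ]; then chmod 0444 "$s"; fi
    done
}

# mode_of PATH -> permission bits in octal, e.g. "2775" (GNU stat; the BSD
# fallback prints only the low nine bits, without the setgid digit)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# --- constructed sample tree so the script runs offline -------------------------
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/sites/default/files/styles" "$ROOT/sites/all/modules/views"
: > "$ROOT/sites/default/settings.php"
: > "$ROOT/sites/default/files/upload.pdf"
: > "$ROOT/sites/all/modules/views/views.module"
chmod 0777 "$ROOT/sites/default/settings.php"   # the sloppy state being fixed

harden_drupal_tree "$ROOT"
for p in sites/default/settings.php sites/all/modules/views \
         sites/all/modules/views/views.module sites/default/files \
         sites/default/files/upload.pdf; do
    printf '%s %s\n' "$(mode_of "$ROOT/$p")" "$p"
done
```

On a real site run `harden_drupal_tree /home/you/public_html` (or wherever Drupal lives) instead of the constructed tree, and re-run it after every core or module update, since a fresh extract resets modes to whatever the archive carried. Note that step 3 must be re-applied only after the installer has finished writing settings.php, because the installer needs it writable once.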

Can I find out how many people are using my WP plugin?

I'm wondering whether it's allowed, and also what's the best way to track how many users are currently using and running your WordPress plugin?
It's not really allowed without user permission, best bet is to check your plugin stats for active versions and download counts.
No "phoning home" without user's informed consent. This seemingly simple rule actually covers several different aspects:
No unauthorized collection of user data. For example, sending the admin's email address back to your own servers without permission of the user is not allowed; but asking the user for an email address and collecting it if they choose to submit it is fine. All actions taken in this respect MUST be of the user's doing, not automatically done by the plugin.
All images and scripts shown should be part of the plugin. These should be loaded locally. If the plugin does require that data is loaded from an external site (such as blocklists) this should be made clear in the plugin's admin screens or description. The point is that the user must be informed of what information is being sent where.
Source: Detailed Plugin Guidelines - Wordpress.org
Why not just check how many people have downloaded your WP plugin?
You could make a callback to your server, but many users won't like it.