LOCKDOWN – or ‘why the blog has been silent’

It may (or may not, depending how much you care!) have come to your attention that I’ve been bloody quiet over here for a couple of months. The reasons for that are twofold:

  1. Life happened
  2. Something far worse and more annoying happened

I’m going to throw this behind a cut, because it’s long and complicated. However, if you self-host your own WordPress blog (ie: you use your own domain and your blog isn’t hosted at wordpress.com) then you NEED TO READ THIS.

Follow me.


Admin: Site issues

I am aware of the issues that have been plaguing the site over the past few days, and I apologise for them. They’re due to the fact that the shared server Virtual Bloke is hosted on had suffered hardware failure and needed to be moved temporarily to another server, before finally being moved (sometime in w/c June 12th, or so I’m told) to a brand new server. That resulted in a day of the site looking like this:

This image was posted on Flickr, with annotation to show that I was aware of the problem.

It has also resulted in some slowness to load. Now, with a bit of luck, that won’t impact you at all, my dear readers. I have the site minified and cached, and most of it is served up through a CDN, so as outside observers you should be seeing no difference in site load times, as it’s all being handled through cached files and the external CDN service.

However, it’s a different matter for me. Every single page load takes approximately a minute and a half for me, and that’s assuming it doesn’t time out. In fact, everything is taking a minute and a half for me on this site right now, from accessing my dashboard, approving comments, replying to comments, making new posts (which is why I’ll be taking a copy of this one before I hit ‘publish’) etc. It’s like being back in the days of 56k dialup, and it’s making me want to tear my hair out in frustration.

We’ve all had those times when entire days (sometimes entire weekends) have been spent in trying to fix problems with our computers, so I hope you can understand where I’m coming from. I want to blog, but right now I can’t. Just waiting for one image that I’ve uploaded to load in my browser so I can paste it into a post is going to take one and a half minutes, and on average I put about five to eight images into each post. Yeah, I’m going to spare myself the screaming on that one. The only other way I can do it is via Flickr: uploading the images there and then linking them into a post here, and I’d rather not spam my Flickr followers with as many views of a single outfit as I do in a blog post dedicated to that outfit.

My webhost is aware of the problems with the site, and they’re working on it. But, as it’s a shared server, obviously I’m not going to be the only one having issues. I’m in a queue to get this fixed, and I’ve no idea how far down the queue I am. At least I don’t have to listen to tinny muzak while I wait, nor spend a week’s wage on paying to be put on hold :p

In short: be prepared for a few more mostly-text posts and fewer image-heavy posts over the next, well, I guess week or so. If it lasts any longer than that, I’ll be putting in enough support tickets with my webhost to annoy them into fixing it. And, again, be prepared for more site downtime/slowness around the week of June 12th. I’ll try and give some advance notice of that, as soon as I get a date and time for the server move.

Spanking your meat

Hrm? What? *butter wouldn’t melt* (No, seriously; it wouldn’t. It’d frazzle.)

If you hadn’t come to expect a smidge of innuendo from me by now, then I’ve been slacking. What sort of meat-spanking did you assume I meant? Most likely not this sort:

Yeah, since I’ve had this blog the number of spam comment attempts has risen and risen until they went through the roof. Thank fuck for the Akismet plugin, is all I can say. But, even with Akismet installed, I still had to trawl through the multiple spam attempts per day, to ensure that no legitimate comments had been filtered out (such as for including more than one link, which WordPress automatically flags as potential spam, by default).

I started Virtual Bloke in May of 2013. As of just now, these are my basic spam stats:

That’s a fuckton of delicious processed meat, y’all. Monty Python would’ve been proud. At which point, naturally, we must pause for this:

Anyhow. I’d noticed two things about all of these attempts to spam the blog:

  1. Individual posts were getting hit at a rate of two or three comments per hour. It got so bad that I actually disabled commenting on the worst offenders (these ones were getting upwards of ten comments per hour). But it went in phases. Never the most-recent post; always one that was a couple of posts back (I guess in the hope that I wouldn’t notice it).
  2. Even though each of these individual posts was getting hit (example: my One of Our Lindens Is Missing post got hit by spam comment attempts almost 60 times over the course of two days) these hits weren’t registering in the blog stats.

#1 wasn’t surprising, since I’d been spotting (and deleting) pingbacks where those individual posts were getting spammed as links on various forums and other blogs. But #2 could mean only one thing: it was referrer spam, because the bots that dish out referrer spam don’t actually hit the page itself; they simply access the comments.php form, and that doesn’t register a hit on your stats.

This was, weirdly, good news, because there’s something you can do about referrer spam, and it involves a simple edit to one file in your directory: the .htaccess file. Most sites have one, and it’s a bloody handy file. I wasn’t sure of the exact commands to insert into the file (only that I knew I could use it to block referrer spam) so I went a-googling.

I found what I was looking for in the WordPress Codex (click here and scroll down to ‘deny access to no referrer requests’, then down further to ‘deny access referrer spammers’). Note how, in the first instance, you’re sending the spam-bot back onto itself (in much the same way a good HOSTS file redirects your computer to itself when it tries to show ads and blocked sites, effectively rendering it unable to show said ads etc).

In the second instance you can actually block individual referrer URLs. The Codex states:

Once you know which referrer URL you’d like to block, and believe me you’ll know, you can keep them out [ etc. ]

Believe me, I did know. If you’re getting referrer spam, you’ll see the same URLs cropping up as the ‘personal websites’ of these spammers time and again, viz.:

It goes without saying that, if you try to visit any of those sites? You’re daft enough to deserve anything that happens :p

The [name].adsuse spam had stopped, but I was still getting hit multiple times by the [name].usabestads and [name].adsboards spammers. So I not only added the first section of the referrer redirect to my .htaccess file, I also blocked those URLs directly, like this:

# BLOCK referrer spam
# Mark any request whose Referer header contains one of these hosts
# (case-insensitive substring match), then refuse every marked request.
SetEnvIfNoCase Referer usabestads.com spammer=yes
SetEnvIfNoCase Referer adsboards.com spammer=yes
Order allow,deny
Allow from all
Deny from env=spammer

NOTE: No, that’s not a mis-spelling of ‘Referrer’. It has to be spelled ‘Referer’.

Prior to doing this last night, I was checking the spam stats every two hours, and that Lindens post was getting two to three comments every single hour. I edited .htaccess, then went to bed. I checked again this morning.

Not a single spam comment.

I checked again at each of my work breaks. Again, not a single comment. If I’d not added those two sections to .htaccess then, going by history of two comments per hour, that post would have received (between 9pm and 12 noon the next day) approximately 30 spam comment attempts.

It was only when I got home and checked again at around 3pm that I finally had a spam comment attempt, and it wasn’t referrer spam. In short, this shit works. Granted, it’s only been one day, but every single day so far has seen at least 10-20 spam comment attempts from these referrers, and today I’ve had just one ‘traditional’ spam comment attempt.

If you’re enduring the same batshit-annoying referrer spam on your (self-hosted; sorry, but you don’t get an .htaccess file if you’re not hosting your blog on your own website) WordPress blog, I want to share this with you.

– Look in your root directory for your .htaccess file and use your FTP client to download it to your hard drive.
– Make a backup copy of the original and stash it somewhere safe.
– Open the file using Notepad or any other simple text editor (NOT Word!)
– If there’s already stuff in the file, add everything I’m about to paste below after it.
– First, add the following:

# BAN Spambots
# A POST to wp-comments-post.php that either doesn't come from your own site
# (Referer) or sends no User-Agent at all gets bounced back to the bot's own address.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !.*YOURWEBSITE.COM.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]

– Replace YOURWEBSITE.COM with your own website URL. Don’t include the www bit.
– Leave a line, and then add the following:

# BLOCK referrer spam
# One SetEnvIfNoCase line per referrer host you want gone. Order/Allow/Deny is
# the Apache 2.2 syntax; on Apache 2.4 it only works with mod_access_compat
# loaded, otherwise use Require all granted plus Require not env=spammer
# inside a <RequireAll> block.
SetEnvIfNoCase Referer SPAMURL.COM spammer=yes
SetEnvIfNoCase Referer SPAMURL.COM spammer=yes
SetEnvIfNoCase Referer SPAMURL.COM spammer=yes
Order allow,deny
Allow from all
Deny from env=spammer

– Replace SPAMURL.COM with the URL of the referrer (example: usabestads.com – again, no www or anything).
– Save the file. It should begin with a period/fullstop and have no suffix, so make sure you just save it as .htaccess
– Upload it to replace the old .htaccess file.
– Check to make sure your site’s still working. If it’s all good, leave it be and just watch your spam stats. Hopefully, like mine, they will reduce drastically.

These are my full Akismet stats since I began the blog. I’ll be keeping an eye on this, to see if the totals for February are much lower than recent months:

The spam subjects come in waves. In November and early December (killer months, both) I was getting an insane amount of spam about NFL jerseys. Interspersed with all of that is the usual kidney disease, diabetes, Vuitton/Gucci/etc handbags bullshit. Sadly, the side-effect of having a blog about fashion (even if it’s virtual fashion) means that you get a ridiculous amount of fake designer clothing and accessories spammers trying it on.

And, seriously, if making this post means I can help one more frustrated blogger rid themselves of this fucking annoying shit, then it was worth it. Let me know how you get on, if you give it a go.

UPDATE #1

Since making this post, I’ve installed two further WordPress plugins. The first is Bad Behavior. Within half an hour, I could see exactly why the blog has been loading so slowly for me. TENS of brute force attempts to log in via my wp-login.php file, to hack the site and gain access to it by using the default ‘admin’ username (HUGE hint: never, ever keep your WordPress login username as ‘admin’) and random passwords. We’re talking literally one attempt every second. Now, I know that WordPress regularly gets attacked in waves like that, but it was clearly the reason why the site was running so slowly for me. Here, this will give you an idea. Check out the times:

09:44:32, then 09:44:34, then 09:44:35. Every. Single. Second. In fact, between the times of 09:41:15 and 09:44:35 (read that closely: it’s a space of three minutes and twenty seconds) that IP address made 163 attempts to log into my site as the admin user.

Woah, mama. What the hell to do about that?!
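Both of the things this post is about, which referrer hosts are worth a SPAMURL.COM line and how hard wp-login.php is being hammered, can be read straight out of the Apache access log rather than waited for in a plugin. This is an added example, not code from the post or from Bad Behavior or Wordfence: it parses combined-format log lines (constructed sample lines, with example.com standing in for YOURWEBSITE.COM and documentation IP ranges for the bots) and applies the same tests as the rewrite rules above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" access-log line. All sample lines below are constructed for
# this example, not taken from the blog's own server; example.com stands in for
# YOURWEBSITE.COM.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

SAMPLE_LOG = """\
203.0.113.5 - - [31/Jan/2014:09:41:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3180 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Jan/2014:09:41:16 +0000] "POST /wp-login.php HTTP/1.1" 200 3180 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Jan/2014:09:41:17 +0000] "POST /wp-login.php HTTP/1.1" 200 3180 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Jan/2014:09:42:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://www.usabestads.com/p" "-"
198.51.100.9 - - [31/Jan/2014:09:42:07 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://adsboards.com/x" "Mozilla/5.0"
192.0.2.44 - - [31/Jan/2014:09:43:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com/lindens/" "Mozilla/5.0"
"""

def parse(log_text):
    """Yield one dict per well-formed log line, with the timestamp parsed."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield entry

def referer_host(referer):
    """Bare host of a Referer, 'www.' dropped; '' when Apache logged '-' (none sent)."""
    if referer in ("", "-"):
        return ""
    host = re.sub(r"^https?://", "", referer).split("/")[0].lower()
    return host[4:] if host.startswith("www.") else host

def comment_spam_sources(entries, site_host):
    """Comment POSTs the 'BAN Spambots' rules would bounce (Referer not our own site,
    or no User-Agent), counted per referer host: the values to put in SPAMURL.COM."""
    hits = Counter()
    for e in entries:
        if e["method"] != "POST" or not e["path"].endswith("wp-comments-post.php"):
            continue
        host = referer_host(e["referer"])
        if host != site_host or e["ua"] in ("", "-"):
            hits[host or "(no referer)"] += 1
    return hits

def login_rates(entries):
    """Per IP: number of POSTs to wp-login.php and seconds between the first and last."""
    stamps = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php"):
            stamps[e["ip"]].append(e["ts"])
    return {ip: (len(ts), (max(ts) - min(ts)).total_seconds()) for ip, ts in stamps.items()}

if __name__ == "__main__":
    log = list(parse(SAMPLE_LOG))
    print(dict(comment_spam_sources(log, "example.com")), login_rates(log))
```

Point it at your real access log (most hosts expose it via the control panel) with your own domain as site_host; the referer check is host equality here rather than the substring match the rewrite rule uses, so a bot spoofing your own domain in the Referer passes both.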

I did some googling and found out how to block all access to my wp-admin files, unless the originating IP is my own personal IP. The article for how to do that is here (scroll down to ‘Limit Access to wp-admin by IP’). Or, you can just add the following to the .htaccess file you’ve already created, changing YOURWEBSITE.COM to, well, your website.

NOTE: When I first pasted this, WordPress stripped out the angle brackets even though I’d used the <code> tag. The block below has them back in place, so it can be copied as-is.

# BAN access to wp-login
# Refuse (403) any POST to wp-login.php or /wp-admin whose Referer isn't your own
# site. A bot that POSTs the login form directly sends no Referer, so it matches.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_REFERER} !^https?://(.*\.)?YOURWEBSITE.COM [NC]
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Following on from that, I made some further .htaccess changes to deny access to wp-config.php (angle brackets restored here too):

# DENY all web access to wp-config.php (it holds your database credentials)
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Lastly, I installed the Wordfence plugin, as a final (and pretty damn awesome) security tool. This offers scanning of all files on your server, comparison of all themes and plugins and WordPress files against their up-to-date repository, to inform you if anything has been hacked or changed. It even has a live traffic tool. *waves* to the Baidu crawler which has accessed the site four times in the last 2 minutes*

So what’s happened after that? Well, after a heart-stopping moment when my entire site went pouf on me (after I forgot to change FTP directories and uploaded a rather important file in a place where it didn’t belong – oops?) overall, it’s suddenly started running like shit off a shovel for me. About ten times faster than it was before. Wordfence, plus the .htaccess edits, seem to be stopping all access to the hackers, as Bad Behavior’s logs are no longer full of repeated attempts to login. I’ll keep monitoring over the weekend, and update this post with my findings.

UPDATE #2

Just 15 minutes of watching the live traffic tool told me that the Yandex bot (Russian search engine) was crawling my site every minute or so, and trying to access images as pages. This is another thing that is probably slowing the site, so I’ve blocked the Yandex bot via my .htaccess file, too. As before, the angle brackets are shown intact here.

# BLOCK the Yandex crawler. Its User-Agent begins "Mozilla/5.0 (compatible; YandexBot/...",
# so the match is left unanchored: a leading ^ would never match it.
SetEnvIfNoCase User-Agent "Yandex" bad_bot
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>

UPDATE #3

Well, it’s now Feb 2nd, and I’ve gone from Akismet catching up to 30 spam comment attempts per day, to… just three in three days. All thanks to my .htaccess edits, and those two WordPress plugins. It’s actually quite unnerving to see the attempts to hack your login page, in real time. One thing you MUST make sure you do is ensure that you don’t have an administrator account on WordPress called ‘admin’. If you log in as ‘admin’ then you’re asking to get hacked, as that’s what the hackers go for.

Once February is done (and if I remember) I’ll post a screenshot of my Akismet stats again, so you can see the dramatic drop in spam that’s getting through to be caught by the filter.

Further reading

WordPress Codex: Hardening WordPress
WordPress Codex: Brute Force Attacks
WordPress Codex: Combating Comment Spam/Denying Access

Dear Diary: Arse-end of the year maintenance post thingy

Dear Diary,

Since this is the last weekend in 2013, the arse-end of the year as it were, I’ve been doing some maintenance work on the blog over the past couple of weeks, viz. –

  1. There are now sharing buttons on each post. Pimp my pixel arse, why dontcha? ;-)
  2. There’s a ‘like’ button on each post (WordPress, not Facebook)
  3. I now have a full Review Policy linked in the sidebar. Yes, it’s detailed. You know me by now: garrulous bastard.
  4. I’ve linked my recent Flickr posts in the sidebar (since many of them don’t make it to the blog) and there’s also now a Subscribe by email option, also in the sidebar.

I also really need to sit said pixel arse down inworld and get stuck into some serious inventory maintenance. I’ve been in the habit, for most of 2013, of creating new folders for each major purchasing day (not just the occasional ‘here and there’ thing) so that I can keep track of stuff. However, with a new year looming I’m already finding it nigh on fucking impossible to find anything, since there are at least 25 of those folders and – while my memory for what I actually have in my inventory is very good – my memory for where the hell everything actually is… isn’t.

Another thing I need to work my way through is my Received Items folder. Holy shit, is that ever a mess. I promise not to become an inventory maintenance bore through 2014, but I suspect that’s going to take a lot of my focus in the early weeks. Or months. I have 100k of stuff. Aiya.

My basic filing system is solid. If I find my snapshots folder filling up, I whip out the copy of my Kinex Texture Organiser that I keep solely for snapshots and I file them away, then delete the inventory copies. The added bonus of that thing is that you can wear it as a HUD, so – if you need to find one snapshot (or texture) – you don’t need to rez it. Plus, it’s expandable (oh, joy!) It’s one product that I will always recommend to anyone who has an excess of textures and/or snapshots, as it’s worth its weight in gold. Or L$. Whatever. Go buy one ;-)

Note: Try to rename your snapshots before filing. If you don’t, then whatever you do: don’t use the ‘dupe scan’ option on the organiser, otherwise it will weed out all snapshots with duplicate names. If you stood in one place and took multiple different snapshots, you’ll lose all but one of them.

Update: Mea culpa. Apparently it sorts dupes by UUID, so you’re safe there. Phew!

Something rather neat that I spotted on Flickr today was this post by Zib Scaggs, owner of the Zibska jewellery store. It initially caught my eye because I thought it was the upcoming 52 Weeks of Color challenge, but in fact she’d just used a random colour generator (this one) to choose 52 individual colours ‘for her own amusement’. I kind of liked that idea, specifically to use as inspiration for maybe making one new item each week with a specific colour theme. So, I had a go myself. These are the first four colours that came up, so – if I can find the time and inspiration – these will be my colours for January 2014 (for making stuff, not for the fashion blog posts!)

You might think those two bright greens are a bit, well, lurid. I guess they are, but it’s not as if I haven’t created things in those colours before. 2012’s New Year gift was a limited edition spring skybox in exactly those colours:

If you think that’s lairy, wait until you see February’s colours…

Lastly, I’m going to do a meme of my own in my next post. I’m not generally one for summarising my year inworld (for one thing, unless I write stuff down as it happens, I usually forget it!) but friends and I used to have fun with what’s known as the iTunes Meme at the end of each year, so that’ll be coming in the next post.

See you in 2014!

(Oh, who am I kidding. Like I won’t be making at least two more posts before then…)

Admin stuff: What gets Photoshopped (and what doesn’t)

Let’s get it out there: I’m a vain bastard, okay? I like to look good (I wouldn’t have a 150K inventory otherwise) and I want to look good here. However, there’s one thing you won’t find on this blog, and that’s Photoshoppery out the fucking wazoo.

There are some awesome blogs out there; ones that focus as much on the graphic design talents of their owners as they do on the items (regardless of what they are) that are being featured. Some blogs are true works of art, and I adore those blogs… for being works of art. Hell, I love beauty (look at my boyfriend!) and I have a strongly-developed aesthetic sense.

What I also have, though, is a strongly-developed sense of honesty. And no, I’m not saying those Photoshopped blogs are dishonest; rather I’m saying that – like most of you – I’ve seen an item featured in a beautiful blog post and purchased it, only to be slightly underwhelmed because it looks nothing like the way it looked on the blog. It’s happened to me – and probably to you – rather a lot.

What I hope to give you in this blog is what stuff actually looks like. I’m no Photoshop expert. I dabble a bit, but I have nowhere near the skills of some of the top bloggers who can smooth and liquify until their avatar looks almost real. There are some things that I will edit, and some things that I won’t. This post will show you exactly what those things are, and what you can expect from me when I come across those things that aren’t quite as they seem.
