Strictly Software

Getme Javascript Framework

I am currently working on a Javascript framework to help with loading and reformatting content loaded remotely. As a basis for this framework I have created an example called Getme.js, which is discussed in detail in the following blog article, Build a CSS Selector Framework. This article shows how easy it is for anyone to create a library that allows CSS selectors and chainable method calls just like jQuery, Prototype, YUI or any of the other popular frameworks, but without all the extra bloat that usually comes along and is never used. If you are one of those people who tends to download and use any code that gets the job done, you are probably duplicating functionality in numerous places and probably not using 90% of it anyway.

Javascript Compressor Tool

I have been working on my own compressor tool over the last year, which was a very good way of learning regular expressions in detail as well as all the intricate quirks involved in getting Javascript, HTML, CSS and server-side script such as ASP and PHP as compressed as possible while still functional. I have put a cut-down version of this tool up on my site for others to use. You can either upload a file or paste in content, and there are some advanced options which allow you to set up to 20 functions and 20 objects to rename. This is useful if you have a file that references global functions frequently, such as event handlers, element getters and so on. It is regular-expression based, so not perfect, but I have compared it against JSMin and the YUI Compressor and it holds its own, with certain files reaching 70% compression ratios.

Translate Twitter Feeds

If you have been keeping up with my site lately you will have seen that I have been working a lot with the free online translator tools that are available, such as BabelFish and Google's Translator, as well as the APIs provided by Bing and Google. Although not perfect in their translations, they are valuable for getting your content spidered in multiple languages and therefore bringing your site to a potentially larger audience. I have just released a new online tool that allows you to translate your favourite Twitter feed into any of forty-plus languages. Please visit this twitter translator tool and have a try.

Hattrick Heaven and Google Ajax APIs

I recently looked into Google's APIs, which contain a number of very useful frameworks for quickly developing content for a site. With just a few lines of code you can add content such as videos, search facilities for numerous feeds and news, geo-location data and much, much more. You can read my blog article about developing with the Google APIs here. You can also visit the site I developed using those frameworks, a football-based site called Hattrick Heaven that delivers region-based news, blogs, videos and league information from around the world.

Pesky Robots

I seem to be spending more and more time lately analysing my site's traffic, trying to stop precious bandwidth slipping away to content scrapers and other bad bots. In the old days I didn't really give much attention to crawlers, as the only bots were GoogleBot and the other search engine bots, and they were considered a good thing to let loose on your site. Nowadays you have Chinese hackbots and script kiddies let loose with Paros-type exploit finders. Then you have all the job rapists that hammer our sites trying to steal every possible job posted. Added to that are all the content pre-fetchers from toolbars and other "security" based add-ons that bump up traffic with no benefit to the site, as well as all the French government copyright and trademark infringement bots. Then you have the spoofing bots pretending to be IE7 and Firefox users, and agent switchers pretending to be Googlebot. At least the switchers give you an agent, even if it is meaningless. A lot of my traffic, both malicious and harmless, is now coming from people hiding the agent altogether, which is really handy when you want to determine whether a user is a bot or not in real time rather than later from the log files. It's all getting very complicated, which means a lot of homework. In fact I don't think I have read up so much on a web-related subject since I made my own WYSIWYG editor, and that was a hell of a lot of Javascript-related articles I had to read.

I am currently devising a security policy for my new site which will take all this into account and come up with some basic rules to help me with my user-related logic. Items such as:

  • Banning blank User-Agents straight away. If you cannot identify yourself then you cannot use my site, sorry!
  • Treating all access to the robots.txt file as confirmation that the user is a bot. If you manually access the file then tough, no more flash movies for you.
  • If you're going to hit my pages so quickly that it causes high CPU and script timeouts then it's off to the 403 sin bin for you.
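The three rules above applied to a stream of requests, as an added example that is not the site's own code: a blank User-Agent is refused outright, any client that fetches robots.txt is flagged as a bot for the rest of the session, and a client exceeding a sliding-window request rate gets a 403. The record format, the rate threshold and the sample traffic are all constructed assumptions.

```python
from collections import defaultdict, deque

MAX_REQUESTS = 5       # assumed: more than this many requests ...
WINDOW_SECONDS = 10.0  # ... inside this window counts as hammering the site


class AccessPolicy:
    """Stateful per-IP decisions for the three rules in the list above."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS):
        self.max_requests = max_requests
        self.window = window
        self.known_bots = set()            # IPs seen fetching robots.txt
        self.recent = defaultdict(deque)   # ip -> timestamps within window

    def decide(self, ip, ts, path, user_agent):
        """Return one of 'allow', 'allow-bot' (serve the lightweight page) or '403'."""
        # Rule 1: no User-Agent at all -> refused straight away.
        if not user_agent.strip():
            return "403"
        # Rule 2: touching robots.txt marks this IP as a bot from now on.
        if path.lower() == "/robots.txt":
            self.known_bots.add(ip)
        # Rule 3: sliding-window rate check; applies to bots and humans alike.
        hits = self.recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:
            hits.popleft()
        if len(hits) > self.max_requests:
            return "403"
        return "allow-bot" if ip in self.known_bots else "allow"


def evaluate(records, policy=None):
    """Run a list of (ip, timestamp, path, user_agent) tuples through the policy."""
    policy = policy or AccessPolicy()
    return [policy.decide(*rec) for rec in records]


# Constructed sample traffic (not real log data): one browser, one blank agent,
# one crawler that reads robots.txt first, and one IP firing 7 hits in 0.6 s.
SAMPLE_REQUESTS = [
    ("10.0.0.1", 0.0, "/jobs/123", "Mozilla/5.0 (compatible; ExampleBrowser)"),
    ("10.0.0.2", 0.5, "/jobs/123", ""),
    ("10.0.0.3", 1.0, "/robots.txt", "SomeCrawler/1.0"),
    ("10.0.0.3", 1.2, "/jobs/456", "SomeCrawler/1.0"),
] + [("10.0.0.4", 2.0 + i * 0.1, f"/jobs/{i}", "Mozilla/5.0") for i in range(7)]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print(f"{rec[0]:<10} {rec[2]:<12} -> {verdict}")
```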

Click the following link to see a full list of the rules I expect robots to obey, then read on for an example of one of the job rapist bots I banned.

Site Security - SQL Denial Of Service Attacks

We have all heard of SQL injection and denial of service attacks, but you may not have heard of the specific term "SQL Denial of Service Attack", where the attacker exploits the fact that a) most sites use an SQL backend and b) most sites allow users to enter search criteria to bring back results. This particular type of attack targets poorly written search queries that use the LIKE keyword, running CPU intensive queries that return no results and therefore have to search the whole database before coming back empty. These queries max out the SQL server's CPU and take a long time to return, so if the attacker can run a number of search requests at once they may also consume all available connections to the database, making the site unusable. SQL DOS attacks could be a very effortless way for an attacker to take down a site. Read the details in my blog article here: SQL Denial of Service Attacks.

You will also find traces of SQL DOS attacks in the query statistics SQL Server keeps in memory, exposed through the DMVs (dynamic management views) introduced in SQL Server 2005. Running a report such as this beast will help you find the queries that have maxed out your server's CPU or caused huge wait times. It is also a very handy one-stop report for showing you a database's or a whole server's worth of performance data, as it runs up to 20 specific reports (CPU, I/O, wait times, index fragmentation etc).

Site Security - SQL Injection Attacks

More and more websites are falling victim to automated SQL injection attacks originating from China, Russia and other Eastern European countries. Even though the techniques hackers use to attack sites with SQL injection are widely known, it seems from the posts I have read by developers who have suffered a successful attack that the first place to point the finger of blame is still browsers and operating systems, and someone will always ask:

"Is there a patch for Internet Explorer that fixes this hole?"

In truth the cause of a successful SQL injection attack is always going to be poorly written front end code. I don't know whether future developers are being taught about injection techniques at college (which they surely should be). However, I personally think that a lot of sloppy code comes about not through ignorance but rather through developers' natural inclination to copy and paste code from other sources, and especially newbies doing so when they have little or no idea what the code they are using is actually doing. If the code being copied is from an old system, or from an ancient but well ranked web page detailing how to write SELECT statements using string concatenation, then the developer may be saving time now only for it to be taken up later when the site goes live and gets hit by one of the thousands of hackbots around as soon as the page appears in Google. Nowadays a developer only has themselves to blame if they don't by now a) understand how SQL injection works and b) know how to prevent it with correct parameter sanitisation.
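As an added example that is not code from the original articles, here is the kind of concatenated, double-wildcard LIKE search that both the SQL DOS and SQL injection sections warn about, beside a hardened version that uses parameters, escapes the user's own wildcards, matches on a prefix only and caps the rows returned. It uses an in-memory SQLite table as a stand-in for the SQL Server backend; the schema, the rows and the length limits are assumptions.

```python
import sqlite3

MIN_TERM_LENGTH = 3    # assumed: shorter terms only trawl the table for nothing
MAX_TERM_LENGTH = 50   # assumed: bounds the work a single pattern can cause
MAX_ROWS = 20          # assumed: cap on rows a search may return


def setup():
    """Constructed stand-in for the site's jobs table (sample data, not real)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO jobs (title) VALUES (?)", [
        ("Senior ASP Developer",), ("SQL Server DBA",), ("100% Remote PHP Role",),
    ])
    db.execute("CREATE INDEX ix_jobs_title ON jobs(title)")
    return db


def weak_search(db, term):
    # The pattern the articles describe: user text concatenated straight into a
    # leading-wildcard LIKE. A quote breaks the statement (injection), an empty
    # term matches every row, and any miss has to scan the whole table.
    sql = "SELECT title FROM jobs WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]


def escape_like(term, esc="\\"):
    """Make %, _ and the escape character literal so users cannot supply wildcards."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def safe_search(db, term):
    """Parameterised, length-checked, prefix-only search with a row cap."""
    term = term.strip()
    if not MIN_TERM_LENGTH <= len(term) <= MAX_TERM_LENGTH:
        raise ValueError("search term length out of range")
    pattern = escape_like(term) + "%"   # trailing wildcard only: index-friendly
    sql = ("SELECT title FROM jobs WHERE title LIKE ? ESCAPE '\\' "
           "ORDER BY title LIMIT ?")
    return [row[0] for row in db.execute(sql, (pattern, MAX_ROWS))]


if __name__ == "__main__":
    conn = setup()
    print("weak, empty term :", weak_search(conn, ""))       # every row
    print("safe, 'sql'      :", safe_search(conn, "sql"))
    print("safe, '100%'     :", safe_search(conn, "100%"))   # literal percent
```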

View my blog to read articles detailing:

How to quickly clean up a hacked system, with details of the plasters which can be applied to quickly reduce the threat of future hacks.

A list of SCRIPT URL references that the latest bots are using and that you should be on the lookout for.

Hacked Database? Emergency Clean Up Script

You've just been hacked by one of those automated hack bots. You're going to fix those gaping holes in the application, but first you need to clean up your database and remove the thousands of links to those virus-infected sites. You have no time to write your own script and no money to buy one of those clean up packages. If you're stuck and you use SQL 2005 or 2000 for your backend then this clean up script will help you out by doing exactly what those costly database clean up applications do, but without the GUI or the cost. Use the Clean Up Script to find out how much data has been corrupted by searching for one or multiple hack strings at a time. Once you know how much data has been affected you can run the script to output all the necessary clean up SQL statements, or have it run them automatically.