

April’s war on WordPress security

This is a month that will go down in infamy. Well, at least as far as WordPress security goes. There is a massive worldwide “brute force” attack going on and servers far and wide are experiencing slowdowns and lockouts.

There is not a lot of information yet. The attack is known to be using forged or spoofed IP addresses. It is trying to guess passwords – that’s why it’s called a “brute force” attack.
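A quick way to tell whether this traffic is reaching your own server is to count login POSTs per client address in the web server’s access log. The script below is an added example (mine, not from the original post): it works on the default Apache/nginx combined log format and runs against a few constructed sample lines (documentation IP ranges, not a real server). Since the post notes that addresses may be forged, treat the per-address counts as a triage signal rather than a block list.

```shell
#!/bin/sh
# Added example (not from the original post): tally POST requests to
# wp-login.php per client address from a combined-format access log, so you
# can see whether the login-guessing traffic is hitting your server and from
# how many addresses it comes.
set -eu

# Constructed sample log lines (documentation IP ranges, not a real server).
SAMPLE_LOG='203.0.113.5 - - [12/Apr/2013:15:57:01 -0700] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:15:57:02 -0700] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2013:15:57:02 -0700] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:15:57:03 -0700] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Apr/2013:15:57:04 -0700] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:15:57:05 -0700] "GET /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2013:15:57:06 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# login_posts_per_ip MIN  < access.log
# Prints "count address successes" for each client with at least MIN POSTs to
# wp-login.php, busiest first. A failed login is answered with a 200 (the form
# is re-served with an error message); a successful one is a 302 redirect to
# wp-admin, so the third column shows how many of a client's attempts got in.
login_posts_per_ip() {
    awk -v min="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
            hits[$1]++
            if ($9 == 302) ok[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min)
                    printf "%d %s %d\n", hits[ip], ip, ok[ip] + 0
        }
    ' | sort -rn
}

# Run against the sample. On a live server, something like:
#   login_posts_per_ip 20 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | login_posts_per_ip 2
```

A client that shows a high count with zero successes is the slowdown traffic the post describes; one with a high count and a success at the end is the case worth investigating first, because a guess eventually landed.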

[Screenshot: 2013-04-12]


SOLUTIONS – server level

The solution I’ve opted for – at least for now – is to protect all WordPress login pages with HTTP authentication at the server level with one script. This should foil all attacks – they won’t even load the login page – unless the attack script gets smarter than it is now. The nice thing about this solution is that I can easily edit or reverse it without editing all sites.
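The post does not show the script itself, so here is an added example of what such a script can look like for Apache (my code, not the author’s). It assumes an htpasswd file at a path you choose (created once with `htpasswd -B -c`), that the vhost allows `AllowOverride AuthConfig` so `.htaccess` may carry auth directives, and that `wp-login.php` sits in each document root. The marker comments are my own convention so the fragment can be removed again without touching the rest of the file, which is the “easily reverse it” property the post wants.

```shell
#!/bin/sh
# Added example, not the author's script: put HTTP Basic authentication in
# front of wp-login.php for every WordPress document root given on the command
# line, and take it out again with one command.
set -eu

# Assumed path to the htpasswd file; create it once, outside the web roots:
#   htpasswd -B -c /etc/apache2/wp-login.htpasswd someuser
HTPASSWD_FILE="${HTPASSWD_FILE:-/etc/apache2/wp-login.htpasswd}"
GUARD_FILE=".htaccess"
BEGIN_MARK="# BEGIN wp-login-guard"   # marker names are my own convention
END_MARK="# END wp-login-guard"

# render_guard HTPASSWD_PATH: print the Apache fragment. Needs
# AllowOverride AuthConfig (or All) in the vhost for .htaccess to be honoured.
render_guard() {
    printf '%s\n' "$BEGIN_MARK" \
        '<Files wp-login.php>' \
        '    AuthType Basic' \
        '    AuthName "WordPress login"' \
        "    AuthUserFile $1" \
        '    Require valid-user' \
        '</Files>' \
        "$END_MARK"
}

# has_guard DIR: true if DIR/.htaccess already carries the fragment.
has_guard() {
    [ -f "$1/$GUARD_FILE" ] && grep -qF "$BEGIN_MARK" "$1/$GUARD_FILE"
}

# add_guard DIR: append the fragment once (idempotent), keeping existing rules.
add_guard() {
    if has_guard "$1"; then return 0; fi
    render_guard "$HTPASSWD_FILE" >> "$1/$GUARD_FILE"
}

# remove_guard DIR: strip only our fragment, leaving the rest of .htaccess alone.
remove_guard() {
    has_guard "$1" || return 0
    tmp="$1/$GUARD_FILE.tmp.$$"
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip
    ' "$1/$GUARD_FILE" > "$tmp"
    mv "$tmp" "$1/$GUARD_FILE"
}

# Usage: protect-wp-login.sh add|remove /var/www/site1 /var/www/site2 ...
main() {
    action="$1"; shift
    for docroot in "$@"; do
        if [ ! -f "$docroot/wp-login.php" ]; then
            echo "skip $docroot: no wp-login.php here" >&2
            continue
        fi
        case "$action" in
            add)    add_guard "$docroot" ;;
            remove) remove_guard "$docroot" ;;
            *)      echo "usage: $0 add|remove DOCROOT..." >&2; return 2 ;;
        esac
    done
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Two things worth knowing before using it: Basic auth sends the username and password base64-encoded on every request, so the login page should only be reachable over HTTPS; and the extra prompt applies to legitimate editors too, so share the htpasswd credentials with them. On nginx the equivalent is an `auth_basic` / `auth_basic_user_file` pair in a `location = /wp-login.php` block rather than an `.htaccess` fragment.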

SOLUTIONS – via plugins

First of all, make sure you don’t have any users with the default username “ADMIN” – that’s what this attack is targeting. But even if you don’t have any users with that name the attack can still slow down your server.

Stealth Login Page
After much hunting for a plugin-based solution I finally found this. It will easily let you obscure your login page so these attacks won’t have a chance to slow your server down. I suppose the server has a small overhead when dealing with the redirect for requests for the default login URL but that must be much lower than having to serve the login page and bounce incorrect logins (and track IPs of incorrect logins). It allows you to redirect all requests to the default login page while preserving requests that add a short configurable code to the login URL.

The better solution is to block the default login URL via http authentication as mentioned above – but many users will not know how to set that up.

Update: this URL is not working today (April 26), but the rest of the site works, so hopefully it will be fixed soon.
This plugin is a paid version ($9.99) of what the free plugin above does. It integrates with a free “Custom Login” plugin that allows you to customize the look of the login page. It allows you to redirect or “kill” all requests to the default login page while preserving requests that add a short configurable code to the login URL. This plugin requires Custom Login version 2.x or later, which can be downloaded for FREE in the WordPress repo.

Google Authenticator
I have not used this one, but it sounds like a good option, though it needs more “stuff”. The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry. You need the Google Authenticator app installed on your smartphone.

This plugin will let you add a math CAPTCHA to the login page – and to a variety of other locations as well. At this point the spam robots can’t get past even a simple CAPTCHA, so it should do something to help with server slowdowns due to frequent attacks – however, the spam robots can still access the login page and therefore still slow down your server via many requests.

A better solution might be to block the submit button somehow – but I’m not sure such a plugin exists and if it did I’m not sure how easy it would be for the robots to still submit the form even if the UI blocked the submit button.



SOLUTIONS – other good plugins

These other plugins offer great features – but won’t help much for this particular attack…

1) Better WP Security
This plugin does a lot more than limit your login attempts – so it has a chance of cleaning up whatever will cause the next big security issue. It’s got a great ‘easy’ mode where it will highlight the 5 or so highest priority items that need attention, and it will clean those items with just a couple of clicks. The plugin also has lots of useful information to teach you about security. The downside is that there are lots of tabs and lots of options and it takes time to find your way around.

2) Limit Login Attempts
This is nice and simple. As soon as you turn on the plugin it just starts working. It will escalate lockouts from 20 min to 24 hours, which is a nice feature. Its default is 4 tries, and in the current situation that might be a bit too many, but it depends how many sites are on your server.




Security side note: the Social Media Widget plugin (social-media-widget) is being used to inject spam into websites, and it is recommended that you remove it.


Posted in WordPress | Leave a comment

GigPress vs “All in one event calendar”


AI1EC has many more features than GigPress—so I’ll start with a list of the advantages of the “All in one event calendar” (aka AI1EC) vs GigPress:

  1. More layouts: gigpress has just a list view; AI1EC has poster board and many more (daily, weekly, monthly and list/agenda) and allows user to switch between them
  2. Categories: in any layout user can pick one or a few categories to view. Tags are another option for filtering – and with some custom work you can rename these to be “Bands” and “venues” or something like that.
  3. Subscription by category: both plugins offer iCal subscription but AI1EC offers subscription by category (so if someone wanted just one “band” to appear in their calendar that is possible – but takes a couple steps so only technically sophisticated folks will do that I think.)
  4. Widgets – the AI1EC widget has that date thing on the left with a hover card for each entry. It would take more work to have it spit out a really simple format like gig press. But the AI1EC widget can show just one category which is a powerful feature.
  5. Facebook: AI1EC has a feature where it can push your events to Facebook – not as posts to your Facebook wall but as Facebook “events”. I have not used this feature yet and saw some bugs with it in the last version of AI1EC.
  6. AI1EC makes a separate “page” for each event
  7. AI1EC makes recurring events easy

However, GigPress has an advantage with fewer features – it’s easier to use if it fits your needs. If you only need list views of events and don’t mind linking to separate posts (that you need to make as a separate step – if you even need a whole post/page for events) then GigPress might be a great choice for you.

A list of my AI1EC sample sites

These two are minimally modified:

Single events are using the built in AI1EC Google maps option:
This one has a ‘buy tickets’ option that I had to add manually:



Posted in Web Design, WordPress | 2 Responses

Gravity Forms for Ecommerce with tax and shipping options

I love Gravity Forms. It’s the best form building tool for WordPress and now it offers a new feature that allows more complex calculations between fields. Combine that with the PayPal Payments Pro and you have a really fast, simple and powerful ecommerce option for those times when a full WordPress ecommerce system/plugin is not needed. Easier to set up, easier to maintain and gets the job done.

The sample below allows for a variety of shipping prices based on order total (but you could base it on total number of items too). It also adds sales tax – but only if your shipping address is set to California. Of course you could set it to any state. Note that the shipping field disappears when selecting a different state. The key is to set up a “subtotal” field and put your calculations in there.

There are some notes in this form – let me know if you have further questions about how this is set up in the comments below and I’ll do my best to help explain the options. See screenshots at the end of this post.

UPDATE 8/2020: I found this bit of free code from GravityWiz that gives you a ‘subtotal’ field – I tried it and it works. It is a simpler solution that saves lots of work if you need to edit your form products with any regularity or if you have lots of products.

see also: https://docs.gravityforms.com/gravity-forms-pricing-adding-tax

UPDATE 4/2014: I have had users ask me for a copy of this form. Here’s an XML export of the form – it should be ready to import into your Gravity Forms. Let me know if it helps.

Gravity Forms admin screenshots

[Screenshots: Gravity Forms shipping subtotal; Gravity Forms California sales tax]


2020 update: screenshots of the GravityWiz ‘subtotal’ field used in a calculation field type, with conditional fields so that the tax only applies to California.


Posted in WordPress, WordPress WooCommerce | Tagged | 9 Responses

Not For Sale: End Human Trafficking and Start Human Empowerment

Looks like a great non-profit – their goal is to fight the growing slave industry. I gave a donation and encourage my readers to check it out.

I want specifically to point out the design of their support page (they title it “empower”). It’s very impressive. They offer multiple ways to get involved in an interactive series of checklists. I’m not 100% convinced it’s what all visitors need – I would prefer a “quicklink” to just making a cash donation. But still it’s very innovative and other NGOs might find it inspiring. I can think of some other non-profits that I built WordPress sites for that could perhaps use a simpler version of this kind of page to help communicate the many ways to promote their cause.

Want to get involved with Not For Sale? Want to be a part of the modern-day abolitionist movement? Not sure how to get started? This tool is designed to help identify which Not For Sale projects and programs are best suited for you.

By answering a few questions, the tool can tailor a list of action steps that will best help you get involved. Begin by choosing which areas of society you identify yourself, then you can refine your results by answering further questions about time commitment, community engagement, financial support and leadership. Let’s get started!

via Empower – Not For Sale: End Human Trafficking and Slavery.

Posted in Web Design | Leave a comment

WCSF: Notes From WordCamp 2012

Post “State of the Word” @WordCamp 2011


Well, this is long overdue but I finally cleaned up my notes from WordCamp.

Adding custom content types: I’ve always been on the lookout for a Drupal-like “views” module for WordPress. These tools come close:

Other fun things I learned about

  • SASS for CSS
  • REM not em for best responsive CSS
  • S2member for member and paid level management
  • Hellobar: a simple idea: use the top 30 pixels of your site for eye-catching messages. Hellobar includes A/B testing and its own analytics so it might be worth paying for on an ongoing basis. Other similar solutions like Foobar are just a plugin with no extra fees. (Let me know if you have a free version you use.)
  • SlideDeck: Slider & Gallery Plugin that gives a powerful UI and lots of sources and skins for building sliders
  • Flare social sharing bar
  • HappyTables: free restaurant website-building tool – developed around a customized version of WordPress

Chatting with Matt about new WordPress usage stats.

Notes from 2011

Posted in Web Design | Tagged | Leave a comment

Apple Mail “Letterbox” update fix

Apple Mail disabled the amazing “Letterbox” plugin after the recent Mac OS X 10.6.8 update. Here’s a link to an easy fix.

Letterbox is a plugin for Apple’s Mail.app that takes advantage of the full width of your monitor. It rearranges the interface into three vertical columns so the message pane is to the right of the message list, rather than below.

MailPluginFix is a free tool which will fix any incompatible Mail.app plugin after an update of Mac OS X.

via CODE2K:LABS – MailPluginFix.

Posted in Product Reviews | Leave a comment

Ari’s first Quirky invention: iPhone bike mount

After years of participating in the Quirky community I finally got motivated enough to submit my own invention idea.

Waterproof iPhone bike mount with integrated lens for wide angle video recording or “precording” while biking.



Some bikers want to record their ride for fun. Others want to record their ride for the insurance of having a record of a collision. Everyone wants a cool case that is waterproof and easy to use while biking for maps, music, chatting, reading SMS etc.

This recent NYTimes article talks about the popularity of recording video while cycling.


You already have that iPhone in your pocket while you are biking so why not use it as a safety device?

READ MORE AND VOTE UP MY IDEA: Quirky ideations | Waterproof iPhone bike mount with integrated lens for wide angle video recording or “precording” while biking.

Posted in Inventions | 1 Response

WordPress security plugins: Wordfence

Anyone who has had their site hacked or blacklisted knows how important it is to stay on top of WordPress Security.

Yes, you should use the latest version of WordPress core and, for the most part, the latest versions of plugins. But of course incompatibilities arise, so be careful when updating.

The #1 security measure I suggest is to remove the “admin” user – many robots will assume you have an “admin” user and try to guess the password. By keeping this default user name you are giving away half of the username+password puzzle that is the barrier between your site getting hacked and your site staying safe.

Another distinction: some plugins change the way WordPress works so it’s more secure, while others focus on malware scanning to see if anything has been hacked. Sucuri is a great plugin that scans for hacks – you can do the same free scan from their website. You can also pay them to actively scan, and they will actually fix any issues that come up. Code Garage does backups as well as malware monitoring, so that’s a good option to explore also.

Plugins that do many security tasks

  • WordFence: This is a great new plugin I’m testing out that offers a complete solution for free with an optional paid upgrade that actively scans your site from the outside to make sure it has not been hacked. So it combines security edits with malware monitoring.
  • Better WP Security: I’ve been using this one for a while and it’s great. It has a “one-click” feature that will harden a number of security features very quickly.
  • A good handful of features: Secure WP
  • WP Security Scan

Plugins that solve smaller pieces of the security puzzle
  • Login LockDown: an older, simple plugin that works well but has not been updated recently. Getting the many emails it sent helped me learn how many bots were randomly attacking my sites.
  • Login Lock: like the above with a few extra useful features, like a button to force logout for anyone logged in. This plugin is no longer supported. Another replacement option: Login Security Solution
  • Limit Login Attempts: yup, another plugin with similar features.
  • The name says it all: the Replace WP-Version plugin
  • Updated SSL Plugin: forces SSL anywhere passwords are asked for
  • Timthumb vulnerability scanner: does a bit more than just check for that one giant security issue…

WordPress Ecommerce folks at instinct.co.nz have a great checklist for how to secure WordPress

Posted in Web Design, WordPress | Leave a comment

GoodSync for Mac


GoodSync is a utility that provides all the tools you need to keep your data safe and up-to-date. It works by synchronizing (and backing up) files such as MP3s, Office docs, photos, and financial documents between desktop HD/SSD, laptops, servers, and all manner of thumb/external drives.

GoodSync is very user-friendly—it’s got a geeky but usable UI and is full of functionality. If you need a tool to back up your data to protect it from crashes, or need to synchronize complex data on a network, this tool makes it simple to keep your data current and safe.

Compare to:

  • Syncables 360
  • SugarSync
  • Allway Sync


GoodSync for Mac

Works among Mac OS devices or between Macs and cloud services like Amazon S3 and Google Drive. Connect to other computers and devices by using GoodSync Connect, which finds other devices with GoodSync installed on the internet or over a local network in a peer-to-peer style. Performs syncs over a number of other networks, including (s)FTP and WebDAV. Or sync with clouds including Amazon S3, Amazon Cloud Service, Microsoft SkyDrive, Google Drive (Docs), MobileMe iDisk, and Windows Azure. You can also sync with mobile systems like WinMobile and BlackBerry devices.

Important notes about GoodSync for Mac

  • The free version allows 3 or fewer jobs and 100 or fewer files and folders in each job.
  • You need one license per computer
  • You do not need to uninstall the old version of GoodSync before installing a new one, unless you want to install into a different folder. The new version will keep the options and settings of the previous one.
  • Any data stored in a file can be synchronized


  • GoodSync Desktop for Mac license for $39.95
  • Other plans for PC, Mobile…

GoodSync for Mac review and tips

Tip: It’s important to create a folder at the destination first. I wanted to synchronize a folder “C:\testfolder” to a second drive (F). When I just set “C:\testfolder” as the GoodSync source and pointed it to F (as root), I thought GoodSync would create the folder for me, but that’s not what happens. You will get a message indicating that the folder on the F drive does not exist. If you tell it to go ahead and synchronize, no files are copied.

Tip: The default is for GoodSync to only synchronize when you manually tell it to. You can change that under View – Options – Job name. You can tell it to synchronize automatically under a number of different schedules.

Bottom line: A great option for syncing data, a mature tool that can cover the bases for many use case scenarios.

Posted in Web Design | Leave a comment

Soft-launch: Shrub & Co cocktail mixers

I just soft-launched this new site. Their product is not available quite yet but will be sold on the site soon. It’s a new kind of cocktail mixer – but also used for non-alcoholic drinks like sodas. It is based on a traditional “shrub”: an acidic fruit base pickled in vinegar, then sweetened with sugar, and finally used as a mixer with spirits such as rum or vodka to make a rum-shrub or vodka-shrub.

Shrub & Co elixirs add depth and complexity to your drinks with a clever combination of sweet and savory notes. Rescued from the obscurity of the colonial era and reimagined for today’s craft cocktail enthusiast, our shrubs enhance your favorite concoctions.

visit: Shrub & Co | Cocktail mixer


Posted in Web Design | Leave a comment