Entries tagged with “security” from shiny parts

in security |

Posted this in quiet thoughts, but it should be here.

Stats are in better control now, after making stats password protected and adding the referer controls in htaccess. Only one suspect referer source this month. Most other referers are from kb, plus a few from the 404 webring, now that one’s FUN.

Some of the search phrases that somehow get linked here:

  • seoul tourist souvenir shop opens is insa-dong
  • aeron chairs australia brisbane
  • spare nokia7280

Strange what people search for …

in security |

I’ve been getting hit by referer spam for a couple of months. At first I noticed in my site stats that I’m being linked to by a lot of those stupid poker and pay-day loan URIs. So much so that I have no idea about the genuine people who come to the website.

I added these to MT-Blacklist, knowing that isn’t the source of the problem. I didn’t even know what it was. Gradually I figured it out, and there’s even a name for it.

Lots of articles on how to combat referer spam, mostly passive, but that’s the best we can do now. Someone’s written a perl script to get rid of bad referers in the log file, but I haven’t figured out how to run perl scripts yet.

So I’ve done as much as I know how to.

  1. Password protect the stats log file. Easily done in the control panel. Username is admin, password the usual bxxxxxx.

  2. Block the offending root domains using .htaccess. I got the format and a list of banned referers from Tom Raferty; it’s uncanny how I’ve encountered most of the offenders in his list.

  3. I have to check site stats regularly and update the htaccess file. Small steps though.

Anyway my htaccess file is viewable here.
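The passive approach described above (find the bad referers in the stats, then block their root domains in .htaccess) can be done offline against the raw access log. The script below is an added example, not the blog's own code and not the perl script the entry mentions: it parses Apache combined-format log lines, separates spam referers from genuine ones using a blocklist, and emits the mod_rewrite lines that refuse requests carrying those referers. The log lines, addresses and domain names are constructed for the demo.

```python
"""Referer-spam triage for an Apache combined-format access log.

Added example for this entry; it is not the blog's own code nor the perl
script it mentions. The log lines and the blocklist are constructed for the
demo, and the .htaccess generator emits the standard mod_rewrite pattern for
refusing requests whose Referer names a blocked root domain.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed blocklist of root domains seen in referer spam.
BLOCKED_ROOT_DOMAINS = {"poker-example.test", "payday-example.test"}

# Constructed sample log (RFC 5737 test addresses, reserved .test/.example names).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2005:10:02:11 +0800] "GET / HTTP/1.1" 200 5120 '
    '"http://www.poker-example.test/" "Mozilla/4.0"',
    '203.0.113.5 - - [10/Mar/2005:10:02:12 +0800] "GET /weblog/ HTTP/1.1" 200 7300 '
    '"http://cash.payday-example.test/loans" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Mar/2005:11:15:40 +0800] "GET /kb/htaccess.html HTTP/1.1" 200 4100 '
    '"http://www.search.example/q?htaccess" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2005:11:20:01 +0800] "GET /images/logo.gif HTTP/1.1" 200 900 '
    '"-" "Mozilla/5.0"',
    "garbage line that does not parse",
]


def referer_root_domain(referer):
    """Last two host labels of a referer URL ('' for an empty or '-' referer)."""
    if referer in ("", "-"):
        return ""
    host = (urlsplit(referer).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(line):
    """Label one log line: 'spam', 'direct', 'genuine' or 'unparsed'."""
    m = LOG_RE.match(line)
    if m is None:
        return "unparsed", None
    root = referer_root_domain(m.group("referer"))
    if root == "":
        return "direct", m
    if root in BLOCKED_ROOT_DOMAINS:
        return "spam", m
    return "genuine", m


def triage(lines):
    """Bucket lines by label and count referer root domains for spam and genuine hits."""
    buckets = {"spam": [], "direct": [], "genuine": [], "unparsed": []}
    roots = {"spam": Counter(), "genuine": Counter()}
    for line in lines:
        label, m = classify(line)
        buckets[label].append(line)
        if label in roots:
            roots[label][referer_root_domain(m.group("referer"))] += 1
    return buckets, roots


def htaccess_referer_block(domains):
    """mod_rewrite directives that answer 403 to requests referred from the given roots.

    Each root becomes a RewriteCond with its dots escaped; all but the last carry
    [OR] so that any single match triggers the forbidding RewriteRule.
    """
    roots = sorted(domains)
    lines = ["RewriteEngine on"]
    for i, root in enumerate(roots):
        flags = "[NC,OR]" if i < len(roots) - 1 else "[NC]"
        lines.append(f"RewriteCond %{{HTTP_REFERER}} {re.escape(root)} {flags}")
    lines.append("RewriteRule .* - [F]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    buckets, roots = triage(SAMPLE_LOG)
    for label, hits in buckets.items():
        print(f"{label}: {len(hits)}")
    print("spam roots:", dict(roots["spam"]))
    print(htaccess_referer_block(roots["spam"]))
```

Direct hits (empty or "-" referer) are kept apart from genuine referrals so the spam filter never hides real visitors, and the generated block only ever forbids requests, it does not redirect them anywhere.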

in security , weblog |

When I first set up bullko, I got hit by the stupid poker guy comment spam, where seemingly profound but basically useless comments were left on every single entry, with a link to his website of course. A quick visit to the wordpress support forums yielded a couple of preventative measures.

Do this for all wp powered sites.

wp-blacklist

Like mt-blacklist this is a plug-in that is copied and pasted into wp config. Last updated 21 Sept 2004, I just downloaded it. I'm not sure if it's as good as mt-blacklist (I mean, Jay Allen, wow) but someone has obviously made a huge effort so kudos.

comments file
First I renamed wp-comments-post.php to wp-stopcmts.php. The name doesn't matter, it can be a random jumble of letters like asdfasd.php.

Then I renamed the occurrences of wp-comments-post.php in the other comments files to the new name. Apparently this is called in 3 files, so I went in and made the changes:

  • wp-comments.php
  • wp-comments-popup.php
  • wp-comments-reply.php

Boy I hate spammers.

in how to code , security |

This started off as an exercise to password protect a section of the bullko website. Lots of scripts and software are available, but they either cost money or are too advanced for me.

Most recommend protection using .htaccess and .htpasswd.

I already know how to use .htaccess to prevent directory listing and hotlinking. Here's what to do.

htaccess
Place .htaccess in the same directory that needs a password. If the entire site needs to be protected, place in root directory. Use this code:

# Absolute filesystem path to the password file (not a URL)
AuthUserFile /directory/path/to/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
AuthName "Please enter username and password"

# Applied to every request method. Wrapping this in <Limit GET POST> would
# leave other methods (HEAD, for example) unprotected.
require valid-user


As for the directory path, it's the same for all my sites except for the username, so for invisiblecompany it is:

home/invisibl/www/www/.htpasswd

htpasswd

The .htpasswd file can be located anywhere, preferably somewhere that isn't served to the web. The password must be encrypted and there are a lot of sites where it can be done, just google it, for instance here or here or here.

Generate as many usernames and passwords as necessary and put them all in the .htpasswd file. Don't forget the hard return at the end of the file. It should look a little like this:

user1:sdDHLKJ1asg
user2:FD3lkjdf24fGh
user3:3Tgvpo5VQgd
in security , weblog , what's new |

In the weblog I added a script from orange haired boy which password protects entries.

It involves setting a restricted category so all entries there need a password to get in. It has to be implemented on all pages that show individual entries, meaning main index and all the archive pages.

I also highlight weblog entries on the homepage, but there I get a PHP parse error, probably because I'm trying to run a PHP script where part of it is in an include. I need to fix it.

Once the password is entered it works until cookies are deleted so I'll have to be careful about reading on other people's machines.

Cool script though.

in how to code , security , weblog |

I made some changes to the templates today, cos I learnt a bit more about plug-ins. All of this with much help from Learning Movable Type.

My god, I have too much to learn.

As a reminder to myself, here's what I did.

1. category archive

To put a menu at the top of the category archive that points the readers to the previous and next category, I got a plug-in from bradchoate.

After installation, add this to the category archive template:

<div id="menu">
<MTCategoryPrevious>
<a href="<$MTCategoryArchiveLink$>">« <$MTCategoryLabel$></a> |
</MTCategoryPrevious>
<a href="<$MTBlogURL$>">Main</a>
<MTCategoryNext>
| <a href="<$MTCategoryArchiveLink$>"><$MTCategoryLabel$> »</a>
</MTCategoryNext>
</div>

2. blacklist

Then I got the mt-blacklist plug-in from jayallen. It's dead easy to install and configure.

To maintain, execute from here:

http://invisiblecompany.com/cgi-bin/mt/mt-blacklist.cgi

3. comments & trackback files

Renamed mt-comments.cgi to mt-cmts.cgi, similarly mt-tb.cgi to mt-tbk.cgi and changed mt-cfg.

Replaced:

# CommentScript mt-comments.pl
# TrackbackScript mt-tb.pl
# SearchScript mt-search.pl
# XMLRPCScript mt-xmlrpc.pl
# ViewScript mt-view.pl

with (don't forget to delete the #):

CommentScript mt-cmts.cgi
TrackbackScript mt-tbk.cgi
# SearchScript mt-search.pl
# XMLRPCScript mt-xmlrpc.pl
# ViewScript mt-view.pl

4. close comments

This plug-in from rayners closes comments and pings for entries x days old.

To maintain, execute here:

http://invisiblecompany.com/cgi-bin/mt/mt-close.cgi

Hey it's fun to be a beginner.

in how to code , security |

I already took out mailto links to prevent harvesting. The public email address is displayed using [at] instead of @. A human can understand but not a bot.

For further security, I added a couple of .htaccess files. These are strange beasts: initially when I tried, I got 404 errors on every page, so I quickly took that out. This time round I started simple.

A reminder to myself, there must always be a "." at the start of the file name, and it's always in plain text format. The trick I find is saving and loading it as htaccess.txt, then changing the name to .htaccess (no suffix) in control panel.

1. Disable hotlinking
Hotlinking is when someone links to an image directly on the source website. So when other people view the page or click on the image, the source server has to send the image over. This is bandwidth stealing. The person who wants to show that image should save the file on their own server and use their own bandwidth.

Place the .htaccess in the same folder as the images that should not be hotlinked. Code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?invisiblecompany.com(/)?.*$ [NC]
RewriteRule .*\.(gif|jpg|jpeg|bmp)$ - [F,NC]

This will deal with gif, jpg, jpeg and bmp files. If other file formats need to be blocked, like png, just add "png" to the list.
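The three directives above are easy to misread, so here is an added example (not the blog's code) that re-implements the same decision in Python so it can be tried against sample requests without touching a live server. It keeps the page's own referer pattern as written and, alongside it, a tightened variant with the domain's dot escaped and the host anchored; the original pattern, because it ends in `.*$`, also accepts any referer whose host merely begins with the site name. Sample paths and referers are constructed.

```python
"""Simulate the hotlink-protection .htaccess rules.

Added example, not the blog's code. Re-implements the RewriteCond/RewriteRule
logic so the patterns can be tested offline. Sample inputs are constructed.
"""
import re

# Extension list from the .htaccess above; add "png" etc. to extend it.
IMAGE_EXTS = ("gif", "jpg", "jpeg", "bmp")

# Own-site referer pattern exactly as written in the entry (dot unescaped,
# anything allowed after the host name).
REFERER_AS_WRITTEN = r'^http://(www\.)?invisiblecompany.com(/)?.*$'

# Tightened variant: dot escaped, host must end right after the domain.
REFERER_STRICT = r'^https?://(www\.)?invisiblecompany\.com(/|$)'


def hotlink_blocked(path, referer, exts=IMAGE_EXTS, strict=False):
    """True when the request would hit 'RewriteRule ... - [F]' (a 403).

    RewriteCond %{HTTP_REFERER} !^$        -> empty referer: rule skipped
    RewriteCond %{HTTP_REFERER} !^http://... [NC] -> own site: rule skipped
    RewriteRule .*\\.(gif|jpg|jpeg|bmp)$ - [F,NC] -> protected file: forbidden
    """
    if referer == "":
        return False            # direct visits and referer-stripping browsers pass
    own_site = re.compile(REFERER_STRICT if strict else REFERER_AS_WRITTEN,
                          re.IGNORECASE)
    if own_site.match(referer):
        return False            # linked from our own pages
    rule = re.compile(r'.*\.(' + '|'.join(exts) + r')$', re.IGNORECASE)
    return rule.match(path) is not None


if __name__ == "__main__":
    cases = [
        ("/images/photo.jpg", "http://forum.example/thread"),
        ("/images/photo.jpg", ""),
        ("/images/photo.jpg", "http://www.invisiblecompany.com/page.html"),
        ("/images/photo.png", "http://forum.example/thread"),
        ("/images/photo.jpg", "http://invisiblecompany.com.example/"),
    ]
    for path, ref in cases:
        print(f"{path!r:22} referer={ref!r:48} "
              f"as written: {hotlink_blocked(path, ref)}  "
              f"strict: {hotlink_blocked(path, ref, strict=True)}")
```

Keeping the empty-referer exception is deliberate: many visitors and proxies send no Referer at all, and forbidding them would break the site's own images for real readers.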

I've created a public images folder on the website so if I ever need to make an image available that's where it will go. Like putting avatars or images on some forums, or for whatever reason.

2. Directory listing
Sometimes people enter URLs like http://domain.com/folder/ to get a listing of the files in that folder. Most of the time it's harmless, but why let them know so much? To prevent directory listing, place the .htaccess file in the applicable directory, or in root for the entire site. Very simple code for the file:

IndexIgnore *

This hides every file from the generated index, so the visitor gets an empty listing rather than a refusal; where the host permits it, Options -Indexes turns the listing off altogether and answers with a 403 instead.


.htaccess can also be used to impose a password for particular folders. This seems pretty neat. I'll get round to it eventually.
