Development of Artist’s Gallery Shop

It was a great honour to have been asked to re-develop this website. The artist Danny Pockets sadly lost his fight with cancer earlier in the year.

His website had been developed with classic ASP and had security holes that were allowing hackers to compromise it.

We chose the WordPress plugin WooCommerce to replace the online shop, with the default theme, Twenty Seventeen, as the foundation for this project. We applied design changes (most prominently the header slider) retrospectively using our plugin “Options for Twenty Seventeen” and other bespoke code.

The result is a website that is future-proofed through its use of a theme that will be supported for many years to come.

Redesign in Chinese

We were brought in on this project by our colleagues and friends at Starfish Creative to realise a new design for their client.

The most obvious issue from the outset was that the site’s only language was to be Chinese.

So we used WordPress, which delivers language support out of the box, and the default WordPress theme, Twenty Seventeen, as the foundation for this project, applying the required design changes retrospectively using our plugin “Options for Twenty Seventeen” and other bespoke code.

The result is a website that is future-proofed through its use of a theme that will be supported for many years to come.

Holiday Company Web Redesign

“Ditch your mates!” is HOFNAR’s recent tag … perhaps “Ditch your web designer!” should be ours! 😀

Dan at HOFNAR had tried several different development agencies and avenues in vain to bring to fruition his requirements for his Ski and Snowboarding holiday website.

So we headed out to the mountains to get him sorted out …

They were already using WordPress, so we were able to “re-skin” the existing site using the default WordPress theme, Twenty Seventeen, as the foundation for this project. We applied design changes (most prominently the responsive, full screen video header) retrospectively using our plugin “Options for Twenty Seventeen” and other bespoke code.

The result is a website that is future-proofed through its use of a theme that will be supported for many years to come.

Artist’s Gallery Website Development

We were brought in on this project by our colleagues and friends at Starfish Creative to realise a new design for their client and to implement a bespoke requirement for product enquiries.

We integrated features of WooCommerce with features of Contact Form 7 so that categories and products would automatically populate and pre-populate drop down menus on the purchase options page.

Bed and Breakfast Website Development

Rosemary Cottage had had the same static website for decades and we were delighted to be instructed to bring this bed and breakfast into 2018 with a responsive WordPress website that the owner could easily update themselves.

Reverse Engineering Hacker’s Code

Yesterday a client came to us with a compromised website. It was a very familiar story. They used WordPress and hadn’t updated their plugins, theme or WordPress core for probably years. A lot of the plugins were abandoned or removed from the WordPress plugin repository and some weren’t even being used.

So it was no surprise really.

We signed in and noticed very quickly that the usual admin ability to add new plugins or perform updates had vanished. This has become the first sign that all is not well with a WordPress site. More on that later.

Taking a quick look at Wordfence’s latest scan log revealed that wp-config.php (the main WordPress configuration file, more on this later too) was flagged as compromised.

A quick look at this file found the following injected code (we have changed it slightly so it can’t harm your computer) …

Most developers will remove the code (which we did) and notice that the site admin functions return to normal (if you don’t have any other modified files). The site can then be cleaned, upgraded, patched, etc., and most will hope that that is the end of the problem. But it isn’t, and we will show you why.

So we decided to take the time to see what this code actually does; and we were secretly quite pleased to find it was a bit of a challenge!

The first thing the script does is create an anonymous function using the PHP function create_function(). Eagle-eyed readers will see that they have hidden this call (because it’s probably searched for by security plugins) by splitting it, putting “create_” at the beginning and “function” towards the end of the script.

But what is the function it creates? Well that’s all hidden in the encrypted text which takes up the bulk of this code.

To decrypt the text (rather than run it) we found the line which read “$ebalew[2]=gzuncompress(mitagov(235^552,1316^3087));” and changed it to echo the result rather than store it in the array $ebalew[2]. This renders the code safe to run, because it breaks the create_function call.

And this is what we discovered …

We quickly realised that our job wasn’t done yet; the script was still riddled with hidden, encrypted variables like mitagov(24+185,9).

Amazingly, these encrypted variables are extracted by referring to a function in the original code which uses the original encrypted text to hide these values. So we created a function that would allow us to decrypt these variables one by one …

And piece by piece we put the hacker’s code together, changing the variable names from gibberish to make them easier to read and understand.

So here’s what it does 🙂

The first thing they do is save the error reporting level in PHP and turn off error reporting …

if (function_exists('error_reporting')) {
    $error_level = error_reporting();
    error_reporting(0);
}

… at the end they return error reporting to where it was in the first place …

if (function_exists('error_reporting')) {
    @error_reporting($error_level);
}

The next thing causes the symptoms that you find in WordPress …

define('DISALLOW_FILE_EDIT',1);

This tells WordPress not to allow files to be edited, which in turn prevents plugins from being installed or any updates from being applied. We assume this is an attempt to stop WordPress users from editing the files and removing the hacker’s code, but for the life of us we’re not sure why they put it in, as it immediately alerts WordPress users that something is not quite right!

Next there are a few functions. The first is the most worrying. It appears to be some kind of decrypting algorithm; we think it is there either to decrypt double-MD5-hashed passwords or to extract an encryption salt, or something else entirely, but we’re not 100% sure, so we’re not going to show it. It is fired when a cookie is found on the user’s computer, so we think it is there either to identify the hacker and show them something, or to identify a logged-in user and capture their login cookie.

The code then runs through the page’s passed query variables, makes changes to them and saves them back to the query variables.

The following array of server directories …

$array_of_local_directories_to_test = Array(
    '/dev/shm',
    '/run/shm',
    '/run/lock',
    $directory_path.'/wp-content/cache',
    @ini_get('upload_tmp_dir'),
    @$_SERVER['TMP'],
    @$_SERVER['TEMP'],
    @$_ENV['TMP'],
    @$_ENV['TMPDIR'],
    @$_ENV['TEMP'],
    '/tmp/.font-unix',
    '/tmp/.ICE-unix',
    $directory_path.'/tmp',
    $directory_path.'/wp-content/uploads',
    '/tmp',
    @session_save_path()
);

… is then tested to see if the script has permission to write to them!

It then tests to see if the user is in fact a search engine and then it contacts the following servers …

Array('u1.analytica.org','f1.argentum.pw','b4.foobar.net');

… and sends them everything it’s found including a copy of the WordPress wp-config.php file.

We have only looked at this code for a few hours and may not have got everything right … but … the upshot is that if you find anything similar to this in your WordPress installation then removing it and cleaning the site is not enough. You will need to do the following afterwards …

  1. Change all your user passwords
  2. Change your database password (and username and database name if you can)
  3. Change all the Authentication Unique Keys and Salts that are set in the wp-config.php file

We hope this hasn’t scared you too much but if there’s one thing we’d like you to take from this post, it’s to take the security of your website even more seriously!

Interior Designer Web Development

We designed this portfolio website for Rachel Webster for her to show her work to her future clients. Rachel wanted a site that would reflect her design skills whilst still being easy to navigate.

Event Management Website Development

We are often contacted by clients who are looking to have their existing website updated with new features and content. This event management company asked precisely this of us, and we were able to help update their bespoke theme with all the design and feature changes they required.

Hospital Website Development

The Rye, Winchelsea and District Memorial Hospital required a new website that was responsive (able to be viewed on devices of all different screen sizes) and much more user friendly to edit and update content.

The client wished to keep the same design feel of their original existing website but with these additional features.

Festival Website Development

We’ve recently built a website for Rye’s new Festival of the Sea. This superb new event is the amalgamation of two previously suspended events namely Rye Maritime Festival and Rye Raft Race.

The website shows visitors what the festival is all about, what’s going on and how to get involved.

IMPORTANT: Projected Overage Charges – GPU

In the last few days and weeks we have had a lot of our clients who run WordPress saying they’ve received warnings and additional bills from their web hosting providers for excessive GPU usage. This article will explain what’s going on, how we sorted it out and how you can too.

Here is an extract from an example email from Media Temple …

IMPORTANT: Projected Overage Charges – GPU

This is a notice to inform you that your Grid-Service GPU (Grid Performance Unit) usage for the current billing cycle is projected to exceed the amount included with your purchased plan. Please review the information below as your account will be charged if you exceed the GPUs included with your Grid-Service.

Please note that this is only a projection, as determined by an automated analysis of your Grid-Service. It is entirely possible that, if this pattern of high resource usage continues, you may be liable for substantially higher overages than those currently anticipated by this projection.

Whilst this notification is quite worrying to say the least, let’s break it down. What they are saying is that your website or websites are using more than your allotted GPUs and that it’s likely that if this continues you will be charged for the overage.

So, what is a GPU?

Well, it’s not bandwidth (data your server uploads and downloads) or your storage limit, both of which are measured in GB (gigabytes). A GPU is a measurement of processor (CPU) use on your web server. Every time a page on your WordPress website is accessed, the page has to be created by the web server, and this puts load on your web server’s processor.

So, what’s going on?

We had a look at the stats on the server for the websites in question and saw that a pattern quickly formed showing the following scripts that were being run hundreds (and in some cases thousands) of times …

  • /wp-login.php
    This is the login page for WordPress; hundreds or thousands of hits to this page is not normal and is almost certainly a brute force attempt to hack the admin password. We needed to find a way to completely block this page without denying legitimate access to the WordPress control panel.
  • /wp-admin/admin-ajax.php
    This is a WordPress core feature which is used to provide functionality to the control panel when things happen without you going to another page. Features include (but are not limited to) automatic saving of posts, updating of plugins on the plugin page and viewing of the media library when adding media to a page. In theory this script can be blocked when the WordPress control panel is not in use but some WordPress Themes and Plugins also make use of this file.
  • /wp-cron.php
    This is a WordPress core feature which is used to perform scheduled tasks in the background. Tasks include (but are not limited to) scheduling of posts to go live in the future and automatic updates of the WordPress core. If you’re not too bothered about scheduled posts and you manually keep your WordPress core up-to-date, you can probably block this script; however, popular plugins like Wordfence make use of it to keep an eye on your website and inform you when things need attention.
  • /xmlrpc.php
    This is a WordPress core feature which allows users to publish to their WordPress website remotely. This feature has been abused in the past and has been used to brute force admin passwords. If you don’t use another program to publish content to your WordPress website then we believe you should block this script.
  • /robots.txt
    This file tells search engines what can and can’t be crawled and indexed from your website. So excessive hits to this file are quite normal but can be very detrimental to the load on your server if the file doesn’t exist. Why? Because WordPress will create an automatic version of this file which fires up the entire WordPress core to in turn serve a very small file. So, if you don’t have a robots.txt file, you may as well block access to it.
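To see the pattern the server stats showed, here is an added example (not the agency’s plugin and not from the original post) in POSIX shell: an awk aggregation over constructed access-log lines in the usual “combined” format that counts hits and distinct client IPs for the five scripts above, so a brute force on wp-login.php spread across many addresses stands out from ordinary traffic.

```shell
#!/bin/sh
# Aggregate hits to the WordPress entry points discussed above from a web server access log.
# Added example for this post; not the agency's plugin and not part of WordPress.
set -eu

# Constructed sample lines in Apache/nginx "combined" log format (not a real client's log).
SAMPLE_LOG="$(cat <<'EOF'
203.0.113.10 - - [01/Mar/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Mar/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Mar/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2018:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.5 - - [01/Mar/2018:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 61 "-" "Mozilla/5.0"
192.0.2.5 - - [01/Mar/2018:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.9"
203.0.113.99 - - [01/Mar/2018:10:00:07 +0000] "GET /robots.txt HTTP/1.1" 200 67 "-" "Googlebot/2.1"
192.0.2.5 - - [01/Mar/2018:10:00:08 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
EOF
)"

# hits_per_script: read a log on stdin and print "path hits distinct_ips" for each of the
# five scripts named in the post, most-requested first. Other paths are ignored.
hits_per_script() {
    awk '{
        ip = $1
        split($7, parts, "?"); path = parts[1]          # drop the query string
        if (path ~ /^\/(wp-login\.php|wp-admin\/admin-ajax\.php|wp-cron\.php|xmlrpc\.php|robots\.txt)$/) {
            hits[path]++
            if (!((path, ip) in seen)) { seen[path, ip] = 1; ips[path]++ }
        }
    }
    END { for (p in hits) printf "%s %d %d\n", p, hits[p], ips[p] }' | sort -k2,2nr
}

# flag_brute_force THRESHOLD: scripts hit more than THRESHOLD times. A high hit count spread
# over many distinct IPs is the multi-address wp-login.php brute force the post describes.
flag_brute_force() {
    hits_per_script | awk -v t="$1" '$2 > t'
}

printf '%s\n' "$SAMPLE_LOG" | hits_per_script
echo "--- over threshold (3 hits):"
printf '%s\n' "$SAMPLE_LOG" | flag_brute_force 3
```

Pipe a real access.log into hits_per_script instead of the sample to get the same table for your own server, and raise the threshold to suit your normal traffic.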

So, how did we fix it?

Well, the most important thing to do was to prevent wp-login.php from being accessed. And we don’t mean limiting the number of times this file can be viewed before the system locks a hacker out (which other popular security plugins do) but actually stopping WordPress from showing the page at all when the default login page is accessed. This is because when hackers use multiple IP addresses to perform a brute force attack on a WordPress website, this has the same effect as a DDoS attack, and so to prevent the server being overloaded the WordPress site has to completely ignore these requests.

We decided to develop a plugin (which you can download here) which would do exactly that. We did look at existing plugins but none did the job we required. Some would limit the number of login attempts, some would redirect the login page to the home page.

Our plugin, Block wp-login, completely prevents WordPress from seeing any attempts to access wp-login.php by telling the server to return a “403 Forbidden” response to any requests for this page. The plugin then creates a completely new and “secret” login page and lets the WordPress administrators know what the new login is.

Installing and configuring this plugin immediately solves the problem of load on the server caused by multiple hits to the wp-login.php page and in turn helps to limit the hits on wp-cron.php.

The plugin also optionally lets you block access to admin-ajax.php, wp-cron.php, xmlrpc.php and robots.txt.

Feel free to use our plugin and to contact us if you run into problems, find a bug or want to suggest a new feature.

… and don’t forget to leave us a review if you like it!

Development of Estate Agent Website

We were set the task of developing a secure front end to a large chain of estate agents in the south east for them to promote their large portfolio of properties to their customers.

We created a website that exactly matched their design and feature requirements and hooked into their existing property management software, so that new properties and amended property details were automatically displayed on the website without any need for them to do so themselves!