Problem:

The “Insert into Post” button is missing when trying to insert a product image into a WP e-Commerce Product Page

Solution:

File: root/wp-content/plugins/wp-e-commerce/wpsc-admin/includes/display-items-functions.php

Line 1102:

Change

td.savesend input.button {
display: none;
}

To

td.savesend input.button {
display: block;
}

WARNING: I have no idea what type of consequence this edit will have on your WordPress installation or if it will conflict with your theme.

Tutorial: http://digitalraindrops.net/2010/08/the-second-menu/

Files affected:

1. functions.php
2. header.php
3. navigation-2.php (new file)
4. style.css

Note: Since I didn’t want the second menu to look different from the main menu, as the tutorial instructs, I altered some of the PHP code in the navigation-2.php file.

Change:

<?php /* Start add our second page menu */ ?>
<div id=”pagemenu” role=”navigation”>
<?php wp_nav_menu( array( ‘container_class’ => ‘page-header’, ‘menu_class’ => ‘page-menu’, ‘theme_location’ => ‘secondary’, ‘depth’ => 0, ‘fallback_cb’ => ” ) ); ?>
</div>
<?php /* End lower page menu */ ?>

To:

<?php /* Start add our second page menu */ ?>
<div id=”access” role=”navigation”>
<?php wp_nav_menu( array( ‘container_class’ => ‘menu-header’, ‘theme_location’ => ‘secondary’, ‘fallback_cb’ => ” ) ); ?>
</div>
<?php /* End lower page menu */ ?>

Client:

Overview: Produce a 60-80+ page Website for hyper-local news in Placer County that was also easy to edit through the back-end. A lot of functionality was required to cover all of the client’s criteria.

Process: Working with the client, we researched pre-designed “news” WordPress templates from Template Monster that best matched the criteria for the site. Multiple screen-shot instructions for owners to make their own back-end edits.

WordPress customization included:

• Header graphics & custom link placement
• Home page layout edits
• Restaurant listing: searchable & dynamic alpha-numeric display
• Events calendar
• Custom Category templates
• Custom Single-Post templates
• Custom Page templates
• Custom sidebars
• Table-based data layout
• Constant Contact signup integration
• Customized Registration page
• CSS text and link colors
• Social Media links
• Advertising modules
• Contact form
• External menu links
• RSS integration for data display

WordPress plugins used:

• Ad Squares Widget
• Advertising Manager
• Akismet
• All in One Video Pack
• AP Style Dates and Times
• Category Posts Widget
• Contact Form 7
• Current Date & Time Widget
• Custom Post Templates
• Duplicate Post
• Google XML Sitemaps
• Lightbox 2
• Pie Register
• Platinum SEO Pack
• Really Simple CAPTCHA
• Secondary HTML Content
• Sidebar Login
• SimplePie Core
• SimplePie Plugin for WordPress
• Smart Ads
• Smart Youtube
• Sociable for WordPress 3.0
• Social Media Widget
• The Events Calendar
• TinyMCE Advanced
• TweetMeme Retweet Button
• WP-DBManager
• WP-PostRatings
• WP-RSSImport
• WP-Table Reloaded
• WP-Table Reloaded Extensions
• WP125
• WP Category Post List Widget
• WP Security Scan
• WP Super Cache

Software used:

• WordPress
• Photoshop
• Dreamweaver
• Dashcode

Running:
WordPress 3.0.5
NextGEN Gallery, v1.7.4
WP e-Commerce Plugin, v3.7.8
Lightbox 2, v2.9.2

I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well.

If you are a security researcher, we’d appreciate you taking a look over this changeset as well to review our update. We’ve given it a lot of thought and review but since this is so core we want as many brains on it as possible. Thanks to Mauro Gentile and Jon Cave (duck_) who discovered and alerted us to these XSS vulnerabilities first.

Original post: http://wordpress.org/news/2010/12/3-0-4-update/

14 Steps to Installing a WordPress Site with Hacker Protection, Part 1:

NOTE: Although most hosting companies offer automatic WordPress installation, we prefer a manual installation of WordPress, as it gives us more control over the setup.  For those of you who use an installations script provided by your hosting company, you may not be able to apply all of these steps.

Step 1:  Install the latest version of WordPress into a subdirectory, instead of your root.

Giving your WordPress its own directory will not only keep the clutter out of your root directory, if someone does hack into your site, your root directory is protected.

You can find instructions for a manual installation at http://codex.wordpress.org/Installing_WordPress

Some hackers target WordPress sites specifically, when installing WordPress, consider changing the default table prefix from wp_ as an advanced strategy for protecting your site.  If you use the Wp-Security-Scan plugin we mention later, it will also suggest this when evaluating your site for security holes.

Step 2: Change Your Index.php location

Changing your index.php location allows your blog to remain in the root directory, and creates a cleaner url.

Sign in to your wordpress site, and go to Settings, then General and change your “Blog address (URL) to the root url.  For example:  www.mywebsite.com.

Open your FTP client and copy the index.php file to from the subdirectory (where you installed WordPress), into the root directory.

Edit your index.php file to add in the WordPress subdirectory.  For example:

/** Loads the WordPress Environment and Template */
require(‘./subdirectoryname/wp-blog-header.php’);

If you have questions about this, there is link right next to this field that will give you all the details you need to do this right.

Step 3:  Protect Your wp-includes folder

This step is simple, just copy your .htaccess file in to the wp-includes folder.  You may need to set your FTP client to view hidden files in order to see this file.

Step 4:  Protect your wp-admin folder

Upload your .htaccess file into the wp-admin folder

Upload .htpasswd into the root directory

Go to http://www.htaccesstools.com/htpassword-generator/ to create a password.

Edit the .htaccess file to have the proper path to your .htpasswd file.

Step 5:  Upload and activate security plug-ins

Currently, we use the following security plug-ins to protect our site.

Login-Lockdown: this plugin helps prevent “brute-force password discovery” by disabling the login function if a certain number of login attempts and failures are detected from a given IP address.

WP-Db-Backup:  this plugin will backup your core wordpress database and other tables (usually created by the plugins you are using).  You can schedule your backup or issue an “on-demand” backup when needed.

WP-Security-Scan: this plugin will scan your wordpress site for security vulnerabilities (most of which should be fixed by following the steps we have posted here.

Wp-MalWatch:  This plugin scans your site every night for signs of foul-play and will alert you where to go look if it finds a problem.

We are also evaluating WordPress Backup by Blog Traffic Exchange, as it will backup the upload directory, the plugin directory, and the current theme directory.  It is important to note that the database backup plugin we listed only backups databases, and that backing up the theme and images, etc should not be overlooked (see step 11 for more)

14 Steps to Installing a WordPress Site with Hacker Protection, Part 2:

Step 6:  Change your Admin User

“Admin” is the default user that is assigned when installing WordPress.  To change it you must use phpMyAdmin and then update your config.php file.

Step 7: Use a Strong Password

You’ve heard it before, but it must still be said.  Use a strong password, that includes letters, numbers, and even punctuation where appropriate.

Step 8: Choose a supported theme

There are a lot of WordPress themes available that are free, but before you use it make sure you can get help if you need it.  This also is an indicator that the theme will be updated and not become a problem when upgrading to the latest version of WordPress.

Step 9:  Choose Plug-in’s wisely, the fewer the better

WordPress plug-in’s are available by the truckload, but that doesn’t mean you need to use all of them.  The fewer you use, the better.  Plug-ins tend to be more vulnerable to hackers than your WordPress software, so hackers go there to infiltrate and take you down.

Step 10:  Hide your Plugin directory

Anyone can see a list of your plug-ins by going to http://mydomain.com/wp-content/plugin. To hide this folder, just open your text editor, create a blank index.html page, and upload it via FTP into the wp-content/plugin folder.

Step 11: Setup your Backup!

There are two things you need to backup, your database (all your posts and pages) and your design (your theme, layout, etc).

How often you backup is determined by how much you are willing to use. We recommend that you set your auto-backup for as often as you post.  So if you post weekly, backup weekly, etc.

You should also run an “on-demand” database backup prior to upgrading software (both WP and plugins), just in case something breaks.

In addition, plan on using your FTP to download your site periodically – especially before and after you make significant changes to your site structure, theme, etc (this kind of backup does not include your database).

Ask your host how often they backup as well, there have been times that we have been able to go directly to the host and have them restore the entire site from a specific date.  Some guarantee their backup, others do not, so go find out!

If your site is hacked, and you have a recent backup, you can have your site up and running in no-time.

Step 12: Protect Your Files and Folders

Setting proper file and folder permissions can make a big difference.  You may not realize this, but if a file or folder is writable, then it is also considered insecure.  Your host will have its own level of security, so you may want to consult with them.  In general, we use the following file permissions

• Directories permissions of 755
• All files should have permissions of 644
• Theme files 666 (if you want to use the built-in editor)

Occasionally a plug-in will require something else to function.  You can review that on a case by case level.

The simplest way to change these permission is to use your FTP client, like Filezilla.

Step 13: Change to “No Indexes”

Most people don’t realize this, but anyone interested can browse your directory and see all the files and folders you have, unless you change your index manager to “No Indexes.”  If you don’t see it, then contact your Host support.

You can also make changes to your .htaccess file.  This is a sensitive file, so make sure you download it completely off your site, make a copy, and then make the changes.

For more information on directory browsing and how to change your .htaccessfile, go read this article at “The Internet Patrol”.

http://www.dialme.com/m/articles/view/How-to-turn-off-directory-folder-browsing.

Step 14:  Keep Your Software Current!

If you don’t upgrade your site to the most recent version, it is vulnerable.  It really is that simple.  If you can only do one thing to protect your site, upgrading your WordPress and WordPress plug-in software should be it.

Some web developers are concerned about upgrading to a new version without testing it with the current sites functionality.  This is a valid concern, but it shouldn’t keep you from waiting too long to upgrade.  We have had very few problems doing immediate updates, but it is not impossible.

However, if you have a very sophisticated site, then I definitely recommend setting up a test site.  Upload your current site into a test site, and simulate the version updates to ensure everything is going to work smoothly.

If you have a good Virtual Assistant, or Virtual Programmer, they can do the testing for you.  Incremental testing is the best approach.  That means you update one thing at a time so if something breaks you can tell what triggered it.

Regardless of whether you do a live update, or test the software first, you should do a complete backup.  This will give you peace of mind and save you from potential headaches that could come up.

Summary

Although, following these steps does not guarantee that your site will never be hacked, if you follow them it will strengthen your WordPress site security and reduce the risks.

Since applying these steps to our WordPress sites at the end of 2009, we haven’t had to repair any sites due to malicious attacks.

Some of the Resources Reviewed for this

http://www.noupe.com/how-tos/wordpress-security-tips-and-hacks.html
http://www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/
http://blogbuildingu.com/wordpress/wordpress-security
http://how-to-blog.tv/security/wp-malwatch/
http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked

I’m going to say this one more time (that’s a lie, considering how stupid people have been at this, I’m probably gonna repeat it over and over again): when you sell links, nofollow them. If you don’t, you run the risk of being banned. If you knowingly run that risk, don’t be stupid and don’t get yourself caught. How you get caught? Well… Allow me to elaborate a bit:

Read the full post: Selling links? Don’t be Stupid!

Google and most other search engines use links to determine reputation. A site’s ranking in Google search results is partly based on analysis of those sites that link to it. Link-based analysis is an extremely useful way of measuring a site’s value, and has greatly improved the quality of web search. Both the quantity and, more importantly, the quality of links count towards this rating.

However, some SEOs and webmasters engage in the practice of buying and selling links that pass PageRank, disregarding the quality of the links, the sources, and the long-term impact it will have on their sites. Buying or selling links that pass PageRank is in violation of Google’s Webmaster Guidelines and can negatively impact a site’s ranking in search results.

Not all paid links violate our guidelines. Buying and selling links is a normal part of the economy of the web when done for advertising purposes, and not for manipulation of search results. Links purchased for advertising should be designated as such. This can be done in several ways, such as:

• Adding a rel=”nofollow” attribute to the <a> tag
• Redirecting the links to an intermediate page that is blocked from search engines with a robots.txt file

Google works hard to ensure that it fully discounts links intended to manipulate search engine results, such excessive link exchanges and purchased links that pass PageRank. If you see a site that is buying or selling links that pass PageRank, let us know. We’ll use your information to improve our algorithmic detection of such links.

http://www.google.com/support/webmasters/bin/answer.py?answer=66736