Tag Archives: security

Are AdRotate Free and AdRotate Pro GDPR compatible?

TL;DR

Yes, both AdRotate Pro and AdRotate Free are compatible with GDPR.
Just make sure you inform your audience what you’re doing and what’s going to happen when they access your website.

What GDPR is all about

GDPR stands for General Data Protection Regulation, which is forced onto the world by the lovely governance of the European Union.

These regulations have been years in the making and started years ago with the dreaded Cookie Regulations. Now they’ve taken it a few steps further to include any data that may be personally identifiable in a similar scheme.

In short, GDPR is yet another useless attempt to control data and seemingly protect the user.

How does AdRotate fit into this

People visiting your website will leave a trace. That trace is at the very least an IP address, but often involves a user account or some kind of record. Often cookies are thrown at visitors. There is session data. Servers collect logs that contain all kinds of information about visitors.

Here are 3 things AdRotate does with user data:

1. IP Addresses

AdRotate (Pro) stores IP addresses for up to 24 hours to track impressions and clicks. If the plugin is working properly this data is removed after 24 hours; the cleanup is governed by wp-cron. These records are not easily accessible by end-users, and website administrators also have no direct access to this data.

If you don’t want AdRotate (Pro) to store IP addresses at all, turn off stats or use a 3rd party tracker such as Google Analytics or Piwik Analytics.

If you do not want to share the IP address with a 3rd party either, you should turn off Statistics.

2. Geo Targeting

If you use Geo Targeting each visitor will get a cookie that lasts up to a week, depending on your settings.
This cookie stores the approximate location of the visitor. This data is not stored on the server, but the visitor’s IP address is sent to a Geo Lookup service.

Currently AdRotate Pro supports the following Geo Targeting services: AdRotate Geo (my own lookup service), MaxMind and ipstack.
If you use Cloudflare you can get the visitor’s country via that as well.

All services use the visitor’s IP address to get the location information.

Do these services store the IP address? AdRotate Geo does NOT store the IP address. As for the others, I do not know.
Check their Terms of Service, or email their support staff to find out.

If you do not want to share the IP address with a 3rd party, you should turn off Geo Targeting.

3. Statistics

As mentioned before, AdRotate (Pro) stores the visitor’s IP address for a limited time. Other than that, statistics are anonymous and just dumb numbers.

So there you have it, both AdRotate Pro and AdRotate Free are compatible with GDPR.

Why GDPR is pointless

While the intentions of GDPR may be good, it won’t work as long as free-service businesses such as Facebook, Google and the like make it a business to sell your data. You are their product. Your data is their product.

Earlier this week I was presented with a load of convoluted questions and settings updates on Facebook, trying to convince me that personal data gathering is a good thing. They showcased it under the guise of security and defrauding accounts. It helps against spam and fake news and more such nonsense. And to make it more appealing to me, they offered some other benefits like auto tagging and checking in if I let them store my data and track my movements.

The little survey they forced me to click through implied consent and I ended up clicking “yes” and “agree” a bunch of times because I don’t want my account impeded or limited if I don’t agree. No matter my decision, they’ll get what they want anyway.

Google sent out similar notifications a few weeks ago, simply telling me what is going to happen, offering a security audit and an easy way to some new settings to review, but really I had no say in the matter at all.

Thus, two of the largest companies in the world that these regulations are meant for are already covering themselves with recorded evidence of consent, rendering the regulations mostly useless. I imagine most people won’t even read or care about these settings and (unknowingly) give consent.

Most people are stupid that way.

AdRotate Pro Nulled

A “nulled” piece of software is a hacked and modified version of that software, made suitable for use without a license. Using it is illegal and there are some big risks in using such software.

You are looking to save a few bucks, at great cost

You are looking for ways to run your website the cheapest way possible. Often that results in cheap hosting and using free software and plugins. Some even go as far as using nulled or hacked versions of paid plugins.

As with lots of paid plugins, there is a nulled version of AdRotate for WordPress floating around. This, “fortunately”, is an older version of AdRotate Pro. Therefore it lacks newer features and has some bugs that have been fixed since.

As far as I can tell the nulled version of AdRotate Pro has a backdoor kind-of-thing built in which has your website enter a botnet.

Obviously that means that when you use this kind of software you are taking huge risks. Being a cheap ass will cost you revenue this time around.

Risks when using nulled software:

  • Unknown advertisers
    Your website may show adverts controlled by a hacker group, for which you do NOT get revenue.
  • Backlinks to other illegal or dangerous websites
    Backlinks are considered very important for SEO. Hackers can put links from your blog to low-ranking sites.
  • Destruction of your blog
    Nulled scripts sometimes send your username and password information out to hackers.
  • Legal action by theme and plugin developers
    Software development companies could take action against you.
  • Search engines such as Google and Bing may derank your website
    Search engines hate illegal activities. Your site may be ranked lower or, worse, be removed completely.
  • Your web host may suspend your hosting
    Spotting a threat on your website, your hosting provider may decide to take your site offline.
  • Viruses and botnets
    Your site, using your own software such as WordPress, may become part of a botnet to do all kinds of bad stuff.

All of the above will cost you a lot of time, stress and oftentimes money.

What if you can not afford to buy premium software?

Running a website costs money. Those costs can add up, I know. With AdRotate for WordPress you can start earning money without using an illegal version. You can use our free plugin available in the WordPress directory.
Download AdRotate for WordPress for Free here »

However, AdRotate Pro is one of the cheapest ways to monetize your website. The moment you install it and have some campaigns active on your website, you start earning money.

AdRotate Pro works with a license key, but unlike some other plugins there is no subscription or yearly renewal. This makes AdRotate Pro the cheapest ad-plugin for WordPress.

What does the license key do?

With AdRotate Pro you get free updates for life, straight to your dashboard. Updates often include new features or improvements to current features.

The license key also unlocks AdRotate Geo, a Geo Targeting service exclusively for AdRotate Pro users. This allows you to target your advertisers in specific countries or cities all over the world, making one campaign in 6 or more languages very easy to manage.

And, equally important, the license key unlocks the support form, a contact form in your dashboard that allows you to directly contact Arnan, the developer of AdRotate Pro. You’ll usually get a reply within 1 business day, often with a solution.

When you use an illegal version of AdRotate Pro, you’re missing out!

Do you have comments or questions about this article? Feel free to comment!

Are you already using AdRotate (Pro)? Please visit the support forum and the AdRotate manuals.

6 ways to a faster and safer WordPress

Having a WordPress website is often great, but it also makes you vulnerable to all kinds of attacks and mischief – or maybe not vulnerable, but it invites many wrongdoers to try and attack you. You’re an easy target. Let’s make it a bit less easy for them, without using plugins!

Recently I’ve been plagued on another website by slowness, the occasional downtime and other annoying stuff. Paying more attention to usage stats and the error_log, it turns out there was a bunch of stuff going on. A few IP addresses constantly tried something with wp-login.php, and some other pages and files were being loaded over and over again for no apparent reason.

Another issue was the RSS feed WordPress generates. Sure, it works fine. But if you get 10000 or more requests on it per hour, that’ll slow things down too, sometimes.

So I did some research and came up with a few things to try and prevent this kind of behavior. Of course it’s no use blocking IP addresses, but you can prevent access to things or, if they do access those things, lessen the load on your server a great deal.
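As an added example (not from the original post), here is a small Python script that looks for the two access-log patterns described above: a few IP addresses hammering wp-login.php, and a flood of requests for the feed. It reads Apache "combined" log lines; the sample lines, IP addresses and timestamps are constructed for the example.

```python
"""Look for the two access-log patterns described above: a few IP addresses
hammering wp-login.php, and a flood of requests for the RSS feed. Works on
Apache "combined" log lines; the sample below is constructed for the example."""
import re
from collections import Counter
from datetime import datetime

# combined format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample; the IPs are documentation ranges, not real visitors.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2018:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2018:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2018:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.22 - - [03/May/2018:10:02:10 +0000] "GET /feed/ HTTP/1.1" 200 9870 "-" "FeedFetcher"
198.51.100.22 - - [03/May/2018:10:02:11 +0000] "GET /feed/ HTTP/1.1" 200 9870 "-" "FeedFetcher"
198.51.100.23 - - [03/May/2018:11:15:00 +0000] "GET /feed/comments/ HTTP/1.1" 200 5120 "-" "FeedFetcher"
192.0.2.5 - - [03/May/2018:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "http://www.YOURDOMAIN.com/" "Mozilla/5.0"
192.0.2.9 - - [03/May/2018:10:06:00 +0000] "GET /2018/05/hello/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """One combined-log line -> dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore the query string
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def login_hammerers(records, threshold=3):
    """IPs that hit wp-login.php at least `threshold` times -> {ip: count}."""
    hits = Counter(r["ip"] for r in records if r["path"].endswith("/wp-login.php"))
    return {ip: n for ip, n in hits.items() if n >= threshold}


def feed_requests_per_hour(records):
    """Requests for any feed URL, bucketed per hour -> {"YYYY-MM-DD HH": count}."""
    hours = Counter(r["time"].strftime("%Y-%m-%d %H")
                    for r in records if r["path"].startswith("/feed"))
    return dict(hours)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("wp-login.php hammerers:", login_hammerers(recs))
    print("feed requests per hour:", feed_requests_per_hour(recs))
```

On a real server, feed the contents of access_log to parse_log and raise the threshold to whatever is normal for your site.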

Note: In this article we’ll edit a few files essential to your WordPress site, namely the .htaccess file and wp-config.php. Doing this wrong will cause your site to malfunction in one way or another, so be sure you make a backup of these files before doing anything.

If you’re not comfortable editing such files, or you’re not sure how any of this works, ask someone to help you!

.htaccess file

The .htaccess file is not a WordPress file, but an important file nonetheless. It allows you to manipulate the server configuration without actually changing the server. This file allows for advanced control over who accesses what and in which way. This file is therefore very important to your website and server.

wp-config.php file

This is the main configuration file for WordPress. Without it, WordPress doesn’t know what WordPress is. Your login details for the database are in here, as well as the security salts, and you can manipulate advanced settings and variables here.

Here are 6 ways to keep your WordPress website safer and faster without using plugins, because plugins slow your site down as well.

1. Protect your dashboard

Because WordPress is so visible there is a high chance you experience this too: people trying to log in to your site. The occasional dumbass trying a common password on the Admin account is no big deal, but bots and botnets trying this all day long, hundreds of times per hour, IS a problem.

So to counter this I have found and optimised these access rules to not only hide the real login URL, but also require a semi-secret hash to get in.
I’ve placed these in my .htaccess file, right above the ones from WordPress.

RewriteEngine On
RewriteBase /

# Bruteforce Protection
# Friendly URLs for logging in, logging out and the dashboard. The /?$ anchors
# make sure only /signin, /signout and /admin match, not every URL that merely
# starts with those words.
RewriteRule ^signin/?$ wp-login.php?stealth_in=12345&redirect_to=http://www.YOURDOMAIN.com/wp-admin/ [R,L]
# WordPress validates the logout nonce; with a fixed value you land on its
# logout confirmation page rather than being logged out immediately.
RewriteRule ^signout/?$ wp-login.php?action=logout&_wpnonce=a3d57642ab&stealth_out=67890 [L]
RewriteRule ^admin/?$ wp-admin/?stealth_admin=45678 [R,L]
# Block wp-login.php unless the Referer is one of our own pages, or the query
# string starts with one of the secret tokens. All conditions must hold (AND).
RewriteCond %{HTTP_REFERER} !^http://www.YOURDOMAIN.com/signin
RewriteCond %{HTTP_REFERER} !^http://www.YOURDOMAIN.com/wp-login\.php
RewriteCond %{HTTP_REFERER} !^http://www.YOURDOMAIN.com/admin
RewriteCond %{HTTP_REFERER} !^http://www.YOURDOMAIN.com/wp-admin
RewriteCond %{QUERY_STRING} !^stealth_in=12345
RewriteCond %{QUERY_STRING} !^stealth_out=67890
RewriteCond %{QUERY_STRING} !^stealth_admin=45678
RewriteRule ^wp-login\.php - [R=403,NC,L]

# After logging out, send the visitor to the homepage instead of the login form
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule ^wp-login\.php http://www.YOURDOMAIN.com [L]

# Block wp-cron.php unless the secret token is present (see Item 6)
RewriteCond %{QUERY_STRING} !^stealth_cron=87654
RewriteRule ^wp-cron\.php - [R=403,NC,L]

Basically what this does is block anyone (including you) from the login page with a 403 Permission Denied error, unless you use the new URL.

To log in: http://www.YOURDOMAIN.com/signin
To log out: http://www.YOURDOMAIN.com/signout
Dashboard: http://www.YOURDOMAIN.com/admin

Of course, you should change the simple numeric codes (12345, 67890, etc.) to something more unique and advanced, too. Anything alphanumeric works, as long as it’s hard to guess, similar to passwords.

On top of this I have blocked ordinary wp-cron.php access, so nobody can flood your site with requests to it, which may overload your database. This may break the actual wp-cron from working, but we’ll fix that in Item 6 on this page.

To use cron: http://www.YOURDOMAIN.com/wp-cron.php?stealth_cron=87654

Without the stealth_cron parameter, it just won’t work anymore.

Why is this useful? Because even if nobody can log in or use cron, WordPress is still loading, using up a ton of resources. Now you block access BEFORE WordPress gets loaded, so fewer resources are used.
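As an added example (not code from the post), here is a small Python model of the rules above that shows which requests reach WordPress and which get the 403. It uses the placeholder domain and numeric tokens from the snippet; the doing_wp_cron timestamp is a constructed sample value.

```python
"""A model of the bruteforce-protection rules above: which requests reach
WordPress and which get the 403. It mirrors only these rules, where every
RewriteCond is negated and ANDed and every pattern is anchored with ^."""

DOMAIN = "http://www.YOURDOMAIN.com"   # placeholder domain, as on the page
STEALTH_IN, STEALTH_OUT, STEALTH_ADMIN, STEALTH_CRON = "12345", "67890", "45678", "87654"

# A Referer starting with one of these lets a request through to wp-login.php.
REFERER_PREFIXES = tuple(f"{DOMAIN}/{p}"
                         for p in ("signin", "wp-login.php", "admin", "wp-admin"))
# Alternatively the query string must *start* with one of these tokens.
LOGIN_TOKENS = (f"stealth_in={STEALTH_IN}", f"stealth_out={STEALTH_OUT}",
                f"stealth_admin={STEALTH_ADMIN}")


def decide(path, query="", referer=""):
    """Outcome for one request: 403 or "pass". `path` is relative to the
    .htaccess directory, as mod_rewrite sees it (no leading slash)."""
    p = path.lower()                   # [NC] on both 403 rules
    if p.startswith("wp-login.php"):
        # The 403 fires only when none of the negated conditions is satisfied.
        if referer.startswith(REFERER_PREFIXES) or query.startswith(LOGIN_TOKENS):
            return "pass"
        return 403
    if p.startswith("wp-cron.php"):
        return "pass" if query.startswith(f"stealth_cron={STEALTH_CRON}") else 403
    return "pass"                      # other files are untouched by this block


def walk_through():
    """Typical requests and what the rules do with them."""
    login = f"{DOMAIN}/wp-login.php"
    return {
        # Browser follows the /signin redirect; the token leads the query -> allowed.
        "signin redirect": decide("wp-login.php", f"stealth_in={STEALTH_IN}&redirect_to={DOMAIN}/wp-admin/"),
        # The login form POSTs back with a same-origin Referer -> allowed.
        # A browser or proxy that strips Referer would get a 403 on this POST.
        "login form POST": decide("wp-login.php", "", f"{login}?stealth_in={STEALTH_IN}"),
        # Same token, but not first in the query: ^stealth_in does not match -> blocked.
        "token not first": decide("wp-login.php", f"redirect_to={DOMAIN}/wp-admin/&stealth_in={STEALTH_IN}"),
        # A bot posting straight at wp-login.php without Referer -> blocked before WP loads.
        "bot POST": decide("wp-login.php"),
        # WordPress's own cron spawn requests ?doing_wp_cron=<timestamp> -> blocked (hence Item 6).
        "wp-cron self-spawn": decide("wp-cron.php", "doing_wp_cron=1525337000.1234"),
        # The scheduled job from Item 6 carries the secret -> allowed.
        "real cron": decide("wp-cron.php", f"stealth_cron={STEALTH_CRON}"),
        "unrelated page": decide("2018/05/hello-world/"),
    }


if __name__ == "__main__":
    for name, outcome in walk_through().items():
        print(f"{name:20} -> {outcome}")
```

The "token not first" case is the one to remember when you bookmark or script the login URL: the secret has to be the first parameter.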

2. Redirect RSS feeds

Having a lot of readers is great; having a lot of requests to your RSS feeds is not so great. Especially in WordPress, which doesn’t generate a feed file but generates a dynamic thing every time you load the URL. While not super bad, it means that instead of just loading a file, WordPress has to process the request and compile the same thing over and over again from the database. A lot of resources are wasted that way – resources better used to serve content to actual visitors.

My plugins all ping my RSS feeds from the dashboard. This gives me great exposure for new posts. But it also causes a lot of strain on my site’s resources; with tens of thousands of plugin users this amounts to /feed/ being one of the busiest things on my website.

I’ve redirected the bulk of that to Google Feedburner. But what about people who don’t know about Feedburner and just enter www.YOURDOMAIN.com/feed/? Simple, redirect them too.

I’ve entered this right below the Bruteforce rules from Item 1, but still above the WordPress bit in my .htaccess file.

# RSS feeds
RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/YOURFEED [R=302,NC,L]

This redirects anything but Feedburner (and the feed validator) to Feedburner, so Feedburner can grab the new content. But actual subscribers and readers are now forced to use Feedburner.

Simple and effective.

3. Use Browser caching

When you visit a site, part of it is downloaded and stored locally on your computer, to be deleted after you leave the site. From your server you can ask the browser to keep certain files for a longer period of time, for example common scripts or images, because they don’t change anyway. This saves bandwidth and requests on your server, making your site load faster but also reducing server load to some extent.

I’ve added these rules to my .htaccess file, above all the Rewrite rules from Items 1 and 2, so right at the top of the file.

# Use UTF-8 encoding for anything served text/plain or text/html
AddDefaultCharset UTF-8
AddCharset UTF-8 .atom .css .js .json .rss .vtt .xml

# FileETag None is not enough for every server.
Header unset ETag
FileETag None

# Send CORS headers if browsers request them; enabled by default for images.
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS

# Allow access to web fonts from all domains. Limited to font files here; an
# unconditional "Header set" would put this CORS header on every response.
<FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
Header unset Pragma
Header append Cache-Control "public"
Header unset Last-Modified

# Cache Control
ExpiresActive on
ExpiresDefault "access plus 1 month"
# cache.appcache needs re-requests in FF 3.6
ExpiresByType text/cache-manifest "access plus 0 seconds"
# Your document html
ExpiresByType text/html "access plus 0 seconds"
# Data
ExpiresByType text/xml "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType application/json "access plus 0 seconds"
# Feed
ExpiresByType application/rss+xml "access plus 1 hour"
ExpiresByType application/atom+xml "access plus 1 hour"
# Favicon (cannot be renamed)
ExpiresByType image/x-icon "access plus 1 week"
# Media: images, video, audio
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
# HTC files (css3pie)
ExpiresByType text/x-component "access plus 1 month"
# Webfonts
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType application/x-font-woff "access plus 1 month"
ExpiresByType application/x-font-woff2 "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
# CSS and JavaScript
ExpiresByType text/css "access plus 1 year"
ExpiresByType application/javascript "access plus 1 year"

# Add correct content-type for fonts
AddType application/vnd.ms-fontobject .eot
AddType font/ttf .ttf
AddType font/otf .otf
AddType font/x-woff .woff
AddType image/svg+xml .svg
# Add a far future Expires header for fonts
ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
ExpiresByType font/ttf "access plus 1 year"
ExpiresByType font/otf "access plus 1 year"
ExpiresByType font/x-woff "access plus 1 year"
ExpiresByType image/svg+xml "access plus 1 year"

4. Gzip Compression

Gzip compression compresses the contents of your site when it’s sent to the browser. This reduces bandwidth and makes your site appear faster. Most modern browsers support this these days and most servers do, too.

I’ve added this to the .htaccess file right below the Browser Caching stuff of the previous item.

# Gzip compression
SetOutputFilter DEFLATE
# Force deflate for mangled headers
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
# Don’t compress images and other uncompressible content
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png|rar|zip|exe|flv|mov|wma|mp3|avi|swf|mp?g|mp4|webm|webp)$ no-gzip dont-vary

# Compress all output labeled with one of the following MIME-types
AddOutputFilterByType DEFLATE application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/html text/plain text/x-component text/xml
Header append Vary Accept-Encoding
# Compress compressible fonts
AddOutputFilterByType DEFLATE font/ttf font/otf image/svg+xml

5. Increase the memory limit

Giving WordPress a little more wiggle room can be a good thing. Many hosting providers limit websites to 64MB of RAM or something similar. Sometimes you can configure this in your hosting dashboard (cPanel, Plesk or whatever); often you can not. That doesn’t mean you can’t change the memory limit.

In your wp-config.php, around line 52 (below the salts), I’ve added this line:

define('WP_MEMORY_LIMIT', '192M');

This ups the memory to 192MB. Similar to PC memory, this lets PHP do more stuff at the same time and work a little faster. This is more useful for larger sites, such as this one, for sites with many plugins, or if you use large plugins such as WooCommerce. For a basic, low-traffic blog you probably won’t notice a difference.

Note: Increasing memory is fine, but only if you need it. Upping the limit because your site is an unoptimized pile of junk code is not a valid reason, of course.

6. Disable WP-Cron

WP-Cron is the system WordPress uses to deal with background tasks. Plugins and themes can use this for all kinds of stuff. My AdRotate plugin, for example, cleans up stats with it, and my Analytics Spam Blocker plugin downloads new blocklists using wp-cron.

That’s all fine and useful, but does it need to run on every page load? Probably not. However, that’s how wp-cron works: every time someone accesses your website, wp-cron is triggered and checks if there’s something to do in the background.

In wp-config.php, right below the salts where we added the memory limit in Item 5, I’ve added this:

define('DISABLE_WP_CRON', 1);

This disables wp-cron. Removing the line, or changing the 1 to 0, enables it again.

To schedule a real cron job you’ll have to log in to your hosting dashboard and schedule one there. Sometimes this is called simply ‘Scheduled tasks’, sometimes it’s called ‘Tasks’ or just ‘Cron Jobs’.

Schedule the job for whatever interval you want. This can be every minute to every hour, or even daily or weekly. It’s up to you really. I have mine set to every 15 minutes.

And for the command, you simply call: http://www.YOURDOMAIN.com/wp-cron.php.
If you use the Brute force protection from Item 1 you should add the secret key like so: http://www.YOURDOMAIN.com/wp-cron.php?stealth_cron=87654
(of course with the right secret key).