Recently it has come to my attention that there are some serious security issues with the default RSS to Blog installations.
In my manual I recommend that everyone name the folder RSS2B3. This common folder name is part of
the security issue.
When your RSS to Blog installation becomes indexed in the search engines it is very easy to find and hack into it even without the password.
One of my customers pointed out to me exactly what hackers are doing when they find RSS to Blog folders. He made a very interesting set of videos that shows step by step how this happens and how to protect yourself.
Here is what I learned by watching his videos …
Anyone who finds your RSS to Blog folder can simply look at the 'settings.php' file or the 'settings' folder from the browser and see all of your blog settings.
If you go to your installation right now and type in http://domain.com/RSS2B3/settings.php
Or http://rsstoblog.com/RSS2B3/settings/
You will see all of your blog settings, URLs and even passwords. Anyone who can see that file can use that info to log into all of your blogs and do whatever they want. That possibility makes it very important that you update and add the .htaccess file to your folders immediately.
There is a simple way to prevent this. And I am going to explain how.
The first step is to make sure your RSS to Blog folder does not get indexed. Don't link to your installation from forums, or anywhere public.
If you have the RSS to Blog installation on a domain that does not have a front page this is a problem. You should always add an index page to every domain, even if you are only using the domain to host the software. It is not very uncommon for a domain to get indexed even if you never submitted the domain to the search engines. If you do not have an index page on that domain, then every folder on that domain is visible to the world.
The next step is to make your installation harder to find. Name your RSS to Blog folder something other than RSS2B3 or RSS2B or RSS.
You can rename your folder at any time; it will not affect your files, but you will need to change the path in your cron jobs if you choose to rename the folder.
The next step is to use something called an .htaccess file on your server. In this file you can add code that will block people from seeing your settings.php file or the contents of your folders.
I am including a link to a small update that includes the .htaccess file you need for your installations. Download and install it today.
If you need help further understanding anything I wrote here, the customer who told me about this (Eric Grigsby) actually created a set of videos that I thought were very good. They explain exactly how the security flaw was discovered and how to install the .htaccess file in your folder and test it.
If you need to, you can watch Eric's great videos.
If you purchased RSS to Blog in the last few days the security patch has already been put in the package for you. So you do not need to update.
Everyone else should update immediately.
Michelle Timothy
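As an added example (not the patch Michelle links to or any file from RSS to Blog itself), here is an .htaccess for the root of the installation folder that does what the post calls for: it turns off directory listings and refuses browser requests for settings.php and the settings folder. It assumes Apache 2.4 with mod_rewrite enabled and an AllowOverride setting that permits Options and FileInfo directives; the folder name is whatever you renamed RSS2B3 to.

```apache
# Added example .htaccess for the root of the RSS to Blog folder.
# Assumes Apache 2.4, mod_rewrite loaded, and AllowOverride allowing
# Options and FileInfo (check with your host if a 500 error appears).

# 1. No automatic directory listings: a request for
#    http://domain.com/RSS2B3/settings/ no longer shows the folder contents.
Options -Indexes

# 2. Refuse every HTTP request for settings.php, in this folder and any
#    subfolder. The software still reads the file from disk, so it keeps
#    working; only access from a browser is blocked.
<Files "settings.php">
    Require all denied
</Files>

# 3. Refuse requests into the settings/ folder itself, not just its
#    listing, so the files inside cannot be fetched one by one either.
RewriteEngine On
RewriteRule ^settings(/.*)?$ - [F,L]

# Apache 2.2 servers do not understand "Require"; inside <Files> use
# the older pair instead:
#   Order allow,deny
#   Deny from all
```

After uploading it, repeat the test from the post and request settings.php and settings/ in a browser: both should now return 403 Forbidden instead of your settings.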
I like that Michelle is proactive on the security front. It gives me a little more confidence in the product, RSS to Blog.
Free Cloaking Script
You’re broke as a joke but want to cloak: So what can you do? How about a free cloaking script?
Let’s say you’ve used widgetbaiting or the markov chain to create 30,000 pages of unique content about bacon polenta recipes. Of course, no human surfer wants to read those pages but they are great spider food.
Well if you don’t want to use IP delivery like you’re supposed to, you can use this code to send your surfers to a sell page with text written for human consumption.
Now, this is not some unsneaky java redirect that will get you banned in the Search Engines. If you use this code, you may get banned in some search engines. Rather, it's an error loophole designed for you to exploit:
<img src=nofilehere.gif onerror="window.open('http://seoblackhat.com','_top')">
Just make a page with any kind of spider food / keyword spam that you want on it and then add that line to the page.
When surfers visit the page, they will be sent to “seoblackhat.com” because the requested image file does not exist (therefore there will be an error). The spiders and search engines, on the other hand, will all see the original page.
This free cloaking script is inferior to premium cloaking software for many reasons. If you are scraping content, this method does nothing to help you get past duplicate content filters. This free cloaking code does not protect your code from surfers or your competition. Surfers will briefly see these spider food pages load. They may, in turn, report you to the search engines, who could decide that using this code in the manner described is abusive. So, I would not recommend it for sites that you cannot afford to have banned.
Many high profile sites and Fortune 500 companies use cloaking to send different content to different IP addresses. But they don't use code like this or cheesy redirect scripts; they use sophisticated cloaking software. IP delivery is the safer and preferred way to cloak. Honestly, I've never even heard of someone actually getting banned just for IP cloaking. I know that people do get banned for using crappy JavaScript redirects, but in my opinion, getting banned for IP cloaking is one of the great Black Hat SEO myths; it just doesn't happen.