Matt Cutts: Gadgets, Google, and SEO

Earlier this month I went away for a week. Two big things broke while I was gone:

• WordPress had a hole that could expose drafts of posts
• Our home had a power outage, which caused serious issues with my network attached storage (NAS) box.

In each case, software or hardware that I maintain went badly off the rails. I try pretty hard to lock down my WordPress. I protect my /wp-admin/ so that only certain IP addresses can access that directory. But this was a weird vulnerability. If I had hosted my blog with WordPress as a web service, I wouldn’t have had to patch things up myself. And I’m pretty sure that at least a few of my draft blog posts leaked to folks who exploited the security hole on my blog.

My NAS box was even more painful. I have a Buffalo TeraStation, and it’s worked well for over a year. But they don’t always cope well with power outages. And the version that I have required me to undo 22 screws to replace the bad hard drive. Then I had to wait for five nervous hours to see whether the NAS could repair my RAID array. No data was lost, but suffice it to say that I’ve got much better backups now, plus an uninterruptible power supply (UPS) as well. Again, if I had storage somewhere in the cloud, it would probably be more reliable than my ham-handed attempts at backing up my data.

So there you go: I went on vacation for a week and came back to two scary reminders why hosted services and storing data “in the cloud” (on someone else’s servers) can be better than doing it yourself. In general, a well-run cloud service is going to be much more reliable than any average person would be.

Here are three easy but important ways to protect yourself if you run a WordPress blog:

1. Secure your /wp-admin/ directory. What I’ve done is lock down /wp-admin/ so that only certain IP addresses can access that directory. I use an .htaccess file, which you can place directly at /wp-admin/.htaccess . This is what mine looks like:
   

   AuthUserFile /dev/null
   AuthGroupFile /dev/null
   AuthName “Access Control”
   AuthType Basic
   order deny,allow
   deny from all
   # whitelist home IP address
   allow from 64.233.169.99
   # whitelist work IP address
   allow from 69.147.114.210
   allow from 199.239.136.200
   # IP while in Kentucky; delete when back
   allow from 128.163.2.27

   I’ve changed the IP addresses, but otherwise that’s what I use. This file says that the IP address 64.233.169.99 (and the other IP addresses that I’ve whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. Has this saved me from being hacked before? Yes.

2. Make an empty wp-content/plugins/index.html file. Otherwise you leak information on which plug-ins you run. If someone wanted to hack your blog, they might be able to do it by discovering that you run an out-of-date plugin on your blog and then they could exploit that.
3. Subscribe to the WordPress Development blog at http://wordpress.org/development/feed/ . When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you don’t upgrade.

And here’s a bonus tip: in the header.php file for your theme, you might want to check for a line like

<meta name=”generator” content=”WordPress <?php bloginfo(’version’); ?>” /> <!-– leave this for stats please -->


I’d just go ahead and delete that line or at least the bloginfo(’version’). If you’re running an older version of WordPress, anyone can view source to see what attacks might work against your blog.

Hat tip to Reuben Yau and Shoe.

Update: In the comments, Joshua Slive pointed out that the .htaccess file shouldn’t have a <LIMIT GET> around the IP addresses. That would have allowed IP addresses to POST, for example. Joshua, thanks for the pointer to the Apache docs on this point.

I’ve got some pent-up techie/gadget blogging in me, and I know that not everyone wants to read that. I’ve mentioned before how to get just my Google/SEO posts, but I’ll repeat in case you didn’t see it the first time.

The short answer is to subscribe to

http://www.mattcutts.com/blog/type/googleseo/feed/

instead of my main blog feed at

http://www.mattcutts.com/blog/feed/

This trick works with any category, so you could (for example) subscribe to my Movies/Videos category by clicking on the “Movies/Videos” category over on the right-hand side of my blog and then adding “feed” to get http://www.mattcutts.com/blog/type/movies/feed/ . (This trick works with lots of WordPress blogs, by the way. Ain’t WordPress great?)

Now that you know how to get only the SEO/Google posts, I refuse to be guilt-tripped about doing some non-SEO posts, especially when my top-two traffic posts in 2007 were geek/Linux/iPhone posts instead of SEO posts.

Suppose you want to include a child iframe on your page. You’d like to resize the height of the child iframe so that it doesn’t show a scrollbar. That is, you want something that looks like this:

Here’s one way you can do it. First, make the iframe that you want to include. I made a file “child-frame.html” that looks like this:

<html>
<head> <title>Child frame</title> </head>
<body bgcolor=”#000000″>

<font color=”#ffffff”>
<p>Child frame.</p>
<p>Child frame.</p>
<p>Child frame.</p>
<p>Child frame.</p>
<p>Child frame.</p>
<p>Child frame.</p>
<p>Child frame.</p>
<p>Child frame.</p>
</font>

</body>
</html>

Now in the parent frame, you can make code like this:

<html>
<head> <title>Parent frame</title> </head>

<body onload=”resizeFrame(document.getElementById(’childframe’))” bgcolor=”#cccccc”>

<script type=”text/javascript”>
// Firefox worked fine. Internet Explorer shows scrollbar because of frameborder
function resizeFrame(f) {
f.style.height = f.contentWindow.document.body.scrollHeight + “px”;
}
</script>

<p>Parent frame.</p>
<p>Parent frame.</p>
<p>Parent frame.</p>
<p>Parent frame.</p>

<p>
<iframe frameborder=0 border=0 src=”./child-frame.html” name=”childframe” id=”childframe”>
</iframe>
</p>

</body>
</html>

You can also see a live example of resizing an iframe height dynamically.

What does this code do? When the body of the parent frame loads, it looks up the document element “childframe” which corresponds to the iframe. Then the page calls a function resizeFrame(). The function sets the height of the frame to be the scrollHeight, which effectively removes the scrollbar.

The only tricky bit is the “frameborder=0 border=0″ attributes on the frame. If you leave off the frameborder attribute, Internet Explorer will assume that the frame should have a nonzero border, but it won’t include the frame border in the value it returns for scrollHeight. The net effect is that IE will show a scrollbar unless you add “frameborder=0″.

It always annoys me to dive into cross-browser development when it feels like things should be standardized. Looks like it annoys other people too.

Anyway, feel free to rip on my code in the comments, but I was looking for a simple, working example of setting an iframe’s height so that the iframe wouldn’t have a scrollbar.

Time to post my stats from 2007. I did a similar stats post last year. In 2006, I had 1.7M visits and about 2.9M pageviews. In 2007, I had about 2.3M visits and 4.8M pageviews:

My top five posts in terms of traffic were:

• http://www.mattcutts.com/blog/unboxing-the-everex-200-linux-computer/
• http://www.mattcutts.com/blog/hack-your-iphone-install-applications-with-installerapp-and-apptapp/
• http://www.mattcutts.com/blog/five-things-you-didnt-know-about-googles-search/
• http://www.mattcutts.com/blog/how-to-report-paid-links/
• http://www.mattcutts.com/blog/seo-advice-url-canonicalization/

My RSS subscriber stats look like this:

What else can I easily check as far as stats? I’ve done 580 posts since I started my blog with 38,990 comments, or about 67 comments per post, on average. Oh, and my browser breakdown in 2007 was 48% Firefox and 44% Internet Explorer.