The Power of PHP, both Good and Evil

Posted on January 18th, 2008 in PHP by Ashish Tagged Frameworks, JavaScript, MySQL, PHP, SEO

Good and Evil of PHP

Generally, clients and developers are using many different programming languages to facilitate the needs of their customers and their applications. These applications include shopping carts, forums, content management system, blogs, and community portals. Over time you can see trends develop and fall in what types of applications are most popular and what languages are used most to write these applications. Some languages are popular for a while by both programmers and end users and then the popularity diminishes leaving only the hardcore developers. One language, however, that still maintains its popularity from end users to developers alike is PHP.

PHP (PHP HyperText Preprocessor) was first released in 1995 however, PHP 3.0, released in 1997, is the first version of PHP which can be considered an ancestor to today’s version. PHP 3.0 offered new features such as the ability to easily connect to different database types, API’s for ease of programming and many tie-ins to other popular functions and applications known as modules or extensions. With PHP 3.0’s object oriented nature, developers were able to easily build applications for the masses. By the end of 1998 PHP was installed on over 10% of the servers on the Internet. The most common version of PHP, PHP 4.0 was released officially in 2000. This version was rewritten from the ground up, building a new and more powerful core that could handle many different functions including sessions, output buffering, and advanced security features, as well as, wider support for web servers. This improvement in the core allowed more powerful, interactive applications to be developed with the ability to port them across numerous web servers. Today PHP is used by millions of sites worldwide due to its ease of use and ability to develop powerful, feature rich applications. According to Netcraft’s April 2006 PHP usage report over 20 million domains on the web use PHP in some form. TIOBE publishes a programming community index in which languages are ranked by developer popularity. This index shows that PHP is 4th in developer popularity, up from 5th place this time last year, so PHP is clearly on the rise, and with PHP5 gaining more support both from developers and end users, it shows no signs of slowing down.

However, there is an ugly side to PHP and its rise over the years. With PHP’s immense popularity and accessibility to inexperienced website owners through pre-built scripts and do-it-yourself auto-installers, it will come as no surprise that PHP coded applications are a favorite target of hackers and script kiddies. It does not help that PHP has regularly had numerous vulnerabilities and exploitable function throughout its life. These vulnerabilities, due to PHP’s popularity, are magnified as the exploitation of them spread like wildfire from one server to the next by automated attacks searching for the vulnerabilities. These vulnerabilities and the resulting attacks have long been a headache for web hosts trying to keep their servers from getting attacked or being hacked. In addition to the vulnerabilities, PHP has functions such as fopen(), include(), and exec() which in and of themselves are great tools for building dynamic applications. However when code is not written properly, a hole in which these functions can be exploited emerges, allowing script kiddies and what would normally be considered other low level attacks to run DOS attacks, PHP Shells, download exploits and execute other malicious code from your server that might otherwise be fairly secure. The wonderful nature and ease of deployment with PHP that does so much good, is the same reason that it’s a common tool for evil. One with malicious intent does not need high level experience or heightened permissions in order to inflict harm upon your systems. So what can you do to protect your servers and possibly you business before it gets hit by an attack?

PHP’s default installation is pretty liberal on what it allows out of the box and could use some tweaking for security. However PHP only really offers the “safe mode” option which essentially locks the PHP installation down and restricts users from using most functions, which is a difficult proposition for shared hosts wanting to allow their clients some flexibility and control of their code. Therefore you have to take a different approach to security. What is seen that the layered security model is much more effective compared to a “fix it all” application that you can buy, and most other methods.

The first thing we recommend is that if you are a developer or coder, make sure the code you write is secure. If you are a messy coder who just codes without thinking about the implications of your code, there are resources out there to help you. The PHP Security Consortium is an international organization of PHP experts that are dedicated to researching and publishing vulnerabilities, how to avoid them and other pertinent articles. For developers, there are other resources out there for you as well that are worth looking into. One of the easiest to use is the Writing Secure PHP Cheat Sheet located at http://www.ilovejackdaniels.com/php/writing-secure-php/ and is a great desk companion for when you are writing code. It takes a down to earth look at many of the coding practices that cause PHP vulnerabilities that have given web hosts and users many headaches. As a developer, you must be mindful of what you are doing and think about the possibility that your code could at some time be compromised. Web hosts and server administrators know they can not anticipate what every client will do with PHP, and for this reason, it is only the first line of defense. However, education and regular updates on writing secure code and new vulnerabilities can go a long way.

Secondly, we recommend securing your system in a layered manner if you can, or use a web host that does. If you are unsure what your current web host does for security you can use this article as a basis of questions for them. The following are steps which can be followed to increase security and stability related to PHP by significantly measurable margins, and has helped reduce PHP security related incidents.

1. If you are not already subscribed, you should subscribe to the Security Focus newsletter. Not only do vulnerabilities for PHP get listed but other vulnerabilities pertaining to your entire server.
2. Regularly visit the PHP Security Consortium Website, it may be primarily for developers however web hosts and server administrators should be aware of many vulnerabilities so you can explain them to your customers. Education in many cases can be the key.
3. Setup a PHP security FAQ for those customers who do their own coding and for those customers who have developers. The Open Web Application Security Project has published a top ten PHP security blunders article which is a good start for a FAQ. (http://www.sklar.com/page/article/owasp-top-ten)
4. Implement a firewall solution. This can be either a software firewall or a hardware firewall. For a software firewall we recommend APF. Use both Cisco PIX hardware firewalls and software for added layering. This step will help out for other general security issues as well. In addition, a firewall is great for blocking sniffers when found as they tend to cause increases in load and resource consumption even if they ultimately do not find a vulnerability on your system. Closing off all unused access points and changing the way you connect to the ones you do use is always a good security idea.
5. Implement an intrusion detection package like BFD which will work with APF software firewall and will automatically block suspect IP’s.
6. Implement Mod Security for your Apache based web servers. Mod_security is a life saver in combating vulnerabilities, especially with the many PHPBB vulnerabilities that have existed in the past. Got Root has many custom rules that you can download and use to help protect the server.
7. In php.ini disable allow_url_fopen and only allow it on a per user basis so that you can control who uses this. Some shared hosting clients may take issue with this, but once the ramifications are explained, the vast majority is supportive. Ultimately, system administrators, clients and users want stability.
8. Restrict access to functions like phpinfo, dl, readfile, and exec.
9. Setup and configure Open BaseDir for your server users.
10. Ensure temporary directories such as /tmp and /var/tmp will not allow execution of scripts that could be created there due to insecure PHP code.
11. Disable register_globals in php.ini. If a customer needs this for their scripts to function it can be enabled on a per account basis.
12. Disable access to binaries on your system. By default, PHP allows an application to access any binary on the system through the system() and exec() functions. In many cases a web host cannot just disable access to these functions without breaking an application or two. However there are creative ways in which a system administrator can limit the binaries which PHP can see, thus reducing the number of binaries allowed to those that the system administrator wants to allow.

With the above steps you should be able to curb many of the most common and some not so common vulnerabilities that web hosts will encounter when customers use PHP scripts. Therefore its recommended that implementing them in your environment will ease frustration and increase security.

A new battlefront is beginning to grow with the spread of PHP5 outside of the development community into the mainstream arena. Although PHP5 is developed to take object oriented programming to the next level, allowing developers to write cleaner, friendlier and more optimized code, this does not mean that applications without holes will always be created. Just as with any new software version, there are going to be new hurdles, holes and problems to overcome. However, you are lucky due to the fact that the php.ini for PHP5 is not greatly changed so many of these processes can be duplicated in PHP5 allowing you to start securing even the newest PHP versions to a more suitable level.

Remember security isn’t something you can just tack on; it’s a team effort involving users, developers, administrators and providers. If it is not integrated into the design of your overall processes and continually looked at, you are seriously increasing your risk of being attacked. That could mean potential disaster for you and your business.

Leave a comment... (0)

What a SEO Professional should know

Posted on January 18th, 2008 in SEO by Ashish Tagged SEO

To be a good SEO you need to know a lot of things and to be a professional SEO you need to know them well.

Let’s just list the things that are considered as a good SEO must know:

HTML

As an SEO, knowing HTML is a must. You need to see and understand how the search engines are reading the source code of the web pages. If you can produce nice web sites in Notepad and type HTML without looking at the keyboard then it’s good enough.

CSS

You don’t need to be a CSS-expert but you need to know all the basics fluently. Tasks can include transforming a JS menu to a CSS menu. Styling heading tags is a daily routine.

Web Design / Web Development

You should be able to produce nice web sites from scratch without help. At least a basic knowledge is needed and you can outsource the design tasks and use CMS‘es for your or your clients sites. To be honest, I myself suck at graphics. That’s the major reason why there are no images on this site. But you don’t really need graphics in your SEO work.

How search engines work

You need to know how search engines rank pages. That’s a simple sentence but you need to observe, study and test until you know and have a good grasp on how it works. It is a plus if you also know the differences between the major search engines in their ranking algorithms.

Keyword Research

You need to know how to find the best keywords by looking at popularity, competitiveness and relevance. This includes working with KEI.

Trust with Google

A basic understanding is required on what the sandbox is (a kind of filter) and is not (penalty for all new sites) and you need to know some basic things on how a site can gain more trust (trusted links etc.).

Knowing and understanding on-page factors

When you review or build a site you should have a checklist to tick off all the on-page factors (perhaps this will help). You should also know which CMSes are the best to use for different purposes.

Ability to write and craft link baits

A good SEO is a also a good writer. If you cannot write you cannot improve a web sites copy, make good guides, articles and other good content which serves as link baits. A good writer can get links much more easily and if you despise writing perhaps you should look for another job.
Basic knowledge of the social networks

With link baits you work with social networks (digg, reddit, furl, del.icio.us, netscape etc.) and you need to know the basics on how they work so that you can use them.

How to redirect pages

There is only one proper way of redirecting a page or site, the 301 redirect. You need to know how to do it in .htaccess, PHP and ASP and when to do it.
Using long-tail

The long-tail of search are all the non-competetive big volume of search queries you will get when using a lot of unique good content properly. You need to understand how this works and properly utilize it.

Handling duplicate content

Part of a SEOs job is removing duplicate content on a site. Any content that shows up same for more than 1 URL should be fixed. This includes the non-www redirect. Example with default WordPress.
Mod_rewrite with .htaccess

This is something you really need to know in order to make those clean nice URLs. A real bonus if you know how to do it on a windows server with IIS (I don’t …).

Link power and how it works (PageRank)

You need to understand such things like how link power flows through a site (so you can make good internal navigations) and how search engines uses links as a voting mechanism and how it works. This includes working with online SEO tools and querying search engines for measurements. You need to know the difference between toolbar PageRank and real PageRank and that PageRank is just one out of 100 factors used in ranking.
Link metrics

For each link there are several factors such as the anchor, link position, link relevance, age, surrounding text, C-class IPs and more. This is also important to understand when you start to build links.

Link Building methods

There are probably over 20 strategies in getting links. I listed some effective ones over here. You need to know them and know how to work with them. As an SEO it should be easy for you to get good links, links are vital for SEO.

Basic knowledge of penalties

To know what factors that can get give penalties or banning in the search engines are very important. If you don’t know these you can make big mistakes, even unintentionally.

Knowledge of and ability to set up backlink generators

As an SEO you need link power in order to power your network of sites, especially if you have many. You should have at least 5 of these running for a big network of 100 sites IMHO.

Understanding the supplemental results and know how to get out

Things like unique title and meta tags, placing big header information at the end of source code with CSS-P, deep links, better internal navigation, removing duplicate content and other factors has to be understood and used to take this action.
Basics of PHP / MySQL

Many sites are written with PHP and using MySQL. You should have a basic knowledge on how it works (in fact I know very little PHP) so that you can adjust existing code for better SEO. PHPMyAdmin can be your best friend when dealing with the database.

Statistics

Your web sites stats are a very important and useful tool, you need to understand how to use it in your SEO.

Competitive Research

You need to know what your competitors are doing, how they get their links and how well optimized their sites are. (this one was added by Lee Beirne in the comment below)

Other things

Google sitemaps, robots.txt and more.

Connections with people

If you are going big and plan to build an empire of own sites and handle a large amount of clients you should have a full list of partners, it will be needed. These includes Web Designers, Content Writers, Link Builders, Programmers, Directory Submitters, Cheap Brokers of PR 6-8 links, buddies that help you in social network sites, SEO Experts that you can ask for advice and more. But before you start to use a partner you need to know and understand the thing he is doing and test them on some of your own sites before using them on “real” work. Make sure to inspect and reject work that is not proper. The ideal is that they do the same thing you could have done but you use them to save time.

Leave a comment... (0)

Essential SEO Tips & Techniques, Best Practises

Posted on January 18th, 2008 in SEO by Ashish Tagged SEO

Small Business SEO Checklist:

The Do’s

1. Commit yourself to the process. SEO isn’t a one-time event. Search engine algorithms change regularly, so the tactics that worked last year may not work this year. SEO requires a long-term outlook and commitment.

2. Be patient. SEO isn’t about instant gratification. Results often take months to see, and this is especially true the smaller you are, and the newer you are to doing business online.

3. Ask a lot of questions when hiring an SEO company. It’s your job to know what kind of tactics the company uses. Ask for specifics. Ask if there are any risks involved. Then get online yourself and do your own research—about the company, about the tactics they discussed, and so forth.

4. Become a student of SEO. If you’re taking the do-it-yourself route, you’ll have to become a student of SEO and learn as much as you can.

5. Have web analytics in place at the start. You should have clearly defined goals for your SEO efforts, and you’ll need web analytics software in place so you can track what’s working and what’s not.

6. Build a great web site. I’m sure you want to show up on the first page of results. Ask yourself, "Is my site really one of the 10 best sites in the world on this topic?" Be honest. If it’s not, make it better.

7. Include a site map page. Spiders can’t index pages that can’t be crawled. A site map will help spiders find all the important pages on your site, and help the spider understand your site’s hierarchy. This is especially helpful if your site has a hard-to-crawl navigation menu. If your site is large, make several site map pages. Keep each one to less than 100 links.

8. Make SEO-friendly URLs. Use keywords in your URLs and file names, such as yourdomain.com/red-widgets.html. Don’t overdo it, though. A file with 3+ hyphens tends to look spammy and users may be hesitant to click on it. Related bonus tip: Use hyphens in URLs and file names, not underscores. Hyphens are treated as a "space," while underscores are not.

9. Do keyword research at the start of the project. If you’re on a tight budget, use the free versions of Keyword Discovery or WordTracker, both of which also have more powerful paid versions. Ignore the numbers these tools show; what’s important is the relative volume of one keyword to another. Another good free tool is Google’s AdWords Keyword Tool, which doesn’t show exact numbers.

10. Open up a PPC account. Whether it’s Google’s AdWords or Yahoo’s Search Marketing or something else, this is a great way to get actual search volume for your keywords. Yes, it costs money, but if you have the budget it’s worth the investment. It’s also the solution if you didn’t like the "Be patient" suggestion above and are looking for instant visibility.

11. Use a unique and relevant title and meta description on every page. The page title is the single most important on-page SEO factor. It’s rare to rank highly for a primary term (2-3 words) without that term being part of the page title. The meta description tag won’t help you rank, but it will often appear as the text snippet below your listing, so it should include the relevant keyword(s) and be written so as to encourage searchers to click on your listing. Related bonus tip: You can ignore the Keywords meta altogether if you’d like; it’s close to inconsequential. If you use it, put misspellings in there, and any related keywords that don’t appear on the page.

12. Write for users first. Google, Yahoo, etc., have pretty powerful bots crawling the web, but to my knowledge these bots have never bought anything online, signed up for a newsletter, or picked up the phone to call about your services. Humans do those things, so write your page copy with humans in mind. Yes, you need keywords in the text, but don’t stuff each page like a Thanksgiving turkey. Keep it readable.

13. Create great, unique content. This is important for everyone, but it’s a particular challenge for online retailers. If you’re selling the same widget that 50 other retailers are selling, and everyone is using the boilerplate descriptions from the manufacturer, this is a great opportunity. Write your own product descriptions, using the keyword research you did earlier (see #9 above) to target actual words searchers use, and make product pages that blow the competition away. Plus, retailer or not, great content is a great way to get inbound links.

14. Use your keywords as anchor text when linking internally. Anchor text helps tells spiders what the linked-to page is about. Links that say "click here" do nothing for your search engine visibility.

15. Build links intelligently. Submit your site to quality, trusted directories such as Yahoo, DMOZ, Business.com, Aviva, and Best of the web. Seek links from authority sites in your industry. If local search matters to you (more on that coming up), seek links from trusted sites in your geographic area—the Chamber of Commerce, etc. Analyze the inbound links to your competitors to find links you can acquire, too.

16. Use press releases wisely. Developing a relationship with media covering your industry or your local region can be a great source of exposure, including getting links from trusted media web sites. Distributing releases online can be an effective link building tactic, and opens the door for exposure in news search sites. Related bonus tip: Only issue a release when you have something newsworthy to report. Don’t waste journalists’ time.

17. Start a blog and participate with other related blogs. Search engines, Google especially, love blogs for the fresh content and highly-structured data. Beyond that, there’s no better way to join the conversations that are already taking place about your industry and/or company. Reading and commenting on other blogs can also increase your exposure and help you acquire new links. Related bonus tip: Put your blog at yourdomain.com/blog so your main domain gets the benefit of any links to your blog posts. If that’s not possible, use blog.yourdomain.com.

18. Use social media marketing wisely. If your small business has a visual element, join the appropriate communities on Flickr and post high-quality photos there. If you’re a service-oriented business, use Yahoo Answers to position yourself as an expert in your industry. With any social media site you use, the first rule is don’t spam! Be an active, contributing member of the site. The idea is to interact with potential customers, not annoy them.

19. Take advantage of local search opportunities. Online research for offline buying is a growing trend. Optimize your site to catch local traffic by showing your address and local phone number prominently. Write a detailed Directions/Location page using neighborhoods and landmarks in the page text. Submit your site to the free local listings services that the major search engines offer. Make sure your site is listed in local/social directories such as CitySearch, Yelp, Local.com, etc., and encourage customers to leave reviews of your business on these sites, too.

20. Take advantage of the tools the search engines give you. Sign up for Google’s webmaster Central and Yahoo’s Site Explorer to learn more about how the search engines see your site, including how many inbound links they’re aware of.

21. Diversify your traffic sources. Google may bring you 70% of your traffic today, but what if the next big algorithm update hits you hard? What if your Google visibility goes away tomorrow? Newsletters and other subscriber-based content can help you hold on to traffic/customers no matter what the search engines do. In fact, many of the DOs on this list—creating great content, starting a blog, using social media and local search, etc.—will help you grow an audience of loyal prospects and customers that may help you survive the whims of search engines.

The Don’ts

1. Don’t reply to the SEO spam you get via e-mail. You don’t need to submit to 1,000 search engines or 500 directories. You can’t buy 2,000 quality links for $50. And no reputable SEO can guarantee a number one ranking on any search engine for keywords that matter. The kind of SEO company you want to hire doesn’t send out spam.

2. Don’t wait too long to implement SEO. Whether you’re launching a new Web site or upgrading your current site, SEO considerations should be part of the discussion from day one.

3. Don’t take your decision to hire an SEO company too lightly. Hiring an SEO company is not like choosing a company to service your copy machine. Online marketing can make or break your company, so choosing a vendor should involve a lot of research and questions with the companies you’re considering.

4. Don’t hire an SEO company and then divorce yourself from the process. It’s your job to know and understand as much as possible about the strategies and tactics your SEO company will be using. If your SEO company uses high-risk tactics and your site gets caught, you’ll be the one paying the price.

5. Don’t spread your content over several domains. There are times when sub-domains or an additional domain might make sense, but those occasions should be dominated by user and content considerations, not an attempt to get multiple domains/sites listed in the SERPs. Know the pros and cons of using sub-domains and additional domains.

6. Don’t waste your time submitting your URL to search engines. The crawler-based search engines will find your site more quickly as soon as you get a link from another web site already being crawled. Search engine submission died a few years ago.

7. Don’t make your web site uncrawlable. This can result from an incorrect robots.txt file, having session IDs or too many variables in your URLs, using a convoluted navigation menu that spiders can’t (or won’t) follow, or developing an all-Flash, all-graphic, or all-AJAX site.

8. Don’t target overly general keywords. A real estate agency in Wichita has no shot at ranking for the phrase "real estate;" a lawyer in Fresno has no shot at ranking for the word "lawyer." Optimize for relevant, specific keywords that will bring targeted traffic.

9. Don’t stuff keywords in your meta tags, image alt tags, etc. That is so 1996-97. Today, it’s called spam.

10. Don’t stuff keywords in your page footer with lightly-colored or hidden text. That is so 1998-99. Today, it’s also called spam.

11. Don’t have the same title element on every page. Variety is the spice of life and, combined with relevance, is a pre-requisite to avoiding duplicate content issues and Google’s supplemental index.

12. Don’t allow both www.yourdomain.com and domain.com to resolve to your home page. Those are two separate addresses to a search engine, and that means you have the same content at two addresses. On a related note, don’t link to your home page with a URL like www.yourdomain.com/index.html—that’s also a separate address from www.yourdomain.com and will also look like duplicate content.

13. Don’t ignore usability. Things like proper site structure, logical navigation, descriptive link text, etc., are good for both users and search engine spiders.

14. Don’t give up on creating great content because you think your customers don’t need or want it, or because your product or service doesn’t lend itself to great content. No matter what business you’re in, you can add great (linkable) content to your web site. A glossary is an easy way to create a page of great, keyword-rich content. Also consider a frequently asked questions page, a testimonials page, how to articles, product support manuals and so on.

15. Don’t develop an unbalanced link profile. Too many small business owners, knowing links are important, immediately begin trading links with any and every site they can find. Not a good idea. Reciprocal links aren’t bad by default, but if most of your inbound links are the result of link trades, they won’t help much. Reciprocal links should only be made with quality, relevant web sites, and should only represent a fraction of your overall link profile.

16. Don’t request the same exact anchor text on all links to your site. This is an obvious sign of unnatural link building. Your link building should look natural, and varied anchor text will help.

17. Don’t plaster your link all over blog comments, guestbooks, etc. That’s called spamming, not SEO.

18. Don’t fret over keyword density. Yes, your target keyword and closely-related terms should appear in the page title, description meta tag, and page copy. No, a calculator is not an SEO tool.

19. Don’t obsess over Google PageRank. What you see in the toolbar is several months old, and doesn’t affect rankings like it used to. PageRank is now more about crawl frequency and depth, and whether a page is stored in the main index or supplemental index.

20. Don’t check your rankings every day. They’re going to change whether you look or not. Better to spend time improving your web site rather than watching it flutter up and down the SERPs.

Leave a comment... (0)