The benefit of using GIT in the way below is that it maintains version history AS WELL as offering a managed host, i.e. it deals with uploading as well as versioning (in 1 git bash push.)

So here’s the scenario – there’s one of you, or maybe a few core founders/dev’s and you want to use GIT to version control your developments of a new web app or site. You already have a shared hosting account with 1and1 which works fine up to 20k hits a day or so, is there really need to have the thing scalable on demand from day one? No? Great, read on. If you REQUIRE scalability off the bat (I bet you don’t, really) then go find a PaaS/jump on AWS, for now here’s how to get GIT versioning (with automatic publication) working on your 1and1 shared hosting.

Firstly go read this, its a great guide that pretty much* got me there (95% of the credit to Abhijit), there’s just a few changes to get it to work on 1and1.

How I did it: GIT on 1and1

Load up your FTP, get to the root of your hosting and make your main site dir, in this case we will call it AppDev1:
/AppDev1
Next make two directories underneath it: “repo” and “live”, I shall explain these after you have made them:
/AppDev1/live
/AppDev1/repo
What these two are going to do is give you a live “root” for your web app/site as well as a GIT repository (which stores all the changes.) By separating them you keep everything simple. [live = web root folder, repo (or whatever you call it) = git bare repository.]

Next locally (on your machine) create a folder which you want to develop in:
C:/EpicNewApp

…And load up GIT BASH (assume you have) and enter the following:
cd "C:/EpicNewApp";
git init;

Next go ahead and load your SSH client (putty) and log into your 1and1 Account (there is guidance on 1and1 under SSH accounts, if you need it.) Once logged in enter the following:

cd "/AppDev1/repo"
git init --bare
cat > hooks/post-receive
#!/bin/sh
GIT_WORK_TREE="../live" git checkout -f
chmod +x hooks/post-receive

*note: This differs from the aforementioned guide in the address entered under GIT_WORK_TREE, this is the only way I could get this setup to work on 1and1.

You can also simply stick these lines into a file called post-receive and upload the file to the “hooks” folder of your new bare repository (repo), if you are so inclined.

That’s it, your done with the SSH, now you can bind a remote location in GIT BASH (replace the obvious:)
$ git remote add web "ssh://u99999999@yourMain1and1Domain.com/~/AppDev1/repo/"
…And go ahead and push to 1and1 (you will need your SSH password to do so.)
$ git push web +master:refs/heads/master
All being well this should have pushed a version to your /AppDev1/repo folder and also updated the live files as per your changes!

Happy Ghetto Versioning!

Note: As per comments, removed .git reference from link, thanks Ano.

It was a busy November, but it paid off – completed a good few projects for some great clients, and whats more I won no# 1 Top Freelancer @ people per hour!

You can read more about some of my recent projects here, although there’s only a few case studies up, the most public of the projects was a great life planning app that I built to first iteration, you can check it out (DO IT NOW!) @ 5years.me – built in the cloud on PaaS, behind the scenes I have also helped develop a social media analytics platform that is a marketeers wet dream, maybe as it gets properly released I will divulge more on that. Needless to say November was a great month of good work for great clients – off the radar now until my big project in early 2012

Was saving down facebook data into a database from the graph api, wanted to save the urls in a mixed url table but didn’t want to bother saving the whole http://www.facebook.com every time, what a waste of data. Initially I lazily abbreviated this too: fb.com/whateverthepagewas, left the acquisition stuff to its job and then went off to do something else. Coming back to the management system I accidentally clicked one of these fb.com/ links, and it worked! Facebook have set it up as a redirect. Maybe this was common knowledge but I hadn’t heard of it before…Anyhow a useful biproduct of dataspace savings!

So check it out: fb.com/hayday

That will redirect you too http://www.facebook.com/hayday (my page.) – just like fb.me, but traditional-like, lol. Neat eh? Anyone else know any facebook quick wins?

Clock Face by tibchris
Facebook Time in PHP, who the what where?

If you haven’t tried pulling anything time-sensitive out of the graph API yet, don’t, that’s my advice. There is not a single bit of coherent explanation as to how the API hand’s out times, when I first researched it I had written on my pad “Pacific time”…great, did my past (possibly beer holding) self not remember that Pacific time is one thing half the year and another the other half? PDT/PST? Obviously not. What’s more, now when I check (post something on a page, grab it with graph API) – its giving me GMT+00 times, WHEN I’M IN GMT+01.

All I can work out is facebook have either been pleasant enough to convert the time to the users original registration locale (likely, and pleasant) and not noted it down ANYWHERE publicly, or they have chosen to use GMT. Probably the former, either way – facebook developers – we need a better solution for working with facebook times.

As I have been dabbling with facebook fan pages I thought I would share a few of the take-away’s, in this case purely to do with the branding of your facebook page, increasingly an important outward factor in all web developments – facebook fan pages are perhaps the building blocks of a good social sprawl. I will post later about the technicalities of using fan-gated iframe apps (hosting them on 1and1/Amazon S3 for no extra cost) and similar but for now lets focus on the looks.

Take a look at these few examples:

You have probably noticed straight away what I am getting at. Coherence. Branding coherence is an eternal battle for marketing departments, making your brand appear coherent to the corporate strategies laid down to be long term principles. In the realm of smaller web projects though its not such a huge deal. The first thing I do when setting up a new facebook page is get the overall branding planned and implemented. In short I make/contract 6 Images. These 6 images will either work well together, leaving a mark in the mind of an already bombarded potential fan or they’ll excite no one and be forgotten along with the other mediocre half-attempts. Get these 6 images right.

So here’s how it is. You are allowed a facebook profile pic for your page, this image can be just a logo (check out HP) or it can be utilised as any ad space might be, stick up an exclusives offer deal, some shocking message etc. This image can be up to 200 px x 600 px and you can upload a higher resolution, baring in mind the width will always be proportionate.

Your other 5 images come in the form of Tagged/Wall posted/Album images. These are shown across the top of your wall (where ultimately you wan’t your fans to be hanging out) and are sorted in a RANDOM order by facebook. That’s right, however you upload them they will occasionally appear in a completely different order unlike the ones on your personal profile page. These stick to normal photo proportion ratio’s and can be uploaded via the “upload photos” option on the pages’ wall. Remember they don’t have to be photo’s, use these 5 images to extend (coherently) the brand of the page you are trying to promote.

Take a look around, check out some pages of your favourite brands, I have no doubt they will be using the images in clever ways, ways that can improve like rates, conversation and overall brand image.

Facebook Fan Page Branding Template



(Adobe Illustrator CS4, 600kb Rar’d)

Its an Adobe Illustrator file with a dummy facebook page laid out with artboards setup for each of the 6 images I talk about above, it should let you create all your images in a single space so you can really get a feel as to how well they gel together. Once you have constructed your images, switch to artboard view and click each image in turn, remember when exporting the main profile pic image that it needs to be 200 pixels wide, this way you won’t suffer any of facebooks image downscaling nasties.

Do you use Auction2Post [A2P]? If you don’t its a wordpress plugin which automatically implants listings from ebay as wordpress posts, including affiliate links through the ebay partner network from which you earn a commission. Its quite useful. Read my post about it here. Anyhow if you don’t use the plugin you can pretty much skip this post, unless you use a similar thing which is generating all kinds of nasty strings you don’t want in your posts

This post will show you how to sanitise your auction2post posts for annoying (and contract breaking) ebay auction strings, it even has 125 rules already in a file for import!

The problem

Auction2Post is great in lots of respects, its well written and does a prescribed job. Where it caused irritation for me is arguably after its done its job, after the wordpress plugin had created its posts. You see you can create posts via templates, which is great, it allows enough customisation for most, however I wanted a bit of text processing as often you are left with irritating auction footers and garbage text which make the user hit back or close at a displeasing rate (some of these ebay strings might actually make your Auction 2 posts sites break ebay partner network terms of service, its really worth sanitising your posts as I describe below!)

The Solution

This problem with Auction 2 Post and wordpress is one of the reasons Automated Editor was born, to give a bit more freedom in text processing, wordpress filters are great but I don’t think filtering hundreds of ebay phrases like that is effective.

If you want to cleanse your Auction2post posts of dirty ebay auction footers and the like here is how I currently do it:

1. Install Automated Editor plugin on the blog in question. (Get it here and install like a normal plugin.)
2. Go to the plugin (Auto Editor on its plugin menu) and read the disclaimer (big red box) and THEN accept it.
3. Download the rules file I have created (Get it at the bottom of this post) and unzip it somewhere.
   
4. Go to “Import/Export” on the Automated Editor plugin menu.
   
5. Choose the aforementioned rules file and hit import.
   
6. You should now have 125 or so rules in your rules list
7. Now go to Schedules on the plugin menu and then click Add New.
8. Scroll down and hit Select All (under the long list of rule checkboxes ebay1, ebay2 etc.)
   
9. Scroll down again and select Most Recent Post from the Target dropdown.
10. Make sure run option is on “After a post is published”.
    
11. Save it.
12. Turn on schedules.
    
13. Post a test post, either via A2P or manually, it should remove any of the 125 annoying (common) ebay auction strings it finds! Sorted.

Notes on this method:

• You will need the Full version (Ultra Pro) of Automated Editor, the free version is limited to 3 rules and this rules file alone has 125 ebay-string removing rules. It’s cheap though here.
• If you already have Auction2Post auction posts in the system you will have to setup a different schedule to operate on those, I usually set this up before I set any automation (it’s quite easy, just do the same thing and switch out “Most Recent post” for “all posts”, run it once then disable the schedule – you don’t want it operating on them all every time!)
• Currently this removes 125 strings I have found previously, mostly from uk auctions, I am considering writing a simplified version of this whole setup, an “Auction2Post Post Cleaner” which you can just activate and leave, perhaps with cloud rules, so watch this space. Good thing about the above setup though is you can continually improve your own rules file by adding your own strings.

Rules File

The link below offers a RAR’d version of my Automated Editor rules file which contains 125 x ebay string removal rules, yours for free Please however do use carefully, as with all automated-editor situations if you don’t understand what you are doing then don’t use it, this is for the people that understand the above problem and have the full version of the plugin.

Download Rules File
[Right click-Save as]

If you want to read more about the plugin you can check out this post on, What is the point in Automated Editor or go right ahead and get it from wordpress.org or buy the professional version at AutomatedEditor.com.

Watch this space for a few posts on how I use the plugin, (it works fantastically well when rigged up with Auction2Post.)

Website hacker entrance vectors (have any security holes?)

Common CMS, E-Commerce systems and forums (out of date or zero day, they all have or have had vulnerabilities) – WordPress, Drupal, OSCommerce, Gallery, PHPBB, VBulletin etc. etc. Particularly relevant here are the open source systems, but they are all susceptible – how many of these do you have installed where? For me these could of been answered with “a lot” and “some places”, clarity has now been restored but more on that later.

CMS Plugins (^^) – Often overlooked (especially by me), installed plugins can in themselves be entry vectors, often CMS’s push their communities to develop additional functionality for their system, which is a good thing, however if the system itself doesn’t deal particularly well with the security of folder structures or indeed how plugins are accessed they can offer ways in. Be careful with plugins which deal with file management and code execution (e.g. file attachers/uploaders etc.) Try to use late version highly rated plugins from reputable sources, with things like WordPress, plugins are low risk though as it has an excellent security model.

Bespoke server-side code and CMS’s – in my experience these is often LESS likely to get hacked, firstly “hackers” in this case are more likely to be script kiddies sitting in web cafes in some of the poorer world nations, they often use known exploits on common systems rather than trawl the web, searching for one off programmer mistakes. If you are behind the bespoke stuff leave out as many foot prints as possible and triple check everything. For bespoke stuff the most likely point of entry is simple SQL Injection, use SQL parameters.

FTP/WebDav – This really comes down to passwords as next indicated.

Passwords – Acquired by trojans or traffic sniffers, it becomes irrelevant what security you have in place across the whole setup if you don’t look after them properly. Avoid connecting to anything unencrypted (or at all if possible) on any network you don’t 100% trust, WIFI and wired, even if it’s a friends they could have a network sniffing Trojan on an idle machine. Install good anti-virus and protection software. Use Avast (free for private use) and Spybot Search and Destroy (these two are plenty.) Be careful with providing access to other users, whether it FTP, CMS, SSH, whatever – you may trust them but do you trust their computers?

Detection and Fixing – Realising you’ve been hit and fixing it

So after they gain entry, what would a hacker really do? Often with web hacking the motivation is kudos, money or sabotage – all are achieved through defacing, deleting or modifying web pages/logic and/or altering/downloading databases. A nightmare from the point of view of shared hosting users.

Depending on how they gain entry a hacker (or their automated executing code) may search through all of the files they can access, through ftp or server-side scripts, built to identify possible files to manipulate. They may download copies of things (e.g. databases!) but will likely set about cycling through all available webpage files and doing things such as:

• Inserting code within the page (iframes to bad websites, links to their websites – designed to improve their search engine rankings, redirect code which just shuttles people on to their sites)
• Replacing the file with a predesigned page (kudos fronts ‘this website was hacked by…’)
• Replacing common server-side functions and variables (e.g. replacing all the send values on email scripts to forward emails to an account other than the owners)

If you have a single site, or 10 or something the chances are you personally check them all every now and again, getting a little facetime at least once a week say. In this case your opportunity for hosting a hacked site is 7 days, not awful, not great – Google and browsers will start blocking your site if the hacker has inserted any code going to malware or similar, and otherwise may start to drop you down the rankings if your site now displays a ‘hacked by..’ page instead of your wholesome site.

In the case of a lot more sites on the host this can mean no detection for a longer time, if no system is in place, often first recognised through a drop in statistics/earnings (more likely earnings as in the case of iframed malware a change in the number of hits can be not hugely obvious.)

To add confusion to the mix it’s not unknown for hackers to mask their changes to you, it’s very easy with .htaccess files and php/asp headers (for example) to show content relative to its viewer. E.g. the hacker could shuttle people coming in from Google to a hacked page but people that access the site directly (typing it in) get shown the normal site. Furthermore they may not hit every site you have, perhaps a handful of random choices, some folders not others, a smokescreen like attack which could change each time.

Chances are once you get all your pages fixed and get around to looking at where the security hole is that when you recheck your sites they would have been hit again. This tells you two things, 1. The hacker is relentless (or more likely has a relentless automated program, exploiting 24/7) and 2. You have not plugged the security hole. Or if you are really unlucky you are being hacker tag teamed.

So anyway, detection. How do you go about knowing the integrity of your web portfolio? What if it spans 10 shared hosting accounts or 4 servers? Well likely if you own your own server you have spent the time/cash in locking everything down, what I suggest here would be useful to you guys but you may already have a better solution in place.

Currently there are a bunch of services which will do this for you, of which I have tried zero. “Monitoring” services are available worldwide ranging in prices drastically, for me though even the high end services didn’t offer a full set of features and were mostly hugely overpriced but for the top 50% of the portfolio, not effective for me.

The good things about using external monitoring services are obvious but none seemed to be able to offer realistic change monitoring (e.g. WordPress blogs may change content between <div id=”whatever”> and </div> every hour but the rest of the page should stay almost the same.) It is important they see the addition of malicious code to good pages and not throw constant false alarms. For ‘this website was hacked by..’ pages though they probably do a good job (as well as malware detection.) Uptime monitoring is also common as part of the packages, useful without doubt.

I suggest another way though of monitoring an established portfolio, that is the way I have resolved my recent hacker attacks, a realistic option for shared host/anywhere-in-the-world-with-a-laptop client based use. Ultimately an extension of a few older applications I wrote to manage a growing portfolio, weathered by several hacks across accounts within the past 6 months – Hard checks of every important file.

At first I wrote my system to simply allow me to take stock of the sites and CMS’s I have in place, to work out possible security holes from behind the scenes – but it turns out it works surprisingly well in identifying breaches. By checking your actual live file structure (.htaccess, index.php, default.aspx, index.html etc.) against a known correct file structure snapshot, you take the whole http part of the checking out of the loop, effectively making it a higher level integrity check than external services can ever offer.

By making Checksums of every critical file (often hackers just hit index.php, index.html, default.aspx etc.) within a given ftp/file structure and then automatically rechecking at scheduled points it becomes easy to minimise your window for financial fallout from hackers. This may seem like a time/bandwidth/processor consuming task but in actuality 100 websites with WordPress installed could be checked in a few Mb of download – in terms of modern data use that’s a few browses of a facebook photo gallery. What’s more it can run in the background, only prompting you on changes to files, as frequently as you want.

The side benefit of producing complete hosting account checksum snapshots is you are also able to accurately backup a working copy of your hosting account. Built into the checking process this means that you can then correct hackers’ malicious changes with a click of a button.

This of course does not take into account more hard-file based websites, database changes or regularly altered sites. I recommend automated screenshots to cover these or the combination of external monitoring services and integrity checking.

I have written an alpha release of this system (named Website Integrity Checker for now) and will gladly distribute/discuss it if you drop me a comment below. A beta copy might make its way out sometime.

First underestimation: Scale
Write a book, yeah I could do that, what is it like a hundred pages? probably 6 months and I will have something. No. Not for me at least. I know the pro’s can pull a lot out of the bag but in my haphazard way of writing up mountains in Nepal or in notepads in bars it’s not going to be so straightforward. Just actually setting a scale seemed difficult for me. I went with the standard, not to be caught up in the masses of writers but just to set myself a goal, some boundaries. Somehow this equated to a goal of between 80,000 and 100,000 words, which in fact has worked out really well for this novel, however I can see how easily things can go astray and I am all for writing shorter/longer pieces after this, or this series (perhaps .)

As I side note I guess I could put pace and planning under scale, as the scale of interest I showed them at the beginning was negligible, tiny. This was a big fail for me, I decided to write the book in chunks, jumping about the story but in doing so did create a little confusion and fragmentation. I probably lost a few months to fix up, re-correlation and re-planning, in the end it will still work but next time I am going to plan it conscientiously and write from start to finish.

Second underestimation: Enjoyment
There’s this funny kind of wall I have just hit in taking on this challenge, a kind of breakthrough point that I hope is not false thought. Once I had got the book to a state it was printable, once I had that big wodge of a4 paper in my hand emblazoned with a title no one has ever seen or read before it dawned on me. I guess it’s just a positive success thing, but for all I know the book could be atrocious. Either way, at the start when all that was keeping me going was stubborn discipline and coffee I never thought about what it would feel like to actually finish the thing. But then again it’s the last push, I don’t expect an easy time yet.

So now it’s the case of a bit more writing, a lot more editing and then the answer to the dubious question of publication. Along the way I have been reading around the niche and I can see that the book should hopefully fit snugly into it, at least as much as I can subjectively tell, after all I had always intended to get the thing out there. Having spent years learning the benefits of leverage and importance of self sufficiency I also hope it to be a business success. I have the marketing and online experience so at the moment I am leaning towards self publication, it seems ludicrous to give up such a proportion as 50+ % to a publisher ultimately for the namesake of being “published” traditionally. I set out to write a book to entertain, to hit shelves, and it might still do that (eventually – fingers crossed), but what’s more important to me is that it hits retina’s, cerebral cortex’s and maybe even stimulates mouths to discuss, after all there is only ever one first novel, if it helps support the writing of more all the better.

Self publication seems to be the better horse to back, as well as being the bigger challenge, or at least a challenge not a gamble. Here’s to Joe Konrath, Barry Eisler, Dean Wesley Smith and M J Rose for giving me the belief enough in the market to start planning.

Want to know if I have put you in the book? Well watch this space….

This time however, with a new push for near as possible to 100% outsourcing I have found a good writer on ODesk, along with some supporting staff to deal with some other *secret* processes – so far so good – I took the time to interview, had one issue out of 6 or so employees but I guess I could of put more time in to harder interviews, in this case the cost was negligable.

The best bit? While away exploring Denmark I was more effective than any normal 10 days, plus I had a great time. Win. Next up I am going to find somewhere to live, probably in London – With a bit of luck this new batch of sites will help

Question is – how big of a human/bot machine can you build using Amazon Mechanical Turk, Odesk Employees, csharp bots (sometimes actually providing orders..lol) and the web at large?