The benefit of using GIT in the way below is that it maintains version history AS WELL as offering a managed host, i.e. it deals with uploading as well as versioning (in 1 git bash push.)

So here’s the scenario – there’s one of you, or maybe a few core founders/dev’s and you want to use GIT to version control your developments of a new web app or site. You already have a shared hosting account with 1and1 which works fine up to 20k hits a day or so, is there really need to have the thing scalable on demand from day one? No? Great, read on. If you REQUIRE scalability off the bat (I bet you don’t, really) then go find a PaaS/jump on AWS, for now here’s how to get GIT versioning (with automatic publication) working on your 1and1 shared hosting.

Firstly go read this, its a great guide that pretty much* got me there (95% of the credit to Abhijit), there’s just a few changes to get it to work on 1and1.

How I did it: GIT on 1and1

Load up your FTP, get to the root of your hosting and make your main site dir, in this case we will call it AppDev1:
/AppDev1
Next make two directories underneath it: “repo” and “live”, I shall explain these after you have made them:
/AppDev1/live
/AppDev1/repo
What these two are going to do is give you a live “root” for your web app/site as well as a GIT repository (which stores all the changes.) By separating them you keep everything simple. [live = web root folder, repo (or whatever you call it) = git bare repository.]

Next locally (on your machine) create a folder which you want to develop in:
C:/EpicNewApp

…And load up GIT BASH (assume you have) and enter the following:
cd "C:/EpicNewApp";
git init;

Next go ahead and load your SSH client (putty) and log into your 1and1 Account (there is guidance on 1and1 under SSH accounts, if you need it.) Once logged in enter the following:

cd "/AppDev1/repo"
git init --bare
cat > hooks/post-receive
#!/bin/sh
GIT_WORK_TREE="../live" git checkout -f
chmod +x hooks/post-receive

*note: This differs from the aforementioned guide in the address entered under GIT_WORK_TREE, this is the only way I could get this setup to work on 1and1.

You can also simply stick these lines into a file called post-receive and upload the file to the “hooks” folder of your new bare repository (repo), if you are so inclined.

That’s it, your done with the SSH, now you can bind a remote location in GIT BASH (replace the obvious:)
$ git remote add web "ssh://u99999999@yourMain1and1Domain.com/~/AppDev1/repo/"
…And go ahead and push to 1and1 (you will need your SSH password to do so.)
$ git push web +master:refs/heads/master
All being well this should have pushed a version to your /AppDev1/repo folder and also updated the live files as per your changes!

Happy Ghetto Versioning!

Note: As per comments, removed .git reference from link, thanks Ano.

It was a busy November, but it paid off – completed a good few projects for some great clients, and whats more I won no# 1 Top Freelancer @ people per hour!

You can read more about some of my recent projects here, although there’s only a few case studies up, the most public of the projects was a great life planning app that I built to first iteration, you can check it out (DO IT NOW!) @ 5years.me – built in the cloud on PaaS, behind the scenes I have also helped develop a social media analytics platform that is a marketeers wet dream, maybe as it gets properly released I will divulge more on that. Needless to say November was a great month of good work for great clients – off the radar now until my big project in early 2012

Was saving down facebook data into a database from the graph api, wanted to save the urls in a mixed url table but didn’t want to bother saving the whole http://www.facebook.com every time, what a waste of data. Initially I lazily abbreviated this too: fb.com/whateverthepagewas, left the acquisition stuff to its job and then went off to do something else. Coming back to the management system I accidentally clicked one of these fb.com/ links, and it worked! Facebook have set it up as a redirect. Maybe this was common knowledge but I hadn’t heard of it before…Anyhow a useful biproduct of dataspace savings!

So check it out: fb.com/hayday

That will redirect you too http://www.facebook.com/hayday (my page.) – just like fb.me, but traditional-like, lol. Neat eh? Anyone else know any facebook quick wins?

Get last day of last year – obvious, but still (+1 this for first day):

SELECT DATE(CURDATE()- INTERVAL DAYOFYEAR(CURDATE()) DAY);

And how useful… FROM_UNIXTIME takes a unix timestamp and makes it a friendly datetime, its like they KNOW I am coding for facebook data acquisition…Anyhow…

To make a GMT UNIX time-stamp for the first day of this month:

SELECT UNIX_TIMESTAMP(CONVERT_TZ(DATE(CURDATE()- INTERVAL DAYOFMONTH(CURDATE()) DAY), '+0:00', 'SYSTEM'));

You can switch out the dates obviously, and there are probably other ways, still, mostly pain free.

Irritating when the thing looks so pretty out of the box. So rather than opt for one of the non-pretty options I just hacked it. Brutally I just added code to maintain an input as a csv, it needs fixing really but this does work, for now.

Click here to download my hack/fixed version which maintains a separate csv (in a designated ID – search replace “csvHolder” if you want to change its ID.)

Hopefully Drew can update his plugin so it works out of the box, its a really useful plugin.

Note: This rar includes my csv quick maintaining functions which are required.

You can host facebook apps on any host, but hosting somewhere unsecure (not accessible via https) will flag up the following prompt for anyone browsing to the page with secure browsing turned on (high proportion of fb users.) You CAN also use amazon cloud storage (S3) for free https file storage, up to a level, however you cannot run server side code (php/ASP.NET) without setting up a server with their EC service.

Not pretty eh? What will that do to your conversion rates? Yep nothing good.

Its not just the mavericks either, for example brands like banana republic are still running http stuff, prompting the user with this message on loading their like-capture pages.

Set up 1and1 shared hosting to host Secure SSL facebook apps/applications/tab pages

So anyway here’s the cheap, quick way to hosting your facebook apps SECURELY using 1and1 shared hosting.

1. Log onto admin.1and1.co.uk (or .com)
2. (Optional) Register a domain name which you don’t mind generically hosting your fb content. For me this is www.whfb.co.uk – this will only show up if users looked at the information for the frame, probably wont ever matter, but if you are running a whole host of different niche pages it might be worth it for simplicity/segmentation.
3. Go to domain management section and click “Shared SSL Encryption” under SSL option
   
4. Assign the Shared SSL Encryption to your generic domain/main domain you want to use
   
5. Setup a folder under your domain like you would with any facebook page, use the facebook php api to fangate or just put some html up there, bare in mind all objects referenced in what you put up should direct resources to “https” not http. That is if you reference “http://www.example.com/someimage.png”, switch the http for https (save your own copy of the file if you need to. Referencing images locally in the folder should work fine for http/https if you use the same domain.
6. Setup your facebook app (theres thousands of guides on this…) and set the following (under “Select how your app integrates with Facebook -> Page Tab”)
   
7. Add the app to your facebook fan page and visit it, (setting it as default landing page perhaps ) – you should not get any security messages, if you have you need to go back and check your html is pointing to any external elements via https.

Chances are if you are running 1and1 shared hosting (or any other major) then you will have SSLRelays free of charge with your package, what’s more this takes about 1 minute to setup, so test with this before you stick stuff in the cloud!

If you want to read more about the plugin you can check out this post on, What is the point in Automated Editor or go right ahead and get it from wordpress.org or buy the professional version at AutomatedEditor.com.

Watch this space for a few posts on how I use the plugin, (it works fantastically well when rigged up with Auction2Post.)

So its moved, re-branded and been closed off. That is close off for free querying/use. I can understand why this has happened, being a successful domains generation site it was probably getting heavy traffic, perhaps badly converting traffic as webmasters/domain purchasers are likely to be saavy, likely to not click through affiliate links to godaddy and likely to load a few hundred pages (each with a hundred calls to whois registries) per click through (if they do click through.) Also the dreamer kids just messing about with domain names probably added to the load. So now it costs, $9 a month to be precise, not a shocking amount but probably enough to allow its owners at least break even.

Namestation, Worth $9 a month?

At first I just bailed out and found a few alternative sites, nameboy first (which I remembered was far too unhelpful to bother with) then a few others, the best I found was domainsbot, which offers the basic kind of service namestation (makewords, w/e) used too. For a start it did the job, but the fence now up around namestation made me inquisitive.

So I signed up. First for free, allowing use all of the services makewords used to have, bar the most important/validating feature, domain availability. You can generate all of the domains like GiantBasketballChickens.com you want but you wont know if they are available or not without checking elsewhere, unless you pay. So yeah, jump to the premium plan, $9 a month. I do wonder how they got to that price point.

There’s more. By far the best new feature addition of namestation is contests. Contests allow people to post their site idea and let others suggest available domain names that they could use. Contests are a fantastic idea. Contests will only work should the people wanting the ideas actually pay the people competing, but still contests are a nice addition. I should add it doesn’t cost to enter contests (suggest domain names.)

After you have the premium plan its mostly business as usual, makewords was good with its wordlists, namestation is better, quicker and mostly simple to use. There are a few other additions, compound words allows you to mash up two phrases nicely (although I couldn’t get much useful out of it for the first contest I challenged myself to enter) and being able to check “all extensions” for a domain is very useful for example.

There is a few things which aren’t so great. If you go about generating lists of domains, using say, the top 1000 words list, if you use a fairly common word then the chances are 85% of the top 1000 words have already been mixed with it (e.g. carShop, carOnline etc.) but with the current gui namestation just queries a page size at a time, which may leave you clicking nextpage and waiting on ajax 15 times before you see any Available domains. You can up the page size to 100 (see “set page size” link bottom left of results) – of course if your a premium plan user. It may reduce strain on the server this way, but loading blank pages is no fun.

Advanced settings are useful too, but they only appear on some of the wizards, you can’t for example use compound words and limit the character count. This would be win win for both users and server strain.

And still there is the age old problem of .me and false firing. Its happened about 5 times in the last hour, namestation says the .me is available, godaddy/whois disagrees. This has always been a problem though, with almost every domain checking facility since .me’s were released, the problem is probably the registrars side.

Anyway seeing as what should of been a 20 minute search for a short url domain has somehow transformed into a long ass review and no short url domain name I thought I would throw it up there as a contest. So go dump your inspiration on this, while I go and make some coffee.

Website hacker entrance vectors (have any security holes?)

Common CMS, E-Commerce systems and forums (out of date or zero day, they all have or have had vulnerabilities) – WordPress, Drupal, OSCommerce, Gallery, PHPBB, VBulletin etc. etc. Particularly relevant here are the open source systems, but they are all susceptible – how many of these do you have installed where? For me these could of been answered with “a lot” and “some places”, clarity has now been restored but more on that later.

CMS Plugins (^^) – Often overlooked (especially by me), installed plugins can in themselves be entry vectors, often CMS’s push their communities to develop additional functionality for their system, which is a good thing, however if the system itself doesn’t deal particularly well with the security of folder structures or indeed how plugins are accessed they can offer ways in. Be careful with plugins which deal with file management and code execution (e.g. file attachers/uploaders etc.) Try to use late version highly rated plugins from reputable sources, with things like WordPress, plugins are low risk though as it has an excellent security model.

Bespoke server-side code and CMS’s – in my experience these is often LESS likely to get hacked, firstly “hackers” in this case are more likely to be script kiddies sitting in web cafes in some of the poorer world nations, they often use known exploits on common systems rather than trawl the web, searching for one off programmer mistakes. If you are behind the bespoke stuff leave out as many foot prints as possible and triple check everything. For bespoke stuff the most likely point of entry is simple SQL Injection, use SQL parameters.

FTP/WebDav – This really comes down to passwords as next indicated.

Passwords – Acquired by trojans or traffic sniffers, it becomes irrelevant what security you have in place across the whole setup if you don’t look after them properly. Avoid connecting to anything unencrypted (or at all if possible) on any network you don’t 100% trust, WIFI and wired, even if it’s a friends they could have a network sniffing Trojan on an idle machine. Install good anti-virus and protection software. Use Avast (free for private use) and Spybot Search and Destroy (these two are plenty.) Be careful with providing access to other users, whether it FTP, CMS, SSH, whatever – you may trust them but do you trust their computers?

Detection and Fixing – Realising you’ve been hit and fixing it

So after they gain entry, what would a hacker really do? Often with web hacking the motivation is kudos, money or sabotage – all are achieved through defacing, deleting or modifying web pages/logic and/or altering/downloading databases. A nightmare from the point of view of shared hosting users.

Depending on how they gain entry a hacker (or their automated executing code) may search through all of the files they can access, through ftp or server-side scripts, built to identify possible files to manipulate. They may download copies of things (e.g. databases!) but will likely set about cycling through all available webpage files and doing things such as:

• Inserting code within the page (iframes to bad websites, links to their websites – designed to improve their search engine rankings, redirect code which just shuttles people on to their sites)
• Replacing the file with a predesigned page (kudos fronts ‘this website was hacked by…’)
• Replacing common server-side functions and variables (e.g. replacing all the send values on email scripts to forward emails to an account other than the owners)

If you have a single site, or 10 or something the chances are you personally check them all every now and again, getting a little facetime at least once a week say. In this case your opportunity for hosting a hacked site is 7 days, not awful, not great – Google and browsers will start blocking your site if the hacker has inserted any code going to malware or similar, and otherwise may start to drop you down the rankings if your site now displays a ‘hacked by..’ page instead of your wholesome site.

In the case of a lot more sites on the host this can mean no detection for a longer time, if no system is in place, often first recognised through a drop in statistics/earnings (more likely earnings as in the case of iframed malware a change in the number of hits can be not hugely obvious.)

To add confusion to the mix it’s not unknown for hackers to mask their changes to you, it’s very easy with .htaccess files and php/asp headers (for example) to show content relative to its viewer. E.g. the hacker could shuttle people coming in from Google to a hacked page but people that access the site directly (typing it in) get shown the normal site. Furthermore they may not hit every site you have, perhaps a handful of random choices, some folders not others, a smokescreen like attack which could change each time.

Chances are once you get all your pages fixed and get around to looking at where the security hole is that when you recheck your sites they would have been hit again. This tells you two things, 1. The hacker is relentless (or more likely has a relentless automated program, exploiting 24/7) and 2. You have not plugged the security hole. Or if you are really unlucky you are being hacker tag teamed.

So anyway, detection. How do you go about knowing the integrity of your web portfolio? What if it spans 10 shared hosting accounts or 4 servers? Well likely if you own your own server you have spent the time/cash in locking everything down, what I suggest here would be useful to you guys but you may already have a better solution in place.

Currently there are a bunch of services which will do this for you, of which I have tried zero. “Monitoring” services are available worldwide ranging in prices drastically, for me though even the high end services didn’t offer a full set of features and were mostly hugely overpriced but for the top 50% of the portfolio, not effective for me.

The good things about using external monitoring services are obvious but none seemed to be able to offer realistic change monitoring (e.g. WordPress blogs may change content between <div id=”whatever”> and </div> every hour but the rest of the page should stay almost the same.) It is important they see the addition of malicious code to good pages and not throw constant false alarms. For ‘this website was hacked by..’ pages though they probably do a good job (as well as malware detection.) Uptime monitoring is also common as part of the packages, useful without doubt.

I suggest another way though of monitoring an established portfolio, that is the way I have resolved my recent hacker attacks, a realistic option for shared host/anywhere-in-the-world-with-a-laptop client based use. Ultimately an extension of a few older applications I wrote to manage a growing portfolio, weathered by several hacks across accounts within the past 6 months – Hard checks of every important file.

At first I wrote my system to simply allow me to take stock of the sites and CMS’s I have in place, to work out possible security holes from behind the scenes – but it turns out it works surprisingly well in identifying breaches. By checking your actual live file structure (.htaccess, index.php, default.aspx, index.html etc.) against a known correct file structure snapshot, you take the whole http part of the checking out of the loop, effectively making it a higher level integrity check than external services can ever offer.

By making Checksums of every critical file (often hackers just hit index.php, index.html, default.aspx etc.) within a given ftp/file structure and then automatically rechecking at scheduled points it becomes easy to minimise your window for financial fallout from hackers. This may seem like a time/bandwidth/processor consuming task but in actuality 100 websites with WordPress installed could be checked in a few Mb of download – in terms of modern data use that’s a few browses of a facebook photo gallery. What’s more it can run in the background, only prompting you on changes to files, as frequently as you want.

The side benefit of producing complete hosting account checksum snapshots is you are also able to accurately backup a working copy of your hosting account. Built into the checking process this means that you can then correct hackers’ malicious changes with a click of a button.

This of course does not take into account more hard-file based websites, database changes or regularly altered sites. I recommend automated screenshots to cover these or the combination of external monitoring services and integrity checking.

I have written an alpha release of this system (named Website Integrity Checker for now) and will gladly distribute/discuss it if you drop me a comment below. A beta copy might make its way out sometime.