Author: Adam Fowler

My WordPress Site Was Hacked!

Yep, this site.

I’d been a bit quiet here for a few months due to some other commitments going on, but I was finally getting to a point where I could start blogging again. Upon trying to log in to WordPress Admin, my username/password wouldn’t work. After a few attempts I left it for the time being to come back later, figuring my browser had an incorrect password cached or I’d forgotten something about my credentials.

A few days later, I received an email alert from my hosting provider saying malware had been detected on my website, from the ImunifyAV plugin running on Plesk.


Yikes. I tried to log on to my website again, unsuccessfully, but then tried the WordPress.com login option, which worked – weird.

The first thing I thought to do was update my password – maybe my account had been compromised? I was still using the username ‘admin’ (yes, I know), but I had a unique password in place, as well as a plugin installed called ‘Limit Attempts by BestWebSoft’, which was configured to block an IP after 5 bad attempts for 1.5 hours. With a unique password and that in place, I thought it was still unlikely someone had worked out the password.

What I did notice in WordPress after going to the Users section was that there were 4 accounts, none that I recognised and none called admin. All the usernames had been changed to try and lock me out – which it had – but they’d not bothered dropping the WordPress.com login link.

I immediately created a new admin account (not called admin) and deleted the other accounts.

The next step was to work out what had been changed or infected. If I’d been running daily backups then it’d be easy (probably): roll back until the usernames weren’t changed. I had backups, but they went back too far and I didn’t want to redo the work. All I really care about here is the content anyway, and I’m cheap, so I wasn’t paying for a daily backup service or the storage costs associated with it.

Since I don’t know PHP, the next step was to see on Plesk what ImunifyAV could do – it had an option to scan and repair these files, and at this stage I’d taken a new backup so had nothing to lose and let it do its thing. After a few passes it claimed it couldn’t find anything malicious and my site was all good. I checked over a few other things and couldn’t find anything wrong, so thought I was done. I also decided to deactivate a few plugins I didn’t think I needed any more, as that is a possible and common entry point to WordPress too.

A few days later someone told me they were seeing questionable content when clicking a link going to my site. Obviously my site wasn’t repaired, so I needed to sort it out or shut it down – the last thing I want is to be serving up bad content. Just in case, I thought I’d go and look at the user list again, and the usernames had been changed AGAIN. OK, it definitely wasn’t compromised credentials any more – and sure, maybe they’d put a backdoor in somewhere. I pruned a few other WordPress plugins and again cleaned up the accounts.

The owner of my hosting provider, Expeed, had suggested I try something like Wordfence as a WordPress plugin to help protect my site in future. I found that this also had a scanning option, which I ran – and this found more malicious code within PHP files, as well as a bunch of HTML files about replica watches.

Several passes of scanning cleaned up all the PHP detections, but the HTML files weren’t getting removed.

I had a look at a few of the files out of interest, and if nothing else, it makes me feel better about the quality of the writing in my own posts here. The links were going back to different but non-reputable looking stores.

I’m guessing the idea of this attack was to purely drive purchasing traffic through to certain websites – if you wanted a replica watch, or a real life … doll, I was apparently helping you with that choice. Sorry.

Weirdly, they’d put all of the HTML files in the uploads folder for WordPress, so I manually went through and cleaned them out. That part didn’t take too long.

My site seems OK now, and I wanted to be as comfortable as I could that it was safe before posting this explanation – but how do you ever know if it’s fully safe? If anything else does come up I’ll either look at paying Wordfence to clean it up professionally, or just rip the content out, start with a fresh WordPress instance and import my posts. I’m pretty sure the culprit was one of the several abandoned plugins I had – about 12 or so were active, I didn’t need half of them any more, and a few hadn’t been updated for a couple of years. Just updating plugins isn’t enough either: all my plugins were patched apart from one, and that one was only two weeks out of date.

The real takeaways from this are to have more frequent backups and an easy recovery process; there is no foolproof way of protecting anything online. Also, don’t feel too bad if your personal blog has been compromised – you’re the victim here. You can still do some things to protect yourself; here’s a reasonable article that lists 25 Simple WordPress Security Tricks to Keep Your Website Safe in 2021.

This really isn’t a good selling point overall for WordPress. You shouldn’t have to do this much work to protect what should be a platform to share content on.

If you want somewhere just to do simple text posts, check out GitHub Pages – but doing anything that’s not very basic will require a lot of time and effort if you’re not a developer. If you want to type and don’t mind giving your content and traffic to someone else, just use a platform like Medium. If you want a WordPress alternative that you can host yourself or with a hosting provider, then Ghost is worth a look.

How to avoid being hacked on WordPress

  1. Install a login attempt limiter plugin
  2. Update WordPress and Plugins frequently (automatically ideally)
  3. Run regular backups saved somewhere outside your hosting provider (automatically ideally)
  4. Remove or replace outdated WordPress Plugins
  5. Use a unique username and password for WordPress, and enable 2FA (now supported natively)
  6. Use a WordPress.com account to have another path of entry to your WordPress site
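A first-pass triage for the two artefacts found by hand above (non-media files dropped into wp-content/uploads, and PHP carrying eval/obfuscation markers), as an added shell example that is not from the post and is not ImunifyAV or Wordfence code. It assumes the standard wp-content layout, an allow-list of upload extensions, a short marker regex and, for the hardening step, Apache 2.4 with .htaccess honoured; the document-root path in the usage comment is illustrative. It goes slightly beyond the post by also listing recently modified files, which is how you spot the re-infection that followed the first clean-up.

```bash
#!/usr/bin/env bash
# Added example, not from the post and not ImunifyAV or Wordfence code: a first-pass
# triage of a WordPress document root for what the post found by hand. Assumptions:
# the standard wp-content layout, an allow-list of upload extensions, a small regex of
# injected-PHP markers, and Apache 2.4 with .htaccess honoured for the hardening step.

set -u

# File types that legitimately live under wp-content/uploads. Anything else is reported,
# including dotfiles: an attacker-planted .htaccess that re-enables PHP there is a classic.
WP_UPLOAD_ALLOWED='jpg|jpeg|png|gif|webp|svg|ico|pdf|mp3|mp4|mov|zip|txt|css|woff2?'

# grep -E pattern for constructs rare in honest plugin code but common in injected PHP:
# eval() over decoded/obfuscated strings, and calling a function named by request input.
# Expect some false positives; every hit needs a human look, not an automatic delete.
WP_PHP_MARKERS='eval[[:space:]]*\((base64_decode|gzinflate|gzuncompress|str_rot13|strrev)|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\('

# Print every file under wp-content/uploads whose extension is not allow-listed.
wp_find_foreign_uploads() {
    find "$1/wp-content/uploads" -type f 2>/dev/null \
        | grep -Eiv "\.($WP_UPLOAD_ALLOWED)$" || true
}

# Print "path:line:match" for every PHP file anywhere in the install that hits a marker.
# stdin is redirected so grep can never fall back to reading the terminal.
wp_find_suspicious_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) \
        -exec grep -HnE "$WP_PHP_MARKERS" {} + < /dev/null 2>/dev/null || true
}

# Print files modified in the last N days (default 7). After a clean-up, anything that
# shows up here without a known update behind it is the re-infection path to chase.
wp_find_recent() {
    find "$1" -type f -mtime "-${2:-7}" 2>/dev/null || true
}

# Apache-only hardening: refuse to execute PHP inside uploads, whatever gets dropped there.
wp_harden_uploads() {
    local dir="$1/wp-content/uploads"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
# Deny execution of any PHP dropped into the uploads tree
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Summary for a cron job: prints counts and exits non-zero if anything was found.
wp_triage() {
    local root="$1" n_up n_php
    n_up=$(wp_find_foreign_uploads "$root" | grep -c . || true)
    n_php=$(wp_find_suspicious_php "$root" | grep -c . || true)
    printf 'foreign files in uploads: %s\nsuspicious php files: %s\n' "$n_up" "$n_php"
    [ "$((n_up + n_php))" -eq 0 ]
}

# Usage (path is illustrative; on Plesk the document root is usually .../httpdocs):
#   wp_triage /var/www/vhosts/example.com/httpdocs
```

Run it from the site’s document root after every clean-up and again from cron; a non-zero exit from wp_triage is the alert. It complements a scanner rather than replacing one: the marker list is deliberately short, and any hit is a lead, not a verdict. The .htaccess only helps on Apache; on nginx the equivalent is a location block for the uploads path that returns 403 for anything ending in .php.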

Applies To: WordPress

MSPortals.io – A List of Microsoft Portals

I thought I should write up a little bit of information on a site I created; msportals.io and how it’s doing:

Being a Microsoft 365 Administrator at the time, I was looking for a list of all the Microsoft portals, particularly from an administrator point of view. A lot of lists were floating around, but nothing that was being maintained or comprehensive enough. I’d asked around about it a lot; others had the idea that they were going to create something, but nothing happened. It was a pretty simple idea and I was hardly the first to have it…

I also had the idea of creating this list on GitHub. I’d already been looking at GitHub Pages to move my blog to, but not being a programmer or developer, I was finding it too difficult to work out how to migrate and have feature parity with what I was using on WordPress. However, the GitHub Pages free tier, allowing 500 MB of data in a public GitHub repository, sounded like a perfect fit for me, providing a platform for a list of URLs.

I started to collect and write up a list of portals. Just the name of the portal, and a link to it. I wasn’t using any GitHub client or command line things, purely using the web based interface for GitHub to start putting data in and seeing how it looked on the resulting msportals.github.io site. It seemed fine, so I started asking around for people to tell me of any links I might be missing. People jumped on board pretty quickly to help (read my thanks section here) to provide portals, but also to actually contribute to the project and provide features that would have taken me a very long time to work out myself.

I also bought a domain – msportals.xyz – as it only cost a few dollars a year, and GitHub Pages supports bringing in your own domain. I had the site up and started using it, and thought I should throw it out there to see how much criticism it brought. I posted a tweet:

I didn’t expect to get much of a response – it was more of a test so I could properly launch later. Instead, as I expect often happens with projects like this, it blew up. It turned out to be my most popular tweet of all time, with almost 100k views. My only annoyance was that I had no statistics to collect on how much the site was being used! I quickly had help to add Google Analytics to the site, so about a week later I had stats.

Since mid November 2020, the site has had 55,000 users hit it. As expected, the engagement time is tiny – you go to the site and click a link.

That peak is when The Register wrote an article on the site. The site changed from msportals.xyz to msportals.io after @SwiftOnSecurity bought it and handed it over, after some discussion around certain firewalls blocking xyz domains under some standard settings:

Updates and suggestions to the portal of Microsoft portals came thick and fast for a while – nice features like a filter, so you can just type ‘teams’ and see the link to the Teams portal, were implemented by others (mdjx), due to the way open source platforms like GitHub work.

I don’t see as many portal suggestions and updates these days, but they still trickle in. I still use the site frequently, and see people pop up time to time saying how much they like it which is awesome to hear; I really wanted something functional for myself, and if others also liked it, that was a bonus.

I actually had an idea for another site – a list of PowerShell modules with the commands to both install and connect to different things like Exchange Online and Microsoft Teams. Someone had beaten me to it (which is good!), and had done it a similar way; check out https://msshells.net/ by Andrés Gorzelany to have a look at what he’s done.

If you’ve got your own idea for something like this, go for it! You can do it entirely for free if you don’t care about your own top level domain, and it’s an interesting project to try.

Fifth and Sixth Generations of the Lenovo ThinkPad X1 Yoga

For the first four generations of the X1 Yoga click here

The Lenovo ThinkPad X1 Yoga is still my favourite all-rounder laptop. In 2021 we’re up to the 6th Generation of the X1 Yoga and I’d previously written up the first 4, so figured it was time to cover these two.

Lenovo ThinkPad X1 Yoga Gen 5

Coming out in 2020, we saw the jump from the 8th Generation Intel CPU to the 10th Generation (we skipped 9th Gen Intel for some reason). It was also the first with WiFi 6 which is now seeing wide adoption across markets.

Beyond that, there was very little difference between the 4th and 5th generations of the X1 Yoga. All the ports are the same, the layout the same, and the keys the same beyond a few different special functions above some of the function keys. There is a privacy shutter over the webcam though, which is a handy addition.


Lenovo ThinkPad X1 Yoga Gen 6

This one is a bigger jump again. The screen bezel is smaller, and at a 16:10 ratio rather than 16:9, the base resolution has changed from the very standard 1920 x 1080 and is now 1920 x 1200, providing a little more screen real estate without making the unit bigger – it’s actually slightly smaller as you’ll see below. Also coming with an 11th Gen Intel CPU, Lenovo changed the entire laptop from one shade of grey to another (OK, it’s officially changed from Iron Gray to Storm Gray which sounds like a superhero name).


The trackpad itself is a lot bigger, and the power button has moved to above the keyboard instead of on the side as on all previous generations. This button doubles as the fingerprint reader, so there is no more dedicated fingerprint square to press. There are also speaker grilles on each side of the keyboard instead of above it, and no dedicated NIC dongle port.


Here’s some photos of the Lenovo ThinkPad X1 Yoga Gen 6 on top of the Lenovo ThinkPad X1 Yoga Gen 5:

Left side – X1 Yogas
Back – X1 Yogas
Right side – X1 Yogas
Front – X1 Yogas
X1 Yoga Gen 5 top
X1 Yoga Gen 6 top

From the above, there are few differences in the ports beyond what I’ve already mentioned – the exhaust grille moved from the right side on the 5th Gen to the back on the 6th Gen (better, as it blows hot air away from you), and the audio jack is on opposite sides, which shouldn’t bother anyone either way.

I don’t have any complaints about either model – there is something that feels more modern about the 6th Gen X1 Yoga in its colour and styling, so the better CPU and the screen differences are the biggest deciding factors. As always, I’m keen to see how the X1 Yoga line progresses, and this is a solid entry in the lineup.

Migrating Phone System from Skype for Business to Microsoft Teams

I thought I’d document a few lessons learned in this migration. The migration was from Skype for Business Server 2015 and Skype for Business 2016 clients with Enterprise Voice, moving users across to Microsoft Teams.


The steps to migrate a user for me were:

  1. Add the user to the AD group “Azure AD Licensing Telstra Calling for Office 365”, as this allocates a Telstra Calling for Office 365 license. These licenses are bought from https://marketplace.telstra.com/ and feed into Microsoft 365. I believe this is unique to Australia.
  2. From the Skype for Business Server Management Shell:
    $cred = Get-Credential
    # The hosted migration URL differs per region
    $url = "https://adminau1.online.lync.com/HostedMigration/hostedmigrationService.svc"
    Move-CsUser -Identity [email protected] -Target sipfed.online.lync.com -MoveToTeams -Credential $cred -HostedMigrationOverrideUrl $url

    Set-CsUser -Identity [email protected] -LineURI $null
  3. From a machine with the Teams PowerShell module installed (newer versions of the MicrosoftTeams module have removed New-CsOnlineSession; there, Connect-MicrosoftTeams alone makes these cmdlets available):
    $Session = New-CsOnlineSession -OverrideAdminDomain yourdomain.onmicrosoft.com
    Import-PSSession $Session -AllowClobber
    Set-CsOnlineVoiceUser -Identity [email protected] -TelephoneNumber 61812341234
    Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity [email protected]
  4. Configure call forwarding in the gateway (pilot users only, as they were being given a new number outside our normal number range)

EHR Error on Teams Portal

We can’t get details of EHR usage. Please try again. If you continue to have problems, contact Microsoft customer support.

Seeing this error everywhere on the Teams Admin portal, unsure what the cause/fix is yet. It ended up disappearing by itself after a few weeks *shrug* – you’ll see this theme is common around portal errors.


Dial Plans error


We can’t get the effective dial plan so the dial plan can’t be tested.

Going into any Dial Plan brings up this admin portal error, as well as trying to run a Test Dial plan test:

Something went wrong while testing this phone number. If you continue to have problems, contact Microsoft customer support.

This problem was another portal issue – logged a case which Microsoft confirmed was at their end, and a few weeks later they’d resolved it.


Create Resource Account error

We can’t save changes to ___

When creating a Resource Account used for Auto Attendant or Call queues, I was getting a very unhelpful error. I believe this is because I’m running in hybrid mode, so Teams can’t create an account on my primary domain – changing the domain to @contoso.onmicrosoft.com then let me create the Resource Account.

This problem also disappeared later and now I can create accounts on my primary domain – put it down to another portal issue.


Desk Phones requiring PIN

The phones register in Intune because they run Android, and that means any ‘all users’ Android policy, including a PIN requirement, applies to them too.

I’ve since created dynamic device groups filtered by deviceModel and deviceOSType, so the phone-specific policies target only those devices. I’m only testing the Poly CCX500 at this stage, but will add more models as we get them. Filtering by OS type isn’t strictly necessary, but it does make sure only Android devices are affected.

(device.deviceModel -eq "CCX500") and (device.deviceOSType -eq "Android")

If you use a test account to sign in 20 phones, that account will hit its device limit in Azure AD (20 devices per user by default) and get locked out of registering any more.


Skype for Business users unable to call Teams users

Early in migration, we tested interoperability between the two platforms, as it wasn’t going to be an overnight company wide migration. A Skype for Business user trying to call a migrated to Teams user would instead get diverted elsewhere. This was because we had Unassigned Number range rules in place, that were designed to send calls somewhere if it wasn’t allocated to anyone. Removing these rules immediately fixed this issue.


Home Screen on Desk Phones Laggy

The default experience, if the phone supports it, is to show a home screen. More details on what the Home Screen is here. This is controlled by the AllowHomeScreen setting of CsTeamsIPPhonePolicy, which defaults to EnabledUserOverride. Changing it to Disabled on the Global policy via PowerShell:

Set-CsTeamsIPPhonePolicy -Identity Global -AllowHomeScreen Disabled

removed this. I like the idea of the Home Screen, but not at the cost of a fast functioning phone vs a slow one.

I later found out this is due to the 1GB RAM on some devices, and Teams now (at the time of writing) uses > 1GB RAM, and then the Home Screen uses even more RAM. Trying a phone model with 2GB RAM this all worked perfectly.

I believe this is also fixed now, but it took Microsoft about 5 months to resolve.


New Desk Phones not signing in

Testing the Poly CCX500 model, some wouldn’t sign in to Teams out of the box. As soon as I tried to sign in, they’d say:

‘Error Could not sign in. You will need to sign in again. If you see this message again, please contact your company support. OK’

I spent so long on this, unsuccessfully trying to update the firmware via USB etc. In the end, turning off the ‘DHCP Time’ setting under ‘Device Settings’ made it work – I assume it had some problems contacting a NTP server (settings appeared correct in the DHCP scope of the phone). Someone else found the same issue here, but this was due to the phone running a very old v1 firmware. This shouldn’t affect most people, but worth noting.


Microsoft News and interests Taskbar Icon in Windows 10

Microsoft is now rolling out their News and interests taskbar icon, which was announced back in April on TechCommunity.

I’ve seen this turn up in the last day on both my home PC and work PC – the work PC being configured to get updates immediately from Windows Update for Business.

If you don’t want this at all, you can disable via Group Policy or Intune.

Group Policy

If you want to disable this with a Group Policy setting, you’ll need to get the latest ADMX files updated 7th May 2021 from Microsoft. These will contain a new ‘feeds.admx’ policy definition file, but it’s just a single enable/disable setting:

Either of two registry settings will do the job: a per-user preference, or a machine policy that users can’t change in any way. The user preference is the DWORD ShellFeedsTaskbarViewMode under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Feeds (0 = icon and text, 1 = icon only, 2 = turned off). The machine policy, which is exactly what the Group Policy above sets, is the DWORD EnableFeeds = 0 under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds.

For more granular control over the individual options, the per-user registry entries live in:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Feeds

From here, if you wanted to disable ‘Open on Hover’ you’d use this DWORD value:

ShellFeedsTaskbarOpenOnHover : 0 (off) or 1 (on)

Intune

Intune is covered in the TechCommunity article and is just a matter of setting ‘Enable News and interests’ to ‘Allowed’ or ‘Not Allowed’.

Microsoft also has an end user support article on News and Interests, which covers end user configuration, how they can turn it off, personalisation options and other user advice.