Prosper202 Self-Hosted Apps: 10 Best Practices To Securing Your Prosper202 Installation
As a loyal and avid Prosper202 user, I thought, in light of the recent news of an exploit found in Prosper202, that I’d post some suggestions on hardening your ever-so-sensitive Prosper202 data. As I am not a programmer, nor a database expert, this won’t be an end-all solution to securing Prosper202. This post is simply a list of “best practices” that I came up with through my own research and testing, and with the help of the Prosper202 forum. Feel free to comment with your own findings or suggestions, as I’ll continue to update this post as new protection methods are found.
Without getting into too many of the technical details, last week a security vulnerability in the Zend files (encryption engine) in Prosper202 was exploited. Basically, by scouring the search engines for Prosper202 footprints, a malicious user was able to find vulnerable installations of Prosper202 and steal sensitive campaign information from a few unlucky targets. Hopefully you weren’t one of them.
Luckily, Wes Mahler and team were fast on the defense and quickly released an update that fixed the vulnerability, as well as ceased using the Zend encryption engine. With release 1.1.2, Prosper202 has officially become open-source, which opens a world of exciting new possibilities (think how Wordpress has exploded).
I, for one, am excited to see what the affiliate community will come up with. Also, in all likelihood, an open-source version should officially put an end to the paranoia about Wes and his team stealing your keyword data. I know Wes and Steven personally. They’re honest guys. They aren’t stealing your data, and never were. But you can now look through the source code yourself if you’re still an unbeliever.
Moving on to the point of this post, here are just a few of the best practices that I came up with for securing your Prosper202 installation, and hopefully preventing your domain from ever being found by yet another malicious affiliate. (We should be helping each other, not hurting each other.)
1) Changing Your Prosper202 Passwords: This may seem obvious, but you’d be surprised at how many people DON’T change their passwords on a regular basis. Treat the information in your Prosper202 installation as you would your bank account, because essentially it’s just as important. (if you’re making money).
- Change the default username/password to something more secure
- Set a reminder in your email program to change this password every 30-60 days
- Also change the MySQL database password on the same schedule. Once you do, remember to also update your “202-config.php” file accordingly.
- To assist with generating secure passwords, you can use: StrongPasswordGenerator.com
2) Don’t Use Obvious Names For Your Install: Since Prosper202 requires a dedicated domain or subdomain, be sure to choose something that isn’t obvious as to its purpose. For example, don’t use a domain name like “ppctracking.com”, or a subdomain like “prosper202.domain.com” or “p202.domain.com”. These are huge dead-giveaway footprints to your Prosper202 installation that can easily be found with a few advanced search operators.
3) Always Run The Most Current Version of Prosper202: You should currently be running Prosper202 version 1.1.2 to ensure you’re not vulnerable to the security exploit. If not, do it! Perhaps in the future auto-upgrades (similar to Wordpress) will be made available, but in the meantime, manually stay updated with the latest build.
Download Prosper202: http://prosper202.com/apps/download/
4) Lock Down Your Prosper202 Domain To Your Own IP: There are a few ways to do this lockdown.
- Either use .htaccess to lock the installation down to your own IP address, which is probably the more secure solution (server-side). This mod is simply blocking access to the login page “202-login.php”. If you locked the entire domain to your IP, then obviously none of your redirects would work for your traffic.
Add additional IPs if you log in from more than one IP address. Here’s the code you’d need to add to your .htaccess file and upload to the root directory of your Prosper installation:
#202 Block
<Files 202-login.php>
order deny,allow
deny from all
allow from 0.0.0.0
ErrorDocument 403 http://somemaliciouswebsite.com/
</Files>
- Or add the following to the top of your “202-login.php” file:
<?php
// Allow only your own IP address(es); anyone else is redirected away before the login form is sent (the exit stops PHP from rendering the rest of the page)
if ($_SERVER['REMOTE_ADDR'] != '0.0.0.0' && $_SERVER['REMOTE_ADDR'] != '0.0.0.0') { header('Location: http://somemaliciouswebsite.com'); exit; }
?>
In both examples, replace the “0.0.0.0” with your own IP address(es). And for a bit of well-deserved punishment for those daring enough to snoop around trying to access your Prosper202 install…simply replace “http://somemaliciouswebsite.com” with a website of your choice, preferably something containing adult material, viruses, or other malicious content. I’ll let you use your imagination on this one.
Personally, I’ve set mine to a page that logs their IP address, presents the FBI warning, then redirects the perp to the FBI’s website for “further analysis”. (10 years working in computer security for the US Government can’t go to waste, bwahahaha!!!)
5) Preventing / Removing Existing Indexed Pages: You might be one of those unlucky enough not to have protected your Prosper domain from getting indexed from the day you registered it. To find out if your site is currently being indexed by Google, check here: Google Webmaster Site Status Tool. If Google reports your site in their index, you can request an entire site removal by:
- Logging into Google Webmaster Tools
- At the dashboard, click the site you want to remove. If your site isn’t listed, add it so you can remove it. (You will have to verify that you are the site owner before you can make modifications in Webmaster Tools.)
- Then click on Tools, Remove URL –> Submit a New URL Removal Request, and be sure to select the option that says “your entire site”.
- Other search engines should have similar tools.
Another method of preventing and removing your site from search engine indexes is to create a robots.txt file. You can block your entire site from being indexed (there’s no reason to have your Prosper202 domain indexed anyway) by creating a text file called “robots.txt”, adding the lines below, and uploading it to the root directory of your Prosper202 installation:
# Disallow Web Bots
User-agent: *
Disallow: /

# Disallow Archive Bots
User-agent: ia_archiver
Disallow: /
I believe that Prosper202 comes with a robots.txt file by default that prohibits the indexing of your domain, but unfortunately some search engines will totally ignore robots.txt and index your site anyway. Another line of defense is using meta tags. Do the following:
- Edit the file “template.php”, which can be found in: yourdomain.com/202-config/
- Add the following code snippet in the <head> section of the file (near the existing meta tags): <meta name="robots" content="noindex, nofollow" />
If your site is currently indexed, you’ll have to wait for the search engine bots to revisit your site, at which point they’ll see your robots.txt and meta tags and should remove you from their index. If you’re not seeing your site deindexed after a couple of days, you may need to contact the search engine’s support team directly.
6) Install Prosper202 on an SSL (https) Secured Server: Some search engines won’t index https sites. Google does. MSN says they won’t, but I’ve seen otherwise.
But in addition to the indexing issue, having your key campaign data protected by SSL encryption would be ideal. An SSL install of Prosper202 would not only protect your login and campaign information from plain-text exploits; you would also have the sneaky advantage of totally blanking your referrer.
This is huge for affiliates worried about their CPA network stealing their hard earned money by cloning their campaigns. Prosper202 currently can cloak the referrer via redirects, but it doesn’t blank it so that your network sees “nothing” from the referring domain.
I’ve been experimenting with the HTTPS install, and once I’m 100% sure that it works, I’ll post a tutorial on how to do it (not for the technically challenged).
7) Redirect Your Landing Pages To Clean URLS: In Step 7 of your campaign setup (#7 Get Links), you would normally generate your ad (or keyword) destination URL. The problem with this though is that the variables in the URL (t202id, t202kw), etc…can give a lot away about your campaign structure.
This is especially true if you also use a tool such as Speed PPC in conjunction with Prosper202, which can add even more tokens to the URL (seed, adgroup, keywordtype, etc).
For example, take a URL such as:
“http://www.yourdomain.com/landingpage.php?t202id=1234&t202kw={keyword}&seed=seedkeyword&adgroup=adgroupname&match=broad”
If I saw this URL in the address bar of a landing page, I immediately know:
- You’re using Prosper202 to track your conversions = potential profitable affiliate
- You’re passing the bidded keyword in the URL {keyword}, which obviously reveals the actual terms you are bidding on.
- Tokens like “seed or adgroup” reveal that you are probably using Speed PPC, shows the campaign structure, and the matchtype (broad) being triggered for the search.
This is simply much more campaign information than I want to reveal to my competitors. So using a few tricks, we can still capture the key tracking information, and then redirect the user to a clean URL like: “http://yourdomain.com/cleanpage.php”
(I gotta give props to Wes Mahler for helping me get this working)
Do the following to maintain your tracking, but redirect your destination URLS to clean (token free) URLs that spy affiliates can’t openly see:
- Create a new file that will act as the redirect landing page. I suggest you name this file something like “lp1.php” or “landing.php” so as not to give away its purpose (i.e. don’t call it redirect.php).
- In your new redirect landing page (we’ll use lp1.php), add the following:
<html>
<head></head>
<body>
<!-- paste the tracking code from Step #6 (Get LP Code) here: it runs first, so the visitor is recorded, and then the script below redirects to the clean URL -->
<script type="text/javascript">window.location='http://yourdomain.com/cleanpage.php';</script>
</body>
</html>
- In place of “cleanpage.php”, this will be the true destination where you want your visitors to ultimately end up. If it’s a directory, simply specify the directory path in the script above and add “index.php”.
Be sure to modify the Landing Page URL in Step#4 (Landing Page Setup) to reflect the path to your “lp1.php” file. For example, instead of setting the landing page URL to your former destination: http://yourdomain.com/destination.php, you’ll instead set it to: http://yourdomain.com/lp1.php
8) Monitor Your Log Files For Login Failures / Suspicious Access: Through your web host’s control panel, you should be able to get access to your raw log files. Unless you’re using third-world web hosting, you should also be able to see your log file data in some fancy statistical interface. Ask your web host if you are unsure how to locate your log files. You might also be able to schedule a job to email you the log files on a regular basis.
Also, Prosper202 will show you the last 20 login attempts by simply clicking the “Administration” link in the top header.
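Here is an added example, not part of the original post and not Prosper202’s own code, of how the log review in this step could be automated: a small Python script that scans an Apache combined-format access log for hits on 202-login.php from IPs outside your allow-list, bursts of login POSTs from a single IP, the 403s handed out by the .htaccess block from Step 4, and search-engine crawlers touching the domain at all. The log lines, IP addresses and thresholds are constructed for the example; the log format, the crawler user-agent list and the threshold values are assumptions you would adjust to your host.

```python
"""Added example (not Prosper202 code): scan an Apache 'combined' access log
for the warning signs Step 8 says to watch for around a Prosper202 install."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumes the Apache "combined" log format; adjust the regex if your host logs differently.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
LOGIN_PAGE = "/202-login.php"
# Crawler user-agent fragments (assumed list): any crawler on this domain means the footprint is exposed.
CRAWLER_UA = re.compile(r"googlebot|bingbot|msnbot|slurp|ia_archiver", re.IGNORECASE)

# Constructed sample log: documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2009:10:00:01 +0000] "GET /202-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2009:10:00:05 +0000] "POST /202-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2009:10:05:00 +0000] "GET /202-login.php HTTP/1.1" 403 287 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2009:10:05:02 +0000] "POST /202-login.php HTTP/1.1" 403 287 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2009:10:05:03 +0000] "POST /202-login.php HTTP/1.1" 403 287 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2009:10:05:04 +0000] "POST /202-login.php HTTP/1.1" 403 287 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2009:10:05:05 +0000] "POST /202-login.php HTTP/1.1" 403 287 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2009:11:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 58 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.5 - - [12/Mar/2009:11:30:00 +0000] "GET /lp1.php?t202id=1234&t202kw=widgets HTTP/1.1" 200 412 "http://www.google.com/search?q=widgets" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_suspicious(lines, allowed_ips, max_login_attempts=3, window_seconds=600):
    """Walk the log once and collect the things worth a second look.

    allowed_ips: the IPs you log in from (the same list as the .htaccess allow-list).
    An IP is a brute-force candidate if it POSTs to the login page more than
    max_login_attempts times within window_seconds, whether or not the server blocked it.
    """
    allowed = set(allowed_ips)
    findings = {
        "login_from_unknown_ip": [],   # (ip, timestamp) for every login-page hit from a non-allowed IP
        "brute_force_candidates": [],  # IPs with a burst of login POSTs
        "crawler_hits": [],            # (ip, user-agent, path) for search-engine crawlers
        "blocked_403": Counter(),      # ip -> number of 403 responses (the .htaccess block firing)
    }
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].split("?")[0] == LOGIN_PAGE:
            if rec["ip"] not in allowed:
                findings["login_from_unknown_ip"].append((rec["ip"], rec["ts"]))
            if rec["method"] == "POST":
                posts[rec["ip"]].append(rec["time"])
        if rec["status"] == 403:
            findings["blocked_403"][rec["ip"]] += 1
        if CRAWLER_UA.search(rec["ua"]):
            findings["crawler_hits"].append((rec["ip"], rec["ua"], rec["path"]))
    # Sliding window over each IP's sorted POST timestamps.
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_login_attempts:
                findings["brute_force_candidates"].append(ip)
                break
    return findings


if __name__ == "__main__":
    report = find_suspicious(SAMPLE_LOG.splitlines(), allowed_ips={"203.0.113.10"})
    for key, value in report.items():
        print(key, value)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and the allow-list with your own IPs; anything in “login_from_unknown_ip” that isn’t you is exactly what Step 4 is meant to stop, and a non-empty “crawler_hits” means Step 5 still needs attention.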
9) More .htaccess Fun: A few more .htaccess mods to tighten things up, and to have a little fun with your intruders.
Disable showing the contents of directories that don’t contain an index.php file:
# Disable directory browsing
Options -Indexes
Set error 403/404 pages to some site of your choosing. By resolving a page not found to a website you specify…you can have a bit of fun with where you choose to send your snooping intruder.
ErrorDocument 403 http://somemaliciouswebsite.com/
ErrorDocument 404 http://somemaliciouswebsite.com/
10) Implement a “Honeypot” Install of Prosper202: A honeypot in computer terms is somewhat of a trap or counteractive measure of defense. Logging a dummy admin account on an XP machine with the password of “password” could be considered a honeypot.
This step of course is only for those who have the time, knowledge, and resources to implement such extreme measures of protecting the Prosper202 community. But if we teamed up, we could certainly catch more than a few of the guys in the act, and call them out.
Basically, you would install Prosper202 on a “dummy” domain, with none of the best practices that I just mentioned in place. Set up a few fake campaigns that get indexed to throw the perp on a nice goose chase to make him think he’s hit pay dirt. Of course you’ll need to be logging all the activity secretly as to catch him in the act.
So after about 2 days of writing this post (and testing), there are about 10 best practices for securing Prosper202 that I was able to come up with. Again, this list certainly isn’t exhaustive, so be sure to comment in and let me know of any other findings and/or corrections you may have.
More Prosper202 tutorials to come!
wow, great post Wes!!! Very helpful dude, keep it up
Thanks Wes.
I wanted to implement step 7) Redirect Your Landing Pages To Clean URLS.
I notice that you are using a javascript redirect in lp1.php, is there a reason to use javascript? Can we use a normal php simple redirect?
I’m sure you can use a normal php redirect…just so long as the t202 code gets passed to grab the tracking info. Test it out and see how it goes. If it works, I’ll add it to step 7.
Question: assuming I’m using the method offered in section 7 to hide all my details from other affiliates. So from AdWords I actually link to a page that has no content, but serves only as a redirect to the real landing page. Won’t that hurt the quality score?
Potentially, yes…your quality score might get hurt by redirecting out to the real page. But then again…affiliate links from the networks are essentially a whole bunch of redirects to pass the tracking info, then go onto the offer. And I’ve had some pretty good success direct linking to offers with my affiliate link with decent QS.
Thanks for the software and for security tips Wes.
You forgot to mention changing the name of 202-login.php to something completely random. (ie. 202-whateveruwant.php)
I know you said to block access, but if you do not have the skills to do this, at least rename the file.
Step 7 is really not going to help you if you are doing AdWords. Google cannot parse javascript and the bot will not redirect. It is basically a blank page.
If you do a php redirect, as soon as the call for the header is made, the JS will not load. So, that option is out.
You may want to try and do a meta redirect but that has shortcomings – load times are slow and double screen flashing.
Lastly, as a final option, you can load some content into the body with the JS present and have the JS redirect. This way, you will be feeding decent content to google to preserve QS.
Any other thoughts?
Nice post man, check this one out.
<?php
if ($_GET["XX"] != "XXX") { header('Location: http://youporn.com'); exit; }
?>
Then, always login using:
yourdomain/202-login.php?XX=XXX
where XX and XXX are whatever you please.
Yataaa!
seems to be an essential and informative post for all Prosper202 users out there…
keep up your work, Wes!