Smashing Magazine
10 Useful WordPress Security Tweaks
Security has always been a hot topic. Offline, people buy wired homes, car alarms and gadgets to bring their security to the max. Online, security is important, too, especially for people who make a living from websites and blogs. In this article, we’ll show you some useful tweaks to protect your WordPress-powered blog.
[Offtopic: by the way, did you already get your copy of the Smashing Book?]
1. Prevent Unnecessary Info From Being Displayed
The problem
When you fail to log into a WordPress blog, the CMS displays some info telling you what went wrong. This is good if you’ve forgotten your password, but it might also be good for people who want to hack your blog. So, why not prevent WordPress from displaying error messages on failed log-ins?
The solution
To remove log-in error messages, simply open your theme’s functions.php file, and paste the following code:
add_filter('login_errors',create_function('$a', "return null;"));Save the file, and see for yourself: no more messages are displayed if you fail to log in.
Please note that there are several functions.php files. Be sure to change the one in your wp-content directory.
Code explanation
With this code, we’ve added a simple hook to overwrite the login_errors() function. Because the custom function that we created returns only null, the message displayed will be a blank string.
Source
2. Force SSL Usage
The problem
If you worry about your data being intercepted, then you could definitely use SSL. In case you don’t know what it is, SSL is a cryptographic protocol that secures communications over networks such as the Internet.
Did you know that forcing WordPress to use SSL is possible? Not all hosting services allow you to use SSL, but if you’re hosted on Wp WebHost or HostGator, then SSL is enabled.
The solution
Once you’ve checked that your Web server can handle SSL, simply open your wp-config.php file (located at the root of your WordPress installation), and paste the following:
define('FORCE_SSL_ADMIN', true);
Save the file, and you’re done!
Code explanation
Nothing hard here. WordPress uses a lot of constants to configure the software. In this case, we have simply defined the FORCE_SSL_ADMIN constant and set its value to true. This results in WordPress using SSL.
Source
3. Use .htaccess To Protect The wp-config File
The problem
As a WordPress user, you probably know how important the wp-config.php file is. This file contains all of the information required to access your precious database: username, password, server name and so on. Protecting the wp-config.php file is critical, so how about exploiting the power of Apache to this end?
The solution
The .htaccess file is located at the root your WordPress installation. After creating a back-up of it (it’s such a critical file that we should always have a safe copy), open it up, and paste the following code:
<files wp-config.php> order allow,deny deny from all </files>
Code explanation
.htaccess files are powerful and one of the best tools to prevent unwanted access to your files. In this code, we have simply created a rule that prevents any access to the wp-admin.php file, thus ensuring that no evil bots can access it.
Source
4. Blacklist Undesired Users And Bots
The problem
This is as true online as it is in real life: someone who pesters you today will probably pester you again tomorrow. Have you noticed how many spam bots return to your blog 10 times a day to post their annoying comments? The solution to this problem is quite simple: forbid them access to your blog.
The solution
Paste the following code in your .htaccess file, located at the root of your WordPress installation. As I said, always back up the .htaccess file before editing it. Also, don’t forget to change 123.456.789 to the IP address you want to ban.
<Limit GET POST PUT> order allow,deny allow from all deny from 123.456.789 </LIMIT>
Code explanation
Apache is powerful and can easily be used to ban undesirable people and bots from your website. With this code, we’re telling Apache that everyone is allowed to visit our blog except the person with the IP address 123.456.789.
To ban more people, simply repeat line 4 of this code on a new line, using another IP address, as shown below:
<Limit GET POST PUT> order allow,deny allow from all deny from 123.456.789 deny from 93.121.788 deny from 223.956.789 deny from 128.456.780 </LIMIT>
Source
5. Protect Your WordPress Blog From Script Injections
The problem
Protecting dynamic websites is especially important. Most developers always protect their GET and POST requests, but sometimes this is not enough. We should also protect our blog against script injections and any attempt to modify the PHP GLOBALS and _REQUEST variables.
The solution
The following code blocks script injections and any attempts to modify the PHP GLOBALS and _REQUEST variables. Paste it in your .htaccess file (located in the root of your WordPress installation). Make sure to always back up the .htaccess file before modifying it.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Code explanation
Using the power of the .htaccess file, we can check requests. What we’ve done here is check whether the request contains a <script> and whether it has tried to modify the value of the PHP GLOBALS or _REQUEST variables. If any of these conditions are met, the request is blocked and a 403 error is returned to the client’s browser.
Sources
6. Fight Back Against Content Scrapers
The problem
If your blog is the least bit known, people will no doubt try to use your content on their own websites without your consent. One of the biggest problems is hot-linking to your images, which saps your server’s bandwidth.
The solution
To protect your website against hot-linking and content scrapers, simply paste the following code in your .htaccess file. As always, don’t forget to back up when modifying the .htaccess file.
RewriteEngine On
#Replace ?mysite\.com/ with your blog url
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
#Replace /images/nohotlink.jpg with your "don't hotlink" image url
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
Once you’ve saved the file, only your website will be able to link to your images, or, to be more correct, no one would link to your images, because it would be way too complicated and time-consuming. Other websites will automatically display the nohotlink.jpg image. Note that you can also specify a non-existent image, so websites that try to hot-link to you would display a blank space.
Code explanation
With this code, the first thing we’ve done is check the referrer to see that it matches our blog’s URL and it is not empty. If it doesn’t, and the file has a JPG, GIF, BMP or PNG extension, then the nohotlink image is displayed instead.
Source
7. Create A Plug-In To Protect Your Blog From Malicious URL Requests
The problem
Hackers and evil-doers often use malicious queries to find and attack a blog’s weak spots. WordPress has good default protection, but enhancing it is possible.
The solution
Paste the following code in a text file, and save it as blockbadqueries.php. Once you’ve done that, upload it to your wp-content/plugins directory and activate it as you would any other plug-in. Now your blog is protected against malicious queries.
<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/
global $user_ID;
if($user_ID) {
if(!current_user_can('level_10')) {
if (strlen($_SERVER['REQUEST_URI']) > 255 ||
strpos($_SERVER['REQUEST_URI'], "eval(") ||
strpos($_SERVER['REQUEST_URI'], "CONCAT") ||
strpos($_SERVER['REQUEST_URI'], "UNION+SELECT") ||
strpos($_SERVER['REQUEST_URI'], "base64")) {
@header("HTTP/1.1 414 Request-URI Too Long");
@header("Status: 414 Request-URI Too Long");
@header("Connection: Close");
@exit;
}
}
}
?>
Code explanation
What this code does is pretty simple. It checks for excessively long request strings (more than 255 characters) and for the presence of either the eval or base64 PHP functions in the URI. If one of these conditions is met, then the plug-in sends a 414 error to the client’s browser.
Source
8. Remove Your WordPress Version Number… Seriously!
The problem
As you may know, WordPress automatically displays the version you are using in the head of your blog files. This is pretty harmless if your blog is always up to date with the latest version (which is certainly what you should be doing anyway). But if for some reason your blog isn’t up to date, WordPress still displays it, and hackers will learn this vital piece of information.
The solution
Paste the following line of code in the functions.php file of your theme. Save it, refresh your blog, and voila: no more WordPress version number in the header.
remove_action('wp_head', 'wp_generator');
Code explanation
To execute certain actions, WordPress uses a mechanism called “hooks,” which allow you to hook one function to another. The wp_generator function, which displays the WordPress version, is hooked. We can remove this hook and prevent it from executing by using the remove_action() function.
Source
9. Change The Default “Admin” Username
The problem
Brute force is one of the easiest ways to break a password. The method is simple: try as many different passwords as possible until the right one is found. Users of the brute force method use dictionaries, which give them a lot of password combinations.
But knowing your username certainly makes it easier for them to guess the right combination. This is why you should always change the default “admin” username to something harder to guess.
Note that WordPress 3.0 let you choose your desired username by default. Therefore, this tip is still usefull if you still use the old “admin” account from older WordPress versions.
The solution
If you haven’t changed the “admin” username yet, simply run the following SQL query to your database to change it for good. Don’t forget to specify your desired username.
UPDATE wp_users SET user_login = 'Your New Username' WHERE user_login = 'Admin';
Code explanation
Usernames are stored in the database. To change one, a simple UPDATE query is enough. Note that this query will not transfer posts written by “admin” to your new username; the source post below shows you how to easily do that.
Source
10. Prevent Directory Browsing
The problem
By default, most hosts allow directory listing. So, if you type www.yourblog.com/wp-includes in the browser’s address bar, you’ll see all of the files in that directory. This is definitely a security risk, because a hacker could see the last time that files were modified and access them.
The solution (Updated)
Just add the following to the Apache configuration or your .htaccess file:
Options -Indexes
Code explanation
Please note that it’s not enough to update the blog’s robots.txt file with Disallow: /wp*. This would prevent the wp-directory from being indexed, but will not prevent users from seeing it.
Source
(al)
This guest post was written by Jean-Baptiste Jung, a 28-year-old blogger from Belgium, who blogs about Web Development on Cats Who Code, about WordPress at WpRecipes and about blogging on Cats Who Blog . You can stay in touch with Jean by following him on Twitter.
- 76 Comments
- 1
- 2
July 1st, 2010 10:12 pmHope so too…
- 3July 2nd, 2010 9:11 pm
hey, why so much hate!! Sore loser.
- 4July 3rd, 2010 7:27 am
hahaha…german win….. :P
Argentina is loser…. - 5July 3rd, 2010 10:26 am
Es ist vollbracht, por favor!
- 2
- 6July 1st, 2010 6:22 am
Thanks for the tips! Will roll some of these out on our existing and upcoming WordPress Blogs. ;)
- 7July 1st, 2010 6:23 am
Some cool tips here thanks.
I like using the Login Lockdown plugin too. But it isn’t fully compatible with WordPress 3.0 yet. - 8July 1st, 2010 6:23 am
Great post,
Will certainly follow several of these for my blogs!
- 9July 1st, 2010 6:29 am
Great article. A client of mine has been having some odd behaviors with their wordpress install. I’ve been looking for security features, outside of plugins, and this article pops up out of nowhere.
Thank you!
- 10July 1st, 2010 6:30 am
The “Disallow: /wp-*” (10. Prevent Directory Browsing) must be in your robots.txt file not in .htaccess file :)
- 11July 1st, 2010 6:33 am
Nice post. I’ll implement them on my blog.
- 12July 1st, 2010 6:42 am
Regarding: “Use .htaccess To Protect The wp-config File”
A properly configured web server will serve a blank page if some user or bot tries to access wp-config.php. True, if PHP becomes disabled, then that file could be served as clear text, so adding .htaccess rules to prohibit web access to the file would help.
The “code explanation” for that tip mentions blocking access to wp-admin.php. I think it should be wp-config.php, since there is no wp-admin.php.
Posts like this need to be triple-checked for accuracy though. The advice to add “Disallow: /wp-*” to you .htaccess file will break your site. Also, that advice does not disallow directory browsing. It just stops good robots from indexing the directory.
You should just add an index.php file into directories like this, to stop browsing.
- 13July 1st, 2010 6:46 am
I am not hacker, but i’m know which version use Jean-Baptiste Jung on Cats Who Code(2.8.4) and WpRecipes(2.9.1) and Cats Who Blog(3.0)
P.S. Sorry for my English - 14July 1st, 2010 7:03 am
Great post, thanks 4 the tips!
- 15July 1st, 2010 7:07 am
Tip # 10
Use:# disable directory browsing
Options All -Indexesin .htaccess
- 16July 1st, 2010 7:16 am
Very Useful for WordPress Developers !
- 17July 1st, 2010 7:17 am
These tips are really useful! Will definitely get round to using some of them.
The handy thing about most of these is that they can be implemented in only a few minutes, but can really help put your mind at rest. Perfect.
- 18July 1st, 2010 7:21 am
Disallowing access to wp-content will break any posts you have added attachments to.
Just so you know.
- 19July 1st, 2010 7:34 am
A fairly good collection of WordPress security tips. However, you should change the IP addresses in tip no. 4 to better reflect real addresses. (4 groups instead of 3, no value larger than 255)
- 20July 1st, 2010 7:37 am
Its awesome post about wordpress security. I will definitely use few for my blog.
Thanks
- 21July 1st, 2010 7:56 am
you have to delete the following files in the root directory:
readme.html, install.php (and liesmich.html in the german version)
otherwise everyone can find the version there. - 22July 1st, 2010 8:02 am
you can also put the following lines in your .htaccess:
# protect readme.html
Order Allow,Deny
Deny from all
Satisfy all# protect liesmich.html
Order Allow,Deny
Deny from all
Satisfy all# protect install.php
Order Allow,Deny
Deny from all
Satisfy all - 23July 1st, 2010 8:11 am
There is some good stuff here. One tip I always see is to change your default “admin” username (#9). However, I think it should be mentioned that site owners, once this is done, should be careful not to post under this new admin account (posting or editing while logged in). If you’re showing the author, the administrative account name is pretty much right back into the open.
- 24July 1st, 2010 9:31 am
I have tried solution for Malicious URL Requests and this does not worked.
I activated the plugin and it did not do anything,
I tried adding eval, eval() and base64 also. no one has given any error or anything new. - 25July 1st, 2010 10:47 am
I’m sorry but I have some serious issues with this blog post. There are too many of them, so I’ve listed them on my company blog http://zippykid.com/blog/2010/07/how-to-secure-a-wordpress-site/
- 26August 20th, 2010 4:48 am
LoL – this post should be deleted as it’s nothing but spam. “all these suggestions are bad bad bad, listen to me oh and by the way sign up for my affiliate program”.
- 26
- 27July 1st, 2010 11:18 am
Perfect, was just looking for a post like this…site got hacked the other day.
- 28July 1st, 2010 12:05 pm
Not sure about some of the advice on here, but there’s an official “Hardening WordPress” page everyone should read:
* http://codex.wordpress.org/Hardening_WordPress
Also, wp-config.php should be moved up a directory from your WP installl (likely out of doc root), not blocked using an .htaccess file.
Also, also the WP-Security Scan plugin rocks and strips versioning and various other WP-specific info from your pages.
- 29July 1st, 2010 12:11 pm
Seems like the rewriting rules from 5. Protect Your WordPress Blog From Script Injections are easily subverted using %escapes
- 30July 1st, 2010 5:34 pm
The point 10, I think it is: Options -Indexes
You miss the s in Options.
- 31July 1st, 2010 7:21 pm
Good post. Thank you very much!
Something else which I believe is worth a mention is Akismet. It helps by keeping out (or reducing) comment spamming.
- 32July 2nd, 2010 12:34 am
Good to know some security loopholes on my WP sites. Immediately put some to use such as #3 and #10. Great help, thanks!
- 33July 2nd, 2010 1:08 am
Really a nice and informative article.
- 34July 2nd, 2010 1:21 am
I wish I had these tips last year, I was running 2.5 or something at the time and got hacked I am now very very very security concious. Every little change helps :)
- 35July 2nd, 2010 2:34 am
Hey, thanks for this. I just disabled directory browsing. I used to create blank index.php files but that used to take forever.
- 36July 2nd, 2010 5:54 am
It’s also helpful to enable cookie encryption on your WordPress site by using authentication keys. WordPress.org has a secret key generation service that generates a random set of keys to place in your wp-config.php file.
- 37July 2nd, 2010 6:33 am
For the tip #1: Remove Login Errors is removing -all- login errors, which could be bad because it also omits notices about disabled cookies, etc. A more effective approach would be to have the function return:
str_replace( array( ‘Invalid username’, ‘Incorrect password’ ), ‘Invalid username or password’, $str );
This keeps the user informed of potential errors while obfuscating which field the error actually occurred in. One thing to keep in mind is that if the username is correct, WordPress will auto-populate that field in subsequent login attempts. A hacker aware of WordPress operation would then know that the username was indeed valid. You can prevent this by commenting out the appropriate section in the wp-login.php file (lines 529-530 in version 2.9.2)–not ideal, I know, but there are no hooks at that point in the code.
- 38July 2nd, 2010 6:41 am
The #8, Remove Your WordPress Version Number… Seriously! is not really serious :) You will be removing the version number from your site, but it will still be available to XML readers, like RSS or ATOM feed readers. The following snippet is the correct way to remove the WordPress version number from the website and RSS feeds.
add_filter(‘the_generator’, create_function(”, ‘return “”;’));
You can use it on your theme functions file (functions.php).
- 39July 2nd, 2010 8:43 am
Excellent!!! Thank you for this information!
- 40July 2nd, 2010 9:38 am
One of the most useful articles I’ve read about WP lately! Thanks for sharing!
- 41July 2nd, 2010 10:22 am
On tip #9 I’d rather recommend to create a new admin and delete the previous one, since it would still remain with the ID = 1 in database. I already suffered an attack on a blog who had a different admin username but it got hacked still. I had to manually delete the row in order to prevent it from happenning again. Luckily, I had other admin at usage on the blog.
- 42July 2nd, 2010 11:44 am
The best way to secure proof WordPress is to separate completely core/plugins files (wp-folders) from themes/assets/media files and then deny access to the firsts.
- 43July 2nd, 2010 1:11 pm
Will have to tweak my WordPress sites with these tips tonight
- 44July 2nd, 2010 1:44 pm
There is a better way to rename the admin user.
1) Create a new user. 2) Give them admin authority. 3) Log in under newly created users and delete the original admin user. 4) When asked, assign all posts to new administrative user.
This not only gives you a renamed user, but it also changes the user id # which is used internally. There is no longer a user id 1.
- 45July 2nd, 2010 2:14 pm
Great post, I almost forgot point 9 :)
- 46July 2nd, 2010 3:07 pm
I think tip #1, which suggests removing login error messages, is a bit misguided. Error messages are helpful feedback for users, so they really shouldn’t be disabled completely. Instead, you can check the actual text of the error message in your wp-login.php file and edit it so it is less descriptive.
- 47July 2nd, 2010 6:05 pm
Very useful info for anyone using wordpress, which is a lot of people !
- 48July 2nd, 2010 6:40 pm
All ready discussed topics but this is a nice collective information..thank you
- 49July 3rd, 2010 2:20 am
can you tell me how to avoid the blog to be fetched using file_get_contents() or CURL method ?
- 50July 3rd, 2010 3:20 am
Personnaly, i wrote in my .htaccess :
« protect me, god »
And it works fine ^^
Anyway. Nice tips for my limited knowledge. Thank you.
- 51July 3rd, 2010 8:23 am
Thanks for the tips. I just included 3 of them in my blog (which hasn’t been launched yet…).
- 52July 4th, 2010 8:27 am
I’m not able to get #6 above to work on WordPress sites. I changed URLs, etc., but still get a 500 error on the site.
Here’s a good post on how to correctly remove the generator tag (to remove from HTML as well as RSS feeds):
http://www.wpbeginner.com/wp-tutorials/the-right-way-to-remove-wordpress-version-number/
- 53July 4th, 2010 11:37 am
These sound very good. I just hope that I can do them correctly. lol Thanks.
- 54July 4th, 2010 4:09 pm
In #6 you did not say you need to create an image if you want to display a ‘nohotlink.jpg’ image. Perhaps, if you want to drive more visitors to your site, it would be fun to create an image of text that will give the name of your web site if people want to see the real image and that the site they are on tried to steal your image. It could be better for you, and make the site which tried to steal your content look bad.
- 55July 4th, 2010 5:12 pm
Nice tips with a lot of help. thanks Jean
- 56July 5th, 2010 6:02 am
Lovly Post !!
I really like Smashing Magazines articles !
Too good !!
- 57July 5th, 2010 7:23 pm
it’s very usefull for my blog :)
- 58July 5th, 2010 9:09 pm
Thanks for share
it’s time to protect our wordpress - 59July 6th, 2010 11:13 am
Great article for me (noob). Thanks.
Question though, would any of these .htaccess adjustments effect backing up of the database? (I\’ve used the codetree plugin and wordpress db backup) but none work now after adding some of these changes; i just get redirected to the home page.
Also not sure if this is causing the problem:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\\.php*
RewriteCond %{HTTP_REFERER} !.*.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]from http://codex.wordpress.org/Combating_Comment_Spam/Denying_Access
Or could it be the blockbadqueries.php?
Thanks
- 60July 6th, 2010 3:22 pm
I removed the blockbadqueries plugin and I was able to backup the database again.
- 61July 6th, 2010 10:34 pm
Just to set the record straight, it\’s not the blockbadqueries.php that is causing the problem it is the wordpress firewall. If you whitelist *wp-admin/tools.php* and *wp-admin/edit.php* it fixes it.
Odd thing is the problem happens at home but not on the work computer.
- 61
- 62July 6th, 2010 6:36 pm
GERMANY SUCKS
from: css-tricks.com with LOVE !
- 63July 7th, 2010 1:28 am
Very good post – tips like this bring the real value to designers as tools such as WordPress are the most commonly used :D
- 64July 7th, 2010 6:43 am
No need for function at number 8 (remove WordPress version). You could just remove one line responsible for version number from header.php
Otherwise, good list – thanks!- 65July 22nd, 2010 2:27 am
Nooo. Marko don’t do this! This will break other things!
- 65
- 66July 7th, 2010 11:15 pm
Sorry but this post is completly USELESS, like Vid Luther said…
zippykid.com/blog/2010/07/how-to-secure-a-wordpress-site/I’m a real developer (not a designer) so, please Smashing Magazine, dont allow post like that…
- 67July 11th, 2010 10:17 am
Nice post. MIght be worth taking a look at the awesome gdpress tools plug in that will do quite a lot of this for you.
- 68July 12th, 2010 7:56 pm
One of the most helpful wordpress post I have come across! Things you never know possible can be prevented. Time to block those evils off your site. Much appreciate your effort in writing this post!!
- 69July 15th, 2010 9:17 am
Hi,
Nice tips, but since my WordPress blog is on IIS, and I dont have an .htaccess file, how should I implement these tips?? - 70July 19th, 2010 1:52 pm
The plug-in tutorial seems not to be working for me, is this because of wp 3.0?
- 71July 22nd, 2010 11:49 pm
good team,i’ve spent so much time here
- 72July 27th, 2010 7:12 am
a must read for all wordpress users!
- 73July 28th, 2010 11:15 pm
Thanks for the tips. I will definitely add these to my blog.
- 74
- 75August 4th, 2010 1:13 pm
Really useful … thanks
- 76August 12th, 2010 1:08 am
Thanks SM for pressing on with quality and relevance. Articles that explain clearly how to do what they suggest should be done are very useful. This one does it well.
Leave a Comment
Make sure you enter the * required information where indicated. Please also rate the article as it will help us decide future content and posts. Comments are moderated – and rel="nofollow" is in use. Please no link dropping, no keywords or domains as names; do not spam, and do not advertise!
- @sazzy yaaay, happy birthday, Sarah! And congratulations to the wedding! You are a great couple!
- Good News: Dual-Core CPU Opens Door To 1080p On Smartphones - http://bit.ly/a0KowT
- Man Who Destroyed the Boring Interface and Lived - http://bit.ly/c2SjIh - Very interesting read. #graphic #design
- @simoncollison Happy Birthday, Simon. Have a good one, a don't work too much ;-)
- Fresh on SmashingMag: Designing and Producing Creative Business Cards: Techniques and Details - http://bit.ly/ceOKDd
- Google Instant Search Is Released - http://bit.ly/drRq8U
- Web Project: Weighing Cost vs Speed vs Quality - http://bit.ly/ap9IIl
- CSS3Menu: create CSS3-based menus with this free library - http://bit.ly/bJfj1l
- Web Wireframe Kit (a free PSD file) - http://bit.ly/d14tll
- A step to be ahead: start designing for mobile devices - http://bit.ly/dv6DQN
I just write to say I really loved your smashing cartoon, I know you guys are german and I hope Germany DESTROY!!!!!!!!!… Argentina
cheers from Mexico