Going to look at it some more, but I may be upgrading this blog to WordPress 2.6 tonight. The SVN update I just did say wp-includes/version.php is 2.6.
Tag: WordPress (page 9 of 13)
Woo hoo, I see that WordPress 2.6-RC1 came with today’s SVN updates.
So far it looks and feels like 2.5.1 with some tweaks. The Google Gears portion, better plug-in management, and now arranging widgets works. When it is released as 2.6 I’ll upgrade this blog.
I’ll also get ready for the cries of support forum users who insist 2.5.1 get upgraded and maintained.
Over a week ago I complained about WordPress users crying security wolf and not being able to recover their blog when the “Bad Thing(tm)” happens.
Since then a real brawl developed on the support forum that could be summed up like so:
- One or more users is insisting that there is an XMLRPC exploit in 2.5.1.
- The same one or more users refuses to back this claim up with data, or apparently send the WordPress security e-mail alias any info (maybe, how would other people know what was sent via e-mail?)
- Many people tried to reasonably explain that such an exploit may exist but without data there is nothing to solve.
This discussion was just plain nuts and went around in circles. Complaining about a problem without providing any proof and then getting all pissy about it is totally useless. It is entirely possible that such an exploit exists and many people replied so. But without any providing data other than saying “I can assure you that the hack occurs via XMLRPC”, then everyone’s time gets wasted.
Fortunately, Donncha provided a page that covers the issue succinctly and today he added another post on setting up aide. His two posts are good and anyone considering monitoring their WordPress files for modification should give this a try.
Aide will let you see if your installation files and directories have been tampered with. It won’t protect you against HTTP POSTS or database attacks but it’s very good if someone succeeds in modifying your files.
There are ways to log what’s being sent via an HTTP POST and examine that information; if (or even when) I get hacked, I’ll try to start looking at that data. MYSQL database monitoring, that could be interesting but for now I’m not aware of a good tool to do that.
On my OpenSuSE installation, installing aide is simple. As root run
zypper install aide aide --init mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db aide --check cp /usr/share/doc/packages/aide/examples/etc/cron.daily/aide.sh /etc/cron.daily/
All of which I just did. I ran the check option to make sure I did not create any issues with the aide.conf file. I’ll play with the aide.conf file and see what kind of output I get when the daily cron job gets run. If I add and modify files and I set it up correctly then I should see that in daily cron job’s output.
Update: this worked but in /etc/aide.conf change the line verbose=1 to verbose=5. That will get you a useful output of which files and directories changed.
If you are not running the latest version of WordPress and you get hacked, don’t go to the WordPress forum and tell the world. Odds are you invited the disaster yourself.
When WordPress 2.5 came out I was disappointed to find that the old version 2.3.x was basically abandoned. There would be no more planned patches for 2.3.x just the current 2.5. The 2.0.x branch would continue to be supported as part of the commitment to the Debian version model.
So as of right now versions 2.0.11 and 2.5.1 are supported. If you are running 2.2.x, 2.3.x, 2.5(.0), or any other version then you run the risk of being exploited.
So why do users continue to use the old versions? Everyday there are posts in the support forum that (so far) always deals with someone’s blog getting hacked and they are not using the current 2.5.1 version (as of this writing). Eventually someone writes “I’ve been hacked” and some other user writes “Is this a vulnerability of insert current version HERE?!? Why are the developers not doing SOMETHING?!”.
It’s like there is some axe to grind and the first one to find the axe gets 1000 gold points. The moderators usually show great patience; I’d get ticked if I were them. These users seriously should just avail themselves of WordPress.com and stop trying to self host a blog.
The freely available WordPress from WordPress.ORG is not commercially supported, and commercial support if often not that good anyway. So for anyone who is thinking about using WordPress.org’s software, they should be able to do the following by themselves.
You need to be able to make backups.
Read this Codex article for backing up your WordPress installation.
WordPress uses two components. The easy one is the file system and backing that up should be trivial. I use a shell script that creates a tar.gz archive every night. Another cron job deletes backups that are older than 30 days. Why fill up my disk? The backups are not for historical use, just to get me back to the state I was 24 hours ago if need be. 30 days is too much but hey, disk space is cheap.
The mysql database is the other component. The same backup script also creates a text dump of my entire WordPress database. This copy gets gzipped and added to my file backup. The mysqldump command is your friend and should be used.
You need to be able to know how to restore those backups.
The Codex has a good article on how to restore your blog database here.
Making the best backups is pointless if you don’t know what to do with them when the “Bad Thing” happens. Take your backup and restore it to a WAMP or LAMP installation on your own PC. If you need a Windows Apache Mysql Php setup, use Google and install the one you feel comfortable with. In Linux just add the packages (See this link for Ubuntu).
Once you have the Apache web server, Mysql, and PHP running locally on your PC then start playing. Install WordPress locally, restore your backup and just change the name of your installation in wp-config.php to localhost and test. To adjust your local installation to run on your PC just add these two lines to the copy of the wp-config.php on your PC:
define('WP_SITEURL', 'http://localhost');
define('WP_HOME', 'http://localhost');
Then on your PC point your browser to http://localhost/ and test it. Beat it up; it’s a local copy on your PC. Go nuts on it and confirm that your posts, categories, tags, comments, etc. are all there. Anything on your PC that you mess up in WAMP or LAMP should be no big deal. Just start over if you get lost.
Play with it until you understand what you are doing, because when you DO lose your blog you’ll need to do this for real.
Practice performing an upgrade on your PC’s local copy.
That sounds like a plan right? Some plugins don’t work with the latest and greatest version. If the version you are running is vulnerable to an exploit then you don’t need that plug in.
Security updates are the number one driver for minor number version releases such as 2.5 to 2.5.1. Yes, there are bugs but they usually are tolerable. Exploitable code is serious business and usually gets fixed quickly.
Once you are comfortable with upgrading and testing your local installation, upgrade your real blog. I personally keep good backups and know how to restore them so I never bother with this step.
If you know how to backup and restore your blog, then even if the upgrade is bad, you will be able to put it back the way it was before the upgrade.
The current version of ATPP is 5.1 and it works really well. But occasionally I get speed bumps from Babelfish and Google translation engines so I end up turning it off for a while.
Without the plugin, when someone goes to the translated version of a posting, they get redirected to the home page.
For example the German pages for Andre’s trip to Disneyland is
http://blog.dembowski.net/2008/01/30/andres-trip-to-disneyland/de/
When I turn off the plugin users get sent to
http://blog.dembowski.net/
Here is where .htaccess comes to the rescue. By adding lines at the top of my .htaccess file I can send the request for a translated post to the English version:
RewriteRule ^de/ http://blog.dembowski.net/ [R=302,L] RewriteRule ^zh/ http://blog.dembowski.net/ [R=302,L] RewriteRule ^ko/ http://blog.dembowski.net/ [R=302,L] RewriteRule ^ja/ http://blog.dembowski.net/ [R=302,L] RewriteRule ^pt/ http://blog.dembowski.net/ [R=302,L] RewriteRule ^it/ http://blog.dembowski.net/ [R=302,L] RewriteRule ^es/ http://blog.dembowski.net/ [R=302,L] RewriteRule ^(.*)/de/ http://blog.dembowski.net/$1/ [R=302,L] RewriteRule ^(.*)/zh/ http://blog.dembowski.net/$1/ [R=302,L] RewriteRule ^(.*)/ko/ http://blog.dembowski.net/$1/ [R=302,L] RewriteRule ^(.*)/ja/ http://blog.dembowski.net/$1/ [R=302,L] RewriteRule ^(.*)/pt/ http://blog.dembowski.net/$1/ [R=302,L] RewriteRule ^(.*)/it/ http://blog.dembowski.net/$1/ [R=302,L] RewriteRule ^(.*)/es/ http://blog.dembowski.net/$1/ [R=302,L]
The request from /some/url/here/de/ results in the Apache server sending back a 302 temporarily moved to the same URL minus the two letter language code.
If I have to turn off the ATPP plugin for an extended time, I can do so knowing that search engine visitors will still find the original post.
Update: added portion for languages off of the root i.e. http://blog.dembowski.net/es/ becomes http://blog.dembowski.net/
I’ve been using a modified version of the FastTrack theme by Sadish for a couple of years now. It’s a good theme but it’s designed for a 800×600 resolution screen. Most of the visitors to this website use 1024×768 and on my screen it looked narrow. I felt like I was wasting screen real estate.
So after trying out lots of different WordPress themes, I settled on one called “The Journalist” by Lucian E. Marin.
This new theme has two columns with the main column wide for text. It’s easy to read and I did not change much except add some plugins and a banner at the top.
Adding the image at the top was easy. I took a version of a rotating script that I put together for Stefan’s blog and made it a separate file and where ever I wanted to put the image I just inserted this line into the php file:
<?php include(TEMPLATEPATH . '/rotate.php'); ?>
A copy of the php script can be found here. This one line was inserted into these files 404.php, archive.php, index.php, and single.php. I also create come page templates by copying the index.php and removing the post code inside and replacing it with code for the sitemap, archives page, etc.
In the journalist/images directory I made a new directory called random and placed some 700×175 jpegs there. When the rotate.php is called, it creates a list of images and populates it into a javascript. It’s convoluted but guarantees a random image with every page load.
The images were lifted from Stefan’s Flickr account with permission. If you like one check with him before you use it. I used the Gimp and set the rectangle select tool to a fixed aspect ratio of 700×175. Loading up the highest resolution image available, I was able to cut what I wanted, crop it, and resize it.
In the past I’ve made all my changes to the sidebar in sidebar.php. Widgets are lots easier, so rather than keep beating at the sidebar.php, I just use widgets now and it’s all good.
With this theme I’m using XHTML Transitional 1.0 instead of Strict. It’s easier to work with and more forgiving. I still switch to HTML in the blog editor to fix the image layout by hand and upload the images seperately. With WordPress 2.5.1 TinyMCE adds CSS classes to the img tag so I may just add those tags to my style.css and leave it at that.
So far so good. Once I stopped using version 2.3.3 and switched to 2.5 I got the hang of the new admin interface.
The old Admin-SSL plugin stopped working because the cookie code was from the old wp-includes/pluggable.php. The cookies are different so the old plugin failed.
There is a replacement but it does not set the cookies for use with SSL pages only, which was a huge part of the old plugin. I’m going to see if I can get the old one working with the new auth cookie code. My PHP is horrible so I’m not feeling too optimistic.
Mostly WordPress 2.5 worked right out of the box for me. Since I’m using the translation plugin, I get lots of Mysql database timeouts. With 2.3.x I implemented this fix and the translation pages have no issues with database timeouts. The fix has been updated for 2.5 so my database is not complaining anymore.
Thanks to 2.5 I was able to get rid of 2 fix plugins, Optimal Titles and Full Feed. Both are no longer needed. I did modify Bad Behavior slightly and added the Remove Max Width plugin but that’s mostly it.
This is a useful Q&A for common WordPress 2.5 questions.
Image upload does not work on my Ubuntu 7.10 laptop and WordPress 2.5. I’ll check using my Vista box. I’ll also setup a new scratch blog and see if it’s some setting or plugin I’m using. The 1.5 development version of Simple Tags seems to work with 2.5 now.
I’d gotten a surprise when I went to the WordPress.org support forum. To go with the new release of 2.5, WordPress.org has a new look.
Because I have weakness of working with possibly broken software, I backed up my database, all my files, and upgraded to WordPress 2.5. I’ll see how it goes.
