Author Archive

Apr 13

Secure File Permissions Matter

Posted by: Matt | Comments (0)

Summary: A web host had a crappy server configuration that allowed people on the same box to read each other’s configuration files, and some members of the “security” press have tried to turn this into a “WordPress vulnerability” story.

WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?

A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al.) have been around for 5+ years.
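On a shared box the practical check is whether each site’s wp-config.php can be read by accounts other than its owner. The script below is an added example, not code from this post or from WordPress: it walks a document root, reads the mode bits of every wp-config.php it finds, and flags copies that are group- or world-readable or writable (and, optionally, owned by the wrong uid). The demo builds a constructed two-site layout in a temporary directory with a placeholder password. It only inspects file bits; the per-user isolation of the PHP process (suexec and friends) that the post says is the host’s job is not something a file scan can confirm.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_config_file(path, expected_uid=None):
    """Return a list of findings for one credential-bearing file.

    Flags group/world read and write bits and, when an owner uid is given,
    a mismatch between the file's owner and that uid. Empty list = passed.
    """
    st = os.stat(path)
    findings = []
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable")
    if st.st_mode & stat.S_IRGRP:
        findings.append("group-readable")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


def audit_sites(docroot, config_name="wp-config.php"):
    """Walk a shared docroot and audit every wp-config.php under it.

    Returns {path: findings}. Each site is checked on its own, so one
    loose site does not hide behind a tight neighbour.
    """
    results = {}
    for root, _dirs, files in os.walk(docroot):
        if config_name in files:
            path = os.path.join(root, config_name)
            results[path] = audit_config_file(path)
    return results


def demo():
    """Constructed layout: two sites on one box, one with loose permissions."""
    base = tempfile.mkdtemp(prefix="wp-audit-")
    loose = Path(base, "site-a", "wp-config.php")
    tight = Path(base, "site-b", "wp-config.php")
    for cfg in (loose, tight):
        cfg.parent.mkdir(parents=True)
        # Placeholder credentials, constructed for the example only.
        cfg.write_text("<?php define('DB_PASSWORD', 'constructed-sample');\n")
    os.chmod(loose, 0o644)   # common upload default: every account can read it
    os.chmod(tight, 0o600)   # readable only by the owning account
    return {os.path.relpath(k, base): v for k, v in audit_sites(base).items()}


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, "OK" if not findings else ", ".join(findings))
```

Run it as-is to see the constructed layout scored; point `audit_sites` at a real document root to scan every site on the box. A 0640 file whose group is the web server’s group is a deliberate choice some hosts make, so treat “group-readable” as something to confirm against the host’s process model rather than an automatic failure.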

I’m not even going to link any of the articles because they have so many inaccuracies you become stupider by reading them.

If you’re a web host and you turn a bad file permissions story into a WordPress story, you’re doing something wrong.

P.S. Network Solutions, it’s “WordPress” not “Word Press.”

Categories : Development
Dec 19

WordPress 2.9, oh so fine

Posted by: Matt | Comments (0)

I want to make you mine, all the time… oh wait. Hello. I’m here on behalf of the entire WordPress development team and community to announce the immediate availability of WordPress version 2.9 “Carmen” named in honor of magical jazz vocalist Carmen McRae (whom we’ve added to our Last.fm WP release station). You can upgrade easily from your Dashboard by going to Tools > Upgrade, or you can download from WordPress.org. And of course, it wouldn’t be a major release without a short video summarizing some of the cool things about the new version:

The coolest new stuff from a user point of view is:

  1. Global undo/”trash” feature, which means that if you accidentally delete a post or comment you can bring it back from the grave (i.e., the Trash). This also eliminates those annoying “are you sure” messages we used to have on every delete.
  2. Built-in image editor allows you to crop, edit, rotate, flip, and scale your images to show them who’s boss. This is the first wave of our many planned media-handling improvements.
  3. Batch plugin update and compatibility checking, which means you can update 10 plugins at once, versus having to do multiple clicks for each one, and we’re using the new compatibility data from the plugins directory to give you a better idea of whether your plugins are compatible with new releases of WordPress. This should take the fear and hassle out of upgrading.
  4. Easier video embeds that allow you to just paste a URL on its own line and have it magically turn it into the proper embed code, with Oembed support for YouTube, Daily Motion, Blip.tv, Flickr, Hulu, Viddler, Qik, Revision3, Scribd, Google Video, Photobucket, PollDaddy, and WordPress.tv (and more in the next release).

2.9 provides the smoothest ride yet because of a number of improvements under the hood and more subtle improvements you’ll begin to appreciate once you’ve been around the block a few times. Here’s just a sampling:

  • We now have rel=canonical support for better SEO.
  • There is automatic database optimization support, which you can enable in your wp-config.php file by adding define('WP_ALLOW_REPAIR', true);.
  • Themes can register “post thumbnails” which allow them to attach an image to the post, especially useful for magazine-style themes.
  • A new commentmeta table that allows arbitrary key/value pairs to be attached to comments, just like posts, so you can now expand greatly what you can do in the comment framework.
  • Custom post types have been upgraded with better API support so you can juggle more types than just post, page, and attachment. (More of this planned for 3.0.)
  • You can set custom theme directories, so a plugin can register a theme to be bundled with it or you can have multiple shared theme directories on your server.
  • We’ve upgraded TinyMCE WYSIWYG editing and Simplepie.
  • Sidebars can now have descriptions so it’s more obvious what and where they do what they do.
  • Specify category templates not just by ID, like before, but by slug, which will make it easier for theme developers to do custom things with categories — like post types!
  • Registration and profiles are now extensible to allow you to collect things more easily, like a user’s Twitter account or any other fields you can imagine.
  • The XML-RPC API has been extended to allow changing the user registration option. We fixed some Atom API attachment issues.
  • Create custom galleries with the new include and exclude attributes that allow you to pull attachments from any post, not just the current one.
  • When you’re editing files in the theme and plugin editors it remembers your location and takes you back to that line after you save. (Thank goodness!!!)
  • The Press This bookmarklet has been improved and is faster than ever; give it a try for on-the-fly blogging from wherever you are on the internet.
  • Custom taxonomies are now included in the WXR export file and imported correctly.
  • Better hooks and filters for excerpts, smilies, HTTP requests, user profiles, author links, taxonomies, SSL support, tag clouds, query_posts and WP_Query

All of this and more is reflected in the over 500 tickets, bugs, and enhancements that WP developers worked through in this release cycle.

This release included code from over 140 contributors, here’s everyone we were able to identify: aaroncampbell (Aaron Campbell), abackstrom (Adam Backstrom), aldenta (John Ford), alexkingorg (Alex King), [amilanov], antonylesuisse (Antony Lesuisse), apeatling (Andy Peatling), apokalyptik (Demitrious Kelly), arena (André Renaut), batmoo (Mohammad Jangda), Ben Dunkle, BenBE1987, Benjamin Flesch, bookchiq (Sarah Lewis), brianwhite, c0nstruct, caesarsgrunt (Caesar Schinas), CalebKniffen (Caleb Kniffen), chrisbliss18, chrisscott (Chris Scott), christoph179, coffee2code (Scott Reilly), [cross country flight], Curioso, davecpage (Dave Page), dcole07 (Dan Cole), dd32 (Dion Hulse), demetris (Δημήτρης Κίκιζας), Denis-de-Bernardy, dj-wp, dwright, eddieringle (Eddie Ringle), error (Michael Hampton), ewestp, fabifott, filosofo (Austin Matzko), greenshady (Justin Tadlock), gsnedders/link92 (Geoffrey Sneddon), hailin (Hailin Wu), hakre, hanilovesme, Harald Nesland, harrym, holizz (Tom Adams), ikonst, jacobsantos (Jacob Santos), janeforshort (Jane Wells), jamescollins (James Collins), jdub (Jeff Waugh), jeff_ (Jean-François “Jeff” VIAL), jeremyclarke (Jeremy Clarke), JeremyVisser (Jeremy Visser), jikamens, jmulley, Joern_W, johanee (Johan Eenfeldt), johnbillion (John Blackbourn), johnjamesjacoby (John James Jacoby), johnjosephbachir (John Joseph Bachir), JonathanRogers, joostdevalk (Joost de Valk), Jose Carlos Norte, josephscott (Joseph Scott), junsuijin, kevinB (Kevin Behrens), kometbomb, lilyfan (IKEDA Yuriko), [lostinlafayette], madhyde, MattyRob, mdawaffe (Michael Adams), Mittineague, miqrogroove, morfiusx, mrmist (David McFarlane), mtdewvirus (Nick Momrik), mysz, nacin (Andrew Nacin), nanochrome, nao (Naoko McCracken), nathanrice (Nathan Rice), nbachiyski (Николай Бачийски), niallkennedy (Niall Kennedy), nickohrn (Nick Ohrn), ninjaWR (Ryan Murphy), noel (Noël Jackson), Otto42 (Samuel Wood), pairg, peaceablewhale (Franklin Tse), prettyboymp (Michael Pretty), ProDevStudio, 
ramiy, redsweater (Daniel Jalkut), ruslany, sambauers (Sam Bauers), scribu, Sewar, Simek, simonwheatley (Simon Wheatley), sirzooro (Daniel Frużyński), sivel (Matt Martz), skeltoac (Andy Skelton), snakefoot, stephanreiter (Stephan Reiter), strider72 (Stephen Rider), taco1991, takayukister (Takayuki Miyoshi), tellyworth, tenpura, usermrpapa, utkarsh, Viper007Bond, vladimir_kolesnikov (Vladimir Kolesnikov), VoxPelli (Pelle Wessman), [voyou1], wahgnube, waltervos, westonruter (Weston Ruter), wnorris (Will Norris), xenlab (Eric Marden), yoavf (Yoav Farhi). Wowza!

2.9 has been an exciting development cycle, and I must say it has whetted our appetite for 3.0, which is coming next (probably this spring) and will include at the very least the merge of MU with the WordPress core, and a new default theme. We can’t wait to start working on it. But first, some Carmen McRae tunes and a beer. Join us! :)

(After you upgrade, of course!)

I hope everyone is having a wonderful holiday season.

Categories : Releases
Dec 16

2.9 Release Candidate 1

Posted by: Matt | Comments (0)

We’re at that exciting point in WordPress development where the dev team feels like version 2.9 is complete and ready for the world.

If you’ve been waiting for your moment to pitch in, it’s now. First we need tech savvy testers to upgrade their blogs and kick the tires, make sure everything is rolling like you expect it to. Here’s a list of all the fun and geeky new stuff in 2.9 to try out. Second, and more importantly, we need everyone to test out their plugin compatibility.

If you’re a user of plugins, there’s a groovy new compatibility feature on the plugin directory where you can vote on whether a plugin is compatible with a version or not, and it’ll get registered in the new plugin compatibility checker. This replaces the old wiki-based lists we used to keep. To see it in action, check out this Akismet plugin page, where, as you can see, 14 people have already registered that it’s compatible with 2.9.

If you’re a plugin author, of course you should update your “Tested up to:” in the readme.txt for your plugin.

If all goes according to plan, WordPress 2.9 will be out before the end of the week. You can download the release candidate here.

For more details on the changes since Beta please review the revision log on Trac, and happy testing!

Categories : Development
Nov 18

WordPress Wins CMS Award

Posted by: Matt | Comments (0)

I was very excited last week to learn that WordPress has been awarded the Overall Best Open Source CMS Award in the 2009 Open Source CMS Awards. This is a landmark for us, as it is the first time we’ve won this award, and it marks a shift in the public perception of WordPress, from blog software to full-featured CMS. No small contest, the Open Source CMS Awards received over 12,000 nominations and more than 23,000 votes across five categories.

As Hiro Nakamura said when he first bent time and space to land in Times Square: “Yatta!”

In addition to winning in the Overall Best Open Source CMS category, WordPress was named first runner-up in the Best Open Source PHP CMS category. This is significant because we weren’t even in the top 5 last year, and now we’re #2, ahead of Joomla! As is stated on the Award site, “WordPress made its way into the top five for the first time. The fact that it was outranked by Drupal by a very slight margin indicates how popular it has become with users as well as developers over the past year.”

Every day thousands of new people are embracing WordPress to power not just their blogs but entire sites and communities without compromising on usability or scalability (as would be the case with a legacy CMS). Every member of the WordPress community, from core developer to beginning user, should be proud to be part of this momentum: congratulations to us all!

Categories : General, award, cms, packt
Sep 05

How to Keep WordPress Secure

Posted by: Matt | Comments (0)

A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well — a little bit of work on an upgrade now saves a lot of work fixing something later.

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at the users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.
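The two footprints the post describes, an extra administrator account and hidden spam or script tags planted in old posts, can be looked for directly in the stored data rather than through the admin screens the worm hides itself from. The script below is an added example, not code from this post or from WordPress: it parses post bodies for links inside `display:none`/`visibility:hidden` containers and for `<script>` tags, and compares the administrator accounts in a user list against the admins you know you created. The posts and users it runs over are constructed sample data with placeholder domains; on a real site you would feed it rows pulled from `wp_posts` and `wp_users`/`wp_usermeta` (or a WXR export), since the page says the JavaScript only hides the account in the browser.

```python
from html.parser import HTMLParser

# Constructed sample data. Post 2 carries a hidden spam block and post 3 an
# injected script, in the style the post describes; post 1 is clean.
SAMPLE_POSTS = {
    1: "<p>Photos from the weekend.</p>",
    2: ('<p>Recipe notes.</p><div style="display: none">'
        '<a href="http://spam.example/pills">cheap pills</a></div>'),
    3: '<p>Travel log.</p><script src="http://evil.example/hide.js"></script>',
}

SAMPLE_USERS = [
    {"login": "matt", "role": "administrator"},
    {"login": "editor1", "role": "editor"},
    {"login": "x7dkq", "role": "administrator"},  # constructed: self-promoted account
]

# Elements that never get a closing tag, so they must not move the nesting depth.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "source", "wbr"}


class HiddenContentScanner(HTMLParser):
    """Collect links inside hidden containers and any script tags."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0      # >0 while inside a hidden subtree
        self.hidden_links = []
        self.scripts = []

    @staticmethod
    def _is_hidden(attrs):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return "display:none" in style or "visibility:hidden" in style

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.scripts.append(attrs.get("src") or "inline")
        if tag in VOID_TAGS:
            return
        if self.hidden_depth:
            self.hidden_depth += 1          # nested inside a hidden element
        elif self._is_hidden(attrs):
            self.hidden_depth = 1           # entering a hidden subtree
        if tag == "a" and self.hidden_depth and attrs.get("href"):
            self.hidden_links.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.hidden_depth:
            self.hidden_depth -= 1


def scan_post(body):
    """Return the hidden links and script tags found in one post body."""
    scanner = HiddenContentScanner()
    scanner.feed(body)
    scanner.close()
    return {"hidden_links": scanner.hidden_links, "scripts": scanner.scripts}


def find_unexpected_admins(users, known_admins):
    """Administrator logins that are not in the allowlist you maintain."""
    return sorted(u["login"] for u in users
                  if u["role"] == "administrator" and u["login"] not in known_admins)


def triage(posts, users, known_admins):
    """Combine both checks into one report; only flagged posts are listed."""
    report = {"posts": {}, "unexpected_admins": find_unexpected_admins(users, known_admins)}
    for post_id, body in posts.items():
        result = scan_post(body)
        if result["hidden_links"] or result["scripts"]:
            report["posts"][post_id] = result
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_POSTS, SAMPLE_USERS, known_admins={"matt"}))
```

The allowlist of known administrators is the one piece you must supply from memory or from your own records; the point is that nothing rendered by the compromised site’s admin pages is trusted as input. A hit on either check is a reason to restore from a known-good backup and upgrade, not to hand-edit the flagged rows and move on.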

I’m talking about this not to scare you, but to highlight that this is something that has happened before, and that will more than likely happen again.

A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)

2.8.4, the current version of WordPress, is immune to this worm. (So was the release before this one.) If you’ve been thinking about upgrading but haven’t gotten around to it yet, now would be a really good time. If you’ve already upgraded your blogs, maybe check out the blogs of your friends or that you read and see if they need any help. A stitch in time saves nine.

Whenever a worm makes the rounds, everyone becomes a security expert and peddles one of three types of advice: snake oil, Club solutions, or real solutions. Snake oil you’ll be able to spot right away because it’s easy. Hide the WordPress version, they say, and you’ll be fine. Uh, duh, the worm writers thought of that. Where their 1.0 might have checked for version numbers, 2.0 just tests capabilities, version number be damned.

The second type of advice is Club solutions; to illustrate, I’ll quote from Mark Pilgrim’s excellent essay on spam 7 years ago, before WordPress even existed:

The really interesting thing about these approaches, from a game theory perspective, is that they are all Club solutions, not Lojack solutions. There are two basic approaches to protecting your car from theft: The Club (or The Shield, or a car alarm, or something similar), and Lojack. The Club isn’t much protection against a thief who is determined to steal your car (it’s easy enough to drill the lock, or just cut the steering wheel and slide The Club off). But it is effective protection against a thief who wants to steal a car (not necessarily your car), because thieves are generally in a hurry and will go for the easiest target, the low-hanging fruit. The Club works as long as not everyone has it, since if everyone had it, thieves would have an equally difficult time stealing any car, their choice will be based on other factors, and your car is back to being as vulnerable as anyone else’s. The Club doesn’t deter theft, it only deflects it.

Club blog security solutions can be simple (like an .htaccess file) or incredibly complex (like two-factor authentication), and they can work, especially for known exploits. Club solutions can be useful, like using a strong or complex password for your login — no one would recommend against that. (Another Club solution is switching to less-used software on the assumption, or more likely the software’s own claim, that it’s perfect and more secure. This is why BeOS is more secure than Linux, ahem.)

In the car world, if someone figured out how to teleport entire cars to chop shops, The Club wouldn’t be so useful anymore. Luckily for manufacturers of The Club, this hasn’t happened. Online and in the software world, though, the equivalent happens almost daily. There is only one real solution. The only thing that I can promise will keep your blog secure today and in the future is upgrading.

WordPress is a community of hundreds of people that read the code every day, audit it, update it, and care enough about keeping your blog safe that we do things like release updates weeks apart from each other even though it makes us look bad, because updating is going to keep your blog safe from the bad guys. I’m not clairvoyant and I can’t predict what schemes spammers, hackers, crackers, and tricksters will come up with in the future to harm your blog, but I do know for certain that as long as WordPress is around we’ll do everything in our power to make sure the software is safe. We’ve already made upgrading core and plugins a one-click procedure. If we find something broken, we’ll release a fix. Please upgrade, it’s the only way we can help each other.

Categories : Development, Security