Wordpress admin cracking script shows importance of security

I stumbled on a very interesting article floating around Twitter this morning, one worth pointing out I believe.

The short write up, titled Distributed Wordpress admin account cracking, exposes a malicious script which was written specifically to crack Wordpress admin passwords.

The acquired script is written in PHP and performs brute force cracking attempts against Wordpress admin accounts.

[...]

Now, the interesting thing about the script is that it allows distributed cracking. Information is saved in a MySQL database and the script actually connects directly to the main database. This allows the attacker to run many simultaneous scripts – each of them will take 200 new URLs and mark them with the brute forcer’s ID ($colo).

There is nothing new or revolutionary about this script. If you have a beefy password and are up-to-date (2.8.6 as of today!) there’s no reason to worry. But I believe this illustrates the importance of doing everything possible to secure your website.

In my last post, I embedded Brad’s Wordpress security presentation he gave at WordCamp NYC. It contains simple yet effective ways to secure your Wordpress installations – definitely worth a quick look.

I’ve had a few people ask me what the quickest/easiest ways are to get started securing their WP site. Almost every single thing in Brad’s presentation is important, but in my mind two things are the most important, and they can be done in a matter of minutes.

Delete your ‘admin’ account. Yes, that’s right. Nuke it. Scripts such as the one mentioned above try to gain access to your website by logging into the admin account – the account with the user name ‘admin’. Create a new account, something like RobSmith (or anything other than admin!), give it admin privileges, and then delete the default admin user. You will thank me later.

Don’t use wp_ as your default prefix. You probably don’t remember, but when you were flying through Wordpress’s famous 5 click install, one of the options it asked you for was the default Wordpress prefix to use with the database. That’s right, I figured you didn’t remember. By default it’s set to wp_ – this should be changed. If you have already set up your blog, you can change it using some phpMyAdmin trickery, but make sure you know what you are doing first.
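The brute forcer described above works by posting password guesses to wp-login.php, so its traffic shows up in the web server’s access log. The Python below is an added example, not code from the original post or from the article it cites: it parses constructed Apache combined-format log lines, treats a POST to wp-login.php answered with HTTP 200 as a failed login (WordPress redirects with a 302 on success), and flags both a single noisy source and the distributed pattern where many sources each try only a few times. The IP addresses, timestamps and thresholds are all constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-format lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Nov/2009:09:00:01 -0600] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/4.0"
203.0.113.10 - - [20/Nov/2009:09:00:02 -0600] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/4.0"
203.0.113.10 - - [20/Nov/2009:09:00:03 -0600] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/4.0"
203.0.113.11 - - [20/Nov/2009:09:00:04 -0600] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/4.0"
203.0.113.12 - - [20/Nov/2009:09:00:05 -0600] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/4.0"
203.0.113.13 - - [20/Nov/2009:09:00:06 -0600] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/4.0"
198.51.100.7 - - [20/Nov/2009:09:01:00 -0600] "GET /wp-login.php HTTP/1.1" 200 2108 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Nov/2009:09:01:05 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def failed_logins(log_text):
    """Yield (ip, timestamp) for every failed wp-login.php POST.

    A successful WordPress login is a 302 redirect into wp-admin; a failed one
    re-renders the login form with HTTP 200, so status 200 marks a failure.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['method'] != 'POST' or not m['path'].startswith('/wp-login.php'):
            continue
        if m['status'] == '200':
            yield m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')


def assess(log_text, per_ip_threshold=3, distributed_threshold=4, window_seconds=300):
    """Summarise failures per IP, list noisy IPs, and detect a distributed burst."""
    events = sorted(failed_logins(log_text), key=lambda e: e[1])
    per_ip = Counter(ip for ip, _ in events)
    noisy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    # Distributed pattern: many different sources each failing a few times inside one window,
    # which a plain per-IP counter would never push over its threshold.
    distributed = False
    for i, (_, start) in enumerate(events):
        sources = {ip for ip, ts in events[i:] if (ts - start).total_seconds() <= window_seconds}
        if len(sources) >= distributed_threshold:
            distributed = True
            break
    return {'failures': per_ip, 'noisy_ips': noisy, 'distributed': distributed}
```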

As Wordpress becomes even more mainstream (gasp!) it will continue to be attacked by script kiddies and other nefarious characters. However, by staying up to date and taking the appropriate steps to secure your site, you really don’t have anything to worry about.

Posted 101 days ago | Topics: Wordpress | 1 Comment

Wordpress Security Tips

WDS-Brad from WebDevStudios had a good presentation on Wordpress Security at Wordcamp NYC. Here’s the slideshow:

Posted 112 days ago | Topics: Wordpress | No Comments

Wordpress 2.8.6 released

Just about an hour ago Wordpress 2.8.6 was finalized and released. Nothing exciting with this release – just a few security fixes.

From the Wordpress.org blog:

2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

On another note, Wordpress 2.9 is still scheduled for a final release at the end of November/early December. You can still download and test the latest WP 2.9 nightly build here.

Finally, Wordpress MU received a few updates last week and is now up to 2.8.5.2.

Posted 119 days ago | Topics: Release, Wordpress, Wordpress MU | 2 Comments

Rotating banners in Wordpress with jQuery

Recently I had a project that needed to have a rotating banner on the main page. Most rotating banners out there are connected to feature posts or articles. WooThemes and some of Matt Brett’s projects often use this method.

This wasn’t going to cut it for me. I needed rotating banners that were not associated with any posts, could link off site, could be updated/maintained by the client, and preferably did not use any custom field voodoo. The last thing I wanted to do was use a post category, since it would be major overkill.

So I came up with a solution that fit all my requirements above and works great. Figured I would share what I did in case anyone else needs a similar solution.

The rotating banners were accomplished using:

Let’s get started here.

Step 1: setup a link category

When you’re logged into the WP admin panel, click on Links on the left (under Media, above Pages). The Links section will expand and now we need to create a Link Category.

[Screenshot: Add your Banner category]

After you have added your Banner category (or whatever you decide to name it) you want to find the ID for that category. There are two ways you can do this. First, place your cursor over the category and look in the browser status bar.


The second option is to use Sivel’s Simply Show IDs plugin which will tell you the ID. Either way, just make sure you note what the ID is for your category since we will need it later.

Step 2: add some banners

Now we will add some links to the category. Click Add New under Links.


The name and description are for your reference and will not be shown or used. Make sure you place the link in the category you created. Lastly, you will need to put the location of the image in the Image Address field. The easiest way is to upload your banners using the Wordpress Media manager. If you go that route, your image location will be something similar to http://yoursite.com/wp-content/uploads/11/09/banner.jpg.

Step 4: downloading and moving jQuery Carousel

Now that we have the banner category created and some links/images in the category we need to get things setup behind the scenes.

First, download jQuery Carousel.

Secondly, unzip the files. You will see a bunch of files, most of which we won’t need.

Open up your theme folder (/wp-content/themes/yourtheme/) and create a folder inside called js.

Now we need to move jquery.jcarousel.pack.js or jquery.jcarousel.js (look in /libs/) to this folder. The path should be similar to /wp-content/themes/yourtheme/js/jquery.jcarousel.pack.js

Note: It is up to you which version of jCarousel you use. I prefer the packed version since it is smaller and we will not need to do any editing.

After the jCarousel javascript file has been moved we need to move over the CSS. Open jquery.jcarousel.css, copy the contents, and paste it into your theme’s style.css.

So to recap, you should have:
/wp-content/themes/yourtheme/js/jquery.jcarousel.pack.js
/wp-content/themes/yourtheme/style.css (should contain the CSS from jquery.jcarousel.css)

Step 5: setting up jCarousel and jQuery

Once you have added the necessary jCarousel CSS to your theme’s style.css you will need to edit it to meet the dimensions of your banner.

/* @group jcarousel */

.jcarousel-banners {
 border: 1px solid #cfcfcf;
 margin:0 0 30px 0;
}

.jcarousel-container {
 position: relative;
}

.jcarousel-clip {
 z-index: 2;
 padding: 0;
 margin: 0;
 overflow: hidden;
 position: relative;
}

.jcarousel-list {
 z-index: 1;
 overflow: hidden;
 position: relative;
 top: 0;
 left: 0;
 margin: 0;
 padding: 0;
}

.jcarousel-list li,
.jcarousel-item {
 float: left;
 list-style: none;
 /* We set the width/height explicitly. No width/height causes infinite loops. */
 width: 578px;
 height: 130px;
}

/**
 * The buttons are added dynamically by jCarousel before
 * the <ul> list (inside the <div> described above) and
 * have the classnames "jcarousel-next" and "jcarousel-prev".
 */
.jcarousel-next {
 display: none;
}
.jcarousel-prev {
 display: none;
}

.jcarousel-banners .jcarousel-list li,
.jcarousel-banners .jcarousel-item {
 position: relative;
 float: left;
 list-style: none;
 width: 578px;
 height: 130px;
}

.jcarousel-banners .jcarousel-container-horizontal {
 width: 578px;
}

.jcarousel-banners .jcarousel-clip-horizontal {
 width: 578px;
 height: 130px;
}

.jcarousel-banners .jcarousel-item {
 width: 578px;
 height: 130px;
}

Above is what the CSS looks like for my website. The size of the banners is 578×130px. Change this to the size of your banners. You might need to do some further tweaking later.

Now that the CSS is done and jCarousel is in place, we need to tell Wordpress to use jQuery and jCarousel when it loads a page.

Open up functions.php inside your theme directory. You may have to create it if your theme does not have one. Now add this:

function yourtheme_load_carousel_scripts() {
	if (!is_admin()) {
		wp_enqueue_script('jquery');
		// jCarousel lives in the theme's js folder (see the recap above) and depends on jQuery
		wp_enqueue_script('jcarousel', get_bloginfo('template_directory') . '/js/jquery.jcarousel.pack.js', array('jquery'), false);
	}
}
add_action('init', 'yourtheme_load_carousel_scripts');

Wordpress includes many scripts out of the box, one of them being jQuery, so there is no need for us to download it. The code snippet tells Wordpress – as long as we are not in the admin panel – to load jQuery and the jCarousel script.

Step 6: finishing things up on the front end

Your banners have been created, the files have been moved, and Wordpress now knows to use jQuery and jCarousel when a page loads – almost done!

The last thing we need to do is add the code to grab the banners and make them work.

Open up index.php or home.php (the location you want to place your banners) in your theme directory and use this snippet:

<div id="banners">
	<ul>
		<?php // Only the link images from category 49 are output, one per <li>, without names or descriptions ?>
		<?php wp_list_bookmarks( 'categorize=0&category=49&title_li=&before=<li>&after=</li>&show_images=1&show_description=0' ); ?>
	</ul>
</div>

This snippet will grab links you created earlier and only show the images. Make sure you change category=49 to your category ID.

Lastly, open header.php in your theme directory. Place the code snippet below in between the <head> </head> tags – usually right after you see wp_head();

<script type="text/javascript">
// WordPress ships jQuery in noConflict mode, so $ is only available inside this ready callback
jQuery(document).ready(function($) {
	$('#banners').jcarousel({
		scroll: 1,          // advance one banner at a time
		auto: 4,            // rotate automatically every 4 seconds
		wrap: 'last',       // jump back to the first banner after the last one
		animation: 'slow',
		buttonNextHTML: null, // no next/prev buttons
		buttonPrevHTML: null
	});
});
</script>

The jQuery that comes with Wordpress runs in noConflict mode, which is why we do not use the typical $(document).ready call. jCarousel is very configurable, so I suggest you check out all the different options and make sure your settings give you the functionality you desire.

Step 7: Profit.

That’s it! If you followed all the steps right you should have a rotating banner on your site.

I found this to be a better solution than any of the plugins I found. We didn’t have to do anything crazy, use posts, or write any plugins. Normally I would provide a demo of this in action, but I have a feeling the client I did this for would rather not be mentioned.

If you have any questions or problems, feel free to leave a comment.

If you do experience problems, a few things to double check/tweak:

  • view your source to make sure WP is calling jQuery and jCarousel
  • check to make sure you have the correct category ID
  • modify the CSS if things don’t render correctly

Posted 119 days ago | Topics: Wordpress, how to, jQuery | No Comments

WordCamp NYC 2009

I’m throwing around the idea of making a trip up to NYC for WordCamp in a few weeks.

The sessions are lined up, there are a ton of great speakers, and many of the characters from #wordpress will be in attendance (*cough* sivel, ansi, jdingman, etc).

Not worried about airfare (Go Southwest! ha) or registration, however I am looking for help on lodging.

There is a hotel within walking distance that has a 15% discount, bringing it down to ~ $210/night. I wanted to see if anyone who was thinking about attending would want to maybe split a room.

Alternately, anyone have any other recommendations for places to stay? I’d prefer to not shell out $210 a night by myself unless I must. After all in Texas $210 a night would damn near get you a suite! Stupid inflation. ;)

Posted 133 days ago | Topics: Events, Wordpress | No Comments

Wordpress parent and sub category IDs

The current project I am working on left me needing to access the parent category ID and the sub category ID in sidebar.php.

I have several sections in the sidebar for posts using is_single() that get the most popular posts, recent posts, etc. The problem using the code below – which works if you don’t deal with sub categories – is it only gets the parent category ID.

$categories = get_the_category();
$this_cat_ID = $categories[0]->cat_ID;
$this_cat_name = $categories[0]->cat_name;
$this_cat_url = get_category_link($this_cat_ID);

For example:
I have News category that has an ID of 6, a Press Release sub category with the ID of 7, and a TV Coverage sub category with the ID of 8.
The sidebar.php contains a block that displays the most recent posts.
If I am viewing a press release post (single.php) I want to see only the latest Press Release posts. Using $this_cat_ID, which is the parent category ID, it is going to show all the posts in News, including not only Press Release but also TV Coverage.

It’s easy to get the parent category id as I showed above, and while it isn’t difficult to get the sub category ID (or IDs if you have more than one), most examples I found on the WP.org forums didn’t do what I needed. You need to add a few lines to get the sub cat.

$categories = get_the_category();
$this_cat_ID = $categories[0]->cat_ID;
$this_cat_name = $categories[0]->cat_name;
$this_cat_url = get_category_link($this_cat_ID);
// Default to "no sub category" so the check further down never reads an undefined variable
$sub_cat_ID = 0;
// Get the sub category if we have one (category_parent is 0 for top-level categories)
foreach ($categories as $cat) {
	if ($cat->category_parent != 0) {
		$sub_cat_ID = $cat->cat_ID;
		$sub_cat_name = $cat->cat_name;
		$sub_cat_url = get_category_link($sub_cat_ID);
	}
}

With this code you still have access to the parent category ID but also gain the sub category ID.

All that is left is to just write a quick function that checks to see if there is a sub category, something that contains:

if (!$sub_cat_ID) {
   echo $this_cat_ID;
} else {
   echo $sub_cat_ID;
}

Problem solved! Now viewing a post filed under News will show the most recent News posts, a post filed under Press Release will show the most recent Press Release posts, and so on.

FYI – this method only works if you are going to have a post in one sub category at a time, otherwise you will have to modify things so the sub category info gets stuck in an array.

Posted 135 days ago | Topics: Wordpress | No Comments

Wordpress 2.8.5 released

Wordpress 2.8.5 has been released and is up for download. Nothing exciting to see, as it just addresses the exploit that was published this morning plus a few minor things. From the Wordpress.org post:

  • A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where php code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins.

So get your installs up to date by downloading it or upgrading from the admin panel!

Posted 142 days ago | Topics: Release, Wordpress | No Comments

Wordpress trackback exploit found

Around 9am (CST) this morning we were alerted via the wp-hackers mailing list that there is an exploit out that affects the latest version of Wordpress, v 2.8.4.

If you want to read more about all the technical stuff you can find the original blog post detailing the exploit here.

I wouldn’t say this is critical since your data is not at risk but anytime someone can put heat on your server it is not good.

No word yet if a patch is going to be released in the form of Wordpress 2.8.5. There are a few fixes out already however.

There is a chunk of code you can paste into your theme’s functions.php file.

function ft_stop_trackback_dos_attacks(){
	global $pagenow;
	if ( 'wp-trackback.php' == $pagenow ){
		// DoS attack fix: refuse trackback requests that carry an oversized charset parameter
		if ( isset($_POST['charset']) ){
			$charset = $_POST['charset'];
			if ( strlen($charset) > 50 ) { die; }
		}
	}
}
add_action('init','ft_stop_trackback_dos_attacks');

There is also already a fix on trac.

Posted 142 days ago | Topics: Wordpress | No Comments