Just noticed that the latest WordPress.org update has been out since Thursday. This time round the update does the following:
- Certain themes were calling get_categories() in such a way that it would fail in 2.8. 2.8.1 works around this so these themes won’t have to change.
- Dashboard memory usage is reduced. Some people were running out of memory when loading the dashboard, resulting in an incomplete page.
- The automatic upgrade no longer accidentally deletes files when cleaning up from a failed upgrade.
- A problem where the rich text editor wasn’t being loaded due to compression issues has been worked around.
- Extra security has been put in place to better protect you from plugins that do not do explicit permission checks.
- Translation of role names fixed.
- wp_page_menu() defaults to sorting by the user specified menu order rather than the page title.
- Upload error messages are now correctly reported.
- Autosave error experienced by some IE users is fixed.
- Styling glitch in the plugin editor fixed.
- SSH2 filesystem requirements updated.
- Switched back to curl as the default transport.
- Updated the translation library to avoid a problem with mbstring.func_overload.
- Stricter inline style sanitization.
- Stricter menu security.
- Disabled code highlighting due to browser incompatibilities.
- RTL layout fixes.
If you’re into that sort of thing, you can read all about the changes between 2.8 and 2.8.1 here, and more details are here. I upgraded using the auto-upgrade feature in the dashboard and it took under a minute.
If you read this blog regularly (or even semi-regularly) you will know that I recommend upgrading WordPress whenever the dashboard tells you to. Quite apart from grabbing the latest features built into the latest releases, you also pick up any patches and security updates. If internet history tells us nothing else, it tells us that sites that aren’t serious about security end up getting taken over.
It seems that there is a site offering a seemingly legitimate version of WordPress.org which is actually a backdoored version. Which is a bit cunning and a lot malicious. So what can you do to protect yourself?
Firstly (and most importantly), only ever get your copy of WordPress from the official WordPress sites: WordPress.org (for the single blog edition) or WordPress MU (for the multi blog edition). Being the real deal, WordPress will only offer the genuine article and will not knowingly make you install software that will trash your system or will leave you open to attack. And they will patch when they know about a bug or security issue. Other sites may seem faster or better somehow, but the only way to be sure that you are downloading the genuine version is to go to the official sites.
Next, themes and plugins. If you want to be completely secure, you will only go via the WordPress plugin page and theme page. I have a small issue with this: the theme page has a limited selection, from memory I found this theme after going to the theme directory. With plugins, I tend to start from the plugin directory and then navigate to the plugin’s web location – that way I get the latest version and access to any more documentation. The natural caveat on this, though, is that you navigate away from the tested versions at your own risk.
If you do not understand what a non-official patch or hack does, don’t use it until you have run it past someone who does. Personally, I know enough to be dangerous and know that tweaks I have applied will only, at worst, give me a blank page if they fail. The WordPress.org support forums are a good place to go to if you need help – in fact, this is a good rule to follow for any computer changes. I would also advise taking a backup of the site to ensure that if anything does go horribly wrong you can still roll back the changes.
None of this is rocket surgery (or brain science). Stick with the official releases and upgrade when the message appears and you are making yourself as safe as you can be. If you fail to follow the advice and you do get compromised you only have yourself to blame.
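The post’s worry is a copy of WordPress that looks genuine but has been altered. One practical check is to compare what is actually on the server against a pristine copy of the release. The script below is an added example, not code from the post or from WordPress: it hashes every file in a reference tree (for instance the archive you unpacked from WordPress.org) and compares it against a live install, listing files that differ, files that were added, and files that are missing. The directory names, the skipped `uploads` and `cache` directories, and the sample files are assumptions constructed for the demonstration.

```python
"""Compare a WordPress-style install against a pristine reference copy.

Added example (not code from the post or from WordPress): builds a SHA-256
manifest of a known-good release tree and reports files in the live install
that are modified, added, or missing. The directory layout below is
constructed in a temporary directory purely for demonstration.
"""
import hashlib
import os
import tempfile

# Assumption: these hold site-specific data rather than release files.
SKIP_DIRS = {"uploads", "cache"}


def sha256_file(path, chunk=65536):
    """Hash one file in chunks so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_install(reference_root, live_root):
    """Return which files in the live tree differ from, are extra to, or are absent from the reference."""
    ref = build_manifest(reference_root)
    live = build_manifest(live_root)
    modified = sorted(p for p in ref if p in live and ref[p] != live[p])
    added = sorted(p for p in live if p not in ref)
    missing = sorted(p for p in ref if p not in live)
    return {"modified": modified, "added": added, "missing": missing}


def _write(root, rel, text):
    """Helper for the constructed scenario: create a small text file under root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: the live copy has one altered core file and one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "reference")
        live = os.path.join(tmp, "live")
        for root in (ref, live):
            _write(root, "wp-login.php", "<?php // genuine login handler\n")
            _write(root, "wp-includes/pluggable.php", "<?php // genuine pluggable\n")
        # Constructed tampering: a line appended to a core file and a file that is not in the release.
        _write(live, "wp-login.php", "<?php // genuine login handler\n// unexpected addition\n")
        _write(live, "wp-content/extra.php", "<?php // not part of the release\n")
        # Site data lives under uploads and is deliberately ignored by the comparison.
        _write(live, "wp-content/uploads/2009/photo.jpg", "binary")
        return compare_install(ref, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run `compare_install` with the unpacked official archive as the reference and your document root as the live tree. Anything listed under `modified` or `added` inside the core directories needs explaining, and an empty report is one concrete reason to believe the install matches the release rather than a look-alike.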
So, if you are running WordPress 2.6.2 or earlier (especially if you are running an earlier version) then you should upgrade soonest.
Being tech-savvy, smart and (statistically speaking) a good looking reader of this site, you will have no doubt heard of Open ID. Open ID was created to allow you to have just one ID which can be used on multiple websites, meaning that you don’t need to remember lots of different user names and passwords. In the words of the site:
OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.
You get to choose the OpenID Provider that best meets your needs and most importantly that you trust. At the same time, your OpenID can stay with you, no matter which Provider you move to. And best of all, the OpenID technology is not proprietary and is completely free.
For businesses, this means a lower cost of password and account management, while drawing new web traffic. OpenID lowers user frustration by letting users have control of their login.
For geeks, OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman) and realizes that people are already creating identities for themselves whether it be at their blog, photostream, profile page, etc. With OpenID you can easily transform one of these existing URIs into an account which can be used at sites which support OpenID logins.
OpenID is still in the adoption phase and is becoming more and more popular, as large organizations like AOL, Microsoft, Sun, Novell, etc. begin to accept and provide OpenIDs. Today it is estimated that there are over 160-million OpenID enabled URIs with nearly ten-thousand sites supporting OpenID logins.
Open ID >> What is Open ID?.
So how does a single sign on affect us here and now? Well, if you browse down to the comments section (bottom of the page), just as you go to put in a witty, insightful comment you’ll see a small addition to the “website” field:
Put your Open ID into it (for example, <user ID>.pip.verisignlabs.com) and submit your comment. If you don’t have one and really want one, go to the information page How Do I Get One? and sign up with a provider of your choice. To make life even easier, once you have an Open ID and if you go via Verisign, get the Verisign Seatbelt Firefox Plugin which will automatically sign you in to the relevant enabled websites.
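Whatever gets typed into that “website” field, the first thing the blog has to do is turn it into a normalized identifier before OpenID discovery can start. The function below is an added example, not code from the post or from any OpenID plugin or library: it applies the syntactic normalization rules of OpenID Authentication 2.0 section 7.2 (strip `xri://`, recognise XRIs by their global context symbol, default to `http://`, drop the fragment) together with the parts of RFC 3986 section 6 that can be done offline, and it rejects input that cannot be an identifier. The sample identifiers are constructed, and refusing userinfo in the URL is this example’s own choice rather than a rule from the specification.

```python
"""Normalize a user-supplied OpenID identifier before discovery.

Added example, not code from the post or from any OpenID library. It follows
the syntactic rules of OpenID Authentication 2.0 section 7.2 plus the RFC 3986
section 6 steps that can be applied offline (lower-case scheme and host,
default port removal, empty path -> "/"). Following redirects to the final
URL, which the specification also requires, needs a network fetch and is left
out here. Sample identifiers are constructed.
"""
from urllib.parse import urlsplit, urlunsplit

XRI_GLOBAL_CONTEXT_SYMBOLS = ("=", "@", "+", "$", "!")
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(user_input):
    """Return (kind, normalized) where kind is "xri" or "url".

    Raises ValueError for input that cannot be a valid identifier, so a
    relying party can reject it before attempting discovery.
    """
    ident = user_input.strip()
    if not ident:
        raise ValueError("empty identifier")

    # Section 7.2: an XRI may be given with or without the xri:// prefix.
    if ident.lower().startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident.startswith(XRI_GLOBAL_CONTEXT_SYMBOLS):
        return "xri", ident

    # Section 7.2: everything else is an http(s) URL; default to http://.
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident

    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: " + scheme)
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError("identifier has no host")
    # This example's own choice, not an OpenID rule: user@host forms are refused
    # because the part before "@" can be mistaken for the real host.
    if parts.username is not None:
        raise ValueError("userinfo not allowed in an identifier")

    port = parts.port  # raises ValueError when the port is not numeric
    netloc = host if port is None or port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    path = parts.path or "/"  # RFC 3986 section 6: empty path becomes "/"
    # Fragment is dropped, query is kept as given.
    return "url", urlunsplit((scheme, netloc, path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample: a Verisign PIP style hostname as typed into the comment form.
    for sample in ("example-user.pip.verisignlabs.com",
                   "HTTPS://Example.org:443/id#me",
                   "xri://=example"):
        print(sample, "->", normalize_identifier(sample))
```

Normalization only decides which identifier is being claimed; the relying party still has to run discovery on it and verify the provider’s signed assertion before treating the commenter as that identity.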
I am a member of a few forums. All of these forums are well moderated and are free of the outside influences such as spam, warez and cracking. But why?
It could be argued that simply by joining a forum, the members (or community) would feel bound by the rules and spirit of that online forum to “be good”. After all, if they didn’t want to abide by the rules, they wouldn’t have joined, surely. Unfortunately, in these days of internet saturation, that is a somewhat naive notion – sorry.
All forums have rules and regulations, from simple one liners to fully thought out terms and conditions (along with sub-clauses and roman numerals). However, if the owners do not take steps to ensure these rules are followed and adhered to, absolute chaos ensues, the people you want to be on the boards abandon you, and your forum is unusable and empty of real members.
I can only show you the differences by example. So, the first example is LinuxQuestions.org. This is a forum with over 250,000 members and around 20 moderators (I’m one of them). The site owner is around regularly and is also regularly in touch with the moderation team. This means that he is able to respond to our questions and make sure that we make decisions in keeping with the spirit of the site and community. The vast majority of the members are well-behaved and stick to the rules. It is also pretty self-policing as there is a clear way to alert the team to any problems. Added to this, there are also anti-spam measures in force in the background and this means that LQ is pretty problem free.
Example 2 is LiteraryForums.org. This is a much smaller community, but equally well-behaved. It could be argued that the size of the community means that it is less of a target for spam as the audience is so much smaller. I have no logs, etc. to back this up, but I would say that the owner has put his measures in place to prevent spamming – moderators and other measures. This means that those automated bots don’t get a foothold. Also, the members report any problems.
The third example is the Something Awful forums. They have a prevention measure that none of the other boards do – if you want to post there you have to pay $10 to register. This immediately kills off the automated spammers because if they have to pay to spam it’s immediately useless to them. They also have a moderation team (up to 40 mods I believe for around 100,000 members) and the mods regularly get in contact with each other and discuss problems on the boards and ways to stop them getting out of hand. It is a rarity these days to charge an entrance fee – I can’t think of any other forum that still charges – but it works for them. They do not have a spam problem.
Finally, a board I am not a member of and I only became aware of it through my spam logs: http://www.games2web.com/forums/index.php – because they are a spam haven, they get no clickable link. This appears to be a genuine forum, at least it seems to have begun that way. Looking at their earliest pages there are a few posts that appear genuine. The main site is for games to embed on websites, blogs and suchlike and I have no doubt that they started out with the finest of intentions. They have no moderation team and their software appears to be outdated, unmodified phpBB forum software. Ouch. Also, their version appears to be 2 or more years old – which means unpatched security flaws and various bugs and gotchas which have probably been fixed. Effectively, the forums were set up and abandoned – assuming they were set up with honest intentions in mind. Pick any subforum and you will see wall to wall porn and viagra ads. If it is meant to be a genuine forum it should be shut down – there is no attempt to prevent bots from making it their home. Malice, incompetence or forgetfulness?
From just 4 examples, we can see the range of measures in place across multiple forums. The best forum to join is one which has a coder with some knowledge, an owner with some common sense and a team of moderators. I will discuss moderation styles across our first three examples in a later post. If you are planning to run a forum, as well as scalability and cost issues you should also think of security as one of the biggest issues.
I have been watching the debate over at WordPress Wank over the whole “is WP a bulky bloated blog tool or a fairly medium CMS tool?” question. Well, it sort of began as “whoopee a WP project is included in Google’s Summer of Code” but where nerds and geeks abound…
Anyway, that is pretty much by the by and not what I want to talk about. Read from this comment onwards. Ryan makes the throwaway comment that if that girl again is unhappy with the extra bloaty versions coming out, that it’s just as easy to revert back to version 1.5 or earlier. Yes, yes, you and I and that girl all know that that’s bollocks, particularly with the fact that WP normally updates to fix security holes. So yes, one could revert. But then you’d end up with security holes everywhere, themes not working, plugins not working and a generally crap experience for all. So that’s not a goer. But then it struck me: WP is a bunch of text files. So with this being GPL software surely there must be a method where we can be told that “a hole in version x.x.x can be fixed by changing line 4 from whatever to whatever in comments.php and so on or by installing version x.x.x+1”. That’s a naff way of putting it, but I find upgrading the whole system to be a real PITA. I would much rather just change the relevant lines by hand (or download just the required files) because that way my downtime is reduced, I know what needs to be backed up (or I can just comment out the current lines with an annotation to say “did this on x date because of y reason” and then add in the changed line from new). This means that my plugins don’t need to be switched off, I don’t need to reinstall everything and risk it all breaking. Again. And, more importantly, with this being GPL software, I know what the changes are and can decide how to implement them.
Does this sound reasonable? I know there are people out there with far more PHP experience and knowledge (there can’t be people with less, surely) and people who know the inner workings of WP. So would this work, or would it break something else? Would the lessened load on the WP servers be a good thing for people who have to download the whole thing because of inexperience or their own needs? Or am I just light headed from lack of sleep?
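The question above is whether a fix could be expressed as “change line 4 of comments.php from A to B” and applied by hand. The script below is an added example, not code from the post or from WordPress: it generates exactly that kind of line-level patch between two versions of a file, renders it as instructions, and applies it to a live copy only if the lines it expects are still there, so a file you have already edited yourself is refused rather than silently mangled. The PHP snippets are constructed samples, not WordPress source.

```python
"""Generate and apply a minimal line-level patch between two release files.

Added example, not code from the post or from WordPress. A fix is described
as "change lines N..M of file X from A to B" and is only applied when the live
file still contains A at that position; a locally edited file is refused.
The PHP snippets are constructed samples, not WordPress source.
"""
import difflib


def make_line_patch(old_text, new_text):
    """Return hunks {"start", "old", "new"}; start is a 0-based line offset into old_text."""
    old_lines = old_text.splitlines(keepends=True)
    new_lines = new_text.splitlines(keepends=True)
    matcher = difflib.SequenceMatcher(a=old_lines, b=new_lines, autojunk=False)
    hunks = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue  # replace, delete and insert all become a hunk
        hunks.append({"start": i1, "old": old_lines[i1:i2], "new": new_lines[j1:j2]})
    return hunks


def describe_patch(filename, hunks):
    """Human-readable instructions, one string per hunk, using 1-based line numbers."""
    out = []
    for h in hunks:
        first = h["start"] + 1
        last = first + len(h["old"]) - 1
        old = "".join(h["old"]).rstrip()
        new = "".join(h["new"]).rstrip()
        if h["old"] and h["new"]:
            where = f"line {first}" if first == last else f"lines {first}-{last}"
            out.append(f"{filename} {where}: replace {old!r} with {new!r}")
        elif h["old"]:
            out.append(f"{filename} line {first}: delete {old!r}")
        else:
            out.append(f"{filename} before line {first}: insert {new!r}")
    return out


def apply_line_patch(current_text, hunks):
    """Apply hunks to current_text; raise ValueError if any expected old lines differ."""
    lines = current_text.splitlines(keepends=True)
    # Check every precondition first so a mismatch leaves the file untouched.
    for h in hunks:
        actual = lines[h["start"]:h["start"] + len(h["old"])]
        if actual != h["old"]:
            raise ValueError(
                f"line {h['start'] + 1} does not match the release this patch was made for; "
                "the file has been modified locally"
            )
    # Apply from the bottom up so earlier offsets stay valid.
    for h in sorted(hunks, key=lambda h: h["start"], reverse=True):
        lines[h["start"]:h["start"] + len(h["old"])] = h["new"]
    return "".join(lines)


# Constructed samples standing in for an old and a fixed release of one file.
OLD_COMMENTS_PHP = (
    "<?php\n"
    "// constructed sample, not WordPress source\n"
    "$author = $_GET['author'];\n"
    "echo \"<p>$author</p>\";\n"
)
NEW_COMMENTS_PHP = (
    "<?php\n"
    "// constructed sample, not WordPress source\n"
    "$author = htmlspecialchars($_GET['author'], ENT_QUOTES, 'UTF-8');\n"
    "echo \"<p>$author</p>\";\n"
)
# A site whose copy was edited by hand (constructed): the patch must refuse this file.
LOCALLY_EDITED = OLD_COMMENTS_PHP.replace("$_GET['author']", "$_POST['author']")


def demo():
    """Build the patch, apply it to a pristine copy, and confirm an edited copy is refused."""
    hunks = make_line_patch(OLD_COMMENTS_PHP, NEW_COMMENTS_PHP)
    patched = apply_line_patch(OLD_COMMENTS_PHP, hunks)
    try:
        apply_line_patch(LOCALLY_EDITED, hunks)
        refused = False
    except ValueError:
        refused = True
    return hunks, patched, refused


if __name__ == "__main__":
    hunks, patched, refused = demo()
    for line in describe_patch("comments.php", hunks):
        print(line)
    print("patched copy matches new release:", patched == NEW_COMMENTS_PHP)
    print("locally edited copy refused:", refused)
```

The precondition check is the part that matters: a line-level patch only knows the release it was generated from, which is exactly why a full-file replacement is the usual upgrade path. The same refusal also answers the question of which files need backing up, since only the files the patch touches can change.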