Retiring WordPress version check

I was reminiscing today on what the world was like when I released my WordPress version check plugin back in 2005.

What a different world it was: upgrading WordPress took time, and people just didn’t bother even though new versions containing security fixes had been released.

Now we are just about to get WordPress 2.8, people can upgrade with the click of a button, and there hasn’t needed to be a security release for WordPress 2.7. How things change.

In celebration of this I have decided to take down the web service which supported the plugin, and have started the shutdown process by changing the message it returns to point to this blog post. So please uninstall the plugin and rely on the update notification that has been built into WordPress for a few releases now.

Oh, and don’t forget: if you’re one of those people who has been ignoring these messages and are still running v1.5.2 (yes, you know who you are) then please upgrade.

Responsible security releases

It’s great to see that the Habari guys are committed to security as well as functionality and are providing security updates for their pre-1.0 software. It is a pity to see that they don’t disclose much in their security announcements.

For me, responsible open security practices should mean that, as well as providing a quick response to security issues, you provide enough detail about the issue to your users to allow them to make a judgement call about how important the upgrade is to them. Do they need to do the upgrade immediately because the issue is easy to exploit, or can it wait till the weekend when they have more time to ensure they have a backup and a plan for when the upgrade goes wrong?

Unplanned downtime

Due to hardware issues this site has seen some unplanned downtime of late. The server that was hosting this site (and providing smtp/imap/dns/ircbot services for ftwr.co.uk) started playing up and would randomly lock up hard. After a few days of trying to resolve these hardware issues I decided that it was time for a two-pronged response – build a new server to replace the current one and start to move some of the services off onto a VPS.

I had been planning for a while to get a Slicehost VPS to move all the web properties onto so as to have more bandwidth available for visitors – this site was shifting 5G of traffic a month up my ADSL connection on its own!

Hopefully all of this site should be running fine now that I have got apache2/mysql tuned to run in the limited environment of my 256M slice and wp-super-cache up and running.

Please let me know if anything is broken!

Pwnie’s 2008

WordPress seems to have had the dubious pleasure of being nominated for the 2008 Pwnie Awards in the “Mass 0wnage” category:

It seems like hardly a week goes by without a new vulnerability in WordPress or one of its many plugins. Many of them are actively being exploited to own popular WordPress blogs and use them to serve spam or client-side exploits to unsuspecting visitors. The popularity of WordPress combined with the abysmal security practices of WordPress plugin developers places the entire Internet at risk and is worthy of a nomination.

To be fair, many of the vulnerabilities that are reported are within plugin code rather than the core. For more information on the CVEs reported for WordPress and WordPress plugins this year you can head over to the codex.


WordPress 2.3.2

WordPress 2.3.2 has hit the streets as a late Christmas/early New Year present for you all; it includes a security fix. You can read a more detailed look at the changes over on my other blog.


WordPress 2.3.1

WordPress 2.3.1 has hit the streets including one security fix. You can read a more detailed look at the changes over on my other blog.


SQL Sanitization

This just made me laugh out loud.


Improving the WordPress Generator

For WordPress v2.4 I have introduced some changes to the way in which all of the generator tags present in the output from WordPress are generated.

The generator tags/comments were previously hard coded in the following places: the theme’s header.php, all of the feed generation files, and the export generation process. I have now centralised the generation process into three functions in wp-includes/general-template.php: get_the_generator, the_generator and wp_generator. The new functions provide an array of filters to enable you to modify the generator output or remove it completely if you so wish. The standard WordPress XHTML generator tag is now generated on the wp_head hook rather than needing to be hard coded into the theme’s files – this does mean that themes with a generator tag in them will now have two, but it does reduce the number of things a theme author needs to remember to include in the theme files.

For example, if you are creating an HTML theme rather than an XHTML theme then you will want to add the following to your theme’s functions.php file, which will ensure that the default generator tag output by WordPress on the wp_head hook is the HTML one:

// Tell wp_generator() to emit the HTML generator tag instead of the default XHTML one.
function i_want_html_generator()
{
    return 'html';
}
add_filter('wp_generator_type', 'i_want_html_generator');

Another use of the newly available filters is, for example, to hide the fact that your site is running WordPress or to mask the version of WordPress that you are running. In order to do this the new functions have a variety of filters available. As we have already seen there is a filter to enable you to determine the type of generator output in your theme; the other filters available are the_generator and get_the_generator_$type, where $type is the name of the specific generator type you want to filter or hide. You can hide all of the generators on your blog with one simple plugin containing the following code:

// Return an empty string for every generator type, so nothing is output at all.
function i_want_no_generators()
{
    return '';
}
add_filter('the_generator', 'i_want_no_generators');
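As an added example (not code from this post or from WordPress itself), here is a small plugin that keeps the generator tags but strips just the version number from each of them, using the the_generator filter described above. It assumes the filter receives the generator type as its second argument and that the tags are formatted as in the WordPress core of the time; the plugin and function names are made up.

```php
<?php
/*
Plugin Name: Mask WordPress Version (example)
Description: Strips the WordPress version from every generator tag, leaving the tag itself in place.
*/

// Hooked on 'the_generator', which wraps every generator type (xhtml, html,
// rss2, atom, rdf, comment, export). Assumption: the filter passes the
// rendered tag and the type name; the tag formats below are assumed from
// the core output of the time.
function mask_wp_generator_version( $gen, $type = '' ) {
    $version = get_bloginfo( 'version' );
    if ( '' === $gen || '' === $version ) {
        return $gen;
    }
    // The WXR export is produced from the admin area, not served to
    // visitors, so leave its generator comment untouched.
    if ( 'export' === $type ) {
        return $gen;
    }
    $v = preg_quote( $version, '/' );

    // Generator URLs in the rss2/rdf/comment feeds carry the version as ?v=2.x
    $gen = preg_replace( '/\?v=' . $v . '/', '', $gen );
    // The Atom <generator> element carries it as a version="2.x" attribute
    $gen = preg_replace( '/\s+version="' . $v . '"/', '', $gen );
    // The <meta> tags say "WordPress 2.x"
    $gen = preg_replace( '/WordPress ' . $v . '/', 'WordPress', $gen );

    return $gen;
}
// Priority 10, and accept both arguments so $type is available to the callback.
add_filter( 'the_generator', 'mask_wp_generator_version', 10, 2 );
```

Masking the generator does not remove other places the version is disclosed, such as readme.html in the web root, so treat it as tidying up output rather than as a security control.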

If you want to read more about the reasons behind these changes then please see the related trac tickets, #4803 and #5085, or read the code itself in the changeset [6195].
