WordPress 2.0.5-Ronan Released.

The latest update to the stable branch of WordPress has been released. This update includes a large number of bug fixes and some security fixes. Those of you interested in a summary of the updates can read through Mark’s blog post which details the bigger fixes. Those of you interested in a simple upgrade using a set of changed files or a diff file can head over to another of Mark’s blog posts which provides these.

Hopefully this will be the last release on the 2.0 stable branch before WordPress 2.1 is released later this year.

Pervasive wireless networks

The number of broadband providers in the UK providing free wireless routers with consumer broadband connections is leading to secured wireless networks popping up everywhere. This could be seen as a good thing; after all, at least they are all secured by default out of the box. However, they seem to be very aggressive in trying to get the best channel for use to ensure that it always works for their end users. Recently this has meant that my personal wireless network, which has had the airwaves to itself for the past 2.5 years, has been struggling to cope with the competition. In the end the wireless router in question, a Buffalo WBR-G54, has taken to dropping wireless network connections and randomly resetting, causing wired network connections to drop as well.

I decided therefore to search out a replacement device with which to run my wireless network. After struggling with getting IPsec pass-through to work with the Buffalo router I had already invested in a D-Link DI-604, so I decided to search for a small wireless access point to provide the wireless aspect of my home network. After a bit of research I settled on the Apple AirPort Express, which seemed to provide the functionality I required. The small size was an added bonus, and after my recent positive experiences with the MacBook I had purchased to replace my ageing 800MHz Celeron laptop I felt an Apple product would be easy to use and reliable – lasting longer than the 2.5 years the previous wireless router had.

However, a small amount of research around the web led me to a number of reports which implied that some, if not all, AirPort Express routers seemed to last about 18 months of usage before giving up the ghost. After much deliberation I decided to bite the bullet and see whether the current product was up to scratch. (Expect an update in a year or so when I see how well it lasts!)

A new kind of pingback spam

Today I received the first of what I think might be a new kind of pingback spam. One which passes all the usual checks – i.e. the source site contains a link back to the post pingbacked (or at least does at the time the pingback occurs) and supports the pingback specification.

Basically what the spammers appear to be doing is creating the spammy article and then designating a paragraph at the end of the message to temporarily contain an outgoing link. They then automate the manipulation of this paragraph and the sending of pingbacks so as to get linkbacks to their article from multiple remote sites. This means that for approximately a five minute period around the time at which you receive the pingback your site is linked. Then they move on to another target and you are no longer linked but, they hope, are still linking back to them.

What can we do to fight against this type of pingback spam? I think a new spam rule for validating pingbacks is to ensure that the extracted pingback content contains more than just a link to your post and actually includes some text as well. For example the following, as extracted pingback content, would be treated as possible spam:

[…] http://example.com/my-post […]

To counteract this new kind of pingback spam I’ve hacked together a simple Spam Karma 2 plugin which gives a -5 karma hit to pingbacks containing one link as their whole content to force them into moderation (by default pingbacks get a +4 bonus as they are harder to spoof than trackbacks).

You can download the Spam Karma 2 plugin here: sk2_pjw_pingback_plugin.0.01.zip

Installing is as easy as:

  1. Install Spam Karma 2
  2. Activate Spam Karma 2
  3. Unzip the plugin into the sk2_plugins directory within the SK2 directory in your plugins folder. (e.g. wp-content/plugins/SK2/sk2_plugins/)
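
The link-only rule described above can be sketched as a stand-alone check. This is an added example, not the code of the plugin offered for download and not Spam Karma 2's plugin API: the function and constant names are hypothetical, and only the +4 and -5 values come from the post. It goes slightly beyond the single case shown by also treating an anchor element (with its link text) and entity-encoded truncation markers as "just a link".

```php
<?php
// Added example. Function and constant names are hypothetical; this is not
// Spam Karma 2's plugin API. The +4 and -5 values are the ones the post quotes.
const PINGBACK_BONUS = 4;
const LINK_ONLY_PENALTY = -5;

// Return the letters and digits left in an excerpt once links, markup and
// punctuation (which includes the "[...]" / "[…]" truncation markers) are removed.
function pingback_residual_text(string $excerpt): string
{
    $text = html_entity_decode($excerpt, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $steps = [
        '~<a\b[^>]*>.*?</a>~isu',       // anchors, together with their link text
        '~<[^>]*>~u',                   // any other markup
        '~\b(?:https?://|www\.)\S+~iu', // bare URLs
        '~[^\p{L}\p{N}]+~u',            // punctuation, markers and whitespace
    ];
    foreach ($steps as $pattern) {
        // preg_replace() returns null on invalid UTF-8; treat that as "no text"
        // so a malformed excerpt is penalised rather than waved through.
        $text = preg_replace($pattern, ' ', $text) ?? '';
    }
    return trim($text);
}

// True when the excerpt carries nothing except the link itself.
function pingback_is_link_only(string $excerpt): bool
{
    return pingback_residual_text($excerpt) === '';
}

// Karma contribution: the default bonus, minus the hit for link-only content.
function pingback_karma(string $excerpt): int
{
    return PINGBACK_BONUS + (pingback_is_link_only($excerpt) ? LINK_ONLY_PENALTY : 0);
}

// Constructed sample excerpts: two link-only pingbacks and one with context.
$samples = [
    '[…] http://example.com/my-post […]',
    '[&#8230;] <a href="http://example.com/my-post">http://example.com/my-post</a> [&#8230;]',
    '[...] a useful write-up at http://example.com/my-post on pingback checks [...]',
];
foreach ($samples as $excerpt) {
    printf("%+d  %s\n", pingback_karma($excerpt), $excerpt);
}
```

A link-only excerpt ends up with a negative contribution, while an excerpt with surrounding text keeps the full pingback bonus.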

WordPress 2.0.4 released (Security update)

WordPress v2.0.4 has been released with a number of security updates so it is well worth upgrading.

To simplify the upgrade process I decided again to try generating a diff file between 2.0.3 and 2.0.4 and using that to patch my sites rather than uploading a full set of new files. The process for generating the diff file is actually simpler than the one I used last time!

Here is the process I took on my local machine to generate the diff file:

  1. Generated the patch file with svn diff using the following command (all on one line):

    svn diff http://svn.automattic.com/wordpress/tags/2.0.3 http://svn.automattic.com/wordpress/tags/2.0.4 > ~/2.0.3-to-2.0.4.patch

I then uploaded the patch file to my server and placed it in my home directory and applied the patch as follows: