THAT Agency Design Studio Blog

Despite increased security in versions 3.1.4 and 3.2, there are still risks in running WordPress – as there are to running any CMS, particularly those that are open-source. WordPress recently warned users to watch out for three malicious plug-ins that were available from the WordPress site for more than 24 hours.

WordPress users often depend on plug-ins to extend the functionality of the platform, and, in fact, there are scores of great choices that allow you to do everything from optimize for mobile to analyze search behaviors. It is impossible to harness the potential of WordPress without trying plug-ins, but caution is essential. WordPress recently required all of its users to change their passwords after three popular plug-ins, AddThis, WPtouch, and W3 Total Cache, were discovered to contain “cleverly disguised backdoors.” Hackers could then access accounts, according to WordPress developer Matt Mullenweg.

“We determined the [suspicious] commits were not from the authors, rolled them back, pushed updates to the plug-ins, and shut down access to the plug-in repository while we looked for anything else unsavory,” Mullenweg told users in a blog post. Each of the three affected plug-ins was very popular: AddThis and W3 Total Cache were downloaded about 500,000 times each, and WPtouch, which was free, was downloaded more than 2 million times.

There is no evidence that hackers were able to compromise the WordPress site, but Mullenweg and staff were taking all possible precautions. According to HP DVLabs, 80 percent of all WordPress-related vulnerabilities are due to plug-ins. One of the culprits is weak or reused passwords. Mullenweg says, “make sure to never use the same password for two different services.”

Paul Ducklin, head of technology for Sophos-Asia Pacific, says, “If you’re a WordPress user, you’ll know that the WordPress platform includes a complete and powerful administration interface, password-protected, via a URL such as ‘site.example/wp-admin.’ A WordPress backdoor might offer something with similar functionality, but using a different, unexpected, URL, and using a password known to the hacker, instead of to you.” Use caution and always scrutinize plug-ins for suspicious behavior.
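One way to scrutinize a plug-in is to compare the installed copy against a copy you trust (for example, a fresh download of the same version) and review every file that differs. The script below is an added example, not part of the original article; the directory names and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_plugin(installed_dir, reference_dir):
    """Report files that differ between the installed plug-in and a trusted copy."""
    installed = hash_tree(installed_dir)
    reference = hash_tree(reference_dir)
    return {
        "modified": sorted(f for f in installed.keys() & reference.keys()
                           if installed[f] != reference[f]),
        "added": sorted(installed.keys() - reference.keys()),
        "missing": sorted(reference.keys() - installed.keys()),
    }


def demo():
    """Build two constructed plug-in trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp, "reference", "sample-plugin")
        live = Path(tmp, "installed", "sample-plugin")
        for base in (ref, live):
            (base / "inc").mkdir(parents=True)
            (base / "sample-plugin.php").write_text("<?php /* main file */\n")
            (base / "inc" / "helpers.php").write_text("<?php /* helpers */\n")
            (base / "readme.txt").write_text("Sample plug-in\n")
        # Constructed drift: one file changed, one added, one deleted.
        (live / "inc" / "helpers.php").write_text("<?php /* helpers, edited */\n")
        (live / "inc" / "extra.php").write_text("<?php /* not in reference */\n")
        (live / "readme.txt").unlink()
        return compare_plugin(live, ref)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Any entry under "modified" or "added" is a file to read before trusting the plug-in; an empty report only means the installed copy matches the reference, so the reference itself has to come from a source you trust.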


Lately I have been on this WordPress theme kick. I have created a couple of new themes that are currently in the process of being added to the WordPress themes section. And since I never really worked with WordPress too much, I spent some time looking at “how-tos” and other people's theme development. Some I found great, some I didn’t. All in all, the power of WordPress is amazing, and with that being said, I decided to put a little list together: a small roundup of some hacks and enhancements that I found useful and hopefully you do too.




Adding Author Avatar to posts

The '55' is basically the width, so you can change it to whatever suits your design.

<?php echo get_avatar( get_the_author_meta( 'user_email' ), '55' ); ?>




Adding User Comment Avatars

The '40' is basically the width, so you can change it to whatever suits your design.

<?php if(function_exists('get_avatar')) { echo get_avatar($comment, '40'); } ?>




Highlight Admin Comments

Replace this:

<li <?php echo $oddcomment; ?>id="comment-<?php comment_ID() ?>"></li>

With this:

<li class="<?php if ($comment->user_id == 1) $oddcomment = "authorCommentBox"; echo $oddcomment; ?>"></li>

CSS:

.authorCommentBox{ background-color: #ecf584 !important; }




Simple Social Network Links

Had some issues with the title of the post including %20 and such, so wrote something quick to handle that, plus creating a bit.ly URL on the fly for the post:

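<?php
/* make a URL small */
function make_bitly_url($url, $login, $appkey, $format = 'xml', $version = '2.0.1')
{
	// create the URL; every parameter is URL-encoded so it cannot break the query string
	// note: the login and API key travel in the query string of this plain-HTTP request
	$bitly = 'http://api.bit.ly/shorten?version='.urlencode($version).'&longUrl='.urlencode($url).'&login='.urlencode($login).'&apiKey='.urlencode($appkey).'&format='.urlencode($format);

	// get the URL
	// could also use cURL here
	$response = file_get_contents($bitly);
	if ($response === false)
	{
		return $url; // request failed: fall back to the long URL
	}

	// parse depending on desired format
	if (strtolower($format) == 'json')
	{
		$json = json_decode($response, true);
		// fall back to the long URL if the response is not in the expected shape
		return isset($json['results'][$url]['shortUrl']) ? $json['results'][$url]['shortUrl'] : $url;
	}
	else // xml
	{
		$xml = simplexml_load_string($response);
		return ($xml === false) ? $url : 'http://bit.ly/'.$xml->results->nodeKeyVal->hash;
	}
}
/* usage */
//$short = make_bitly_url('http://yoursite.com','USERNAME','API-KEY','json');
//echo 'The short URL is:  '.$short;
// returns:  http://bit.ly/11Owun
?>
<?php
// use the post's own permalink: HTTP_HOST and REQUEST_URI are supplied by the client
$permaURL = get_permalink();
$post_url = make_bitly_url($permaURL, 'USERNAME', 'API-KEY', 'json');
?>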

Add This:

<a href="http://twitter.com/home?status=<?php echo urlencode('@that_agency '.get_the_title().' '.$post_url); ?>">Twitter</a>
<a href="http://www.facebook.com/sharer.php?u=<?php echo urlencode(get_permalink()); ?>&amp;t=<?php echo urlencode(get_the_title()); ?>">Facebook</a>
<a href="http://delicious.com/save?url=<?php echo urlencode(get_permalink()); ?>&amp;title=<?php echo urlencode(get_the_title()); ?>">de.licio.us</a>
<a href="http://digg.com/submit?phase=2&amp;url=<?php echo urlencode(get_permalink()); ?>&amp;title=<?php echo urlencode(get_the_title()); ?>" rel="external">Digg</a>
<a href="http://stumbleupon.com/submit?url=<?php echo urlencode(get_permalink()); ?>" rel="external" title="StumbleUpon">StumbleUpon</a>
<a href="http://technorati.com/faves?add=<?php echo urlencode(get_permalink()); ?>" rel="external" title="Technorati">Technorati</a>
<a href="http://scriptandstyle.com/submit?url=<?php echo urlencode(get_permalink()); ?>&amp;title=<?php echo urlencode(get_the_title()); ?>">Script&amp;Style</a>




Using Normal Quotes Instead of Curly Quotes

Add this to your functions.php (If you don’t have one, then create one.)

<?php remove_filter('the_content', 'wptexturize'); ?>




Display Feedburner Subscriber Count

via (wprecipes)

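<?php
	$fburl = "https://feedburner.google.com/api/awareness/1.0/GetFeedData?uri=feed-id";
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_URL, $fburl);
	$stored = curl_exec($ch);
	curl_close($ch);
	// curl_exec() returns false on failure; only parse a real response
	$grid = ($stored !== false) ? simplexml_load_string($stored) : false;
	if ($grid !== false) {
		// cast to int so only a number is ever printed into the page
		$rsscount = (int) $grid->feed->entry['circulation'];
		echo $rsscount;
	}
?>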

As you can see, WordPress offers a wide variety of integrations for customizing your own theme. This list is just the tip of the iceberg. There are so many other things that WordPress is able to do.

Do you know of any more? Let me know.
