accelerando

Tag Archives: Wordpress

Patching wp-cache for more security

04-Apr-08

I use wp-cache on all my blogs all the time. No need to wait for being slashdotted or heised.

But wp-cache comes with a security flaw. It requires the webserver to have write access to $WP_HOME/wp-content/cache and to $WP_HOME/wp-content. The first part is perfectly reasonable, the second is not.

wp-cache creates its wp-cache-config.php in that place and subsequently edits this file while being configured.

wp-cache comes with a sample config you can put in place. After that, chmod this file to 660 or something else that allows your webserver to edit it. Please don't give your webserver write access to $WP_HOME/wp-content, especially not in the face of the current attacks on WordPress bloggers as described here.

I assume you know what you're doing in the next step. All recommendations are tested and working with wp-cache 2.1.2. Open the file wp-cache.php in your favorite editor, navigate to line 471 in function wp_cache_verify_config_file and change the following code

if ( !is_writable($dir)) {
    echo "<b>Error:</b> wp-content directory (<b>$dir</b>) is not writable by the Web server.<br />Check its permissions.";
    return false;
}

to

/*
if ( !is_writable($dir)) {
    echo "<b>Error:</b> wp-content directory (<b>$dir</b>) is not writable by the Web server.<br />Check its permissions.";
    return false;
}
*/

Alternatively, you can use the file I prepared: wp-cache.php. Rename it from *.php.txt to *.php and replace the old file with it.

Read more about the attack on WP blogs here. It's shown that the attackers create a subfolder in your wp-content. So it's essential to chmod this folder to 0755, or even better to 0555 if you're paranoid, and only change it when you upload updates.
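The permission layout described in this post (wp-content not writable, wp-content/cache and wp-cache-config.php writable) can be verified from the webserver's own point of view with the following script. It is an added example, not part of the original post and not code from wp-cache. It must be run as the webserver user so that is_writable() answers the same question wp-cache's own check asks; the script name wp-content-audit.php and the user name www-data are assumptions, the path layout is the one wp-cache 2.1.2 uses.

```php
<?php
// Added example (not wp-cache's code): audit wp-content permissions as the
// webserver user. Suggested invocation (user and script name are assumptions):
//   sudo -u www-data php wp-content-audit.php /var/www/blog/wp-content

// Render the octal mode and flag group/world write bits, which are the
// usual reason a directory ends up writable by the webserver.
function describe_mode(string $path): string {
    $mode  = fileperms($path) & 0777;
    $flags = [];
    if ($mode & 0020) { $flags[] = 'group-writable'; }
    if ($mode & 0002) { $flags[] = 'world-writable'; }
    return sprintf('%04o%s', $mode, $flags ? ' (' . implode(', ', $flags) . ')' : '');
}

// Returns a list of [status, message] pairs; status is 'OK' or 'FAIL'.
function audit_wp_content(string $wpContent): array {
    $results = [];
    $cache   = $wpContent . '/cache';
    $config  = $wpContent . '/wp-cache-config.php';

    if (!is_dir($wpContent)) {
        return [['FAIL', "$wpContent is not a directory"]];
    }

    // 1. wp-content itself must NOT be writable by the webserver: the attacks
    //    mentioned in the post drop new subfolders there.
    $writable  = is_writable($wpContent);
    $results[] = [
        $writable ? 'FAIL' : 'OK',
        "$wpContent mode " . describe_mode($wpContent) .
        ($writable ? ' is writable by this user' : ' is not writable by this user'),
    ];

    // 2. The cache directory is the one place that has to be writable.
    if (!is_dir($cache)) {
        $results[] = ['FAIL', "$cache does not exist"];
    } else {
        $writable  = is_writable($cache);
        $results[] = [
            $writable ? 'OK' : 'FAIL',
            "$cache mode " . describe_mode($cache) .
            ($writable ? ' is writable' : ' is not writable'),
        ];
    }

    // 3. The config file must already exist (copied from the sample config)
    //    and be writable, because wp-cache edits it from its settings page.
    //    With the patch from the post, this is the only file in wp-content
    //    that needs to be writable.
    if (!is_file($config)) {
        $results[] = ['FAIL', "$config is missing: copy the sample config there"];
    } else {
        $writable  = is_writable($config);
        $results[] = [
            $writable ? 'OK' : 'FAIL',
            "$config mode " . describe_mode($config) .
            ($writable ? ' is writable' : ' is not writable'),
        ];
    }
    return $results;
}

$dir = $argv[1] ?? null;
if ($dir === null) {
    fwrite(STDERR, "usage: php wp-content-audit.php /path/to/wp-content\n");
    exit(2);
}
$failed = false;
foreach (audit_wp_content(rtrim($dir, '/')) as $row) {
    list($status, $msg) = $row;
    echo "[$status] $msg\n";
    if ($status === 'FAIL') { $failed = true; }
}
exit($failed ? 1 : 0);
```

The script exits non-zero if any check fails, so it can run from the same nightly cron job as a backup. Checking the mode bits alone is not enough: a directory with mode 0755 is still writable by the webserver if the webserver user owns it, which is why the script asks is_writable() as that user instead of only reading the mode.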

WordPress 2.5 and HTTP error codes

30-Mar-08

Am I the only one who's annoyed that WordPress 2.5 sends an HTTP 500 code if a commenter doesn't fill in all required fields? Internet Explorer 6 and 7 users won't see an error message but a "this page cannot be displayed!" page. Stupid decision.

Otherwise, the update went smoothly as far as I can tell.

Edit: Oh dear… To me it seems that IE6 shows a browser default page every time, and IE7 sometimes displays the WP error page and sometimes not. Can anyone confirm this?

Edit 2: It's silly. Internet Explorer masks all 500 pages whose content is below a threshold of 512 bytes with "user friendly messages". User friendly your mom. The user can turn this off as described here, but I don't think that all IE users will do this just for the WP bloggers.

To sum up: it's a plain stupid idea to use the HTTP 500 error code for errors caused by user input, since some users simply cannot read them because the messages are never displayed to them.

A muzzle for WordPress 2.3 and the Akismet plugin

26-Sep-07

As reported here and elsewhere, Dexter is somewhat talkative.

I recommend the following two-step program:

Stop sending your URL

If you have already used WordPress 2.3, use the 123 Anonymer Versionscheck 0.10. It will anonymize your data, but at least one request with personal data will still happen, namely while using the plugin page.

If you do a fresh install of WordPress 2.3, I'd go with the my-hacks.php solution, because that way no personal info will be sent.

Lots of unnecessary Akismet information

After finding the update problem this morning at Lumières dans la nuit, I read the following group. To my surprise I learned that the Akismet spam checker sends all of the $_SERVER environment variables from your server to the Akismet server. W T F?? I use Akismet myself in a custom project; there is absolutely no need to send this information. To stop sending it, open akismet.php in your favorite editor, search for and remove the following lines:

foreach ( $_SERVER as $key => $value )
    if ( !in_array( $key, $ignore ) )
        $comment["$key"] = $value;
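The loop above copies every $_SERVER entry except those in the $ignore denylist, so anything the denylist did not anticipate (cookies, document root, variables set via SetEnv) leaves the server too. If you want to keep some request headers for the spam check rather than removing the loop entirely, an allowlist is the safer shape. The following is an added example, not Akismet's own code; the set of keys in AKISMET_SERVER_KEYS and the sample $_SERVER contents are assumptions constructed for the example.

```php
<?php
// Added example (not Akismet's code): replace the denylist loop over $_SERVER
// with an explicit allowlist so only intended headers are sent along.

// Keys that may be copied from $_SERVER into the comment data. This list is
// an assumption for the example; keep it as short as your integration allows.
const AKISMET_SERVER_KEYS = [
    'HTTP_USER_AGENT',
    'HTTP_REFERER',
    'HTTP_ACCEPT',
    'HTTP_ACCEPT_LANGUAGE',
];

// Returns the comment array with only the allowlisted $_SERVER keys added.
// Unlike a denylist, a key that nobody thought about is dropped by default.
function build_akismet_comment(array $comment, array $server): array {
    foreach (AKISMET_SERVER_KEYS as $key) {
        if (isset($server[$key])) {
            $comment[$key] = $server[$key];
        }
    }
    return $comment;
}

// Constructed sample of what $_SERVER can contain on a real host; only the
// first two entries survive the allowlist.
$sampleServer = [
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed sample)',
    'HTTP_REFERER'    => 'http://blog.example/some-post/',
    'HTTP_COOKIE'     => 'wordpress_logged_in=constructed',  // dropped
    'DOCUMENT_ROOT'   => '/var/www/blog',                    // dropped
    'SERVER_SOFTWARE' => 'Apache/2.2 (constructed)',          // dropped
    'SECRET_FROM_SETENV' => 'constructed-value',              // dropped
];

$comment = [
    'comment_author'  => 'Alice',
    'comment_content' => 'Nice post.',
];

print_r(build_akismet_comment($comment, $sampleServer));
```

Running it prints the comment with only HTTP_USER_AGENT and HTTP_REFERER added. The practical difference to the original loop is the failure mode: when a hosting provider later exposes a new variable through $_SERVER, the denylist version silently sends it, the allowlist version does not.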

WordPress up-to-date checker

26-Sep-07

Yesterday I installed WordPress 2.3 without too many problems. The new up-to-date check for plugins is nice, no question, but already yesterday I thought: hm, everybody is whining about Microsoft products phoning home, nobody gives a shit about WordPress doing the same.

The Nightwatchman has an in-depth analysis of the data transferred to api.wordpress.org, read it here: Datenschutzproblem in WordPress 2.3 (Privacy problem in WordPress 2.3).

I will use the following hack to omit my URL. Alternatively, up-to-date checking can be completely disabled with this plugin.

Upgrading to WordPress 2.3 "Dexter"

25-Sep-07

At first I wanted to wait to hear some more news about the latest release of WordPress, called "Dexter" (I'm not thinking of some saxophonist, but of Dexter Morgan). But, as you know, curiosity killed the cat: I couldn't wait, and with yesterday's announcement I created a patch file (they forgot the link at wordpress.org) and patched my blog.

As danger is my middle name, I didn't back up or anything especially for the upgrade (ok, honestly, I have a nightly cron'ed backup) and ran the patch with

patch -p2 < diff-from-tags_2.2.3-r6166-to-tags_2.3-r6166.diff.txt

from my install dir, and boom, I had 2.3 (get the patch file at the WordPress Trac, for upgrading 2.2.3 to 2.3).

Things that didn't work but didn't break the blog either: Ultimate Tag Warrior. It's still there and still working. Things that didn't work were my theme and the Extended Live Archives by Sons Of Skadi.

For testing purposes, I completely disabled wp-cache.

Luckily, someone had already patched ELA; you can download a modified version here and see it in action here. Be aware that you also need the original release from above. Before this thingy works, you need to clean its cache. Otherwise you'll get some weird error messages.

The things I needed to fix in my theme were UTW related. I imported my tags into the new taxonomy scheme and finally dumped the warrior. The import worked well, but it killed the blanks in tags and replaced them with underscores. Thanks for that :/

I made the following replacements in my theme:

Purpose | UTW | WP
Show the current selected tag in archive view | UTW_ShowCurrentTagSet | single_tag_title('');
Show the tags for the current post | UTW_ShowTagsForCurrentPost("commalist") | the_tags('',', ');
Create a tag cloud | UTW_ShowWeightedTagSet("sizedtagcloud") | wp_tag_cloud('smallest=70&largest=130&unit=%&orderby=count&order=DESC');

The arguments to the functions correspond to my former UTW settings. Speaking of which: the WordPress 2.3 tagging system is completely naked. There are no settings and, what is worse, there is no such thing as a dropdown thingy while writing, just a plain text field. As a first solution, I've tried the Advanced Tag Entry WordPress plugin. It seems to work fine, but is not as comfortable as UTW.

All other plugins I use seem to work fine:

Advanced Tag Entry 1.02
Akismet 2.0.2
Chunk Urls for WordPress 2.0
Extended Live Archives 0.10beta-r18 (patched version)
FeedStats 3.0
Google Adsense widget 1.0
Google XML Sitemaps 3.0
Math Comment Spam Protection 2.1
Related Posts 2.04
Share This 1.4
Simple Trackback Validation 2.1
Subscribe To Comments 2.1.1
Tag cloud widget 1.0a (modified by myself)
Time Zone 2.2
wp-cache 2.1.2
WP-Syntax 0.6

In the meantime, I have the impression that 2.3 is somewhat slower than 2.2.3, but I may be wrong.

I'm in doubt about upgrading my other blog, planet-punk.de. I like and use tags a lot, but for the time being, the greatest DB schema doesn't help a somewhat unusable UI. Don't get me wrong, I really like the changes to the schema that are going on, but for now I see little benefit.

Another nice post with the same title as mine has some suggestions for people who ran into problems: read it at the Weblog Tools Collection.

Comment notification

18-Aug-07

I have used Subscribe to Comments on all my WordPress blogs, even before Tante asked so nicely for it…

The plugin broke with WP 2.2; if you tried to change your subscriptions, you ended up with the following message: "You may not access this page without a valid key."

So please, all you WordPress users who updated to 2.2 (you really should do this!), get the latest version of Subscribe to Comments here for satisfied readers and subscribers ;)

WordPress 2.2.1 Update / Security Fix

21-Jun-07

Some users don't see the need to upgrade ("it's just the third number, no new features", blah blah).

The developer blog mentions some severe security issues here, so I recommend upgrading as soon as possible.

Blog by mail broken in WordPress 2.2

28-May-07

Don't bother using "blog by mail" in WordPress 2.2; it's broken:

Ticket #4337 (new defect)

And there went another sunny nice rainy morning…

WordPress and UTW Upgrade

03-Apr-07

Why on earth does the 'post_type' column on my WP 2.0.x based blog have no default value? Ultimate Tag Warrior UTW3-14159265 will break and show no tags.

If anyone else has this problem, add

$typelimitsql = "(post_status = 'publish' OR post_status = 'static')";  // From previous version of utw

in ultimate-tag-warrior-core.php right before the class definition. It's taken from the previous UTW version.

Edit:
Upgrading to WP 2.1.x changed the table structure… A little hint in the UTW changelog would have been nice.
