Archive for the 'Site News' Category

If your account here is gone, here’s why…

Saturday, September 13th, 2008

For the last few weeks, I’ve been getting hundreds of registrations here, and given (a) there’s no reason to register except to post a comment, and (b) there aren’t very many comments posted, I figured something was up. Until yesterday, though, I didn’t know what was going on. Now, thanks to the WordPress 2.6.2 release, I do:

With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.

In other words, by registering often enough with specially-crafted usernames, you may eventually be able to force the admin user’s password to be reset to something random, and you may know that random password. Scary stuff. So today, I upgraded to 2.6.2, and cleaned out the vast majority of recently-created accounts.

If you’d signed up for a legit account and I zapped it, please just register again — and sorry for the inconvenience.

Blogging via the iPhone

Tuesday, July 22nd, 2008

Today, WordPress released WordPress for iPhone. So I thought I’d try it out–given how little I post here, any excuse to write something is worth a shot!

Anyway, we bought this electric pump to inflate our kids’ pool. I found the combination of the warning and the left-hand image somewhat at odds with each other! (In case the image isn’t clear, that’s the pump being used to inflate a child’s swimming pool, which is not generally considered an “indoor household” item.)


Now speaking WordPress 2.5

Sunday, March 30th, 2008

After a mostly-painless upgrade, we’re now running WordPress 2.5. About the only hiccup is that the Addicted to Live Search plug-in (which I am addicted to) doesn’t seem to work right with anything other than the default permalink style. (Permalinks are the URLs for individual stories.)

The default permalink style is ugly and doesn’t necessarily work well with search engines, but I love the search feature so much I’m using them for now…hopefully the plug-in will be patched in the near future.

Update on WordPress attack…

Monday, March 24th, 2008

After some investigation with help from a couple of very useful people (thanks, chays, Ryan, and Donncha), we’ve determined that the files I found on my server were placed there as a result of the WordPress 2.3.2 vulnerability, even though my site had been updated to 2.3.3.

To make a long story short, if your site was affected by the 2.3.2 vulnerability, you must change your admin passwords. While the attackers can’t get the actual password, they can continue to log in as admin even after you upgrade to 2.3.3. That’s because the cookie they received when exploiting the hole in 2.3.2 will still work in 2.3.3 — unless you change your password.

In everything I read about the 2.3.2 exploit, I didn’t see anything about the passwords being exposed, so I didn’t change it when I upgraded to 2.3.3. Lesson learned…

New WordPress attack floating around…

Sunday, March 16th, 2008

I use a shell script to back up my web sites each day — it exports and downloads a SQL file of the database contents, as well as rsyncs the actual HTML files. When I was checking the log file for last night’s downloads, I noticed something very strange in the output:

  receiving file list ... done
  ./
  html/wp-content/
  html/wp-content/1/
  html/wp-content/1/3c-texas-holdem-poker.html
  html/wp-content/1/american-poker.html
  html/wp-content/1/bonus-code-party-poker.html
  html/wp-content/1/casino-poker-gratis.html
  html/wp-content/1/come-giocare-a-poker.html
  html/wp-content/1/come-giocare-poker.html
  ....
  ....

In total, there were 71 files in the newly-created 1 folder: 70 .html files, and one g.js file. There was also a new oddly-named backup folder, and the index.php file in wp-content (which is just a blank placeholder) had been replaced with basically the same file but with an added line break on the first line.

I googled on some of the .html filenames, and found a number of WordPress sites with the same issue (the “1” folder), but nobody who was talking about the cause of the problem. So I posted about it to the WordPress forums, where someone pointed me to this page, which contains at least a little more background on the issue. I’m also posting some of the html filenames here, in case others are searching for more information on the attack.

As of now, I don’t know how they got in (though I suspect via one of the plug-ins), but I don’t think it’s through any sort of direct site access: none of the site’s other files and folders were changed, nor were any posts or comments created. It also doesn’t seem to be an automated attack, as the 1 folder hasn’t returned after I manually removed it yesterday. But if you run WordPress, keep an eye on your wp-content folder for anything other than what should be there: index.php, plugins, and themes by default. If/when I find out more about this, I’ll post a follow-up.
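One way to automate that check against the daily backup log, as an added example that is not the blog’s own backup script: the site root html/ and the allow-list (index.php, plugins, themes) come from the post above, and the sample log lines are constructed to match the rsync output quoted in it.

```shell
#!/bin/sh
# Added example, not the blog's own backup script: scan an rsync
# "receiving file list" log for paths under wp-content/ that a default
# WordPress install would not contain. The site root (html/) and the
# allow-list (index.php, plugins, themes) are taken from the post.

# Constructed sample log, modelled on the output quoted in the post.
SAMPLE_LOG='receiving file list ... done
./
html/wp-content/
html/wp-content/index.php
html/wp-content/plugins/akismet/akismet.php
html/wp-content/themes/default/style.css
html/wp-content/1/
html/wp-content/1/american-poker.html
html/wp-content/1/g.js
html/wp-content/backup-x9/
html/index.php'

# Reads an rsync log on stdin and prints each transferred path under
# html/wp-content/ whose first path component is not on the allow-list.
flag_unexpected_wp_content() {
    awk '
        $0 ~ "^ *html/wp-content/[^/]" {
            sub("^ *", "")                  # drop rsync indentation
            top = $0
            sub("^html/wp-content/", "", top)
            sub("/.*", "", top)             # keep only the first component
            if (top != "index.php" && top != "plugins" && top != "themes")
                print $0
        }'
}

# Number of flagged entries in the sample log; anything non-zero means
# "go look at wp-content/" (suitable as a cron job exit condition).
count_unexpected() {
    printf '%s\n' "$SAMPLE_LOG" | flag_unexpected_wp_content | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | flag_unexpected_wp_content
```

Run against the real log by replacing the sample with the rsync output of the nightly backup; the four flagged lines in the sample are exactly the 1/ folder, its contents, and the odd backup folder the post describes.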

Site upgrade complete

Saturday, February 9th, 2008

We’re now running the latest version of WordPress — if you run WordPress and aren’t on 2.3.3 yet, I strongly recommend upgrading, or at least patching your xmlrpc.php file. There’s a security problem with that file in older WordPress releases, as detailed in this WordPress blog post:

If you have registration enabled, a flaw was found in the XML-RPC implementation such that a specially crafted request would allow a user to edit posts of other users on that blog.

This actually happened here; two posts were modified to include links to malware and ringtone sites.

Most everything is back up and working as it was before, though sadly, the King Login widget, which allowed logins directly in the sidebar, doesn’t work at all with 2.3.3, so it’s been disabled. While working on the upgrade, my comment spam blocker was offline for all of 10 minutes or so. During that time, three anonymous spammy comments were submitted — sheez!

Catching up on my Macworld writing

Monday, October 8th, 2007

Once again, I’ve fallen behind in posting summaries of my Macworld articles here. I’ve now rectified that, and you’ll find them all in the archives here on the proper date (i.e. the date that matches their appearance on Macworld.com). I’ve included both blog entries (rants, usually) as well as a couple of reviews and such that I’ve worked on.

Random header images for WordPress

Sunday, March 18th, 2007

I’ve finally migrated my family’s site over to the latest version of WordPress, and installed pretty much the same batch of plug-ins and widgets as I use here. However, I wanted something else, too–a randomly-selected image for the header of the site that changes each time the page is loaded, as seen in these four sample pictures:

(The header images are just sections I’ve snipped out of photos we’ve taken, with an artsy Photoshop filter of some sort applied.)

I searched the web, and there are a few plug-ins that offer this ability, but they came either too feature-rich, or required some additional JavaScript to work properly. I wanted the most simple, basic, and functional header image rotation solution I could find…so I wrote my own, which required all of two lines of code. I’m posting it here so that (a) I remember how I did it, and (b) in case anyone else wants a simple solution, they’ll be able to find it with some help from Google (our family’s site is access restricted, so posting it there wouldn’t do much good…and it would confuse my relatives, who are used to only seeing pictures of our kids there!)

My first WordPress plug-in: custom registration

Friday, March 9th, 2007

Over the last couple of evenings, I created my first-ever WordPress plug-in, which I wrote to make it easier to customize the WordPress registration (and login) screen. As distributed, the stock version of WordPress uses a really not-very-nice registration screen–it features the WordPress logo (embedded in a background image), and links back to the WordPress site. If you wish to modify the login screen, you have to change some files in the WordPress core–and that means that every time you update, you have to remember to redo those customizations. Far from ideal…

So I took some time to read about creating WordPress plug-ins, then studied up on the available hooks to see if what I wanted to do was possible. The good news is that, as of WordPress 2.1, it was possible–and quite simple (even for my very-limited PHP skills).

After a few error-filled attempts, I wound up with a working plug-in that creates a nicely-customized registration screen, all without changing any core WordPress code–you can see the results on the registration page. (This is roughly what it looked like under WordPress 2.0, but I created that page by modifying the core WordPress files.)

If anyone wants this plug-in, feel free to grab it (36KB download)–there are some basic instructions in the customreg.php file, but I wouldn’t describe it as heavily documented. Also, I’m not sure how well it works with the default login screen, as I use the King Login sidebar widget for login in the sidebar. What I’d really like to do is figure out how to display the registration form with the header, sidebar, and footer–but after some basic investigation, I think that project is beyond my skills. So for now, this is officially good enough.

Rework the WordPress administration screens

Wednesday, March 7th, 2007

As much as I love WordPress, I’ve always found the administration screens to be somewhat difficult to follow–there are menus and buttons and form elements all over the place, it seems, and I always have to hunt a bit before I find the option I’m looking for.

As of today, though, that’s all changed. While looking around for an easy way to customize the WordPress registration screen (without resorting to modifying the core code, which is what’s seemingly required today), I stumbled upon Steve Smith’s WordPress Tiger Administration plug-in. This amazing plug-in–and it’s 100% CSS and images; there are no code tweaks at all–completely changes the WordPress admin screens’ layout. Here’s a shot of the new look (click for a much larger and clearer view):

Ah, much nicer! Main categories go down the left side, and any menus within a category go across the top. I find this a much more logical layout, and much simpler to use. Highly recommended, and about as easy as it gets–download, expand, upload the folder, enable the plug-in, done. The admin layout changes the instant you activate the plug-in (and changes back when you deactivate it).

If you use WordPress, I highly recommend this plug-in–and I’ll be sending a donation to Steve Smith later today, to thank him for his efforts!