Posts tagged with ‘wordpress’

 

Not long ago, word went around to upgrade WordPress to its latest version, 2.8.4. Robert Scoble suffered real losses: hackers broke in and deleted some of his blog posts. On top of that, they placed malicious code in his archive pages, and Google sent him an email stating that it had removed his blog from its index.

I would be terribly upset if such things happened to me. I keep updating WordPress just in case. But what happens when it does get hacked? Are the WordPress developers to blame? One of the things brought up is custom plugins being incompatible with the new WordPress release. I hate to say this, but when it comes to security it is still more important to temporarily disable the plugin and fix it ASAP than to hold off on upgrading. The risk is just too high.

And backups. Do them frequently. If it's hard to do backups, just pay your host to do them for you. I pay mine to handle that stuff for me. I'm not too clever with all the backup utilities; I never had the time to explore them.
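A minimal backup routine, as an added example that is not part of the original post: it reads the database credentials out of wp-config.php, dumps the database if mysqldump is installed, tars the whole WordPress tree (dotfiles included) and writes a checksum file so a restore can detect a truncated or tampered archive. The function names, the paths and the 14-day retention are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes a standard WordPress
# tree with wp-config.php at its root and a GNU or BSD userland (tar, gzip, find).

# Pull the value of define('NAME', 'value') out of wp-config.php.
wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name, e.g. DB_NAME
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# sha256sum on Linux, shasum where it is missing (macOS, some BSDs).
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Back up one WordPress install. Prints the path of the checksum file it wrote.
wp_backup() {
    # $1 = WordPress root, $2 = directory that receives the backups
    root=$1 dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    cfg=$root/wp-config.php
    mkdir -p "$dest"

    # Database: credentials come from wp-config.php. The password is passed via
    # MYSQL_PWD rather than on the command line so it does not show up in `ps`.
    # DB_HOST may carry a :port suffix, which -h does not accept, so strip it.
    if [ -f "$cfg" ] && command -v mysqldump >/dev/null 2>&1; then
        db=$(wp_config_value "$cfg" DB_NAME)
        user=$(wp_config_value "$cfg" DB_USER)
        host=$(wp_config_value "$cfg" DB_HOST)
        MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
            mysqldump --single-transaction -h "${host%%:*}" -u "$user" "$db" \
            | gzip > "$dest/db-$stamp.sql.gz"
    else
        echo "mysqldump not found, skipping the database dump" >&2
    fi

    # Files: the whole tree as one archive. Naming the directory rather than
    # using * keeps dotfiles such as .htaccess in the backup.
    tar -C "$(dirname "$root")" -czf "$dest/files-$stamp.tar.gz" "$(basename "$root")"

    # Checksums over everything written in this run.
    ( cd "$dest" && _sha256 ./*-"$stamp".* > "$stamp.sha256" )
    echo "$dest/$stamp.sha256"
}

# Re-check a backup set against its checksum file (non-zero exit on mismatch).
wp_backup_verify() {
    ( cd "$(dirname "$1")" && _sha256 -c "$(basename "$1")" >/dev/null )
}

# Drop archives older than $2 days (default 14) so the disk does not fill up.
wp_backup_prune() {
    find "$1" -type f \( -name '*.gz' -o -name '*.sha256' \) -mtime +"${2:-14}" -exec rm -f {} +
}

# Usage: sh wp-backup.sh /var/www/blog /var/backups/blog   (cron-friendly)
if [ $# -eq 2 ]; then
    sums=$(wp_backup "$1" "$2") && wp_backup_verify "$sums" && wp_backup_prune "$2"
fi
```

Run it from cron as the user that owns the files, and copy the destination directory off the box; a backup that lives on the same disk as the blog disappears with it.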

One of the comments in Scoble’s Friendfeed caught my attention:

This recent wave of WordPress incidents shows the negative side of using open source software. Matt says that there are many people looking into WordPress’ source code, but the problem is that probably half of those people have malicious reasons for doing so. – Nikolay Kolev

To which Matt of WordPress fame replied:

Nikolay, it’s always better to have more people looking at the code, because a bug that’s been found is better than a bug that hasn’t. WordPress used to get almost no security problems and people thought it was because it was coded differently, when in fact it was coded far worse than it is today; it just didn’t have enough users to make it worthwhile to target. Also, where many commercial or proprietary companies try to minimize information about their problems or sit on a fix for months so they can package a bunch into one update, we put everything out there, doing a new release as soon as possible after a problem has been reported. – Matt Mullenweg

Here’s another response from another user, Tim:

Nikolay: I would also push back against your assumption that using Open Source software equals less security. Microsoft Windows and OS X are both closed source and both have security holes – there is a competition each year to help MS and Apple find them and fix them. Both Apple and Microsoft came away with security holes to fix this year. So just because it’s open source doesn’t automatically make it more open to security holes. I agree with Matt and believe that having the source open to all makes fixing the holes much quicker. – Tim

I think I can relate to this…

Anyway, Matt also wrote an article on How to keep WordPress secure.

 

As planned, Apache is no more. Say hi to Lighty


I made a few silly mistakes along the way and even almost deleted my folder of pictures by accident. Things got a little more responsive. I haven’t used any caching solutions for WordPress. Caching is going to be tough work.

I just let PHP CGI spawn happily:

PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
2655 www-data  16   0 99816  31m 3804 S    0 12.4   0:22.67 php-cgi
2651 www-data  16   0 96060  29m 3308 S    0 11.6   0:04.91 php-cgi
2656 www-data  16   0 93976  26m 3968 S    0 10.2   0:24.59 php-cgi
2654 www-data  16   0 94008  26m 3856 S    0 10.2   0:24.88 php-cgi
2653 www-data  16   0 91612  25m 3200 S    0  9.8   0:03.52 php-cgi
2657 www-data  16   0 89840  22m 3784 S    0  8.7   0:24.06 php-cgi
2652 www-data  16   0 89580  22m 3980 S    0  8.6   0:04.27 php-cgi
2650 www-data  16   0 86716  20m 3196 S    0  8.0   0:03.94 php-cgi
2313 mysql     15   0  139m  17m 4368 S    0  6.7   0:19.83 mysqld
2649 www-data  23   0 71676 6232 3708 S    0  2.4   0:00.01 php-cgi
2647 www-data  23   0 71676 6224 3708 S    0  2.4   0:00.02 php-cgi
2672 root      15   0 53468 2696 2136 S    0  1.0   0:00.00 sshd
2645 www-data  15   0 55084 2628  892 S    0  1.0   0:00.22 lighttpd
2433 root      15   0 36676 2124 1676 S    0  0.8   0:00.00 master

Lighttpd doesn’t exactly take up a lot of resources either.
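The listing above is easier to judge once the per-process numbers are totalled per command, since ten php-cgi workers at 20 to 30 MB each add up quickly. As an added example (not the original post's code), the script below sums the %MEM and RES columns of top's batch output per command; the sample input is the listing from this page, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the original post's code: total memory per command from
# `top` output, so a pool of php-cgi workers can be compared against the
# machine's RAM. Reads batch-mode output (`top -b -n 1`) or a saved copy of it.

mem_by_command() {
    # stdin:  top output (header line followed by process lines)
    # stdout: "COMMAND total-%MEM total-RES-in-KB", largest first
    awk '
        # top prints RES in KB, or with an m/g suffix once it gets large.
        function to_kb(v) {
            if (v ~ /g$/) return substr(v, 1, length(v) - 1) * 1048576
            if (v ~ /m$/) return substr(v, 1, length(v) - 1) * 1024
            return v + 0
        }
        # Learn column positions from the header so a customised top layout
        # (different column order) does not silently break the sums.
        $1 == "PID" { for (i = 1; i <= NF; i++) col[$i] = i; next }
        ("RES" in col) && $1 ~ /^[0-9]+$/ {
            c = col["COMMAND"]; m = col["%MEM"]; r = col["RES"]
            cmd = $c
            pct[cmd] += $m
            kb[cmd]  += to_kb($r)
        }
        END { for (c in pct) printf "%s %.1f %d\n", c, pct[c], kb[c] }
    ' | sort -k2,2 -nr
}

# Sample input: the listing from this page, verbatim.
SAMPLE_TOP=$(cat <<'EOF'
PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
2655 www-data  16   0 99816  31m 3804 S    0 12.4   0:22.67 php-cgi
2651 www-data  16   0 96060  29m 3308 S    0 11.6   0:04.91 php-cgi
2656 www-data  16   0 93976  26m 3968 S    0 10.2   0:24.59 php-cgi
2654 www-data  16   0 94008  26m 3856 S    0 10.2   0:24.88 php-cgi
2653 www-data  16   0 91612  25m 3200 S    0  9.8   0:03.52 php-cgi
2657 www-data  16   0 89840  22m 3784 S    0  8.7   0:24.06 php-cgi
2652 www-data  16   0 89580  22m 3980 S    0  8.6   0:04.27 php-cgi
2650 www-data  16   0 86716  20m 3196 S    0  8.0   0:03.94 php-cgi
2313 mysql     15   0  139m  17m 4368 S    0  6.7   0:19.83 mysqld
2649 www-data  23   0 71676 6232 3708 S    0  2.4   0:00.01 php-cgi
2647 www-data  23   0 71676 6224 3708 S    0  2.4   0:00.02 php-cgi
2672 root      15   0 53468 2696 2136 S    0  1.0   0:00.00 sshd
2645 www-data  15   0 55084 2628  892 S    0  1.0   0:00.22 lighttpd
2433 root      15   0 36676 2124 1676 S    0  0.8   0:00.00 master
EOF
)

# Usage: sh memsum.sh top.txt      or:  top -b -n 1 | sh memsum.sh -
if [ $# -eq 1 ]; then
    cat "$1" | mem_by_command
fi
```

On this listing the php-cgi workers alone come to 84.3% of %MEM and about 213 MB of resident memory, with mysqld taking another 6.7%, so the box is running with very little headroom; how many FastCGI children lighttpd is allowed to keep is the number to watch.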

 

The server has been requiring an almost daily restart. I think it’s probably MySQL’s or Apache’s fault. Or perhaps it’s just my fault for being a miser and not wanting to pay for more. Either way, I’m going to fix it. So far, I’m done with the virtual hosts. Lighttpd isn’t as hard as I thought. PHP is already working. I’m still in the midst of testing whether WordPress works. Once I’m done with that, it’s “sudo apt-get remove apache2”.

 

WordPress 2.7 introduced a feature to update plugins and WordPress itself automatically. It annoys me endlessly that the automatic update refuses to work and requires me to enter an FTP username and password, which I don’t have. This blog runs on a server that does not have FTP installed; I use SSH for that. The fix is to change the ownership of your WordPress directory to www-data (the account Apache runs as on Debian and Ubuntu).

Run the following command in your WordPress directory (sudo required):

sudo chown -Rf www-data *

That did the trick for me by changing the ownership of every folder and its files recursively to ‘www-data’. It is slightly risky, and you may not like the idea of giving so many privileges over the WordPress directory. But until I can think of a way to attack the server, I guess this method is more or less safe. Unless you install a malicious plugin. Always install proven plugins. That said, use it at your own risk.

Changing the ownership gives Apache write access to your WordPress directory, so WordPress can overwrite its own files and the automatic update works. It isn’t really automatic, more semi-automatic, since you still have to trigger the update yourself. Two things to keep in mind: the * glob does not match dotfiles, so .htaccess keeps its old owner; and because the web server now owns every PHP file, any code-execution bug in a plugin or theme would let an attacker rewrite WordPress itself rather than just the uploads directory.

Thanks jer for the hint. ;)
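A tighter alternative to the chown above, as an added example that is not part of the original post: keep the files owned by your own login, give the web server's group write access to wp-content/uploads only, and then audit that nothing else is writable by the web server. The function names are this example's own; owner and group are parameters because the web server account differs between distributions (www-data on Debian and Ubuntu).

```shell
#!/bin/sh
# Added example, not the original post's code: a least-privilege layout for a
# WordPress tree. Files belong to your own login; the web server's group may
# write only under wp-content/uploads. Run with sudo when the group is not yours.

wp_lockdown() {
    # $1 = WordPress root, $2 = owner (your login), $3 = web server group
    root=$1 owner=$2 group=$3
    # Operate on the directory itself, not "*": the glob would skip .htaccess.
    chown -R "$owner:$group" "$root"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # Only the uploads tree is writable by the web server group.
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type d -exec chmod 775 {} +
        find "$root/wp-content/uploads" -type f -exec chmod 664 {} +
    fi
    # Database credentials: owner read/write, group read (PHP needs it), nobody else.
    [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
    return 0
}

wp_audit() {
    # Report anything outside uploads that the web server's group, or anyone
    # else, could write to. Exits 1 when something is found, so cron can alert.
    root=$1
    hits=$(find "$root" -path "$root/wp-content/uploads" -prune -o \
                \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$hits" ]; then
        printf 'web-writable outside uploads:\n%s\n' "$hits"
        return 1
    fi
    echo "ok: only wp-content/uploads is web-writable"
}

# Usage: sudo sh wp-perms.sh /var/www/blog deploy www-data
if [ $# -eq 3 ]; then
    wp_lockdown "$@" && wp_audit "$1"
fi
```

The price of least privilege is exactly the prompt this post complains about: with nothing else writable, the updater falls back to asking for FTP or SSH credentials (WordPress can use SSH when PHP's ssh2 extension is installed), or you unpack the new release yourself over SSH as the owning user. wp_audit is worth running from cron, since a plugin that quietly loosens permissions is the kind of change you want to hear about.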

 

WordPress launches WordPress.tv.

On WordPress.tv, you’ll find tutorials for both WordPress self-installs and WordPress.com to help you get blogging fast and hassle-free. We’ve kicked things off with the basics — now you can shape what comes next. Just drop us a line and let us know what you’d like to see added. (Source: WordPress blog)

These are screencasts on how to use the WordPress blogging platform. I think it’s great for new users, since WordPress features aren’t entirely obvious.

 

Great news for WordPress users: 2.7 is now out. Coltrane is one of jazz’s greatest, and 2.7 doesn’t fall (too) far short of the name. It loads faster, and the edit-in-place and reply-in-place features are great.

WordPress 2.7 “Coltrane”

The first thing you’ll notice about 2.7 is its new interface. From the top down, we’ve listened to your feedback and thought deeply about the design and the result is a WordPress that’s just plain faster. Nearly every task you do on your blog will take fewer clicks and be faster in 2.7 than it did in a previous version. (Download it now, or read on for more.)

Next you’ll begin to notice the new features subtly sprinkled through the new interface: the new dashboard that you can arrange with drag and drop to put the things most important to you on top, QuickPress, comment threading, paging, and the ability to reply to comments from your dashboard, the ability to install any plugin directly from WordPress.org with a single click, and sticky posts. (Source: WordPress)

I’ve upgraded, have you?

 

Huh, no 2.7?

WordPress 2.6.5 is immediately available and fixes one security problem and three bugs. The WordPress team recommends everyone upgrade to this release.

The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.

2.6.5 contains three other small fixes in addition to the XSS fix. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5.

Note that we are skipping version 2.6.4 and jumping from 2.6.3 to 2.6.5 to avoid confusion with a fake 2.6.4 release that made the rounds. There is not and never will be a version 2.6.4. (Source: WordPress)

Looks like an upgrade not to be ignored.

 
