Category Archives: Wordpress

Hacked!

It seems this blog got hacked recently. A couple of posts had the following code inserted into them:

/*  */
edToolbar()
...(post text)...
edCanvas = document.getElementById('content');

This was on WordPress 3.2.1. I've now updated to 3.5; hopefully this won't recur, but it's something to watch out for if you're running blogs using older versions… a quick Google search indicates plenty of people have been hit but haven't noticed.


Working on the server

Upgrading to WordPress 3, that kind of thing. Hold off new comments and posts until done. I’m also moving servers.

If you can see this, it’s done!

Here’s the process I’m following for moving these various sites:

Take an export of the database.

Run the SQL: update wp_posts set comment_status = 'closed'; so nobody comes in and writes a comment that is subsequently lost.

Import into the new site and upload the new WP installation and the old theme and images etc onto the new site.

(I’ve found my new web ISP’s DDoS protection gets antsy if I use the default Filezilla setting of two simultaneous connections.)

Hack the hosts file to look at it while getting it perfected.

Run /wp-admin/upgrade.php and let it upgrade the database.

Go into the Admin screens, to the Permalink settings, and save the default so the .htaccess file is updated.

Apart from then switching the registrar so the domain looks at the new IP address, that’s about it.

Will also re-load the old .htaccess settings like the deny list for the big-hitting bandwidth thieves.

And I’m installing the W3 Total Cache plugin to optimise the site a bit. (I used to have WP set to deliver gzip-compressed pages; sometime before version 2.9, that option’s been removed.)

Update: Finally, WP3 seems to have fixed the weird bug that caused some comments and posts to be rejected dependent on particular words being present.

Don’t panic

This is not a Towel Day post. Rather, it’s just to say I’m upgrading WordPress tonight to 2.9.2, so things may be a little weird.

Update 10:07pm. Done. The big question is: have they fixed this bug?

If they have, I’ll be able to say Lynx with a space after it (in a post or a comment) and not have it give me back an error.

No. It still does it. (I’ve used a   above.)

Hello to Sam Hamilton and James Dee

So I was looking at the comments awaiting moderation. Two showed up on this post: Why Facebook sucks, a rollicking read about over-bearing security dialogues just to use Facebook’s video application.

Here’s the first comment — I’ve zapped the email address, but one was left:

Sam Hamilton 76.243.71.190
Submitted on 2009/05/29 at 9:37am

If you are tired of facebook but want a way to connect with artists and musicians
then you should check out http://www.putiton.com
If you are tired of facebook but still want to connect with your friends then pick up the phone…

Fair enough.

Here’s the second:

James Dee 75.85.9.225
Submitted on 2009/06/03 at 3:16pm

I’m an artist and I haven’t been satisfied using facebook or myspace to promote myself… too slow and too much junk. I’ll give putiton a try… it looks clean

The problem here is that the first comment is still awaiting moderation. (Yes, it’s several days old. I don’t check as often as I should.)

So why would “James” decide to try putiton, a social networking site which basically nobody has heard of (well at least I haven’t) if nobody else has suggested it (eg the first comment isn’t visible to anyone)?

Curiously, “Sam” and even “James” have left similar messages on other, similar posts on other blogs.

(Sam has a profile on the offending site.)

Slowing down WordPress spam

I noticed a lot of my WordPress spam is coming from a handful of IP address ranges. I’ve checked, and in the five-ish years I’ve been using WordPress, no valid comments seem to be coming from there. (Just tap the relevant IP address into the WP comment admin search box.)

Time for a little .htaccess magic, I think.

order allow,deny
deny from 194.8.75.
deny from 194.8.74.
deny from 87.118.112.
deny from 61.18.170.
deny from 196.12.36.
deny from 219.64.175.
deny from 69.59.137.
deny from 80.88.242.
allow from all

By the way, in cPanel File Manager, to see .htaccess you have to switch on the option to view hidden files on the options page when you go in.

Anyway, the result is less spam, though there appears to be a rash of new attacks from a wide variety of IP addresses, with a shirtload of embedded links to upcoming.yahoo.com
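A way to do the "no valid comments from there" check against the deny list, as an added example (not from the post): it applies Apache's partial-address matching (whole leading octets, so 194.8.75. never catches 194.87.5.x) to a constructed sample of wp_comments rows and tallies which approved, pending and spam comments the rules would block.

```python
import re

# Constructed sample of the .htaccess rules from the post (two of the ranges).
HTACCESS = """\
order allow,deny
deny from 194.8.75.
deny from 87.118.112.
allow from all
"""

# Constructed wp_comments rows: (comment_author_IP, comment_approved).
# comment_approved is '1' approved, '0' pending, 'spam' spam.
COMMENTS = [
    ("194.8.75.12", "spam"),
    ("194.8.75.200", "0"),
    ("87.118.112.5", "spam"),
    ("203.0.113.7", "1"),
    ("194.87.5.1", "1"),  # string-prefix of "194.8.75." but a different network
]


def deny_prefixes(htaccess):
    """Return the partial addresses named in 'deny from' lines."""
    return [m.group(1) for m in
            re.finditer(r"^\s*deny\s+from\s+(\S+)", htaccess, re.M | re.I)]


def ip_denied(ip, prefixes):
    """Apache partial-IP semantics: compare whole leading octets."""
    octets = ip.split(".")
    for prefix in prefixes:
        want = prefix.rstrip(".").split(".")
        if octets[:len(want)] == want:
            return True
    return False


def audit(htaccess, comments):
    """Tally denied comments by status; approved_blocked > 0 means the
    rules would lock out a commenter who was previously let through."""
    prefixes = deny_prefixes(htaccess)
    tally = {"approved_blocked": 0, "pending_blocked": 0,
             "spam_blocked": 0, "not_blocked": 0}
    for ip, status in comments:
        if not ip_denied(ip, prefixes):
            tally["not_blocked"] += 1
        elif status == "1":
            tally["approved_blocked"] += 1
        elif status == "spam":
            tally["spam_blocked"] += 1
        else:
            tally["pending_blocked"] += 1
    return tally
```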

Has my WordPress blog been hacked?

At some stage, some weird text seems to have inserted itself into a bunch of my links on my personal blog… a GET parameter referencing phpMyAdmin and a long hexadecimal string, which appears to be the same every time.

So for instance the link:
<a href="/1995/12/22/the-bill/">

became:
<a href="/1995/12/22/the-bill/?phpMyAdmin=3bceb1b20913e8babce341325e13bf76">

And this one:
<a href="http://www.ptua.org.au/myths/energy.shtml">

became:
<a href="<a href=?phpMyAdmin=3bceb1b20913e8babce341325e13bf76"http://www.ptua.org.au/myths/energy.shtml">

A Google search suggests that this specific parameter appears to be unique to my blog.

It mainly appears to have hit internal relative links, but has hit some external ones too. But it hasn’t affected all the links, by any means. Maybe a few dozen posts. And for the most part they are like the first example, above, and don’t actually break the links.

At first I thought it was a hack back at some time when I might have had a vulnerable version of WordPress on my blog. Though I’ve been unable to find any other examples of it (not that it’s the easiest thing to search for), and now I’m wondering if it was some mistake during a migration of the database.
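As an added example (not from the post), a small scanner for the two link shapes shown above, which is the search that is awkward to do from the admin screens: it lists affected posts, reports the distinct hex values (the post says there is only one), strips the parameter from intact links, and unpicks the nested href form. The hex value is the one from the post; the posts dict is a constructed stand-in for rows read from a wp_posts export.

```python
import re

# Any 32-hex value is accepted so a second token, if one existed, would be caught.
INJECTED = re.compile(r"\?phpMyAdmin=([0-9a-f]{32})")
# Intact form: a normal href with the parameter appended to the URL.
INTACT = re.compile(r'href="([^"<>]*?)\?phpMyAdmin=[0-9a-f]{32}"')
# Broken form: a second <a href= spliced inside the attribute, URL after it.
NESTED = re.compile(r'href="<a href=\?phpMyAdmin=[0-9a-f]{32}"([^"]*)"')

# Constructed wp_posts rows (ID -> post_content) reproducing both shapes.
POSTS = {
    1: '<a href="/1995/12/22/the-bill/?phpMyAdmin=3bceb1b20913e8babce341325e13bf76">The Bill</a>',
    2: '<a href="<a href=?phpMyAdmin=3bceb1b20913e8babce341325e13bf76"http://www.ptua.org.au/myths/energy.shtml">PTUA</a>',
    3: '<a href="/about/">clean</a>',
}


def find_affected(posts):
    """Sorted IDs of posts whose content carries the parameter."""
    return sorted(pid for pid, body in posts.items() if INJECTED.search(body))


def distinct_values(posts):
    """Distinct hex tokens across all posts (one value expected)."""
    return sorted({m.group(1) for body in posts.values()
                   for m in INJECTED.finditer(body)})


def repair(body):
    """Restore href="URL" for both shapes. Returns (fixed_body, change_count)."""
    fixed, n_intact = INTACT.subn(r'href="\1"', body)
    fixed, n_nested = NESTED.subn(r'href="\1"', fixed)
    return fixed, n_intact + n_nested
```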

Weirdness.

Something I don’t like about WordPress

I love WordPress.

But not 100%.

Something I don’t like is how it decides arbitrarily when to decide to re-authenticate you.

I had logged in here to write a post, and it happily let me type it all out, until I hit the Publish button, when it decided to double-check who I was. Which was fine, but by the time it had done that, it revealed that the draft of the post that had been saved was from several minutes before I’d hit Publish, and I’d lost a couple of links I’d put in which now I’ll have to find again.

Blargh.

Twitter widgets

I used Twitter Tools for a while with WordPress, and it worked well until recently, when it stopped.

While pondering what went wrong, I noticed Twitter now has an official set of widgets for web pages.

Twitter / Get a Widget for your site

They’ve got customised ones for MySpace, Blogger, Facebook, Typepad, and a generic one (in HTML or Flash) for everything else.

The Triple J question

Trust Josh to ask a curly question for the StackOverflow podcast: “Why did the Stack Overflow schedule blow out?” and quoting back Jeff and Joel's own previous forecasts at them.

Made for an interesting discussion though. I certainly agree with the point that until you're actually working on something, you don't have a great deal of confidence in just how much there is to do … that becomes apparent as you go.

Transcript.

(So I can find it later: WordPress URL parameters, for example for showing all posts by Josh.)


Recent finds

Ever wonder how they fitted an entire computer language into just a few kilobytes, back in the 80s? Documented disassembly of BBC Basic 4.

How to highlight author comments in WordPress … but it relies on the author being user ID 1, so it won't work here, where we have several people posting. Could easily be customised to look for other user IDs though.

Some developers are throwing in the towel and running Vista as Admin (Pete Brown's blog: ritatedvowel.com/blogs/pete_browns_blog/archive/2008/04/11/Vista-and-Local-Administrator.aspx).

The excellent Secret Life of Machines not only has a web site, but is available freely (and legally) via BitTorrent. And the theme tune is available on iTunes.


Unicode: Not just a character set

Some Unicode symbols have surprising effects but… (a linked comment written in upside-down Unicode text, lost in extraction), or, if WordPress doesn't support Unicode properly, you miss out.


Twitter to WordPress to Facebook

(Skip the lecture, go straight to the instructions — but note the update.)

I’m yet to be convinced that microblogging (eg Twitter, or those status updates in Facebook) is genuinely useful. Maybe, maybe not. But I’m willing to try it out.

Problem is of course that if you use multiple services, you don’t want to be having to update them all individually. If such a concept is going to work, you’ve got to be able to update once and have it cascade to everywhere.

Facebook has an app to push updates out to Twitter. Which would be fine, but for those outside North America, you can’t update your Facebook status from anywhere except within Facebook. (North Americans can use SMS from a mobile, but others can’t.) Okay, so maybe you’d want to do it mostly when in front of a computer anyway, but I do like about Twitter than you can update from anywhere… anybody can SMS a number (it’s based in the UK, so for me it’s costing 50 cents… so I’d better not go mad using it) so no fiddling with mobile web access just to post an update. Twitter also takes updates via IM (such as GTalk and Jabber). I also like that it’s open; people can see what’s going on without registering.

I normally hate words like synergy and leverage and convergence, but that’s what’s gone on here. Alex King has written code that updates WordPress from Twitter every 15 minutes. Christian Flickinger has written code that updates Facebook using PHP, with a hack using the Curl library (since Facebook doesn’t actually accept inputs like this) that logs into Facebook’s mobile web page and does the business.

And Blake Brannon has put the two together, so a Tweet (that’s Web 2.0 talk for a Twitter post) will cascade to your WordPress blog, and then on to your Facebook status.

Neato, huh? Now that really is leverage. If it works. Which it does for many people, but it didn’t for me. I was having problems with Blake’s code; probably an issue with my Web ISP’s configuration. I ended up splitting it off to a separate WP plugin, which was messy, but allowed me to use the code in isolation, and figure out the problem.

It may be an issue that only affects particular versions of PHP or Apache or something — I’m no expert — but the problem was the Curl call couldn’t write to the cookies file. Creating the my_cookies.txt file and making it writable (777) and modifying the code slightly to specify where the file lived solved it. Another issue involved Curl being unable to use the FollowLocation flag, but it turned out this wasn’t needed.

I also ended up with Blake’s (modified) code in a separate file to Alex’s, rather than inserted into it as Blake intended.


So in summary

Update 2007-08-31: Blake’s been told that automated access into Facebook is against the Terms of Service. It’s unclear if Facebook will actively go chasing those who use or distribute code like this, but it would seem to pay to be cautious. Sorry.

  1. Download Alex King’s Twitter Tools and put in your wp-content/plugins directory
  2. Download twitter-wp-fb.txt. Put your Facebook details in where shown, then put it into your wp-content/plugins directory
  3. Create an empty wp-content/plugins/my_cookies.txt file and make it writable (777)
  4. Go into your WP Plugins page and activate both Twitter Tools and WP/Twitter to Facebook
  5. Go into the Twitter Tools config page and enter your Twitter credentials
  6. Cross your fingers and post something in Twitter

I think that’s all the steps. Good luck.

Thanks to Blake for his assistance on this. And to Alex and Christian, whose code this is all built on.