Posts tagged as:

wordpress

Wordpress 2.6 released

by psionmark on July 17, 2008

Wordpress 2.6 was released a couple of days ago. I’ve held back posting about it until I had it installed on all of my blogs.

Installation was painless. The longest part of the process was backing everything up, but then that’s something you should be doing regularly anyway.

There’s a ton of new features and bug fixes. The following video will explain it better than I can :)

My favourite new features so far are the updated image handler - everything seems much more intuitive now - and Gears support. This makes a tremendous difference to the speed of the site. Handy when creating posts within the web interface, which is my preferred method. I’m looking forward to seeing what else they can do with Gears with coming releases.

One thing to watch out for if you post from a desktop application: XML-RPC publishing is now OFF by default, so you’ll have to go and switch it on if you want to use your blogging application to post.

There are a bunch of “proactive security enhancements, including cookies and database interactions”, so, as always, I’d recommend the upgrade even if you don’t want the new features.


Wordpress 2.5.1 released

by psionmark on April 27, 2008

Wordpress 2.5.1 has been released. As well as including a number of enhancements, it also includes a major security fix. I’d therefore recommend upgrading as soon as possible before the vulnerability is made public.

Following my early post about Wordpress sites being hacked, I’m making sure I now keep an eye on all updates.


The Great Wordpress Attack

by psionmark on April 9, 2008

Here’s a curious thing. You probably wouldn’t know it, unless you specifically went looking, but there appears to be a tremendous attack being made on self-hosted Wordpress powered blogs right now.

The curious part is that the news doesn’t appear to be making it to many mainstream blogs or tech news sites.

This is potentially very serious to anyone running such a blog (I myself run many Wordpress installations, including this one). Your blog’s reputation (especially with search engines) could be severely damaged if your site is hacked the way mine recently was. From the limited number of stories made public so far, it appears that many thousands of sites may already have been compromised.

I was recently the victim of such an attack and the only reason I got to find out about it was when one of my RSS subscribers kindly advised me that the feed was getting thousands of porn links injected into it. I think (hope) that I’ve now fully recovered and secured my installations against further attack, although I’m still getting significant hits from search engines from people looking for some very unpleasant stuff.

Technorati sent me an email yesterday saying they were going to stop indexing sites that exhibited signs of being hacked in the way my site was. Hopefully that won’t now apply to me, as my sites are, as far as I can tell, now clean.

So, how do you know you’ve been hacked? When I was told about the link injection, I took a look at the source code for the site in question. The site itself looks fine when you view it in a browser, so you need to look deeper. In my case, I found a large amount of extra code at the end of the posts with the “invisible” attribute. So, they wouldn’t appear on the page to the human eye, but the search engines were picking them up. In one day, I got over 20,000 hits from Google alone from people searching for stuff that, quite frankly, they should be locked up for. The only way I could get rid of these was to edit the database entry directly for the posts in question.
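A way to automate the source check described above, as an added example that is not part of the original post. It assumes the "invisible" markup means an inline display:none or visibility:hidden style or the HTML hidden attribute; the sample post and the spam.example URLs are constructed.

```python
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags with no closing tag


class HiddenLinkFinder(HTMLParser):
    """Collect href values of <a> tags that sit inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.stack = []          # one bool per open element: is it hidden?
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = "hidden" in attrs or bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        inside_hidden = hidden or any(self.stack)
        if tag == "a" and inside_hidden and attrs.get("href"):
            self.hidden_links.append(attrs["href"])
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        # Simple stack: assumes reasonably well-formed markup in the post body.
        if tag not in VOID and self.stack:
            self.stack.pop()


def hidden_links(post_html):
    """Return every link target a browser would not show to a human reader."""
    finder = HiddenLinkFinder()
    finder.feed(post_html)
    finder.close()
    return finder.hidden_links


# Constructed sample: a normal post body with a hidden block appended to it.
SAMPLE_POST = """
<p>Wordpress 2.5 was released over the weekend. <a href="https://example.org/">Details</a></p>
<div style="display: none"><a href="http://spam.example/a">x</a>
<a href="http://spam.example/b">y</a></div>
"""

if __name__ == "__main__":
    for href in hidden_links(SAMPLE_POST):
        print("hidden link:", href)
```

Run it over the post content as stored in the database as well as the rendered page, since the injected markup lived in the post entries themselves.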

I dug a little deeper and found that there was a file in the root of my Wordpress installation named “more.php”, which was an encrypted file containing thousands of very dodgy links.

Protect yourself

If you’re running a Wordpress installation, I would check the following:

  • UPDATE your installation to the latest version (2.5). Yes, I know everyone should do this all the time. But people forget. I forgot and look what happened to me.
  • Check the source of your own site, looking for anything that shouldn’t be there.
  • Fire up your FTP software and check through ALL your directories, including the root, looking for anything that doesn’t look right. If need be, download the latest version of Wordpress and compare what’s in a new installation to what you’ve got installed. You’ll likely have more than a vanilla install if you’ve got any plug-ins or modifications, but it’ll give you an idea.
  • Once you’ve upgraded and checked your files, clear out any caches.
  • If your site has been compromised in any way, change all your passwords (Wordpress admin and database).
  • Again, if you have been compromised, it may be worth letting Google know about it to hopefully stop them blacklisting you for all those bad links. You can do so via Google Webmaster Tools.
  • Protect your wp-config.php file. This contains the user name and password to your database. At the very least, set its permissions to 644, but also try and use other methods to protect it. Again, do a Google for the details.
  • Check out the many sites available for securing your installation in general. Do a search for “secure wordpress” and you’ll find tons of useful stuff.
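The file comparison and the wp-config.php permission check from the list above, as an added example that is not part of the original post. It assumes you have unpacked a fresh copy of the same Wordpress release next to a copy of your live files; the function names and the demo trees are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _files(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def audit_install(installed, pristine, max_config_mode=0o644):
    """Compare a live tree against a freshly unpacked copy of the same release."""
    live, clean = _files(installed), _files(pristine)
    report = {"extra": [], "modified": [], "config_mode": None}
    for rel, path in sorted(live.items()):
        if rel == "wp-config.php":
            mode = path.stat().st_mode & 0o777
            # Report the mode only if it grants a bit beyond the allowed mask.
            if mode & ~max_config_mode:
                report["config_mode"] = oct(mode)
        elif rel not in clean:
            report["extra"].append(rel)  # plug-ins and uploads show up here too
        elif _sha256(path) != _sha256(clean[rel]):
            report["modified"].append(rel)
    return report


def demo():
    """Build two small constructed trees and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = Path(tmp, "live"), Path(tmp, "clean")
        for root in (live, clean):
            (root / "wp-includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php // core loader\n")
            (root / "wp-includes" / "version.php").write_text("<?php // version\n")
        (live / "more.php").write_text("<?php /* constructed stand-in */\n")
        (live / "index.php").write_text("<?php // core loader\n// appended line\n")
        (live / "wp-config.php").write_text("<?php // constructed config\n")
        os.chmod(live / "wp-config.php", 0o666)
        return audit_install(live, clean)


if __name__ == "__main__":
    print(demo())
```

Anything listed under "extra" that is not a plug-in, theme or upload you recognise, and anything under "modified", deserves a manual look.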

I can’t stress enough that you need to check at least the things I’ve mentioned above if you’re currently using a self-hosted Wordpress blog.

I love Wordpress and will continue to use it. I can put all of the problems I had down to my own failure to check for and apply updates when they became available. Don’t fall into the same trap I did.


Scrolling Google AdSense ads and a broken image uploader

by psionmark on April 3, 2008

I see that Google are now showing the scrolling AdSense ads on all their text ad blocks now. I’m not a great fan of the arrows - they stand out like a sore thumb. Worse still, you don’t even get paid if a visitor clicks on anything other than the initially loaded ads! Seems like a win-win for Google and a loss for web site owners!

[Image: scrolling adsense ads]

What do you reckon? I think they’re plain ugly.

Following on from my post about Wordpress 2.5, I’m loving it more and more as I get to know it. There are some teething problems, as you’d expect of anything this size. The latest gotcha is that the WP-ContactForm breaks the image uploader. Instead of the nice new whizzy uploader, you now get:

[Image: wordpress upload image]

Which is not terribly useful. The workaround is to disable WP-ContactForm if you need to upload an image, then re-enable it once you’re done. I’m using cformII here on Psionmark, so will look at integrating that into my other blogs.


Wordpress 2.5 first impressions

by psionmark on April 1, 2008

Wordpress 2.5 was released over the weekend. This is a major upgrade, including the most extensive reworking of the admin interface I’ve seen since I started using WP about 2 years ago.

I’ve so far upgraded 2 of my blogs to the new version, including this one. The upgrades went without a hitch and only took a few minutes.

So, what’s it like? As I mentioned, the admin interface has been completely overhauled, and it works beautifully. I particularly like the new image uploading. Very slick. In fact, the new post editor in general is so good, I’m reasonably confident that I’ll now be using it as my main method of posting to my blogs. This is a double-bonus for me. I’ve been after a good blog editor for the Mac for some time, but now it looks like I don’t need one.

A couple of odd things, though. Firstly, Gzip compression. I swear after I installed the update on my first blog that I saw the option to enable/disable it under the Reading section. I also swear I selected it! Can I find it again? Nope! The weird part of it is that apparently they’ve removed the option allowing the blog owner to alter the Gzip setting, so did I imagine the whole thing?

This only came to light when I tried to enable WP Cache. It wouldn’t let me, because Gzip was enabled, but there was no way for me to switch it off from the admin panel. I found the setting in the database and disabled it from there.

This leads me to the second problem, and that’s with WP Cache. I’ve never had much luck with this in the past, and it still seems to be the case for me. I enabled it, but the site started behaving oddly, by which I mean that sometimes it would just refuse to load. No errors, but no site either. I disabled WP Cache and emptied the cache and all now seems fine. I’m not too sure I’ll even bother with trying to enable it, as it seems pretty fast as it is, and my new host seems to be handling the load admirably. I’ll stick it on my “some day” list.

Anyone else upgraded yet? If so, what do you think?
