By Jeffro on April 30, 2012
As if WooThemes.com being attacked was not bad enough, there is also a critical security issue that’s been fixed in the latest release of the WooFramework. The issue dealt with the shortcode generator.
The latest version (and most likely many previous versions) of the WooThemes WooFramework has a bug that allows any website visitor to run, and see the output of, any shortcode. This gives unauthenticated visitors the same power to execute code on the server that regular publishers have. WordPress installations with unsecured shortcodes (such as [php], which allows raw PHP code to be run) are exposed to serious attacks if a WooThemes theme is installed, even when it is not the active theme for the site.
While the Gist author for that post took some heat for releasing the information the way that he did, others chimed in and stated that the vulnerability should never have existed in the first place. Jason Gill, a paying WooThemes customer and the one who announced the vulnerability on Gist, explained that he made every effort to contact WooThemes, or at least to find out whether a patch already existed, but was unsuccessful.
While at the time of writing this article WooThemes.com is offline, I advise you to check back often to update your themes as soon as possible.
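The bug described above is a missing authentication and authorisation check on an endpoint that renders shortcodes. The following is an added example, not WooFramework code, of how a shortcode-preview AJAX handler should be gated in a WordPress theme or plugin. The hook name, nonce action, capability and the allow-listed shortcode names are assumptions made for the illustration.

```php
<?php
// Added example (not WooFramework's code): a shortcode-preview AJAX handler
// that only a logged-in user with publishing rights, holding a valid nonce,
// can reach. Hook name, nonce action, capability and the allow-list below are
// assumptions for this illustration.

// Register ONLY the authenticated hook. Deliberately no 'wp_ajax_nopriv_...'
// counterpart: an anonymous visitor must never reach a handler that calls
// do_shortcode(), because shortcode callbacks run arbitrary server-side code.
add_action( 'wp_ajax_example_shortcode_preview', 'example_shortcode_preview' );

function example_shortcode_preview() {
    // 1. CSRF protection: the request must carry a nonce issued to this user
    //    for this action; check_ajax_referer() dies with -1 on failure.
    check_ajax_referer( 'example_shortcode_preview', 'nonce' );

    // 2. Authorisation: rendering a shortcode is equivalent to publishing it,
    //    so require the same capability a publisher would need.
    if ( ! current_user_can( 'publish_posts' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }

    // 3. Input: accept the shortcode text only (WordPress adds magic-quote
    //    slashes to $_POST, hence stripslashes()).
    $shortcode = isset( $_POST['shortcode'] ) ? stripslashes( $_POST['shortcode'] ) : '';

    // 4. Allow-list: the preview endpoint should not be able to invoke every
    //    registered shortcode, e.g. one that evaluates raw PHP. Names assumed.
    $allowed = array( 'button', 'box', 'quote' );
    if ( ! preg_match( '/^\[([a-z0-9_-]+)/i', $shortcode, $m )
         || ! in_array( strtolower( $m[1] ), $allowed, true ) ) {
        wp_die( 'Shortcode not allowed for preview', 'Forbidden', array( 'response' => 403 ) );
    }

    // Only now is the shortcode rendered, for this authorised user.
    echo do_shortcode( $shortcode );
    wp_die(); // end the AJAX response cleanly
}

// The nonce the JavaScript side must send back with each preview request
// (pass this to the script with wp_localize_script() after enqueuing it).
function example_shortcode_preview_nonce() {
    return wp_create_nonce( 'example_shortcode_preview' );
}
```

The three checks are independent: the nonce stops cross-site request forgery from a logged-in user's browser, the capability test stops low-privilege accounts, and the absence of a `nopriv` hook stops anonymous visitors altogether. The allow-list is the extra step that limits the damage when a site has registered a dangerous shortcode such as `[php]`.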
Posted in Themes | Tagged security, update, woothemes |
By Jeffro on April 24, 2012
ManageWP, the service that makes it a breeze to manage multiple websites from one location has announced that they are currently developing an iOS application specifically for ManageWP. This move takes the ease of managing multiple websites to the next level. While the app is not yet available, there are a couple of screenshots of what the final product might look like.
The first screenshot shows a concept of what the dashboard might look like. I have not tested the app itself, but it will be interesting to see if they manage to pack all of their site's functionality into the iPhone app while still maintaining ease of use.

ManageWP Dashboard Concept Image
What may be the most exciting part of this news is that the app will also be available to use on the iPad. With more screen real estate and the retina display on the newest version of the iPad, this combination should make for a great experience.

Pricing has yet to be determined and in some aspects, this could get tricky. While the app is of no use to non-ManageWP customers, will the company end up charging existing customers for the app? Considering there are three different service plans, I could see them offering the app for free to those on the middle and top tier plans. I know that the folks from ManageWP monitor this website, so if you have thoughts on how they should go about this, please offer your feedback in the comments.
While there are alternatives to ManageWP, they are certainly experiencing healthy growth. Earlier this year, they hit the 100,000 managed websites milestone. They have also obtained 2,000 paying customers. Speaking of paying customers, I encourage you to read through the comments of a post I published about a week ago where a number of folks chimed in that while ManageWP is awesome, their prices are a bit too high to digest. Based on feedback I have observed, there are two camps. One that says ManageWP is worth every penny that they currently charge and one that says the prices are just too high.
If you believe their prices are too high, consider the following. They currently have a staff of 20 or so people with plans to add more. They are an international bunch and the company is growing rapidly. There is the infrastructure, hardware, etc., that they have to pay for. In my opinion, they shouldn’t price themselves out of business. They should simply charge what they feel is right for the service.
Posted in News | Tagged apps, ios, ipad, iphone, managewp |
By Jeffro on April 18, 2012
As part of their Make Waves series, iThemes will be conducting a free webinar with Dre Armeda of Sucuri.net to discuss how to lock down a WordPress installation. In this webinar, viewers will learn how to reduce their risk of being attacked by hackers and malware threats. The webinar takes place on Wednesday, April 25th at 1 P.M. CDT. I’ve linked to Sucuri a number of times during the year because these guys know what they’re talking about when it comes to website security.
Posted in News | Tagged sucuri, security, webinar |
By Jeffro on April 17, 2012
WordPress’ biggest challenge over the next two years, and where we’re focusing core development, will be around evolving our dashboard to be faster and more accessible, especially on touch devices. Many of our founding assumptions about how, where, and why people publish are shifting, but the flexibility of WordPress as a platform and the tens of thousands of plugins and themes available are hard to match. We might not always be the platform people start with, but we want to be what the best graduate to.
Via WordPress And The Top 100
Posted in Quotes | Tagged challenge, Quotes, stats, wordpress |
By Jeffro on April 17, 2012
A few weeks ago, I posted a link to an article Lorelle put together showcasing the various stats surrounding WordPress and its community. Joost de Valk has taken those stats as well as some others that his team discovered and generated an infographic that visually represents the data. One of the stats that I find impressive is the fact that Freelancer.com reported that 100,000 WordPress developers across the world are listed on the service with reports of over 3.6 million dollars of WordPress projects completed.
What’s even more impressive is that WordPress has yet to reach a saturation point. There are still plenty of people out there that some day could potentially become WordPress users. So while the numbers we see today are huge, I imagine they’ll be even bigger in the next 2-3 years.
Posted in WordPress | Tagged infographic, stats, yoast |
By Jeffro on April 16, 2012
Everyone has an opinion as to what WordPress needs and Dev4Press recently shared theirs on what they believe WordPress needs with regards to features. Any time I read a post like this, it’s as if I can hear the core team in my head yelling out “patches welcome”. But you know, just because you dedicate time to produce a patch that includes the functionality you would like to see in core that works flawlessly with WordPress does not guarantee that the functionality will end up within the core of WordPress. So in that sense, you’re damned if you do and damned if you don’t. Of course, there is always the plugin route.
I agree with Dev4Press when they mention that the built-in search functionality in WordPress sucks and needs a major overhaul. It’s something that many users have requested for over two years. Unfortunately, due to complexity or lack of resources, we have yet to see any overhaul on this part of WordPress. There are plugins that enhance this ability but nothing within the core that makes it better. The other issue I wanted to address with the post on Dev4Press concerns their request that Akismet be removed from the default WordPress package as they think it’s a commercial plugin and thus, unfair to commercial plugin authors. In my opinion, as long as Akismet has the free option, it’s not a commercial plugin. However, I’d still like to see it and all other plugins removed from the default installation package just to tidy things up.
Posted in WordPress | Tagged akismet, features, wordpress |
By Jeffro on April 13, 2012
VaultPress is a cool security service by Automattic, but if you take a look at the pricing and plans, some may think that this is the luxury line of data safekeeping. However, tons of people that have had to utilize the restoration feature of VaultPress say it’s worth every penny. Boles University.com has a non-profit WordPress multi-site installation with about 14 sub-domains under its belt. VaultPress supports multi-site, but if the subscription is for the main site, only the main site's files and data will be backed up; sub-sites will be ignored. In order to back up everything, each site within the multi-site installation needs its own individual subscription. As you can imagine, it wouldn’t take long for that to become expensive. As David W Boles points out in his article, it would be nice to see VaultPress come up with some sort of plan that allows non-profits the ability to back up their main site along with their satellite sites for a much more affordable price. I’m not sure how VaultPress would be able to verify whether a multi-site installation is non-profit or not without paperwork validation, but it certainly seems like this is a missed market opportunity for VaultPress.
This is the world of WordPress, which means there are alternatives when it comes to safekeeping your data. A relatively new service called BackupPress performs many of the same functions as VaultPress but at a much more affordable price. In fact, taking a look at their comparison page, they support WordPress multi-site at just $25 per year. At the time of publishing this article, I couldn’t locate any specific text that states restrictions similar to VaultPress in that each sub-domain within a multi-site network would need its own subscription. Hopefully, a representative from the service will stop by the comments section and fill us in on the details.
Posted in WordPress | Tagged backuppress, security, vaultpress |
By Jeffro on April 11, 2012
WordPress has a reputation of being very portable, but after reading a recent article on WPGarage.com, there is a certain condition in which the data in WordPress can become non-portable. It has to do with the serialization of data. However, they offer up a few different ways in which to deal with the problem so that you don’t lose data via a database dump.
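The portability problem comes from how PHP serializes strings: each one is stored with its byte length (`s:18:"http://old.example"`), so a plain search-and-replace of a URL in a SQL dump leaves a stale length and the value fails to unserialize on import. The following added example is not WPGarage's code; it shows the corruption on a constructed option value and one length-aware replacement technique. The function names are assumptions.

```php
<?php
// Added example (not from the WPGarage article): why a plain search-and-replace
// on a database dump corrupts serialized PHP values, and a length-aware
// replacement that re-serializes the data. Function names are assumptions.

// Walk strings, arrays and objects and replace $old with $new in every string.
function example_recursive_replace( $old, $new, $data ) {
    if ( is_string( $data ) ) {
        return str_replace( $old, $new, $data );
    }
    if ( is_array( $data ) ) {
        foreach ( $data as $k => $v ) {
            $data[ $k ] = example_recursive_replace( $old, $new, $v );
        }
        return $data;
    }
    if ( is_object( $data ) ) {
        foreach ( get_object_vars( $data ) as $k => $v ) {
            $data->$k = example_recursive_replace( $old, $new, $v );
        }
        return $data;
    }
    return $data; // ints, floats, bools, null are left untouched
}

// Replace inside one database value. If the value is serialized, unserialize,
// replace, and serialize again so the length prefixes are recomputed.
function example_serialized_replace( $old, $new, $value ) {
    // 'b:0;' is the legitimate serialized false, which unserialize() also
    // returns as false, so it is excluded from the "did it parse?" test.
    if ( is_string( $value ) && $value !== 'b:0;' ) {
        // On PHP 7+, pass array( 'allowed_classes' => false ) as the second
        // argument so a dump from an untrusted source cannot instantiate
        // arbitrary classes during unserialize().
        $unserialized = @unserialize( $value );
        if ( $unserialized !== false ) {
            return serialize( example_recursive_replace( $old, $new, $unserialized ) );
        }
    }
    return example_recursive_replace( $old, $new, $value );
}

// Constructed sample: a theme/widget option as WordPress would store it.
$sample = serialize( array(
    'site' => 'http://old.example',
    'logo' => 'http://old.example/logo.png',
) );

// The naive approach (what sed on a dump does) rewrites the URL but keeps the
// old byte lengths, so the value no longer parses and WordPress would drop it.
$naive = str_replace( 'http://old.example', 'https://new.example.org', $sample );
if ( @unserialize( $naive ) === false ) {
    echo "naive replace corrupted the serialized option\n";
}

// The length-aware approach yields a value that still parses, with new URLs.
$safe    = example_serialized_replace( 'http://old.example', 'https://new.example.org', $sample );
$decoded = unserialize( $safe );
if ( is_array( $decoded ) && $decoded['site'] === 'https://new.example.org' ) {
    echo "serialization-aware replace preserved the option\n";
}
```

In a real migration this function would be applied per column value while iterating over the tables, rather than to the SQL text of the dump, because the dump itself cannot be patched without recomputing every affected length.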
Posted in Uncategorized, WordPress | Tagged code, database, serialize |
By Jeffro on April 10, 2012
Yesterday on Twitter, I was informed of a new WordPress code snippets library that sprang up called WPFunction.me. The site has an easy to use interface for grabbing code snippets. While at first, it seems as though you need to perform a lot of scrolling to select code snippets and get the code, you can alleviate the scrolling by clicking on the preview link.

However, if you decide that this snippets website is not your cup of tea, check out the list of WordPress Code Snippet repositories put together by CatsWhoCode.com.
Posted in WordPress | Tagged code, repository, snippets |
By Jeffro on April 9, 2012
For the second time in two years, Dan Tynan's website, eSarcasm.com, has been hacked, this time with code that redirected referrals from Google, Yahoo and other search engines to Viagra ad sites. After conducting a thorough security review with Code Garage.com, an online security scanning website similar to Sucuri, they discovered that the point of entry was the zero-day TimThumb vulnerability discovered back in August of 2011.
Last August, a zero-day vulnerability affected TimThumb that allowed hackers to execute their PHP code on any site that was running it. As it turns out, the WordPress theme we bought for the site employs pieces of TimThumb code — including the flaws that were exploited.
Now we have to wait for the spammy search results to evaporate from Google’s cache before everything returns to normal.
Be sure to read the tips that Dan and his security adviser provide on protecting your site. Despite the vulnerability being patched soon after its discovery, sites are still being compromised. Because of the long tail effect and so many websites using WordPress these days, who knows when this point of entry will stop being taken advantage of.
Posted in News | Tagged pcworld, security, timthumb |