WordCast Interviews Automattic's Own Maya Desai
I love it when other podcasts interview employees of Automattic, especially ones I’ve never heard from before. WordCast Conversations, episode twelve, features an interview with Maya Desai, who is in charge of operations for Automattic. She is also the one WordCamp organizers most likely talk to when it comes to planning an event or having Automattic employees show up. In the interview, we find out how she became an Automattic employee (it’s a funny story), what it was like to transition from a corporate environment to a virtual one, and some other experiences she’s had. One tidbit of information that I picked up in the interview is that the WordPress store will be moved and run in-house. No word yet on whether there will be any new products added to the store. I’m waiting on a hat or a long-sleeve shirt.
Does WordPress Need A Native Security Suite?
April has been a troubling time for a couple of well-known web hosts, security-wise. Ipstenu wrote a post on the various hacks that took place this month, and I thought it was a well-written piece that explains the conditions that had to line up for those events to occur. I’m not sure if she coined the phrase, but I like her idea that security is a tripod.
* The web host is responsible for making sure the server itself is up to date with the latest patches, etc., and that the server is configured in a safe way.
* Web apps are responsible for not unleashing needless insecurities on the system.
* The end-user: we pray to the Flying Spaghetti Monster that they’ve not done something to violate security out of ignorance.
We’ve also been chatting in the WordPress Tavern forum about whether WordPress should ship with a built-in set of security tools. Based on feedback within the thread, the majority don’t feel that is necessary. When thinking about this topic, it’s important to figure out how far the responsibility of the WordPress codebase goes in terms of security. Should WordPress make sure that the code is secure out of the box, and that’s it? Or should it have built-in mechanisms to protect users in certain use cases? Security only goes so far at the application level and, as has been discussed on the forum, if the server hosting a WordPress-powered site becomes compromised, then it’s all over. The one glaring gap I’d like to see tackled in WordPress is a built-in login lockout system, so that password crackers can’t sit on the WP-Admin login page and try out as many passwords as they want.
I think the biggest part of security as it relates to WordPress is using a competent host, especially if it’s shared hosting, because you as a customer can’t configure anything on that server as it relates to security. Therefore, when hosting with them, you are putting your eggs in their basket and hoping they don’t break. What I think I’ll do is try to put together a guide or questionnaire, with the help of the Tavern community, that you can use to check whether web hosts you’re interested in meet certain requirements for secure hosting.
Keep an eye on the following thread as the responses come in.
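To show what the login lockout mentioned above could look like, here is an example plugin written for this post (not code from WordPress core or from any plugin discussed here) that counts failed logins per source IP with transients and refuses further attempts once the limit is reached. The limit, the window length and all function names are assumptions.

```php
<?php
/*
Plugin Name: Tavern Login Lockout (example)
Description: Locks out a source IP after repeated failed logins.
*/

// Assumed tuning values, not taken from the post.
define( 'TLL_MAX_ATTEMPTS', 5 );   // failed attempts allowed per window
define( 'TLL_WINDOW', 900 );       // window and lockout length in seconds

// Transient key derived from the requesting IP address.
// Note: behind a reverse proxy REMOTE_ADDR is the proxy's address.
function tll_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'tll_' . md5( $ip );
}

// Count a failed login attempt against the source IP.
// The transient expires after TLL_WINDOW seconds, which resets the count.
function tll_record_failure( $username ) {
    $key   = tll_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, TLL_WINDOW );
}
add_action( 'wp_login_failed', 'tll_record_failure' );

// Refuse authentication once the IP has used up its attempts, regardless
// of whether the submitted password happened to be correct.
function tll_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( tll_key() ) >= TLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'tll_locked_out',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
// Priority 30 runs after core's username/password check (priority 20).
add_filter( 'authenticate', 'tll_check_lockout', 30, 3 );

// A successful login clears the counter for that IP.
function tll_clear_on_login( $user_login, $user ) {
    delete_transient( tll_key() );
}
add_action( 'wp_login', 'tll_clear_on_login', 10, 2 );
```

Because a locked-out attempt still fires wp_login_failed, the lockout keeps extending while someone continues hammering the page, and a shared-hosting proxy or NAT would lock out everyone behind the same address, so a forwarded-IP header may be needed and should only be trusted when it comes from your own proxy.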
The Best WP Hacks Of 2010 So Far
Jean-Baptiste Jung, who runs CatsWhoCode.com, has compiled a list of what he considers to be the top WordPress hacks so far in 2010. Among the list are code snippets to allow contributors to upload files, display ‘time ago’ dates, use WordPress navigation outside the loop, and disallow the ability to switch themes. One of my favorite tips in his list is the MySQL query that makes it easy to remove specific shortcodes from posts. However, can anyone verify whether I could use the search and replace plugin to search every post for the shortcode and just replace it with blank space? Wouldn’t that do the same thing without going into phpMyAdmin?
Sucks To Be A Network Solutions Customer Right Now
If I were operating Network Solutions right now, I’d be on my knees begging for mercy. Browsing through my feed reader today, I came across a post on ComputerWorld.com mentioning that customers hosted on Network Solutions have been attacked again. This time, it’s not targeted at WordPress users. Sucuri Security Labs has the most detailed information regarding the latest attack, which again uses an iframe to point visitors to a Ukrainian server. Sites running Joomla, WordPress or no CMS at all have been affected. StopMalVertising has also reported on the issue.
Network Solutions has responded to customers in a public blog post that explains they are aware of the attack and are working hard to fix it. You don’t have to tell me twice that web hosting is a complicated business to do correctly and that fighting hackers is a never-ending battle, but at what point will customers begin to jump ship? Going through a few attacks within the span of a few weeks is terrible PR. As a company, these guys will need some stellar months of performance and uptime before their reputation begins to recover, and even then, the attacks have been documented pretty well on a number of websites, which may never drop out of the Google long tail.
Use The Media Library Or Hand Code?
DiggingIntoWordPress.com has released the results of the poll from January in which they asked their audience, “How Do You Use The WordPress Media Library?” Interesting results, to say the least. 30% of voters stated they loved the media library and used it for all media content. Following closely behind was occasional use for uploading and editing media. The most surprising result of all is the preferred method of hand-coding and uploading images through FTP, which had a voting total of 23%. It’s hard to believe that percentage is so high, but I have a story I’d like to tell.
When I started using WordPress, and probably for a year after that, I manually uploaded my images through FTP. I organized them by hand into folders and linked to them in the post editor. I even created thumbnails by hand using HTML code pasted into the editor. While tinkering around in WordPress, I eventually discovered the media library and figured out one day that all of the images I uploaded through it could be reused. Up until that point, I would sometimes upload the same image into the media library again, or I would dig up a link to an image via FTP. What a time saver it was to discover the media library. I wonder if those who voted for hand-coding have just never realized the benefits of using the uploader, or if they feel the uploader is inferior to their current methods.
I’m interested in hearing from you on the benefits or drawbacks of hand-coding images versus using the media uploader, if there are any.
Adding Twitter Anywhere Into Your WordPress Site
WPBeginner has a great tutorial on how to add the Twitter Anywhere service to your WordPress-powered site. Twitter Anywhere is a service provided by Twitter that enables webmasters to add Twitter to a website with just a few lines of JavaScript. Not just an embeddable box, but one that lets visitors tweet, a follow button that works, and a slew of other features. I’m not sure if I want to add something like this to the WPTavern website, but I suppose if enough people talk me into it, I could give it a try.
Unlike many of the other sites, I don’t have a ton of social media icons strewn about. My line of thought is that if users want to share stuff with their network, they will already have the tools to do so.
Steps To Diagnose And Repair The Pharma Hack
Chris Pearson, whose personal site recently became infected with the Pharma Hack, which took advantage of his site’s popularity and back-links to cloak spam links in Google results, has published an in-depth piece on how to diagnose and fix the problem. Chris goes into detail on what the hack does and how to use tools such as phpMyAdmin and FTP to determine whether you’ve been infected. According to his analysis, this hack is pretty clever in the way it accomplishes its goals without being blunt about it. There is no telling how long the spam links would have existed had it not been for Pearson’s fans letting him know about them. Unfortunately, Chris Pearson has no idea how the hacked files got into his account.
At this time, there is still one huge unanswered question about the WordPress pharma hack: How in the hell did the hackers manage to get into your server in the first place? I’ve received reports of the pharma hack on a variety of different Web hosts and server configurations, so it’s clear that the main vulnerability extends beyond a single host/server platform. So far, the only common denominator between the sites I’ve examined is that they’re all running WordPress, but even this fact doesn’t mean that WordPress itself is the problem.
There is currently an ongoing thread in the Tavern forum where we are trying to piece together the various bits of information to find a consistent pattern, but with reports spread out across different hosts and environments, the one commonality between them all is the use of WordPress. On the surface, this has everyone thinking there is some inherent flaw in the WordPress software causing this attack. Until that is confirmed, it is not established; it’s just a similarity. If you have been hit with this attack, you are encouraged to participate in the thread and explain the circumstances that occurred in your case.
Kudos to Chris Pearson for diving deep into the issue and then providing a fix that hopefully solves the problem for other people in the community.
Network Solutions Admits WordPress Is Not At Fault
Network Solutions has finally published a post on their blog that not only shows them accepting responsibility for what happened to their customers’ websites, but also explains that WordPress was not the cause of the issue.
Recently, our customers have complained about malicious code on certain of their blogs hosted by Network Solutions. This was not an issue with WordPress. Sorry to the WordPress community and customers for any misunderstanding.
The post then goes on to say that what happened resulted from a complex set of circumstances that they have worked to prevent from happening again. No specific details regarding what these complexities are were revealed. While I still think it would be an awesome thing for them to spell out exactly what happened so others can learn from their mistake, I’m glad to see them own up to it and apologize to the WordPress community for jumping the gun. Unfortunately, I doubt all of the websites that reported on the incident will publish follow-up stories with the correct information, so the damage has been done.
I took some heat regarding the way I wrote about this story by highlighting the conflicting statements between Matt Mullenweg and Network Solutions. The post was not meant to fan flames; it was aimed at getting Network Solutions to tell us exactly what was going on and, if it was not the fault of WordPress, to at least admit that much to the public. Thus, in the end, Matt Mullenweg was right and Network Solutions was wrong.
While the discussion originally centered around Media Temple, there is a great discussion regarding security in general within this particular forum thread.
No More Unlimited Support Or Upgrades For GravityForms After May 1st
GravityForms recently made a big announcement that will affect new customers who make a purchase after May 1st. Currently, all customers who purchase a single-site or developer support license receive unlimited upgrades for life.
On May 1st we will be changing the Gravity Forms Terms of Service. Support and automatic updates will change to a 1 year term for all NEW purchases beginning on that date.
Customers who purchase before May 1st will NOT be impacted and will continue to receive lifetime support and updates for the license they currently own.
Not only will the 1 year of support and upgrades apply to the single-site license, but to the developer license as well. Customers who make a purchase before May 1st will get lifetime support and upgrades, as will those who upgrade to a developer license before then. If you haven’t purchased your copy of GravityForms, now may be the best time to do it so that you’re set for life when it comes to support and upgrades.
If you need a reminder of what GravityForms is capable of doing, check out this recent review from BloggingPro.com.
Also, for existing GravityForms customers, check out Joost de Valk’s GravityForms widget.