By Jeffro on May 5, 2010
Over the weekend, numerous users on GoDaddy shared webhosting accounts reported that their sites had been hacked with injected malware. Neowin.net was able to get a hold of GoDaddy’s security expert Todd Redfoot who explained what happened:
GoDaddy reassures customers that the attack was via WordPress and not an attack on the GoDaddy servers themselves. The coordinated attack on WordPress was formed in a botnet-like attack, which targeted outdated versions of WordPress, however, the exploit was not found in version 2.9.2. In some instances, users not running WordPress were also hacked, but did have an active or inactive WordPress installation on their account. In as many cases, users were unaware that an installation of WordPress was present on their account.
So in this instance, GoDaddy itself was not specifically attacked; sites running WordPress on its servers were. It is another reminder that upgrading as soon as a new release is available, to reduce the chance of these types of exploits affecting your site, is essential to keeping a website healthy.
On a related note, a couple of U.S. Department of the Treasury websites have been hacked as well. Those sites are hosted on the Network Solutions hosting platform, which explains the compromise. According to NetSol:
This past weekend, an application that we support on our hosting platform was exploited as we were in the process of fixing it. We believe we have fixed the issue and we were able to contain the number of potentially affected websites to less than 250.
Discussion regarding the hacks affecting the various webhosting companies is ongoing in the following WPTavern forum thread.
By Jeffro on April 26, 2010
April has been a troubling month, security-wise, for a couple of well-known web hosts. Ipstenu wrote a post on the various hacks that took place this month, and I thought it was a well-written piece that explains the conditions that had to line up for those events to occur. I’m not sure if she coined the phrase, but I like her idea that security is a tripod:
* The Web Host is responsible for making sure the server itself is up to date with the latest patches etc, and that the server is configured in a safe way.
* Web-apps are responsible for not unleashing needless insecurities to the system.
* The end-user we pray to the flying spaghetti monster that they’ve not done something to violate security out of ignorance.
We’ve also been chatting in the WordPress Tavern forum about whether WordPress should ship with a built-in set of security tools. Based on the feedback in the thread, the majority don’t feel that is necessary. When thinking about this topic, it’s important to work out how far the responsibility of the WordPress codebase extends in terms of security. Should WordPress make sure the code is secure out of the box, and that’s it? Or should it have built-in mechanisms to protect users in certain use cases? Security only goes so far at the application level; as has been discussed on the forum, if the server hosting a WordPress-powered site is compromised, then it’s all over. The one glaring gap I’d like to see tackled in WordPress is a built-in login lockout system, so that password crackers can’t sit on the wp-admin login page and try as many passwords as they want.
I think the biggest part of security as it relates to WordPress is using a competent host, especially on shared hosting, because as a customer you can’t configure anything security-related on that server. Therefore, when hosting with them, you are putting your eggs in their basket and hoping they don’t break. What I’ll do is try to put together a guide or questionnaire, with the help of the Tavern community, that you can use on potential web hosts you’re interested in to see whether they meet certain requirements for secure hosting.
Keep an eye on the following thread as the responses come in.
By Jeffro on April 26, 2010
Jean-Baptiste Jung, who runs CatsWhoCode.com, has compiled a list of what he considers to be the top WordPress hacks so far in 2010. Among the list are code snippets to allow contributors to upload files, display ‘time ago’ dates, use WordPress navigation outside the loop, and disallow switching themes. One of my favorite tips in his list is the MySQL query that makes it easy to remove a specific shortcode from posts. However, can anyone verify whether I could use the Search and Replace plugin to search every post for the shortcode and just replace it with blank space? Wouldn’t that do the same thing without going into phpMyAdmin?
By Jeffro on February 26, 2010
Back in July of 2009, I wrote about my experience of deleting a field in my database that, unknown to me, was important for WordPress to have. The field is called comment_karma. At the time, I had no idea why this field mattered to WordPress. Today, I stumbled across an article on True/Slant that explains how they use this particular field, together with AJAX, to curate and filter comments. They provide the code snippets along with explanations of what the code does.
By Jeffro on August 4, 2009
The folks over at WPBeginner.com have a great list of 15 different WordPress hacks that they consider extremely useful, and I’d tend to agree. Their first hack, which lets you link the post title to an external source, sounds like something Matt Mullenweg could implement on his personal site. One of the useful hacks I found was the ability to use a custom image for the default Gravatar. Simple, but nifty. I’m also starting to see more of this thing called rand, which is used to randomize something.
The most useful hack on that post, and the one I’m thinking of implementing myself, is the ability to delay a post from appearing in the RSS feed for a period of time, so that I have a small window in case I need to make a change or edit the post. There are a couple of other good ones on the list as well, so go check them out and bookmark it.
By Jeffro on May 20, 2009
John Pratt over on WPHacks.com has published a great guest post explaining the ins and outs of WordPress theme template pages. These pages are what make up a WordPress theme. Although most theme designers end up doing things their own way, it’s a good idea to understand the basic flow of a theme in case you want to make one yourself or add template pages to your current theme.
Every time a WordPress page is called the WP ‘engine’, if you will, determines (through process of elimination) what kind of page it is. It’s kind of like a “where am I?” function. WordPress says “what page am I…” and in turn tries to call pages in a specific order. If WP doesn’t find the PHP file it needs it just defaults to the “index.php” file and uses it instead.
If you’re an aspiring theme author, definitely give this post a read; actually, print it off and use it as a reference.