Amidst all the fuss about how to find out when there is an upgrade available for WordPress, Konrad Karpieszuk took advantage of the situation and created a plugin that sends an email notification when an upgrade is available. The plugin polls WordPress.org once a day to see whether the installed version differs from the current release, although Donncha has pointed out to the plugin author that he could use the wp_version_check() function instead and piggyback on the update check WordPress core already performs, which would cut out that extra daily request to WordPress.org. Amazingly, there is nothing to configure: just install the plugin, and once a new version of WordPress is released it will send you an email.
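For anyone who wants the same behaviour without a second daily request, here is a minimal plugin that does what Donncha suggests. It is an added example written for this page, not Konrad's plugin or WordPress core code: it hooks the wp_version_check cron event that core already runs and reads the update_core transient core fills in, so it never contacts api.wordpress.org itself. It assumes a current WordPress (3.0 or later, for get_site_transient); the function and option names prefixed cum_ are this example's own.

```php
<?php
/*
Plugin Name: Core Update Mailer (added example)
Description: Emails the site admin once when core's own update check reports a newer WordPress release.
*/

// Core registers wp_version_check() on the 'wp_version_check' cron event at
// priority 10. Running at priority 20 means the update_core transient has
// just been refreshed by core, so no extra request to api.wordpress.org is made.
add_action( 'wp_version_check', 'cum_notify_if_core_update', 20 );

function cum_notify_if_core_update() {
	$installed = get_bloginfo( 'version' );
	$newest    = cum_newest_core_version( get_site_transient( 'update_core' ), $installed );
	if ( null === $newest ) {
		return; // already on the latest release
	}

	// Option name is this example's own; it stops a mail on every cron run
	// for the same release. Upgrading resets nothing, because the next
	// release has a different version string.
	if ( get_option( 'cum_last_notified_version' ) === $newest ) {
		return;
	}

	$sent = wp_mail(
		get_option( 'admin_email' ),
		sprintf( '[%s] WordPress %s is available (running %s)', get_bloginfo( 'name' ), $newest, $installed ),
		sprintf(
			"A newer WordPress release is available.\nInstalled: %s\nAvailable: %s\nUpgrade from: %s\n",
			$installed,
			$newest,
			admin_url( 'update-core.php' )
		)
	);
	if ( $sent ) {
		update_option( 'cum_last_notified_version', $newest );
	}
}

/**
 * Pick the highest 'upgrade' entry from the update_core transient that is
 * newer than the installed version; null when nothing qualifies.
 * Kept free of WordPress calls so it can be exercised with a stub object.
 */
function cum_newest_core_version( $transient, $installed ) {
	if ( empty( $transient->updates ) || ! is_array( $transient->updates ) ) {
		return null;
	}
	$newest = null;
	foreach ( $transient->updates as $update ) {
		// Core tags entries 'upgrade', 'latest' or 'development'; only the first is a real upgrade.
		if ( ! isset( $update->response, $update->current ) || 'upgrade' !== $update->response ) {
			continue;
		}
		if ( version_compare( $update->current, $installed, '<=' ) ) {
			continue;
		}
		if ( null === $newest || version_compare( $update->current, $newest, '>' ) ) {
			$newest = $update->current;
		}
	}
	return $newest;
}
```

Drop the file into wp-content/plugins and activate it; the first cron run after a release lands will send one mail per site, which is exactly the reminder a multi-site maintainer wants.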
Now you might be wondering, didn't WordPress itself have some sort of mailing list that would be used for announcements such as this? The answer is yes, but they have done a terrible job of using the list for that purpose. The last time that list was used was around the release of WordPress 2.7. A few people chimed in on Twitter that the mailing list made this plugin unnecessary, but since we know the mailing list isn't being used, this plugin 'plugs' the gap.
Even though I don’t need to use a plugin like this, I’ve decided to install it just to see if it works. As someone mentioned on Twitter, if you maintain a large number of sites, this could be used as a reminder tool that a particular site needs upgrading. Personally, I’m waiting for the plugin that calls me on my cell phone using a robotic voice to tell me that a new version is available and that if I don’t upgrade the site, I will be terminated.
Let me know in the comments if you have installed this plugin on all of the sites you operate.
This week's edition of WordPress Weekly will be an open mic roundtable centered around the topic of security. We'll talk about security practices, habits that make upgrading harder than it needs to be, the entire situation surrounding the worm that hit older versions of WordPress, ideas for what WordPress can do better, etc. I highly encourage you to call in and speak your mind if you're interested in the topic of WordPress and security.
I also wanted to take this opportunity to remind you of a few things regarding the show. If you would like to receive an email reminder for when the next episode of WordPress Weekly will be recorded, you need to register an account with Talkshoe.com, visit the WordPress Weekly Talkshoe page and click on the Follow button. This will add your account's email address to the list.
If you have a Talkshoe account, I'd appreciate it if you would stop by the WordPress Weekly Talkshoe page and not only rate the show, but also chime in with a review. On the right hand side, you'll see five purple bubbles numbered 1 to 5. Just click on the one that matches the rating you want to give the show. For example, click on the third bubble if you want to rate the show 3 out of 5. Below the rating, you can click on the Write A Full Comment link to give me feedback regarding the show.
Last but not least, if you can review the show on iTunes with a comment I’d appreciate that as well. Hope to see you tune in this Tuesday to chat security with us.
Considering all of the security talk of the past week, I figured the poll question ought to deal with the subject. Plain and simple, do you think WordPress is secure? Let’s talk about it.
Over the weekend, news quickly spread throughout the WordPress community of a worm that was taking advantage of older versions of WordPress. I found out about the problem through Lorelle's Twitter account, where she linked to an article on her blog covering the details of the attack. Mark Ghosh of WeblogToolsCollection.com quickly followed up with a post of his own acknowledging that the plugin competition blog had been compromised. News of the attack quickly spread, with over 150 posts in this WordPress support forum thread alone, but unlike so many people, I had no need to panic since this site is upgraded within a day or two of a release whether it's security related or not.
I spent most of the weekend reading all of the coverage this series of attacks was gaining. Most notable was a post by Robert Scoble, a tech evangelist who forgot to apply the basics of security to his self-hosted WordPress site and ended up burned. Even more interesting was the series of exchanges between Robert Scoble, his followers on FriendFeed and Matt Mullenweg which you can read here.
While reading all sorts of comments published on blogs discussing the attacks, I couldn't help but notice how many short-sighted WordPress users there are. I must have read over a dozen different excuses for why a particular site was not upgraded in a timely fashion. It seems functionality trumps security. However, Dave Coveney made a great point in the forums yesterday: although everyone was being told to upgrade to solve their problems, being secure goes far beyond keeping WordPress up to date. Just because WPTavern is running WordPress 2.8.4 doesn't mean that I'm safe. I'm just 'safer'.
WordPress is web-based software, and the speed at which things move is incredibly fast. I expect new versions of WordPress on a regular basis. If a new version changes one line of code to close a security vulnerability, I want that code released ASAP so I can have it running on WPTavern. WordPress has added a one-click upgrade which to this day has worked flawlessly for me. I know it doesn't work for 100% of the people out there, but even where it does work, people apparently can't be bothered to press a button to start the process. It's getting to the point where the only way to make upgrading WordPress easier is for someone else to do it for them, and for free, no doubt.
Broken plugins are no excuse to stay on a particular version of WordPress, especially when it comes to security. If your website truly depends on a particular plugin to function, send a note to the plugin author to let them know it's broken or, better yet, hire a developer to build and maintain the plugin for you. Plugins, and to a lesser extent themes, have to continually evolve with their parent software. That's just the way it is. Unfortunately, there is a perception amongst the general WordPress userbase that upgrading is most certainly going to break plugins. While that is a risk, I don't think it's as bad these days as it once was. Besides, there are hundreds of guides that explain how to set up a test environment that mimics your public site, so you can try a new release and see whether your plugins break before touching production. Although if it's a security release, I would upgrade now and test later.
What I think this all boils down to is a lack of responsibility on the part of a lot of WordPress users. Not everything can be handed over on a silver platter. Running a WordPress powered site requires effort as well as the responsibility to make sure everything is on the up and up. Quite frankly, if you're running a WordPress powered site or multiple sites, you should be tuned into the WordPress development blog, as that is where all the information regarding new releases is published. Speaking of the development blog, please read Matt's latest post, which is a breath of fresh air regarding the latest round of attacks and why upgrading is an important step in the grand scheme of things.
Before I let you go, it’s important to note that had the majority of people actually upgraded their sites to 2.8.4 prior to the worm being released on the web, we wouldn’t be talking about the attacks that took place during this past weekend. Oh and if you have yet to upgrade, get 2.8.4 now.
In this episode, David and I get you caught up on the news of the week, which includes a few stories from the WordPress.com side of the world. We give you the 411 on the latest version of WordPress to be released, WordPress getting its own URL shortener, and much more. We were also joined by special guest Jane Wells, who provided us with some great information regarding the happenings with WordPress.
Ad Copy:
This episode of WordPress Weekly is sponsored by WebDevStudios.com, a New Jersey based software development company specializing in website development, social network applications, search engine optimization, e-commerce solutions and more. Check out webdevstudios.com for more information.
What is the name of the company that does the server hosting for WordPress.com?
WordPress Trivia Answer:
LayeredTech
This Week's Trivia Question
What is the name of the new part fulltime employee Automattic recently hired?
Announcements:
On Thursday, August 27th at 2PM Eastern Daylight Time, we'll be interviewing Adii of WooThemes. The special date and time is due to Adii's geographic location.
This is a guest blog post written by Brad Williams, author of the blog Strangework.com. He's also a developer for WebDevStudios.com.
I recently gave a presentation at WordCamp Montreal on WordPress Security. While doing research for my presentation I came across a bunch of great WordPress security tips that all WordPress users should follow. Surprisingly, most of these tips are not usually followed. Below is a list of the top 5 tips that most WordPress administrators do not do, but should:
1. Don't use the admin account – Every WordPress installation creates a default user named admin. Unfortunately the entire world knows this, hackers included, so a dictionary attack against your login only has to guess the password; if the attacker already knows your username, that's half the battle. WordPress won't let you rename a user from the dashboard, so the fix is to create a new user with the Administrator role, log in as that user, and delete admin, attributing its posts to the new account when prompted.
2. Move your wp-config.php file – Did you know that since WordPress 2.6 you can keep wp-config.php outside your WordPress root directory? Most users don't know this, and those who do rarely bother. Simply move wp-config.php up one directory from the WordPress root; if WordPress can't find it in the root it automatically looks in the parent directory (as long as that directory isn't itself a WordPress install, i.e. doesn't contain wp-settings.php). When the WordPress root is your document root, the file now sits outside the web-served tree, so a server misconfiguration that serves .php files as plain text can no longer hand out your database credentials.
3. Change the WordPress table prefix – The WordPress table prefix is wp_ by default. You can change it before installing WordPress by editing the $table_prefix value in your wp-config.php file. This won't stop SQL injection as such (a vulnerable query is exploitable whatever the tables are called, and an attacker can often read the real names out of information_schema), but it does defeat canned attack scripts that blindly target wp_users and wp_options, and it makes blind exploitation slower. If you want to change the prefix after you have installed WordPress, the WP Security Scan plugin can do it for you. Take a good backup first, because every table plus the prefixed option and usermeta keys (wp_user_roles, wp_capabilities, wp_user_level) have to be renamed consistently or nobody can log in.
4. Use Secret Keys – This is probably the most followed security tip on the list, but I'm still amazed at how many people don't do it. The secret keys are not about your stored password (WordPress salts password hashes separately); they are the secret material WordPress mixes into the signatures on its login cookies and nonces, so that a cookie cannot be forged by someone who doesn't know them. They are set in your wp-config.php file. Simply visit https://api.wordpress.org/secret-key/1.1 to have a set of randomly generated keys created for you, copy the 4 definitions into wp-config.php and save. You can add or change these keys at any time; the only effect is that all current WordPress cookies are invalidated and your users have to log in again.
5. htaccess lockdown – This is actually my favorite tip from my presentation. Using a .htaccess file you can lock down your wp-admin directory by IP address, so that only the addresses you list can reach the dashboard URLs; everyone else gets a 403 from Apache before WordPress even runs. Note what it covers: only the wp-admin directory. wp-login.php and xmlrpc.php live in the WordPress root, so password guessing against those is not stopped by this rule. To do this, create a file called .htaccess inside wp-admin and add the following, replacing xxx.xxx.xxx.xxx with your IP address:
# Apache 2.2 access-control syntax. Apache 2.4 needs mod_access_compat loaded
# for these directives, or replace the three of them with: Require ip xxx.xxx.xxx.xxx
order deny,allow
deny from all
# IP addresses to whitelist, one "allow from" line each
allow from xxx.xxx.xxx.xxx
You can add multiple "allow from" lines, so make sure to add every IP address you plan on accessing your site from (i.e. home, office, etc.). Remember that most ISPs use dynamic IPs, so your IP address might change on occasion. If you get locked out, just update your .htaccess file over FTP or delete it altogether. Because the rule covers the whole wp-admin directory it also blocks wp-admin/admin-ajax.php, which some plugins and themes call from the public side of the site, so check that nothing on your front end breaks. This obviously is not a good tip if you allow open registrations, as you need to allow your users access to wp-admin.
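To make tip 4 concrete, here is a stripped-down model of how the wp-config.php keys enter a login cookie, and why changing them logs everyone out. This is an added example written for this page, not WordPress's own code: real WordPress (wp_generate_auth_cookie and wp_validate_auth_cookie) also mixes in a fragment of the user's stored password hash and keeps a separate key per cookie scheme, whereas this keeps a single key so the effect of rotating it is easy to see. The key values and the editor/admin usernames are constructed for the example; it needs PHP 5.6 or later for hash_equals().

```php
<?php
// Added example, not WordPress code: a one-key model of the auth cookie.
// Format is login|expiry|MAC, with the MAC keyed by the wp-config.php secret.

// Stand-in for AUTH_KEY from wp-config.php (constructed value for this example).
$auth_key = 'k3!Zq~8^wPd#Lm2&vC9)tRf@Xs4(bH7*';

function model_make_cookie( $login, $expires, $key ) {
	$mac = hash_hmac( 'sha256', $login . '|' . $expires, $key );
	return $login . '|' . $expires . '|' . $mac;
}

function model_validate_cookie( $cookie, $key, $now ) {
	$parts = explode( '|', $cookie );
	if ( count( $parts ) !== 3 ) {
		return false; // malformed
	}
	list( $login, $expires, $mac ) = $parts;
	if ( ! ctype_digit( $expires ) || (int) $expires < $now ) {
		return false; // expired or garbage expiry
	}
	$expected = hash_hmac( 'sha256', $login . '|' . $expires, $key );
	// Constant-time comparison so the MAC cannot be guessed byte by byte.
	return hash_equals( $expected, $mac ) ? $login : false;
}

// Small self-check helper: stops the script if a property does not hold.
function check( $label, $holds ) {
	if ( ! $holds ) {
		throw new RuntimeException( "unexpected result: $label" );
	}
	echo "ok: $label\n";
}

$now    = time();
$cookie = model_make_cookie( 'editor', $now + 172800, $auth_key ); // two days, like WordPress's default

check( 'genuine cookie validates as editor',
	'editor' === model_validate_cookie( $cookie, $auth_key, $now ) );

// Forgery: the attacker knows the format and a username but not the key,
// so whatever MAC they supply is rejected.
$forged = 'admin|' . ( $now + 172800 ) . '|' . str_repeat( '0', 64 );
check( 'forged admin cookie is rejected',
	false === model_validate_cookie( $forged, $auth_key, $now ) );

// Tampering: stretching the expiry of a genuine cookie breaks its MAC too.
$parts  = explode( '|', $cookie );
$tamper = $parts[0] . '|' . ( $now + 31536000 ) . '|' . $parts[2];
check( 'cookie with extended expiry is rejected',
	false === model_validate_cookie( $tamper, $auth_key, $now ) );

// Rotation: a new key in wp-config.php invalidates every cookie issued under
// the old one, which is the "everyone has to log in again" effect.
$rotated = 'Vb6#Nq~2)rTe%Yu8(jKo!Pm5&cXw@Gz0';
check( 'old cookie fails after key rotation',
	false === model_validate_cookie( $cookie, $rotated, $now ) );
```

Run it with php from the command line; each check prints ok, and the same four properties are what you get from filling in the real keys: unforgeable cookies, tamper-evident expiry, and a clean way to kick out every session by editing one file.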
So, how many of these tips do you follow regularly?
You can view my full WordPress Security Presentation from WordCamp Montreal below and view my slides (Canadian flags and all!) here:
Were you surprised to see WordPress 2.8.3 released? I was, but I didn’t think it would be because of the same security related issue that 2.8.1 was supposed to address. I thought 2.8.3 was released as a bug fix version as a few annoying bugs have popped up that were giving people issues. It was inevitable that a 2.8.3 would be released before 2.9. I’m glad however to report that 2.8.3 does contain some bug fixes as well as completely fixing the security exploit. The bug I had in mind deals with editing comments and the URL field being blank even though there was a value represented in it, which has been fixed. The upgrade was easy peasy for me and I suggest you upgrade as well. But please, backup your data first before you even think about touching that upgrade button.
John Kolbert, who authors a few different WordPress plugins, has released an update to Absolute Privacy. The new update lets XML-RPC clients such as the iPhone app through and also prevents subscribers from reaching any of the administration pages. Absolute Privacy provides a wealth of options for those wanting to really turn their blog into a private domain. Here is a listing of the features currently supported.
Force registrants to enter first and last name
Allow registrants to choose their own passwords
Moderate users: new registrants cannot login until approved
Get emailed every time an approval is waiting (with a link for quick approval)
Lock out all non-logged in views from your website (configurable)
Prevent subscribers from viewing admin pages (like their profile page and the dashboard)
Perfect for family blogs, personal sites, and private communities!
In essence, it takes WordPress privacy settings to the next level without compromising ease of use for those that need it. While not directly related, I've used a simple yet effective plugin in the past from John Kolbert called WP Admin Favicon, which lets people provide a favicon strictly for the WordPress administration area. It can get hectic inside a browser with 10 tabs or more open, and with only the favicon to go by, choosing the right tab that has your WordPress write panel in it is a nightmare without a custom favicon. John tells me that his next project related to these two plugins is language localization support.
QuickOnlineTips.com has a list of what they believe to be the best nine security plugins to use with WordPress. Some of the usual suspects have made the list such as WP Security Scan. I’m not sure if it’s good to mention this or not, but I don’t use any of those plugins on the list. What I do use is a strong password, .htaccess blocking of folder indexes, a renamed admin account and a few other little quirks.
In the process of making your WordPress uber secure, I’m wondering if anyone out there has hosed their blog by making it too secure? Maybe you installed the wrong security plugin or perhaps the combination of security plugins created a recipe for disaster? If this has happened to you, please share your stories in the comments, I’d love to read them.
Unfortunately, I bet this is a common question. I should browse the WordPress.com forums to see how many people are inquiring about the recent security upgrade.
I have read that there is an important security update for the WordPress blogging software. Do I need to upgrade my blog www.anopensource.wordpress.com, if so how can I do this?