Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: wordpress

  • Hotlink Protection

    Hotlinking is putting a link to someone else’s webpage’s graphic on your site. This is also called bandwidth theft. Directly linking to a website’s files (images, video, etc.) means that when someone accesses your website, they draw bandwidth from another. If you use an IMG tag to show a picture from someone else’s page on your blog, forum post, or website, that’s hotlinking. You’re stealing their bandwidth.

    There is a case in which this sort of ‘theft’ is ethically permissible, though some webhosts don’t like it. If you have multiple Yahoo! sites, and one is low on bandwidth, you can shuttle some of your content to the other site, and thus split up the bandwidth. This isn’t always a good idea, as if it’s against the Terms of Service on your host, they can kill you. Which is why you should always back up your websites on your on computer. If you own your own domains (like I do) and have multiple ‘subdomains,’ then it’s okay to share an image. ipstenu.org is considered a different website that photos.ipstenu.org, so I have to tell my server it’s okay to share between the two. But that’s code geeky.

    What the common websurfer needs to know is this: direct linking to a picture, movie file, or any other content on someone else’s site, unless it’s a simple URL link to that site, is bad form, ethically asinine, and impolite. It’s akin to stealing electricity from your neighbor by plugging into their outlets.

    But what do you do when someone’s hotlinking to your server? Most of us find out about this via a nastygram from our webhost saying we’re using too much bandwidth. Bandwidth controls how fast you can view the net from your home, as well as how much data a website can share with the world each month. Having more bandwidth is better all the time, but forcing users to use more bandwidth with image heavy sites and poorly coded web pages is not cool. Still, sometimes you have a moderate site and one image becomes super popular.

    This is where you need to learn about hotlink protection. The most basic code is this:

     
    # Simple Hotlink Protection
    
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com(/)?.*$                   [NC]
    RewriteRule \.(gif|jpe?g?|png)$                             - [F,NC,L]
    
    

    This basically says ‘If you’re not from yourdomain.com, and you’re trying to see an image, you’re not me, go away. Sometimes I make that last line something like this:

    RewriteRule \.(gif|jpe?g|png)$ http://mydomain.com/hotlink.gif         [NC,L]
    

    Which shows them a ‘No, don’t do that’ image. If you’re going to do that, use a SMALL image, since that will use up some of your bandwidth.

    For most people, that works just fine, but I’ve run into a couple situations that were weird.

    Multiple Subdomains

    If you’re using a lot of subdomains (like, say, with WordPress MultiSite) you’ll find pretty quickly that the normal hotlink protection rule will block subdomain.yoursite.com from getting images from www.yoursite.com and we don’t want that! For one subdomain, it’s an easy fix:

     
    # Simple Hotlink Protection
    
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com(/)?.*$                   [NC]
    RewriteCond %{HTTP_REFERER} !^http://(subdomain\.)?yourdomain.net(/)?.*$               [NC]
    RewriteRule \.(gif|jpe?g?|png)$                             - [F,NC,L]
    
    

    But what about multiple sites? At 12 subdomains, you don’t want to have to add these links in manually every time! Thankfully, the geniuses at Perishable Press have created the Ultimate htaccess Anti-Hotlinking Strategy. You can read the whole post for the details, but here’s the basic code:

     
    # ultimate hotlink protection
    
     RewriteEngine on
     RewriteCond %{HTTP_REFERER}     !^$
     RewriteCond %{REQUEST_FILENAME} -f
     RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$           [NC]
     RewriteCond %{HTTP_REFERER}     !^https?://([^.]+\.)?domain\. [NC]
     RewriteRule \.(gif|jpe?g?|png)$                             - [F,NC,L]
    
    

    Simple. Elegant. Genius. All you have to do is change domain to whatever your domain is. Notice there’s no .com or .net in there? There doesn’t need to be. This is the one I use for this site:

     
    # ultimate hotlink protection
    
     RewriteEngine on
     RewriteCond %{HTTP_REFERER}     !^$
     RewriteCond %{REQUEST_FILENAME} -f
     RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$           [NC]
     RewriteCond %{HTTP_REFERER}     !^https?://([^.]+\.)?ipstenu\. [NC]
     RewriteRule \.(gif|jpe?g?|png)$                             - [F,NC,L]
    
    

    That’s it. Just change domain to ipstenu and I’m done.

    Letting Other Sites Use Your Images

    The other major gotcha to this is what about other sites where it’s okay if they link to you? For example, I have a livejournal site (I know) that’s a mirror of another blog. To take care of that, I added in this as my last condition:

     RewriteCond %{HTTP_REFERER}     !^http://ipstenu.livejournal\.   [NC]
    

    Here I specified the URL a little more, since I don’t want all of livejournal nabbing my images. Of course, ironically enough, the line where I call ipstenu has the funny side effect of allowing any URL with the name ‘ipstenu’ in it to access my site. Which is a risk I accept right now.

    If you’re using my first example, the simple protection, then just like you added in a subdomain, you add in your other URLs

     
    RewriteCond %{HTTP_REFERER} !^http://ipstenu\.livejournal\.com(/)?.*$               [NC]
    

    This will save you some headaches down the road, but just remember which one your using. Otherwise, like me when I made a new subdomain, you’ll sit there wondering why the heck the images are broken!

  • Why doesn’t the WordPress auto-upgrade work?

    This came up recently with the WordPress upgrade to 3.0 (and subsequent 3.0.1 bug fix). A lot of people had problems upgrading from WordPress 2.9.2 to 3.0, and for the most part, the fixes were simple.

    There was a known ‘memory bug’, where WordPress didn’t request enough memory from the server when upgrading and, since 3.0 is a bit bigger than 2.9.2, it failed. This was fixed with the plugin Memory Bump. Once you upgraded to 3.0, you could remove this plugin, because the new WordPress version took care of it on it’s own. There were other issues, though most of them seemed to be plugin conflicts or people using weird versions of PHP. I even had a note I kept handy:

    Memory Issues
    Per naicin

    We’re in the process of pushing out a plugin for this: http://wordpress.org/extend/plugins/memory-bump/

    In the meantime, you can also add this to your wp-config.php file:
    define('WP_MEMORY_LIMIT', '256M' );

    The issue is that WP *may* need more than the default 32 MB to upgrade to 3.0, due to the increased package size over 2.9. This is a “known issue”.

    3.0 handles this by always bumping you to a very high memory limit in the admin area, so you won’t see this once you’ve hit 3.0.

    Weird Errors and blank screens
    Rename your plugins folder to plugins-old (via FTP or SSH) and see if that fixes it. If so, name the folder back to plugins and reactivate your plugins, one at a time, testing between each copy.

    Believe it or not, those two answers were probably 90% of what I posted on the WordPress forums for the better part of a week. That and ‘Yes, these plugins don’t work on 3.0 yet’ (and I had a list for that too!).

    Then came Zarathustra — I mean WordPress 3.0.1 — and people began to have new issues. The most common was something like this:

    Downloading update from http://wordpress.org/wordpress-3.0.1.zip…
    Unpacking the update…
    Verifying the unpacked files…
    Installing the latest version…
    Could not copy file.: [some file]
    Installation Failed

    The file would be different for pretty much everyone.

    As far as I know, we’ve not found a fix yet, however I pointed out that when the auto-upgrade fails, you should try installing the update manually. It’s not that hard. It’s basically copying files to a server and if you can’t do that, I don’t think you should be running your own self-hosted site. This is why I run the techside of a site for someone else. Know your limits, I always say (my limits self-tests haven’t always been non-destructive, by the way).

    In this support post for the failed install, riddle said:

    I’d like to get back to the original poster’s point: 3.0.1 automatic upgrades are too unreliable for the very WP admins who most need one-click upgrades.

    ipstenu’s reply (“This is a problem with your server setup, most likely, not WP. The most likely reason would be that your PHP setup doesn’t like the way WP 3.0.1 is unzipping and copying files.”) misses the point. If there are common PHP configurations under which the automatic upgrade won’t work, then at a minimum the upgrade script should test for them before breaking the site.

    And I replied:

    You just hit the nail on the head as to WHY automagic upgrades fail.

    There aren’t config standards for PHP and server software that are across the board on every server known to man. Each company has their own settings and standards, and even then (as I pointed out to a coworker yesterday), unless you clone a machine onto the exact hardware, you’re still going to have an inexact copy.

    Servers are snowflakes, man. It sucks, but that’s it.

    WordPress is able to say ‘Your server must be able to do these things to RUN WordPress’, but even then, someone may have a wildly weird setup where stuff works poorly. It’s the nature of the beast and it’s impossible to test everything.

    If the automatic upgrade fails, do it manually. It’s not that hard (copying files). Heck, it’s easier than installing manually the first time!

    And really this is the problem with all software, web or otherwise. There’s a reason software has ‘minimum requirements.’ It’s the bare minimum someone tested on and the software worked. WordPress says ‘To run this software, you need PHP 5.2 and MySQL 5.0.15’ (as of of 2011, so get on that now!) and that’s pretty much it. That’s all you need to have WordPress run, but that’s not all you need to do everything you could possibly do with WordPress, and this includes those pretty auto-magical upgrades.

    For what it’s worth, I come at my viewpoint from someone who spent 3 years doing application testing. I had to make sure all the apps used together worked together on every computer. Which is impossible. There’s no way I could promise that every app someone might use will always work on a computer with every other app. To make our goal realistic, we ‘certified’ applications, and would list any known conflicts, as well as everything we knew it worked well with or needed tweaks.

    Knowing that, and knowing that servers are setup with just as much variation as desktops, means that when someone says that WordPress should have standards it works on I think they’re just naive. There’s really no such thing as a ‘standard.’ There’s no standard location for temporary files, there’s no standard location for a home folder, and there sure as hell is no standard setup for installing PHP on a Red Hat box. There are variables galore that could cause all sorts of issues. There are application conflicts, configuration miss-matches, setup issues and, of course, the fact that there are so many different types of ‘standard *nix servers’ that are used, with hundreds of patches and tweaks, that the target’s moving so fast, I think it just hit you in the head.

    So why doesn’t your automated upgrade work when you click the button on WordPress? The possibilities aren’t endless, but they’re pretty thick. You’re better off learning how to do the manual upgrade if you have wild errors no one’s seen before.

    And I hold by my belief that if you can’t perform a manual upgrade, you need to rethink your capabilities of running a website on your own. If you’re running MultiSite and you can’t do it, you’re going to be in a world of hurt one day, and I will do the ‘Told you so’ dance.


  • Child Themes – Learn them, love them

    As a general rule, I don’t do much help with themes. Not because I can’t, but because themes are a style and preference issue, which means what I think looks good, you may not. Once I find a theme I like, I prefer to spawn a child there-of to modify and customize. I’m going to step a little outside my comfort zone to discuss child themes.

    The parent/child relationship in code is something that shows up everywhere. A child inherits from a parent, and only the aspects of the child you change will be different. This is most simply understood in the realm of WordPress themes. The official WordPress Codex doc on Child Themes is mostly straight forward for anyone who’s looked at a theme and played around a little. But the novice can get easily overwhelmed.

    The easiest way to get started is to make a new folder in wp-content/themes for your theme. /wp-content/themes/child-of-2010 for example. I like to name my children something that will remind me right away of their parent. For example, on another site, I have a news-style theme, taken from Justin Tadlock’s Hybrid Theme, which I called ‘Hybrid News ala JFO – Blogging’. The folder name is ‘hnj-blog‘ to differentiate it from a very similar, but functionally different ‘hnj-video‘ and ‘hnj-plain‘. Each of the three themes is a small variation on the parent theme, but because of the way I wanted to call things, I decided that it was better to have three themes instead of an extensive functions hack and slash. This was after a lot of testing and tweaking and changing, but in the end, this worked for me.

    For a proper child theme, you only need one file in that folder: style.css

    You heard me right, just one. That Style file will be what tells your code where to look for your parent theme. Here’s what Child looks like:

     
    /*
    Theme Name: Child of 2010
    Theme URI: http://Ipstenu.org
    Description: This is a child theme of Twenty Ten (2010), the 'new' default WordPress Theme.
    Version: 1.0
    Tags: fixed width, widgets, valid CSS, valid XHTML, SEO, SEO friendly, adsense, custom header, three columns, clean,  right sidebar, blue,white, photoblogging, widget ready, simple, gravatars
    Author: Mika Epstein
    Author URI: https://ipstenu.org/
    Template: twentyten
    */
    
    /* Get base CSS */
    @import url('../twentyten/style.css');
    

    There are two really important parts to this. First is the line Template: twentyten — This is what defines the theme as a child theme. Period. Without this, you have nothing. The second is @import url('../twentyten/style.css'); which tells your CSS to pull down all the CSS from Twenty Ten and use it.

    Once you’ve done that, you have a working theme and you can activate it. I know! It’s so easy, a caveman could do it! Any CSS changes you want to make go in your new child theme and, because of how inheritance works in code, they override anything imported from Twenty Ten, so your changes magically take effect, without having to reproduce the whole theme!

    But what if you want to change a template file? I wanted to add one line to my comments.php file to turn on a subscription checkbox. This is done by copying the comments.php file from the twentyten folder into your child-of-2010 folder, and making the edits. It works almost the same way that the style.css. The main difference is that with template files, you can’t just have it contain only your changes, it must be the whole file, with your changes added in. This trips people up sometimes.

    Now that you’ve seen how easy they are to make, you may wonder what the point is? After all, they are easy, but it’s easier still to tweak the parent theme. Yeah, it is. It’s also easy to lose all your changes when you upgrade WordPress.

    For better of for worse, and yes, people argue about this all the time, WordPress upgrades overwrite the Twenty Ten theme, just like they used to overwrite the Default theme. I can’t begin to tell you how many times I’ve see angry posts ‘The upgrade blew away my theme changes!’ And for every one of those, someone’s posted ‘Yeah. It does that. Restore your theme from backup, and by the way, try a Child Theme.’ Now that WordPress lets you upgrade themes from inside the admin screen, you’re going to run into this more and more often. That’s why we’re always saying ‘Don’t change core! Don’t edit themes! Make functions/plugins/children!’ More on the other stuff later.

    A child theme is smaller than a copy, and it’s just as fast. A child theme will never be overwritten when your theme is upgraded. Your child theme is safe even from a manual upgrade. Remember the directions for that? Even when we tell you ‘delete your WordPress folders…’ we always say ‘except for wp-content!’ That’s because your uploads, plugins and themes are in that folder, and you should NEVER delete them for an upgrade. And by making your own theme folder, no one but you will use it and no other theme will overwrite it.

    So yes, use Child Themes. Learn them. Love them. Your life will be better the next time you upgrade WordPress.

  • The dangers of an unchecked MultiSite?

    Blogetery was shut down, mysteriously, over the weekend. It was a WP MultiSite setup, with around 70k blogs. Not terribly abnormal to have an install that big, but the thing as an unnamed law enforcement agency shut them down. Details, such as they were, were posted at ReadWriteWeb: 70,000 Blogs Shut Down by U.S. Law Enforcement. Their shutdown reminded me of the hazards of running a website where anyone can register and make their own site and how important it is to be vigilant about what shows up on your website.

    Discussion of the situation spun up on Web Hosting Talk where it was determined that Blogetrey had been accused of hosting inappropriate content before. That probably meant they were hosting torrents or other illegal but not shut-down worthy. Copyright infringement. The site owner claimed that every copyright violation was removed within 24 hours. By the way, if you ever get slapped with a DMCA notice (i.e. a notice that your site has content copyritten to someone else), in order to be safe from a law suit, all you have to do is remove it. Done.

    So what on earth would cause BurstNET, their host, to shut down the site without warning or notice? That’s right, he had to ask ‘What happened to my site?’ and was told it was shut down, terminated, and here’s his money back.

    Turns out he had a link.

    From BurstNET’s statement:

    “It was revealed that a link to terrorist material, including bomb-making instructions and an al-Qaeda “hit list”, had been posted to the site. “

    That’s it. A link. One link. But it was enough for a warrant which then showed this:

    “Upon review, BurstNET® determined that the posted material, in addition to potentially inciting dangerous activities, specifically violated the BurstNET® Acceptable Use Policy. This policy strictly prohibits the posting of “terrorist propaganda, racist material, or bomb/weapon instructions”. Due to this violation and the fact that the site had a history of previous abuse, BurstNET® elected to immediately disable the system.”

    Now the previous ‘abuse’ was copyvio, which was all handled legally, but clearly BurstNET was feeling the pinch. They probably got slapped with a wwarrent and did the legal thing: They shut it down.

    Reagrdless of if it was fair or not to the other 69,999 sites hosted by Blogetery, it brings up the inherent problems of running an unchecked MultiSite. Anyone can make a blog/site, anyone can update it, and anyone can get you in trouble.

    It’s been a few weeks, but finally news is coming out about the whole story. CNET’s article was invectively titled Bomb-making tips, hit list behind Blogetery closure. That said, it explained this in more detail which let everyone get a grip on what was actually going on.

    I’m not going to get into the ethics of free speech and how it does (and doesn’t) apply to your website. Instead I want to use this as a reminder of the trouble you can get into, hosting websites. I host four, three are ‘mine’ and one is a site I like and visit pretty often. I’m very much aware of what’s going on all these sites and I monitor them frequently. This is not just to my benefit, but to everyone else’s on my servers. My host would be 100% within their rights to say “Ipstenu’s got a site that has kiddie porn! Kill her account!” and that would shut down everyone on my server.

    As I mentioned before, WordPress MultiSite makes it a lot easier for someone to host a thousand blogs, unchecked, but that also means it’s a lot easier for someone to post questionable content. For copyvio cases, you’re covered when you remove the material in question, but for porn and terrorism, it’s not actually under the same purview. Again. I’m NOT going to get into the why of this, nor the right or wrong about it. If you have a website, you have to accept that your host really has no interest in being involved with a legal dispute regarding kiddie porn or terrorism.

    This means it’s down to you to constantly and consistantly monitor your site for sub-sites and domains that are questionable. For me, if a site I host gets one Cease and Desist about copyvio, I take down the material, explain to the person who runs the site why, and ask them not to do it again. At this point, it’s their job to monitor their site. Should they fail to do so a second time, I give them a final warning of ‘If you can’t keep tabs on your site and your visitors, you can’t stay here.’ Third time and I close their account, refund them what’s left on their time, and offer to give them a copy of their site and database, intact.

    For the rest, though, it’s a no-warning termination, specifically because porn and terrorism are hot button topics. I’m within my rights to do so (I own the server, I make the rules) and I owe it to the other people. My ISP is in their rights to do similar, because they own the … land my server is on. If that makes sense.

    If all this sounds like too much work for you, then you shouldn’t be running an open, anyone-can-register-and-blog, multisite. Or you should hire some staff. Multisite is not a quick money scheme, it’s a job, and you have to take it seriously.

    This is not endemic solely of WordPress, but with the advent of MultiSite becoming mainstream, it’s something that’s going to start coming up more and more. Don’t say you weren’t warned.

  • Moving Your Images For MultiSite (Updated)

    Moving Your Images For MultiSite (Updated)

    Updated after Andrew Nacin asked me “Why are you suggesting they replace ‘wp-content/blogs.dir/1/files/’ into their post content, instead of /files/?” (Answer: Because when I did this on my first site, about a year ago, I majorly goofed my SQL search/replace and shot myself in the foot For some reason, that made me think ‘files is bad! Blogs.dir is good!’ which … it’s not. Really, blogs.dir is fewer redirects, but that’s really about all I can say. So this has been edited. Thanks!)

    In generic WordPress single installs, your images are, by default, located in a folder called uploads off the wp-content folder, and tend to look like this: wp-content/uploads/YYYY/MM/image.jpg. When you use MultiSite WordPress, the files are now in wp-content/blogs.dir/#/files (where the # is the blog number). If you upgrade from Single to MultiSite, you can leave the files for Blog , i.e. your primary blog, where they are to no ill effects. Or you can move them.

    I’m not going to be using # as a placeholder, as for most people this blog will be 1. If for ANY REASON yours is not, change it.

    Also, I can’t stress this enough, you don’t have to do this! Your images will be just fine where they are, but if you want to move them, you can. Enough people have asked on the WordPress.org support forums that I bothered to consolidate my notes on this, however.

    Oh, and backup. Always backup before you start this sort of thing, otherwise you’re a reckless fool.

    Step 1 – Move the OLD files

    This is easy. Copy or move the files to wp-content/blogs.dir/1/files

    While you’re in there, remember to set the folder writable so you can update files later. Your images will now look like wp-content/blogs.dir/1/files/YYYY/MM/image.jpg – Make a note of this, you’ll need it in a second.

    Step 2 – Teach WordPress where the OLD files are

    There are two main ways to do this:

    Edit the Database
    If you have phpMyAdmin or are savvy at command line SQL, just go ahead and run the replace command:

     
    update wp_posts set post_content = replace(post_content, 'wp-content/uploads/', 'files/');
    

    Now someone here might go “Hang on, I put my files in blogs.dir/1/files and you’re saying to tell WordPress to look in files! What gives?” What gives is what Andrew reminded me! WordPress MultiSite parses files from ‘files.’ The shortest explanation is ‘It’s an .htaccess trick.’ The longer explanation is it’s own blog post.

    If you don’t like the idea of SQL, get a search and replace plugin like Search and Replace or Search RegEx and install it. Then search for wp-content/uploads/ and replace with wp-content/files/ to change the database.

    In both database cases, you’ll want to check changes all over the place. For wp_posts, check post_excerpt and post_content, and then go through wp_postmeta and edit the meta_value fields.

    .htaccess
    That’s a lot of work, and odds are you’re still going to miss something. You can also be really lazy and add this to your .htaccess file, before the WordPress stuff:

     
    # Moved Images
    RewriteRule ^wp-content/uploads/(.*)$ http://domain.com/files/$1 [L,R=301]
    

    That redirects things quietly. It’s probably not the best way, but like I said, I’m lazy. If I was doing this for a client, I’d probably do both the database fix and the .htaccess, to catch any stragglers.

    Step 3 – Tell WordPress where to put the NEW files

    Now the fun part! Go to your site’s wp-admin section, click on Super Admin and pick sites from the drop down. Hover your mouse just below the path to your main blog and click on Edit

    In that new screen, scroll down and look on the left for Upload Path – You want to change that to wp-content/blogs.dir/1/files

    You also want to change Fileupload Url to be http://domain.com/files (this will hold true even if you’re using subfolders or subdomains).

    If you see Upload Url Path, you can change if to http://domain.com/files as well, though it appears to be depreciated and no longer used.

    Step 4 – There is no Step 4

    That’s it! You’re done!

  • Hack’n’Slash Security

    I was intending on a totally different post, but, well, this came up instead.

    Recently, WordPress, my preferred blogging software, has been under attack by both hackers and critics. There were actually three attcks that all got lumped into one so I’ll try and break this down. If you’re of the ‘Too long! Didn’t Read!’ variety today, you can get by with knowing this: If your WordPress install is not secure and if your web host is not secure and if YOU do not follow security practices, then you will be hacked. Period. Security relies on you, your web host and your web apps all being sensible about the whole thing to be effective. Remember, it’s okay to ask for help!

    Also go read Hardening WordPress right now.

    Okay, so security.

    Back in Feburary/March, there was a sudden influx of users complaining their sites had been hacked by inii.info, whereby the hack was to edit the wp-blog-header.php and change it so any time a search engine bots visited your site, they went to inii instead. This matters because search engine bots collect information about your site and use it to rank your website against all the other sites about a given topic. There was a second hack where a file named ... (yes, three periods) had even more redirect code in it. And it was heavily encoded so you couldn’t read it without decoding.

    The reason I call this a Media Temple hack was that it seemed to be prevalent to Media Temple installs. While at first people jumped the gun and said ‘It’s WordPress!’ Media Temple came out with a detailed Q&A about the matter and the attack appeared to affect ALL webapps via compromised passwords. If Media Temple ever revealed what happened, I’m not aware of it, but it wasn’t just WordPress that was affected. They ended up changing DB passwords for every webapp, from Drupal to vBulletin.

    In early April, there was another rash of hacks, this time targeting Network Solutions. This time, it looked like a clear cut case of database changes. WordPress, like most PHP/SQL apps out there, uses a database to store all its information. In this instance, the database entry for the site’s URL was changed from (for example) https://ipstenu.org to an iframe link I’m not reproducing here.

    At the same time, there was a ‘Pharma’ hack, where links with ‘pharma’ in them were slipped into your site, in a rather genius fashion. Chris Pearson has a decent explanation on the matter, but I feel he’s barking at the wrong car for part of it.

    Chris and Media Temple and Network Solutions and a horde of people on Twitter and forums every where jumped up and said “AHA! It’s a WordPress hack!!!111!” Which … well, yes, but not exactly. As the very wise Andrea_r put it, there’s a difference between attacking WordPress installs and targeting WordPress installs.

    An analogy if you please. There’s a rash of break-ins in a small town. The houses that are broken into are all bungalows. People shout ‘Aha! It’s a problem with bungalows not being secure!’ The police look into the matter and find out that in every house broken into, the bathroom window was left open. Now, is this the fault of the builder, who designed bungalows to have a window people could fit in through or is this the fault of the residents who didn’t close and lock their windows?

    If you said ‘It’s a little of each!’ then thank you, you can stay after class and clean the erasers.

    Security depends on many things, but to the topic at hand, server security is a tripod, and relies primarily on these three legs:

    • The Web Host is responsible for making sure the sever itself is up to date with the latest patches etc, and that the server is configured in a safe way.
    • Web-apps are responsible for not unleashing needless insecurities to the system.
    • The end-user we pray to the flying spaghetti monster that they’ve not done something to violate security out of ignorance.

    To understand how these hacks all worked, yes all of them, you have to look at the perfect storm. This is what had to happen in order for all these accounts to be compromised:

    1. Someone saved their wp-config.php file in a way that it was readable by the free world.
    2. Someone scanned for and found that file.
    3. The user was using their ID and Password, rather than creating a DB user just for the blog.
    4. That account had read access to other accounts on the same server
    5. The malicious user used the account to scan for other wp-config.php files, even if they were saved securely and compromised their accounts/databases as well.

    That’s a lot of wrong on one box. With most webhosts, you’re on what’s called ‘Shared Hosting’ which means a whole mess of people are on the same server, each with their own ID and password. Much like if multiple people have IDs on a desktop PC, the inherent security of the server does not allow Joe to look at Jane’s files, unless she saves them in a public space. Alas, one a couple sites, this was not the case. SO Joe, who saved his wp-config.php file with 777, and used his server ID and password to access his database in that file, was compromised. And once the hacker had Joe’s information, he scanned the entire server and hurt everyone.

    Ouch.

    But wait, doesn’t that mean it’s WordPress’ fault for saving passwords in the wp-config.php file in a way a hacker can read them!? Well, yes, it’s certainly WordPress’ ‘fault’ but you have to realize that doing so is an accepted risk of most PHP/SQL webapps, in that for the SQL DB to be read, the password to that database must be kept in clear text (i.e. not encrypted). This is in the wp-config.php file.

    Okay, so it’s Joe’s fault for saving his file in a readable fashion? Somewhat. By having their wp-config.php file set so that anyone can read it (bad permissions – 777 for example), Joe put himself at risk. This IS NOT a flaw in web-app or the ISP, it’s just … well, ignorant (unless the ISP is forcing the file to be 777 to run WordPress, at which point it’s their fault, and yes, there’s an ISP that does that!). In addition, I know a lot of people who, instead of making a DB user for their blog, will put their server ID and password in that file, which means once it’s been read, ANYONE can log into that server as them. I suspect this is done from ignorance as well. By the way, your server ID and password is the same as your FTP user ID and password in most cases.

    Back to WordPress, shouldn’t they check for that? Maybe. But it’s not that easy, since there are a lot of different ‘acceptable’ security settings for that file, and it all depends on the server. Maybe one day WordPress will figure that out, but right now they tell you to make it secure.

    What about the web server? They are responsible for making sure that if Joe User set his WP config file to 777, and put their server ID/Password in there, the worst they can do is shoot themselves in the foot by preventing them from reading anyone else’s user directory. Limit the destruction on a per-user basis. There are a lot of Shared Hosts out there with lax security policies, which makes this more prevalent than I’d like.

    Hopefully that made sense.

    All of these hacks seem to be looking for people with wp-config files that can be read, logging into the account as the user (or the database user), and either adding files that edit the database, editing the database, or both editing the database and adding the fake plugin files.

    Once your server is insecure, because of compromised IDs and Passwords, you have to go back to zero, reset ALL your passwords, scan your PC for viruses, and be careful. Remember, if they have your password, they can do everything you can do.

    Good luck out there. Be smart, be secure, be safe.

    Edited to add…
    Also check out Mark’s well written post about how your security? Is your responsibility. Because dude, is SO is.