Websites. Wordpress. Genesis.

WordPress admin cracking script shows importance of security

I stumbled on a very interesting article floating around Twitter this morning, one worth pointing out I believe.

The short write up, titled Distributed WordPress admin account cracking, exposes a malicious script which was written specifically to crack WordPress admin passwords.

The acquired script is written in PHP and performs brute force cracking attempts to WordPress admin accounts

[...]

Now, the interesting thing about the script is that it allows distributed cracking. Information is saved in a MySQL database and the script actually connects directly to the main database. This allows the attacker to run many simultaneous scripts – each of them will take 200 new URLs and mark them with the brute forcer’s ID ($colo).

There is nothing new or revolutionary about this script. If you have a beefy password and are up-to-date (2.8.6 as of today!) there’s no reason to worry. But I believe this illustrates the importance of doing everything possible to secure your website.

In my last post, I embedded Brad’s WordPress security presentation he gave at WordCamp NYC. It contains simple yet effective ways to secure your WordPress installations – definitely worth a quick look.

I’ve had a few people ask me what are the quickest/easiest ways to get started securing their WP site. Almost every single thing in Brad’s presentation is important, but in my mind 2 things are the most important and can be executed in a matter of minutes.

Delete your ‘admin’ account. Yes, that’s right. Nuke it. Scripts such as the one mentioned above try to gain access to your website by logging into the admin account – the account with the user name ‘admin‘. Create a new account, something like RobSmith (or anything other than admin!), give it admin privileges, and then delete the default admin user. You will thank me later.

Don’t use wp_ as your default prefix. You probably don’t remember, but when you were flying through WordPress’s famous 5 click install one of the options it asked you for was the default WordPress prefix to use with the database. That’s right, I figured you didn’t remember. By default it’s set to wp_ – this should be changed. If you have already setup your blog, you can change it using some phpmyadmin trickery, but make sure you know what you are doing first.

As WordPress becomes even more mainstream (gasp!) it will continue to be attacked by script kiddies and other nefarious characters. However by staying up to date and taking the appropriate steps to secure your site, you really don’t have anything to worry about.

November 30, 2009 1 Comment
Topics: Wordpress Tags: ,

WordPress Security Tips

WDS-Brad from WebDevStudios had a good presentation on WordPress Security at Wordcamp NYC. Here’s the slideshow:

November 19, 2009 Comment
Topics: Wordpress Tags: ,

WordPress 2.9 beta 1 and WordPress MU 2.8.6

Hot off the trails from last week’s Wordcamp NYC, the official 2.9 Beta 1 release is now available for download.

From Mark via the wp-hackers mailing list:

Big features to test:

  • Basic image editing (rotate, flip, resize, crop)
  • Post/Page image thumbnails. Enable the admin UI by declaring support
    in your theme: add_theme_support(‘post-thumbnails’);
  • Trash, with undo functionality, for posts, pages, comments
  • Comment Meta table and functions — like Custom Fields/postmeta but
    for comments
  • Easy media embeds, oEmbed — paste a URL on its own item and have it
    turn into embed code
  • register_theme_directory() which enables plugins to bundle their own
    themes, without copying (BuddyPress, primary example)
  • Combo upgrader — get notified of plugin updates in the WP core
    upgrader, as well as being informed of crowd-sourced compatibility
    information for the plugins.

It’s bug-fixing and polishing time! Our priorities should be, in this order:

1. Fixing regressions in old features/behaviors
2. Squashing bugs in the new features
3. Polish

Additionally, today WPMU has caught up and released 2.8.6. From the website:

This is a security release with the same fixes as WordPress 2.8.6 plus quite a few MU specific bug fixes too.

November 18, 2009 1 Comment
Topics: Wordpress, Wordpress MU

WordPress 2.8.6 released

Just about an hour ago WordPress 2.8.6 was finalized and released. Nothing exciting with this release – just a few security fixes.

From the WordPress.org blog:

2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges.  If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

On another note, WordPress 2.9 is still scheduled for a final release at the end of November/early December. You can still download and test the latest WP 2.9 nightly build here.

Finally, WordPress MU received a few updates last week and is now up to 2.8.5.2.

November 12, 2009 2 Comments
Topics: Wordpress, Wordpress MU Tags: ,

Rotating banners in WordPress with jQuery

Recently I had a project that needed to have a rotating banner on the main page. Most rotating banners out there are connected to feature posts or articles. WooThemes and some of Matt Brett’s projects often use this method.

This wasn’t going to cut it for me. I needed to have rotating banners that were not associated to any posts, could link off site, be updated/maintained by the client, and preferably not use any custom field voodoo. The last thing I wanted to do was use a post category since it would be major over kill.

So I came up with a solution that fit all my requirements above and works great. Figured I would share what I did in case anyone else needs a similar solution.

The rotating banners were accomplished using:

Let’s get started here.

Step 1: setup a link category

When you’re logged into the WP admin panel, click on Links on the left (under Media, above Pages). The Links section will expand and now we need to create a Link Category.

add_link_cat

Add your Banner category

After you have added your Banner category (or whatever you decide to name it) you want to find the ID for that category. There are 2 ways you can do this. First, place you cursor over the category and look in browser status bar.

find_cat

The second option is to use Sivel’s Simply Show IDs plugin which will tell you the ID. Either way, just make sure you note what the ID is for your category since we will need it later.

Step 2: add some banners

Now we will add some links to the category. Click Add New under Links.

add_link

The name and description is for your reference and will not be shown or used. Make sure you place the link in the category you created. Lastly you will need to put the location of the image in the Image Address field. The easiest way is to upload your banners using the WordPress Media manager. If you go that route your image location will be something similar to http://yoursite.com/wp-contents/uploads/11/09/banner.jpg.

Step 4: downloading  and moving jQuery Carousel

Now that we have the banner category created and some links/images in the category we need to get things setup behind the scenes.

First, download jQuery Carousel.

Secondly, unzip the files. You will see a bunch of files, most of which we won’t need.

Open up your theme folder (/wp-contents/themes/yourtheme/) and create a folder inside called js.

Now we need to move jquery.jcarousel.pack.js or jquery.jcarousel.js (look in the /libs/) to this folder. The path should be similar to /wp-contents/themes/yourtheme/js/jquery.jcarousel.pack.js

Note: It is up to you which version of jCarousel you use. I prefer the packed version since it is smaller and we will not need to do any editing.

After the jCarousel javascript file has been moved we need to move over the CSS. Open jquery.jcarousel.css, copy the contents, and paste it into your theme’s style.css.

So to recap, you should have:
/wp-contents/themes/yourtheme/js/jquery.jcarousel.pack.js
/wp-contents/themes/yourtheme/style.css (should contain the CSS from jquery.jcarousel.css)

Step 5: setting up jCarousel and jQuery

Once you have added the necessary jCarousel CSS to your theme’s style.css you will need to edit it to meet the dimensions of your banner.

/* @group jcarousel */

.jcarousel-banners {
 border: 1px solid #cfcfcf;
 margin:0 0 30px 0;
}

.jcarousel-container {
 position: relative;
}

.jcarousel-clip {
 z-index: 2;
 padding: 0;
 margin: 0;
 overflow: hidden;
 position: relative;
}

.jcarousel-list {
 z-index: 1;
 overflow: hidden;
 position: relative;
 top: 0;
 left: 0;
 margin: 0;
 padding: 0;
}

.jcarousel-list li,
.jcarousel-item {
 float: left;
 list-style: none;
 /* We set the width/height explicitly. No width/height causes infinite loops. */
 width: 578px;
 height: 130px;
}

/**
 * The buttons are added dynamically by jCarousel before
 * the <ul> list (inside the <div> described above) and
 * have the classnames "jcarousel-next" and "jcarousel-prev".
 */
.jcarousel-next {
 display: none;
}
.jcarousel-prev {
 display: none;
}

.jcarousel-banners .jcarousel-list li,
.jcarousel-banners .jcarousel-item {
 position: relative;
 float: left;
 list-style: none;
 width: 578px;
 height: 130px;
}

.jcarousel-banners .jcarousel-container-horizontal {
 width: 578px;
}

.jcarousel-banners .jcarousel-clip-horizontal {
 width: 578px;
 height: 130px;
}

.jcarousel-banners .jcarousel-item {
 width: 578px;
 height: 130px;
}

Above is what the CSS looks like for my website. The size of the banners is 578x130px. Change this to the size of your banners. You might need to do some further tweaking later.

Now the CSS is done and jCarousel is in place we need to tell WordPress to use jQuery and jCarousel when it loads a page.

Open up functions.php inside your theme directory. You may have to create it if your theme does not have one. Now add this:

if (!is_admin()) {
wp_enqueue_script('jquery');
wp_enqueue_script('jcarousel','/wp-content/themes/yourtheme/js/jquery.jcarousel.js',false,false);
}

WordPress includes many scripts out of the box, one of them being jQuery, so there is no need for us to download it. The code snippet tells WordPress – as long as we are not in the admin panel – to load jQuery and the jCarousel script.

Step 6: finishing things up on the front end

Your banners have been created, the files have been moved, and WordPress now knows to use jQuery and jCarousel when a page loads – almost done!

The last thing we need to do is add the code to grab the banners and make them work.

Open up  index.php or home.php (the location you want to place your banners)  in your theme directory and use this snippet:

<div id="banners">
<ul>
<?php wp_list_bookmarks( 'categorize=0&category=49<&title_li=&before=<li>&after=</li>&show_images=1&show_description=0' ); ?>
</ul>
 </div>

This snippet will grab links you created earlier and only show the images. Make sure you change category=49 to your category ID.

Lastly, open header.php in your theme directory. Place the code snippet below in between the <head> </head> tags – usually right after you see wp_head();

jQuery(document).ready(function($) {
$('#banners').jcarousel({
scroll: 1,
auto: 4,
wrap: 'last',
animation: 'slow',
buttonNextHTML: null,
buttonPrevHTML: null
});
});

The jQuery that comes with WordPress runs in non conflict mode, which is why do not use the typical document ready call. jCarousel is very configurable, so I suggest you check out all the different options and make sure your settings are set for the functionality you desire.

Step 7: Profit.

That’s it! If you followed all the steps right you should have a rotating banner on your site.

I found this to be a better solution that any of the plugins I found. We didn’t have to do anything crazy, use posts, or write any plugins. Normally I would provide a demo of this in action but I have a feeling the client I did this for would rather not be mentioned.

If you have an questions or problems, feel free to leave a comment.

If you do expereince problems, a few things to double check/tweak:

  • view your source to make sure WP is calling jQuery and jCarousel
  • check to make sure you have the correct category ID
  • modify the CSS if things don’t render correctly
November 12, 2009 1 Comment
Topics: Wordpress, how to, jQuery Tags: , , ,

Veterans Day

Today is the day were we all take time to honor all of the veterans of this great country.

I have friends in all areas of the service – Army, Navy, Air Force, National Guard – so it means a lot to me.

To all the veterans out there and those currently serving, thank you. Words cannot describe the respect and gratitude I have for y’all.

flag

The flag in our front yard today.

Gig ‘em, God Bless, and stay safe.

November 11, 2009 Comment
Topics: Uncategorized

Leopard, Entourage, and Exchange out of sync

I work at a rather large place with hundreds of PCs and only a handful of OSX machines. Luckily, I happen to be one of the few OSX people.

We use Entourage, which is Microsoft’s wanna-be Outlook app for OSX, along with Exchange for all our e-mail needs. Normally things work without a hitch, however recently a few people using Entourage started experiencing some oddities.

What started happening:

  • Inbox will not sync. At all. A quick check to the webmail interface shows all the mail is there.
  • Other folders such as Deleted Items, Spam, Drafts synce without issues.
  • E-mail can be sent without errors.
  • No errors, warnings, dialogs, etc shown.
  • Other users with the exact same config experienced no problems.

After doing some quick research there is a quick fix:

  • Right click  the Inbox Folder (in your Exchange account) and choose “Folder Properties”.
  • Locate the “Empty Cache” section in the middle of the window.
  • Click the “Empty” button.

That’s it. It will take a few minutes to resycn but once it is done things should be back to normal. Since this has only happened – randomly – to a few users I’m still not sure what caused/causes it.

Now if only Entourage wasn’t so terrible.

November 8, 2009 1 Comment
Topics: Apple, Microsoft, Software Tags: ,