Monthly Archives: April 2010

It’s a Hosting Issue, Not a WordPress One

There has been some misinformation going around about an alleged security vulnerability in WordPress 2.9.2. A bunch of websites were recently compromised, and some people have tried to assign the blame to WordPress. The issue, however, comes from shared web hosts not taking the proper precautions to prevent users from accessing configuration files they shouldn’t have filesystem permissions for.

The exploit, in essence, involves capturing a WordPress blog’s database details from wp-config.php by having a hosting account on the same server, and building a malicious script to open files outside of the zone that should be permissible. (Think along the lines of ../../other_users_files/wp-config.php.)

Some misinformed publications are claiming that it’s a WordPress vulnerability stemming from wp-config.php’s plain-text storage of database passwords…something that every database-using script has to do in order to function. Any reversible encryption scheme is just as easily reversible by someone who can access your filesystem, and the one-way hashing used for users’ passwords doesn’t work in this sort of situation. The file should never be directly accessible by anyone other than the creator on a properly-configured server.

A new post on the WordPress development blog is attempting to clear up the misunderstanding.

Twitter @Anywhere Launches

Twitter just launched their new Twitter @Anywhere platform. It lets you “Integrate Twitter seamlessly into your site with just a few lines of JavaScript,” in a manner that reminds me of Facebook Connect. It provides various enhancements that bring the Twitter experience into your…

WordPress 2.9 has Thumbnail Support. What Does This Mean for Existing Themes?

When WordPress 2.9 came out, one of the touted features was the “official” support for post thumbnails. Instead of storing URLs in custom fields, a new method with an easy UI was added. This is great for one major reason: now your thumbnails are…

Use Google-Hosted jQuery in Your WordPress Theme

How many sites use popular JavaScript libraries like jQuery? A lot. That’s why Google hosts many of them on their speedy CDN, so browsers only have to download jQuery or Prototype once in a day, instead of once per site. How can your WordPress-powered…

Amazon S3: A Cheap Podcast Host?

Podcasts are fun to create, but they can be expensive to host. Typically they’re larger than 10 megabytes, and when you have a thousand plus people downloading each of your weekly episodes, your bandwidth bill can get pretty large. (They can also eat up…

Twitter Acquires Tweetie

The big news story of the day, it seems, is that Twitter is acquiring Tweetie. You know, the popular (arguably the most popular) Twitter iPhone application? Yes, that Tweetie. The $2.99 app is going to be free from now on, and it will be…

BlogBuzz April 10, 2010

D&D Online Makes “Freemium” Model Work, Gets 500% Revenue Increase

Dungeons and Dragons Online, an MMORPG by Turbine, recently switched from the usual online game business model of charging a monthly subscription to a “freemium” model. Players get the game for free, but can pay for additional content or items with an in-game store.…

How OpenID Could Be More User-Friendly

OpenID is a good idea. While it may not be something you would want to use for financial sites or anything else requiring a higher level of security than your average web forum or social media site, it could potentially save a lot of…

VaultPress: Comprehensive WordPress Backup

I’ve said this many times: back up your blog on a regular basis. Unfortunately, not many bloggers keep daily backups. It’s time-consuming, and it’s something that should really be automated. Unfortunately, it’s not very easy to roll your own automated backup system. You need…