Make Your Own Themes

Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is an “attack” on older versions of WordPress right now. The number of sites hit by this is growing every hour. Protect your WordPress blog now: UPDATE NOW!!!

Update your WordPress blog before you continue reading this post. That’s how critical this issue is.

Things You Need to Know Now

Here is what you need to know right now, constantly updated with news as we get it.

1. UPDATE NOW! Reports are that this attack impacts ALL versions of WordPress up to 2.8.3 and 2.8.4, the most recent release.
2. Report from WordPress on Attack: How to Keep WordPress Secure. Information on the most recent update of WordPress that prevented this attack on updated WordPress sites: WordPress 2.8.4: Security Release.
3. Which Version of WordPress is Secure? I’ve just talked to Matt Mullenweg and have a better understanding of the version confusion. When this worm first hit the web, WordPress released 2.8.3 to deal with it. Since then, WordPress 2.8.4 was released, unrelated to the worm. Once the worm has infected your site, surface fixes do not remove the “back door” the worm injects into your database and system, as happened with Robert Scoble. Once infected, upgrading does not fix the issue, so those reporting they were now infected after upgrading, were infected before upgrading. Versions after WordPress 2.8.3 are safe, but upgrade to 2.8.4 anyway as it included other fixes.
4. What Version Am I Using? If you are using a WordPress version after 2.7, the nag screen on the WordPress Administration Panels will alert you to upgrade. If you are using an older version, upgrade now. Don’t know what version you are using? Without a nag screen to tell you to update, you’re using an old version. Checking the Administration Panels footer will help, but don’t waste time looking. Just update now!
5. Use a WordPress Plugin for Protection: Do not rely upon a WordPress Plugin to protect you. There are many reports of Plugins that will “help” in the comments. While they might help in other ways, please upgrade now. That is the only solution if your site has not been impacted.
6. How Does This Worm Work? We’re awaiting details from security experts on how this worm works. Personally, I’m waiting for the name of this thing since that does make searching for details on this worm easier. Anyone got a name for it yet? Since it isn’t exclusive to WordPress, calling it the WordPress Worm would not be appropriate.
7. WordPress is Not Secure: WordPress is incredibly secure and monitored constantly by experts in web security. This attack was well anticipated and so far, WordPress 2.8.4 is holding. If necessary, WordPress will immediately release a update with further security improvements. WordPress is used by governments, huge corporations, and me, around the world. Millions of bloggers are using WordPress.com. Have faith they are working overtime to monitor this situation and protect your blog.
8. Fear of Upgrading: This attack is serious enough to overcome all your fears of updating. If older WordPress Plugins are holding you back, update them to the latest version or replace them with new. If your Theme might break, contact the Theme author and update or replace it. There are thousands of free Themes to choose from, probably some better than what you are using. If you are using a recent version of WordPress, updating is as easy as clicking a couple buttons. If you are using an older version, download the most recent version and upgrade now.
9. Other Issues? Whatever your issue is that keeps you from updating WordPress, get over it and update now to protect your site.

When we have updated news, we’ll add them to this post and/or post a new article.

How Do I Know If My Site Has Already Been Attacked?

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.

WordPress.com blogs are not impacted as they are up-to-date. Only versions prior to WordPress 2.8.4 are impacted.

To Prevent Your WordPress Blog from Attack

To prevent this form of attack, update your WordPress site IMMEDIATELY to the latest version. Change ALL passwords to a strong password immediately, including WordPress blog access for all users, database, FTP, control panels, everything.

See the articles below for more helpful information on how to harden and protect your WordPress blog.

If Your WordPress Blog Has Been Attacked

If your site has already been attacked, it appears that the hack attacks the database, going deep. You can find help in the WordPress Codex article on how to deal with a hacked WordPress site.

We’re looking for specific solutions, but the easiest appears to be to export all your content with the built-in XML WordPress export (pre 2.1 versions, try the WordPress-to-WordPress Import WordPress Plugin) and literally remove your WordPress installation totally (save images and general files). DO NOT EXPORT YOUR DATABASE! Install the latest version of WordPress and add the “clean” backup of your WordPress Theme, then import the XML export. The export will contain your posts, Pages, and comments, and hopefully no other hacked code.

“How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care to keep your export limited to the post content and comments (and Pages), not the entire database as the hack goes into the database.

How to Respond to a WordPress Attack

WordPress has been requesting users update as soon as an update is released for several years. They also now have a excellent team to track down this issue and quickly protect WordPress with any necessary updates.

Please blog and Twitter about the attacks. It’s important that we spread the information throughout the WordPress Community as fast as possible, encouraging everyone to update WordPress. Take care not to promote rumors, just the facts, until we know more.

If you have pertinent information that will help the WordPress team track down and stop this attack, please report it to security@wordpress.org.

Check the WordPress Support Forums for more information and support. Also check for news and announcements on security issues and updates on the WordPress Development Blog and in your WordPress blog Dashboard Panel.

Please, keep your WordPress site constantly updated. You are now informed of updates directly through the Administration Panels. Act upon it.

Here are some other articles and information that may prove useful.

• WordPress Codex – FAQ – My Site Was Hacked
• Journey Etc – WordPress Permalink RSS Problems
• SmackDown – How to Completely Clean Your Hacked WordPress Installation
• Protect Your Blog With a Solid Password
• WordPress Codex – Hardening WordPress (security protection)
• Fear, Uncertainty and Disinformation About The WordPress Exploits and Spam
• BlogSecurity – WordPress Security Predictions in 2009
• WordPress Security Prevention, Reactions, and Scares
• Mark Jaquith – WordPress Security
• Matt Mullenweg – On WordPress Security
• Technorati: Vulnerable WordPress Blogs Not Being Indexed
• Weblog Tools Collection – Maximum WordPress Security
• The Correct Way To Report A Security Issue With WordPress
• WordCamp Toronto 2008 – WordPress Security with Mark Jaquith (video)
• Matt Cutts: Alerting Webmasters to Webserver Vulnerabilities
• WordPress Security Whitepaper
• Blog Security – Interview of a WordPress Hacker
• Guvnr – 10 Tips to Make WordPress Hack Proof
• Web Hacks, Worms, Infections, and Viruses: Is Your Blog Prepared
• Firewalling and Hack Proofing Your WordPress Blog
• Daily Blog Tips – Make Sure Your WordPress is Not Hacked
• Noupe – WordPress Security Tips and Hacks
• Vladimir Prelovac – Improving security in WordPress Plugins using Nonces
• Smashing Magazine – 10 Steps To Protect The Admin Area In WordPress

Via Feedburner

Subscribe by Email

Copyright Lorelle VanFossen, member of the 9Rules Network, and author of Blogging Tips, What Bloggers Won’t Tell You About Blogging.

Posted in WordPress News

My name is Jonathan Bailey and I usually blog at Plagiarism Today, where I write about content theft, plagiarism and copyright issues on the Web. Lorelle has asked me to fill in while she’s away with a few posts to keep things a little bit more active. So please pardon the change in voice and fret not as Lorelle will return soon.

The good news is that WordPress.com is a relatively spam and garbage-free site. The bad news is that, even on the best blogging sites, with the most vigilant admins, sometimes spammers, scrapers and other bad guys do manage to set up shop.

It’s easy to see why spammers would want to get on WordPress.com, with a PageRank of 9, great SEO and a built-in community, it could be haven for junk content. Many do try but the admins have been surprisingly effective, for the most part, at keeping them at bay.

This isn’t to say that they are perfect. They can’t pre-screen everything that is posted to the site and some do get through. The site depends on users to report spam, copyright infringements and other forms of unwanted content so it can be cleaned up.

However, there is a correct way to file such complaints. As great as Lorelle is, she is not an official representative of Automattic, the maintainers of WordPress.com, and Matt Mullenweg, though the founder and CEO, is not the person directly responsible.

If you want a quick resolution to a WordPress.com abuse complaint, all you have to do is follow the instructions on this page. However, if you want more details or advice, read below. 

Copyright Complaints

As someone who has filed hundreds of copyright complaints over the years, I can say without a doubt that Automattic has been very responsive to copyright complaints. However, there is a very strict protocol that one needs to follow in order to have their complaint acted upon.

Automattic is a U.S.-based company and its servers are located with in the country. As such, it is bound by U.S. law, most notable the Digital Millennium Copyright Act (DMCA). This law provides a safe harbor to Web hosts, such as Automattic, to prevent them from being held liable for copyright infringement perpetrated by their users without their knowledge.

The caveat is that hosts are required to “expeditiously” remove or disable access to infringing content once they receive proper notification. The law itself lays down strict requirements for what constitutes a proper DMCA notice.

As such, though Automattic does comply with the DMCA and remove content very quickly when properly notified, it is filing the proper notification that is tricky.

If you find that a blog on WordPress.com is infringing YOUR copyright. You can file a DMCA takedown notice by using the email address at this page and using the stock DMCA notice to host available on my site.

If you properly fill out and send in a DMCA notice, most likely the content will be removed in 1-2 business days.

Spam, Spam, Spam

If you find a spam blog operating on WordPress.com but it isn’t infringing on your copyright, either posting excerpts, using gibberish or someone else’s content, you can still be able to report them to Automattic and get the blog removed if it is a violation of their terms of service.

The Spam blog reporting tool is extremely simple to use. All you have to provide is the URL of the blog, ensuring that it is a WordPress.com blog, and stating the reason that you think it is a spam blog.

If it’s scraping content from another site, link to the original site. If it is posting junk content, say so. Provide any evidence you can that the site is a spam blog and try to make it easy for the person processing the complaint to understand what the issue is. A few sentences of clarification can help speed up the process greatly.

Other Content

WordPress.com has a strict policy about protecting user freedom of speech. Though Automattic may remove defamatory content, Section 230 of the Communications Decency Act does not require them to do so.

WordPress.com also allows mature content on the site, so long as it is properly flagged and removed from public searches.

In short, unless the content is illegal or threatening, Automattic will be very hesitant to take any action. Still, if you wish to report something that you feel is a violation of the site’s terms of service, you can file your report by emailing the support@ address.

Caveat

It is important to remember that this only applies to sites that are hosted on the WordPress.com servers. Just because a site users WordPress as the blogging platform does not mean that they are on the WordPress.com servers.

Millions of blogs use WordPress as the platform but are hosted on other servers and are beyond Automattic’s control. In those cases, they merely produce the software that used to make the blog work, they do not run the blog or the servers it is on. It would be like blaming Microsoft for unwanted content generated using Word.

Before filing a complaint with Automattic, make sure that WordPress.com is in the URL of the site. You can also double check the host of the site by using Who Is Hosting This?.

Though the confusions is understandable, it is important to make sure that it is a WordPress.com site, not a WordPress.org (meaning self-hosted) before reporting to Automattic.

Bottom Line

When it comes to matters of copyright and spam, Automattic does a great job in removing the garbage when properly notified.

The difference in the time it takes to file a complaint the right way and simply shouting to the first person who will listen is negligible. However, it can be the difference between getting a swift response or no answer at all.

Any time you report abuse to a site, you should take a moment to familiarize yourself with that site’s policies and act accordingly. A few minutes of preparation and planning can literally save days in response time.

Posted in Blogging Tips, WordPress News, WordPress Tips, WordPressdotcom

The best Plugin competition, The Weblog Tools Collection WordPress Plugin Competition 2009 (3.0), is underway. WordPress fans rejoice.

The annual WTC WordPress Plugin Competition has rocked the WordPress Community since 2005. Each event brings out the best and most creative WordPress Plugin authors competing for prizes, and many of the award winners and entrants are now among the most popular WordPress Plugins in the world.

Some popular past winners and submissions include WP Easy Uploader, OneClick, Who Sees Ads, WP Comment Remix, WordPress Automatic Upgrade, and Popularity Contest.

As most of you know, I’m a huge WordPress Plugin fangirl. Jonathan Bailey of Plagiarism Today recently covered “5 WordPress Plugins I Never Blog Without” on the Blog Herald, with some great recommendations, and in 2007, I spent an entire month writing daily about WordPress Plugins, including showcasing your favorite WordPress Plugins and a huge list of your lists of WordPress Plugin recommendations, since users often say more about WordPress Plugins then those who write them.

Please lend Weblog Tools Collection your support by helping to spread the word and the love, and help test the Plugin submissions and have your say on the ones you enjoy the most. If you would like to help sponsor the event, you are also welcome as this is a fantastic way to give back to the WordPress Community, especially to the Plugin authors who make our blogs run better and faster with little or no compensation.

I expect to see some WordPressMU and BuddyPress Plugins in addition to single hosted WordPress Plugins in the list this year. It should be one of the most exciting WordPress Plugin Competitions ever!

Subscribe Via Feedburner Subscribe by Email

Copyright Lorelle VanFossen, member of the 9Rules Network, and author of Blogging Tips, What Bloggers Won't Tell You About Blogging.

Posted in WordPress News, WordPress Plugins