Update your WordPress

Updates are easy. They should be easier. Check out our proposal at the end of this post.

This week at the Black Hat conference in Las Vegas, security company Qualys presented and released BlindElephant, a utility that scans web sites for insecure web applications. Their research identified that 70 percent of sites running Drupal are affected by critical vulnerabilities, and that the statistics only get worse for Joomla (92%), MediaWiki (95%), and phpBB (100%). 1

I received a press release about BlindElephant earlier this week. At the time, I didn’t think much of it. It surely would have gotten my attention, however, had it included their WordPress statistic — 4 percent. (What did catch my attention was this IDG article.)

The application, the source for which Qualys released, isn’t about identifying critical vulnerabilities; it’s about identifying the versions of software that websites run. They made their own determinations of which versions had “critical vulnerabilities.” 2 Check out their slides and white paper, both packed with great information and statistics.

For WordPress, they cited version 2.5.1 as the earliest release outside the critical barrier, which fixed an important security flaw in our secret key implementation.

In case you didn’t already know, 2.5.1 is not secure. We’ve made countless incremental improvements to the security of WordPress across the four major versions and many maintenance and security releases over the last two years.

Alas, WordPress has a security perception issue. It’s widely used and widely targeted. Plugins have extended it every which way. Of course, “My WordPress was hacked!!!!111” doesn’t mean that WP is the attack vector. It very rarely is.

But at the same time, WordPress is easy to use and easy to upgrade. Among major open source web applications, it quite possibly leads in both categories, and its developers and contributors have worked hard to make it that way.

That brings me back to BlindElephant. Their white paper says they checked more than 25,000 WordPress installs and found the vast majority of them to be running WordPress 2.9 or higher. Qualys cited the “application’s easy, reliable updating design” as why we have such a clear advantage. I’m down with that.

WordPress 3.0.1 and beyond

This post’s title comes from the 3.0.1 haiku. If you’re not running 3.0.1, please update. It’s easy, almost always painless, and will provide you (and me) peace of mind. But we do have goals to make it even easier. With that, I leave you with one such proposal, from Daryl Koopersmith (@darylkoop) and me: If you fall behind on your updates, we’re thinking a modal dialog box with a twist. What do you think? 3

Notes:

  1. The Drupal number may be slightly high, as this comment points out, as Drupal 5.22 may have been incorrectly classified as critical. (Their slides were not kind on Drupal, so I am unsure of the intention.)
  2. WordPress and Drupal in particular received additional attention of the researchers, as a few dozen popular plugins and modules were also inspected.
  3. Please know we’re not being serious. We do have plans, but this isn’t it. Well, probably.

Twenty Ten child themes and twentyten_the_page_number

Fatal error: Call to undefined function twentyten_the_page_number() in wp-content/themes/my-child-theme/header.php on line 8

Twenty Ten, the new default theme in WordPress 3.0, is a phenomenal theme that makes a great parent theme. This site indeed uses Twenty Ten, with a lightweight child theme that changes some of the styling and has a small functions.php file to add a few small touches of functionality.

When Twenty Ten was first committed to WordPress trunk, core contributors and committers swooped in and started making line-by-line incremental improvements. The new default theme was, by and large, why WordPress 3.0 had some incredible innovations for theme developers, with custom backgrounds, headers, and menus; get_template_part(); and other features. It’s because we became theme developers ourselves.

A pre-release version of Twenty Ten contained a function called twentyten_the_page_number(). It was redundant, and thus removed before WordPress 3.0 and Twenty Ten 1.1 were shipped. But a few child themes were already expecting this function to be available, causing them to break.

Today, 42 days after the release of 3.0, we’ve released WordPress 3.0.1. With it, we’ve packaged Twenty Ten 1.1. But there are still some individuals out there who want to use a child theme that still expects this function to exist. This short plugin will fix it for you.
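As an illustration of the kind of compatibility shim described above, here is an example plugin written for this post; it is not the author's plugin and not code from Twenty Ten itself. It defines twentyten_the_page_number() only if nothing else has, so a child theme's header.php that still calls it no longer dies with the fatal error quoted above. The output format (" | Page N" for page 2 and later) is an assumption modelled on the page-number text that Twenty Ten 1.1 prints inline in its header.php; get_query_var(), esc_html() and __() are standard WordPress functions.

```php
<?php
/*
Plugin Name: Twenty Ten Page Number Shim (example)
Description: Defines twentyten_the_page_number() for child themes that still call it.
*/

// Example shim added to this post, not the author's plugin or Twenty Ten code.
// Guarding with function_exists() means the shim steps aside if another plugin
// (or a future theme loaded before this code runs) already provides the function.
if ( ! function_exists( 'twentyten_the_page_number' ) ) {
	/**
	 * Echo " | Page N" when the request is page 2 or later of an archive
	 * ('paged' query var) or of a multi-page post ('page' query var).
	 * Prints nothing on page 1, matching the " | " separator style of the
	 * other <title> segments. Output format is an assumption, see lead-in.
	 */
	function twentyten_the_page_number() {
		$paged = (int) get_query_var( 'paged' ); // archive/index pagination
		$page  = (int) get_query_var( 'page' );  // <!--nextpage--> pagination
		$n     = max( $paged, $page );

		if ( $n >= 2 ) {
			// Escape before echoing: the value is cast to int, but escaping
			// output that lands inside <title> is the habit worth keeping.
			echo ' | ' . esc_html( sprintf( __( 'Page %s', 'twentyten' ), $n ) );
		}
	}
}
```

Drop the file into wp-content/plugins/ and activate it. Plugins load before the active theme's functions.php, so the function is already defined by the time header.php runs; the function_exists() guard only protects against a second plugin defining the same name, and a theme that later re-added the function without its own guard would still clash.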

Simple Footnotes 0.3

I’ve released a small update to my Simple Footnotes plugin.

If you paginate your posts, you can now move your footnotes below your page links. Look under Settings > Reading for a simple toggle. Regardless of the setting, footnotes will still appear as normal for posts that are unpaginated.

This feature was requested by Chip Bennett, and he’s been using this update on his site for a few days. Rave reviews! 🙂

Feature requests welcome! I’d like to allow you to customize the markup a bit, if that is desired. Also, I have some code running on this blog that allows logged-in users to utilize footnotes in their comments, which I’m willing to integrate into the plugin as well.

The plugin is available in the WordPress Plugin Directory. Here’s the source. The new version is 0.3. I’ll be writing more about this plugin in the future, so you should probably bookmark the tag or subscribe to its RSS feed.

MediaTemple, WordPress, and attack vectors

WordPress has been mentioned a lot lately. Is this application specifically vulnerable?

No. WordPress is a high-quality project that updates their software whenever a security problem is found. The latest versions do not contain any vulnerabilities that we are aware of. If you are running an old version, please update yourself. This is a common practice and should be familiar to any Windows or Mac OS X desktop user.

This being said, due to its ubiquity as one of the world’s most popular open-source publishing systems, WordPress is often the target of the payload with code injections and backdoor entry points after the attackers have maliciously gained access to a user’s website. The fact that WordPress is frequently a payload target DOES NOT mean that WordPress itself is vulnerable. It just means it’s popular and very powerful. You should continue to use it and we think it’s great software.

I couldn’t have said it better myself. Thanks MediaTemple.

Thesis and the GPL

My opinions are quite clear on this, as evidenced by my Twitter feed. The story and arguments are evolving quite constantly, so I don’t have any intention to boil everything down to a single post at this time.

But let’s put aside the what-makes-a-derivative-work argument, and stick to what’s quite obvious: If Thesis incorporated WordPress code that is licensed under the GPL, it is clearly a derived work violating the GPL by not in turn being licensed GPL.

I’m not talking about using the WordPress functions and classes. I’m not even going to make the argument that all themes derive not only from the WordPress functions they utilize, interact with, and are built on top of, but that in many cases they derive directly from the original default theme.

I’m talking about actually taking GPL code from WordPress code and modifying it. It’s a textbook violation of the GPL, one no one can argue. Some are trying to argue “fair use” and well, that’s absurd, but that’s not what I am aiming to address here.

Thesis 1.8 is currently 9,000 lines of PHP. (WordPress is 200,000.) I spent my evening yesterday skimming each line, and some sections looked familiar. Honestly, I felt crushed. Having made my accusations clear on Twitter, I wanted to back it up.

Let’s go to the code. You know what, others have already done that. (Andy Peatling, Drew Blas.)

Even better, let’s go to Thesis’ own inline documentation.

* This function is mostly copy pasta from WP (wp-includes/media.php),
* but with minor alteration to play more nicely with our styling.

This isn’t even a debate anymore.

Update (July 19): You should read Mark Jaquith’s post, Why WordPress Themes are Derivative of WordPress. This is an excellent summation of the opinions of the core team and the issue of whether themes are derivative works.