The Robservatory

Robservations on everything…



Behind the scenes: WordPress plug-ins, take three

This marks the third (one, two) in a continuing series of occasional posts about the plug-ins I use to run the site. Since the last update, things have changed a bit.

  • For various reasons, I've had to disable GrowMap Anti-Spambot and Stop Spammers. Anti-spam services are now provided by Akismet, JetPack's comments plug-in, and Sabre.
  • Sliding Read More also bit the dust, because it wasn't compatible with WordPress' built-in Gallery feature.

So much for out with the old…read on to see what's been added…


Behind the scenes: plug-ins revisited

The last time I redid these pages' appearance, back in 2007, I wrote about the WordPress Plugins and Widgets that I was using to run the site.

After seven years, quite a lot has changed. I've gotten rid of all but one of the items on the original list, and found some very useful new additions that help both me and visitors

From that original list, the one leftover Plugin is Ajax Comment Preview, which implements a true click-to-view comment preview function. The others went away either because I wasn't using them any more (weather in the sidebar, how quaint), or because WordPress' built-in features made them redundant.

Keep reading to see what's keeping the site ticking now…


Out with the (very) old, in with the new…

As you can see (unless you're using RSS, in which case, visit the site to see), there's a new look around here. According to the datestamp on the folder, my old theme (which I named "macbar" for no obvious reason) went live in January of 2007. In internet years, that's like 300 years ago.

The age of the theme showed, too. Graphics were heavy, textures overbearing, and (worst of all) the site was entirely fixed in size, which made for a horrid mobile experience (and it wasn't great on big screens, either). As a reminder of the "good old times," click the image at right for a flashback.

So say hello to "macbar2014," if only because I'm too lazy to think up an exciting new name. The new theme is responsive down to iPhone size, and also expands to fill 1400 or so pixels of width. Beyond that, the text field stops growing, as honestly, it gets hard to read if it's too wide. But that still gives a much wider reading area than the old theme.

With the new theme comes a renewed focus on keeping the blog up to date; it's my plan to post here more regularly post, including more detailed looks at some of the 140 character observations that I blast out on Twitter. I'll also link to my Macworld articles, as much for my easy future reference as anything else.

Read on if you're at all interested in the tech details behind the site do-over…

If your account here is gone, here’s why…

For the last few weeks, I've been getting hundreds of registrations here, and given (a) there's no reason to register except to post a comment, and (b) there aren't very many comments posted, I figured something was up. Until yesterday, though, I didn't know what was going on. Now, thanks to the WordPress 2.6.2 release, I do:

With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.

In other words, by registering often enough with specially-crafted usernames, you may eventually be able to force the admin user's password to be reset to something random, and you may know that random password. Scary stuff. So today, I upgraded to 2.6.2, and cleaned out the vast majority of recently-created accounts.

If you'd signed up for a legit account and I zapped it, please just register again -- and sorry for the inconvenience.

Blogging via the iPhone

photoToday, WordPress released WordPress for iPhone. So I thought I'd try it out--given how little I post here, any excuse to write something is worth a shot!

Anyway, we bought this electric pump to inflate our kids' pool. I found the combination of the warning and the left-hand image somewhat at odds with each other! (In case the image isn't clear, that's the pump being used to inflate a child's swimming pool, which is not generally considered an "indoor household" item.)

Now speaking WordPress 2.5

After a mostly-painless upgrade, we're now running WordPress 2.5. About the only hiccup is that the Addicted to Live Search plug-in (which I am addicted to) doesn't seem to work right with anything other than the default permalink style. (Permalinks are the URLs for individual stories.)

The default permalink style is ugly and doesn't necessarily work well with search engines, but I love the search feature so much I'm using them for now...hopefully the plug-in will be patched in the near future.

Update on WordPress attack…

After some investigation with help from a couple of very useful people (thanks, chays, Ryan, and Donncha), we've determined that the files I found on my server were placed there as a result of the WordPress 2.3.2 vulnerability, even though my site had been updated to 2.3.3.

To make a long story short, if your site was affected by the 2.3.2 vulnerability, you must change your admin passwords. While the attackers can't get the actual password, they can continue to login as admin ever after you upgrade to 2.3.3. That's because the cookie they received when exploiting the hole in 2.3.2 will still work in 2.3.3 -- unless you change your password.

In everything I read about the 2.3.2 exploit, I didn't see anything about the passwords being exposed, so I didn't change it when I upgraded to 2.3.3. Lesson learned...

New WordPress attack floating around…

I use a shell script to back up my web sites each day -- it exports and downloads a SQL file of the database contents, as well as rsync's the actual HTML files. When I was checking the log file for last night's downloads, I noticed something very strange in the output:

  receiving file list ... done

In total, there were 71 files in the newly-created 1 folder: 70 .html files, and one g.js file. There was also a new oddly-named backup folder, and the index.php file in wp-content (which is just a blank placeholder) had been replaced with basically the same file but with an added line break on the first line.

I googled on some of the .html filenames, and found a number of WordPress sites with the same issue (the "1" folder), but nobody who was talking about the cause of the problem. So I posted about it to the WordPress forums, where someone pointed me to this page, which contains at least a little more background on the issue. I'm also posting some of the html filenames here, in case others are searching for more information on the attack.

As of now, I don't know how they got in (though I suspect via one of the plug-ins), but I don't think it's through any sort of direct site access: none of the site's other files and folders were changed, nor were any posts or comments created. It also doesn't seem to be an automated attack, as the 1 folder hasn't returned after I manually removed it yesterday. But if you run WordPress, keep an eye on your wp-content folder for anything other than what should be there: index.php, plugins, and themes by default. If/when I find out more about this, I'll post a follow-up.

Site upgrade complete

We're now running the latest version of WordPress -- if you run WordPress and aren't on 2.3.3 yet, I strongly recommend upgrading, or at least patching your xmlrpc.php file. There's a security problem with that file in older WordPress releases, as detailed in this WordPress blog post:

If you have registration enabled a flaw was found in the XML-RPC implementation such that a specially crafted request would allow a user to edit posts of other users on that blog.

This actually happened here; two posts were modified to include links to malware and ringtone sites.

Most everything is back up and working as it was before, though sadly, the King Login widget, which allowed logins directly in the sidebar, doesn't work at all with 2.3.3, so it's been disabled. While working on the upgrade, my comment spam blocker was offline for all of 10 minutes or so. During that time, three anonymous spammy comments were submitted -- sheez!

Random header images for WordPress

I've finally migrated my family's site over to the latest version of WordPress, and installed pretty much the same batch of plug-ins and widgets as I use here. However, I wanted something else, too--a randomly-selected image for the header of the site that changes each time the page is loaded, as seen in these four sample pictures:


(The header images are just sections I've snipped out of photos we've taken, with an artsy Photoshop filter of some sort applied.)

I searched the web, and there are a few plug-ins that offer this ability, but they came either too feature-rich, or required some additional JavaScript to work properly. I wanted the most simple, basic, and functional header image rotation solution I could I wrote my own, which required all of two lines of code. I'm posting it here so that (a) I remember how I did it, and (b) in case anyone else wants a simple solution, they'll be able to find it with some help from Google (our family's site is access restricted, so posting it there wouldn't do much good...and it would confuse my relatives, who are used to only seeing pictures of our kids there!)

The Robservatory © 2023 • Privacy Policy Built from the Frontier theme