Upgrading Your WordPress Installation

Recently, the WordPress team has been pushing out new releases rather quickly, making it advisable to upgrade your installation fairly regularly. The WordPress wiki includes some pretty good instructions explaining how to back up your install and how to upgrade. However, with the EZ WordPress Backup plugin, you can back up and upgrade with even more ease.

Installing the EZ WordPress Backup plugin is just as simple as installing any other plugin. Simply go to your Plugins menu and click the “Add New” link. In the search box, type in “EZ Backup” and the EZ WordPress Backup plugin will be the only result that appears. Click the Install link and then activate the plugin.

WordPress 2.8.5 Upgrade Available

Curtiss noticed that WordPress has posted a new version of their downloadable blog software today. The update takes the latest public version of WordPress to 2.8.5. WordPress employee Peter Westwood calls this a “hardening release” and is mostly related to security.

From the announcement, the headline changes in this release are:

  • A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where php code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins.

WordPress suggests that you update your WordPress installations to the 2.8.5 release. You can update manually by downloading the update and reinstalling all of the files, or by clicking the upgrade button inside of the WordPress admin. Always make sure to back up your database before you upgrade your blog.

One Awesome WordPress Plugin: WordPress File Monitor

As many of you know, this site was hacked several times over the past year. Upgrading to WordPress 2.8.4 seems to have calmed the attacks. One of the things I do every day is to verify that the templates in WordPress haven’t been hacked or exploited.

Last week I installed a new plugin that monitors the file system and sends an email anytime there is a change. It’s called WordPress File Monitor and should be acquired by WordPress and provided by default. You can select how often the plugin should check for changes, whether it should email you when there is a change, whether to check by modification date or by hash, and which paths to exclude (like cache directories). The WordPress File Monitor can monitor files outside of the WordPress install as well.

Just one word of caution as my friend and uber programmer Till notes…it’s a WordPress plugin so if someone gains access to your admin, they can just disable the plugin and have their way with your system. So consider the plugin one level of security for your blog.
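The following is an added example, not code from the original post or from the WordPress File Monitor plugin. It implements the same idea the post describes (a baseline of file fingerprints, a periodic re-scan, hash or modification-date comparison, excluded cache paths) as a stand-alone script. The baseline file path, the `wp-content/cache` exclusion and the `demo()` scenario are assumptions made for the example.

```python
"""Added example (not code from the original post or from the WordPress File
Monitor plugin): a stand-alone file-integrity check for a WordPress tree.

Assumptions not taken from the post: the baseline is a JSON file whose path
is passed on the command line, excluded paths are given as relative prefixes,
and the script is run from cron as an operating-system user separate from
the web server, so a compromised WordPress admin account cannot switch it off.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# Assumed default exclusion list; cache directories churn constantly.
DEFAULT_EXCLUDES = ("wp-content/cache",)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root, excludes=DEFAULT_EXCLUDES, use_hash=True):
    """Map every regular file under root (relative POSIX path) to a fingerprint.

    use_hash=False records the modification time instead; it is cheaper, but
    whoever can write the file can also reset its mtime, so hashes are the
    safer default.
    """
    root = Path(root)
    snap = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == ex or rel.startswith(ex + "/") for ex in excludes):
            continue
        snap[rel] = sha256_of(path) if use_hash else str(path.stat().st_mtime_ns)
    return snap


def compare(baseline, current):
    """Return added, removed and changed paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny WordPress-like tree, then edit the
    theme footer (the kind of change the post describes), drop a new PHP file
    into uploads, and write a cache file that the exclusion list must ignore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("wp-content/themes/default", "wp-content/cache", "wp-content/uploads"):
            (root / sub).mkdir(parents=True)
        footer = root / "wp-content/themes/default/footer.php"
        footer.write_text("<?php wp_footer(); ?>\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); ?>\n")
        baseline = snapshot(root)

        footer.write_text("<?php wp_footer(); ?>\n<!-- markup not present at baseline -->\n")
        (root / "wp-content/cache/page.html").write_text("cached copy\n")
        (root / "wp-content/uploads/unexpected.php").write_text("<?php // not placed by the owner ?>\n")
        return compare(baseline, snapshot(root))


def main(argv):
    """Usage: script.py baseline.json /path/to/wordpress [init]
    With 'init' a new baseline is written; otherwise the tree is compared to it
    and a non-zero exit status signals a difference (so cron mails the report)."""
    baseline_file, root = Path(argv[1]), argv[2]
    if len(argv) > 3 and argv[3] == "init":
        baseline_file.write_text(json.dumps(snapshot(root), indent=1))
        return 0
    report = compare(json.loads(baseline_file.read_text()), snapshot(root))
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind}: {p}")
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(demo())
    else:
        sys.exit(main(sys.argv))
```

Running `demo()` reports the footer as changed and the uploads file as added while the cache file is ignored. Because the script lives outside WordPress and runs under a different OS user, it covers the caveat Till raises: someone who has only the WordPress admin account can disable a plugin, but cannot stop a cron job they cannot log in as, and they cannot quietly rewrite the baseline if it is stored where the web server user has no write access.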

Latest WordPress Version 2.8.4 Exploited

This evening I did my twice-weekly check to see if any of my WordPress blogs have been exploited and what do you know…CenterNetworks has been exploited. I was checking every day but moved it to twice a week checks after the last security patch for WordPress that moved the blog to 2.8.4. The exploit took place last night as far as I can tell and has already been indexed in Google so there goes my traffic and earnings.

When the “big hacker” event happened earlier this month, WordPress founder Matt Mullenweg noted, “The only thing that I can promise will keep your blog secure today and in the future is upgrading.” As of this evening, I can only assume his promise no longer stands valid.

I can’t tell whether the exploits are coming through WordPress or my host, Rackspace. Rackspace always says it’s on the WordPress side. I am happy to provide whatever I can to WordPress to help them figure out what happened and I can only hope that eventually they get this fixed. Rackspace personnel called me this evening and noted that the permissions are all set correctly on the server. If it’s something on my end, I’d like to know that as well.

Update Midnight: Rackspace is now running an XSS checker on this site.

Update 4:30pm Saturday: Rackspace is now saying that they believe someone logged into CN and manually changed the template file. They are supposed to be sending over some logs soon.

Update 8pm Saturday: I’ve received the log files – unfortunately they don’t show much beyond someone editing the footer include. If someone from WordPress would like the files, please contact me.

Each and every time that my WordPress sites are exploited and/or hacked, I seriously regret moving away from Drupal where in over three years I wasn’t hacked once.

Related: The Good, The Bad and The Exploited – My Move from Drupal to WordPress

iPhone OS 3.0.1 – Does It Really Fix Anything?

On Friday, Apple released iPhone OS 3.0.1 for iPhone devices. The release was apparently put out in response to a vulnerability pointed out during the Black Hat Security Conference. To install the “patch” for this vulnerability, iPhone owners must download an entirely new version of the iPhone operating system (230 megabytes) rather than just being able to install a smaller patch.

However, there are rumors floating around the Web that the patch only fixes one of two separate vulnerabilities exposed at the Black Hat conference. The first vulnerability, known as the Miller hack, is apparently what the new OS patches. However, another vulnerability, referred to as the Miras/Lackey hack, is still open and can potentially affect any phone on a GSM carrier (not just the iPhone). About the Miras/Lackey hack, @musclenerd says “3.0.1 doesn’t begin to fix them.”

It will be interesting to see if any patches or fixes come out to close the hole exposed by Miras and Lackey, how long it takes to do so, and from where the patches will come (will the phone companies themselves release them, or will they come from the manufacturers).

April Fool’s Infection – Conficker C

Stock Image courtesy of iStockphoto.com

One of the most sophisticated and dangerous malware applications in the history of computers is set to unleash its fury on April 1, 2009. Conficker C is nasty enough to warrant a $250,000 bounty from Microsoft for any information leading to the identification and prosecution of the worm’s authors.

From the limited research I’ve been able to do, it appears that, on April 1, any computer infected with Conficker C will automatically and immediately come under the control of the worm’s controllers. Little is known as of yet what those individuals intend to do with that control, but the possibilities are nearly endless. The implications could range from simply popping up annoying adware windows to reading your entire computer history (passwords, bank information, etc.) to completely wiping your hard drive.

In my research, I did find that this worm presents itself as a dynamic link library (DLL), which is strictly a Windows entity. Therefore, at this time, the worm is not a threat to Linux or Macintosh computers.