Category Archives: WordPress

I’ve Been Hacked! WP-Lytebox Sucks

This is the third time I’ve had to spend serious time “fixing” WordPress.  Say what you will about my old “Small Axe” or “Flip” solutions, but I never had a problem.  With WordPress, I have found regular issues.

This time, I traced the problem back to wp-lytebox, and I’m ashamed to say I’ve had to fix the same problem before.  It all started when I couldn’t load the post page in the backend of firsttube.com.  Digging in, I eventually found a file called sys.php in the root of the site, and it listed the contents of my site and had a form that allowed someone to add a page, chmod a page, or delete a page.  Killer!

I found that it was defaulting to /path/to/WP/wp-includes/plugins/wp-lytebox, and sure enough, digging into that directory revealed several other fun scripts, all of which gave someone the ability to access all the files on my site.  Fun!

I found that I had already replaced this plugin before, so I decided to get rid of it altogether, which proves it wasn’t a misconfiguration, but rather a problem with wp-lytebox itself.

In this process, however, I was unable to fix my issue.  Visiting /wp-admin/post-new.php still rendered only a page footer, and nothing more.

So I started fooling around in my directories looking for files that had been modified more recently than when I did my 2.9.2 upgrade.  One of the files? My .htaccess file.

“This be odd,” I thought to myself, “I’ve changed this not, methinks.”

Sure enough, there was a rogue line within:

RewriteCond ^/default/$ /wp-admin/includes

Huh?

I dug into that folder, and the .htaccess file there was recent too.  Its contents?

DefaultIndex users.php

Of course, I immediately opened users.php and found, as you might have guessed, a bunch of Russian crap.  Savvy WP hackers will know it’s not a real file; there is no users.php in the real wp-admin/includes directory.

I also found a folder that had two large files, both named core.XXXX where XXXX was a 4 digit number, and a massive 40 MB error_log.  Yikes.

I thought I had everything cleaned out, and I truly believed that the way in was wp-lytebox.  Then I found this.  And sure enough, all of the listed files were compromised.  So I nuked all the files, and replaced them all.  D’oh!
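The by-hand hunt above (files modified after the upgrade, then the rogue .htaccess directives) as a small audit script.  This is an added example, not code from the original post; the WordPress root and the reference file you pass in are assumptions, and the directive list is a starting point, not a complete one.

```shell
# Audit a WordPress tree the way the post describes doing it by hand.
# Usage: wp_audit /path/to/wordpress /path/to/wordpress/wp-includes/version.php
# The reference file should be one written by your last core upgrade, so anything
# newer than it was dropped after the upgrade and deserves a look.

# 1. Files newer than the reference file. Uploads and logs are skipped because
#    they legitimately change all the time; everything else should be quiet.
wp_newer_than() {
    root="$1"; ref="$2"
    find "$root" -type f -newer "$ref" \
        ! -path "$root/wp-content/uploads/*" \
        ! -name '*.log' | sort
}

# 2. Every .htaccess line in the tree that changes routing, the index file or
#    the PHP handler. A RewriteCond pointing at wp-admin/includes and a
#    DefaultIndex naming a file that does not ship with WordPress are exactly
#    the kind of lines this surfaces.
wp_htaccess_directives() {
    root="$1"
    find "$root" -name .htaccess -type f -print0 2>/dev/null |
        xargs -0 grep -Hn -E \
        '^[[:space:]]*(RewriteCond|RewriteRule|DirectoryIndex|DefaultIndex|AddHandler|AddType|php_value|auto_prepend_file)' \
        2>/dev/null || true
}

wp_audit() {
    root="$1"; ref="$2"
    echo "== files modified after $ref =="
    wp_newer_than "$root" "$ref"
    echo "== .htaccess routing/handler directives =="
    wp_htaccess_directives "$root"
}
```

Anything the first list shows outside wp-content/uploads is worth diffing against a clean copy of the same WordPress version, not just eyeballing.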

So, if you’re arriving via Google or Bing or Yahoo!, do NOT use wp-lytebox.

Microsoft’s Web App Gallery FAIL

Giving Microsoft, IIS, and PHP.exe the benefit of the doubt, I decided to try installing WordPress on Windows via Microsoft’s new Web Application Gallery.   The install is simple and straightforward: install MySQL, go to the web app gallery, click on the download, choose what you want, poof! Done.

I got the first few steps knocked out: I selected WordPress, gave it my MySQL username and password, and let it go.  It installed PHP for Windows, the MySQL connector, and WordPress.  Then I launched my browser and pointed to http://localhost:81 and… no.  Error 402.  I monkeyed with the site in IIS and was able to generate an error that simply says: Parameter not found.

PHP is installed.  IIS associates .php files with PHP.exe.  But WordPress no worky.

Fail.

Posting Your Latest Tweet in WordPress

Although I posted yesterday how to add your latest tweet to WordPress without a plugin, I made several changes to the script before I posted it to make it more “generic” and re-usable. Since I’ve changed it quite a bit, I decided to repost it. This new script also autolinks @usernames and #hash tags.

Directions are this easy: set $tw_File to the path of a static, writable file.  Set $tw_userid to your Twitter user id.  Done.

Download firsttube.com “get latest tweet” php snippet.

How to Add Latest Tweet to WordPress (Without a Plugin)

I decided to add my latest “tweet” from Twitter to the sidebar of my WordPress blog. Rather than use yet another plugin that adds yet another hook – and there are many that do this with lots of code – I decided to use a homegrown solution, dependent only on PHP4+ and cURL (most webhosts already have cURL compiled in; if not, you should request it).  Adding the following to any of the files in your WordPress theme will print out your current Twitter status and cache the results so you don’t hammer their system.

First, snag your Twitter user id.  Then, open up your theme file.  I put mine in sidebar.php found in /wp-content/themes/<THEMENAME>/.    Use the below code.  If you want the output wrapped in a list, you would need to put <ul> and <li> tags around this code.

Carefully set your variables.  The cache file should be writable.  Note that you can use a decimal value for $tw_BlankAfter and $tw_Minutes if necessary.   That’s it.

Due to what must be a bug in WordPress, please ignore the closing “</text></created_at>” at the end of this post.  It’s trying to be smart and “fix” broken tags, but the code is right.

NOTE (2/20/09): I have updated the below code.  The new version can be found at “Posting Your Latest Tweet in WordPress“.

/* ~~~~ Custom Twitter Bit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */
/* ~~~~ Adam S, firsttube.com, twitter @sethadam1 ~~~~~~~~~~~~~~~~~~~~ */

$tw_File = '/path/to/a/static/writable/file/twitter.html';
$tw_Userid = 'XXXXXXX';  // set to your Twitter user id
$tw_BlankAfter = 30;     // blank out status if it's older than this many days
$tw_Minutes = 10;        // minutes between reloads

$tw_Offset = FALSE; // leave as is
// uncomment below if you want to allow a manual reset via ?twitter-reset
// if ($_SERVER['QUERY_STRING'] == 'twitter-reset') { $tw_Offset = 0; }

/* Do not edit below this line */
// Serve the cached copy while it is younger than $tw_Minutes; a manual reset
// sets $tw_Offset to 0 and forces a reload. readfile() only outputs the cache,
// so a writable file is never executed as PHP the way include would.
$tw_MaxAge = ($tw_Offset === FALSE) ? $tw_Minutes * 60 : floatval($tw_Offset);
if (file_exists($tw_File) && filemtime($tw_File) > time() - $tw_MaxAge) {
	readfile($tw_File);
} else {
	$tw_iswritable = is_writable($tw_File) ? 1 : 0;
	$tw_time = 86400 * floatval($tw_BlankAfter); // oldest status we still show, in seconds
	$tw_hyperlinks = true;
	$tw_output = '';
	$tw_c = curl_init();
	curl_setopt($tw_c, CURLOPT_URL,
		"http://twitter.com/statuses/user_timeline/"
		. intval($tw_Userid) . ".xml");
	curl_setopt($tw_c, CURLOPT_RETURNTRANSFER, 1);
	$tw_src = curl_exec($tw_c);
	curl_close($tw_c);
	// first status in the timeline: its timestamp, then its text
	if (preg_match('/<created_at>(.*?)<\/created_at>/', $tw_src, $tw_d)
		&& strtotime($tw_d[1]) > time() - $tw_time
		&& preg_match('/<text>(.*?)<\/text>/', $tw_src, $tw_m)) {
		// undo the XML's &amp; first, then encode everything for HTML output
		$tw_status = htmlentities(str_replace("&amp;", "&", $tw_m[1]));
		if ($tw_hyperlinks) {
			// ereg_replace() is deprecated; preg_replace() with the same pattern
			$tw_status = preg_replace(
				'~[[:alpha:]]+://[^<>[:space:]]+[[:alnum:]/]~',
				'<a href="$0">$0</a>',
				$tw_status);
		}
		$tw_output = $tw_status;
	}
	// an empty $tw_output blanks the cache when the status is too old
	if ($tw_iswritable == 1) { file_put_contents($tw_File, $tw_output); }
	echo $tw_output;
}
/* ~~~ /Custom Twitter Bit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */

Please note that portions of this code come from the twitter_status() function, which was not written by me but is available from various sources online.

Update: Removed function and put code inline.

WordPress 2.7 RC1

I just downloaded and installed WordPress 2.7 RC1. The upgrade took about 3 minutes, end to end, and the “several moments” database upgrade took less than 2 seconds. All in all, there’s very little to notice on the front end that is different; I haven’t been able to test comment threading yet. However, the new admin site is really nice looking. The Dashboard is a HUGE improvement over the pre-2.7 series.

Themes were entirely unbroken. Upgrading firsttube.com may be a bit more of a challenge since I’ve manually changed a few core WordPress files, which may prevent in-place automatic upgrades.  However, all in all, I think the 2.7 release is looking really great.

When 2.7 final is released, I expect to be updating my live site pretty quickly.

BePress: A WordPress Theme

Chasing a random whim, I decided to check if there was an existing WordPress theme to mimic the BeOS 5 desktop. If there is one, I can’t find it. As I’ve detailed before, I’ve been learning to hack WordPress. So I thought, perhaps this is a chance for me to write my first WordPress theme.

Enter BePress. At first, I began this project as a 100% table-free CSS/XHTML project. After a few hours of tinkering, however, and after looking into some old code Eugenia wrote, it became clear to me that going table-less will not render the result I’d like to see. Perhaps for a 2.0 version I’ll pursue that goal. In the meantime, for my 0.2 roll I replaced my divs and spans with tables and got a nice, smooth BeOS table-like interface. Behold, BePress.

Although far from complete – complete to me means all pages of the theme are present and rendering properly – I’m feeling that it’s a nice start. I’m also getting more comfortable digging into WordPress. It turns out that writing a theme is exceptionally easy once you understand how The Loop works.

I expect to continue to mess with this for another week or two before I look into WordPress hosting it for download. I don’t see any reason why not to share it with the world, if there’s actually still anyone out there with a nostalgia for the BeOS who wants to theme their WordPress blog.