Tag Archives: WordPress

I’ve Been Hacked! WP-Lytebox Sucks

Hacking WordPressThis is the third time I’ve had to spent serious time “fixing” WordPress.  Say what you will about my old “Small Axe” or “Flip” solutions, but I never had a problem.  With WordPress, I have found regular issues.

This time, I traced the problem back to wp-lytebox, and I’m ashamed to say I’ve had to fix the same problem before.  It all started when I couldn’t load the post page in the backend of firsttube.com.  Digging in, I eventually found a file called sys.php in the root of the site, and it listed the contents of my site and had a form that allowed someone to add a page, chmod a page, or delete a page.  Killer!

I found that it was defaulting to /path/to/WP/wp-includes/plugins/wp-lytebox, and sure enough, digging into that directory revealed several other fun scripts, all of which gave someone the ability to access all the files on my site.  Fun!

I found that I already had replaced this plugin before, so I decided to get rid of it altogether, this now proving it wasn’t a misconfiguration, but rather, a problem with the wp-lytebox itself.

In this process, however, I was unable to fix my issue.  Visiting /wp-admin/post-new.php still rendered only a page footer, and nothing more.

So I starting fooling around in my directories looking for files that had been modified more recently than when I did my 2.9.2 upgrade.  One of the files? My .htaccess file.

This be odd,” I thought to myself, “I’ve changed this not, methinks.

Sure enough, there was a rogue line within: RewriteCond ^/default/$ /wp-admin/includes Huh?

I dug into that folder, and the .htaccess file there was recent too? It’s contents? DefaultIndex users.php

Of course, I immediately opened users.php and found, as you might have guessed, a bunch of Russian crap. Savvy WP hackers will know, it’s not a real file, there is no users.php in the real wp-admin/includes directory.

I also found a folder that had two large files, both named core.XXXX where XXXX was a 4 digit number, and a massive 40 MB error_log.  Yikes.

I thought I had everything cleaned out, and I truly believed that the way in was wp-lytebox.  Then I found this.  And sure enough, all of the listed files were compromised.  So I nuked all the files, and replaced them all.  D’oh!

So, if you’re arriving via Google or Bing or Yahoo!, do NOT use wp-lytebox.

Tagged , ,

Microsoft’s Web App Gallery FAIL

Giving Microsoft, IIS, and PHP.exe the benefit of the doubt, I decided to try installing WordPress on Windows via Microsoft’s new Web Application Gallery.   The install is simple and straightforward: install MySQL, go to the web app gallery, click on the download, choose what you want, poof! Done.

I got the first few steps knocked out, I selected WordPress,  gave it my MySQL username and password, and let it go.  It installed PHP for Windows, the MySQL connector, and WordPress.  Then I launched my browser and pointed to http://localhost:81 and… no.  Error 402.  I monkeyed with the site in IIS and was able to generate an error that simply says:  Parameter not found.

PHP is installed.  IIS assicates .php files with PHP.exe.  But WordPress no worky.

Fail.

Tagged , ,

Posting Your Latest Tweet in WordPress

Although I posted yesterday how to add your latest tweet to WordPress without a plugin, I made several changes to the script before I posted it to make it more “generic” and re-usable. Since I’ve changed it quite a bit, I decided to repost it. This new script also autolinks @usernames and #hash tags.

Directions are this easy: set the path of $tw_File with a static, writable file.  Set $tw_userid to your Twitter user id.  Done. 

Download firsttube.com “get latest tweet” php snippet.

Tagged , , ,

Thank a Plugin Developer Day

Matt Mullenweg, creator of WordPress and skipper of Automattic, has declared today, January 28, “Thank a Plugin Developer” Day. In thanks, I will list all of the plugins I use in my firsttube.com WordPress install.

  • Akismet is a comment filter that uses a “karma” type algorithm to analyze comments and separate ham from spam. According to my internal stats, Akismet reports 37,512 spams caught, 284 legitimate comments, and an overall accuracy rate of 99.934%. Not too shabby. As a result, this site no longer has a captcha.
  • Blip.It iPhone Handler is a neat little tool that creates a method to display embedded flash as Quicktime on-the-fly, ideal for iPhone compatibility.
  • Cache Images, another Mullenweg gem, let me fetch remote images and store them locally. I prefer to host all images locally if possible, so this is fantastic.
  • “ftBlogrollerWP (ft)” is my own modified plugin that creates a page with all of my links, as seen here.
  • Google XML Sitemaps is a tool for creating a sitemap that Google and other search engines can use to spider your site. This would take forever by hand and would be very hard to keep up manually, but this plugin makes it effortless.
  • Limit Login Attempts. No sense in letting someone hammer your WordPress admin login eternally. Basic security that ought to be part of WordPress core.
  • Similar Posts is a snazzy little plugin that tries to find similar posts to any given post. I use this on each post’s page. In pre-Wordpress firsttube, I did this by searching for other articles with the same tags. In WordPress-era ft, I do this via a plugin. Similar Posts requires the Post-Plugin Library.
  • Tangofy is a simple plugin to modify icons in the stock WordPress admin pages.
  • TTFTitles is a sweet little plugin that creates images from text. I do this on entry titles and sidebar titles. It allows you to add a dimension of professional typography and to use fonts that aren’t in the eight “web safe.”
  • WordPress Database Backup: you’ll never guess what this one does!
  • WordPress Hashcash does the spam filtering in conjunction with Akismet. Whatever Akismet misses, Hashcash catches. Essentially, it catches *everything* Akismet misses and only really reports problems when users have javascript turned off.
  • WordPress Popular Posts provide me view counts, plain and simple. I used to keep track pre-Wordpress, but sadly, I lost my hit count (many of which were in the thens of thousands of views) and only started again this month. Nonetheless, it’s in the sidebar.
  • wp-cache is a caching program, but I’m not currently using the cache.
  • WP-Lytebox automatically adds a lytebox effect to inline images, which is spectacular.
  • WP-Optimize is a database optimizer that does optimization not only of MySQL overhead, but also removes autosaves and other space wasters from your database.
  • WP-Syntax makes my code pretty, and that’s all.
  • WP iPaper is a plugin for embedding scribd stuff.
  • Lastly, WPtouch iPhone Theme is a stylesheet that makes this site look native on the iPhone. It’s truly a beautiful skin.

That is all. Thank you to all the above developers. As a reward, please accept this pingback!

Tagged ,

WordPress “Press This” 404 Problem

WordPress › Support » Press This 404 issue.

“Press This” hasn’t worked for me for ages.  I am so happy to have it back!

Tagged ,

firsttube.com Upgraded To WordPress 2.7

So far, one problem, two gripes.  My problem is that I can’t seem to get posts with dots in the slug title to work right, even though I once solved this problem before.  What’s worse is that it won’t fetch those posts anymore, which really sucks.

Onto my gripes. I can’t get inline replying/threading to work.  There is very little documentation on it so far. The functions are called comment_reply_link() and get_comment_reply_link(), and there’s nothing anywhere in the codex that helps, there’s little on the internet, the only place to get any real detail is the code itself, which explains:

from wp-includes/comment-template.php starting at line 949 on WP 2.7.0

 * Retrieve HTML content for reply to comment link.
 *
 * The default arguments that can be override are 'add_below', 'respond_id',
 * 'reply_text', 'login_text', and 'depth'. The 'login_text' argument will be
 * used, if the user must log in or register first before posting a comment. The
 * 'reply_text' will be used, if they can post a reply. The 'add_below' and
 * 'respond_id' arguments are for the JavaScript moveAddCommentForm() function
 * parameters.
 *
 * @since 2.7.0
 *
 * @param array $args Optional. Override default options.
 * @param int $comment Optional. Comment being replied to.
 * @param int $post Optional. Post that the comment is going to be displayed on.
 * @return string|bool|null Link to show comment form, if successful. False, if comments are closed.

It doesn’t matter much, because it doesn’t work, period, even though I’ve followed the instruction here to a t. So I’ll have to fix that in time.

My last gripe is with the new wp_list_comments() routine. I understand this is all new, but the idea that templating comments requires a callback function as a wrapper to all comments, pings, and trackbacks is clumsy at best. The codex on wp_list_comments() have nothing to explain it to people, so while I’ve dug in and gotten things working, it’s not for the feint of heart just yet, since you need to build a PHP function in your theme in your functions.php file (or create one if it doesn’t exist, which cannot be done via the Dashboard). I’m a little sad, since the theme system is so flexible and the new plugin system is just incredible, to see the new comment loop be so manual compared to the single file approach used so successfully in the past.

I know that Scoble says WordPress 2.7 rocks, and it does. Scoble doesn’t realize the shortcomings because he hasn’t tried to play with the new features, and fortunately, it very gracefully degrades. But it’s got some work to do to be perfect, for me at least.

Tagged , , , ,

WordPress 2.7 RC1

I just downloaded and installed WordPress 2.7 RC1. The upgrade took about 3 minutes, end to end, and the “several moments” database upgrade took less than 2 seconds. All in the all, there’s very little to notice on the front end that is different, I haven’t been able to test comment threading yet. However, the new admin site is really nice looking. The Dashboard is a HUGE improvement over the <2.7 series.

Themes were entirely unbroken. Upgrading firsttube.com may be a bit more of a challenge since I’ve manually changed a few fore WordPress files, which may prevent in place automatic upgrades.  However, all in all, I think the 2.7 release is looking really great.  

When 2.7 final is released, I expect to be updating my live site pretty quickly.

Tagged ,

BePress: A WordPress Theme

BePress: A WordPress theme

BePress: A WordPress theme

Chasing a random whim, I decided to check if there was an existing WordPress theme to mimic the BeOS 5 desktop. If there is one, I can’t find it. As I’ve detailed before, I’ve been learning to hack WordPress. So I thought, perhaps this is a chance for me to write my first WordPress theme.

Enter BePress. At first, I began this project as a 100% table-free CSS/XHTML project. After a few hours of tinkering, however, and after looking into some old code Eugenia wrote, it became clear to me that going table-less will not render the result I’d like to see. Perhaps for a 2.0 version I’ll pursue that goal. In the meantime, for my 0.2 roll I replaced my divs and spans with tables and got a nice, smooth BeOS table-like interface. Behold, BePress.

BePress

Although far from complete – complete to me means all pages of the theme are present and rendering properly – I’m feeling that it’s a nice start. I’m also getting more comfortable digging into WordPress. It turns out that writing a theme is exceptionally easy once you understand how The Loop works.

I expect to continue to mess with this for another week or two before I look into WordPress hosting it for download. I don’t see any reason why not to share it with the world, if there’s actually still anyone out there with a nostalgia for the BeOS who wants to theme their WordPress blog.

Tagged , ,

My First Plugin

I recognize that I’ve been a little wordy about WordPress lately – no pun intended – but I’m afraid that it’s really interesting to me, and probably will be for the next few days. So, if you’re growing weary of the WordPress related posts, I’m sorry.

Today I took my first stab at writing a WordPress plugin. Turns out, it’s really easy. I’m mean really easy. The plugin is pretty simple: it just searches through every post and turns the unlinked words firsttube.com into a hyperlink. However, it seems like it might be a useful plugin for some, even just as a text-replacement plugin. So we’ll see if I publish it. In the meantime, though, it took me about 15 minutes to write and then it was recognized by WordPress, which was very cool.

I have a few ideas for more involved plugins too that I may write, one day. But in the meantime, this one is pretty cool.

Tagged , ,

OSNews vs. WordPress

I’ve spent quite a bit of time, over the last 5 or 6 days, diving into WordPress and learning what makes it tick.  Parts of WordPress are really impressive – just flat out cool. The way some of it works is fairly complex and deciphering it sometimes means reading page after page after page to understand an entire routine.  But sometimes, when you finally see, end to end, how something in WordPress works –  I mean really see individual bits of the engine – you have to admit it teaches you a little about PHP.  WordPress, underneath it all, is a pretty big beast and its strength and ubiquitous presence comes largely, I think, from the fact that it can do virtually anything.  The really sweet plugin system, the ways hooks work, “The Loop,” the dynamic options panel – it’s all very educational.  

The interesting thing here is that I’ve browsed the source of Slash, Scoop, phpNuke, and now WordPress, and all of them are definitively more complex and much heavier than the entire OSNews codebase. Now, before you jump all over me – firstly, Slash and Scoop are Perl, and I don’t really read Perl, so I can’t speak as an expert there.  Secondly, WordPress and Nuke both are very portable and dynamic, whereas OSNews has a narrow focus and, location-wise, is very static.  But that aside, OSNews has withstood simultaneous link bombs from Slashdot and Digg.  As amazing as WordPress is, it’s mostly amazing that it functions at all and loads in less than 2 minutes per page with as much going on as I can see behind the scenes.   That’s not a cut on WordPress, by the way.

In fact, if anything , what is really impressed upon me is how smooth and simple OSNews code is, if I may be so bold.  OSNews runs superfast due, in part, to lots of creative caching, some on-demand, some via cron.  But it also does so because of highly efficient queries that are measured for speed on their JOINs, meaning in some cases, it’s faster to do 20 simple queries than one complex one, or build a long and scary chain of “OR x=a OR x=b OR x=c OR x=d…”  Watching WordPress code in action is really fun for me, but watching OSNews work knowing what I now know about how much work PHP can cram into its threads is even more fun.

Tagged , , , , , ,