
Wordpress 2.1 includes a few extra hidden editor buttons
I’m sure many of you can relate to the problems involved with maintaining several websites: changing hosting providers, upgrading software, making content or feature updates, managing email accounts, etc. To complicate things, you probably have high-priority sites (client sites) and low-priority sites (side projects or hobby blogs) that demand different levels of your attention and skill. If you’re not careful and mindful of all this web baggage, you might just leave yourself wide open. I sure did.
One of the more convenient features of installing Wordpress is its ability to create the config file for you from the browser. This is also one of the more dangerous features, because it requires you to set that file’s or folder’s permissions to publicly writable. This is just fine unless you forget to set the permissions back to non-publicly writable. In my case, after staying up late transferring a bunch of websites from one server to another, I forgot to check all my folder permissions and had left a couple of sites’ main content folders wide open.
Just a few days ago while browsing the root of one of my sites, I found a peculiar file that I did not recognize ever uploading: faq.php. So, I opened that file up in my browser and found what appeared to be an all-in-one hacker’s tool kit for having their way with my website. After I calmed myself down from the shock, I deleted the file and searched for anything else out of place (or missing!). I changed the permissions back on all my folders and promptly upgraded to the latest version of Wordpress.
I believe my problem was due to a combination of leaving my front door wide open (folder permissions) and to having an outdated version of Wordpress installed that had known security flaws (only recently described on wordpress.org). It looks like whoever “cracked” my site pretty much left things alone and didn’t change or delete anything. I still changed all my passwords and gave the security a once-over anyway.
So, while this is basic security stuff for many, it’s always a good idea to keep a few things in mind with regard to securing your Wordpress install:
- Don’t screw up your file permissions.
- Be aware of any vulnerabilities of your current Wordpress version–upgrade if appropriate.
- Note: if you do upgrade, watch the Wordpress blog closely for a couple weeks to make sure no new security alerts are posted.
- Take a walk with your files. Periodically looking at your filenames and server details will help you catch something out of place faster.
- Back up your files! This means your database, too.
Hardening Wordpress is a rather complete write-up on how to secure your Wordpress install. Following the advice in the article will go a long way to keeping your site secure, healthy, and running smoothly. I would recommend running down this article like a checklist every time you set up a new Wordpress site or move servers.
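As an added illustration of the “take a walk with your files” and permissions points above (example code, not from the original post or from Wordpress): a small Python script that records a SHA-256 manifest of a web root, reports files added, changed or removed since that snapshot, and lists anything left world-writable. The tiny directory tree built inside `demo()` is constructed for the demonstration; point `build_manifest` and `world_writable` at a real install to use it.

```python
import hashlib
import os
import stat
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests; return (added, modified, removed) paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed


def world_writable(root):
    """Return sorted relative paths of files and directories with the o+w bit set."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            if stat.S_IMODE(os.stat(full).st_mode) & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Constructed scenario mirroring the post: snapshot a tiny web root, then a
    stray faq.php appears and wp-content is left world-writable after a server move."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "wp-content"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php // constructed stand-in for the real index.php\n")
    baseline = build_manifest(root)          # taken right after a clean install
    with open(os.path.join(root, "faq.php"), "w") as fh:
        fh.write("<?php // constructed stand-in for an unexpected upload\n")
    os.chmod(os.path.join(root, "wp-content"), 0o777)
    added, modified, removed = diff_manifest(baseline, build_manifest(root))
    return added, modified, removed, world_writable(root)
```

Save the baseline manifest (for example as JSON) right after an install or migration and re-run the comparison on a schedule; a fresh file you never uploaded, or a folder still showing up as world-writable, is exactly the kind of thing this catches early.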
ThinkFree has just released a Wordpress plug-in that generates a preview of Microsoft Word, Excel and PowerPoint files that are linked to from within a Wordpress post. The plug-in scans your posts for links to such files and auto-inserts a “view” button next to it. Clicking the link opens up a lightbox-style window with an HTML and image-based preview of your file.
Check out an example here: Widgets Sales Report.xls
Now, I don’t post many Office documents to the web during normal blogging. However, I can see the usefulness of this plug-in if you needed to, say, throw a quick graph or tabular data up on your site. The ability to view PowerPoint files has some interesting possibilities.
I must say, I’m not a fan of the blinking “view” image they use. Though, I’m sure that could be modified by a little poking around at the plug-in code. The plug-in also seems to handle simple Office documents much better than more complex ones (even Google’s view-as-HTML feature for PDFs and Word docs has similar trouble sometimes). I’d also like to see the Mac-esque window used for the “pop-up” go away. I’m not hating on Macs; I would just much rather have a clean or customizable style. Again, probably fixable with a little code modification.
Has this ever happened to you? I’ve done a fair share of jumping from one web host to another. One of the biggest pains is moving a bunch of WordPress installs. Invariably, I’ll have at least one WP install that ends up either with two admin pages swapped or with buttons that look like this screen shot.
I can’t quite figure out what is causing it. My guess is that it is occurring during the FTP process and either a file gets a wrong name or somehow gets swapped with another. I can usually correct it by re-uploading certain sections of my WP install, but I’ve never really paid attention to which files fix it.
As for FTP clients, I’ve yet to find one I’m absolutely in love with. I have a love-hate relationship with both SmartFTP and Filezilla. Both seem to serve me well about 80-90% of the time. Filezilla seems to handle transfer problems better (giving me more ability to retry failures without just failing again every time like SmartFTP seems to do). I suppose I want an FTP client that can verify that all files were uploaded exactly as they should for me. Kind of like when I burn a CD or create a ZIP/RAR archive–the program verifies everything afterwards.