I have been working with Ken for over 10 years and his web support and attention to detail keeps my website organized, material accessible, and ready for all types of web, tablet and mobile device layouts. His skills also make sure my site is protected, ready for my usage spikes, and synced with my ISP to head off any potential issues.

I highly recommend Ken for taking care of your ISP, web material, and website issues.
Dave Beulke

WordPress XMLRPC pingback vulnerability

WordPress XMLRPC pingback vulnerability

Well, it seems that a new vulnerability has been found and exploited in WordPress, I’m afraid.

A WP core file, XMLRPC.php, is used for pingbacks. A serious vulnerability was discovered almost a year ago and many sites were hacked because of it. I was under the impression that the problem was completely addressed and fixed in WordPress 3.5.1. (you *do* keep your WordPress up-to-date don’t you??) But evidently that’s not the case.

It’s come to my attention that there is another WordPress XMLRPC pingback vulnerability that is being taken advantage of and is being used for DoS (Denial of Service) attacks. The good news is that your WordPress site doesn’t actually get hacked in this exploit (to the best of my current knowledge) but the DoS could bring your site to a screaching halt or be used to DoS attack other sites and also make your hosting company very unhappy with you.

There are a number of ways to deal with the problem, but the quick and easy one is to install and activate the “Prevent XMLRPC” plugin. There are no settings that need to be made.

If you have a site that depends on pingbacks, or if you use a service like Windows Live Writer with your WordPress, the plugin will be a problem as it completely shuts off the XMLRPC function in WordPress. There are other ways of skinning the cat, but they start taking more technical expertise.

Here are a couple of links about this…

I strongly recommend installing the Prevent XMLRPC plugin ASAP!

WordPress 3.5.1 has been released - Time to upgrade WordPress

WordPress has announced the release of their Maintenance and Security update, WordPress 3.5.1 and its time, once again, to upgrade WordPress.

While WordPress 3.5 was released not too long ago, there were a number of issues that caused some people to have problems with their WordPress site. This release addresses those issues and also includes important security updates to the WordPress core. You can be assured that hackers will try to exploit WordPress sites that have not upgraded and have known vulnerabilities.

Remember that you should always backup your website (both files and database) before upgrading WordPress. While updating WordPress almost always works flawlessly, in the event something should go awry, having a backup will allow your site to be restored with a minimum of hassle.

Don’t forget to upgrade your WordPress themes and plugins as well. There have been some significant changes to the way WordPress does things and your old versions may not be compatible the new WordPress. Outdated WordPress themes and plugins can also pose a security risk.

In the case of themes, especially with older WordPress themes, you should do a little research before you update.  You want to be sure that your theme is compatible with the new versions when you upgrade WordPress. Also, remember that if your theme has had customizations made to it, updating can cause those customizations to be lost. Another good reason to backup before updating!

If you are worried about making the updates to your WordPress yourself, contact The Web Mechanic to take care of it for you!

From the wordpress.org website, here is what’s new in WordPress 3.5.1.

WordPress 3.5.1 is now available. Version 3.5.1 is the first maintenance release of 3.5, fixing 37 bugs. It is also a security release for all previous WordPress versions. For a full list of changes, consult the list of tickets and the changelog, which include:

  • Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
  • Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
  • Networks: Suggest proper rewrite rules when creating a new network.
  • Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
  • Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail.
  • Suppress some warnings that could occur when a plugin misused the database or user APIs.

Additionally, a bug affecting Windows servers running IIS can prevent upgrading WordPress from 3.5 to 3.5.1. If you receive the error “Destination directory for file streaming does not exist or is not writable,” you will need to follow the steps outlined on the Codex.

WordPress 3.5.1 also addresses the following security issues:

  • A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
  • Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
  • A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.

WordPress Upgrade to 3.5: Problems and Solutions

A WordPress upgrade is generally pretty easy and effortless. However, sometimes things just don’t work out as planned and problems may arise. I’m going to let you know of a few problems I have found and how they may be solved.

Before Your WordPress Upgrade

First, you should always backup WordPress before upgrading. While automatic updating during your WordPress upgrade usually works flawlessly, should something go very wrong you’ll be able to restore your site. You should backup your database and your wp-content folder at least, if not all of your site.

I also recommend updating your plugins before upgrading WordPress itself. Sometimes an older plugin version may not be compatible with a new WordPress version and stop working. This shouldn’t be much of a problem, after all you DO keep your plugins and themes always up to date don’t you?

Speaking of themes, you should check that your theme is compatible with the new version of WordPress before upgrading WordPress. Some themes may not be well maintained and could break in some manner when used with a new version of WordPress. Do some research, check with the author or the folks you got the theme from. Better safe than sorry!

NOTE: When a theme is updated, WordPress removes all of the old theme files and uploads new ones. If your theme has been customized, you will lose all of those customizations! If you are unsure, before upgrading your theme, check with your web person, or if they are no longer available, check with a knowledgeable WordPress pro who can find out if your theme is safe to update.

Without further ado, here are some problems and solutions I have found when performing a WordPress upgrade to Version 3.5.

NOTE: Some of these will be (hopefully) corrected in WordPress 3.5.1.

Common WordPress 3.5 Upgrade Problems

Next: After updating to WordPress 3.5, I can no longer update plugins or save pages!

Pages: 1 2 3 4

Basic SEO with Categories, Tags and Keywords in WordPress

SEO (Search Engine Optimization) is certainly the elephant in the room these days. And there is much conflicting information as to what you should do to have your website to be highly ranked in search engines like Google, etc. You know how the Real Estate mantra is “Location, Location, Location“? Well, when it comes to coming up in search engine results, it’s “Content, Content, Content. If you have well written content about what ever your subject is, you have done 80-90% of your SEO basics. Continue reading Basic SEO with Categories, Tags and Keywords in WordPress

10 Steps to WordPress Security Protection

Scripted websites/ blogs using WordPress are becoming more and more common. And as such they are becoming ever more tempting targets for hackers and trashers. It might be something as simple as putting a picture on your site that goes “phhpttttt!!! I was here!” Or it might go so far as to taking over your site, denying you access to it and then holding your site for ransom. Malicious code can be placed on your site that might infect visitors’ computers and not the least of your worries, get you banned by the search engines. Continue reading 10 Steps to WordPress Security Protection

Reset Your WordPress Admin Password via phpMyAdmin

Have you forgotten your WordPress Admin password? Do you need WordPress password recovery?  Did you lose access to your WordPress because you fell prey to the WP password vulnerability and your WordPress password was hacked? (Problem was corrected with WordPress 2.8.4.) Take heart, the recovery of your WordPress password can happen outside of WordPress by using phpMyAdmin. Continue reading Reset Your WordPress Admin Password via phpMyAdmin

Fix WordPress memory error when upgrading

With the issuing of WordPress 2.8.3 and 2.8.4 a lot of people have run into a WordPress memory error when upgrading–the dreaded “Allowed memory size error” when you try to run the automatic upgrade for your WordPress. (you did backup everything, just in case, yes?) Continue reading Fix WordPress Memory Error When Upgrading

WordPress 101 - Permalinks

So what the heck is a Permalink and why do I care?

Until fairly recently, when you looked at the top of your browser, where you can type in the URLs of sites you want to visit, what you saw up there likely made sense. If you were on the site’s “About” page, at the end of the URL you probably saw … /about.html. If you were on the “Contact” page it said /contact.html. Made sense, didn’t it?

Continue reading WordPress 101 – Permalinks

My WordPress Website Died

Yes, even The Web Mechanic can experience problems with WordPress!

Recently I thought my website (this website) was running a little slow… but it wasn’t anything that I was concerning myself about very much. Then yesterday, it slowed to a stop! I would try to access a page and my browser would just sit there trying to load the page. I didn’t think it was me, so I contacted my webhost service folks. They could see that there were a bunch of processes running that were gumming up the works. We both thought it was something spurious but also something to keep an eye on.

Continue reading My WordPress Website Died

The Web Mechanic's WordPress 101

Ok… You have decided to use WordPress for your website/blog, now what the heck do you do?

WordPress.orgThe Web Mechanic’s WordPress 101 will be a series of articles on setting up and using WordPress. I plan to write these articles on individual topics and will try to make them as “user-friendly” as I can. If something seems confusing or not explained clearly enough for you, please submit a comment and I’ll try to clarify things.

Continue reading The Web Mechanic’s WordPress 101