Archive for the ‘WordPress’ Category

My installation of WordPress was hacked!

Saturday, June 25th, 2005

My installation of WordPress was hacked last night. I have deleted the previous installation and installed the latest version, 1.5.1.2, but I do not know if it will be any more secure since the vulnerability 1.5.1.2 fixes from 1.5.1.1 may or may not be related (obviously, I have not been using the “default template” mentioned in the May 27th “Security Update” post in the WordPress Development Blog, but that does not mean that the same vulnerability may not also affect other templates, such as those in the Blix theme).

I am not yet certain about the point of entry, but I have had some suspicions. A new user account was created even though I have always kept the user-creation functionality of WordPress disabled. Thus, I first suspected the user-creation system because I received a user-creation notification e-mail marked 8:40pm and because hacker-uploaded files and hacker-modified files had modification times after that, but now I have my doubts because wp_users.user_registered was set to “1999-01-01 03:40:06” for the new user account (the wp_users.user_registered value for my own account is “0000-00-00 00:00:00”, which is also rather odd, but probably normal for accounts created during WordPress installation) and because one of the hacker programs connects to MySQL itself.

Strangely, the user account created by the hacker does not show up for me when I click on “Users” in the main WordPress menu; when I do, I see only the “Your Profile” tab with my own profile and my “Level” set to 4. The corresponding field in the database, wp_users.user_level was set to 10 for the hacker. I do not know what my level was set to before, but I suspect it was higher since clicking on “Upload” then “options” results in the following unlikely message for an administrator:

You do not have sufficient permissions to access this page.

Could the breach have been through the upload system? I will continue to look into it, but if you have any further information, please feel free to share what you know in the comments.
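The two checks the post relies on (unexpected rows in wp_users and files touched after the 8:40pm notification), as an added example that is not part of the original post. It runs against a constructed SQLite copy of wp_users and a constructed directory tree; the December 2004 installation date and the "owner" login are assumptions.

```python
import os
import sqlite3
import tempfile
from datetime import datetime

# Constructed stand-in for wp_users (SQLite instead of MySQL), using the column
# names the post mentions; the second row is a made-up intruder account.
WP_USERS_ROWS = [(1, "owner", "0000-00-00 00:00:00", 4),
                 (2, "newuser", "1999-01-01 03:40:06", 10)]

def suspicious_users(rows, install_date, known_logins):
    """Flag rows the owner did not create, for the reasons the post gives."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wp_users (ID INT, user_login TEXT, user_registered TEXT, user_level INT)")
    con.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", rows)
    flagged = {}
    for _, login, registered, level in con.execute("SELECT * FROM wp_users"):
        reasons = []
        if login not in known_logins:
            reasons.append("unknown login")
        if level >= 10:                      # administrator-level account
            reasons.append("user_level %d" % level)
        # All-zero is the install-time sentinel; anything else earlier than the install date is bogus.
        if registered != "0000-00-00 00:00:00" and registered < install_date:
            reasons.append("registered %s, before install" % registered)
        if reasons:
            flagged[login] = reasons
    return flagged

def files_modified_after(root, cutoff):
    """Relative paths under root whose mtime is at or after cutoff (a datetime)."""
    hits = []
    for d, _, names in os.walk(root):
        for n in names:
            p = os.path.join(d, n)
            if os.path.getmtime(p) >= cutoff.timestamp():
                hits.append(os.path.relpath(p, root).replace(os.sep, "/"))
    return sorted(hits)

def demo_file_scan():
    """Constructed tree: one file aged to before the 8:40pm notice, one touched now."""
    root = tempfile.mkdtemp()
    old = os.path.join(root, "wp-config.php")
    new = os.path.join(root, "wp-content", "unexpected.php")
    os.makedirs(os.path.dirname(new))
    for p in (old, new):
        open(p, "w").close()
    stamp = datetime(2005, 6, 1).timestamp()
    os.utime(old, (stamp, stamp))
    return files_modified_after(root, datetime(2005, 6, 24, 20, 40))
```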

New WordPress Theme Installed: Blix

Tuesday, May 24th, 2005

I have installed a new WordPress theme called “Blix” (version 0.9.1) by Sebastian Schmieg. So far, it seems very nice—clean.

WordPress 1.5.1.1 Installed

Tuesday, May 24th, 2005

After my first attempt to install WordPress 1.5.1.1—right over WordPress 1.5—failed with an e-mail from DreamHost’s “one-click” installation robot complaining about how the directory was not empty, I grudgingly deleted the contents of the directory (I had already saved a copy of my content to my local system) then repeated the series of clicks (“few-click” installation is more like it) necessary to try again. Now WordPress 1.5.1.1 is installed, but the .htaccess file is gone, so none of the links into the “wordpress” directory work. Oops.

I tried to edit the .htaccess file, hoping WordPress would generate a new one, but it did not; it merely complained about there not being one. I also tried editing a link category name (without actually changing it), but that did not seem to do anything either. Ugh.

I would ask if anyone knows how to regenerate the .htaccess file, but the comment links are among those that are not presently working. I wish I had saved a backup copy of my .htaccess file along with that copy of my content.

Update (Just Minutes Later): I got WordPress to rebuild the .htaccess file, fixing the links into the “wordpress” directory, by loading Options > Permalinks then clicking on the “Update Permalink Structure »” button (it was not necessary to actually make any changes, only to click on the button).

Update (4:40am): With all of the bug-fixing that the WordPress team did for version 1.5.1.1, they missed one that has already been mentioned on their Web site: changing a post slug does not change the value of wp_posts.guid (the URL) for that post. I discovered this while looking into a broken link that showed up in my index table. Curiously, the sidebar link to the same article had the correct URL.

A New Version of WordPress & Another New Page Style

Sunday, February 20th, 2005

WordPress 1.5 has been released and it reportedly offers many improvements over WordPress 1.2.1, which I was previously running at DVD Guide, so I have—as you may have guessed by my use of the word previously—upgraded to it.

With the new version of WordPress comes a new default page style, which looks much better than the old default page style aside from using right-pointing double-angle brackets as bullets. It seems cleaner overall. I will likely tweak it a bit, of course—after I have had some time to explore it.

A New Page Style

Tuesday, December 7th, 2004

I have started working on a new page style for WordPress-generated pages to improve their content presentation. It is currently posted as an alternate style sheet, but I do plan to make it the default when I have had some more time to work on it (this is, after all, final examinations week at school).

For now, you can apply the new page style, “DVD Guide Custom Style: Untitled (A Work-in-Progress)”, by using your Web browser’s built-in alternate style sheet support as follows:

  • In Firefox: You can select alternate style sheets from your “View” –> “Page Style” menu.
  • In Opera: You can select alternate style sheets from your “View” –> “Style” menu.
  • In Another Modern Browser: Check your “View” or equivalent menu and, if necessary, your browser’s documentation.
  • In Internet Explorer: Alternate style sheet support is not built into Internet Explorer for Windows (I do not know about the Mac OS versions, some of which do offer some functionality that the Windows versions lack), but I may implement a style sheet switcher for you later. For now, I recommend using a different browser.

Although the new page style is still a work-in-progress, I would love to know what you think about it, so please do not hesitate to post a comment about it.

Update: You can now select from the WordPress original page style, that plus my custom page style (so far, it extends the original style rather than replacing it), or my custom page style alone (for use primarily during further development until it is ready to replace the original entirely). I have changed the default page style to the combination of the original and custom page styles (listed among the available styles as “WordPress++”).

Comment Spam

Friday, December 3rd, 2004

I just installed WordPress before going to bed earlier this morning then I awoke several hours later to be greeted by nearly fifty comment notification e-mails—all for spam comments about gambling sites—and more of them arrived while I was sorting through them for anything real, so I temporarily reposted the old page and started looking for an image-based system to prevent WordPress comment spam without stifling legitimate comments.

I found a plug-in that may do the trick, but I am not crazy about how it seems to rely upon PHP sessions* to store its temporary information, so I will have to keep looking and considering my options for now. In the meantime, since comment spam keeps showing up (even with times from several hours before their associated posts and no notification messages), I have added “casino”, “gambling”, and “poker” as keywords to trigger comment moderation, so my e-mail inbox may still be filled with notifications, but at least it should be more difficult for new ones to show up on the site.

Update: I just deleted 68 spam comments (one individually, three pages of twenty, then a page of seven more), but I received only 57 corresponding e-mail notifications, so it looks like WordPress let eleven comments through (possibly all associated with nonexistent posts) without notifying me.

* PHP sessions work by either embedding session information into URLs, which is both ugly and short-sighted (a threat to security, system resources, and even search engine operations), or by using cookies, which I am not crazy about requiring for unregistered commenters.

WordPress Reinstalled

Friday, December 3rd, 2004

I have reinstalled WordPress under a “wordpress” subdirectory because of how it pollutes the installation directory (I didn’t want all that stuff in the root directory). I also changed the “Weblog title” on the “General Options” page to “DVD Guide » WordPress” because WordPress-generated page titles are misleading about the organization of the Web site if I use just the name of the site.

Trying WordPress at DVD Guide

Friday, December 3rd, 2004

Although I have my own Web-publishing software in PageDrive, it is still under development and not yet ready to deploy at other people’s Web sites, so I have decided to try WordPress at DVD Guide to see if it might be good for friends and family who want to set up Web journals soon rather than waiting for PageDrive.

So far, everything seems to be working and WordPress seems to offer a lot of functionality and impressive attention to detail in some regards (automatic replacement of quotation marks with curly versions, for example). I do have some initial concerns, so I will document them here for easy reference (not presently in any strict order, but I may sort them later):

  • Security Risk: The installer was publicly linked from the root of the installation directory, so if anyone had gotten to it before me, the user name and password would have been provided to that person rather than to me.
  • Security Risk: Users are allowed to create their own accounts by default.
  • The installer and the “General Options” page delete trailing slashes from the “WordPress address (URI)” and “Blog address (URI)” fields. It then seems to add one back when generating the link at the top of a content page if “Blog address (URI)” is the root directory, but not if it is a subdirectory.
  • The “View site” links on the administration page go to index.php whether it exists or not. (WordPress seems to assume that the “Blog address (URI)” will have the index.php file it installed at the “WordPress address (URI)”.)
  • Most of the links between WordPress-generated pages use file extensions—even the “View site” links to the site’s root.
  • I am not in love with the query strings WordPress uses in so-called article “permalink” and search URLs, although they do seem to be editable to some yet undetermined degree.
  • This form does not offer em dashes and en dashes.
  • The default page layout seems rather cramped in some places.
  • The default page layout seems rather bland.
  • Every time I use one of the “Quicktags” with the post form on the “Write” page, the text area in which I am typing scrolls to the top. (I am presently using Firefox 1.0 on Windows XP Professional with Service Pack 2.)
  • The TrackBack section of the form on the “Write” page says “TrackBack an URL” and it mixes “URL” and “URI” on the same line.
  • There does not seem to be a way to replace deleted indentations in the post form.
  • WordPress does not hyphenate “e-mail”.
  • If the “Nickname” field is blanked (it is filled by default) on the “Profile” page, WordPress returns an error message after the user clicks the “Update Profile” button.
  • If the “Email” field is left blank on the “Profile” page, WordPress returns an error message after the user clicks the “Update Profile” button.
  • WordPress does not generate valid XHTML if “&trade;” is entered in the “Weblog title” field on the “General Options” page or in the post field on the “Write” page; it seems to just pass it straight through as XHTML, which browsers will display as “™”. This causes Firefox and Sage, an RSS plug-in for Firefox, to both halt and return error messages when parsing WordPress-generated feeds.
  • If “&trade;” is surrounded by quotation marks and followed by a period as in the item directly preceding this one, WordPress replaces the preceding quotation mark with a curly quotation mark, but leaves the following quotation mark straight.
  • The post form sometimes refuses new text selections, keeping other text selected. For example, when I try to select part of the final item in an unordered list, the closing tag for the list (not the list item) stubbornly remains selected.
  • Comment notifications come from a nonexistent e-mail address with a garbled name (“DVD Guideâ„¢”).
  • New link categories auto-increment past numbers of deleted categories. (This may be due to how MySQL handles AUTO_INCREMENT fields.)
  • WordPress automatically changes well-known XHTML tag names to lower-case, but it leaves their property names, such as “HREF” and “TITLE” however they were typed, which can cause XHTML validation to fail.
  • Category names are numbered in a single sequence in order of creation regardless of their depths.
  • WordPress uses the same title for the pages and feeds it generates and it generates its garbled e-mail notification sender name from that same title. Different titles might be nice (“Latest News”, “Category X”, etc.)—along with category-specific feeds.
  • WordPress generates a link to the front page even on the front page (sans query string). Category and single-post pages also link to themselves.
  • Upon posting a message at 2:21pm, there was immediately a spam comment with today’s date and the time “7:56 am”. This particular spam comment did not appear in my comment notifications.
  • WordPress generates a .htaccess file that is incompatible with its archive (year-month, e.g. http://www.example.com/wordpress/2004-12) links when using hyphens as delimiters between year, month, and date values in permalinks.
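The feed failure described in the trademark-symbol item above, reproduced and corrected as an added example that is not from the original page: the constructed RSS item assumes the title was typed as the HTML named entity `&trade;`, which a strict XML parser (the kind Firefox and Sage apply to feeds) rejects because RSS carries no DTD defining it, and the fix rewrites such names as numeric character references.

```python
import re
import xml.etree.ElementTree as ET
from html.entities import name2codepoint

# Constructed RSS document in the shape WordPress would emit if "&trade;" were
# typed into the weblog title and a post: the named entity is passed straight through.
RAW_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<title>DVD Guide&trade;</title>
<item><title>Trying WordPress</title><description>&ldquo;&trade;&rdquo;.</description></item>
</channel></rss>"""

# XML predefines only these five entities; any other name needs a DTD, which
# RSS feeds do not carry, so &trade; is an "undefined entity" to the parser.
XML_BUILTIN = {"lt", "gt", "amp", "quot", "apos"}

def feed_parses(xml_text):
    """True if a strict XML parser accepts the feed text."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def numeric_entities(xml_text):
    """Rewrite HTML named entities as numeric references, which every XML parser accepts."""
    def repl(m):
        name = m.group(1)
        if name in XML_BUILTIN:
            return m.group(0)                    # already valid XML
        if name in name2codepoint:
            return "&#%d;" % name2codepoint[name]   # e.g. &trade; -> &#8482;
        return m.group(0)                        # unknown name: let the parser report it
    return re.sub(r"&([A-Za-z][A-Za-z0-9]*);", repl, xml_text)

def channel_title(xml_text):
    """Title of the <channel>, decoded by the XML parser."""
    return ET.fromstring(xml_text).find("channel/title").text
```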

I still have the following concerns regarding WordPress 1.5 (other items will be moved here when they have been confirmed for this version):

  • I am not crazy about how WordPress dominates whatever directory it is installed in, creating category URLs without any apparent regard for whether those categories represent specific topics (e.g. defective DVDs or usability problems) or general content types (e.g. news, reviews, or interviews). Categories can be arranged as subcategories, but the resulting automatically-generated URLs may not be as desired and the default page style shows subcategories at the same level as their parent categories. I would prefer something that would better suit sites running multiple applications (indeed, enabling smooth, seamless deployment of multiple applications has been part of my own Web software plans since before I decided to bring some of my projects together into my PageDrive project), preferably with a common user-account and user-session system (users would create and use just one account for blogs, discussion forums, games, shopping, and whatever else a single site offers instead of being annoyed by multiple user name and password sets for each site that offers more than one type of service).
  • The new default page style uses right-pointing double-angle brackets as bullets on the front page while it uses standard filled circles as bullets on other pages.
  • The new default page style justifies text, creating wide, ugly gaps between words on some lines.
  • I do not care for the “Archives” metaphor; it carries an odd temporal connotation for new content.
  • So-called archive versions of articles do not appear in their entirety. (This may be adjustable, but this is the default behavior.)
  • Per-month archive URLs are created by default.
  • Per-category URLs display archive versions of articles.
  • Post slugs and corresponding URL rewriting code are generated whether they are wanted or not.
  • Automatically-generated post slugs omit ampersands and there does not seem to be any option to have solo ampersands converted to “and” instead.
  • The default template says that every site “is proudly powered by WordPress” even if the owner of the site has no reason for pride in using WordPress. Slightly less annoyingly, that line isn’t followed by a period.
  • Some WordPress generated links still lack trailing slashes when they should be there, but trailing slashes are included for rewritten URLs that do not require them (e.g. the feed links at the bottom of every page), which just seems silly.
  • WordPress does not seem to allow category names to follow the blog directory directly in permalinks even when the custom prefix is set to “/” or the installation directory (e.g. “/wordpress/”). It still inserts the word “category” into category links (and it still deletes a trailing slash from the form field).