Archive for the ‘Blog Publishing’ Category


Massive WordPress Attack Targets Weak Admin Passwords

Image: CloudFlare

If you’re using the popular open source blogging tool WordPress to power your website, you may be vulnerable to a new web-based attack.

If your WordPress admin pages suddenly become sluggish or unreachable, or you’re unable to log in, there’s a good chance your site is being attacked.

According to CloudFlare CEO Matthew Prince, the attack is using brute force against WordPress’ admin pages using the old default username “admin” and then trying thousands of passwords. There’s nothing new about that approach, but what makes this attack different, and particularly potent, is that the attackers have some 90,000 unique IP addresses at their disposal.

For its part CloudFlare has pushed out an update that “detects the signature of the attack and stops it.”

Popular WordPress Host HostGator reports that it too has “seen over 90,000 IP addresses involved in this attack.”

WordPress creator Matt Mullenweg has also weighed in, pointing out that it’s been over three years since WordPress used the username “admin” as the default for new installations.

However, there are no doubt a great many sites that still have — whether they use it or not — the “admin” user account hanging around in WordPress. It’s also worth noting that, while this attack appears limited to trying the “admin” username, a more sophisticated approach could do the same thing, but with unique usernames — for example, find the most frequently used account name on the public site, assume it’s an admin account and run the same attack against the admin pages. So far that hasn’t happened.

“Here’s what I would recommend,” writes Mullenweg on his blog, “if you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up to date on the latest version of WordPress.”

Unfortunately, given the number of IP addresses that seem to be at the attackers’ disposal, other common security measures — like tools that limit logins by IP address — aren’t going to be terribly effective against this attack. Short of getting rid of the default “admin” account (if it still exists), there isn’t a whole lot you can do to stop the attacks (unless you want to use a web application firewall like CloudFlare or ModSecurity). Be sure to contact your hosting company if you think your site has come under attack.
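As an added defender-side illustration (not code from the article, CloudFlare or HostGator), the check below runs over a constructed access-log sample and shows why a per-IP failure counter misses an attack spread across many source addresses, while counting distinct sources hitting the login endpoint catches it. The Apache combined log format and the convention that WordPress answers a failed login with HTTP 200 and a successful one with a 302 are assumptions.

```python
import re
from collections import Counter

# Constructed sample (not real traffic): one failed POST to wp-login.php from
# each of 40 distinct addresses, plus one legitimate GET/POST pair. Assumed
# convention: failed login -> 200 (form re-rendered), success -> 302 redirect.
SAMPLE_LOG = "\n".join(
    f'203.0.113.{i} - - [12/Apr/2013:10:00:{i % 60:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"'
    for i in range(1, 41)
) + "\n" + "\n".join([
    '198.51.100.7 - - [12/Apr/2013:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1180 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
])

# Apache "combined" format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(log_text):
    """Yield (ip, method, path, status) for every parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"], int(m["status"])

def per_ip_offenders(log_text, threshold=5):
    """Classic per-IP limiter: addresses with >= threshold failed login POSTs.
    A distributed attack sending one attempt per address never trips this."""
    fails = Counter(ip for ip, method, path, status in parse(log_text)
                    if method == "POST" and path == "/wp-login.php" and status == 200)
    return {ip: n for ip, n in fails.items() if n >= threshold}

def distributed_bruteforce(log_text, min_sources=20, min_fail_ratio=0.9):
    """Per-target view: many distinct sources failing against one login endpoint."""
    sources, posts, fails = set(), 0, 0
    for ip, method, path, status in parse(log_text):
        if method == "POST" and path == "/wp-login.php":
            posts += 1
            sources.add(ip)
            if status == 200:
                fails += 1
    ratio = fails / posts if posts else 0.0
    return {"distinct_sources": len(sources), "failed": fails, "fail_ratio": ratio,
            "alert": len(sources) >= min_sources and ratio >= min_fail_ratio}
```

On the sample, per_ip_offenders() returns nothing, while distributed_bruteforce() raises an alert on 41 distinct sources with a failure ratio above 0.97.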

Find Tweetable Sentences With ‘Save Publishing’

This post with tweetable sentences highlighted by Save Publishing. Image: Screenshot/Webmonkey

Ever wish you could quickly scan an article and find all the sentences of 140 characters or fewer so you could figure out which to post to Twitter? The idea had never occurred to me, but now that I’ve used the Save Publishing bookmarklet I have to admit, it actually is pretty darn useful.

Save Publishing is a bookmarklet that highlights any tweetable sentences on a given page. You can grab it from SavePublishing.com or head over to GitHub if you’d like to see the source (Save Publishing is written in CoffeeScript).

The bookmarklet is the work of former Harper’s editor Paul Ford, perhaps better known as @ftrain. Ford says the project started as a joke, but “now it’s serious and I use it all day.”

I expected the novelty to wear off quickly after I used it a few times, but now it’s been a few days and I still find myself using it. Sometimes the faintly ridiculous manages to become useful. What would make Save Publishing more useful is a way to use it within Twitter clients like Tweetbot, but thus far that’s not possible.

‘Interactive Guide’ Teaches the Basics of Good Web Typography

Good web typography needn’t be difficult, but typography can be a complicated and sometimes intimidating subject for newcomers.

To help you understand typography a bit better — and create better-looking websites with your new understanding — developer Tommi Kaikkonen created his Interactive Guide to Blog Typography. The guide offers a nice hand-holding walk-through of the elements that make for good typography on the web, helping you not just make more readable sites, but understand why they’re more readable.

For most suggestions in Kaikkonen’s guide there’s an interactive button to toggle different line-heights, fonts and measures so you can see for yourself why those elements matter and how they contribute to making your site easier to read.

Among the suggestions in Kaikkonen’s guide are to set a readable measure (the number of characters on a line), frame content with white space (to put emphasis on the main part of the page), avoid pure black for text and, unless you really know what you’re doing, stick with just two different fonts.

There is one part of the guide we can’t totally endorse — the last suggestion, which is to use font-variant: small-caps; even if the font you’re using doesn’t actually have a small-caps variant. With some fonts — the traditional six fonts of web design, for example — you can get away with this, but if you’re using fancier fonts like those from Google Web Fonts or TypeKit this can make for some really awful results; proceed with caution on that one.

WordPress Brings Bitcoin to the Blogging Masses

WordPress earns a Bitcoin merit badge. Photo: Ben Ostrowsky/Flickr.

Upgrading your WordPress.com blog no longer requires a credit card or PayPal account. Starting today you can raid your virtual piggy bank to pay for WordPress upgrades with the digital currency Bitcoin.

The move makes WordPress one of the largest, most reputable online services to accept the fledgling Bitcoin currency.

Bitcoin is an online currency that allows buyers and sellers to exchange money anonymously. According to a post on the WordPress blog, the appeal of Bitcoin for WordPress is that, unlike credit cards and PayPal, “Bitcoin has no central authority and no way to lock entire countries out of the network … merchants who accept Bitcoin payments can do business with anyone.”

The anonymous aspect has made Bitcoin a target for law enforcement agencies, but for WordPress it means that users living in any of the over 60 countries currently blocked by PayPal (and many credit card companies) now have a way to pay for WordPress upgrades and services.

While setting up a basic blog on WordPress.com is free, there are paid upgrades available for custom themes, custom domains or to remove ads from your site.

Bitcoin is in your WordPress. Image: Screenshot/Webmonkey.

Automattic, WordPress’ parent company, accepts Bitcoin payments through Bitpay.com, which has now been integrated into the WordPress.com payment interface alongside the PayPal and traditional credit card options. WordPress is forgoing the Bitcoin “confirmations” process, which would help protect the company against fraud. Here’s an explanation from the FAQ:

We could wait for the first confirmation (typically 5-10 minutes) but we prefer to make the customer experience as smooth as possible. Making you wait for confirmations would virtually eliminate our risk but we’re confident that with digital products like ours the risk is already acceptably low.

Note that while WordPress is accepting Bitcoin payments, it may not work for everything just yet. The option to pay with Bitcoin appears to be limited to upgrade bundles at the moment. Purchasing custom themes or domains by themselves is not currently possible due to what WordPress calls “technical complications.”

WordPress adopting Bitcoin is good news for users in countries like Haiti, Ethiopia, or Kenya, which are often blocked by traditional payment systems. It’s also good news for Bitcoin supporters, who now have another very large, very legitimate company on their side.

What Kind of Blogging Do We Want?

Yesterday we got a look at a new software service called Branch, and a discussion between several people who used to work for Blogger, and Anil Dash (who, as far as I know, never did).

Daniel Bachhuber, a friend who works at WordPress, oohed and aahed. I asked him why he liked it so much and he said a couple of things.

The discussion was focused on this topic: How do blogs need to evolve?

I wasn’t asked to be part of the discussion, but since this is the open web, and they made their discussion public, I can say what I have to say. It’s up to them if they want to include it in their discussion.

I’ve even provided the “source code” for this post — just the text with a little bit of structure, and some attributes, with an open architecture for more attributes. So they can do more than link to it. They can “include” it.

The advantage of doing it this way is:

  1. I maintain the original.
  2. It can be included in as many places as it’s relevant.
  3. If I want to update it, I can, and it would update in all the places it is viewable.
  4. Because I can update it, that means relative writing will be kept to a minimum. People can say what they think without making an issue of who’s right and who’s wrong. Because they might not stay right or wrong for very long!

In the thread Evan Williams says that Twitter has a big advantage because it already has all the integration tools people want. It’s understandable he would think that, I suppose, having participated in creating Twitter, but I don’t agree. Here’s why.

  1. When I quoted Daniel in the second paragraph, you wouldn’t believe the dance I had to do to get a link to the tweet onto the clipboard so I could link to it from my post. Even though I’ve done it dozens of times, I still made three mistakes for every action that worked.
  2. Twitter has a 140-character limit, which means that for any kind of complex thought, beyond a grunt or snark (which is likely to be misunderstood because there wasn’t room to explain it) I’m going to have to include a link, which of course must be shortened.
  3. As they point out in the thread, Twitter is a company town. The archive belongs to them, to do with as they please. I have no say in the future uses of my own writing.
  4. Finally, the strongest point — even Twitter agrees it’s not self-contained, because they support oEmbed, which allows them to include content that’s hosted on other servers. However, they aren’t even open about being open. You can only participate if you’re a “partner.” I don’t know who pays who for this, or if anyone pays, but they admit that being open to content hosted elsewhere is necessary, but it isn’t available to the people. In other words, we’ve given up all the beauty of the internet, for what exactly? What did we get in return?

Anyway, even if I was invited to participate, all I would do is post a pointer to this blog post. Because here I own the editorial tools and can make them work any way I want to. There is no 140-character limit. There’s no problem getting a permalink. I own the archive. Sure if you want to participate it’s a bit of work, you have to set up a blog somewhere. That’s okay with me. For a little bit of work you get a whole lot of freedom. That’s a good deal.

This post first appeared on Scripting News.

Dave Winer, a former researcher at NYU and Harvard, pioneered the development of weblogs, syndication (RSS), podcasting, outlining, and web content management software. A former contributing editor at Wired magazine, Dave won the Wired Tech Renegade award in 2001.
Follow @davewiner on Twitter.