All posts tagged ‘WordPress’

File Under: Blog Publishing, Web Apps

Massive WordPress Attack Targets Weak Admin Passwords

Image: CloudFlare

If you’re using the popular open source blogging tool WordPress to power your website, you may be vulnerable to a new web-based attack.

If your WordPress admin pages suddenly become sluggish, unreachable or you’re unable to log in there’s a good chance your site is being attacked.

According to CloudFlare CEO Matthew Prince, the attack is using brute force against WordPress’ admin pages using the old default username “admin” and then trying thousands of passwords. There’s nothing new about that approach, but what makes this attack different, and particularly potent, is that the attackers have some 90,000 unique IP addresses at their disposal.

For its part CloudFlare has pushed out an update that “detects the signature of the attack and stops it.”

Popular WordPress Host HostGator reports that it too has “seen over 90,000 IP addresses involved in this attack.”

WordPress creator Matt Mullenweg has also weighed in, pointing out that it’s been over three years since WordPress used the username “admin” as the default for new installations.

However, there are no doubt a great many sites that still have — whether they use it or not — the “admin” user account hanging around in WordPress. It’s also worth noting that, while this attack appears limited to trying the “admin” username, a more sophisticated approach could do the same thing, but with unique usernames — for example, find the most frequently used account name on the public site, assume it’s an admin account and run the same attack against the admin pages. So far that hasn’t happened.

“Here’s what I would recommend,” writes Mullenweg on his blog, “if you still use ‘admin’ as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up to date on the latest version of WordPress.”

Unfortunately, given the number of IP addresses that seem to be at the attackers’ disposal, other common security measures — like tools that limit logins by IP address — aren’t going to be terribly effective against this attack. Short of getting rid of the default “admin” account (if it still exists), there isn’t a whole lot you can do to stop the attacks (unless you want to use a web application firewall like CloudFlare or ModSecurity). Be sure to contact your hosting company if you think your site has come under attack.
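The point above about IP-based login limiting is easy to see in server logs: when 90,000 addresses each try a handful of passwords, no single IP ever crosses a per-IP threshold, while the aggregate volume of login attempts is unmistakable. The script below is an added example, not code from the article, CloudFlare or WordPress; it assumes an Apache/nginx "combined" access-log format and runs over constructed sample lines. The thresholds (10 attempts per IP, 50 in aggregate, per 5-minute window) are arbitrary starting values, and the status-code heuristic assumes a stock install, where a failed wp-login.php POST re-renders the form with HTTP 200 and a successful one redirects with 302.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }


def login_attempts(lines):
    """Yield records that look like failed wp-login.php POSTs.

    Assumption (stock WordPress): a bad password re-renders the login form
    with HTTP 200, a good one answers 302, so 200 on POST marks a failure.
    """
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"] == "/wp-login.php" and rec["status"] == 200):
            yield rec


def analyze(lines, window=timedelta(minutes=5),
            per_ip_threshold=10, aggregate_threshold=50):
    """Contrast per-IP counting (what an IP-based limiter sees) with
    aggregate counting over the same window; returns the busiest window."""
    per_window_ip = defaultdict(Counter)
    for rec in login_attempts(lines):
        bucket = rec["ts"].timestamp() // window.total_seconds()
        per_window_ip[bucket][rec["ip"]] += 1
    if not per_window_ip:
        return {"total": 0, "distinct_ips": 0, "max_per_ip": 0,
                "per_ip_alert": False, "aggregate_alert": False}
    _, counts = max(per_window_ip.items(), key=lambda kv: sum(kv[1].values()))
    total = sum(counts.values())
    max_per_ip = max(counts.values())
    return {
        "total": total,
        "distinct_ips": len(counts),
        "max_per_ip": max_per_ip,
        "per_ip_alert": max_per_ip >= per_ip_threshold,   # what an IP limiter would fire on
        "aggregate_alert": total >= aggregate_threshold,  # what a site-wide counter sees
    }


def sample_log():
    """Constructed sample: 60 distinct source IPs (documentation range
    203.0.113.0/24), one failed POST each within a single 5-minute span,
    plus ordinary traffic from one real visitor that must not be counted."""
    base = datetime(2013, 4, 12, 14, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(60):
        ts = (base + timedelta(seconds=4 * i)).strftime(fmt)
        lines.append(f'203.0.113.{i + 1} - - [{ts}] "POST /wp-login.php HTTP/1.1" '
                     f'200 3412 "-" "Mozilla/5.0"')
    ts = (base + timedelta(seconds=30)).strftime(fmt)
    lines.append(f'198.51.100.7 - - [{ts}] "GET / HTTP/1.1" 200 8810 "-" "Mozilla/5.0"')
    lines.append(f'198.51.100.7 - - [{ts}] "GET /wp-login.php HTTP/1.1" 200 2600 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    # On the sample: max_per_ip stays at 1, so the per-IP rule never fires,
    # while the aggregate rule does.
    print(analyze(sample_log()))
```

Run it against real logs by feeding `analyze()` an open file object instead of `sample_log()`. The useful signal for the attack described here is the aggregate count and the number of distinct IPs, which is why a web application firewall watching site-wide login volume catches it when per-IP limiting does not.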

WordPress Brings Bitcoin to the Blogging Masses

WordPress earns a Bitcoin merit badge. Photo: Ben Ostrowsky/Flickr.

Upgrading your WordPress.com blog no longer requires a credit card or PayPal account. Starting today you can raid your virtual piggy bank to pay for WordPress upgrades with the digital currency Bitcoin.

The move makes WordPress one of the largest, most reputable online services to accept the fledgling Bitcoin currency.

Bitcoin is an online currency that allows buyers and sellers to exchange money anonymously. According to a post on the WordPress blog, the appeal of Bitcoin for WordPress is that, unlike credit cards and PayPal, “Bitcoin has no central authority and no way to lock entire countries out of the network … merchants who accept Bitcoin payments can do business with anyone.”

The anonymous aspect has made Bitcoin a target for law enforcement agencies, but for WordPress it means that users living in any of the over 60 countries currently blocked by PayPal (and many credit card companies) now have a way to pay for WordPress upgrades and services.

While setting up a basic blog on WordPress.com is free, there are paid upgrades available for custom themes, custom domains or to remove ads from your site.

Bitcoin is in your WordPress. Image: Screenshot/Webmonkey.

Automattic, WordPress’ parent company, accepts Bitcoin payments through Bitpay.com, which has now been integrated into the WordPress.com payment interface alongside the PayPal and traditional credit card options. WordPress is foregoing the Bitcoin “confirmations” process, which would help protect the company against fraud. Here’s an explanation from the FAQ:

We could wait for the first confirmation (typically 5-10 minutes) but we prefer to make the customer experience as smooth as possible. Making you wait for confirmations would virtually eliminate our risk but we’re confident that with digital products like ours the risk is already acceptably low.

Note that while WordPress is accepting Bitcoin payments, it may not work for everything just yet. The option to pay with Bitcoin appears to be limited to upgrade bundles at the moment. Purchasing custom themes or domains by themselves is not currently possible due to what WordPress calls “technical complications.”

WordPress adopting Bitcoin is good news for users in countries like Haiti, Ethiopia, or Kenya, which are often blocked by traditional payment systems. It’s also good news for Bitcoin supporters who now have another very large, very legitimate company on their side.

WordPress Embraces Responsive Design With New ‘Twenty Twelve’ Theme

Meet Twenty Twelve, the latest default WordPress theme. Image: Screenshot/Webmonkey.

The default WordPress theme is quite possibly the most widely used design on the web; the minute you sign up for or install WordPress you have a website that uses the default theme. Every year WordPress unveils a new look that will grace every “just another WordPress site.”

This year’s theme, Twenty Twelve, is the first to embrace responsive design, adapting its layout to fit any screen. The WordPress admin pages are already responsive, and the last few default WordPress themes have accommodated small screens, even using some responsive design tools like CSS @media, but this is the first default theme to fully embrace responsive design and fluidly adapt to any screen.

Twenty Twelve marks something of a departure for the default theme. Gone are the banners and featured images atop posts. Instead Twenty Twelve sticks with a largely black-and-white look that puts the emphasis on typography and a new typeface, Open Sans.

If you’d like to use Twenty Twelve on your WordPress.com site, just head to the dashboard and select Themes (under Appearance). If you’re hosting your own WordPress install, you’ll soon have access via the Extend theme directory. And of course the new theme will be bundled with WordPress 3.5, due later this year.

This year’s theme was designed by former NFL player Drew Strojny, though as with all things WordPress there was plenty of help from the WordPress community. The WordPress blog has more details about Twenty Twelve and there’s a live demo you can check out as well.

File Under: Blog Publishing

New WordPress 3.3: Less Flash, More Responsive Design

WordPress has released version 3.3. Dubbed “Sonny” after jazz saxophonist Sonny Stitt, WordPress 3.3 packs in a number of worthwhile upgrades, including a new responsive design that adapts the WordPress admin to smaller screens.

To get the latest version head over to the WordPress downloads page. If you’re already using WordPress you can update from the WordPress dashboard (naturally we suggest backing up your files and database before you upgrade).

Among the changes that make WordPress 3.3 well worth the upgrade is the new responsive admin design. While there are mobile apps for managing your WordPress site on the go, the actual web admin has never adapted to small screens. That changes with WordPress 3.3 and its new responsive admin page, which reflows content to fit the screen you’re using.

Responsive design — that is, using liquid layouts and scaling media to fit any screen size — is moving into the mainstream in a hurry. The past year has seen several high-profile websites relaunched with responsive designs, but WordPress 3.3 is likely the most widely used site yet to embrace responsive design.

Other changes in WordPress 3.3 include a slicker sidebar with “flyout” submenus that put everything in the admin site just a single click away. There’s also a new drag-and-drop uploader, which means you can drag and drop images from your desktop right into the media upload box in the admin (provided you’re using a browser that supports HTML5’s drag-and-drop API). Behind the scenes WordPress is using Plupload to handle the drag-and-drop features. In browsers that support it, Plupload will use HTML5; for older browsers it falls back to Flash.

Anyone working on a site with numerous writers and editors will be happy to know that this release features much improved co-editing support. If you’ve ever seen messages like “Warning: [username] is currently editing this post,” you’ll be happy to know that it will now only appear when someone is actively editing a post. Previously the message would often appear even if your co-writer simply left the window or tab open in their browser.

For a complete list of changes and new features in WordPress 3.3, see the release notes.

File Under: Blog Publishing

WordPress 3.2: Write More, IE Less

WordPress has released an upgrade for the popular, self-hosted blogging platform. Unlike the last few WordPress upgrades, which focused on improving developer tools, WordPress 3.2 is primarily about changes ordinary users will appreciate. The revamped admin section, for instance, offers a new “distraction-free,” full screen editor, and, as we noted earlier, this version finally drops support for Internet Explorer 6.

If you’d like to upgrade, head over to the WordPress site and download a copy of WordPress 3.2.

The theme for WordPress’ latest incarnation is “faster and lighter.” That’s reflected in new tools like the simplified admin interface, which offers a fullscreen editor mode. The fullscreen mode is modeled on the interface found in writing apps like WriteRoom or OmmWriter, where the focus is primarily the text, and not the bells and whistles on the main new post page.

Another aspect of the faster and lighter motto for WordPress 3.2 is eliminating cruft, which in this release means dropping support for IE 6. That won’t of course affect your site’s visitors (unless your theme has dropped IE 6), but it does mean that the WordPress 3.2 admin won’t work in IE 6, something to keep in mind if you’re upgrading a site that has numerous admin users.

For now WordPress hasn’t dropped support for IE 7, though an early outline of what to expect in WordPress 3.2 did say that this release will also start the end-of-life cycle for Internet Explorer 7.

For a full list of the new features found in WordPress 3.2, head over to the release notes page.
