I’m pretty sure most bloggers out there are already aware of the latest growing incidents of WordPress hacking. As always, the old versions are the ones affected and even if you thought you’re always updated, don’t forget the other less important blogs and the subdomains you’ve set up before but abandoned. They could the doorway to hacking your main blog.

WordPress has that built-in system to alert you if ever you’re not updated (WP 2.8.4 is the current/latest version) and there’s also that automatic upgrade feature that makes it easier to do so. Just go and hit the upgrade button and spare yourself a lot of headaches later on.

Follow YugaTech on Twitter: http://twitter.com/abeolandres

Related posts:

1. WordPress 2.7 out with new Admin UI A new version of WordPress is now out at 2.7....

Let me break down some of the advantages and dis-advantages of WP-SuperCache and DB-Cache so you can see which of the two plugins is better for your blog.

WP SuperCache

• Creates static version of each cached pages so it can easily eat up a lot of web space though that will depend how many pages your blog has (remember that tags, archives, and paged comments are also separate pages). I’ve seen WP-SuperCache easily eat up 300+MB of webspace for larger blogs.
• Very effective for blogs that experience high surge in traffic for a single page (like being Dugg, SlashDot or Stumbled Upon) as the target page is automatically cached for a given period of time. That page basically serves static HTML sparing all database queries (unless of course visitors on that page comment a lot).
• Additional features like Lock Down adds a layer of protection for high-trafficked pages that keeps on getting updated by visitor comments. This feature delays the display of new comments so it can just serve a single static page for that period.
• Has some page delivery problems when enabled with WP-Mobile. The mobile version of the blog homepage is sometimes cached and served as the static page.
• Leaves some stale pages. The cache does not refresh unless content on a page is edited. That leaves the Sidebar stale when new contents are added to it.

WP DB Cache

• Caches DB queries instead of entirely making the page static. Reduces the number of DB queries on all pages but not all.
• Does not save individual pages as static files so it doesn’t use a lot of web space for caching.
• Might not be able to handle a sudden surge of traffic on a single page (in case of Digg or Slashdot flood).
• Blog elements stay fresh (sidebar, widgets, etc.)
• Effective for blogs that have hundreds or thousands of actively viewed pages.

I think the main difference between WP SuperCache and WP DB Cache is that the latter’s caches are re-used on all pages of the blog while WP-SuperCache only serves cache on a per page basis.

Best caching benefit for WP DB Cache: 1,000 pages of a blog are visited just once but all at the same time.

Best caching benefit for WP SuperCache: 1,000 visitors view a single page of a blog all at the same time.

Depending on which of the two scenarios best fit your blog, you can choose between the two caching plugins.

Follow YugaTech on Twitter: http://twitter.com/abeolandres

No related posts.

If you are running the WP Auto-Upgrade, it should show on your admin panel. The new panel UI looks better and has the ability to move panels/sections around.

Again, please be reminded that several plugins/extensions might be affected by upgrading to this version so better check the compatibility list first before making the move.

More information about the recent update here.

Follow YugaTech on Twitter: http://twitter.com/abeolandres

Related posts:

1. Is your WordPress blog updated? Sometimes, it takes a huge/serious security alert like the one...

For this blog alone, Akismet had 936,274 spams caught with 31,680 legitimate comments. That’s and an overall accuracy rate of 99.862%. That’s a really good accuracy but even dealing with the remaining 0.138% of the spam has been already tedious. Had it not been with Akismet and other plugins like Spam Karma, blogs would suffer spam fatigue.

If you look at the rate of spam attack, they range from about 1,000 to 3,000 a day.

There’s also the problem with false-positives.

Spammers always find ways to go around and circumvent the system. And since Akismet is a centralized system, the worst they could do is attack the “central nervous system” itself and the whole thing breaks down (hack, DDOS attacks, etc). I’m fairly certain there have been numerous attempts at this in the past.

There must be some way to decentralize this to avoid that possible catastrophe or every WordPress blog would go down in flames when that happens.

Follow YugaTech on Twitter: http://twitter.com/abeolandres

No related posts.

It’s free and works with any version of iPhone or iPod Touch (as long as you have the version 2.0 of the iPhone software).

It’s not yet fully functional as one would expect when using WP. Items missing are adding links or remotely hosted images and using the usual paragraph formatting features. This App is more useful for editing entries rather than creating new ones.

Grab the App here {via}.

Follow YugaTech on Twitter: http://twitter.com/abeolandres

Related posts:

1. Why the iPhone Nano doesn’t make sense? For a couple of weeks, there’s been a growing number...
2. iPhone Elite: What the iPhone should have been? This is what the original iPhone should looked like if...

Follow YugaTech on Twitter: http://twitter.com/abeolandres

No related posts.

The TypePad Anti-Spam will have the ff. features:

* Plugins for Movable Type 3 & 4, WordPress 2.5. Yes, it works for WP too! There’s no usage fee for commercial use. Akismet charges $5 per month if your blog earns at least $500 a month.

* Open Source. You can download the source code and modify it to your liking to extend its features and functionalities. Akismet has an open API but is not open source so you don’t have access to its codebase.

* 100% Akismet API compatible. Works with Automattic’s Akismet too.

I’ve tried switching from Akismet to Defensio then back to Akismet, then now to TypePad Anti-Spam too see which of them will filter out the most number of comment spam on this blog.

We’ll see in a few weeks. Download the WordPress plugin here.

Follow YugaTech on Twitter: http://twitter.com/abeolandres

No related posts.

If you download the entire WordPress 2.5.1 release, you will be getting over 70 other fixes. This update focuses on fixing the most annoying bugs and improving performance. Here are some of the highlights:

• Performance improvements for the Dashboard, Write Post, and Edit Comments pages.
• Better performance for those who have many categories
• Media Uploader fixes
• An upgrade to TinyMCE 3.0.7
• Widget Administration fixes
• Various usability improvements
• Layout fixes for IE

http://www.yugatech.com/blog/wp-admin/post-new.php

Most importantly, a security fix is included in this update:

An attacker, who is able to register a specially crafted username on a Wordpress 2.5 installation, is able to generate authentication cookies for other chosen accounts.

This vulnerability exists because it is possible to modify authentication cookies without invalidating the cryptographic integrity protection.

If a Wordpress blog is configured to freely permit account creation, a remote attacker can gain Wordpress-administrator access and then elevate this to arbitrary code execution as the web server user.

If you’ve just updated to WP 2.5, you need to get the update to fix this risky security hole.

Follow YugaTech on Twitter: http://twitter.com/abeolandres

No related posts.

The attack is simple yet effective — flood wp-trackback.php with HTTP requests. It’s like a DDOS actually. There could be several ways to do this:

• Software-driven. I’ve seen some softwares that can do 1,000 HTTP simultaneous requests to a site or specific webpage.
• Code embed. Add the target page (in this case, wp-trackback.php) into a popular page or site which requests for it at every page load. Replicate that on many other high-traffic sites and viola, instant slashdot effect.
• Bots. Similar to a GoogleBot or Yahoo! Metacrawler but these type have malicious intent only goes after a specific page — wp-trackback.php.

It’s hard really. Took me about 6 hours monitoring one of our servers where a blog was attacked. The attack would seem like a Digg-effect or a slashdot effect. However, any anti-Digg solutions would not work — even WP-SuperCache could not fend it off. Then it struck me, maybe the page is not being cached.

A check with the analytics showed this:

WP-Shortstats was tracking it. Thousands of trackback requests for almost all pages in the blog in a matter of hours.

What made it worse is that the wp-shortstats plugin is also recording this — meaning for each page request, there’s a corresponding SQL query executed by Shortstats that’s aggravating the situation.

The result — slow, crawling blog; eventually, an overloaded or crashed server.

The solution? Deactivating trackbacks won’t help. You need to delete wp-trackback.php or CHMOD it to 000. If you can identify the IP, block them too.

Your blog won’t be able to send/receive legit trackbacks but it’s the only solution for now.

Follow YugaTech on Twitter: http://twitter.com/abeolandres

No related posts.

Follow YugaTech on Twitter: http://twitter.com/abeolandres

No related posts.

Two of the most important feature upgrades for me are Automated Plugin Updates via FTP and the introduction of an integrated Media Gallery.

Automated Plugin Updates allows you to view which installed plugins are obsolete and needs to be updated with newer versions. The system will give you the link to the plugin repository if you want to download it or you can automatically update the installed plugin from within WP Admin. All you need to do is supply the FTP access codes for your hosting account.

This is a landmark development, IMO, as it helps resolve the problem of unsecured and buggy plugins. See my previous entry on why “WordPress Plugins should be Regulated“.

The Media Gallery is another new feature that was lacking with WP before. Now, you don’t need a 3rd party plugin to manage your photos in your blog. There’s a screencast flash video demo on how to use this feature.

Here’s a gallery demo I’ve just uploaded. This was during our recent visit to Lago de Oro at Calatagan, Batangas.

Yes, the Lightbox plugin is still way cooler but this one’s much better in photo management.

Update: Problem though is that there’s a bug in the attachment permalinks so that browsing thru the gallery images results in a 404 error. This happens when you’re using ‘category’ in your permalink structure. The WP Bug Tracker has logged this and said to have been fixed. Not on this blog.

Follow YugaTech on Twitter: http://twitter.com/abeolandres

No related posts.

I have had some experiences with vBulletin forums getting concurrent connections in the vicinity of 500 but a WordPress blog clocking in 1,000 concurrent connections is something else. Btw, I’m talking about Rickey’s blog on Americal Idol.

The blog peaks at 1,161 concurrent users during peak hours.

Here are some stuff I’ve learned so far and I hope will be of good use to other bloggers who reaches this level of traffic:

• If you can afford it, get two separate dedicated servers to host Apache and mySQL. So we’ve got a Pentium 4 2.8GHz Dual Core with 3GB of RAM to run Apache and all static files and another Pentium 2.8GHz with 4GB of RAM to run mySQL. This set up seems better than my own Dual Xeon server with 4GB of RAM.
• Upgrade to PHP5 and mySQL5 if you haven’t done so. Both newer versions have general performance benefits over the older ones.
• Optimize server configurations. Most new owners of dedicated servers will have to face the challenge of having a good mix of settings in their php.ini, httpd.conf and my.cnf. Here is where you set connection limits, time outs, and memory caching/allocation. Making the most of your available server memory will determine whether your server will conk out or not when the moment strikes and the barrage of traffic comes in.
• PHP Opcode Caching. There are several free ones available such as eAccelerator, Alternative PHP Cache (APC), and the XCache. These are basically frameworks for caching and optimizing PHP intermediate code and really helps if you run a lot of WP plugins.
• For WordPress blogs, running WP Super Cache is highly recommended. You can also use PHP Speedy to compress and speed up page deliveries.
• Monitor. Tweak. Optimize. Wash, rinse and repeat. You won’t hit it the first time and it’s gonna be frustrating. Just watch out for the peak hours, log the volume of traffic, watch their behavior (commenters vs. viewers) and tweak again based on that volume.

As for the cost, it depends and will vary between a hundred dollars to a couple hundred. Server management is the most expensive IMO as they charge as much as $75 per hour just to take a look at your server.

And no, a 500GB + 5 terabyte $20/month shared hosting will not cut it. They’ll kick you out before your blog can even reach 1TB.

Follow YugaTech on Twitter: http://twitter.com/abeolandres

No related posts.

There’s the usual prevention methods most bloggers do — going partial feeds instead of full feeds. I’ve never really got worried with it even though I’m publishing full feeds. However lately, I’ve noticed that the scraper sites (splogs) sometimes even ranked higher than mine which has caused alarm.

Search engines promises publishers their system can intelligently identify the original from the dupes but I don’t think their success success rate is any good either. So, I thought getting a back link from the splogs will solve that dupe issue.

Lately, I’m using the Feed Footer plugin which adds custom footers (copyright, notices, advertisements) to the bottom of blog posts in the RSS feed. I’m sure most of you have seen them already.

However, if that’s not enough, you can try the AntiLeech plugin:

AntiLeech produces a fake set of content especially for them that includes links back to your site and sends it only to them. When they steal this content, it appears online just like normal, except now you’ve turned the tables on them and have provided them with useless content.

AntiLeech can detect a splogger bot using its User-Agent string (an identifier that some bots send when they are collecting data), or by IP address. You can enter a User-Agent or an IP address into the Options panel of your WordPress blog. When a visitor with a qualifying (any checked option on the options page) User-Agent or IP address visits your site, they will see only the generated content. They will see it in your page layout and in your feeds. Anywhere you’re normally outputting content, that’s where the fake content will appear to them.

Regular users whose browsers do not match these strings will see your normal content. RSS aggregators should be able to display your content normally, too.

You can download the plugin here. AntiLeech does not really prevent the splogger bots or the splogger themselves from accessing your site, they can still manually do a copy and paste. Still, you have one less to worry about.

Follow YugaTech on Twitter: http://twitter.com/abeolandres

No related posts.

I’ve already installed a WP plugin called Antispam Collateral Condolences which notifies people when their comments have been caught as spam. At least they can email me and I could act on it right away before it gets buried and completely forgotten or overlooked.

People have been asking why their comments were falsely identified by the system as spam. Since Akismet is not open-source and owned by Automattic, the algo and codes have not been seen by the public. We know the general idea but specific triggers are unknown.

I have some ideas though and some are based on other anti-spam system.

• Too many links in the comments post. Anything more than 2 links are likely spammers.
• Fast, successive comments. If you leave too many comments too fast. There’ usually a time gap (my hunch is 30 to 90 seconds) in between comments to identify if the commenter is a bot or a human.
• Very long URLs in the URI field.
• Use of blacklisted words.
• Domain on email used
• Use of dynamic IPs. When someone else who used to have that IP was flagged as spammer.
• Use of static IP. When you’re using a public terminal like an internet cafe and their IP has been previously flagged as spam source.
• Too many pings too often. Linking out to another blog/entry too often or in frequent succession (more than 2 trackbacks to the same blog).
• Very long comments.
• Browser settings (when you disable cookies and javascripts).

Half of the items in bullet points above will not really trigger a spam flag though a combination of them will raise the probability. The biggest advantage with Akismet’s centralized service is also becoming its biggest disadvantage. This is because once any of your comments get flagged as spam on any WordPress blog, you get the same treatment everywhere. It’s even worse now since Akismet is also being used with MT, Drupal, b2evolution and a slew of other CMS and forum softwares.

What do you do then?

Diagnose the extent of the damage:

• Are your comments being flagged as spam on just a single blog, a couple or all WP blogs (including yours)?
• Are you on a static or dynamic IP?
• Did you try using different browsers?
• Were you logged in as a Subscriber of the blog or just a visitor when you commented?
• Have you tried using a different nick, email address and URL when commenting?

Try out some solutions:

• Contact all the bloggers where you left a comment and was flagged as spam. make sure they un-flag it. I think Akismet’s algo is self-correcting — meaning the more people flagging you as non-spam, the more chances you get out of that sink hole.
• Try a different PC, a different browser, use a different name, email or domain when leaving a comment. Also clear the cache of the browser and the PC just to make sure.
• Contact Automattic and tell them about your problem.

If all else fails, blog about it and ping Matt (cool new domain, btw).

No related posts.

Hundreds of plugins, dozens of WP versions and varying webhost/server environment can give you thousands of possible ways to screw up your blog and your web host. Add to the fact that these WP plugins are always in development with newer bug fixes or compatibilities being released constantly, one can only imagine how much of a headache this is.

Here are a few of the weird things and problems I’ve encountered:

• Poor coding and half-baked plugins can strain the server especially if it makes multiple instances of mySQL requests for every page load.
• Plugins requiring you to make files/folders writable — prone to hacks!
• Plugins that modify or extend default WP tables — you’re likely to screw a new WP upgrade that modifies these tables.
• Plugins that eat a ton of database space — I’ve seen the WP-Shortstats plugin raking in 500MB of DB space.
• Plugins that are not compatible or doesn’t work well with other plugins.
• Plugins will similar names but are actually developed by different developers.
• Plugins that have not been updated for a long time and no longer worked well with newer versions of WP.
• Plugins that are created by malicious people trying to get backdoor access to your account/blog.
• The installed plugins just grows and grows in the blog that running all of them could be like running a 100 plugin-free blogs.

Just look at the official WP forums and all you’ll read about are problems related to plugins. It’s nice though that the recent version of WP has that nice “plugin update alert” for latest versions.

Because installing a plugin on a WordPress blog is so easy that everybody who knows FTP can just install anything they liked. However, that also opens it to a lot of wide-open doors to tragedy.

First, most bloggers don’t really know the inner workings of WP, much more PHP or mySQL. They’re not familiar with phpMyAdmin which comes with their control panel. Half the time, problems are caused by bloated DB tables.

Second, there’s an activate/de-active option inside WP Admin but the deactivate option does not actually un-install the plugin. Deactivating a plugin does not really excuse it from being the culprit. Plugins should have un-install options. Some are really hard to un-install manually, like that WP Cache and its variance.

Lastly, there’s no quality control. If Matt was kind enough to weed out sponsored themes from their Themes DB, I guess he can do the same with plugins.

What I meant by regulating the plugins is adding a stamp of approval for “quality-coded* plugins. At least, bloggers will know what they’re getting into when they install their next plugin.

P.S. You can Digg this post to get more attention from the WP development community and Automattic.

No related posts.

Huge, huge props to Matt/Automattic and great news to all WordPress.com users. Obviously, they’re going the GMail way.

Matt adds that doing a 1GB upgrade on competing service TypePad would set you back about $300 a year.

Over the past year we’ve developed our file infrastructure, replication, backup, caching, and S3-backed storage to the point where we don’t feel like we need to artificially limit what you folks are able to upload just to keep up with growth. We’re ready for you.

What about the space upgrades? They’re still important. You still need a space upgrade to upload certain file types, like movies, and we’re also increasing the limits of the paid upgrades, so if you bought a 1GB upgrade before it now adds 5GB for no additional charge.

This upgrade is only limited to image and doc uploads only. If you want your audios and movies hosted by WordPress.com, you’ll need to buy credits from them for that. Others might take advantage of this if they have their own hosted blogs — they’ll just host their pictures/images on WordPress.com and hotlink them.

This development wouldn’t be fiscally possible if not for the Amazon S3 service, which means TypePad can also do the same thing later. What’s the Blogger limit on file uploads again? Was it 300MB? Still, IMO, it’s good way to start the competition going.

No related posts.

No related posts.

So, can we assume that this switch was made because Google BlogSearch has become technically superior over Technorati? Hmm, let’s see:

• Technorati is slower in crawling blogs and is now only limited to the last 6 months. Technorati confirms the recent deletion of all archived index older than six months and reasoned that they are in the midst of some economization, performance fixes and retooling that have required taking some data offline.
• The blog search engine is still suffering from search overload once in a while. Having millions of WordPress Dashboards pull data from Technorati on a constant basis may have contributed to that so they thought it’s better to link to somewhere else.
• Technorati has had some significant shakeups lately which includes several layoffs and the resignation of CEO David Sifry. WordPress must have thought of bailing out way before things get any uglier.

On the other hand, Google BlogSearch ain’t any better as well according to bloggers wanting to switch back to Technorati:

• And others thought Technorati was slow in indexing blogs? Google BlogSearch seemed even slower. Just did a comparison as of this writing and recent index from Google BlogSearch is 16 hours ago while Technorati came by only 42 minutes ago (and previous to that, 2 hours, 6 hours and 8 hours ago). Does that mean Google BlogSearch only indexes a blog once a day?
• Google BlogSearch shows a whole lot of spam. Tons of them. I don’t want to see them scraper sites leeching off my content. IMO, Technorati is more experienced in filtering out spam blogs and scraper sites.
• I see my blog listed as blogs linking back to me. Google BlogSearch considers your own blog linking back to you whenever you link to another post in your blog. Those are link counts I don’t want to see. This sometimes happens with Technorati but generally, it’s not part of their search algorithm.

And we haven’t touched the fact that a lot of people love the Technorati Rank and it’s been used by tons of sites to rate blogs. Same goes with the valuation of ad rates and blog sales. Besides, I didn’t hear any petition from the WordPress community to make the switch. Now, people have been developing hacks and plugins just to get back that Technorati Inlinks in their WP Dashboard again.

So why the move? Here’s my rather odd take — WordPress may be sweetening itself for some possible ad deal with Google. Clearly, having that incoming links in the Dashboard is a free traffic magnet. That could get people to actually switch blog search engines as well in the long run. We all know where Mozilla got its $66.8 million revenues in 2006 – Firefox search toolbar driving traffic to Google search. WordPress might be preparing for a similar arrangement in the future. But wait, there aren’t any ads on Google BlogSearch. Well, it’s just a matter of time.

What else could WordPress get in return? It’s a strategic business realignment. Having good relationship with Google could bring you tons of other business opportunities. One huge possibility is the adoption of Akismet into Blogger. And yes, Automattic is selling a $5/month Pro-blogger API Key and a $50/month Enterprise API Key.

These are just speculations but in the absence of an official statement regarding the switch, I am inclined to look for the motivation behind it — and one strong motivation that’s always at the top of any business is the revenue.

No related posts.