Category Archives: Website Administration
WordPress 2.2 Security Issue, patch it now
WordPress 2.2 has a security issue that requires immediate patching by anyone using this version. There is no official new download available from the wordpress.org site yet, but you can get information on how to fix the vulnerability on their support forum here: http://wordpress.org/support/topic/120857?replies=12.
It requires you to replace a file (xmlrpc.php) with a new version; details are in the thread linked to above. This vulnerability affects any WordPress 2.2 install that allows comments and allows users to register (which is probably a large number of websites). The vulnerability will allow a hacker to get your admin password, so this is bad.
Go check now and fix this if you are using this version!
Thanks Steve, More Work for Web Designers
If you have not heard, Apple has just released its Safari browser for Windows. Apparently Steve Jobs wanted in on the Firefox/Opera alternate action to Internet Explorer. So now he has gone and made all of our web designer jobs even more annoying, because now we need to be aware of how something will look on Safari for Windows as well as all of the other browsers. Yay! More compatibility issues to worry about. I feel so empowered.
Seriously though, this does cut to the heart of needing to know what your site looks like in all major web browsers and the need for cross platform testing. We just have even more choices now :)
So you want a Store…
Much like my previous post on setting up a forum site, I also think it’s best to separate a store function from the rest of your main site. The highest prize in hacking is really things like credit card records or other money-oriented information, so to reduce the chances of all of your stuff getting destroyed in one shot you want to keep things separated as much as possible.
There are many stand-alone store website packages out there. Quite a few are based on the granddaddy of open source commerce: OsCommerce. Zencart is an adaptation of OsCommerce meant to be a bit easier to set up than the original. It honestly used to be somewhat hard to find an open source shopping cart program, but with the explosion in open source development it’s now actually difficult to figure out the reverse: which of the millions are actually any good.
I actually like a surprising choice: X-cart, which is NOT open source. But it has almost every benefit. It’s very inexpensive ($200), they give you the source code, allow you to make mods, and provide support and free upgrades forever (and have actually been producing many). It also has one of the best things I’ve ever seen in ANY website development software: Webmaster Mode. This is an Ajax sort of thing that, once activated, lets the admin literally click any text element of the site, which opens an editor box and allows instant editing of the content. You can speed through setting up your site in record time.
Of course the absolute easiest choice is to set up a Paypal or Amazon store, but those make you look kinda crappy in the long run. Whatever your choice, remember you need to always be on the watch for security updates, and always upgrade if there is a security issue.
So You Want A Forum….
At some point down the line most webcomic websites realize it would be a good idea to set up a forum for their readers. It keeps them talking and interested in your stuff on days you don’t have a post going up, and allows your readers to connect to each other to form a stronger community. Plus it’s just fun to see what will be posted and what kind of feedback you will get.
I have seen many attempts to make a forum plugin for WordPress, but surprisingly I think it’s a bad idea.
Why? Because most hack attempts on sites originate from privilege escalation, where a regular user can somehow trick the site into thinking they’re an administrator. Most of the big content management systems that also work as forums (PHP-Nuke, Drupal, Joomla, Mambo) have had security issues related to this. I think it’s best to separate things like a forum, store, and other visitor login stuff from your main site to reduce the chances this can happen.
I like and use phpBB, but there are many others out there. The main differences come down to how they look, what features you can add (and how easy it is to do this), and how easy they are to administer. phpBB for me sort of hits the middle spot for all of these. Whatever you do though, keep up on any updates or security patches that come out and add them as soon as you can; no one wants to see porn spam as the main page of their site after getting hacked.
While I don’t really post much about phpBB here, I’ll definitely monitor it and post about updates and such to it also.
Critical WordPress Exploit in Version 2.1.3
A critical exploit has been discovered in WordPress 2.1.3 related to the way WordPress admin cookies are accessed. A malicious user could possibly steal your admin password cookie and gain admin rights to your website. This is only an issue if you are using the default WordPress prefix of wp_ or are using an easy-to-figure-out prefix. Unfortunately the only fix currently available is to upgrade to WordPress 2.2, which has its own set of major issues due to the widget changes and other new coding conventions introduced in that version.
I wish I could provide an easy fix, but there isn’t one. If you have a WordPress 2.1.3 site with a standard setting for the prefix (in the wp-config.php file) then you really should think about upgrading. Do research on the upgrade though; it’s not very straightforward.