Enabling WordPress Automatic Background Updates after using Version Control (svn)

Today I decided to enable automatic background updates on my WordPress blog. Previously I had been using SVN to keep WordPress up to date, but this was a manual process and meant that I could sometimes be a few weeks behind when a security update was released.

Since version 3.7, WordPress has been able to keep itself up to date whenever a new version is released. By default, it only applies minor security releases which theoretically shouldn’t break your blog.

So if, like me, you have previously checked out your WordPress via version control, and you wish to enable auto updates, you will need to follow these steps.

WARNING – THIS WILL REMOVE ALL TRACE OF SVN FROM YOUR WORDPRESS INSTALL, AND WILL MAKE YOUR SCRIPTS WRITEABLE BY THE WEB USER. DO THIS AT YOUR OWN RISK.

First make a backup of your WordPress, in case this goes wrong!

cp -Rp /path/to/wordpress /path/to/wordpressBACKUP

Next, remove the .svn folders:

find /path/to/wordpress -type d -name .svn | xargs rm -rf

Then set the permissions so that the files and folders are writeable by the apache user. BE VERY CAREFUL:

chown -R apache /path/to/wordpress

Now go to your WordPress admin and install the WordPress Background Update Tester plugin. If all has gone well, all of its tests should pass and give you output like the following:

  • PASS: Your WordPress install can communicate with WordPress.org securely.
  • PASS: No version control systems were detected.
  • PASS: Your installation of WordPress doesn’t require FTP credentials to perform updates.
  • PASS: All of your WordPress files are writable.
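Before doing this on a live site it is worth running the same two checks the tester plugin reports on from the shell. The script below is an added example, not part of the original post or of the plugin; it assumes only a POSIX shell and builds a constructed demo tree at the end.

```shell
# Added example (not from the post): reproduce the two checks the Background Update
# Tester reports on. WordPress refuses to auto-update a checkout it detects as
# version-controlled, and it looks for the marker in the install directory AND every
# parent, so a stray .svn or .git higher up the tree also blocks updates.

# Print the first VCS marker found in DIR or any parent directory; return 1 if none.
find_vcs_marker() {
    dir=$(cd "$1" 2>/dev/null && pwd) || return 2
    while :; do
        for marker in .svn .git .hg .bzr; do
            if [ -e "$dir/$marker" ]; then
                echo "$dir/$marker"
                return 0
            fi
        done
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# Count files and directories under DIR that the current user cannot write to.
# Run it as the web server user (e.g. apache) for a meaningful answer.
count_unwritable() {
    find "$1" -exec sh -c '[ -w "$1" ] || echo "$1"' _ {} \; | wc -l | tr -d ' '
}

# Print PASS/FAIL lines in the tester plugin's style; return non-zero on any failure.
update_preflight() {
    [ -d "$1" ] || { echo "FAIL: $1 is not a directory"; return 2; }
    status=0
    if marker=$(find_vcs_marker "$1"); then
        echo "FAIL: version control detected at $marker"; status=1
    else
        echo "PASS: No version control systems were detected."
    fi
    n=$(count_unwritable "$1")
    if [ "$n" -eq 0 ]; then
        echo "PASS: All of your WordPress files are writable."
    else
        echo "FAIL: $n files are not writable by $(id -un)"; status=1
    fi
    return $status
}

# Demo on a constructed tree: a leftover .svn folder fails, removing it passes.
demo=$(mktemp -d)
mkdir -p "$demo/wordpress/wp-content" "$demo/wordpress/.svn"
update_preflight "$demo/wordpress" || echo "(expected: .svn still present)"
rm -rf "$demo/wordpress/.svn"
update_preflight "$demo/wordpress"
rm -rf "$demo"
```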

Has your WordPress been hacked?

There have been a number of vulnerabilities discovered in WordPress since it started, including one earlier this month. They all have pretty much the same objective: to try to get access to your blog in order to post links to their own sites.

In this post I am going to look at ways you can tell if your blog has been hacked, suggest some ways to fix it, and then discuss techniques to prevent being hacked again.

Before we start, the most important thing you can do to prevent being hacked in the future is to regularly update your blog software. The easiest way is to use subversion. I’ve written how to upgrade your blog with subversion in an earlier post.

Symptoms

So firstly, you’ll probably want to find out if your blog has been compromised. There are a few things to look out for:

Unauthorised Admin Users

Disable JavaScript in your web browser, then navigate to the Users page in the WordPress admin panel. If you see some additional administrator users there that you didn’t expect, you have probably been hacked. They sometimes use an e-mail address like [email protected]

Strange Files in the Uploads Folder

Strange files may also appear in your WordPress uploads folder, including ones that have hidden PHP code inside them (try grepping for “events or a cale” or php).

grep -R -l "php" wp-content/uploads/

The files might have random names like:

faceboutique-spot-less-150×150.bak.php
mandseyeshadowpalette.bak
cliniqueblusher_old.jpeg
.wp-cache.cache.php

The uploads folder is writeable by apache, so hackers use this area to save malicious code to your server. They may then include such code as a plugin.
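The checks above (PHP extensions, hidden files, backup-style names, and PHP open tags hidden inside images) can be folded into one scanner. The script below is an added example, not code from the original post; the sample files it creates are constructed and use names like those listed above.

```shell
# Added example (not from the post): scan a wp-content/uploads folder for the kinds of
# files described above. Media folders should hold images, not code, so anything PHP
# would execute, hidden files, backup-style names, and "images" carrying a PHP open
# tag are all reported. The sample files created at the end are constructed.

# Print "reason<TAB>path" for each suspicious file under DIR.
scan_uploads() {
    find "$1" -type f | while IFS= read -r f; do
        case "$(basename "$f")" in
            .*) printf 'hidden-file\t%s\n' "$f"; continue ;;
        esac
        case "$f" in
            *.php|*.php[0-9]|*.phtml|*.phar)
                printf 'php-extension\t%s\n' "$f"; continue ;;
            *.bak|*_old.*)
                printf 'backup-name\t%s\n' "$f"; continue ;;
        esac
        # A real image never carries a PHP open tag; -a makes grep treat binaries as text
        if grep -qaE '<\?(php|=)' "$f" 2>/dev/null; then
            printf 'php-tag-in-content\t%s\n' "$f"
        fi
    done
}

# Number of suspicious files under DIR (what you want to be zero).
count_suspects() {
    scan_uploads "$1" | wc -l | tr -d ' '
}

# Demo on a constructed uploads folder using names like those listed above.
demo=$(mktemp -d)
mkdir -p "$demo/uploads/2014/01"
printf '\377\330\377\340JFIF clean image bytes' > "$demo/uploads/2014/01/holiday.jpg"
printf '<?php /* hidden code */ ?>' > "$demo/uploads/2014/01/faceboutique-spot-less-150x150.bak.php"
printf 'not an image' > "$demo/uploads/2014/01/cliniqueblusher_old.jpeg"
printf '\377\330\377\340JFIF <?php /* hidden code */ ?>' > "$demo/uploads/2014/01/banner.jpeg"
printf 'cached' > "$demo/uploads/.wp-cache.cache.php"
scan_uploads "$demo/uploads"
echo "suspects: $(count_suspects "$demo/uploads")"
rm -rf "$demo"
```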

Strange Records in the Database

Check for suspicious data in wp_options by running the following queries:

SELECT *
FROM  `wp_options`
WHERE  `option_name` LIKE 'active_plugins';

Hackers use the plugin system to include their rogue scripts. You may see some strange files being listed as a plugin. You can delete this row and manually re-activate any plugins via the admin.

SELECT *
FROM  `wp_options`
WHERE  `option_name` LIKE  'permalink_structure';

This will show you the permalink structure – the most recent vulnerability modified this, so look out for anything abnormal.

SELECT *
FROM  `wp_options`
WHERE  `option_name` LIKE  '_transient_rewrite_rules';

You can delete this row if it exists (it should be rebuilt dynamically)…. it may contain cached

SELECT *
FROM wp_posts
WHERE post_content LIKE  '%iframe%' OR post_content LIKE  '%noscript%' OR post_content LIKE  '%display:%';

This will look for posts that contain iframes, or hidden links.

Fixing a hacked WordPress Installation

The cleanest way is to re-install WordPress, re-import your posts and comments via the import tool and then to copy in any files that you know are safe…

  • Back up your database and site code.
  • Export your posts, comments, tags and categories in a WordPress WXR File (Tools – Export).
  • Set up a new mysql database, username and password. Ensure the user only has access to the WordPress db.
  • Install a fresh copy of the latest version of WordPress (with the correct permissions), and configure it to point at the new db.
  • Delete any files that include PHP from the uploads folder.
  • Import your posts, comments etc. from the WordPress WXR XML file. There is an option to get WordPress to fetch image uploads, but I haven’t had that much luck with this. To get it to work, you will need to install your new blog in a parallel location so that it can access the old blog. When I tried, it seemed to grab the files but not update the location URLs in posts, thus requiring a script to update the URLs in the db. Instead, you might find it easier to just copy your uploads folder across – but they won’t then show in the media gallery. Neither route seems ideal!
  • Re-install your themes and plugins.
  • Move the old blog to a location outside your web root as a backup, or delete it altogether.
  • Set up new WordPress users with secure passwords.

It’s not a fun job!

Securing WordPress

  • Ensure you have the right permissions set on your WordPress scripts. Only the uploads folder should be writeable by the web server.
  • Use a separate database, db username and db password for WordPress.
  • Add an additional layer of authentication above the WordPress admin area, e.g. HTTP authentication in Apache. NB: When I did this, it seemed to stop uploads from working with the Flash uploader (it gave an HTTP ERROR), so I had to resort to using the basic browser uploader.
  • Some people also recommend removing the default “admin” user and setting up an administrator with a new name, to make it harder to brute-force your passwords.
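An added example (not from the original post) that audits and applies the permission rule above, assuming the code is owned by a deploy account, the web server runs under its own group, and only wp-content/uploads should be writable by it. It inspects mode bits rather than ownership so it runs as any user; the demo tree is constructed.

```shell
# Added example (not from the post): audit and apply the permission model above,
# assuming the code is owned by a deploy account and the web server only needs to
# write inside wp-content/uploads. It checks mode bits (group/world-writable)
# rather than ownership, so it runs as any user; the demo tree is constructed.

# Print files and directories under DIR that are group- or world-writable and lie
# outside wp-content/uploads: the ones a compromised web process could rewrite.
audit_writable() {
    root=$(cd "$1" && pwd) || return 2
    find "$root" -path "$root/wp-content/uploads" -prune -o \
         \( -perm -020 -o -perm -002 \) -print | sort
}

count_writable() {
    audit_writable "$1" | wc -l | tr -d ' '
}

# Apply the model: directories 755, files 644, only uploads group-writable. Pass the
# web server's group (e.g. apache) as the second argument when running as root.
harden_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -d "$1/wp-content/uploads" ]; then
        chmod -R g+w "$1/wp-content/uploads"
        [ -n "$2" ] && chgrp -R "$2" "$1/wp-content/uploads"
    fi
    return 0
}

# Demo: a world-writable core file is reported, then fixed; uploads stay writable.
demo=$(mktemp -d)
mkdir -p "$demo/wp/wp-includes" "$demo/wp/wp-content/uploads"
printf '<?php' > "$demo/wp/wp-includes/load.php"
chmod 666 "$demo/wp/wp-includes/load.php"
printf 'x' > "$demo/wp/wp-content/uploads/photo.jpg"
echo "before:"; audit_writable "$demo/wp"
harden_tree "$demo/wp"
echo "after: $(count_writable "$demo/wp") writable outside uploads"
rm -rf "$demo"
```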

Further Information

Here are some of the pages I read while researching this article…

A WordPress YouTube Plugin – The FuTube Player

Recently we were looking for a Flash video player to use on our websites. YouTube’s default player was a little bloated, so one of our developers at Fubra built an alternative YouTube FLV player, which looks a bit like this:

[futube video="gE1KGHUb9zw" author="by Fubra Limited" color="#336699" hd="true" height="300" title="FuTube Player" width="400"]

We’ve also released this as a WordPress plugin. You can install it via Subversion if you prefer, using the instructions below.

Installing the WordPress Plugin via Subversion

From the command line, navigate to your WordPress plugins folder and then edit the svn externals for the folder.

cd wp-content/plugins/
svn propedit svn:externals .

This should open the file in your favourite text editor (I use vim). You should add a line like:

futube http://svn.wp-plugins.org/futube-video-player/trunk/

Save and exit, then run:

svn update

Mollom beats Akismet at blocking spam

I’ve been using the WordPress Mollom plugin for about 6 months now, and I have to say that I’m very impressed. In that time, I can count on one hand the number of spams that have slipped through the net. When I was using Akismet, spam comments were getting through daily.

Here are the stats that Mollom produced for my blog:

[Image: Mollom statistics for this blog]

Which anti-spam plug-ins do you use on your blog, and how successful are they? Let us know by posting a comment!

Granting site administrator permissions with WPMU

It took us a while to work out how you grant additional users the Site Administrator permission in WordPress MU. We were expecting this to be in the users page, but actually it’s hidden on the Site Admin > Options page.

[Image: the WPMU Site Administrator permissions option]

However, once you realise where the option is, it’s actually incredibly simple. You simply specify all the administrator usernames in a space separated list, and press save.

On the edit user page you should then see that the users have Additional Capabilities: Administrator displayed.

Fixing a blank screen with the WordPress Mollom Plugin

If you get a white screen after the Mollom CAPTCHA step when trying to add a comment to your blog, then check your PHP error logs. I was experiencing this problem, and looking into the logs showed the following:

[09-Feb-2009 11:11:53] PHP Fatal error:  Call to undefined function mb_convert_encoding() in /sites/pyrosoft.co.uk/http/blog/wp-content/plugins/wp-mollom/wp-mollom.php on line 1371

The mb_convert_encoding() function is part of the PHP mbstring extension, so fixing this was relatively easy. As my server was running CentOS 5, I could just use yum to install it:

yum install php-mbstring

And then finally, I restarted Apache:

apachectl graceful

Install WordPress and WP plugins with Subversion

In my opinion, the best way to install WordPress (WP) is by using Subversion (svn). This can also be used to install WP plug-ins. Subversion makes it incredibly easy to upgrade or update when future versions of the software are released: you simply run either svn update or svn switch.

The following instructions assume you have shell access and subversion installed on your system.

WordPress

Installing WordPress with Subversion

Run the following command to check out the WordPress code to your blog directory:

svn co http://svn.automattic.com/wordpress/branches/2.7/ /path/to/blog/

Follow the 5 minute installation instructions, ignoring steps 1 & 5.

Updating WordPress to the latest minor release with Subversion

Navigate to your wordpress installation directory and run:

svn update

Upgrading WordPress to a new major release with Subversion

Navigate to your WordPress installation directory and run:

svn sw http://svn.automattic.com/wordpress/branches/2.8/

Replace the repository URL with the branch of the version you wish to upgrade to.

Plugins

Installing a plugin with svn:externals

If you install WordPress using subversion, it should already be set up with akismet as an svn:external plugin. If you want to install any other plugin this way, just follow these steps:

cd wp-content/plugins
svn propedit svn:externals .

If this command complains about not having an editor set you may need to run something like

export SVN_EDITOR=vim

before trying again. Otherwise, you should now be in your favourite text editor with the svn:externals file open for editing. Add an additional line for the plugin you wish to install. In this example, I’m going to use the Mollom comment spam protection system. The line should look like:

wp-mollom http://svn.wp-plugins.org/wp-mollom/trunk/

Save and exit the text editor, then run:

svn update

This should check out all the plugin files. You can then configure the plugin in the WordPress admin panel.

Updating a plugin with svn

The beauty of using Subversion to install your plugins is that it’s a breeze to update them. From the top-level WordPress directory, just run:

svn update

This will update all of your plugins along with your main WordPress installation. If you want to update the plugins on their own, then just run that command from inside the plugins folder.

Hosting multiple blogs on a single WordPress installation

As you can probably tell from this blog, WordPress is my favourite blogging tool. I’ve been using it for a couple of years now, and during that time I’ve been really impressed by it. So when I was recently asked if a single copy of WordPress could be used to power several blogs, I was optimistic that it would be up to the job.

And it didn’t disappoint me…

There are a number of ways you can host multiple blogs with WordPress:

  • WordPress MU (multi-user) – This is the system that powers all the blogs at wordpress.com, Le Monde, Harvard University etc.
  • Batch management of blogs with WP-Create and WP-Upgrade – These scripts let you install multiple blogs in parallel, however each one would get its own installation.
  • Modifying wp-config.php to choose a different database per hostname. This uses the standard WordPress scripts.

Since I wanted to use a standard WordPress installation, and I didn’t want to install it multiple times, I chose the 3rd option. WordPress stores most of its configuration in its database, so all you need to do is modify wp-config.php to point at a different database depending on the hostname of the site being accessed:

// Ignore the www. part of a hostname (preg_replace stands in for eregi_replace,
// which was deprecated in PHP 5.3 and removed in PHP 7)
$host = preg_replace('/^www\./i', '', isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '');

// Map each hostname to its own database; an unknown hostname gets a 404
// rather than falling through to some default blog.
switch ($host) {
        case 'site1.co.uk':
                $db = 'site1';
                break;
        case 'site2.co.uk':
                $db = 'site2';
                break;
        default:
                header("HTTP/1.0 404 Not Found");
                exit();
}

// ** MySQL settings ** //
define('DB_NAME', $db);            // The name of the database, chosen above
define('DB_USER', 'user');         // Your MySQL username
define('DB_PASSWORD', 'password'); // Your MySQL password
define('DB_HOST', 'hostname');     // Your MySQL host

Simply replace the existing database settings code with the code above, and then create a new empty database for each blog you want to host. You will need to run the install scripts for each blog, e.g. http://www.site1.co.uk/blog/wp-admin/install.php

References:

Testing out wordpress for the iphone

This is my first post using my iPhone. I’ve installed the wordpress app and now I’m typing on the phone itself!

First thoughts: it’s great! I was a little concerned that the iPhone’s spell checker wouldn’t work, but it does (although not in the post titles).

I’ve tried to attach a photo of Brendan so let’s see if that works…