It came to light recently that a vulnerability exists in a script used widely by WordPress Theme authors, including those by Elegant Themes, which I highly recommend.

This is an easy bug to fix, but that requires users to update their WordPress themes (not just the core installation), and we know that site maintenance is an easy thing to postpone in a busy world.

What’s the risk?

If attack.php is a hacker shell app like Alucar shell, you have access to the server with whatever priveleges the web server account has. e.g. you can read /etc/passwd

That is to say, the hacker could do anything – replace your site, mine your data, lock you out, anything. No doubt you’ve come across hijacked sites reduced to skulls and flames proclaiming ‘Hacked!’ in Russian or Brazilian?

The user reporting the vulnerability said:

My server was compromised earlier today. I tracked it down to timthumb.php and confirmed the attack script was in the timthumb cache directory.

A file containing a base64 encoded Alucar shell was uploaded, executed and the attacker used the shell to inject ads into my blog. He/she may have done a lot more damage that I’m not aware of yet.

What to do?

Verify your automated backup system, and keep your WordPress installation, your plugins and your themes updated!

Thanks to Nick at ET for the swift notice. Read the original report.

Wordpress Training Melbourne

Finally!  I’ve managed to get a satisfying development environment for WordPress on my local machine! I’ve had a semi-operational setup for a few years, but have just managed to meet all my needs!

I’m using XAMPP on Mac OSX to design my WordPress themes, and now my setup features:

• a sensible, unique hostname for my local site (eg. memelab.dev)
• prettylinks using url rewrite
• functioning WordPress and plugin updates
• a wp-config.php edit which eliminates the need to edit the database when uploading the site to the production server

Installation

Install XAMPP and WordPress.

This is pretty straight forward, but for the sake of completeness, I’ll mention this comprehensive guide from Six Revisions (which I haven’t examined too closely, but looks solid).

Configure prettylinks

I found that my prettylinks failed when I initially installed… I think this is fixed in later versions of XAMPP.  I’m running XAMPP 1.7.3, and I don’t recall needing to do anything on since upgrading, but if you’re having trouble, you may need to edit some config files.  You can open them in TextEdit.app if you don’t have a favourite editor (I love TextMate) by adapting the following:

sudo open -e “/Applications/XAMPP/etc/httpd.conf”

You may need to:

Enable URL rewrite) by opening xampp/xamppfiles/etc/httpd.conf and deleting the hash/pound sign at the front of the line to uncomment:
LoadModule rewrite_module modules/mod_rewrite.so
Fixing Permalink problems

When I intially had trouble (several years ago I think) the post which helped me out was:

“…Clean URLs do not work out of the box on XAMPP 1.5.x with PHP4 due to a problem in Apache’s module load order…
“Clean URL support in XAMPP

Bottom line – its working a charm now!

Configure local servers

To access your local site at an address like http://memelab.dev/, you’ll need to configure XAMPP.  XAMPP stores its virtual hosts configuration in a separate file called httpd-vhosts.conf, which is not actually used by default, so:

1. In /xampp/xamppfiles/etc/httpd.conf uncomment the line: Include /Applications/XAMPP/etc/extra/httpd-vhosts.conf
2. You can now make entries into httpd-vhosts.conf.  There is an example in there – adapt it to your needs!
3. Enter your hostname into /etc/hosts like so:
   127.0.0.1 yoursite.dev
   (Your hosts file is not visible in finder, and needs to be edited with admin privileges, so open the terminal and paste:
   sudo Open /Applications/TextEdit.app /etc/hosts
4. Reload apache, and you’re done! (XAMPP control > Modules > Restart Apache).

I adapted my solution from a post in the WordPress Codex.

Enable WordPress updates whilst using XAMPP

This is the breakthrough which has prompted this post, thanks to Ian at messaliberty.com.  If you’ve come this far, you’ll have no trouble returning to /xampp/xamppfiles/etc/httpd.conf and replacing

User nobody
Group admin

with:

User yourusername
Group staff

You can find more detailed instructions at the source:

edit the XAMPP apache config file to run it as your local user.
How to fix WordPress automatic upgrades and plugin installs on XAMPP

(And make sure that LittleSnitch, if you use it, is allowing httpd to access wordpress.org)

Tweak wp-config.php

Ordinarily, migrating your database to your local installation, and vice-versa requires that you the WordPress database – in particular the WP_HOME and WP_SITEURL.  Ian at messaliberty.com again has a solution!  This is working well for me:

“set-up the wp-config.php to check to see if it is a local server, if it is then set the configuration one way, otherwise set it using the production values”
create a single wp-config file for local and remote WordPress development

A bonus tip on whilst we’re here – Joost has offered this addition:

“a quick hack I do in almost all WordPress installs I manage, that allows me to quickly switch on debug mode when needed”
Joost – Simple WordPress debuggin

Next recommendation from me: use some versioning software – I use Versions.app, which is a simple SVN client for the mac.

Wordpress Training Melbourne

Kiva is a non-profit organisation which facilitate micro loans to entrepreneurs all over the world. It inspires me each time I revisit the site and its reports. I was moved again today to support an internet cafe in Peru.. my US$25 contribution contributes the mere $625 Mr Yuri requires to get his business off the ground.

Kiva provides a data-rich, transparent lending platform. We are constantly working to make the system more transparent to show how money flows throughout the entire cycle, and what effect it has on the people and institutions lending it, borrowing it, and managing it along the way. To do this, we are using the power of the internet to facilitate one-to-one connections that were previously prohibitively expensive.

I get some insight into the difference that these loans make when I read through field reports. When I first heard of Kiva, I watched a video by John Larson, a CNBC reporter; today, I watched a followup report on CNBC in which John visits the borrowers he supported in their communities in Kenya.

To learn more about microfinance, I recommend reading the following page at Kiva.org: About Microfinance.

At the moment, I am supporting this worthy fellow in Peru, who is setting up an internet cafe (maybe one day I might be able to post from there!).  Check Mr Yuri’s profile.

Wordpress Training Melbourne

I love the WordPress plugin Custom Admin Branding by Josh Byers..  who doesn’t love seeing their shiny, official name at the top of their admin panel?

I noticed, though, that when when I updated the plugin to 1.3.5, my custom files were overwritten.. Doh!  It defeats the purpose of auto-update if we have to resurrect our settings afterwards, clearly, but every journey progresses one step at a time, and I’ve been rapt to have such a great plugin, complete with annotated photoshop templates.

Still, it would be great if the custom files survived an update, so I’ve had a fiddle, and come up with a crude solution… and while I was at it, I’ve added an option to change the Header background colour (which is simpler than using the custom stylesheet which is currently an option hidden in the code of the plugin).

I’m hoping that he’ll like the changes, and we might get another update soon!

Wordpress Training Melbourne

..err, excuse the pun   I’ve been using the great PHPList Form Integration by Jesse Heap, and have come across his really simple way of reaping some SEO benefit from all the work he puts into the free plugin.

What have Cakes got to do with WordPress?

Jesse’s autoresponder notifies the folk seeking support that there are over 300 support requests in the works, and offers the opportunity to queue jump by linking to his site Pink Cake Box Wedding Cakes! Hats off to Jesse for the plugin.

There are a a few ways of showing gratitude to plugin authors for their work: making donation is the obvious one, but its possible to show appreciation on a tight budget, by rating a plugin at the WordPress Plugin Repository.

Wordpress Training Melbourne