What version of WordPress is behind that website?

Hi all, Dion here. Recently there have been a few “security through obscurity” discussions going around. I’m sick of them: it doesn’t work, and this is my proof.

There are a few plugins out there which hide the WordPress version number. The first example I found was Secure WordPress, which has over 170k downloads. But does it actually do what it claims?

Hiding the version number is security through obscurity: you’re not making the install any safer, you’re merely not advertising which version you’re using.

But, I hear you ask, “If they don’t know the version, doesn’t that mean I’m safer?”
The answer to that is threefold:

  1. Just because they (the mystical hackers) can’t see the version of WordPress you’re using doesn’t mean they’re not going to try the same attacks anyway; after all, it’s only an extra three mouse clicks to run every exploit against every plugin known to man.
  2. Most exploits in the WordPress world are related to plugins, simply because of the sheer number of them out there.
  3. And finally, because hiding the version number doesn’t hide the version of WordPress you’re using, which is the point of this tool/site.

To use an analogy, it’s like walking through a battlefield with your gun hidden: just because they can’t see your gun doesn’t mean you’ll be able to walk through the middle of the battle; chances are you’ll be shot anyway. Exploits are the same: they’ll attack anything that moves. The number of Joomla! or Drupal exploit attempts I see against my WordPress installs daily is enormous, and I’m sure Joomla! and Drupal installs see plenty of exploit attempts that assume the site is running WordPress. My point is, exploits don’t care; they’ll attack anyway.

Type the URL of a site below, whether or not it advertises that it is running WordPress, and I’ll tell you instantly which version it is running, or which version it is most likely running:


PLEASE NOTE: This tool uses NOTHING PRIVATE. It is not connected to any WordPress.org infrastructure or other secret data; all the information it uses is gleaned from your WordPress installation, just as anyone else could do.

Posted in Opinion, PHP, WordPress

A Few photos from USA


Just a few pics. :) Lots more to come.


WordPress, what can’t it do?

WordPress can do almost everything thanks to its great Plugin API system. But now and then you just have to hack the core code to get what you want.

Left Bank Pictures has taken it a step further, however. Welcome to military hacking, Strike Back style.

If you’re wondering where/when, it appears at the start and end of Episode 5 of Series 1. The changes have since been merged into WordPress as well.

Posted in WordPress

Second Class Citizen

Occasionally someone will pipe up and make you realise the sad truth about web developers, or for that matter programmers: we are second class citizens in the eyes of many.

Gone are the days when making a computer do something different was cool. No, now it’s a job; anyone can do it, you’ve just got to learn to code. Heck, some people are programmers purely as a day job, with no outside interest in it.

There Are No Famous Programmers – Zed A. Shaw (http://sheddingbikes.com/posts/1275989245.html)
Let me tell you about this cool new web server. I figured out how to merge the ZeroMQ event polling system with the libtask coroutine library so that you can use libtask to handle tons of TCP/UDP and ZeroMQ sockets in a single thread. I then took this very cool hack, and started building a web server using my Mongrel HTTP parser, but I modified the parser so that the same server on the same port can handle HTTP or Flash XMLSockets transparently. The next step is to get this server to route HTTP and XMLSocket JSON messages to arbitrary ZeroMQ backends. I was inspired by this so much that I registered utu.im and may try to bring it back. Not sure how or when though.

Sounds cool right? Totally doesn’t matter one bit. I could hack on projects like this and nobody would care at all because I’m a famous programmer, and there is no such thing as famous programmers. I don’t exist. I’m an enigma.

And he’s right. Name a “successful” startup whose current CEO you can name. I’m sure you can think of one, but did they write the product you associate them with? In most cases, no. They’re just the ones with the vision, the ones with the money, the ones with the guts to say “This could work!”. Being a programmer isn’t enough anymore; you need a master’s degree in marketing, a bucketload of cash, and a face to put forward – and face it, you’re not it.

Gone are the days when a single person can be a superstar. Without help from others you’ll never reach gold, and if you do, be sure your programming days are long gone.

Posted in Opinion, Programming

Introducing: “TwentyTen: Remove Max Editor Width”


The new TwentyTen WordPress theme is a pretty awesome theme if you ask me. It is written by decent people who know what they’re doing (unlike many other themes out there which, whilst shiny on the outside, can be a rabbit’s nest underneath).

The theme has only one problem for me, and, as I’ve noticed, for some other people as well. In fact, it’s annoying me right now, just writing this post.

So, what is it?

It’s the limit of 640px on the width of your TinyMCE window (that’s your visual text editor on the New Post screen). It does have some uses, but for someone like me, just writing text and not caring about the benefits, it can be downright annoying.

Oh, I nearly forgot: it also applies to fullscreen mode. So for people with a 1200px wide monitor... well, you get the idea (if you don’t: your post will be using the leftmost 53% of the screen). To be fair, this is actually a limitation of TinyMCE not being able to distinguish between inline and fullscreen edit modes, but it is still a PITA all the same.

Do try it yourself, however; I quite like it for aligning images, but not for general-purpose posts.

So, what’s the benefit exactly?

Floating images. When was the last time you were writing a blog post, tried to insert an image, then hit preview and found it was in a completely different place than you were expecting, with the text flowing badly around it? Well, this width limit gives you a preview of how the actual post WILL look, right in the WordPress New Post administration panel. Pretty cool in general, a downright pain to others.

So, what can I do about it?

I’ve written this short plugin (seriously, there are more comments than code in it) which allows your editor to regain its full content width.

You can download the plugin from the WordPress.org repository here. But since the plugin isn’t actually live yet (awaiting creation), you may download it HERE instead.

Posted in WordPress Plugin

1 week into the month…

..and the bots are going crazy:
-bash-3.2# cat /var/log/secure | grep "Failed password" | wc -l
72595

72 thousand invalid password attempts (most of those are against root, although there are a lot for <random 5 character usernames>).

That’s 10,000 a day, about one every 10 seconds.
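The same count the post runs, broken down a little further, as an added example that is not part of the original post: it totals the “Failed password” lines, splits them by target username (root versus unknown accounts), and works out the average gap between attempts from a total and a number of days. The log lines are constructed to look like sshd entries in /var/log/secure; the function names are assumptions.

```shell
#!/bin/sh
# Added example: sshd brute-force triage on a constructed sample log.
# On a real box, replace SAMPLE_LOG with the contents of /var/log/secure.
SAMPLE_LOG=$(cat <<'EOF'
Jan  7 03:12:01 host sshd[2201]: Failed password for root from 198.51.100.7 port 4410 ssh2
Jan  7 03:12:04 host sshd[2201]: Failed password for root from 198.51.100.7 port 4412 ssh2
Jan  7 03:12:09 host sshd[2203]: Failed password for invalid user qwzxa from 203.0.113.9 port 5120 ssh2
Jan  7 03:12:11 host sshd[2204]: Failed password for invalid user admin from 203.0.113.9 port 5122 ssh2
Jan  7 03:12:15 host sshd[2205]: Accepted password for dion from 192.0.2.4 port 6001 ssh2
Jan  7 03:12:20 host sshd[2206]: Failed password for invalid user plkmn from 203.0.113.9 port 5130 ssh2
EOF
)

# Total failed attempts: the grep | wc -l from the post, reading the log from stdin.
count_failed() {
    grep -c "Failed password"
}

# Attempts against accounts that do not exist on the box ("invalid user" lines).
count_invalid_users() {
    grep -c "Failed password for invalid user"
}

# Per-username breakdown, most-attacked first. Strips everything up to the
# username (including an optional "invalid user ") and everything from " from ".
failed_by_user() {
    awk '/Failed password/ {
        u = $0
        sub(/.*Failed password for (invalid user )?/, "", u)
        sub(/ from .*/, "", u)
        print u
    }' | sort | uniq -c | sort -rn
}

# Attempts aimed at root specifically.
count_root() {
    failed_by_user | awk '$2 == "root" { print $1 }'
}

# Average seconds between attempts: $1 = total failed attempts, $2 = days covered.
seconds_per_attempt() {
    awk -v n="$1" -v d="$2" 'BEGIN { printf "%d\n", (d * 86400) / n }'
}

printf '%s\n' "$SAMPLE_LOG" | failed_by_user
```

Run against the post's figures (72,595 attempts over 7 days) seconds_per_attempt gives the rough "one every few seconds" the post describes.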

Posted in General, Site

Revision Control 2.0 Beta

The time has come for a beta release of Revision Control 2.0. I’d also like to announce that I’ve cracked 20k downloads on a plugin! Currently it’s standing at 40,253.

Download 2.0-beta now. Download the POT file for translations.

Things to note about this release:

  • Fully rewritten from scratch
  • Better support for multiple post types
  • 100% API usage, so less chance of breaking something
  • Revisioning of categories and tags (well, any taxonomy really!). One limitation: it doesn’t restore these yet; that’s for the next revision :)
  • WordPress 2.9+ only.

Compatibility with older releases: I’ve not 100% tested backwards compatibility; that will come this next week. New users will have no problems. Existing users should be warned that your settings may not be remembered; more testing needs to happen to verify that it works in 100% of cases.

If you’d like to submit a translation of this plugin, or you encounter a bug, just send it along to wordpress@dd32.id.au.

Thank you to all,
Dion

EDIT: Release date: 24th Jan 2010, approximately.
EDIT2: Updated the POT and .zip locations; there were a few translation issues.

Posted in WordPress Plugin