What version of WordPress is behind that website?

Hi all, Dion here. Recently there have been a few “security through obscurity” discussions going around. I’m sick of them: it doesn’t work, and this is my proof.

There are a few plugins out there which hide the version number of WordPress. The first example I found was Secure WordPress; it has over 170k downloads, but does it actually do what it claims?

Hiding the version number is security through obscurity. You’re not making the install any safer, you’re merely not advertising which version you’re using.

But, I hear you ask, “If they don’t know the version, doesn’t that mean I’m safer?”
The answer to that is threefold:

  1. Just because they (the mystical hackers) can’t see the version of WordPress you’re using doesn’t mean they’re not going to try the same attacks anyway. After all, it’s only an extra 3 mouse clicks to run every exploit against every plugin known to man..
  2. Most exploits in the WordPress world will be related to plugins, simply due to the sheer number of them out there.
  3. And finally, because hiding the version number doesn’t hide the version of WordPress you’re using, which is the point of this tool/site.

To use an example, it’s like walking through a battlefield with your gun hidden: just because they can’t see your gun doesn’t mean you’re going to be able to walk through the middle of the battle; chances are you’ll be shot anyway. Exploits are the same, they’ll attack anything that moves. The number of Joomla! or Drupal exploit attacks I see against my WordPress installs daily is enormous, and I’m sure Joomla! and Drupal installs see significant numbers of exploits that assume the site is running WordPress. My point is, exploits don’t care, they’ll attack anyway.

Type the URL of a site below, whether it advertises the fact that it’s WordPress or not, and I’ll tell you instantly which version, or which version it’s most likely to be running:


PLEASE NOTE: This tool uses NOTHING PRIVATE. It is not connected to any WordPress.org infrastructure or other secret data; all information that this tool uses is gleaned from your WordPress installation, just the same as anyone else can do.

Second Class Citizen

Occasionally someone will pipe up and make you realise the sad truth amongst web developers, or for that matter, programmers: we are second class citizens in the eyes of many.

Gone are the days where making a computer do something different is cool. No, now it’s a job, anyone can do it, you’ve just got to learn to code.. heck, some people are purely programmers for a day job, with no outside interest in it.

There Are No Famous Programmers – Zed A. Shaw (http://sheddingbikes.com/posts/1275989245.html)
Let me tell you about this cool new web server. I figured out how to merge the ZeroMQ event polling system with the libtask coroutine library so that you can use libtask to handle tons of TCP/UDP and ZeroMQ sockets in a single thread. I then took this very cool hack, and started building a web server using my Mongrel HTTP parser, but I modified the parser so that the same server on the same port can handle HTTP or Flash XMLSockets transparently. The next step is to get this server to route HTTP and XMLSocket JSON messages to arbitrary ZeroMQ backends. I was inspired by this so much that I registered utu.im and may try to bring it back. Not sure how or when though.

Sounds cool right? Totally doesn’t matter one bit. I could hack on projects like this and nobody would care at all because I’m a famous programmer, and there is no such thing as famous programmers. I don’t exist. I’m an enigma.

And he’s right. Name a “successful” startup where you can think of the name of the current CEO. I’m sure you can think of one, but did they write the product you associate with them? In most cases, no. They’re just the ones with the vision, the one with money, the one with the guts to say “This could work!”. Being a programmer isn’t enough anymore, you need a masters degree in marketing, a bucket load of cash, and a face to put forward – and face it, you’re not it.

Gone are the days when a single person can be a superstar. Without the help of others, you’ll never reach gold; and if you do, be sure your programming days are long gone..

A Call to Arms

WordPress 2.9 was just released, and several users have run into a bug. Surprising? Not really. There’s one simple reason for this: while thousands of people test each and every WordPress release, these users are not you.

I’d like to use this as an example to all here of why WordPress needs your help. No, I’m not talking about coding help specifically, I’m talking about testing. WordPress requires that users test the product throughout the development period.

WordPress is an open source application written by hundreds of contributors. While those hundreds probably use the development version of WordPress every day, they do not use the same webhost as you, nor do they have the same theme, nor do they have the same requirements; they use different functions of WordPress than you.

During the beta and RC stages, thousands of people download and test. These testers are end users like you. In order to prevent these bugs getting into a released product, it requires that users actually take part in the development of WordPress and report the bugs encountered.

Testing WordPress is not just something that developers should do. If you use WordPress and enjoy using it, please take some time once every few months to test WordPress. It’s announced on the Dev blog when betas are available, and on a default install of WordPress, the Dashboard should have an RSS feed mentioning the releases too.

So please, for 3.0, when a beta is released (there’s generally ~2-3 weeks of beta, with 2-3 betas from my quick recollection), install it on your website. It doesn’t have to be your main one, it can be in a subdirectory (i.e. your usual one at http://my-site.com/ and the test at http://my-site.com/testing/), and test that things work OK for you and your plugins. This does take an hour out of your time, and I realise not everyone can afford it, but it may spare you 2-3 hours of your time when, after a release, a bug that affects you is found that a developer had not noticed.

WordPress requires your input. Whilst I agree there are some downfalls in reporting bugs sometimes (please do not flame me with related messages here, I’m not after that, this is merely a request for more contributions), overall, your contributions would be greatly appreciated by all.

In order to make it easier to test betas and nightly versions, Westi wrote this great plugin. It allows you to use the inbuilt upgrader to upgrade to a beta, to make it easier for you to be involved with the project you love using.

You’re doing it wrong #2


Welcome to part #2, If you missed #1, go check it out.

As I mentioned in the last posting, this time wp125 is featured again. No, please don’t get me wrong, I’m not just targeting certain plugins here; it’s merely the plugins which I use, which I have to modify and/or clean up for whatever reason. I’ve chosen WP125 to be used for this project, so here I am cleaning up some code. Also featured in the second part of this posting is TDO Mini Forms.

Who has ever seen an error message like this one?

Notice: Undefined index: wp125action in G:\www\nrtt\wp\wp-content\plugins\wp125\adminmenus.php on line 9
Notice: Undefined index: wp125action in G:\www\nrtt\wp\wp-content\plugins\wp125\adminmenus.php on line 13
Notice: Undefined index: wp125action in G:\www\nrtt\wp\wp-content\plugins\wp125\adminmenus.php on line 22
Notice: Undefined index: wp125action in G:\www\nrtt\wp\wp-content\plugins\wp125\adminmenus.php on line 26

I’m willing to bet a lot of people would’ve seen this one time or another. It comes down to a very very VERY lazy developer in my opinion, simply because it’s best programming practice to never actually hit this case..

The code which is causing this:

function wp125_write_managemenu() {
…<snip>…
//Handle deactivations
if ($_GET['wp125action'] == "deactivate") {

Doesn’t look too harmful really, now does it? That’s because, by itself, it’s not harmful at all other than an annoying message. The harmful part is where similar code is used and it’s merely assumed that certain array items exist; the issue is that it can let bugs slip by unnoticed..

So, what’s the correct way? Simply check that the array item exists before comparing it against something else.

The simplest method would be:

if ( isset($_GET['wp125action']) && ($_GET['wp125action'] == "deactivate") ) {

Or alternatively, if you never want to fire when the array item is empty:

if ( !empty($_GET['wp125action']) && ($_GET['wp125action'] == "deactivate") ) {

Now, that wasn’t too hard was it? Much cleaner, reduces warnings, and potentially reduces the risk of bugs.
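To show the two checks side by side on the inputs that actually trigger the notice, here is an added example (not code from WP125; the function name wp125_get_action() and the list of known actions are assumptions) that reads the action from a request array and only returns it when it is one of a fixed set of known actions. A whitelist goes one step further than isset()/empty(): an unexpected or malformed value never reaches the branch at all. It runs from the PHP CLI against constructed request arrays, so no WordPress install is needed.

```php
<?php
// Added example (not WP125 code): reading an admin action from a request
// array without "Undefined index" notices, and accepting only known values.
// wp125_get_action() and WP125_KNOWN_ACTIONS are hypothetical names.

// Only these actions exist; anything else is treated as "no action".
const WP125_KNOWN_ACTIONS = array('activate', 'deactivate', 'delete');

/**
 * Return the requested action, or null if none was given, it was empty,
 * or it is not one of the known actions.
 *
 * @param array $request Normally $_GET; passed in so it can be run offline.
 */
function wp125_get_action(array $request)
{
    // isset() alone would accept '' as an action; empty() rejects '' and '0'.
    if (empty($request['wp125action'])) {
        return null;
    }
    $action = $request['wp125action'];

    // Reject arrays (?wp125action[]=x) and anything not in the whitelist.
    // Strict comparison so that no type juggling happens on the way in.
    if (!is_string($action) || !in_array($action, WP125_KNOWN_ACTIONS, true)) {
        return null;
    }
    return $action;
}

// Constructed sample requests covering the cases that produce the notices above.
$samples = array(
    'missing key'    => array(),
    'empty value'    => array('wp125action' => ''),
    'unknown action' => array('wp125action' => 'drop_tables'),
    'array value'    => array('wp125action' => array('deactivate')),
    'valid action'   => array('wp125action' => 'deactivate'),
);

error_reporting(E_ALL); // any notice the old code would emit shows up here

foreach ($samples as $label => $request) {
    $action = wp125_get_action($request);
    printf("%-15s => %s\n", $label, $action === null ? 'no action' : $action);
}
```

Run it with `php example.php`: only the last sample yields an action, and none of the five produce a notice. The comparison against "deactivate" then happens in one place, against a value that is already known to be a string from the allowed set.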

Once again, all changes made are available as a diff. This diff also includes the changes made in part #1, and has been written as of version 1.3.6.

Now, onto the second plugin, TDO Mini Forms. This isn’t actually a half bad plugin overall; however, the code can be a bit messy, for lack of a better word, thanks to the many many many options and defines it uses.

Most of the issues I’ve got with this plugin boil down to misuse of constants, for example:

Notice Use of undefined constant TDOMF_OPTION_WIDGET_MAX_HEIGHT - assumed 'TDOMF_OPTION_WIDGET_MAX_HEIGHT' in G:\www\nrtt\wp\wp-content\plugins\tdo-mini-forms\admin\tdomf-options.php on line 604

Upon actually looking through the code, the define was used in many places, but never actually defined. However, TDOMF_OPTION_WIDGET_MAX_WIDTH and TDOMF_OPTION_WIDGET_MAX_LENGTH were, but guess what, the latter was never actually used, other than during option creation.. It’s a simple typo really.. but a quick fix nevertheless.

The main thing that has been bugging me with this plugin, however, is these notices splattered around:

Notice: Use of undefined constant REQUEST_URI - assumed 'REQUEST_URI' in G:\www\nrtt\wp\wp-content\plugins\tdo-mini-forms\admin\tdomf-form-options.php on line 15

It looks like the plugin is expecting some form of register_globals for the $_SERVER items to be enabled. Well, do I have news for you… it’s not! To many programmers that may have sounded like the actual problem, but the problem is actually a coding flaw.. (as expected)

if(preg_match('/tdomf_show_form_menu/',$_SERVER[REQUEST_URI])) {

You may not see something wrong with that, but you should. $_SERVER contains an array element called ‘REQUEST_URI’, which is what the author intended to access, but instead, what they have asked for is the $_SERVER array element whose name is the value of the REQUEST_URI constant.. PHP is smart enough to convert that undefined REQUEST_URI into a string, and so the code works as expected, for now.. But it’s still sloppy; adding 2 apostrophes into the mix fixes everything.. Quick and simple really..

if(preg_match('/tdomf_show_form_menu/',$_SERVER['REQUEST_URI'])) {
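The “works for now” deserves a concrete look. The following added example (not TDO Mini Forms code; the function names are hypothetical) runs the quoted and unquoted forms against a constructed $_SERVER['REQUEST_URI'] from the PHP CLI, then defines a constant named REQUEST_URI to show that the unquoted lookup silently starts reading a different key. Two facts the post predates: PHP 7.2 deprecated the bare-word-to-string fallback, and PHP 8.0 turned it into a thrown Error, so on current PHP the sloppy form does not “work” at all.

```php
<?php
// Added example, not TDO Mini Forms code. Function names are hypothetical.
error_reporting(E_ALL);

// Constructed request URI so the script can run from the CLI.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=tdomf_show_form_menu';

// Correct form: the array key is a quoted string, and we check it exists first.
function tdomf_is_form_menu_request(array $server)
{
    return isset($server['REQUEST_URI'])
        && preg_match('/tdomf_show_form_menu/', $server['REQUEST_URI']) === 1;
}

// Sloppy form: REQUEST_URI is a bare word, i.e. a constant lookup.
// PHP 5/7: notice or warning, then falls back to the string 'REQUEST_URI'.
// PHP 8+:  throws Error('Undefined constant "REQUEST_URI"').
function tdomf_is_form_menu_request_sloppy(array $server)
{
    try {
        $uri = $server[REQUEST_URI];
    } catch (Error $e) {
        echo 'PHP 8 behaviour: ', $e->getMessage(), "\n";
        return false;
    }
    return preg_match('/tdomf_show_form_menu/', $uri) === 1;
}

echo "quoted key: ", var_export(tdomf_is_form_menu_request($_SERVER), true), "\n";
echo "bare word:  ", var_export(tdomf_is_form_menu_request_sloppy($_SERVER), true), "\n";

// Why "works for now" is the wrong standard: the moment anything defines a
// constant called REQUEST_URI, the bare-word lookup silently changes key.
// (Constructed here; on a real site it could come from any other plugin.)
define('REQUEST_URI', 'SCRIPT_NAME');
echo "bare word after define(): ",
    var_export(tdomf_is_form_menu_request_sloppy($_SERVER), true),
    " (now reads \$_SERVER['SCRIPT_NAME'] instead)\n";
```

On PHP 7 the second line prints true with a warning attached; on PHP 8 it prints the caught Error and false. The third line prints false on every version, because the lookup is now keyed on the script name rather than the request URI, and nothing in the code signals that the key changed.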

And the final piece of the puzzle for this posting:

Notice: Trying to get property of non-object in G:\www\nrtt\wp\wp-content\plugins\tdo-mini-forms\admin\tdomf-edit-post-panel.php on line 36

Another common type of warning produced by PHP, very similar to the first array item above:

function tdomf_edit_post_panel_admin_head() {
   global $post;
   // don't show on new post/page
   if($post->ID > 0) {

Now, this wouldn’t be all that bad really.. if it wasn’t for this code:

add_action( 'admin_head', 'tdomf_edit_post_panel_admin_head' );

The end result, much like I explained in post #1, is that running code designed for a SINGLE page on EVERY page load is not a good thing to do; eventually you’ll hit a road bump like this one..

While the most appropriate fix for this would be to simply only hook the function to run on the post edit page, because this plugin insists on being backwards compatible at one stage or another, utilising the latest hook names is not always possible, so merely adding an is_object() call in there can silence and fix everything quickly:

function tdomf_edit_post_panel_admin_head() {
 global $post;
 // don't show on new post/page
 if(is_object($post) && $post->ID > 0) {

I should however note that this plugin includes compat code for WordPress < 2.5, whilst it utilises WordPress 2.8 functionality now. Plugin authors: keep an eye on your obsolete code, it increases complexity and will eventually end up causing a bug. My methodology is to only support the latest WordPress release.. It’s not worth your time developing for users not upgrading their version of WordPress. Yes, you’re going to have people complain the plugin isn’t compatible, but in reality you’re doing them a favour: if they don’t upgrade WordPress, they’ll have other bugs.. Your plugin not working is the least of their worries (or should be).

That’s it for now. TDO Mini Forms also contains many MANY uses of undefined variables, e.g.:

Notice: Undefined variable: edit in G:\www\nrtt\wp\wp-content\plugins\tdo-mini-forms\include\tdomf-form.php on line 387

But the plugin is too large for me to want to go in and fix everything; what has impacted me the most has been fixed, and I’ll leave it at that.

Until next time. The changes made to TDO Mini Forms are available as a diff, as of version 0.13.5. Apologies for the diff here, I’m having issues with line endings; Tortoise SVN isn’t respecting its own setting – you’ll have to patch a local copy and set it to ignore line ending changes..


EDIT: Fixed typos and lack of English. Sorry, I need a new computer, this T key hardly ever works when I want it to..

You’re doing it wrong #1

Welcome to a new series of mine, You’re doing it wrong. Now, you may’ve guessed what this series is going to be about.. WordPress “Programmers” doing things wrong.

Right now, I’m writing a new theme for a website, utilising a few plugins; one of them is WP125.

Notice: Trying to get property of non-object in G:\www\nrtt\wp\wp-includes\general-template.php on line 366

Yep, you’re doing it wrong. At first glance it looks like it’s caused by WordPress, but after a lot of debugging, here’s a stack trace:

#0 G:\www\nrtt\wp\wp-includes\general-template.php(367) stackTrace(Array ( ) )
#1 G:\www\nrtt\wp\wp-includes\script-loader.php(410) get_bloginfo(Array ( [0] => text_direction ) )
#2 unknown(unknown) wp_default_styles(Array ( [0] => CONVERTED OBJECT OF CLASS WP_Styles ) )
#3 G:\www\nrtt\wp\wp-includes\plugin.php(414) call_user_func_array(Array ( [0] => wp_default_styles [1] => Array ( [0] => CONVERTED OBJECT OF CLASS WP_Styles ) ) )
#4 G:\www\nrtt\wp\wp-includes\class.wp-styles.php(31) do_action_ref_array(Array ( [0] => wp_default_styles [1] => Array ( [0] => CONVERTED OBJECT OF CLASS WP_Styles ) ) )
#5 G:\www\nrtt\wp\wp-includes\functions.wp-styles.php(72) CONVERTED OBJECT OF CLASS WP_Styles->__construct(Array ( ) )
#6 G:\www\nrtt\wp\wp-content\plugins\wp125\adminmenus.php(8) wp_enqueue_style(Array ( [0] => thickbox ) )
#7 G:\www\nrtt\wp\wp-content\plugins\wp125\wp125.php(75) require_once(Array ( [0] => G:\www\nrtt\wp\wp-content\plugins\wp125\adminmenus.php ) )
#8 G:\www\nrtt\wp\wp-settings.php(566) include_once(Array ( [0] => G:\www\nrtt\wp\wp-content\plugins\wp125\wp125.php ) )
#9 G:\www\nrtt\wp\wp-config.php(109) require_once(Array ( [0] => G:\www\nrtt\wp\wp-settings.php ) )
#10 G:\www\nrtt\wp\wp-load.php(30) require_once(Array ( [0] => G:\www\nrtt\wp\wp-config.php ) )
#11 G:\www\nrtt\wp\wp-admin\admin.php(20) require_once(Array ( [0] => G:\www\nrtt\wp\wp-load.php ) )
#12 G:\www\nrtt\wp\wp-admin\edit.php(10) require_once(Array ( [0] => G:\www\nrtt\wp\wp-admin\admin.php ) )

Do you notice what’s happening here? A seasoned WordPress developer should.. but many will not, as it’s a huge problem amongst some plugins..

The issue at hand here is that the WP125 plugin is running code as soon as it’s included; in this case, it’s registering styles and scripts as soon as the plugin is included. NOT a good thing to do.

A plugin should NEVER run any code as soon as it’s included*; all code should be placed inside actions.

E.g., instead of this:

if(is_admin()){
 wp_enqueue_script('jquery');
 wp_enqueue_script('thickbox');
 wp_enqueue_style('thickbox'); 
}

It should be:

add_action('admin_head', 'wp125_enqueue_styles');
function wp125_enqueue_styles() {
 wp_enqueue_script('jquery');
 wp_enqueue_script('thickbox');
 wp_enqueue_style('thickbox'); 
}

*1: Obviously, there are some cases where running code is considered OK, but it should be avoided. I’m ignoring calls to add_action/add_filter as running code here, as that’s the way things should happen.

There is one more thing which should be noted as well.. another thing a plugin should NEVER do is enqueue scripts and styles for EVERY administration page; only load them on the pages which require the script. So let’s take that last semi-better-than-original snippet and convert it to something which is how ALL plugins should be registering their scripts and styles:

So, now I’m going to introduce you to one more hook which many developers seem to miss, the action admin_print_scripts-<slug>.

This action is actually pretty simple. On every page load of the WordPress administration, many dynamic hooks are fired; of particular interest today is the admin_print_scripts-<slug> hook. This fires when WordPress decides it’s time to start printing the <script> and <link rel="stylesheet" /> items into the head of the document. This is where plugins should be hooking their addition of styles and scripts, as well as printing any extra <head> content to fit into the WordPress admin pages for their plugin.

Without going into it in depth, I’m just going to give a chunk of code. The only thing worth noting is, if you’re not sure of the slug of your page, quite handily the add_menu_page()/add_submenu_page() functions will return it.. So, finally, here we go:

//Add the Admin Menus
add_action('admin_menu', 'wp125_add_admin_menu');
function wp125_add_admin_menu() {
 load_plugin_textdomain('wp125', PLUGINDIR.'/'.dirname(plugin_basename(__FILE__)).'/translations', dirname(plugin_basename(__FILE__)).'/translations');
 $pages = array();
 $pages[] = add_menu_page(__("125x125 Ads", 'wp125'), __("Ads", 'wp125'), MANAGEMENT_PERMISSION, __FILE__, "wp125_write_managemenu");
 $pages[] = add_submenu_page(__FILE__, __("Manage 125x125 Ads", 'wp125'), __("Manage", 'wp125'), MANAGEMENT_PERMISSION, __FILE__, "wp125_write_managemenu");
 $pages[] = add_submenu_page(__FILE__, __("Add/Edit 125x125 Ads", 'wp125'), __("Add/Edit", 'wp125'), MANAGEMENT_PERMISSION, 'wp125_addedit', "wp125_write_addeditmenu");
 $pages[] = add_submenu_page(__FILE__, __("125x125 Ad Settings", 'wp125'), __("Settings", 'wp125'), MANAGEMENT_PERMISSION, 'wp125_settings', "wp125_write_settingsmenu");

 foreach ( $pages as $my_page )
   add_action('admin_print_scripts-' . $my_page, 'wp125_register_scripts_styles', 9); //Add it a little earlier.

 //Include menus
 require_once(dirname(__FILE__).'/adminmenus.php');
}

function wp125_register_scripts_styles() {
 wp_enqueue_script('jquery');
 wp_enqueue_script('thickbox');
 wp_enqueue_style('thickbox');
}
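As an added example (not WP125’s code; the plugin name, function names and the 'manage_options' capability are assumptions), here is the same page scoping written against admin_enqueue_scripts, the action WordPress fires on every admin page load with the current page’s hook suffix as its only argument, which is the same slug add_menu_page()/add_submenu_page() return. It does the job of the admin_print_scripts-<slug> loop above with one static hook registration instead of one add_action() per page; both approaches work, this is just the other way to get there.

```php
<?php
/*
Plugin Name: WP125 page-scoped enqueue (added example)
*/
// Added example, not WP125's own code. Scopes scripts and styles to the
// plugin's admin pages via admin_enqueue_scripts, which WordPress calls with
// the current page's hook suffix (the value add_*_page() returned).
defined('ABSPATH') || exit; // only meaningful when loaded by WordPress

// Hook suffixes of our own admin pages, filled in during admin_menu.
$wp125_example_pages = array();

add_action('admin_menu', 'wp125_example_add_menu');
function wp125_example_add_menu()
{
    global $wp125_example_pages;
    // add_menu_page()/add_submenu_page() return the page's hook suffix.
    $wp125_example_pages[] = add_menu_page(
        '125x125 Ads', 'Ads', 'manage_options', 'wp125-example', 'wp125_example_manage_page'
    );
    $wp125_example_pages[] = add_submenu_page(
        'wp125-example', '125x125 Ad Settings', 'Settings', 'manage_options',
        'wp125-example-settings', 'wp125_example_settings_page'
    );
}

// Fired on every admin page load; $hook_suffix says which page, so we bail
// out early on every page that is not ours and never touch its head.
add_action('admin_enqueue_scripts', 'wp125_example_enqueue');
function wp125_example_enqueue($hook_suffix)
{
    global $wp125_example_pages;
    if (!in_array($hook_suffix, $wp125_example_pages, true)) {
        return; // core's or another plugin's page: leave its scripts alone
    }
    wp_enqueue_script('jquery');
    wp_enqueue_script('thickbox');
    wp_enqueue_style('thickbox');
}

function wp125_example_manage_page()
{
    echo '<div class="wrap"><h2>' . esc_html__('Manage 125x125 Ads', 'wp125') . '</h2></div>';
}

function wp125_example_settings_page()
{
    echo '<div class="wrap"><h2>' . esc_html__('125x125 Ad Settings', 'wp125') . '</h2></div>';
}
```

The strict in_array() check is the whole point: thickbox and jQuery land only in the head of the two pages this plugin owns, so a styling or JavaScript clash on some other admin page cannot be this plugin’s doing.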

The main benefit of behaving yourself? Much less chance of screwing up another admin page’s styling or JavaScript :)

Stay tuned for the next edition of this, where once again WP125 will feature, alongside TDO Mini Forms.

See Attachment for a .diff of the changes made to the plugin. NOTE: This is as of version 1.3.6

Dear all commenters

Lately, I’ve been receiving a lot of comments from certain people annoyed at the fact that WordPress has included more features and functionalities which they find extra bloat. Usually, they’re poorly written and I delete them (yes, I have no need for their drivel on this blog).

Today however, it’s time to make a stand. I am sick of people complaining that WordPress is not what they want.

Many people seem to be unaware of what is actually happening in the world of Warcraft WordPress, oblivious even. Now that’s fair enough to me, not everyone has the time to watch the project evolve day by day, but I would expect someone to read about what’s new in WordPress before upgrading, and then upgrade anyway for security reasons.

Please people, read what’s new, suggest new features. WordPress is the free application YOU have chosen to use; help shape its future into the product that YOU want. Many people seem to sit back and just complain about the new items and call it bloat; to those of you, fuck off, go find a different project which suits YOU. Drupal or Joomla! might be it, or maybe some mostly unknown app which uses 200MB of RAM, or 200 bytes of RAM, it doesn’t matter to me; find something which suits what you want.

WordPress suits many people, with the constant addition of new functionalities, constant patching of potential bugs, and of security issues. All applications MUST do this, else they die off in the background, or a new project which offers them appears. I class WordPress as an innovator for 2 reasons: the plugin and theme options available continuously change and extend WordPress into new directions, and new technologies and functionalities are included into WordPress core every release, as they should be. A LOT of hard work is put in by a handful — a dozen or so — people who love WordPress, and yet WordPress is used by a few million people I would imagine. Support the developers who develop WordPress and make it what it is.

I realise that last paragraph makes reference to a dozen people; I’m talking about the WordPress core there. There are many hundreds of developers who use WordPress and develop plugins and themes; they deserve recognition as well.

So please, if WordPress isn’t your cup of tea, don’t come to my blog to complain about it. Get off your arse and help shape the future. There are so many ways in which to do that:

  • Start to fix bugs in WordPress core – Browse Trac for that
  • Start to implement new functionalities for WordPress – Trac again, Search for a ticket, if nothing, Create a new one
  • Make plugins or Themes to do what you want – And then Release them on WordPress Extend
  • Help others in the Support Forums – One of the simplest ways to help
  • Help others in other ways – A talk at your local WordCamp Event about how and why you use it, Perhaps even at your local computer event, It doesn’t matter, It all helps others get to know what WordPress is.
  • Suggest Ideas on the Support Forums, Or Trac

If you’ve made it this far, you’re probably going better than many others. Thanks for reading this, and please become involved in WordPress one way or another.