Hack defences: protecting wp-config

I have a suspicion about the cause of yesterday’s hack. devlounge.net had a similar infiltration, but by a friendly attacker who explained his methods: he accessed the wp-config.php file while the site was rendering in plain text (which I’m assuming can happen through an Apache error / misconfiguration). PHP files weren’t being processed correctly, so their code was visible to all. As wp-config contains the MySQL username/password, the attacker could then log into phpMyAdmin, change the admin email address and request a password reset.

How to protect against this? Well, WordPress 2.8 supports moving the wp-config file one directory higher (via @egwor). For sites in the root, like mine, that’s above the publicly-accessible directories, so wp-config is completely out of harm’s way. I’ve just done this, and all is working fine.

If the WP install is in a subdirectory, the wp-config can be protected by adding this to the .htaccess (from devlounge.net):

# protect wp-config.php (the closing tag is required, or Apache refuses the .htaccess)
<files wp-config.php>
order allow,deny
deny from all
</files>

That makes it inaccessible even in plain text mode. Got to be worth doing.
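As an added check (example script, not code from the original post or from devlounge.net), this POSIX shell function audits a WordPress document root for either protection described above: wp-config.php moved one directory above the web root, or an .htaccess block that denies access to it. It assumes the install sits in the document root, as mine does; the function name, the path argument and the acceptance of the newer Apache 2.4 "Require all denied" form are my additions.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress document
# root for the two wp-config.php protections described above. The function
# name and the document-root argument are assumptions, and the install is
# assumed to be the document root itself (a root install, as in the post).
# Exit status: 0 = protected, 1 = exposed (a PHP-handler failure would serve
# the file, and with it the database credentials, as plain text).

wpconfig_check() {
    docroot=$1
    cfg="$docroot/wp-config.php"
    htaccess="$docroot/.htaccess"

    # Case 1: the file lives one directory above the web root, so Apache
    # can never serve it no matter how PHP is (mis)configured.
    if [ ! -f "$cfg" ] && [ -f "$docroot/../wp-config.php" ]; then
        echo "ok: wp-config.php is above the document root"
        return 0
    fi

    if [ ! -f "$cfg" ]; then
        echo "warn: no wp-config.php found in or above $docroot"
        return 1
    fi

    # Case 2: an .htaccess <Files wp-config.php> block denies all access.
    # Accepts the Apache 2.2 form from the post ("deny from all") and the
    # Apache 2.4 form ("Require all denied"); matching is case-insensitive.
    if [ -f "$htaccess" ] && awk '
        { line = tolower($0) }
        line ~ "<files[ \t]+\"?wp-config[.]php\"?[ \t]*>" { inblock = 1; next }
        line ~ "</files>"                                  { inblock = 0; next }
        inblock && (line ~ "deny[ \t]+from[ \t]+all" ||
                    line ~ "require[ \t]+all[ \t]+denied") { denied = 1 }
        END { exit denied ? 0 : 1 }
    ' "$htaccess"; then
        echo "ok: .htaccess denies access to wp-config.php"
        return 0
    fi

    echo "EXPOSED: $cfg is inside the web root with no .htaccess deny rule"
    return 1
}

# Run against a path given on the command line, e.g. ./wpconfig_check.sh /var/www/html
if [ $# -gt 0 ]; then
    wpconfig_check "$1"
fi
```

A `<Files>` block that names the file but forgets the deny line is reported as exposed, which is the mistake the truncated snippet above invites.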

WordPress 2.5.1

I’ve upgraded to the latest WordPress. It’s quite different behind the scenes, but there shouldn’t be any differences up front. Please let me know if anything’s broken…

For other WordPress admins, the Remove Max Width plugin puts the Write page back to its former full-screen glory. Much nicer if you’re using a widescreen monitor.

Podcasting university lectures

This morning’s to-do list contained ‘set up podcast of university lectures’. It didn’t sound very difficult. A classmate uses a rather cool Olympus gadget to record each week’s talk, and I knew it should be easy enough to get these online. Of course, I also knew that ‘easy’ jobs always turn out to be way more complex than is reasonable. Except, not this time. In fact, it was worryingly easy.

  1. The original files were in WMA format, and I wanted MP3 to ensure maximum compatibility. Lame, the daddy of all MP3 encoders, just spat noise – possibly in disgust – so I used WinFF. It probably would have been possible to convert them straight to MP3, but I needed to edit first without losing quality so converted them to wave.
  2. Audacity handled the 600mb wave files without a problem, so I trimmed the lectures and stripped two 30min film excerpts, then re-saved as another wave.
  3. I like Lame, so I used its (undocumented) ‘voice’ preset to encode the wave files into roughly 56kbps MP3 files, which shrunk the 1gb .wav down to 30mb. That’s just silly. I couldn’t detect any quality difference, albeit only using computer speakers. Old stalwart Winamp handled appropriate ID3 tags.
  4. I knew little about setting up podcasts, but an easy solution presented itself when I remembered that WordPress can handle all the feed technicalities. I shoved a basic install onto an old domain name idling on a kind friend’s bandwidth-friendly server and created a post for each podcast, linking to the MP3 file in each. WordPress figures out from this that you’d like the file added as a media enclosure, and creates a podcatcher-compatible XML feed. In theory this was all I needed to do.
  5. Just to be sure, though, I dropped the feed into the I-can-do-anything-with-feeds FeedBurner, which cheerily provided browser interfaces, download numbers, etc. I was able to subscribe in iTunes thirty seconds later – it worked first time!

It sounds more complicated than it was. The only problem was with the WMA conversion, but it took all of a minute’s googling to find WinFF. All the above is completely legal – rare, when working with video/audio encoding tools – and, apart from the web-hosting, free. I’ll have to watch the bandwidth – I reckon the 20 students in my class should be ok, but if the 60 full-timers find it I could be in trouble.

WordPress 2.3

Is out. Amongst other things, it adds tagging support and update notifications. Anybody using Ultimate Tag Warrior can import tags to the new (much faster) system (and should disable UTW before upgrading), but expect themes to break. I’ve had to remove ‘related posts’, and the tags page is a bit sparse. I expect new plugins in the next few days will fix these issues.

Speeding up WordPress

Just to recommend Jerome’s Query Diagnostics plugin for WordPress, which once enabled spits out a list of all the database queries used by a page, along with the time they took to complete. This afternoon I found that one plugin was doubling the processing time, and removing that has made the whole site snappier. I was trying to do this by looking at MySQL logs, but it seems such things don’t really exist on a per-user basis, so anybody sharing a server with x number of others is going to struggle to diagnose connection problems. People recommend other plugins, but JQD was the only one that worked for me.

I’m still enjoying using Twitter, by the way. The sidebar on the right-hand side might not last if it keeps stalling the blog whenever Twitter has a strop, mind.

I’ve set up Twessenger, which updates MSN’s ‘personal’ messages with your latest Tweet. It works, although I seem to have to manually enable it every time I restart. Hopefully there’ll be a Messenger Plus script with similar functionality before long.

I’m using Alex King’s Twitter Tools plugin for WordPress, which has various features including hourly backups of tweets, non-stalling display in the sidebar, etc. It also has an option to post an automatic Tweet whenever I create a new blog post. I’m in two minds about this. I like the idea, but I feel like it must be annoying to continually receive such messages via SMS. Right now I’m writing a bunch of posts and have disabled it. Still, the implementation is great.

In other news, why can’t I ever type implementation without pausing?

Two useful plugins for the WordPress visual editor

I think they’re handy, anyway:

Enough procrastinating, Andrew. Back to work.

WordPress 2.1

Sensible things to do at 2330 probably don’t include upgrading blogging software, but the new WordPress 2.1 release has so many whizzy bits that I’m itching to try it out. Immediate notables include:

  • Autosave makes sure you never lose a post again [hooray!!]
  • Our new tabbed editor allows you to switch between WYSIWYG and code editing instantly while writing a post.
  • Much more efficient database code, faster than previous versions
  • Completely redone visual editor [wonder whether it’s any more user-friendly…]
  • More AJAX to make custom fields, moderation, deletions, and more all faster.
  • New version of Akismet.

Plus over 500(!) bug fixes. I’ll take the blog down while I upgrade, just to be safe…back in a bit, hopefully.

Update: All done. Looks most swish so far. I’ll properly try it out tomorrow, but the visual editor immediately seems far superior. The whole thing feels much snappier too, but that could be my imagination.