Is Your WordPress Site Hackable?
June 7, 2008 by Tony | Tag(s): cgi-bin, CPanel, Javascript Injections, MySQL, Prevent WordPress Hacks, WordPress Hacks, WordPress Password
Today I want to ask all the webmasters out there: “Is your site hackable?” I’m a test hacker, and I’ve seen some very popular sites get hacked in some of the simplest ways. Hacking WordPress is actually quite easy if you know what you’re doing. Two words, my friend: “SQL injection”. Most people never give it a thought when they set up a blog. Even though the WordPress core login form escapes what it sends to the database, what about the form-making plugins you install? A plugin that pastes a form field straight into a query is just as exploitable as a hand-written site. Always check whether your site is hackable through SQL injection; for more information on simple hacking with SQL injection, visit my post about it by clicking here.
Also, if you have a “robots.txt” file in your home directory, keep in mind that disallowing search engines doesn’t disallow people: the file is advisory only, and a Disallow line that names a sensitive directory actually advertises that directory to anyone who reads robots.txt. Never leave directories with passwords in them under the web root, even if the contents are encrypted or hashed. If you have to, password-protect the directory and/or the password file itself. Also, always keep your cgi-bin password protected, because a lot of file management systems use it to keep passwords that you use; I know some cPanel file management systems do. So always check your site for rogue password files and for SQL injection prevention.
Editor’s Note: If you aren’t very familiar with some of this terminology, your best bet is to always keep your WordPress blogs upgraded to the latest version of WordPress.
Learning More About Javascript Injections
OK, for those of you who don’t know what JavaScript injections are: they are a way to manipulate the page source of any web page you have open, by running JavaScript of your own in the context of that page. Some very simple JavaScript injections just display an alert box with any text you want. To execute one, enter “javascript:” in the URL bar of your browser, then after the colon enter any JavaScript code, the same way you would write it in a normal web page. For example, if you type javascript:var a = 'hello world!'; alert(a) in the URL bar, an alert box pops up displaying the value of the variable a. (Browsers of the time ran a javascript: URL typed into the address bar against the current page; many newer browsers strip the javascript: prefix when it is pasted, so you may have to type it by hand or use the developer console instead.)
Now that you know the basics of JavaScript injection, let’s learn how to hack with it. As you should know, JavaScript can manipulate anything on a web page, including the cookies the site has set for you. Here is a simple way to take over another username on a website, although you have to be logged into that site already. Once logged in, type the following injection in the URL bar: javascript:alert(document.cookie). This displays the cookies the site has set on you (except any flagged HttpOnly, which scripts cannot read). Look for something like user_id=xxx or PHPSESSID=xxx. If the site identifies you by a plain user_id cookie, you typically want to change its value to 1, because the administrator is usually user number 1. To change it, type the following in the URL bar: javascript:void(document.cookie="user_id=1");alert(document.cookie); Now the user_id’s value should be 1, so refresh the page and, if the site trusts that cookie as-is, you are logged in as the administrator. The caveat: this only works against a site that stores the user id in the cookie without signing it or binding it to a server-side session. A PHPSESSID is a random session identifier that points at state kept on the server; setting it to 1 just logs you out. That is exactly the check to make on your own site: does the server believe a cookie value the browser can rewrite?
Please remember that you should never mess around with someone else’s site. Always contact the administrator if you find a security hole in their site. Now, remember how I said JavaScript can manipulate anything on a web page? Let’s start manipulating things; for the basics we can just start with forms. Say a web page has a form to buy something using a debit card or something like that, and the price for this item is fifty dollars. If the page carries that price in a form field, for example a hidden input named price (the name is an assumption here; view the page source to find the real one), you can change it before the form is submitted. In the URL bar type the following: javascript:void(document.forms[0].price.value="1.00") Ultimately this changes the price to one dollar, yes! The “[0]” is the index of the form on the page: if there are three forms on a page, the first one is forms[0], the second forms[1] and the third forms[2]. Whether the store actually charges one dollar depends on the server. A checkout that uses the submitted price is broken; the fix, and the thing to check on your own site, is to look the price up on the server from the item id and ignore any price the browser sends.
Does WordPress Need Trackbacks Any More?
June 5, 2008 by Tony | Tag(s): Blogging, Pingbacks, TrackBacks, WordPress
Sometimes it is fun to look back, and today I want to take a quick look back at the early stages of blogging and examine the relevance of a term that many of you are probably familiar with: trackbacks. Flash back six years, when blogging was a very new idea and had yet to develop into what we have today.
Before comments really caught on, it was common for a blog post’s conversation to spill over to several blogs, because bloggers would post their “comment” on their own weblog and give their takes. The problem was, this often made it difficult for a reader to follow conversations. As a result, the trackback was invented by the team over at Six Apart for their Movable Type software (and eventually TypePad, etc.). Eventually, other blogging software (including WordPress) adopted this method so readers could see a post, then see who was talking about it.
In the years since then, pingbacks were created to be easier to send and less vulnerable to spam. People who don’t have a blog will usually leave comments. To me, this raises the question: do we really need trackbacks any longer? When was the last time you received one that wasn’t spam? In my opinion, blogging has outgrown the trackback and the pingback has made it irrelevant.
As for the pingback, I think it is great for now. I do think, however, that we are headed towards blogs using something like Google Blog Search or Technorati to display a “who is talking about this post” module on each individual blog page, which would make the pingback fairly irrelevant as well. All it would take is for Google to put a little more focus into improving Google Blog Search, or for Technorati to narrow its focus to this kind of feature, so that page load times wouldn’t take a drastic hit.
Anyway, sorry for the ramble, but I figured I would throw it out there and get your thoughts on trackbacks and where blogging is headed in the future.
WordPress Talk - June 4, 2008
June 4, 2008 by Tony | Tag(s): Talk, Visual Text Editor, WordPress Loop, Wordpress Plugins
It has been awhile since I’ve done a batch of WordPress Talk links, so here are a few WordPress links for you to enjoy:
- How to Avoid Duplicate Posts in the WordPress Loop - This post by Weblog Tools Collection explains how to avoid duplicate posts in both a single WordPress loop and a double WordPress loop.
- How to Get Rid of the WordPress Visual Text Editor - I know a lot of people do not like using the visual text editor when writing posts. If that sounds like you, Leland does a great job of providing the steps you need to take to remove yours.
- Get the Image WordPress Plugin - Justin Tadlock has released his newest plugin, which was designed to help people with images that use Magazine WordPress themes.
You Can Now Demo WordPress 2.6
June 3, 2008 by Tony | Tag(s): Releases, WordPress 2.6
Now that WordPress 2.5.1 is out and people are pretty much used to all the new stuff we got from the double release, I think we can now start to look forward to WordPress 2.6.
If you are someone who likes alpha testing, you can now check out a live WordPress 2.6 alpha demo.
As of the publishing of this post, it looks like the newest feature is Google Gears support. For those unaware of what Google Gears is, it allows you to work offline. Several services including Google Reader already use it.
Thanks to Gabfire for the heads up on this!
What to Expect with WordPress 2.6
June 3, 2008 by Tony | Tag(s): Releases, WordPress 2.6
As we all try to get used to WordPress 2.5 and the changes it brings, I think it is only natural for our eyes to turn towards August 2008 when WordPress 2.6 is currently scheduled to be released. I’ve been reading some posts around the blogosphere lately from people that have had conversations with members of the WordPress team about WordPress 2.6, but I haven’t really seen any details about what we can expect with this new version.
At least this was the case until yesterday when I noticed John managed to track down some information about what is new in WordPress 2.6. Here is the information John provides as of today:
- Post Revisions — Wiki-style revisions management for blog posts: a cool new power-feature, just announced on the WordPress Development Updates blog.
- The Meta Bookmarklet - Okay, so that’s not the official name, but that’s what I’m calling it until there is one. Matt talked about this at WordCamp Dallas — the idea is to have a bookmarklet that would pre-fill information from sites like YouTube, etc. For example, imagine clicking the bookmarklet when you’re watching a YouTube video and then having a new blog post set up for you with the video already embedded. Cool, huh?
- Post Word Count — A WordPress.com feature that might be making its way into WordPress 2.6.
- Shift-Click Checkbox Selection — In WordPress 2.6, you should be able to select a range of checkboxes in the category, comment, tag, post, page, and media administration sections by checking the “start” checkbox, holding the Shift key, and then checking the “end” checkbox… Gmail style.
It looks like John will be continuing to update this post as more WordPress 2.6 information comes available, so make sure to check it out!
While we wait for WordPress 2.6, I figured it would be fun to discuss some possible features you’d like to see in the next big release, or at least some changes you’d like to see to the current setup. I’ll get us started with my short list:
- More Plugins Integrated - Not only can plugins sometimes open up security holes in your website, they can also require maintenance. There is also the concern of poorly coded plugins that can cause way too many database queries and other problems. I think when WordPress integrated tags into WordPress 2.3, it was a really great move, and one I hoped they would continue going forward. There are quite a few plugins that are “must use” for pretty much any blog, so I’d like to see many of these built into the core WordPress installation.
- Move Categories Box - WordPress 2.5 moved the category box down below the tags. I’d like to see it back on the right side just above the “Related” menu. This is a quick and easy change and I would quit forgetting to assign a category when I write posts.
What would you like to see in WordPress 2.6?