Update: The specific versions of WordPress affected have been 2.9.2, 2.9.1, 2.9, and some version of 2.8 which I wasn’t specific on checking.

Last week, I noticed my blogs were acting up – they’d hang when trying to upload an image, post a blog… random things.  I fired up Firebug and noticed I had several requests going to a jumbled mess of letters and a domain associated with spam.

I opened up my header.php file in the Theme Editor and a massive block of injected PHP was there to greet me. Balls. As it turns out, this is a massive exploit in the WordPress text editor that causes admin pages to re-direct to spyware sites. So far, every one of my sites and my clients’ sites have been hit – sometimes you can’t even log in.

Basic instructions to fix an affected site:

• Download your wp-content folder and your wp-config.php file via FTP
• Replace all of your wordpress files with a clean version (replace any of a different size)
• Then for each .PHP file in your wp-content folder and also the wp-config file, look for a big block of encrypted text at the top… delete that block – it will be in every theme file, every config file, etc.
• Upload the newly cleaned files (replacing any of a different size)
• To prevent this type of attack, add everything between the –’s (NOT including the –’s) to your .htaccess file in the wordpress main directory (after any # END statements and a blank line.

–
# BEGIN Stop Bots

RewriteEngine On
RewriteCond %{THE_REQUEST} .*['"`!$<>;].* [OR]
RewriteCond %{THE_REQUEST} .*%22.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%27.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%60.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%3C.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%3E.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%3B.*
RewriteRule $ – [l,F]

SetEnvIf Request_URI “‘” bad_bot=1
SetEnvIf Request_URI ‘”‘ bad_bot=1
SetEnvIf Request_URI ‘`’ bad_bot=1
SetEnvIf Request_URI ‘%22′ bad_bot=1
SetEnvIf Request_URI ‘%27′ bad_bot=1
SetEnvIf Request_URI ‘%60′ bad_bot=1

<Limit HEAD GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>

# END Stop Bots
–

If your blog has been affected by this and you have no clue how to fix it, feel free to contact me and I’ll help walk you through it.

I just installed WordPress 2.9 and among the list of features are some new sweet image editing capabilities.

Having played around with a few images already, I’m really pleased with how easy it is to flip images, crop images, rotate… anything.

Among other additions, you can also now add a URL to a video file on its own line, and WordPress will automatically add the correct code for you.

According to Matt, they’re going to be adding many more multimedia tools into WordPress.  I can’t wait to see what’s next!

I take my blog security VERY seriously.  Your blog is an extension of yourself – the next closest thing to DNA and diapers.  It only makes sense if you’re pouring that much time into something you protect it.

With every new installation, I start with the same three plugins:

1. Limit Log-In Attempts – Limits the amount of times someone can enter incorrect log-in information before that IP address is restricted from logging in.  It has a bigger, meaner, older brother: Login Lockdown – which bans all IP addresses in that RANGE.
2. WP Spam-Free – If you’re not non-profit or using your blog for personal use, you won’t be able to use Akismet (you know, unless you’re dishonest) – bummer, but there’s some really good spam guards in existence beside Akismet.  One of the best – WP Spam-Free.
3. WP SuperCache – No matter what kind of traffic your blog gets, if someone wants to take you down, a DDOS attack is really only a click away.  I use SuperCache on all my blogs.  It makes your site much more resilient against massive amounts of Diggs or if some punk decides to DDOS you.

Those plugins will protect you from most threats.  If you’re really concerned about your blog’s security, here’s four more tips you can pick up on:

• Pick a good password (at least one upper-case letter, one lower-case letter, one number and one symbol),
• Change the default display for your username to your nickname,
• Remove the Admin username (through the database), and
• Change the default database prefix from ‘WP_’ to something else

What are your must-have plug-ins or security tips?  Let us know by leaving a comment!

Blogging, as it turns out, is a lot like owning a car.

Most people are perfectly content to pick out a general style and color that suits them.  Most people approach WordPress themes the same way.  They pick one, maybe customize it a little, and then contentedly blog their little hearts out.

Then there are the gear-heads.  The car enthusiasts.  The ones who want something completely different from anything else that’s ever been done before.  These are the people who all eventually ask themselves the same question when it comes to WordPress: To use a Premium Theme or not.

My answer: premium – if you have the time, knowledge, and (sometimes) wads of cash to throw at it.

Premium themes are great.  They have all sorts of crazy built-in options that most WordPress themes can only dream of.  Two of my favorite examples are Thesis and Thematic.  Thesis will set you back $70-150 depending on if you just have a single site or if you’re a developer.  Thematic is free.  Like most paid options, Thesis is light-years ahead of Thematic.  Both have all sorts of widget areas and options and functions that can be added to make your site like no other.  Both also require you to do most of the CSS and styling work yourself.  Thesis is somewhat easier to leave unmodified, whereas Thematic takes a more sandbox approach.

The downside: the premium cost, the time involved, and the expertise involved.

Non-Premium themes can sometimes give you a great advantage: a head-start on a new design.  Premium themes usually have a lot of customization options, but usually involving heavy delves into the CSS or PHP behind the scenes (Thesis’s hooks, for example).  Non-Premium themes usually put you in a good spot to tweak only a little CSS or a little PHP to get the desired look.  This is a great learning tool for new developers and new themers – heck, it’s how I got started.

The downside: the lack of customization, the grody feeling of modding someone else’s code, SSDS (same s**t different site).

The most important thing is having fun with the option you choose. It may sound kind of funny, but I always feel REALLY limited when I work with Thesis – it does too much for me.  Some days I’m perfectly content to build a new site from an existing theme.  Whatever you choose, have fun!