A worm is circulating that can post malware and spam to some WordPress blogs using outdated versions of the blogging software, according to a post by Matt Mullenweg, founding developer of WordPress.

The worm can be tough to catch, as Mullenweg explains: "it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts."

The vulnerability allowing the attack was discovered August 11, at which point WordPress encouraged users to upgrade to version 2.8.4. However, many people have yet to upgrade, and reports online indicate the worm is making dubious progress by the hour.

The worm does not affect the current version 2.8.4 and the one prior to it. And it only affects people who host their own WordPress blog. Blogs hosted on WordPress.com are unaffected.

Users can find upgrade links and instructions here. WordPress has also posted an FAQ for people who think their blog has been hacked.

Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is an “attack” on older versions of WordPress right now. The number of sites hit by this is growing every hour. Protect your WordPress blog now: UPDATE NOW!!!

Update your WordPress blog before you continue reading this post. That’s how critical this issue is.

Things You Need to Know Now

Here is what you need to know right now, constantly updated with news as we get it.

1. UPDATE NOW! Reports are that this attack impacts ALL versions of WordPress up to 2.8.3 and 2.8.4, the most recent release.
2. Report from WordPress on Attack: How to Keep WordPress Secure. Information on the most recent update of WordPress that prevented this attack on updated WordPress sites: WordPress 2.8.4: Security Release.
3. Which Version of WordPress is Secure? I’ve just talked to Matt Mullenweg and have a better understanding of the version confusion. When this worm first hit the web, WordPress released 2.8.3 to deal with it. Since then, WordPress 2.8.4 was released, unrelated to the worm. Once the worm has infected your site, surface fixes do not remove the “back door” the worm injects into your database and system, as happened with Robert Scoble. Once infected, upgrading does not fix the issue, so those reporting they were now infected after upgrading, were infected before upgrading. Versions after WordPress 2.8.3 are safe, but upgrade to 2.8.4 anyway as it included other fixes.
4. What Version Am I Using? If you are using a WordPress version after 2.7, the nag screen on the WordPress Administration Panels will alert you to upgrade. If you are using an older version, upgrade now. Don’t know what version you are using? Without a nag screen to tell you to update, you’re using an old version. Checking the Administration Panels footer will help, but don’t waste time looking. Just update now!
5. Use a WordPress Plugin for Protection: Do not rely upon a WordPress Plugin to protect you. There are many reports of Plugins that will “help” in the comments. While they might help in other ways, please upgrade now. That is the only solution if your site has not been impacted.
6. How Does This Worm Work? We’re awaiting details from security experts on how this worm works. Personally, I’m waiting for the name of this thing since that does make searching for details on this worm easier. Anyone got a name for it yet? Since it isn’t exclusive to WordPress, calling it the WordPress Worm would not be appropriate.
7. WordPress is Not Secure: WordPress is incredibly secure and monitored constantly by experts in web security. This attack was well anticipated and so far, WordPress 2.8.4 is holding. If necessary, WordPress will immediately release a update with further security improvements. WordPress is used by governments, huge corporations, and me, around the world. Millions of bloggers are using WordPress.com. Have faith they are working overtime to monitor this situation and protect your blog.
8. Fear of Upgrading: This attack is serious enough to overcome all your fears of updating. If older WordPress Plugins are holding you back, update them to the latest version or replace them with new. If your Theme might break, contact the Theme author and update or replace it. There are thousands of free Themes to choose from, probably some better than what you are using. If you are using a recent version of WordPress, updating is as easy as clicking a couple buttons. If you are using an older version, download the most recent version and upgrade now.
9. Other Issues? Whatever your issue is that keeps you from updating WordPress, get over it and update now to protect your site.

When we have updated news, we’ll add them to this post and/or post a new article.

How Do I Know If My Site Has Already Been Attacked?

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.

WordPress.com blogs are not impacted as they are up-to-date. Only versions prior to WordPress 2.8.4 are impacted.

To Prevent Your WordPress Blog from Attack

To prevent this form of attack, update your WordPress site IMMEDIATELY to the latest version. Change ALL passwords to a strong password immediately, including WordPress blog access for all users, database, FTP, control panels, everything.

See the articles below for more helpful information on how to harden and protect your WordPress blog.

If Your WordPress Blog Has Been Attacked

If your site has already been attacked, it appears that the hack attacks the database, going deep. You can find help in the WordPress Codex article on how to deal with a hacked WordPress site.

We’re looking for specific solutions, but the easiest appears to be to export all your content with the built-in XML WordPress export (pre 2.1 versions, try the WordPress-to-WordPress Import WordPress Plugin) and literally remove your WordPress installation totally (save images and general files). DO NOT EXPORT YOUR DATABASE! Install the latest version of WordPress and add the “clean” backup of your WordPress Theme, then import the XML export. The export will contain your posts, Pages, and comments, and hopefully no other hacked code.

“How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care to keep your export limited to the post content and comments (and Pages), not the entire database as the hack goes into the database.

How to Respond to a WordPress Attack

WordPress has been requesting users update as soon as an update is released for several years. They also now have a excellent team to track down this issue and quickly protect WordPress with any necessary updates.

Please blog and Twitter about the attacks. It’s important that we spread the information throughout the WordPress Community as fast as possible, encouraging everyone to update WordPress. Take care not to promote rumors, just the facts, until we know more.

If you have pertinent information that will help the WordPress team track down and stop this attack, please report it to security@wordpress.org.

Check the WordPress Support Forums for more information and support. Also check for news and announcements on security issues and updates on the WordPress Development Blog and in your WordPress blog Dashboard Panel.

Please, keep your WordPress site constantly updated. You are now informed of updates directly through the Administration Panels. Act upon it.

Here are some other articles and information that may prove useful.

• WordPress Codex – FAQ – My Site Was Hacked
• Journey Etc – WordPress Permalink RSS Problems
• SmackDown – How to Completely Clean Your Hacked WordPress Installation
• Protect Your Blog With a Solid Password
• WordPress Codex – Hardening WordPress (security protection)
• Fear, Uncertainty and Disinformation About The WordPress Exploits and Spam
• BlogSecurity – WordPress Security Predictions in 2009
• WordPress Security Prevention, Reactions, and Scares
• Mark Jaquith – WordPress Security
• Matt Mullenweg – On WordPress Security
• Technorati: Vulnerable WordPress Blogs Not Being Indexed
• Weblog Tools Collection – Maximum WordPress Security
• The Correct Way To Report A Security Issue With WordPress
• WordCamp Toronto 2008 – WordPress Security with Mark Jaquith (video)
• Matt Cutts: Alerting Webmasters to Webserver Vulnerabilities
• WordPress Security Whitepaper
• Blog Security – Interview of a WordPress Hacker
• Guvnr – 10 Tips to Make WordPress Hack Proof
• Web Hacks, Worms, Infections, and Viruses: Is Your Blog Prepared
• Firewalling and Hack Proofing Your WordPress Blog
• Daily Blog Tips – Make Sure Your WordPress is Not Hacked
• Noupe – WordPress Security Tips and Hacks
• Vladimir Prelovac – Improving security in WordPress Plugins using Nonces
• Smashing Magazine – 10 Steps To Protect The Admin Area In WordPress

Subscribe Via Feedburner Subscribe by Email

Copyright Lorelle VanFossen, member of the 9Rules Network, and author of Blogging Tips, What Bloggers Won't Tell You About Blogging.

This is a post for all the WordPress theme developers out there. Here are only a few of the many great snippets of code that will take your current theme creation and make it that much better. Please, use them.

This is a post for all the WordPress theme developers out there. Here are only a few of the many great snippets of code that will take your current theme creation and make it that much better. Please, use them.

This is a post for all the WordPress theme developers out there. Here are only a few of the many great snippets of code that will take your current theme creation and make it that much better. Please, use them.

Pas browsing subuh tadi, iseng2 pengen tau perkembangan monetize web langsung keinget ke situsna tokoh moneymaker on net bung cosa arada. eh pas liat kok tampilana jadi begini

Dengan tulisan gede di address bar “Own3d by Eagle Eye” beuh situs berbasis wordpress trus milik seorang pakar wordpress pula bisa kena hack? apalagi kita kali yee.. bener2 deh .. ga ada yang aman di internet

Fix wordpress smilies problem when styling images

Pictures say a 1000 words. Adding images and style your images are important in your articles in two ways, first they add up in a good look and feel of your article and second it make you gain credibility as an author. But you should be aware of the problem with smileys …

Problem

You might use these CSS code to style images in your entries :

.entry img {

margin:10px;

padding:10px;

border:1px solid silver;

}

Yeah, it is fine. Those code make your images more beautiful, but wait … This would affect your smiley images too! Look at the image below

<img style=”border: 1px solid rgb(204, 204, 204);” title=”WordPress smileys” src=”http://i536.photobucket.com/albums/ff324/themelib1/wp-smiley-2.png” alt=”WordPress smileys”>

Your smiley images is added 10px margin, 10px padding, 1px silver border. And therefore it is not good looking

How to fix

The smiley images in WordPress are automatically given a CSS class of wp-smiley when they are displayed in a post. You can use this class to style your smileys differently from other post images.

You could add these code to your CSS :

img.wp-smiley {

margin:0px;

padding:0px;

border:0px;

}

That’s all

Hmm yesterday i began my wonderful journey in the world of javascript hacking .. well before i begin lets just understand hacking .. hacking is nothing but a in-depth knowledge of things .. most websites use javascripts and cookies to check as the authentication code ..

these javascripts are of diff kinds it can be mathematical expressions .. cookies weird caculations encrypted words or as i mentioned earlier cookies .. though i still have a very blurred idea of cookies work and think i got a idea of javascript athuentication works now thanks to the hacking tutorials at  Starfleet Academy .

I reached till lvl 12 that’s where i got stuck and thats just because the math involved got me fucked … too many variables .. so this is just a noob level hacking site .. just imagine the real world https authentication done .. and for those of you who think you can hack think again genius cause hacking aint easy you need to know loads of php javascript asp.net and stuff before you even think you can begin .. oh and for starters ..

Try Reading the source code!!

and before i leave here something you may need ….

Level: 01
Password: easy
Level: 02

Password: JavaScript

Level: 03
Password: #235711
Level: 04
Password: CODEZ
Level: 05
Password: 1234
Level: 06

Password: badscript

Level: 07
Password: commander

Level: 08
Password: login

Level: 09
Password: hannover

Level: 10
Password: 24*45*32+56-54/842*5623+4567

Level: 11
Password: where|time|and|space|meet -; calculated password is “picard” (without “”)

PS. Someone help me with lvl 12 .. me a noob too!!! still cant get the maths … though i know the answer :’)

Menindaklanjuti dari threadnya Mas Jauhari disini, saya berusaha untuk mempraktikkan di dua proyek terakhir saya, dan hasilnya menakjubkan … Biasanya pada fungsi the_excerpt(), image kita gak akan kelihatan (hanya tulisan saja). Nah bagaimana cara menampilkan image tersebut. Begini caranya:

Masukkan kode berikut pada looping anda:

    <?php $id =$post->ID;
    $title=$post->post_title;
    $the_content =$wpdb->get_var("SELECT post_content FROM $wpdb->posts WHERE ID = $id");
    $pattern = '!<img.*?src="(.*?)"!';
    $pattern2 = '!<img.*?alt="(.*?)"!';
    preg_match_all($pattern, $the_content, $matches);
    $image_src = $matches['1'][0];
    preg_match_all($pattern2, $the_content, $matches);
    $image_alt = $matches['1'][0];
	?>
	<?php if($image_src != ''): ?>
<div><img border="0" class="attachment wp-att-<?php echo $id;?>" src="<?php echo $image_src;?>" alt="<?php echo $title;?>"/></div>
<?php endif;?>

- Nah hasilnya bisa jadi seperti ini :

atau di slideshow saya ini

Selamat mencoba yah…

Cukup banyak rasanya situs WordPress self-hosted yang memiliki frase “Blog Archive” di Title Tag-nya.

Hasil pencarian ketika entri ini ditulis menunjukkan angka 14 juta temuan. Coba saja dengan keywords pencarian di Google berikut ini: intitle:Blog Archive.

Sepertinya, ini karena theme yang digunakan kemungkinan besar merupakan modifikasi dari WordPress Default Theme. Lebih jelasnya, lihat pada file header.php akan terlihat kode berikut:

<title><?php bloginfo('name'); ?> <?php if ( is_single() ) { ?> &#187; Blog Archive <?php } ?> <?php wp_title(); ?></title>

Nah, frase “Blog Archive” muncul karena kode :

<?php if ( is_single() ) { ?> &#187; Blog Archive <?php } ?>

Jadi untuk konsisten pada maximal uniqueness blog masing-masing, tak ada salahnya untuk menghilangkan frase Blog Archive tersebut.Caranya? Cukup dengan menghapus bagian kode tadi dari header.php

Tenang, hasilnya tidak akan mengubah link ke halaman blog terkait, karena frase itu hadir di Title Tag. Dampak “positifnya” terasa pada halaman hasil pencarian Google untuk halaman itu. Kalau tidak dihapus, frase Blog Archive akan terus muncul “memakai jatah” tampilnya judul entri blog yang lebih utuh.

Untuk hack lainnya, sila kunjungi tutorial praktis dari Nick La.