PlanetMike.com

Blog

Michael Clark's journal of important and not-so-important thoughts.

Archive for the 'Plugins' Category

How to Make the WordPress Login Cookie Last Longer Than Two Weeks

Monday, June 30th, 2008 9:10 am

One thing I loathe about WordPress 2.5 is that login cookies only last two weeks. So every two weeks I get prompted to log in again. It is extremely disruptive to have to log in again when just a few hours earlier I was logged in. The cookie logic should be tweaked so that if you haven’t logged in over the past two weeks, then (maybe) the cookie should expire. But if I was allowed to work on the blog yesterday, why should I need to log in again today? The two week window should not be based on when I first logged in, but on when I last did administrative functions while logged in.

There aren’t any plugin hooks to the cookie-setting functions of WordPress 2.5. But you can edit line number 547 of pluggable.php (which is under wp-includes of your WordPress installation) to lengthen the amount of time a cookie is stored for. Simply change the number at the end of the line
$expiration = $expire = time() + 1209600;
to however many seconds you want the cookie to be good for.

Two Weeks: 1209600
One Month (30 days): 2592000
One Year (365 days): 31536000
Ten Years (3650 days): 315360000

Once you’ve made that change, log out (in the top right of the administrative area) and then log in again to create the new cookie with the longer login time. Or simply wait two weeks for your cookie to expire, and then the next time you login, you’ll be all set.

Yes, I can see how this might be a security issue, since an attacker may stay logged in for a long time and get past any system upgrades. (A system upgrade, though, should wipe any stored logins. That doesn’t appear to be possible currently, since the cookie doesn’t store which version of WordPress it is good for.) Or if your machine is compromised, your blog can be compromised. But generally, if that happens, you’re screwed anyway. So in this instance, ease of use is trumping security for me.
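As an added illustration (Python, not WordPress code), here is the difference between the fixed two-week lifetime that pluggable.php implements and the sliding, activity-based window the post asks for. The absolute cap in sliding_expired() is an assumption added here, not something the post proposes: it bounds how long a leaked cookie can be replayed even if whoever holds it keeps it "active". The timeline in simulate() is constructed.

```python
# Added example (Python, not WordPress code): fixed lifetime vs sliding window.
# The absolute cap is an assumption, not part of the post's proposal.
from dataclasses import dataclass

DAY = 86400
TWO_WEEKS = 1209600  # the value on line 547 of pluggable.php in WordPress 2.5


@dataclass(frozen=True)
class Session:
    issued_at: int   # time() when the login cookie was created
    last_seen: int   # time() of the most recent admin action on this cookie


def fixed_expired(s, now, lifetime=TWO_WEEKS):
    """WordPress 2.5 behaviour: the clock starts at login and never resets."""
    return now >= s.issued_at + lifetime


def sliding_expired(s, now, idle_limit=TWO_WEEKS, absolute_limit=4 * TWO_WEEKS):
    """Post's proposal: expire only after idle_limit without admin activity.

    absolute_limit (assumption) still forces a fresh login eventually."""
    return now >= s.last_seen + idle_limit or now >= s.issued_at + absolute_limit


def touch(s, now):
    """Record admin activity; a real implementation would reissue the cookie."""
    return Session(s.issued_at, now)


def simulate(active_days, check_day):
    """Log in on day 0, act on each day in active_days, then check on check_day.

    Returns (fixed_expired, sliding_expired) for this constructed timeline."""
    s = Session(0, 0)
    for d in sorted(active_days):
        if d < check_day:
            s = touch(s, d * DAY)
    now = check_day * DAY
    return fixed_expired(s, now), sliding_expired(s, now)


if __name__ == "__main__":
    print("daily use, checked on day 15:", simulate(range(1, 15), 15))
    print("no use, checked on day 15:  ", simulate([], 15))
    print("daily use, checked on day 60:", simulate(range(1, 60), 60))
```

With daily activity the fixed scheme still logs the user out on day 15 while the sliding scheme does not; with no activity both expire; and the absolute cap means even a constantly used cookie is retired on day 56, which is the defender's trade-off for a sliding window.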


Protecting WordPress With Fingerprints

Tuesday, April 29th, 2008 11:20 pm

I. Background

Recent attacks against the WordPress Content Management System have prompted reminders of the recommendation that you should make sure you are running the newest version of the WordPress system. When you download WordPress, you can also download the WordPress MD5 signature so that you can double check that the downloaded file has not been damaged during the download.

There are many algorithms available that can compute a file’s signature. The signature is generated by reading the file and running the data in the file through an algorithm. If even one character in a file is changed, such as a space added or a comma replaced with a period, the signature will change to a radically different string. So, if the signature you generate on your computer after downloading a file is different from the signature that the vendor provides, that likely means the file has been corrupted during the download. A common time this is seen is when you upload a compressed file (.zip or .gz) to a web server in ASCII (text) mode instead of in binary mode.

So, let’s say you’re upgrading or installing WordPress on your server. You compare the MD5 signature provided by WordPress (for 2.5.1 it is b1a40387006e54dcbd963d0cb5da0df4) with the one you compute yourself. Under Linux you would type the command md5sum wordpress-2.5.1.tar.gz and you should get that random-looking sequence of characters. If you don’t get b1a40387006e54dcbd963d0cb5da0df4, there is a problem.

But what happens after you uncompress and install the software? What if a cracker gets in and messes with your system? This is where file integrity comes into play. Historically (like the 1980’s and 1990’s) computer viruses would attach themselves to applications and documents on your computer, so there were two steps of protection: (1) a virus scanner which looked for actual malicious code in files on the system; and (2) a file scanner to see if files had been changed.

Today that second form of scanning has fallen out of favor. But with the increasing number and complexity of WordPress attacks, I think having a fingerprint of the more than 500 files that are a part of WordPress is a valid security method. Fingerprinting WordPress can also help protect you against hardware failure.

I’ve written a set of scripts that can be run on a Linux system. (You could also add the WordPress files to your TripWire settings or other file integrity tool.) You simply provide the full directory path to the base of your WordPress install, and two files will be generated in the correct format: MD5 and SHA fingerprints of the “official” WordPress files downloaded from WordPress.org.

Then you regularly run the check program. Suggestion: add the check program to a cron schedule so it will run automatically.

This is version 1.0 of this system. Definitely let me know if you find any problems or have any suggestions with this.

II. Installation

This system has only been tested on Linux (specifically CentOS 4.6). Please let me know if your system works or not. It only requires md5sum and shasum. This tool requires a familiarity with the Linux shell.

  1. Download the software.
  2. Generate the md5sum and shasum fingerprints for the .gz file. The MD5 fingerprint is “1bc778dc72741dbaa942b9fcd81e832b” and the SHA fingerprint is “e4f1ef0f53397d820d8c07fee1786823d6a70cb2”. Important: If you are unable to verify the fingerprints for the download, don’t continue! You will just be frustrated!
  3. Create a new directory on the web server.
  4. Unzip the software in that directory.
  5. Make sure that both version-check-251.sh and wordpress-check.sh are executable (chmod 700 or 755).
  6. Find the full path to your WordPress installation. This will vary based on each server setup. If you go to the folder that has your wp-config.php file and type the “pwd” command, that is probably the directory information you need. Common directories are /var/www/html/www.example.com/ or /var/www/docs/www.example.com/ or /var/htdocs/www.example.com/. The version-check-251.sh script will tell you if it can’t find the WordPress files.
  7. Change to the directory that you installed the scripts in.
  8. Type: “./version-check-251.sh (the full path found in step 4)”.
  9. Then type “./wordpress-check.sh” to check the fingerprints with the actual files in your installation. If there are any problems, it will be very obvious. Hopefully you will only see status messages.
  10. If you want to have the check script run by cron, use the wordpress-check-cron.sh script. The only difference in the two scripts is the cron script doesn’t print status messages.

III. Common Causes of Fingerprint Failures

If you’ve made any changes to any of the files, you will get an error. Simply update the domain-name.md5sum.txt and domain-name.shasum.txt files. The command to generate the new fingerprint is:

md5sum full-path-to-the-file
or
shasum full-path-to-the-file

Another common problem is not updating the default and classic themes (/wp-content/themes/) when updating WordPress.

And lastly, it is possible that Akismet may release a newer version of the plugin before WordPress itself is updated. Simply generate a new fingerprint of the new version of the plugin.
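The steps above describe generating a fingerprint list once and checking it regularly. The following is an added example in Python, not the page's own shell scripts: it builds a manifest in the two-space "digest  path" format that md5sum -c and shasum -c read, then checks a directory tree against it and reports modified, missing and unexpected files, which covers both the normal check and the "I edited a file" case in section III. The tiny fake install in demo() and the three tampering events are constructed for illustration.

```python
# Added example (Python, not the page's shell scripts): fingerprint manifest
# in md5sum/shasum format, plus a check that reports modified, missing and
# unexpected files. demo()'s tree and tampering events are constructed.
import hashlib
import os
import tempfile


def file_digest(path, algo="sha1"):
    """Hex digest of one file, read in chunks so large files stay off the heap."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha1"):
    """Map every regular file under root (relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full, algo)
    return baseline


def write_manifest(baseline, manifest_path):
    """Write the baseline in the two-space format md5sum -c / shasum -c accept."""
    with open(manifest_path, "w") as f:
        for rel in sorted(baseline):
            f.write(f"{baseline[rel]}  {rel}\n")


def read_manifest(manifest_path):
    """Parse a manifest back into {relative_path: digest}."""
    baseline = {}
    with open(manifest_path) as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                baseline[rel] = digest
    return baseline


def check_tree(root, baseline, algo="sha1"):
    """Compare the live tree with the baseline; an all-empty report is a pass."""
    current = build_baseline(root, algo)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: fingerprint a tiny fake install, then tamper with it.

    Returns (report_before_tampering, report_after_tampering)."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "site")
        _write(os.path.join(root, "wp-config.php"), "<?php // constructed config\n")
        _write(os.path.join(root, "wp-includes", "pluggable.php"), "<?php // constructed\n")
        manifest = os.path.join(work, "site.shasum.txt")  # kept outside the web root
        write_manifest(build_baseline(root), manifest)
        baseline = read_manifest(manifest)
        clean = check_tree(root, baseline)
        # Three events a check should catch: edited file, deleted file, new file.
        with open(os.path.join(root, "wp-includes", "pluggable.php"), "a") as f:
            f.write("// extra line\n")
        os.remove(os.path.join(root, "wp-config.php"))
        _write(os.path.join(root, "wp-includes", "extra.php"), "<?php // constructed\n")
        tampered = check_tree(root, baseline)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Two caveats worth keeping in mind when running something like this from cron: store the manifest somewhere the web server cannot write (otherwise whoever can change the files can also change the list), and treat MD5 and SHA-1 here as change detectors rather than signatures, since neither is collision-resistant any longer and a manifest alone proves nothing about who produced the files.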

Updates

When WordPress gets updated, I will release a new version of the fingerprints. To stay informed about updates, subscribe to my RSS feed.

Announcing Login Error Cleanup

Thursday, April 3rd, 2008 11:47 am

I have released a new WordPress plugin today, Login Error Cleanup. When you attempt to log in to a WordPress account, you are given fairly specific error messages if you enter the username or password incorrectly. This can be helpful to an attacker who is trying to guess usernames and/or passwords. This plugin simply returns the message “Error” if the combination submitted is not valid.

This plugin is generally only going to be useful for people running a blog that only has a few authors. “Security by obscurity” is generally not the greatest security method, but it has its place. You would want to use this plugin if the default WP super user is not the regular and expected “admin” user login, and your day to day blogging and commenting is done as a regular author user. If your admin user is not “admin,” an attacker will have a more difficult time hacking and cracking your WordPress. If anything, automated attacks would be much more likely to fail.
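As an added example (Python, not the plugin's PHP), here is the contrast the post describes: a login check whose messages reveal whether the username exists beside one that answers every failure with the same "Error". The dummy-hash step for unknown usernames goes beyond what the plugin does; it is added here so the failing path costs the same work whether or not the account exists. The user table and credentials are constructed for illustration.

```python
# Added example (Python, not the plugin's PHP): specific vs uniform login errors.
# Users and passwords below are constructed; the dummy-hash timing step is an
# addition not found in the plugin.
import hashlib
import hmac
import os

ITERATIONS = 20_000  # kept low for illustration; use far more in production


def _hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Dummy credential used when the username does not exist, so the failing path
# still costs one hash computation and timing does not reveal valid usernames.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(_DUMMY_SALT, "not-a-real-password")


def make_user_table(credentials):
    """{username: password} -> {username: (salt, pbkdf2 hash)} (constructed users)."""
    table = {}
    for name, pw in credentials.items():
        salt = os.urandom(16)
        table[name] = (salt, _hash(salt, pw))
    return table


def verbose_login(users, username, password):
    """Stock WordPress 2.5 style: the message says which part was wrong."""
    if username not in users:
        return False, "Invalid username."
    salt, expected = users[username]
    if not hmac.compare_digest(_hash(salt, password), expected):
        return False, "Incorrect password."
    return True, "OK"


def uniform_login(users, username, password):
    """Login Error Cleanup style: every failure is just "Error"."""
    salt, expected = users.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(salt, password), expected)
    if matched and username in users:
        return True, "OK"
    return False, "Error"


if __name__ == "__main__":
    users = make_user_table({"editor": "correct horse battery"})
    for fn in (verbose_login, uniform_login):
        print(fn.__name__, fn(users, "nobody", "x"), fn(users, "editor", "x"))
```

The uniform message removes the username oracle from the response body; it does not by itself slow down guessing, so a site relying on it should still log failed attempts and rate-limit them.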

WordPress TimeZone Handling is Ridiculous

Tuesday, March 11th, 2008 11:29 am

This is 2008. Why in the world does WordPress not know how to shift its internal clock when Daylight Savings Time starts or ends? If the server itself can do it, why can’t WordPress? Heck, my VCR can even automagically adjust by an hour twice a year.

I was going to write a plugin to do this, but Kimmo Suominen has already done it. In February 2005! Matt Mullenweg or someone at Automattic, send Kimmo a check for a few hundred bucks and incorporate his code into the core WP system for 2.5.

The plugin is available at Time Zone plugin for WordPress.

Creating a “GoTo” URL For Your WordPress-Powered Site

Wednesday, January 16th, 2008 1:55 pm

For one of my other sites, I’ll be doing some postal mailings in which I’ll need to include the URLs of some of the posts I’ve made. I really don’t want to force people to have to retype those horribly long URLs. I could use a service like TinyUrl.com, but I’m not happy giving a third party control of portions of my web site. So I’ve made it easier by using the power of Apache’s rewrite rules with WordPress’ Post ID #. So instead of me having to mail out a URL like:
http://www.showbizradio.net/2008/01/10/community-theater-schedule-wallpaper/

I can include this one, which will redirect to the same post, and is much easier to type, or read over the phone:
http://www.showbizradio.net/goto/2133

To do this, create a new folder under your WordPress directory. You can call it anything you like, but shorter is better. I’ve called the directory goto, although go would also work well.

Inside that directory, create a file called .htaccess. The leading dot is important!

Put these lines in the .htaccess file:

RewriteEngine On
RewriteRule ([0-9]+) /index.php?p=$1 [R=301,L]
RewriteRule (.*) / [R=301,L]

The first line simply enables the ability for the web server to process the request.

The second line says that if any page request in your “goto” directory contains digits, to pipe those digits into the index.php program. The R=301 tells web browsers and search engines to permanently redirect to the new URL, and the L means this is the last command to execute.

The third line catches any other request (such as http://www.showbizradio.net/goto/heck) by simply redirecting any other request to your site’s home page.

And that’s all there is to it. Let me know if you have any problems with this. I’ve tested it only on WP 2.3.2, running under Apache. It should work fine if you have customized your site’s permalink structure.
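To make the rule order above concrete, here is an added simulation in Python (not Apache, and not part of the original post) of how the two RewriteRule patterns are tried against the part of the request after /goto/. One detail worth knowing: Apache matches RewriteRule patterns unanchored, so ([0-9]+) also fires on a request that merely contains a digit somewhere. The anchored variant ^([0-9]+)$ is an assumption shown here for comparison, not a rule from the post.

```python
# Added example (Python simulation, not Apache): the two RewriteRules from the
# .htaccess above, tried in order. Apache writes the back-reference as $1;
# Python's Match.expand uses \1. The anchored rule set is an assumption.
import re

# (pattern, substitution) pairs in the order they appear in the .htaccess file.
RULES = [
    (re.compile(r"([0-9]+)"), r"/index.php?p=\1"),
    (re.compile(r"(.*)"), r"/"),
]

# Same rules with the digit pattern anchored to the whole request (assumption).
ANCHORED_RULES = [
    (re.compile(r"^([0-9]+)$"), r"/index.php?p=\1"),
    (re.compile(r"(.*)"), r"/"),
]


def resolve_goto(request, anchored=False):
    """Return the redirect target for the part of the URL after /goto/.

    In a per-directory .htaccess the pattern sees the path relative to that
    directory (e.g. "2133", not "/goto/2133"); [L] stops at the first match."""
    for pattern, target in (ANCHORED_RULES if anchored else RULES):
        m = pattern.search(request)  # unanchored, like Apache
        if m:
            return m.expand(target)
    return "/"


if __name__ == "__main__":
    for req in ("2133", "heck", "heck7", "12abc34"):
        print(f"/goto/{req:<8} -> {resolve_goto(req):<22} anchored: {resolve_goto(req, anchored=True)}")
```

With the post's rules, /goto/heck7 redirects to /index.php?p=7 rather than to the home page; if you would rather have only all-digit requests reach a post, anchoring the first pattern gives that behaviour.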

Announcing CodeQuote

Monday, January 7th, 2008 11:35 am

I’ve just released a WordPress plugin for disabling smart quotes in text that is inside a <code> block. Smart quotes, also known as curly quotes or fancy quotes, don’t mix well inside code, so if someone copies and pastes your code with smart quotes, they have to tweak the code they want to use. Which I think everyone will agree is a waste of time. More information and the download are available on the CodeQuote page. Please send me your feedback; I definitely need to know about situations where other characters inside code are being “fixed” by WordPress.

Update: 4:42pm I’ve already made several bug fixes to CodeQuote. Things like less than symbols apparently are now working correctly. And it doesn’t matter if you have a blank line in front of the open code tag. Let me know if you see any other weirdness. I’ll need to see the code you’re entering into a post so I can experiment on it here.

Disable Windows Live Writer Headers from WordPress

Thursday, December 20th, 2007 6:06 pm

I’ve tweaked a plugin that will disable the Windows Live Writer headers that appear in the HTML headers of pages generated by WordPress 2.31. More information and the download can be found at the WLW Disabler plugin page.

Announcing Fix the P

Thursday, December 13th, 2007 3:58 pm

The name of the blogging system WordPress is a trademark of Automattic, and they’ve chosen to spell it with an uppercase “W” and an uppercase “P.” It should not be with a lowercase p, such as Wordpress. The Fix The P WordPress plugin changes the lowercase p in “WordPress” to an uppercase P (essentially changing Wordpress to WordPress) in titles, posts, pages, excerpts and comments. This helps your reputation as a professional. How professional is it to blog about one of the world’s most popular blogging platforms, and spell it wrong? Fix the P gives you a safety net.

Complete information about Fix the P is on the Fix the P plugin page.

Many thanks to Lorelle VanFossen for the idea for this plugin.

Announcing WARP: WordPress Admin Reminder Plugin

Wednesday, December 12th, 2007 9:15 am

I have just finished my first WordPress plugin, WARP, which stands for WordPress Admin Reminder Plugin. This plugin adds a reminder tip (in large red letters) in the top right corner of your WordPress admin pages. The text is a link to the appropriate page in the wp-admin area. Reminders include:

  • Making a backup of your database (every Friday)
  • Checking your spam for false positives (every Wednesday)
  • Other tasks that are easy to forget (every third Monday)

Hopefully this will help you keep your WordPress blog in good working order.

Complete information about WARP is on the WARP plugin page.

Learning to program WordPress plugins

Friday, December 7th, 2007 12:01 pm

I’ve started work on my first WordPress plugin. So far, I’ve managed to break my development web site several times; gotten the plugin to work partially several times, and added a menu to the “Manage” menu of the WordPress administration system. Of course, the page I’ve created there doesn’t actually do anything yet. It’s very exciting seeing the system not barf when I “activate” my plugin. Hopefully I can release the plugin to an unsuspecting world next week.

Copyright © 1997-2008 Michael Boyd Clark
PlanetMike’s Technology Journal is proudly powered by WordPress
Entries (RSS) and Comments (RSS).