Matt

Homepage: http://wordpress.org/development


Posts by Matt

Secure File Permissions Matter

Summary: A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files, and some members of the “security” press have tried to turn this into a “WordPress vulnerability” story.

WordPress, like other web applications that talk to a database, has to store the database connection info where the web server can read it, which in practice means clear text. Encrypting the credentials doesn’t help, because the key has to be stored where the web server can read it in order to decrypt the data. If a malicious user has access to the file system, as they appeared to have in this case, it is trivial to obtain the key and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?

A properly configured web server will not let one user’s scripts read the files of another user, regardless of what file permissions those users set. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al.) have been around for 5+ years.
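A quick way to check your own account for the problem, as an added example that is not part of the original post or of WordPress: the shell snippet below reports whether a wp-config.php can be read by other accounts on the host. It assumes GNU coreutils stat (the -c format). Tightening the file to 0600 is only safe where PHP runs as the file’s owner (suexec or similar); where every site runs as one shared web-server user the file has to stay readable by that user, which is exactly why the real fix belongs with the host.

```shell
#!/bin/sh
# Added example, not code from WordPress or the original post.
# Assumes GNU coreutils `stat` (-c format); on BSD/macOS use `stat -f '%Lp'`.

# wpconfig_is_private FILE
# Exit 0 if neither group nor other can read FILE, 1 if either can, 2 if FILE
# cannot be inspected. Judged from the mode bits only: on a host where every
# site runs as the same web-server user this check passing is not enough, and
# the host-side fix (suexec or similar) the post describes is still required.
wpconfig_is_private() {
    _mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    _mode=$(printf '%04d' "$_mode")      # e.g. 644 -> 0644, 4755 stays 4755
    _last2=${_mode#"${_mode%??}"}        # group and other digits, e.g. "44"
    _grp=${_last2%?}
    _oth=${_last2#?}
    # Octal digit 4 is the read bit.
    if [ $((_grp & 4)) -eq 0 ] && [ $((_oth & 4)) -eq 0 ]; then
        return 0
    fi
    return 1
}

# audit_wpconfigs DOCROOT
# Print one line per wp-config.php found under DOCROOT: verdict, owner:group,
# mode and path. EXPOSED means another account on the box can read the
# database credentials straight out of the file.
audit_wpconfigs() {
    find "$1" -name wp-config.php -type f 2>/dev/null | while IFS= read -r f; do
        if wpconfig_is_private "$f"; then
            printf 'OK      %s %s\n' "$(stat -c '%U:%G %a' "$f")" "$f"
        else
            printf 'EXPOSED %s %s  (readable by other accounts on this host)\n' \
                "$(stat -c '%U:%G %a' "$f")" "$f"
        fi
    done
}

# Usage: sh audit.sh /var/www   (walks the tree and prints one line per site)
if [ "$#" -gt 0 ]; then
    audit_wpconfigs "$1"
fi
```

Run it against the document root and fix any EXPOSED line with `chmod 600` only if PHP runs as that file’s owner; otherwise the finding is an argument to take to the host, not something a customer can fix alone.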

I’m not even going to link any of the articles because they have so many inaccuracies you become stupider by reading them.

If you’re a web host and you turn a bad file permissions story into a WordPress story, you’re doing something wrong.

P.S. Network Solutions, it’s “WordPress” not “Word Press.”

WordPress 2.9, oh so fine

I want to make you mine, all the time… oh wait. Hello. I’m here on behalf of the entire WordPress development team and community to announce the immediate availability of WordPress version 2.9 “Carmen” named in honor of magical jazz vocalist Carmen McRae (whom we’ve added to our Last.fm WP release station). You can upgrade easily from your Dashboard by going to Tools > Upgrade, or you can download from WordPress.org. And of course, it wouldn’t be a major release without a short video summarizing some of the cool things about the new version:

The coolest new stuff from a user point of view is:

  1. Global undo/”trash” feature, which means that if you accidentally delete a post or comment you can bring it back from the grave (i.e., the Trash). This also eliminates those annoying “are you sure” messages we used to have on every delete.
  2. Built-in image editor allows you to crop, edit, rotate, flip, and scale your images to show them who’s boss. This is the first wave of our many planned media-handling improvements.
  3. Batch plugin update and compatibility checking, which means you can update 10 plugins at once, versus having to do multiple clicks for each one, and we’re using the new compatibility data from the plugins directory to give you a better idea of whether your plugins are compatible with new releases of WordPress. This should take the fear and hassle out of upgrading.
  4. Easier video embeds that allow you to just paste a URL on its own line and have it magically turn it into the proper embed code, with Oembed support for YouTube, Daily Motion, Blip.tv, Flickr, Hulu, Viddler, Qik, Revision3, Scribd, Google Video, Photobucket, PollDaddy, and WordPress.tv (and more in the next release).

2.9 provides the smoothest ride yet because of a number of improvements under the hood and more subtle improvements you’ll begin to appreciate once you’ve been around the block a few times. Here’s just a sampling:

  • We now have rel=canonical support for better SEO.
  • There is a database repair and optimization tool, which you enable by adding define('WP_ALLOW_REPAIR', true); to your wp-config.php file. While that constant is defined, the repair page (wp-admin/maint/repair.php) is reachable without logging in, so remove the line again as soon as the repair is done.
  • Themes can register “post thumbnails” which allow them to attach an image to the post, especially useful for magazine-style themes.
  • A new commentmeta table that allows arbitrary key/value pairs to be attached to comments, just like posts, so you can now expand greatly what you can do in the comment framework.
  • Custom post types have been upgraded with better API support so you can juggle more types than just post, page, and attachment. (More of this planned for 3.0.)
  • You can set custom theme directories, so a plugin can register a theme to be bundled with it or you can have multiple shared theme directories on your server.
  • We’ve upgraded TinyMCE WYSIWYG editing and Simplepie.
  • Sidebars can now have descriptions so it’s more obvious what and where they do what they do.
  • Specify category templates not just by ID, like before, but by slug, which will make it easier for theme developers to do custom things with categories — like post types!
  • Registration and profiles are now extensible to allow you to collect things more easily, like a user’s Twitter account or any other fields you can imagine.
  • The XML-RPC API has been extended to allow changing the user registration option. We fixed some Atom API attachment issues.
  • Create custom galleries with the new include and exclude attributes that allow you to pull attachments from any post, not just the current one.
  • When you’re editing files in the theme and plugin editors it remembers your location and takes you back to that line after you save. (Thank goodness!!!)
  • The Press This bookmarklet has been improved and is faster than ever; give it a try for on-the-fly blogging from wherever you are on the internet.
  • Custom taxonomies are now included in the WXR export file and imported correctly.
  • Better hooks and filters for excerpts, smilies, HTTP requests, user profiles, author links, taxonomies, SSL support, tag clouds, query_posts and WP_Query

All of this and more is reflected in the over 500 tickets, bugs, and enhancements that WP developers closed in this release cycle.

This release included code from over 140 contributors; here’s everyone we were able to identify: aaroncampbell (Aaron Campbell), abackstrom (Adam Backstrom), aldenta (John Ford), alexkingorg (Alex King), [amilanov], antonylesuisse (Antony Lesuisse), apeatling (Andy Peatling), apokalyptik (Demitrious Kelly), arena (André Renaut), batmoo (Mohammad Jangda), Ben Dunkle, BenBE1987, Benjamin Flesch, bookchiq (Sarah Lewis), brianwhite, c0nstruct, caesarsgrunt (Caesar Schinas), CalebKniffen (Caleb Kniffen), chrisbliss18, chrisscott (Chris Scott), christoph179, coffee2code (Scott Reilly), [cross country flight], Curioso, davecpage (Dave Page), dcole07 (Dan Cole), dd32 (Dion Hulse), demetris (Δημήτρης Κίκιζας), Denis-de-Bernardy, dj-wp, dwright, eddieringle (Eddie Ringle), error (Michael Hampton), ewestp, fabifott, filosofo (Austin Matzko), greenshady (Justin Tadlock), gsnedders/link92 (Geoffrey Sneddon), hailin (Hailin Wu), hakre, hanilovesme, Harald Nesland, harrym, holizz (Tom Adams), ikonst, jacobsantos (Jacob Santos), janeforshort (Jane Wells), jamescollins (James Collins), jdub (Jeff Waugh), jeff_ (Jean-François “Jeff” VIAL), jeremyclarke (Jeremy Clarke), JeremyVisser (Jeremy Visser), jikamens, jmulley, Joern_W, johanee (Johan Eenfeldt), johnbillion (John Blackbourn), johnjamesjacoby (John James Jacoby), johnjosephbachir (John Joseph Bachir), JonathanRogers, joostdevalk (Joost de Valk), Jose Carlos Norte, josephscott (Joseph Scott), junsuijin, kevinB (Kevin Behrens), kometbomb, lilyfan (IKEDA Yuriko), [lostinlafayette], madhyde, MattyRob, mdawaffe (Michael Adams), Mittineague, miqrogroove, morfiusx, mrmist (David McFarlane), mtdewvirus (Nick Momrik), mysz, nacin (Andrew Nacin), nanochrome, nao (Naoko McCracken), nathanrice (Nathan Rice), nbachiyski (Николай Бачийски), niallkennedy (Niall Kennedy), nickohrn (Nick Ohrn), ninjaWR (Ryan Murphy), noel (Noël Jackson), Otto42 (Samuel Wood), pairg, peaceablewhale (Franklin Tse), prettyboymp (Michael Pretty), ProDevStudio, ramiy, redsweater (Daniel Jalkut), ruslany, sambauers (Sam Bauers), scribu, Sewar, Simek, simonwheatley (Simon Wheatley), sirzooro (Daniel Frużyński), sivel (Matt Martz), skeltoac (Andy Skelton), snakefoot, stephanreiter (Stephan Reiter), strider72 (Stephen Rider), taco1991, takayukister (Takayuki Miyoshi), tellyworth, tenpura, usermrpapa, utkarsh, Viper007Bond, vladimir_kolesnikov (Vladimir Kolesnikov), VoxPelli (Pelle Wessman), [voyou1], wahgnube, waltervos, westonruter (Weston Ruter), wnorris (Will Norris), xenlab (Eric Marden), yoavf (Yoav Farhi). Wowza!

2.9 has been an exciting development cycle, and I must say it has whetted our appetite for 3.0, which is coming next (probably this spring) and will include at the very least the merge of MU with the WordPress core, and a new default theme. We can’t wait to start working on it. But first, some Carmen McRae tunes and a beer. Join us! :)

(After you upgrade, of course!)

I hope everyone is having a wonderful holiday season.

2.9 Release Candidate 1

We’re at that exciting point in WordPress development where the dev team feels like version 2.9 is complete and ready for the world.

If you’ve been waiting for your moment to pitch in, it’s now. First we need tech savvy testers to upgrade their blogs and kick the tires, make sure everything is rolling like you expect it to. Here’s a list of all the fun and geeky new stuff in 2.9 to try out. Second, and more importantly, we need everyone to test out their plugin compatibility.

If you’re a user of plugins, there’s a groovy new compatibility feature on the plugin directory where you can vote on whether a plugin is compatible with a version or not, and it’ll get registered in the new plugin compatibility checker. This is a replacement for the old wiki-based lists we’d do before. To see it in action check out this Akismet plugin page; as you can see, 14 people have already registered that it’s compatible with 2.9.

If you’re a plugin author, of course you should update your “Tested up to:” in the readme.txt for your plugin.

If all goes according to plan, WordPress 2.9 will be out before the end of the week. You can download the release candidate here.

For more details on the changes since Beta please review the revision log on Trac, and happy testing!

WordPress Wins CMS Award

I was very excited last week to learn that WordPress has been awarded the Overall Best Open Source CMS Award in the 2009 Open Source CMS Awards. This is a landmark for us, as it is the first time we’ve won this award, and it marks a shift in the public perception of WordPress, from blog software to full-featured CMS. No small contest, the Open Source CMS Awards received over 12,000 nominations and more than 23,000 votes across five categories.

As Hiro Nakamura said when he first bent time and space to land in Times Square: “Yatta!”

In addition to winning in the Overall Best Open Source CMS category, WordPress was named first runner-up in the Best Open Source PHP CMS category. This is significant because we weren’t even in the top 5 last year, and now we’re #2, ahead of Joomla! As is stated on the Award site, “WordPress made its way into the top five for the first time. The fact that it was outranked by Drupal by a very slight margin indicates how popular it has become with users as well as developers over the past year.”

Every day thousands of new people are embracing WordPress to power not just their blogs but entire sites and communities without compromising on usability or scalability (as would be the case with a legacy CMS). Every member of the WordPress community, from core developer to beginning user, should be proud to be part of this momentum: congratulations to us all!

How to Keep WordPress Secure

A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well — a little bit of work on an upgrade now saves a lot of work fixing something later.

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, exploits a security bug (fixed earlier in the year) to get arbitrary code evaluated through the permalink structure, promotes itself to admin, uses JavaScript to hide itself when you look at the users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.
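Because the worm hides its administrator account with JavaScript injected into the users page, the admin UI is the wrong place to look for it. The following is an added example, not code from WordPress or the original post: it triages a mysqldump of the site database for the two artifacts described above, administrator accounts outside an allow-list and hidden markup inside post content. The sample dump is constructed for the example (columns trimmed); the wp_ table prefix, the wp_capabilities meta key and the marker patterns are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example, not code from WordPress or the original post.
# Triage a `mysqldump` of a WordPress database for (a) administrator accounts
# that are not on an allow-list and (b) markup typical of injected hidden spam.
# Assumes the default table prefix wp_, so the capability row lives in
# wp_usermeta with meta_key = 'wp_capabilities'.

# make_sample_dump PATH
# Write a constructed sample dump (not real data; columns trimmed) to PATH.
# User 7 is the worm's account; posts 10 and 12 carry injected markup.
make_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO `wp_users` VALUES (1,'admin','$P$Bx','admin','owner@example.com','','2009-01-01 00:00:00','',0,'admin'),(3,'reader','$P$By','reader','reader@example.com','','2009-02-01 00:00:00','',0,'reader'),(7,'wp_update','$P$Bz','wp_update','x@example.net','','2009-09-04 03:12:55','',0,'wp_update');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}'),(2,3,'wp_capabilities','a:1:{s:10:\"subscriber\";b:1;}'),(3,7,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
INSERT INTO `wp_posts` VALUES (10,1,'2008-05-02 10:00:00','Hello world! <div style=\"display:none\"><a href=\"http://example.invalid/pills\">cheap pills</a></div>','Hello world'),(11,1,'2008-06-10 12:00:00','A normal post with a <a href=\"http://example.com/\">link</a>.','Normal'),(12,1,'2008-07-01 09:30:00','Old post<iframe src=\"http://example.invalid/x.php\" width=\"0\" height=\"0\"></iframe>','Old');
EOF
}

# admin_user_ids DUMP
# Print the user_id of every wp_capabilities row that grants administrator,
# one per line, read straight from the dump so nothing injected into the
# admin pages can hide it.
admin_user_ids() {
    grep -o "([0-9]*,[0-9]*,'wp_capabilities','[^)]*administrator[^)]*')" "$1" \
        | cut -d, -f2 | sort -n
}

# unexpected_admins DUMP ALLOWED_IDS
# Print administrator user_ids that are not in the space-separated allow-list.
unexpected_admins() {
    for id in $(admin_user_ids "$1"); do
        case " $2 " in
            *" $id "*) ;;
            *) echo "$id" ;;
        esac
    done
}

# hidden_markup_hits DUMP
# Count occurrences of markup that injected spam relies on: content hidden by
# CSS, embedded iframes and encoded PHP. The patterns are assumptions, not a
# complete signature set; review every hit by hand.
hidden_markup_hits() {
    grep -o -i -E 'display: *none|visibility: *hidden|<iframe|eval\(base64_decode' "$1" \
        | grep -c .
}

# triage DUMP ALLOWED_IDS
triage() {
    printf 'Unexpected administrator user_ids: %s\n' "$(unexpected_admins "$1" "$2" | xargs)"
    printf 'Hidden-markup hits in dump: %s\n' "$(hidden_markup_hits "$1")"
}

# Usage: sh triage.sh site.sql "1 2"   (dump path, then the admin ids you expect)
if [ "$#" -ge 2 ]; then
    triage "$1" "$2"
fi
```

Run it against a fresh dump taken from the database, not against what the dashboard shows; the allow-list is the set of administrator user_ids you created yourself, and any other id is an account to investigate before deleting it.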

I’m talking about this not to scare you, but to highlight that this is something that has happened before, and that will more than likely happen again.

A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)

2.8.4, the current version of WordPress, is immune to this worm. (So was the release before this one.) If you’ve been thinking about upgrading but haven’t gotten around to it yet, now would be a really good time. If you’ve already upgraded your blogs, maybe check out the blogs of your friends or that you read and see if they need any help. A stitch in time saves nine.

Whenever a worm makes the rounds, everyone becomes a security expert and peddles one of three types of advice: snake oil, Club solutions, or real solutions. Snake oil you’ll be able to spot right away because it’s easy. Hide the WordPress version, they say, and you’ll be fine. Uh, duh, the worm writers thought of that. Where their 1.0 might have checked for version numbers, 2.0 just probes for the vulnerable behaviour directly, version number be damned.

The second type of advice is Club solutions; to illustrate, I’ll quote from Mark Pilgrim’s excellent essay on spam 7 years ago, before WordPress even existed:

The really interesting thing about these approaches, from a game theory perspective, is that they are all Club solutions, not Lojack solutions. There are two basic approaches to protecting your car from theft: The Club (or The Shield, or a car alarm, or something similar), and Lojack. The Club isn’t much protection against a thief who is determined to steal your car (it’s easy enough to drill the lock, or just cut the steering wheel and slide The Club off). But it is effective protection against a thief who wants to steal a car (not necessarily your car), because thieves are generally in a hurry and will go for the easiest target, the low-hanging fruit. The Club works as long as not everyone has it, since if everyone had it, thieves would have an equally difficult time stealing any car, their choice will be based on other factors, and your car is back to being as vulnerable as anyone else’s. The Club doesn’t deter theft, it only deflects it.

Club blog security solutions can be simple (like an .htaccess file) or quite complex (like two-factor authentication), and they can work, especially against known exploits. Club solutions can be useful, like using a strong, complex password for your login; no one would recommend against that. (Another Club solution is switching to less-used software on the assumption, or more often the software’s own claim, that it is perfect and more secure. This is why BeOS is more secure than Linux, ahem.)

In the car world, if someone figured out how to teleport entire cars to chop shops, The Club wouldn’t be so useful anymore. Luckily for manufacturers of The Club, this hasn’t happened. Online and in the software world, though, the equivalent happens almost daily. There is only one real solution. The only thing that I can promise will keep your blog secure today and in the future is upgrading.

WordPress is a community of hundreds of people who read the code every day, audit it, update it, and care enough about keeping your blog safe that we do things like release updates weeks apart from each other even though it makes us look bad, because updating is what keeps your blog safe from the bad guys. I’m not clairvoyant and I can’t predict what schemes spammers, hackers, crackers, and tricksters will come up with in the future to harm your blog, but I do know for certain that as long as WordPress is around we’ll do everything in our power to make sure the software is safe. We’ve already made upgrading core and plugins a one-click procedure. If we find something broken, we’ll release a fix. Please upgrade; it’s the only way we can help each other.

WordPress 2.8.4: Security Release

Yesterday a vulnerability was discovered: a specially crafted URL could be requested that bypassed the security check verifying that a user had actually asked for a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

We fixed this problem last night and have been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress.

Themes are GPL, too

If WordPress were a country, our Bill of Rights would be the GPL because it protects our core freedoms. We’ve always done our best to keep WordPress.org clean and only promote things that are completely compatible with WordPress’s license. There have been some questions in the community about whether the GPL applies to themes, as we’ve always assumed. To help clarify this point, I reached out to the Software Freedom Law Center, the world’s preeminent experts on the GPL, who spent time with WordPress’s code and community and provided us with an official legal opinion. One-sentence summary: PHP in WordPress themes must be GPL; artwork and CSS may be, but are not required to be.

Matt,

You asked the Software Freedom Law Center to clarify the status of themes as derivative works of WordPress, a content management software package written in PHP and licensed under version 2 of the GNU General Public License.

We examined release candidate 1 of WordPress 2.8, which you provided to us at http://wordpress.org/wordpress-2.8-RC1.tar.gz. The “classic” and “default” themes included in that release candidate comprise various PHP and CSS files along with an optional directory of images. The PHP files contain a mix of HTML markup and PHP calls to WordPress functions. There is some programmatic logic in the PHP code, including loops and conditionals.

When WordPress is started, it executes various routines that prepare information for use by themes. In normal use, control is then transferred via PHP’s include() function to HTML and PHP templates found in theme package files. The PHP code in those template files relies on the earlier-prepared information to fill the templates for serving to the client.

On the basis of that version of WordPress, and considering those themes as if they had been added to WordPress by a third party, it is our opinion that the themes presented, and any that are substantially similar, contain elements that are derivative works of the WordPress software as well as elements that are potentially separate works. Specifically, the CSS files and material contained in the images directory of the “default” theme are works separate from the WordPress code. On the other hand, the PHP and HTML code that is intermingled with and operated on by the PHP code derives from the WordPress code.

In the WordPress themes, CSS files and images exist purely as data to be served by a web server. WordPress itself ignores these files[1]. The CSS and image files are simply read by the server as data and delivered verbatim to the user, avoiding the WordPress instance altogether. The CSS and images could easily be used with a range of HTML documents and read and displayed by a variety of software having no relation to WordPress. As such, these files are separate works from the WordPress code itself.

The PHP elements, taken together, are clearly derivative of WordPress code. The template is loaded via the include() function. Its contents are combined with the WordPress code in memory to be processed by PHP along with (and completely indistinguishable from) the rest of WordPress. The PHP code consists largely of calls to WordPress functions and sparse, minimal logic to control which WordPress functions are accessed and how many times they will be called. They are derivative of WordPress because every part of them is determined by the content of the WordPress functions they call. As works of authorship, they are designed only to be combined with WordPress into a larger work.

HTML elements are intermingled with PHP in the two themes presented. These snippets of HTML interspersed with PHP throughout the theme PHP files together form a work whose form is highly dependent on the PHP and thus derivative of it.

In conclusion, the WordPress themes supplied contain elements that are derivative of WordPress’s copyrighted code. These themes, being collections of distinct works (images, CSS files, PHP files), need not be GPL-licensed as a whole. Rather, the PHP files are subject to the requirements of the GPL while the images and CSS are not. Third-party developers of such themes may apply restrictive copyrights to these elements if they wish.

Finally, we note that it might be possible to design a valid WordPress theme that avoids the factors that subject it to WordPress’s copyright, but such a theme would have to forgo almost all the WordPress functionality that makes the software useful.

Sincerely,
James Vasile
Software Freedom Law Center

[1] There is one exception. WordPress does read CSS and image files to create previews of templates for the template selection portion of the administrative interface. Even in that case, though, nothing in those files calls any WordPress functions, is treated as a command by PHP, or alters any other WordPress data structure. These files are read as data and used to create an image and display a miniaturized version of a webpage to the user.

Even though graphics and CSS aren’t required to be GPL legally, the lack thereof is pretty limiting. Can you imagine WordPress without any CSS or javascript? So as before, we will only promote and host things on WordPress.org that are 100% GPL or compatible. To celebrate a few folks creating 100% GPL themes and providing support and other services around them, we have a new page listing GPL commercially supported themes.

2.8 Release Jazzes Themes and Widgets

I’m very excited to announce to everyone that the latest and greatest version of WordPress, version 2.8 “Baker,” is immediately available for download. 2.8 represents a nice fit and finish release for WordPress with improvements to themes, widgets, taxonomies, and overall speed. We also fixed over 790 bugs. This release is named in honor of noted trumpeter and vocalist Chet Baker. Here’s a quick video overview of everything in the new release:

The first thing you’ll notice is that visually 2.8 feels a lot like 2.7, just with some minor tweaks here and there. However, once you dig in you’ll begin to appreciate the changes.

Major New Improvements

First and foremost, 2.8 is way faster to use. We’ve changed the way WordPress loads styles and scripts.

The core and plugin updaters in previous versions of WordPress have been such a success we decided to bring the same to themes. You can now browse the entire theme directory and install a theme with one click from the comfort of your WordPress dashboard.

If you make edits or tweaks to themes or plugins from your dashboard, you’ll appreciate the new CodePress editor which gives syntax highlighting to the previously-plain editor. Also there is now contextual documentation for the functions in the file you’re editing linked right below the editor.

If you were ever frustrated with widgets before, this release should be your savior. We’ve completely redesigned the widgets interface (which we didn’t have time to in 2.7) to allow you to do things like edit widgets on the fly, have multiple copies of the same widget, drag and drop widgets between sidebars, and save inactive widgets so you don’t lose all their settings. Developers now have access to a much cleaner and robust API for creating widgets as well.

Finally you should explore the new Screen Options on every page. It’s the tab in the top right. Now, for example, if you have a wide monitor you could set up your dashboard to have four columns of widgets instead of the two it has by default. On other pages you can change how many items show per page.

And Even More

You can read the full list of over 180 new features, changes, upgrades, and improvements on the Codex. The list is exhausting!

The Future

We’re already thinking hard about the next versions, 2.9 and 3.0. Keep an eye out for improved media handling, better dependency checking, versioning of templates and themes, and of course the fabled merging of WordPress and MU announced at WordCamp San Francisco two weeks ago.

Make Friends with BuddyPress

What if there was software with the elegance and extensibility of WordPress but all the features you’ve come to expect from social networks like Facebook? Now there is: check out BuddyPress.

BuddyPress is an official sister project of WordPress. The idea behind it was to see what would happen to the web if it was as easy for anyone to create a social network as it is to create a blog today. There’s been an explosion of social activity on the web, it’s probably the most important trend of the past few years, but there’s been a dearth of Open Source tools that enable the social web.

In WordPress we have a robust and extensible base that can scale to many millions of users, and BuddyPress is essentially a set of plugins on top of WordPress that add private messaging, profiles, friends, groups, activity streams, and everything else you’ve come to expect from your favorite social network, like a Facebook-in-a-box.

I don’t think BuddyPress will be something you use instead of your existing social networks, I mean all your friends are already on Myspace, but if you wanted to start something new maybe with more control, friendlier terms of service, or just something customized and tweaked to fit exactly into your existing site, then BuddyPress is a great framework to use. Maybe even someday you’ll be able to connect your BuddyPresses to each other and to the existing monolithic social networks.

This is just a 1.0 release and it’s not for everybody yet; for example, it currently requires using MU, which is a bit trickier to get set up than regular WordPress. Regardless, I’d recommend diving into the community at BuddyPress.org, which is a great example of the software in action.

Here’s Andy’s official announcement post.