WordPress Hit With Backdoor Attack, Force Resetting User Passwords

Looks like no one is safe on the internet today, with numerous services being hit with attacks and password thefts. Today, it turns out WordPress.org was also hit: attackers gained commit access to the plugin repository and pushed modified versions of several plugins.

The attackers apparently added backdoor code to the plugins and committed it to the repository, affecting popular plugins such as AddThis, WPtouch and W3 Total Cache. WordPress has rolled those commits back and pushed clean updates, but has also reset the passwords of all WordPress.org users (and of bbPress.org and BuddyPress.org users). If you have an account on any of those sites, you will have to set a new password.

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.

We’re still investigating what happened, but as a prophylactic measure we’ve decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you’ll need to reset your password to a new one. (Same for bbPress.org and BuddyPress.org.)

This is not the first time WordPress has been attacked. Earlier this year, WordPress.com was hacked and code was compromised. Sony has also been hit with several attacks recently in which users' passwords were leaked on the internet. If you have a WordPress.org account, make sure to update your password. Also read our earlier article on why now is the right time to update all your passwords.

Also, if you have recently updated any of these plugins, go and re-update them immediately.
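The re-update advice above is easier to act on if you can tell which files on disk differ from a clean copy of the plugin. The script below is an added example, not code from WordPress.org or from the plugin authors: it hashes every file in an installed plugin directory and in a freshly downloaded reference copy, then reports files that were modified, files that are present on disk but not in the clean copy, and files that are missing. The two directory trees and their contents are constructed sample data built in a temporary directory under a hypothetical plugin name; for real use, point the two paths at wp-content/plugins/<plugin> and at the unpacked official zip of the re-released version.

```python
"""Compare an installed WordPress plugin directory against a known-good copy.

Added example, not code from WordPress.org or the plugin authors. Both
directory trees below are constructed sample data created in a temp dir.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digests(root: Path) -> dict:
    """Map each regular file under root (as a POSIX relative path) to its SHA-256 hex digest."""
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_plugin(installed: Path, reference: Path) -> dict:
    """Return files that differ from, are absent from, or are missing versus the reference copy."""
    inst = file_digests(installed)
    ref = file_digests(reference)
    common = inst.keys() & ref.keys()
    return {
        "modified": sorted(p for p in common if inst[p] != ref[p]),
        "added": sorted(inst.keys() - ref.keys()),      # present on disk, not in the clean copy
        "missing": sorted(ref.keys() - inst.keys()),    # in the clean copy, absent on disk
    }


def build_demo() -> tuple:
    """Build a tiny reference plugin and a tampered install (constructed data, hypothetical plugin)."""
    base = Path(tempfile.mkdtemp())
    ref = base / "reference" / "example-plugin"
    inst = base / "installed" / "example-plugin"
    (ref / "inc").mkdir(parents=True)
    (inst / "inc").mkdir(parents=True)
    main_php = "<?php\n/* Plugin Name: Example */\nfunction example_init() {}\n"
    helper_php = "<?php\nfunction example_helper() {}\n"
    (ref / "example-plugin.php").write_text(main_php)
    (ref / "inc" / "helpers.php").write_text(helper_php)
    (ref / "readme.txt").write_text("=== Example ===\n")
    # Installed copy: main file has an extra line appended, one unexpected file, readme removed.
    (inst / "example-plugin.php").write_text(main_php + "// line not in the reference copy\n")
    (inst / "inc" / "helpers.php").write_text(helper_php)
    (inst / "inc" / "extra.php").write_text("<?php\n// file not in the reference copy\n")
    return inst, ref


if __name__ == "__main__":
    installed, reference = build_demo()
    for kind, files in compare_plugin(installed, reference).items():
        print(f"{kind}: {files}")
```

Anything listed under modified or added deserves a look before the site goes back into service; a plugin directory that is byte-for-byte identical to the re-released version is the goal of the re-update step.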

More updates to come…

Now Comment On Any WordPress.com Blog Using Your Facebook And Twitter Account

Starting today, you can comment on any WordPress.com blog using your Facebook or Twitter account, in addition to using your email address or your WordPress.com account. WordPress.com has introduced a new feature that lets anyone post a comment on any WordPress.com blog using an email address or a WordPress.com, Facebook or Twitter account. The feature gives commenters a choice of which identity to show on the blog in question, for example a Twitter or Facebook account instead of an email address.

Here is how the modified comment form of a WordPress.com blog looks like:

wordpress-comments-facebook-twitter


This enhanced commenting feature adds a layer of real human identity to the comments section of your WordPress.com blog, since most real users will opt for the quicker way to post. Unlike spammers and bots, real people want to comment in as few steps as possible, so many will switch to the Twitter or Facebook tab, hit the button, grant the requested permissions (it is worth reading what the app asks for before granting it) and post their comment. No more typing in your name and email address; it makes life easy.

Users are in control of their identity and if you don’t want to reveal your WordPress.com username or don’t want to give your real email address to the blog in question, you have two more options to comment.

Please note that if you choose your Facebook account to comment on a WordPress.com blog, the comment activity won't be pushed back to your Facebook account. The feature is used only for authentication and is not the same as the Facebook Comments social plugin, although WordPress.com is planning deeper social integration in the coming days.

For blogs using the self-hosted WordPress package, this feature is likely to be released in a future version of the Jetpack plugin (read our review of Jetpack). There is no way to turn off comments via social profiles, in case you dislike it and want to fall back to the older WordPress.com comment form.

Jetpack Brings A Lot Of WordPress.com Goodness To Your Self Hosted WordPress Blog

No, this is not about Mozilla's experimental project that also goes by the name Jetpack. Automattic has just launched Jetpack, a new plugin that brings WordPress.com goodness to self-hosted WordPress blogs, i.e. blogs running the open source software downloaded from WordPress.org.

With the Jetpack plugin for WordPress, webmasters or bloggers who don’t use WordPress.com and prefer using the open source CMS version can access features that depend on WordPress.com.

Installing Jetpack on Your Self Hosted WordPress Blog

Getting started with Jetpack is easy. You can either visit the plugin's homepage and download the files (740KB), or search for "Jetpack" (without quotes) under Add New Plugins in your blog's administration area. I prefer the latter option because it does not require downloading the plugin, opening an FTP client and uploading the files to the wp-content/plugins directory.

install-jetpack

Once you have installed the plugin, you will have to connect it to your WordPress.com account from the plugin's settings. If you do not have a WordPress.com account yet, you know where to start.

connect-jetpack

On the next page, which is served by WordPress.com rather than by your own site (check the address bar before typing your password), enter your WordPress.com credentials and click Authorize Jetpack.

authorize-jetpack

After you have authorized the plugin, you should be automatically redirected to the Jetpack settings page of your blog, where you can choose the features you want to use on your self-hosted WordPress blog.

jetpack-install-complete

Plugins And Features That Come Bundled With Jetpack

Oh my, so much stuff under one hood. Yes, Jetpack brings a lot of WordPress.com features to your self-hosted WordPress blog with a single click. You can individually handpick the features or plugins you want to use, or enable all of them in one go.

This is quite similar to the one-click Fantastico installations provided by Dreamhost and some other hosting providers. If you have installed a new WordPress blog using Fantastico, you may know that some hosts set up a default bundle of plugins and themes once WordPress is installed.

The following plugins and features are provided with Jetpack:

  • WordPress.com Stats: This one is a must, if you want to check your blog stats within your WordPress administration area. Simple, concise site stats with no additional load on your server.
  • Twitter widget: Display the latest updates from a Twitter user inside your theme’s widgets.
  • ShareDaddy: The most super duper sharing tool on the interwebs. Allow your website visitors to share content on Facebook, Twitter and many more social networking websites.
  • Gravatar Hovercards: Show a pop-up business card of your users’ Gravatar profiles in comments.
  • Wp.me Shortlinks: Enable WP.me-powered shortlinks for all of your Posts and Pages for easier sharing.
  • Shortcode Embeds: Easily embed videos from sites like YouTube, Vimeo and SlideShare.
  • After the Deadline: Helps you write better by adding spell, style, and grammar checking to WordPress.
  • LaTeX: Lets you mark up posts with the LaTeX markup language, perfect for complex mathematical equations and other über-geekery.

WordPress founder Matt Mullenweg says:

Every time we launch something new on WP.com the first question is always asking how people can get it for their self-hosted blog. Now you can have your cake and eat it too — host your own blog, completely under your control and with the freedom of the GPL, and still get all the cloud goodies of our hosted service. It’s the best of both worlds.

You can head over to Jetpack’s FAQ page to learn more.

Another WordPress DDOS Follow Up, Origin Might Be China

WordPress.com was attacked again a few hours ago, following the massive DDoS on Thursday. This was a follow-up to the earlier attack and, as is now evident, each wave appears to originate from China. WordPress.com-hosted premium blogs such as Financial Post and TechCrunch suffered from today's roughly one-hour outage, during which attack traffic reached

multiple Gigabits per second and tens of millions of packets per second.

In recent talks with Alexia Tsotsis, Matt Mullenweg states,

WordPress.com was hit with another wave of attacks today (the fourth in two days) that caused issues again. This time we were able to recover more quickly, and also determined one of the targets to be a Chinese-language site which appears to be also blocked on Baidu. The vast majority of the attacks were coming from China (98%) with a little bit of Japan and Korea mixed in.

As one commentator at CNET points out, WordPress blogs are still not as fast as they used to be. At the same time, a number of other sites on the same network as WordPress servers are suffering from these DDOS attacks.

If these attacks are indeed from China, it is one more sign of attempts to silence opposition there. Although the WordPress.com servers are stable now, further DDoS attempts cannot be ruled out.


Using Internal Linking in WordPress 3.1 To Link to Existing Posts

WordPress 3.1 was released yesterday, and it adds a lot of new features that make it a very exciting release. Most of the additions are under the hood, but there are a few features that regular users will notice, such as the new internal linking feature, which lets you link to your existing posts easily while writing articles.

Link to Existing Content WordPress 3.1

The Internal Linking feature is available as part of the regular linking workflow, however, in addition to adding a link, WordPress 3.1 also allows you to search for existing posts and link to them.

Insert Internal Link WordPress 3.1

When you use the link option in the write panel, you will now see an option called "Or link to existing content". Expanding this option will allow you to search and link to existing posts quickly and easily. The feature also allows you to use search terms so that you can narrow down the posts.

One of the good things I saw about internal linking is that it is fast and would definitely increase your productivity if you link to your own posts pretty often.

Have you upgraded to WordPress 3.1 yet? If yes, have you used this feature? Do you find it useful and productive? Do let me know your views about it.

WordPress 3.0.4 Released; Critical XSS Security Patch

It looks like the WordPress team has been fixing a lot of security issues in the past few weeks. The team has just released WordPress 3.0.4, which fixes a core security bug in KSES, WordPress's HTML sanitization library.

The announcement on the WordPress blog rates this patch as critical and says it should be applied immediately: until it is, your website may be open to XSS attacks.

Earlier this month, the WordPress team had also released WordPress 3.0.2 and 3.0.3 which contained security fixes. If you were planning to put off your upgrade because of the holidays, please don’t do it since the bug is now in the open and can be exploited by the bad guys.

You will be able to upgrade WordPress from your dashboard.

WordPress 3.0.2 Released, Includes Mandatory Security Update

The WordPress team has released WordPress 3.0.2 to users. The WordPress 3.0.2 update includes a security fix making it a mandatory update.

This maintenance release fixes a moderate security issue that could allow a malicious Author-level user to gain further access to the site, addresses a handful of bugs, and provides some additional security enhancements.

You can download WordPress 3.0.2 from WordPress.org or use the automatic upgrade feature to upgrade it. Make sure to backup your blog before you upgrade, there are several ways to do it.
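Both the 3.0.4 and the 3.0.2 notices above come down to one question for anyone running several sites: which installs are still below the patched release? The script below is an added example, not code from the post or from the WordPress project. It reads the core version from wp-includes/version.php, which really does define $wp_version, and flags anything older than the release named in the 3.0.4 notice. The version.php contents are constructed sample data; the comparison is numeric so that, for instance, a hypothetical 3.0.10 is not mistaken for being older than 3.0.4 the way a plain string compare would.

```python
"""Flag WordPress installs whose core version is below the minimum patched release.

Added example, not part of the original post or the WordPress project. The
version.php text below is a constructed stand-in for wp-includes/version.php.
"""
import re

MIN_PATCHED = "3.0.4"  # release that fixes the KSES XSS bug discussed above

# Constructed sample contents of wp-includes/version.php on an unpatched site;
# real files carry more variables after $wp_version.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '3.0.3';
$wp_db_version = 15477;
"""

_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_wp_version(version_php: str) -> str:
    """Extract the $wp_version string from the text of wp-includes/version.php."""
    match = _VERSION_RE.search(version_php)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def version_key(version: str) -> tuple:
    """Turn '3.0.4' into a comparable tuple; pre-release suffixes (e.g. '-beta1') sort below the final."""
    core, _, suffix = version.partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))          # '3.1' compares as 3.1.0
    return tuple(parts) + ((-1,) if suffix else (0,))


def needs_upgrade(installed: str, minimum: str = MIN_PATCHED) -> bool:
    """True when the installed core version is older than the minimum patched release."""
    return version_key(installed) < version_key(minimum)


def check_site(version_php: str, minimum: str = MIN_PATCHED) -> dict:
    """Report the installed version and whether the site still needs the security update."""
    installed = parse_wp_version(version_php)
    return {
        "installed": installed,
        "minimum": minimum,
        "needs_upgrade": needs_upgrade(installed, minimum),
    }


if __name__ == "__main__":
    print(check_site(SAMPLE_VERSION_PHP))
```

Run it against each site's version.php (read over SSH or from a backup) and upgrade whatever reports needs_upgrade; the same check with the minimum set to 3.0.2 covers the Author-level privilege issue described in the earlier release.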

WordPress Wins Hall of Fame CMS Award

WordPress is a really good platform and has made blogging easier for millions of people including us. It has won several accolades in the past, but this year they went one step ahead by winning the Hall of Fame CMS Award at the Open Source Awards 2010.

Open Source Awards 2010

The Hall of Fame CMS award is given to a CMS that has won the Open Source CMS award at least once, and WordPress was a winner last year. The first runner-up for the Hall of Fame CMS award was Drupal, followed by Joomla.

This year, CMS Made Simple won the open source CMS award and was followed by SilverStripe and MODx. Here is wishing WordPress and all the other winners a hearty congratulations. Open Source and blogging would not have been the same without you folks.

Google Chrome Extension To Check WordPress.com Stats

If you are a WordPress.com user or have a self hosted WordPress.org installation, you might have heard about the WordPress stats plugin which tracks page views and hits to your website. If not then you might want to try it out here.

WordPress Stats in Google Chrome Extension

If you use the WordPress stats plugin and use Google Chrome, here is a quick way to check your stats without having to visit the site itself. The WordPress stats plugin is definitely useful when you want to check your stats, including top posts for the day, referrers, search terms and external clicks.

Interested? Go ahead and download the extension from here. You will need to enter your website URL and WordPress API key in the options page to start viewing your website stats. The API key is what authorizes access to your blog's stats, so treat it like a password and only hand it to extensions you trust.

FOSS Friday | WordPress vs. Thesis, Mandriva Drags on and Ubuntu keeps getting Better

This week in FOSS, we see a variety of happenings. As always, Ubuntu is generating buzz, this time with the latest Unity interface, and Mandriva Linux, which appeared dead earlier, has been resurrected.

GPL causes tension between WordPress and Thesis creator DIY Themes

The GPL has some confusing rules and terms. WordPress creator Matt Mullenweg has accused Chris Pearson of DIY Themes of GPL infringement, arguing that WordPress is released under the GPL and Thesis is built around WordPress yet remains closed.

However, Chris Pearson has a strong defense pointing out that WordPress is like a platform and Thesis is based around WordPress but does not inherit any code from it. That makes it free of any GPL bindings. However, upsetting WordPress creators will land Thesis in an uncomfortable position.

Read more.

Mandriva comes back, planning to stay afloat for now

Mandriva Linux went into oblivion a few months ago when the company behind it shut down. However, some organizations depended on Mandriva for their business and decided to bring Mandriva back on track.

Therefore, Mandriva will live for now. However, from now on it will be distributed exclusively through OEMs.

Read more.

Unity Ubuntu interface aims for features

The Unity interface for Ubuntu will ship from the next version onwards and has an impressive lightweight design. The folks at Ubuntu have now decided to focus on its features and functionality. With that in mind, it sports new features like Quicklists and global search.

Read more.