TypePad Connect for WordPress: Not feeling it

ReadWriteWeb report today that Six Apart have announced the release of some Six Apart plugins for Wordpress at Wordcamp Mid-Atlantic. RWW think this is “shocking”. If they think that counts as shocking they need to get out more….

I was intrigued enough to zip on over to their page for Wordpress users, and yes, sure enough, there are some shocking plugins available.

On initial examination, I kind of felt there wasn’t much new to it: wow a comment spam plugin, an advertising plugin… The only one that caught my eye was the TypePad connect plugin, and even that one I kind of knew wasn’t going to be a runner.

Yes it does lots of fantastic stuff, see the above page for a feature list, but it struck me that:

  • users had to go off to TypePad.com to register for your blog
  • comments were no longer stored on your own blog
  • the gains offered for the above are really not worth it

So I gave it the benefit of the doubt and installed the code on a test blog site. Installation itself is pretty easy, so no complaints there.

As expected, the newly activated plugin does make users go off to TypePad.com and create a TypePad account in order to become a member of your site. This doesn’t sit nicely with me: users click a link on your site and all of a sudden they are on TypePad.com being asked to enter their email address, set a password and give their date of birth (TypePad: you don’t need my DOB, you might think you do, but you just don’t).

Ok so if you do all that and post a comment on my site it shows up and there are all the extra goodies they mention on their page.

Some points against:

  • You no longer have comments stored within your own site
  • Comments are harder to manage: two different sites to manage your blog, your blog site and your comment site
  • Not offering much: threaded comments are available in WP 2.7.x, Comment Spam is not an issue with plugins
  • The community thing: wow, you can create profiles. Not a big seller for me.
  • I can’t find any option to export your comments back to WordPress if you choose to leave TypePad connect???

The very fact that comments are no longer stored within my own Wordpress database, not even duplicated there, is a deal breaker for me. Comment counts are often used in my work for listing most popular posts, etc. I see no need to have data stored elsewhere.

In short, there are some nice features here and I think it is great that Six Apart are opening up their work to other platforms, but so far, there is nothing here that makes me want to use one of their plugins.

TIP: If you think TypePad connect might be something you find useful, check out IntenseDebate also.

Comments (3)

Wordpress Plugins I love

I was recently asked if I could recommend some Wordpress plugins for a new site. Well, yes, I guess I have dozens installed across many sites for various reasons, but there are a few I would recommend for all sites. I had a look through some of the Wordpress powered websites I manage to see which ones I rate as worth looking at:

Akismet

If you allow comments on your blog, you should have Akismet. I have it running on a couple of blogs that generate hundreds of comments a month and rarely does any comment spam get through Akismet. On occasion there can be some genuine comments caught in the Pending queue, but this plugin saves me so much time, I cannot recommend it enough.

Subscribe to Comments

For those who are serious about getting some debate going in your blog comments, this is a must have. I only just noticed as I was looking at the plugins for this site that I didn’t have it installed yet! Allowing users to be notified when someone posts a new comment on a particular blog post is just so handy.

All in One SEO Pack

This is another one that I have installed in pretty much all my blog sites. I generally just use it for fixing up page titles, but as this is the first thing seen in search results, this alone makes it worth while.

FeedBurner Feedsmith Plugin

Feedburner is a fantastic service and this plugin makes integrating your Feedburner feed with Wordpress very simple.

Google XML Sitemaps

Really handy plugin that automatically creates and updates a Google sitemaps compliant xml sitemap. Of course the sitemap can be used by other search engines too. Particularly useful with google webmaster tools.

Register Plus

The registration form on a Wordpress site is one area that still lacks any customisation. This plugin goes some of the way, allowing you to add a logo and some css changes to the form. More importantly, it allows you to provide additional fields and prevents automated signups with captcha and email confirmation options. I use the email confirmation option on a couple of sites and it works a treat.

Similar Posts

Displays a list of related posts. The thing I like about this one is how configurable the options are. It always seems to display similar posts quite accurately. 

Search Meter

Search meter provides some insight into what visitors are typing into the search box on your blog and whether or not your current content is matching it. The report of searches resulting in 0 results is especially handy.

Sociable

In fact I only have sociable running on one blog. What I have found is that, unless your blog audience is fairly tech-literate, the use of these social bookmarking widgets can be hit and miss. I have had more success by custom coding various links and icons into templates based on the demographics of the site etc. In many of these I have used Addthis and Sharethis to track usage. I recommend Sociable as a good starting point though.

Comments (2)

The lock on my door is a Yale Model AG34

No, I don’t suppose that is the first thing you are going to tell a perfect stranger now is it? How about someone who has just called to your door? More unlikely still.

The Rant:
Which is why it really annoys me that some web applications insist on vanity tags displaying to the world what software system you are using, and worse still, sometimes it shows what version you are using!

Just what is required to execute a zero-day attack on your poor little website. Or indeed make it far too easy for evil minded people to find sites running out of date software.

Is it on your site?
Examine the source code of your web page. It will be between the “head” tags at the top of the page. Take for example the screenshot of the html code on a blog I visited the other day. You can clearly see from the generator meta tag that not only is the blog powered by Wordpress, but it is running version 2.5.1. In this example, the blogger is probably fine. There are a couple of security fixes released since Wordpress 2.5.1 was out in July, but none that I would rate as vital. But is it really a good idea to let the world know:
a) what web application you are running?
b) what exact version you have installed?
[Screenshot: Wordpress generator meta tag]

The cure
Now, I was going to go into a big rant about just how pointless I thought the generator meta tag was anyway, but I have decided to bite my tongue and concentrate on the real evil: including the version number.

This is just a plain old bad idea. I was really annoyed to see it creep back into the Wordpress blogs I manage recently as the location has been switched from the wordpress header template file to the Wordpress internals (from Wordpress 2.5 on). So even if you thought you had removed it, if you upgraded to 2.5 or later, it might be back in there again!

There is a relatively easy way to remove it again however, and this should be permanent unless they change this again in a future major version release.
Add the following line to the functions.php file of your Wordpress theme (within the php code tags):

remove_action('wp_head', 'wp_generator');

For other web applications, you may need to check the documentation or search the support forums for answers on how to remove the generator tag.
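
One way to run the "Is it on your site?" check against your own pages before and after the change, as an added example that is not part of the original post: the function takes a page's HTML and reports every generator meta tag along with any version number it gives away. The sample pages are constructed, and the names audit_generator and GeneratorAudit are made up for this example.

```python
from html.parser import HTMLParser
import re

# A dotted version number such as "2.5.1" (at least one dot, so a bare
# major number like "7" is deliberately not treated as a version).
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


class GeneratorAudit(HTMLParser):
    """Collects every <meta name="generator"> tag in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (content, version or None)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        if tag != "meta":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("name", "").strip().lower() != "generator":
            return
        content = a.get("content", "").strip()
        match = VERSION_RE.search(content)
        self.findings.append((content, match.group(0) if match else None))


def audit_generator(html):
    """Return [(content, version_or_None), ...] for each generator tag found."""
    parser = GeneratorAudit()
    parser.feed(html)
    return parser.findings


# Constructed sample pages (not taken from any real site).
BEFORE = """<html><head><title>My blog</title>
<META NAME="Generator" CONTENT="WordPress 2.5.1" />
</head><body><p>Hello</p></body></html>"""
AFTER = """<html><head><title>My blog</title></head>
<body><p>Hello</p></body></html>"""
NO_VERSION = '<html><head><meta content="WordPress" name="generator"></head></html>'

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER), ("no version", NO_VERSION)):
        findings = audit_generator(page)
        leaked = [version for _, version in findings if version]
        print(f"{label}: tags={findings} version exposed={bool(leaked)}")
```

An empty result after adding the remove_action line confirms the tag is gone from that page; a result with a version of None means the application name is still shown but the version is not.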

Comments (1)

Uninvited guests…

I have just recently switched this website from the Drupal CMS to Wordpress. Within the last 24 hours I have had the first symptoms of an irritation I have noticed on other blogs I manage. Almost as soon as the conversion was complete, I had two suspicious user sign-ups. Suspicious in that they occurred in very short order for a relatively low traffic website, and guess what, they both end in “.ru”, the Russian domain ending.

Now I am not in favour of tarring everyone with the same brush, I am sure most Russians couldn’t give an Abkhazia about my blog, but there is something fishy going on. Another blog I managed has over 1,500 registered users, yet over 800 of those users have emails ending in “.ru”.

So what is going on here? Initial suspicion was that this was a way of attempting to place spam comments on the blog, but that does not seem to pan out. Firstly, the Akismet plugin does not seem to have a problem catching comment spam whether the user is registered or not. Not that I could find any relationship between these “dodgy users” and the comments that had been placed into the Spam bin by Akismet.

So I haven’t worried too much about them since they don’t seem to be doing any damage.

As I mentioned earlier, this is a new blog. Comments have been open on it, but I have only just activated the Akismet plugin. So there were about 24 hours during which comment spam could have been placed on the blog yet it wasn’t, even by the suspicious new users. Strange huh?

It seems then that there must be another reason for these signups other than comment spam. They may be trying to exploit known vulnerabilities in older versions of Wordpress.

In any event, to see if I can cut this out, I have installed a new plugin, Register Plus. This has quite a number of nifty features around user registration which have been a bit lacking in Wordpress to date. The features I have so far activated are:

  • Email address confirmation for new users
  • Users can set their own passwords
  • Custom logo on the registration page

There are a number of additional features worth checking out, but so far those are the ones I will be using.

I will see how I get on over the next few weeks and if successful, I will roll out the plugin to other Wordpress sites I manage.

My suspicion is that these “dodgy signups” are driven by an automated bot and this may well not be able to use the new registration form. If that fails, then I am pretty sure the email addresses are invalid and therefore the user accounts are not activated and will be removed after 7 days.

In the last resort, there is also a captcha feature, but I would prefer not to have to use that. Hate the bloody things!

Another blogger who doesn’t think much of the fake user signups is using the Sabre plugin, but I am going to see how I get on with Register Plus before employing yet another plugin that only does one specific task. It becomes a nightmare to manage them all.

Comments

Quick Wordpress Tip: Changing Permalinks

If like me, you are sometimes adding content created elsewhere to a Wordpress blog (in my case adding new articles to the website of a journalist client of mine), you might find yourself simply cutting and pasting the content and title into the Wordpress write post form.

One thing that has slightly miffed me is that I can sometimes place the cursor in the title field and then, for whatever reason, I might move it elsewhere, say to the post body etc. This may not seem like a big issue, but the permalink (the url given to the Wordpress post) can sometimes contain the words of your post title (this is often good for SEO purposes). This permalink is updated when you move your cursor from the title field to somewhere else on the page. It then takes the title and creates a search engine friendly url with those words.

If you either did not put in the correct title, or as I often do, did not put in anything, the permalink may not therefore contain exactly what you want it to (you will see a preview of it in grey directly underneath the title field).

Up to now, I found this quite annoying as I had to then click the edit link and edit the permalink manually. Simply updating the title will not change the permalink. This might seem trivial, but Wordpress automatically formats the permalink for search engine consumption, removing punctuation marks and placing dashes between words. Doing this manually is a pain.

There is a fast and easy workaround:

1) Put the correct title into the title field
2) Click the permalink edit link
3) Hit ctrl A, then delete to select all and delete from that field
4) Hit save

And hey presto, instead of a blank permalink, it then goes back to the title field and takes your updated title.

Comments

Rather spiffy clientele

I’m very pleased for one of my very good clients, David McWilliams, who has just recently been selected as a Young Global Leader by the World Economic Forum. The only Paddy on the list!

I’ve been involved in the McWilliams web project since its start in 2003. It has only recently switched over to a WordPress powered site.

The WEF selection means that David will have access to some very interesting individuals in the coming years and hopefully we can utilise this in our Podcasting experiment which is still in its infancy.

Comments

WordPress: Are your users’ email addresses secure?

Jason Roe has pointed out a potential security issue for Wordpress which I picked up on via boards.ie.

The issue can allow someone to scrape email addresses and other contact details from a wordpress site that allows user registration on it.

In the grand scale of things, it isn’t the worst, but it certainly is not kosher to allow someone’s email address to be seen when you have assured them it will be private.

This was of concern to me as I recently completed a project that is powered by Wordpress and there are several hundred registered users. I zipped on over and sure enough, it was vulnerable (it was running Wordpress 2.04).

I immediately went about upgrading to the latest version of Wordpress 2.0x, version 2.06. This is not affected, but there is a mistake in the related code. Line 60 of the file /wp-admin/user-edit.php has the following:

die__('You do not have permission to edit this user.');

It should be

die(__('You do not have permission to edit this user.'));

It isn’t a biggie, it just throws a php error rather than telling the nosey parker to mind their own beeswax. I will report it to Wordpress now if someone hasn’t already.

Wordpress is an increasingly popular web publishing tool and with popularity comes security holes, from simple bugs like this one not being spotted through to people running versions that should have been upgraded a year ago. On the whole, I’m comfortable with its standard of coding and security.

I’m quite sure other, less popular applications have as many issues, but they go unnoticed without as many users poking and prodding the software.

It is sometimes easy to be lazy and leave that upgrade to another day, but issues like this highlight the importance of keeping up to date with the latest developments of your chosen web applications.

Comments