WordPress 1.5.2 now available

WordPress 1.5.2 now available for download from the WordPress website.

Upgrading from a previous incarnation of version 1.5 is simply a case of backing up the MySQL database, backing up the current WordPress installation, deleting everything apart from \wp-content and wp-config.php, and then uploading the new files. That’s it.

WordPress 1.5.2 contains a number of security fixes, bug fixes, and a new “Save and Continue Editing” button for Pages (although I’ve just noticed that this is only available once you have actually created a new page, which I guess makes sense).

I love WordPress. It’s simple to install, use, develop, and upgrade.

Hacked again (pt.2)

I got back from Cellardyke tonight to discover that my site had been hacked once again. This time I didn’t delete the files they’d dumped on my server; I’ve zipped them and sent them to my webhost for examination.

I’m now wondering if they’ve used a Linux kernel exploit to gain root access to the server. That’s pretty serious stuff, and if that is the case then I do hope my webhost get the kernel patched asap. If it’s not, then I hope they help me get to the root of this problem.

I got hacked!

I’ve just sent an email to my webhost, HostEurope/Pipex, to ask if they can shed any light on how/why my website got hacked. This morning I received this email, written at 19:42 last night:

Check this address – some one has invaded your site
Kathryn
https://www.garethjmsaunders.co.uk/index.html

and sure enough, my website front page had been replaced with a two word plain text file that read “F*ck .uk” (but with no asterisk).

I’ve now replaced the offending/offensive page with my original page and will await to see if Pipex can shed any light on how or why it was hacked, and what I (or they) can do to prevent this in the future.

WordPress: Upload code hack

Something that annoys me a little about WordPress — that has changed between v.1.2 and the latest v.1.5 — is the code it automatically generates for uploaded image files.

When you Upload a file WordPress automatically generates the XHTML code for you, so that you can simply copy and paste it into a post or page, for example:

<img src='https://www.garethjmsaunders.co.uk/wp-content/image.jpg' alt='Description of image here' />

But you will notice that it has surrounded the URL and alt description with single quotation marks (') rather than double ("). I'm a fan of double-quotation marks here. So I've made a simple hack to the upload code:

How to hack upload.php

Here's how to change the code in your WordPress 1.5 installation to ensure that it will always give you double-quotation marks (") in the auto-generated XHTML code:

  1. The code for uploading files is contained in the file wp-admin/upload.php within your WordPress installation.
  2. Open the file in your text editor of choice (I prefer 1st Page 2000) and scroll down to about line 202
  3. There you will see the following lines of code:

    $piece_of_code = "<img src='" . get_settings('fileupload_url') ."/$img1_name' alt='$imgdesc' />";
    else
    $piece_of_code = "<a href='". get_settings('fileupload_url') . "/$img1_name' title='$imgdesc'>$imgdesc</a>";

  4. Simply replace these lines with the following:

    $piece_of_code = "<img src=\"" . get_settings('fileupload_url') ."/$img1_name\" alt=\"$imgdesc\" />";
    else
    $piece_of_code = "<a href=\"". get_settings('fileupload_url') . "/$img1_name\" title=\"$imgdesc\">$imgdesc</a>";

  5. You will notice the subtle alteration of escaped quotation marks (\") replacing the previous single quotation marks ('). The backslash before the quote tells PHP to regard the quotation mark as a text character rather than as part of the syntax of the code.
  6. Now save this file, and upload it (no pun intended) to your WordPress installation.
  7. er…
  8. that's it!