WordPress Plugin Security Issues

Over on Weblog Tools Collection, Jeffro recently posted about Dean’s Permalink Migration Plugin, which has a bug that can let an attacker force a user into performing an unsolicited action, allowing the attacker to gain valid credentials, or basically, access to your blog.

While someone stepped up to the plate and released a new, fixed version after the original author couldn’t be contacted, it still brings up the issue of continued WordPress plugin security.

As WordPress moves closer to the new 2.5 release, due out this spring, will the plugin authors who develop the plugins we have come to depend on continue to support and develop their work so that the community can continue to benefit, or will new plugin authors have to step in to fill that role?

Who is responsible for the security of the plugins created? When will the WordPress community demand a group of standards to help improve the security of both WordPress plugins and themes?

I hope this issue is dealt with long before the next major version of WordPress. And while I hate to give Automattic more power and control over the WordPress open source project, I do think that they are the best suited to step up and hire someone to organize and check over WordPress plugins submitted to the plugin directory on WordPress.org.

I want to make this clear, though: I don’t think the person from Automattic should become responsible for security issues related to plugins, but another set of eyes, focused on finding security issues, could help save many blogs from problems down the road.

Originally posted on January 28, 2008 @ 3:50 pm

Disconnect to Increase Productivity

So today, I decided to get away from home, and not go somewhere with Internet access. I didn’t want wi-fi. I didn’t want instant messaging. I opened all the reference material and wrote down a dozen ideas for articles before I left, and then went to the local mall and sat in the noisy, busy, uncomfortable food court.

I didn’t have access to the Internet, and I got more work done. Why is that?

Once I got to the food court, set up my laptop, and began writing, I realized. While it is noisy, there are no distractions. I don’t have a phone, no instant messages, no e-mail and no gaming consoles.

While it is uncomfortable, I know that the more work I get done, the sooner I can leave, and go back home to the comfort of my office.

While my battery ticks away, I know I am in a race against time, and so every bit of my attention, and energy is being poured into creating great content, organizing my thoughts, and ideas, and really getting some work done.

It feels great to disconnect, and just work without distraction. Highly recommended for a blogger having productivity issues.

Originally posted on January 25, 2008 @ 7:07 pm

The Basics of WordPress: Permalinks

What are they?

Permalinks are the permanent links to your posts or pages. Most WordPress users prefer what are considered “clean” or “pretty” permalinks, where information such as the title of the post, or even the date, is put in the link. The WordPress default is to use post numbers, but that doesn’t look very professional, nor does it help to easily identify a post or page.

By default you’ll see something like:
www.domainname.com/index.php?p=25

But this section will help you change that to:
www.domainname.com/2007/a-little-about-me/

WordPress uses the ?p=postnumber links because they work across all servers that meet WordPress’ requirements.

How to change them?

Log into your WordPress administration area, and go to Options, and then Permalinks. You will see some text, as well as a few options.

WordPress Permalinks

Included WordPress Options

WordPress makes changing permalinks very easy. Out of the box, the default option, with the question mark and post number, should be selected. Again, this isn’t a very good selection, as it doesn’t give any information about the post or page that the reader will be going to.

Next there is date and name based. This is one that I have used for a long time; search engine experts sometimes say that such articles look like they are buried too deep within a directory structure to the search engines, but it is still one of my favorite options.

Thirdly, there is numeric. Much like the default option, having numeric post URLs doesn’t lend much information about the article.

Lastly, there is an option to set a custom structure. This is the option most used, at least in my recent experience. It allows you to create your own structure for your blog, using the built-in structure tags from WordPress.

One of the most common custom structures I see is /%postname%/, which will make all your posts look like www.domain.com/postname/. This makes it very easy to recognize articles, as well as to share links to your blog posts, and it is said to have the most search engine benefit.

I am still a fan of at least having the year before my post name, so that people can instantly tell how old an article is, but others tell me that great articles are timeless. If you want the year before your post name, the custom structure that you would use is /%year%/%postname%/.
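As an added illustration (not code from the original post, nor WordPress’s own implementation), the following Python expands the structure tags discussed above for a single post; the `slugify` helper is a hypothetical approximation of how WordPress sanitizes a title into a URL slug, and only a subset of the real tags is supported.

```python
import re
from datetime import date

# Structure tags this helper understands (a subset of WordPress's own tags; assumed here).
KNOWN_TAGS = {"year", "monthnum", "day", "postname", "post_id"}


def slugify(title: str) -> str:
    """Reduce a post title to a URL-safe slug (lowercase, hyphen-separated, ASCII only)."""
    slug = title.lower()
    slug = re.sub(r"[^a-z0-9]+", "-", slug)   # collapse anything non-alphanumeric into one hyphen
    return slug.strip("-")


def expand_permalink(structure: str, post_id: int, title: str, published: str) -> str:
    """Expand a custom structure such as /%year%/%postname%/ for one post.

    `published` is an ISO date string (e.g. "2007-06-01"), as stored in the posts table.
    An unknown tag raises ValueError instead of being emitted verbatim into the URL.
    """
    when = date.fromisoformat(published)
    values = {
        "year": f"{when.year:04d}",
        "monthnum": f"{when.month:02d}",
        "day": f"{when.day:02d}",
        "postname": slugify(title),
        "post_id": str(post_id),
    }

    def substitute(match: re.Match) -> str:
        tag = match.group(1)
        if tag not in KNOWN_TAGS:
            raise ValueError(f"unknown permalink tag %{tag}%")
        return values[tag]

    path = re.sub(r"%([a-z_]+)%", substitute, structure)
    return path if path.startswith("/") else "/" + path


def default_permalink(post_id: int) -> str:
    """The out-of-the-box WordPress form, which works on any server meeting its requirements."""
    return f"/index.php?p={post_id}"
```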

For more information on Permalink options, check out the WordPress Codex.

Originally posted on January 10, 2008 @ 9:30 pm

Understanding Search Engine Penalties

A friend of mine contacted me asking my opinion on why Google isn’t loving Celebrity Cowboy. Celebrity Cowboy is a celebrity blog that should be ranking well for a variety of terms but is, for some reason, continually under-performing for its niche.

Celebrity Cowboy

I told him that I would take a look at it, and while my speciality isn’t really search engines, I did notice a few things right off the bat.

Code

Positioning
One of the first things I noticed about the XHTML generated by the theme used at Celebrity Cowboy is that the blogroll is near the top of the page, with more than twenty items linking out to other sites. While this is only on the front page of the site now, it wasn’t always like this and could have led to a black mark for the site.

Then there is the content, and then the list of internal links to each one of the more than two dozen categories. Could Google be penalizing the site for having so many outbound links at the top of the page of code, and so many links near the bottom? Could they see this as an attempt to affect search engine rankings by stuffing links into a site?

Things like this have happened before and Google has always been harsh on such things. The flip side though is that all of these links are relevant. Google doesn’t penalize for relevant links, do they?

With Google’s war against paid links, I would be surprised if a few sites got caught in the crossfire, and with these links being site-wide, Google may have mistaken them as paid links.

No doubt they would like sites to make sure to nofollow their blogrolls and other external links that aren’t part of the normal daily content, despite being relevant.

Validation
The theme that Celebrity Cowboy is using doesn’t validate. Google has proved time and time again that if you don’t work hard on making your code valid, you can cause yourself to drop in the rankings, and even sometimes to be marked as a “bad” site.

Sometimes sites get listed on stopbadware.org just because their JavaScript doesn’t work correctly, or advertising doesn’t load properly. I have seen this happen to more than a few sites.

Fixing up as many validation issues as possible could help remove the penalty placed on the site, as Google’s indexing bots might then be able to index the content more efficiently, and without error.

One of the things I first noticed was that there is an ID used more than once, something that probably doesn’t affect the Google search bots, but is not correct in XHTML. Classes should be used for repeating items, not IDs.

Correcting such things should also improve how various browsers render the site, which could have the side effect of increasing traffic, page views, and even links to the blog.

Just Plain Strange
There was one more thing about the coding of the site that really got me scratching my head. The header image is displayed via CSS, and so rather than showing an image with the proper hyperlink code around it, the coder chose to use JavaScript to turn the div that displays the header into a clickable item that uses location.href to bring the visitor back to the index page.

To me this seems like a very bad way to achieve this effect, and probably not one that Google looks highly on.

Originally posted on January 9, 2008 @ 9:36 am

Guest Post on John Cow

So recently, John Cow decided to head off for a nice vacation, and opened up his blog for guest posts. I was really excited about the idea, since his blog has more traffic than my own.

I carefully constructed a post that, while outside his normal topic area, would still be of great interest to a wide variety of bloggers. I decided to talk about working for a blog network. This is something I know a little bit about, having now worked for two relatively strong blog networks. Bloggy Network was smaller in personnel, but had some A-List sites in its stable. Splashpress Media is huge by comparison, both in number of sites and employees.

I assumed writing such a post would bring in a fair bit of traffic, and maybe some new subscribers, but what I quickly realized is that people read John Cow for its wit and advice, and I am a much more serious person. As such, his audience didn’t seem to latch on to the way I write, or the type of content I produce. The traffic increase wasn’t noticeable, nor was there any jump in my subscribers.

Does this mean I failed with my guest post? Well, not really. The post allowed me to increase my reach, my sphere of influence, and link back to this blog. All of which are great things for the long term development of this blog.

Would I do it again? Most likely, but not on John Cow’s blog. I would try to get a post on a blog that fit my own audience demographic a little better, which would hopefully create more of an interest in this blog and what I write here.

Originally posted on January 29, 2008 @ 7:54 am