making bbPress (and WordPress) work better!

WP development

To Save the Future of WordPress, Steal This Idea…

A Little History…

Nearly 13 years ago, Michel Valdrighi quietly added some code to his
program which unknowingly was to become one of WordPress’s greatest abilities:

http://cafelog.cvs.sourceforge.net/viewvc/cafelog/zerodotx/b2-include/b2template.functions.php?hideattic=0&r1=1.49&r2=1.50#l1057

That code commit back in October 2002 contains a single note: “now with b2_filter support !” – perhaps the exclamation point exposing a little thrill that this was something new and exciting, but I have to wonder if he could actually imagine what it really meant for the future.

In fact, with the addition of those functions (add_filter/apply_filters), one can begin to easily recognize some of the oldest source code as WordPress itself, compared to earlier versions.

(more…)


WordPress.com has 2200 servers

500 of them are just for MySQL with 500 million tables. More here:


undocumented WordPress.org Plugin API for plugin authors

Did you know you can get info about plugins in WordPress.org’s extend section in json or xml format? Virtually all the info about the plugin is available in machine readable format.

It’s as simple as adding the plugin’s stub name (its slug) to the end of this URL, like so:

xml: http://api.wordpress.org/plugins/info/1.0/hello-dolly.xml
json: http://api.wordpress.org/plugins/info/1.0/hello-dolly.json
php serialize: http://api.wordpress.org/plugins/info/1.0/hello-dolly.php

You can request partial info or info on multiple plugins via the full API, which is not documented anywhere except this message from last year:
http://comox.textdrive.com/pipermail/wp-hackers/2009-January/023505.html

PHP code example:
http://wordpress.pastebin.com/raw.php?i=7Ji8rD2P

It was written by DD32 (aka Dion Hulse)

Missing from the version 1.0 API are a few finer details like “downloads yesterday” & “last week”, but those can always be derived from the graph data, like so:

http://wordpress.org/extend/stats/plugin-xml.php?slug=hello-dolly

Graphing was just added to the bbPress.org side but the full API does not appear to be available (yet).
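The following is an added example (not code from the post or from WordPress.org) of calling the 1.0 endpoint from a plugin and of deriving the “yesterday” and “last week” figures from daily graph data. It assumes WordPress’ HTTP API is loaded; the field names name/version/downloaded are the 1.0 response fields as I recall them, the parsing of plugin-xml.php is not shown, and the sample numbers are constructed.

```php
<?php
// Added example, not code from the post: validate a plugin slug, fetch its
// info from the 1.0 JSON endpoint, and derive "yesterday"/"last week"
// download counts from daily stats. Assumes WordPress' HTTP API is loaded.
// Field names (name, version, downloaded) are as I recall the 1.0 API; the
// sample numbers at the bottom are constructed.

// Only the characters a wordpress.org slug can contain, so a caller cannot
// smuggle path segments or a query string into the API URL.
function wpd_valid_plugin_slug( $slug ) {
    return (bool) preg_match( '/^[a-z0-9][a-z0-9-]{0,99}$/', $slug );
}

// Use the .json endpoint rather than .php: json_decode() never builds
// objects, whereas unserialize() on a fetched body can instantiate them.
function wpd_plugin_info( $slug, $fields = array( 'name', 'version', 'downloaded' ) ) {
    if ( ! wpd_valid_plugin_slug( $slug ) ) {
        return false;
    }
    $res = wp_remote_get( 'http://api.wordpress.org/plugins/info/1.0/' . $slug . '.json' );
    if ( is_wp_error( $res ) || 200 != wp_remote_retrieve_response_code( $res ) ) {
        return false;
    }
    $data = json_decode( wp_remote_retrieve_body( $res ), true );
    if ( ! is_array( $data ) ) {
        return false;
    }
    // Keep only the fields we asked for; ignore the rest of the remote body.
    $out = array();
    foreach ( $fields as $key ) {
        $out[ $key ] = isset( $data[ $key ] ) ? $data[ $key ] : null;
    }
    return $out;
}

// $daily is date => downloads as parsed from plugin-xml.php (parsing not
// shown). Assumes the newest entry is yesterday's complete day.
function wpd_download_windows( array $daily ) {
    ksort( $daily );
    $counts = array_values( $daily );
    return array(
        'yesterday' => end( $counts ),
        'last_week' => array_sum( array_slice( $counts, -7 ) ),
    );
}

// Constructed sample, not real hello-dolly numbers.
$sample = array( '2010-03-01' => 40, '2010-03-02' => 55, '2010-03-03' => 61 );
var_dump( wpd_download_windows( $sample ) );
```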


every WordPress install vulnerable to new security hack

Remember the mysterious babloo/blyat attack that hit many blogs including xkcd and is continuing in the wild? Here’s how they did it:

coresecurity.com : WordPress Privileges Unchecked

It’s just mind-boggling that the WordPress people:

1. knew about it since June 4th
2. took OVER A FULL MONTH to release a fix (June 4th – July 8th)
3. left ALL previous versions of WordPress flapping in the wind
4. published no advisory as to how to manually patch existing installs

bbPress 1.0 is possibly affected by this vulnerability now that it uses the WP core
bbPress 0.9 might be immune

added 7/13

I don’t know if this is a reasonable security patch for existing WP installs but the logic seems to make sense to me so far. It might break plugins like subscribe-to-comments or anything else that interacts with regular users through the admin interface.

The problem seems to be this line in admin.php

include(ABSPATH . PLUGINDIR . "/$plugin_page");

Since there is no natural, single action before it to hook (the action name includes the plugin name), the file will have to be edited; add something like this BEFORE the above line:

if ( ! current_user_can('level_2') ) {
    wp_die(__('You are not allowed here.'));
}

This only allows Authors and above to use plugins via the admin menu.

The WP legacy where regular members are allowed into the admin area, but with reduced privileges, has always been very messy, and this is yet another time it has come back to haunt WP adopters. The good news is that at least bbPress learned from the mistake and does it differently.
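As an added example (not the post’s own patch), here is a finer-grained guard for the same include line: it rejects unsafe paths and requires manage_options by default, while letting a plugin declare a weaker capability for the one page it really needs to expose, so plugins like subscribe-to-comments need not break. It assumes the WordPress 2.8-era functions validate_file, current_user_can, apply_filters and wp_die; the filter name wpd_plugin_page_caps and the capability map are hypothetical.

```php
<?php
// Added example, not the post's own patch: a finer-grained guard for the
// include(ABSPATH . PLUGINDIR . "/$plugin_page") line in admin.php.
// Assumes the WordPress 2.8-era functions validate_file, current_user_can,
// apply_filters and wp_die. The page-to-capability map and the filter name
// wpd_plugin_page_caps are hypothetical, invented for this example.

function wpd_guard_plugin_page( $plugin_page ) {
    // Never include a path that climbs out of the plugin directory.
    if ( 0 !== validate_file( $plugin_page ) ) {
        wp_die( __( 'Invalid plugin page.' ) );
    }

    // Default to administrators only. A plugin that legitimately shows a page
    // to lower roles (subscribe-to-comments, say) registers a weaker capability
    // for that one file via the filter, instead of every plugin page opening up.
    $caps = apply_filters( 'wpd_plugin_page_caps', array(
        'subscribe-to-comments/subscribe-to-comments.php' => 'read', // hypothetical path
    ) );
    $required = isset( $caps[ $plugin_page ] ) ? $caps[ $plugin_page ] : 'manage_options';

    if ( ! current_user_can( $required ) ) {
        wp_die( __( 'You are not allowed here.' ) );
    }
}

// In admin.php, immediately before the include():
//     wpd_guard_plugin_page( $plugin_page );
```

If a plugin page stops working, add its file to the filter map with the capability it actually needs rather than relaxing the default.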


WordPress 2.8 might break login compatibility (again)

Remember how they changed the login cookie in WordPress 2.5?

Then they realized they got the security model wrong, so they changed it again in 2.6, causing more backward compatibility problems. (Then they finally added HttpOnly in 2.7.)

So now that it’s all working and stable, guess what: they are tampering with it again:
(more…)


simple WordPress and bbPress security plugin to block long requests

I opened a WordPress security ticket today about something that’s been bothering me for a while: Apache will accept long URL queries up to 8k (8192) characters in length, but it’s completely unnecessary and allows XSS exploits to get into WordPress and bbPress. Why not block them entirely with this scrap of a plugin? (Save it as “_block_long_queries.php”, without the quotes but with the leading underscore, so it loads as early as possible, doesn’t need activation, and can’t easily be deactivated by hackers.)
(more…)
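The post’s own plugin is behind the link above; what follows is an added example reconstructing the idea, not the author’s code. It assumes the file lives in wp-content/mu-plugins/ (which is what “doesn’t need activation” and the leading-underscore load order imply), and the 1024-character limit is a constructed value to tune per site.

```php
<?php
// Added example reconstructing the idea in the post, not the author's plugin:
// drop it into wp-content/mu-plugins/ as _block_long_queries.php so it loads
// first and needs no activation (assumes the mu-plugins directory, WP 2.x+).
// The 1024-character limit is a constructed value; tune it to your site.

define( 'WPD_MAX_REQUEST_LENGTH', 1024 );

// Returns true when the request line or the query string exceeds the limit.
// Both are checked because a short path with a huge query string and a huge
// path with no query string are equally abnormal for WordPress.
function wpd_request_too_long( $request_uri, $query_string, $limit = WPD_MAX_REQUEST_LENGTH ) {
    return strlen( $request_uri ) > $limit || strlen( $query_string ) > $limit;
}

function wpd_block_long_request() {
    $uri   = isset( $_SERVER['REQUEST_URI'] )  ? $_SERVER['REQUEST_URI']  : '';
    $query = isset( $_SERVER['QUERY_STRING'] ) ? $_SERVER['QUERY_STRING'] : '';
    if ( ! wpd_request_too_long( $uri, $query ) ) {
        return;
    }
    // 414 is the status for an over-long request target. Log only the length
    // and the source, never the URI itself, so the payload stays out of the log.
    error_log( sprintf( 'blocked request of %d bytes from %s',
        strlen( $uri ), isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-' ) );
    header( 'HTTP/1.1 414 Request-URI Too Long' );
    header( 'Content-Type: text/plain' );
    exit( 'Request too long.' );
}

wpd_block_long_request();
```

This only inspects the request line; over-long POST bodies are bounded by Apache’s LimitRequestBody and PHP’s post_max_size, not by this file.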


stuff I would have wanted to see at WordCamp SF 2008

Apparently they crammed it all into one day this year and the tech stuff was held separately (downstairs) from the general stuff (don’t want those devs and general users to mingle, ruh roh!)

I don’t fly so I was hoping for some audio or video recordings. I found a live video feed from some bloggers upstairs but nothing downstairs (at least not that I could find). I need to hunt down the slideshows for Crazyhorse, BuddyPress, Nginx etc. Finding a schedule of the tech stuff would probably be a good start, I found one for the general stuff upstairs but not downstairs. ZDnet covered only the non-dev side, but in detail.

Was there *no* bbPress presentation this year at WordCamp? Really?
Twitter went insane with WordCamp stuff!
added: some really good notes from Jeremy Person
(more…)