
Archive for the 'Web Apps' Category

Configuring a Paypal Checkout on Gallery 2

These days, Gallery is a massive image-oriented CMS (so much so that the developers are refocusing on their core objectives for version 3), with a ton of modules / plugins and themes. It should be no surprise, therefore, that it’s easy to add a cart / checkout to it.


How long can a vulnerable web script last online before it is compromised?

Remember, some years ago now, all the (justifiable) furore around how long you could connect a vulnerable Windows PC to the net before it got hacked / infected? The statistic ended up being 20 minutes, i.e. not long at all.

I’ve not seen any similar research (at least as widely publicised) for popular web apps such as Wordpress, SMF, Joomla etc., but the statistic has to be something pretty similar. Watching my own logs, and the logs of the systems at work, script installs that have never been compromised are probed regularly for vulnerabilities. Those that have been compromised before are probed even more regularly, making it likely that they’ve made it onto “suckers lists” that are passed around or sold.

Web scripts that have been compromised, or used to launch attacks on others, are normally seen as a sign of bad administration by the site owner, and this is sometimes the case; however, in a lot of cases the odds are still stacked against even the vigilant web site operator. Whilst many scripts now have built-in update notifications in their admin panels for security updates to their core installs (and sometimes for plugins too), there is an inevitable time lag between any announcement and the admin:

  1. Seeing it.
  2. Being able to action the upgrade.

Script / CMS developers can do more here to help. Part of the install for any web forum or blog should be signing up the owner’s email (or another email of choice) to a security update notification feed. Can you offer security notifications by SMS for a small extra charge?

Backup configuration should also be part of the core install and not left to third-party plugins. Yes, this is extra work, but with these in place there isn’t a lot more you could humanly do to protect site owners.

Wordpress now has one-click upgrade options for plugins and, with 2.7, for the main script itself, providing you’re running a server setup (suphp or similar) that can support it; this is great. Whilst automatic (i.e. without site owner intervention) upgrades are becoming possible, the large variety of server configurations out there makes this less realistic in the short term, although it would be nice to see the feature experimented with in more web apps. Somewhat rightly, most site owners would probably be suspicious of automatic upgrades anyway.

Options could also be added to automatically put the install into a maintenance / offline mode so that it cannot be attacked until a severe issue is patched. Whilst most who make money from their site (but don’t have 24/7 IT staff to do upgrades, and believe me this is an awful lot of people) wouldn’t initially like the idea, you have to consider what’s worse:

  1. Your site being down for an afternoon until you’re available to patch it.
  2. A listing at Google badware, as well as having to replace your file base / database from a clean backup.

If you’ve seen any research into the above question, I’d be interested in a link ;)

Finding the current Joomla Version

This is just a quick aide-mémoire for how to find the current Joomla version in use if you do not have direct access to the admin panel. The version information can be found in

libraries/joomla/version.php
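As an added example (not from the original post), a small Python checker that pulls the release number out of that file, useful for inventorying installs on a host where you can read the files but not log in to the admin panel. The file excerpt below is constructed to match the layout of Joomla 1.5’s version.php; the field names RELEASE and DEV_LEVEL are the ones that file uses, and the check_install helper and the "current" version you pass in are assumptions for the example.

```python
import re

# Constructed excerpt in the shape of libraries/joomla/version.php. Joomla 1.5
# declared the fields with "var"; later releases use "public". Both are matched.
SAMPLE_VERSION_PHP = """<?php
class JVersion
{
    /** @var string Product */
    var $PRODUCT    = 'Joomla!';
    /** @var int Main Release Level */
    var $RELEASE    = '1.5';
    /** @var string Development Status */
    var $DEV_STATUS = 'Stable';
    /** @var int Sub Release Level */
    var $DEV_LEVEL  = '9';
}
"""

# Picks up "$FIELD = 'value';" regardless of the var/public keyword or spacing.
FIELD_RE = re.compile(r"\$(PRODUCT|RELEASE|DEV_STATUS|DEV_LEVEL)\s*=\s*'([^']*)'")


def joomla_version(source):
    """Return 'RELEASE.DEV_LEVEL' (e.g. '1.5.9') parsed from version.php text,
    or None when the expected fields are not present."""
    fields = dict(FIELD_RE.findall(source))
    if "RELEASE" not in fields or "DEV_LEVEL" not in fields:
        return None
    return f"{fields['RELEASE']}.{fields['DEV_LEVEL']}"


def is_behind(found, current):
    """True when the install's version sorts below the release you track.
    Components are compared numerically, so '1.5.9' < '1.5.15'; a non-numeric
    component (dev builds) counts as 0."""
    def as_tuple(v):
        return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))
    return as_tuple(found) < as_tuple(current)


def check_install(path, current):
    """Hypothetical helper: read version.php from a copied or mounted install
    and report (path, version, state) for a quick inventory listing."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        found = joomla_version(fh.read())
    if found is None:
        return (path, None, "unrecognised version.php")
    return (path, found, "behind" if is_behind(found, current) else "current")
```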

Hacked Wordpress Recovery

Interesting to see this post from WP developer Donnacha on removing various popular nasties from a Wordpress install after it has been hacked or compromised.

At work we often see instances where it is not possible simply to return a user’s CMS install to a pre-hack backup and then upgrade (the safest course of action) because of:

  1. Confusion over when the hack(s) / compromises first occurred.
  2. Confusion over what legitimate content / changes have been made since.
  3. No obviously clean recent backup existing.

So we’re often left with a script / CMS install that needs to be cleaned up and upgraded. Where suspicious files have been uploaded, these are often easy to locate because of the sheer number of requests for them, for example from vulnerable PCs that have been tricked into trying to download a virus or trojan loader. Malicious JavaScript added to core or template files can be more difficult to spot in this manner, as are disguised files referenced from the CMS’s database.
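As an added illustration (not part of the original post), the request-volume heuristic described above run over access-log lines in Python: any path that is absent from a manifest taken from a clean copy of the same CMS version, and is fetched repeatedly by many distinct clients, is listed for manual inspection. The manifest, the log lines and the thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" style access log line: client IP, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" \d{3} \S+'
)

# Constructed manifest: paths that exist in a clean copy of the same CMS version
# (in practice, generate it with `find` over a fresh download of that release).
CLEAN_MANIFEST = {
    "/blog/", "/blog/index.php", "/blog/wp-login.php",
    "/blog/wp-content/themes/default/style.css",
    "/blog/wp-includes/images/blank.gif",
}

# Constructed sample log: normal traffic, a legitimate upload fetched twice by one
# visitor, and a burst of requests for an unexpected file from many different clients.
LEGIT = """\
203.0.113.5 - - [10/Jan/2009:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5123
203.0.113.5 - - [10/Jan/2009:10:00:02 +0000] "GET /blog/wp-content/themes/default/style.css HTTP/1.1" 200 1410
203.0.113.9 - - [10/Jan/2009:10:05:00 +0000] "GET /blog/wp-content/uploads/2009/01/holiday.jpg HTTP/1.1" 200 88210
203.0.113.9 - - [10/Jan/2009:10:05:30 +0000] "GET /blog/wp-content/uploads/2009/01/holiday.jpg?x=1 HTTP/1.1" 200 88210
"""
BURST = "\n".join(
    f'198.51.100.{n} - - [10/Jan/2009:11:{n:02d}:00 +0000] '
    f'"GET /blog/wp-content/uploads/2009/01/loader.exe HTTP/1.1" 200 61440'
    for n in range(10, 30)
)
SAMPLE_LOG = LEGIT + BURST + "\n"


def suspicious_paths(log_text, manifest, min_hits=5, min_clients=3):
    """Return [(path, hits, distinct_clients)] for paths absent from the clean
    manifest that attract many requests from many different clients, busiest first."""
    hits = Counter()
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                  # skip lines that do not parse
        path = m.group("path").split("?", 1)[0]       # ignore the query string
        hits[path] += 1
        clients[path].add(m.group("ip"))
    return [
        (path, n, len(clients[path]))
        for path, n in hits.most_common()
        if path not in manifest and n >= min_hits and len(clients[path]) >= min_clients
    ]
```

Legitimate uploads also live outside the manifest, so the output is a triage list to inspect, not a verdict; lowering the thresholds widens it.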

It would be helpful if the development / security investigation teams of most major CMSs published these sorts of guides. Thanks Donnacha!

Moving SMF to a new server

This post is an aide-mémoire more than anything else, but hopefully it might come in handy to someone.

Settings.php

  • Database access details
  • Local file system path
  • URL (if changing)

Database

There are several instances within the settings table where the local file system path is stored in the database. Whichever way you update them (find and replace if restoring via a .sql file, the forum backend or phpMyAdmin), lots of things such as post icons and avatars will look screwy until you do. The theme path is also stored within the database in some instances. Make sure you get them all :)

Easier updating with Wordpress

I’ve been pleased to see the inclusion of an update warning in recent versions of Wordpress when new versions are released. Coupled with the plugins page, which now tells you when updates are available for your installed add-ons, the system is becoming a lot easier for the non-technical user to maintain, even if they ultimately have to seek help with the process. Working on a web host’s helpdesk, it’s obvious that half the problem with old script installs is that the site owner isn’t aware updates are required.

I’m looking forward to the day when Wordpress can also have the option to update itself (for example, as Simple Machines Forum can do by feeding it your FTP details), just to make it a little harder for users to ignore ;)

Mounting an FTP account on Linux

Learning to use the command line is one of the hardest things about moving to Linux; however, once you’re used to it, doing things becomes second nature, and you actually miss the terminal in those cases where you have FTP access but no shell account. For some things using a GUI is laborious; upgrading web apps is a major case in point.

One way of getting around this is the curlftpfs package. The software allows you to mount your FTP account and access it as you would any other part of your Linux File System.

After installing the package, you may have to modprobe fuse and may have to add your user to the fuse group. The former was necessary on Suse 10.2 and the latter on Kubuntu Feisty. After that, simply create the folder you wish to use as a mount point and issue the command:

curlftpfs -v ftp://user:pass@ftp.somewhere.net/ MountPoint/

Once everything is working you can do away with the -v, which enables verbose output. This is great if you need to do work on a web app where there is no shell access.

Caution

It is easy to forget this is not shell access: commands like unzip, unrar etc. will run the binary on your machine, with the resulting back-and-forth data transfer. Use such commands at your peril if working on an unstable connection, with large files, or if you don’t have a backup.

Whilst this can be used with the rails command (again, not recommended), bear in mind that you’ll need to copy the contents of the vendor directory to the server manually, as this is normally symlinked when working on the shell.

References

http://gentoo-wiki.com/HOWTO_FTP_Mount

WPMUDev Premium - good idea?

Recently a couple of the people who run the biggest WPMU based sites out there have put together a premium member’s area for those wishing to run serious MU based sites.

Seeing as Boz and I have recently been putting together an MU site for a group of friends, this is an interesting development. I can immediately see the need for this for those working singly or in small departments who don’t have direct WPMU expertise but want to quickly reach a large user base on a stable, scalable software base. A reasonable proportion of the freely available MU plugins out there look like they may present scaling difficulties down the line, something you definitely don’t want if you’re providing a service you have to support. Hitting a wall once you’re a few thousand users in is probably extremely unpleasant, as it’s harder to redevelop something that is running 24/7.

If we do get around to building another site with WPMU (I have to say I’ve enjoyed working with it) I’ll probably subscribe to this as much out of interest as out of need.

The only real downside I can see is that they may well get an influx of subscriptions from people who really want everything done for them, from consultation to installation and ongoing support, which may well clog up the premium forums, and their time to support on there, with inappropriate questions. However, the entry fee will hopefully discourage this kind of behaviour.

There may well be a snotty counter-argument to doing this sort of thing off the back of GPL-style software, but in all honesty WPMU is a fair way short of what wordpress.com is, so it’s difficult to make an argument whereby these people shouldn’t get rewarded for their expertise and time. Essentially I can see dev premium saving me time in working out answers other people have already arrived at, and life is too short for the alternative.

Four Pre-Requisites to working with Wordpress MU

The forums over at Wordpress MU aren’t really the hand-holding sort; the regulars are just too busy. However, if one has done some background work first, there are good solutions in the threads, and the regulars are happy to assist someone who has managed to get part of the way on their own initiative.

A lot of people, however, seem to approach MU without the prerequisite skills suggested in the software’s readme (i.e. being able to cope with server-level software as opposed to a single CMS / Wordpress install).

For this reason I’d consider the four points below fairly essential if you want to work with MU (even if you have a technical background).

1. Use self-hosted Wordpress for at least six months. By “use” I mean creating a site installation you’re happy with and blogging to it regularly. Install via FTP or shell rather than Fantastico or equivalent, and install any security updates as soon as you can.

2. Be comfortable installing and fixing small issues with widgets, plugins and themes. Be comfortable reading through the code and following the logic into the database if something isn’t working as expected. The WPMU forums are an invaluable resource but will often only point you in the right direction with a code snippet; you’ll have to apply the solution or follow the logic through so it fits your site.

3. Ideally, have written some plugins / widgets / themes for WP yourself. I hadn’t before starting to work with MU, and I really wish I had, as there is the added complexity of considering the multi-user element when working with MU.

4. Be able to manage the necessities on a dedicated server or VPS. If you need to hire hardening or optimisation experts, or have the budget to pay for management, fine. My own WPMU site is currently sitting on a shared host and will hopefully be fine there; but once you are ready to deploy a site that will be for the wider public rather than just friends, from reading the MU forum it appears that a dedicated server or VPS is the ONLY reliable way to go. My experience at a shared hosting company completely backs this up: as a general rule, users aren’t allowed to install server-level software themselves, as it puts far too much of a drain on the shared resources.

Wordpress as a website CMS?

As further proof that whenever you have an idea the Internet is capable of crushing you by showing that someone has already done it: I’ve been meaning to write an article on this for a while, and now I don’t need to.

Updating a personal website has always been something I’ve known I should do, but never got around to very well; Wordpress lets me do it more easily than any other CMS I’ve used.
