PlanetMike.com

Blog

Michael Clark's journal of important and not-so-important thoughts.





How to Make the WordPress Login Cookie Last Longer Than Two Weeks

Monday, June 30th, 2008 9:10 am

One thing I loathe about WordPress 2.5 is that login cookies only last two weeks. So every two weeks I get prompted to log in again. It is extremely disruptive to have to log in again when just a few hours earlier I was logged in. The cookie logic should be tweaked so that if you haven’t logged in over the past two weeks, then (maybe) the cookie should expire. But if I was allowed to work on the blog yesterday, why should I need to log in again today? The two-week window should not be based on when I first logged in, but on when I last did administrative functions while logged in.

There aren’t any plugin hooks into the cookie-setting functions of WordPress 2.5, so the only way to change this is to edit a core file. Open pluggable.php (under wp-includes of your WordPress installation) and find the line that sets the cookie lifetime for a “Remember me” login; in 2.5 it is line 547 and reads
$expiration = $expire = time() + 1209600;
(Line numbers shift between releases, so search for the text rather than trusting the number, and remember that the next WordPress upgrade will overwrite pluggable.php and undo the edit.) Simply change the number at the end of the line to however many seconds you want the cookie to be good for:

Two Weeks: 1209600
One Month (30 days): 2592000
One Year (365 days): 31536000
Ten Years (3650 days): 315360000

Once you’ve made that change, log out (in the top right of the administrative area) and then log in again, with “Remember me” checked, to create a new cookie with the longer lifetime. Or simply wait two weeks for your current cookie to expire; the next time you log in, you’ll be all set. Two things worth knowing: the expiry time is stamped into the cookie itself and covered by its hash, so cookies issued before the edit keep their original two-week lifetime rather than being extended, and if you ever need to invalidate every outstanding login cookie at once (after a suspected compromise, say), changing SECRET_KEY in wp-config.php does it, because every existing cookie will then fail validation.
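As an added check (example code, not part of the original post), the script below decodes a WordPress 2.5-style login cookie and reports the expiry that is stamped into it, so you can confirm that the new lifetime actually took effect after logging back in. It assumes the 2.5 cookie layout login|expiration|hash, with the pipes URL-encoded as %7C when you copy the raw value out of the browser; the cookie value and the fixed “now” timestamp used in the demonstration are constructed, not real.

```shell
#!/bin/sh
# Added example: read the expiry stamped into a WordPress 2.5-style auth cookie.
# Assumed layout (2.5): "login|expiration|hash", stored URL-encoded, so the pipes
# usually show up as %7C when the value is copied out of the browser.

# wp_cookie_expiration COOKIE_VALUE
#   prints the unix timestamp in the expiration field, or fails if the value
#   does not look like a login cookie
wp_cookie_expiration() {
    value=$(printf '%s' "$1" | sed 's/%7[Cc]/|/g')
    case "$value" in
        *\|*\|*) ;;
        *) echo "not a login|expiration|hash cookie" >&2; return 1 ;;
    esac
    exp=$(printf '%s' "$value" | cut -d'|' -f2)
    case "$exp" in
        ''|*[!0-9]*) echo "expiration field is not a number: '$exp'" >&2; return 1 ;;
    esac
    printf '%s\n' "$exp"
}

# wp_cookie_days_left COOKIE_VALUE [NOW]
#   whole days until the cookie expires, relative to NOW (unix time; default: current time)
wp_cookie_days_left() {
    exp=$(wp_cookie_expiration "$1") || return 1
    now=${2:-$(date +%s)}
    echo $(( (exp - now) / 86400 ))
}

# Demonstration on a constructed cookie: issued 2008-06-30 00:00 UTC (1214784000)
# with the one-year lifetime from the table above (1214784000 + 31536000).
sample='admin%7C1246320000%7C0123456789abcdef0123456789abcdef'
echo "expires at $(wp_cookie_expiration "$sample"), $(wp_cookie_days_left "$sample" 1214784000) days after issue"
```

If the days-left figure still says 14 after you have logged back in, you either edited the wrong line or logged in without “Remember me”, which takes the other branch of the same function.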

Yes, I can see how this might be a security issue, since an attacker may stay logged in for a long time and get past any system upgrades. (A system upgrade, though, should wipe any stored logins, which doesn’t appear to be possible currently, since the cookie doesn’t store which version of WordPress it is good for.) Or if your machine is compromised, your blog can be compromised. But generally, if that happens, you’re screwed anyway. So in this instance, ease of use is trumping security for me.


Akismet 40,000th Spam Comment

Friday, June 27th, 2008 5:54 am

On May 1st, I zapped my 30,000th comment spam. Yesterday was the 40,000th. Here’s a chart of the count, recorded daily.

And here’s the daily rate. Since May 8th (the end of the last storm) the peak was 160 on June 6th, and the low was one on May 19th.

HELO {bot_hostname}

Thursday, June 26th, 2008 11:09 am

This morning I received a string of bot spam attempts from some idiot spammer using the following as his HELO command (yes, including the braces):

HELO {bot_hostname}

Luckily Postfix rejected the conversation immediately.

Showing the Post’s Time on the WordPress Edit Posts Page

Thursday, June 5th, 2008 10:00 am

I prefer having the time listed on the “Edit Posts” page under the WordPress admin area, instead of just the date of the post. The URL where you see this is usually something like (WP-base)/wp-admin/edit.php. I don’t see a hook to manage this format, so I couldn’t write a plugin. (If there is a hook, please let me know what it is!)

To edit the date and time that are displayed, simply edit line 74 in wp-admin/edit-post-rows.php (line 74 in WordPress 2.5.1; the line number may be different in other versions of WordPress, so search for the format string rather than trusting the number). Change the portion that says “Y/m/d” to “Y/m/d H:i” and you’ll then see the time listed on the edit.php page. You can use any of the date/time formats accepted by PHP’s date() function. As with any edit to a core file, the next WordPress upgrade will overwrite it, so keep a note of the change.
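Both this edit and the cookie-lifetime edit to pluggable.php earlier on this page are one-line changes to core files, and the two easy mistakes are editing the wrong line (line numbers move between releases) and not being able to tell later what you changed. The helper below is an added example, not a script from this site: it replaces a literal string in a file only when that string occurs on exactly one line, keeps a .bak copy of the original, and refuses otherwise. The WordPress path and the exact search strings are assumptions; in particular it assumes the date format on line 74 appears as __('Y/m/d'), so look at what your copy of the line actually says and adjust the search string to match.

```shell
#!/bin/sh
# Added example: apply a one-line core edit safely (not a script from the original page).
# wp_replace_once FILE OLD NEW
#   replaces the literal text OLD with NEW, but only when OLD occurs on exactly one
#   line of FILE; the untouched original is kept as FILE.bak. Matching is literal,
#   so characters such as $ ( ) + need no escaping.
wp_replace_once() {
    file=$1 old=$2 new=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    n=$(grep -cF -- "$old" "$file") || true      # grep exits 1 when the count is 0
    if [ "$n" -ne 1 ]; then
        echo "refusing: expected exactly one line containing '$old' in $file, found $n" >&2
        return 1
    fi
    cp -p -- "$file" "$file.bak" || return 1
    # awk's index()/substr() give a literal (non-regex) replacement on the matching line
    awk -v old="$old" -v new="$new" '{
        i = index($0, old)
        if (i) $0 = substr($0, 1, i - 1) new substr($0, i + length(old))
        print
    }' "$file.bak" > "$file"
}

# Usage: ./wp-edit.sh /var/www/html/www.example.com   (the path is an assumption; use your own)
if [ $# -eq 1 ]; then
    WP=$1
    # cookie lifetime for "Remember me" logins: two weeks -> one year
    wp_replace_once "$WP/wp-includes/pluggable.php" \
        '$expiration = $expire = time() + 1209600;' \
        '$expiration = $expire = time() + 31536000;'
    # show the time as well as the date on the Edit Posts page
    wp_replace_once "$WP/wp-admin/edit-post-rows.php" "__('Y/m/d')" "__('Y/m/d H:i')"
fi
```

After an upgrade, diff the .bak files against the freshly installed copies to see whether the lines you changed still exist in the same form before re-applying the edits.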

Verizon Updating Their TOS Again

Tuesday, June 3rd, 2008 10:52 pm

I just received an email letting me know that Verizon is again changing their terms of service. It’s interesting that the first item listed below means they are changing their privacy policy and are going to share your account and identifying info if they even think you’re doing Bad Stuff. I wonder what was wrong with simply waiting for a legal order of some sort?

Also, I wonder if item #4 below means they could block BitTorrent traffic?

And if you do go to the URL they provide for seeing more information (www2.verizon.net/policies) you have to give your area code and exchange to see the info. Hmmm, trying to keep researchers and other interested people out perhaps? Is anyone interested in a research project to see how the policies are different in different areas?

Effective June 9, 2008 - Important Information Regarding Changes to Your Verizon Online Terms Of Service

The following is an outline of important changes to the Verizon Online Terms of Service which are effective as of June 9, 2008. We have described these changes in general terms below and recommend that you review the complete Terms of Service to determine how these changes, and other routine changes being made simultaneously, apply to you or your use of the Service. The Terms of Service can be accessed by clicking on the “Policies and Terms of Service” link (www2.verizon.net/policies) at the bottom of any page of our Website. The Terms of Service, as revised, will govern your rights and obligations, and ours, with respect to your use of the Services we offer. As set forth in Paragraph 3 of the Terms of Service, your continued use of the Service after the effective date of these changes will constitute your agreement to the changes.

1. Reporting of Actual or Potential Violations of Child Pornography Laws. We have added language to our Acceptable Use Policy (AUP) making clear that the Service cannot be used in any fashion for the transmission or dissemination of images containing child pornography. In addition, in Section 5, Privacy Policy; Legal Compliance, we have added language making clear that (a) we are required by law to report any facts or circumstances reported to us or which we discover from which it appears there may be a violation of the child pornography laws; and (b) that we reserve the right to report any such information, including the identity of users, account information, images and other facts to law enforcement personnel.

2. Billing Start Date for Additional Services. In Section 8.1, Prices and Fees; Billing, we have added language stating that, unless otherwise noted at the time of purchase, billing for the Additional Services set forth on Exhibit B will begin either on your Service Ready Date if you are also ordering new Broadband Service or upon submission of your order if you are ordering only an Additional Service.

3. Refundable Deposits. We have added a new Section 8.8, Refundable Deposits, which permits us, in certain instances, to require a refundable deposit either prior or subsequent to activation of Service.

4. Modifications to AUP. We have added language to our AUP making clear (a) that we may monitor our subscribers’ compliance with our Terms of Service and AUP; and (b) that we have the right, but not the obligation, to pre-screen, refuse, move or remove any content available on the Service including, but not limited to, content that violates the law, our Terms of Service or our AUP.

5. Verizon Premium Technical Support (PTS). We have added a new Section 6 to Exhibit B, Additional Terms, which sets forth the terms and conditions governing our provision, and your use, of the PTS service.

Please take time to review the complete Verizon Online Terms of Service. Thank you for being a Verizon Online customer.

eHealthInsurance.com Spam

Monday, June 2nd, 2008 4:21 pm

Be careful if you use eHealthInsurance.com. They do not honor unsubscribe requests from their mailings. I’d suggest using a unique email address so you can disable it after you’ve used their services. I’ve emailed their privacy office asking about this. If a week goes by, I’ll escalate to TRUSTe.

I originally signed up with them on October 9th, 2007, unsubscribed on March 24, 2008 (after they emailed me five months after my last contact with them), and then again today (June 2, 2008) two months after opting out.

Spammers Killed My Catchall Address

Tuesday, May 6th, 2008 8:11 am

It’s amazing what you find when digging through old backups. Another item I found was my ancient collection of mailboxes for my catchall address. In early February 2007 I finally surrendered to the spammers that were hammering my mail server. There was no hint that the spam rate was going to decrease, so the catchall went away.

This chart shows the change, from 61 messages in January 2002, to more than 85,000 in January 2007. It took until May 2002 to break 100; 11 months later to break 1,000; then until October 2004 to shatter the 10K barrier with 12,428.

If I get a few minutes free (ha!) I’ll re-enable the catchall to see how much garbage comes through.

Comment Spam Rate

Friday, May 2nd, 2008 4:58 pm

As I mentioned yesterday when I noticed I passed the 30,000 spam comment threshold, the comment spam rate on the blog has gone through the roof. I dug out some of my old backups of my WordPress database and generated this chart showing how many spam comments I’ve received. This chart is from December 14, 2006 (8,105 spam comments) through today (31,601 spam comments).

This chart shows the daily rate of how many spam comments have been received. The peak before today was December 14-19, when I was getting 143 spam messages per day. Since yesterday the rate has been 1,154 per day.

Akismet 30,000th Spam Comment

Thursday, May 1st, 2008 1:48 pm

I just deleted my 30,000th comment spam. I have no idea how high the count would have been had I not put into place several techniques that automatically block bad commenters. Those that fall into my traps don’t even get entered into the Akismet system, and so aren’t counted.

(Addendum 9:32pm: The count is now up to 30,447. That comes to one new spam comment every 63 seconds.)

Protecting WordPress With Fingerprints

Tuesday, April 29th, 2008 11:20 pm

I. Background

Recent attacks against the WordPress content management system have prompted reminders of the recommendation that you make sure you are running the newest version of WordPress. When you download WordPress, you can also get the MD5 checksum of the archive (called a “signature” below; strictly it is a hash, not a cryptographic signature, since anyone can recompute it, so it only protects against tampering if you get the reference value from a source you trust) so that you can double-check that the downloaded file has not been damaged during the download.

There are many algorithms that can compute a file’s signature. The signature is generated by reading the file and running its data through a hash algorithm. If even one character in a file is changed, such as a space added or a comma replaced with a period, the signature changes to a radically different string. So, if the signature you generate on your computer after downloading a file differs from the one the vendor provides, the file has most likely been corrupted during the download. A common time this is seen is when you upload a compressed file (.zip or .gz) to a web server in ASCII (text) mode instead of binary mode. One caveat on the choice of algorithm: practical MD5 collision attacks have existed since 2004, meaning someone can deliberately construct two different files with the same MD5 sum, so when a SHA fingerprint is available, prefer it (the scripts described below generate both).

So, let’s say you’re upgrading or installing WordPress on your server. You compare the MD5 signature provided by WordPress (for 2.5.1 the MD5 signature is b1a40387006e54dcbd963d0cb5da0df4). Under Linux you would type the command md5sum wordpress-2.5.1.tar.gz and you should get that random-looking sequence of characters. If you don’t get b1a40387006e54dcbd963d0cb5da0df4, there is a problem.

But what happens after you uncompress and install the software? What if a cracker gets in and messes with your system? This is where file integrity comes into play. Historically (the 1980s and 1990s) computer viruses would attach themselves to applications and documents on your computer, so there were two layers of protection: (1) a virus scanner, which looked for known malicious code in files on the system; and (2) a file integrity scanner, which checked whether files had been changed.

Today that second form of scanning has fallen out of favor. But with the increasing number and complexity of WordPress attacks, I think keeping a fingerprint of each of the more than 500 files that make up WordPress is a valid security measure. Fingerprinting WordPress also lets you detect files silently corrupted by a hardware failure.

I’ve written a set of scripts that run on a Linux system. (You could instead add the WordPress files to your Tripwire configuration or another file integrity tool.) You provide the full directory path to the base of your WordPress install, and two files are generated in the correct format: MD5 and SHA fingerprints of the “official” WordPress files downloaded from WordPress.org.

Then you regularly run the check program. Suggestion: add it to a cron schedule so it runs automatically.

This is version 1.0 of this system. Definitely let me know if you find any problems or have any suggestions with this.

II. Installation

This system has only been tested on Linux (specifically CentOS 4.6). Please let me know whether it works on your system. It only requires md5sum and shasum, and some familiarity with the Linux shell.

  1. Download the software.
  2. Generate the md5sum and shasum fingerprints for the .gz file. The MD5 fingerprint is “1bc778dc72741dbaa942b9fcd81e832b” and the SHA fingerprint is “e4f1ef0f53397d820d8c07fee1786823d6a70cb2”. (These values come from the same site as the download, so they catch a corrupted transfer, not a tampered server.) Important: if you are unable to verify the fingerprints for the download, don’t continue! You will just be frustrated!
  3. Create a new directory on the web server, preferably outside the web root so the scripts and fingerprint files are neither served nor writable through the site.
  4. Unzip the software in that directory.
  5. Make sure that both version-check-251.sh and wordpress-check.sh are executable (chmod 700 or 755).
  6. Find the full path to your WordPress installation. This varies with each server setup. If you go to the folder that has your wp-config.php file and type the “pwd” command, that is probably the directory you need. Common directories are /var/www/html/www.example.com/, /var/www/docs/www.example.com/ or /var/htdocs/www.example.com/. The version-check-251.sh script will tell you if it can’t find the WordPress files.
  7. Change to the directory that you installed the scripts in.
  8. Type: “./version-check-251.sh (the full path found in step 6)”.
  9. Then type “./wordpress-check.sh” to check the fingerprints against the actual files in your installation. If there are any problems, it will be very obvious. Hopefully you will only see status messages.
  10. If you want to have the check script run by cron, use the wordpress-check-cron.sh script. The only difference between the two scripts is that the cron script doesn’t print status messages.

III. Common Causes of Fingerprint Failures

If you’ve made any changes to any of the files, you will get an error. Once you have confirmed the change is your own (and not something an attacker left behind), update the domain-name.md5sum.txt and domain-name.shasum.txt files with the new fingerprints. The command to generate the new fingerprint is:

md5sum full-path-to-the-file
or
shasum full-path-to-the-file

Another common problem is not updating the bundled default and classic themes (/wp-content/themes/) when updating WordPress.

And lastly, Akismet may release a newer version of the plugin before WordPress itself is updated. Simply generate a new fingerprint of the new version of the plugin.

Updates

When WordPress gets updated, I will release a new version of the fingerprints. To stay informed about updates, subscribe to my RSS feed.

Copyright © 1997-2008 Michael Boyd Clark