Archive for the Hacking WordPress Category

In case you didn't notice, I've just installed the reCAPTCHA WordPress plugin by Carnegie Mellon University.
It uses an IFRAME as a fallback to provide its functionality when JavaScript is disabled, so if you happen to be a NoScript user and you're blocking both JS and IFRAMEs, you know what the placeholder inside the comments frame is about.

By the way, any comments? ;)

There's been some talk lately about the "friendly" AJAX worm coded by Benjamin Flesch as a proof of concept, both leveraging and patching 3 XSS vulnerabilities he found in WordPress 2.2.x.

Allowing a foreign program to run on your system without a chance to scrutinize its source code is not a great idea (I know, many Microsoft customers could not agree).

I'm very new to WordPress (I started playing with it 3 days ago), and I've heard many nightmarish stories about its security, so I'd really love to patch everything I can before I start my own auditing.

On the other hand, I fully subscribe to .mario's concerns -- without code review, no usage -- and it looks like Symantec agrees that this beastie is not harmless, despite its good intentions.

Hence I decided to grab the snail by its tail and force it to spit out its 3 "little secrets".
Here you'll find the patches in a concise and readable form, and you can decide whether to apply them manually or not.

OK, now that I've installed WordPress and customized the Royal theme enough to suit my own megalomania and my girlfriend's taste, I try to post an empty test comment, expecting a nice error message, and... ouch! The digest authentication prompt guarding my administration directory?! Why?

A quick grep reveals that the


function in


uses its own hardcoded template, linking many assets under the protected


directory, e.g.


. Bad.

Looks like an "idea" about Modular error pages/a way to override wp_die has existed in the WordPress Ideas vault for two weeks. Good.
But I need them now, themed error pages. It's a matter of decency!

Luckily, it's quite easy, even if a wonderfully dirty hack...
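Before (or after) applying any such hack, it helps to check the rendered error page for sub-resources that live under the HTTP-auth-protected directory, since any one of them will trigger the browser's authentication prompt. The following is an added example, not code from the post or from WordPress: it collects every stylesheet, script, image, and frame URL from an HTML page and reports those whose path falls under a given protected directory (assumed here to be /wp-admin/); the sample HTML is constructed, not real wp_die output.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that make a browser fetch a sub-resource.
_ASSET_ATTRS = {
    "link": "href", "script": "src", "img": "src",
    "iframe": "src", "object": "data", "embed": "src",
}


class _AssetCollector(HTMLParser):
    """Collects the absolute URL of every sub-resource a page would load."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.assets = []

    def handle_starttag(self, tag, attrs):
        attr = _ASSET_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            self.assets.append(urljoin(self.base_url, value))


def protected_assets(html, base_url, protected_dir="/wp-admin/"):
    """Return the sub-resource URLs whose path sits under protected_dir.

    Each such URL will make the browser ask for HTTP auth credentials
    when the error page is shown to an anonymous visitor.
    """
    parser = _AssetCollector(base_url)
    parser.feed(html)
    hits = []
    for url in parser.assets:
        if urlparse(url).path.startswith(protected_dir) and url not in hits:
            hits.append(url)
    return hits


# Constructed sample resembling a hardcoded error template (not real wp_die output).
SAMPLE_ERROR_PAGE = """<html><head>
<link rel="stylesheet" href="/wp-admin/css/sample.css" type="text/css">
<script src="/wp-includes/js/sample.js"></script>
</head><body>
<img src="http://example.com/wp-admin/images/sample-logo.png">
<p>Error: please type a comment.</p>
</body></html>"""

if __name__ == "__main__":
    for url in protected_assets(SAMPLE_ERROR_PAGE, "http://example.com/"):
        print("asset behind HTTP auth:", url)
```

Feed it the HTML returned for an empty comment (saved with any HTTP client) and the site's base URL; an empty result means the themed page no longer depends on the protected directory.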
