Blog

Wordpress Spammer Bots - A Workaround that Works

By admin on Tue, 08/10/2010 - 16:30

Overestimate the quality of Wordpress code at your own peril.

We run a small sitewide multi-domain Wordpress installation for blogs and simple sites.  Wordpress (and before that Wordpress MU) is easy to install, manage, hack, and looks nice out of the box.

The only problem is that it is just not that well engineered, and I have done more than my fair share of double takes as to how primitive the system is.

Here is a specific example and my method for working around a particular limitation (without patching the core). 

First, the problem.  Even with CAPTCHA, WP-Hashcash, and Apache no-referrer denials in place, spambots can still post to wp-comments-post.php and enter their Viagra crap to the comments moderation queue.  How is this possible, you ask?  How would they get around Apache directives that mandate the request have a referral from the same site?  Are they actually injecting a fake referral in their bot?

Yes. Yes they are.  It is trivial to do with curl.  Here is an example:

curl -e "http://yoursite.com/2010/07/02/your-post-permalink/" -d "param1=value1&param2=value2" http://yoursite.com/wp-comments-post.php

-e sets the Referer header to the post permalink (the string the Apache rule checks before allowing access to wp-comments-post.php).

-d is the set of POST variables (for example name= and comment=) that carries the actual comment.

The last argument is the destination URL: the default WordPress comment post handler.

I have read all over the Internet that admins are under the false impression that the following Apache directives block direct access to wp-comments-post.php:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^/?wp-comments-post\.php.*
RewriteCond %{HTTP_REFERER} !.*yoursite.com.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F]

I can assure you they do not, and reliance on this technique shows the distinct lack of experience of some of our newer Apache admins.  Every single HTTP request is a direct request to the web server.  Referer headers are generated on the client side and can be ANYTHING, anything at all.  Remember, a good sysadmin never trusts his users or their input.

Every http request is unvetted user input.

How could the developers have avoided putting any security into wp-comments-post.php?  How could they allow direct access to that file?  Why is there not some sort of token or hash that is generated from the comment form and passed via the POST?  It seems reasonable to me that WP-Hashcash could pass its approval (based on some hash) upon POST and wp-comments-post.php could accept that as part of the environment.

Yet there is no hook, and no template POST variables that plugins can extend, without hacking wp-comments-post.php.  If comments are permitted from anonymous users on a post, wp-comments-post.php will happily process the remote request and pass it to your moderation queue.  You can inject any user-agent string, Referer, or comment you wish, all day, every day.

The solution, it turns out, is to take your fresh WordPress installation and rename the following files to something unique to your installation (you can make it random if you wish):

  • wp-trackback.php
  • wp-comments-post.php
  • wp-signup.php

and then run

# list every file under wordpress/ that mentions the old name (fixed-string match), then rewrite it in place
grep -rlF wp-comments-post.php wordpress/ | while IFS= read -r file
do
   sed -i 's/wp-comments-post\.php/hidden-comments-post.php/g' "$file"
done

and repeat that for each of the other files, wp-trackback.php and wp-signup.php (obviously modifying the targets appropriately).  You can automate the process with a little shell script and run it every time you update your WordPress installation (which is how we do it).
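The rename-and-rewrite procedure above as one POSIX shell script. This is an added example, not the post's own script: the tree it builds is a constructed stand-in for a WordPress install (three stub entry-point files plus a few theme files that reference them), and the hidden-* names are assumptions, not the post's. It adds the check the post's loop lacks: after rewriting, it greps the tree again and fails if any reference to the old name survives.

```shell
#!/bin/sh
# Added example, not part of the original post. Renames a WordPress
# entry-point script and rewrites every reference to it in the tree.

# Usage: wp_rename_endpoint <wp_root> <old_name> <new_name>
# Returns 0 only if the file was renamed and no reference to the old name remains.
wp_rename_endpoint() {
    root=$1; old=$2; new=$3
    # Keep names to a safe character set so the sed expression below stays literal.
    case "$old$new" in
        *[!A-Za-z0-9._-]*) echo "names must match [A-Za-z0-9._-]" >&2; return 1 ;;
    esac
    if [ ! -f "$root/$old" ]; then
        echo "missing $root/$old" >&2
        return 1
    fi
    mv "$root/$old" "$root/$new"
    # Escape the dots (.php) so sed matches them literally, not as "any character".
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')
    # grep -r: recurse, -l: list matching files, -F: fixed-string match.
    grep -rlF -- "$old" "$root" | while IFS= read -r file; do
        tmp=$(mktemp)
        sed "s/$old_re/$new/g" "$file" > "$tmp"
        cat "$tmp" > "$file"   # write back through the original file to keep its permissions
        rm -f "$tmp"
    done
    # Post-check: a leftover reference means a form or link still points at the old name.
    if grep -rqF -- "$old" "$root"; then
        echo "references to $old remain in $root" >&2
        return 1
    fi
    return 0
}

# Build a constructed stand-in for a WordPress tree (stub files, not real WordPress code).
# Prints the directory it created.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/themes/demo"
    printf '<?php // comment handler stub\n'   > "$dir/wp-comments-post.php"
    printf '<?php // trackback handler stub\n' > "$dir/wp-trackback.php"
    printf '<?php // signup handler stub\n'    > "$dir/wp-signup.php"
    printf '<form action="/wp-comments-post.php" method="post">\n' > "$dir/wp-content/themes/demo/comments.php"
    printf '<link rel="pingback" href="/wp-trackback.php">\n'     > "$dir/wp-content/themes/demo/header.php"
    printf '<a href="/wp-signup.php">Register</a>\n'              > "$dir/wp-content/themes/demo/footer.php"
    printf '%s\n' "$dir"
}

# Apply the workaround to all three entry points named in the post.
# The hidden-* names are placeholders; use something unique to your install.
harden_sample() {
    dir=$1
    wp_rename_endpoint "$dir" wp-comments-post.php hidden-comments-post.php &&
    wp_rename_endpoint "$dir" wp-trackback.php     hidden-trackback.php &&
    wp_rename_endpoint "$dir" wp-signup.php        hidden-signup.php
}

# Count the files under $1 that still mention $2 (0 means the rewrite was complete).
count_refs() {
    grep -rlF -- "$2" "$1" | wc -l | tr -d ' '
}

# Stand-alone run: build the constructed tree, harden it, report, clean up.
demo_dir=$(make_sample_tree)
if harden_sample "$demo_dir"; then
    echo "renamed endpoints and rewrote references under $demo_dir"
fi
rm -rf "$demo_dir"
```

Against a real install, call wp_rename_endpoint once per file with the WordPress root and your own random name, working on a copy or from a backup: the rewrite touches every file that mentions the old name, and a core update restores the original files, which is why the post re-runs the procedure after each upgrade.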

The result: now spammer bots do not know the name of the comment post script in your WordPress installation.  They would have to pull the name from your particular instance (by looking at your comment form) and modify their bots to target you directly after that.  That is too much work, and I suspect they would not bother.  Better to go after the lower-hanging fruit.

But still, I am left scratching my head.  How could direct access still be granted to wp-comments-post.php in 2010?  My solution is only a workaround based on obscurity and does not resolve the issue.  A true fix would involve wp-comments-post.php working in concert with the session of the user, JavaScript, and/or other parts of WordPress.

Engineering Analysis
Wordpress

President Chooses Drupal for Recovery.gov

By admin on Thu, 02/19/2009 - 18:22

Altamente has used and developed for the Drupal CMS web publishing platform for more than 5 years.

News has been breaking today that http://recovery.gov/ was built with the Drupal Content Management System (CMS), the very same publishing platform that we use here at Altamente.  Coincidence?  Absolutely not.  Smart people choose Drupal.

At Altamente, we count on the following assets of Drupal:

  1. Secure
  2. Easy to use, extend
  3. Robust, feature rich
  4. Easy to theme
  5. Allows clients and their users to generate content all on their own
  6. No danger of data loss due to obsolescence or licensing restrictions or changes

Our community of developers has guaranteed Drupal is not going to go away, that its codebase is solid for the future, and that we have a stake in its progress. 

As an added bonus, any client that uses Drupal as their publishing platform is rewarded with ownership of the source code.  That's right, you own all the code that goes into your website.  How is that for future-proofing your valuable data?  You will never have to refactor your website to a new application or programming language.

President Obama's team has made the right choice.  Isn't it about time you did so as well?

Check out other Drupal-run sites here: http://buytaert.net/tag/drupal-sites

IT Best Practices

OpenOffice.org: 7 Things You Didn't Know You Could Do

By admin on Thu, 02/19/2009 - 10:18

OpenOffice.org (an application suite, not just a Web site) has tricks even Office can't manage. Here are a few that may not be obvious, plus a few ways to make it less annoying out of the box.

We are starting to see more movement in adoption of OpenOffice. There are many reasons, but a recent article in PC Magazine, http://www.pcmag.com/article2/0,2817,2341228,00.asp, lists some really killer features. Pay special attention to legacy formats. Using OpenOffice one can open just about any file, DOC, XLS, PPT, old or new.

In addition, one of the things I really like about OpenOffice is the excellent support for styles and long documents. For example, instead of setting a heading as bold, 16pt type, sans serif, you define a heading style for heading 2 (h2) as bold, 16pt type, sans serif. Now, every time you enter a heading for a new section, it will be styled the same way. To change the formatting, just go to your style window and adjust the default. All your formats are automatically updated. You can do this with any content type in your document: paragraphs, quotes, sections, bullets, etc. Although MS Office also has this feature, it is less intuitive and not as front and center for the end user. As a result, I find that few people use it.

OpenOffice is not a step down, not a crippled, cheap, shoddy free program that one uses only when cutting corners. No, OpenOffice is an office suite full of enterprise features and robust document handling. OpenOffice is valuable at any price. It just happens to be free.  Download your copy today at: http://openoffice.org/

Tech in the Workflow

Caribbean Business Article on Open Source

By admin on Thu, 02/12/2009 - 13:13

Altamente was consulted on an article that came out today in Caribbean Business, a local business journal in Puerto Rico.

Open source gains enthusiasts as economic IT alternative

I think they got the article right. It came across as balanced and productive. At Altamente, we have never been proprietary software bashers, but we do know that Open Source/Software Libre represents a considerable business advantage in many areas. Read the article and give us a call. We would be happy to save you 20% on your I.T. budget while giving you a leg up on your competition.

IT Best Practices

Calls for open source government

By admin on Fri, 01/23/2009 - 10:29

The secret to a more secure and cost effective government is through open source technologies and products.

Open Source or Software Libre deserves a prominent place in the proper functioning of Government. From transparency in accounting to public policy, software applications and open data formats allow equal access to information that rightly belongs in the public domain. President Barack Obama has begun his term with a request to Scott McNealy, co-founder of Sun Microsystems, to explore in what manner Open Source can serve the public good.

From the BBC:

The secret to a more secure and cost effective government is through open source technologies and products.

The claim comes from one of Silicon Valley's most respected business leaders Scott McNealy, a co-founder of Sun Microsystems.

He revealed he has been asked to prepare a paper on the subject for the new administration.

"It's intuitively obvious open source is more cost effective and productive than proprietary software," he said.

"Open source does not require you to pay a penny to Microsoft or IBM or Oracle or any proprietary vendor any money."

Mr McNealy told the BBC he wants to ensure the government does not get "locked in" to one specific vendor or company.

It is obvious to us as well.  The real benefit is, however, not that you do not have to pay anyone for software and services, but that you are not required to pay a particular vendor. Open Source software distributed under the GPL license allows you, the company or organization, to choose your partner. Since you have a choice, vendors compete for your business, and as a result may provide a more competitive solution.

Read "Top 10 Ways to Save Money on IT in 2009" for a better idea of Altamente's thinking on IT costs.

Industry
