Moodle Security, Censorship, and Trust — An Observation

February 3rd, 2010 2 comments

It’s no secret that Moodle, the open-source learning management system, has suffered from some very serious security problems recently. And those security problems aren’t limited to individuals who simply buy a cheap, $5 hosting account, install Moodle using Fantastico, and try to set up an online class when they really don’t know what they’re doing.

In fact, some of the biggest Moodle security problems have impacted customers of some of the largest professional Moodle hosting providers–Moodle Partners–commercial companies endorsed and certified by Moodle to provide professional, enterprise-level services.

One example of this is the Moodle porn spam issue that impacted millions of Moodle sites all over the world–and still impacts an untold number of sites today. This issue received world-wide attention when Primary School Moodle sites, provided by a certified Moodle Partner, were found to be infested with vile pornography.

Source: Primary schools hit by porn hackers
Source: Porn infecting ‘thousands’ of e-learning (Moodle) sites

Another example is the huge security hole first reported here just a couple months ago demonstrating how any teacher on any Moodle site in the world could download the entire user database table and have access to all user information–usernames, passwords, e-mail addresses, phone numbers, etc., for every user on the Moodle site.  Professional Moodle partners all over the world got caught sleeping at the wheel…again.

Source–just one of many: Groot gat in open source e-learning cms Moodle

One would think that an open-source “community” with problems as serious as Moodle has had recently would invite open and honest communication about its products and services, but you would be wrong.

I don’t know many things for sure, but one thing I do know is that Moodle has not seen the last of these types of problems. The closed, arrogant, intolerant, atmosphere that has been cultivated on moodle.org by the Moodle lead developer will continue to ensure that there is no shortage of people just waiting to expose the next big hole…it’s not a matter of “if” there is another big hole…it’s only a matter of “when” it will bite Moodle (ergo Moodle users) in the rear.

WordPress Blog Hacked — Now What?

January 23rd, 2010 comment

Note: The following is made available under GPL from http://codex.wordpress.org/GPL. It has been edited significantly from its original form. There is no guarantee this information is accurate…use at your own risk.
—————————————————–

My WordPress blog has been hacked; or at least I think it’s been hacked. What do I do now?

The WordPress Exploit Scanner plugin can help detect damage so that it can be cleaned up. Other things you should do:

  • Change passwords for all blog users, including your own, with a role higher than Subscriber
  • If you upload files to your site via FTP, change your FTP password
  • Change your web hosting control panel (such as Cpanel) password
  • Completely remove all current WordPress core code and re-install the latest version of WordPress
  • Make sure you are only using trusted plugins and themes–those from wordpress.org or a trusted commercial developer
  • Remove all unused themes and plugins
  • Make sure all of your plugins and themes are up-to-date–it’s best to install new, clean copies of each theme and plugin
  • Update your security keys in wp-config.php
  • Search your entire web-directory (public_html directory, not just the WP directory) to ensure no other files are infected
  • Check directory and file permissions on your server. Typically, directory permissions should be 755 and files should be 644, but this will depend on your particular server environment.
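
The last two checklist items can be scripted. This is an added example, not part of the original post or the WordPress Codex: it reports entries under a web root that deviate from the 755/644 baseline and lists PHP files changed in the last N days across the whole directory. It assumes GNU find on Linux; the function names and the path argument are hypothetical.

```shell
#!/bin/sh
# Added example: post-compromise file audit for a web root (GNU find, Linux).
# Function names and the path argument are hypothetical, not from the post.

# Report directories that are not 755 and regular files that are not 644,
# the baseline the checklist gives. Output: "DIR|FILE <octal mode> <path>".
audit_perms() {
    root=$1
    find "$root" -type d ! -perm 755 -printf 'DIR  %m %p\n'
    find "$root" -type f ! -perm 644 -printf 'FILE %m %p\n'
}

# List PHP files modified within the last N days anywhere under the web
# root (not only the WordPress directory), newest first, for manual review.
recent_php() {
    root=$1
    days=$2
    find "$root" -type f -name '*.php' -mtime -"$days" \
        -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort -r
}

# Run both checks when called with a path, e.g.: sh audit.sh ~/public_html 14
if [ -n "${1:-}" ]; then
    echo "== Entries deviating from 755/644 =="
    audit_perms "$1"
    echo "== PHP files changed in the last ${2:-7} days =="
    recent_php "$1" "${2:-7}"
fi
```

A reported entry is a prompt for review rather than proof of infection, since some hosts legitimately use stricter modes. Run the modification-time check before re-installing core, plugins and themes, because a fresh install makes every file look recent.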

If all else fails, contact me and I will quote you a reasonable price for fixing your site for you…I only work on Linux systems with Cpanel, or an equivalent control panel.

Customize WordPress Post Revisions

January 17th, 2010 2 comments

In a default install of WordPress, each time you edit a post or page, WordPress will automatically save your previous posts/pages allowing the possibility of reverting to a previous version of that post or page. This is a cool feature, but it can get a little ridiculous when you have dozens of previous versions sitting below the post–and taking up space in your db. As you can see in the following screenshot, with just a couple of edits to this post, I’ve already racked-up 4 revisions…by the time I finish editing, I’ll probably have a dozen or so…

Each of those revisions requires a separate record in the db. So, although this is a cool feature, it can significantly add to db bloat.  If you don’t really care to have all those revisions sitting around, or if you want to limit the number, WordPress does provide an option to change the default behavior allowing you to either disable revisions completely or allowing you to limit the number of revisions saved. To make these changes you do need to edit your wp-config.php file directly…currently, there is no option for doing this in WP admin.

Disable Post Revisions

To completely disable the revisions feature, add the following code to your wp-config.php file, or edit it if it is already present. The value false disables this feature.

define('WP_POST_REVISIONS', false);

Specify the Number of Post Revisions

If you want to keep the revisions feature, but limit the number of revisions saved, then use the same code as above, but change false to the number of revisions you want to keep. In the example below, WordPress will keep the latest 3 post or page revisions.

define('WP_POST_REVISIONS', 3);

WordPress 2.9.1 Released — Fixes Scheduled Post Problem

January 5th, 2010 8 comments

WordPress version 2.9.1 was just released and should fix the annoying scheduled post problem. The problem was scheduled posts weren’t being published on some 2.9 installs — including a couple of my own installs :-( . Instead, when you looked at the list of posts you would just see errors reading “missed schedule” or something similar. There is a way of fixing the problem by editing a core file, but no need now…just upgrade to 2.9.1 and all should be well. Remember…backup, backup, backup before pressing the upgrade button–chances are you will have no problems, but if you do, you will be glad you backed up.

WordPress 2.9 Trash Feature — How to Customize

January 2nd, 2010 3 comments

In WordPress 2.9 one of the new features is the ability to send posts, pages, and comments to trash instead of simply deleting them as in previous versions.

One thing about this new feature that is not so obvious, is that by default, items in trash are automatically deleted after 30-days. Of course, this could be a good thing as long as you know about it, but it could catch some by surprise who don’t know about this auto-delete feature in trash. I would imagine there are some who will use the trash as a holding place for posts, pages, or comments that they may want to remove from public view, but keep handy for possible future use. In the past, you may have just changed the status of a post or page from “Published” to “Draft” or simply “Unapproved” a comment to achieve the same result. The difference is, your draft posts/pages and unapproved comments were never deleted unless you deleted them–not so when you send something to trash. The 30-day delete time is defined in wp-settings around line 570–see screenshot below.

Of course, now that you know this, if you wanted to change it, you could open wp-settings and edit it there–changing the 30 to 60 would auto-delete items after 60 days. However, there is a better way to accomplish this so that you don’t overwrite your changes during an upgrade: define this variable in the wp-config.php file. So, if you want to increase, decrease, or even disable this feature, you should open your wp-config.php file and include a line somewhere just like you see highlighted in the screenshot above. A good place to add the line would be directly below where the table prefix is defined in the wp-config.php file. The screenshot below shows wp-config.php edited to auto-delete items in the trash after 120 days.

But what if you want to completely disable the new trash feature? Changing the value to 0 (zero) will do that for you. The screenshot below shows how to edit wp-config.php to completely disable trash so that when you delete an item it is automatically deleted just as it was prior to version 2.9.

But note, if you disable trash, then when you click to delete something you will NOT be prompted to confirm…when you click Delete the item simply gets deleted and there is no getting it back without a backup.

WordPress 3.0 New Features

December 29th, 2009 3 comments

WordPress 3.0, due to be out around mid-2010, will be getting a new default theme. So, if you love Kubrick, I’m sure you will still be able to use it and customize it, but it won’t be the default with the next release–at least not in its current form. If you would like to provide input on what the default theme should be, look like, features it should have, etc., then be sure to stop over at WP.org and post your 2 cents.

http://wordpress.org/support/topic/342819

Since I don’t participate in those forums any longer, I’ll just provide my thinking here.

In a nutshell, I don’t really care what the default theme is. The first thing most people do once they get WP installed is change to a custom theme anyway. So putting a lot of thought and effort into what is the “default” theme may be important to WP and its image or brand, but it’s not important to end users…in reality, the default theme is really nothing more than just one of over a thousand GPL themes anyone can install in just a few seconds through the theme installer in the WP admin.

Now don’t get me wrong…I’m not trying to throw a wet blanket on the theme initiative and I’m sure it’s important for WP to show that they are staying “up to date” and on the cutting edge. Simple fact is, WP is hands-down the best blog software (and fast becoming the best CMS software) available today–open source or proprietary. So, best of luck with the default theme initiative, but I’m far more interested in how WordPress MU will be incorporated into WordPress–which is also due to happen in 3.0.

Wishing everyone a great 2010

December 25th, 2009 3 comments

Merry Christmas and Happy New Year from Figaro and Tori and family.

Note: Figaro is the old, ugly one ;-) Tori joined our family in 2009, so it’ll be hard for 2010 to top that.

Auto Embeds in WordPress 2.9

December 23rd, 2009 2 comments

Note: The following is made available under GPL from http://codex.wordpress.org/GPL. It may be edited a little from its original form, but probably not a lot. There is no guarantee this information is accurate…use at your own risk.
—————————————————–

In WordPress 2.9, it’s super easy to embed videos, images, and other content into your WordPress site. Just type/paste the URL into your post/page and WordPress does the rest. Make sure that the URL is on its own line and not hyperlinked (clickable when viewing the post).

For example, all I did to add the video below was copy/paste the video URL into this post…the URL should be on its own line. In the past you would have just seen the link to the video, but from 2.9 onward, WordPress automatically embeds the video in the post.

You can also opt to wrap the URL in the embed shortcode. It will accomplish the same effect, but does not require the URL to be on its own line.

Note: It’s important to make sure the URL isn’t hyperlinked when you type/paste it into the post/page. If it is, then you will simply see the link, like below. This is also a good tip if, for some reason, you want to show the link and not the embed.

http://www.youtube.com/watch?v=5nxXsROoBYs

Can I Use Any URL With This?

Not by default. For security reasons, WordPress will only embed URLs matching an internal whitelist. By default, WordPress will automatically embed from the following sites…this list will grow over time.

  • YouTube
  • Vimeo
  • DailyMotion
  • blip.tv
  • Flickr (both videos and images)
  • Viddler
  • Hulu
  • Qik
  • Revision3
  • Scribd
  • Photobucket
  • PollDaddy
  • Google Video
  • WordPress.tv (only VideoPress-type videos for the time being)

WordPress 2.9 Upgrade and Having Problems?

December 21st, 2009 comment

If you have upgraded to WordPress 2.9 and are running into problems, it’s usually due to incompatible plugins or themes. If you’ve upgraded and can’t log in now, you can search this site for video tutorials on how to disable the plugins. If that doesn’t work, then you can try to FTP to your site and rename the current theme you are using–this will result in WP using the default theme. If that doesn’t work, then you can contact me and I’ll look at it for you for a small fee…if I can fix your site, you pay the fee–no more than $50–if I can’t fix your site, then you pay nothing. If interested, use the contact link in the nav bar.

WordPress 2.9 Released Stable

December 19th, 2009 2 comments

WordPress 2.9 has just been released as stable. I upgraded this site and all seems to be well. See the following post for some of the cool new features.

http://educhalk.org/blog/wordpress-2-9-a-video-demonstration-of-new-features/
