INFOSEC 101: Breaking Down Scary Terms and What They Mean

I am not a hacker. But I understand the information security world. It’s a scary place, unfortunately, to people who have no exposure to it. Yesterday, WordPress 3.0.4 was released as a critical release… and it was. Matt explained the reason for the release in this way:

Version 3.0.4 of WordPress…is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

Simple enough. He goes on to refer to the vulnerability as an XSS vulnerability, which caused a bit of angst on Twitter about what that means and whether non-technical users should be given more information given the terminology.

So, as a public service, I give you some basic definitions and concepts of web security and what we mean. These concepts are rightly scary, but the names tend to be scarier to those who don’t understand them.


XSS

XSS means cross-site scripting. An XSS vulnerability exists when a site takes input it does not fully control (a URL parameter, a comment, a post body, a profile field) and puts it into a page without escaping it, so a visitor's browser treats attacker-supplied text as markup or script. Because that script runs with the site's own origin, it can do anything the visitor can: read the session cookie, submit forms as the logged-in user, "hijack" the site so every visitor is sent somewhere else, or inject special HTML such as hidden spam links that diminish the site's Google search results. The WordPress 3.0.4 bug was of this kind: a flaw in KSES, the library that filters the HTML users are allowed to leave in content, let markup through that should have been stripped.

XSS payloads are almost always JavaScript, but the root cause is missing or wrong output escaping, not the presence of any particular character. WordPress has a security API that escapes dangerous characters for each output context (esc_html() for text, esc_attr() for attribute values, esc_url() for links, esc_js() for inline script) and wp_kses() for input that is allowed to contain a limited set of HTML, and all plugin and theme developers are encouraged to use these functions rather than echoing input directly. [Docs]
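As an added example (not from the original post, and not WordPress core code), here is the same user-controlled value printed unescaped and then escaped for each output context. The $_GET parameters and the $bio string are constructed for illustration; the esc_*() and wp_kses() calls are the real WordPress functions.

```php
<?php
// Added example (not from the original post). $name and $url stand in for
// any attacker-controlled input: a query-string parameter, a comment
// author name, a profile field.
$name = isset( $_GET['name'] ) ? $_GET['name'] : '';
$url  = isset( $_GET['url'] )  ? $_GET['url']  : '';

// Vulnerable: the raw value lands inside the page. A value such as
//   <script>/* anything */</script>
// is no longer text, it is code that runs for every visitor with this
// site's origin (cookies, logged-in session and all).
echo '<p>Hello ' . $name . '</p>';
echo '<a href="' . $url . '">your site</a>';   // javascript: URLs also run here

// Fixed: escape for the context the value is printed into.
echo '<p>Hello ' . esc_html( $name ) . '</p>';                 // text node
echo '<input type="text" value="' . esc_attr( $name ) . '">';  // attribute value
echo '<a href="' . esc_url( $url ) . '">your site</a>';        // URL: strips disallowed schemes

// Rich input (a bio, a comment) may legitimately contain some HTML.
// wp_kses() keeps only the listed tags and attributes and drops everything
// else, so the <script> element below never reaches the page.
$bio = '<em>Hi there</em> <a href="http://example.com" onclick="x()">me</a><script>alert(1)</script>';
$allowed = array(
    'a'      => array( 'href' => array(), 'title' => array() ),   // onclick is not listed, so it is removed
    'em'     => array(),
    'strong' => array(),
);
echo wp_kses( $bio, $allowed );
// Result: <em>Hi there</em> <a href="http://example.com">me</a>alert(1)
```

The rule of thumb the example shows: escape on output, pick the function by where the value is going (text, attribute, URL, script), and keep the wp_kses() allow-list as small as the feature needs.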


CSRF

CSRF means cross-site request forgery. A browser attaches a site's cookies to every request it sends to that site, whether the request came from the user clicking a link there or from a hidden form or image tag on some unrelated page. The site cannot tell the difference, so if it treats any request that arrives with a valid session as a deliberate action, an attacker can make the victim's browser "do" things on the victim's behalf without the victim knowing. It's the proverbial trojan horse: the site inherently trusts that the user's browser is doing something the user meant, and a forged request rides the coat tails of that trust and is granted whatever the user would be granted.

A simple (hypothetical, does not actually exist) example would be an authenticated WordPress user with admin privileges being tricked into visiting a page that silently submits a request as that user, so that admin privileges end up transferred to the attacker. WordPress defends against this with nonces: tokens tied to the current user, a specific action and a time window, which a forged request from another site cannot supply. We've seen this kind of attack on Facebook and Twitter before, where a single click spread messages across Facebook walls or via Twitter DM.
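To make the defence concrete, here is an added example (not from the original post and not WordPress core code) of a hypothetical plugin action in its forgeable and its nonce-protected form. The example_ function names, the page slug and the nonce action names are invented; wp_nonce_url(), check_admin_referer(), current_user_can() and wp_delete_user() are real WordPress functions.

```php
<?php
// Added example (not from the original post). A hypothetical admin page
// that deletes a user. Names prefixed example_ are this example's own.

// Vulnerable (not hooked anywhere): any page that makes the admin's
// browser request
//   /wp-admin/admin.php?page=example-users&action=delete&user=7
// succeeds, because the browser sends the logged-in cookie on its own.
function example_handle_delete_vulnerable() {
    if ( isset( $_GET['action'] ) && 'delete' === $_GET['action'] ) {
        wp_delete_user( (int) $_GET['user'] );
    }
}

// Fixed, step 1: every link that changes state carries a nonce bound to
// this action and this user ID.
function example_delete_link( $user_id ) {
    $user_id = (int) $user_id;
    $url = admin_url( 'admin.php?page=example-users&action=delete&user=' . $user_id );
    return wp_nonce_url( $url, 'example-delete-user_' . $user_id );
}

// Fixed, step 2: the handler refuses anything without a valid nonce, and
// still checks the capability. A nonce proves intent, not permission.
function example_handle_delete_fixed() {
    if ( ! isset( $_GET['action'] ) || 'delete' !== $_GET['action'] ) {
        return;
    }
    $user_id = (int) $_GET['user'];

    // Dies with "Are you sure you want to do this?" when the _wpnonce
    // parameter is missing, expired, or was issued for another action/user.
    check_admin_referer( 'example-delete-user_' . $user_id );

    if ( ! current_user_can( 'delete_users' ) ) {
        wp_die( 'You do not have permission to do that.' );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here
    wp_delete_user( $user_id );
}
add_action( 'admin_init', 'example_handle_delete_fixed' );
```

For a form rather than a link, the equivalent pair is wp_nonce_field() in the form and the same check_admin_referer() call in the handler; either way the request has to carry a value only a page rendered for that user on that site could contain.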

SQL Injection

SQL injection is an attack in which input that was meant to be data (a search term, an ID in a URL, a form field) is pasted into a SQL query as code, so the attacker's text becomes part of the statement and can read, alter, modify or even delete whatever the application's database account can reach. It is not rare: it remains one of the most common web application vulnerabilities, usually in custom plugin or theme code rather than in the platform itself. Frameworks and platforms like WordPress and Drupal reduce the risk by giving developers a safe way to build queries. In WordPress, that is the prepare() method of the database class ($wpdb), which takes a query containing %d and %s placeholders and fills the values in escaped. It prevents injection only where it is actually used, and only for values; table and column names cannot be placeholders and still have to be validated separately.
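As an added example (not from the original post, and not core code), here is a query written with string interpolation beside the same query written with $wpdb->prepare(), plus the identifier case that prepare() cannot cover. $wpdb and its posts table are real; the request parameters are constructed for illustration.

```php
<?php
// Added example (not from the original post). $wpdb is WordPress's
// database object; $wpdb->posts expands to the prefixed posts table.
global $wpdb;

$author = isset( $_GET['author'] ) ? $_GET['author'] : '0';   // attacker-controlled

// Vulnerable: the value is concatenated into the statement, so an input of
//   0 OR 1=1
// returns every post, and an input containing a quote or a semicolon can
// change the statement further.
$rows = $wpdb->get_results(
    "SELECT ID, post_title FROM $wpdb->posts WHERE post_author = $author AND post_status = 'publish'"
);

// Fixed: prepare() formats the placeholders itself. %d casts to an
// integer, %s is escaped and quoted, so the input can only ever be
// compared, never parsed as SQL.
$rows = $wpdb->get_results( $wpdb->prepare(
    "SELECT ID, post_title FROM $wpdb->posts WHERE post_author = %d AND post_status = %s",
    $author,
    'publish'
) );

// prepare() only parameterizes values. A column name in ORDER BY is an
// identifier, which no placeholder can express, so it must be checked
// against a fixed list before it goes anywhere near the query.
$orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'post_date';
if ( ! in_array( $orderby, array( 'post_date', 'post_title', 'ID' ), true ) ) {
    $orderby = 'post_date';
}
$rows = $wpdb->get_results( $wpdb->prepare(
    "SELECT ID, post_title FROM $wpdb->posts WHERE post_author = %d ORDER BY $orderby LIMIT %d",
    $author,
    10
) );
```

The habit to build: any time a variable appears inside a query string, it is either a %d/%s placeholder argument or something you have just checked against a whitelist. Anything else is an injection waiting for the right input.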

0Day Vulnerabilities

A 0day (that is zero, not "oh") is a vulnerability that is being exploited, or is publicly known, before the developer has a fix available: the developer has had zero days to respond. Many security researchers practise coordinated disclosure instead. They report a newly discovered hole privately to the web application developers, work with them to close it, and publish the details only after the fix has shipped. A 0day is the case where that process did not happen, or where an attacker got there first, so users have no patch to apply and can only mitigate until one exists.

Denial of Service/(D)DoS

(D)DoS is a (Distributed) Denial of Service attack. A denial-of-service attack makes a site unavailable, most commonly by flooding it with more traffic or requests than it can handle until it stops responding or falls over. If the attack comes from a single source it's a DoS; if it comes from many sources at once (typically a botnet of compromised machines), it is a DDoS, which is much harder to block because there is no single address to filter out.

Obviously, there are many aspects of security. We could go way complicated on terminology and concepts, but these are some of the basics you should know when you see something about a vulnerability.

Photo Credit: heathbrandon

10 Things You Need to Know About WordPress 3.1

Happy New Year, everyone. WordPress development on version 3.1 is wrapping up (it's currently in Release Candidate and should be released early in 2011), which means it's time for another edition of our 10 Things You Need to Know About posts.

This is a bigger release than was originally planned. It was supposed to stay small and set the stage for a larger WordPress 3.2 release later in the year. That release will require PHP 5.2 (make sure your host supports it now; we do at WP Engine). WP 3.1 did turn into a larger release than expected, but I think you'll be happy. So, without further ado.

Network Admin

If you're running WordPress in Multisite mode, or have used WordPress MU for a while, you may be alarmed by the conspicuous absence of the Site Admin/Super Admin menu that used to sit at the top of the admin menu. Never fear: it has not gone the way of the dodo, it has been relocated to a separate dashboard reachable from the new "Network Admin" link in the top right of the WordPress admin. Clicking that link takes you to a dedicated dashboard for network management, and the link then changes to "Site Admin" for a quick way back into the normal WordPress admin. As with the old Super Admin menu, the link is only shown to (and, by extension, the area only accessible to) users who have been designated as Super Admins. The split gives a cleaner separation between content production and administration: individual blogs (Sites) are managed in their own admin, and the Network is managed separately.

Post Formats

Perhaps the most talked about feature in WordPress 3.1 is post formats. Post formats have been implemented in a variety of ways for years. The idea that some content is different (and should be rendered differently as a result) goes way back. A prime example was the concept of "Asides": little blurbs that were often simply links or short posts that were off topic, not really worth a full blog post, or whatever. Now, with a bit of code in a theme's functions.php, you can enable any of nine formats: aside, chat, gallery, link, image, quote, status, video, or audio.

In this paradigm, theme developers can target specific CSS and layout structure to each of these post formats. This enables rich user experience and high quality layout without prejudice toward the most common type of content… text. If you aren’t sure what each of these types of content are, I refer you to the Post Formats section of the Codex which has a list.

In order to enable a theme with one or more of these formats, add the following line to the theme functions.php file:

add_theme_support( 'post-formats', array( 'aside', 'gallery' ) );

This line enables new UI in the post edit screen that allows you to designate a post with a specified format. For a thorough write-up on this new feature, go read the post format reference from my friend Lisa Sabin-Wilson.
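As an added example (not from the original post, and not a theme's own code), here is how a theme would register a few formats and then hand each post in the loop to a format-specific template part. The content-{format}.php file names are this example's choice; add_theme_support(), get_post_format(), get_template_part() and post_class() are the real functions.

```php
<?php
// Added example (not from the original post). In the theme's functions.php:
add_theme_support( 'post-formats', array( 'aside', 'gallery', 'quote' ) );

// In the theme's loop (index.php or similar). get_post_format() returns
// the format slug, or false for a standard post, so get_template_part()
// tries content-aside.php, content-gallery.php, content-quote.php and
// falls back to content.php when there is no format-specific file.
if ( have_posts() ) {
    while ( have_posts() ) {
        the_post();
        get_template_part( 'content', get_post_format() );
    }
}

// content-quote.php (example): the format decides the markup, and
// post_class() also emits a format-quote class on the wrapper so CSS can
// target the format without a separate template.
?>
<blockquote <?php post_class(); ?>>
    <?php the_content(); ?>
    <cite><?php the_title(); ?></cite>
</blockquote>
```

The point of the template-part split is that the format is data on the post, not markup in the post, so a theme can change how every quote on the site renders by editing one file.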

Internal Linking

Have you ever gone through the torturous process of adding links to your own site to a post you’re writing? You have to go find that post from a different tab or window, usually via search or scrolling through potentially pages of content to find exactly what you want? Yeah? Me too. As a result, WordPress has added Internal Linking as a feature to WordPress 3.1.

This feature, only available when using the Visual Text Editor, allows you to add a link as you always have, or choose from content that already exists on the same site. Yeah… that easy. Simply click the usual link button, then click the arrow to expand the "Link to Existing Content" section of the pop-up window. Pretty neat!

Import Overhaul

In advance of WordPress 3.2 and its PHP 5 requirement, here is another improvement that rewards WordPress users on PHP 5 hosts. The import routine has been rewritten from the ground up with efficiency in mind. The old importer parsed the WordPress export file (WXR, an XML format) with regular expressions, which scaled badly on large files.

Now, using native XML parsers, the importer can process files much more efficiently. Much like the file system transport API used by the one-click installer and upgrade routines, it goes through a series of checks to find the best XML parser available on the server, which amounts to progressive enhancement for PHP 5: it tries SimpleXML (PHP 5 only) first, then the XML Parser extension (available on PHP 4), and only if neither is enabled does it fall back to the old, antiquated regex parsing.

Editorial Comment: I was hoping for a rewrite for 3.2 to both the exporter and importer that would handle everything in JSON (a much more lightweight plain text file format), perhaps optionally, instead of XML. XML parsing by nature, regardless of SimpleXML or XML Parser, is quite expensive in terms of CPU cycles and efficiency.

Theme Filter

Many bloggers are probably already familiar with a theme filter; WordPress 3.1 brings one into the theme installer. With Theme Filters, users are able to quickly drill down on possible themes to install and use based on criteria such as number of columns, features, etc. To access this, simply click on the Feature Filter on the right side of the themes page to display all the options that are available. Note for theme developers: in order to make this useful for bloggers, please ensure that your theme style sheet header includes a Tags header similar to this:

Tags: white, yellow, light, one-column, two-columns, fixed-width, custom-colors, custom-header, custom-background

Advanced Taxonomy and Postmeta Queries

WordPress wouldn't be complete without enhancements for developers as well. In WordPress 3.1, developers get powerful new features for robust querying of both taxonomies and postmeta. In previous versions, WP_Query (and therefore the Loop) could only narrow posts by a single meta_key=foo or meta_value=bar.

The problem was that more granular targeting (for instance, only posts that have meta_key=foo above some number AND meta_key=bar within a set of values) was not possible in one query. Now it is. Replace meta_key and meta_value with meta_query and feed it an array of arrays, each containing any of key, value, compare (the comparison operator) and type (the data type used for the comparison). Each inner array becomes one condition, and a post must satisfy all of them, so the query drills down with as much granularity as you need.

$query = new WP_Query( array(
    'meta_query' => array(
        // first condition: foo is a number and at least 123
        array(
            'key'     => 'foo',
            'value'   => 123,
            'compare' => '>=',
            'type'    => 'NUMERIC'
        ),
        // second condition: foo2 is one of the listed values
        array(
            'key'     => 'foo2',
            'value'   => array( 'bar2', 'bar3' ),
            'compare' => 'IN'
        )
    )
) );

The same can be done with taxonomy queries. Instead of meta_query, however, use tax_query and instead of key, value, compare and type you would use taxonomy, terms, field and operator. Otto has a good explanation for that on his site.
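As an added example (not from the original post), here is a tax_query with two taxonomy conditions, combined with a meta_query in the same WP_Query call. The term IDs and slugs are made up; the argument names and the relation key are WP_Query's own.

```php
<?php
// Added example (not from the original post). Term slugs and the term ID
// 42 are invented for illustration.
$query = new WP_Query( array(
    'post_type' => 'post',
    'tax_query' => array(
        'relation' => 'AND',            // both taxonomy conditions must hold (AND is the default)
        array(
            'taxonomy' => 'category',
            'field'    => 'slug',       // match terms by slug ...
            'terms'    => array( 'security', 'wordpress' ),
            'operator' => 'IN',         // ... in either category
        ),
        array(
            'taxonomy' => 'post_tag',
            'field'    => 'term_id',    // ... or by term ID
            'terms'    => array( 42 ),
            'operator' => 'NOT IN',     // but not carrying this tag
        ),
    ),
    // tax_query and meta_query can be used together; the post must satisfy both.
    'meta_query' => array(
        array(
            'key'     => 'foo',
            'value'   => 123,
            'compare' => '>=',
            'type'    => 'NUMERIC',
        ),
    ),
) );

while ( $query->have_posts() ) {
    $query->the_post();
    echo '<li>' . esc_html( get_the_title() ) . '</li>';
}
wp_reset_postdata();   // restore the main loop's $post after a secondary query
```

Each inner array in tax_query maps one-to-one onto the meta_query fields described above: taxonomy plays the role of key, terms of value, field says how terms are identified, and operator (IN, NOT IN, AND) plays the role of compare.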

User Queries Overhauled and Simplified

Anyone who has done plugin development that needed access to users has had to deal with a hodge-podge of functions like get_userdatabylogin(), get_user_by_email(), etc. Not a lot of consistency, and definitely something that required frequent referencing of the code. Now, from the "Duh! Why didn't I think of that?" file, comes the get_users() function that simplifies that API. It is a thin wrapper around a more powerful class for user search and querying called WP_User_Query.

To leverage this new API, you simply pass an array of arguments to get_users() and it returns an array of user objects for the dataset retrieved. Arguments in the passed array can be:

  • blog_id – defaults to the ID of the current blog (always 1 when WordPress is in standard mode, but possibly another number in Multisite mode).
  • role – one of administrator, editor, author, contributor or subscriber (or any role a plugin has registered). Defaults to nothing.
  • meta_key – the usermeta key to compare on. Defaults to nothing.
  • meta_value – the usermeta value to compare against. Defaults to nothing.
  • meta_compare – the comparison operator for the usermeta check. Defaults to nothing, which means equality.
  • include – an array of user IDs to restrict the query to. If empty, all users are searched. By default, it's empty.
  • exclude – similar to include, this is an array of user IDs to leave out. By default, it's empty.
  • search – a search string. Which columns are searched depends on what the string looks like (an e-mail-like value is matched against user_email, otherwise user_login and user_nicename), and a leading or trailing * turns on wildcard matching on that side, so *max* matches anywhere in the column. By default, it's empty.
  • orderby – specifies which column the results should be sorted on. By default, it is 'login', which designates the user_login column.
  • order – ASC or DESC. By default, results are returned in ASC order.
  • offset – the number of records to skip in the resulting dataset. If set to 1, for instance, the first record is skipped and the results begin with the second. By default, this is empty.
  • number – how many records to return. By default, this is empty, meaning all matching records.
  • count_total – if true, WP_User_Query also counts all matching rows regardless of number and offset, available through its get_total() method for building pagination. WP_User_Query defaults this to true; get_users() turns it off because it only returns the result rows.
  • fields – which fields to return. By default, this is 'all', meaning whole user rows; passing a single column name such as 'ID' returns a flat array of that column instead.
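As an added example (not from the original post), here is one get_users() call that combines most of the arguments above, followed by the same query through WP_User_Query to get the total count that pagination needs. The usermeta key example_department and its value are made up; everything else is the real API.

```php
<?php
// Added example (not from the original post). Lists the second page of
// editors in the (invented) "news" department whose login or nicename
// contains "smith", newest registrations first.
function example_list_editors( $page = 1, $per_page = 20 ) {
    $args = array(
        'role'         => 'editor',
        'search'       => '*smith*',           // * on both sides: match anywhere in the column
        'meta_key'     => 'example_department', // invented usermeta key
        'meta_value'   => 'news',
        'meta_compare' => '=',
        'orderby'      => 'registered',        // the user_registered column
        'order'        => 'DESC',
        'number'       => $per_page,
        'offset'       => ( $page - 1 ) * $per_page,
        'fields'       => 'all',               // whole user rows; 'ID' would give a flat array of IDs
    );

    // get_users() returns only this page's rows (it forces count_total off).
    $users = get_users( $args );

    // For "page X of Y", run the same arguments through WP_User_Query with
    // count_total on and read the number of all matching rows from get_total().
    $query       = new WP_User_Query( array_merge( $args, array( 'count_total' => true ) ) );
    $total_pages = (int) ceil( $query->get_total() / $per_page );

    return array( 'users' => $users, 'total_pages' => $total_pages );
}

$result = example_list_editors( 2 );
foreach ( $result['users'] as $user ) {
    echo esc_html( $user->user_login ) . ' <' . esc_html( $user->user_email ) . ">\n";
}
echo 'Page 2 of ' . $result['total_pages'] . "\n";
```

Note the escaping on output even here: user_login and user_email are stored data, but anything a user could have typed is untrusted the moment it is printed into HTML.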

Admin Bar

For those of you who have been BuddyPress users, you'll be familiar with the admin bar. The Admin Bar is a toolbar that runs across the top of the site and gives users quick access to other parts of their blogs. That Admin Bar has now been brought into WordPress 3.1 as a user setting, so it can be turned on or off based on a preference in your user profile.
in your user profile.

In Multisite, the default is to show the admin bar both in wp-admin and on the front end. In standard mode, the admin bar is set to display only on the front end by default. The Admin Bar, by default, provides a User menu with quick links to the user profile and the dashboard and the ability to log out. There is also a My Sites drop-down menu in Multisite that gives users quick access to the blogs they can use. Other frequently used areas of the blog are reachable from the bar as well, and there are plenty of hooks and filters for plugin developers to add their own items.
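As an added example (not from the original post), here is a plugin adding a top-level item and a child item to the 3.1 admin bar through the admin_bar_menu action. The example_ names and the link targets are this example's own; the hook and the WP_Admin_Bar::add_menu() method are the real API.

```php
<?php
// Added example (not from the original post). The admin_bar_menu action
// hands plugins the WP_Admin_Bar instance; add_menu() takes an array with
// id, title, href and an optional parent id.
function example_admin_bar_links( $wp_admin_bar ) {
    // Only show the shortcut to users who can actually use the target screens.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return;
    }

    $wp_admin_bar->add_menu( array(
        'id'    => 'example-tools',             // invented item id
        'title' => 'Tools',
        'href'  => admin_url( 'tools.php' ),
    ) );

    $wp_admin_bar->add_menu( array(
        'parent' => 'example-tools',            // nests under the item above
        'id'     => 'example-import',
        'title'  => 'Import',
        'href'   => admin_url( 'import.php' ),
    ) );
}
// Late priority so the core items are already in place.
add_action( 'admin_bar_menu', 'example_admin_bar_links', 100 );
```

The capability check is the part worth copying: the bar renders on the front end for every logged-in user, so an item that links to an admin screen should only appear for users who are allowed to open it.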

Improvements to Custom Post Types

In WordPress 3.0, custom post types were introduced, and now they have been iterated on. For one, in WordPress 3.0 a custom post type could be declared, but a standard set of UI was always added to the admin menu. That UI consisted of an edit menu (called Posts for the standard Posts UI), Add New and, if custom taxonomies were assigned, Categories and Tags (or whatever those taxonomies were designated as).

Now, developers can add a show_in_menu argument when registering a post type, and designate which menu to display limited UI in. This allows for custom post types to be used with the flexibility of eliminating potentially unwanted UI that would clutter the menu. Andrew Nacin has a great writeup on admin menu changes with post types that is worth the read for any developer working in this area.

Related, when declaring a post type, you have traditionally had to pass an array of labels that designate a singular version of a name (i.e. Post vs Posts) as well as a common name (i.e. Posts). You can now add menu_name to that list of labels if you want to target a specific way of displaying the post type in the admin menu.

Finally, theme developers can now create template files named archive-{post_type}.php to give a post type its own archive template. This works together with the new has_archive argument to register_post_type(): set it to true (or to a slug) and WordPress serves an archive for the post type at that URL using archive-{post_type}.php, falling back to archive.php and then index.php. Inside that template, the usual have_posts() check tells you whether anything matched the query, so you can show a 404-ish or "nothing here yet" message when no content for the post type exists.
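As an added example (not from the original post), here is a post type registration that uses all three 3.1 additions from this section: show_in_menu, the menu_name label and has_archive. The "book" post type, its labels and the choice of the Tools menu are invented; the argument names are register_post_type()'s own.

```php
<?php
// Added example (not from the original post). Registers an invented "book"
// post type whose admin screens live under the Tools menu, with its own
// menu label and a public archive.
function example_register_book() {
    register_post_type( 'book', array(
        'labels' => array(
            'name'          => 'Books',
            'singular_name' => 'Book',
            'menu_name'     => 'Library',     // new in 3.1: text shown in the admin menu
        ),
        'public'       => true,
        'has_archive'  => true,               // new in 3.1: /book/ is served by archive-book.php
        'show_in_menu' => 'tools.php',        // new in 3.1: a top-level slug nests the UI there;
                                              // false registers the type with no menu at all
        'supports'     => array( 'title', 'editor', 'thumbnail' ),
        'rewrite'      => array( 'slug' => 'book' ),
    ) );
}
add_action( 'init', 'example_register_book' );

// archive-book.php in the theme (example): the empty case is just the
// else branch of have_posts().
?>
<?php if ( have_posts() ) : ?>
    <?php while ( have_posts() ) : the_post(); ?>
        <h2><a href="<?php the_permalink(); ?>"><?php the_title(); ?></a></h2>
    <?php endwhile; ?>
<?php else : ?>
    <p>No books have been published yet.</p>
<?php endif; ?>
```

After adding a post type with has_archive, visit Settings > Permalinks once (or call flush_rewrite_rules() on plugin activation) so the /book/ rewrite rule exists; until then the archive URL is a 404.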

Filterable Template Hierarchy

Speaking of template files, 3.1 also reworks how the list of candidate template files for a given type is built and chosen. The ticket behind the change uses the following example:

Take the author template hierarchy: author-{nicename}.php > author-{id}.php > author.php

Say I want to add author-{role}.php before author.php.

With an 'author_template_candidates' hook, I could manipulate the actual hierarchy.

What ships in 3.1 is a consolidated get_query_template() that takes the ordered array of candidates (author-{nicename}.php, author-{id}.php, author.php), locates the first one that exists in the theme and passes the result through the existing '{$type}_template' filter, so hooking 'author_template' lets a developer swap in a different file. A filter on the candidate list itself ('{$type}_template_hierarchy', as the ticket proposed) did not land in 3.1, so inserting author-{login} or author-{role} ahead of author.php is done by hooking 'author_template' and checking for your own file there. Pretty neat, if slightly less neat than the ticket title promises.
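Since the filter 3.1 actually provides is on the chosen path rather than on the candidate list, the ticket's "insert author-{role}.php before author.php" case looks like this in practice. This is an added example, not the ticket's patch or core code; the example_ prefix and the author-{role}.php naming are this example's own choice, while 'author_template', get_queried_object(), WP_User and locate_template() are the real API.

```php
<?php
// Added example (not from the original post). Only steps in once the
// hierarchy has fallen through to the generic author.php, so
// author-{nicename}.php and author-{id}.php keep their priority.
function example_author_role_template( $template ) {
    if ( 'author.php' !== basename( $template ) ) {
        return $template;
    }

    // On an author archive this is the queried user object (new in 3.1).
    $author = get_queried_object();
    if ( empty( $author->ID ) ) {
        return $template;
    }

    $user = new WP_User( $author->ID );
    foreach ( (array) $user->roles as $role ) {
        // sanitize_file_name() keeps a plugin-registered role name from
        // smuggling path separators into the template lookup.
        $candidate = locate_template( array( 'author-' . sanitize_file_name( $role ) . '.php' ) );
        if ( $candidate ) {
            return $candidate;   // e.g. wp-content/themes/mytheme/author-editor.php
        }
    }
    return $template;            // no role-specific file: keep author.php
}
add_filter( 'author_template', 'example_author_role_template' );
```

The same pattern works for any type the hierarchy knows about (category_template, single_template, page_template and so on): filter the located path, test for your own file with locate_template(), and fall through to the original otherwise.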


While WordPress 3.1 is not the biggest release in the history of WordPress major releases, it does add quite a few new toys for bloggers as well as developers. Remember, when upgrading, that you should, if you can, test your site in a development area before doing the upgrade. Plugins should most likely work, but you never know. And if something is broken, you can email me and, for a fee, I may be able to help you out.

Finally, the second edition of the WordPress Bible will be out sometime this spring and it does, in fact, cover WordPress 3.1. However, the 1st edition is available now and is a great resource if you’re trying to get under the hood. You can buy that today on Amazon.

Credit: Andrew Nacin (@nacin), a Core WordPress Developer, slapped me with a trout several times during the course of writing this article. While I take credit for the article, any inaccuracies are entirely his fault. ;-) #blamenacin

Ravens, Playoffs, Ho-hum

The Ravens have reached the playoffs in 7 of the last 10 years, an astounding number considering the strength of the AFC North (and Central, pre-2002) and the lack of offensive talent that has been the pattern of the team for most of those 10 years.

In this year, 2010, the Ravens are 11-4 with a game left to play. With only the 3-win Cincinnati Bengals remaining in the regular season, it’s a good assumption that the team will end the regular season 12-4. That number is important for two reasons:

  • 12-4 was the record of the 2000 Superbowl Ravens who snuck in as a wild-card only because, then-division rival Tennessee had a 13-3 record, and
  • Only one other playoff run has come off of a better record (2006 at 13-3)

But as a Baltimore fan who has the good fortune of supporting a team going into their third consecutive playoff appearance with a third-year head coach and a third-year quarterback, I feel a bit like an Atlanta Braves fan.

The Atlanta Braves visited the postseason 14 consecutive times from 1991-2005 (excluding the 1994 strike-shortened year) and it became “normal” to Atlanta baseball fans. So normal, in fact, that Atlanta homegames in the postseason were often not well attended. Braves fans expected the postseason!

Here’s the problem with the Braves Nation though. They expected the playoffs but didn’t expect to win. The reason was… they only won the World Series once (1995)!

Yesterday, with a workman-like victory over the Browns, Ravens nation should have been ecstatic to get to the playoffs. Imagine what is happening in Kansas City right now with a Chiefs playoff clinch? What would happen in Buffalo if that team, that is so close to being competitive, actually visited the dance?

To us, the playoffs are meh. We’ve been here. We’ve done that. We’ve won division titles. We’ve made it as a wildcard team. We even won a Superbowl.

But we need another Superbowl. Soon. I can sympathize a bit with the Eagles who made it to the dance so many times in the middle of last decade, but struggled to reach the ultimate game (or win it).

I love the fact we’re in the playoffs but you’re going to have to give me more to get excited about because right now, it looks like a cliché road to the playoffs with another cliché cast of characters. It looks like the road, for Baltimore, will go through Indianapolis, Pittsburgh and New England… We’ve seen this story before. I need a different result.

Best Photo of 2010

I can’t believe I’ve only posted one entry on this blog since last year when I asked you to vote for my best photo of 2009. C’est la vie, I suppose. Maybe I’ll do better in 2011.

Anyways… since we’re coming up on the end of the year, I’ll ask again… Whichever photo you choose, I’ll have printed and hang in my apartment. What was my best photo of 2010? :)

An Austin Food Wagon

USS Arizona Memorial

Under the Texas Sky

Sunset at the Oasis, Lake Travis

Best Internet Memes of 2010

Pants on the Ground

January came in with a roar with American Idol auditions. In one audition, General Larry Platt sang a ridiculous song, "Pants on the Ground". See the original audition below:

This spawned remixes, covers and even Brett Favre firing up the Minnesota Vikings after winning the NFC Divisional game.

I’m on a Horse

The Old Spice commercial that took the internet by storm because… well, because it was so damn ridiculously funny. The man behind the I’m on a horse commercial is none other than Twitter user @isaiahmustafa.

Funny stuff.

The meme continued when Old Spice did an Old Spice Questions series on YouTube where Isaiah Mustafa took questions from Twitter users and answered them on YouTube.

After Isaiah Mustafa stepped down as the Old Spice spokesman, Baltimore Ravens linebacker Ray Lewis stepped in with some hilarity of his own.


@BPGlobalPR

Leroy Stick (a fake name) began the Twitter account @BPGlobalPR after watching for over a month as BP public relations people spun nonsense to the general public and the government following the catastrophic oil spill in the Gulf of Mexico. The account served several purposes. For one, it helped us laugh when he put out content like these:

The second purpose it served was to draw attention to the horrible way BP managed its reputation and brand. At the TEDxOilSpill event, Stick was quoted as saying, "Having a brand means you stand for something. If you lie, then lying is your brand."

This account easily became the most retweeted account of 2010, and it's devastating in its satirical impact.

Double Rainbow

The Double Rainbow Meme was hilarious in its own right. A guy in Yosemite National Park witnessed a double rainbow and proceeds to cry, weep, squeal and ask, “What’s it mean?” on video. The video was shared across the internet and even remixed into an autotuned song.

You’re Holding it Wrong

With the release of the iPhone 4, users complained about lack of reception and dropped calls. In an extraordinary press conference shortly after the release of the phone, Apple CEO Steve Jobs commented on how, if the phone was held a certain way, it would interfere with the built-in antenna. This was echoed by Apple and AT&T Support technicians and the phrase, “You’re holding it wrong” was adopted by the masses.

You’re holding it wrong also became a euphemism for other hilarity throughout 2010.

Journos Go All Capitalistic on Wikileaks

Since the release of the State Department cables by Wikileaks, I’ve sat back and watched as the journalism world has gone through convulsions about the morality of capitalizing on these secrets.

It’s been a fascinating, and illuminating, charade. As the fourth estate, the media would like to portray themselves as an unbiased, objective entity that maintains balance in society. Yet, inherently, the media is just as guilty of self-interest as anyone else in this whole mess.

Yes, the State Department specifically, and the United States (and maybe other) governments would like to keep the lid on the memos. They see their credibility in talking with other nations on the line.

Julian Assange sees this, as pointed out in the great piece by zunguzungu, where Assange is quoted as saying:

Authoritarian regimes give rise to forces which oppose them by pushing against the individual and collective will to freedom, truth and self-realization. Plans which assist authoritarian rule, once discovered, induce resistance. Hence these plans are concealed by successful authoritarian powers. This is enough to define their behavior as conspiratorial.

Assange sees a world where transparent and open government subvert the power and authority of the same government and so there is a natural tendency (he calls it conspiracy) to hide what happens inside.

I agree that this dichotomy exists in some areas of government, but the diplomatic cables are common sense – for all involved. Keep them hidden as there is a potential that revelation can increase safety risks, decrease operational security and reduce negotiation power. Successful negotiations derive from a position of power and everyone knows this. This is not something that amounts to some great conspiracy.

Meanwhile, the media is on the sideline, their power usurped from this rogue operative with a rogue website. Instead of the New York Times or Washington Post benefitting from the receipt of leaked information as has been the case in their traditional past (see Watergate), an upstart “news organization” is stealing their thunder. Sure the Times and a variety of other media outlets were given the data eventually, but the arbiter of information was no longer them.

While the media wrings their hands over a contrived battle between the morality of publishing leaked, national security documents and preservation of national secrets, the bigger capitalistic battle is happening and that overshadows journalistic sense of responsibility.

The ability to be first is being tainted here. While Wikileaks promises to distribute new information to news organizations, acting as a benevolent dictator, those news organizations are abdicating their responsibilities simply to make sure they get some crumbs from Assange's table.

No one, certainly, is suggesting that news outlets should become a lap-dog of the government, as I have heard tossed around, bowing to its every will and whim. Certainly not, lest we live in a Communist system. However, the media is expected to operate in a suitably responsible way.

In this case, the media knows that they are on the outs. In a last gasp of industry-pride, they have sacrificed themselves in a last-ditch effort to remain relevant. Put in another way, they have come to serve themselves instead of the people they exist to serve.

Of course, this hasn't happened overnight. No, in fact, many years of budget cuts, acquisitions, mergers and staff reductions have caused the media industry to alter how it operates and approaches stories. It's less likely that you'll have a Bob Woodward and Carl Bernstein hitting the trenches to uncover a conspiracy so deep that it reaches the President of the United States. No, that would require far more time and resources, and frankly better reporters, than exist in today's media.

So, with not a thought for their forefathers, the media of the 21st century make decisions about national security to protect their own industry rather than serve the constituents who consume their journalism every day. I wish it weren't so.

Photo by Photoserra