I had all plugins disabled, except Akismet. I'm running RC1 & did an automatic upgrade last night & today.
I removed all of the ping services and it worked! They were located in the "writing" settings. Oddly, they are the same list of services I had been using successfully for months in 2.6.5 & earlier. I use a list I found somewhere:

http://api.moreover.com/ping
http://api.my.yahoo.com/rss/ping
http://blogsearch.google.com/ping/RPC2
http://ping.bitacoras.com
http://ping.feedburner.com
http://ping.syndic8.com/xmlrpc.php
http://rpc.blogrolling.com/pinger/
http://rpc.icerocket.com:10080/
http://rpc.technorati.com/rpc/ping
http://rpc.weblogs.com/RPC2
http://topicexchange.com/RPC2
http://www.blogdigger.com/RPC2
http://www.blogoole.com/ping/
http://www.popdex.com/addsite.php
http://www.wasalive.com/ping/
http://www.weblogues.com/RPC/
http://blogping.unidatum.com/RPC2/

Guess one or more may be bad? Anyone care to share the list they are using & I'll doublecheck. For now, I've removed all ping services.

Thnx Hayes ;)

--
Mark Rodriguez

---------------------------------------------------------------------------------------------------
E-mail = [EMAIL PROTECTED]
Website = http://mrod411.com
RSS = http://friendfeed.com/mrod411?format=atom
---------------------------------------------------------------------------------------------------

On Tue, Dec 2, 2008 at 12:54 PM, <[EMAIL PROTECTED]> wrote:
> Send wp-testers mailing list submissions to
>     [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     http://lists.automattic.com/mailman/listinfo/wp-testers
> or, via email, send a message with subject or body 'help' to
>     [EMAIL PROTECTED]
>
> You can reach the person managing the list at
>     [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of wp-testers digest..."
>
> Today's Topics:
>
>    1. Re: Hanging after "Publish" (Mark Rodriguez)
>    2. Re: Re: Bugs/Fixes, Security Requests (Otto)
>    3. Re: Re: Hanging after "Publish" (Hayes Potter)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 2 Dec 2008 12:41:54 -0500
> From: "Mark Rodriguez" <[EMAIL PROTECTED]>
> Subject: [wp-testers] Re: Hanging after "Publish"
> To: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I was hoping you inspired a variable. While my posts weren't large,
> they did have linked images. I just did two tests. I created a new
> post with just text - one word to be exact. It still sat there
> "Waiting for mrod411.com..." yet posted successfully when I checked in
> a new Firefox tab.
>
> The second test was using the quickpress feature, which worked fine.
>
> --
> Mark Rodriguez
>
> ---------------------------------------------------------------------------------------------------
> E-mail = [EMAIL PROTECTED]
> Website = http://mrod411.com
> RSS = http://friendfeed.com/mrod411?format=atom
> ---------------------------------------------------------------------------------------------------
>
> On Tue, Dec 2, 2008 at 12:26 PM, <[EMAIL PROTECTED]> wrote:
>> Send wp-testers mailing list submissions to
>>     [email protected]
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>>     http://lists.automattic.com/mailman/listinfo/wp-testers
>> or, via email, send a message with subject or body 'help' to
>>     [EMAIL PROTECTED]
>>
>> You can reach the person managing the list at
>>     [EMAIL PROTECTED]
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of wp-testers digest..."
>>
>> Today's Topics:
>>
>>    1. Re: How long does the Auto Update take? (Kirk M)
>>    2. Re[2]: [wp-testers] How long does the Auto Update take?
>>       (Jason Gottschalk)
>>    3. Re: Re: Bugs/Fixes, Security Requests (g30rg3_x)
>>    4. Re: How long does the Auto Update take? (Chris Moody)
>>    5. Hanging after "Publish" (Mark Rodriguez)
>>    6. Re: Hanging after "Publish" (Paleo Pat)
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Tue, 02 Dec 2008 08:34:55 -0500
>> From: Kirk M <[EMAIL PROTECTED]>
>> Subject: Re: [wp-testers] How long does the Auto Update take?
>> To: [email protected]
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset=ISO-8859-15; format=flowed
>>
>> Just as an example:
>>
>> I have low end DSL (128k up/768k down), a Bluehost shared server and
>> auto update takes anywhere between 5 to 10 seconds depending on how many
>> files have changed and the load on the server at the time. I'm also
>> running PHP 5.2.6 (fastCGI). And are you deactivating all your plugins
>> before you attempt an update? Also, what PHP version are you running and
>> your connection speed? I know, stupid checks but it's always worth it.
>>
>> On 12/2/2008 1:07 AM, Jason Gottschalk wrote:
>>> Hello Chris,
>>>
>>> 20 minutes on the first try tonight, I gave up.
>>>
>>> Went back and it ran 25 minutes then gave an error, it couldn't write
>>> wp-trackback.php.
>>>
>>> Tried a third time (no changes) and it finished in 30 minutes, successfully.
>>>
>>> Phew..... I was getting nervous!
>>>
>>> Tuesday, December 2, 2008, 12:50:28 AM, you wrote:
>>> Chris> Jason Gottschalk wrote:
>>>
>>>>> Hello Wp-testers,
>>>>>
>>>>> Auto update is taking forever for me. I cannot tell what it is doing,
>>>>> seems like it is not doing anything. I usually give up and move on. I
>>>>> can't tell if actually updates anything or not.
>>>>>
>>> Chris> It has been telling me it's completed in about 2 minutes or so I think.
>>> Chris> Maybe faster...
>>> Chris> _______________________________________________
>>> Chris> wp-testers mailing list
>>> Chris> [email protected]
>>> Chris> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Tue, 2 Dec 2008 09:35:12 -0500
>> From: Jason Gottschalk <[EMAIL PROTECTED]>
>> Subject: Re[2]: [wp-testers] How long does the Auto Update take?
>> To: Kirk M <[email protected]>
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset=iso-8859-15
>>
>> Hello Kirk,
>>
>> "Depending on how many..." I thought this might be it since I had not had a
>> successful update in weeks.
>>
>> I tried an update this morning, after a successful run last night on the
>> third try, but it too failed on the "cannot copy wp-trackback.php" error.
>>
>> I have not been deactivating any plugins (I have one)
>> PHP version is: 5.2.4
>>
>> GET THIS...... :)
>>
>> I have determined that I get this error *every other time* I run the update:
>> (and it doesn't seem to matter if I deactivate the plug-ins.)
>>
>> Downloading update from
>> http://wordpress.org/nightly-builds/wordpress-latest.zip
>> Unpacking the core update
>> Could not copy file:
>> /public_html/wp-content/upgrade/core/wordpress/wp-trackback.php
>> Installation Failed
>>
>> Tuesday, December 2, 2008, 8:34:55 AM, you wrote:
>> Kirk> Just as an example:
>>
>> Kirk> I have low end DSL (128k up/768k down), a Bluehost shared server and
>> Kirk> auto update takes anywhere between 5 to 10 seconds depending on how many
>> Kirk> files have changed and the load on the server at the time. I'm also
>> Kirk> running PHP 5.2.6 (fastCGI). And are you deactivating all your plugins
>> Kirk> before you attempt an update? Also, what PHP version are you running and
>> Kirk> your connection speed? I know, stupid checks but it's always worth it.
>>
>> Kirk> On 12/2/2008 1:07 AM, Jason Gottschalk wrote:
>>>> Hello Chris,
>>
>>>> 20 minutes on the first try tonight, I gave up.
>>
>>>> Went back and it ran 25 minutes then gave an error, it couldn't write
>>>> wp-trackback.php.
>>
>>>> Tried a third time (no changes) and it finished in 30 minutes,
>>>> successfully.
>>
>>>> Phew..... I was getting nervous!
>>
>>>> Tuesday, December 2, 2008, 12:50:28 AM, you wrote:
>>>> Chris> Jason Gottschalk wrote:
>>>>
>>>>>> Hello Wp-testers,
>>>>>>
>>>>>> Auto update is taking forever for me. I cannot tell what it is doing,
>>>>>> seems like it is not doing anything. I usually give up and move on. I
>>>>>> can't tell if actually updates anything or not.
>>>>>>
>>>> Chris> It has been telling me it's completed in about 2 minutes or so I think.
>>>> Chris> Maybe faster...
>>>> Chris> _______________________________________________
>>>> Chris> wp-testers mailing list
>>>> Chris> [email protected]
>>>> Chris> http://lists.automattic.com/mailman/listinfo/wp-testers
>>
>> Kirk> _______________________________________________
>> Kirk> wp-testers mailing list
>> Kirk> [email protected]
>> Kirk> http://lists.automattic.com/mailman/listinfo/wp-testers
>>
>> --
>> Best regards,
>> Jason Gottschalk mailto:[EMAIL PROTECTED]
>> SYO Computer Services and Biometric Controls
>> 586-286-2557
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Tue, 2 Dec 2008 09:41:38 -0600
>> From: g30rg3_x <[EMAIL PROTECTED]>
>> Subject: Re: [wp-testers] Re: Bugs/Fixes, Security Requests
>> To: [email protected]
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset=UTF-8
>>
>> Well about the Security Requests...
>>
>> I have been trying to promote this idea/change since almost 2 years[1]
>> but even if we change the perspective of the problem this change isn't
>> going to happen... even that exist a variation of the version
>> enumeration[2] (introduced in milestone 2.6) that makes every
>> plugin-based solution totally ineffective (example[3]).
>>
>> As for user enumeration on login, well you can still hide those
>> messages through the login_errors filter but you can still enumerate
>> users via /author/<username>, which can also be prevented by changing
>> (directly in the DB) the user_nicename to something different to the
>> user_login.
>>
>> As an example: I have my own personal/private plugin which contains
>> all this changes (plus one more), you can view it here[4], as you can
>> see is fairly simple what the plugin does, just as remind about the
>> version hidden: it's changed only inside the admin panel so in order to
>> fully work you would need to first change the version number on
>> wp-includes/version.php to something different to real version.
>>
>> However I must notice that this modifications won't enhance your
>> wordpress-based site security, they would make just the exploitation
>> of _critical_ vulnerability more hard (but just a little), a good
>> cracker can still be very dangerous even if you hide your version and
>> other sensitive information, so the best advice is always keep up to
>> date your WordPress based-site.
>>
>> Regards
>>
>> [1] http://trac.wordpress.org/ticket/4155
>> [2] http://trac.wordpress.org/ticket/7545
>> [3] http://activeblogging.com/wp-admin/gears-manifest.php
>> [4] http://paste.ideaslabs.com/show/xgJhcf4a0g
>>
>> 2008/12/1 Jacob Santos <[EMAIL PROTECTED]>:
>>> See reply below previous messages.
>>>
>>> Admin wrote:
>>>>
>>>> Hi - I'm sorry I'm a bit late to this list, but I encountered some bugs
>>>> (w/fixes) in the code - hope it's not too late to add them. As well, I had
>>>> some security requests:
>>>>
>>>> Bugfix:
>>>> -------
>>>> "Warning: Cannot modify header information - headers already sent by..."
>>>>
>>>> Caused on windows/apache install, when starting with no wp-config.php file
>>>> - auto-creating it adds spaces at end, which gives this message (first
>>>> visible during the install pages). The fix is to change this line
>>>> 158@/wp-admin/setup-config.php to add +b for binary:
>>>>
>>>> $handle = fopen('../wp-config.php', 'w+b');
>>>>
>>>> this prevents the function from defaulting to text format, and inserting
>>>> the extra lines (tested)
>>>
>>> I don't think writing text is binary, but okay. It isn't about that, as it
>>> is about the new line character. I've been using the
>>> wp-admin/setup-config.php and not once has it created an extra newline where
>>> it shouldn't. Would be nice to do it, if it works and fixes the problem.
>>>
>>>> Security Request:
>>>> -----------------
>>>> Remove the generator meta display in themes when called by wp_head(),
>>>> which is the hook set at line 173@/wp-includes/default-filters.php:
>>>>
>>>> add_action('wp_head', 'wp_generator');
>>>>
>>>> Although it can be removed in the theme or via plugin (I did a blog post
>>>> at
>>>> http://activeblogging.com/info/wordpress-security-version-numbers-and-themes/
>>>> explaining how), broadcasting the version by default seems a bad idea - an
>>>> easy way for a spam program to patrol for older installs (or zero day
>>>> exploits).
>>>
>>> Like you said, you can already remove it. That was the reason it was added
>>> as to the filter as opposed to being hard coded. Well, one of the reasons.
>>>
>>>> Request:
>>>> --------
>>>> Add non-indexing code to the login page to keep it out of indexes - it
>>>> doesn't help search results, and exposes details of the site to casual
>>>> viewers. To solve, you can insert this around about line [EMAIL PROTECTED]:
>>>>
>>>> <meta name='robots' content='noindex,nofollow' />
>>>
>>> Well, you could probably do this using a plugin as well. Also you can add it
>>> to the robots.txt file for good measure.
>>>
>>>> Security Request:
>>>> -----------------
>>>> While a bit more involved, the security for the login page reveals a lot
>>>> of information - if I enter a correct user name but bad password, it tells
>>>> me; if I enter an invalid user name, it tells me. It might be a good idea to
>>>> replace the specific messages with generic ones - eg "error: incorrect
>>>> password or invalid username." This makes fishing for information less
>>>> useful (for example, guessing user names and checking the message to see if
>>>> they exist). The error strings involved all have ">ERROR<" in them, in
>>>> wp-login.php
>>>
>>> This horse has already been beaten to death, risen from the dead and then set
>>> on fire to prevent the zombie from coming back. The reason for it (from what
>>> I can remember from past discussions) are 1) security through obscurity
>>> usually isn't and 2) It is very helpful when you've forgotten both your
>>> username and password and don't have immediate or any access to the database
>>> tables.
>>>
>>>> Misc:
>>>> -----
>>>> While fixing the generator metatag issue, I read the documentation at
>>>> http://codex.wordpress.org/Function_Reference/remove_action that:
>>>>
>>>> "To remove a hook, the $function_to_remove and $priority arguments must
>>>> match when the hook was added...No warning will be given on removal
>>>> failure."
>>>>
>>>> While not a problem in my case, it means that if later on you change the
>>>> priority of an action added, other code with remove actions will fail
>>>> silently (unless they are updated to the same priority). This could be an
>>>> unnecessary maintenance issue in the future. Perhaps a function could be
>>>> exposed allowing ALL occurrences of the action function, regardless of
>>>> priority, to be removed. I'd be happy to submit one if no one has time to
>>>> write it.
>>>
>>> It is never going to change. You have no need to worry.
>>>
>>> Jacob Santos
>>>
>>> _______________________________________________
>>> wp-testers mailing list
>>> [email protected]
>>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>
>>
>> --
>> _________________________
>> g30rg3_x
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Tue, 02 Dec 2008 08:46:33 -0800
>> From: Chris Moody <[EMAIL PROTECTED]>
>> Subject: Re: [wp-testers] How long does the Auto Update take?
>> To: [email protected]
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset=ISO-8859-15; format=flowed
>>
>> Perhaps it's your host? Are you able to upgrade plugins automatically? Or
>> do you have the same issue?
>>
>> Jason Gottschalk wrote:
>>> Hello Kirk,
>>>
>>> "Depending on how many..." I thought this might be it since I had not had a
>>> successful update in weeks.
>>>
>>> I tried an update this morning, after a successful run last night on the
>>> third try, but it too failed on the "cannot copy wp-trackback.php" error.
>>>
>>> I have not been deactivating any plugins (I have one)
>>> PHP version is: 5.2.4
>>>
>>> GET THIS...... :)
>>>
>>> I have determined that I get this error *every other time* I run the update:
>>> (and it doesn't seem to matter if I deactivate the plug-ins.)
>>>
>>> Downloading update from
>>> http://wordpress.org/nightly-builds/wordpress-latest.zip
>>> Unpacking the core update
>>> Could not copy file:
>>> /public_html/wp-content/upgrade/core/wordpress/wp-trackback.php
>>> Installation Failed
>>>
>>> Tuesday, December 2, 2008, 8:34:55 AM, you wrote:
>>> Kirk> Just as an example:
>>>
>>> Kirk> I have low end DSL (128k up/768k down), a Bluehost shared server and
>>> Kirk> auto update takes anywhere between 5 to 10 seconds depending on how many
>>> Kirk> files have changed and the load on the server at the time. I'm also
>>> Kirk> running PHP 5.2.6 (fastCGI). And are you deactivating all your plugins
>>> Kirk> before you attempt an update? Also, what PHP version are you running and
>>> Kirk> your connection speed? I know, stupid checks but it's always worth it.
>>>
>>> Kirk> On 12/2/2008 1:07 AM, Jason Gottschalk wrote:
>>>
>>>>> Hello Chris,
>>>>>
>>>>> 20 minutes on the first try tonight, I gave up.
>>>>>
>>>>> Went back and it ran 25 minutes then gave an error, it couldn't write
>>>>> wp-trackback.php.
>>>>>
>>>>> Tried a third time (no changes) and it finished in 30 minutes,
>>>>> successfully.
>>>>>
>>>>> Phew..... I was getting nervous!
>>>>>
>>>>> Tuesday, December 2, 2008, 12:50:28 AM, you wrote:
>>>>> Chris> Jason Gottschalk wrote:
>>>>>
>>>>>>> Hello Wp-testers,
>>>>>>>
>>>>>>> Auto update is taking forever for me. I cannot tell what it is
>>>>>>> doing, seems like it is not doing anything. I usually give up and move
>>>>>>> on. I can't tell if actually updates anything or not.
>>>>>>>
>>>>> Chris> It has been telling me it's completed in about 2 minutes or so I think.
>>>>> Chris> Maybe faster...
>>>>> Chris> _______________________________________________
>>>>> Chris> wp-testers mailing list
>>>>> Chris> [email protected]
>>>>> Chris> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>>>
>>> Kirk> _______________________________________________
>>> Kirk> wp-testers mailing list
>>> Kirk> [email protected]
>>> Kirk> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>
>>
>> ------------------------------
>>
>> Message: 5
>> Date: Tue, 2 Dec 2008 12:06:57 -0500
>> From: "Mark Rodriguez" <[EMAIL PROTECTED]>
>> Subject: [wp-testers] Hanging after "Publish"
>> To: [email protected]
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Is anyone experiencing hanging after pressing the "publish" button? My
>> post successfully posts, but I need to navigate away from the edit
>> page, after hitting publish.
>>
>> It started after upgrading to RC1 from 2.6.5.
>>
>> I have all plugins disabled, minus the spam catcher.
>>
>> I've tried different themes.
>>
>> Is this a known issue? I'm new to this list, so if there is an online
>> resource for known issues, point the way & I'll follow :) Thanks for
>> the help!
>>
>> --
>> Mark Rodriguez
>>
>> ---------------------------------------------------------------------------------------------------
>> E-mail = [EMAIL PROTECTED]
>> Website = http://mrod411.com
>> RSS = http://friendfeed.com/mrod411?format=atom
>> ---------------------------------------------------------------------------------------------------
>>
>> ------------------------------
>>
>> Message: 6
>> Date: Tue, 2 Dec 2008 12:26:18 -0500
>> From: "Paleo Pat" <[EMAIL PROTECTED]>
>> Subject: Re: [wp-testers] Hanging after "Publish"
>> To: [email protected]
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset=UTF-8
>>
>> Only time it happens with me is when I write a very long posting. I've
>> mentioned it before. It doesn't happen all the time. So, it's kind of
>> hard to replicate.
>>
>> -Paleo Pat
>> http://www.politicalbyline.com
>>
>> On Tue, Dec 2, 2008 at 12:06 PM, Mark Rodriguez <[EMAIL PROTECTED]> wrote:
>>> Is anyone experiencing hanging after pressing the "publish" button? My
>>> post successfully posts, but I need to navigate away from the edit
>>> page, after hitting publish.
>>>
>>> It started after upgrading to RC1 from 2.6.5.
>>>
>>> I have all plugins disabled, minus the spam catcher.
>>>
>>> I've tried different themes.
>>>
>>> Is this a known issue? I'm new to this list, so if there is an online
>>> resource for known issues, point the way & I'll follow :) Thanks for
>>> the help!
>>>
>>> --
>>> Mark Rodriguez
>>>
>>> ---------------------------------------------------------------------------------------------------
>>> E-mail = [EMAIL PROTECTED]
>>> Website = http://mrod411.com
>>> RSS = http://friendfeed.com/mrod411?format=atom
>>> ---------------------------------------------------------------------------------------------------
>>> _______________________________________________
>>> wp-testers mailing list
>>> [email protected]
>>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>
>>
>> ------------------------------
>>
>> _______________________________________________
>> wp-testers mailing list
>> [email protected]
>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>
>> End of wp-testers Digest, Vol 46, Issue 8
>> *****************************************
>>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 2 Dec 2008 11:53:35 -0600
> From: Otto <[EMAIL PROTECTED]>
> Subject: Re: [wp-testers] Re: Bugs/Fixes, Security Requests
> To: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Dec 2, 2008 at 9:41 AM, g30rg3_x <[EMAIL PROTECTED]> wrote:
>> However I must notice that this modifications won't enhance your
>> wordpress-based site security, they would make just the exploitation
>> of _critical_ vulnerability more hard (but just a little)
>
> I can see that this is a topic that just won't die with you, huh? I
> don't really know how to explain this in a way that will be fully
> understood here. I've tried before, but it's clearly not getting
> through. Let me take one final stab at it: Hiding the version number
> will not make the exploitation of a critical vulnerability harder. Not
> even a little bit. Really.
>
> Look at it from the point of view of an attacker. There's two possible
> scenarios to consider:
>
> Scenario 1: Cracker wants to exploit a lot of sites and stick his spam
> on them. This is the most common case.
>
> In this scenario, the cracker gets a big list of vulnerabilities, and
> spams them across every site he can find. When one of them strikes
> paydirt, the "load" is injected, which then goes and cracks every
> piece of software on that server possible. You see this a lot on
> shared hosting setups, once the exploit is performed, a script is
> loaded which searches all possible injection points on that server and
> writes his spam into everywhere it can find to do so. This infects
> many more sites on that server with the link spam, and causes
> potentially hundreds of sites to now have links back to the spammer's
> stuff.
>
> This is a common case because it's an easy one. Software exists to do
> exactly this sort of thing. Vulnerabilities are circulated in
> plug-and-play forms for these specific types of software.
> Exploits/injections are pluggable as well, and can be easily adapted
> to any spam you want to use. In literally a matter of minutes, with
> zero code being written by the attacker, somebody can create a system
> using nothing but plug and play modules that will attempt to exploit
> hundreds of known vulnerabilities on a list of millions of websites,
> and it can even run on a distributed system (botnet). All it requires
> is money and a lack of morals.
>
> Note that NONE of this involves ever caring what version of the
> WordPress software you are running. Indeed, they don't even care that
> you are running WordPress. It's simply one of the many different
> packages with exploits coded into their exploit-pack. Indeed, checking
> your version before attempting to exploit you doesn't really save them
> anything. Time, perhaps, but only slightly, and only if the software
> is smart enough to care (95% of these softwares are not, they just
> spam a series of hacks and check for success/failure).
>
> Scenario 2: Somebody with a revenge fixation decides they want to hack
> you, specifically.
>
> In this scenario, they can quickly tell that you're running WordPress.
> a) Assuming you're not hiding your version, then they look for
> exploits for that version.
> b) Assuming you're running the latest version, then they won't find
> any and you're safe.
> c) Assuming they're slightly smarter than that, they do some
> easy-to-do searches, find exploitable software running on other
> websites, but on the same shared host as you, and hack you that way.
> d) Failing all this, they stamp their feet and give up.
>
> Now, in your situation, you want to hide the version of WordPress.
> This stops them from looking for specific exploits. However, a list of
> generic WordPress exploits for several versions *is just as good to
> them*. They can sit there and try half a dozen exploits, no problem.
> It doesn't take them any more time, really. Just a few extra HTTP
> requests. If they don't know how to do this sort of thing themselves,
> then they download a bunch of script kiddie hacks and run them all,
> hoping that one hits. The point being that they are not significantly
> slowed by this sort of preventative medicine. And anyway, assuming
> you're running the latest version and therefore "safe", it makes no
> difference anyway.
>
> Now, you might be considering scenario 3: Zero-day exploits. An
> exploit is discovered against the latest version, so there is a
> limited amount of time to exploit it before it is patched. Having your
> version hidden means you don't show up in searches for that version.
> Problem with that sort of thinking is that they're not searching for
> sites with a specific version. They just keep a single list of known
> websites for that sort of thing. When a zero-day is discovered, they
> spam it across to all of them. *Searching takes too much time*. It's
> easier to simply keep a list of a whole crapload of sites, then spam
> them all. And version checking is not done here either, because it's
> faster to attempt the hack than it is to a) check for vulnerability
> and then b) attempt the hack. Trying the hack takes the same time as
> checking for the version number, so why bother? Makes no sense.
>
> Hiding the version is simply ineffective, in all respects. It does
> nothing that is even slightly helpful for your site. It deters nobody.
>
> -Otto
>
> ------------------------------
>
> Message: 3
> Date: Tue, 02 Dec 2008 12:53:25 -0500
> From: Hayes Potter <[EMAIL PROTECTED]>
> Subject: Re: [wp-testers] Re: Hanging after "Publish"
> To: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Mark Rodriguez wrote:
>> I was hoping you inspired a variable. While my posts weren't large,
>> they did have linked images. I just did two tests. I created a new
>> post with just text - one word to be exact. It still sat there
>> "Waiting for mrod411.com..." yet posted successfully when I checked in
>> a new Firefox tab.
>>
>> The second test was using the quickpress feature, which worked fine.
>> >> -- >> Mark Rodriguez >> >> --------------------------------------------------------------------------------------------------- >> E-mail = [EMAIL PROTECTED] >> Website = http://mrod411.com >> RSS = http://friendfeed.com/mrod411?format=atom >> --------------------------------------------------------------------------------------------------- >> >> >> >> On Tue, Dec 2, 2008 at 12:26 PM, >> <[EMAIL PROTECTED]> wrote: >> >>> Send wp-testers mailing list submissions to >>> [email protected] >>> >>> To subscribe or unsubscribe via the World Wide Web, visit >>> http://lists.automattic.com/mailman/listinfo/wp-testers >>> or, via email, send a message with subject or body 'help' to >>> [EMAIL PROTECTED] >>> >>> You can reach the person managing the list at >>> [EMAIL PROTECTED] >>> >>> When replying, please edit your Subject line so it is more specific >>> than "Re: Contents of wp-testers digest..." >>> >>> >>> Today's Topics: >>> >>> 1. Re: How long does the Auto Update take? (Kirk M) >>> 2. Re[2]: [wp-testers] How long does the Auto Update take? >>> (Jason Gottschalk) >>> 3. Re: Re: Bugs/Fixes, Security Requests (g30rg3_x) >>> 4. Re: How long does the Auto Update take? (Chris Moody) >>> 5. Hanging after "Publish" (Mark Rodriguez) >>> 6. Re: Hanging after "Publish" (Paleo Pat) >>> >>> >>> ---------------------------------------------------------------------- >>> >>> Message: 1 >>> Date: Tue, 02 Dec 2008 08:34:55 -0500 >>> From: Kirk M <[EMAIL PROTECTED]> >>> Subject: Re: [wp-testers] How long does the Auto Update take? >>> To: [email protected] >>> Message-ID: <[EMAIL PROTECTED]> >>> Content-Type: text/plain; charset=ISO-8859-15; format=flowed >>> >>> Just as an example: >>> >>> I have low end DSL (128k up/768k down), a Bluehost shared server and >>> auto update takes anywhere between 5 to 10 seconds depending on how many >>> files have changed and the load on the server at the time. I'm also >>> running PHP 5.2.6 (fastCGI). 
And are you deactivating all your plugins >>> before you attempt an update? Also, what PHP version are you running and >>> your connection speed? I know, stupid checks but it's always worth it. >>> >>> On 12/2/2008 1:07 AM, Jason Gottschalk wrote: >>> >>>> Hello Chris, >>>> >>>> 20 minutes on the first try tonight, I gave up. >>>> >>>> Went back and it ran 25 minutes then gave an error, it couldn't write >>>> wp-trackback.php. >>>> >>>> Tried a third time (no changes) and it finished in 30 minutes, >>>> successfully. >>>> >>>> Phew..... I was getting nervous! >>>> >>>> Tuesday, December 2, 2008, 12:50:28 AM, you wrote: >>>> Chris> Jason Gottschalk wrote: >>>> >>>> >>>>>> Hello Wp-testers, >>>>>> >>>>>> >>>> >>>>>> Auto update is taking forever for me. I cannot tell what it is doing, >>>>>> seems like it is not doing anything. I usually give up and move on. I >>>>>> can't tell if actually updates anything or not. >>>>>> >>>>>> >>>> >>>>>> >>>> Chris> It has been telling me its completed in about 2 minutes or so I >>>> think. >>>> Chris> Maybe faster... >>>> Chris> _______________________________________________ >>>> Chris> wp-testers mailing list >>>> Chris> [email protected] >>>> Chris> http://lists.automattic.com/mailman/listinfo/wp-testers >>>> >>>> >>>> >>>> >>> ------------------------------ >>> >>> Message: 2 >>> Date: Tue, 2 Dec 2008 09:35:12 -0500 >>> From: Jason Gottschalk <[EMAIL PROTECTED]> >>> Subject: Re[2]: [wp-testers] How long does the Auto Update take? >>> To: Kirk M <[email protected]> >>> Message-ID: <[EMAIL PROTECTED]> >>> Content-Type: text/plain; charset=iso-8859-15 >>> >>> Hello Kirk, >>> >>> "Depending on how many..." I thought this might be it since I had not had a >>> successful update in weeks. >>> >>> I tried an update this morning, after a successful run last night on the >>> third try, but it too failed on the "cannot copy wp-trackback.php" error. 
>>> >>> I have not been dectivating any plugins (I have one) >>> PHP version is: 5.2.4 >>> >>> >>> GET THIS...... :) >>> >>> I have determined that I get this error *every other time* I run the update: >>> (and it doesn't seem to matter if I deactivate the plug-ins.) >>> >>> >>> Downloading update from >>> http://wordpress.org/nightly-builds/wordpress-latest.zip >>> Unpacking the core update >>> Could not copy file: >>> /public_html/wp-content/upgrade/core/wordpress/wp-trackback.php >>> Installation Failed >>> >>> >>> >>> >>> >>> Tuesday, December 2, 2008, 8:34:55 AM, you wrote: >>> Kirk> Just as an example: >>> >>> Kirk> I have low end DSL (128k up/768k down), a Bluehost shared server and >>> Kirk> auto update takes anywhere between 5 to 10 seconds depending on how >>> many >>> Kirk> files have changed and the load on the server at the time. I'm also >>> Kirk> running PHP 5.2.6 (fastCGI). And are you deactivating all your plugins >>> Kirk> before you attempt an update? Also, what PHP version are you running >>> and >>> Kirk> your connection speed? I know, stupid checks but it's always worth it. >>> >>> Kirk> On 12/2/2008 1:07 AM, Jason Gottschalk wrote: >>> >>>>> Hello Chris, >>>>> >>>>> 20 minutes on the first try tonight, I gave up. >>>>> >>>>> Went back and it ran 25 minutes then gave an error, it couldn't write >>>>> wp-trackback.php. >>>>> >>>>> Tried a third time (no changes) and it finished in 30 minutes, >>>>> successfully. >>>>> >>>>> Phew..... I was getting nervous! >>>>> >>>>> Tuesday, December 2, 2008, 12:50:28 AM, you wrote: >>>>> Chris> Jason Gottschalk wrote: >>>>> >>>>> >>>>>>> Hello Wp-testers, >>>>>>> >>>>>>> >>>>>>> Auto update is taking forever for me. I cannot tell what it is >>>>>>> doing, seems like it is not doing anything. I usually give up and move >>>>>>> on. I can't tell if actually updates anything or not. >>>>>>> >>>>>>> >>>>> Chris> It has been telling me its completed in about 2 minutes or so I >>>>> think. 
>>>>> Chris> Maybe faster...
>>>>> Chris> _______________________________________________
>>>>> Chris> wp-testers mailing list
>>>>> Chris> [email protected]
>>>>> Chris> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>>>
>>>
>>> Kirk> _______________________________________________
>>> Kirk> wp-testers mailing list
>>> Kirk> [email protected]
>>> Kirk> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>
>>> --
>>> Best regards,
>>> Jason Gottschalk mailto:[EMAIL PROTECTED]
>>> SYO Computer Services and Biometric Controls
>>> 586-286-2557
>>>
>>> ------------------------------
>>>
>>> Message: 3
>>> Date: Tue, 2 Dec 2008 09:41:38 -0600
>>> From: g30rg3_x <[EMAIL PROTECTED]>
>>> Subject: Re: [wp-testers] Re: Bugs/Fixes, Security Requests
>>> To: [email protected]
>>> Message-ID:
>>> <[EMAIL PROTECTED]>
>>> Content-Type: text/plain; charset=UTF-8
>>>
>>> Well about the Security Requests...
>>>
>>> I have been trying to promote this idea/change for almost 2 years[1]
>>> but even if we change the perspective of the problem this change isn't
>>> going to happen... even though there exists a variation of the version
>>> enumeration[2] (introduced in milestone 2.6) that makes every
>>> plugin-based solution totally ineffective (example[3]).
>>>
>>> As for user enumeration on login, well you can still hide those
>>> messages through the login_errors filter but you can still enumerate
>>> users via /author/<username>, which can also be prevented by changing
>>> (directly in the DB) the user_nicename to something different to the
>>> user_login.
>>>
>>> As an example: I have my own personal/private plugin which contains
>>> all these changes (plus one more), you can view it here[4]; as you can
>>> see, what the plugin does is fairly simple. Just a reminder about the
>>> hidden version: it's changed only inside the admin panel, so in order to
>>> fully work you would need to first change the version number in
>>> wp-includes/version.php to something different to the real version.
>>>
>>> However, I must note that these modifications won't enhance your
>>> WordPress-based site's security; they would just make the exploitation
>>> of a _critical_ vulnerability harder (but just a little). A good
>>> cracker can still be very dangerous even if you hide your version and
>>> other sensitive information, so the best advice is to always keep your
>>> WordPress-based site up to date.
>>>
>>> Regards
>>>
>>> [1] http://trac.wordpress.org/ticket/4155
>>> [2] http://trac.wordpress.org/ticket/7545
>>> [3] http://activeblogging.com/wp-admin/gears-manifest.php
>>> [4] http://paste.ideaslabs.com/show/xgJhcf4a0g
>>>
>>> 2008/12/1 Jacob Santos <[EMAIL PROTECTED]>:
>>>
>>>> See reply below previous messages.
>>>>
>>>> Admin wrote:
>>>>
>>>>> Hi - I'm sorry I'm a bit late to this list, but I encountered some bugs
>>>>> (w/fixes) in the code - hope it's not too late to add them. As well, I had
>>>>> some security requests:
>>>>>
>>>>> Bugfix:
>>>>> -------
>>>>> "Warning: Cannot modify header information - headers already sent by..."
>>>>>
>>>>> Caused on windows/apache install, when starting with no wp-config.php file
>>>>> - auto-creating it adds spaces at end, which gives this message (first
>>>>> visible during the install pages). The fix is to change this line
>>>>> 158@/wp-admin/setup-config.php to add +b for binary:
>>>>>
>>>>> $handle = fopen('../wp-config.php', 'w+b');
>>>>>
>>>>> this prevents the function from defaulting to text format, and inserting
>>>>> the extra lines (tested)
>>>>>
>>>> I don't think writing text is binary, but okay. It isn't about that, as it
>>>> is about the new line character. I've been using the
>>>> wp-admin/setup-config.php and not once has it created an extra newline where
>>>> it shouldn't. Would be nice to do it, if it works and fixes the problem.
>>>>
>>>>> Security Request:
>>>>> -----------------
>>>>> Remove the generator meta display in themes when called by wp_head(),
>>>>> which is the hook set at line 173@/wp-includes/default-filters.php:
>>>>>
>>>>> add_action('wp_head', 'wp_generator');
>>>>>
>>>>> Although it can be removed in the theme or via plugin (I did a blog post at
>>>>> http://activeblogging.com/info/wordpress-security-version-numbers-and-themes/
>>>>> explaining how), broadcasting the version by default seems a bad idea - an
>>>>> easy way for a spam program to patrol for older installs (or zero day
>>>>> exploits).
>>>>>
>>>> Like you said, you can already remove it. That was the reason it was added
>>>> to the filter as opposed to being hard coded. Well, one of the reasons.
>>>>
>>>>> Request:
>>>>> --------
>>>>> Add non-indexing code to the login page to keep it out of indexes - it
>>>>> doesn't help search results, and exposes details of the site to casual
>>>>> viewers. To solve, you can insert this around about line [EMAIL PROTECTED]:
>>>>>
>>>>> <meta name='robots' content='noindex,nofollow' />
>>>>>
>>>> Well, you could probably do this using a plugin as well. Also you can add it
>>>> to the robots.txt file for good measure.
>>>>
>>>>> Security Request:
>>>>> -----------------
>>>>> While a bit more involved, the security for the login page reveals a lot
>>>>> of information - if I enter a correct user name but bad password, it tells
>>>>> me; if I enter an invalid user name, it tells me. It might be a good idea to
>>>>> replace the specific messages with generic ones - eg "error: incorrect
>>>>> password or invalid username." This makes fishing for information less
>>>>> useful (for example, guessing user names and checking the message to see if
>>>>> they exist). The error strings involved all have ">ERROR<" in them, in
>>>>> wp-login.php
>>>>>
>>>> This horse has already been beaten to death, risen from the dead and then set
>>>> on fire to prevent the zombie from coming back. The reason for it (from what
>>>> I can remember from past discussions) are 1) security through obscurity
>>>> usually isn't and 2) It is very helpful when you've forgotten both your
>>>> username and password and don't have immediate or any access to the database
>>>> tables.
>>>>
>>>>> Misc:
>>>>> -----
>>>>> While fixing the generator metatag issue, I read the documentation at
>>>>> http://codex.wordpress.org/Function_Reference/remove_action that:
>>>>>
>>>>> "To remove a hook, the $function_to_remove and $priority arguments must
>>>>> match when the hook was added...No warning will be given on removal
>>>>> failure."
>>>>>
>>>>> While not a problem in my case, it means that if later on you change the
>>>>> priority of an action added, other code with remove actions will fail
>>>>> silently (unless they are updated to the same priority). This could be an
>>>>> unnecessary maintenance issue in the future. Perhaps a function could be
>>>>> exposed allowing ALL occurrences of the action function, regardless of
>>>>> priority, to be removed. I'd be happy to submit one if no one has time to
>>>>> write it.
>>>>>
>>>> It is never going to change. You have no need to worry.
>>>>
>>>> Jacob Santos
>>>>
>>>> _______________________________________________
>>>> wp-testers mailing list
>>>> [email protected]
>>>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>>
>>>
>>> --
>>> _________________________
>>> g30rg3_x
>>>
>>> ------------------------------
>>>
>>> Message: 4
>>> Date: Tue, 02 Dec 2008 08:46:33 -0800
>>> From: Chris Moody <[EMAIL PROTECTED]>
>>> Subject: Re: [wp-testers] How long does the Auto Update take?
>>> To: [email protected]
>>> Message-ID: <[EMAIL PROTECTED]>
>>> Content-Type: text/plain; charset=ISO-8859-15; format=flowed
>>>
>>> Perhaps it's your host? Are you able to upgrade plugins automatically? Or
>>> do you have the same issue?
>>>
>>> Jason Gottschalk wrote:
>>>
>>>> Hello Kirk,
>>>>
>>>> "Depending on how many..." I thought this might be it since I had not had
>>>> a successful update in weeks.
>>>>
>>>> I tried an update this morning, after a successful run last night on the
>>>> third try, but it too failed on the "cannot copy wp-trackback.php" error.
>>>>
>>>> I have not been deactivating any plugins (I have one)
>>>> PHP version is: 5.2.4
>>>>
>>>> GET THIS...... :)
>>>>
>>>> I have determined that I get this error *every other time* I run the
>>>> update:
>>>> (and it doesn't seem to matter if I deactivate the plug-ins.)
>>>>
>>>> Downloading update from
>>>> http://wordpress.org/nightly-builds/wordpress-latest.zip
>>>> Unpacking the core update
>>>> Could not copy file:
>>>> /public_html/wp-content/upgrade/core/wordpress/wp-trackback.php
>>>> Installation Failed
>>>>
>>>> Tuesday, December 2, 2008, 8:34:55 AM, you wrote:
>>>> Kirk> Just as an example:
>>>>
>>>> Kirk> I have low end DSL (128k up/768k down), a Bluehost shared server and
>>>> Kirk> auto update takes anywhere between 5 to 10 seconds depending on how many
>>>> Kirk> files have changed and the load on the server at the time. I'm also
>>>> Kirk> running PHP 5.2.6 (fastCGI). And are you deactivating all your plugins
>>>> Kirk> before you attempt an update? Also, what PHP version are you running and
>>>> Kirk> your connection speed? I know, stupid checks but it's always worth it.
>>>>
>>>> Kirk> On 12/2/2008 1:07 AM, Jason Gottschalk wrote:
>>>>
>>>>>> Hello Chris,
>>>>>>
>>>>>> 20 minutes on the first try tonight, I gave up.
>>>>>>
>>>>>> Went back and it ran 25 minutes then gave an error, it couldn't write
>>>>>> wp-trackback.php.
>>>>>>
>>>>>> Tried a third time (no changes) and it finished in 30 minutes,
>>>>>> successfully.
>>>>>>
>>>>>> Phew..... I was getting nervous!
>>>>>>
>>>>>> Tuesday, December 2, 2008, 12:50:28 AM, you wrote:
>>>>>> Chris> Jason Gottschalk wrote:
>>>>>>
>>>>>>>> Hello Wp-testers,
>>>>>>>>
>>>>>>>> Auto update is taking forever for me. I cannot tell what it is
>>>>>>>> doing, seems like it is not doing anything. I usually give up and
>>>>>>>> move on. I can't tell if actually updates anything or not.
>>>>>>>>
>>>>>> Chris> It has been telling me it's completed in about 2 minutes or so I think.
>>>>>> Chris> Maybe faster...
>>>>>> Chris> _______________________________________________
>>>>>> Chris> wp-testers mailing list
>>>>>> Chris> [email protected]
>>>>>> Chris> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>>>>
>>>> Kirk> _______________________________________________
>>>> Kirk> wp-testers mailing list
>>>> Kirk> [email protected]
>>>> Kirk> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>>
>>>
>>> ------------------------------
>>>
>>> Message: 5
>>> Date: Tue, 2 Dec 2008 12:06:57 -0500
>>> From: "Mark Rodriguez" <[EMAIL PROTECTED]>
>>> Subject: [wp-testers] Hanging after "Publish"
>>> To: [email protected]
>>> Message-ID:
>>> <[EMAIL PROTECTED]>
>>> Content-Type: text/plain; charset=ISO-8859-1
>>>
>>> Is anyone experiencing hanging after pressing the "publish" button? My
>>> post successfully posts, but I need to navigate away from the edit
>>> page, after hitting publish.
>>>
>>> It started after upgrading to RC1 from 2.6.5.
>>>
>>> I have all plugins disabled, minus the spam catcher.
>>>
>>> I've tried different themes.
>>>
>>> Is this a known issue? I'm new to this list, so if there is an online
>>> resource for known issues, point the way & I'll follow :) Thanks for
>>> the help!
>>>
>>> --
>>> Mark Rodriguez
>>>
>>> ---------------------------------------------------------------------------------------------------
>>> E-mail = [EMAIL PROTECTED]
>>> Website = http://mrod411.com
>>> RSS = http://friendfeed.com/mrod411?format=atom
>>> ---------------------------------------------------------------------------------------------------
>>>
>>> ------------------------------
>>>
>>> Message: 6
>>> Date: Tue, 2 Dec 2008 12:26:18 -0500
>>> From: "Paleo Pat" <[EMAIL PROTECTED]>
>>> Subject: Re: [wp-testers] Hanging after "Publish"
>>> To: [email protected]
>>> Message-ID:
>>> <[EMAIL PROTECTED]>
>>> Content-Type: text/plain; charset=UTF-8
>>>
>>> Only time it happens with me is when I write a very long posting.
>>> I've mentioned it before. It doesn't happen all the time. So, it's kind of
>>> hard to replicate.
>>>
>>> -Paleo Pat
>>> http://www.politicalbyline.com
>>>
>>> On Tue, Dec 2, 2008 at 12:06 PM, Mark Rodriguez <[EMAIL PROTECTED]> wrote:
>>>
>>>> Is anyone experiencing hanging after pressing the "publish" button? My
>>>> post successfully posts, but I need to navigate away from the edit
>>>> page, after hitting publish.
>>>>
>>>> It started after upgrading to RC1 from 2.6.5.
>>>>
>>>> I have all plugins disabled, minus the spam catcher.
>>>>
>>>> I've tried different themes.
>>>>
>>>> Is this a known issue? I'm new to this list, so if there is an online
>>>> resource for known issues, point the way & I'll follow :) Thanks for
>>>> the help!
>>>>
>>>> --
>>>> Mark Rodriguez
>>>>
>>>> ---------------------------------------------------------------------------------------------------
>>>> E-mail = [EMAIL PROTECTED]
>>>> Website = http://mrod411.com
>>>> RSS = http://friendfeed.com/mrod411?format=atom
>>>> ---------------------------------------------------------------------------------------------------
>>>> _______________________________________________
>>>> wp-testers mailing list
>>>> [email protected]
>>>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>>
>>> ------------------------------
>>>
>>> _______________________________________________
>>> wp-testers mailing list
>>> [email protected]
>>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>
>>> End of wp-testers Digest, Vol 46, Issue 8
>>> *****************************************
>>>
>> _______________________________________________
>> wp-testers mailing list
>> [email protected]
>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>
> Some plugins, like "WP-Super-Cache" have an option to clear the cache
> after every published post, this slows posting drastically.
>
> Another option that can slow posting is, having too many ping services
> set, which is in your setting tabs under "Writing"...err maybe "Reading"
> I forget.
>
> Oh, and what version of wordpress?
>
> Tell me if it works or not, if not I'll try something else.
>
> ------------------------------
>
> _______________________________________________
> wp-testers mailing list
> [email protected]
> http://lists.automattic.com/mailman/listinfo/wp-testers
>
> End of wp-testers Digest, Vol 46, Issue 9
> *****************************************
>
_______________________________________________
wp-testers mailing list
[email protected]
http://lists.automattic.com/mailman/listinfo/wp-testers
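
The hardening steps discussed in Message 3 of the quoted digest (removing the generator tag whatever priority it was hooked at, a generic login error through the login_errors filter, and a noindex tag on the login page), written out as a small plugin. This is an added example, not code from the thread, from the linked paste or from WordPress itself; every function name starting with example_ is hypothetical, and it assumes a WordPress version that provides has_action().

```php
<?php
/*
Plugin Name: Example login and version hardening (illustrative)
Description: Added example for the thread above; not WordPress core code.
*/

// Remove a callback from a hook at every priority it is registered with.
// remove_action() fails silently when the priority does not match, so ask
// has_action() which priority is in use instead of guessing it.
// (example_remove_action_everywhere is a hypothetical helper name.)
function example_remove_action_everywhere( $hook, $callback ) {
    $removed = 0;
    // has_action() returns the priority (which may be 0) or false: compare strictly.
    while ( false !== ( $priority = has_action( $hook, $callback ) ) ) {
        if ( ! remove_action( $hook, $callback, $priority ) ) {
            break; // Do not loop forever if the removal is refused.
        }
        $removed++;
    }
    return $removed;
}

// Stop printing the WordPress version in <head>. Runs on 'init', after core
// and other plugins have registered their hooks.
function example_hide_generator() {
    example_remove_action_everywhere( 'wp_head', 'wp_generator' );
}
add_action( 'init', 'example_hide_generator' );

// Feeds and other callers build the tag through the_generator; empty it too.
function example_empty_generator( $generator ) {
    return '';
}
add_filter( 'the_generator', 'example_empty_generator' );

// One message for "unknown user" and "wrong password", so the login form
// does not confirm which usernames exist.
function example_generic_login_error( $error ) {
    return '<strong>ERROR</strong>: incorrect password or invalid username.';
}
add_filter( 'login_errors', 'example_generic_login_error' );

// Ask crawlers not to index the login page.
function example_login_noindex() {
    echo "<meta name='robots' content='noindex,nofollow' />\n";
}
add_action( 'login_head', 'example_login_noindex' );
```

As the thread points out, /author/<username> still reveals login names unless user_nicename differs from user_login, and hiding the version raises the bar only slightly; keeping the site up to date remains the main control.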
