WordPress Manual Update Instructions

One of the great things about WordPress is the one-click upgrade procedure. It’s particularly convenient, because WordPress has frequent upgrades and security updates. Without an easy way of upgrading, many users would complain of upgrade fatigue, or would continue running older versions with security flaws.

Of course, not everyone can use the one click upgrade: My host is not configured properly, so I need to upgrade manually. Fortunately, a manual upgrade is relatively painless. Although it is described in some detail at Upgrading WordPress: Manual Update, I’m listing my specific procedures (using the Bash shell) here.

  1. Download the latest version to your home directory:
    wget http://wordpress.org/latest.tar.gz
  2. Remove any old WordPress directory before unpacking the latest:
    rm -r ./wordpress
  3. Unpack the latest version:
    tar -xf wordpress-3.2.tar.gz
  4. Backup the database:
    mysqldump --add-drop-table -h localhost -u [username] -p [database name] | bzip2 -c > [site name].[dd-MMM-yyyy].bak.sql.bz2
  5. Disable plugins. You can do this via the admin interface, or the database:
    UPDATE wp_options SET option_value = 'a:0:{}' WHERE option_name = 'active_plugins';
  6. Remove the wp-admin and wp-includes directories:
    rm -r ./path/to/your/wordpress/wp-admin ./path/to/your/wordpress/wp-includes
  7. Copy only the updated files over to the WordPress install:
    cp -ru ./wordpress/* ./path/to/your/wordpress/
  8. Visit the admin page (which may prompt a database upgrade).
  9. Re-enable any plugins.

Step 6 may seem unnecessary in light of step 7, but in my experience merely updating the wp-admin and wp-includes directories is not enough: there may be old files that are not present in the latest version, but that will cause problems if they still exist.

I’ve found that my reCAPTCHA plugin doesn’t retain its API keys, but you can look them up again on the reCAPTCHA site. Other plugins may have similar issues.

Thanks to Perishable Press for the tip on disabling WordPress plugins via MySQL.

SQL Injection Goes Mainstream

Note to the web development world: even a mainstream media source like Time Magazine knows about SQL injection. Don’t you think it’s time you protected your web applications against it?

Last week’s issue of Time featured an article that focused on LulzSec‘s activities. In Hack Attack, author Bill Saporito went a step beyond most journalists covering web security by mentioning an actual technique: SQL injection.

SQL injection is a subclass of injection attacks, wherein a malicious user manipulates input so as to insert (or inject) a tag-along command into the application code. It’s #1 on OWASP’s Top Ten Vulnerabilities for 2010, in part because such vulnerabilities are:

  • Common
  • Easy to exploit
  • Have a huge payoff (i.e. devastating impact)

Because it is so common and easy-to-exploit, there are a lot of automated tools that malicious users (often by way of compromised machines) use to scan sites and test them for vulnerabilities. If a vulnerability is found, the application may be targeted for further attacks. Basically, attackers are on the lookout for low-hanging fruit in the same way that thieves look for valuables sitting in plain sight in a parked car. Don’t take the car analogy too far, though: if someone breaks into your car, there will be broken glass and your iPod will be gone. If someone exploits a SQL injection vulnerability on your site, they may have all your user data (and more), with hardly a trace: entries in your access logs and error logs, which are too-often completely ignored.

As the joke goes, you don’t have to outrun the bear to avoid being mauled and eaten–you just have to outrun the other guy. One of the best ways to make sure your web application is not targeted for further attacks is to make sure the relatively simple SQL injection scanners don’t find any vulnerabilities.

SQL injection is fairly simple to defend against using parameterized input, and your development language of choice should have documentation on how to do this. OWASP also offers a SQL Injection Prevention Cheat Sheet. There are also automated tools to you can use to check your code for SQL injection flaws (such as QueryParam Scanner for ColdFusion), or test your site for vulnerabilities–also known as penetration testing or pen testing–such as the (currently out-of-date) SQL Inject Me add-on for Firefox.

Checking your web applications for SQL injection vulnerabilities is the first thing you should do, but it is hardly the last. Although fending off automated SQL injection attempts is definitely a good thing, there are many other categories of vulnerabilities, and a determined attacker will find them. Stay informed, and make sure you know what attackers are up to before you read about it in Time.

Online Advertising Click-Thru Rates, Revisited

A couple years ago, I wrote Online Advertisements and Statistical Analysis, in which I did my best to show that a past study of online advertising click-thru rates (CTRs) wasn’t worth the pixels it was printed on.

About a week ago, my wife and I were visiting friends, and I found myself in a room with 3 neuroscientists. The topic of statistics came up, and I managed to insert into conversation my small triumph in analyzing the click-thru study and determining both a confidence interval and the number of tests that would need to be run in order to have a meaningful confidence interval. “Sure,” one of the scientists says, “but what you should really do instead is a chi-square test for goodness-of-fit.”
Continue reading Online Advertising Click-Thru Rates, Revisited

3 Ways to Make Your Pages Facebook-Friendly

Sharing on FacebookYou’ve made a Facebook page and a Twitter account. You’ve even added “chicklets” to your site to let people easily share your content. But are your pages optimized for sharing?

When a user shares a link on Facebook, they can change the title and the description–but most people don’t know that, and won’t take the time even if they do. It is important to make sure that the default information that appears is what you want other users to see.

  1. Use a good title.

    This has always been important for SEO, but it’s also what shows up when a user shares your link. You can supply text specifically for sharing with an Open Graph meta tag:
    <meta property="og:title" content="3 Ways to Make Your Pages Facebook Friendly" />

    This can help you keep it short by eliminating your lengthy blog name or company name.

  2. Make sure the first paragraph is important.

    The first paragraph shows up as the descriptive text. If your page contains rich media or other non-text content, you can add an Open Graph meta tag

    Like the title meta tag, it looks very similar:
    <meta property="og:description" content="What do your pages look like when you share them on Facebook? Do they have a good title? Relevant intro text that interests the reader? An interesting image? Tips on how to make your page work for all 3." />

  3. Include a relevant image.

    Wall posts with images stand out more. Facebook will select the first non-linked image as the default, and will let users select from a menu of other non-linked images on the page

  4. You can find out about other Open Graph meta tags at http://developers.facebook.com/docs/opengraph/. Facebook recommends including the XML namespace attribute for the Open Graph in your html element:
    xmlns:og="http://ogp.me/ns#"

    Digital Inspiration’s Set Thumbnail Images for Your Web Pages describes a way to specify a thumbnail images using a link element:
    <link rel="image_src" href="http://osric.com/chris/images/sharing-on-facebook.gif" />

Using SharePoint’s Imaging Web Service to access Publishing Images

I spent a fair amount of time yesterday trying to access the images in the Images list (also known as Publishing Images) of a SharePoint site using the SOAP-based Imaging web service. Every time it failed, usually with an uninformative error message.

Finally, I used cURL to send the SOAP requests so that I could see every last detail of the transaction. The SOAP response was pretty clear at that point:

The list PublishingImages is not found

or

The list Images is not found

I tried other Picture Libraries on the site, and that worked fine. That’s when it dawned on me: the SharePoint Images (or PublishingImages) list is a Document Library, not a Picture Library. That makes absolutely no sense whatsoever, but fine, it wouldn’t be the first time I’ve run into something nonsensical in SharePoint.

I was hoping to use the download method of the Imaging web service. I don’t have an alternative solution at this time, but I hope to find one soon using one of the other SharePoint web services.

Opening links in a new window without the target attribute

Web developers often use the attribute target="_blank" to force a link to open in a new window. However, if you use an HTML validation service to check your web pages, you know that the target attribute is not valid in strict versions of HTML and XHTML.

There is a simple way to have a link open in a new window using Javascript. You may have seen code like this:
<a href="#" onclick="window.open('http://osric.net')">osric.net web hosting</a>

That method has some serious drawbacks, though:

  • The user now sees # in the browser’s status bar instead of the actual destination URL
  • The link fails if the Javascript fails (or if the browser has Javascript disabled
  • Search engines may not follow the link

I’ve written a summary of the issue and the methods I’ve found so far that best address it. I moved it to a page outside this blog because of the Javascript examples, which were easier to include on a separate page:

How to best use Javascript to open links in a new window

More People Alive Today Than Have Ever Died

A few years ago, I ran across this quote:
“There are more people alive today than have ever died.”

As we contemplate overpopulation, a quote like that is quite thought-provoking and shocking. Could it be that the living today outnumber all of our ancestors? It’s astounding. However, I didn’t believe it. I still don’t believe it, and for good reason.
Continue reading More People Alive Today Than Have Ever Died

JSONP and Sencha Touch

I was recently trying to get a Sencha Touch demo up-and-running, but my callback functions after requests for JSON data never ran, and Firefox would throw errors along the lines of “invalid label.” I didn’t understand why–until I read more about JSONP.

JSONP prefixes your JSON response with a function name, which runs when the response is retrieved. It’s a way of handling the data without a listener.

This means that your JSONP provider needs to detect a JSONP parameter, and then wrap or “pad” the response within the specified parameter value.

For Sencha Touch, the JSON returned should be wrapped in Ext.util.JSONP.callback();. If your JSON looks like this:

{"results":[{"name":"Chris"},{"name","Harry"}]}

then your JSONP should look like this:

Ext.util.JSONP.callback({"results":[{"name":"Chris"},{"name","Harry"}]});

Not that you should hard-code that function name anywhere in your JSON output–web-based APIs and services should pick up the function from your request and wrap the JSON for you. For example, the twitter search API accepts a callback querystring parameter.

http://search.twitter.com/search.json?q=fakecriterions&callback=myCallbackFunction

would wrap the JSON response inside

myCallbackFunction();

I ignored the extra letter in the acronym at my own peril–I figured it was just a trivial variation on JSON (which it is) that wouldn’t make any difference in how it was handled (but it does).

Why I’m Not Friends with My Bank on Facebook

I received a request today from my financial institution asking me to follow them on Facebook, Twitter, Flickr, and YouTube.

Aside from the fact that I doubt that their updates on these various services will enrich my life, there is another very good reason not to follow them:

Security.

It’s easy to trace your connections online. Most of this information, for most users, is public. If you follow Bank A, it stands to reason that you have an account at Bank A–something a malicious person would not have known before. Even if your online persona isn’t directly connected to your name, you might be surprised at how easy it is to connect the two with a Google search.

(That last item says a lot, I think.)

Any bank that suggests you follow them on social media must be pretty confident of their security! Or, more likely, their marketing teams and their security teams don’t talk to each other.

You wouldn’t stand on a street-corner handing out cards that say, “My name is Bob Billiards and I have an account at Bank A” would you? Then don’t follow your bank on a social media site.