Wordpress 2.6.2 and Automatic Updating
Wordpress version 2.6.2 is out, fixing a few security holes. If you haven’t already, you should upgrade your installation as soon as possible.
I think I’ve mentioned it here before, but if you’re not running the Automatic Upgrade plugin, stop and add it to the top of your to-do list. True to its name, the plugin does all the work of updating your Wordpress install with just a series of clicks. This is especially useful for users who may be afraid of uploading a bunch of files or perhaps don’t have FTP access to their blog.
From a technical perspective, the plugin does a lot of nice things on the system side. First, it gives you zip files containing your content and database backups. It’s more a just-in-case thing, but nice to have. Then, it puts your blog into a maintenance mode. That way, people aren’t leaving comments or trying to log in during the upgrade. It will also de-activate your plugins, again, to reduce the possible errors that may pop up. The plugin then gets new files from Wordpress directly, updates your install, turns everything back on and asks you to clean up the cruft leftover.
Upgrading today took 3 minutes, which is a small price to pay to make sure your install is safe and secure.
If you enjoyed this post, please subscribe to my RSS feed!
Do you have an Extended Validation Certificate?
Are you using Firefox 3? Cool, me too. See where the favicon is for this site up there in the address bar? Did you know it’s clickable?
That area now presents security information about the site you are visiting. Firefox is calling it the Site Identification Button, and it’s taking the old padlock icon to the next level. No longer will you be able to just see if the site you are visiting is secure, you’ll be able to learn more about who the site owner is. Identity will be shown via three icons. If you see a red icon, leave the site immediately.
The gray button says that the site doesn’t give out any identity information. The blue button shows the site you are visiting is encrypted and the domain has been verified, but the actual owner of the domain has not been identified. A green button shows the site is encrypted and the site has fully verified ownership.
I used this tool on one of my secure domains and here’s what it showed:
As you can see, we haven’t (yet) put an Extended Validation Certificate into place for our site. This will complete the identity process and assure site visitors that we are who we say we are.
This extra certificate isn’t just for Firefox. If you have this extra certificate in place, users will also see a green address bar in Internet Explorer.

These new EVCs are available from a variety of vendors, and it will be interesting to see how fast they are adopted and what their use rate will be in higher education. Dria.org has more about these certificates and the new security features of Firefox.
Exterminating Form Spam
In 2005, we launched a web application for our campus that allows our users, especially those with no technical knowledge, to produce web forms.
Why did we do this? Mostly, we did it because everyone always wanted a form and my group had to build them all. We had been using the ancient FormMail.pl, but each recipient had to be approved and each form hand-coded with required fields. I wanted users to be able to create forms, have the results emailed to them as well as saved in a database, and manage those forms, all without having to get the web team involved.
I know, web forms aren’t sexy. Not in the least, but they’re a critical part of how people communicate with us on our sites. Since its launch, FormBuilder (original name, I know) has really made an impact across campus. Forms are all uniform in terms of style and layout. This was a huge problem, as everyone, myself included, was building forms differently. Offices on campus can create a form in just a few minutes, email the address or post it on the web and start getting responses in minutes. These offices have seen a dramatic improvement in student responses and program attendance.
So FormBuilder’s been chugging along with no problems, until recently when it’s been getting hammered with spam. Not all forms are getting hit, just a lucky few. They are receiving, seriously, hundreds of submissions a day. Luckily, it’s mostly gibberish and not pr0n spam, but still, it’s annoying for my users and it’s using my resources up. Not cool.
I wrestled for a long time with how to stop the spam. I thought about adding some kind of question that would be appended to each form, such as “What is 2+2,” or something to that effect. I thought about using code like Bad Behavior, but I don’t know if that would be easily defeated.
In the end, I decided to implement the dreaded CAPTCHA.
I looked at code to generate my own and do all the processing on my server. I struggled with getting them to be readable and getting them to fit in with the look and feel of our forms. After running into so many problems, I decided to use the reCAPTCHA service.
reCaptcha was developed by Carnegie Mellon University, and, in addition to reducing spam, the project helps digitize books from the Internet Archive. In my eyes, that’s a win-win. ReCaptcha allows users to reload the images if they are tough to read, and they also allow for users to hear a series of numbers that they enter instead of words. Listen to the numbers sometime, it’s a little creepy.
ReCaptcha is being used on a great deal of large websites, including Twitter, StumbleUpon and Ticketmaster, to name but a few. I’m sure you’ve seen the red reCaptcha boxes as you’ve surfed the web.
Implementing reCaptcha was painless. They offer libraries in a variety of languages and detailed instructions. I used the PHP code and it’s worked perfectly. What really drew me to the service is the fact that you can really customize the look and feel of the captcha to match your color scheme.
Here’s a standard reCaptcha box:

Here’s an example from one of our FormBuilder powered forms:
Earlier this week, we rolled this out on all FormBuilder-powered forms. It was smooth and, other than a call to our computing help desk by a user who feared we’d been hacked, we haven’t heard of any issues from people filling out forms or from our campus users.
Thus far, the spamming has stopped and only legitimate form entries are getting through. Of course, it will only be a matter of time until hackers beat ReCaptcha, and the whole cat and mouse game will start again.
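The server-side half of what the post describes, as an added example rather than FormBuilder’s own code: the submission is only emailed and saved after the reCAPTCHA answer has been verified, and a missing or failing check (including an error reaching the verification service) drops the entry. It assumes the legacy recaptchalib.php library reCAPTCHA shipped for PHP at the time, placeholder keys, and a hypothetical save_and_email_submission() hook standing in for FormBuilder’s own processing.

```php
<?php
// Added example, not FormBuilder's code. Uses the legacy reCAPTCHA PHP
// library (recaptchalib.php); the field names below are the ones it posts.
require_once 'recaptchalib.php';

$publickey  = 'YOUR_PUBLIC_KEY';   // placeholder: goes into the rendered widget
$privatekey = 'YOUR_PRIVATE_KEY';  // placeholder: server-side only, never sent to the browser

// Returns true only when the verification service confirms the answer.
function captcha_passed($privatekey)
{
    // A submitter that skips the widget entirely never gets to the service call.
    if (empty($_POST['recaptcha_challenge_field']) || empty($_POST['recaptcha_response_field'])) {
        return false;
    }
    $resp = recaptcha_check_answer(
        $privatekey,
        $_SERVER['REMOTE_ADDR'],
        $_POST['recaptcha_challenge_field'],
        $_POST['recaptcha_response_field']
    );
    // Fail closed: the library reports a failed or unreachable check as
    // is_valid == false, so the form is not processed in either case.
    return (bool) $resp->is_valid;
}

// save_and_email_submission() is a hypothetical stand-in for the part of
// FormBuilder that emails the owner and stores the entry in the database.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (captcha_passed($privatekey)) {
        // Nothing is stored or emailed until this point, so rejected
        // submissions cost no mailbox or database space.
        save_and_email_submission($_POST);
        echo 'Thanks, your form has been submitted.';
    } else {
        // Re-render the widget so a human who misread the image can retry.
        echo '<form method="post" action="">';
        echo recaptcha_get_html($publickey);
        echo '<input type="submit" value="Submit" /></form>';
    }
}
```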