Add a code snippet to protect your site from zero-day vulnerability

A couple of days ago, a WordPress vulnerability was disclosed. In some cases, depending on the server configuration, an attacker might be able to play some dirty tricks with the password reset function of WordPress.
While you wait for WordPress to patch this, there’s one thing you can do now to harden your security.

WP Tavern suggests that one should simply add the following snippet:
add_filter( 'wp_mail_from', function( $from_email ) { return 'wordpress@mysite.com'; } );

I’ll show you one easy way to do that.

  1. Install the plugin Code Snippets by Shea Bunge, and activate it.
  2. In the main admin menu, you should now have a new entry, called “Snippets” with an icon featuring a pair of scissors. Go to Snippets -> Add new
  3. Name your snippet something like “Force email from this server to use a hardcoded address as sender” and paste the code snippet into the field “Code”. Remember to edit the sender email address so that it matches your own domain name.
  4. Under “Description” you might add more information, if needed. Here you could, for instance, paste a link to my blog post, as a reminder about what this is all about. The “Tags” field would probably be helpful if you had a lot of snippets and would need to sort them.
  5. Finally, hit the button Save changes and activate. Note that this snippet needs to be active for all pages (not only the admin area), since the password reset functionality is itself not part of the admin area.

One more thing. This simple patch will hardcode the sender’s address for any email sent from your website, which may also affect emails sent from other parts of your site, such as a contact form.
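For those who want to limit that side effect, here is a variant of the snippet. It is an added example, not the one from WP Tavern or the Code Snippets plugin, and example.com is a placeholder for your own domain. It only replaces the sender when WordPress has built it from the request host (the default “wordpress@” prefix), so a contact-form plugin that sets its own sender keeps it, and it also fixes the sender name:

```php
<?php
// Added example (not from the original post). Replace example.com with
// your own domain; that value is an assumed placeholder.
add_filter( 'wp_mail_from', function ( $from_email ) {
    // With no sender set, WordPress builds "wordpress@" followed by the
    // host name taken from the web server, which is what the reset
    // e-mail would otherwise carry. Only that case is overridden.
    if ( 0 === strpos( $from_email, 'wordpress@' ) ) {
        return 'wordpress@example.com';
    }
    // A plugin (e.g. a contact form) already chose a sender: keep it.
    return $from_email;
}, 10, 1 );

// Give the forced address a fixed display name as well.
add_filter( 'wp_mail_from_name', function ( $from_name ) {
    return 'WordPress';
}, 10, 1 );
```

Paste it into the Code Snippets plugin exactly like the one-liner above (the Code Snippets editor expects the code without the opening `<?php` tag). Keeping the filter priority at the default 10 means a plugin that hooks the same filter later can still change the address; if you want your address to always win, raise the priority.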

Security is more than just https – signon.se just missed me as a customer

A few weeks ago “Thirst”, the newest book by Jo Nesbø, was released in Swedish. (It will be released in English tomorrow.) I wanted to buy it and found that one of the best prices was offered by www.signon.se.

By the way, if it wasn’t for a direct link from pricerunner.se, I’d never have found the book on their site, since their internal search logic is really bad. They state that you can search on title, author, publisher, etc., but in reality you can only search for any single one of these arguments. And you must get a 100% match. Try typing “Jo Nesbø” without a Norwegian or Danish keyboard layout!

So I added the book to my order and went to check-out. First I had to register. And this is where things went awkward. Obviously, the site uses https, so the communication between my browser and their server is encrypted. But what do they do with my data?

Firstly: The password I created for this website was e-mailed back to me! To me, this is an obvious signal that their whole thinking around security is flawed. It’s quite possible that they store my password in clear text in their database, which is insecure practice. Almost all current frameworks know to instead store hash values that are created using individual salt strings and cryptography, and never ever send e-mails with the password in clear text. The industry practice is to only send one-time nonce values upon request, which are then used to allow the password to be reset if lost or forgotten.

Secondly: The account was immediately activated without any verification of my e-mail address. With a simple script you could start stuffing their database with fake accounts and even have them automatically send out confirmation emails as spam, possibly with insulting passwords written in clear!
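To make the two points above concrete, here is an added example (my own illustration, not code from signon.se or any framework) of the registration and reset flow the post describes: the password is stored only as a salted hash, the account stays unverified until a one-time e-mail token is used, and a password reset likewise issues a short-lived random token instead of ever mailing a password. In-memory arrays stand in for the database, which is an assumption of the example.

```php
<?php
// Added example, not from the original post. Arrays replace DB tables.
declare(strict_types=1);

final class AccountStore {
    /** @var array<string, array{hash: string, verified: bool}> */
    private array $users = [];
    /** @var array<string, array{user: string, expires: int}> keyed by token hash */
    private array $tokens = [];

    // Registration stores a per-user salted hash (password_hash generates
    // its own random salt) and returns the verification token to e-mail.
    // The clear-text password is never stored or sent anywhere.
    public function register(string $email, string $password): string {
        $this->users[$email] = [
            'hash'     => password_hash($password, PASSWORD_DEFAULT),
            'verified' => false,
        ];
        return $this->issueToken($email, 'verify', 24 * 3600);
    }

    // The account becomes usable only once the mailed token comes back,
    // which stops scripted mass sign-ups with other people's addresses.
    public function confirmEmail(string $token): bool {
        $email = $this->consumeToken($token, 'verify');
        if ($email === null) {
            return false;
        }
        $this->users[$email]['verified'] = true;
        return true;
    }

    public function login(string $email, string $password): bool {
        $u = $this->users[$email] ?? null;
        return $u !== null && $u['verified'] && password_verify($password, $u['hash']);
    }

    // Forgotten password: mail a one-time nonce, never the password.
    // Returning null for unknown accounts lets the caller show the same
    // generic message either way, so the form does not reveal who has one.
    public function beginReset(string $email): ?string {
        return isset($this->users[$email]) ? $this->issueToken($email, 'reset', 15 * 60) : null;
    }

    public function finishReset(string $token, string $newPassword): bool {
        $email = $this->consumeToken($token, 'reset');
        if ($email === null) {
            return false;
        }
        $this->users[$email]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
        return true;
    }

    // Only a hash of the token is stored: a leaked table is not enough to
    // verify or reset anyone's account. The purpose is mixed in so a
    // verification token can never be replayed as a reset token.
    private function issueToken(string $email, string $purpose, int $ttl): string {
        $token = bin2hex(random_bytes(32));
        $this->tokens[hash('sha256', $purpose . ':' . $token)] = [
            'user'    => $email,
            'expires' => time() + $ttl,
        ];
        return $token;
    }

    // One-time: the entry is removed whether or not it was still valid.
    private function consumeToken(string $token, string $purpose): ?string {
        $key   = hash('sha256', $purpose . ':' . $token);
        $entry = $this->tokens[$key] ?? null;
        unset($this->tokens[$key]);
        if ($entry === null || $entry['expires'] < time()) {
            return null;
        }
        return $entry['user'];
    }
}

// Constructed walk-through of the flow.
$store  = new AccountStore();
$verify = $store->register('tobi@example.com', 'correct horse battery staple');
assert($store->login('tobi@example.com', 'correct horse battery staple') === false); // not verified yet
assert($store->confirmEmail($verify) === true);
assert($store->confirmEmail($verify) === false);                                     // one-time only
assert($store->login('tobi@example.com', 'correct horse battery staple') === true);
$reset = $store->beginReset('tobi@example.com');
assert($store->finishReset($reset, 'new passphrase') === true);
assert($store->login('tobi@example.com', 'new passphrase') === true);
```

The tokens returned by register() and beginReset() are what goes into the e-mail, as a link the user clicks; the password itself never leaves the server, and a confirmation mail can only be triggered for an address that has not yet completed verification.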

Next, I went to the beautiful check-out page, which proudly shows off a DIBS logo. Would I trust DIBS with my credit card details? Yes, they’re OK. But would I trust signon.se with my details? No, not really. So I had a quick look at the code behind the page. The form was programmed to deliver my credit card details to their own server. That helped me make my final decision.

End of story: I decided to pay about one euro more, but to a different vendor.

A good tool to get better quality in WordPress translations

First of all, a big “Thank you” to those of you who have contributed and continue to contribute to making WordPress available in various languages, including Swedish.

All translation of WordPress core, and most translations of plugins and themes are handled via the online platform GlotPress. Anyone is welcome to take part in this work. You just need to register a free account at www.wordpress.org, and then you may head over to https://translate.wordpress.org/ and start translating!

However, one important task for us is to create and maintain a consistent user experience for a localized (i.e. translated) WordPress.

One important tool for this is the glossary, where we have collected useful comments on specific words and phrases and in many cases give the specific term we’ve chosen to use.
One example: The English word “shortcode” might be translated into Swedish in various ways, and we’ve simply chosen the word “kortkod” for this term.
You can check out the Swedish glossary here:
https://translate.wordpress.org/projects/wp/dev/sv/default/glossary

If you’ve been translating anything for WordPress core, then you may have seen translated terms and comments automatically show up in the translator view. In a future version of GlotPress we may expect these useful hints to show up during translations of any plugin or theme.

But in the meantime, I’d like to tell you about a very useful tool, which will “inject” translator hints in these other projects already today.
It’s “GlotDict”, an add-on for Firefox and Google Chrome, developed by @Mte90, Daniele Scasciafratte from Italy. More information can be found at https://github.com/Mte90/GlotDict

If you want to help in translating WordPress into Swedish, then you’re more than welcome. And please join our special Slack channel: #translations at https://wpsv.slack.com/ (You’ll need an invitation to Slack, which you can get from anyone who’s already there.)

Whatever you do, never activate your Trados Studio 2017 before the trial period has ended!

I just discovered a weird bug in Trados Studio 2017, and it may cost me 1-2 working days!

I started using Trados Studio 2017 (in trial mode) in mid November 2016. On December 14, when some 2-3 days remained of the trial period, I decided to activate my copy. Everything worked fine. Since my license was for the “Starter” edition, I had to choose 5 languages I want to work with, but that’s OK.

Today I needed to work, so I started the program. And it tells me: License expired!
[Screenshot: Trados 2017 License expired]
My online account at SDL, though, still shows that I have one license, which was activated on Dec 14. Therefore I’m not allowed to reactivate with the same code, on the same computer, since that license is “already in use” according to SDL.

I’ve filed a ticket to SDL, this may cost me 1-2 days, since I haven’t paid for premium support.

Weird!

Solved: “Stream is offline” in Facebook Live preview

I spent several hours this morning trying to figure out why it didn’t work.
I was attempting to stream video to facebook live from my Windows PC with OBS encoding software. The encoding software was happily transmitting to somewhere, but the facebook preview in the publishing tool kept on reading “OFFLINE – If your video isn’t working, make sure you copied the contents of these fields into your video streaming software’s settings.”

Solution: Yes, I found the solution. In my case it was almost embarrassing. After I tried streaming to YouTube and everything worked spot-on, I went back for another try with Facebook. But this time I noted a small banner at the top of my browser window. It turned out I was blocking some Flash Player content on the page. As soon as I clicked on “allow”, the OFFLINE message vanished and I could see my preview.

Happy streaming!

-1 comments???

Now and then, I answer some questions over at Yahoo answers.
Today, I noted an interesting thing. One of my answers suddenly had -1 comments!

How could this ever happen?

Well, I happen to know half of the story, so I can make up at least part of the rest.

There was one comment there.
Then I responded to the first comment, but made a typo, so I posted again, now without the typo.
At this point there were three comments. But I could really live without the second one, with my typo. And, guess what, when I hovered over the comment, a little button with an X appeared.
I clicked on it, but nothing happened. So I clicked again a few times. My comment was still visible. I figured it might be some issue with some script not executing correctly in Firefox, so I started another browser (Chrome), logged in and went to the answer.
And there it was: -1 comments! I reloaded the page in Firefox, and got -1 comment there, too.
If you don’t believe me, here’s a screenshot. I’ve manually painted around the offending part!
[Screenshot: minusone]

So it seems that the button is tied to a script, which calls back in Ajax style to delete the comment on the server. But the button doesn’t make itself unclickable once clicked. And the button remains on the page, and can be clicked several times. And the comments aren’t referred to with individual, permanent addresses, but rather as “delete the second comment please”. And a dumb script on the server decrements the total number of comments without even noticing that it was one and the same comment that was deleted a couple of times…
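As an added illustration of how the server side could avoid exactly this (my own example, not Yahoo’s code, with an in-memory array standing in for the database), a delete handler should address comments by a permanent id, treat a repeated delete as a no-op, and derive the count from the data instead of keeping a counter that gets decremented:

```php
<?php
// Added example, not from the original post. Array replaces a DB table.
declare(strict_types=1);

final class CommentThread {
    /** @var array<int, array{id: int, author: string, body: string}> */
    private array $comments = [];
    private int $nextId = 1;

    public function add(string $author, string $body): int {
        $id = $this->nextId++;                       // permanent, never reused
        $this->comments[$id] = ['id' => $id, 'author' => $author, 'body' => $body];
        return $id;
    }

    // Delete by id, and only the requester's own comment. The first call
    // removes it; every later click for the same id is simply ignored,
    // so a button that can be pressed repeatedly does no extra damage.
    public function delete(int $id, string $requester): bool {
        $c = $this->comments[$id] ?? null;
        if ($c === null || $c['author'] !== $requester) {
            return false;
        }
        unset($this->comments[$id]);
        return true;
    }

    // Computed from the remaining rows, never stored and decremented:
    // it cannot drift to -1 however many delete requests arrive.
    public function count(): int {
        return count($this->comments);
    }
}

// Constructed replay of the story above.
$thread = new CommentThread();
$thread->add('someone', 'original comment');
$typo   = $thread->add('tobi', 'reply wiht a typo');
$thread->add('tobi', 'reply without a typo');

assert($thread->delete($typo, 'tobi') === true);    // first click
assert($thread->delete($typo, 'tobi') === false);   // second click, ignored
assert($thread->delete($typo, 'tobi') === false);   // third click, ignored
assert($thread->delete(1, 'tobi') === false);       // not tobi's comment
assert($thread->count() === 2);
```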

Bug report

Hi there. I wanted to file a bug report, but couldn’t find any link for where to do it. So I post it here instead…

I’ve been using Unfriend Finder on Chrome for a while, and it works reasonably well, although the intermediate ad page before reaching the useful interface is a bit exhausting (especially when there are lots of ads sprayed all over the main interface, too). Oh, and at least when one has some 2000 Facebook friends, the plugin seems to sporadically regard some friends as disappeared, although they are still there. I guess an unstable internet connection could be a reason for this. (And that would also indicate that the plugin may be using some noticeable bandwidth for its work.)

I use Firefox as my main browser. And today I noticed that Unfriend Finder is now available for Firefox, too. So I installed it. The plugin seems to work. After a while, the plugin button showed me that there was news for me.

But when I click on the button, the plugin opens a way too small window. So I can’t get to the link for the main interface. (And the window is only scrollable sideways!)

[Screenshot: toosmallwindow]

unfriend finder 1.2.4
firefox 42.0
Windows 7

Best regards,
Tobi

Basic WordPress training in Barcelona, in Russian

This is just a quick note that I’m planning to run a small basic training in how to set up your own web site using WordPress. The training will be in Barcelona and will be held in Russian.

More information can be found at http://kursy.fjellner.com/ Please do share this if you know anyone who might be interested.

Security update of WordPress

20 minutes ago WordPress.org started rolling out a security update to several of the latest releases. By default, this update will happen automatically (automagically ;) ). But in case you have turned off the automatic update, then this is for you. The update fixes a whole bunch of XSS (cross-site scripting) vulnerabilities that you WANT to plug as quickly as possible!

More information here: https://wordpress.org/news/2014/11/wordpress-4-0-1/

Virtual version of Östhammar’s Poetry Street on Google Maps

Recently, the main activities of the Festival of Words in the small Swedish city Östhammar took place. A part of the festival was the “Poetry Street”, where quite a few short poems on the festival’s theme (for the year 2014, the topic is freedom) were on display in the windows of various shops in the centre of the city.

Two of my own texts are included, but since I live too far away from Östhammar to see those displays myself, I suggested that we should back it up with a virtual version of the Poetry Street. This way, anyone can visit the exhibition without going to Östhammar. And the exhibition will still be around when the poems are taken down from the shops’ physical display windows. And, finally, the internet version can be useful even to someone visiting Östhammar, since s/he has the possibility to check that no single poem on display was missed!

First, I’ll give a quick look at what the map looks like. It’s interactive. Try clicking on some of the placemarks to see the included poetry!
