WordPress MU 2.8.4

WordPress MU is the multi-user, multi-blog version of WordPress that runs sites like WordPress.com.

Today’s WordPress MU release is 2.8.4, a security release that fixes an annoying bug that let anyone trigger a password reset for the admin account. The reset only generated a new password and e-mailed it to the account’s address; the existing password was never disclosed, so it’s a lockout annoyance rather than an account compromise, but it is still a required upgrade.

Oh, thanks to everyone who tested the exploit on my blog. See? You didn’t get my password! 😛

Upgrade automatically from within your dashboard (if you haven’t updated to 2.8.3 yet, fix the upgrader first as described in the 2.8.3 post below), or download the new release from the download page and upgrade manually, overwriting your current install with the new files.

Edit: James Collins noticed that line 164 of wp-login.php wasn’t merged properly. If you downloaded 2.8.4, please grab 2.8.4a. Thanks, James, for the prompt feedback!
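For the record, the fix that standalone WordPress 2.8.4 made in wp-login.php was to reject a reset key that is empty or that arrives as an array (a `key[]=` query parameter is delivered to PHP as an array, which survives a regex clean-up and is not `empty()`). The code below is an added example of that validation, not WordPress’s own code: the 20-character alphanumeric key format, the `lookup_user_by_key()` stand-in for the database query and the sample users are all assumptions made for the example.

```php
<?php
// Added example (not WordPress code): validate a password-reset key before it
// is used to look up a user. Returns the key string, or an error array.
function validate_reset_key( $key ) {
    // ?key[]=x makes PHP hand us an array. preg_replace() on an array returns
    // an array, and an array is not empty(), so it has to be rejected by type.
    if ( ! is_string( $key ) ) {
        return array( 'error' => 'invalid_key' );
    }
    // Assumed key format: exactly 20 alphanumeric characters. Anything else,
    // including the empty string, is junk and never reaches the database.
    if ( ! preg_match( '/^[A-Za-z0-9]{20}$/', $key ) ) {
        return array( 'error' => 'invalid_key' );
    }
    return $key;
}

// Stand-in for the database lookup (assumption). It must never run with an
// empty key: accounts with no pending reset have an empty stored key, so an
// empty comparison value would match the first such account (usually admin).
function lookup_user_by_key( array $users, $key ) {
    foreach ( $users as $login => $stored ) {
        if ( $stored !== '' && hash_equals( $stored, $key ) ) {
            return $login;
        }
    }
    return null;
}

// Constructed sample data: admin has no reset pending, bob does.
$users = array( 'admin' => '', 'bob' => 'aB3dE5fG7hJ9kL1mN3pQ' );

// Constructed inputs: the real key, an empty key, the array trick, and junk.
foreach ( array( 'aB3dE5fG7hJ9kL1mN3pQ', '', array( 'x' ), "' OR 1=1" ) as $input ) {
    $key = validate_reset_key( $input );
    if ( is_array( $key ) ) {
        printf( "%-25s -> rejected (%s)\n", json_encode( $input ), $key['error'] );
        continue;
    }
    printf( "%-25s -> reset allowed for user %s\n", $key, lookup_user_by_key( $users, $key ) );
}
```

The point worth keeping from this is the order of checks: type first, then format, and only then the database, so that neither an array nor an empty string can ever be the value compared against the stored key.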

WordPress MU 2.8.3

WordPress MU is the multi-user, multi-blog version of WordPress that runs sites like WordPress.com.

WordPress MU 2.8.3 is a security and bugfix release based on the fixes in WordPress 2.8.3 but also contains many other changes.

It’s a required upgrade for security reasons but also fixes a number of annoying bugs, especially #1067 and #1076.

Unfortunately the automatic upgrader in MU 2.8.2 is broken but it’s simple to fix:

  • Before upgrading, edit wp-admin/includes/class-wp-upgrader.php and look for line 697.

    if ( !$wp_filesystem->copy($working_dir . '/wordpress/wp-admin/includes/update-core.php', $wp_dir . 'wp-admin/includes/update-core.php', true) ) {

  • See the “/wordpress/wp-admin/includes” bit? Change that to “/wordpress-mu/wp-admin/includes”:

    if ( !$wp_filesystem->copy($working_dir . '/wordpress-mu/wp-admin/includes/update-core.php', $wp_dir . 'wp-admin/includes/update-core.php', true) ) {

  • Save the file and auto upgrade. I upgraded this afternoon without a hitch after making that change. It’s fixed in 2.8.3 so it’s the last time you’ll have to do it.

Rather than copying and pasting the line above, go into the file and type “-mu” after “wordpress”: WordPress may have turned the straight quotes into “smart quotes” when it published this post, and PHP will choke on those. If you do paste, check that the quotes around the paths are plain single quotes.

If auto upgrading still doesn’t work, don’t sweat it. Download the new release from the download page and upgrade manually, overwriting your current install with the new files.

Last Friday we stayed in a West Cork B&B

This weekend we stayed in “Aisling Heights”, a B&B in Clonakilty, County Cork, while attending my cousin’s wedding in the area.

It was my first time in a long time staying in a B&B but I think I’ll be back, because it was a great place to stay. After we rang them, they met us in the town, guided us back and helped with our bags.
All the rooms in the house were immaculate and exquisitely decorated. As (bad) luck would have it I didn’t photograph the rooms themselves but check out the photos of the hallway and living room below! If you’re tired of staying in yet another shabby, run-down hotel, give this B&B a go. Beds are fairly comfortable, rooms are nice and large, and light pours in as there is plenty of space around the building. Breakfast was fine, a lovely fry-up, toast, tea and cereal, and at 35 Euro each for the night it was very competitive.
Our two-year-old, Adam, stayed for free, although they didn’t have a travel cot so we brought our own.

Anyway, many hotels in this price range (and more expensive!) are in a shabby state of repair and understaffed, so you owe it to yourself to spoil yourself with the picturesque surroundings of this delightful B&B. Call them at +353-23-8833491. (More photos and details are available on this page.)

WP Super Cache 0.9.6.1

WP Super Cache 0.9.6.1 is now available.

This release adds the following menu item to the admin page.

(screenshot: the new page types settings)

You can now choose to not cache different types of pages on your blog. Don’t want to cache your front page? That’s easy now. The indented page types are types covered by the top type. “Archives” covers “Tag” and “Category” pages for example.
See the Conditional Tags codex page for a description of the page types, especially “front page” and “home”.

I also fixed a few bugs, including the AYS (“Are you sure?”) prompt that appeared when saving posts if you had “Don’t cache for logged in users” enabled.

I never got around to blogging about 0.9.6 but that included an uninstall script that deletes the folders and files created by wp-super-cache. Make sure you read the readme.txt before running it. For security reasons you have to edit the script before using it.

I also updated the mod_rewrite rules in cache/.htaccess (Thanks Andrew!). For some reason Apache forgets the MIME type it is supposed to serve the gzipped supercache files with. It should be “text/html” for files in the cache dir, but randomly, and only on the odd occasion, it reverts to the gzip MIME type, so the browser gets a download instead of a page. I examined the cache files when this happens and they look correct, and the file sizes match before and after; clearing the cache dir fixes the problem temporarily. I can’t explain it.
If you see this happen, remove cache/.htaccess (you might need to use the uninstall script) and reload the admin page to regenerate the file. The new rules force the MIME type in a different way. Hopefully Apache won’t forget it this time.

Win a trip to Disneyland

I’ve got good news, and I’ve got great news! The good news is for spammers. The great news is for you.

The good news is that in 3 simple steps you too could win a trip to Disneyland:

  • Visit one of those sites that lists this blog as a dofollow blog (BTW – it doesn’t dofollow anymore)
  • Click on a link to my blog.
  • Have a great time in Disneyland!

The great news is that you can send those spammers to Disneyland too! Just take a look at the code in disney.txt and copy it into your wp-config.php (Put it right at the top of the file!) or into an auto_prepend file.

The $bad_referrers array is a simple list of offending sites that send you the most spammers. Add them in and when the spammer comes visiting they’ll be whisked off to Disneyland for a magical tour of the castle. (Hopefully they’ll meet an ogre who’ll take a fancy to them and lock them in the tower or something!)

I use my Comment Referrers WordPress plugin to tell me where comment authors come from but sometimes if they’ve browsed around my site (and the referrer is gone then), I search my logs for their IP address.

Yes, the above could be done with .htaccess mod_rewrite rules but this is more portable and I redirect to a Pretty Link shortcut so I can easily count the hits. No matter what I did I couldn’t get it to exclude the hit to the shortcut and it would redirect continuously.
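The filter described above, written out as an added example (this is not the disney.txt code from the post): it compares the referer’s host, not the raw string, against a list, sends the request to a redirect target, and refuses to redirect the request for the target itself, which is the loop the Pretty Link shortcut ran into because browsers keep the original Referer across a redirect. The host list is taken from the rewrite rules in this post; the blog host `blog.example` and the shortcut path `/go/disney` are made up. One caveat: the Referer header is set by the client and an aware spammer simply omits it, so this is a nuisance filter, not access control.

```php
<?php
// Added example, not the disney.txt code from the post: a referrer filter for
// wp-config.php or an auto_prepend_file. Host list from the post's rewrite
// rules; blog host and shortcut target are assumptions.
$bad_referrers = array(
    'theseomizer.com', 'seomizeme.com', 'revolutioners.com', 'rishabhsood.net',
    'backlinkmagic.com', 'forums.digitalpoint.com', 'courtneytuttle.com',
    'rasimcoskun.com', 'smartpagerank.com',
);
$redirect_to = 'http://blog.example/go/disney';   // a same-site shortcut (assumption)

// True when the referer's host is a listed host or a subdomain of one. Only
// the host is compared, so a page that merely mentions a listed name in its
// query string is not caught by accident.
function is_bad_referrer( $referer, array $bad ) {
    $host = parse_url( $referer, PHP_URL_HOST );
    if ( ! is_string( $host ) || $host === '' ) {
        return false;   // no referer, or an unparsable one: serve normally
    }
    $host = strtolower( $host );
    foreach ( $bad as $b ) {
        $b = strtolower( $b );
        if ( $host === $b || substr( $host, -strlen( ".$b" ) ) === ".$b" ) {
            return true;
        }
    }
    return false;
}

// Returns the redirect target for this request, or null to serve it.
// The request for the target itself is never redirected: the browser still
// sends the spammer's Referer on the redirected request, so a same-site
// shortcut would otherwise redirect to itself forever.
function referrer_redirect( $referer, $request_host, $request_uri, $target, array $bad ) {
    $t_host = (string) parse_url( $target, PHP_URL_HOST );
    $t_path = rtrim( (string) parse_url( $target, PHP_URL_PATH ), '/' );
    $r_path = rtrim( (string) parse_url( $request_uri, PHP_URL_PATH ), '/' );
    if ( strcasecmp( $request_host, $t_host ) === 0 && $r_path === $t_path ) {
        return null;
    }
    return is_bad_referrer( $referer, $bad ) ? $target : null;
}

if ( PHP_SAPI !== 'cli' ) {
    $ref  = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';
    $host = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : '';
    $to   = referrer_redirect( $ref, $host, $_SERVER['REQUEST_URI'], $redirect_to, $bad_referrers );
    if ( $to !== null ) {
        header( 'Location: ' . $to, true, 302 );
        exit;
    }
} else {
    // Constructed requests: (referer, requested path) pairs on blog.example.
    $samples = array(
        array( 'http://www.theseomizer.com/dofollow-list', '/2009/08/some-post/' ),
        array( 'http://forums.digitalpoint.com/showthread.php?t=1011238', '/' ),
        array( 'http://evil.example/?q=theseomizer.com', '/' ),
        array( 'http://www.theseomizer.com/dofollow-list', '/go/disney' ),  // the loop case
        array( '', '/' ),
    );
    foreach ( $samples as $s ) {
        $to = referrer_redirect( $s[0], 'blog.example', $s[1], $redirect_to, $bad_referrers );
        printf( "%-55s %-22s -> %s\n", $s[0] === '' ? '(no referer)' : $s[0], $s[1], $to === null ? 'serve' : $to );
    }
}
```

Run it with `php disney-filter.php` to see the decisions for the constructed requests; dropped into wp-config.php it runs before WordPress loads, so the redirect costs no database queries.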

Update! I added rewrite rules to send the spammers off. I’m sure these rules can be improved so leave a comment if you have any tips.

# Goes in the site's root .htaccess, above the WordPress rules. Dots and the
# query-string "?" are escaped so they match literally: unescaped, "php?t="
# makes the "p" optional and never matches the real showthread.php?t= URL.
RewriteCond %{HTTP_REFERER} theseomizer\.com [NC,OR]
RewriteCond %{HTTP_REFERER} seomizeme\.com [NC,OR]
RewriteCond %{HTTP_REFERER} revolutioners\.com [NC,OR]
RewriteCond %{HTTP_REFERER} rishabhsood\.net [NC,OR]
RewriteCond %{HTTP_REFERER} 011831068587400451950 [NC,OR]
RewriteCond %{HTTP_REFERER} backlinkmagic\.com [NC,OR]
RewriteCond %{HTTP_REFERER} www\.online-utility\.org/webmaster/backlink_domain_analyzer\.jsp [NC,OR]
RewriteCond %{HTTP_REFERER} forums\.digitalpoint\.com/showthread\.php\?t=(1011238|1006727|1003675) [NC,OR]
RewriteCond %{HTTP_REFERER} courtneytuttle\.com/blogs-that-follow/ [NC,OR]
RewriteCond %{HTTP_REFERER} rasimcoskun\.com [NC,OR]
RewriteCond %{HTTP_REFERER} smartpagerank\.com [NC]
RewriteRule ^(.*) http://disney.com/ [R,L]

And in other news, Stephen Cronin created the comment warning plugin to warn visitors who come from predefined urls like the dofollow lists above. Nice!

WordPress MU 2.8.2

WordPress MU 2.8.2 has just been released. This is a security release with the same fix as the standalone WordPress.

WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site.
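As an added example of the escaping that prevents this class of bug (this is not WordPress’s own escaping code): a comment author’s URL is accepted only with an http or https scheme, rejected outright if it carries whitespace or control characters, and escaped for the href attribute, so neither a javascript: URL nor a quote that closes the attribute reaches the admin page. The sample inputs are constructed.

```php
<?php
// Added example, not WordPress's escaping code: treat a comment author's URL
// as untrusted before it is printed into an admin page.

// Returns the URL safe to put in href="...", or '' if it must not be linked.
function safe_author_url( $url ) {
    $url = trim( (string) $url );
    // Whitespace and control characters inside a URL are only ever there to
    // fool a scheme check ("java\tscript:"), so reject rather than strip.
    if ( $url === '' || preg_match( '/[\x00-\x20\x7f]/', $url ) ) {
        return '';
    }
    // Only http and https may be linked; javascript:, data:, vbscript:,
    // scheme-relative and bare strings are all dropped.
    if ( ! preg_match( '#^https?://#i', $url ) ) {
        return '';
    }
    $parts = parse_url( $url );
    if ( $parts === false || empty( $parts['host'] ) ) {
        return '';
    }
    // Escape for the attribute context: a " in the URL becomes &quot; and can
    // no longer close href and start an event-handler attribute.
    return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
}

// The author name is escaped for text context; the URL is only ever a link.
function author_link_html( $url, $name ) {
    $href = safe_author_url( $url );
    $text = htmlspecialchars( $name, ENT_QUOTES, 'UTF-8' );
    return $href === '' ? $text : '<a href="' . $href . '" rel="nofollow">' . $text . '</a>';
}

// Constructed inputs: one honest URL, then three crafted ones.
$inputs = array(
    'http://example.com/',
    'javascript:alert(document.cookie)',
    "java\tscript:location='http://evil.example/'",
    'http://example.com/"onmouseover="location=\'http://evil.example/\'',
);
foreach ( $inputs as $u ) {
    echo author_link_html( $u, 'commenter' ), "\n";
}
```

The first input comes out as a plain link, the two javascript: variants come out as unlinked text, and the last one is linked but with the quote rendered as `&quot;`, so the `onmouseover` stays inside the href value instead of becoming an attribute.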

This release also fixes a number of other bugs, most notably the broken upgrade notice. See the timeline for a record of the latest activity.

Grab the new release from the download page or upgrade automatically from within WordPress MU.

Worldwide Photowalk on MU

For all you photographers out there, did you know the Worldwide Photowalk takes place next Saturday? It’s a good chance to meet other photographers in your area. It was a pleasant surprise when I realised their website runs on WordPress MU! I’m leading the Cork City Walk (still a few places left!) on Saturday and it was nice when I recognised what it was running on.

So, if you’re free on Saturday, check out the listings page. There might be a photowalk near you!

PS. If you’re running WordPress MU, check out the alpha release of the new version. It fixes a number of bugs in the original 2.8.1 release. It’s very stable but try it out on a test server first.

Why you should limit login attempts

(screenshot: the failed login attempts)

Some idiot at 213.155.4.184 hit all my websites over the last few days trying to log in to my blogs. He fired off hundreds of automated requests probing and testing my admin login, each with a different password. I use hard-to-guess passwords, but seeing the attempts was disconcerting.

I went searching and found the Limit Login Attempts plugin. After installing, a new page appears under Settings with a wealth of options:

(screenshot: the Limit Login Attempts lockout options)

I’m glad I did install it: it caught the same guy when he hit this blog a few hours later! You should probably install it too.
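An added example of what a login limiter has to do (this is not the Limit Login Attempts plugin’s code): count failed logins per client inside a time window, lock the client out for a period once the count is reached, skip the password check entirely while locked out, and choose the client key carefully. The thresholds, the in-memory store and the sample addresses are assumptions made for the example. One caveat worth knowing before you deploy something like this: keying on IP address means an attacker behind the same NAT as your users, or a spoofed X-Forwarded-For header if you trust it blindly, can lock legitimate users out, which is why the lockout is deliberately short and the proxy header is ignored by default.

```php
<?php
// Added example, not the Limit Login Attempts plugin's code: a per-client
// failed-login counter with lockout. Storage is an in-memory array here
// (assumption); a real site needs a database table or shared cache so every
// PHP worker sees the same counts.
class LoginThrottle {
    private $max_attempts;   // failures allowed inside $window seconds
    private $window;
    private $lockout;        // seconds a client stays locked out
    private $state = array();

    public function __construct( $max_attempts = 4, $window = 1200, $lockout = 1200 ) {
        $this->max_attempts = $max_attempts;
        $this->window       = $window;
        $this->lockout      = $lockout;
    }

    // The client key. REMOTE_ADDR is the only address the server can trust;
    // X-Forwarded-For is attacker-controlled unless a proxy you run sets it,
    // so it is consulted only when $trusted_proxy is true.
    public static function client_key( array $server, $trusted_proxy = false ) {
        if ( $trusted_proxy && ! empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
            $chain = explode( ',', $server['HTTP_X_FORWARDED_FOR'] );
            return trim( end( $chain ) );   // the address your own proxy appended
        }
        return $server['REMOTE_ADDR'];
    }

    public function is_locked_out( $key, $now ) {
        return isset( $this->state[ $key ]['locked_until'] ) && $this->state[ $key ]['locked_until'] > $now;
    }

    // Record a failed attempt; returns true if this failure started a lockout.
    public function record_failure( $key, $now ) {
        $s =& $this->state[ $key ];
        if ( ! isset( $s['first'] ) || $now - $s['first'] > $this->window ) {
            $s = array( 'first' => $now, 'count' => 0 );   // new window
        }
        $s['count']++;
        if ( $s['count'] >= $this->max_attempts ) {
            $s['locked_until'] = $now + $this->lockout;
            $s['count']        = 0;   // the window after the lockout starts clean
            return true;
        }
        return false;
    }

    public function record_success( $key ) {
        unset( $this->state[ $key ] );
    }
}

// Constructed sequence: one client guesses four passwords within a minute,
// keeps trying during the lockout, then comes back after it has expired.
$t    = new LoginThrottle( 4, 1200, 1200 );
$ip   = LoginThrottle::client_key( array( 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1' ) );
$base = 1000000;
foreach ( array( 0, 10, 20, 30, 40, 1300 ) as $dt ) {
    $now = $base + $dt;
    if ( $t->is_locked_out( $ip, $now ) ) {
        echo "t+$dt: $ip is locked out, password not even checked\n";
        continue;
    }
    $started = $t->record_failure( $ip, $now );
    echo "t+$dt: wrong password from $ip" . ( $started ? ', lockout starts' : '' ) . "\n";
}
```

In the sequence above the fourth failure at t+30 starts the lockout, the attempt at t+40 is refused without touching the password check, and by t+1300 both the lockout and the counting window have expired, so the client is back to a clean count of one. The spoofed X-Forwarded-For of 127.0.0.1 is ignored because no trusted proxy was declared.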

PS. Matt asked me to explain how I recorded those requests. There is a WordPress plugin that sends an email when a POST request is made, but I threw this code into a file and load it with the “auto_prepend_file” directive in my php.ini, which saves adding it to every installation of WordPress on my server:

// Mail every POST except WP cron, comment submissions and trackback pings. $HTTP_RAW_POST_DATA is only
// set for non-form bodies, so default it; CR/LF is stripped from host and address as they go into the mail subject.
$raw_post = isset( $HTTP_RAW_POST_DATA ) ? $HTTP_RAW_POST_DATA : '';
$subject  = preg_replace( '/[\r\n]+/', ' ', $_SERVER[ 'HTTP_HOST' ] . " POST request: " . $_SERVER[ 'REMOTE_ADDR' ] );
if ( ( $raw_post !== '' || !empty( $_POST ) ) && $_SERVER[ 'REQUEST_URI' ] != '/wp-cron.php?doing_wp_cron' && $_SERVER[ 'SCRIPT_NAME' ] != '/wp-comments-post.php' && substr( $_SERVER[ 'REQUEST_URI' ], -10 ) != '/trackback' && substr( $_SERVER[ 'REQUEST_URI' ], -11 ) != '/trackback/' ) {
    mail( "MYEMAIL@gmail.com", $subject, "URL: {$_SERVER[ 'REQUEST_URI' ]}\nPOST: " . print_r( $_POST, 1 ) . "\nCOOKIES: " . print_r( $_COOKIE, 1 ) . "\nHTTP_RAW_POST_DATA: $raw_post" );
}