Site Maintenance — Why Now?
On-line Opinion Magazine…OK, it's a blog

Site Maintenance

I have to update the site software as this site was being used in denial of service attacks on other sites, a problem just corrected by WordPress.

Hopefully I will be back up tonight.

Update: Cheated disaster again, but it will be a couple of days before I hack the file that gives people the ability to include images and such in comments as that is a hack done by hand.

Update: Hack complete. The publicly visible site is back to normal, but the back end is messed up again. If you have a WordPress site you really need to update to version 3.92 because the problem it fixes cost me some money yesterday before my host blocked it.

4 comments

1 Kryten42 { 08.14.14 at 10:10 am }

Yeah. I just finished updating my test server here. Now I have to wait for theme/plugin developers to upgrade them where required.

WordPress 3.9.2 Security Release — WP 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately. This release fixes a possible denial of service issue in PHP’s XML processing!

And soon… WordPress 4! Which promises to be a real PITA at the start! *sigh*

2 Bryan { 08.14.14 at 2:25 pm }

They were using pingbacks through an exploit of a weakness in xmlrpc.php. My host changed the permissions on the file to 6008 to stop them, and I left the change because I don’t need the features it provides. My host saw a jump in the resources being used by my site and investigated. The attack doesn’t have much of an effect on the normal performance of my site, so I didn’t start looking for a problem.

They were going update crazy for a while, so I was waiting for them to slow down. I was planning to upgrade after the Tour and then a hurricane showed up. Just as well as the security update in 3.92 was the necessary fix for the problem my host found. Nearly Free Speech are good people.

3 Badtux { 08.14.14 at 11:45 pm }

Interesting. I have xmlrpc.php on my WordPress setup, but I checked the logs and pretty much nobody is using it. I disabled it like you and will see if any of my users complain. (It is not my personal WordPress, it is a club web site that others post actual content to).

4 Bryan { 08.15.14 at 12:17 am }

The program/script is part of the distribution and supports the pingback/trackback feature as well as some of the connections to mobile apps used to post to the site. The new version in 3.92 is supposed to have fixed the problem, but I don’t use it anyway, so I kept the changed permissions.
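The log check mentioned in the comments above, as an added example (not code from the post or its commenters): it counts POST requests to xmlrpc.php per client in a web server access log, which shows whether anyone still uses the file and whether a single client is hammering it. The Combined Log Format, the function name, the threshold and the sample lines are assumptions; the log lines are constructed.

```python
import re
from collections import Counter

# Assumed format: Apache/nginx Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges), not taken from any real site.
SAMPLE_LOG = '''\
192.0.2.10 - - [14/Aug/2014:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2014:09:00:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
203.0.113.7 - - [14/Aug/2014:09:00:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
203.0.113.7 - - [14/Aug/2014:09:00:03 +0000] "POST /xmlrpc.php HTTP/1.0" 403 199 "-" "-"
198.51.100.4 - - [14/Aug/2014:09:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "ExampleMobileApp/1.0"
192.0.2.10 - - [14/Aug/2014:09:06:00 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 200 800 "-" "Mozilla/5.0"
not a log line
'''.splitlines()


def xmlrpc_summary(lines, threshold=3):
    """Summarise POSTs to xmlrpc.php: per-client counts, status codes, heavy clients."""
    per_ip, statuses, parsed = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        parsed += 1
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if m.group("method") == "POST" and path.endswith("/xmlrpc.php"):
            per_ip[m.group("ip")] += 1
            statuses[m.group("status")] += 1  # 403s show a block is taking effect
    return {
        "parsed": parsed,
        "xmlrpc_posts": sum(per_ip.values()),
        "per_ip": dict(per_ip),
        "statuses": dict(statuses),
        "flagged": sorted(ip for ip, n in per_ip.items() if n >= threshold),
    }


if __name__ == "__main__":
    for key, value in xmlrpc_summary(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A near-empty `per_ip` over a few weeks of logs supports disabling the file; a handful of clients with very high counts is the pattern a host would notice as a resource jump.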