In general there is nothing you need to be worried about. We’re taking care of it on our end and you should not see any significant changes to your sites as a result. We do however have two suggestions/reminders and one heads-up that may affect you.
First: Please NEVER use “admin” or “administrator” as a username. Not on WordPress or on anything else if you can help it. (There are some systems that require this so in those cases it’s unavoidable.) The core of the current WordPress attack is based on assuming there is an account named “admin” or “administrator” and then trying to brute-force guess the password. We have already made sure that no one is doing this on their sites but now would be a good time to check all of your other accounts both personal and library.
Second: Pick a good password. Here’s a site that will help. Yes, it’s annoying but it is your single best line of defense. We have no way to check on the strength of your passwords or even know what they are so please take this advice seriously.
Third: We may be installing a plugin on everyone’s site that will limit login attempts. For example, if we turn this on you will be limited to three login attempts. If all three fail, you will be locked out of your site for a short period of time. If after that time, there are another three failed attempts, you will be locked out for a much longer period of time. We are looking to avoid this but if the attacks increase this is a line of defense we’ll be forced to take on this end. So, when you log into your site, please be sure to enter your login credentials correctly.
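The lockout behavior described above, as an added sketch that is not the plugin's own code: the three-attempt limit comes from this post, while the 20-minute and 24-hour durations, tracking by client IP address, and clearing the history after a successful login are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_FAILURES = 3             # from the post: three login attempts per round
SHORT_LOCKOUT = 20 * 60      # assumption: "short period" = 20 minutes
LONG_LOCKOUT = 24 * 60 * 60  # assumption: "much longer period" = 24 hours

@dataclass
class ClientState:
    failures: int = 0          # failed attempts in the current round
    lockouts: int = 0          # lockouts this client has already triggered
    locked_until: float = 0.0  # time in seconds; 0 means not locked

class LoginLimiter:
    def __init__(self):
        self.clients = {}      # keyed by client IP address (assumption)

    def attempt(self, ip, password_ok, now):
        """Record one login attempt at time `now` and return its outcome."""
        st = self.clients.setdefault(ip, ClientState())
        if now < st.locked_until:
            return "locked"        # rejected before the password is checked
        if password_ok:
            self.clients.pop(ip)   # a successful login clears the history
            return "ok"
        st.failures += 1
        if st.failures < MAX_FAILURES:
            return "failed"
        # Third failure in this round: lock out, longer if it happened before.
        escalate = st.lockouts >= 1
        st.failures, st.lockouts = 0, st.lockouts + 1
        st.locked_until = now + (LONG_LOCKOUT if escalate else SHORT_LOCKOUT)
        return "lockout-long" if escalate else "lockout-short"

def replay(events):
    """Run constructed (seconds, ip, password_ok) events through a limiter."""
    limiter = LoginLimiter()
    return [limiter.attempt(ip, ok, t) for t, ip, ok in events]

# Constructed sample: one client failing repeatedly, one user with a typo.
SAMPLE = [
    (0, "203.0.113.7", False), (1, "203.0.113.7", False),
    (2, "203.0.113.7", False),     # third failure -> short lockout
    (3, "203.0.113.7", True),      # right password, but locked out
    (5, "198.51.100.4", False), (9, "198.51.100.4", True),  # one typo
    (1300, "203.0.113.7", False), (1301, "203.0.113.7", False),
    (1302, "203.0.113.7", False),  # second round -> long lockout
    (40000, "203.0.113.7", True),  # still inside the long lockout
]
if __name__ == "__main__":
    print(replay(SAMPLE))
```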
As always, if you have any questions please do not hesitate to leave a comment and we’ll be happy to help in any way we can.
I’ve been using and recommending Compfight for years as a great way to search Flickr for CC-licensed content. Last night while searching for an image for a blog post I noticed that they were highlighting the fact that they now have a WordPress plugin. So, this morning I installed it and gave it a try on my own site. Result: I love it! No, it’s not perfect (you’ll need to tweak your layout after insertion as needed), but it does allow you to keyword search Flickr, see CC-licensed results, and insert various sizes (Small, Medium, Large, Full) all without leaving WordPress.
If you’d like it installed on your site just leave a comment here with your library name and I’ll get it installed as soon as I can.
Fellow WordPress users come forth and pay attention for I have just been pointed to the single most useful WP-related Web site I have ever laid eyes upon. (Yeah, I think it’s that cool!) Head on over to http://whatwpthemeisthat.com/ and enter the URL for the WordPress site of your choosing. What you’ll get back is not just the name of the theme that site is using, but the version number, official description, sample screenshot, a link to the author’s home page, and the license. Oh, and did I mention it will also report what plugins the site is currently using? Seriously, this is amazing. No more hunting through the code to try to find it all on your own.
Thanks to pollyalida for the pointer! Oh, and that link just there, that takes you to her WordPress Tips and Tricks Scoop.it page which you should subscribe to immediately.
I’ve been on the phone recently with several people from other libraries and library systems that are interested in the hows and whys of Nebraska Libraries on the Web. Mainly they’ve all been considering setting up a system like we’ve got here in Nebraska and wanted to get the skinny on why we chose WordPress over other content management systems. Then this morning this article came across my feed reader: Five Reasons We Still Use WordPress in 2013. Their five reasons are:
Ease of Use
Backed by a Dynamic and Diverse Community
About half of the top 10,000 sites use WordPress
The article goes into much more detail and I highly recommend you take a moment and read it. In the end, I’d say that these are five core reasons that we chose WordPress over other systems. All leading to the fact that we felt it was the best choice for our libraries and three years later I know we made the right choice.
We here at the commission have already been in contact with the six libraries that are affected by this problem, but in the interest of full disclosure, and to have a full record of the project I’m also posting this information here.
Google Analytics (GA) is a Google service that will give you statistical reports of visits to your Web site. In order for this service to work with WordPress-based sites, a plugin must be installed to connect the site to a GA account. We’ve been offering this plugin for about a year now without any problems.
Recently we updated our installation of PHP, the programming language that WordPress relies on to run. That upgrade caused the GA plugin we were using to fail, and in at least one case, cause errors to appear on the library’s page. Of course, this happened not just over a weekend, but a weekend between my being out of the state and then being sick for two days.
At this point, the only solution has been to disable the GA plugin that we were using. The next step will be to find a new one and test it before rolling it back out to participating sites. In the meantime, those of you that were using GA will receive reports of zero visits. There is nothing you need to do to your GA account. Just leave it as is.
Please accept my apologies for this and know that I’m working on it and hope to have something tested and ready to use ASAP.
It has come to my attention that part of the Nebraska Library Commission’s computer security protocols could have a serious effect on someone’s ability to access sites hosted as part of the Nebraska Libraries on the Web project. Here is the official statement from our computer team who handles security:
The Internet presence of and online services offered by the Nebraska Library Commission continue to expand. In order to safeguard its computer equipment, network, and data from misuse, the agency blocks inbound access from ranges of IP addresses that have been the source of repeated malicious activity. The practical effect of this process over many years is that a large portion of the IP address space outside North America is blocked. Users in those areas are unable to view webpages and sites hosted on Nebraska Library Commission servers. This includes all libraries.ne.gov sites.
So far, this has not been a known problem for any of our participating libraries but in the interest of full disclosure, I wanted to make sure that you were all aware of this issue. I apologize to anyone who wishes they’d known this prior to setting up their site with us. If because of this you wish to move your site to another server/service we’ll do what we can to help assist you with that process.
This information has been added to the Want to Participate page so as to alert any new libraries wishing to join the program.
If you have any questions about this please feel free to leave a comment below and I’ll do my best to provide what answers I can.
Well, it turns out that I spoke too soon with yesterday’s post. Yes, I solved the new user registration problem but I created another problem. With the new plugin turned on, users were unable to post comments to your sites. So, for the time being I’ve turned off the new CAPTCHA plugin and everything is “working”. The trouble is, this has the potential to significantly increase the amount of comment spam you may receive. So please keep a regular eye on your incoming comments for the immediate future. I’m actively working on solving all of this ASAP and will report back as information is available.
(If you’re more technically oriented and are interested, I have submitted a help request to the plugin’s community which you can read and follow along with @ http://betterwp.net/community/post/252/.)
At some point this week we’ll be upgrading to WordPress 3.3. I’ll post when this happens but in the meantime here’s information about the changes that may affect you.
File Type Detection
We’ve streamlined things! Instead of needing to click on a specific upload icon based on your file type, now there’s just one. Once your file is uploaded, the appropriate fields will be displayed for entering information based on the file type.
Drag-and-Drop Media Uploader
Adding photos or other files to posts and pages just got easier. Drag files from your desktop and drop them into the uploader. Add one file at a time, or many at once.
More File Formats
We’ve added the rar and 7z file formats to the list of allowed file types in the uploader.
Speed up navigating the dashboard and reduce repetitive clicking with our new flyout submenus. As you hover over each main menu item in your dashboard navigation, the submenus will magically appear, providing single-click access to any dashboard screen.
Header + Admin Bar = Toolbar
To save space and increase efficiency, we’ve combined the admin bar and the old Dashboard header into one persistent toolbar. Hovering over the toolbar items will reveal submenus when available for quick access.
Certain dashboard screens have been updated to look better at various sizes, including improved iPad/tablet support.
The Help tabs located in the upper corner of the dashboard screens below your name have gotten a facelift. Help content is broken into smaller sections for easier access, with links to relevant documentation and the support forums always visible.
Feels Like the First Time
New Feature Pointers
When we add new features, move navigation, or do anything else with the dashboard that might throw you for a loop when you update your WordPress site, we’ll let you know about it with new feature pointers explaining the change.
This screen! From now on when you update WordPress, you’ll be brought to this screen — also accessible any time from the W logo in the corner of the toolbar — to get an overview of what’s changed.
The dashboard home screen will have a Welcome area that displays when a new WordPress installation is accessed for the first time, prompting the site owner to complete various setup tasks. Once dismissed, this welcome can be accessed via the dashboard home screen options tab.
Have you ever gone to edit a post after someone else has finished with it, only to get an alert that tells you the other person is still editing the post? From now on, you’ll only get that alert if another person is still on the editing screen — no more time lag.
Want to import content from Tumblr to WordPress? No problem! Go to Tools → Import to get the new Tumblr Importer, which maps your Tumblog posts to the matching WordPress post formats. Tip: Choose a theme designed to display post formats to get the greatest benefit from the importer.
Changing themes often requires widget re-configuration based on the number and position of sidebars. Now if you change back to a previous theme, the widgets will automatically go back to how you had them arranged in that theme. Note: if you’ve added new widgets since the switch, you’ll need to rescue them from the Inactive Widgets area.