
Intrusion detection with Perl

There has been a lot of hype lately concerning WordPress security and vulnerabilities that are out in the open. This is an open source project, so the big advantage is that (and I will quote):

Luckily, the entire WordPress community has our backs.  Several folks in the community dug deeper and discovered areas that were overlooked.  With their help, the remaining issues are fixed in 2.8.3

This is the heart of any open source project. Since the code is out there in the open, many can take a look and, therefore, discover any potential issues.

Now, I know that many users think that, whenever a new version comes out, they should let other people do the upgrade and check it out before they go on with it themselves. This might be the case with major versions (for instance 2.7.1 -> 2.8.3 as we speak) but it is definitely not the case when we have security patches and fixes (for instance 2.8.1 -> 2.8.2). In these situations, if you don’t upgrade, your WordPress installation is left exposed to an outside attack and you shouldn’t be surprised if that happens.

But does being updated to the latest version mean that you are absolutely exploit-free? Unfortunately not. You can never be sure. Not with open source, not with closed source. Never. You never know what someone can come up with to bring down your service. Being updated reduces that risk to the absolute minimum, but there is still a chance that it may happen.

Focusing back on WordPress, a very popular exploit is that of the hacker adding his own chunk of code to the core of your installation and hiding it well. The advantage for them is that they can insert anything they want, for instance an affiliate link of theirs or a link to a site that contains malicious software, so that their code is downloaded and executed by every visitor of yours. This is not the only thing an attacker can do, of course, but it is a large portion of the consequences (see this example).


What’s an API for a web service?

You must all have heard the term “API”, but the non-techies out there have probably drowned trying to understand what it is. First of all, a general definition of the term can be found on Wikipedia. But here I will concentrate on web services, as most people out there know them. So what do Twitter, Technorati, Google and the like mean when they say they have an “API” at the developers’ disposal? What is this magical term that enables many developers to deliver the product to the end user in a more pleasant way?

In order to grasp the idea more clearly I will focus on Twitter which, I believe, we have all used. You must know that there are various ways to check your timeline or tweet: through the official website, through desktop applications (Tweetdeck, Seesmic etc.) or through other websites that are frontends to it (TwitterFeed, HootSuite etc.). But what’s the main difference? Well, take a look at the diagram below.


Efficient or non-efficient?

All of you out there who know me know that I am an efficiency freak. Most of the time, when someone flashes a plugin at me, I stop and say “is that really necessary?” instead of “this looks cool!”. I know, it’s mostly annoying, but you’ve got to admit I have a point. But first things first. I will concentrate on WordPress since most of my readers are bloggers using the platform, and many don’t really get why I nag all the time about performance and plugins. To give you a good taste of the complexity, here is a small diagram.

[Diagram: wordpress]

This actually is a rough representation of what’s going on when a client request on your blog is in progress. Let’s take it one step at a time:

  1. A client makes a request on your blog. This starts on the Apache level.
  2. Apache realizes that it’s a PHP script that has to be executed (index.php).
  3. Apache gives the PHP module the script as a parameter and kicks it off.
  4. Then, it’s WordPress’s time. It starts loading the core.
  5. On various steps of the process of rendering the requested page the plugins are loaded.
  6. Just like a special plugin, the theme of the site is loaded as well. WordPress decides if it needs to load single.php for instance (when rendering a single post) or index.php (when rendering the homepage) etc.
  7. Each time a plugin or a theme wants to make a query it uses the wpdb global variable. This actually channels the query through WordPress, which channels it to the PHP module, which channels it to the PHP MySQL module, which channels it to MySQL server, which runs the query and creates the result set, which is finally channeled back all the way to the plugin.

Do you see how painful it is to make a query? Now take that and multiply it by 50-60 which is the average query count on a WordPress blog (not the default installation but an established one). You can see now how your memory and CPU get clogged up when a few requests come along together.


Search feature on static HTML sites – The smart way

You must all have stumbled upon static HTML sites. Either you created them or you found them around. The purpose of those sites today is simplicity. Not everybody needs dynamic content, and thus not everybody needs a complex CMS with a huge back-end administration panel. So, what is easier than putting together a few simple HTML pages? But what if you want to incorporate a search feature into that? Well, when a developer first thinks of search, the second thing that hits his mind is “database”. If you fall for that, then there goes simplicity and fast loading. You are already on a war path.

I’ve been challenged with that and here is what I came up with. I created a small PHP script that actually searches the HTML files! The simplicity of the thought is what makes me happy about this. You just get a search term, open the HTML files up, pattern match for it and then echo the results with links back to the original static files. So, you have a dynamic search feature with static content! And what’s even better is that if you make any changes in the HTML files, those will be reflected in your search just like it would happen using the classic database way.

I have created the script and included it with a small example here: Dynamic search for static HTML. The only requirement to run this example is a web server with PHP installed. Here is how to check it out:

  • Download and extract the folder “search_test” into a place accessible from the web.
  • Hit the URL “http://place.of.folder/search_test/search.php?s=ipsum”

As you can see, the above URL will search for “ipsum” in the .htm and .html files and show you the results. If you want to play a little bit with the parameters of the script you can open it and check the global variables on the top (recursive search, highlight etc).

One thing that could be improved is cached search. This would decrease the load on the server for each search. I can help you do it if you need to. I just didn’t go on with it because I didn’t want to overcomplicate my script.

As you can imagine, this is just the skeleton of the script. You should configure it to fit your needs. If you have any problems or need any help don’t hesitate to leave a comment or contact me!

EDIT: I forgot to mention that this will work for text that is wrapped in a “<p>” (paragraph) tag. In order to make it work with more tags or be more flexible, you will need to edit the regular expression at the “preg_match_all” call in the script.
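
The approach described above (take the `s` parameter, match it against the `<p>` text of the .htm/.html files, echo results with links), written as an added example that is not the downloadable script from this post. It assumes PHP 7 or later; the function names `search_static_html` and `render_hit` and the limits of 64 characters and 50 hits are hypothetical. Because the search term comes from the URL and is echoed back into the page, the term is quoted before it enters the regular expression and everything is escaped before it is printed:

```php
<?php
// Added example, not the downloadable script. Assumes text sits in <p> tags under $root.
function search_static_html(string $root, string $term, int $maxHits = 50): array
{
    $term = trim($term);
    if ($term === '' || strlen($term) > 64) {
        return []; // refuse empty or oversized terms before touching the disk
    }
    $root = rtrim($root, '/');
    // preg_quote() makes the term a literal, so "(" or ".*" cannot reshape the pattern.
    $needle = '/' . preg_quote($term, '/') . '/i';
    $hits = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        if (!$file->isFile() || !preg_match('/\.html?$/i', $file->getFilename())) {
            continue; // only static pages are read, never PHP or other files
        }
        $html = (string) file_get_contents($file->getPathname());
        preg_match_all('/<p\b[^>]*>(.*?)<\/p>/is', $html, $m);
        foreach ($m[1] as $paragraph) {
            $text = html_entity_decode(strip_tags($paragraph), ENT_QUOTES, 'UTF-8');
            $hit = ['file' => substr($file->getPathname(), strlen($root) + 1), 'text' => $text];
            if (preg_match($needle, $text) === 1 && array_push($hits, $hit) >= $maxHits) {
                return $hits; // array_push() returned the new count: per-request cap reached
            }
        }
    }
    return $hits;
}

// Escape every piece of page text and of the term; the <strong> tags are the only markup.
function render_hit(array $hit, string $term): string
{
    $split = '/(' . preg_quote(trim($term), '/') . ')/i';
    $out = '';
    foreach (preg_split($split, $hit['text'], -1, PREG_SPLIT_DELIM_CAPTURE) as $i => $part) {
        $esc = htmlspecialchars($part, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $out .= ($i % 2 === 1) ? "<strong>$esc</strong>" : $esc; // odd pieces are the matches
    }
    $href = htmlspecialchars($hit['file'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<li><a href=\"$href\">$href</a>: $out</li>";
}

// Entry point: "s" must be one string ("?s[]=x" arrives as an array and is ignored).
$term = (isset($_GET['s']) && is_string($_GET['s'])) ? $_GET['s'] : '';
foreach (search_static_html(__DIR__, $term) as $hit) {
    echo render_hit($hit, $term), "\n";
}
```

Placed next to the sample pages, a request with `?s=ipsum` lists the matching paragraphs, while a term containing markup or regular-expression characters is searched for and printed as plain text.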

Get rid of the newsflash plugins. Do it yourself!

Does the title ring a bell? I bet it does. It must remind you of the article I wrote quite some time ago titled “Get rid of the sociable plugins. Do it yourself!”. It helped a lot of people save some CPU time and memory usage. Now it’s time for the newsflash! The idea came to me after I read this article on a modification for the theme. It actually gives a very nice little admin area on the theme options but it fiddles with the database, so I decided to show you how you can do the same thing without running any query.

Firstly, I will summarize all the steps we are going to take in order to achieve this:

  1. We will have a plain text file called “newsflash.txt” in our theme folder. This file will actually contain the newsflash we want to display to the visitor. If it’s empty, or not there at all then nothing will be shown.
  2. On the “index.php” file of our theme we will be adding a few extra lines of code that will actually do just that. Check for the existence of the file and if it’s there and has things in it, then a newsflash div will be rendered before the posts do.
  3. Skin the newsflash div box through the style.css file.

The result will look something like the following.

[Image: newsflash]
