March 2

I stumbled across this problem when I recently switched hosts. At first I thought it was related to my WordPress 2.7 install but after investigation I found it was related to ModSecurity. ModSecurity provides request filtering and other security features to the Apache HTTP Server. Basically when you add a new post, or edit an existing post, the request is filtered through a list of checks to look for possible security problems like intrusion attacks.

In my case the post was triggering a SQL Injection attack warning so ModSecurity was 404 redirecting the request. ModSecurity was concerned because my post contained the word “select” followed by the word “from”. It did not seem to care that these words were 2 paragraphs apart.

How to Fix This Problem?

I am sure that there are many ways to fix this problem. ModSecurity is installed for a reason, and does offer some benefits, so anything you can do to selectively fix problems you are having with ModSecurity is better than completely deactivating it. In my case I was able to see that the filter triggering the problem had an ID of 300016. I was able to tell ModSecurity to “skip/remove” this filter by adding the following to the virtual host block in my Apache configuration file:

<Location "/wp-admin/" >
SecRuleRemoveById 300016
</Location>

Notice that I only removed this rule from requests in the /wp-admin/ directory. In theory ModSecurity should still utilize this rule to detect SQL Injection attacks in other directories. If you don’t have access to httpd.conf you can also use .htaccess directives to control ModSecurity from within .htaccess files. It’s probably best to contact your host to see if they are using ModSecurity and to see what they suggest.
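
A narrower form of the same exception, as an added example that is not part of the original post: it limits the exception for rule 300016 to the post editor script, or to the post body parameter alone, instead of everything under /wp-admin/. It assumes WordPress is installed at the site root, that the editor submits to /wp-admin/post.php with the body in a parameter named content, that local rule ID 1000 is unused, and that ModSecurity is 2.6 or later for Option B.

```apache
# Added example; not from the original post.
# Both options are shown together for comparison; keep only one.
# Assumptions: WordPress at the site root, editor endpoint
# /wp-admin/post.php, post body in the parameter "content",
# local rule ID 1000 is free, ModSecurity >= 2.6 for Option B.

<IfModule mod_security2.c>

    # Option A: the directive from the post, scoped to the editor
    # script only. Rule 300016 stays active on every other
    # /wp-admin/ URL and on the rest of the site.
    <LocationMatch "^/wp-admin/post\.php$">
        SecRuleRemoveById 300016
    </LocationMatch>

    # Option B: leave rule 300016 enabled on the editor as well, but
    # stop it from inspecting the one parameter that legitimately
    # carries free text. All other parameters of the same request are
    # still checked. The exclusion is set in phase 1, before the
    # request body is parsed and inspected in phase 2.
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
        "id:1000,phase:1,t:none,pass,nolog,ctl:ruleRemoveTargetById=300016;ARGS:content"

</IfModule>
```

After reloading Apache, save a post containing “select” and “from” to confirm the false positive is gone, then check the ModSecurity audit log to confirm rule 300016 still fires for the same text sent to a URL outside the exception.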

February 6

The first sign of trouble was the following email that suddenly appeared in my Inbox:

Subject: Password Lost/Changed
Password Lost and Changed for user: admin

I attempted to log into my blog, but was unable to. I logged into phpMyAdmin and checked the user table. Somebody had changed the admin email address and admin password. I quickly changed the email address back to my address and used the forgot password feature to reset the password.

Unfortunately that wasn’t the end of the problems. Later that day I received the Password Lost/Changed email again, and this time I was too late. My homepage looked like this:

Defaced by Hacker Attack

I am not a security expert, but this did not make sense. How had the hacker got my new password? I called my hosting provider, Bluehost, to tell them about the hack. I don’t remember the customer support person’s exact words, so I will have to paraphrase. Basically I was told that they are not responsible for security of my site, there is nothing they can do, even the Pentagon gets hacked, and I should call a security expert so they can assess my site for security problems. Awesome! Can somebody explain why WordPress recommends this company?

Anyway, I was still confused. It didn’t make sense that a hacker had grabbed my password twice, so I looked into it a little deeper. Luckily my site isn’t very busy so it was easy to find how the hacker had arrived at my blog:

Basically, somebody with a Cairo, Egypt IP address had run this search to find the keyword “WordPress” on a specific IP address. The IP address happened to correspond to the server I was hosting on at Bluehost. Why would a hacker be searching for WordPress blogs on a specific server? I have a pretty good idea, but I don’t know the answer for certain, so I’ll let others draw their own conclusions.

Looking at the search results I noticed other sites like donnapinto.com and spaceplans.org had also been hacked. A few weeks later and donnapinto.com is still defaced. Spaceplans.org is now displaying a proud Patriotic homepage. I didn’t check any more sites; it was clear the hacker had some sort of access to more than one site on the same server. A few days later I found a new home for my site. My next step is to brush up on my WordPress Security. Damn Hackers!

January 12

Since WordPress 2.3, WordPress Widgets have been fully integrated into all versions of WordPress. Using a Widget compatible WordPress Theme bloggers can customize their sidebar content without editing any HTML or PHP code.

One of the available widgets is the Tag Cloud which displays a list of popular tags. Unfortunately, adding the Tag Cloud to my sidebar resulted in the following unreadable mess:

Ugly Wordpress Tag Cloud

Obviously this needs cleaning up, but what is the best way to make this look better? A quick look at how the tag cloud widget is being created in wp-includes/widgets.php shows that the tag cloud function wp_tag_cloud() is being called without any parameters and there is no way to currently pass parameters to this. Parameters that can be passed using the wp_tag_cloud() function include specifying the font-size to use for the smallest and largest tags. The default size for the largest tag is 22pt which is clearly too large for some Themes.

To find a possible solution I searched the WordPress Plugin page for tag cloud plugins. The most popular tag cloud plugin is Simple Tags. It doesn’t mention anything about styling the Tag Cloud Widget so I decided to download the Configurable Tag Cloud (CTC) plugin instead. The configurable tag cloud plugin adds a new widget to your list of available widgets. It’s similar to the tag cloud widget provided in the WordPress install, except it allows you to customize all the function parameters as you can see in the following screenshot:

Configurable Tag Cloud Plugin

By setting the smallest font size to 10 and the largest font size to 16 my tag cloud was already looking better:

Wordpress Tag Cloud Widget After

WordPress Tag Cloud Widget Using Configurable Tag Cloud Plugin

If you are looking for an alternative to the Tag Cloud Widget that comes with a standard WordPress installation I can highly recommend the Configurable Tag Cloud Plugin.

October 13

We are happy to provide this theme free of use. If you want a copy contact us and we’ll email it to you. Please indicate where you plan to use the theme. You can make any changes you like. All we ask is that you provide some sort of attribution by linking back to this site.

Free Iced Coffee Wordpress Theme

Iced Coffee Demo

May 30

My WordPress upgrades have always gone smoothly. Maybe it’s because I rarely download and use plugins. Maybe it’s because I almost know what I am doing. Maybe it’s because WordPress rocks. Who knows? Anyway, the fact that everything has always gone so smoothly has led to me slowly developing bad habits like (stupid, I know) not backing up anything before I upgrade. Anyway, upgrading to WordPress 2.5 did not go smoothly and I will never upgrade without backing everything up again!!

Everything looked great at first but then I went to upload an image and everything went kaput. No image, nothing, nada, zilch. The fancy new flash based media uploader wasn’t going to let me upload anything. Now, maybe it’s just me, but isn’t uploading media sort of important? WordPress isn’t that complicated, and really isn’t that involved. Besides uploading media and writing posts/pages, what else is there? Why would such a major problem be overlooked? Apparently, even though I’m seeing lots of posts about people having problems, the development team at WordPress never encountered them.

Here is the sticky with some possible solutions

At first I tried option 3 (Update your Adobe Flash to the latest version) but that did not change anything. Then I tried option 1 (Make sure you uploaded all the WordPress files correctly). Usually I delete everything except the wp-content folder, wp-config and my .htaccess file. This time I went a step further. First I backed up all the files on my server, then I deleted everything, leaving me with an empty folder. Next I copied all the WordPress 2.5.1 files to the server. Then I copied my wp-config and .htaccess files from my backup. I reverted to the default theme and tested uploading an image. Bingo. It worked. *WHEW* All I had to do next was copy over content from my backed up themes, plugins and uploads folders and I was back in business.

So, before you start playing with permissions and playing with mod_security, just try a completely fresh install. Obviously make sure you have a backup. You’ll thank yourself later.

**UPDATE**

Well, even though I thought the clean install had fixed my problems, I was wrong. The problems returned a few days later. Luckily the latest version of Wordpress 2.6.2 appears to be running OK so, if you are still having problems uploading media, try 2.6.2. It works for me!