This release addresses some issues large or busy sites had with deleting expired cache files. Some sites generated so many cache files that there were two [sic] many files generated, even when those files were cleared out every hour. To fix that I limited the recursive function that deletes the files to 100 deletions at a time. That function is called until all the cache files are deleted (or strictly speaking, no files are deleted. That’s how the expired file cleanup works).
It’s also possible to set the garbage collection interval to 10 minutes now which will also help.

This is one of those plugins I continually tell people with WordPress blogs that are interesting, (because they get a lot more visitors than I do) to get. If you use WordPress you should use this plugin.

Subscribe to Comments puts a checkbox in your comments form that, if checked when leaving a comment, will e-mail that commenter all followup comments on that post.

This is great news for those using WordPress.com. It should help increase the number of comments, and increase discussion because of comments. Great Work!

A new paper out this week details the exploit of MD5 and Certificate Athorities (CA). What makes this such a scary and threatening attack is the use of MD5 to secure a website identity. Using the HTTPS protocol, web surfers verify the identity of secure sites by checking for the lock icon and the use of HTTPS in the web address.

Using this exploit, an attacker can fake the authenticity of a website by giving the user a genuine certificate.

What can you do to protect the identity of your site, and sites you visit?

The first thing is to make sure the CA is using SHA-2 instead of MD5. Next is to make sure the CA of the sites you visit do the same. Sure, this isn’t the best advise, and not everyone will take it, but at the moment, it is the only way to be sure you are safe.

Please read through the paper here. It is quite detailed, and will let you know exactly how the exploit was achieved.

WordCamp Whistler

WordCamp Whistler is coming January  24th, 2009 in Whistler BC, Canada. It will be held at the Fairmont Chateau Whistler.

Speakers for this event include:

• Lorelle VanFossen
• Andy Peatling
• And More…

Subscribe to their RSS feed here

Follow @WCWhistler on Twitter for updates

WordCamp Indonesia

Following the success story of WordCamp Philippines 2008 at last September 6, 2008 as the first WordCamp in SouthEast Asia,

and now

It’s time for Indonesia’s first WordCamp.

will be held on January 17th-18th, 2009
at Sahid Jaya Hotel, Jakarta

WordCamp is a 2-day conference for WordPress users and developers. Its a wonderful ways of getting to know fellow WordPress fans and bloggers.

IDR 400,000 (Limited Seats) Register Now!

WordCamp Indonesia 2009 organized by Valent Mustamin.
Feel free to contact me, to share and discuss about this upcoming event.

WordCamp: Las Vegas

WordCamp Las Vegas is coming this month in just a few days. If you haven’t signed up yet, please do so now. It will be held at Palace Station Hotel & Casino, January 10th and 11th.

Some of the speakers to this WordCamp include:

• Matt Mullenweg
• Joseph Scott
• Aaron Hockley
• Lorelle VanFossen
• Jim Kukral
• Geoff Kleinman
• Liz Strauss
• Michael Dorausch
• Dave Taylor
• And more…

Subscribe to the RSS Feed for this event here

Follow @lvwordcamp on twitter for updates

WordPress Hacker

I have recently come across a series of posts regarding the elusive task of securing a WordPress installation. I was curious about how this works, and wondered why this would be needed since the WordPress development community does a fantastic job of release security updates to prevent attacks on millions of blogs run by the publishing software.

In reading on this subject, I found a website called wordpresssecured.com. I thought to myself how odd it would be for millions of people to be using an unsecure code set to run their business, or personal blog.

Rest assured, if you have the latest version of WordPress and keep it updated when security patches are released, you are as secure as you can be. The folks over at wordpresssecured.com are preying on the fears of many by using attacks as a means to make money.

They claim WordPress “as-is” is insecure and that hackers can gain access to your blog within minutes with any WordPress installation. Sure, if you have an out-of-date version of WordPress, it is true there are documented security risks and exploits to attack. However, if you are running the latest version you are safe. Here is what they are claiming they can do…

Close and block all exploits that hackers know about
Block unwanted BadBots from your site
Stop any and all SQL injection attacks
Block all folders that are open to a hacker’s attack
Stop Kiddie Hackers dead in their tracks
Protect your sales. Google ads and reputation

They claim to have hundreds of satisfied customers and have some recommendations, but no specifics are ever given. I decided to dig a little deeper. Who is behind this site and what claims can they justify, also, what claims are they just making up?

Who is making these claims?

The person behind the site is James Stein. His biggest attribute to his success is simply that he has been online for more than 20 years and has been doing web development for 15.

How does his secured installation work?

Mr. Stein alleges that hackers know all of the code for wordpress and that any version of wordpress, be it an old version, or the version that came out yesterday are all completely vulnerable, simply because people know all of the code associated with it.

Fact is updating means nothing, the code is not encrypted and hackers have access to the code just like you do..

If you change how wordpress functions then it is very obvious that hackers can not hack it as they will have no idea what changes you made.

His installation technique is to change how WordPress functions. This is ludicrous! By changing how WordPress functions, he removes what makes WordPress powerful… an entire community of developers and users working together to make everything work together seamlessly.

Separating Truth from Marketing Hype

The truth behind having a secure WordPress installation is not using some customized WordPress bundle, it is simply updating it as updates become available.

He claims one of the biggest reasons for insecurity with WordPress is because the code is not encrypted, therefore anyone can see it. I must admit, to the untrained eye, this seems to be a valid argument, until one considers that WordPress is open source.

If this was the truth for all open source projects then it would assert that Linux is much less secure than Windows. Rather, the complete opposite is true! Because it is open source, more developers are available to see and edit the code than commercial programmers. This alone would make Mr. Stein’s version of WordPress much less secure than the freely available package.

What People really have to say…

AskApache posted a reply on agentgenius.com about Mr. Stein:

Clearly [Mr. Stein] lacks any knowledge/experience of auditing code to find a vulnerability, then creating a custom exploit for that vulnerability, creating an agent to carry the exploit payload across Internet Protocols recognized by the target (blog on HTTP), and finally delivering and executing the payload.

I urge all of you to not fall into the marketing hype surrounding this product. I assure you, it is less secure, much more prone to attack, and will almost certaintly make you wish you didn’t spend a dime on this product. Don’t spend a dime and stick with what is free and more secure…

The latest version of WordPress!

John Coltrane

Just one day after 2.7 RC 2 was released, the real deal, WordPress 2.7 “Coltrane” has hit the servers and is a major change in not only the admin panel, but a lot of core changes as well.

There have been plenty of updates concerning what updates have happened, and many times that number on the admin area changes. With all of these major changes, it is a wonder this isn’t considered version 3.0!

Just to detail how major this update really is, take a look at the name, Coltrane. John Coltrane is one of the most famous jazz musicians of the 50s and 60s. The last “major” jazz musician WordPress used was Miles Davis for version 1.0.1!

WordCamp.org has it listed as being March 18 – 19.

Hacked Notification for WordCamp NOLA

Unfortunately, I went to the site and was greeted by an old-school “This page was hacked by…” type thing. I really hope they get this fixed soon, and plug whatever holes they had in security. I am thinking of attending this WordCamp because it is close by  and it has been a few years since I have been to New Orleans.

I will post more information on this as it becomes available. Hope to see a list of attendees and speakers soon.

Update: 12/6/2008 @ 9:33 PM CST

The site is back up, and the guys from WordCamp New Orleans have acknowledged the incident. Im not really sure what happended here, and I will try to get some more information, but in the mean time their site is up and it can be found here.

http://wordcampnola.com/

They posted an update via twitter:

Twitter Update from WordCamp NOLA

Thankfully, their site is back up and hopefully soon we will have some more information about the WordCamp and possible speakers to this event. Hope to see you all there.