At first they were kind of cool, but then what do you do with them?

You’re not running a wiki. Right?

Here is how to get rid of them once and for all.

Edit wp-config.php, add this line in to disable the post revisions feature.

1

define('WP_POST_REVISIONS', false);

You will also need to clean the database of all the previous entries under the wp_posts and wp_postmeta tables.

1
2

USE database_name;
DELETE a,b,c FROM wp_posts a LEFT JOIN wp_term_relationships b ON (a.ID = b.object_id) LEFT JOIN wp_postmeta c ON (a.ID = c.post_id) WHERE a.post_type = 'revision';

Congratulations, you are done! Enjoy your now much smaller database.

A few weeks ago we were hit with an SMF v1.1.3 exploit just a few days after the release of v1.1.4. The intruder inserted a slew of hidden spam links into the main ‘index.php’ file.

It took me a day or two to detect the modifications. And in this short time period forums.devside.net, which has been online since 2003, with a healthy Pagerank, had all it’s pages dropped from Google [with the exception of profiles and archives].

It’s a good thing I keep the forums on their own sub-domain, which Google treats more like a separate domain than anything else. A SE problem with the sub does not affect the main domain.

As a counter-measure to these “exploit app weakness, get shell, d/l script, profit” type of attacks, I have disabled most of the shell related PHP functions on the server.

And so I thought my problems where solved…

This time it’s my fault. I was running WordPress v2.2.2, with v2.2.3 having been released about a month ago. I’ve been checking the WP dashboard, but I must have missed it, or forgotten about it.

This time the intruder exploited one of many WP weaknesses, and inserted some type of a hidden “-1″ post that was nothing more than an attachment to this particular shell-script, executed with URL ‘/blog/?poncheg’…

217.118.81.46 - - [08/Oct/2007:07:10:20 -0400] "GET /wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 404 520 "-" "-"
217.118.81.46 - - [08/Oct/2007:07:10:25 -0400] "GET / HTTP/1.0" 200 12071 "-" "-"
217.118.81.46 - - [08/Oct/2007:07:10:35 -0400] "GET /blog/wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 7665 "-" "-"
217.118.81.46 - - [08/Oct/2007:07:11:01 -0400] "POST /blog/xmlrpc.php HTTP/1.0" 200 4327 "-" "Opera"
217.118.81.46 - - [08/Oct/2007:07:11:49 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 200 1647 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
217.118.81.46 - - [08/Oct/2007:07:11:56 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
217.118.81.46 - - [08/Oct/2007:07:11:59 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 200 1554 "http://www.devside.net/
blog/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
217.118.81.46 - - [08/Oct/2007:07:12:14 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 302 509 "http://www.devside.net/b
log/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
217.118.81.46 - - [08/Oct/2007:07:12:25 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 200 1629 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
217.118.81.46 - - [08/Oct/2007:07:12:30 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
217.118.81.46 - - [08/Oct/2007:07:12:33 -0400] "GET /blog/wp-admin/upgrade.php?step=1 HTTP/1.0" 200 1446 "-" "-"
...
82.103.135.182 - - [08/Oct/2007:07:12:48 -0400] "GET /blog/?poncheg HTTP/1.0" 200 4789 "-" "Opera/9.22 (Windows NT 5.1; U; ru)"
...

whois 217.118.81.46
JSC "VimpelCom" WLAN1 Moscow
 
resolveip 82.103.135.182
Host name of 82.103.135.182 is vps206.fastvps.ru

Luckily, in addition to the disabled PHP functions, I also had all my file/dir permissions under WP locked down, so it does not look like anything was modified. I still recreated the entire WP directory, just for safety sakes, and had to manually go into the database and delete the hidden attachment/post.

It’s not a matter of if you are going to get hacked, it’s a matter of when. So keep those web apps patched!

It was a rather simple procedure — since our blog is very standard [non-modified]…

• Backup wp db, as a precaution.
• Backup wp dir, as a precaution.
• Unpack new wp version dir.
• Copy over files wp-config.php and .htaccess
• Run upgrade.php

With other setups, you would also want to copy over dir wordpress/wp-content, as it can contain themes, plugins, and images linked to from blog posts.

The major changes with our new setup are…

• The use of the default WP theme, as it’s a bit cleaner.
• The use of the Akismet spam plugin, hence allowing all visitors to post comments.
• The use of the wp-cache plugin for faster load times.
• The use of the Social Bookmarks plugin to allow interested readers to bookmark/submit an article to the various social sites.
• The use of the Category Tagging plugin. [It's the only one in its category that I could get to work]
• The use of the Add-Meta-Tags plugin to improve Blog SEO.

The installation of the wp-cache plugin required permissions and ownership change for the wordpress\wp-content dir…

• ‘chown root:apache wp-content’ to give ownership to the Web-Server
• ‘chmod 775 wp-content’ to give write permissions to the Web-Server

The Category Tagging plugin was a bit harder to setup, as it required the manual editing of a theme template and css file.

The other plugins installed automatic.

Previous posts: upgrading WordPress.

Backup current ‘wordpress’ directory and database.

1. cp -a wordpress/* /usr/local/bk/wordpress/
2. mysqldump --user=root --password=XXX wordpress > /usr/local/bk/wordpress/wordpress.sql

Download and extract latest version of WordPress.
This will unpack a directory called ‘wordpress’ so be careful where you do this and how.

1. wget http://wordpress.org/latest.tar.gz
2. tar -xzf latest.tar.gz

Copy the newer wordpress files over the current base. This will not overwrite files ‘.htaccess’ or ‘wp-config.php’, or anything else that was placed or generated after the initial install.

cp -r --reply=yes wordpress/* /path/to/current/wordpress/dir/

Run upgrade script.

http://www.example.com/wordpress/wp-admin/upgrade.php