If you use WordPress to publish your knitting blog and have checked “permit guest users” under options, uncheck that option now. Why do this? Because Dr. Dave “The Unknown Genius” who wrote SpamKarma is suggesting all WordPress users do this as a precautionary measure while the real WordPress gurus patch a security bug.
How do you uncheck?
In your manager panel, near the top of the screen, find “Options”. Click that. Scroll down to “Memberships”. Uncheck “Anyone can register”. Click save. You’re done!
If that box was previously checked, I suggest you then click “Users” next to “Options” in the manager panel. Then click “authors and users”. If anyone suspicious appears in the users list, delete them.
Dr. Dave isn’t revealing the exact security issue this fixes. Not revealing details about a security issue is prudent when there is a security bug — revealing details gives spammers and hackers a tip on how to take advantage of the bug.
Take my word for it, if Dr. Dave says there is a security bug, there is one. So, make sure that option is unchecked! (Especially since few knitting blogs require people to register to leave comments. So, why let strangers make themselves “users”?)
Lucia Liljegren: Copyright 2005-2007 Rights to all site content including knitting patterns, generators and haikus reserved.

[...] Thanks to some drastic and controversial actions taken by SpamKarma creator Dr. Dave, a large percentage of the blogging populace has been alerted to a security hole in WordPress. He even went to the effort of activating a warning message that was sent out to everyone who uses his SK2 plugin. … [...]
Pingback by The Code Cave — 7/27/2006 @ 10:36 pm
Checking things after codecave’s blog entry:
Bugtrack seems to be here: http://seclists.org/lists/bugtraq/2006/May/
The upgrade from 2.0.2 to 2.0.3 seems to fix this bug:
http://seclists.org/lists/bugtraq/2006/May/0537.html
Unchecking register users seems to fix this.
I could be incorrect about this, but it appears that there is a security flaw in 2.0.2 that makes it dangerous to permit users to self register. 2.0.3 attempted to fix it. However, Dr. Dave warned us some security flaw associated with leaving self register unchecked remains in 2.0.3.
Evidently, now that the flaw has been brought to the WP team’s attention, they concur a security flaw remains.
I think it’s wise to not let new users self register– particularly since nearly zero% of knitting blogs need this feature. If you co-blog, you’re both already registered, right?
Comment by lucia — 7/28/2006 @ 6:04 am