4/4/2008 ↓

  • Ultimate Guide to the WordPress Loop

    The Ultimate Guide to the WordPress Loop: Ah, the famed WordPress loop that runs it all. Ronald has done a very nice job of identifying global variables in the WordPress loop in the past. Much like that post, this guide is for themers and plugin developers who want the inside scoop with some technical details on how things progress and what each of the pieces of code mean and how they do their job. The release of the fantastic 2.5 Brecker, all of this useful documentation being put together by the community and the tremendous theme designs being released, makes me want to add some fuel to the fire and build up the fever pitch. Stay tuned to this channel for some exciting news. (4)

4/3/2008 ↓

  • Organizing A WordCamp Part 1

    WordCamps are awesome events that take up an extraordinary amount of time and effort to put together. I was lucky enough to be able to attend the recent WordCamp Dallas and I must admit, Charles Stricklin along with John Pozadzides did one heck of a job putting on a great conference. I thought it went over rather well and I have yet to hear anyone complain about any aspect of the event. As promised, Charles has published the first in a series of articles which will cover in detail what it took in order to turn WordCamp Dallas from an idea, into a reality. The first article contains information related to the very beginnings of a WordCamp event. This is the brainstorming session. The first three steps you should consider before going any further include:
    • Gauge interest.
    • Determine the overall structure of your WordCamp.
    • Pick a weekend, and maybe even a few alternate weekends
    Charles plans on tackling the subjects of venue selection, pricing and sponsors so be sure to keep an eye on his blog for those posts. (6)

3/29/2008 ↓

3/27/2008 ↓

20 Themes To Choose From 5 comments


For most of you, WeblogToolsCollection.com has become your number one source for new WordPress theme releases. Since Keith introduced the small thumbnail previews and demo links, theme posts seem to be better liked by our audience. I appreciate Keith’s attention to detail and look forward to his regular theme and plugin posts.

Smashing Magazine has published an article which highlights at least 20 free WordPress themes to choose from. Some of these themes look as if they could almost be considered premium but they are still free. My personal favorite is 5ThirtyOne while Probama comes in second. Although I’m a little bummed that the article didn’t feature Justin Tadlock’s Options theme. I feel that it would have been a nice addition to the post.

At any rate, make sure you read each theme’s license agreement as they can vary from theme to theme. This is especially true when it comes to using the theme in a commercial environment.

3/23/2008 ↓

2.3 to 2.5 Database Changes 49 comments

Author: Jeff Chandler Category: WordPress

I’ve seen a number of people tell others that WordPress 2.5 will have little to no database schema changes. It looks like that is no longer the case as MichaelH has pointed out.

Changes to database schema from Version 2.3 to 2.5.

*Table: comments

  • Changed ‘comment_approved’ to varchar(20) NOT NULL default ‘1’
  • Added KEY ‘comment_approved_date_gmt’ (comment_approved, comment_date_gmt)
  • Added KEY ‘comment_date_gmt’ (comment_date_gmt)

*Table: links

  • Changed ‘link_visible’ to varchar(20) NOT NULL default ‘Y’

*Table: options

  • Changed ‘autoload’ to varchar(20) NOT NULL default ‘yes’

*Table: posts

  • Changed ‘post_status’ to varchar(20) NOT NULL default ‘publish’
  • Changed ‘comment_status’ to varchar(20) NOT NULL default ‘open’
  • Changed ‘ping_status’ to varchar(20) NOT NULL default ‘open’

*Table: term_relationships

  • Added ‘term_order’ int(11) NOT NULL default 0

Thanks to MichaelH for putting these changes together. This information is especially useful to plugin and theme authors as it lets them know if their particular project will break.

3/22/2008 ↓

  • After WordPress Is Installed

    Jason Blanton of BloggingTips has put together a nice little article which covers five things you should do after you install your self hosted WordPress blog. These five things include:
    1. Changing the permalink structure
    2. Change the default theme
    3. Update your ping services
    4. Activate the akismet plugin
    5. Burn your feed with FeedBurner
    One item that I would add to this list is to figure out which stats program or service to use. You can use WordPress.com Stats which is a detailed stats plugin or you can use something like Google Analytics or MINT. One thing that I wish I could do if I could start over would be to integrate one of these nice statistical packages as they really come in handy down the road. Jason mentions that this is only the first in a series of articles which will cover various things that you might want to tweak as you go along with using WordPress. Although this short and quick guide is great for newcomers to WordPress, what about those who have established blogs? If you could go back in time and change the way or ways in which you began to use WordPress, what would those changes be? (27)

3/21/2008 ↓

  • Battle of the comment add-ons

    Battle of the comment add-ons: Webware performs a comparison of six comment add-ons for WordPress and MT and puts together a list of the various features that each of them have to offer. Disqus comes out on top in their opinion. (4)

3/18/2008 ↓

WordPress 2.5 RC1 Released 34 comments

Author: Mark Ghosh Category: Blogging News, WordPress

WordPress Development Blog: 2.5 Sneak Peek  I love the staccato description Matt uses to start the post: A customizable dashboard, multi-file upload, built-in galleries, one-click plugin upgrades, tag management, built-in Gravatars, full text feeds, and faster load times sound interesting? The first Release Candidate for WordPress 2.5 is out for those that have been waiting patiently to try out the new features. Matt details out the updates and the new features of 2.5 on the development blog and the good news is spreading in the WordPress circles.

In addition to many underlying changes and updates to the code, the administration back end of WordPress gets a major rework in this version. The release candidate is not for everyone and can be downloaded for testing and bug searching.

If you make frequent backups and you’re interested in helping us out with development by testing the new code, download and install Release Candidate 1 of WordPress 2.5, and join our testers mailing list to report any bugs you find in the code.

We’re also interested in feedback on the new interface and would love to hear your opinions, thoughts, rants, raves, and anything in between. We created a special email address just for the occasion: 2.5-feedback@wordpress.org.

3/16/2008 ↓

3/13/2008 ↓

  • Top 10 WordPress CMS Plugins

    Top 10 WordPress CMS Plugins: I am a sucker for top 10 lists about WordPress, especially if they contain useful information. This list of top ten plugins put together from the experiences of a professional design firm, will help you create a full CMS out of a WordPress blog. I have used a few of these myself on various projects and their flexibility and speciality together with WordPress’ versatility and extensibility make a phenomenal combination. From the post: For moderately sized sites (including simple e-Commerce sites), WordPress does a pretty good job as a CMS, making it easy to maintain your site, and update your content. Of course, it does this best with the help of a good theme, and some great plugins. The strength of WordPress is the community of developers who have already done almost anything you can think of with it. Here are the best plugins we’ve run across, the ones we install for nearly all of our client’s sites. Thanks Adam, via WordPress News (17)

3/9/2008 ↓

WordPress Theme Release For 3/10 9 comments

Two Column Themes

In The Blue


In the blue is a simplistic theme with a real life photograph in the header. The theme is simple and in the blue.

Demo | Release Page | Download

YG Mag


A two column theme with an eye-catching header and a suitable sidebar with tabbed content. Content area is good enough to post wide width images.

Demo | Release Page | Download

Three Column Themes

Magadine


This theme comes with a four column home page with its inner pages consisting of three columns. The theme home page is based on magazine style.

Demo | Release Page | Download

Hot Pink


Ever wondered how pink could be hot, well this theme uses variants of pink that makes it look hot pink.

Demo | Download

3/2/2008 ↓

  • Two side-by-side columns in WordPress

    How to organize posts into two side-by-side columns in WordPress: A quick tutorial on setting up the front page of a WordPress blog to display two side by side columns with posts alternating between the two columns. The tutorial does require some simple PHP code that is not included (but should be, pseudo code is provided) but the concept is interesting, especially for theme developers looking for the next new thing. In my experience, side by side posts are more applicable for blogs that are heavy in embedded media and light on text. (10)
  • Gravatars Without a Plugin

    Connor Wilson has published a tutorial on how to set up Gravatars on your WordPress blog without the use of a plugin. If you are comfortable editing theme files and don’t want the overhead of a plugin, then this technique should work for you. I’ve added in my input in the comments section on how to use his technique in the sidebar of a post as well, which should be useful for blogs with multiple authors. (17)

2/12/2008 ↓

ModSecurity, WordPress Admin and “Method Not Implemented” 6 comments

I battled this one for a little bit and I hope the information here helps someone.

First and foremost, there are various versions of this problem and they might have different causes stemming from the same source. I list them here in no particular order. I found all the topics starting with a search for the dreaded “Method Not Implemented” 501 error code from the admin panel of WordPress.

POST to /test/wp-admin/index-extra.php not supported: This error is also noticed on post.php and theme-editor.php. Now there are various WordPress Forum posts providing somewhat workable solutions to the problem. I tried some of the solutions but either they did not work for me (I had not looked that closely at the error before trying them) or they were too broad and I did not care for the results. There is some finger pointing in both the forums and the various other pages I found but I believe that the answer lies somewhere in the middle.

In my case, posting caused a “PHP Injection Attack. Matched signature” error that I found in my Apache error logs and the error generated on the browser said “Method Not Implemented 501 error code” with the name of the offending file. This error was caused by ModSecurity which is an Apache module that helps secure web applications on the fly. Now the errant bit of text was in ARGS:content that was being posted to the server and it matched the regex in one of the ModSecurity rules. It could have been generated by WordPress itself or it could have come from one of the various plugins I have on my blog. I am not sure and I have not taken the time to investigate it further. (Please provide more information if you have any.) This was a false positive from my perspective and I needed to find an elegant and safe solution that would work.

On reading further about false positives, here is the solution that worked the best. Since I wanted to disable the rule that was catching the post, and not disable the whole mod security for either a file inside the admin folder or the whole admin folder, I found a way to do just that through the Apache configuration files for the virtual host. I found the rule number that was being triggered in the Apache error logs and though I will not disclose the rule number here for security reasons, it was relatively easy to spot. Then I added the following code to my httpd.include (or httpd-vhosts.conf depending on your hosts’ version of software) at the end of the file.

<LocationMatch "/wp-admin/post.php">
SecRuleRemoveById XXXXXX
</LocationMatch>

where XXXXXX was the rule number. Now an even better solution would be to re-add a new rule with the offending regex trimmed out or a !ARGS:content to the SecRule section to only apply to post.php inside the admin folder.

Some caveats: This case ONLY applies to a blog I was working on and the content that was being posted. Your case might be different. If you want to use this method to fix the problem and have no access to your server, just direct your administrator to this post. The secret is to find the offending rule in your error logs and use the rule number to isolate it from the file that it breaks by using LocationMatch and SecRuleRemoveById in your Apache vhosts config file.

Any insights or suggestions will be highly appreciated by me and I am sure by other readers.
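An added example, not code from the original post: a short script that automates the procedure above by pulling the triggered rule id and request path out of the Apache error log and emitting a scoped exclusion for each affected admin file. The log lines, rule ids 999001/999002 and host name are constructed placeholders, and the function names are hypothetical; the `per_target` variant uses `SecRuleUpdateTargetById`, which needs ModSecurity 2.6 or later.

```python
import re
from collections import defaultdict

# Constructed error-log lines in ModSecurity 2.x style. Rule ids 999001/999002,
# the host name and the client addresses are placeholders, not real values.
SAMPLE_LOG = """\
[Tue Feb 12 10:01:22 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). Pattern match "sample" at ARGS:content. [id "999001"] [msg "PHP Injection Attack. Matched signature"] [hostname "blog.example"] [uri "/wp-admin/post.php"]
[Tue Feb 12 10:03:40 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). Pattern match "sample" at ARGS:newcontent. [id "999002"] [msg "PHP Injection Attack. Matched signature"] [hostname "blog.example"] [uri "/wp-admin/theme-editor.php"]
[Tue Feb 12 10:05:02 2008] [error] [client 198.51.100.7] ModSecurity: Access denied with code 501 (phase 2). Pattern match "sample" at ARGS:s. [id "999001"] [msg "PHP Injection Attack. Matched signature"] [hostname "blog.example"] [uri "/index.php"]
[Tue Feb 12 10:06:11 2008] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
"""

DENIED = re.compile(
    r'ModSecurity: Access denied.*? at (?P<target>[A-Z_]+(?::[\w-]+)?)\.'
    r'.*?\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]+)"\]'
)

def admin_false_positives(log_text, prefix="/wp-admin/"):
    """Return {uri: {rule_id: {targets}}} for denied requests under the admin path."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = DENIED.search(line)
        # Blocks outside the admin area are left alone: they may be real attacks.
        if m and m["uri"].startswith(prefix):
            hits[m["uri"]][m["id"]].add(m["target"])
    return hits

def render_exclusions(hits, per_target=False):
    """Render one anchored <LocationMatch> block per affected admin file.

    per_target=False removes the rule for that file (the approach in the post).
    per_target=True keeps the rule and only exempts the matched argument, using
    SecRuleUpdateTargetById (needs ModSecurity 2.6 or later).
    """
    out = []
    for uri in sorted(hits):
        # Anchor and escape the path so only this exact file is exempted.
        out.append('<LocationMatch "^%s$">' % uri.replace(".", r"\."))
        for rule_id in sorted(hits[uri]):
            if per_target:
                for target in sorted(hits[uri][rule_id]):
                    out.append('    SecRuleUpdateTargetById %s "!%s"' % (rule_id, target))
            else:
                out.append("    SecRuleRemoveById %s" % rule_id)
        out.append("</LocationMatch>")
    return "\n".join(out)

if __name__ == "__main__":
    found = admin_false_positives(SAMPLE_LOG)
    print(render_exclusions(found))
    print(render_exclusions(found, per_target=True))
```

The same rule id firing on `/index.php` is deliberately not exempted, so the rule keeps protecting the public side of the blog.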

2/2/2008 ↓

Trackbacks: Still Useful? 53 comments

Author: Ronald Huereca Category: Blogging

Six Apart created the Trackback specification as a way to enable bloggers to communicate between each other via a link or acknowledgement.

My question to the reader: in what ways do you use Trackbacks?

Do you still find Trackbacks useful? With the growing Trackback spam, how do you keep up with legitimate bloggers?

2/1/2008 ↓

  • Instapaper: Easy, Personal Bookmarking

    Instapaper: I came across this service via Techeme and was impressed with the ease of use. Although I barely ever have to “read something later”, one could use Instapaper to quickly and easily bookmark sites, blogs or news items for later reading which could then be cleaned up. Signup is incredibly easy and they provide you with a bookmarklet to use. Would you use something like Instapaper? I wonder how they would monetize it? (13)

1/31/2008 ↓

2in1 Security Bulletin 11 comments

Author: Jeff Chandler Category: WordPress Security

Today, we have a moderately critical SQL Injection Vulnerability that was discovered by HouSSaMix in the “WP-Cal” plugin version 0.x for WordPress. According to the Secunia Advisory:

Input passed to the “id” parameter in functions/editevent.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Users with a malicious intent can conduct SQL injection attacks which may result in the retrieval of usernames, password hashes, and email addresses for users and administrators. However, the malicious user must have knowledge of the database table prefix.

So far, version 0.3 has been confirmed as having this vulnerability with other versions possibly being affected. Secunia states that the solution involves editing the source code to ensure that input is properly sanitised.

Click here to read the original advisory which provides an example of the exploit as well as the vulnerable code.

It is strongly advised that if you are using this plugin, you disable its functionality until a patch is published.

The other security bulletin deals with the AdServe Plugin.

A person who goes by the handle “enter_the_dragon” has discovered a vulnerability within the Adserve Plugin version 0.2 for WordPress. The vulnerability can allow malicious users to conduct SQL injection attacks that can result in the retrieval of usernames, password hashes, and the like. Just like the other SQL injection vulnerabilities, knowledge of the table prefix is required to perform these attacks. According to the security bulletin:

Input passed to the “id” parameter in adclick.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

You can check out the original bulletin containing a detailed description of the problem as well as an example of the exploit by clicking here. As with any plugin that experiences a security bulletin, it is strongly encouraged that you disable the plugin in question until a patch is released.

1/29/2008 ↓

  • List of WordPress Tutorials

    List of WordPress tutorials: A bunch of WordPress tutorials on various topics in the form of screencasts. Topics include various tasks such as installation on a variety of platforms and tasks inside the WordPress admin. (3)

1/26/2008 ↓

  • WPTeX: WordPress to pdf ebook with LaTeX

    WPTEX: Turn your WordPress blog into a pdf ebook using LaTeX. Now I wrote my Masters Thesis in Microsoft Word and I would rather pull my hair out one at a time than do that again. However, I bring that up because I jealously watched as the other cohorts of my MS class put together their thesis with LaTeX with relative ease and perfect formatting. WPTeX will let you publish your blog as a PDF eBook using LaTeX and includes a lot of very cool features such as auto indexing and TOC generation. It is released under the GPL. I will have to show this to my blogging dad who will love to have an eBook made out of his blog on research of health and wellness! (11)

1/22/2008 ↓

  • Matt Cutts On Securing WP

    Matt Cutts has published an article which highlights three different ways to secure your WordPress installation. The first tip involves locking down your Admin directory. Matt configures his .htaccess file so that only his IP address is allowed to access the WP-Admin directory. For the second tip, you should create a blank index.html file to place into your wp-content/plugins directory. Not doing so allows your plugin folder to be wide open, giving nosy people an idea as to what plugins you have installed. Matt’s third and final tip involves subscribing to the official WordPress development blog - http://wordpress.org/development/feed/ As we should all know by now, this is the best way to stay up to date. Matt also offers a bonus tip where he suggests removing the line of code within your header.php file that publishes your WordPress version. All of these are excellent tips. But what do you do to secure your WordPress installation? (19)
