From the folks at WordPress:
An important security issue has been brought to the attention of the WordPress team and we have worked diligently to bring you a new stable release that addresses it. Our latest version 2.0.2 contains several bugfixes and security fixes.
I highly recommend that you download the newest release and upgrade your WordPress installation(s) ASAP (and backup your database before upgrading!).
For those of us with many blogs, this is one of those pains in the neck that makes you wish you had a hosted solution that did the upgrading for you. But all in all, the pros of getting all the features and customizability of the full version of WordPress make it worth the hassle for those who are technically inclined enough to handle WordPress.
(The rest of you should check out WordPress.com — they’ve had a lot of upgrades lately, including new themes, WordPress Widgets, and more, which I’ll write about in a later post, but suffice it to say good things are happening over there.)
BTW - It has not been clarified whether this security vulnerability which was found (and fixed) was in any way related to the supposed hacking of the WP 2.0 Theme Competition that was being hosted by kycap.com, but based on the dialogue in the WordPress support forums it does appear that the KYCAP theme competition was a hoax, which, if true, is just evil. Fortunately, a new WordPress 2.0 Theme Competition has sprung out of this mess and is being run and judged by some of the more well known and respected (i.e., trustworthy) members of the WP community.
I’ve previously reported that wordpress.com did not give bloggers the ability to incorporate AdSense ads into their blogs. I just came across a post in the wordpress.com FAQ that explains that the reasoning was to avoid the attack of the spam blogs that free sites like Blogger.com got slammed by. However, they also hinted that we could expect functionality for including ads on wordpress.com in the future:
We currently don’t allow Adsense or other JS ad code on the site, though we probably will in the future. However right now it is keeping sploggers (spam bloggers) from exploiting WP.com and only a few legit users have asked for it.
We’ll announce when you’ll be able to add Adsense or Yahoo or Chitika to your templates.
I look forward to the time when they do allow wordpress.com bloggers to earn a little money for their hard-spent hours blogging through AdSense, YPN, Chitika, and what-have-you. I think that would be a great move for wordpress.com, as right now that’s the number one reason I’m not recommending it to bloggers looking for a hosted solution (in which case I’d currently say go with TypePad). There are plenty of legitimate bloggers who would like to be compensated somewhat for their writing.
That doesn’t mean that I don’t think that wordpress.com should continue to take a hard stance against sploggers (spam bloggers) - by all means, nuke their butts! They could make it easier to identify splogs by adding a little ‘flag as spam’ button to the dashboard for wordpress.com users who are logged in and surfing other wordpress.com blogs. Right now they’re asking users to use the Feedback button to send them a note when someone comes across a splog - but by installing a button on the dashboard that automatically sends that feedback they could make the process of reporting splogs that much easier… (my 2 cents)
Update: It now appears that the kcyap theme competition was a complete hoax and the site owner made off with 188 WordPress 2.0 specific themes! The site itself has disappeared, the owner doesn’t respond to any questions nor does he make any attempt to restore the posts, etc. You can read up on some of the discussion in the WordPress Support Forums. I have removed the links to the hoax site so as to not generate any additional traffic or inbound links for the jerk.
There is a new WP 2.0 theme competition that is taking its place and being run by respected members of the WP community over at WordPress Arena.
I ask that all theme designers who applied to the scam competition now enter the new, legit one — and also would be extremely grateful if you would submit your themes to me, as well. While I’ve nothing to offer in the way of prizes (wish I could, but hopefully some fame and the knowledge that you’re helping the community will be inspiration enough), I am extremely eager to create a Comprehensive List of WordPress 2.0 specific themes (and have plans to create a blog specifically about themes to make it much easier for folks to find the theme of their dreams). Please email all theme info to howtoblog @ gmail.com with a subject of WP 2.0 theme — thanks!
On March 5th, the WordPress 2.0 Theme Design Competition that was being hosted by kcyap.com claimed that it got hacked (and that his entire database was erased):
“I very much regret to announce that this competition blog website has been hacked. I have no backup of all this data and am not sure if the server admin has a backup of it or not. I am very sorry for this incident.
The prizes will still be the same and I will upload once again all the submitted themes one by one from now. This may take quite some time, please be patient.
The result for this competition will still be announced on the 10th March 2006.”
This should be a reminder to everyone to BACKUP YOUR DATABASE ON A REGULAR BASIS (I’ll write a how-to post on this shortly).
And as many commenters pointed out, it was unacceptable for a site hosting a theme competition of this level to not have backups. Other commenters suggested the site owner use the Google cache to try to retrieve the old posts.
However, the big question that’s on my mind - and which was brought up by CountZero is how did this happen??
“But the really more important task than assigning any guilt to anyone on this case, I suppose, is to find out how the hacker could compromise the machine. Did he use some undiscovered WordPress vulnerability, did he make use of those being published just about a week ago, or did he make use of other security issues on your server? Is it sure that these loophole(s) are closed now, and can you make sure there is no backdoor/rootkit left on the machine now?”
I hope the WordPress team is taking a good look at this to ensure that it wasn’t the result of some previously unknown security vulnerability in WordPress. Was the kycap Theme Competition Blog running on WP 2.0 or WP 2.0.1? And if he was running the latest version (WP 2.0.1), did the hackers get in through a WordPress security flaw, or through some other method related to his specific hosting situation? Or perhaps he had spyware on his PC and they had a keylogger which gave them access to his password so they could just easily log into his account. (Which reminds me that everyone should have Microsoft’s free Anti-Spyware software installed on their Windows PCs.)
Additionally, there has also been speculation that the whole Theme Competition was a hoax (to gain Google PageRank?). Many commenters have found it rather suspicious that even if the database was wiped, there still wouldn’t be backups of all of the themes that designers had submitted - after all, they sent them in through email. And what of all the ‘unnamed judges’ (which I always thought was a little shady..) - shouldn’t they have copies of the themes and their descriptions, as well?
IMHO, the Theme Competition site owner (Justin) owes it to the WP community to work with both his webhost and the WordPress team to discover just how that site got hacked, and then reveal that information to everyone - both to restore his credibility and so that we can all know whether we need to be worried about the same thing happening to us - and learn from his situation about how to protect ourselves. Specifically, we need to know whether the hack stemmed from a problem with WordPress security. I’ll rest easier once this information is known, especially since I’m still entrenched in hordes of hours in porting How to Blog over to WP from TypePad (it was easy to import the posts, but there’s all this minutiae that’s taking hordes of hours to deal with as part of the transition).
Well, it’s official! I’ve finally gone ahead and done what I’ve been wanting to do for ages now — I ported “How to Blog” from TypePad to WordPress and it now resides happily at http://www.emilyrobbins.com/how-to-blog/
Please update all of your bookmarks and feed subscriptions to reflect the new location!
I’m very excited to have the site powered by WordPress for a number of reasons:
- I can reopen trackbacks on all my old posts (which I’m still in the process of doing) and allow pings on all new posts, because WordPress’s anti-spam plugins will delete all the crap (meaning I’m not stuck wading through hundreds of spam pings a day trying to find legitimate trackback pings), and you will soon be able to trackback to any and all of my posts, restoring full blogging functionality to How to Blog (since you all know I think trackbacks are essential to the blogging experience!). It may be a day or two before all of the posts have been updated to allow pings. In the port from TypePad, WP used TypePad’s settings and had pings turned off for all posts, and unfortunately I haven’t been able to find a plugin that will allow a mass change to all posts to allow pings (developers, there’s an idea for ya!), so I’m sitting here manually going through each post and checking the ‘allow pings’ box, so bear with me.
- I can have subcategories!!!!!!!!!!!!!!!!!
- I can finally have pagination controls (previous page, next page), making navigating the blog much easier (and something that TypePad was sorely missing).
- I can have an Archives page which displays Archives by month, by category, as well as an entire archive of every posting on How to Blog, essentially creating a sitemap so that you can more easily find what you’re looking for
- Speaking of sitemaps, I can use the Google Sitemap plugin to automatically generate a Google Sitemaps-compliant sitemap of How to Blog and automatically ping Google every time I create or update a post
- I can save time by using plugins like Jerome’s Keywords to automatically create my technorati tags for me based on the keywords I’ve entered
- I can save time by using the autolink plugin to automatically setup the hyperlinks for me on phrases that I often use, like WordPress
- I can allow people to subscribe to my blog by email using the Subscribe2 plugin, where you can choose how often you want to be notified by email when I create new posts, and you can even specify which categories of posts you want to be notified about
- I can get MUCH better stats, since I’m running wordpress on my dedicated server on my webhost (Prohosters.com) and I get really detailed stats through the use of Sawmill
- I have a seemingly endless number of WordPress themes to choose from (I haven’t had time to figure out what I want to go with for the long haul. I really like the look of Semiologic, but it’s very hard to customize because it requires serious PHP knowledge, and whatever theme I choose will likely be heavily customized when I’m done with it. OR, I might just take the plunge and create my OWN theme.)
- I can allow people to subscribe to comments on any particular post, and they will then receive subsequent replies to that post through email
- I’m sure there are a million other things I’m forgetting, and I’ll write about them in due time. The one thing I am gonna miss from TypePad is their excellent WYSIWYG editor — WordPress’s is rather disastrous and I recommend that all users disable it. If you still want a WYSIWYG interface for blogging, there are several excellent tools available, including the Performancing extension for Firefox, the Windows client BlogJet, etc.
For now, I’ve got to get back to the ultra-mundane task of updating all of my old TypePad posts one at a time to show the new URL of where the post can now be found and turn off commenting on those posts. Then I get to go through all of my posts in WordPress one at a time and check the box to allow pings. Then I get to email all the people who have linked to my old site and ask them to update their bookmarks. And I get to pray that I don’t lose all of my traffic and the great search engine rankings that I had on my TypePad version of the blog.
By the way, I do realize that blogging.typepad.com is certainly an easier URL to memorize than www.emilyrobbins.com/how-to-blog/ - however, I wanted to have it on my emilyrobbins.com domain - but not in the root of the domain, as How to Blog is only one part of who I am. And, when I experimented with porting the TypePad blog over to WordPress, Google immediately started indexing the URLs (something I hadn’t anticipated happening so quickly - especially since I hadn’t made a final decision as to what I wanted the URL to be - should I use a subdomain or a subdirectory, or should I give it its own domain?) and rather than having to set up 301 permanent redirects I decided that this must be what fate wanted as the new How to Blog location - so here we are, and I look forward to being able to get back to posting (and I have many posts which need some updating, including my theme list) when the drudgery involved with making the move is completed!
Filed under blogging, TypePad, Weblogs, WordPress, Reviews, plug-ins, How to Blog, wordpress features, wordpress plugins, changing URLs, site move, changing blog platforms by Emily from How to Blog.
So far I’ve only had the opportunity to test how WordPress 2.0.1 handles sending of automatic trackbacks. (In the Options|Discussion tab, we’re presented with a checkbox that says, “Attempt to notify any Weblogs linked to from the article (slows down posting.)”) What that means is that for any article linked to in a particular post, WordPress should automatically send a ping to alert that article’s author that you’ve written about them, saving you the time of having to manually paste their trackback URI into the Trackbacks section of the Write Post screen.
On what was initially my WP 2.0 Test blog (and which is now my WP 2.0.1 Test Blog), I had reported that in WordPress 2.0, the only blogs that seemed to receive these automatic trackback pings were other WordPress 2.0 blogs.
I had hoped that these problems would be resolved in WordPress 2.0.1, but instead they seem to have worsened, with even more erratic results than before:
- again, no trackback pings to WordPress 1.5.x blogs or TypePad blogs got sent
- again, the only time WP properly sent a single ping to a referenced post was when it was pinging the same version of wordpress, this time from v2.0.1 to v2.0.1
- duplicate pings were sent to WordPress 2.0 blogs that were referenced in a wordpress 2.0.1 post, AND
- duplicate pings were also sent to wordpress.com blogs that were referenced in a wordpress 2.0.1 post - making you look like a spammer
What a bummer.
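As an added illustration of what the “attempt to notify any Weblogs linked to” option is supposed to do, and of the duplicate-ping failure listed above, here is a small Python implementation of the TrackBack flow (this is example code written for this page, not WordPress’s own code). It covers the three steps the feature performs: collect the distinct links in a post, autodiscover each linked page’s trackback endpoint from the RDF block such pages embed, and POST the title/url/excerpt/blog_name fields to that endpoint. The key check is a per-post record of endpoints already notified, so re-saving the post does not ping the same blog twice. The hosts (blog-a.example, blog-b.example, me.example), the sample pages and the stand-in endpoint are all constructed here so the script runs offline; the fetch and post calls are injected so a real deployment could swap in urllib or requests.

```python
"""Added example (not WordPress code): TrackBack autodiscovery and sending, with one
ping per endpoint per post so a re-save never pings the same post twice. The sample
pages and the receiving endpoint are constructed here so the script runs offline."""
import html
import re
import urllib.parse

# The RDF autodiscovery block, <a href> links in a post, and the <response><error>N</error>
# XML that a TrackBack endpoint answers with.
RDF_DESC_RE = re.compile(r"<rdf:Description\b([^>]*?)/?>", re.I | re.S)
ATTR_RE = re.compile(r'([\w:]+)\s*=\s*"([^"]*)"')
HREF_RE = re.compile(r'<a\b[^>]*\bhref\s*=\s*"([^"]+)"', re.I)
RESP_RE = re.compile(r"<error>\s*(\d+)\s*</error>(?:.*?<message>(.*?)</message>)?", re.I | re.S)

def discover_trackback_uri(page_html, permalink):
    """trackback:ping URL the linked page advertises for `permalink`, or None."""
    for m in RDF_DESC_RE.finditer(page_html):
        attrs = {k.lower(): html.unescape(v) for k, v in ATTR_RE.findall(m.group(1))}
        ident = attrs.get("dc:identifier") or attrs.get("rdf:about")
        if ident and ident.rstrip("/") == permalink.rstrip("/") and "trackback:ping" in attrs:
            return attrs["trackback:ping"]
    return None

def extract_links(post_html):
    """Distinct http(s) URLs linked from the post, in first-seen order."""
    seen, out = set(), []
    for href in HREF_RE.findall(post_html):
        href = html.unescape(href)
        if href.startswith(("http://", "https://")) and href not in seen:
            seen.add(href)
            out.append(href)
    return out

def build_ping(title, url, excerpt, blog_name):
    """The four TrackBack fields as an application/x-www-form-urlencoded body."""
    fields = {"title": title, "url": url, "excerpt": excerpt[:255], "blog_name": blog_name}
    return urllib.parse.urlencode(fields).encode("utf-8")

def parse_response(xml_text):
    """(error_code, message) from the XML response; code 0 means the ping was accepted."""
    m = RESP_RE.search(xml_text)
    return (int(m.group(1)), (m.group(2) or "").strip()) if m else (1, "malformed response")

def send_trackbacks(post_html, post_meta, fetch, post, already_pinged):
    """Ping each distinct linked page at most once; returns {link: (endpoint, code, msg)}.
    fetch(url)->str and post(endpoint, body)->str are injected so this runs offline.
    already_pinged is the per-post set of endpoints already notified (WordPress keeps the
    equivalent in the _pinged post meta); checking it is what stops duplicates on re-save."""
    results = {}
    for link in extract_links(post_html):
        endpoint = discover_trackback_uri(fetch(link), link)
        if endpoint is None:
            results[link] = (None, None, "no trackback endpoint advertised")
        elif endpoint in already_pinged:
            results[link] = (endpoint, None, "already pinged, skipped")
        else:
            body = build_ping(*(post_meta[k] for k in ("title", "url", "excerpt", "blog_name")))
            code, msg = parse_response(post(endpoint, body))
            if code == 0:
                already_pinged.add(endpoint)
            results[link] = (endpoint, code, msg)
    return results

# --- constructed sample data: hypothetical hosts, not real blogs ---
LINKED = "http://blog-a.example/2006/03/post"
SAMPLE_PAGES = {
    LINKED: """<html><body><!--
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
<rdf:Description rdf:about="%s" dc:identifier="%s" trackback:ping="%s/trackback/" />
</rdf:RDF> --></body></html>""" % (LINKED, LINKED, LINKED),
    "http://blog-b.example/plain": "<html><body>no RDF block here</body></html>",
}
POST_HTML = ('<p>See <a href="%s">this</a> and <a href="%s">it again</a>, plus '
             '<a href="http://blog-b.example/plain">that</a>.</p>' % (LINKED, LINKED))
POST_META = {"title": "My post", "url": "http://me.example/2006/03/my-post",
             "excerpt": "See this and it again, plus that.", "blog_name": "My Blog"}

class FakeEndpoint:
    """Stands in for the remote blog's trackback handler and records every ping."""
    def __init__(self):
        self.pings = []

    def post(self, endpoint, body):
        fields = urllib.parse.parse_qs(body.decode("utf-8"))
        if not fields.get("url"):
            return "<response><error>1</error><message>url is required</message></response>"
        self.pings.append((endpoint, fields["url"][0]))
        return "<response><error>0</error></response>"

def demo():
    """Save the post twice; the second save must not send a second ping."""
    remote, pinged = FakeEndpoint(), set()
    fetch = lambda url: SAMPLE_PAGES.get(url, "")
    first = send_trackbacks(POST_HTML, POST_META, fetch, remote.post, pinged)
    second = send_trackbacks(POST_HTML, POST_META, fetch, remote.post, pinged)
    return remote.pings, first, second
```

Running `demo()` sends exactly one ping even though the post links to the same article twice and is saved twice; the second save reports the endpoint as already pinged, and the page with no RDF block is reported as having no endpoint rather than being pinged at some guessed URL. Keeping that already-pinged set per post (and persisting it) is the behaviour whose absence produces the duplicate pings described above.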