Seven years ago today, WordPress was turned loose on the world.

The platform has come quite a way in that time, boasting an impressive 9.4 million downloads of WordPress 2.9.

With WordPress 3.0 looming which will include multi-site support, it’s clear the “blogging” platform has become much much more. Built on the back of countless hours of volunteer work, WordPress is now a full CMS solution that can power even the most complicated sites.

While I’ve been a vocal critic of Matt Mullenweg and Automattic’s leadership of the WordPress project, the fact remains that without their efforts, the platform wouldn’t be what it is today. Whatever your thoughts are on the politics surrounding WordPress, it would be foolish to deny the incredible progress that has been made under their guidance in just seven years.

And, since I’ve personally benefited tremendously from all the tireless work that has gone into the project, I’d like to mark the date by congratulating and thanking everyone that has contributed in any form to the WordPress platform.

WordPress truly has revolutionized the way content is published online and I’m excited to see what the next seven years bring.

Neither WordPress nor Automattic would be where they are today without the tireless efforts of Matt Mullenweg. I have personally benefited from his work and for that I’m truly thankful.

That said, it’s time for Matt to resign from either the WordPress Foundation or Automattic.

The reason is fairly simple, there’s a glaring conflict of interest.

Automattic

Automattic is the for profit company Matt co-founded which provides several WordPress related services such as premium WordPress hosting, Akismet and VaultPress, a security and backup service for WordPress blogs.

The company has raised over $30 million from investors and, as co-founder, Matt is ultimately responsible to make sure Automattic earns a profit for those investors.

Simply put, Automattic, like every other business, has to make money and it’s Matts job to make that happen.

WordPress Foundation

The WordPress Foundation, on the other hand, is a non-profit organization intended to “further the mission of the WordPress” and “be responsible for protecting the WordPress … related trademarks.”

As Matt has admitted on several occasions it is not intended to fix the “Matt runs everything” issue.

However, the fact that even Matt acknowledges there is such an issue should invoke memories of the “Danger, Will Robinson!” robot.

While it might seem like a minor thing, controlling the trademark of several WordPress related terms makes the foundation a very powerful entity.

Imagine if a company offering WordPress related services were prevented from using the phrase WordPress!

The Conflict

Automattic has enjoyed a long run as a monopoly in several service areas, but challengers are springing up all over as the number of WordPress users continues to grow.

Companies like Page.ly, for example, are now competing with WordPress.com in the premium WordPress hosting market.

The BackupBuddy plugin by PluginBuddy offers many of the same features Automattic’s newest service, VaultPress offers.

Matt owes it to Automattic’s investors to ensure new competitors like Page.ly don’t cut into their profit margins. On the other hand, Page.ly is perfectly GPL compliant and a valuable resource to the community the WordPress Foundation is supposed to serve.

Should Matt protect his investors and prevent Page.ly from using the WordPress trademark or should the WordPress Foundation help promote the valuable service Page.ly provides to the community?

I don’t know about you, but I certainly wouldn’t want to have to make that decision.

Jane Wells, an Automattic employee caused an uproar earlier this week by declaring all “non-GPL-compliant people” ineligible to sponsor, organize, or speak at WordCamp events.

Since WordCamp is one of the trademarks owned by the WordPress Foundation, they can pretty much set any rule they want about who can and can’t participate.

Keeping only Automattic’s goals in mind, it would be foolish to allow a competitor to gain publicity by organizing, speaking at, or sponsoring a WordCamp event.

By contrast, it would an enormous disservice to the community if Matt used the WordPress Foundation’s trademarks to prevent Automattic competitors from participating.

Unfortunately for Matt, there are countless more perfectly plausible situations where Automattic and the WordPress Foundation’s interests would conflict.

Solution: Remove the Conflict

In government there are rules and regulations to prevent conflicts of interest like this from arising. When people write the rules for the industries and companies they’re financially invested in, we tend to wind up paying $30,000 for a toilet seat.

I should note that Matt seems to have tip-toed across this ethical tight-rope successfully – so far. But, as the old saying goes, absolute power corrupts absolutely and no one is perfect.

Eventually Matt will find himself faced with a decision that will hurt either the community or his company’s bottom line. I have no idea which side he’ll come down on but I do know one thing…

He shouldn’t be put in that position in the first place.

It’s time for Matt to do the right thing and remove himself from this obvious and dangerous conflict of interest.

Update IV: If your WordPress installation has been hacked and you need help fixing it, I would highly recommend talking to  Michael VanDeMar. He’s written a great guide to cleaning up WordPress hacks and offers a cleaning service if you’d rather not do the work yourself.  Contact him here for more details.

Update III: Chris Pearson has published a guide on how to diagnose and fix this hack. If you’ve been hit by this thing, this is how to get your site back. However, the vulnerability that allowed the hackers in is still unknown. It has hit multiple sites across all sorts of web hosts and servers.

Update II: The RSS file seems to have been the culprit for several other sites as well. Christopher Penn (it seems this hacker picked the wrong Christophers to mess with) has a tip on how to fix it.

“Log into your MySQL database (most hosts have this via PHPmyAdmin) and execute this query:SELECT *FROM `wp_options` where option_name like ‘rss%’ ORDER BY `wp_options`.`option_name` ASC

What you’re looking for is an entry that starts with rss_ and then some random numbers. The text of the entry is encoded javascript, which looks like this:

FFPJ1JpnyfUnpDzz3h9tfaI92uDvyD/Of+r4XyJ2f2Uev6U539WDM39kP10QFLP53+Y5BaX3+0/a03rZ0
0nKX5Na27hXdOSw17TGuO7pDWt/+Na0+lVHHdrWrScqzVqdysqybmiWvILqqXzn5L+ehyvSzriIZHsf
oIiUKwlJvcjvH69FR7SHB4UNXyXOaZw+ivT8dhjkZ6rtGj+PPJRMlCW5ePEZVlLOj8YkgL80/26Luefq
VXgStMY/Afw/

Delete this entry.”

You’ll want to be sure to back up your site before making any changes, and after making the fix, change your passwords for your WordPress installation, the FTP password, and even the database password.

There’s still no word as of yet on HOW the hackers gain access to the sites, but this should at least remove the issue and hopefully prevent it from recurring.

Update: Chris Pearson seems to have found the offending code, at least in his case. The injection point seems to have been an RSS magpie widget, however that’s not necessarily the point of vulnerability. He recommends looking “in your wp_options table for the following option name: rss_f541b3abd05e7962fcab37737f40fad8.” Please note this is ONLY a single case and from what I understand it’s quite common for hackers to use multiple or varying file names. If you’ve been hacked, I would again urge you to contact security@wordpress.org so we can find a fix for this issue as soon as possible. Thanks!

There’s an incredibly nasty hack hitting WordPress sites right now, even sites that are running the latest most up to date version (2.9.2).

What makes this hack so mean is that it is only viewable to search engine spiders AND it apparently has a high rate of recurrence. Detecting the hack is fairly simple, just do a site:yourdomain.com search in Google for your site. If you see title tags involving all sorts of pharmaceuticals, you’ve been hit. I don’t have an answer for you on how to fix it. I wish I did, but hopefully this post will help lead to a resolution.

Several prominent sites including the WPquestions.com blog, Chis Pearson’s (creator of the Thesis theme) personal blog, and dozens if not hundreds of others have been hit. Plus, the hack was covered on ThemeLab.com, discussed in a WPtavern thread, and apparently submitted a couple of times to the WordPress support forums.

Despite the well documented security issues WordPress has had over the last year, the resounding sentiment seemed to be “It’s not my problem until you can prove it’s my problem.” In the WPtavern thread, members were quick to argue that it wasn’t necessarily a WordPress issue and basically argued that if it were a WordPress issue, more sites would have been hacked by now. In the WordPress.org forum, it appears the thread received an even cooler reception, being deleted all together.

Don’t get me wrong, I have no doubt everyone on the WordPress team wants the platform to be as secure as possible. But the reaction we’re seeing to this significant problem is baffling to me. Whether WordPress is the source of the vulnerability or not, the hack is obviously targeting WordPress sites and making life difficult for a LOT of WP users.

As WP developer, Mark Jaquith pointed out via Twitter, they receive hack reports on a daily basis and try to track down all actionable security information. While I’m sure that’s the case, this specific hack is very easy to miss if you’re not actively checking out your search engine listings. A vast majority of these site owners probably have no idea their site’s been hit, and that’s going to make it tough for them to raise the issue to the WordPress team directly.

Even though I’ve been lucky enough to not have any of my sites affected (knock on wood), I was able to find and point Mark to thousands of examples the WordPress team can take a look at to find any possible patterns.

Looking at a hacked site from the outside in, however, isn’t nearly as helpful as having access to the behind the scenes info. Providing things like:

• a list of what plugins you’re running
• what version of WP you’re running
• what theme you’re using
• who your hosting provider is
• and a list of any other applications installed on your account

would GREATLY increase the WordPress team’s ability to narrow down the list of possible culprits.

If you’re site has been hacked (again you can find out by going to Google and typing site: before your url) please send those details in an email to security@wordpress.org and feel free to post them in the comment sections below.

This issue is a particularly nasty one and the sooner we can nail down the vulnerability, the sooner it can be eliminated!

Note: If your WordPress installation has been hacked and you need help fixing it, I would highly recommend talking to  Michael VanDeMar. He’s written a great guide to cleaning up WordPress hacks and offers a cleaning service if you’d rather not do the work yourself.  Contact him here for more details.

Image source: ICanHasCheezburger.com

Any time a WordPress site is hacked, it becomes a WordPress problem.

Now don’t get me wrong, hacks happen.

Unfortunately that’s just a fact of life in our online world. When a platform becomes popular enough, the ne’er-do-wells will eventually attack it.

WordPress is no exception.

It’s been the target of countless attacks and hacks over the years; some because of vulnerabilities in its code, but most due to vulnerabilities in plugins, servers, or outdated versions.

I recently reported on a nasty attack that’s been targeting WordPress sites with Google cloaked pharmaceutical spam. Just days later, a different hack hit the WordPress installs of many Network Solutions customers.

Disclaimer: I’m the SEO Manager for Network Solutions. I had no involvement in the recent WordPress episode on a professional level. Also, this blog does not, and never has spoken for NetSol. I’m not an official rep for the company or anything like that. I’m simply a big fan of the WordPress platform.

In reading Network Solutions’ blog posts, it seems the WordPress community was very helpful in this situation. However, the sentiments expressed following these hacks, and readily apparent in Matt’s recent post, are what I’m calling into question.

There was so much press about WordPress hacks going around that Matt Mullenweg felt the need to address the issue in a blog post published yesterday. While he was talking specifically about the NetSol attack, the impression I got from that post is “if the vulnerability isn’t in the core code of WordPress, it’s not our problem.”

Not My Problem

When reporting the “pharma hack” in the WordPress support forum as well as the WPtavern forum there were several replies that seemed to be reprimanding the poster for suggesting it could be a WordPress issue and that a smoking gun would be needed before it would be taken seriously.

It was in fact that sentiment, and the lack of coverage about the ongoing pharma hack, that prompted me to cover the attack again, despite it having already been mentioned months ago on several different sites!

Again, let me be clear. I’m by no means suggesting that all hacks are due to faults in the WordPress code. In fact the large majority aren’t.

However, they ALL impact the community, the platform’s brand, and should be dealt with swiftly and aggressively. In short, they’re ALL WordPress’ problems to deal with.

Thousands of WordPress users are being hit with the “pharma hack” (Google has just under 2 million results for title tags that match the hacked pattern) and WordPress hasn’t said a word about it.

Mark Jaquith has reached out privately to a few people and there’s finally a thread on the support forums that didn’t get deleted but we still don’t have the vulnerability pinned down months into this attack.  Chris Pearson has been tweeting about it, in an attempt to solve the issue, but that only earned him a lecture from Matt!

Whether WordPress is the source of this problem or not, if no solution is found, what option will these blogs have other than to stop using WordPress? Sure it might not be WordPress’ fault, but if another platform isn’t being exploited in this way, it won’t much matter.

Brand Damage

WordPress has earned a well deserved reputation as a great CMS. However the frequent updates, many of them security related, have also earned it a reputation of being insecure.

Users who don’t update to the latest version are obviously posing significant security risks, but every time they get hacked, it’s one more person that has a WordPress hack story to tell. Every hack that targets a WordPress plugin is another Do Matt and others within the community really not care whether WordPress’ reputation is damaged in this fashion?

Defensiveness

The root of this “not my problem” attitude is likely defensiveness. No one wants to be at fault when a hack happens. And, WordPress get’s more than it’s fair share of accusations. Since WordPress is developed by a team of volunteers, it’s easy to see why they would take offense to these accusations.

However, with as many security releases as WordPress has put out in the last year or so, it’s certainly not unreasonable to suspect the platform could be the source of a vulnerability. Yes, security releases mean that a threat is being dealt with, but it also means that exploits were there in the first place.

As I said, hacks happen. The WordPress dev team has very limited resources. Unfortunately there are probably thousands of hackers out there right now trying to figure out how to exploit the platform.

The fact of the matter is it’s only a matter of time until the next one is found. That doesn’t mean the WordPress team is made up of horrible people. It just means they’re out-manned.

What would you have us do?

Thankfully, there are several actions the WordPress community (myself included) can take to improve this situation. They include:

• Be more vocal in praising the WordPress developers for improvements and successes.
  Sure there’s more motivation to comment or blog when you’re upset. But if the team deserves criticism, then they also deserve credit when they succeed (which happens much more frequently than the slip-ups). I’m one of the chief perpetrators of this and resolve to do better in the future.
• Volunteer to beta-test new releases.
  The WordPress dev team is always looking for more testers. The more people looking at the beta releases, the better chance problems will be found before the full release, thus preventing more of the updates we all love to hate.
• Don’t take criticism personally.
  This one isn’t easy but just because someone suggests there could be an issue with your theme, plugin, or even platform, doesn’t mean they hate you. Mistakes happen. Let’s figure out how to fix the problem and move on.
• Discuss hacks openly.
  One of the biggest mistakes I see being made right now is that information about hacks and vulnerabilities is often treated like a state secret. While I certainly can see the merit in keeping information about how to perpetrate a hack private, in today’s Twitter world, everyone is going to know when an attack happens.You’re not going to keep the discussions from happening, so you might as well bring the conversation onto your own turf. When something surfaces that’s affecting thousands of WordPress users, you need to address it.
• Face the facts.
  Whether it’s earned or not, WordPress has a reputation as being a security problem. The very fact that WordPress get’s so many hack reports proves that people are naturally inclined to blame the platform. Realizing and accepting that will make it easier to go about fixing it.
• Hire more security experts.
  One of the biggest ways to change the security reputation would be to hire more security experts. It’s obvious the team will never be able to compete with the number of would-be hackers out there. However, by publicly hiring security experts, you’ll not only be making a good PR move, you’d improve the product as well.More folks focusing on security would allow more thorough review of plugins and themes that are submitted, as well as more active pursuit of active hacks or attacks.

Your Suggestions

Thankfully, the WordPress community is full of people a lot smarter than me. I’m by no means a security expert (as I’m sure you’ve seen over the course of the last few posts) but there are plenty of you out there. What kinds of suggestions do you have? How can WordPress improve the security situation, or are things fine the way they are?

image source: rpongsaj

WordPress 2.9.2 was released yesterday and in following the recent trend, it contained a security patch.

It would seem that the idiot-proofing “feature” of sending posts to the trash instead of deleting them permanently allows logged in users to see the posts.

You can read all the details over on Thomas Mackenzie’s blog but basically if you have any sensitive data in a post that you trashed or perhaps said something unflattering, you need to upgrade immediately as any registered user of your blog can view it no matter what permissions they might have.

Disclaimer:

Now, before I start in on my brief bit of commentary on this issue, please let me make something clear. I appreciate all the time and effort any and all WP devs contribute. WordPress is a platform driven by the good will of many smart coders.

WordPress Doesn’t Take Security Seriously – FACT

That being said, it has become painfully obvious that WordPress is completely inept when it comes to security. There have been countless vulnerabilities discovered of varying degrees of seriousness. This lapse probably won’t impact a ton of users negatively but it does continue the disturbing trend of WP vulnerability.

Yes, WordPress has made the upgrade process a hell of a lot faster & yes, they’ve implemented an alert system that lets users know when their installations are out of date. But instead of coming up with new and creative ways to help users stay upgraded, how about spending a healthy amount of time on security issues before each release?

WordPress 2.9 has been downloaded over 4 million times and with that many blogs depending on your platform, you’d better have a better security plan than throw it out there & patch as things are found.

How about oh, I don’t know, hiring a security expert to pound on features before they’re released? How about recruiting some of the most devious minds in PHP to try and break things when Beta testing?

If there aren’t funds currently available for this (although there’s no way for anyone other than Matt Mullenwege to know that) there are plenty of ways to raise money for the purpose of increasing security.

There are currently affiliate links for different web hosts and in the past it has been suggested that those funds go to keeping the server running. Why not toss a few more affiliate links (perhaps on the Premium Theme page) to pay for a security expert? If you don’t like that method, just put a paypal link up and ask for donations.

The point is that if WordPress were REALLY serious about security issues, there are PLENTY of ways to go about address the glaring problem. Instead, we’re treated to a round of “we’re donating our time, not enough people participate in beta testing” excuses.

Until that changes WordPress’ security will remain the joke that it is.

Image Source: Robert S. Donovan

Update: WordPress 2.9.1 has been officially released and it seems to have addressed the variety of issues that occurred when upgrading, as well as a problem people had with scheduled posts. I gave it a shot on the two sites that choked on 2.9 and it worked seamlessly so I think it’s safe to upgrade at this point.

WordPress released version 2.9 over a week ago but the automatic upgrade has been causing several people problems.

It seems the process will occasionally hang mid-upgrade, often causing database problems with your site.

Sugarrae upgraded her afiliate marketing / internet marketing website (a must read if you’re not already subscribed) and had disasterous results.

I tried updating one of my own installations tonight but the automatic upgrade didn’t finish, resulting in every page on my site throwing an error.  Thankfully, I had the site content backed up and I needed to move the blog over to Hostgator anyway.

After tweeting my experiences, fellow SEO, Dave Curtis mentioned he had just had similar problems.

I’m willing to chalk one or even two failures up to coincidence but three in a relatively short period of time is enough for a pattern in my mind.

What Can I Do?

The first and most important step is to back up your WordPress installation before attempting an upgrade. That way if anything should go wrong you can reinstall WordPress or your database if it should come down to that.

At this point you can either roll the dice & hope you don’t have to use those backups you just created, or if you want to be 100% safe, you can always upgrade using the old-fashioned manual method.

I’ve heard the problems blamed on everything from plugins, to themes, to different versions of PHP. My failed upgrade seemed to be caused by a slow or unresponsive server but I haven’t been able to verify that. If anyone else has more details on the problem feel free to share them in the comments below.

WordPress 2.9.1 beta has also been released and reportedly fixes some of the bugs that may be causing the upgrade issues but of course, that upgrade has to be done manually as well which can be a bit of a pain for those of us with dozens of installs.

It wouldn’t surprise me at all for 2.9.1 to be officially released shortly and since 2.9 didn’t contain security patches this might be a rare instance where not upgrading is the best course of action.

Update: It appears that at least for my failed upgrade, WordPress recognized the failed upgrade and is allowing me to reinstall the upgrade. I know others haven’t been as lucky but at least some of the failures don’t appear to cause permanent damage.

image source: Chris Daniel

Word on the street is that some WordPress blogs are being hit with a brute force attack that is essentially a script that continuously tries to guess the admin’s password.

Dennis Fisher has all the details over on Threatpost summing up the threat with the following:

The wp_brute_attempt() function takes 3 parameters, $ch which is cURL’s structure (cURL is a command line tools that can be used to perform HTTP requests). The other two parameters define the site and the password that will be tried. If the script logged in successfully, the page that gets returned by the server will contain the phrase “Log Out”, and the function will return a true value.

So how can you protect yourself from this kind of attack?

It’s actually fairly easy. Change the default administrator’s login name from admin to something unique and use strong passwords with numbers, capitalized letters, etc.

There’s also a plugin designed specifically to prevent this sort of brute force attack, called Login Lockdown.

The plugin “records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range.”

And last but not least, as a last line of defense you should always make sure to regularly backup your WordPress installation in multiple locations.

I know posts like this seem like nagging or a waste of time but the first time your blog is hacked you’ll be kicking yourself for not taking action.

Image Source: kadath

In the WordPress world there’s no quicker and easier way to start a passionate debate than to bring up the issue of the GPL.

For those of you new to the discussion, the GPL is the license under which WordPress is distributed. It states, in part, that you’re free to modify and build on the code of WordPress, and distribute it in any manner you wish.

Premium Theme Controversy

Where the controversy comes in is that the license stipulates that your derivative work inherits the GPL licensing as well.

Where this has become a hot topic for discussion is in regards to “premium” plugins and themes.

Several of the most prominent premium themes such as Thesis or Headway contend their themes do NOT inherit the GPL licensing and have restricted use of their themes accordingly.

Other theme creators such as WooThemes, StudioPress, and others have publicly embraced the GPL and structured their business models accordingly.

The most recent entry into the premium theme market, Rocket Theme, states in their FAQ that they adhere to the standards of the GPL and yet price their themes in a manner which directly contradicts the license, a much more deceptive practice than flat out rejecting the license all together.

In short, the WordPress community tends to be all over the map when it comes to the implications of GPL licensing.

Matt Weighs In

WordPress creator, Matt Mullenweg, has weighed in on this issue several times, going so far in fact to ask a lawyer about the topic.

His position, which is supported by the lawyer and I happen to agree with, is that the PHP of WordPress plugins and themes that are distributed do in fact inherit the GPL licensing regardless of the developers’ wishes. Images and CSS files however, do not necessarily inherit the same licensing.

The problem of course is that some of the framework themes use the PHP to generate the CSS files and use very few if any images. And, as WordPress themes progress, that seems to be the direction more and more themes are heading.

In short, this issue isn’t going away any time soon.

Where the Rubber Meets the Road

The reason this is such a contentious and potentially far-reaching issue is simple…

Money.

If Matt’s interpretation of the GPL is accurate, users would be well within their rights to distribute premium themes at a lower price or even for free if they chose to do so.

Naturally some premium theme developers have been very vocal about their opposition to this interpretation of the GPL. In fact, Thesis developer Chris Pearson and Matt Mullenweg have previously feuded over the issue with the threat of legal action being thrown into the mix.

Just last week Matt published the video embedded below in which he says around the 8 minute mark that premium themes that place limits on users’ rights such as number of installations or footer links are “evil.”

Put Up or Shut Up

Now I don’t know about you, but calling a company evil seems like a pretty strong statement to me. If nothing else it’s evident that Matt feels strongly about the issue.

Unfortunately, he hasn’t bothered to actually DO anything about it.

Instead he’s left users like you and I in the middle to try and interpret the legal language, debate it amongst each other, and contend with the thread of a lawsuit should we decide to embrace the rights he claims we have under the GPL.

So my request to Matt and the rest of the Automattic team is simple. If you honestly believe that WordPress themes inherit the GPL licensing, put your money where your mouth is.

Either distribute the GPL portions of premium themes for all WordPress users to enjoy or file a lawsuit against premium theme companies that don’t adhere to the GPL.

Automattic certainly has deep enough pockets to be able to afford the legal battle that’s likely to ensue. And as the creators of several WordPress based businesses, you have a vested financial interest in seeing the case through.

If you’re unwilling to take either of those steps, then I respectfully ask you to SHUT UP about the issue.

Don’t sit back and take pot shots at “evil” premium theme companies during an interview if you’re not willing to back your statements up with action.

I happen to agree with your stance on the GPL but I find myself unable to defend your attitude of superiority & intimidation towards non-GPL theme developers.

Either put up, or shut up.

It’s that simple.

image source: pedpaula

If you haven’t updated your WordPress installation to version 2.8.4, take a minute and go do so now.

As Lorelle explains, a new attack seems to be making the rounds amongst older versions of WordPress and wreaking havoc across the web.

Apparently the hack will not only create a new administrator for your site, but also penetrates the database making it much more difficult to restore if you’re a victim. Once your database is infected, even if you backup WordPress on a regular basis, those backups would likely also be tainted.

Given WordPress’ recent tendency to update every other week, I know a lot of bloggers held off making the latest update, figuring they’d just be doing the same thing in a couple of weeks. However, 2.8.4 has been out for nearly a month and this hack isn’t something you want to tangle with.

How Can I Tell If I’ve Been Hacked?

According to Lorelle:

“there are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.”

Also, my man Michael over at Smackdown has a great post on how to completely clean your WordPress installation if you’ve suffered an attack, however, with this particular attack you need to be sure that you’re NOT working with an infected database. You can either use an older DB that hasn’t been impacted, or just work with WordPress’ content export feature.

Using the latter option won’t be pretty as you’ll probably need to reactivate your plugins and could lose some settings for things such as SEO Smart Links, but it’s better than having a hacked site.

Basically, getting hacked is a real pain in the ass so don’t be an idiot and take the time to go update your sites if you haven’t already done so.

Update: Matt has a post on all the whole WordPress security issue that touches on a lot of topics including a bit of web security philosophy but his main point is the same as mine, keep your installations up to date.

He does stray off into a little bit of self righteous don’t blame us, we’re just a community of dedicated open-sourcers which is true to a large degree. But, as I’ve said before, Matt and Automattic make a lot of money off WordPress and it’s time they invest some serious resources into security. If Matt and the other developers can’t predict what schemes hackers will try, hire one to help you do just that.

Ok, I’ll step off my soap box for now, but only because I want you to stop reading, and go update!

Image Source: Vinit

After reading iThemes’ most recent blog post I came to a startling but suddenly obvious realization… Premium WordPress themes are dead.

I realize that may seem like a foolish statement given the constantly increasing number of premium themes on the market, but its true.

Over the last year, the premium theme that has garnered the most attention has undoubtedly been the Thesis theme.

In recent weeks, the Headway theme has exploded onto the scene and quickly emerged as Thesis’ main competitor.

So in light of the still growing popularity of these two themes, why would I proclaim that premium themes are dead?

Because.. They’re Not Themes

Oh sure they label themselves as themes, contain many of the same files as themes & are installed in the same way as themes, but they’re not themes.

They’re frameworks.

If you read my Thesis review, or our guest submitted Headway review, you may have noticed that the thing we liked best about these two “themes” was their flexibility.

You can create virtually endless different site designs, all while working within the framework of the Thesis or Headway theme.

And that my friends, is exactly why premium themes are dead.

Flexibility Killed the Premium Theme

Sure it’s nice that companies like iThemes keep turning out new themes, but they’re fighting a losing battle.

People don’t want to purchase a different theme for every new site they create or every time they want to redesign their site. We want a framework that allows us to make a vast array of design changes as quickly and easily as possible.

Unless premium theme companies release frameworks of their own, and do it soon before Thesis and Headway gain an even stronger strangle-hold on the market, they’ll be reduced to even more posts like the one we saw today.

As Monty Python taught us, it you can go around screaming “I’m not dead yet” as much as you want, but you’ll get carted off just the same.

Image Source: http://www.flickr.com/photos/paparutzi/