Some users were reporting issues with the email coming through as ignoring the HTTP headers and including all of them within the email itself. A big mess indeed. Now it uses the wp_mail command so it can be hooked into by other plugins. Also because of this function usage it means that I don’t need to write the headers manually.. WordPress does all that for you. It should now be a lot more compatible with the various mail clients.

Download it here: SB Mail Attachment Widget (2.7 kB)

The new field in all it's glory!

I wrote a post about this a couple of days ago attributing some custom work to a client of mine. It seems that now other people (person) are (is) coming forward with more changes. This little time saver was sent to me which adds a quantity input box and a loop to add the key as many times as you want when adding a manual key.

So, for example, let’s say you are offering a particular client 50 licenses for free (for some reason) and are doing it ‘off the books’ so to spean but don’t want to have to add their key 50 times in a row. This box allows you to add it once and type 50 into the second box to do the same job!

Download it here: SB Auth Admin (11.08 kB)

I also snuck in a new images directory and a WordPress Menu Icon for fun!

I have had a few comments and emails about it with people wanting to integrate it into their own sites and querying compatibility with additional Payment Processors. It only supported E-Junkie before which costs a few dollars a month I think. I have just been informed by a client of mine that it also works with JV Zoo. This is good news indeed seeing as this doesn’t cost per month so a definite winner over E-Junkie. I am an affiliate of neither so feel free to pick and choose which you use but if course no monthly outgoing is a winner in my book.

Well such news warranted a new version number and a blog post.. why not! Although the E-Junkie IPN line works I have added one for JV Zoo in case either change their protocols and I need to update the plugin.

Download

Get the new version here: SB Auth Admin (11.08 kB)

Configuration

Like the arrow? I did it myself. My Photoshop skills are unmatched!

It’s simple.. on the add/edit product screen you will see a field named ‘IPN Forwarding URL’. Simply copy and paste the line from the SB Auth Admin plugin admin page (which looks something like http://www.yoursite.com/?add_license_key=jvzoo) and you are done! Be sure to test it of course but I am told it works a treat.

Thanks to Mathias from wsoparty.com

I spent all of september in France with my family. We stayed just outside of St Tropez on the riviera and I was forced to cut down my working, let alone blogging, to a minimum in account of the shocking Internet speed and lack of real computer with me. Needless to say though I did get some work done although more bread and butter than stuff for this site.

Since I have been back I have been working frantically to catch up with myself. I have been working on some pretty exciting projects though so lots of juicy code to offer up to the masses.

This includes

• Tell a friend widget
• Email widget with attachment functionality
• A variety of WordPress tutorials in the pipeline

Things I have done but you might not have realised are updates to my plugins in the WordPress repository, SB Uploader, SB Child List and Welcome Email Editor. Take a look at them on the WordPress site or if you are already using these plugins then check out your plugins page from the site they are running on and get he updates from there.

In short I have added widgets, shortcodes and generally neatened them up based on feedback I have had on here using the comments/contact systems and via the WordPress forums for each plugin.

A big thanks to all those people that got in touch with me for plugin help and WordPress advice. You have helped keep me awake during days when I am working on large projects and to those that have donated, once again, thanks for your support.

Remember I don’t add links back to my site in my plugins. I don’t add donate buttons or links to amazon wishlists and nor do I interfere with your WordPress sites in any way except for providing the functionality of the plugins I have written. This is because I feel that doing so is annoying and unsolicited. If you want to keep up to date with my plugin and WordPress work then check back here occasionally or add me to your RSS list. You will always be welcome.

Coming soon…

I have a few ideas for plugins and my website to appear over the next few months.

This site will soon become Tortoise IT in domain name and in site name. A designer friend of mine has mocked up a logo and theme for me to build over Christmas and the site is going to be moving in that direction. As well as offering free plugins and support, it shall also be a portfolio of my work and hopefully result in a much better user experience.

I dare say I shall post a few more times before Christmas however if I don’t.. Happy holidays from me and the rest of the Barton family.

Sean

I just updated my review system plugin to incorporate custom post types. On activation it adds records into it’s settings page for the custom post types you have on the system and sets the system to off for those types. So you simply add my plugin then go to the settings page and turn the system on for the post types you like.

I did this because I needed to write a product review system for WP-Ecommerce today. Their system incorporates a star rating and you can comment on products but not both together.. ie you can’t rate a product and leave a review in one go. My plugin, as you should know, takes over the WP comments system and adds the ability to add a star rating. You might need to custom code your Ecommerce template if you want to report on the average star rating but even without it works a treat.

Enjoy!

Download

Download

This is only very basic for the moment but I would happily extend it according to demand. Let me know if you have any ideas for it.

Features so far…

- Optional post/page override whereby you can set this plugin to take over comments systems on pages only but not posts or vice-versa (or any combination.. no custom post types yet).

- Automatic addition of the functionality to the end of posts/pages and comment rows.

Screenshots below

Download the plugin

Nantwich and Border Counties Sailing Club is situated about 15 minutes from my front door and offers a lovely little lake in which to take my Laser 2 out. I offered to help write a new site for them. The commodore used the phrase ‘It needs sexing up a bit’ which is never a good start. I worked with the vice-commodore in order to get something quick and basic up and running over the course of a few short hours work. It’s now live for all to see at http://www.nantwichsail.co.uk

I have also written a few little WordPress plugins in the last month or two and we have released another version of the popular Your Members plugin (1.7.2) so a busy and exciting time has been had.

More soon but in the meantime please feel free to contact me with your plugin and support requests.

What does it do?

The hack causes a file to be uploaded to one of your plugin directories and masks itself as a language template file (pot). So far I have seen it hiding within All in one SEO pack and Si Captcha plugins but there are more! Within the file is a huge amount of garbage that looks to be rubbish. In actual fact it’s all valid php code but nonsense in the form of massive nested ternary IF statements using Hex codes as the condition and action parts. The point is, of course, to make the file look encrypted whilst actually masking a single function. This function simply calls a single row from the wp_options table, selects a portion of the data, reverses it runs it.

The second part of the hack is as follows… The database row that the above file decodes is stored on wp_options with an option_name of rss_ followed by a long number… again an attempt to make it look genuine. Within the row is a serialised string containing what looks like valid data but with a huge encoded section in the middle. To the trained eye it’s known to be a base64 encoded string, however, the twist is that the string and corresponding ‘eval’ statement are reversed and therefore running base64_decode won’t work out of the box.

When reversed and run, it’s a chunk of php with yet more base64 encoding inside but this time the correct way round! The end result is that it’s both a shell and a mysql browser allowing anyone knowing the correct URL parameters to gain access to both your file system and database(s).

Scary huh! Anything else…

Sadly yes! Most sites are reporting a new user in their users table with administrative rights sometimes called ‘amin’, other times having a … in it and other times completely hidden. I have read that the username is actually a huge amount of JS code which hides itself. Fairly clever to give the author of this hack credit where it’s due!

Next other sites are reporting some dodgy iFrames showing up in their posts. This is, apparently the extent of the problem however with complete access to your database and file structure they could be a lot more malicious.

Is there a fix?

Yep… Rackspace are, apparently, doing their best to fix the problem whilst not (at the time of writing and to my knowledge) taking responsibility for the problem. I am told that the site setup has been blamed and permissions of 777 have been mentioned. Again, all speculation so best go read up at more official sources.

So other than Rackspace sorting it you can do any of the following…

• Remove any spurious rows from wp_options where there is a large encoded block in the value field. You should be looking for anything with an option name of rss_…. where … is a large number.
• Remove the user ‘amin’ or anything with ‘…’ inside it from your database and change any passwords. The hack can NOT give the hacker your admin password so don’t worry but it’s best to change it just in case. There are always ways!
• Check your plugin files for anything that looks odd. The file that I have seen has the ending .H.bak.pot or something similar. Bear in mind that .h is a library file, .bak is a text backup file and .pot is a language file. Neither .h nor .bak have any business on a WordPress site.

How can I stop this sort of thing from happening again?

You technically can’t but there are a couple of things to help you out…

• Backup your site files and database regularly (where regularly is more frequent than once a month or just relying on your provider to do them!)
• Turn off PHP commands like EXEC and EVAL. Anything that gives the PHP script access to your filesystem. It will definitely cause problems with plugins and sites but it’s the price we pay for safety
• Make sure your permissions are all correct and check them regularly.
• Check plugins before uploading them, a simple check in files for eval or exec should do it but it depends on how fussy you want to be!

That’s it for me… there are loads of blogs about detailing more about the problem and I understand the threat to be several days old now. Still worth knowing isn’t it!

Current plans include a whole new website just for the Your Members plugin to house things like… wait for it… documentation and a proper list of the things it can actually do! We have recently released YM version 1.6 which is the best version yet! We hope to get some feedback and tweets to the new YM Twitter account for things that you, the community, would like to see and then get the next version out to you sometime in the next couple of months.

Any questions about the plugin, the project or Glenns vital statistics then you can get in touch with us at newmedias.co.uk or use my site contact form and we shall get back to you.