In case you didn’t know, the filters and action hooks API is the glory of WordPress: it’s what makes WordPress so easily modified and extended. Seeing which are the most often used should say something about what plugins in general are trying to do.

I think the most interesting result of Dale’s survey is that so few are used frequently. Once you get past the action hooks that have to do with plugin/widget initialization and the filters of post text, few remaining are statistically significant. That suggests to me that most plugin developers are under-utilizing WordPress’s full potential.

See Dale’s results here.

Most of the changes seem to be a result of blogs coming and going from the ranks of the top 100. Glancing at a diff of the two lists, it appears the only blog to have actually changed its CMS is Crooks and Liars, which switched away from WordPress to Drupal.

Although I wish I could share Matt Mullenweg’s optimistic hope that next year WordPress will be used by “between 40-50%” of the top 100 bloggers, the little amount of change from last year suggests that things will remain mostly the same. That makes sense, given that most of these blogs are big business, and big businesses tend to act conservatively.

This attack seems to be taking advantage of the security vulnerability that necessitated WordPress 2.6.3, whereby if an attacker could get control of an RSS feed that you publish on your blog (for example using the RSS widget), he might be able to execute any commands.

Keep in mind that WordPress 2.7 is still under development, and these features could change somewhat before 2.7 is released.

By default, this admin bar looks a lot like the one at WordPress.com, but it (optionally) includes all available admin menu items, and there are a number of built-in styles, or “themes,” to choose from.

Viper007Bond contributes quite a bit to WordPress core development, so as one would expect, this plugin is coded well: the code itself is clearly organized, it follows WordPress standards with regard to localization, it’s even forwards-compatible with some features of the next version of WordPress, and it’s extensible: he’s provided a feature that allows themes to add their own admin bar “theme.”

Typically, if you paste content from Word into WordPress’s WYSIWYG, TinyMCE, you get a ton of unsightly markup, such as font and alignment tags, which can wreak havoc on your site’s appearance. Users can get around this by enabling the advanced features of TinyMCE (click the “kitchen sink” button on the far right) and pasting using the special “Paste from Word” button, but the problem with this is that the kind of people who usually have a problem with this (using Internet Explorer, TinyMCE, and writing blog entries in Word) are not typically the most tech-savvy folks, so finding and remembering to use the “Paste from Word” button can be difficult. For a number of end users I’ve written regex replacements that do the same thing, so this plugin is a welcome addition.

Hackers are taking advantage of the open-source nature of the software to analyze the source code and test it for potential vulnerabilities. It is then left up to developers and users to detect, track down, and then close off the vulnerabilities in the code that attackers are using. The pattern seems to be that when a new hole is found, it is broadly exploited, then developers rush out a patch and a new release.

Agreeing with many of his overall points, such as the necessity of making frequent backups and keeping up-to-date, I thought it was interesting to note that the specific sites he mentions do not seem to support the premise that they fell even while diligently being updated.

By checking the source of these sites as cached by various search engines, you can see what version of WordPress they were using recently. The first one Cubrilovic mentions was “hacked” back in January, when it “was running the most recent version of WordPress available at the time.” Apparently that attack didn’t inspire its maintainer to keep up with updates, as a cached page shows that as recently as the end of May it was using a version of WordPress, 2.3.3, that was seven weeks outdated.

Cubrilovic also links to another compromised site, whose owner admits that he had “been running an ancient version of WordPress and had meant to upgrade, but it never seemed urgent.” At another he points out, the owner says “I was already at the latest, 2.5.1, and still got hit.” However, a cache search shows that as of June 1 the site was still using version 2.5, five weeks after the 2.5.1 security release, suggesting that the attack came prior to the upgrade. TechCrunch itself as of three days ago ran a version of WordPress over 10 weeks old.

Cubrilovic makes it sound like a WordPress user has to follow every bit of news about WordPress to stay safe: “For users of WordPress, backups are essential, as are frequent updates, monitoring your blog usage and tracking the official WordPress blog and other blogs for news of any new security holes.” That’s not bad advice, but keep in mind that since WordPress 2.3 there has been a prominent, automatic reminder to upgrade whenever a new release comes out. In each of the examples, the users had to ignore week after week this message at the top of their admin screens:

According to Donncha O Caoimh of Automattic, this exploit took advantage of a vulnerability that has been fixed in the latest stable version of WordPress, 2.5.1. As he points out, although 2.5.1 sites have succumbed to the attack, the evidence so far is that they were compromised prior to being upgraded. O Caoimh has a thorough description of how to identify this hack, how to avoid hacks in general, and what to do to recover from a hack in general. If you manage a WordPress blog, you should read his post.

This topic has appeared in the WordPress bug tracker, on the WordPress.org support site, and a number of people have blogged about it.