Tech Ramblings — 21 March 2011

Since a lot of poker blogs out there are powered by WordPress, I thought I would help get the word out about a vulnerability that exists if you allow users to register on your site. On another (not poker related) blog I run, I’ve been getting occasional posts in Polish. That is odd, because when I look at the poster he is listed as having “Contributor” permissions, which means he should be able to write posts, but they can’t go live to the world unless they’ve been approved by me. How are they ending up on the website without my ever approving them? I don’t know, but in investigating the issue I’ve run across a few other sites that have run into the same issue, including the same person (klamka13303) doing the posting. Their research seems to indicate that over 300,000 blogs have been hit by this guy already.


If you are running WordPress you should take a moment and log into your admin control panel. From there go to Settings > General. You will see the following options:

[Screenshot: Settings > General, showing the “Anyone can register” membership checkbox and the “New User Default Role” drop-down]

The safest route seems to be to disallow registration. If you’re the only person who posts on your blog, you probably don’t need people to register anyway, so it shouldn’t be too big of a deal. If you need to have people register on your site, I guess your second option would be to set the New User Default Role to “Subscriber” rather than Contributor. I’m not sure if that stops the exploit, but in theory a Subscriber wouldn’t even be able to create or save a post. Then again, a Contributor isn’t supposed to be able to publish their own posts either, which is why just disabling user registration seems like the most prudent option if you can do it.
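As an added illustration (this is not code from Bill's post or from WordPress itself), here is a must-use plugin that pins the two Settings > General options discussed above in code, pushes any post that a user lacking the publish_posts capability tries to save as “publish” back to “pending”, and lists published posts currently authored by Contributors so an administrator can review them. The file placement under wp-content/mu-plugins/, the function name lockdown_audit_contributor_posts and the log wording are this example's assumptions; the hooks and functions it calls (pre_option_*, wp_insert_post_data, user_can, get_users, get_posts, admin_notices) are standard WordPress API.

```php
<?php
/**
 * Plugin Name: Registration lockdown (hypothetical hardening snippet)
 * Drop this file into wp-content/mu-plugins/ so it loads before any theme
 * or plugin code. Function and variable names are this example's own.
 */

// 1. Pin the two Settings > General options the post talks about.
//    pre_option_{$name} short-circuits get_option(), so even if someone
//    re-ticks "Anyone can register" in the admin UI, code still sees 0
//    and new accounts (if any are created) default to Subscriber.
add_filter( 'pre_option_users_can_register', '__return_zero' );
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// 2. Belt and braces: a logged-in user without publish_posts (Contributors
//    lack it) must never be able to save a post with status 'publish'.
//    The post is pushed back to 'pending' and the attempt is logged.
//    Editors approving a Contributor's draft are unaffected, because the
//    check is on the acting user, not on the post's author.
add_filter( 'wp_insert_post_data', function ( $data, $postarr ) {
    if ( 'publish' !== $data['post_status'] ) {
        return $data;
    }
    $actor = get_current_user_id(); // 0 for cron / unauthenticated callers
    if ( $actor > 0 && ! user_can( $actor, 'publish_posts' ) ) {
        $data['post_status'] = 'pending';
        error_log( sprintf(
            'lockdown: blocked publish attempt by user %d on post %s',
            $actor,
            isset( $postarr['ID'] ) ? $postarr['ID'] : 'new'
        ) );
    }
    return $data;
}, 10, 2 );

// 3. Audit helper for the symptom in the post: published posts whose author
//    currently holds the Contributor role. Legitimately approved posts show
//    up too, so treat the list as "review me", not as proof of compromise.
function lockdown_audit_contributor_posts() {
    $contributor_ids = get_users( array(
        'role'   => 'contributor',
        'fields' => 'ID',
    ) );
    if ( empty( $contributor_ids ) ) {
        return array();
    }
    return get_posts( array(
        'post_type'   => 'post',
        'post_status' => 'publish',
        'author__in'  => $contributor_ids,
        'numberposts' => -1,
    ) );
}

// Surface the audit result in the dashboard, for administrators only.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $posts = lockdown_audit_contributor_posts();
    if ( empty( $posts ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>';
    printf(
        'Review: %d published post(s) are authored by Contributors.',
        count( $posts )
    );
    echo '</p></div>';
} );
```

Pinning the options through pre_option_* filters means the values shown on the Settings page can still be changed in the database, but every code path that reads them gets the pinned value; if you prefer the stored values to match, untick “Anyone can register” and pick Subscriber in the UI as the post describes and keep the filters as a safety net. The wp_insert_post_data check is an extra layer below the capability checks in the post editor, so it also covers other entry points that end up calling wp_insert_post().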


About

Bill Rini has been working in the online poker industry since 2004. He was a product manager for poker at Full Tilt and was the poker room manager at PartyPoker. Currently, Bill is the Head of Online Poker for WSOP.

Bill has been blogging about online poker since 2003 and is considered one of the leading authorities on the online poker industry.

“I like What Bill Rini said in his blog” – Doyle Brunson

“In other news, we had Bill Rini write an absolutely home run blog.” – Daniel Negreanu

“Industry insider Bill Rini has one of the most popular blogs in poker, with thousands of subscribers and fans regularly coming back for his universally respected insight into the industry” – Barry Carter (News editor for PokerStrategy, Co-Author: The Mental Game of Poker)


(3) Readers Comments

  1. Hi Bill… Thanks for the mention. I have also stopped registration on my blog. Hope this is resolved by WordPress soon…

  2. Pingback: Shorten Your Own URLs With YOURLS — Bill's Poker Blog

  3. Great info Bill, thanks a lot, love the blog too, great read, laughs and good info too
