WPtouch 2.0 Pro Pricing Details, Beta 2

Jun 04 / 2010
Dale Mugford

Coffee & Code

After several months, thousands of hours, hundreds of thousands of minutes, we’re close enough to WPtouch 2.0 Pro to announce pricing.

Premium Community

Truth be told, it has actually been difficult for us to make the decision to throw our weight behind a premium version of WPtouch. We have always loved the spirit of the open-source community, and agree with the software freedoms associated with works released under a GPL license. We have also been behind freely available plugins for our favourite publishing platform. Yet for those with successful and popular WordPress plugins, the support, updates, maintenance and upkeep for such a plugin become hefty. Without financial support, they are impossible to sustain effectively, and enjoyably.

There’s a growing community of premium solutions available for platforms like WordPress, and with WPtouch Pro we’re throwing our hat into the ring.

Unlike many other paid plugins, WPtouch Pro is neither small nor limited in its functionality, nor is it a premium plugin that has come out of nowhere: people who purchase WPtouch 2.0 Pro know the quality, time, dedication and style of the work we do, based on the freely available WPtouch 1.x that has been out for almost 3 years, and our other popular WordPress plugin, WordTwit.

Without Further Ado: Pricing

All figures in Canadian dollars (CAD).

  • The price for a single license of WPtouch 2.0 Pro is only $29
  • The price for a 5-pack of licenses is only $59
  • The price for an unlimited, developer license is only $199

Licenses, among other things, offer:
- Free automatic upgrades through a major version (all 2.x releases)
- Pro Support on bravenewcode.com/support
- Access to Docs, Knowledge Base articles
- Receive the new themes that ship with 2.x as a part of automatic updates

Note: Free direct support for WPtouch 1.9 is being discontinued. Free support will end 30 days after the release of 2.0. The Support forums will still include the community forums for 1.9 so users can share tips, and find existing answers to commonly asked questions.

Compare

Compare WPtouch Pro pricing with most other premium plugins and we think you’ll find it quite reasonable (it’s probably one of the cheapest premium plugins, really).

And for all of what WPtouch 2.0 Pro brings to the table we think it’s an incredible offer as far as premium plugins go.

Beta 2

We’ve been making good progress with beta 1 of WPtouch Pro, and plan on pushing out beta 2 early next week, likely Monday. For those in the beta program, expect a 1.4 update tomorrow which should shore up the existing issues in beta 1, and we’ll be working aggressively over the weekend to add a few more things for beta 2.

Beta 2 is an important milestone because it will mark the finished Skeleton template, complete with web-app mode, enabling those of you most interested in custom theming to get to work with what will essentially be the shipping version of the Skeleton.

More Info

You can get more information on WPtouch Pro, what's included, feature set overviews and sign-up to be notified when it's available by visiting bravenewcode.com/wptouch-pro.

WordTwit 2.4 Released

May 31 / 2010
Duane Storey

We just pushed out a new version of WordTwit. Twitter has announced that they will be discontinuing their old API in June and will only support their new OAuth version going forward. So, we ripped out the old authentication system in WordTwit and upgraded to the OAuth version.

So if you upgrade to WordTwit 2.4, make sure you go to the administration panel and reauthorize your account. Also, the signature method required for the new Twitter API (HMAC-SHA1) is only available in PHP5. So unfortunately, at this time we'll only be supporting PHP5 for WordTwit.

If you have any problems with WordTwit 2.4, please drop a comment in the support forums.

Update: version 2.4.4 is now in the repository, please make sure you are using the latest version.

WPtouch 2.0 Pro Beta1 Now In The Wild!

May 28 / 2010
The BNC Team

WPtouch 2.0 Pro beta1 is now officially in the wild. The number of beta testers for beta1 is relatively small, so if you applied and didn’t get accepted, don’t worry too much as we’ll be adding more people for beta2.

WPtouch 2.0 Pro represents nearly five months of work between the two of us. The original features were hashed out over a few beers down in Punta Cana in November of last year. It became evident from our initial discussions that in order to have the features we wanted we would need to do a 100% rewrite of the existing code, which is ultimately what we did.

Baby’s Got a Brand New Bag

2.0 is a complete mobile theming framework that was built upon a comprehensive plugin framework, both of which were created from scratch explicitly for this project. Under the hood WPtouch 2.0 constructs the entire administration panel programmatically, which means adding new features going forward will in most cases not require more than a few lines of code. It also means that mobile theme developers can easily add setting options to the WPtouch administration panel and have the majority of hard work taken care of for them.

Easily Extensible

One of the complaints developers had about WPtouch 1.x is that it wasn’t very easy to build upon. First, we didn’t have many plugin hooks that other plugin developers could tap into. Second, the default theme in WPtouch was fairly inflexible for people trying to add new theme features. We’ve addressed both of these limitations in 2.0.

All WPtouch 2.0 themes are based upon a theming example called Skeleton. It is our goal to continue to update Skeleton for each release, including support for nearly all of the WPtouch 2.x features. Skeleton can easily be cloned in the WPtouch 2.0 administration panel and used as a starting point for a completely custom theme, one that won’t be overwritten when WPtouch is upgraded.

WPtouch 2.0 also includes nearly 100 different hooks and actions that other plugin developers can tap into. In fact, many of the recent features added to WPtouch 2.0 utilized these same hooks.

The World’s Not So Big After All

All the text strings in WPtouch 2.0 have been properly internationalized. That will allow us to slowly translate WPtouch 2.0 into other languages. The first release of WPtouch 2.0 will have support for Italian, Japanese, Spanish, German and French. We’ll hopefully add a new language or two for each subsequent release.

The Beta Cycle

As WPtouch 2.0 is a 100% rewrite, we're looking to our beta users to help us flush out any of the issues that crop up in the wild. Beta1 will focus mainly on the administration panel, the upgrade process, support forum integration, and general WPtouch 2.0 usage. We expect beta1 to last roughly a week or so, depending on any issues that turn up. We'll be releasing periodic updates to beta1 to fix bugs.

Beta2 will be the second and last beta cycle, and will include the full suite of mobile themes and final functionality. Once we’re confident that beta2 is stable, we’ll release WPtouch 2.0 officially for everyone. So if you do the math, we’re only a few weeks from releasing WPtouch 2.0 for the general public.

Feature Set

There are over 100 new features not present in WPtouch 1.9. Here are a few of the highlights:

  • Deep integration between WPtouch and the BraveNewCode support forums – users can post support questions directly from the WPtouch 2.0 administration panel
  • Re-designed administration panel featuring an intuitive tab interface
  • AdMob and AdSense advertising support in themes
  • Support for multiple Prowl accounts
  • New plugin compatibility disabler (prevent problematic plugins from hooking into WPtouch)
  • New page/menu management panel that includes drag and drop functionality for icons
  • All new theme designs and effects
  • Inclusion of Skeleton theming example for developers looking to create custom mobile themes
  • Ability to customize a welcome message for first-time visitors
  • Inclusion of several new icon sets
  • New nested menu system available to themes
  • Inline comment replies and threading
  • Support for web-application mode
  • Ships with 5 professionally translated languages

And So It Begins

We want to thank everyone who applied to be a part of our beta program, and also everyone who was officially chosen to help with beta1. We’re very close to releasing WPtouch 2.0 Pro to everyone, something that we are quite looking forward to.

If you’re late to the party, you can sign up to be notified when WPtouch 2.0 Pro is released over at wptouch.com, or follow our updates on Twitter. We’ll post again when the second beta cycle opens up, at which point we can hopefully relay information about the final release date and price points for WPtouch 2.0 Pro.

Register Today for the WPtouch 2.0 Pro Beta

May 21 / 2010
The BNC Team

Updated: The beta registration is now closed.

After months of hard work WPtouch 2.0 Pro is ready for some beta testing love. We’re looking for a small group of dedicated testers to help make it as solid, safe and snappy as possible. If you’re interested in joining the beta program please read below on what we’re looking for before deciding to dive in.

General Information About The Beta Program

The WPtouch 2.0 Pro beta program is for the paid version of WPtouch. Beta testers participating in the program will receive a copy of the WPtouch 2.0 beta, and gain access to a private beta forum on our Support Forums to log issues and discuss the release.

Once installed, new versions of the beta will be released through the admin panel in WordPress. When the official 2.0 release is available, testers can upgrade to it through the admin from the beta as well.

Beta testers should be aware that WPtouch 2.0 Beta 1 is incomplete. We will issue updates to the beta over the coming weeks to improve stability and complete features, and we’ll ask for new rounds of review with a list of changes for testing.

As with any beta release, we expect to see bugs and issues which (though unlikely) may affect the stability of your WordPress environment. It is not recommended to join the beta program unless you are comfortable with beta releases and feel capable of restoring software and databases associated with your WordPress setup. That said, we don’t anticipate any serious issues or concerns with the betas.

Areas Of Focus

We ask that if you are interested in a beta of WPtouch Pro that you fall into at least 1 of 3 categories:

  1. You’re interested because of the many new features, and want to try and help improve the new theme(s) it offers
  2. You’re interested in designing/developing a custom theme with the new Skeleton
  3. You’re damn good at finding bugs and testing software, and think you can help us with your awesome bug squishing abilities

Requirements

To join the WPtouch 2.0 Pro beta program, we require the following:

  1. You have or create a BNCID* (to assign the license and forum access)
  2. You have a WordPress.org self-hosted website running WordPress 2.9.x
  3. The necessary admin credentials to upload and activate plugins on your WordPress installation
  4. That’s it!

*You can register for a BNCID by clicking the ‘Register’ link in the header of this website.

For beta 1 we will only be testing on 2.9.x. WPtouch 2.0 Pro will support WordPress 2.8, 2.9, and 3.0 officially, but our focus for beta 1 is on current versions of WordPress.

The purpose of the beta program is to harden and shore-up any issues related to the working functionality of the software, so we’d kindly ask that you do not publish reviews of the WPtouch 2.0 betas as product reviews at this time.

We’d also ask that you resign yourself to being a top-secret spy and not spreading information and details about the plugin before we do, if at all possible. We’re not crazy like Apple but do appreciate solidarity!

Enough Already! Gimme A Copy!

Hold your horses! First things first: there are a limited number of spaces in the beta program.

We'll contact those who want to join on a first-come, first-served basis. We'll send out a welcome mail and fill you in on the details if you're in the group. If not, don't worry: WPtouch 2.0 Pro will be released in June, and that's not far off!


The Big Changes In WPtouch 2.0

May 10 / 2010
Dale Mugford

There’s a groundswell of anticipation growing around the launch of WPtouch 2.0, a major update to our popular mobile plugin for WordPress. One of the hotly anticipated features (and arguably, most important) is the addition of themes. We’ve written extensively in the past about the various ways we’ve approached the idea of adding themes support to WPtouch, notably how hard it’s been to come up with a way that both:

  • Makes it easy for users to choose from different themes and set them up quickly, for those who want an easy, fast mobile solution that looks and works great…
  • While also providing a framework for those who want to customize themes, and even build their own from scratch

The two different paths are indeed very different, both from a user perspective and a coding perspective… ensuring both paths were well-designed was a feat.

We opted for a brand new admin panel to help solve some of the issues we faced, and we think the combination of vertical/horizontal tabs for navigating the WPtouch settings alleviates our concerns.

There are also other great things about WPtouch 2.0, and we wanted to share a little more about what they are today.

The BraveNewCode Way

We pride ourselves and our business on providing quality. Quality means different things in different contexts, to different people, but to us it translates into our users and customers knowing that they are working with something that has had a great deal of thought, care, consideration and work put into it. They should feel confident, and if we're lucky even delighted, to have it in their arsenal of tools that run their websites, business, etc.

Because there’s a paid version of 2.0 (we’ll be releasing this first, but indeed a free version will be released later as well) we wanted to ensure that the highest degree of quality we could muster was at the foundation of the work.

We do not take the growth of this plugin lightly. Since it's become one of the most popular plugins for WordPress (it was in the top spot just the other day, and has been downloaded over 700,000 times!) we've thought deeply about what it would mean to grow the plugin in a good way, extending its capabilities and the talents of WordPress as a publishing platform. It's always tempting to throw a price tag on something this popular, but we've always felt that if WPtouch was going to have a paid version it would have to do more, much more.

As we move into an age where mobile internet usage is fast becoming as important as (and maybe soon, more important than) desktop access, WPtouch has the potential to be something powerful for website owners to publish content for mobile visitors.

We put a fair amount of critical thought against the ideas we generate to discriminate which we want to act upon. Both Duane and myself are constantly generating new ideas and it’s a great asset as a small company to be able to creatively generate so much possibility. Though it can also be a lynch: we must filter these ideas, and determine which are valuable to act upon in an immediate manner and which should be shelved for ’someday’.

And we don't always agree, but I'd hate to have a partner who did not carry a different vision. One of our strengths is looking at and approaching things differently; it's something we work on improving and synthesizing all the time.

So arriving at what WPtouch can become and how it should get there has been a journey lasting nearly a year, and that doesn’t include the time it’s taken building it.

Support

When WPtouch was a fairly small plugin, it wasn’t very hard to support it. But given the popularity of WPtouch and the growing user base, more users are looking for help and support. Right now there are two options: the community forums on WordPress.org and the Support Forums on this site.

While we drop by our free forums whenever we can to answer questions, often ongoing client commitments limit our availability on the forums. To that end, the paid version of WPtouch Pro will allow us to dedicate the time to provide full support in our forums for paid users, addressing issues in a timely, comprehensive manner. We’ll also be supplying supporting documentation based on the WPtouch codebase which will help developers and users who wish to make their own enhancements or customizations.

A New Hope

The most frequent areas of request for WPtouch are compatibility with other WordPress plugins, and having more theme customizability.

Users want to see their favourite plugins work well with WPtouch, and want to be able to brand and customize WPtouch in ways that are not currently available to them without some form of fixed modification which will not survive plugin updates.

WPtouch 2.0 aims to take care of both of these concerns, and we think we’ve come up with some enterprising ways of doing so. There are a slew of other enhancements, changes, features and additions to 2.0, but we’re focusing this post on a couple of things which we know many users want to know about.

Other Plugins

It's not sustainable for us to try and support the integration of the thousands upon thousands of plugins available for WordPress. It's also not going to work if we simply tell our users to ask the developers of other plugins to find a way to make them work with our plugin, without adding anything to WPtouch to make it easier to do so.

With 2.0 there’s an entirely new codebase, and with it Duane’s packed in a variety of ways that ensure WPtouch is pluggable, extensible and modifiable by WPtouch theme authors and plugin developers. We hope that with these changes plugin authors can quickly and easily add modified functionality to their plugins for WPtouch, or create entirely new plugins which can hook into and provide functionality for WPtouch itself and/or its themes. It’s a brave attempt from our side at solving one of the things we (and our users) have struggled with most.

It doesn’t mean we won’t build in some out-of-the-box support for various plugins, but it does mean we want other plugin developers to feel empowered to come up with solutions for their products when working with WPtouch, in much the same way they do for WordPress itself and desktop themes.

After all, WPtouch is now becoming a mobile theming platform, and less a plugin that will give your site a generic, Apple-esque mobile application appearance. Because of this, our focus will be on creating innovative themes that harness the power of the devices they’ll be shown on. We can’t both do that and find ways for these themes to work with every plugin out there. It’s not practical and it’s not reasonable for us. That said, wherever possible, we will work together with other developers to ensure they have the tools and information necessary to make their plugin(s) compatible with WPtouch.

New WPtouch Themes

WPtouch 2.0 ushers in a whole new theme mechanism which allows for theme switching in the admin. WPtouch 2.0 will ship with a few themes, and we plan on having many more down the road. When you install and activate WPtouch 2.0 you’ll now find an admin panel that defines a global vs. theme options ideology.

There are global WPtouch features and settings which apply to general setup and all themes, while a new active theme tab, generated by the themes themselves, governs all the settings to do with that particular theme only.

We've worked hard to flesh out and distinguish what a theme needs to be able to do and access from what the plugin itself needs to govern and control. It's been an exhausting process: ensuring that themes can be flexible while also having a foundation to build upon that saves themers time and energy building out their dream mobile site.

Custom Themes

We hope this new approach inspires others to create custom themes themselves, and we’ve set the stage with a new Skeleton theme (a theme template with the basic features, hooks and guts needed to start building out a custom theme). The Skeleton will start out as a theme that resembles the current 1.9 theme in many ways, and we’ll likely grow and expand upon the Skeleton over time, or have other Skeleton templates.

Down the road we can also see people wanting to share the themes they create with others, and that would be great to see. Our focus for now, however, will be ensuring that those wishing to endeavor to build a theme with WPtouch have the tools, guidance and support in doing so, and that begins with Skeleton.

Custom themes can do everything our own themes do, and of course go off in their own unique directions. In fact, we’re building all of our themes off the same Skeleton, too. Really nothing we’ve done or do is required from a theme standpoint, so creatively a themer can leverage our work and code, or roll 100% custom if they so choose.

When the WPtouch plugin is updated, all custom changes, settings, themes, etc., remain the same.

Any new features that can be taken advantage of will not affect or break a custom theme, or any theme, for that matter. Custom/user themes live outside WPtouch's plugin directory, while the separation between the global WPtouch admin settings and theme features ensures a smooth environment for custom work.

Themers can add new theme functionality provided by plugin updates easily if they want, or ignore the changes (they will most likely be added to the Skeleton and documented, and will be easy to see in action).

If capabilities are deprecated in favour of others at some point, they won't be removed, so if you build a theme the day 2.0 is released it'll always work with WPtouch. Wherever possible, we want those building and working with WPtouch to feel confident that they can do what they want to do without the fear that their efforts will be quashed by subsequent releases.

Summary

To summarize: plugin features we add will not affect the functionality of a working theme, in much the same way that the core of WordPress adds functionality without breaking existing themes (for the most part, if they’re coded well).

Themes are user-selectable in the admin, and you can copy a theme to your custom folder to start editing its files if you so choose.

Support for 3rd party plugins will be handled not by direct plugin support, but rather through the ability to hook into WPtouch, and add/modify/remove a plugin’s functionality for better compatibility with WPtouch.

We may create modules that help perform some of this 3rd party functionality, but we're hoping that developers take to the streets themselves.

One More Thing…

Our WPtouch 2.0 themes will support web-app mode.

For iPhone/iPod touch visitors this means they can bookmark your website to their home-screen and your website will automatically be saved as a self-contained application which will run in fullscreen mode.

This means no address bar at the top of the screen, nor navigation bar at the bottom. Just your mobile site, in full and glorious view.

All posts, pages, comments, etc., are handled with Ajax. This means a super-fast and highly-optimized custom website experience for your website visitors, as native as one can get to a native application on the iPhone/iPod touch.

You can even define a loading image (the screenshot at the top of the page is just that!) that will show while your website fires up!

Launch Details, Beta

We haven't finalized launch details or the beta release, but we're getting closer every day to being able to do so.

We would like to reveal some demos of the plugin in action, and announce release information soon. We’re excited about it all but first need a few more pieces to fall into place, so hang tight!

Pricing and other details will be a part of those announcements.

The best place to get sneak previews is to follow BraveNewCode on Twitter.

To be notified when WPtouch 2.0 will be available, visit WPtouch.com and use the sign-up form.

A Day In The Life

Apr 28 / 2010
Duane Storey

It's been nearly two years now since we opened the doors here at BraveNewCode. Back then, I was working out in Vancouver at a software engineering job I didn't really like. Dale and I had been working together on Matthew Good's website off and on for a few months, and found that we complemented each other's skill sets quite well. When opportunity came knocking, Dale and I decided to grab onto it, eventually incorporating BraveNewCode and doing our first few websites. When business started rolling in, I put in my notice in Vancouver, moved back home to a little farming town in British Columbia, and the rest is history.

The hardest part about working together is the time zone difference between Dale and myself: I live out in British Columbia and Dale lives in Hamilton, Ontario. When I wake up in the morning, usually around 8am or so, Dale’s already been up and at ‘em for a few hours. Depending on what we have on our plate, Dale and I usually try and do an early morning call to sync up. If Dale hits me before I’ve had a coffee (or even a decaffeinated placebo), sometimes I’m sure I sound a little grumpy. But to his credit, Dale just pretends like I’m not.

Depending on how much food and drink I have in my apartment, I’ll sometimes work at home, or often I’ll head out to a coffee shop. When at home, I generally avoid my home office (I’ve never really been able to make it feel comfy), and usually find myself working on the dining room table. In the evenings I’ll often flip on the gas fireplace, plant my butt down on the couch, and code from there. While I have an iMac in my office, 90% of the work I do these days uses my Macbook Pro.

I go through cycles typically, usually a phase of quoting projects, followed by a phase of actively working on projects. Dale handles the majority of web design, and I handle the majority of web development. Over the years we have both rubbed off on each other, and I sometimes find myself doing a bit of design (at least at a CSS level), while Dale occasionally writes PHP and JavaScript.

We generally receive between five and ten project inquiries every week via our quotation form, and due to our size and our availability, generally only can take on about one project a month. If you do the math, that means we unfortunately have to turn a lot of projects down. Some people would immediately say we should ramp up the business and hire more people, but Dale and I are both inclined to keep it small and personal, opting instead to focus on our existing clients and the projects we’re passionate about.

We both have cell phone plans that let us talk to each other whenever we want for free; given that we're 4,500 km apart, that's a pretty nice feature to have. When we're working on projects that involve the both of us, often we'll fire up an audio chat with iChat and communicate that way. There was a period of time there when my internet at home was pretty dismal, and we sort of abandoned iChat for a while. But it seems to have been fixed, so I imagine we'll pick that up again.

I have quite a few IM accounts, but whenever I'm working I tend to use my top secret mobile .me account which essentially only has Dale as an iChat contact. I found that people used to interrupt me all the time on my other accounts, so I decided not to use them. Tim Ferriss, author of the Four Hour Work Week, isn't a big fan of IM, and neither am I. I've found in a lot of big corporate jobs that people just shuffle virtual paperwork around via IM, simply passing the buck for all their problems. When I gave up IM at my last job during the day, I found that a lot of problems that people used to try to get me to solve were eventually solved on their own when I wasn't immediately available. I look at that as a win-win. So I only have a chat program with Dale on it these days for when we're working.

While we sometimes work late hours or weekends, for the most part Dale and I try to stick to a regular schedule. I spent most of my 20s working 60 hour work weeks, and the lack of a personal life is not only unhealthy, but generally makes one really miserable. So Dale and I work pretty hard to maintain a good balance. To that end, we are both big fans of automation and constantly try to remove inefficient processes from the company.

For example, a lot of the content on this site gets updated automatically. On the WPtouch page, all the plugin information gets updated the moment we push a new release to the WordPress repository. Even though that system is entirely managed using Subversion on WordPress.org, the data gets pulled into this site periodically which ultimately minimizes the amount of time we have to spend updating our site manually. That’s a philosophy we’ve carried over to all our client projects as well, and we routinely go out of our way to automate some aspects of content generation for them as well.

When I’m not pounding the keys and creating code, there’s a little lake near me that I usually disappear to. In the summer I usually end up camping there, and in the winter I often go up just for a stroll to clear my mind.

Dale’s passion outside of BraveNewCode is bass fishing, and he spends a lot of his downtime in the summer pitting himself against a legion of fish.

For the most part, the physical separation between Dale and me is hardly noticed in a normal work day. Even so, we do our best to meet up every few months, if for nothing other than a few pints. I was out in Hamilton, Ontario last month for Dale's birthday, and Dale will be out to British Columbia in June for WordCamp Vancouver. If the weather starts turning for the worse, Dale and I will sometimes meet somewhere warm for a week of R & R and brainstorming, usually without much computer time. Last year we spent a week in Cancun and two weeks in Punta Cana, which is where we did most of the initial brainstorming around the soon to be released 2.0 version of WPtouch.

For the last few months, Dale and I have been busy designing and coding the next generation of our WPtouch mobile plugin. The new version is a 100% rewrite, complete with a framework which will allow people to build out mobile themes. I think when it's released most people will be extremely happy with the flexibility and ease of use of the new version. If you're interested in WPtouch 2.0 Pro, make sure you sign up for notifications at WPtouch.com. We'll also be occasionally updating people via our Twitter stream. If you like snappy one-liners, check out my Twitter stream or Dale's stream.

And on that note, it’s back to PHP land for me. Next update from me will probably be around the time WPtouch 2.0 Pro is released. Until then.

On The Recent WordPress Blog Hackings

Apr 12 / 2010
Duane Storey

There’s been a lot of talk on the web today about some recent WordPress blogs that were hacked, so I wanted to chime in a bit. Thankfully nobody I know was affected by this latest attack, but I’ve had friends hit on previous ones.

First, no system is entirely secure. Ultimately you try to do your best to secure a system by adding obfuscation, encryption, obscurity, passwords, etc., but each of those systems has weaknesses as well. Even the public key encryption that forms the basis of SSL is attackable, it just currently relies on a level of computational complexity to make it nearly impossible for the average attacker.

The latest attack involved a user on Network Solutions going around and reading information from the wp-config.php file which contains the basic database information for WordPress itself. Once the user had that information, they effectively had the ability to change all the WordPress related configuration settings and stored content. The following are listed as reasons why this attack was successful, so I thought I would comment on each in order.

  1. The file permissions on wp-config.php weren’t restrictive enough. On Linux machines, you can assign file permissions separately for the owner of a file, for the group the file is in, and for everyone else. This is typically written in octal notation as 644 or 640, where each digit is the sum of read (4), write (2) and execute (1): the first digit is the owner’s permission (6 means read and write), the second digit the group (4 means read-only) and the last digit is for everyone else (a zero indicates it’s neither readable nor writable). A lot of articles I’ve read about this exploit indicate that this attack would not have worked had the permissions not allowed reading of the file by everyone. That’s probably true. Unfortunately it doesn’t take into account the reality of how wp-config.php is created, or how the average Linux system sets file permissions. I can’t speak to how wp-config.php is created, but if it doesn’t already do it, WordPress should probably set the permissions on that file to 640 upon installation. In any case though, simply check the permissions of that file after an installation and adjust them accordingly.

    Unfortunately on most of the Linux systems I’ve encountered, the default mask for the files is usually 664, meaning the files are readable by everyone, and writable by the owner and the group. In an ideal world the second parameter would always be a 0 or a 4 as well (or a 5 for executable files), but many hosting providers require web files to be group readable as well, since Apache doesn’t run as the file’s owner. On some sites that use suPHP, the PHP process will actually be run as the owner of each PHP file, which basically means only the owner attribute is really important, and the others could conceivably be set to 0.

  2. The WordPress database password is stored in plain text. This is true, but there’s no real way around it. If the permissions of wp-config.php are set such that wp-config.php can only be read by Apache or the owner of the file, then this part really isn’t that relevant. But some people are arguing that if the password wasn’t stored in plain text this wouldn’t have happened.

    One option is to store the password in an encrypted form using symmetric encryption. As several people pointed out on Twitter, this is sort of useless since it would require storing the encryption key somewhere in plain-text as well, which causes the same problem. Also, the typical symmetric encryption library on PHP is mCrypt I believe, and it’s rarely installed on a host.

    Another option is to store the password in an encrypted form using public/private key encryption. The password could be encrypted using the private key, the private key deleted, and then the public key either stored on disk or in a PHP file. If anyone acquired the public key, they could easily decrypt the password, but it would provide a slight barrier for anyone not familiar with how public key cryptography works. Also, the public key could be stored as 640 or 600 on disk (although this is effectively a non-issue if those permissions were used originally). This type of scheme also relies on OpenSSL being installed, which it often is, but not on 100% of systems.

    I saw one comment on a site saying the password should be stored using MD5 and a salt. Since a hash is not reversible, this wouldn’t do the trick – ultimately MySQL requires an unencrypted password, so one-way transforms aren’t going to help.

If you’re an end-user that has a site hosted somewhere, you should do the following:

  1. Set the file permissions on wp-config.php to 640. If you have SSH access you can do that by typing “chmod 640 wp-config.php”. If you have an FTP program you can usually do it by adjusting the file properties.

If you’re a hosting provider, here are some tips:

  1. Don’t allow other users to browse each other’s directories. The base user directories should not be navigable by end users, only by the main owner and potentially the group (depending on how Apache is set up).
  2. Don’t assign users to the same group Apache is in. If you require group permissions for Apache to run, don’t assign other users to that group or they will always have the same rights as Apache.
  3. Scan your users’ directories for any wp-config.php files that are readable by everyone and adjust them all.
  4. Change the default file mask so that the everyone/world permissions are not readable by default.
  5. If your site somehow needs everyone permissions to be readable, then you probably need to re-architect your hosting environment.
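The octal digits explained in point 1, the chmod advice for end users, and hosting tips 3 and 4 all come together in one audit script. The following is an added example written for this page; it is not code from the original post or from BraveNewCode. It assumes a POSIX shell with find, chmod, stat and mktemp, and the hosting tree it scans (two customer directories, each with a constructed wp-config.php) is built by the script itself.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a web root for
# world-readable wp-config.php files and tighten them to 640, plus a check
# of what umask does to newly created files. Directory layout is constructed.

# Octal mode of one file; GNU stat uses -c, BSD/macOS stat uses -f.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Exit 0 when the last octal digit ("everyone else") has the read bit (4) set.
world_readable() {
    mode=$(file_mode "$1")
    last=${mode#"${mode%?}"}        # final digit only; sidesteps leading-zero octal parsing
    [ $(( last & 4 )) -ne 0 ]
}

# Print every wp-config.php below $1 that anyone on the box can read.
# -perm -004 matches files whose "others" bits include read, whatever the rest is.
find_world_readable_configs() {
    find "$1" -type f -name wp-config.php -perm -004 -print | sort
}

# Tighten every hit to 640: owner rw, group r (for Apache via the group), others nothing.
# On suPHP-style hosts 600 would also do; 640 is what the post recommends.
fix_world_readable_configs() {
    find "$1" -type f -name wp-config.php -perm -004 -exec chmod 640 {} +
}

# Tip 4: report the mode a freshly created file gets under a given umask.
# Runs in a subshell so the caller's umask is left alone.
mode_under_umask() {
    d=$(mktemp -d)
    ( umask "$1" && : > "$d/newfile" && file_mode "$d/newfile" )
    rm -rf "$d"
}

# Build a constructed hosting tree with two customer sites for demonstration.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/public_html" "$root/bob/public_html"
    printf '%s\n' "<?php define('DB_PASSWORD', 'constructed-example');" > "$root/alice/public_html/wp-config.php"
    printf '%s\n' "<?php define('DB_PASSWORD', 'constructed-example');" > "$root/bob/public_html/wp-config.php"
    chmod 644 "$root/alice/public_html/wp-config.php"   # the common (bad) default
    chmod 640 "$root/bob/public_html/wp-config.php"     # already locked down
    printf '%s\n' "$root"
}

# Stand-alone run: show what the audit finds before and after fixing.
demo() {
    root=$(make_demo_tree)
    echo "World-readable before fix:"; find_world_readable_configs "$root"
    fix_world_readable_configs "$root"
    echo "World-readable after fix:";  find_world_readable_configs "$root"
    echo "New file under umask 002: $(mode_under_umask 002)"
    echo "New file under umask 027: $(mode_under_umask 027)"
    rm -rf "$root"
}

demo
```

Run it as the account that owns the tree, or as root when sweeping all customer directories. `-perm -004` catches any file whose "others" digit includes read (4, 5, 6 or 7), so a 644, 664 or 666 wp-config.php is reported while 640 and 600 are not; `mode_under_umask 027` shows new files landing at 640 instead of the 664 the post complains about, which is tip 4 in practice.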

If anyone has any other suggestions (or notices any mistakes), drop them in the comments below and I’ll update this post accordingly. Ultimately, every user needs to take responsibility for the security of their own site. While it’s easy to point the blame at WordPress, this type of exploit can occur with any PHP program that makes use of a database when its configuration files are exposed to all users on a system.

WPtouch 1.9.9.8: We Got The Fix For You

Mar 19 / 2010
Dale Mugford

Today we released WPtouch 1.9.9.8, a bug fix and maintenance release targeted at addressing issues related to RSS feeds in the admin panel. For some users the admin panel would either be partially loaded or fail to load entirely. This release also addresses an issue where other uses of the site’s RSS feeds, in a template or in plugins (such as the FeedWordPress plugin), might be affected.

This update is recommended for all users.

Changelog

  • Fixes admin panel not working or broken for some users
  • Changed admin panel RSS feeds to use AJAX
  • Added function_exists and object checks to admin RSS
  • Changed Tweet RSS Feed to Support Forum Topics
  • Fixed minor page menu CSS issue
  • Included 40% reduction in PNG sizes thanks to BNCID user 13xforever