As I was in the process of writing a new blog entry titled “Do You Know Who’s Reading Your Drafts” in response to a recent loophole in WordPress, the development team released a brand new update that closes it.
In case you were wondering what all the fuss was about: anyone who appended /wp-admin/ to your site’s URL could view the posts that were still sitting in draft or scheduled to publish at a future date.
This is most harmful if you publish your entire post on the front page of the blog instead of using the more tag or excerpts. With a teaser, only the excerpt leaks, because clicking through to the permalink of an unpublished post would, of course, yield a post not found error.
Without going into too much detail, the problem is that WordPress decided whether a request was an administrative one by looking for wp-admin in the URL rather than by checking whether the visitor was actually logged in as an administrator. Using XXXX as an example, you could visit this URL to reveal some of his upcoming posts:
http://www.address.com/index.php/wp-admin/

If a website is not using the FeedBurner redirect plugin, all of the scheduled posts are available through an RSS feed as well. The URL for that looks something like this:

http://www.address.com/?feed=rss2&x=wp-admin/

That is not good, because thousands of sites out there are set up to scrape feeds from other websites and republish the content as their own. This would give them easy access to all of your unpublished content.
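Here is a self-check for the loophole described above, written as an added example; it is not code from the original post or from WordPress. It builds the two probe URLs from the patterns quoted above, diffs the public feed against the wp-admin probe feed to list anything served only to the probe (a future pubDate marks a scheduled post), and adds a helper for spotting the same pattern in your own access logs, since a genuine admin request has wp-admin/ at the start of its path, not after index.php or inside a query-string value. The function names, the sample feed documents, the frozen clock value and the www.address.com host are assumptions made for illustration; nothing is fetched from the network, so you pass in the two feed bodies you downloaded yourself.

```python
"""Self-check for the wp-admin draft/scheduled-post leak described above.

Added example, not code from the original post or from WordPress. The probe URLs
follow the patterns quoted in the post; the function names, the sample feeds,
the frozen clock and the www.address.com host are assumptions.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import unquote, urlsplit, urlunsplit


def probe_urls(base_url):
    """Return (public_feed, probe_feed, probe_page) for a site.

    The second and third URLs carry 'wp-admin/' outside the real admin path;
    that substring is what the flawed admin check keys on, so an anonymous
    request gets drafts and future-dated posts pulled into the query.
    """
    p = urlsplit(base_url)
    root = p.path.rstrip("/")
    public_feed = urlunsplit((p.scheme, p.netloc, root + "/", "feed=rss2", ""))
    probe_feed = urlunsplit((p.scheme, p.netloc, root + "/", "feed=rss2&x=wp-admin/", ""))
    probe_page = urlunsplit((p.scheme, p.netloc, root + "/index.php/wp-admin/", "", ""))
    return public_feed, probe_feed, probe_page


def parse_items(rss_xml):
    """Map each <item> link to its pubDate (timezone-aware) in an RSS 2.0 document."""
    items = {}
    for item in ET.fromstring(rss_xml).iter("item"):
        pub = item.findtext("pubDate")
        when = parsedate_to_datetime(pub) if pub else None
        if when is not None and when.tzinfo is None:  # a '-0000' zone parses as naive
            when = when.replace(tzinfo=timezone.utc)
        items[item.findtext("link")] = when
    return items


def leaked_items(public_xml, probe_xml, now):
    """Items the probe feed serves that the public feed does not.

    A pubDate after `now` means a scheduled post; an unlisted item with a past
    or missing pubDate is most likely a draft.
    """
    public = parse_items(public_xml)
    leaked = []
    for link, when in parse_items(probe_xml).items():
        if link not in public:
            leaked.append({"link": link, "pubDate": when,
                           "scheduled": when is not None and when > now})
    return leaked


def is_vulnerable(public_xml, probe_xml, now):
    """True when the wp-admin probe returns posts the public feed does not."""
    return bool(leaked_items(public_xml, probe_xml, now))


def is_probe_request(request_target, site_root=""):
    """Flag a logged request target (path plus query) that smuggles 'wp-admin/'
    into a front-end URL. A genuine admin request has wp-admin/ at the start of
    its path under the site root; the loophole fires on the substring anywhere
    else, e.g. after index.php or inside a (possibly percent-encoded) query value.
    """
    p = urlsplit(request_target)
    path = unquote(p.path).lower()
    if path.startswith(site_root.lower() + "/wp-admin/"):
        return False
    return "wp-admin/" in path or "wp-admin/" in unquote(p.query).lower()


# Constructed sample bodies standing in for what the two feed URLs return on a
# vulnerable site: the probe copy carries one extra, future-dated item.
PUBLIC_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example</title>
<item><link>http://www.address.com/?p=101</link><pubDate>Fri, 28 Dec 2007 08:00:00 +0000</pubDate></item>
<item><link>http://www.address.com/?p=102</link><pubDate>Sat, 29 Dec 2007 08:00:00 +0000</pubDate></item>
</channel></rss>"""
PROBE_FEED = PUBLIC_FEED.replace(
    "</channel>",
    '<item><link>http://www.address.com/?p=103</link><pubDate>Sat, 05 Jan 2008 09:00:00 +0000</pubDate></item>\n</channel>')
NOW = datetime(2007, 12, 30, tzinfo=timezone.utc)  # clock frozen to the post's date

if __name__ == "__main__":
    print("probe URLs:", *probe_urls("http://www.address.com"), sep="\n  ")
    for hit in leaked_items(PUBLIC_FEED, PROBE_FEED, NOW):
        print("leaked:", hit["link"], "(scheduled)" if hit["scheduled"] else "(draft?)")
    print("vulnerable:", is_vulnerable(PUBLIC_FEED, PROBE_FEED, NOW))
```

To run it against a live site, download the first two URLs returned by probe_urls() and hand the bodies to leaked_items(); on a patched install the two feeds are identical and the result is empty. If the site uses the FeedBurner redirect plugin mentioned above, the feed probe is redirected away and tells you nothing, so compare the front page against the index.php/wp-admin/ page instead.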
The fix presented on the site does not work, so it is highly recommended that you upgrade your WordPress installation, especially if you’re a journablogger (i.e. journalist blogger) with a lot of posts scheduled to publish in the future. As an added bonus, the update also lets you easily customize the database error page if you don’t like the one WordPress generates.



Thank you. These last two posts are especially fantastic. (I love your writing style by the way.)
I’ve just updated the first of my blogs and will update the others soon. I am also adding the math challenge plugin to my blogs. I learned a lot from your recent Akismet post.
Many thanks!
# December 30th, 2007
Mmm, that could be a problem for people who post in advance.
# January 2nd, 2008
Thanks for the heads-up on the release, Teli. I was in the process of setting up the domain when I saw your post. It saved me going live and having to upgrade almost immediately. I really appreciate that.
# January 2nd, 2008
I have been visiting and reading your posts for quite some time now and I am impressed by the information I have been getting here. Thanks for the heads up. Keep blogging.
# January 7th, 2008
Teli -
Thanks for the heads up. Upgrading now!
- Dave
# January 7th, 2008
Great post. I never knew about the loop hole before. Thanks!
# January 8th, 2008
My oh my. I didn’t know that. What if someone copies all your drafts and publishes them before you do and says it’s their content?
Anyway, thanks for the update. I’m sure many out there are still unaware of it and haven’t upgraded to the latest release.
# February 14th, 2008