You can’t go out this Friday night, it’s time to update WordPress to Version 3.4.2

Holy mother of toad! Again! WordPress just loves to release those late in the week security updates.

We already know how hackers work — they do a file compare of the old WordPress version to the new one, the write some code to exploit the vulnerability, and then they set the code loose on whatever servers they already control to hack MORE servers and control them too.

Then they go out, party for the weekend, and check in Monday morning to see all the WordPress installs they’ve hacked and can add their porn links to.

You’ve got two choices folks:

1. Get hacked and have all the gurus on blame you for your negligence.

2. Stay in Friday night logging into each of your WordPress installs and clicking the damn UPDATE button and waiting for it to finish. (And if you’re smart, run a backup before you do that.) No party for you

But FINALLY there is a new third choice that actually makes sense!

3. Use ManageWP to administer all your WordPress sites and be able to update them all with ONE click. And then go out and party!

I just used it and now I get to go out and party while feeling a bit safer and secure, knowing that my WordPress sites are all updated to the latest version.

Go there, do it now, the pain of having your site hacked over the weekend is too much. Trust me: been there, done that.


WordPress – Be Ready To Be Hacked Again

Ahh… the dreaded

3.0.4 Important Security Update

…a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

Yeah. What that says to me is, “A hacker has already looked at the vulnerabilities in 3.0.3 and written a script to exploit it and deployed it on the websites he/she has already hacked so that it can go out and get access to even more web servers by simply crawling the web looking for WordPress installations that haven’t been updated yet.”

Read the rest of this entry »


Who is UlricheDmond ?

UlricheDmond using the email address just created an acount on this blog.

Since (as the domain name might suggest) this is my blog (Eric Shefferman), there’s no need for anyone else to have an account here.

I googled the name and so far found

which lists this name/email as someone who tried to hack their blog (along with a list of other hacker usernames).

They seem to be a busy person/hacker/software robot — they also signed up here on September 7 2009

and here on September 8, 2009:

And probably other places that just haven’t been indexed by google yet.

I deleted the user, but this is getting crazy. Static HTML websites are looking better and better.

– – –

Yup, an hour after I posted this, the same user/email registered on another blog of mine that is totally unrelated. This is pretty stupid since the only reason this is happening is as part of a WordPress security exploit. Someone thinks that by getting a user onto WordPress they can then elevate the user to admin level access and screw around. It’s not like I can stay up all night to try to delete these users as fast as some automated system can add them.


WordPress Security Exploits – This site was hacked

I still have no idea what this means.

I’m currently running WordPress 2.8.4 on this site.

One of my older sites was hacked as per

and the permalinks were changed to


There was a hidden user named “WordPress” — javascript was being used to prevent the user from showing in the admin users section (and it didn’t show the user in the user count). My computer is running slow, so when looking at the user list this second user would appear and then disappear as the javascript executed. On a faster computer, it would have been impossible to see the hidden user. Dumbass javascript tricks.

Read the rest of this entry »


Keep Up With
Eric Shefferman


Via Email Updates



The following link is not for people: I do not like it, Sam I Am.