Disabling XML-RPC

If you have been reading this blog for a while, you will probably realize that onMason, like many WordPress blogs, has been under constant attack by hackers for quite some time. We’ve had brute force login attacks and comment spam problems (between April 2014 and June 2014). However, I like to think that we’ve done a decent job mitigating those attacks.

The latest thing that the hackers are trying to do is to exploit the XML-RPC interface. WordPress uses the XML-RPC interface to handle Pingbacks and allow remote publishing programs like the WordPress mobile app and Windows Live Writer to work.

To mitigate this latest attack, we are disabling the XML-RPC interface since almost no users actually use either Pingbacks or remote publishing programs.


Spring Cleaning – Upcoming Upgrades

During Spring Break (March 10, 2014 – March 16, 2014) we will be upgrading the software running onMason.

We do not expect any extended outages during the upgrade process.

After the upgrade, there will be a few changes to onMason. The most noticeable change will be a new look to the admin dashboard. It will feature a higher contrast color theme (with blacks replacing the grays). However, the menu items will largely remain the same.

We will also take the opportunity to remove a number of seldom used, obsolete or broken plugins. Those plugins include:

Calendar* – we recommend that you use the Google Calendar Events plugin instead.

Do Follow* – the functionality of this plugin is already part of the standard SEO controls we offer.

Publish2 – no alternative or replacement is planned.

Widget Logic* – no alternative or replacement is planned.

Wickett Twitter Widget – this plugin will be replaced with the Twitget plugin.

*These plugins were only available to a select number of sites.

It is important for us to remove these plugins as they affect the stability and performance of onMason.


Recent issues with onMason

I’m sure some of you have noticed that onMason has experienced some times recently when the site was either inaccessible or sluggish. The reason this has been happening is that onMason has been under constant attack since April.

An unknown party has attempted to gain access to the onMason administrator password using “brute force” methods. What this means is that the unknown party tries to log into onMason several times a second using random passwords, hoping to guess the correct password. This attack does not currently pose a threat to the security of onMason as they have been attempting to access non-existent accounts.

Unfortunately, the sheer volume of login attempts has caused performance issues with the site.

We do not believe this attack is specific to onMason or any of the sites we host since similar attacks have been reported by other WordPress sites.

See:
http://www.us-cert.gov/ncas/current-activity/2013/04/15/WordPress-Sites-Targeted-Mass-Brute-force-Botnet-Attack

In order to maintain the performance, stability and safety of onMason, we have implemented the following change:

After 5 incorrect login attempts, your account will be locked for 15 minutes. Please do not try to log in again before the 15 minutes are up, as further attempts to log in can result in an indefinite lockout.
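The lockout rule described above, sketched as an added example; this is not onMason's code or the plugin it uses. The class and function names are hypothetical, and the number of attempts during a lock that triggers the indefinite lockout is an assumption, since the post does not state it.

```python
from dataclasses import dataclass

MAX_FAILURES = 5          # from the post: 5 incorrect login attempts
LOCK_SECONDS = 15 * 60    # from the post: 15-minute lock
# Assumption: the post does not say how many attempts made during a lock turn
# it into an indefinite lockout; 3 is a constructed value.
MAX_ATTEMPTS_WHILE_LOCKED = 3


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    attempts_while_locked: int = 0
    indefinite: bool = False


class LoginThrottle:
    """Tracks state per submitted username, whether or not the account exists,
    so guesses against non-existent accounts are throttled the same way."""

    def __init__(self):
        self.accounts = {}

    def attempt(self, username, password_ok, now):
        """Return 'ok', 'failed', 'locked' or 'locked_indefinitely'.
        `now` is a timestamp in seconds."""
        st = self.accounts.setdefault(username.lower(), AccountState())
        if st.indefinite:
            return "locked_indefinitely"
        if now < st.locked_until:
            # Locked: the outcome of the password check is ignored, and the
            # attempt counts toward the indefinite lockout.
            st.attempts_while_locked += 1
            if st.attempts_while_locked >= MAX_ATTEMPTS_WHILE_LOCKED:
                st.indefinite = True
                return "locked_indefinitely"
            return "locked"
        if st.locked_until:
            # A previous timed lock has expired: start from a clean slate.
            st.failures, st.locked_until, st.attempts_while_locked = 0, 0.0, 0
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCK_SECONDS
            return "locked"
        return "failed"
```

Because a correct password is also rejected while the lock is active, a user who waits out the 15 minutes gets back in, while one who keeps retrying moves toward the indefinite lockout.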

If you are accidentally locked out of your site or are experiencing any other issues due to the attacks, please contact the onMason Webmaster at webmaster@onmason.com.

We thank you for your understanding as we deal with this issue.

onMason Webmaster
Office of Student Media


Upcoming Upgrade

We will be upgrading the software running onMason on Wednesday, October 3, 2012 between 10:00 a.m. – 11:00 a.m. As a result, onMason will be periodically unavailable during that time.


Upgrade Notice

We will be upgrading the software running onMason on Thursday, August 23, 2012 between 10:00 a.m. – 11:00 a.m. As a result, onMason will be periodically unavailable during that time.


Server Upgrade (Update: Done!)

We will be upgrading servers in the next 24 hours. There may be some downtime during this process. We apologize for any inconvenience this may cause, but this is necessary in order for us to continue to provide a high level of service to our users. onMason will be ready to go well before the semester starts next Monday. Again, thank you for your patience.

UPDATE: The upgrade has been completed. Please let us know if you run across any problems.


Theme Updates

Over the past few days, we have been updating many of our themes in order to bring you added customizability and to increase the stability of onMason.

As part of this update, when you check the Appearance menu in your Dashboard, you might notice additional options. Additionally, you may notice slight changes in the spacing and alignment of elements on some pages.

All of these changes should be positive. However, if you are experiencing any problems as a result of this update, please submit a support ticket through your Dashboard. You may also leave feedback by commenting on this post.


Upgrades and privacy plugin phased out

We are in the process of upgrading onMason for the Fall semester. As part of that process, we will be phasing out the Private WP 2 plugin. That plugin’s functionality is now included as part of WordPress. Here is how you can activate it:

  • We’ve attempted to migrate all sites using the plugin to the appropriate privacy setting on WordPress.
  • If you are running the plugin, check your settings. Go to the Settings menu and click the Privacy option.
  • If not already selected, select the setting “I would like only logged in users who are registered subscribers to see my blog.”
  • Save changes
  • The result should look like below:

If you have any questions please leave a comment below.

We will be turning off the Private WP 2 plugin at the end of the week.


System upgrade… and a Userthemes error

Hello onMason users!

It’s been a while, I know, but I come with good news! The onMason site has been upgraded to a newer version of WordPress-MU. Things should be running faster and more smoothly now.

Unfortunately, with every upgrade, there’s the chance of an unexpected error coming from the system. Please keep an eye out for us and report any errors you encounter via the comments on this post or by filing a support ticket.

We’ve only encountered one error thus far: Userthemes, which allows users who have requested the ability to edit their themes to do so, seems to have reacted oddly with the latest upgrade. It may list an excessive number of themes copied to your account and it may not give you access to the edit page in UserThemes. We are aware of this difficulty and working quickly to resolve it.

Thanks for your patience and understanding,

-Aram Zucker-Scharff


On Downtime and a New Podcasting Plugin

Hello all,

First of all, I’d like to apologize for the recent downtime. The issue was not with onMason but with an impossible-to-anticipate server hardware fault.

The problem was within the server’s RAID, which is a set of redundant hard drives designed to automatically duplicate file systems and spread out data to minimize loss. That set of HDDs is governed by their own set of hardware and software and I believe it was the governing mechanisms which were experiencing issues. Because the method by which the HDDs are accessed has been malfunctioning, there was a problem keeping them active or reaching them in order to transfer the data. However, the server host transferred onMason to an entirely new set of hardware.

The server seems to be working fine now. However, due to frequent problems with the current host and communications issues, the Office of Student Media is now in the process of seeking out a new server host.

Now, on to the good news! podPress, the best podcasting plugin out there, has finally upgraded to work with the latest version of WordPress. We are very, very happy to install this as an option to activate as a plugin. If you are already using the Blubrry plugin, we’d recommend you carefully consider what would happen when you switch and make sure that all the info is properly ported over. If you are not using any of the plugins but are interested in making a podcast, podPress makes it easy, so activate it in your plugin page today!

-Aram
onMason Admin