The ability to leave comments on eduBuzz sites has been temporarily disabled by our hosting company, DXW, to protect against a WordPress security vulnerability identified at the weekend; details are below. One of the benefits of using such a popular application is that bugs are quickly identified and addressed, but it does also mean, as with any other popular software on the internet, that there are many malicious people who seek to exploit them. DXW are doing absolutely the right thing here, and experience tells us that the security vulnerability will be quickly fixed.
Due to a critical security vulnerability announced on Sunday evening, we have disabled commenting on all dxw-hosted sites.
In so doing, they would be able to entirely take over your website, adding or removing any content and taking any action that an administrator is able to complete through the admin area.
Due to the seriousness of this flaw we have disabled commenting across the GovPress platform pending a patch from WordPress. We expect that a patch will be released quickly and we will deploy it as soon as possible.
We have also posted this security alert on the dxw blog, and will make further updates there. If you have any questions not covered by the blog post, please reply to this alert to create a ticket.
This is an update on the recent incident.
The hosting company have now restored the majority of the uploaded files (57,665 of ~68,000 files) from backup.
The files which cannot be restored are those uploaded since around November 2013, when the site was moved to its new hosts.
- Arrangements are in hand to contact contributors who uploaded document files which are still missing. Where new copies of the same files can be provided, the hosting company will replace them exactly as before.
- It is not practical to replace image files in the same way.
If your site’s appearance is being affected by missing image files, e.g. because a header image is still missing, these will need to be replaced manually. Please contact us (firstname.lastname@example.org) for assistance if required.
We learned this week that there has been a major incident affecting the files which have been uploaded by our staff and students to their schools' eduBuzz WordPress sites.
We now know the extent of the problem, and this post is to share that information, and advise you of current recovery plans. Please share it with other staff as appropriate.
Many images around the eduBuzz WordPress sites are currently not displaying properly. Many other uploaded files, such as PDF documents, are also inaccessible.
The image on the left is a screenshot showing what visitors to the sites see where image(s) should be. This example was obtained using Internet Explorer 9; other browsers might handle the situation differently.
Attempts to access uploaded files such as PDF documents are causing the error message “Forbidden” to be displayed.
A support call has been raised with the hosting company, and they are currently investigating.
eduBuzz WordPress sites (blogs) are now using a new system for protection against spam comments.
Over recent days increasing numbers of spam comments have been getting through, leading to an excessive number of comment notification emails and spam messages to be dealt with.
This is a relatively common experience with interactive web sites, as the people behind spam comments are always trying to defeat protection systems.
The system now in use provides much more variety in the “captcha” puzzles it presents. This will unfortunately mean that the familiar East Lothian place names are no longer used, but we hope that the new system doesn’t cause too much difficulty.
Your feedback on the new system would be appreciated.