Improving Gravatar (the service)

The problem:

Gravatar hashes are somewhat easy to crack. Websites are super easy to scrape. Sites with Gravatar URLs in the img-src or profile link make it trivial to generate lists of hashes to crack. Other data available on sites and in Gravatar profiles can be used to generate targeted wordlists, which make cracking a large proportion of the hashes much quicker: seconds rather than days.


A Slack bot that gets the last three posts from a WordPress site

This Glitch project grabs the latest three posts for WordPress sites which are using either the WP REST API or the WP.com version via Jetpack. It uses MongoDB for persistence. It’s not super exciting or well written, but it is a fairly effective way to mindlessly try sites on Slack and see if they have the WP API somewhere when you’re a bit bored. (Try Glitch. It’s fun.)

Keeping your email address safe on Gravatar enabled sites (or if you don’t know if it is or not)

Do you consider your email address to be private information but use it to register and comment on WordPress-powered sites? Many WordPress sites use Gravatar to provide the avatars on comments and user lists, and this can be an issue if you do.


How does WordPress know if a pending post hasn’t been published yet?

If WordPress has a newly created pending post, when you publish it the timestamp on the post is set at the time of publishing. If you publish a post, then set the post status to pending, the timestamp does not update when you re-publish it. How does it know? And why does it matter?
