I use NetPhotoGraphics to handle a 2.5 gig gallery, spanning back 20 or so years. The gallery used to be a home grown PHP script, then it was Gallery, then Gallery 2, then ZenPhoto, and now NetPhotoGraphics (which ostensibly is a fork of ZenPhoto, but diverged in a way I’m more supportive of).
Anyway. I use this gallery in conjunction with a WordPress site. I’ll post news on WordPress and link to the gallery. But for years, to do that my choices were:
make a text link
make a photo which is a link
copy all the thumbnails over and link each one
Those all suck. Especially the third, since you can’t (out of the box) custom link images in a gallery in WordPress and frankly I don’t like any of the plugins.
Once upon a time, I used a ZenPhoto plugin, but it’s been abandoned for years and stopped working a while ago. I needed something that had an elegant fallback (i.e. if you uninstall the plugin) and seriously thought about forking the WordPress plugin…
But then I had a better idea.
Why oEmbed?
oEmbed is an industry standard. By having your app (Flickr, Twitter, your WordPress blog) offer a custom endpoint, someone can embed it easily into their own site! WordPress has supported many embeds for a long time, but as of 2015, it’s included oEmbed Discovery. That’s why you can paste in a link to Twitter, and WordPress will automagically embed it!
I maybe wrote an oembed plugin for another CMS so I could embed things into WordPress… Because the other option was a MASSIVE complex WP Plugin and FFS why not?
(Note: I shut down my twitter account in November ‘22 when it was taken over by a narcissist who brought back abuse.)
I just pasted the URL https://twitter.com/Ipstenu/status/1441950326777540609 in and WordPress automagically converts it to a pretty embed. About the only social media company you can’t do that with is Facebook, who requires you to make an app (I use Jetpack for it). Anyway, point being, this is also how tools like Slack or Discord know to embed your content when you paste in a link!
By making an oEmbed endpoint, I allow my site to become more shareable and more engageble, which is a net positive for me. If I do it right, out of the box it’ll allow anyone with a WordPress site (i.e. me) to paste in a URL to my gallery and it looks pretty! Win win!
The NetPhotoGraphics Plugin
Now. I’m a terrible designer, so I literally copied the design WordPress itself uses for embeds and spun up a (relatively) fast solution: oEmbed for NetPhotoGraphics.
The code is one file (oembed.php) which goes in the /plugins/ folder in your NetPhotoGraphics install. Then you activate the plugin and you’re done. There are only one thing to customize, the ‘gallery’ icon. By default it grabs a little NPG logo, but if you put a /images/oembed-icon.png image in your gallery, it’ll use that.
And does it work? Here’s how the first version looked on a live page:
I wanted to limit the images since sometimes I have upwards of 200 (look, episodes of CSI are a thing for me). And frankly pasting in a URL to the gallery is a lot easier than drilling down on a list of a hundred albums. This is exactly what I needed.
Since the creation of that, I worked with netPhotoGraphics and he helped me make it better.
One Bug and a Future
There’s room to grow here. Thanks to S. Billard, we’ve got a lot more flexible. You can override the basic design with your own theme, you can replace the icons, and there are even options to adjust the size of the iframes. Part of me thinks it could use a nicer design, maybe a single-photo Instagram style embed instead of what I have, but that’s not my forte. Also I have yet to get around to putting in ‘share’ options. (Pull Requests welcome!)
And yes, I know the security isn’t ‘enough’ but I wasn’t able to get it to work how I wanted due to a weird bug. You see, I did run into a rare quirk with WordPress due to how I built out the site. IF you have your gallery in a subfolder under/beside a WordPress install AND you try to embed the gallery into that WordPress site, you MAY find out WP thinks your embed is WordPress and not NPG.
In my case, I have:
example.com – WordPress
example.com/gallery – NetPhotoGraphics
I guess WordPress reads a little too deep into who’s WP and who’s not, which resulted in me making this WordPress filter:
The posts and the theme are in the same repo, but stored under ‘Content’ (which has data, posts, and static) and themes (which has … the theme)
Most of the changes are in the post content
Okay, now this is not a conversation about why (or why not) use Hugo. I like it for my pretty much text-only wiki type content, in that it lets me keep things organized and usable from everything including my iPad.
But this use of Hugo comes with a cost. One of the reasons people love CMS tools like WordPress is that you can edit in your browser, and frankly that’s super easy. Using a static site builder, you have to run (somewhere) the static site build command. For a while I had a ‘deployme’ local command that did this:
Not super complicated, right? I have it on my laptop but it means I can’t always push code. Like if I edit directly on Github or on my iPad.
Normally I’d look into something like Codeship (which I’ve talked about before) but … I thought it was high time I sat down and made things simpler.
What’s Simpler?
In this case, simpler means “fewer moving parts that could go wrong.”
See I love Codeship, it lets me do a lot of cool things, but it’s also a little fragile and (honestly) sucky when it comes to Hugo. Creating a server and running hugo took longer than it did on my laptop. A lot longer. Many minutes longer.
If I ran it locally it was a few seconds:
Start building sites …
hugo v0.87.0+extended darwin/arm64 BuildDate=unknown
| EN
-------------------+-------
Pages | 1762
Paginator pages | 0
Non-page files | 0
Static files | 92
Processed images | 0
Aliases | 2
Sitemaps | 1
Cleaned | 0
Built in 1562 ms
When I did it on Codeship it would be 5-14 minutes! That’s crazy, right? Which is why I moved off Codeship and down to local. But that came with the cost of limiting when and where I could run anything. While my code is super simple, it’s also silo’d and that’s bad.
In order to achieve simplicity, what I really needed is code that runs from Github. Or on the server where the site is. Back in ‘the day’ I installed hugo on the server, but also Git! That means I pushed to my git repo, which was on the same server, and I used post-commit hooks to deploy. I’ve toyed around with a few iterations, but then I moved to a new server where I didn’t install Go because … I didn’t need it.
And that means here, simple is:
runnable from anywhere
automated
restricted when needed
not crossing multiple services
Which led me to Github actions.
Github Actions
This is a service from Github.
GitHub Actions makes it easy to automate all your software workflows, now with world-class CI/CD. Build, test, and deploy your code right from GitHub. Make code reviews, branch management, and issue triaging work the way you want.
In other words, Github saw us all using Travis and Codeship and thought “We could do that and keep people here, right?”
But Actions goes beyond just automation. The Actions interface allows you to run tests, builds, checks, and, yes, deploys. It’s an order of magnitude faster than tools like Codeship because it’s a stripped down, basic interface. It’s also controlled by Github so you don’t need more access than committing code.
There are some cons, though. One of the headaches with Codeship was that when Hugo updated, Codeship might just … stop working right. So you had to find the magic sauce to make it work. With Github Actions, you’re using ‘actions’ built by other people a lot of the time, and if you’re familiar with the drama that happened in npm a while ago, you may share my fear of “What if someone else deletes their action…?”
Yeah, I have concerns/
main.yml
Here’s my code:
name: 'Generate and deploy'
on:
push:
branches: [ production ]
jobs:
deploy-website:
runs-on: ubuntu-latest
steps:
- name: Do a git checkout including submodules
uses: actions/checkout@v2
with:
submodules: true
- name: Setup Hugo
uses: peaceiris/actions-hugo@v2
with:
hugo-version: 'latest'
# extended: true
- name: Build Hugo
run: hugo --minify
- name: Deploy to Server
uses: easingthemes/ssh-deploy@main
env:
SSH_PRIVATE_KEY: ${{ secrets.SERVER_SSH_KEY }}
ARGS: "-rlgoDzvc -i"
SOURCE: "public/"
REMOTE_HOST: ${{ secrets.REMOTE_HOST }}
REMOTE_USER: ${{ secrets.REMOTE_USER }}
TARGET: "/home/username/domain/library/"
#EXCLUDE: "/dist/, /node_modules/"
There are a number of alternatives, but I picked peaceiris/actions-hugo because that developer is well known and respected. And while there are all-in-one Hugo build and deploy, I decided to separate them because I linked peaceiris’ code. This meant I needed an Rsync or ssh deployment. I settled on easingthemes/ssh-deploy because they strongly encouraged the use of secrets, and that’s a good sign to me. Also it’s heavily recommended by Flywheel, and a I cannot imagine them being reckless.
The only ‘gotcha’ I had was the directions about how to setup SSH was not great.
To make it work, you need to create a pem key on the server:
ssh-keygen -m PEM -t rsa -b 4096
Then you need to put that key in a secret (I named mine SERVER_SSH_KEY). But what they don’t mention quite as clearly is what this means:
Private key part of an SSH key pair. The public key part should be added to the authorized_keys file on the server that receives the deployment.
Yes, they’re saying “the public key for your own server has to be on the authorized_keys for the server.” And yes, that’s a weird thing to say, but there it is. That means you copy your own key from your server at ~/.ssh/id_rsa.pub (the .PUB is the part that explains this is a PUBLIC key) and you paste that in to the end of ~/.ssh/authorized_keys on the same server. Yes, it’s really funky.
My ongoing concerns
I mentioned that there are security issues. I spend a lot of time in WordPress plugin land, where people could commit nefarious code to a plugin any day. Some do. I’ve banned enough people from .org for stupid stuff like that. And some of Github’s advice matches my own: the only way to be safe is to do the damn research yourself.
But that’s not really something most people can do. And it’s something for a longer post in general. My short list of concerns right now is:
the action I’m using is deleted
the action is edited and breaks my flow/injects malware
the action is used to steal my credentials
There are ways to mitigate this
I can use actions made and managed and maintained by Github only (those are under the Actions org) — those are unlikely to be deleted and can be trusted as much as Github
I can make copies of the actions I want to use (and periodically remember to update them…)
I’ve been using Tiny Tiny RSS for … well years. Almost a decade. I like it a lot, the interface is nice and pretty to use. But there have always been some serious lingering issues with it.
The developer is very opinionated, to the point of aggression
The development is Docker, to the point that non-Docker support is non existent
Support for ‘non modern’ browsers means Safari is not supported
Now I’m opinionated, and I can be curt and blunt at times. And I work with a lot (A LOT) of people who are similar. I do plugin reviews for WordPress.org — trust me, I know from opinionated developers. I have lost track of the time I’ve spent arguing with prima donnas who cannot fathom that their code might not be god’s gift to the universe.
The majority of people, thankfully, are not like that. They recognize no one is perfect, they understand that sometimes you have to make allowances in your code for the sake of a system, and most of all they aren’t aggro when told “no.” (If you find yourself getting pissed off, BTW, when someone reviews your code, yes, I’m talking about you.)
Anyway. Andrew Dolgov is an amazing developer, a talented one at that. But he has a very ‘my way or GTFO’ kind of flow, and since it’s a single-man project, I really do get that. And for the time that he happily supported PHP on whatever, I didn’t care. The code worked, he didn’t have any strong opinions that offended me (like being a Nazi sympathizer, and yes, I’ve ditched software I love for that), and so what if he was a bit prickly?
But… He’s Docker all in. And I like Docker, but I don’t want to run it all the time, and certainly not for a flippin’ RSS reader that is PHP and SQL and that’s it. As time went on, it got harder and harder and harder to manage and maintain a slight fork, to the point that it’s just not worth it.
The Replacement: FreshRSS
FreshRSS. It’s a barebones, simple, easy to install RSS reader. How easy? It’s practically a ‘famous five minute install.’
The install was to download the latest release, unzip it on my server, and then I went to the URL where I’d installed it ( i.e. https://example.com ) and entered the DB credentials. Then I made a new account and boom. Done.
Much like with TTRSS, I have to set up a cron job to run the refresh, which I set to hourly:
Don’t waste time with the various plugins, they’re not supported and in my experience, don’t work. Also if you’re mystified trying to find out how to export, it’s not just you. I had to trawl through the forums to find an example that didn’t work, but did link me to the code and I was able to figure it out from there.
Once you have that, save the OPML file and pop over to FreshRSS and import. It will keep your categories and everything.
Yeah, that was it!
The Tweaks
Most of the settings are fine as is. I turned off the option to mark as read when I scroll by (I regularly use unread to know what I need to handle next):
I also added in a filter to mark a specific feed as read unless it mentions a keyword which was as easy as a filter for -intitle:keyword to that feed.
Something I knew would come up after I posted about my ongoing harassment is the question “How do we fix this?”
Now, the cause of all this actually can be boiled down to two things:
A systemic failure of social services to help those in need
The overall lack of awareness of how tools are abused
I can’t really fix the first one. The world is broken on many levels and the fact that people in pain and anger have no help, and thus lash out in anger at me, at you, at people who write code, at people just trying to help … That’s all of us. We need health care (physical and mental). We need fair and equal pay. We need a living wage, not a minimum one where companies literally pay you that because they don’t have to treat you like a human.
That one is huge.
But the other problem? That’s why I posted.
How Can Code Be (Ab)Used?
When we write code, and this is pretty much all of us, we’re trying to solve a specific problem. Sometimes that problem is huge, with multiple layers and facets and complexities that make us look like a scene from “A Beautiful Mind.” If we’re lucky. Usually we look like this guy”
Regardless of how twisty-turney our code is, though, at the end of the day the question many of us forgot to ask is “What’s the worst thing someone can do with our code?”
Let me give you an example.
“What’s a bad thing someone can do with Akismet?”
Right? It’s an anti-spam plugin that checks via a closed-API (meaning, I have no idea how it works) so it’s not easy at all to abuse, you might think. Well, without any forethought, the very first thing that comes to mind is I could write a bunch of clearly spam comments, spin up my VPN, and use someone else’s email address to leave spam comments on a hundred or a thousand blogs. That would get the email flagged and they’d probably have to constantly struggle until they figured out why, if they ever could. All they’d know is their comments never show up. Give me a couple hours and I could automate that, set it out into the world, and reap the joy of annoying someone.
I’m fairly certain I just screwed up someone’s day with that, by the way. Sorry/Not Sorry friends over at Akismet. Because that’s my point. If Akismet has not already sat down and made a list of all the shitty, terrible, vile things someone could do with their product, they’ve failed to fully protect its users.
Disruption Makes Harassment
When we build to ‘disrupt’ we do so with the knowledge we’re breaking the system. Sometimes we’re breaking it stupidly, like “Uber is disrupting taxis!” really is “Uber figured out that people would rather know what they’re going to pay, and wanted an easy way to hail a gosh darn taxi in the first place! Let’s go!” And yes, I have a low opinion on the ideas to ‘revolutionize’ the bus system (spoilers? invest in public transportation, not privatization).
The thing is, we continue to attack a single, specific problem. Big, large, whatever, we’re solving a thing.
But the problem with this is our disruptions create opportunities for harassment.
Did you get a delivery from Instacart or DoorDash? They know where you live and what you eat. Those are all known risks of course. Could someone roofie my food or tamper with it? Sure! Now the solving of that falls onto the people who package the delivery. Restaurants will tamper-proof seal their deliveries, but that’s on them. What did DoorDash do? Nothing I can find. Instacart? Most of their stuff is pre-packaged, but if you get fresh fruits etc, gosh they could. It’s like those stupid Halloween rumours we heard growing up. None were true, but …
Uber received 235 reports of a rape occurring during a ride in the United States in 2018. Those are the numbers of reported cases, provided by Uber. Remember, rape is wildly underreported in the US (probably everywhere). Now think about all the information an Uber driver has on you? They know where they picked you up, they know where they dropped you off, and they know your name. And they can get your phone number.
All those great innovations? Actually yes. They’re really helpful to people! Calling a car to your door that’s more reliable than a Taxi? Hell yes! But they are incredibly easy to use to harass someone. Of course they require you to be in the same general location, but still. What are they doing to make us safer? What about the drivers? Someone I know quit driving because the guy wanted her to drop him off inside a super suspect parking lot. She dropped him off outside. He called her a four letter word that starts with a C.
Social Media Makes Monsters
I’m sure I don’t have to list out the problems with social media. If someone harasses me, I block them, but they can make a new account and a new account and a new account. They can get a VPN and a fake email, and we’re always and forever behind the 8 ball catching and stopping.
Why do Facebook moderators have PTSD? Why do content moderators on YouTube have to sign a waiver agreeing that they know their job may case mental breakdowns, and it’s not YouTube’s fault?
And the answer here is because our solutions are HUMANS.
We disrupted communication, but we opened the door for harassment because there was little to no forethought put into how to protect anyone. In fact, I bet I know how the conversation went (spoilers? I had this conversation with someone):
“Hey, someone could make a hundred fake accounts all to call someone a jackass.” “Yep. No point trying to stop that. We block ’em they’ll just make new accounts.” “Yeah, good point. Okay, next item on the agenda? Bots!”
Oh yeah, Bots totally extended from that problem. I used to use something called Block Together to catch and block bots and spammers and harassers, but the fact that it shut down and Twitter never made anything better is … well it tells a story, doesn’t it? Can anyone tell me what Twitter’s done?
Well they, and Facebook, claim to be using machine learning to find and track abuse, but here’s the funny thing. I have a friend who has been permabanned from Twitter for telling someone to jump in a volcano. The claim was she was violent and sent a legitimate and plausible threat. About a volcano. Which she does not own. I mean, do any of us? it’s not even that it was a bad joke about suicide, it was flagged as a violent threat.
Want to know how that happens? It’s easy. She tells a man to shove it, he and his friends mob-report her, Twitter’s AI decides “Gosh, if all these people flagged her, it’s real!” and ban her. No appeals. Done. And this story is repeated over and over, that the AI caught something (people talking about black and white chess pieces was pretty recent), banned someone, and that’s the end of it.
All this is not to mention the ongoing racist and sexist biases of AIs, like how Asian people can’t use FaceID, or how Google’s AI labelled black people as gorillas? All of those things come down to the problem of people with biases (which is a systemic issue related to the failure of social services) building AIs and not thinking about the abuse therein (which is … an us problem).
To put this a different way, we’ve been fighting spam in email since email was born, and everyone still gets some in their inbox. If we can’t win with that? We’re never going to win with an AI and abuse.
Democratizing Abuse
Now, I’m going to say something controversial.
WordPress democratized abuse.
I’m not talking about WordPress.org and the forums and plugins and themes. I’m talking about your blog. If you have comments open, what’s to stop someone from leaving comments pretending to be you? Heck, if you have comments open, what’s to stop someone from leaving comments pretending to be ME? How do you ban someone from your site? How do you ban them from a network? How do you stop them from making an account or email one after another and using your contact form to be a jerk?
I have 10+ rather insane messages from a contact form that tells you that even for me, someone who is pretty much awesome at WordPress code, this is not easy. For a long time, you couldn’t filter contact form messages to block spammers on Jetpack. How long? Well I opened the ticket in 2014, so it was a long time until 2020, when someone else made a new ticket about.
Is all this WordPress’ fault? Absolutely not! I don’t have to have comments on most of the time, or a contact form. You’ll notice I have neither on most posts on this site, and it’s for a reason. Abuse and harassment. In fact, WordPress gives me the agency to both harass people via my blog (if I wanted to) and protect myself from the harassment by others. That’s a fun one when you say it out loud, ain’t it?
WordPress is a weapon, like all websites. When wielded by the good and just, it’s a weapon for good and justice. When it’s not? Let me just point out that there are a lot of ‘revenge porn’ type sites out there, powered by WordPress. And again, none of that is WordPress’ fault.
We built WordPress to make it easier to publish whatever we want, whenever we want. We build features and plugins and themes to share stories. Not all of those stories are good. Some of them are abusive. And while there are already laws out there about it, technology is a massive whole of lawlessness where the laws can’t be applied.
We’ve all heard “Guns don’t kill people, people kill people.” Some of you even know the common retort “Guns make it a heck of a lot easier, though.”
WordPress isn’t the harasser, but gosh it makes things easier. And if that doesn’t give you chills and nausea, you’re not paying attention to the world. It sure scares the snot out of me.
The Open Consequences Net
I have to preface this bit with the fact that I don’t believe in ‘Cancel Culture’ but I do believe in consequence culture. Do I think you should be ‘canceled’ for telling a single off-colour joke 5 or 10 years ago? Hell no. But do I think you should be canceled for telling multiple jokes, being a defensive jerk when called out on them, and showing your literal penis to people? Hell yes.
Actions have consequences. Or at least they should. And the problem we’re facing is that by making an Open Internet, which I’m in full support of, we failed to put in any way to enforce consequences. Everything is silo’d so I can ban you from site A or B, but not C or D. Worse, because you can make another email or get a new IP, I cannot permanently ban you forever, just from each account.
Basically? We built something so wild and free and open, we cannot contain or control it anymore.
Can We Fix It?
This is the part where I tell you how much I hated making this post.
See, I have no idea. Seriously.
Even if we make the internet ‘invite only’ (as if that was possible), it’ll still be abused. But I don’t think that means we should do nothing. I think we’re not doing enough to make it difficult and hard for abusers and harassers to get a foot in the door. We’re making it so the only way people can protect themselves is to simply not be social online. Given the pandemic, I suspect you can all see why that’s a flawed prospect.
Everything we need to do needs to be balanced. For example, it’s easy (and probably right) to say we need to begin to disrupt ‘anonymity’ but… What about people who can’t say who they are for fear of retribution? I immediately think of all those kids out there who are terrified for their ultra conservative, homo-hatin’ family members to find out they’re queer? They should be allowed to be anonymous and learn that there’s a world out there who loves them.
I do like to bag on Twitter and Facebook for their lack of nuance when it comes to handling harassment and abuse, but I am also a realist. At their scale? How the hell do you tackle things? The only answer is really to throw more humans at it which would make more jobs, but it’s some of the most soul destroying work you’re ever going to do. And they don’t see it as a beneficial investment, so they’re not going to pay the people who do this a solid wage, with great health care, rotating them in and out so they don’t flame out.
WangGuard worked in two different ways: as an algorithm that I had been refining for 7 years, and which was getting better as the sploggers evolved, so that it was always one step ahead of them, and also as human curation, in which I reviewed many factors, among them sites of sploggers to see if their content, could improve the algorithm and make sure that it worked correctly both when it was blocking or not blocking a site. The great secret of WangGuard was this second part. Without it WangGuard would not ever have become what it was.
This human component is what I have been doing for 7 years, and also what has led me to close WangGuard (along with other considerations that are not relevant).
And I have to agree with Jose, doing that job eats at your soul. The ‘fix’ is to change the world, and that’s just exhausting.
What Can We Do?
When you make a product, ask yourself “How can this be abused?” If you can’t think of anything, look around the room of the people you’re working with. Are they all from the same ethnic or socioeconomic background as you? Get people who aren’t. Get minorities in the room. Get PoC, get women, get queers, get kids. Get people who didn’t go to college, those who did, those with and without children, those from other nations. Get them and ask them “Hey, what’s the worst thing you could do to someone else with this?” Ask them “Do you see any flaws?”
And then? Listen to them. If women tell you “That’s going to make it impossible to stop people from sending us dick-picks” take it seriously. But for the love of Pete the Plug, take them seriously.
This means we are all going to have to accept when we’re wrong, when our ideas have flaws, and learn from those moments. It’s hard! We don’t want to hear our great idea is screwed up, but sometimes it is.
We’ll never change the world for the better if we cannot change ourselves.
So here’s a fun question… Say you’re being harassed or bothered by a single person. Do you block them?
This should be a simple answer, right? Obviously block. If you block, you don’t have to see them, they can’t get to you, it’s great. Except, as anyone who’s been harassed will tell you, if the person is particularly an asshole, they will make more accounts with which to try and contact you! I’m not joking when I saw my particular headache has used over 100 separate emails. Even if you report them to the email services as soon as possible, some will tell you “There’s nothing we can do to prevent abuse.”
That’s a different issue for another post. This one is … do I block or not?
The ‘dude’ in this story is an amalgamation of at least five separate men, all of whom did the same thing, and all of whom claim to be ‘woke’ feminists. No names are mentioned nor will they be, but I suspect they’ll see themselves…
The ‘splain Drain
There’s no way around this one, and some people I know on Twitter do this. If you block people on an account, they use another. I’ve blocked people for being perpetual mansplainers. Like someone who was offering advice on how to travel after it was mentioned a friend and I were going to a specific location he was familiar with. Now, you’d think “Oh but he meant well, right?” The problem was he had a history of un-thinking hot-takes. We were going to a specific convention (not WordCamp) and we knew we’d be working that con basically 12 hours a day, making notes, recording interviews, and so on. Our goal was not to to that town and party, it was work.
The advice? Lots of places to have fun, how to handle working conventions, etc etc.
Now. Anyone who actually knew us and followed our tweets knew that my friend and I had all that locked down. We’ve worked cons before, ones way the hell bigger than this one, and we knew how to handle ourselves. We knew how to optimize our packing, how to prioritize, and we were not asking for advice or help. Simply, we said we were excited to go to this event.
Again, you could think “Oh but he meant well.” The thing was, he took zero time to read the room. He didn’t scroll back and see the older tweets, he didn’t see any of the conversations prior. He saw one moment, and jumped in. All of the other comments were about who we were going to meet/interview, how nice it would be to be at a convention like that, tech talk about devices and charging and packing and carrying. We weren’t going to go to party, we weren’t going to go to fancy restaurants. We had jobs.
If you’re a woman in tech, you’re tired of that behaviour. Because now it’s suddenly your job to roll back, re-explain everything, and thank this person for their time but you’re good. And I have to tell you, it’s exhausting to do that over and over and over. I cannot begin to tell you how many times my reply to someone has been “Thanks, but per the discussion, we’re doing X. Please re-read the whole convo.”
It is an ongoing, perpetual drain that men (and yes, I do call out men here) jump in with ‘help’ without giving anyone the respect and time to actually read the freaking room. They don’t do the research, they don’t read the scroll back, they don’t even ask “Is this all sorted out or can I help?” They assume that you need help, and they believe they’re the one to do it.
Mute Them
I’m sure a lot of guys I know are pissed off at me right now, but guess what buddies? That’s why I mute a lot of you. Some women too, yes, and if a single one of you idiots jumps in with ‘not all men!’ I will escalate and block you, because the ‘all’ isn’t the point. The point is that a majority of men (especially in tech) do this. They are the Hero. The Saviour. The Champion. They can help YOU!
So when people, of any gender, jump into my timeline and offer advice where they clearly have not read a blessed thing, I mute them. The guy I’m talking about who mansplained? Wanna know what he did? He kept on explaining how he was trying to help. My friend told him “Thanks but no thanks.” and I didn’t reply at all, but he went on. So I blocked him. And that sucked, because he was someone I did like as an acquaintance. I’d even gave him asked-for advice to get a better job. He has one now, and I’m happy for him.
Anyway. Blocked him, moved on, and a couple years later he had yet another hot-take which was also entirely wrong. It really doesn’t matter what the subject was, but what matters is I was complaining about a stupid part of a contract that told me I was to do thing A in advance of a release but also not to do thing A until after the release.
So I complained about this on twitter, remarking how daft it was. One of the blokes I’d muted hopped on the reply-train to tell me that’s because I wasn’t really part of the process.
Repeat that meme above, eh. Signed contract. Told I was supposed to to X for the process, but also not to do it… And if you’re wondering “Mika, didn’t you block him?” yes, yes I did. He used another account to contact me with another bad take. A 100% incorrect take, born of his own ignorance about the subject matter and the contract. I replied, correcting his assumption (and at that time not realizing who he was).
The next reply from him was that he actually had understood but he wanted to say something ‘different.’ At that point I thought ‘this sounds like one of those guys …’ and I looked at the account. Oh yes, it was. But I thought maybe he was redeemable, maybe he’d changed, and I asked him if he had any experience or expertise in this area at all (it’s not WordPress related). That reply was the nail in the coffin. He said it was a joke, he offered to explain the joke, and he said I knew who he was, and his credentials were available.
Right. I replied, told him the joke wasn’t funny and if it needed to be explained, it was a bad joke, and I muted him.
My thought process was as follows:
Someone who always replies with ‘jokes’ isn’t someone I feel like listening to.
People who reply constantly with ‘jokes’ aren’t listening to me in the first place, they’re listening for bullet points they can joke about.
The ‘it was a joke’ defence suggests it wasn’t a joke, he knew that, and he’s hurt I called him out.
Anyone who tells me his credentials are online, and yet flat-out cannot be bothered to correct his assumptions about mine is disrespectful.
I already blocked his personal account.
Why not block?
Well. As you can see from this story, I had already blocked him and he was using a secondary account to follow me and comment on things. Did I know, prior to the conversation, that he was in charge of that account? Not at all. I had no reason to look. Now that I have looked, I see his feed is still filled with low-key racism and ignorance all over the damn place. He probably doesn’t even see that, and if he figures out this post is talking about him, he’s probably livid.
But again, this isn’t about Mr. Mansplainer, it’s about why I didn’t block him right away. I muted him.
I didn’t block him because I don’t want to encourage him to make a third account (or use another one he already has) to try and talk to me. I just don’t want to hear from him.
And that is a decision that women online make every day. We recognize that blocking people just makes them madder and that sometimes they jump around and use more accounts to be jerks. It’s happened time and again to me, I’m sure it will again, and it’s why I heavily mute people all the time.
Amusingly enough, I’ve been blocked by a couple people I’ve muted, one of whom screamed murder because I didn’t accept his DMs. I don’t accept DMs from anyone I don’t follow for a reason: I’m tired of people being assholes. So it wasn’t personal, John Doe, but way go.
Okay but … How can I mute on my site?
You mean comments and contact forms? Good question!
First? Turn off comments and remove your contact form. You don’t need them most of the time. If you do want them, for the love of the flying spaghetti monster, use the comment moderation tools! In WordPress go to Settings > Discussion. Now, add in their info. Twitter handles and emails go directly into the Disallowed list. First names (especially if they’re common) go into the moderation list.
But this is also where I’m kind of a bad person. See, if I have someone who is a jerk in emails and I know they may use a contact form, but as I’ve been saying since 2014, you should be able to blackhole their messages. By blackhole I mean their emails should appear to be sent, but you never see them.
In short? They’re treated like spam. This sometimes has the side effect of them being flagged as spam elsewhere, which is why I’m kind of a bad person, but to be honest I don’t care at this point. I want them to go away.
The downside to this is a lot of plugins don’t have a way to do this. I have spent a lot of time writing code for Contact Forms that actually blocks people (or spams them) when they’re people I’m done wasting my time with. I do think more contact forms need to make this a built in option. “Use your Disallowed lists to block …” but that is a different conversation.
How can I make sure I’m not muted?
If you’ve gotten this far, and you’re angry or you think I’m an asshole for blocking you or posting ‘about’ you, first you should know this: this post is actually about five separate guys. So if you’re seeing ‘you’ in this, you’re not alone, and I’m probably not the only person who wrote you off. Here’s my advice:
Think before you reply. Read the tweet/post, look at the other replies or the followup posts. If you’re not sure, err on the side of respectful caution.
Stop all ‘hot takes’ and ‘joke’ replies unless you know the other person really well.
If you met someone at a WordCamp or chatted online, you DO NOT actually know them really well! You are causal acquaintances.
If someone tells you ‘that isn’t a funny joke’ you reply “Sorry.” and shut the hell up.
If you have to explain the joke, you screwed up, it wasn’t funny, and you’re the one in the wrong.
If someone blocks your account do not use a second account to get around it.
If you’re super mad that someone disagreed with you, walk away. You don’t owe them your time.
If you’re blocked, don’t ask why you’ve been blocked.
Now once in a while people will hit me up and ask why they were muted/blocked. I’ve replied to one of them, and that was because I took one look and thought “Hang on, I like him! What the hell?” And I looked and found out my old block tool had caught him for retweeting someone I’d blocked (he was explaining why the other guy was a dingus). I’ve turned that off.
And I know someone is thinking “Wait, you said don’t ask.” Here’s the thing, that person I unblocked? Did not ask! He just pinged in another venue and said “Hey, I read about your dad dying and I wanted to say how sorry I am. You always talked about him so kindly. I would have tweeted but apparently I’m blocked. I’m sorry for whatever I said.”
Isn’t that nice? It caught my attention. I looked, I unblocked. Because that was someone who acted like a human, didn’t expect a goddamn thing from me, and wanted to treat me like a human.
Lately I’ve been getting a lot of ‘vulnerability’ reports.
I use the term loosely because the reality is these are not actually serious vulnerabilities. A couple months ago I started getting a lot of weird reports like this:
A FLAW FOUND ON YOUR WEBSITE!
Website Security Vulnerability Notification
Hello, a security researcher reported a security vulnerability affecting [your] website via [company] coordinated and responsible disclosure program:
Those can be super scary! Is there really a massive issue?
No. But I know why it feels that way. And frankly I think a lot of these people are targeting the wrong group. Let’s get into it.
Scare Tactics
In the case of all the ones I got, there was only one that I felt actually was. But first, here’s what people reported:
The PHPInfo Page was public
Directory indexing
People can list users (aka User Name disclosures) via the REST API
Your xmlrpc is showing
Incomplete SSL Protection
Your email records allow spoofing/DMARC compliance
The last one? Absolutely an issue. I thanked that person and kicked them some money. But the others? They’re issues, but they’re also incredibly minor! Heck, this user name listing ‘vulnerability’ does not take the following into consideration:
It’s on a site where every author has a page
We have an ‘about us’ page that lists everyone anyway
Strong passwords are enforced
We have a firewall
The only way I could really improve that would be to enforce 2FA, which I’m contemplating for admins. But that begs the question… is this a vulnerability?
Okay, let’s ask why does this work? It’s known that WordPress has a REST API. This API can be used to list public information about registered users. Now the API does ‘expose’ the user data for everyone who’s authored a public post that is shown in the REST API. Posts and pages and some custom post types included. If the user hasn’t authored posts, you won’t have permission. So again, we’re only able to list public authors. Okay.
Could that be bad? Sure. In the same way having a front door couldbe bad if someone kicked it in. But ‘security’ isn’t why I would ever consider blocking that. We literally list all the authors publicly already. If someone wants to use wp-json to grab them, cool. It only shows public information we displayed already, after all.
Why would I consider blocking? To ensure stability. That is, people hammering my site to find out that I’m not user #1 on HalfElf (surprise!) makes my site slower. But… I have a firewall and Mod_Security, and IP Tables, which means if you hit my site enough, it’ll block you. Also a lot of stuff is cached, like it should be. Which means this is not a ‘vulnerability’ but more of a ‘best practice notice’ in my opinion.
And finally … FFS why are you telling individual site owners this!? If you really think it’s a security issue, take it up with WordPress!
How Do You Stop Them?
Well, generally you fix the ‘issues.’ Even if you think it’s full of shit, you fix it. So okay, what do we do?
PHPInfo? Locked it down. I use it for regular checks of other things. If you’re not, just delete it.
Directory Indexing? I put this at the top of my .htaccess (and yes, you should, I’d removed it for some tests):
### Prevent Directory Browsing ###
Options All -Indexes
XMLRPC? I said “Nope, not gonna change.” Because I use the WordPress iOS App.
SSL? You’ll want to check your setup on things like SSL Checker or Immuniweb or SSL Labs. I found SerpWorx’s tool to be invaluable for spelling out what was missing. The easiest by far was SecurityHeaders.com. For that, I ended up adding this to my .htaccess:
### Extra Security
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header always set Expect-CT "max-age=7776000, enforce"
Header set Referrer-Policy "same-origin"
Header always set Permissions-Policy "geolocation=(); midi=();notifications=();push=();sync-xhr=();accelerometer=(); gyroscope=(); magnetometer=(); payment=(); camera=(); microphone=();usb=(); xr=();speaker=(self);vibrate=();fullscreen=(self);"
</IfModule>
The one thing I left out was Content-Security-Policy because that one is crazy complex and needs a lot of testing since a lot of content on the site is remote and needs special rules.
Email/DMARC? That took a lot longer, and I had to talk to my email provider to sort it out. But you can run your domain through the MXToolBox checker and see what you’re missing. It’s going to make you cry. Email sucks.
Now. This means on that site if you go to example.com/?author=1 you will not go to someone’s page. But if you go to example.com/author/ipstenu/ you still would. Which IMO points out how stupid that ‘vulnerability’ is. Yes, I am aware you can see the authors. Oooooh. You’re supposed to!
Conclusion?
A lot of those vulnerability emails are bullshit. I politely reply “Thank you for your concern however we are not blocking access to that because the API is used by other things. It’s considered to be public knowledge anyway.” I may end up writing a form letter.
And the sucky thing is that one of the sites that collects all that stuff relies only on the reporter to determine if it’s resolved. Both issues they have for the domain in question? 100% resolved. But they say ‘unpatched’ … probably because I told both reporters I’m not paying them.
I added this to my profile:
We do not accept reports of basic WordPress functionality, such as the Rest API being active, the use of xmlrpc.php, the enumeration of users, etc. Those are an acceptable risk. Please don’t bother reporting them, they should be addressed with WordPress directly, not end users.
By the way. The bug bounty program that keeps emailing me? Uses WordPress. And guess who’s site has /wp-json/wp/v2/users available to list all their public authors? Yeah. Because it’s not a goddamn major issue.
I know someone’s gonna point out it could be a major issue. Sure. Like having a window means your house or car could get broken into. That doesn’t mean you remove all the windows!
We use cookies to personalize content and ads, to provide social media features, and to analyze our traffic. We also share information about your use of our site with our social media, advertising, and analytics partners.
