Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • Mailbag: Site Security Plugins

    Mailbag: Site Security Plugins

    This one comes from Gabriel and WordCamp LAX:

    Hello, I met you at WordCamp LA 2014. Thank you so much for speaking there and giving me great advice. I am now in a pickle again though, I wanted to ask you as an expert. What premium/pro version of site security protection would you find to be the best for a WP site? I am now using the free version of iThemes but I want to start buying pro version of iThemes, which would be $40 a year for a client.

    I don’t use any security plugins on this site. I use Mod Security, some complex .htaccess rules, and a firewall app on my server. None of the weight of the security is on my WordPress install for a few reasons.

    This site may be a nice massive Multisite, but on this server I have a dozen other WordPress sites and not all are my own. I also have a gallery and a wiki, a forum, and a few other non-WordPress things. Using just a WordPress plugin leaves about a third of my site not protected. Worse, it means I have to be sure all my ‘customers’ are equally protected all the time and upgraded and configured right. I opted to take that out of their hands.

    Most major hosts (DreamHost, BlueHost, GoDaddy, LiquidWeb, etc) all have Mod Security and a firewall, or some equivalent. Some of them have fail2ban and others have CSF but they all do have server level protections that frankly do a better job of protecting you against a brute force attack than a plugin ever can. I’ve said this before in many different ways but I’ll spell it out again. I don’t believe a plugin is ever the best choice to protect you from a DDoS. That does not mean a plugin doesn’t help, but it does mean I would never use it as my first and only defense against attacks and hacks. The practical reason is that it makes a site slower, to have it recursively check things.

    With that said, there is a different sort of ‘protection’ to be gained from a security plugin, and that is notifying me as to what files are changed. If you’re using cPanel, WHM has a feature to email you about Recently Uploaded Cgi Scripts which emails me when certain core files on my server changes, but also when a plugin upgrades and messes with email:

    /home/ipstenu/public_html/wp-content/plugins/contact-form-7/includes/submission.php:240:
/home/ipstenu/public_html/wp-content/plugins/contact-form-7/includes/submission.php:241:       private function mail() {
/home/ipstenu/public_html/wp-content/plugins/contact-form-7/includes/submission.php:242:               $contact_form = $this->contact_form;

    That’s one of my favorite things, by the way. It’s a rare email to get, but I love getting it because I know what dangerous emails are sent. There’s also an add-on feature of CSF called ConfigServer eXploit Scanner which can be used to send emails when any file is changed. This is awesome for scanning PHP changes and even is aware of WordPress though it’s probably going to have a lot of false positives given the nature of WordPress upgrades.

    And this does get us to where I do use security plugins. Rarely, yes, but when I do use them I use products like a malware scanner to make sure my files aren’t changed without me knowing. You hear that called “Security File Integrity Monitoring” sometimes, and the idea is that I want to know when any files on the server are changed. But since Gabriel mentioned ‘for a client’ I can guess that he doesn’t have admin access to the server, which makes the whole thing a lot messier.

    The weakest leg in the security tripod is users. Sorry. Users are people. We make mistakes, we eat gas station sushi (hush, Otto, you get the point), and we don’t think about our actions.

    With that in mind, which plugin would I use? It depends on the client and how much help I think they’ll need cleaning up, and how much help I’m going to be expected to provide. I’d be inclined to hook them up with a service that can help unhack them if I’m worried about that, or if I know they can follow directions well, then a simple scanning plugin is fine.

    It’s really not a simple answer, though.

  • Why I Like Font Icons

    Why I Like Font Icons

    I really like Font Icons and I’m willing to bet there was a period of time you did to, way before we had the Internet on our phones. Do you remember Wing Dings?

    Wing Dings Example

    When I was a kid they were awesome. We used them to print up secret code letters in the ’80s, using the basic letter shift kind of cypher. Wing Dings is, at its heart, a font icon. This means it’s a font that uses shapes instead of letters, but unlike Wing Dings where I could type “cat” and get “hand arrow flag”, a modern font icon has special content terms like “f401” that you use instead. Of course those are hard to remember, and we all like to use shortcuts, which I’ll get to in a second.

    The reason I love them is that I am a monkey with a crayon when it comes to design. Did you ever try to make an image that, when you rolled the mouse over it, it changed color? Like the official Twitter image you wanted to spin when the mouse hit it? We used to do that with images, CSS sprites, and combine all the images into one large image, load it once, and then with the magic of CSS have different bits load at a time. Sprites and Bitmaps can do that, but adding in new icon to the set took time and Photoshop and if you’d lost your designer in the meantime you were out of luck. Font icons lower the bar and make it easier for everyone who can’t design.

    Font icons are easy to style. You can resize, recolor, flip, shadow, and apply rollover effects with just some basic CSS. They also scale well which means they were pretty much born for retina. No matter the size of your device or the quality of your screen, the font icon will never look jagged and blurry.

    So how do we use them? It’s only three steps and the third is beer. Seriously, though it’s really that simple. Include the font family, just like you would a google font, or do it locally. Call the icon, show the icon.

    1. Include the font in your site
    2. Call the icon you want with the span html tag 
      <span class="genericon genericon-aside"></span>
<i class="fa fa-beer"></i>
    3. Drink a beer [ficon family=FontAwesome icon=beer color=brown size=3x]

    That beer is a font icon by the way.

    There are plugins, for most of the popular ones, that will let you insert using shortcodes. Those are easy to use for when you want to put an icon in your post content. I wrote two of them, Genericon’d (which brings Genericons to your site with shortcodes) and Fonticode (which lets you apply shortcodes to most of the major font icons, provided they’re already included in your theme or another plugin). But wait, there’s more!

    As I mentioned, you can use them in CSS, and by that I don’t mean you can style them. What I mean is you can use CSS to call a font icon and put it in a menu, which is a little trickier since you need to use the before call, and that is a little weird. I talked about how to do this before in ShareDaddy Genericons (which is now useless since Jetpack went and did that for everyone) but the point is that you have to mess with CSS and it looks like this:

    div.sharedaddy .sd-content li a::before {
    font-family: 'Genericons';
	font-size: 16px;
	color: #fff;
}

div.sharedaddy a.sd-button>span {
    display: none;
}

div.sharedaddy .sd-content li.share-twitter a::before {
    content: '\f202';
    color: #4099FF;
}

    As an example, this is a pretty basic one. The magic sauce here is that I say “Before all my links, use the font family Genericons with this size.” And then “Before Twitter, I want to show the content \f202″ That happens to be Twitter’s icon. The color I used is also the official Twitter blue. You can get even fancier and I suggest reading Justin Tadlock’s post on Social nav menus.

    The obvious next question is where can you find font icons? Here’s a non-exhaustive list.

    I will note that some of these are not GPL, so it’s on you to check the licenses for what you want to use them for. Like Glyphicons? You can use their Halflings font freely, but not the full Glyphicon pack. Similarly, Icomoon has a couple font packs that aren’t free and for full distribution, but does have one you can use. So please, please, be careful and be aware. You can use the non-GPL ones on your own site (most of the time) but you can’t package them in a theme or plugin.

    Before someone asks, let me talk about Dashicons. That comes in core, so you don’t need to worry about including that. I wouldn’t use it on your site, since it’s meant for the WP Admin back end and nothing more and the size is a little off because of that. You can totally use it on your plugins. So instead of making an image, you can use a Dashicon to be the icon on the menu sidebar. This may one day change, but not today.

    All this love doesn’t mean everything’s awesome. There are some issues, like how Icon Fonts Are Ruining Your Markup. And you should read Ten reasons we switched from an icon font to SVG for some great reasons not to. You also need to keep in mind accessibility, like screen readers, and for that check out Bulletproof Accessible Icon Fonts.

    Nothing’s insurmountable, and the easy of a font icon without having to mess with GIMP or Photoshop or pretend I know what I’m doing with art is worth it all for me.

  • Even Better Drag And Drop!

    Even Better Drag And Drop!

    Not that long about I realized you could drag a file to the “choose file” button.

    On Chrome you can also drag it from the download bar.

    Here’s my file on the download bar:

    DFW with a file in my downloads

    And when I click and drag it up…

    DFW with a file in my downloads, dragged up to the text area

    Sometimes it’s really the little things that brighten my day. This works for the ‘choose/select file’ buttons as well, and clearly works in WordPress for media. This also means when I download an image from one of my favorite free image sites, I can click on it in the download bar to edit it and then drag the image from the bar to upload the edited image. I never have to open the downloads folder.

    Of course, my downloads folder gets pretty full after a while.

  • Why You Can’t (Always) Catch Cache

    Why You Can’t (Always) Catch Cache

    Or rather, why you don’t want to cache.

    When speeding up a site, the first thing we always talk about is streamlining the site. Ditch the redundant plugins, clean up the code, get a lightweight theme, dump the stuff you don’t use, and upgrade. Once you’ve done that, however, we talk about caching, and that is problematic. Caching is tricky to get right, because you can’t cache everything.

    Actually you can, but you don’t want to cache everything, and you really shouldn’t.

    The basic concept of a cache is ‘take a picture of my website in this moment.’ We think of it as a static picture, versus the dynamic one we use for WordPress. That static picture is not so static, though. You call CSS and JS still, and you call images. But the idea there is not to call PHP or the database and thus your site will be faster, as those are the slowest things.

    Great, so why don’t I want you to cache everything?

    Missed Catch

    The obvious answer is latency. If you’re designing a site or making a lot of style changes, you need to disable caching because otherwise you get a lag between edits and displaying text. But there’s also server latency.

    When we talk about things like PageSpeed (I use mod_pagespeed my server) to improve web page latency and bandwidth usage, we’re talking about actually changing the resources on that web page to the best practices. This sounds great but we have to remember that by asking the webserver to do the work before WordPress (such as having PageSpeed minify my CSS and JS), we’re still making the server do the work. Certainly it’s faster than having WordPress do it, but there will still be a delay in service.

    The next obvious answer is security. There’s some data you flat-out don’t want to cache, and it’s pretty much everything in wp-admin (on WordPress). Why? If you have multiple users, you don’t want them getting each other’s content. Some are admins, some aren’t, and I know I don’t need my guest editor seeing the post about where I’m firing her and why.

    Actually, we’ll extend this. Very rarely do I want my logged in users to see a cache at all. They’re special, they’re communicating and making edits on the fly. Having them see cached content, and constantly refresh it, will be more draining on my server than just loading the content in the first place. Remember the extra load caused by PageSpeed (or even your plugins) generating the cache? That would be constantly in progress when a logged in user made a change, so let’s skip it all together.

    Tagging on to that, you also don’t want to your admins and logged in users to generate a cached page. This isn’t the same as seeing a cached page, I don’t want non-logged in users to see the version of the site a logged in one gets. A logged in user on WordPress gets the toolbar, for example. I don’t want the non-logged in ones to see it.

    Finally we have to round back to security. If I have SSL on my box and I’m using HTTPS to serve up a page, no way no how do I want to cache anything related to users. In fact, I may not even try to cache JS/CSS either. The basic presumption of https is that I need security. And if I need security, I need to keep users out of each other’s pockets. The best example of this is a store. I don’t want users to see each other’s shopping carts, do I? And your store is going to be https for security, so this is just one more feature there of.

    Of course, there are still things to cache. I setup PageSpeed on my https site so it will compress images, make my URLs root-relative, and compress and minify HTML/CSS/JS. But I don’t have a traditional cache with it at all. This does mean as we start to look towards an https-only world (thank you Google) we’re going to run into a lot of caching issues. All the quick ways we have to speed up our sites may go away, to be replaced by the next new thing.

    I wonder what that will be.

  • Working With A Translator

    Working With A Translator

    Well I messed that up.

    I’ve never been on a panel before, and I’ve never worked with a live translator before, except once and that was ASL which is different. This time, at WordCamp Tokyo, I was on a panel to talk about the Worldwide Community of WordPress, and other things, and we had a wonderful translator with us, Shinichi Nishikawa. But I’m afraid we made things very hard for him.

    My father, who’s more experienced, gave me a critique later and I have some points to share with everyone.

    • Speak one sentence, wait for it to be translated, then move on.
    • Keep your English simple.
    • No cliches, idioms, or slang. Not even technical slang.
    • No jokes. They won’t translate. Don’t even try.
    • Don’t laugh at yourself either.

    It’s remarkably hard to do this. I’m getting a little better at it, because my father’s wife is Japanese. While she understands some English, I would say her English is better than my French, and she’s mostly fluent in French. So we dance between three languages to try to communicate. With that in mind, I find myself trying for the smallest, easiest, most common words when I want to explain something.

    For example, at dinner she was trying to say that my father has no sense of direction. This is true, but in Japanese there’s a word to mean ‘you lack this skill.’ You can apply it to anything, and as we were talking about it, she asked what the word was, in English, for someone who has no sense of music. We explained it was ‘unmusical’ or ‘no sense of music’, but I also mentioned ‘tone-deaf.’ This lead to us saying things like “You are tone-deaf in driving!” Where English will put a modifier on the word, the Japanese have a second word to add in front that puts the proper emphasis.

    Understanding that one, small, thing changes what words I want to use when explaining WordPress (or anything) to someone who doesn’t speak my language natively. I’ve done this before, with normal conversations and travel, but doing it for WordPress was very hard because we’re used to things like ‘doing_it_wrong()’ and even ‘Howdy, Ipstenu.’ Those are small words we think of as normal and simple, but their concepts are so large they lose something in the translations.

    Besides just words, I’ve learned we definitely need to translate our brochures into the language of the country we’re in. Not having the pamphlet be in Japanese was a killer. Also our little DreamHost Robots need names!

    Our DreamHost Robots

    Everyone thought our mascots were adorable, but they needed names. Since we have three stickers, one of them being tiny, I said we should call the little one “Yume-chan” because Yume (夢) means Dream in Japanese, and ‘chan’ is a diminutive. My father calls me ‘Mika-chan.’

    Wapuu Just for an example, Wapuu is the mascot of WordPress in Japan. So really anything small and cute like this needs a name.

    Knowing that, I feel more prepared next time not just should I come again to Japan, but also in general for how I present at a WordCamp. Every time I come to one, I learn a little more and a little more about myself, WordPress, and how we all communicate.

    WordPress democratized publishing in more than just your website, after all.

  • Portable Charging

    Portable Charging

    I travel a lot, and as of last WordCamp San Francisco, I realized I needed a way to charge my phone on the go. The issue was that I wasn’t always in a place where I could easily use a plug, and outlets didn’t always work. So I wanted something I could carry with me, plug in while at a restaurant and charge when I wasn’t using it.

    After asking around, I picked up an Anker, which claimed it could charge my iPhone 5 twice. I’ve tested it at 1.75 charges, but that’s usually good enough for me. This year, I got two more types. An Anker from WordCamp NYC and a PowerBank from WordCamp Miami.

    My four chargers, prepping for Tokyo!

    Hands down, the Anker wins. The PowerBanks don’t hold as much of a charge as the Ankers, and they don’t retain their charge quite as well. They’re smaller, so this makes sense to me. Less battery capacity. But the fact that they lose their charge faster means I have to always remember to charge them up. The Anker? Well I didn’t charge the WordCamp NYC one after I got back from NYC, and when I went to charge it up almost 2 months later, it was still half charged. In the same time span, the PowerBanks were dead.

    The downside for all chargers is I have to remember to charge them, which is why they’re pretty useless for my wife who never remembers to charge her phone, and asking her to remember to charge another device won’t work at all. But for me, I toss the two Ankers into my purse and about once a month I charge them up. Or if I’ve used one, I charge it right away. That way, when I get stuck in an airport for god knows how many hours, I’m doing just fine.