Thoughts From a Professional Lesbian
I don’t know why I never knew this. Did you know you can drag a file to the ‘select file’ button on Chrome?
You know the button, right, this one that just says Choose File:
I happened to be testing if the drag/drop area was working (it wasn’t) and I noticed the button changed colors when I dragged the file over it:
So I let go and it was there:
And yes, it worked. This will save me hours of work!
Have you ever tried to log in to WordPress and have the login page just refresh with no errors?
No, I don’t mean that Multisite Login Loop.
After upgrading a bajillion people to WordPress 4.0 on DreamHost, I noticed something a little weird. People couldn’t login and they didn’t get an error. They would put in their ID and password and the screen just refreshed. So I took a look and decided to start with the obvious tests.
Assuming that the username and password were correct, I checked what happened with a fake account and password. I put in ‘admin’ with a password of ‘areyouduckingme?’ (which no one but me would use) and expected to see a nice login error like this:
I did not. Right away I knew what was wrong. There was a miss-match with the home and site URLs!
At DreamHost, we allow you to pick if you want to force www or non-www or not at all for your domains, and I always go to check what the customer did there, just to see. If they picked ‘neither,’ then I’ll usually flip it to non-www because I hate www in your domain and I’m fixing things. Of course, if they have set it to www or no-www, I make a note and honor that.
Then I go check the home and site URL and make sure they’re both the same in so far as the domain does. If one is www.domain.com and the other is just domain.com, and 50% of the time, it was this all along. The other 50% is that WordPress thinks it should have www and the domain settings think it should not. The point here is that everything needs to match up nicely when it comes to your domains.
It’s also a good idea to check the .htaccess to see if they’re forcing it one way or the other in there (I do).
And you’re done. Refresh the page, see if you can login. Should be magic.
Of course the question is then why did this happen, and the answer is that WordPress is trying to make it harder for people to break into your site. Part of these means making sure that cookies match domains properly, and when you have an inconsistency like www.domain.com and domain.com, the cookie is invalid and WordPress doesn’t know where to go. It wants to go to one but gets tossed to the other.
I love Project Runway. Seeing people be that dramatic and traumatic over making clothes is fun, plus I love the design. One of the best parts is when Tim Gunn steps in as a mentor. He rarely tells people exactly what they need to do, but he will give them his opinion. It’s the way he handles critique that makes him impressive. Recently he had a new show called Under the Gunn where he let other people mentor some young designers, and that show was, shall we say, less than spectacular.
One of my favorite designers, Nick Verreos (aka Uncle Nick), was one of the worst mentors. Instead of helping his mentees, he did the work for them and made their designs look more like him. He drew for them, he sewed for them, he even gave them ideas.
That’s not the Tim Gunn way.
When people ask you for advice on their work, it’s hard to not insert yourself into the process and put your own self into the work. You, too, are a smart, creative person. That’s why they asked you! So how do you keep yourself out of your advice and let people learn?
Boy that’s hard.
You have to let go of your own ego to do this. You have to be willing to remove your own desires from the equation, and instead of saying “Do this” you have to suggest “What if you did it like this?” It’s a classic case of leading the horse to water, but you really are the one who is going to show them the land where the ideas are and nudge them along.
One of the things I do a lot of is plugin reviews, and many times I see people reinventing the wheel. I don’t often put value judgements on plugins, and in fact I try hard not to do so. But when I see someone taking the hard road of handling a feature, like wanting to put autoplay in all YouTube videos, I wonder why they’re inventing a new oembed and shortcode and not filter oembed_fetch_url and have it check if it’s youtube and, if so, put in the arguments for autoplay?
But… Do I tell them “Here’s the code you want” and give it to them? Will that make them better developers? No, it won’t. Instead, I have to explain why reinventing the wheel isn’t a great idea.
Any time a plugin replicates functionality found in WordPress (i.e. the uploader, jquery), you’ve done something wrong. It’s a security risk, for one, as the features in WordPress have been tested by many more people than use most plugins, so the built in tools are less likely to have issues. But more importantly, you’ve given people too many ways to do one thing. A user doesn’t want to remember seventy shortcodes. They want to know “Hey, I know pasting in my video URL makes it show up on WordPress! I’ll do that!”
They want the easy, and you need to remember to give them the easy.
Similarly, advice on what’s right should lead towards what’s easy. What’s easier for you to maintain, to develop, and support. I know what works for me, but when I’m teaching someone how to update plugins and they ask me “What tool do you recommend?” I say “What do you already use and like?”
That’s my secret, by the way. I teach and mentor by trying to learn what they already know, what they’re already comfortable with, and then explain how to do things better or faster with those systems. But I try not to show them “This is the way to do it.” I stress this is A way to do things, unless what they’re doing really is a reinvention of the wheel, without making the wheel any better.
If you’ve ever watched baseball on TV (which is rare for me, I prefer the radio), you may have seen some of the most incredible faces that athletes make. This is Pitcher Jared Weaver of the LA Angels:
He looks crazy, doesn’t he? He’s also an insanely good pitcher. He can make a ball do things just by changing how he holds it or points his elbow. It’s a gift. It’s not really a useful one to a lot of people, but it’s certainly not something I can do. He doesn’t worry about the silly faces he makes (I hope) because he can see the results are worth it.
One of my most popular tweets ever is this:
Everyone screws up code, no matter how awesome a professional you are. Accept it.
When I wrote it, I was laughing at myself for seriously bolluxing some code and pushing it live too soon, which happens to the best of us. I knew I messed up as soon as I saw the first error report, and pushed a fix right away.
What I didn’t do was worry about how it made me look.
Oh don’t get me wrong, I knew it looked bad, and it was embarrassing, but I’m not afraid of making mistakes. I didn’t let the fear of looking bad stop me from trying something new and experimenting and making a change. I knew there was a chance to end up with egg on my face, but I knew there was also a chance I would make everything perfect and ‘save the world.’ Or at least make my code awesome for more people.
We’re going to mess up. We’re going to make mistakes. We’re going to break things. While we try hard not to do that, the glory, the hero within us comes to play not when we’re perfect, but when we recover. Mistakes will be made, accidents happen, and you will screw up.
What will you do when you make a mistake?
I talked at WordCamp LAX this year about KISS Security, keeping it simple and being aware of what it is you’re doing. Because security isn’t about the right passwords, and upgrades, and plugins, and .htaccess, it’s about you doing what’s right. And in fact, while I did mention some plugins, some features on servers, and I certainly was willing to give my advice and opinion on them, I don’t recommend one security plugin over another. Instead, I talked about the mindset of being secure.
My mother is one of the few people I know who has almost completely conquered the will to be stupid.
Miles Vorkosigan on his mother, Cordelia Naismith Vorkosigan
Brothers in Arms by Lois McMaster Bujold
If I can not be stupid, then I can be secure. Sounds easy, but ignorance is the lynchpin of stupidity, and you must defeat that first. But they’re not actually stupid at all. They’re just uneducated and this whole WordPress thing is new, and the security stuff is scary.
With that in mind, I aim more towards education when I help people. When I debug a site, I send the customer a two-fold email. The first is the tl;dr stuff. “You were hacked because you’re on WordPress 2.6 and your theme and plugins had backdoors due to old, vulnerable code.” That’s the easy part. Then I explain in detail how I found the hack, why it was a problem (like did you know inactive themes can still be visited in your browser and, as such, are vulnerable?) and some details on how to fix it, even though I know they’ll still make mistakes. But I get them started with understanding what I’m looking for and why I think it’s bad.
The reality of security is that we’re all ignorant, at some point in time, of what we’re doing, of what it means. Identity theft can go on for years because people don’t monitor their credit card statements. We get ripped off by not checking receipts. We give away our credit cards without thinking. We all do dumb things in the moment and regret everything. We have 20-20 hindsight. And getting to the point where we don’t do that, where we think first, takes deconstruction of myths, education, and trusting your gut.
Stop me if you’ve heard this one. “You’ll be hacked unless you install a plugin.” Or maybe this one… “You’ll be hacked because you installed a plugin!” It goes on and on. Should you upgrade? Of course! But do I think upgrading alone is the answer? Heck no! Upgrading, being concerned with plugins and themes, using good passwords… those are all important, but they’re not going to be the end all of everything. They don’t make you smarter, and that’s why I hate them. What they really do is make you lazy. You think that because you have them, you’re safe, and you stop being aware.
I came up with that in 2010, the Tripod Theory of Security when it comes to websites. In order to be smarter about security, I have this pretty simple tripod theory.
If everyone holds up their leg, the security of your site is locked down. If you have a responsive webhost, secure software, and good behavior, you’re going to be happy, the odds are that a WordPress upgrade never breaks your site, and you’ll be safe for a long time to come. Awesome! But as someone wailed at me at a barbecue, “How do you get to that point when you can’t CODE!?”
The most simple answer is the most obvious. Know what you’re getting into with software. The plugins and themes you use are ones you should know about. Read the readme, follow the FAQ. Don’t be afraid to ask questions about features you want. But the best thing you can do is use your brain and think. When we grab code and don’t think about who wrote it, where it came from, and what it means, we open ourselves up to disaster, and we may as well be posting our passwords on the front of our websites. Taking that moment to be aware that hey, maybe a nulled theme is a terrible idea will save you.
The biggest thing to do, though, is not to research everything to an inch of it’s life, but to stop and think. When we jump in to things without any forethought or awareness, when we ignore that nagging feeling of doubt, we run the risk of being stupid. Gas station sushi is still sushi, right? And sushi is totally awesome. Well. Yes. But it’s also a fast track to spending the rest of your day in the bathroom. And you know this. Your gut knows these things because of your experiences, and when they outpace your knowledge, that’s when we get those momentary blips of “This is a baaaaaad idea!” Listen to them. If it helps, picture a relative looking over your shoulder going ‘tsk.’ Admittedly, mine would be Taffy holding a glass of wine, saying “Don’t be stupid, Mika.”
Practicality matters, though. I can’t just say “Find code by a WordPress Core Developer and never worry a day in your life” because everyone can make mistakes. Instead of looking for perfection, I look for behavior. I want to see a developer is active, both in general and in the overall community. I want to see how they respond to people, either in the same terms and language they use, or if they’re always super-technical. I want someone who understands what they’re doing, even if they’re not always right, and I want someone who can balance out the need for fixes with the annoyance of an update every day.
I’ll be speaking at WordCamp Ventura on the topic of plugins and approving them. Or not.
WordCamp Ventura County will be November 8th, 2014 at Green Art People, Ventura, CA. Tickets will be on sale at http://2014.ventura.wordcamp.org/ soon, but in a weird (yes Konstantin, I think it’s weird) move, all the speakers are set in advance! Like before you buy a ticket you’ll get to know that I am, indeed, speaking.
