Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • Don’t Be Afraid of Looking Foolish

    If you’ve ever watched baseball on TV (which is rare for me, I prefer the radio), you may have seen some of the most incredible faces that athletes make. This is Pitcher Jared Weaver of the LA Angels:

    Pitcher Jared Weaver, LA Angels

    He looks crazy, doesn’t he? He’s also an insanely good pitcher. He can make a ball do things just by changing how he holds it or points his elbow. It’s a gift. It’s not really a useful one to a lot of people, but it’s certainly not something I can do. He doesn’t worry about the silly faces he makes (I hope) because he can see the results are worth it.

    One of my most popular tweets ever is this:

    Everyone screws up code, no matter how awesome a professional you are. Accept it.

    When I wrote it, I was laughing at myself for seriously bolluxing some code and pushing it live too soon, which happens to the best of us. I knew I messed up as soon as I saw the first error report, and pushed a fix right away.

    What I didn’t do was worry about how it made me look.

    Oh don’t get me wrong, I knew it looked bad, and it was embarrassing, but I’m not afraid of making mistakes. I didn’t let the fear of looking bad stop me from trying something new and experimenting and making a change. I knew there was a chance to end up with egg on my face, but I knew there was also a chance I would make everything perfect and ‘save the world.’ Or at least make my code awesome for more people.

    We’re going to mess up. We’re going to make mistakes. We’re going to break things. While we try hard not to do that, the glory, the hero within us comes to play not when we’re perfect, but when we recover. Mistakes will be made, accidents happen, and you will screw up.

    What will you do when you make a mistake?

  • The Mindset of Security

    I talked at WordCamp LAX this year about KISS Security, keeping it simple and being aware of what it is you’re doing. Because security isn’t about the right passwords, and upgrades, and plugins, and .htaccess, it’s about you doing what’s right. And in fact, while I did mention some plugins, some features on servers, and I certainly was willing to give my advice and opinion on them, I don’t recommend one security plugin over another. Instead, I talked about the mindset of being secure.

    Don’t be stupid

    My mother is one of the few people I know who has almost completely conquered the will to be stupid.

    Miles Vorkosigan on his mother, Cordelia Naismith Vorkosigan
    Brothers in Arms by Lois McMaster Bujold

    If I can not be stupid, then I can be secure. Sounds easy, but ignorance is the lynchpin of stupidity, and you must defeat that first. But they’re not actually stupid at all. They’re just uneducated and this whole WordPress thing is new, and the security stuff is scary.

    With that in mind, I aim more towards education when I help people. When I debug a site, I send the customer a two-fold email. The first is the tl;dr stuff. “You were hacked because you’re on WordPress 2.6 and your theme and plugins had backdoors due to old, vulnerable code.” That’s the easy part. Then I explain in detail how I found the hack, why it was a problem (like did you know inactive themes can still be visited in your browser and, as such, are vulnerable?) and some details on how to fix it, even though I know they’ll still make mistakes. But I get them started with understanding what I’m looking for and why I think it’s bad.

    Bald Eagles are Vigilant

    Use Common Sense

    The reality of security is that we’re all ignorant, at some point in time, of what we’re doing, of what it means. Identity theft can go on for years because people don’t monitor their credit card statements. We get ripped off by not checking receipts. We give away our credit cards without thinking. We all do dumb things in the moment and regret everything. We have 20-20 hindsight. And getting to the point where we don’t do that, where we think first, takes deconstruction of myths, education, and trusting your gut.

    Don’t Get Overwhelmed by the Hype

    Stop me if you’ve heard this one. “You’ll be hacked unless you install a plugin.” Or maybe this one… “You’ll be hacked because you installed a plugin!” It goes on and on. Should you upgrade? Of course! But do I think upgrading alone is the answer? Heck no! Upgrading, being concerned with plugins and themes, using good passwords… those are all important, but they’re not going to be the end all of everything. They don’t make you smarter, and that’s why I hate them. What they really do is make you lazy. You think that because you have them, you’re safe, and you stop being aware.

    Security Tripod

    I came up with that in 2010, the Tripod Theory of Security when it comes to websites. In order to be smarter about security, I have this pretty simple tripod theory.

    1. Your Webhost (server)
    2. Your software’s developers (WordPress)
    3. YOU (everything else)

    If everyone holds up their leg, the security of your site is locked down. If you have a responsive webhost, secure software, and good behavior, you’re going to be happy, the odds are that a WordPress upgrade never breaks your site, and you’ll be safe for a long time to come. Awesome! But as someone wailed at me at a barbecue, “How do you get to that point when you can’t CODE!?”

    Education

    The most simple answer is the most obvious. Know what you’re getting into with software. The plugins and themes you use are ones you should know about. Read the readme, follow the FAQ. Don’t be afraid to ask questions about features you want. But the best thing you can do is use your brain and think. When we grab code and don’t think about who wrote it, where it came from, and what it means, we open ourselves up to disaster, and we may as well be posting our passwords on the front of our websites. Taking that moment to be aware that hey, maybe a nulled theme is a terrible idea will save you.

    The biggest thing to do, though, is not to research everything to an inch of its life, but to stop and think. When we jump into things without any forethought or awareness, when we ignore that nagging feeling of doubt, we run the risk of being stupid. Gas station sushi is still sushi, right? And sushi is totally awesome. Well. Yes. But it’s also a fast track to spending the rest of your day in the bathroom. And you know this. Your gut knows these things because of your experiences, and when they outpace your knowledge, that’s when we get those momentary blips of “This is a baaaaaad idea!” Listen to them. If it helps, picture a relative looking over your shoulder going ‘tsk.’ Admittedly, mine would be Taffy holding a glass of wine, saying “Don’t be stupid, Mika.”

    What I Look For

    Practicality matters, though. I can’t just say “Find code by a WordPress Core Developer and never worry a day in your life” because everyone can make mistakes. Instead of looking for perfection, I look for behavior. I want to see a developer is active, both in general and in the overall community. I want to see how they respond to people, either in the same terms and language they use, or if they’re always super-technical. I want someone who understands what they’re doing, even if they’re not always right, and I want someone who can balance out the need for fixes with the annoyance of an update every day.

  • WordCamp Ventura

    I’ll be speaking at WordCamp Ventura on the topic of plugins and approving them. Or not.

    WordCamp Ventura County will be November 8th, 2014 at Green Art People, Ventura, CA. Tickets will be on sale at http://2014.ventura.wordcamp.org/ soon, but in a weird (yes Konstantin, I think it’s weird) move, all the speakers are set in advance! Like before you buy a ticket you’ll get to know that I am, indeed, speaking.

    WC Ventura: Introducing Mika!

    Screenshot of WordCamp Central with my pretty face!

  • Self-Update Your Plugins

    When your plugin is hosted on WordPress.org, this isn’t a problem at all. But if you’re selling your own work, or hosting it on a non WPORG resource, there are other concerns. You see, if you host a plugin on WordPress.org, your plugin can’t have its own updater script. You have to use the default .org updater. This is just fine, except when you have an add on that you want to be pay-only. Then what?

    Take a look at Easy Digital Downloads. You can get the main plugin from WordPress.org, and if you buy add ons from their site, they get magical updates too! How did they do that? They put an updater script in the main plugin which is then called by the paid extensions. You can even use their Software Licensing add ons to run your own updates on your server! If you want to sell on their site, they’ll help you take care of that too.

    Todd Lahman also has a WooCommerce API manager, so if you’re using WooThemes, you’ve got that covered too.

    Success on a mountain top

    Speaking of self hosting, if you’re hosting your own code on GitHub, then you want to use Andy’s GitHub Updater. While it’s not allowed on .org (sorry Andy), this will let you push updates from your GitHub or Bitbucket hosted WordPress plugins and themes.

    My buddy Norcross has his own free updater for you as well.

    You can also look at services like Auto Hosted or WP Updates, both of which promise to make it even easier and faster for you.

    Jeremy Clarke has an automatic theme/plugin updater as well if you still want to be self hosted.

    If you’re using ThemeForest, there’s the Envato WordPress Toolkit, which your users (not you) will need to install on their sites to get updates. I don’t know if there’s a way to include an updater in your packaged theme or plugin, but that toolkit needs to be all over the place for users. That it’s not brings all the issues you see with their products being out of date.

    There are hundreds of other ways around this. And really, there’s no excuse to not keep your plugins and themes up to date, no matter where they live. Keep those users updated and make it easy for them to do it! What resources do you use when self-hosting a plugin or theme, to keep it on the up and up, and keep everyone updated?

  • Mapped Domains And Google Search

    The other day I was surprised to learn that Google still looks for tech.ipstenu.org

    Kind of.

    If you go search for it, Google still believes that URL is a real thing: https://www.google.nl/search?q=site:tech.ipstenu.org

    Some of those URLs were made long after I mapped the domain, by the way. And yes, of course I have a 301 redirect for the subdomain.

    <If "%{HTTP_HOST} == 'code.ipstenu.org' || %{HTTP_HOST} == 'tech.ipstenu.org' ">
        RedirectMatch 301 (.*) https://halfelf.org$1
    </If>
    

    What’s going on here? Strictly speaking, Google’s right and stupid. The URLs are correct, but Google should be honoring the 301 redirect. Because it’s not, you have to tell it not to trawl your subdomains and use a robots.txt file, just for your mapped subdomains.

    First we’ll need to make a special robots.txt file, like robots-mapped.txt, and put the following in it:

    User-agent: *
    Disallow: /
    
    User-agent: Googlebot
    Noindex: /
    

    This tells Google to sod off. Then you need to specify when to use this special file, and that brings us to the land of options. Since .htaccess is a top-down file (that is, it is read from the top of the file down), you can get away with this:

    # Serve the mapped-domain robots file only for the code. and tech. hosts
    RewriteCond %{HTTP_HOST} ^(code|tech)\.ipstenu\.org$ [NC]
    RewriteRule ^robots\.txt$ /robots-mapped.txt [L]
    

    Just have that above any redirect rules for other things. But what if, like me, you’ve got Apache 2.4?

    <If "%{HTTP_HOST} == 'code.ipstenu.org' || %{HTTP_HOST} == 'tech.ipstenu.org' ">
        RedirectMatch 301 ^/robots\.txt /robots-mapped.txt
        RedirectMatch 301 (.*) https://halfelf.org$1
    </If>
    

    Of course, that sends tech.ipstenu.org/robots.txt to https://halfelf.org/robots-mapped.txt which is scary but still works, so don’t panic.

    Another way to do it would be to have a massive rewrite for all my subdomains:

    # All Mapped
    <If "%{HTTP_HOST} == 'code.ipstenu.org' || %{HTTP_HOST} == 'tech.ipstenu.org' || %{HTTP_HOST} == 'photos.ipstenu.org' ">
        RedirectMatch 301 ^/robots\.txt /robots-mapped.txt
    </If>
    

    I will note, it should be possible to have (code|tech).example.com work in there, instead of all those OR statements, but I’ve yet to sort that out (corrections welcome in the comments!).
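
    The regex form of the host test, as an added example that is not from the original post: Apache 2.4 expressions accept `=~` with a `/pattern/` operand, so the host list collapses into one anchored match. The negative lookahead on the catch-all redirect is an addition; it assumes the mapped hosts share the document root that holds robots-mapped.txt.

    ```apache
    # Added example, not from the original post. Apache 2.4 only (ap_expr).
    # One anchored regex replaces the chain of == / || host comparisons.
    # ^ and $ plus the escaped dots keep look-alike hosts such as
    # "tech.ipstenu.org.example" or "techXipstenu.org" from matching.
    <If "%{HTTP_HOST} =~ /^(code|tech)\.ipstenu\.org$/">
        # A crawler asking a mapped host for robots.txt gets the blocking file.
        RedirectMatch 301 ^/robots\.txt$ /robots-mapped.txt

        # Everything else goes to the canonical domain. The lookahead skips
        # /robots-mapped.txt so it is served from the mapped host instead of
        # bouncing to https://halfelf.org/robots-mapped.txt.
        RedirectMatch 301 ^(?!/robots-mapped\.txt$)(.*)$ https://halfelf.org$1
    </If>

    # Robots-only variant for every mapped host, as in the "All Mapped" block:
    # add more names to the alternation rather than more || clauses.
    <If "%{HTTP_HOST} =~ /^photos\.ipstenu\.org$/">
        RedirectMatch 301 ^/robots\.txt$ /robots-mapped.txt
    </If>
    ```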

    The last step is to fight with Google Webmaster Tools. Add your subdomains and you should get this on the robots.txt checker:

    Example of robots.txt for tech.ipstenu.org in Google Webmaster

    If you don’t, don’t panic. Go to the Fetch as Google page and tell it to fetch robots.txt. That will force it to recache. Once you have it right, ask Google to remove the URL from their index, and in a few days it’ll sort out.

    It’s very annoying and I don’t know why the 301 isn’t honored there, but oh well. At least I can make it work.

  • Did You Know …. Gravatars

    I was helping someone debug their gravatar recently. There was a long back and forth about your WordPress.com vs WordPress.org account when he couldn’t log in, and once we sorted that, we wanted a way to check if the Gravatar was actually working. Lo! There’s an easy way:

    https://en.gravatar.com/site/check/

    You can put in anyone’s email and get their Gravatar, which is a great check for people on, say, WordPress.org complaining theirs isn’t working when it totally is, had they used the right email.

    There are some things I wish Gravatar had, though, like the ability to drag-and-drop new avatars instead of the old click-here-to-select interface that feels so very, very old now.