Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • Don’t Use WordPress MultiSite


    Edit: It’s May 2015 and this post is still relevant.

    I talked about this at WordCamp SF 2013. Check out my slides or watch the video.

    I love MultiSite. I think it’s awesome and very helpful when you want to make a network of sites. But more and more I see people doing things where I just tilt my head and wonder why they’re using MultiSite for that particular use-case.  People seem to think that simply because they can use MultiSite that they should use it, and this simply is not the case!

    MultiSite, either by intention or effect, works best when you think of it as running your very own version of WordPress.com.  You have a network of sites that are disconnected from each other, data wise, but share the same available user base.  That means the only ‘information’ that is shared between two sites is your user ID, and even then, unless you’re explicitly granted access to the site, you’re nothing more than a subscriber.  Which is to say you can read the site, and comment. (You could get nitpicky here and point out that there are a lot more things one can do as a subscriber on a site, but you understand the gist.)  That means that while there are many perfectly valid reasons for having a MultiSite, it will never be a perfect solution for all people.

    One of the best alternatives to MultiSite is Custom Post Types.  They let you make ‘subfolder’ additions to your site and format them as you want.  There is a drawback, though, in that you cannot use YYYY/MM/DD in your permalinks for them (Otto on Custom Post Types – wp-testers email list); however, I would wonder why people use that anyway these days.  The only reason I use YYYY in my URLs is that I believe there’s a date on the usefulness of these posts, and if you come back in five years, you should know how old the information is.

    Another alternative is good planning.  If you sit down and define your needs for your site before you build it out, and plan for the growth you desire, a lot of things become clear.  Think about how many different places you’d want to go to maintain your site.

    Here are some examples of sites that should not be built out as MultiSites:

    To Categorize Posts

    This one comes from my girl, Andrea, who reminded me of a fellow we ran into who wanted to have one site to post from, and each post would go to a special site based on the category.  WordPress already has that built in!  It’s called, get this, ‘categories.’  Now the user in question said he didn’t want categories because your URL shows up as /category/permalink, and that wasn’t his desire.  So I suggested Custom Post Types.  /posttype/name was much better, and he could add in tags as he wanted.

    When Your Site is Homogenous

    Do you want your whole network to look and feel 100% the same?  Don’t use MultiSite.  If every single subsite is going to be exactly the same, except for content, but the content is all written the same way, you don’t need MultiSite.  Replicating the theme and settings on every subsite is a pain, and you can achieve the same result with categories, tags and CPTs.  You can even use a membership plugin to control who sees, and has access to, each CPT! (Role Scoper claims to do this, in fact.)

    Now someone will point out that this site fails that check!  If you notice, three (four, kind of) of the sites look very similar. Same general layout, same links and sidebars, but different headers.  This site could have all been done as categories and CPTs, and not needed the multisite until I hit on the children sites like the one for my grandmother.  But.  When I built it out, I decided to put my tech posts on their own page to separate the writing.  They are separate sites.  What I write here is vastly different from my blog, and that’s important to me.  The site has the same ‘feel’ in look alone: the context is what separates us. (And I have a plan for the photo blog.)

    For One Special ‘Thing’

    I’m guilty of this one.  I had a site that was a blog, and I wanted to make a ‘video’ section.  So I made a MultiSite!  Boy was that dumb.  Two admin areas, two sections for layout, and I wanted the site to still look like ‘itself.’  I caught a clue later on and converted the whole thing to Custom Post Types!  Much easier to maintain!  Now I have a smaller, faster, site.

    Users Shouldn’t Know About Each Other (AKA Separate User Databases)

    Andrew Norcross pointed this out.  If you need users to be on different sites, but not aware that they’re on a network, don’t use MultiSite!  Now, yes, there are ways around this, however it’s an auditing nightmare for any large company, and a security risk that you should be aware of before you start.

    Curtiss Grymala points out that if you need totally separate user databases, this is a strong case against MultiSite.  Be it for security or just obscurity, if the users need to be separated, don’t do it.  There are workarounds, but you’ll spend more time on that than updating your sites.

    Hosting Small Client Sites

    I don’t host my Dad’s site, Woody.com, even though I maintain it.  Why?  Because, as Cristian Antohe said, he just needs a standalone WP install.  Would it be easier for me to have one place to go to upgrade him?  Yes and no.  He’s small, he doesn’t need a lot, and he now owns his domain, his site and his email, all in one place.  It costs him $7 a month, plus the number of meals he buys me when we’re in town together, and he’s master of his own domain.  This is great for him, because if he fires me, he still has everything.  Also, if he does something weird that spikes his traffic 500% (like last month), it doesn’t affect the rest of my sites.  Factor that into your budget.  Make your client own their own data.

    Users Need To Embed JS Into Posts

    This is not a bug, people.  Only the Super Admin on a MultiSite install has the access to include iframes, javascript, and other non-oEmbed’d data into posts! You don’t want them to!  If you’re running a MultiSite, you’re the big dog, and you’re responsible for limiting their actions to things that won’t take down everyone because they don’t understand what an insecure iframe hack is.  Yes, there’s a plugin that will let you allow this.  No, I won’t tell you what it is, because unless you’re running a 100% locked-down site, where you approve only users you know and trust with your car, you do not want to open this door.

    If you can’t give them the access they need via shortcodes, then they need to host themselves, or you host them separately.  Protect everyone on your network, and don’t give them unregulated access.
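
    One way to give users an embed "via shortcodes" without handing them raw HTML, as an added example that is not from the original post: a network-activated plugin that renders an iframe only for hosts the Super Admin has vetted. The shortcode name `safe_embed`, the `he_` function names and the allowlisted hosts are hypothetical.

```php
<?php
/**
 * Plugin Name: Allowlisted Embed Shortcode (illustrative, hypothetical names)
 *
 * Usage in a post:
 *   [safe_embed src="https://player.vimeo.com/video/123" width="640" height="360"]
 */

// Hosts the network admin has vetted. Assumed values; adjust per network.
const HE_EMBED_ALLOWED_HOSTS = array( 'www.youtube-nocookie.com', 'player.vimeo.com' );

function he_safe_embed_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'src' => '', 'width' => 640, 'height' => 360 ),
        $atts,
        'safe_embed'
    );

    // Reject anything that does not parse into scheme + host.
    $parts = wp_parse_url( $atts['src'] );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return '';
    }

    // HTTPS only, no embedded credentials or custom port, and an exact host
    // match (no suffix matching, so "player.vimeo.com.evil.test" fails).
    if ( 'https' !== strtolower( $parts['scheme'] )
        || isset( $parts['user'] ) || isset( $parts['pass'] ) || isset( $parts['port'] )
        || ! in_array( strtolower( $parts['host'] ), HE_EMBED_ALLOWED_HOSTS, true ) ) {
        return '';
    }

    // Clamp the dimensions so an embed cannot cover the whole page.
    $width  = min( 1280, max( 100, absint( $atts['width'] ) ) );
    $height = min( 720, max( 100, absint( $atts['height'] ) ) );

    // The user controls only src/width/height; every other attribute is fixed here.
    return sprintf(
        '<iframe src="%s" width="%d" height="%d" sandbox="allow-scripts allow-same-origin" referrerpolicy="no-referrer" loading="lazy"></iframe>',
        esc_url( $atts['src'], array( 'https' ) ),
        $width,
        $height
    );
}
add_shortcode( 'safe_embed', 'he_safe_embed_shortcode' );
```

    Because the markup is produced when the post is displayed, site users never need the ability to save raw iframes or script tags themselves, and a rejected URL simply renders nothing.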

    Users Need To Install Themes/Plugins

    Curtiss again reminded me that MultiSite doesn’t let you let your users install themes and plugins as they want.  You can, via the use of clever themes that save settings per site (like TwentyEleven) and plugins that allow you to tweak CSS (like WordPress.com Custom CSS), give them more customization, but you cannot give them access to install plugins and themes.  Why?  Because those things will be available to everyone on the whole Network. (There are plugins to manage plugins more granularly, and only permit some sites to use certain plugins, but again, this isn’t something everyone on your network should have access to do.)  Remember, we’re sharing here!

    Same Post, Every Site

    I keep running into this one.  “I want to have the same post pushed to every single site on my network!”  I understand why people do this, I just think they’re doing it wrong.  It’s not just that MultiSite is meant to be separate (aka individual) sites, it’s that you’re diluting your content.  The more different places someone can go to in order to get the information you’re providing, the less impact you have because you’ve given them too many options.  Decisions.  Make one. Also, as Andrea reminded me, identical content in multiple places is something spammers do. Google will downgrade your site ranking if you do this. (This doesn’t impact categories, tags and archives because of the use of canonical links.)

    Now, one user said he needed to do this as a business decision, because each of his (mapped) domains was a separate brand.  But the separate brands had shared data.  So … they’re not actually separate, but children.  Me?  I’d have everything link the shared data back to the master brand.  McDonalds may sub-brand out happymeal.com (they did!) and make a whole separate site, but if you click on their ‘Privacy’ link, you go back to macdonalds.com!  Why?  Because the parent brand is where that stuff belongs.

    BuddyPress Separation

    This comes from Andrea again.  If you need to have totally separate BuddyPress installs, use separate installs entirely.  Just … y’know, you can do it other ways, but it’s not worth it.

    What else?

    This list could go on and on, so jump in and tell me your reasons why you’d never use MultiSite!

  • New Plugin – WP Grins SSL

    WP Grins SSL is in development. So there’s that.

  • SSL Self Certification and WordPress


    I wanted to lock a single-site WordPress install down to use SSL admin because I’m a tin-foil hat wearing nerd. Or more to the point, I detest the idea of clear-texting passwords! Most of my problem was finding directions. See, I knew I had to add define('FORCE_SSL_ADMIN', true); to my wp-config.php file, but when I did that, I got an error:

    [Screenshot: SSL error on Chrome]

    Turns out I’d never turned on SSL for my server! My problem then became that I don’t want to shell out $100 a year for SSL when it’s just me on my server, no one else. Once I determined all I wanted was to create an SSL Self Signed Certificate on my server, which has WHM, it got a lot easier!

    There are drawbacks to self-signing.  Firstly, every time I login on a new browser, I have to tell it ‘Yes, trust me!’  That’s annoying.  If I was using this for other things, I’d have to remember to type in https every time, but WordPress is smart enough to redirect that for me.  Also, back in the day, Chrome was an idiot about them and wouldn’t let me use them!  But I used self-signed certificates without knowing it for ages, because my host set that up for cPanel and WebMail.  I’m not a business, it doesn’t bother me.  If I was, I’d charge more and shell out.

    [Screenshot: Chrome Cert Alert]

    All that error means is that “Hey, ipstenu.org signed this, and I don’t know who that is!” If you read further on that page, there’s a link to ‘Help me understand!’ and it explains:

    In this case, the certificate has not been verified by a third party that your computer trusts.

    Which is 100% true. By self signing, I’m skipping 3rd party verification and telling you to trust me. Looks scary, it’s really not if you know what you’re doing. If you’re willing to deal with this error every time you login on a new computer, then you too can SSL yourself to a little more safety!

    These directions will only help you if you’re using a VPS or dedicated server. You’re going to do all the work in WebHost Manager.

    1. Go to Main >> SSL/TLS >> Generate a SSL Certificate and Signing Request
    2. Fill in the fields – the passwords have to be alphanumeric, and remember to use the right domain. If you use www.example.com as your default, use that.  I use just example.com for all my sites so I did that.
    3. Save the data to a text document.
    4. Go to Main >> SSL/TLS >> Install a SSL Certificate and Setup the Domain
    5. Import your certificate data (or paste in from text)
    6. Select Submit

    If it works, Apache will restart and you’re done!  If not, you have to read the error.  My problem came with the domain details: [Screenshot: Browse/details]

    I was able to skip steps 1-3 and just go right to ‘browse’ since, apparently, at some point I’d done them before.  The problem was for my second site, it’s on my shared IP, which meant I had to put in the User of ‘nobody’ instead of the user name.  Not a big deal.

    After that, I was done and could log in to my site via SSL!

    But wait… What about MultiSite?  Well if you’re using subfolders, this is great.  Subdomains, however…  See the host name has got to be the domain name:  halfelf.org in this case.  So if I wanted to make one for all my subdomains… Owch.

    Then I thought that maybe, just maybe, the computers were smart enough on their own.  So I did this:

    [Screenshot: Create a New Cert - Wildcard]

    And then this:

    [Screenshot: Wildcard certificate install]

    Now, since I already had an ipstenu.org cert, I had to delete that one first. But once I did it, I was done. I turned my multi-site into something a little more secure!

    And now you can too.
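
    What a wildcard name does and does not cover on a subdomain MultiSite, as an added example that is not from the original post: a CLI script that self-signs a throwaway certificate with PHP's OpenSSL extension (the same generate-and-sign step WHM performs) and checks sample hostnames against it. The domain example.org, the host list and the `he_` function names are constructed for illustration.

```php
<?php
// Run from the command line: php wildcard-check.php
// example.org and the hosts below are constructed placeholder values.

// True when a certificate name covers $host. A leading "*." stands for
// exactly one label, so it matches neither the bare domain nor deeper names.
// Current browsers apply this rule to subjectAltName entries, not the CN.
function he_cert_name_covers( $pattern, $host ) {
    $pattern = strtolower( rtrim( $pattern, '.' ) );
    $host    = strtolower( rtrim( $host, '.' ) );
    if ( 0 !== strpos( $pattern, '*.' ) ) {
        return $pattern === $host;          // plain name: exact match only
    }
    $suffix = substr( $pattern, 1 );        // e.g. ".example.org"
    $dot    = strpos( $host, '.' );         // end of the host's first label
    return false !== $dot && $dot > 0 && substr( $host, $dot ) === $suffix;
}

// Generate a key, build a CSR and sign it with its own key. Signing with
// the same key (no CA) is what makes the certificate "self-signed".
function he_self_signed_cert( $common_name, $days = 365 ) {
    $key = openssl_pkey_new( array(
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ) );
    if ( false === $key ) {
        return false;
    }
    $opts = array( 'digest_alg' => 'sha256' );
    $csr  = openssl_csr_new( array( 'commonName' => $common_name ), $key, $opts );
    if ( false === $csr ) {
        return false;
    }
    $cert = openssl_csr_sign( $csr, null, $key, $days, $opts );
    return $cert ? openssl_x509_parse( $cert ) : false;
}

$info = he_self_signed_cert( '*.example.org' );
if ( false === $info ) {
    fwrite( STDERR, "OpenSSL could not generate the certificate\n" );
    exit( 1 );
}

$name = $info['subject']['CN'];
printf(
    "CN=%s self-signed=%s expires=%s\n",
    $name,
    $info['subject'] == $info['issuer'] ? 'yes' : 'no',   // issuer equals subject
    gmdate( 'Y-m-d', $info['validTo_time_t'] )
);

foreach ( array( 'test.example.org', 'example.org', 'a.b.example.org' ) as $host ) {
    printf( "%-18s %s\n", $host, he_cert_name_covers( $name, $host ) ? 'covered' : 'NOT covered' );
}
```

    Only test.example.org is reported as covered: a wildcard-only certificate leaves out the bare domain and anything more than one level deep, so those names need their own entry or certificate.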

  • All Subs Are Equal

    For years we’ve told people “The only difference between subdomains and subfolders is that search engines see subfolders as being all a part of the same site, and subdomains as separate sites.”

    That may not be true for very much longer.

    As August ended, Google dropped this little bomb casually:

    Most people think of example.com and www.example.com as the same site these days, so we’re changing it such that now, if you add either example.com or www.example.com as a site, links from both the www and non-www versions of the domain will be categorized as internal links. We’ve also extended this idea to include other subdomains, since many people who own a domain also own its subdomains—so links from cats.example.com or pets.example.com will also be categorized as internal links for www.example.com.

    via Official Google Webmaster Central Blog: Reorganizing internal vs. external backlinks.

    This is, I think, a good thing. They make sure you understand that ipstenu.wordpress.com won’t be the same as jane.wordpress.com, which makes sense since their own blogger platform runs off subdomains as well. Somewhere in their logic they know ‘Aha! Ipstenu doesn’t own wordpress.com! But she does own Ipstenu.org.’

    To reiterate,  this only affects things in Google’s Webmaster tools:

    This update only changes how links are displayed in Webmaster Tools. It doesn’t affect how links are valued in relation to the search algorithm or ranking. It has nothing to do with Panda, nothing to do with keywords, nothing to do with PageRank.

    I fully expect that it’s going to change and expand.  Since most of us end up registering our ‘master’ domain (i.e. ipstenu.org) off Google Webmaster, they can easily leverage the data they already have in order to tweak search engine results.  Another tactic would be to start using new meta type tags.  After all, the big guys already organized schema.org (which isn’t as picked up as it might be yet).

    Sidebar: Schema.org’s problem is how complicated it is to fold into CMS tools.  If they’d started by releasing this with a couple plugins/extensions for the popular open source tools like Drupal, Joomla, MediaWiki, MovableType and WordPress (which, as they’re open source, they could have), we’d be way ahead of the game.  As it stands, the one WordPress plugin I’ve seen requires you to import SQL tables!  If they get schema ironed out so it’s simple and easy to use, then we can add in ‘parent’ or ‘main’ site parameters to our code and every search engine can know ‘halfelf.org is internal to ipstenu.org, but taffys.ipstenu.org is not.’  And wouldn’t that be cool!

    Personally, I have ipstenu.org, ipstenu.org, halfelf.org and so on all listed separately in Google Webmaster right now.  I could do that with subfolders as well, to track data internally to itself (i.e. each subdomain/subfolder), and still track them at the master level with the main domain.

    So no effect on your SEO or ranking or any of that stuff, but a nice change for Webmaster Tools.

    Where do you see this going?

  • WordPress and the Erroneous Update Message

    It’s time for a little example in debugging!

    This domain is running WordPress trunk.  When I say that, what I mean is I’m running the very latest SVN, no more than four hours behind, thanks to a cron job.  At the moment I’m writing this, I’m on revision 18690.  I did this so that I could get off my butt and actually test things without having to think about it.  To a degree, it tells you how much trust I have in WordPress and the core commit team.  My whole site runs because they know what they’re doing.

    This doesn’t mean there aren’t errors, though.  So far I’ve been very “helpful” breaking the responsive CSS on the admin dashboard.  I’m sure Helen, Andrew and Andrew just adore me right now.  Yes, that was sarcasm.  My methodology is pretty straight forward.  Just Use WordPress on ipstenu.org.  If I find a problem, make a note and bring up my local install.  I can only do this at home, on my Mac, so usually I come home with three or four notes.  Update SVN manually on ipstenu.loc (yes) and ipstenu.org.  Is the problem still there?

    Most of the time the problem goes away.  When it doesn’t, I take a screenshot and make a trac ticket (though perhaps I should add them all to the one ticket… if any of you core folks wants to tell me, please comment away!).  I’ve also taken to popping onto the IRC channel -ui and chatting with people there before trac’ing.  Last night I found one, told someone working on the project, and she patched it right then and there.  Teamwork!

    Yesterday, I noticed my ipstenu.org site had a weird problem.  I have a subsite on the network called test.ipstenu.org (feel free to check it out).  It’s just there so when someone says “When I use this theme/plugin…” I can quickly go look.  I make fake posts, etc etc.  It’s quite seriously just for testing.  At one point, I’d spun up bbPress on that site.  I’d since turned it off, but it was on RC4.  RC5 just came out this week, and I had an update message on only that site, telling me to upgrade it.  Instead I deleted it.  That made the update notice go away on my network dashboard, like it should, but not on test.ipstenu.org.

    Say what?

    I tried to reproduce this like mad.  I installed bbPress RC4 on my local box, activated it, left it active, deleted it, and pretty much every which way I could think of to break it.  The error only happened on that site, even though bbPress had been running on another subsite as well!  I checked on multiple browsers, and wiped cache, logged out, nuked cookies, etc. Multiple computers even! Finally I gave up and said “I need help.”

    Weird WordPress MultiSite Question

    I have a multisite and one site on that network is showing that I need to update a plugin. Every other site correctly says “No Updates!” This one doesn’t.

    I’ve poked around, but I had assumed (bad me) that the admin bar would cache that network wide, somehow. But then why is it only on one site? So I wiped and rebuilt the wp_10_options table and it still shows up.

    I haven’t the foggiest idea why it’s happening. Luckily this is only on my test site, test.ipstenu.org, but it’s maddening.

    I don’t find a huge amount of use for Google Plus, but that was great for me.  I posted, I tagged it with my WordPress circles, and went to catch my train.  It was too long for a tweet, too weird for the forums as I didn’t want people to get fussy – I’ve noticed if I raise a post, it scares people.  I guess I have ‘street cred’ on WP and some people worry when I have a problem I can’t fix right away.  Flattering.

    I got replies from Raincoaster, Brad, Ron & Andrea, and Otto, who all said “That is weird.”  Andrea pointed out that it could be caching.  Brad asked about plugins.  Otto and Ron said that if it was cached, it was network wide (which made it even weirder to only see it on one site), and then Ron told me to look in wp_sitemeta table.  I was, I admit, already looking there, but I’d gotten distracted when I found the “Add a Link” page was broken on trunk.

    After Ron’s comment kicked my pants, I went to that table and thought to myself “Where are the caches?”  I knew this from ages back, that anything named _transient… was a cache.  There are tons of transient feeds in your wp_options table because the RSS feeds you see on the dashboard are cached.  Cool, right?  Well, what if, just what if one of them was corrupted?  You can delete them without hurting your site!  So I hovered my mouse over the update alert and noticed the mouseover said “1 Plugin Update.”  Then I looked at the transients and found this:

    _site_transient_update_plugins

    And I deleted it.

    And my error went away.
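
    The same check done through WordPress's own API rather than by deleting the row by hand, as an added example that is not from the original post: it lists cached update notices that point at plugins no longer on disk, then clears the cache and lets WordPress rebuild it. The `he_` function names and the file name are hypothetical; the sketch assumes WP-CLI is available to run it.

```php
<?php
// Run inside WordPress, for example: wp eval-file check-update-transient.php
// Function names and the file name are hypothetical.

// Return cached plugin-update notices whose plugin file is missing from disk.
function he_stale_plugin_update_entries() {
    // Stored as _site_transient_update_plugins (wp_sitemeta on MultiSite).
    $cache = get_site_transient( 'update_plugins' );
    if ( ! is_object( $cache ) || empty( $cache->response ) ) {
        return array();
    }

    $stale = array();
    foreach ( $cache->response as $plugin_file => $update ) {
        // Keys look like "bbpress/bbpress.php", relative to the plugins directory.
        if ( ! file_exists( WP_PLUGIN_DIR . '/' . $plugin_file ) ) {
            $stale[ $plugin_file ] = is_object( $update ) && isset( $update->new_version )
                ? $update->new_version
                : 'unknown';
        }
    }
    return $stale;
}

// Drop the cached result and force a fresh check, so the update count is
// rebuilt from the plugins that are actually installed.
function he_refresh_plugin_update_cache() {
    delete_site_transient( 'update_plugins' );
    wp_update_plugins();
    $fresh = get_site_transient( 'update_plugins' );
    return is_object( $fresh ) && ! empty( $fresh->response ) ? count( $fresh->response ) : 0;
}

$stale = he_stale_plugin_update_entries();
foreach ( $stale as $file => $version ) {
    printf( "Stale notice: %s (offers %s) but the plugin is not installed\n", $file, $version );
}

// Only touch the cache when something is actually wrong with it.
if ( $stale ) {
    printf( "Pending plugin updates after refresh: %d\n", he_refresh_plugin_update_cache() );
} else {
    echo "No stale entries found; cache left untouched\n";
}
```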

  • PMC Sues THR Over Open Source Code

    Bet you never thought you’d hear that one!

    Today Deadline’s Parent Company Sues The Hollywood Reporter’s Parent Company For Copyright Infringement. They posted a link to the complaint and its exhibits. And this is where I sat up and blinked.

    See, TVLine uses WordPress. And part of their claim is that their (I assume) home-grown plugin was lifted. Specifically this file: http://www.tvline.com/wp-content/plugins/todaysnews/js/jquery.featuredarticle.js

    Now, I’ll totally allow that the site stole the code. But it’s WordPress which means the code is GPL which means … they can. They’re dicks about it, mind you, but they totally can. I’m interested to see how this one plays out.

    ETA: By ‘the code’ I mean not JUST that .js file, but the HTML, the specific WordPress calls, etc. THR actually isn’t using WordPress, as it happens.