Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • WordPress and the Erroneous Update Message


    It’s time for a little example in debugging!

    This domain is running WordPress trunk.  When I say that, what I mean is I’m running the very latest SVN, no more than four hours behind, thanks to a cron job.  At the moment I’m writing this, I’m on revision 18690.  I did this so that I could get off my butt and actually test things without having to think about it.  To a degree, it tells you how much trust I have in WordPress and the core commit team.  My whole site runs because they know what they’re doing.

    This doesn’t mean there aren’t errors, though.  So far I’ve been very “helpful” breaking the responsive CSS on the admin dashboard.  I’m sure Helen, Andrew and Andrew just adore me right now.  Yes, that was sarcasm.  My methodology is pretty straightforward.  Just use WordPress on ipstenu.org.  If I find a problem, make a note and bring up my local install.  I can only do this at home, on my Mac, so usually I come home with three or four notes.  Update SVN manually on ipstenu.loc (yes) and ipstenu.org.  Is the problem still there?

    Most of the time the problem goes away.  When it doesn’t, I take a screenshot and make a trac ticket (though perhaps I should add them all to the one ticket… if any of you core folks wants to tell me, please comment away!).  I’ve also taken to popping onto the IRC channel #wordpress-ui and chatting with people there before trac’ing.  Last night I found one, told someone working on the project, and she patched it right then and there.  Teamwork!

    Yesterday, I noticed my ipstenu.org site had a weird problem.  I have a subsite on the network called test.ipstenu.org (feel free to check it out).  It’s just there so that when someone says “When I use this theme/plugin…” I can quickly go look.  I make fake posts, etc etc.  It’s quite seriously just for testing.  At one point, I’d spun up bbPress on that site.  I’d since turned it off, but it was on RC4.  RC5 just came out this week, and I had an update message on only that site, telling me to upgrade it.  Instead I deleted it.  That made the update notice go away on my network dashboard, like it should, but not on test.ipstenu.org.

    Say what?

    I tried to reproduce this like mad.  I installed bbPress RC4 on my local box, activated it, left it active, deleted it, and pretty much every which way I could think of to break it.  The error only happened on that site, even though bbPress had been running on another subsite as well!  I checked on multiple browsers, and wiped cache, logged out, nuked cookies, etc. Multiple computers even! Finally I gave up and said “I need help.”

    Weird WordPress MultiSite Question

    I have a multisite and one site on that network is showing that I need to update a plugin. Every other site correctly says “No Updates!” This one doesn’t.

    I’ve poked around, but I had assumed (bad me) that the admin bar would cache that network wide, somehow. But then why is it only on one site? So I wiped and rebuilt the wp_10_options table and it still shows up.

    I haven’t the foggiest idea why it’s happening. Luckily this is only on my test site, test.ipstenu.org, but it’s maddening.

    I don’t find a huge amount of use for Google Plus, but that was great for me.  I posted, I tagged it with my WordPress circles, and went to catch my train.  It was too long for a tweet, too weird for the forums as I didn’t want people to get fussy – I’ve noticed if I raise a post, it scares people.  I guess I have ‘street cred’ on WP and some people worry when I have a problem I can’t fix right away.  Flattering.

    I got replies from Raincoaster, Brad, Ron & Andrea, and Otto, who all said “That is weird.”  Andrea pointed out that it could be caching.  Brad asked about plugins.  Otto and Ron said that if it was cached, it was network wide (which made it even weirder to only see it on one site), and then Ron told me to look in the wp_sitemeta table.  I was, I admit, already looking there, but I’d gotten distracted when I found the “Add a Link” page was broken on trunk.

    After Ron’s comment kicked my pants, I went to that table and thought to myself “Where are the caches?”  I knew this from ages back, that anything named _transient… was a cache.  There are tons of transient feeds in your wp_options table because the RSS feeds you see on the dashboard are cached.  Cool, right?  Well, what if, just what if one of them was corrupted?  You can delete them without hurting your site!  So I hovered my mouse over the update alert and noticed the mouseover said “1 Plugin Update.”  Then I looked at the transients and found this:

    _site_transient_update_plugins

    And I deleted it.

    And my error went away.
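    The fix above works because a transient is just a cache row WordPress will rebuild the next time it checks for updates (the same thing `delete_site_transient( 'update_plugins' )` or `wp transient delete update_plugins --network` does). The script below is an added example, not code from the post: it takes rows shaped like a `SELECT meta_key, meta_value FROM wp_sitemeta` dump (the sample rows are constructed, not real data), groups the transient rows by name, shows which ones carry a `_site_transient_timeout_` companion row and whether that timeout has passed, and builds the DELETE statement for a given transient so both rows go together. The point it adds to the post: a transient set without an expiry, like `update_plugins`, has no timeout row, so nothing ever ages it out on its own; a stale or corrupt one sits there until something overwrites or deletes it.

```python
"""List WordPress transient rows and build the cleanup statement for one.

WordPress stores a transient as two rows in the options/sitemeta table:
  _site_transient_<name>          (or _transient_<name> per site)  = cached value
  _site_transient_timeout_<name>  (or _transient_timeout_<name>)   = Unix expiry
The timeout row only exists when the transient was set with an expiration.
"""
import re
import time

# Constructed sample, shaped like a wp_sitemeta dump.  Not real data.
SAMPLE_ROWS = [
    ("site_name", "Example Network"),
    ("_site_transient_update_plugins",
     'O:8:"stdClass":1:{s:12:"last_checked";i:1313999000;}'),
    ("_site_transient_timeout_theme_roots", "1313000000"),
    ("_site_transient_theme_roots", 'a:1:{s:9:"twentyten";s:8:"/themes";}'),
    ("_site_transient_timeout_poptags_40cd750bba9870f18aada2478b24840a", "9999999999"),
    ("_site_transient_poptags_40cd750bba9870f18aada2478b24840a", "a:0:{}"),
]

# _site_transient_timeout_<name>, _site_transient_<name>, _transient_<name>, ...
TRANSIENT_RE = re.compile(r"^_(site_)?transient_(timeout_)?(.+)$")


def list_transients(rows, now=None):
    """Group transient rows by name.

    Returns {name: {"scope": "site"|"blog", "timeout": int|None, "expired": bool}}.
    "site" means a wp_sitemeta (network-wide) transient, "blog" a per-site one.
    A transient with no timeout row never expires by itself.
    """
    now = int(time.time()) if now is None else now
    found = {}
    for key, value in rows:
        m = TRANSIENT_RE.match(key)
        if not m:
            continue
        site, timeout, name = m.groups()
        entry = found.setdefault(
            name, {"scope": "site" if site else "blog", "timeout": None, "expired": False}
        )
        if timeout:
            entry["timeout"] = int(value)
            entry["expired"] = int(value) < now
    return found


def cleanup_keys(rows, name):
    """Every meta_key that must go to clear transient `name`: the value row
    and, when present, its timeout companion (in table order)."""
    keys = []
    for key, _ in rows:
        m = TRANSIENT_RE.match(key)
        if m and m.group(3) == name:
            keys.append(key)
    return keys


def delete_sql(table, rows, name):
    """Build the DELETE for `name` in `table`, or None if nothing matches.
    The caller runs it; WordPress rebuilds the transient on next use."""
    keys = cleanup_keys(rows, name)
    if not keys:
        return None
    quoted = ", ".join("'%s'" % k for k in keys)
    return "DELETE FROM %s WHERE meta_key IN (%s);" % (table, quoted)


if __name__ == "__main__":
    for name, info in list_transients(SAMPLE_ROWS, now=1314000000).items():
        print(name, info)
    print(delete_sql("wp_sitemeta", SAMPLE_ROWS, "update_plugins"))
```

    On a multisite, per-site transients live in each `wp_<blog_id>_options` table as `_transient_*` rows, so the same functions work on a dump of those tables with the table name swapped in `delete_sql`.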

  • PMC Sues THR Over Open Source Code

    Bet you never thought you’d hear that one!

    Today Deadline’s Parent Company Sues The Hollywood Reporter’s Parent Company For Copyright Infringement. They posted a link to the complaint and its exhibits. And this is where I sat up and blinked.

    See, TVLine uses WordPress. And part of their claim is that their (I assume) home-grown plugin was lifted. Specifically this file: http://www.tvline.com/wp-content/plugins/todaysnews/js/jquery.featuredarticle.js

    Now, I’ll totally allow that the site stole the code. But it’s WordPress which means the code is GPL which means … they can. They’re dicks about it, mind you, but they totally can. I’m interested to see how this one plays out.

    ETA: By ‘the code’ I mean not JUST that .js file, but the HTML, the specific WordPress calls, etc. THR actually isn’t using WordPress, as it happens.

  • Oversight and Responsibility


    I was actually asked by a handful of people what my thoughts on this were, and while part of me is loath to wade in (I’m loath because someone will accuse me of being pro-WP or anti-Devpress, and ignore the fact that I’m a Devpress affiliate or that I don’t work for WP. I don’t pretend to know all the answers, or the reasons, but I know what bothers me.), I agree it’s something that affects the open source community. Personal attacks aimed at me will be deleted.

    I’ll let WPCandy sum it up:

    Yesterday I posted about DevPress’ offer of free memberships to any WordCamp attendees, provided the WordCamp organizers are legit and contact DevPress about their interest. A number of organizers showed interest in the comments of that post, and WordCamp Philly organizer Doug Stewart announced the deal for attendees on their blog.

    Then, last evening, WPCandy was contacted by Andrea Middleton, who took an administration role with WordCamp Central earlier this year. Middleton notified WPCandy that, under the WordCamp guidelines (specifically the part on fundraising), WordCamp organizers should not allow companies that are not sponsoring their event to do giveaways at a WordCamp. (Source: WPCandy – Devpress deal for WordCamps is against WordCamp Central Guidelines.)

    They cover the situation pretty well, but the comments on WPCandy and the twitterverse are what have upset me, greatly. This whole mess was blown out of proportion and could have been handled quietly and maturely off book, without any of the name slinging and finger-pointing that I’ve seen.

    What went wrong?

    WordCamp Philly should have said “Let’s double-check about the rules, because this is a grey area.” They made a perfectly understandable human ‘gaffe’ and assumed it was cool, because we all know Devpress is cool and GPL and basically awesome.

    Devpress should have said “I want to give things away at WordCamps.  I’ll ask the head honchos at WordCamp and find out what I need to do!”  They too made a perfectly normal mistake, assuming that WordCamp Philly would do any needed due diligence.

    One of the many things I’ve learned working for The Man is that people see a server on fire and always assume someone else has reported it, right up until you run in with a fire extinguisher and shout at them. (That’s a true story.)  I always quote Lord Buckley here: If you know what to do and you don’t do it, there you bloody well are, aren’t you?

    The right thing was to look before you leap and not assume.  People made mistakes.  They could have kept it all off the funny pages, too, by being patient.  WordCamp telling WPCandy “Hey, sorry, not so much kosher.” was a polite heads up, and WPCandy, being journalistic in inclinations, ran with the story.  Devpress’s rep was, understandably, frustrated and upset at the smack down and at the slowness of resolution, and it showed.  But as a ‘formal’ statement, his email is an example of the need for a bit of PR. (This mess is in part why I don’t consider websites like WPCandy (and certainly not this site!) to be journalism.  There’s an attitude and (supposedly) ethics by which journalists abide and a code to follow about how to handle this.  One of them is that WPCandy’s email should have explicitly stated that Justin’s response would be posted on their blog.  I studied journalism for a year, and I know I’m not a journalist!)

    Who is right?  Devpress or WordCamp?

    A lot of ‘right and wrong’ ties into my last two big posts, about legality and morality. I’ll put it plain and simple for you: If you’re going to have a WordCamp, which is sanctioned and branded by WordPress, then you are obligated, legally and morally, to abide by their guidelines.

    The rest of the bitching is commentary. If you don’t like WordPress’s rules and regulations, don’t use them. It’s just like the theme and plugin repos. If you don’t want to follow those guidelines, then you self-host, and as long as you abide by GPLv2, everyone’s happy. But WordCamp is run by WordPress, and they get to make the rules. No one’s stopping you from making ‘BlogCamp’ or whatever you want. You could probably even get away with using ‘Word’ in the title, though you would be wise to make it painfully clear that it was not a sanctioned WordPress event.

    WordCamps are an extension of WordPress.org and the WordPress Foundation, which means that they are not community ‘owned’ products, though they are community driven.  Maybe people are forgetting that, at the end of the day, the responsibility for WordCamp, and WordPress, is not us.  We’re the result, and the reason, but not the responsibility.  If WordPress vanished tomorrow, we could fork it and move on, make our own forums, and actually be okay.  But right now, we’re all taking advantage of a free product.  We give up our time and our efforts for something that doesn’t directly make us money.

    Why isn’t the community in charge?

    That points right back to the heart of the issue for me.  The community isn’t in charge because it’s not a Big Dog.  At the end of the day, every project needs someone to stand up and say “This is what we’re doing.”  We need a big dog, someone to be in charge, and someone to draw a line.  A lot of people have made noise that this should be a person the community votes on and approves.  I disagree.

    WordPress was never about ‘community’ in that sense.

    The community doesn’t provide oversight to the plugins, the themes, or the forums on WordPress.org.  Sure, we volunteer our time, but we don’t all have trac commit privileges, do we?  We are not where the buck stops for this, and we have to keep that in perspective. You can tout all you want about doing what the ‘community’ wants, but the community provides ideas, suggestions, dreams and hopes. Someone else looks at the bottom line and says yes or no.

    That’s really very freeing to me.  That makes it easy for me to say ‘You know, I really hate this new thing.’ and I don’t feel like they’re going to revoke my license.  As long as I keep it all in perspective and remember that I don’t have to like it, but as long as I play this game, them’s the rules, and it’s okay.  You can support the tool without loving every aspect of it, and no one says otherwise.

    The responsibility of oversight belongs with WordPress, not you or me, and the fallout does too.  A community has trouble being in charge like that because oversight ‘committees’ rarely work to anything but mediocrity.  As it stands today, WordPress is benignly governed by a company who listens, pays attention, and respects us, even if they don’t do everything each individual wants, and they keep their eye on the scope. (Perhaps by comparison, you should read up on the growing pains Drupal’s had recently.  Not enough oversight there, perhaps, but I have to study more about their entire situation to know for sure.)  If everything goes great, we ignore our overlords, and when we don’t like something, we vilify them.

    Why are you so mad about this?

    The vilification.

    I’m upset to see people being mean to each other. People are blaming each other, calling names, and pointing fingers. Of course this is a situation that makes people angry and emotional, but if we’re running a business, we don’t get the luxury of doing that publicly anymore. You no longer speak for yourself, you speak for your group. (I run a fan website for an actress.  Every single time I speak my own speculation about the TV show she’s on, someone assumes I know something secret and am not telling them, or I’m hinting at what’s to come.  I no longer am able to speak for me the fan because of this.  Trust me, I know how daft it is, and I hate it.)

    But the problem is I see a lot of name calling aimed at one person alone. That really bothers me because it looks like people are attacking a person and not remembering that the WordPress Foundation manages WordCamps. NOT the community. NOT the sponsors. NOT you or me. Hell, not even the volunteers who are doing the work!

    The Foundation.

    If you have a problem with WordCamp and the WordPress Foundation, do the right thing and take it to them.

    Most importantly, we need to be patient with each other. You don’t change the world in a day. Sure, we’re used to a fast paced world, where decisions are made on a dime and the whole status quo changes in the time it takes to svn up. But things still need to happen with thought and understanding. We have to look at the whole situation. And that’s why with responsibility comes the need to have oversight.

  • Multiple “Share This” On Your Front Page


    So you want people to be able to easily share your posts, and you install Jetpack and configure it so that the happy icons only show up on posts and pages (since you can’t make it show on only posts).

    Share This Settings

    Then you decide to make a Static Front Page so everything looks pretty. Except you get multiple instances of the sharing links! That isn’t what you wanted at all!

    The problem is that when you make a static front page, it’s actually not an index page. It is simply a page using a template. Strictly speaking, it’s not an archive page, nor an index page, and because of that it’s treated like any other page and the ‘share this’ settings treat it ‘correctly’ by showing itself every time a page/post is called. I did report this to Jetpack, by the way, and they were a bit torn on if this is Jetpack being silly or something that needs to be addressed in core (that is, does WordPress need to grow up and treat a static front page as an index page).

    While they’re hashing this out, you can fix it yourself, which is a relief to those of us who ran into this.

    The easiest (and actually best) way is to use the WordPress template hierarchy to your advantage. If you use a front-page.php file instead of a static front page, WordPress knows that it’s an index page. This is the best way because you don’t make any extra ‘calls’ to the code. WordPress tucks it away on its own. To do this, if you’re using a page template, just copy the template (say page-snarfer.php) into front-page.php and call it a day. Depending on your theme, you may need to add a call to any special classes being called. (I know that if you use Hybrid Core, you need to add a call to page-template-home for it to format right.)

    But sometimes you can’t do that. Like if you’re on MultiSite and you use the same theme for multiple sites and you don’t want them all to have the same style of front page. Well now we have a minor problem. First thing to do is turn off sharing for the page you’re using as the static front page.
    Turn off sharing

    Doing just that brought me to this:
    One Less Share This

    In this case, I’m using a static front page with some content, formatted via the Twenty Eleven “Showcase Template” to show recent posts below my content. The first post shows up as an excerpt and then the rest show as titles with links (apologies for the different color):
    Multiple Posts - One Share This

    So for this theme it works perfectly and I’m happy as can be. This method also works if you’re using a Static Front Page without a page template!

    But. That doesn’t work for all themes. And this is where we have to do the ugly things we don’t want to do. We have to edit CSS. In and of itself, this is pretty easy, but I think it’s a poor choice because all this will do is hide the icons from displaying, and that means the code still gets rendered and called, and that means you’re putting more work into loading your page than you need.

    Sometimes you just can’t fix it the best way, and acknowledging that, here’s how to do it. First, you must be using a page template for your static front page. (I said this once before, but it bears repeating: If you’re not using a page template, you can fix this by just turning off the sharing for the page.) Open up that template and look for something like this:

    <div id="primary" class="showcase">

    Once you’ve found it, you just have to add in a CSS call:

    div#primary.showcase div.sharing {display:none;}

    That says “In the primary.showcase div, if anything’s using the div sharing, hide it.” Not the most elegant or efficient way about it, but it gets the job done.

  • TimThumb and the Pseudo (D)DoS Effect


    Over the course of a day, my server rebooted httpd twice. That’s not a common thing for me, as after days and hours of work, I managed to finagle my server into a semblance of stability so it could handle massive loads. At first I thought it was due to a traffic spike of about 1500% (no I did not screw up a decimal place there, my traffic went from a couple hundred to nearly 4000 in one day). Then I thought that couldn’t be right, because my traffic had actually mellowed out by the time I was crashing.

    So I went to my emails and pulled up the Apache Status log and noticed that 70% of the calls to my site were GETs to pages like this:

    /wp-content/themes/newsworld-1.0.0/thumb.php?src=/g0../0d1.
    /wp-content/themes/DeepFocus/tools/timthumb.php?src=/g0../0
    /wp-content/themes/TheProfessional/tools/timthumb.php?src=/

    And thanks to that massive spike in traffic, my server was slowing down to the point that HTTP was becoming unresponsive and it had to reboot itself. In short, the TimThumb exploit was causing my server to behave like it was under a Denial of Service Attack, even though I don’t use TimThumb! My server was able to handle this, but if I’d been back on my old Shared Server, I’d probably have not gotten a text from the server at 11pm saying “Man, we had to reboot, but it’s okay now. Can I have a beer?”, but instead woken up to ‘Dude, where’s my website!?’ And this is with having a fantastic web host who cares and takes the time to help me out.

    Normally this is where I’d tell you what to do if you’ve been infected via the TimThumb exploit, but Cleaning Up the TimThumb Hack covered it pretty well. Just remember this, if you have been infected, you must reset all your passwords. This is true of any and all hacks. As soon as someone has access to meddle with files on your server, you could be hurt worse than you know. At the very least, you need to read the post “Technical details and scripts of the WordPress Timthumb.php hack” by the guy who ‘fixed’ TimThumb.

    What I wanted to do here was sort out how to block people who were looking for timthumb.php files (I can’t block thumb.php as I use that filename elsewhere). Reading up on Perishable Press’s Stupid .htaccess Tricks it’s clear we can do this:

    # prevent viewing of a specific file
    # <Files> matches the filename in any directory under this .htaccess,
    # so one rule covers every theme's tools/timthumb.php
    <Files timthumb.php>
     order allow,deny
     deny from all
     # Apache 2.4 equivalent of the two lines above: Require all denied
    </Files>

    That should simply block access. An .htaccess block is a pretty simple way to reduce your server load, because people are getting punted before they get very far into things. Still, it’s something I have to install on each account on my server. Right now they’re just hammering ipstenu.org, and this is not the only domain on my server. This is, by the way, the same problem with using a plugin like WordPress Firewall. It’s a fantastic idea, if all you have is one account on a server. Protect yourself.

    I don’t. I run a VPS, and I have four domains here which I should be protecting. It’s easy enough to make that change on all four, plus two other external servers, but is that the best use of my time? I say no. I think I should automate as much of this as I can. What I really want is to say ‘If you’re looking for timthumb.php, then the odds are you’re looking for security vulnerabilities, and you need to just die in a fire.’ Or at least firewall block them. Seeing as I already have CSF on my server, it was logical for me to start there.

    Blocking an IP is easy, and I can do it via command line or GUI. Auto-detecting a URL though, is more complicated. Part of me thinks that, much like I can auto-block someone who tries to log in with any ID 10 times in a row, I should be able to add in a file pattern somewhere. Turns out you can’t, at least not the way I wanted. Instead, you have to do it differently.

    TimThumb’s exploit scanner isn’t actually a DDoS Attack, but it acts like one. A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make your site unavailable. Basically they hit your site with so much traffic that it’s incapable of its job: serving up webpages to happy readers! That’s why I call this a pseudo (D)DoS attack. The goal of the scanner is to see if you’re using Timthumb and, if so, to be evil. It’s not really distributed (i.e. multiple computers at once), though because of the number of people running the exploit scanner, it can seem that way. The side effect is that your site is hammered and can’t do what it wants. Which leads us to Connection Tracking.

    CSF has a tool called ‘Connection Tracking’ which lets you limit how many times a specific IP can hit your site at once before they get tossed to a shit-list. I set this to 300, and told it to only scan ports 80 and 443 (because I need to have unlimited FTP, and sometimes I log in from different IPs – yes, my home IP is on the whitelist).

    Connection Tracking. This option enables tracking of all connections from IP addresses to the server. If the total number of connections is greater than this value then the offending IP address is blocked. This can be used to help prevent some types of DOS attack.

    Care should be taken with this option. It’s entirely possible that you will see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD and HTTP so it could be quite easy to trigger, especially with a lot of closed connections in TIME_WAIT. However, for a server that is prone to DOS attacks this may be very useful. A reasonable setting for this option might be around 300.

    Setting this up is a little less obvious for the new person. Go to WHM > Plugins > ConfigServer Security & Firewall and look for “Firewall Configuration”
    CSF Firewall Configuration

    Click on the button, look for CT_LIMIT and change it to 300.
    CT_LIMIT settings

    Scroll down, click ‘Change’ and then restart CSF.

    Now, you could put this as low as 100, or as high as you want, but I did some reading and 300 seems like something not too likely to trip innocent people up, but just enough to catch the bad guys. I may want to lower this to 200 or so, but I know that a lot of people come to one part of my server for the image gallery, and they tend to open lots of pages at once. I don’t want to hurt them. The other thing to keep in mind is how short the block time is. The IP block is set for 30 minutes, which isn’t much at all, but it could be just enough to make the transient DDoSers go away. ETA: As of February 2012, I’ve actually lowered this to 50, and it’s made a world of difference! My day to day CPU is a little higher, but the number of spikes that caused outages has dropped.

    I’m not doing this to stop the people who want to bring my server to its knees. I’m doing it to stop the people who are ‘scanning’ for exploits. A true DDoS is hard to block because as soon as I block it, I have to defend against it again and again. CSF would be like a sump pump in your flooded basement, always running until it burns out the motor. It comes from too many sources, and for the little guy (i.e. me), I may just have to shut things down for an hour and wait it out. But these scanners, well, I can block them with this trick, and not hurt my server doing so!
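    The post spots the scanner by eyeballing the Apache status output for timthumb.php requests, and then leans on CSF’s per-IP connection count to block it. The script below is an added example (not the post’s code, and not part of CSF): it runs the same two ideas over a few access-log lines in Apache’s combined format. The log lines are constructed for the example and reuse the request paths quoted above; the IPs are documentation addresses, not real clients. The probe heuristic is my assumption: a request for `timthumb.php` or `thumb.php?src=` that got a 404 is a scanner guessing at theme directories, while a 200 for a `thumb.php` that really exists (the author’s own use of that filename) is left alone. The threshold is a per-IP count of probe hits in the log window, which is the log-side cousin of CT_LIMIT, not the same number: CT_LIMIT counts open connections at one instant, so the two need separate tuning.

```python
"""Find TimThumb exploit scanners in Apache access-log lines.

Added example.  Reports what share of requests were probes (the post's
"70% of the calls" figure) and which client IPs crossed a per-IP probe
threshold, so they can be fed to a firewall deny list by hand or script.
"""
import re
from collections import Counter

# Probe signature, from the request paths in the post: timthumb.php or
# thumb.php with a src= parameter.  Status is checked separately below.
PROBE_RE = re.compile(r"/(?:tim)?thumb\.php\?src=", re.IGNORECASE)

# Apache combined log: "IP ident user [time] "METHOD path proto" status size ..."
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

# Constructed sample log.  203.0.113.7 hammers three theme paths that do not
# exist here (404); 198.51.100.9 is an ordinary reader whose thumb.php call
# is the site's own, working image script (200).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Sep/2011:22:58:01 -0500] "GET /wp-content/themes/newsworld-1.0.0/thumb.php?src=/g0../0d1. HTTP/1.1" 404 213
203.0.113.7 - - [03/Sep/2011:22:58:01 -0500] "GET /wp-content/themes/DeepFocus/tools/timthumb.php?src=/g0../0 HTTP/1.1" 404 213
203.0.113.7 - - [03/Sep/2011:22:58:02 -0500] "GET /wp-content/themes/TheProfessional/tools/timthumb.php?src=/ HTTP/1.1" 404 213
198.51.100.9 - - [03/Sep/2011:22:58:05 -0500] "GET /2011/09/some-post/ HTTP/1.1" 200 9182
198.51.100.9 - - [03/Sep/2011:22:58:06 -0500] "GET /wp-content/themes/mine/thumb.php?src=wp-content/uploads/pic.jpg&w=100 HTTP/1.1" 200 4410
192.0.2.44 - - [03/Sep/2011:22:58:07 -0500] "GET /wp-content/themes/Foo/tools/timthumb.php?src=/ HTTP/1.1" 404 213
"""


def parse_line(line):
    """Return {"ip", "method", "path", "status"} or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}


def is_probe(req):
    """Heuristic (assumption): a thumb/timthumb hit that missed is a scanner."""
    return req["status"] == 404 and PROBE_RE.search(req["path"]) is not None


def probe_stats(lines):
    """Return (total parsed requests, Counter of probe hits per client IP)."""
    total = 0
    probes = Counter()
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        total += 1
        if is_probe(req):
            probes[req["ip"]] += 1
    return total, probes


def probe_share(lines):
    """Fraction of parsed requests that were probes (0.0 for an empty log)."""
    total, probes = probe_stats(lines)
    return 0.0 if total == 0 else sum(probes.values()) / total


def scanners(lines, threshold):
    """Sorted client IPs with at least `threshold` probe hits in the window."""
    _, probes = probe_stats(lines)
    return sorted(ip for ip, n in probes.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("probe share: %.0f%%" % (100 * probe_share(lines)))
    print("scanners at threshold 3:", scanners(lines, 3))
```

    Run against a real log, the threshold does the same job the CT_LIMIT paragraph describes: low enough to catch a scanner cycling through theme names, high enough that a gallery visitor opening many pages at once is not caught, and a 404-only match keeps a site that legitimately serves thumb.php out of the list.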

  • United States Patent: 8010458

    An online social network is provided in which members of the online social network control who may view their personal information and who may communicate with them. The members control who may view their personal information by setting a visibility preference. A member may not view another member’s full personal profile if the measure of relatedness between the two is greater than the visibility preference of the other member. The members also control who may communicate with them by setting a contactability preference. A member may not communicate with another member if the measure of relatedness between the two is greater than the contactability preference of the other member.

    via United States Patent: 8010458.

    It’s official. The US patent office is useless.