Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • HTTPS and WordPress

    HTTPS and WordPress

    Really there’s a right way and a not-quite-as-right way to handle HTTPS on WordPress. It’s not that hard to do, and if your whole site is going to be HTTPS, then the easiest way is to change your home and site URLs to be https://example.com/ and put define( 'FORCE_SSL_ADMIN', true ); in your wp-config.php file. Then you should (if this is an existing site) search your database for the old HTTP url and change that to HTTPS.

    Seriously, that’s it. That tells WordPress to be HTTPS all the way and you’re done. Of course, that doesn’t actually work 100% for everyone, because there are some silly plugins and themes that do things like this:

    add_action('wp_enqueue_scripts', 'enqueue_google_maps');
function enqueue_google_maps() {
  wp_enqueue_script('google-maps', 'http://maps.googleapis.com/maps/api/js?&sensor=false', array(), '3', true);
}

    The problem there is they’ve defined the script as HTTP and if your site is HTTPS then you’re going to get mixed content messages. And the real issue here is that means your connection is only partially encrypted! That non-encrypted content is accessible to sniffers and can be modified by man-in-the-middle attackers. This, clearly, is not safe anymore. The right way to do your enqueues is with protocol relative URLs:

      wp_enqueue_script('google-maps', '//maps.googleapis.com/maps/api/js?&sensor=false', array(), '3', true);

    Alternately you can just use the HTTPS url, because that won’t break HTTP visits and it won’t make anything less secure.

    But. Since you really can’t go in and edit all your themes and plugins, the plugin WordPress HTTPS is the way to go. That can force everything around. I know it’s not updated in a long time, but it still works. I keep thinking I’ll fork and clean it up… Well in my free time. The point of that plugin is that it lets you force everything to HTTPS, and will rewrite things on the fly. It’s a good idea.

    Instead of using the plugin, I’ve seen a lot of people do this in their .htaccess:

    RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://example.com/$1 [R,L]

    In and of itself, this isn’t wrong. This forces everything HTTP to redirect to HTTPS. The problem is you’re still actually sending data from WordPress over HTTP first, and you’re right back to opening up to man-in-the-middle attacks because the data from WordPress goes from HTTP first and that’s, say it with me kids, insecure!

    Now that said. This should be okay for most things. The POST calls should be sent securely, and all you should see on the return end is everything after that 301 redirect, but we can’t be absolutely sure about this. My buddy Jan used mod_substitute to force HTTPS (back before he moved to nginx). His code looks like this:

    <Location />
 AddOutputFilterByType SUBSTITUTE text/html
 Substitute "s|href="http://example.com/|href="https://example.com/|"
 Substitute "s|href='http://example.com/|href='https://example.com/|"
 Substitute "s|src=\'http:|src=\'|"
 Substitute "s|src=\"http:|src=\"|"
</Location>

    In doing this, he doesn’t need to worry about the HTTPS plugin I mentioned, because it forces everything with a src attribute to be protocol relative. He also doesn’t have to search/replace his content if he doesn’t want to, which makes switching back easier. If you wanted to do that. But as Jan pointed out to me, he switched to nginx because it’s easier and supports variable substitutions.

    Should you use .htaccess or nginx to force https instead of a plugin? That’s totally up to you. I use the plugin since I trust it to only mess with WordPress and not anything else I may have lying around. Also since my domains are often more than just WordPress, it’s a little easier for me to segregate their control. The flip side to this is that WordPress doesn’t redirect http traffic.

    By this I mean if you turn your whole site to HTTPS properly, you can still go to http://example.com/this-is-a-page/ and WordPress will load it as HTTP. This is and is not a bug. WordPress is (properly) trusting your server to tell it what it should be. Your server is saying “Be HTTP or HTTPS! Whatever!” Now there is a trac ticket to have FORCE_SSL really force SSL but that’ll be a while because there are a lot of complications in that change.

    So yes, for now, I would use .htaccess to add an extra later of SSL forcing, but with a bit of caution. If you’re proxying HTTPS (like you’re on a Varnish cache behind something like Pound or nginx) then you may need to use this code for your .htaccess redirect.

    RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

    The reason for this is Apache can’t always see SSL if it’s not in charge of it (because it’s proxied or handled by a load balancer), and to teach it where it really lives. The trick there is the code I just showed you may not be right because every server’s a little different. There’s a great StackOverflow post on the problems of redirect loops while forcing https that you should read.

    Good luck, and safe HTTPSing!

  • On Site Advertising: Affiliates

    On Site Advertising: Affiliates

    This is related to a series of reviewing on-site advertising I have used: Project Wonderful, Google Adsense, WordAds.

    So what about those affiliates?

    Affiliates are simply links to other sites that earn you money because, after clicking on your link, they buy something. And in my experience, they are never going to be the big money earners.

    I’ve used the following, in no particular order:

    All those links are affiliate links, by the way.

    Unless I’m making a post that has a direct link to them, like I’m discussing them specifically, they don’t get a lot of traffic. The problem is, like ads, where do you put affiliate links for the best traction?

    In a weird way, links like those are why spammers spam links. They trust people will click on the random links and buy a product. If you turn your affiliate links into banner ads, then you can be more successful, but now you just have more and more cluttering up your site.

    This is pretty much why I suck at them, though. I don’t enjoy marketing. I hate the push of sales. The way I buy things is I look around, I ask around, and I test. I know what features I want and, if I don’t, I actually do ask people for help understanding them.

    I’ve read multiple essays on how to effectively be an affiliate, and the advice boils down to what CopyBlogger says about being honest and authentic.

    But I do reviews rarely, which means affiliate links are just these links that sit around and look link ‘powered by’ links, which they really are. I will say that I don’t have an affiliate link for anything I don’t use.

  • Mailbag: Finding A Rogue WordPress Setting

    Mailbag: Finding A Rogue WordPress Setting

    After helping someone track down a weird WordPress setting, he asked the logical question:

    How did you even find that!?

    The issue was that a person was missing the menu option to edit their themes. I asked if they were also missing the menu option for editing plugins. As soon as he said yes, I knew it had to be the define to disable the plugin and theme editor:

    define( 'DISALLOW_FILE_EDIT', true );

    That literally says “No editing files!” So we looked first in the wp-config.php file for it and came up empty. Now as much as we yell at people for editing functions.php or at themes for creating a mess of settings that aren’t needed, I knew the fastest way to find it was this:

    $ grep -R 'DISALLOW_FILE_EDIT' ./wp-content/

    And as expected, that gave me a file: ./wp-content/plugins/ninjafirewall/lib/firewall.php

    Since we had wp-cli, I opened that file and looked for the term:

    // Disable the plugin and theme editor ?
if (! empty($nfw_['nfw_options']['disallow_edit']) ) {
       define('DISALLOW_FILE_EDIT', true);
}

    Then I ran this: wp option get nfw_options

    If you don’t have wp-cli, just pop into the database and look at the option value for nfw_options — either way you’ll see this:

    array (
  'logo' => 'https://www.example.com/wp-content/plugins/ninjafirewall/images/ninjafirewall_75.png',
  'enabled' => 1,
  [...]
  'disallow_edit' => 1,
  [...]
)

    I’ve snipped out a lot of the data, but you can see that disallow_edit is set to 1.

    We had the user change that setting. Imagine that. It worked!

    The moral of the story? Don’t make settings changes without reading what they do!

  • On Site Advertising: WordAds

    On Site Advertising: WordAds

    This is part of a series of reviewing on-site advertising I have used: Project Wonderful, Google Adsense, WordAds.

    My experience with WordAds has been a little spotty. In terms of revenue, it’s far superior to ProjectWonderful. That said ProjectWonderful (and Google Adsense) have some aspects that make WordAds less than attractive.

    I used WordAds for about 13 months, and while I loved the plugin they made, and I loved the support, the problems I have are with the system and the quality of ads. I want to stress that this is a ‘review’ of their beta product. I knew what I was getting into with a beta, but there were issues with the system that went beyond what I’d normally accept for a beta.

    A beta is expected to be functional and usable if buggy. WordAds was functional, but I had no control and no information, which made it unusable.

    I had no control over ad placement, which normally I would say is the ‘fault’ of the plugin, but in reality it’s clearly the decision of the service. It provides two ads: one below the first post on an archive page and one below the post content itself on a single post. The ads are exactly the same shape. Most of the time this is fine. On some of my sites, which use ‘non traditional’ layouts, it made them very, very janky.

    Additionally I have no control over what ads show. The default ads tended to lean towards ClickBait. I don’t like that, but it’s pretty minor since default ads always kinda suck no matter what system you use. Still, I couldn’t pick and close ads I found offensive. The winner for this service is Project Wonderful. For WordAds I had to right click, get the information of what had loaded, and send that in to get it blocked. Given that most users just say “Did you know you had a Rand Paul ad on your site?” this was impossible to manage for me.

    When I combine this with the lack of information … Here’s the ultimate reason I called it quits. There’s no dashboard. There is no way for a user to see analytics. I had no way see what ads are doing well and where which means I could never evaluate the impact of them on my layout. Like many professionals, I review SEO impact and ad displays. I couldn’t do that at all on WordAds to the point that they had to email me a report of my earnings.

    I was told the manual emailing of revenue was a temporary stop-gap while the new system was put in place. Six months later, not only was I still getting emails, but I actually didn’t get one for a month and had to politely ask someone on staff. They were, as always, totally awesome about it, but I felt the underlying current was they too were feeling the strain of a lack of automation. It felt like there was no managerial and resource investment in what should be a killer product.

    Having earnings be a black box is a crappy user experience. Having analytics be a ‘just trust us…’ world is useless if I want to improve my site quality and revenue. I’m all for set-it-and-forget-it (which is ironically why I love the plugin), but the user experience for the service itself was disheartening.

    Review

    • Ease of Registration: 4/5
    • Ease of use (on WordPress): 5/5
    • Ease of use (non WordPress): 0/5
    • Customizable: 0/5
    • Control: 1/5
    • Analytics: 0/5
    • Revenue: 3/5

    When they get out of beta, I may check them out again, but right now I don’t feel comfortable having my eggs in an invisible basket.

  • On Site Advertising: Google Adsense

    On Site Advertising: Google Adsense

    This is part of a series of reviewing on-site advertising I have used: Project Wonderful, Google Adsense, WordAds.

    Google Adsense is the grand daddy of ad systems, and if you can use it, it’s got the highest rewards. In the last 3 years, they’ve streamlined and upgraded and made the system incredibly nice to work with.

    I stopped using Adsense for the 3 years prior to this experience because I was frustrated with the lack of control. That’s far less the case today. You can now allow and block ads far more granularly than before. You can blacklist specific domains or specific types of ads. While it’s a little derpy to get the URLs, I was able to blacklist some anti-gay sites right away.

    Even though I still wish they’d just blacklist those people from making money in the first place (not Rand Paul, the hate sites), Google’s doing a much better job than they used to, and I feel morally better about it.

    Of course, while there are a bajillion WordPress plugins for it, there’s no official Google Plugin and because of that, I don’t use any plugin. The same code I wrote up for Project Wonderful is easily applied to how I want to use Google Adsense.

    Also Adsense remains the highest earner of any revenue stream I’ve used. Their current system even includes a scorecard, updating regularly, that explains how your site is doing:

    My scores are 5/5 mostly

    That ‘Site Health’ score being a 4 is due to WordPress putting ‘render blocking javascript‘ in the header. I’ll live. Everything else is fine.

    The interesting thing about Adsense is that Google’s rolling out something new. Google Contributor. And if you have adsense then it’s already on:

    Google Contributor is active

    I’m not entirely sure how it works, and I kind of want to see it be such that people can pick a site to sponsor, but the idea is a game changer I’m excited for. This alone was why I went back to Adsense.

    Review:

    • Ease of Registration: 4/5
    • Ease of use (on WordPress): 3/5
    • Ease of use (non WordPress): 3/5
    • Customizable: 5/5
    • Control: 3/5
    • Analytics: 5/5
    • Revenue: 4/5

    Adsense is old, but it’s aged well and Google’s treating it with love. It makes money, they appreciate that, and it shows.

  • Mailbag: Headers Already Sent

    Mailbag: Headers Already Sent

    Yasha from Russia asks for guidance!

    Hi I was searching on ways to resolve get header error in WP and saw your posts, which helped a chap with his website. I am a total beginner and having a nightmare with a divi template I am trying to upload. I have tried a ton of solutions on line and nothing worked. I would be grateful if you could provide me with some guidance. Unfortunately I am not in a position to pay you, but should our path cross I would be happy to offer you a few fine Belgian beers. Thank you in advance

    I don’t drink beer (I can’t stand fizzy drinks, I know, it’s tragic).

    I have to preface this with the honest truth. I hate Divi Templates. I’ve reached out to them under my company hat a couple times, never heard back, but I cannot stand their theme because of the first line in header.php for every single theme I’ve ever seen from them.

    <?php if ( ! isset( $_SESSION ) ) session_start(); ?>

    Pardon me while I rage flip a table.

    Why do I hate this? Sessions aren’t friends with caching. A session is used to store information for a user and have it accessible across all the pages of your website. Cool, right? The problem is a session is also saying “This user gets unique content and should have a unique experience.”

    Which kinda tells caching, and specifically Varnish caching, to take a long walk. WPEngine doesn’t allow you to use them because of that.

    But all that aside, how do you debug that Headers Already Sent?

    1. Turn on wp_debug
    2. Read the error
    3. Kill the plugin (or theme) causing it

    I hate to say it’s that simple, but it usually is.

    Warning: Cannot modify header information - headers already sent by (output started at /example.com/wp-content/themes/applesororanges/functions.php:60) in /example.com/wp-includes/pluggable.php on line 962

    That error means the problem is in the theme applesororanges and you check by swapping themes.

    When you get around to these, it’s a bit messier:

    Warning: Cannot modify header information - headers already sent by (output started at /example.com/wp-includes/functions.php:3560) in /example.com/wp-includes/pluggable.php on line 962

    The bit in ‘output started at…’ is a wp-includes folder! It’s unlikely core has bad code, so here you have to turn off all the plugins and switch to a default theme. There’s a reason that’s the way we debug, by the way. It’s hands down the fastest way to see if it’s you or not.

    If turning off all the plugins fixed it, great. Now turn them back on, one at a time, until you break it again.

    Remember! Sometimes it’s the combination of the plugins and theme that caused the problem, so be ready to pick a second best theme or plugin.