Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • URL Validation

    URL Validation

    I was writing a script for a rather complex series of checks on a website. I wanted to do what I thought would be simple. I wanted to grab the website headers and parse them to check if a site was WordPress or not.

    That was a weird and wild trip.

    In theory, this is all the code you need:

    filter_var($url, FILTER_VALIDATE_URL)

    But as it turns out, that’s actually not the best thing! I started using it but found that I could break it pretty easily and, since I was writing a tool I knew would be used by end-users (who are exceptionally creative when it comes to breaking things), I googled around and found this blog post on Why URL validation with filter_var might not be a good idea.

    Yikes! All I was mad about was that FILTER_VALIDATE_URL thinks http://foo is okay, even when you tell it you want the damn host.

    In the end I used this Strict URL Validator code but even then I had to wrap it around this:

    	// Sanitize the URL
	$gettheurl  = (string) rtrim( filter_var($_POST['url'], FILTER_SANITIZE_URL), '/' );
	$gettheurl  = (string) $_POST['url'];

	if (preg_match("~^https://~i", $gettheurl)) {
		$gettheurl = "https://" . $gettheurl;
	} elseif (!preg_match("~^(?:f|ht)tp?://~i", $gettheurl)) {
	    $gettheurl = "http://" . $gettheurl;
	}

	// Is it a real URL? Call StrictURLValidator
	require_once 'StrictUrlValidator.php';

	if ( StrictUrlValidator::validate( $gettheurl, true, true ) === false ) { 

		// Do the needful
	}

    In many ways, this makes some sense. What is and isn’t a URL can be tetchy to check. http://foo is real. I can use it locally. That’s why http://localhost can exist. And we can’t just say “if not .com/org/net” anymore (if we ever really could). But boy is my code clunky.

  • If You Know What To Do

    If You Know What To Do

    I tweeted this a few days ago.

    If you keep letting people make bad choices, they will KEEP MAKING BAD CHOICES!!!
    Developers, please stop letting your clients do things that you know are wrong! Change the web with your power!

    A few people joked about Nokia phones. I joked about sliders and auto-play videos.

    But the real issue, the crux of this, was marked when the following reply hit my stream:

    this is tougher when there’s a buffer of account execs, project managers, c-levels, stakeholders in the way 🙁

    Yes. It is. So what was I really talking about and what does this mean?

    If You Know What To Do…

    You’re an expert. You’re an expert designer, developer, programmer, writer, whatever it is you know you’re great at. You are. Let’s put the imposter syndrome issue on the shelf and accept our greatness for what it is.

    You know what’s right and what’s wrong. You know that keyword stuffing is bad. You know that not putting in alt/title tags for your images is bad. You know that auto-playing music will make us all want to kill you. You know that no one actually enjoys sliders. You know that mobile-first is the future. You know that CAPTCHA is inaccessible to many people. You know that China blocks WordPress.com.

    You know a lot of things. You’re an expert. And you’ve been hired to be that expert.

    … And You Don’t Do It …

    We’ve all been there when someone on your project team says that ‘sliders improve conversation rates.’ And most of us have replied with a link to http://shouldiuseacarousel.com/. We’ve told them how they suck. We’ve pointed out the security issues with them. We’ve shouted about how putting an ad in the middle stops people from clicking to the end. We’ve brought up mobile issues and lamented their speed issues.

    And then there are the times you don’t. There are times, more often than not, where you just go along with the flow. You hear “We need a slider.” and you do it. You just do it. It’s okay. We all did.

    While there are reasons to go along with your committee, there are reasons not to. Is a slider worth getting into a fight with people about? Probably not. But what about keyword stuffing? What about the slider that you know has security issues? What about those things you know will kill SEO? Do you say no? Do you stand up and say “This is bad and here’s why.”?

    … There You Bloody Well Are, Aren’t You?

    Those things you hate on the web? They’re our fault. Nor yours, ours. We don’t fight back when we know things are bad ideas. When we don’t stand up and say “This is not safe” then we are breaking the web. We have no one to blame but ourselves.

    It’s hard. It’s very hard to do this. You will fight tooth and nail over stupid small things. You will struggle with people telling you that you don’t know anything. And you will feel that nagging doubt of imposter syndrome.

    You’ll also lose sometimes. And that’s okay. The point is not to win all the time, the point is to educate. The point is to stand up and work to make the web better and not fall to the status quo of what you know is wrong. If you do that, if you keep teaching them and educating and explaining, you will chip away at the wrong and make it right.

    But if you’re not willing to do any of that, then you’re making everything worse.

    What was I actually talking about?

    I was complaining about a theme that didn’t allow you to edit the footer. You had to make a child theme to edit the footer, which is fine in and of itself, but it’s not very friendly. It’s a theme with a bazillion bells and whistles to add CSS and change colors, and yet it failed on the most basic of all things. You cannot edit the footer unless you understand the nature of child themes.

    There is a developer out there who’s trying to make a plugin that does all this for the user. His code is a nightmare not because he is a bad coder but because he’s working with a piece of shit theme that throws errors with WP_DEBUG and I haven’t even tried Theme Check on it. I’m afraid to.

    But he’s out there, trying to make things better for people and I think he needs to stop. He’s working with a theme that isn’t worth it. He’s trying so damn hard to make the web better, but he’s failing because he’s starting from a place where everything is broken to begin with.

    Simply put, he’s working to try and shine shit.

    Don’t help people use things that are broken. Fix them the right way. Fix the theme or, if they won’t fix it, stop using it and stop recommending it. It’s not worth your effort if they know what’s right and they won’t do it.

    There they bloody well are. Aren’t they?

  • Mailbag: Getting Started as a Freelancer

    Mailbag: Getting Started as a Freelancer

    Neil asks:

    I am a web technician and proficient in Wordpress. I’ve worked on a number of WP sites, as well as other types of scripts/sites. Some of my work has been volunteer, and assisted by Dreamhost’s non-profit hosting. Would you have any suggestions as to how or where one might be able to start in obtaining freelance work? I know it’s a bit presumptuous but I thought I’d ask- I’ve seen many of your posts in the Dreamhost forums helping out. Kindest Regards, Neil

    I should preface this with a reminder that I’m not a freelancer for a reason. I hate the constant hustle of it.

    I don’t think I’m really qualified to answer this one. But you know who is? Chris Lema. And you know who talked on the Matt Report about how to become a great freelancer?

    But that doesn’t answer where one gets freelance work.

    If I had to start from zero, I’d pick the WordPress Jobs Board and snag a couple people there. Chris Lema supports Codeable, though, so that’s also a really good pick.

    Hey readers, who do you use?

  • How Hackers Find You

    How Hackers Find You

    I made a bold statement that pissed someone off. I told him that hackers don’t use Google to find vulnerable sites and attack them.

    They don’t, you know. Sure, they can do that, and I’m certain some of them run scripts to collect a list of people to hit up, but that’s incredibly inefficient. The only kinds of people who do that, who get lists of websites to touch, are people who for good reasons need to do that. Like maybe running a script to ping all your domains and trigger a WordPress automatic update by kicking off cron. And sure, a hacker could use a tool like WPScan to collect all the awesome information. But they don’t.

    But like I said, doing that is inefficient. The longer it takes a hacker to find you, attack you, and break you, the more likely it is that you’ll be upgraded. With WordPress in specific, the moment that hacker hits your site, your WP install has probably already begun the upgrade to make you more secure. Assuming that, what a hacker wants, what they need, is to hit you once, hit you right, and hit you hard.

    What a hacker really does is use that annoying BotNet to distribute an attack on as many websites as possible in one blast.

    Do All Hackers Do This?

    I should clarify something. When I say ‘hackers’ I don’t mean a specific person who is out to get you, in particular, and wants to destroy your site. Those attacks take as much tech smarts as they do social engineering. When I talk about hackers who are taking down sites, I mean the ones who know about a plugin or theme or core exploit to your site and are going to en masse blast the hell out of the internet to take ’em all down or leave their backdoors for whatever they do with these sites. Perhaps I should call them script kiddies, since many are.

    Why Do Hackers Do This?

    I have no idea.

    It used to be we hacked sites to prove we could. Then we hacked them to get in and get information we wanted. Then … somewhere along the line we started to hack to deface and leave viagra links. I don’t know what ‘good’ the hackers get out of the end result. It doesn’t make sense to me, but then again, I don’t understand why people buy most ‘as seen on TV’ things.

    How Do Hackers Find Your Site?

    One (kind of cool) thing they can do is, once they find one site, using a tool like SameIP to collect a list of everyone else on the server. That’s great for attacking people who are on shared hosts because they all have the same IP. And once they have your domain on their own list, they keep it and will hit you forever.

    But what if they just want a list of all 23% of the internet running WordPress? It’s not that hard. BuiltWith, for example, has a list of many of the WordPress sites.

    Certainly it’s not that hard to do. There used to be a site called Hacker Target that had a list of all WP sites: https://hackertarget.com/100k-top-wordpress-powered-sites/ The URL doesn’t work anymore but the idea is there. One could take such a list and just attack it.

    Similarly, if you happen to be on an insecure server, one could hack the server and from there collect a list of all domains (since the server has to know it’s domains) and, in the case of a very insecure server, get all the domains on the network, and attack all of those. The shell commands aren’t all that terrible.

    The point is, both of those methods are far, far, faster than just grabbing a google for ‘this plugin’ or even ‘this error.’

    How Do Hackers Find Out What You’re Running?

    This is where people step in and say “WordPress shouldn’t announce it’s version to the masses!” It should, because of what I say the next section (see “Do Hackers Care What You’re Running?”), but the short is that your site content tells them. They can run scrapers to pull your site data, the layout, the way files are stored, and they can tell. It’s like figuring out what car you’re driving.

    In fact… Think about that for a second. What kind of car are you driving? Does having the car logo on the car make it more or less secure? It may, if there’s a specific ‘hack’ for your car, but the trained professionals will still know, even if you pull off the logos, so in the end, you’re not really protecting yourself.

    Do Hackers Care What You’re Running?

    No, they don’t. Sorry. They don’t. Once a hacker has a list of websites, they don’t care if you run WordPress or Drupal or Joomla or Ghost. They’re going to attack with what they know is vulnerable and keep at it until they have a success. Then they take that success and leverage it to get to the next site. And on and on.

    So when you get hit by 100 bot-net computers, being tagged for timthumb when you don’t even have it installed, that’s what’s going on. They do not care what you’re running.

    How can you protect yourself?

    Use a good host who cares about security. Use up to date versions of all web tools and their extensions. Follow those tools and get updates regularly as to any security issues with them.

    WordPress is not “Set it an forget it.” You have to keep paying attention.

  • Design for Multisite or DIE

    Design for Multisite or DIE

    I don’t mean you need to design all your code to have special Multisite features. I mean that if you’re not writing code to work on multisite, you’re probably doing a lot of things non-optimally and not fully WordPressy. When you write your code with Multisite in mind, you’re actually writing it with the basic tenants of WordPress itself. It forces you to think about how WordPress is used, how it might be used, and how you can be flexible and extendable.

    Let’s throw out the idea of network options and activation for a moment and consider the ways we can write our code to make it work for Multisite and the world. The truth is that if you’re coding ‘for Multisite’ in many ways your coding for WordPress in the best way possible.

    Calling Files

    There’s a time and a place for ABSPATH but it’s as a last resort. There’s a time and a place for get_bloginfo('url') but it’s not to call .'/wp-admin/admin.php either. Did you know admin_url() will get the url to the admin area using the right protocol (http or https) for you? And it works for Multisite. Instead of hardcoding your paths or assuming everyone has WordPress installed in the root of their website (they don’t), use the functions and template calls WordPress has created.

    Oh and stop supporting the old WordPress 2.x ways of determining folders. It’s 2015. We’re good.

    Saving Files

    Saving data to the disk means everyone can read it. Duh, right? Well, where do you save uploaded files? You use wp_upload_dir of course. That works on Multisite just fine. Instead, if you hardcode in /wp-content/uploads/myplugin/ then you’re saving things for everyone. If you’re not using the WordPress options to grab the upload directory, then your code won’t work on Multisite and everyone will be sad.

    This extends to where you save your cache files. Did you know there’s a plugin that saves the cache to the plugin folder itself? Besides the fact that the cache didn’t have a way to flush and grew to 700megs over the year the person used it, that cache was for all the sites in the network. All. Saving the cache to a unique location (I suggest /wp-content/pluginname-cache/siteID) prevents cross contamination of cache.

    Saving Options

    If you write a plugin that, to save its data, it creates a new DB table and saves it there, that can be okay. But if your plugin on update then drops that table and recreates it… That was not pulled at random, by the way, I was reviewing a plugin that did that. Instead he should have been using the function update_option() to create (and update) the options. And yes, it knows.

    But that’s an extreme, I admit. What isn’t an extreme is people creating their own tables. It happens a lot. And when they do, they often forget that we have $wpdb->prefix which means they force create wp_mypluginname instead of $wpdb->prefix . "mypluginname" … guess which one’s smart enough to know it’s on Multisite?

    (If you want to make a network table use $wpdb->base_prefix and use update site option for network wide options, yes, we know the naming conventions are weird.)

    Theme Customizer

    Not everyone can edit theme files. Not everyone can make child themes. On a Multisite, the only person who can do that is the Super Admin. Site Admins have no access to edit files or upload themes. Worse, if you make a change to a theme, everyone who uses that theme gets the change. What happens when a site wants a special header and your theme doesn’t allow those to be edited via the customizer? The customizer is there for a reason. Use it. At the very least make things hookable to allow plugins to do simple things like change footers. Please. Please. That’s one of the things that themes get wrong constantly.

    What Else?

    What do you think would be improved if people ‘coded for Multisite’?

  • Mailbag: Network Shared Media

    Mailbag: Network Shared Media

    Doug asks:

    On the WP Forums (at https://wordpress.org/support/topic/multisite-with-one-media-library) you posted this comment:

    Ipstenu (Mika Epstein) Half-Elf Support Rogue, Volunteer Forum Mod & Plugin Referee Posted 1 year ago # http://wordpress.org/plugins/network-shared-media/ Keep in mind, this is generally something that kills your site’s performance.

    Unfortunately, the thread is closed so I can’t ask you to elaborate through the forum. So can you elaborate via email reply on exactly where or how the “performance is killed” as a result of installing & activating the `Network Shared Media` plug-in? Thank you, -Doug

    The problem is that WordPress Multisite was built to be multiple separate sites. You used one install of WordPress, one install of all your themes and plugins, and one ‘user base,’ but outside of that, the sites are all separate. Which plugin is active is different, which theme is used is different, and most importantly your data is segregated.

    Your data includes your media.

    The concept of ‘sharing media’ is a great one. If you have a network, you would want to have a way to share all common media in a way that every site can call it and insert it. But the way most plugins (including the one mentioned above) go about it is by doing sql queries:

    $blogs = $wpdb->get_results( $wpdb->prepare("SELECT blog_id, domain, path FROM $wpdb->blogs WHERE site_id = %d AND public = '1' AND archived = '0' AND spam = '0' AND deleted = '0' ORDER BY registered DESC", $wpdb->siteid), ARRAY_A );

    The code, in and of itself, isn’t bad, but that’s just to get a list of sites on the network. Then you have to check if each user has access to upload files to the site. Then you have to use switch_to_blog to go to each site and load the images.

    What happens if you have a lot of sites and a lot of images?

    Your site is slow.

    We’ve made a lot of improvements on that end, but extensive DB queries when you have to cross paths like that can be ‘expensive’ on a computational level. Not to mention those large DB queries can cause headaches if you use database caching. All that data has to be generated and cached on every load. That too will slow your server down.

    Now this won’t always make your site slow, but if you use it and you end up with a slow site, I’m not surprised.

    The next logical question, of course, is do I have suggestions or alternatives? I don’t. I actually do suggest people use that plugin if they need shared media. Or I suggest they don’t use Multisite.