Half-Elf on Tech

Thoughts From a Professional Lesbian

Category: How It Is

Making philosophy about the why behind technical things.

  • Arbitrary Component Upgrades Are Not Helpful

    Often WordPress gets shit for still supporting PHP 5.2. In fact, while they recommend 5.6 or up, WordPress still works on 5.2 and probably will for years to come, even though everyone knows PHP 5.2 is buggy, insecure, and not supported. No sensible webhost still uses it if there’s an alternative, but sadly there are reasons why some hosts are stuck on it.

    Why does WordPress still work on 5.2? Because there’s little benefit to be had in upgrading, and only harm. As I’ve said before, in the name of progress we run the risk of running ourselves right off the cliff. There’s nothing in 5.4 that WordPress needs. Please remember that I am a stickler about needs vs wants: there’s a lot we want, but nothing that is critical and that cannot be accomplished in a PHP 5.2 world. One day that will change, and when it does, we’ll rethink this whole argument. But right now, there is no need.

    My fear with a PHP 5.2 upgrade is that the people we would hurt with it are the ones least capable of resolving the problem. If we showed users an alert on their admin dashboard saying “You’re using PHP 5.2, please contact your hosting administrator and ask them to upgrade to a modern, secure version of PHP” then we’re telling the wrong people something. It’s not the users who need to hear this, it’s the webhosts. And speaking as one? We know. Not only do we know, we actually care more than you do, and we’re working on it for everything, not because of WordPress and its 25% market share, but because we know it’s the right thing to do.

    But this is not a PHP version debate. This is actually a reflection on something happening today. You see, WordPress still uses the 1.x branch of jQuery. Why? Again, it works. There’s no reason to upgrade to jQuery 2.x and doing so would break things. Among other reasons, WordPress still supports IE 8 which is used by 11% of computers out there. That’s not a small number. In fact, 11% of WordPress sites still use PHP 5.2! You see the situation? 11% is not insignificant.

    This comes up because Bootstrap 4 has decided to drop support for the jQuery 1.x branch. As far as I understand, they don’t want to support IE 8 and it’s 12% smaller. There isn’t a single code benefit that is included in jQuery 2.x that Bootstrap is using and, since jQuery 2.x is compatible with 1.x, you can switch back to it right now without any loss. But they don’t want to support IE 8. In fact, they don’t support it, and from that perspective it sounds wise, doesn’t it?

    It’s not.

    WordPress includes its own version of jQuery (still on the 1.x branch) and many other similar JS files, which have all been rigorously tested with both WordPress and many of the most common plugins. In order to provide the best compatibility and experience for users, WordPress asks that you not package your own (especially not an older version) and instead use wp_enqueue_script() to pull in WordPress’s version. There are many reasons for this, but the simplest are as follows:

    1. WordPress has jQuery. Save diskspace and leave your own out.
    2. If every plugin and theme removes WordPress’ jQuery and uses their own, there’s a potential for conflicts. Whose jQuery wins?
    3. Using your own jQuery changes the way WordPress plugins and themes may work in unexpected ways.

    Can you remove jQuery and use your own? Of course! You just can’t host your code on WordPress.org if you do that.
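
    The recommended pattern, as an added example rather than code from the original post or from WordPress itself: a plugin lists jquery as a dependency instead of shipping its own copy, and a late check logs when something else on the site has swapped out the bundled one. The plugin name, handles and file paths are hypothetical; the check assumes core registers jquery as a source-less alias for jquery-core under /wp-includes/js/jquery/.

    ```php
    <?php
    /**
     * Plugin Name: Example Slider
     * Description: Hypothetical plugin, constructed for this illustration.
     */

    // Discouraged: swapping out the jQuery that WordPress ships. Every other plugin
    // and theme on the site then runs against a copy it was never tested with.
    //
    //   wp_deregister_script( 'jquery' );
    //   wp_register_script( 'jquery', plugins_url( 'js/jquery.min.js', __FILE__ ) );

    // Recommended: list 'jquery' as a dependency. WordPress prints its own copy
    // once, ahead of this script, no matter how many plugins ask for it.
    function example_slider_enqueue_scripts() {
        wp_enqueue_script(
            'example-slider',                        // handle (assumed name)
            plugins_url( 'js/slider.js', __FILE__ ), // the plugin's own code only
            array( 'jquery' ),                       // use the bundled jQuery
            '1.0.0',                                 // version used for cache busting
            true                                     // load in the footer
        );
    }
    add_action( 'wp_enqueue_scripts', 'example_slider_enqueue_scripts' );

    // Check: has another plugin or theme replaced the bundled jQuery?
    // Assumption: core registers 'jquery' as an alias with no src of its own,
    // pointing at 'jquery-core', whose src lives under /wp-includes/js/jquery/.
    function example_slider_jquery_was_replaced() {
        $scripts = wp_scripts();
        $jquery  = $scripts->query( 'jquery', 'registered' );
        $core    = $scripts->query( 'jquery-core', 'registered' );

        if ( ! $jquery || ! $core ) {
            return true; // deregistered outright
        }
        if ( ! empty( $jquery->src ) ) {
            return true; // 'jquery' re-registered with a file of its own
        }
        return 0 !== strpos( $core->src, '/wp-includes/js/jquery/' );
    }

    // Run after everyone else has had a chance to (de)register scripts.
    function example_slider_report_jquery() {
        if ( example_slider_jquery_was_replaced() ) {
            error_log( 'example-slider: the jQuery bundled with WordPress has been replaced on this site.' );
        }
    }
    add_action( 'wp_enqueue_scripts', 'example_slider_report_jquery', PHP_INT_MAX );
    ```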

    Now, there’s a missing metric here. What percentage of sites using Bootstrap are on WordPress? For that I’m going to have to extrapolate. Looking at builtwith trends, it looks like 1.8% of the entire Internet uses a site with Bootstrap. Joomla 3.x uses v1.11.3, Drupal 7.x uses jQuery 1.4.4, and Drupal 8 will use 2.1.4. Remember this is a total rewrite of Drupal, though. They do not concern themselves with backwards compatibility when they jump to new versions, and that means you cannot measure the percentage of sites on the internet that will use Drupal 8. We can reasonably assume, since WordPress is fully backwards compatible, that the 80% of WordPress users who are on the 4.x branch will upgrade to 4.4 in December, and continue to do so for the future.

    Even if we cannot claim that 25% of Bootstrap sites are on WordPress, we can argue that with all major CMSs currently using jQuery 1.x, Bootstrap is about to kick a significant portion of their audience to the curb. Of course, not even 2% of the Internet is using Bootstrap. Will that be a great loss for the Internet? Not really. But it will incur a massive loss to Bootstrap.

    This real life example is precisely what I mean when I say that I worry about the user experience with our bold assumptions in our projects. Bootstrap’s logical assumption, that since they don’t support IE 8 there will be no loss by moving to components that don’t support IE 8 either, is a fallacy. They are thinking only on one level. They’re only seeing the ‘benefit’ (and I use this term loosely) of formally ending support for a user-base they never supported in the first place. This won’t impact their users, so it doesn’t matter.

    What they’ve neglected to consider is that their userbase actually encompasses other people who support IE 8. So while we know that no one using Bootstrap and WordPress supports IE 8, simply by dint of using Bootstrap, this new jQuery version forces them to exclude IE 8 users actively, instead of passively. And by doing this, they will shortly find plugins and themes that use Bootstrap 4 rejected from the repository, which will only harm adoption of Bootstrap as a framework.

    This isn’t a threat. This is reality. This is the difference between “We don’t support IE 8” and “We would rather not support IE 8 than be compatible with 25% of the Internet.”

    Looking at it that way, it’s a simple call.

    Put jQuery 1.x back in. Make 2.x a recommended option. And move on.

  • I Am The 20%, And So Are You

    We speak of innovation in WordPress. We present new features like post embeds and emoji, things not everyone wants to use on their sites, things that slow down sites, and we tout how we are making things better.

    But do we consider all the users when we do this?

    One of the tenets of WordPress, one of the core philosophies, is that we make decisions, not options. And we base these decisions on the 80% rule. We say if a feature will not be used by 80% of the user base of WordPress, we won’t add it.

    In early November, WordPress reached the 25% saturation threshold. We have, generally, taken that to mean that WordPress powers 25% of the Internet. A more accurate statement by W3Techs is this:

    WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites.

    That means sites like my library (which is using Jekyll) or a site built by hand because it’s 5 pages are still considered. Jekyll and GitHub pages might skew the spectrum, but I’m going to give them the benefit of the doubt, that they know how to adjust for that. The statistics are really quite impressive.

    But with that volume of users comes a great responsibility.

    952,795,650 websites and counting. If we take away the 75% that are parked domains and redirects, we have 238,198,912 websites. Let’s call it 240,000,000. Of those, 25% are WordPress. 60,000,000 websites on WordPress. 48,000,000 users is 80% of that. Realistically, since we all have multiple websites, I’ll say 45,000,000 individuals.

    We are now trying to build websites and predict the behavior of 45,000,000 users.

    And you know what? I’m not excited about it. I was a little excited when we hit 16% but when we hit 18% and then 20%, I started to be filled with dread. The numbers of who uses WordPress are skyrocketing, and while I should fear the edge of the cliff, the day the inevitable WordPress killer steps out of the shadow and destroys us (by the way… that totally happened to Windows and Mac, didn’t it? They’ve been top dogs for even longer…), I worry that we’re now crossing a different line.

    When we start to propose things like embedding posts, or speeding up WordPress by shunting legacy code to a plugin, or dropping support for shortcodes, I fear we’re about to walk off the cliff ourselves.

    Let me paint you a picture of our world.

    We have spent a decade (close to 11 years) teaching people to use plugins. We explain that the exhaustive feature set of WordPress is best served by plugins. We have created a moderated, but not curated, repository of themes and plugins. We allow multiple plugins for innovation, for solving problems in new ways, and for demonstrating the myriad ways which one can use WordPress. Similarly we have taught them that themes are the right way to design and style a site, and themes can also be at the forefront of these innovations.

    That said, we have not yet managed to teach people how to pick a plugin or theme. They think, “It’s on WordPress.org, it must be safe.” In general, the majority of themes and plugins on the WordPress.org repository are better written than their premium counterparts. Please note: majority – the minority of stunningly well written themes and plugins are not to be discounted, but let’s be real folks, they’re the minority. At the same time, the majority of plugins on the repository are crap.

    So let’s recap. If you take all the plugins in the world and round them up, more of the best ones will be on the WordPress.org free repository, but so will more of the bad ones. Following me still? Okay.

    Now end users, the majority of our 45,000,000 users, do not know how to pick a good plugin from a bad one. They don’t know how to read, or even skim the code to find out if it’s secure or not. They rely on maybe a quick search for reported issues, if that. They look, they find, they use. Of course they do. We told them to. We linked them to these plugins and said proudly we had found their solutions.

    On top of that, we’ve failed to teach them the importance of upgrades. WordPress core handles security updates, but since plugin and theme developers aren’t all as tenacious and consistent about their updates as WordPress core, we cannot always push updates of themes and plugins. WordPress is reliable. Not everyone else is. Not every one of the 50,000 plugins in the repository can possibly be.

    This means we don’t have the ability to just update everyone’s site with themes and plugins right away. We just don’t. There are some plugins and themes that will break when we do, or cause each other to break. Worse, there are some plugins and themes that don’t offer updates. Which means we have created a world where people don’t know they need to upgrade to be safe, or that they have to upgrade if they plan on using WordPress 4.6.

    And oh yes, we’ve taught them the importance of upgrading WordPress core very well. We’ve cajoled webhosts into upgrading WordPress core for them. We certainly upgrade WordPress core. That’s why over 80% of sites on WordPress are on the 4.x branch. We did our job well, but not fully.

    So when you talk about removing features from shortcodes, or dropping support for PHP 5.2, I think that the people who would be hurt by this would be the people least able to understand why.

    These people use plugins and themes and don’t know that Johnny Dev used old code. And if Johnny doesn’t update his code in time to meet the changes to the shortcode API, or there’s a bug that makes it not work in PHP 5.4, the user gets hurt.

    And when the user is hurt, they don’t blame Johnny Dev. They blame WordPress.

    They blame WordPress because we told them to install plugins and use themes. And they trust us. And in that one move, we have betrayed the trust.

    That’s the cliff I see us rapidly approaching. And that is the cliff I fear more than anything else. Our idealism and hope may drive us off the edge before we realize it.

    We developers, we builders of WordPress, are the 20%.

  • Mailbag: Why Won’t You Help Me From Myself?

    I won’t name names here but I suspect people know who I’m talking about. Please note, any comments naming names will be deleted. They deserve a chance to redeem their name and exactly who they are is not the issue.

    We never received any advice when we asked. Only warnings.

    A company made a new plugin, released it on WordPress.org, and then emailed a lot of people about it.

    It was brought to my attention first as a potential plugin violation. Was someone culling emails of the plugin install and using that to send email? A quick check of the code showed that was not the case and I informed the reporters as such.

    But then people said “I don’t even use this plugin and I got emailed.”

    At this point, I dropped them a note and explained that sending out spam email like that was going to piss people off. Lo and behold, their plugin was filled with one-star reviews.

    In the end, they asked for the plugin to be deleted because they felt they could never recover. And I had not helped them, only warned them. This was true. I had not offered to help them make peace. I’d told them what was about to happen. And it did.

    Why didn’t I help them? Simply, I’m not their marketing department.

    As I said. Who they are doesn’t matter. They aren’t the first person to have this problem and they won’t be the last. And the question they’re really asking is twofold.

    First, why won’t I delete bad reviews based on people not liking getting spam? Second, why won’t I fix the problem?

    For the first, it’s because the experience of your plugin begins with how someone is introduced to it. If the first experience I have with a product is a racist or sexist ad, I will not use it. If it’s a product I was considering using, I might leave a comment or review saying “I would have used this but…” That was my experience. It doesn’t matter that I never used the product if my experience with it beforehand was strong enough to inspire me to leave a review.

    For the second, I can’t fix your problem. You did this to yourself. You had a poorly conceived ad campaign and it shot you in the foot. You aren’t the first person to have this problem and you won’t be the last. You’re just someone else who screwed up and was hit by the social monster.

    And you know what? It sucks, and it’s not fair, but it’s something you did to yourself. Yes, you did it by accident, but covering it up doesn’t make it go away.

    We all screw up. We all have to apologize. If it was me? I’d reply to every single one star review and tell them I was sorry, it was a bad idea, I won’t do it again. And then I’d donate money in WordPress’ name to the EFF, explaining that while I can’t compensate them for the plugin without it approaching bribery, I can endorse the protection of our online privacy, which I flagrantly disrespected.

    It won’t be perfect, but it gets you started.

  • Octopress

    A brief history lesson. In the beginning there was Jekyll, a website generator that created static sites for you to deploy to your server. And then there was Octopress, a ‘framework’ for Jekyll that actually was a fork of one guy’s Jekyll site.

    Octopress is basically some guy’s Jekyll blog you can fork and modify.

    That’s a direct quote from Brandon Mathis, the creator and curator of Octopress. But it wasn’t a framework like WordPress people think of Frameworks. It wasn’t like Underscores, which is just a theme framework. It really was more like a one-click install for Jekyll, that had someone’s theme on it.

    Wisely, Mathis is working on changing this. Starting with Octopress 3 (currently 3.0.11) it’s a Jekyll add-on. While there is no ‘migration’ explanation yet, if you’ve never used Octopress, it’s a great time to start.

    How to Install

    Add this line to your application’s Gemfile:

    gem 'octopress', '~> 3.0'

    And then execute:

    $ bundle

    You can also install with bundler if you want, but it works out about the same in the end.

    How to Use

    I was stuck using bundler on my personal computer. That meant to use Octopress I had to do this:

    $ bundle exec octopress COMMAND

    Sucks, doesn’t it? After reading Ben Hamill’s post about ‘never typing bundle exec again’, it was fixed! I used the Ruby fix since it’s just me on the project.

    Now I can use octopress as my command prefix.

    What I Dig

    The deploy is way better than my own. Just put that out there.

    Also there’s a draft command!

    $ octopress new page _legal/terms/

    That will make the file /_legal/terms/index.html and I’m happy. If I want to use custom templates, I can do that too:

    $ octopress new draft "New Article" _news/2015/articlename --slug articlename --template _template/news --date now

    Sadly I can’t move the template folder. I wanted to store it in _jekyll/templates/ but that’s not an option. Also moving things to the _drafts folder is a little techy at best, since they assume you want to make posts and I’m making collection pages.

    Most of the time I do exactly what I was doing with MediaWiki, and that is to copy the content of an existing file into a new one. Most of the time I just copy the file, rename, and edit it. It’s not perfect, but it works and I know I get the right layout that way. I plan to look into why drafts is so touchy about where things are, and how to make it behave better with collections, but Octopress 3 is still in the early stages.

  • The Security of a Lifetime License

    A few years ago, before I started working for DreamHost but after I decided I wanted to do WordPress all the time, I bought the StudioPress All Themes Package. For $500, it gave me lifetime access to all their themes, all their future themes, support, and more. So I tucked away all my ad and ebook income for a while and bought it the day before a 50% deal hit. Of course, right? Brian, being a wonderful guy, saw my amused tweet and credited me the difference.

    Since then, I’ve pretty much been a nothing-but-StudioPress shop. Almost every site I run on WordPress is using StudioPress themes. I’ve gotten free upgrades for all their themes, free versions of the ‘pro’ themes (all the HTML5 friendly ones), and it’s very much been worth it to me.

    But licensing is a strange subject. Chris Lema recommends charging annually (instead of monthly). And while I have a lifetime subscription, the unlimited free support will be leaving this world soon. From what I’ve heard, this only impacts support. To be honest, I’ve filed less than ten support tickets in five years. And it’s not because I’m savvy. There’s very little that I need help with to use Genesis themes. They have pretty darn good directions on how to reproduce their demo sites, they have code snippets, and they have a friendly self-help forum.

    Basically, this code is tight. Right now I’m using the Generate Pro Theme on this site, but I also bought Utility Pro theme from Carrie Dils (worth it). The child themes rarely need updating, and all I ever have to worry about is the parent Genesis theme being updated, which is easy as pie. They have their own updater.

    My friend Amanda Rush (also a StudioPress fan) wonders if this heralds the end of days of unlimited forever support and licenses. I suspect so. Will I be annoyed if I have to start paying for updates? Maybe, but mostly because I have a serious concern about security.

    Let me paint a picture for you. I get a free parent theme or plugin, it could be Genesis (the StudioPress parent theme) or WooCommerce (a popular ecommerce plugin), and I purchase an ‘add on’ of a child theme or an extension plugin. I pay for a year, and I’m happy. The add-on does what I wanted, I get my updates, and everything’s cool. Then one day, 370 days later, there’s a major issue. A massive security hole and suddenly my site is vulnerable!

    My license has run out.

    Do I get the update or not?

    Do I get notified of the update or not?

    I’ve seen this play out over and over again with sites like CodeCanyon and ThemeForest. How do people who have purchased a product get alerted properly and given the ability to update? We’re spoiled because if Jetpack or WooCommerce itself has a critical hole, those plugins are free in the WordPress.org repository. And I know, from working on that team, that if there’s a big enough issue, then the free plugins get updated and the update is pushed out to everyone. It’s rare, but when it happens, it’s for the benefit of everyone involved.

    The sad truth is most one-off shops can’t do that. WordPress.org can update all branches of your plugin. If you’re properly using versions for your plugins and themes, then you can release version 2.3.1 to fix a bug, but also fix that bug on 2.2.4 and 2.1.9 and so on. And yes, WordPress can push those branches (2.3 and 2.2 and 2.1) so even people on older versions can get fixed.

    To the best of my knowledge, no one else does that yet.

    And, perhaps worse, some won’t even consider letting you have the security update because your license isn’t up to date.
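
    The per-branch fix described above, as an added example rather than WordPress.org's or any vendor's code: given the releases that carry a fix (2.3.1, 2.2.4 and 2.1.9 from the text), work out which one an installed version should move to without leaving its branch. The function names and the installed versions in the loop are constructed for the illustration.

    ```php
    <?php
    // Added illustration, not WordPress.org's code. The patched version numbers
    // are the ones used in the text; the function names are hypothetical.

    // "2.2.3" -> "2.2": the branch a site stays on when it takes a security fix.
    function example_branch_of( $version ) {
        $parts = explode( '.', $version );
        return $parts[0] . '.' . ( isset( $parts[1] ) ? $parts[1] : '0' );
    }

    /**
     * Decide what a site running $installed needs, given the releases that carry
     * the fix. Returns array( status, version ):
     *   'update'      - move to the patched release in the same branch
     *   'current'     - already at or past the patched release
     *   'no-backport' - nothing was released for this branch
     */
    function example_security_update_for( $installed, array $patched ) {
        $branch = example_branch_of( $installed );
        $fix    = null;

        foreach ( $patched as $release ) {
            if ( example_branch_of( $release ) !== $branch ) {
                continue;
            }
            // Keep the newest patched release in the branch.
            if ( null === $fix || version_compare( $release, $fix, '>' ) ) {
                $fix = $release;
            }
        }

        if ( null === $fix ) {
            return array( 'no-backport', null );
        }
        if ( version_compare( $installed, $fix, '>=' ) ) {
            return array( 'current', $installed );
        }
        return array( 'update', $fix );
    }

    // The example from the text: one bug, fixed on three branches.
    $patched = array( '2.3.1', '2.2.4', '2.1.9' );

    // Constructed installed versions, one per case.
    foreach ( array( '2.3.0', '2.2.1', '2.1.9', '2.0.5' ) as $installed ) {
        list( $status, $version ) = example_security_update_for( $installed, $patched );
        printf( "%-6s => %-11s %s\n", $installed, $status, (string) $version );
    }
    ```

    The no-backport case is the one the expired-license question turns on: a site on a branch that never receives the fix stays exposed until it moves to a branch that did.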

    All that said… Should you buy it, knowing you may not get support and updates forever? Yes. Right now, the StudioPress Pro Plus All-Theme Package is on sale. $262.46 for every theme plus third party themes. The sale goes on until the 16th, so grab it this weekend.

    It’s an investment I’ve never regretted.

  • Quick Notes on Ruby and Jekyll

    I feel like I should be writing about Once Upon A Time at this point…

    Let’s take a moment to talk about our stack here.

    • Ruby is a dynamic, reflective, object-oriented, general-purpose programming language.
    • Ruby libraries are bundled into gems.
    • Jekyll is a gem that can publish static websites.
    • Bundler lets you list all your dependencies required for the project you’re working on.
    • A Gemfile is a file in which we can list gems for the aforementioned dependencies.

    Still with me?

    This matters because you can use a Gemfile to define your standard libraries for a Jekyll site. The general idea is that you install Bundler:

    $ gem install bundler

    Then you make a Gemfile in your Jekyll folder:

    source 'https://rubygems.org'
    
    gem 'jekyll', '>= 3.0.0.pre.beta9'
    gem 'jekyll-oembed', :require => 'jekyll_oembed'
    gem 'jekyll-last-modified-at', :require => 'jekyll-last-modified-at'
    

    What this does is define which version of Jekyll I want to use and some of the gems I want to use. For example, if I wanted to add Jekyll Compose for all the users of my Git repository, I would add this:

    group :jekyll_plugins do
      # Gems in this group are loaded by Jekyll as plugins
      gem 'jekyll-compose'
    end
    

    Now all they have to do is run bundle after their git pull, and they get the new requirement.