Category: How It Is

Making philosophy about the why behind technical things.

SSL for One Domain on Multisite
To start with, I made a mistake and assumed, bad me, that the Terms of Service that let me collect donations for my ebooks would similarly be okay with collecting payments for said ebooks. Alas, no. “Digital goods including digital currency” are not permitted, and that was my bad. It resulted in me losing my entire account and having to fight to get my customers their money back.

Meanwhile I decided to get started on making an easy way for people to pay and stay on my site (like Stripe), and this, no matter what, means I need to have SSL.

Normally that’s not too much of a problem, but my store happens to be a subdomain of a mapped domain on a multisite. My WordPress install is at ipstenu.org. This site is actually tech.ipstenu.org, and my store (store.halfelf.org) is actually hshop.ipstenu.org (stands for HalfElf Shop…). I used domain mapping to point halfelf.org to tech.ipstenu.org, and store.halfelf.org to hshop.ipstenu.org. While I could just edit the site and home URL in the ‘Edit Site’ page, domain mapping is needed for in order to tell WordPress that the domain is really a thing.

Setting all that up was the easy stuff, though. The SSL part was something I’ve poked at before and given up, since multiple domains and one SSL cert is a pain in the ass. But today, if you go to the Half-Elf Warehouse, you’ll see it’s all SSL! (NB: It was. It’s now only SSL on pages that need SSL, to allow for better caching.)

You will need….
- An SSL Certificate
- An add-on domain
- wp-config.php edits
- .htaccess edits
- WordPress HTTPS Plugin
SSL Certs

This is the easy part. You need an SSL certificate for the domain you need to protect. If this is the only domain you want to add this on to, it’s relatively easy. If you need to add SSL on to multiple domains, check with your webhost.

I actually have multiple SSL certs. The problem with multiple SSL certs is that a wildcard one for subdomains costs around $300 (this is on Comodo), and I have three domains I need to protect on one server… Oh. Wait, wasn’t this a problem before? As it happens, I’ve got SNI on my Apache instance now, so that was fixed. I picked up a cert for store.halfelf.org and set it up, done. Except…

Add-on Domain

Why this? Well it’s funny. I used to always tell people ‘Use Parked Domains, it’s way easier’ and this is still true, it just has a caveat of ‘unless you’re trying to use SSL.’ Now that I am, I hit a sticking point where a parked domain cannot have it’s own SSL cert, but an add-on domain can. This was a simple fix. I deleted the parked domain and flipped it to an add-on domain. Then I added the certificate in for my site and now I have https on ipstenu.org and store.halfelf.org but not halfelf.org. Why? Because halfelf.org and store.halfelf.org are separate add-on domains. Had I bought a wildcard cert for halfelf.org, I could have made halfelf an addon, and store.halfelf a parked domain on top of halfelf, but this works too.

The other option, of course, is a multi-domain cert, which is too much money for my tastes, and I don’t need it all the time. I have SNI, which makes this so super easy for me, it’s silly. Just add the cert for the domain and have a party.

WP-Config

But today I only want to force one of my mapped domains to be SSL:
```
if ( $_SERVER["HTTP_HOST"] == "store.halfelf.org" ) {
    define('FORCE_SSL_ADMIN', true);
    define('FORCE_SSL_LOGIN', true);
}
```
No that was it. If it’s two domains, it’s this:
```
if ( $_SERVER["HTTP_HOST"] == "store.halfelf.org" ) { ...}

if ( $_SERVER["HTTP_HOST"] == "ipstenu.org" ) { ...}
```
and so on and so forth. Why not using an OR check? Because it failed miserably when I did that. I suspect it’s due to ipstenu.org being my main domain, but I was tired and stopped here.

.htaccess

Okay, now I want my domain to default to SSL when people visit too!
```
RewriteCond %{HTTP_HOST} ^store\.halfelf\.org
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ https://store.halfelf.org/$1 [R,L]
```
That was easy.

WordPress SSL

What about making everything on my page load SSLish? Install and activate? That was it? Oh. Okay.

Verify!

Hey! Looks good! Actually I’d had a problem when I first ran this.

Yeah, that little yellow triangle. What the heck did it mean? I trotted off to Why No Padlock? and got an error:

SSL verification issue (Possibly mis-matched URL or bad intermediate cert.). Details:
ERROR: no certificate subject alternative name matches

That didn’t help me at all, so I viewed page source and looked for http://store and didn’t find anything. Then I looked at the console and saw that it had an error on some JS:

//Moral? Always read the ToS.
5 February, 2014
Poor Customer Service

I have to start this with a confession that I screwed up and lost my WePay account.

I lost my WePay account for something that was totally my mistake. I have no complaints about that, I screwed up and missed the clause in their ToS that says you can’t use it for digital goods. This needs to be stressed: this was no one’s fault but my own. You can think it’s a stupid clause as much as you want, but it’s theirs, and I agreed to it and broke it. On accident. But ignorance of the law is no excuse. I know this, I support this. I have no quarrel with this.

My issue is how I found out, and what WePay did about it when I had questions.

How did I find out I was in violation? I got this email:

It seems you’re using WePay for one or more of the activities prohibited by our Terms of Service. Unfortunately, you can’t use WePay to accept additional payments. Any pending payments will be canceled and you won’t be able to withdraw funds at this time.

More specifically:

We are unable to process payments for digital goods including ebooks.

Thank you for understanding and we apologize that we couldn’t offer a better solution.

It’s a nice email, all told, but it doesn’t explain things. Like … if pending payments are canceled, do they get refunded? What about completed payments? Do those get refunded or do I get my money? At first, I had about $70 stuck in some weird degree of transaction hell. Now it’s down to under $20 and I’m still struggling to get a good answer as to where that money goes. Will I get it back? Will my customer get it back?

I logged into WePay and everything looked … normal. I checked my payment pages, as myself, and they were active. Logically I thought they had disabled my payment API and would be refunding money, but I could find no information on that on my pages. Then my friend Kat pinged me to tell me my Donation Page for ebooks was down. THAT is how I found out my account was actually disabled.

I emailed them and right away and was direct that I knew, understood, and accepted, that I was at fault, but I asked if they meant by “Unfortunately, you can’t use WePay to accept additional payments.” Forever? Everything? It was over and done with? I felt that was pretty nice, all told. I understood that it was my bad, but I wasn’t clear on what they meant by the wording and asked for clarification.

They replied with that yes, this account was good and done and gone forever more. I could no longer use it though paradoxically when I was logged in, there was no obvious mention of this. The only way, logged in, to tell I was persona non grata was to try and withdraw my money. Then it said to contact customer service. But my support guy said all was not lost, I could make a new account, and as long as that didn’t break the rules, I would be allowed to stay, “Your current account though, can not be utilized unfortunately.”

It was a strange way to tell me “Your account has been suspended.”

But okay, that’s fine. I accepted this and replied asking if my customers, the couple who were in some various state of pending (I think it was a total of $19.50) would get their money back. And this is where my tale went from ‘Stupid me’ and right into ‘What the hell is wrong with WePay?’

The initial email I got was at 4:12pm. I didn’t see it until nearly 8pm but I replied right away when I figured out what it meant. I did not know, at that time, that they only did support from 6am to 6pm Pacific, but since I got a reply within 30 minutes, I assumed, like you would, that they had 24/7 support. The second email, my question about the refunds, was sent at about 9pm, and there was no reply by 11pm. As anxious as I was, I went to bed.

In the morning, there was still no email, so I sent another asking for an update, and repeating the question, at about 6:30am. After two more hours, I thought something was up. Normally you get a reply telling you there’s a ticket. Instead I got asked to ‘rate’ my ticket; it had been closed. Instead of replying via email, I logged into their system and marked the ticket as unsatisfactory, with a now angry rant that I was trying to get an answer. Then I forcibly reopened the ticket and put in BOTH my emails asking for the same information.

All I wanted to know was if the people who paid me, and whose money WePay put a hold on the payments, get THEIR money back?

I know I screwed up. But that money, if it’s not mine, is theirs and not WePays.

It took six more hours for someone to reply to that question. I poked their Twitter account about it, and was told that my 11pm email was outside support hours. I asked (via Twitter) for someone to look at my ticket please, and got no more replies from them. At this point I put my effort into getting Stripe up and running, making my own donation page, and figuring out how PayPal handles invoices again.

At this point in the game, I was no longer annoyed and understanding, but pissed off and vocal.

I probably sound angry, and I am. I’m angry at myself for not reading the ToS. I’m angry that WePay actually has a ‘no digital goods’ rule for a online payment service in 2014. I’m angry that I didn’t get a warning and a chance to correct myself. I’m angry that their UI made it so I couldn’t see I was actually suspended. I’m angry that their support system which said ‘reply to this email to reopen the ticket’ decided to turf my mails instead, with no notice.

I’d been with WePay for over four years. I really liked them because they were everything PayPal was not! You can customize a donation page with a pretty URL, or send a custom invoice that looked personable. And back four years ago, I didn’t have to fight to get answers, I got a freakin’ phone call asking me if everything was okay. Yes, I remember that call and said “Well DAMN, this is great!” That was customer service worth lauding, and why for so long I’ve told people to use WePay.

This experience was not WePay. I told them “It’s like finding out your favorite actor is a racist.”

Customer service will make and break you. Customer perception is a huge part of that. WePay went from a service I adored to one that I outright dislike now. And no, I’m not mad at them about shutting my account, I’m mad at them for how they handled it. How they talked to me, how they dealt with my questions, and how I waited almost 6 hours for a reply during business hours, but got them quickly outside them. The money has being refunded to my customers, and I have personally apologized to them for my mistake. I’ll miss you WePay, and I wish you could be less stupid about digital goods. I hope you change your mind one day, but even then I won’t be back. My accounts are deleted, we are no more.

The coda to all this is that on January 16th, WePay announced they were shutting down everything except their API. No more buttons, no more donation pages, no more crowdfunding, no more store. Just an API, like Stripe, only you can’t sell electronic goods, making it officially the least useful of all the online API stores out there. Way to take a great product and kill it.

29 January, 2014
SEO Advice I Ignore

I watch a lot of WordCamp presentations, and I pick up on a lot of ‘advice’ people give. Some of it is, I feel, useless. Today I want to tackle all the SEO advice I’ve seen and read lately that doesn’t matter as much as it might, or at least, not enough to make me change.

Before that, though, I want to stress the one part of SEO that will matter, now and forever, no matter what Google does, and that is to have Good Content. Second to that is to have a good network of people who link to you, share your posts, and retweet them. Human interaction is the best measure of your SEO. If people are sticking around, you’re going to be okay.

Don’t Use Dates in Your URLs

While my SEO hero, Yoast, isn’t a fan of dates in URLs, here’s what he says:

“Putting the date in the URL has very few benefits, if any. I’m not a fan because it “dates” your older results, possibly getting a lower click through over time.”

So I use them here, and on my personal blog, as example.com/%year%/%postname%/ for a couple reasons, but it boils down to the fact that dates matter with the content I provide. The first thing I look at when I see a post about a technical subject is when was it written. Then I read the post to see if it mentions a specific version of the product. If there’s a notice at the top like “Read the updated version…” then I’ll go open both and read the older and the newer.

The point is, as Jen Mylo might say, technology changes. And because of that, it should be obvious when a post took place. So I firmly think dates matter for the humans. And since they don’t matter for SEO, use what makes you feel good. Of course… shorter URLs are better. I’d suggest more people use categories if they could manage to only post in one category at a time. Still, go to https://halfelf.org/recovering-your-cape/ and you’ll be redirected because WordPress is really good.

Use Related Posts

I can see why people think this is important. Establishing cross-links between your old posts can pull new readers over. But I find this is more important in getting the search engines to scan your older content. I cross link between posts manually all the time, not to get better SEO, but to help my readers see where I came from before. So I don’t need to have them automagically made for me. This comes back to good content. My good content is relating posts in the best way possible, and making sure they’re the best links to relate.

Always Use Images

Images are pretty, I agree, but I think it’s more important to use images that matter. You don’t have to use images all the time. Certainly people like them, it breaks up the monotony of a post, but for SEO, you should worry more about your alt/description fields than having an image. Also remember to compress your images, please. It’ll make your site run faster which will help your SERP. When in doubt about an image, leave it out. Or use something silly.

Suomi: Jymyjussien pelaajat vaihtokopilla
Source: WikiCommons

Never Change Your URLs

While this is just good advice, as long as you have good redirects for your old links to the new ones, you won’t lose your Google Juice. So yes, you can change your URLs. I do it all the time, but I’m proud to say that links from fifteen years ago still work. They redirect to the new URLs, of course, but they work because of those redirects, and my Google Juice is amazeballs.

Keep Posts under 600 (or 750) Words

I laughed a lot here. While people like Otto marvel at my verbosity, and other people tell me “Your posts are too long!” when I cut a post back from 2000 words to 1000 it’s not because of SEO, it’s readability. If a 4000 page post is the most popular on your site and CNN links to it, I’m pretty sure your SEO won’t get hurt. Your post should be as long as it needs to be to clearly and accurately communicate what you’re trying to communicate. That’s your rule. Keep with it. Now, if your human readers tell you that you’re too verbose, that’s something else.

Use Subdomains

I’m going to quote Matt Cutts (aka Mr. Google) here, on the subject of sub-domain vs sub-folder:

“They’re roughly equivalent. I would basically go with whichever one is easier for you in terms of configuration, your CMSs, [and] all that sort of stuff.”

Can we move on now, please?

Use Menus

Okay, yes, you should use Menus, but I’ve seen people stuff every possible link into a menu, and then be upset no one sees the menu item that’s four tiers down. I barely use menu tiers, or if I do I limit them to one, and only one, sublevel. So the SEO advice of jamming everything into a menu is just useless, and given how people are using it like keyword stuffing, I bet Google’s next release (Penguin, Panda…. Pterodactyl?) will check if the CSS or HTML5 code indicates a menu and, if so, ignore it. I know I would.

Anything Else?

What do you think is just plain ol’ outdated or wrong SEO advice?

27 January, 2014
It’s Never A Good Time

One of the biggest things I learned working for a bank was that there is never a good time for an outage.

Take, for example, my ongoing argument about how we had to reboot servers with as little downtime as possible during our deployment process. This is pretty simple, right? If you have to reboot something, it has to be turned off for a little while. Now with a clustered distribution setup like we had, with ten servers in three locations (30 servers), we would deploy to every server in location A, reboot, then B and so on. Now naturally this causes an outage in each location, and we always had different ideas about how to handle it.

One option would be to have the second step of our deployment process be to put up a ‘Sorry’ page, saying the service was offline, and then push to all three locations at once. That minimized downtime to about thirty minutes on average. We’d push the code zipped up to the servers as step one, sorry page was two, gently disconnecting inflight traffic without losing any transactions was three, and unzipping new files was four. If needed, reboots were five, and then six was to remove the sorry page. Pretty fast, right? The downside was that there was an outage, and if we had a problem it would take longer to fix.

The other main option would be to turn off location A, shunt all active users to B and C, upgrade, and repeat. This took longer, usually around 90 minutes, but no service outage, right? Right…? Nope! The problem with shunting users was that we had to wait until the transactions were done before we could redirect them to the new server, which meant servers at locations B and C would be handling a sixth more traffic each, which meant when A came back online and we sent traffic to it, it was more than we had moved off it, so it took longer. Oh, and now A has new code, which B and C does not, so now we have two versions of the service running, and we can’t dynamically flip people around. We have to check service versions before our Round-Robin would work.

Now, in both cases, the longest part of the process was usually the ‘gently disconnect all inflight traffic’ part. But you can see how it gets super messy really fast. The reason this was always a point of contention was that we really didn’t want our customers to have downtime because there was absolutely never a good time for everyone. We picked Thursday nights at ten pm Central for our updates, since we were a Chicago based company, but as time went on, we had to move some to Friday, which you’d think would work for a bank. After all, no one does business on weekends?

I hope you laughed a little at that.

As the Internet makes it more and more possible to work at any hour, we find that services need to be available at any hour. The whole concept behind ‘business hours’ making things standard never really worked for everyone. I mean, if your company was 9-to-5, you would have to do the brunt of your personal business on lunch and breaks. At least today, if I needed to run a personal errand at 2pm, I can just leave and come back to finish my work. Can’t do that at a bank, though! People need to come there to get their work done, so you have to be there.

It’s really annoying, and it comes down to a simple fact: There’s never a good time to turn something off.

This came up recently a friend asked what I was doing at work on December 24th and I replied “The usual. Answering tickets, making the Internet better, closing vulnerable plugins.” He was surprised and asked if I felt mean closing people’s plugins on Christmas Eve. This lead to me teasing the hell out of him for nagging me one weekend with two emails, a slew of tweets, and a text, asking for help with a problem (the last email was, I kid you not, ‘never mind, I read your ebook!’). While I was annoyed then, he apologized and we’re still friends (if the teasing didn’t indicate that already).

But it did bring up something important to him. The time he had to work on his side project was weekends and nights. The time I had to provide random help was weekdays and maybe Sunday. For him, to have his friend and Multisite Resource not available was killing his ability to finish the project. Now, he freely admitted that banking everything on asking someone for free help was a terrible business model, and since then he’s stepped up, read the books, practiced on his own, and he’s now a pretty darn good admin for a network.

Still, on December 24th, he asked if there was a ‘worse’ time to close someone’s plugin. “Sure,” I replied glibly. “The day their mother died. The day their car broke down. The day their tech quit. The day of their product push. The day we upgrade WordPress….” He realized I had a lot of examples and conceded the point. There’s never a good day because we don’t know what’s going on in your life. We can’t know. I’m not actually psychic, after all.

Sometimes people like to complain that we don’t ‘run WordPress’ like a business. If we did, we’d never close a plugin on a Friday night, or on the eve of a major holiday, or without warning, or … You get the idea. And they’re partly right. If WordPress.org was a business, a lot of things would be different. We’d have any easier way to warn people and put shutdowns on a timer, or delete accounts, or help everyone who posts in the forum. But the mistake here is not ‘ours’ for making WordPress what it is, but in you for expecting a free, volunteer, community to act like a company.

Cause we ain’t.

So while it’s never a good time to close a plugin, or reboot a server, or install new software for everyone, we’re going to have to do it at some time. An individual can’t be available 24/7 because we have to sleep, and we have other things to do. So accept that it’s just never a good time, fix it as soon as you can, and carry on.

22 January, 2014
Why I Write eBooks
Shamelessly I steal the subject from Chris Lema. Again.

I write because I read. A lot. Someone told me they wanted to read 30 books in a year, which is about 2 a month, and I looked sheepish. I read about a book a week, depending on the book. It took me 2 weeks to get through The Hunchback of Notre Dame, and I read more when I’m traveling since I enjoy reading on planes. I’m a reader because my elementary school teacher, Nancy Sager, told me the best way to become a good writer was to read. So I read voraciously. Sometimes it’s books, sometimes it’s a graphic novel (and yes, I consider them a book, though I don’t count them on my ‘book a week’ list). I read and re-read and critique in my head.

But this isn’t why I read books, it’s why I write them. Like Chris, I write because I’m lazy. The whole reason I wrote WordPress Multisite 101 was because I had a Word Doc with all that information in it, scattered, and when I started to make a table of contents, I thought that I could do it better. So I did. Similarly, I wrote the next two books for the same reason. I had all this information, and I could have made a ton of blog posts, but it’s actually easier for me to pick up that one book, search for the phrase, and find what I needed.

I also write because I have a story to tell. I don’t publish these as often if at all (good luck finding it), but I write fiction. Mystery novels, crime stories, that sort of thing. I write because I get these ideas and I want to tell the story. That translates well to my technical writing because people remember a story better than dull facts. I know the facts that Anne Bolyen, Jane Seymore, and Catherine Parr were all beheaded because of a song! Hilariously, the song is wrong, and it’s Anne and Catherine Howard who were headless, but how the Sweet Saint Marian can anyone tell with their heads tucked underneath their arms!

Now that you have the song in your head, you may think about how much easier it is to memorize scripts and poems and songs than it ever is to remember the list of British kings. That’s because a story makes it easier for most of us. And I like telling stories.

So I write because I want to have any easy way to find things, and because I want a fun way to remember them.

Interested in reading them? They’re about WordPress:
What’s that last one? It’s Eric Mann’s fault. He said if I wrote a book about making an ebookstore, he’d buy it. And then Chris Lema said he’d do an intro. So fine. Here’s a 33 page ebook on making an ebookstore with Easy Digital Downloads. Enjoy the release of ebookception: WordPress eBookstore
20 January, 2014
Font Size Matters
I’ve been complaining about this for years.

I wear glasses. Thick, coke-bottle, I have an astigmatism so bad any time I get a new eye-doctor, they tend to boggle that my eyes are as healthy as they are being as crap as they are. No, I’m not legally blind, but I am wearing glasses any time of the day I want to see.

Amusing anecdote time. I did acting as a kid, and I used to not wear my glasses for it. My mother was always terrified I’d fall off stage not being able to see it, but I actually can make out some things. The color on the edge of the stage was enough, and I also counted my steps. I’m great with walking around at night, no glasses, to go to the bathroom. But the point is if you find pictures of me above the age of three, I’m wearing glasses. Before that I could see ‘enough’ that I didn’t want to wear them, but afterwards, I gave up and only took them off for official pictures. Now I argue “No one will know me without my glasses” (something I proved in High School when I wore contacts and a dress to a fancy party and my boyfriend didn’t recognize me).

So I have bad vision. And for years I would CMD++ to make the WordPress admin readable. It was just too small for me. I’d complain to people, I’d make my own admin skins, and I’d beg UX/UI people to put it on their radar. When MP6 came out, I rushed to install it because the subtle font increase and style change made everything readable for me.

Here’s an example from Pippins Plugins. Now, Pippin’s my friend and co-plugin-reviewer. I love his work. His site is just a wee bit too small for me:

Pippin’s Normal Size

Pippin’s +1

Pippin’s +2

Generally I’d like a +1.5 view for his site, and bless his heart, the whole site scales wonderfully when I do increase the size. But I find his default font size (13px) is just a smidge too small for me, and a 14px is so much easier to read long term. The same thing happens for me on WordPress.org’s support forums

For reasons of this ilk, I use a Chrome add-on called Stylish to force font sizes (and layouts) where applicable.
```
#subscription_checkbox {
display: none;
}

#pagebody {
font-size: 14px;
}
```
The first one is to hide that blasted subscription checkbox (which I never want to check), and the second makes the page body size 14. Suddenly it’s all legible for me! And yet, on the occasions where I’ve point out that the font’s a bit small, the masses all tell me “Oh but I can read it fine!” I know as the age of developers creeps up and more and more people end up having less than perfect vision, things will skew up somewhat.

Except the odds really are they won’t. As we get older, we bring in younger, and the cycle will remain. And this makes me wonder if there will ever be a point at which we have a medium where the folks with great eyes and the ones with poor ones are both happy.

I’ve heard tell that 16 pixels is the best but really the perfect thing is 100% easy to readability. And that’s where I think that we’re still failing our readers.

Font sizes really are still too small for a lot of people, and the WordPress dashboard is certainly not innocent. If it was, I wouldn’t have had to write an mu-plugin that does this:
```
/* Dashboard */
.postbox .inside,
.stuffbox .inside,
#the-comment-list .comment-item h4,
p, .wp_attachment_details label[for=&quot;content&quot;],
#dash-right-now .sub p,
.wp-editor-area {
	font-size: 14px;
}
```
Yes, that’s what I have to do to make the dashboard readable. And no, I don’t think ’14’ is too large. It scales nicely on my iPad and my iPhone, and my desktop. But I know I won’t win this fight for a long time, so I’m going to take what I can and celebrate than MP6 is making WordPress at least a little easier to read for me.
17 January, 2014