Half-Elf on Tech

Thoughts From a Professional Lesbian

Category: How It Is

Making philosophy about the why behind technical things.

  • CAPTCHA Isn’t Accessible

    I’m just going to start this with a possibly startling fact. PWNtcha can break 90% of known CAPTCHA algorithms. If that doesn’t tell you why they’re totally useless, then I don’t know what will.

    It’s no secret that I detest and will not use CAPTCHA on any site I build. I have a math-test on one site where I get a lot, but that’s as far as I’m willing to get into that world. People often ask me why I hate it, and I tell them that it doesn’t work and it’s bad for accessibility. The fact that it doesn’t work is proven by PWNtcha pretty well, but the concept that it’s bad for accessibility seems to be lost on a lot of people.

    [Image: Screenshot from Star Trek episode 'Wink of an Eye' where Kirk is ordering dinner from the computer]

    CAPTCHA stands for Completely Automated Public Turing test to Tell Computers and Humans Apart. In the beginning, it was a great idea. The computer world had just started to try and make AI, and the first attempts at that on the Internet were to put little bots out that talked to people, asking and answering questions. That, in itself, is pretty damn cool, I agree. With working AI, we’re one step closer to ‘Computer, I’d like a bottle of Chateau Picard’s chardonnay, chilled to 68 degrees Fahrenheit, and play some Barry White at volume level 3.’ (illustrated to the right). AI is a great concept. But. What we actually got was people thinking ‘Wouldn’t it be cool if I made something that listened for key phrases and told them about my cool product?’ Basically, spam.

    An early defense against spam was that you had to enter a CAPTCHA code, which showed a picture with letters and numbers, and you entered those letters and numbers into a text field. The magic CAPTCHA verified they were the same and let you in. Pretty cool, right? Except that if there was a way for CAPTCHA to compare the image to the text you entered, then there had to be a way to reverse engineer that so a spam bot could read and enter the same code. Ever since then, it’s been an ongoing fight to make a better mousetrap.

    See, a human can easily read CAPTCHA like these:
    [Image: captcha examples that don't matter, suffice they're readable by most sighted people]

    But the best ones, the ones that can’t be solved by computers, the ones that even PWNtcha says will last for a long time, are ones I look at and wince:
    [Image: captcha examples that don't matter, suffice they're totally unreadable by most sighted people]

    Clearly if you make it good enough that a computer can’t crack it, you make it harder for a human to be able to understand it. In that one moment, anyone who has limited vision can’t access your site. Which means you’ve lost a visitor. If this is your business, you’ve lost revenue. And if you think there aren’t a lot of people that this will keep out of your site, think about how many people you know with some form of dyslexia. Think about how many people over the age of 40 (the age at which most of us need reading glasses) visit your site. Even if you run a trendy under-30 store, grammy may want to buy junior a new hip shirt. And don’t even pretend that older people don’t matter. Remember how long ago you were in College? Yeah, you’re getting older too, buddy.

    So they don’t work, they keep real people out of your site, and did I mention you probably don’t need it? I’ve been running ipstenu.org for a very long time (on Internet time – it’s been over a decade). I’ve had less than 20 spam posts show up on my site. None since I turned on comment approval (where I must approve your FIRST comment, but after that, you’re free to post). Akismet has caught about 50k spam posts. Bad Behavior’s caught even more (100k at last gasp) and only two ‘real’ people have ever complained about being caught (one had a virus, one had a bad firewall at school). Sure, if you’re Yahoo, you might need it, but did you know the ‘unreadable’ examples I used above were from Yahoo? Yeah. Google has a pretty basic, easy to read one, and so does Twitter. Facebook has too many, and they’re annoying. They actually probably don’t need them, either.

    Turn off your CAPTCHA. Your users will thank you.

    Continued Reading
    Inaccessibility of CAPTCHA – W3.Org
    It’s Official: Captchas Are Bad for Business – The ZURBlog
    Why you should never use a CAPTCHA – Online Aspect
    CAPTCHA Effectiveness – Coding Horror

  • I’m not a coder and I need HELP!

    IT may be for rockstars but really, the trick to getting the best help from your techs is simple. Be honest, think about what the questions we ask you mean, be direct, and explain what you mean. Seriously. That’s all we need. Every time someone says ‘It doesn’t work’ or posts a reply in a forum ‘Me too’, we cry a little. If you’re vague, or don’t use normal terms, we may get a little pedantic on you, but the reason is that we need to make sure you have the problem we’re thinking you have before we tell you how to fix it.

    Be Honest

    The number one reason why something ‘magically’ breaks is because you changed something. This is often seen, from the end-user perspective, as an at-fault change. “I changed this, it broke, therefore it’s my fault.” And in the business world today, no one wants to be at-fault. It’s an ego thing, but it’s also a responsibility thing. Here’s a secret for you. The IT people don’t care whose fault it is. Seriously. We just want to fix the problem and make sure it doesn’t happen again. That’s all we want. So when we ask you ‘Did you make any changes?’ just tell us ‘Yeah, I modified my profile to have this line.’

    Sometimes YOU may not make the change. Sometimes you may have the server or someone else make a change. Sometimes the change seems, to you, totally un-related. It doesn’t matter. Tell us. “I didn’t change anything with IE, but I did install a new twitter app.” That may be the cause! Unrelated software sometimes is written poorly, or weirdly, or just in a way that conflicts with your other software.

    If you’re using a CMS like Drupal, WordPress or Joomla, plugins often break things in insane ways you never predicted. And server upgrades can cause conflicts with older code on your installs. Always pay attention to what’s going on with your server.

    Think about what the question we ask you means

    When we ask you if you changed anything, think about that for a moment. It’s like ‘Did you change your oil?’ That’s a pretty simple yes or no answer. But what does the question ‘What did you change?’ mean? Well, pretty much it means ‘What’s changed?’ But it also means ‘What were you TOLD to change and you didn’t change?’

    The other day, I had a weird situation where someone had modified their profile a month ago to have a line to let them do something else. This was seen as inefficient, and the server guy fixed the server and told them ‘Remove any changes you made or things may break.’ They did not. Fast-forward a couple weeks and my monthly process failed. I asked if they changed anything. They said, honestly, they had not. I talked to the server guy who said ‘Well, they SHOULD have changed this…’ We changed it, it worked. Strictly speaking, they were honest, but they didn’t think about the question. They got hung up on that at-fault point. “WE didn’t change anything,” they said in email and I replied ‘Yes, but you actually were told to change that. It’s not a big deal, it’s an easy fix, but next time, remember to make the recommended changes, or at least document why you didn’t make the change. It’ll make it faster for me to debug.’

    That was singing to the wall, though. The guy was let go the next day.

    Be Direct

    This does not mean ‘Be an asshole.’ And in fact, I subscribe to Wil Wheaton’s rule: Don’t be a dick. What it means is don’t beat around the bush. I don’t need to know that you’re logging in from home and it’s distracting. I don’t need you to IM me and ask ‘How are you?’ You don’t care, and neither do I. What we care about is this: What’s the problem?

    I get a lot of IMs at work (which is why I don’t use IM at home, by the way) with people saying ‘Hello! How are you?’ and we waste about 10 minutes ‘chatting’ about stuff no one really cares about. I get that you’re trying to be polite, but you’re calling the help desk. The other problem is when someone says ‘Do you have a minute to help me?’ Honestly, rarely, but since I don’t know what you’re talking about, I can’t tell you if I have the time, so I have to say ‘Depends. What’s the problem?’

    Here’s an example of a poor IM/phone conversation with tech support (this is, by the way, an actual conversation I had recently):
    User: Hi!
    Tech: Hello, this is Jane, how may I help you?
    User: It’s Tom.
    Tech: Hello, Tom. How may I help you?
    User: How are you?
    Tech: Fine, thank you. How may I help you?
    User: Do you have a minute?
    Tech: Depends on the problem. How may I help you?
    User: I’m having a problem.
    Tech: Yes, with what?
    User: With your application.
    Tech: What’s the problem.
    User: It’s not working right.
    Tech: Okay, can you be more specific?
    User: It’s my password.
    Tech: Okay. What, specifically, is wrong with your password?
    User: It doesn’t work.
    Tech: Does it give you an error message?
    User: Oh, yes!
    Tech: And the error says….?
    User: Something about the password being bad.
    Tech: Can you try to login again and read the error, out loud, to me?
    User: Sure. Okay, it says ‘Your password is incorrect and your account has been locked out.’
    Tech: Ah. Okay, I’ll unlock your account and set your password to 123456 – Once you log in, you’ll be asked to change it.
    User: Boy, that took a long time!

    Look at how long that was. Want to see the GOOD version of the same conversation?
    User: Hi, Jane, it’s Bob. I’m having a problem with your Foobar application. When I try to login, it says my password was incorrect and I’m locked out. Can you help me?
    Tech: Sure thing, Bob. I’ll unlock your account and set your password to 123456 – Once you log in, you’ll be asked to change it.
    User: Thanks!

    Look at how much faster that went because Bob was direct and to the point. He got his problem fixed really quickly because he came prepared. And if the Tech had been busy, he could have easily transferred the call, or opened a ticket, or done a variety of things.

    Oh and for the record, I answer the phone: Company name, this is MY NAME. How may I help you?

    Explain What You Mean

    In my previous example, Bob got to the point and explained what the error was right away. This falls under ‘Explain what you mean.’ The phrase ‘It’s broken’ has lost all meaning, if it ever had any. And due to the complex nature of computers, even if your problem is as simple as a botched password, we really do need you to explain ‘When I try to log in, the software says my password is invalid.’

    If you have a weird error, take a screenshot. They are rarely a bad idea, and can sometimes streamline a problem from ten minutes of talking ‘Okay, where is the icon?’ into a quick ‘Oh! Yeah, I know that one.’ If you get an error message, use the exact error with the exact verbiage, in your support request. Also remember to put your screenshots in a generic format. While PDF, RTF and DOC (and DOCX) are mostly universally readable, XPS is not. PNG is also a great one. Anything that is readable only by proprietary software is a bad idea, even if you know the other person has that software!

    Also be descriptive about what you’ve already done to troubleshoot. Don’t say ‘I did everything I could find online!’ That’s vague. Say things like ‘I tried to reset the admin password via SQL, email, PHP, and the emergency script.’ That’s descriptive and tells us what we can skip! On the other hand, don’t get all pedantic. Likely it doesn’t matter if you logged in from home or from work if your email crashes every time you read an email from Bob. On the other hand, if you can get to a website from home and not work, the odds are location does play a factor. While you should be descriptive, think about relationships between what information you’re providing and what your problem is. Later on, you might be asked ‘Does this work if you try it at home?’ But we probably won’t ask if it works on your Mac, if it’s a Windows Only application. Again, think about the questions and the relationship.

    Don’t get mad when you’re treated like a noob

    If you’re a user, sometimes when you provide a limited amount of information, techs default to the lowest common denominator. If you ask a question which we think is pretty standard, is answered in the FAQs (or by 5 minutes in Google), we tend to assume you’re new at all this, and pitch you the simple answer. This means you DON’T get told how and why something works, just how to do it. This means you may get what looks like a flippant response. This does not mean we, techs, think you’re an idiot. It means we can’t tell, from your post, if you’re a BOFH or a bean counter. So we assume bean counter and if you reply ‘Yeah, I did all that.’ well it’s your own damn fault for not telling us what you did in the first place.

    I try not to treat people like rank newbies, but. But. Sometimes I get a question that is mind-numbingly obvious with ten minutes of looking. Asking for help should be the last resort for some people. Like if you’re running a blog on your own server, you need to learn how to help yourself. On the other hand, at work, you should call for help when the software breaks. Someone is paid to fix it, and you should utilize them. Of course, if the techs have made a quick FAQ ‘if you get this error, you need to delete this temp file’ you should read it and try it.

    How to write a good help request

    So you’ve read all that and you want some examples?

    For your help desk at work, it’s pretty simple:

    I’m using software FOOBAR and when I try to do BAZ I get the following error: . I’ve included a screenshot. I was able to do BAZ yesterday, and I have not installed any new software.

    I’m a new user of FOOBAR and I can login, but when I click on BAZ, nothing displays in my right hand menu pane. Included is a screenshot.

    I need to use FOOBAR. How do I get it installed on my PC?

    Not too hard, eh? At work, generally people know if you’re an end user, a developer, or a programmer, and can skew support thusly. For public support forums, however, we have no idea so here’s a good idea:

    I’ve been using FOOBAR since version 2 and I recently upgraded from 2.9 to 3.0. Now when I try and add a new BAZ, I get an access denied error with the following output. I’ve disabled all my plugins and re-copied the files up. Same problem. I’m using a linux server and I have PHP 4.

    Variations of that rarely go amiss. Also remember on CMS support forums, most of the people there are volunteers, so calling them names will get you shunned, if not banned. On free forums (WordPress, Drupal, etc), you’re NOT a paying customer, so don’t expect to be treated like one.

    Do you have advice for the best ways to handle support requests, as a tech or a user? Sing out in the comments!

  • Internet Anonymity and Impersonation

    If you’ve visited this URL, I know who you are. I know your browser, your IP, your OS, your screen size, how you got here, who your ISP is, what country you’re in, and really, that’s a lot of stuff. It doesn’t matter if you post on this site or not, I have a way to log who you are.

    Did that scare you? Well, it should and it shouldn’t. Every website on the net has this ability, and some are more honest about what they do with that information and some are not. I use it to optimize content for my visitors, and to block my current bevy of South African residents who are harassing me.

    Five years ago, I wrote an essay for my office about how people on the internet know who you are. The intent was to raise awareness in my co-workers as to how people knew who they were, and what actions made them obvious to site-runners that they were who they were.

    Someone asked me once if it was possible to be anonymous on the net, and I told him, seriously, “Sure, don’t log in.” Expecting to be able to be truly, 100%, anonymous is like expecting to be able to come to someone’s house and never tell them your name or show them what you look like. They’d kick you out, have you arrested, or worse. A website is a house, and the same basic rules apply. You’re a guest.

    If you run your own website, be it a small, weird blog about everything, a tech blog, or a fansite, you have people who come by and will eventually be a dick. This is just a constant in life. But that means you have to keep an eye on your site, upgrade it to keep out the ones who want to hack, and find ways to keep out the ones who just want to be trolls. I’ve written a couple plugins (Ban Hammer and Impostercide) to help me with that, but at the end of the day, no plugin can be as smart as your own brain.

    Recently, in the Impostercide comments, someone asked me if Impostercide could stop anonymous users from impersonating each other. And the answer is no, no it cannot. See, Impostercide (and any similar plugin) needs to check against a list, and really, all you have is the list of members. So if someone anonymous tries to use a member’s email or login handle or URL, well that’s easy to catch! Sure, some people might have the same URL, but that’s pretty unlikely unless they’re running a business together… Like Ron and Andrea. I may want to rethink that part, now…

    Anyway, the point is you have to have something to check against. Anonymous users aren’t registered, so the only ‘check’ you have is IP address. In theory, you could jigger the check to say ‘If the user ID/email has commented before, check to make sure the IP is the same, and if not, flag it as bad!’ Except that wouldn’t work, since, for example, I login with multiple IPs. The world is just too mobile for that to work in any decent automated fashion. Instead, you need to use your brain.
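
    The checks discussed above, sketched as an added example (this is not Impostercide's code and not part of the original post). It rejects anonymous comments that reuse a member's email or login, only holds a shared URL or a first-time email for moderation, and treats an IP change as a note for the moderator rather than a block. The names `triage` and `Verdict` and all sample members, addresses and IPs are constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample data: registered members of a hypothetical site.
# Two members legitimately share one URL, as in the Ron and Andrea case.
MEMBERS = [
    {"login": "ron", "email": "ron@example.org", "url": "https://shop.example.org/"},
    {"login": "andrea", "email": "andrea@example.org", "url": "http://www.shop.example.org"},
]

# Constructed history of approved anonymous comments: email -> IPs seen so far.
HISTORY = {"reader@example.net": {"203.0.113.7"}}


def norm_text(value):
    """Trim and case-fold so 'Ron ' and 'ron' compare equal."""
    return (value or "").strip().casefold()


def norm_url(value):
    """Reduce a URL to host + path, ignoring scheme, 'www.' and a trailing slash."""
    value = (value or "").strip()
    if not value:
        return ""
    if "://" not in value:
        value = "http://" + value
    try:
        parts = urlsplit(value)
        host = (parts.hostname or "").casefold()
    except ValueError:
        # Malformed input: compare it literally instead of crashing.
        return value.casefold()
    if host.startswith("www."):
        host = host[4:]
    return host + parts.path.rstrip("/")


@dataclass
class Verdict:
    action: str  # "approve", "hold" or "reject"
    reasons: list = field(default_factory=list)


def triage(comment, members=MEMBERS, history=HISTORY):
    """Decide what to do with one submitted comment (a dict of form fields)."""
    # A logged-in member is already authenticated; only anonymous input is checked.
    if comment.get("user_id"):
        return Verdict("approve", ["authenticated member"])

    name = norm_text(comment.get("author"))
    email = norm_text(comment.get("email"))
    url = norm_url(comment.get("url"))

    # 1. Email or login of a registered member: the case that is easy to catch.
    reasons = []
    for member in members:
        if email and email == norm_text(member["email"]):
            reasons.append("email belongs to member " + member["login"])
        if name and name == norm_text(member["login"]):
            reasons.append("name is the login of member " + member["login"])
    if reasons:
        return Verdict("reject", reasons)

    # 2. URL match alone is weak evidence (members can share a site): hold it.
    shared = [m["login"] for m in members if url and url == norm_url(m["url"])]
    if shared:
        return Verdict("hold", ["URL also used by member(s): " + ", ".join(shared)])

    # 3. Nothing to compare an unknown email against: first comment is moderated.
    seen_ips = history.get(email)
    if seen_ips is None:
        return Verdict("hold", ["first comment from this email"])

    # 4. Known email from a new IP: too common on mobile networks to block on,
    #    so it is only surfaced to the human moderator.
    if comment.get("ip") not in seen_ips:
        return Verdict("approve", ["note: known email, new IP " + str(comment.get("ip"))])
    return Verdict("approve", [])
```

    The last rule is the one the paragraph above warns about: it cannot tell a returning reader on a new network from an impersonator, which is why it annotates instead of blocking.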

    As a site runner, when I see a questionable comment, I make a note of the IP address first and then the email. If it’s a specialized domain (like ipstenu.org, something personal), I go to the site and check it out. If the site looks legit, I match the IP. Does it come from the same general region as the website? Does it come from the same general region as where the website says the person lives? If it’s someone I’ve seen around my sites before, does it sound like their other posts? Does the language match their website? Do they post on forums I frequent and sound like they normally do? You’d be surprised how easy it is to notice when someone doesn’t sound right. There will be an odd turn of phrase or a strange typo.

    I’ll give you a true example.

    I have a sort of twitter stalker/idiot, who pretends to be a famous person, and kisses up to me and asks I verify her celeb account as legit (this is because I run a fansite for said famous person, and I met her once). Recently she posted on my fansite blog. Her comment immediately was flagged by my moderation filter, because it was a new post from a new email address. I do this for all new comments on all sites I run. And even then, if I approve a post I’m not sure about, I manually put it in the moderation list for a while.

    What my idiot, apparently, did not know, was that when you post to a blog, it records your IP address. I looked up the IP, since someone who’s purportedly a celebrity should come from, oh, perhaps the general Los Angeles area. Or maybe her agency. But no. It’s from South Africa. South Africa happens to be where another twitter account, one that regularly harassed and insulted me, was located. In fact, if I went to that account’s twitter page, right there under location it says ‘South Africa.’

    Armed with that information, I opened up the fake celeb and the troll twitter pages, side by side, and matched time-stamps of tweets. Oh look. All tweets are roughly around the same timeframe (hours that are pre and post school for South Africa, but weird for someone in the USA).

    The lessons to take from this are simple. First is ‘Never piss off the sysadmin’ but only slightly less well known is this: If you’re going to pretend to be someone else, you need to be really good at hacking the internet, in order to hide who you actually are. And if you think someone’s being impersonated, well, it’s pretty easy to double check and follow up. If someone contacts you and says ‘Hey, that’s not me!’ follow up right away and assume they’re them. Kill both comments and email asking ‘which one’s you?’ But err on the side of caution.

    If you’re a commenter, use your brain. Never assume the person running the site doesn’t look at your data and make some snappy deductions from it.

    For a site runner, remember there is no better weapon to fight impersonators on the internet than to use your brain and think things through logically.

  • What is Cloud Hosting?

    This came up because I’m considering moving to cloud hosting. I don’t have to, yet, and since it’d cost me an extra $25 to $30 a month, I’m not planning on it just yet. (Actually, it would be pretty much WHAT I pay now, if I drop cPanel, which is an extra. But for the extra $20 I get ‘cPanel + Fantastico as well complete support of base operating system and all cPanel services. Proactive service restoration is provided.’ I don’t care about Fantastico (and tend to uninstall it), but the base OS support is useful and cPanel just makes life easier for me. Yes, I’m lazy.) But wrapping my head around the ideas behind cloud computing was a weird trip.

    A few years ago, I had a job as a Citrix tech, which meant my job was to take software normally installed on your PC, install it on a server, and somehow trick the PC into thinking ‘When I run Word, it’s actually running on this distant server, and not my desktop, but everything pretends it’s on the desktop.’ This was called a thin-client deployment, because the client (i.e. the PC), only has to have a very little bit of processing power to run things like Adobe Photoshop. By the way, fat-client means ‘everything runs on your desktop.’

    For the really old hands at this, you’ll remember when all PCs were just dumb terminals that connected to the mainframes, and you ran everything off the mainframe. Guess what? Thin-client stuff is kind of the same thing. The programs you run via thin-client basically only exist when you run them. The rest of the time, they’re not available on your PC. This is good and bad. It’s good, because a company can save millions by pushing out low-end, weefy desktops to everyone. It’s bad, because they then have to turn around and spend the millions on the servers and the network. If the server or network goes down, no one gets to work.

    What does that have to do with cloud computing? Cloud computing takes the thin-client idea of ‘on demand’ usage to a new level. Right now, ipstenu.org lives on a server (a VPS to be specific) with four other domains. I pay a flat fee for the server space, a specified amount of bandwidth, a limit of CPU, and some IP addresses. With cloud computing, I would pay a flat rate for hosting, but if I need more CPU, I can easily get more by clicking a button. And when I don’t need more? It goes away.

    Suddenly my server is able to adapt! It scales up and down on an as-need basis. Think of it like your heating bill. In the summer, when you don’t need it, the cost per month goes down. In the winter, it goes up. And unlike the gas company, you don’t pay more during winter because it’s a set, year-round rate. Woo! Or, as the video I’ve linked to below would say, it’s like a taxi. The meter keeps running at stoplights, but it runs slower, so you pay less.

    Now I will say the math for how much all this costs, and sorting out what you need, is a bit heinous. I ended up chatting with my webhost about what I would need, based on my current usage. They have their own traditional webhosting setup as well as a cloud service, and since I adore them to no end, I decided it would be smartest to just ask them about it. Yes, it would be a hassle to move everything, and likely my subversion stuff would break and need to be re-installed, but it’s definitely a better bang for my buck than to use something like a dedicated server.

    There are downsides to all this. The biggest one is security, which panics a lot of people. On cloud computing, you’re back to the same sort of place you were for shared hosting. When you need more CPU, you get another ‘slice’ of the cloud (it’s a mixed metaphor, sorry). The slices still need servers to run on, obviously, and each webhost has the option of slapping together a bunch of servers quickly and poorly, or doing it the right way. And, sadly, a lot of webhosts are leaping into the cloud without looking, shoving servers together, and not thinking about security. To those people who worry, I remind them that cloud or not, your server’s security has always been about your webhost.

    In August of 2010, it was determined that Network Solutions (a big webhost) had over 500,000 compromised websites. Reported on by Armorize Blog, they proved that any time you made a parked domain, Network Solutions put a widget on your site that served up malware and could infect PCs. This was a default widget, something that showed up if you didn’t check any boxes, on newly registered domains.

    From the horse’s mouth, Network Solutions spokeswoman Susan Wade provided this statement when asked for comment: “Regarding the widget incident from the weekend, our security team was alerted this past weekend to a malicious code that was added to a widget housed on our small business blog, growsmartbusiness.com. This widget was used to provide small business tips on Network Solutions’ under construction pages. We have removed the widget from those pages and continue to check and monitor to ensure security. Reports of the number of pages affected are not accurate. We’re still investigating to determine the number impacted.”

    Basically, Network Solutions’ own website was hacked and shot a ton of other sites.

    You want to complain about cloud being insecure, go ahead, but remember that your security depends on your host being a good soldier, same as always. Which is why I recommend LiquidWeb and their Storm On Demand Hosting.

    The other thing people complain about with cloud is they can’t touch their physical server. Personally, I don’t care. The virtualization of data is a big thing, and most people actually never see their server. Mine’s somewhere in Michigan I think. Making backups isn’t easier or harder with a cloud, so you can still have a good backup of your data for emergencies. Everyone should have a backup.

    Should you move to cloud? If you’re on a VPS and starting to get too big for it, then yes. The cost is a good reason but also you’re just going to get more flexibility. If my server needs grow (which is to say, if I start crashing the server again), I’ll be moving to cloud for sure.

    Still confused? Watch this video and it will explain it in a very straightforward, amusing, manner:

  • com or org? Which WordPress is Right for Me?

    There are two WordPresses. This confuses lots of people, to the point that Matt Mullenweg has implied he’ll never name something like this again. It’s almost as confusing as pages vs posts, which is a whole different post.

    WordPress.org – The location of the software you can download and install your own WordPress blog on your own server.

    WordPress.com – The often free blogging software anyone can sign up for and have hosted by WordPress.com. It’s like Blogger or LiveJournal, only better because it’s WordPress.

    So which one is better? .com or .org?

    I usually tell people that I can’t answer that question, or to google it, or I ask them what they want to do. It’s not an easy question to answer, but I’m going to try here.

    First, I want to point out that there is no shame in not wanting to host your own blog. Seriously. It’s work, and anyone who says otherwise is an idiot. You have to stay up on your software versions, plugins, themes, etc etc and … Yeah. Work.

    So here it is, in all its glory: If all you want is a blog, and you don’t mind a few basic themes? Use WordPress.com. There. Done. If you’re willing to pay, you can even customize your CSS or download other themes, and have your own domain name.

    A friend asked me recently if she should use wordpress.com or self host. My email is verbatim:

    Don’t worry about where you want to be in 10 years, worry about where you want to be in a year, but only in the broad strokes. It’s like learning to paint or draw. You start with the big, simple, concepts, and learn how to do the rest as you go. If you think ‘I want something like Ning’ or ‘And I want forums’ or a wiki or whatever, well, then don’t use .com. But if all you want is a blog? Just use WordPress.com and you’re done.

    Except, see, it’s really not that simple.

    When people on WordPress.org forums ask this question, I usually tell them to read Don Campbell’s post “WordPress.org vs WordPress.com – Which One Should I Use?” It’s pretty straightforward and helpful. Lately, people have followed up that advice with ‘Okay, great. Why is one better than the other?’ Even people who read the official WordPress.com vs. WordPress.org article by WordPress ask that.

    I firmly believe that better is subjective, and it really depends what kind of blogger you want to be. However there are some obvious benefits to self-hosting.

    WordPress.com limits your free themes. If you want some fancy CSS or your own domain name or more storage, you have to pay for it. At a certain point, you will end up paying the same as you would for a hosting plan, and you’re getting ‘less’, in that you still can’t install your own plugins or third-party apps! No Wiki, no gallery. Nada. On the other hand, you pretty much never have to worry about your upgrade going bananas, or hanging .maintenance files that make you think your site is down, or incompatible PHP/SQL versions. You get the most pain-free upgrade possible.

    That said, if your blog grows and becomes popular, you will outgrow the free hosting. You’ll need to pay more for hosting. You may even have to pony up for VIP hosting if you make it big like Cute Overload. Free only takes you so far, and you get what you pay for. Pay nothing, and there’s a limit to what you’re going to get.

    But wait, you don’t pay a thing for WordPress.org! Does that mean you get nothing? No, it means that there is a limit to what you get. Free support, sure, but from people who fill in on our free time. Yes, our. I waste a lot of time helping people with obvious questions, pointing out typos, and earning karma credit by trying to be a good person. There are a lot of people with a sense of entitlement, that this software should do everything without needing to know what’s going on. Listen, you weren’t born knowing how to use Microsoft Word. Some people go a lifetime without touching macros, while other people can’t fathom their life without key commands that resize and reformat sections.

    There is no one true way to nerdvana, folks. There’s no one perfect operating system, no one perfect blog software, no perfect phone. It’s all what you want, what you can use, and where your comfort zone is.

    So why would I pick WordPress.org over WordPress.com? Flexibility, growth and options. I want the ability to grow and do everything that might come down the road. Of this, WordPress, my blog, is a small part. I want SubVersion, videos, galleries, you name it.

    Why would I pick WordPress.com over WordPress.org? I wouldn’t. But I do suggest it to people now and then, when I look at their needs and say ‘You know, this is a great place to start.’ If they outgrow the .com, they can export their posts and comments over to a self-hosted install with a bit of effort. And the work required to do that is pretty typical of the savvy you’re going to need to support yourself going forward.

    Which is better? No one can answer that for you, but hopefully some of the advice here will get you started in answering it for yourself.

  • Why doesn’t the WordPress auto-upgrade work?

    This came up recently with the WordPress upgrade to 3.0 (and subsequent 3.0.1 bug fix). A lot of people had problems upgrading from WordPress 2.9.2 to 3.0, and for the most part, the fixes were simple.

    There was a known ‘memory bug’, where WordPress didn’t request enough memory from the server when upgrading and, since 3.0 is a bit bigger than 2.9.2, it failed. This was fixed with the plugin Memory Bump. Once you upgraded to 3.0, you could remove this plugin, because the new WordPress version took care of it on its own. There were other issues, though most of them seemed to be plugin conflicts or people using weird versions of PHP. I even had a note I kept handy:

    Memory Issues
    Per naicin

    We’re in the process of pushing out a plugin for this: http://wordpress.org/extend/plugins/memory-bump/

    In the meantime, you can also add this to your wp-config.php file:
    define('WP_MEMORY_LIMIT', '256M' );

    The issue is that WP *may* need more than the default 32 MB to upgrade to 3.0, due to the increased package size over 2.9. This is a “known issue”.

    3.0 handles this by always bumping you to a very high memory limit in the admin area, so you won’t see this once you’ve hit 3.0.

    Weird Errors and blank screens
    Rename your plugins folder to plugins-old (via FTP or SSH) and see if that fixes it. If so, name the folder back to plugins and reactivate your plugins, one at a time, testing between each copy.

    Believe it or not, those two answers were probably 90% of what I posted on the WordPress forums for the better part of a week. That and ‘Yes, these plugins don’t work on 3.0 yet’ (and I had a list for that too!).

    Then came Zarathustra — I mean WordPress 3.0.1 — and people began to have new issues. The most common was something like this:

    Downloading update from http://wordpress.org/wordpress-3.0.1.zip…
    Unpacking the update…
    Verifying the unpacked files…
    Installing the latest version…
    Could not copy file.: [some file]
    Installation Failed

    The file would be different for pretty much everyone.

    As far as I know, we’ve not found a fix yet, however I pointed out that when the auto-upgrade fails, you should try installing the update manually. It’s not that hard. It’s basically copying files to a server and if you can’t do that, I don’t think you should be running your own self-hosted site. This is why I run the tech side of a site for someone else. Know your limits, I always say (my limits self-tests haven’t always been non-destructive, by the way).

    In this support post for the failed install, riddle said:

    I’d like to get back to the original poster’s point: 3.0.1 automatic upgrades are too unreliable for the very WP admins who most need one-click upgrades.

    ipstenu’s reply (“This is a problem with your server setup, most likely, not WP. The most likely reason would be that your PHP setup doesn’t like the way WP 3.0.1 is unzipping and copying files.”) misses the point. If there are common PHP configurations under which the automatic upgrade won’t work, then at a minimum the upgrade script should test for them before breaking the site.

    And I replied:

    You just hit the nail on the head as to WHY automagic upgrades fail.

    There aren’t config standards for PHP and server software that are across the board on every server known to man. Each company has their own settings and standards, and even then (as I pointed out to a coworker yesterday), unless you clone a machine onto the exact hardware, you’re still going to have an inexact copy.

    Servers are snowflakes, man. It sucks, but that’s it.

    WordPress is able to say ‘Your server must be able to do these things to RUN WordPress’, but even then, someone may have a wildly weird setup where stuff works poorly. It’s the nature of the beast and it’s impossible to test everything.

    If the automatic upgrade fails, do it manually. It’s not that hard (copying files). Heck, it’s easier than installing manually the first time!

    And really this is the problem with all software, web or otherwise. There’s a reason software has ‘minimum requirements.’ It’s the bare minimum someone tested on and the software worked. WordPress says ‘To run this software, you need PHP 5.2 and MySQL 5.0.15’ (as of 2011, so get on that now!) and that’s pretty much it. That’s all you need to have WordPress run, but that’s not all you need to do everything you could possibly do with WordPress, and this includes those pretty auto-magical upgrades.

    For what it’s worth, I come at my viewpoint from someone who spent 3 years doing application testing. I had to make sure all the apps used together worked together on every computer. Which is impossible. There’s no way I could promise that every app someone might use will always work on a computer with every other app. To make our goal realistic, we ‘certified’ applications, and would list any known conflicts, as well as everything we knew it worked well with or needed tweaks.

    Knowing that, and knowing that servers are set up with just as much variation as desktops, means that when someone says that WordPress should have standards it works on, I think they’re just naive. There’s really no such thing as a ‘standard.’ There’s no standard location for temporary files, there’s no standard location for a home folder, and there sure as hell is no standard setup for installing PHP on a Red Hat box. There are variables galore that could cause all sorts of issues. There are application conflicts, configuration mismatches, setup issues and, of course, the fact that there are so many different types of ‘standard *nix servers’ that are used, with hundreds of patches and tweaks, that the target’s moving so fast, I think it just hit you in the head.

    So why doesn’t your automated upgrade work when you click the button on WordPress? The possibilities aren’t endless, but they’re pretty thick. You’re better off learning how to do the manual upgrade if you have wild errors no one’s seen before.

    And I hold by my belief that if you can’t perform a manual upgrade, you need to rethink your capabilities of running a website on your own. If you’re running MultiSite and you can’t do it, you’re going to be in a world of hurt one day, and I will do the ‘Told you so’ dance.
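
The forum suggestion quoted above, that an upgrade should test the server before touching the site, can be tried by hand over SSH for the two conditions this post names: the memory limit and whether files can be copied into place. This is an added example, not WordPress's or the author's code: `preflight` and its helpers are hypothetical names, the 256 MB default comes from the `WP_MEMORY_LIMIT` value in the note, and treating unwritable paths as a cause of "Could not copy file" is an assumption, since the post reports no confirmed fix.

```shell
#!/bin/sh
# Added example: pre-upgrade check for a self-hosted WordPress directory.
# preflight and its helpers are hypothetical names, not part of WordPress.
# Usage (after sourcing or pasting): preflight /path/to/wordpress [required_MB]

# Convert a PHP-style size (256M, 1G, 512K, or plain bytes) to whole megabytes.
to_mb() {
    case "$1" in
        *[Gg]) echo $(( ${1%?} * 1024 )) ;;
        *[Mm]) echo "${1%?}" ;;
        *[Kk]) echo $(( ${1%?} / 1024 )) ;;
        *)     echo $(( $1 / 1048576 )) ;;
    esac
}

# Print the WP_MEMORY_LIMIT value defined in wp-config.php; nothing if absent.
wp_memory_limit() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]WP_MEMORY_LIMIT['\"][[:space:]]*,[[:space:]]*['\"]\([0-9][0-9]*[KMGkmg]\{0,1\}\)['\"].*/\1/p" \
        "$1/wp-config.php" 2>/dev/null | head -n 1
}

# List files and directories the current user cannot write.
# Assumption: an unwritable path is one way the copy step can fail.
unwritable_paths() {
    find "$1" \( -type f -o -type d \) \
        -exec sh -c '[ -w "$1" ] || printf "%s\n" "$1"' _ {} \;
}

# Run both checks; return 1 if either one reports a problem.
preflight() {
    dir=$1; need=${2:-256}; rc=0   # 256 = the value in the quoted note
    limit=$(wp_memory_limit "$dir")
    if [ -z "$limit" ]; then
        echo "WP_MEMORY_LIMIT is not set in wp-config.php"; rc=1
    elif [ "$(to_mb "$limit")" -lt "$need" ]; then
        echo "WP_MEMORY_LIMIT is $limit, below ${need}M"; rc=1
    fi
    paths=$(unwritable_paths "$dir")
    if [ -n "$paths" ]; then
        echo "not writable by $(id -un):"
        printf '%s\n' "$paths" | head -n 5
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "both checks passed"; fi
    return "$rc"
}
```

A clean result covers only these two conditions; it says nothing about the other server differences the post describes.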