Half-Elf on Tech

Thoughts From a Professional Lesbian

Category: How It Works

  • New Math

    New Math

    I’m not a math teacher. I’m not a mathematician. My father, the risk analyst, is a mathematician. We used to play math ‘games’ and I thought that was normal. I was also a very odd child. My mother was convinced something was ‘wrong’ with me because I did “Number Roll” all day at school for the better part of a year. To anyone not from a Montessori school, Number Roll is a bewildering concept, where you just write numbers, incrementing by one, over and over and over again, getting the numbers as high as you could go.

    Now, I was always (am still) a hands-on learner. Being forced to learn anything by rote memorization is painful. But math is a little different. You can’t ‘understand’ math until you’ve mastered counting. You can’t grasp all the relationships between quantities and numbers without knowing the numbers first. It’s like you can’t learn spelling until you’ve memorized the ABCs.

    Number roll is crazy basic. On long sheets of paper, I wrote each number in order, beginning with “1”. I should stress, my mom worried about my intelligence, that I spent days and weeks and months doing this. But what I was really doing was following patterns without knowing it. I mean, I can do my nine-times tables because I know the ‘pattern’ is Plus Minus. Watch:

    09
    18
    27
    36
    

    That didn’t make any sense to you? Start with 09. Add 1 to the left and subtract one from the right. Now it’s 18. You do this over and over and over again and it works all the way down. This repetition taught me pattern recognition in a different way and gave me insight into both counting and the meaning behind it. The nines work like that because 10 – 1 = 9, so then logically I could apply this to everything! This is where number roll was suddenly magical, as the Montessori concept is that before children can gain a meaningful understanding of quantities, numbers, and the relationships between them, they need to learn basic counting, but you should understand what counting means.

    In other words, math will make more sense if you can see how the numbers fit together.

    This is probably why, when I was a kid, I did my multiplication ‘backwards.’ That is, if you asked me to do 123 x 24, I did it left to right. Let me explain. This is how you probably do it:

     123
    x 24
    ----
     492
    246
    ----
    2952
    

    Right? You start with the bottom right, so you go “4 times 3 is 12, carry the 1, 4 times 2 is 8 plus one is 9, 4 times 1 is 4.” Most people I know would call this ‘traditional’ math. My math goes left to right, so I get this:

     123
    x 24
    ----
    24
     48
      72
    ----
    2952
    

    1 x 24, then 2 x 24, and finally 3 x 24. I can do this fast because I’ve memorized my times tables, but at one point a friend asked me how this was really left to right, because when you look at 3 x 24, you’re back to the old “3 times 4 is 12, carry the 1. 3 times 2 is 6 plus 1 is 7.” Well, when I do ALL the work, it looks like this:

     123
    x 24
    ----
    2000 (100 x 20)
     400 (100 x 4)
     400 (20 x 20)
      80 (20 x 4)
      60 (3 x 20)
      12 (3 x 4)
    ----
    2952
    

    The difference really is I’m breaking apart multiplication into smaller addition steps. And now it makes sense to a lot more people. “100 times 20 is 2000” and so on. Once it’s spread out, it’s easier for someone new to pick up how I did it, and in a sense, why. It’s true left to right, all the way down. I don’t generally do long-form math this way any more, though, because like everyone else I had to learn the ‘real’ way of doing it, but also I started to memorize the patterns. I know without really thinking that 12 times 2 is 48. It’s a common enough equation that I memorized the answer.

    That means I can do all this in that even faster way you saw above. I just know that since 1 times anything is itself, the 4 from 24 goes under the one. Sometimes I have to remember to mark my place, if I’m doing less frequently combined numbers (I don’t seem to use 7s times 9s a lot). When that happens, I usually add on the zeros:

     123
    x 24
    ----
    2400
     480
      72
    ----
    2952
    

    When I don’t, to make sure I keep my place, I go far left top to far right bottom, since those two have to line up. That means I know the “1 times 4” answer (4) has to be under the 1, and the “1 times 2” answer (2) is one to the left. But that’s the advantage of understanding how all the numbers work together, and sets. I know how certain numbers combine, I’ve memorized their patterns, and I can apply them backwards and forwards not because I know the equations, but because I see the pattern.

    Now on to the rather controversial image I posted recently:

    [Image: New Math - Formula will be explained below]

    This shows you two ways to solve a problem. First is the ‘traditional’ way, or as I’ll call it, the fast way:

      32
    - 12
    ----
      20
    

    At its heart, this is a simple equation. Most of you went “Sure, 3 minus 1 is 2, the 2’s are the same, so 20.” Some of you went “1 plus 2 is 3, so it’s a 2…” Both are correct. Then you get the ‘new’ way:

    32 - 12 = __
    
    12 + [ 3] = 15
    15 + [ 5] = 20
    20 + [10] = 30
    30 + [ 2] = 32
    --------------
          20
    

    And a bunch of adults just went “LolWHUT!?”

    When I saw this math problem, the first thing I did was the same as you: “Why 15!? What?” I mean, we’ve all been told “Show your work, don’t pull numbers out of thin air!” Then I thought back to when I was a kid trying to understand this whole math thing. Fives were easy to remember: 5 10 15 20. It’s either a 0 or a 5, and the number in front went up by 1 every 0. We all kind of got that pretty fast. Number Roll (see?) taught me that concept really early on. That was my lightbulb moment.

    “OH! We’re adding X to 12 to get to the 5s, then we add Y to get to the tens, then Z to get to the base of 32 (30), and add the leftovers Q. Add up X, Z, Y, and Q, you get 20!”

    This is what I would call “the long way.” However, the thought occurred to me that this was a number roll-less way to try and teach children how numbers came together! Common Core (which is where this comes from) is actually sneak-teaching kids algebra, while at the same time giving them a reference for that rote memorization they had earlier. You remember your 5 times tables? This is how we use that information in a practical application!
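
    The two decompositions worked through above, as an added Python example (not part of the original post): partial_products reproduces the six-line breakdown of 123 x 24, and count_up_steps generalizes the 32 - 12 count-up to any pair of whole numbers, skipping a landmark that would overshoot the target. The function names are assumptions made for this example.

```python
def place_values(n):
    """Split a non-negative integer into place-value parts, left to right: 123 -> [100, 20, 3]."""
    digits = str(n)
    parts = [int(d) * 10 ** (len(digits) - i - 1) for i, d in enumerate(digits)]
    return [p for p in parts if p] or [0]


def partial_products(a, b):
    """Every place-value part of a times every part of b, in left-to-right order."""
    return [(x, y, x * y) for x in place_values(a) for y in place_values(b)]


def count_up_steps(small, big):
    """Count up from small to big: to the next 5, the next 10, whole tens, then the leftover.

    Returns (start, jump, landing) triples; the jumps add up to big - small.
    A landmark beyond `big` is skipped, so 12 -> 14 is a single jump of 2.
    """
    if small > big:
        raise ValueError("count-up subtraction needs small <= big")
    steps, here = [], small

    def jump_to(target):
        nonlocal here
        if here < target <= big:
            steps.append((here, target - here, target))
            here = target

    if here % 5:
        jump_to(here + 5 - here % 5)      # up to the next multiple of 5
    if here % 10:
        jump_to(here + 10 - here % 10)    # up to the next multiple of 10
    if here % 10 == 0:
        jump_to(big - big % 10)           # whole tens, up to the base of `big`
    jump_to(big)                          # the leftover ones
    return steps


if __name__ == "__main__":
    for x, y, product in partial_products(123, 24):
        print(f"{product:5} ({x} x {y})")
    print(sum(p for _, _, p in partial_products(123, 24)))
    for start, jump, landing in count_up_steps(12, 32):
        print(f"{start} + [{jump:2}] = {landing}")
    print(sum(jump for _, jump, _ in count_up_steps(12, 32)))
```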

    Part of the difference comes in if you think about subtraction as ‘Something new’ or ‘backwards addition.’ I tend to think of it as backwards addition, and multiplication is ‘Faster addition’ (division is ‘faster backwards addition’). I was fairly young when I realized that all math was really, at its heart, the same, it was just the formula you slapped in to make it messy. Everything comes down to adding for me, always. We’re all just playing fast ways to do things and solve problems, and this is starting with the long way first.

    All this comes back to what Richard Feynman wrote in the essay New Textbooks for the “New” mathematics:

    If we would like to, we can and do say, ‘The answer is a whole number less than 9 and bigger than 6,’ but we do not have to say, ‘The answer is a member of the set which is the intersection of the set of those numbers which is larger than 6 and the set of numbers which are smaller than 9’ … In the ‘new’ mathematics, then, first there must be freedom of thought; second, we do not want to teach just words; and third, subjects should not be introduced without explaining the purpose or reason, or without giving any way in which the material could be really used to discover something interesting. I don’t think it is worth while teaching such material.

    It’s his third point that I believe Common Core is trying to address. How many of you were taught the purpose of your times tables, after all? How many of you understood the reason besides ‘so I can pass the class’ that we learned to think of numbers and how they were put together? A lot of people seem to think that Feynman didn’t like kids to learn the application of math, to understand what it meant, but that’s incorrect. He railed against new math because it lacked word problems and applications of use! Yes, you hated those word problems, but they were meant to teach you application. Instead most people learned how to pick out the important bits and do the math as a simple formula to which they could apply that rote memorization.

    There’s a problem with this, though, and Common Core has the same problem that New Math does and that the ‘traditional’ way did back when I was a kid, so this is nothing new. It forces kids to learn in one way, and one way only. I was incredibly lucky in that my father let me do math my own way (he found it interesting), and once I showed my work (see above) he and my teachers saw that I had in fact achieved the absolute goal of number roll: I internalized the connection between math equations and the numbers.

    Rote memorization has a place. You memorize the tables, you can do math faster, and things like calculus will be surprisingly easier for you because all you have to do is put the numbers into the formula. At the same time, some of the other concepts will be a struggle because you don’t get the connections, you only know memorization and implementation.

    I will note that once you’ve memorized this stuff, it’s all a lot faster. I tend to count on my fingers when I’m trying to math days of the week (like today is the 5th, so next Wednesday is 12th) because I’m messing with names (Wednesday) and numbers, and then I have to remember how many days are in March, but I can do all this in my head, including calculating tax. And no, I don’t think it’s ‘cheating’ to use a calculator. The point is understanding what the relationships between the numbers are, knowing what formula to apply when and where, and enjoying it.

    That was the goal of New Math, you know. To make math something kids wanted to do. You should read Feynman’s “Surely you’re joking, Mr. Feynman!” and follow his account of being on the board to set up these new curriculums, and you’ll see exactly why they continue to fail over and over. It’s a pity, too, since I bet some kids are looking at the Core method and there’s a lightbulb going on over their heads. I hope parents aren’t scaring their own kids off math because the adults don’t understand this new stuff.

    Of course, a lot of this is the fault of the school system, in that the parents aren’t taught what the kids are learning or why. If you’re learning something at school, and at home your parents go “What? This is bullshit!” you’re going to have a harder time learning and accepting. Don’t believe me? Creationism. You’re welcome. The point being you have to reinforce what a kid learns at school in the home or they have to come to terms with the dichotomy of difference at a stage when they don’t understand enough of the world to get what that meant.

    Not that having multiple choices is great for every kid. Some people freak out when there’s more than one right answer, especially in math which in the beginning is remarkably straightforward (like spelling). There’s one right answer, but now you’re giving them multiple paths (spelling has this too, by the by: color, colour; grey, gray). It breaks brains. This, perhaps, is a little bit why WordPress is “Decisions, not options.” Maybe we’re giving people the options too soon, but when it comes to learning, we adults should already know there isn’t one ‘right’ way to learn and master skills. And with math, there isn’t going to be one perfect way to get those base concepts into their minds.

  • Why Not Multisite?

    Why Not Multisite?

    My most popular post ever has been Don’t Use WordPress Multisite, which I wrote in 2011. It’s 2014 so it was time for a revisit of this concept.

    The point I made in 2011, and again at WordCamp San Francisco in 2013, was that while Multisite is amazing and awesome and wonderful, it’s got limitations. I love it, I think it’s perfect for me, but I always keep those limitations in mind and try to educate people as to what they are. I think I have a pretty good grasp on them by now, and so does Nacin:

    [Image: Grumpy Cat: You want to duplicate everything? NO.]

    This may make you wonder what I could possibly say that hasn’t been said before? The questions remain the same, but the answers change a little as time goes by. I want to stress that for every single reason I’m going to list as a case for not using Multisite, I have probably broken it. Rules aren’t meant to never be broken, they’re meant to make sure we understand what we’re doing and why we’re doing it.

    The absolute number one aspect about Multisite that you cannot forget is this: Multisite is for running multiple WordPress blogs (aka sites) on one install (aka a network), with separate content but a shared base for code and users.

    If I was to make it a rule it would be this: Don’t use Multisite unless you want to run multiple WordPress sites, each with their own admin section.

    But …

    You know how I made that list of reasons? Like you don’t need it to categorize posts and make a site that’s all the same (or even all different), and I still firmly think that no one has any reason in the world to have a site that duplicates content 100%. Sometimes you do need Multisite for this stuff. Or rather, sometimes you can use Multisite, and it’s not the wrong choice!

    You don’t need Multisite

    WordPress comes with categories so just use that. Want to remove the word ‘/category/’ from your permalinks? WordPress SEO (by Yoast) can do that, as can No Category Base. Need to limit an author to a category? Use Author Category! In addition, there are Custom Post Types, which you can create for each ‘category’ and then limit authors using Custom Post Type Privacy.

    WordPress comes with categories and Custom Post Types which let you keep your site looking exactly the same from page to page to page, which is awesome. This is, in an essence, what WordPress was made for. If you don’t want your ‘sections’ to look the same, hey theme templates will let you customize the look and feel of each category (or CPT) as you want. WordPress is crazy flexible, and plugins are phenomenally wonderful to let you customize WordPress to the nth degree. Like categories as subdomains, which means it’s theoretically possible to do the same for a CPT. I know you can map CPTs to domains already.

    Before someone gets all snippy about how too many plugins make your site slow, I have to point out that too many poorly written plugins do this. It’s not the number, it’s the quality. A bad theme can slow your site down too, and I see that every single day.

    You could use Multisite

    So why would I use Multisite for those situations?

    [Image: Grumpy Cat: I used Multisite Once. I hated it.]

    What if your ‘sections’ aren’t just meant to segregate content? Like you’re selling eBooks and you want to run a whole special ecommerce tool for tracking and payment. Or maybe you’ve got a membership tool and want to set up a news site where people can register and write, but keep them off the ‘main’ site where you’ll be linking featured content back. What about a site that will exist for a year to represent an event like a WordCamp, and then be ‘retired?’ Suddenly we’re talking categories in a different light, and maybe, just maybe, Multisite would work for this.

    It’s easier in Multisite to totally re-skin a section because it’s using its own theme. You can quickly spin up a child theme just for one site, or use a plugin like the CSS Editor that comes with Jetpack to allow each site its own custom CSS.

    Because each site is separate, I can limit plugins and prevent load creep per site. Not every ‘section’ needs the same plugins, after all. And at the same time, the ones that do can be network activated. Also a growing number of plugins are taking Multisite into consideration, like W3 Total Cache now lets the network admin configure a large amount of caching settings for the network as a whole! This number grows every day.

    Which Should I Use

    There isn’t one perfect answer here, but that’s true of all things WordPress. I think my cardinal rules of Multisite are mutable and all colored with a great deal of “It depends.” For every single reason I wouldn’t use Multisite, I also would (and probably have) used it. You have to take into consideration supportability most of all, though. Multisite’s worst flaw is that it leads to cases where your eyes are bigger than your stomach, and your network becomes huge and unwieldy before you’re ready to cope.

    The one rule I’ve yet to break, and one I strongly feel no one should, is this: Never use Multisite if your users cannot know about other sites.

    Other than that? Hey, the world is your oyster!

    Multisite is big. It’s daunting. It’s complicated. It’s still, and probably will always be, harder than running a single blog, which makes sense. You’re no longer running a site, you’re running a network.

  • Is SEO Best Handled by a Plugin or Theme?

    Is SEO Best Handled by a Plugin or Theme?

    I’m not an SEO expert, but I know a heck of a lot more than many people who claim they are. For the record, I’ve been messing with SEO since it was ‘correct’ to put hidden text in the source code of your site. I used to spend time getting sites to rank well on Lycos and Altavista, back when I was but a wee intern for my friends. It’s fair to say I’ve been around the block with SEO.

    I don’t consider myself an expert because of skill, though in the last couple years, I’ve decided not to keep up as closely with things like schema, mostly because I don’t have to. I still retain a solid grounding in what does and does not make for good SEO (content!), and I understand that part of good SEO isn’t just content, it’s how the content is displayed for the reader, but also how the information is sorted for the computers at search engine companies.

    Credit: Plymouth UK

    About every couple months, someone asks me if I prefer using a theme or a plugin to manage my SEO, and I have been giving the same answer for a couple years now. I don’t use either.

    This does not mean that the themes I use aren’t ‘SEO’ optimized, of course. It means that I don’t use their ‘extra’ features. I use, primarily, StudioPress’ Genesis Framework right now, and that comes with an SEO settings page which I never use. Ever. In fact, I turn it off in any child theme I make. This is not because I don’t think that it’s useful, but that what I do ‘use’ for SEO is already included.

    My SEO consists of making my content fantastic, using a theme that includes schema headers (or adding them myself if not), and following the guidelines Yoast outlines in his article WordPress SEO Tutorial. I don’t do everything he says (he likes ‘category/postname’ for permalinks, I like ‘year/postname’ but if date doesn’t really matter, I use category instead), but I do read and think about what it means.

    That’s the crux isn’t it? I don’t blindly follow advice, or use a plugin or theme because people say I have to. I read, I think, and I come to logical conclusions, and I apply them after I write my post.

    For example, Yoast says not to use ‘stopwords’ in titles and make them SEO friendly. I take this to mean your human readable title should be gripping, but the title slug should be short, to the point, and descriptive. So I customize every single title. I come up with four or five before I post, and then when I have one with a good grab, I tweak the title slug to be as short as possible, while still being descriptive. Sometimes I’m better at this than others, but I keep working it.

    Next I customize my ‘publicize’ lede. This has to be good and it has to be short. I know I’m using my helf.us yourls, so the URL itself will be tiny, but that doesn’t mean I should use just my title for Twitter. I customize it, trying to make it a little more witty and pithy, to reflect me and my readers. Finally I customize my excerpt. Oh yes, my excerpts are all custom written, and they are intended to grab you hard. Like Yoast, I feel the only well written description is a hand written one, and I do it. For everything.

    This puts me at a funny disadvantage. Most plugins and themes I’ve seen tend to want you to make a custom meta description. There are plugins (like the one I do use, listed further down in this post) that allow you to use your excerpt as descriptions, but I’ve never quite understood why themes make this so hard. In Genesis, I have a field for “Custom Post/Page Meta Description” in every post, which if I use it, will change the meta value for description.

    When I dug into the code, I saw that it was pulling this:

    genesis_get_custom_field( '_genesis_description' );
    

    Clearly all I need to do is make that default to what I want. And when I figure that out, I’ll let you know. Right now, all I could do was remove Genesis’ function and replace it with my own. Not elegant at all.

    Now all that said, there are times when I need to ‘improve’ upon the SEO I’ve been given, because someone else is handling the content with far less care than I give. When that happens, I grab Yoast’s WordPress SEO Plugin. But for the most part, I don’t do anything on a regular basis that involves having to ‘customize’ my SEO, so it’s infinitely portable to any theme I want.

  • Facebook: Scam Artist

    Facebook: Scam Artist

    Stop me if you’ve heard this one…

    “Gain 500 likes! Just use our service!” or maybe “Click here to read how to get 1000 followers!”

    If you’re like me, you hear that, laugh at the silly scammers, delete/block as spam, and move on.

    But … what about when you get this in your notifications:

    [Image: likes]

    That’s not spam, it’s not a scam*, and it’s terrifying to consider. Facebook is sending me, as a ‘page’ owner, a suggestion that the only way to increase my likes (i.e. my presence on Facebook), is to pay them.

    Greed is Good

    I need to stop and tell you that I have absolutely no problem paying for things. Facebook provides a free service, and if they want me to pay them to promote my wares above and beyond the word-of-mouth business I’m doing, that’s awesome! Same with Twitter. These are businesses, and I’m totally copacetic, no, I’m totally in favor of paying them for above-and-beyond. Do I, as a user, like those ads? Generally no. But do I, as a business, appreciate them? Hell yes!

    And therein lies the line between the goals. As a user, my goal is to do what I want without a hassle. As a business, my goal is to get users to interact with me to convert them into users on my site, and thus profit like an Underpants Gnome. The reality is, of course, not that simple, but as we like to say, there ain’t no such thing as a free lunch. The dichotomy of social media is never more apparent than when I want to put on my business hat and try and evaluate the usefulness of any marketing campaign.

    Blackmail is Bad

    There is, however, a major difference between being “greedy” (asking people to pay extra for extra things) and what Facebook is actually doing. You see, Facebook intentionally throttles you. Facebook stops a large percentage of your traffic from reaching the people you follow. I wrote that a year ago, and guess what? It’s still true. So what they’ve done is create a false economy. This is not like virtual gold farming, where I pay someone to mine for junk on a game, and turn around and sell it at a higher price. That actually makes a certain amount of sense in an open economy. Instead, Facebook is creating a situation where your hard work is absolutely meaningless, and the only way to get what you want is to pay.

    At least with Gold Farming, if I wanted to put in the time and effort, I could see the same results.

    Director of Product Marketing for Facebook, Brian Boland, told TechCrunch back in 2012 that their behavior of only letting 12% of people who follow your business see your post isn’t bad, because “… there are pieces of content you create that are interesting, and there’s some that are not.” (Your Average Facebook Post Only Reaches 12% Of Your Friends – TechCrunch, Feb 29, 2012.) I don’t know about you, but that doesn’t make me happy. Someone else is deciding if something I said was interesting or not?

    Viral is Voted On

    The way we expect social media to work is like this: I make a post, people who follow me like it and repost it via likes or retweets, so people who follow them see it, read it, and the circle continues. So to many of us, it’s outright galling to hear that Facebook has always decided what is and isn’t ‘interesting’ and promoted your crap accordingly. Essentially they’re using Edgerank to decide if your content is worth sharing. The catch-22 of course is there is a practical limit to how organically you can increase your Edgerank score. That means to get higher, you have to pay, and now we’re back to blackmail.

    Now I, as a user, can change my feed to sort by ‘recent posts’ and not ‘most popular.’ And I, as a business, can write ‘more engaging’ posts and get my engagement (this is a technical FB term) up. I can get a pretty high engagement by posting at the right target audiences, and using catchy titles/content (which I do anyway). But it’s unclear, to say the least, that these things are happening! Had I not read the first article about the 12%, I wouldn’t have known to look for the others and see this was always the case and how to ‘fix it.’

    By the way, I don’t think requiring a user to make a change is a fix, I think that’s a cop out. Also that change resets every time you log in, or reopen your browser. Just like the chat setting I turn off every other week. Clearly Facebook ‘knows best.’

    Expectations are Engineered

    This reminds me of a story my friend Yesenia Sotelo (of SmartCause Digital) told me: Why Charity Engine Quit Facebook. When I read that article, I was amazed that they had ever treated Facebook like an email list. You see, what they used to do was send a message directly to their followers about news and services, using Facebook messages as their page. After all, people opt in to liking your page, so only people who wanted to communicate with you would do that, right? Nope!

    We want you to connect with your fans in the most effective way possible. That’s why as of September 30 you’ll no longer be able to send updates to fans using Facebook Messages. The best way to make sure your content is seen is to post it on your Wall so people see your updates in their news feed.

    Interesting how that’s not ‘effective’ isn’t it? That’s right up there next to Facebook telling me they know what content of mine is interesting before any human gets to interact. I don’t believe their AI is that smart. Popularity is not just math, it’s got to do with the pulse of reality as well as the flavor of the day. Release your product on the same day as a natural disaster? Poor timing, and you probably won’t be as ‘interesting’ as the time you release your new Dodgers themed product the day they clinch a playoff berth. Those aren’t things you can bank on, of course.

    Truth is Terrible

    The truth is this: Trust no one.

    Facebook’s bottom line is not yours. Neither is Google’s or Twitter’s. If, for now, your goals align with theirs, then great. But remember you’re not their audience, you’re their prospective customer, and you get what you pay for with them.

  • My Super Secret .htaccess File

    My Super Secret .htaccess File

    This came up back in April in the comments of WordPress Login Protection With .htaccess, where I remarked my .htaccess was pretty long and weird. It came up again when I was doing a MeetWP presentation about hacked sites and some security.

    So what is it? Actually less long and weird these days. I’ve been trimming stuff out. But since people ask, here it is, broken out into ‘chunks.’

    Security

    Everything in this section is for security purposes. That is, I feel it helps my site be safer.

    # Tinfoil Hat Stuff
    Options +Includes
    Options +FollowSymLinks -Indexes
    

    This is basic .htaccess stuff: it says to allow includes and symlinks, but stop indexes. This means if you go to halfelf.org/wp-content/uploads/ you don’t see anything, even if I don’t have an index file.

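    ### Blocking Spammers Section ###
    # Apache 2.2 access syntax; on Apache 2.4 this needs mod_access_compat
    # (the native 2.4 form is "Require all denied")
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>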
    

    Now we’re into a little odder bits. This stops anyone from surfing to my wp-config.php file. It shouldn’t matter, PHP won’t let it load the content, but if my PHP is off, it protects me just in case!

    # Stop protected folders from being narked. Also helps with spammers
    ErrorDocument 401 /401.html
    

    This is because of the next section. It gives a nice error for 401s, which WP normally gets gitty over. And not the fun way.

    <IfModule mod_rewrite.c>
    # Stop spam attack logins and comments
    	RewriteEngine On
    	# Only POSTs to the comment and login handlers...
    	RewriteCond %{REQUEST_METHOD} POST
    	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
    	# ...whose Referer is not one of my domains, OR whose User-Agent is empty
    	RewriteCond %{HTTP_REFERER} !.*(ipstenu\.org|halfelf\.org|otherplace\.net).* [OR]
    	RewriteCond %{HTTP_USER_AGENT} ^$
    	RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
     # SVN & Git protection
    	RewriteRule ^(.*/)?(\.svn|\.git)/ - [F,L]
    	ErrorDocument 403 "Access Forbidden"
    </IfModule>
    

    Ahhh, yes. Here I say “If you’re coming to wp-comments-post OR wp-login and you are NOT referred by one of my domains, sod off.” And then it says “Oh and if you’re looking for .svn or .git files? Go away.” This isn’t perfect, but it works for some of the botnets. The fun part is that the rewrite sends them back to themselves, which should cause annoying things to happen. Don’t want that? Redirect them to fbi.gov. Actually, if some tool had a page “Redirect botnets here…” I would use that, but generally I send them to http://lmgtfy.com/?q=wordpress+botnet because I’m that sort of kid.
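
    How the condition chain above decides, modelled in Python as an added example (not the author's code, and not Apache itself): conditions are ANDed, and the two lines joined by [OR] count as one. Request, Cond, chain_matches and the anchored STRICT_REFERER pattern are assumptions made for this example, and the sample requests are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:                      # constructed stand-in for one HTTP request
    method: str
    uri: str
    referer: str = ""               # "" means the header was not sent
    user_agent: str = ""


@dataclass
class Cond:                         # one RewriteCond line
    variable: str                   # Request attribute to test
    pattern: str                    # regex; a leading "!" negates it
    or_next: bool = False           # the [OR] flag

    def matches(self, req):
        negate = self.pattern.startswith("!")
        regex = self.pattern[1:] if negate else self.pattern
        found = re.search(regex, getattr(req, self.variable)) is not None
        return found != negate


def chain_matches(conds, req):
    """Conditions are ANDed; a run of lines joined by [OR] counts as one condition."""
    i = 0
    while i < len(conds):
        j = i
        while conds[j].or_next and j + 1 < len(conds):
            j += 1
        if not any(c.matches(req) for c in conds[i:j + 1]):
            return False
        i = j + 1
    return True


# The rule's four RewriteCond lines; the Referer pattern is unanchored.
PAGE_RULE = [
    Cond("method", r"POST"),
    Cond("uri", r".(wp-comments-post|wp-login)\.php*"),
    Cond("referer", r"!.*(ipstenu\.org|halfelf\.org|otherplace\.net).*", or_next=True),
    Cond("user_agent", r"^$"),
]

# Assumption, not from the post: the same allowlist anchored to the Referer's host.
STRICT_REFERER = r"!^https?://([^/.]+\.)*(ipstenu\.org|halfelf\.org|otherplace\.net)(:\d+)?(/|$)"
STRICT_RULE = PAGE_RULE[:2] + [Cond("referer", STRICT_REFERER, or_next=True), PAGE_RULE[3]]

BROWSER = "Mozilla/5.0 (constructed sample)"
SAMPLES = {   # constructed requests, not real traffic
    "login form on own site": Request(
        "POST", "/wp-login.php", "https://halfelf.org/wp-login.php", BROWSER),
    "no Referer, no User-Agent": Request("POST", "/wp-login.php"),
    "own Referer, empty User-Agent": Request(
        "POST", "/wp-comments-post.php", "https://halfelf.org/a-post/"),
    "GET of the login page": Request("GET", "/wp-login.php", "", BROWSER),
    "browser with Referer stripped": Request("POST", "/wp-login.php", "", BROWSER),
    "Referer from a look-alike host": Request(
        "POST", "/wp-comments-post.php", "https://halfelf.org.example.test/", BROWSER),
}


def verdicts(conds):
    """Map each sample's label to 'redirect' (the rule fires) or 'pass'."""
    return {label: "redirect" if chain_matches(conds, req) else "pass"
            for label, req in SAMPLES.items()}


if __name__ == "__main__":
    page, strict = verdicts(PAGE_RULE), verdicts(STRICT_RULE)
    for label in SAMPLES:
        print(f"{label:32} page rule: {page[label]:9} anchored: {strict[label]}")
```

    The "browser with Referer stripped" row is the cost of this rule: a real visitor whose browser or proxy removes the Referer header is redirected as well. The Referer header is supplied by the client, so the rule is a filter for unsophisticated bots rather than access control.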

    Speed and Bandwidth

    Now that I’m safer, let’s speed this stuff up!

    <IfModule mod_rewrite.c>
     RewriteEngine on
    # ultimate hotlink protection
     # Request carries a Referer, and is for an existing image file...
     RewriteCond %{HTTP_REFERER}     !^$
     RewriteCond %{REQUEST_FILENAME} -f
     RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$               [NC]
     # ...but the Referer is not one of my domains: answer 403
     RewriteCond %{HTTP_REFERER}     !^https?://([^.]+\.)?(ipstenu\.org|taffys\.org|halfelf\.org|poohnau\.us) [NC]
     RewriteRule \.(gif|jpe?g?|png)$                                 - [F,NC,L]
    </IfModule>
    

    First up, stop the hotlinks! I got the idea from Perishable Press, and it stops you from embedding my images. This means my site is faster, as you’re not sucking up my bandwidth. I get 5G so it’s not too much of a concern right now, but it’s the principle of the thing. Don’t hotlink images!

    ### Caching Section ###
    # mod_pagespeed
    <IfModule pagespeed_module>
    	ModPagespeed on
    	ModPagespeedEnableFilters defer_javascript,combine_javascript,move_css_to_head,insert_dns_prefetch,insert_image_dimensions,inline_preview_images,resize_mobile_images
    	ModPagespeedDisallow */FOLDERNAME/*
    	ModPagespeedEnableFilters insert_ga
    	ModPagespeedAnalyticsID UA-MYCODE-4
    </IfModule>
    

    I use Pagespeed on my server, so here I’ve added in my extra rules. Not everything is active for all sites. This is my default WP rule-set though, and it works well. I have it skipping a couple non WP folders, who have their own rules inside on their own .htaccess files anyway. If you don’t have pagespeed? Skip this section.

    # Expired
    <IfModule mod_expires.c>
    <Filesmatch "\.(jpe?g|png|gif|ico|woff)$">
        ExpiresActive on
        ExpiresDefault "access 1 year"
    </Filesmatch>
    
    <Filesmatch "\.(css|js|swf|mov|mp3|mpeg|mp4|ogg|ogv|ttf|xml|svg|html)$">
        ExpiresActive on
        ExpiresDefault "access 1 month"
    </Filesmatch>
    
        ExpiresDefault "access 2 days"
    </IfModule>
    ## END EXPIRES ##
    

    Oy. There are a couple ways you can control all these things. One is the way I did (filesmatch) and the other is ExpiresByType image/jpeg "access plus 1 year". Is one better than the other? I don’t know. Not that I’ve managed to see, but I find the filesmatch to be easier to read and add things to. It’s shorter. Does that make it better? Only insofar as my management goes.

    #Gzip
    <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript text/javascript font/opentype font/truetype font/eot application/x-font-ttf
    </IfModule>
    #End Gzip
    

    Finally we have gzip, which compresses and makes things smaller and thus faster. Using gzip saves me about 80% in filesize, so it makes things faster to download and, thus, display. If you’re using this in your .htaccess, do not also try to use it in plugins/extensions for other web apps; that way lies double compression and garbage on your pages.

    Add support!

    This is a really short bit to add in support for filetypes I use that aren’t always standard:

    # Add filetypes
    AddType application/x-mobipocket-ebook mobi
    AddType application/epub+zip .epub
    AddType video/ogg .ogv
    AddType video/mp4 .mp4
    AddType video/webm .webm
    

    Rewrites

    In general, this is useless to everyone else, save as an example.

    ### Massive Redirect Section! ###
    <IfModule mod_rewrite.c>
    RewriteEngine On
    
    # Apple Touch Icons
    RewriteRule ^(.*)-precomposed.png /code/images/apple/$1.png [L,R=301]
    RewriteRule ^apple-touch-icon(.*) /code/images/apple/apple-touch-icon$1 [L,R=301]
    
    # Ipstenu Moves
    RewriteCond %{HTTP_HOST} ^blog\.ipstenu\.org
    RewriteRule ^(.*) https://ipstenu.org/$1 [L,R=301]
    RewriteCond %{HTTP_HOST} ^ipstenu\.org
    RewriteRule ^blog/([0-9]{4})/([0-9]{2})/(.*)$ https://ipstenu.org/$1/$3 [L,R=301]
    RewriteCond %{HTTP_HOST} ^ipstenu\.org
    RewriteRule ^blog/(.*)$ https://ipstenu.org/$1 [L,R=301]
    RewriteCond %{HTTP_HOST} ^ipstenu\.org
    RewriteRule ^wp-content/blogs.dir/1/files/(.*)$ https://ipstenu.org/wp-content/uploads/sites/1/$1 [L,R=301]
    RewriteCond %{HTTP_HOST} ^ipstenu\.org
    RewriteRule ^(.*)favicon.(ico|png)$ /code/images/favicons/ipstenu.ico [L,R=301]
    
    # NB: This sort of thing is duplicated for other domains which also had things moved around
    </IfModule>
    

    I cut out a couple of sections, where what I did with the ‘Only redirect ipstenu.org’ stuff is repeated for each site. I built much of that after reading my 404 logs and determining what needed to be redirected. Everything is commented and in logical sections, so I can easily find and remember what the heck I was doing.

    This is the longest section, the stuff under # Ipstenu Moves and such, because they’re accounting for files that moved a million years ago. But the moves section is pretty straightforward too, as you can see where things went. I try to keep it as compact as I can. Sometimes I go through and make them more and more efficient, as I learn new tricks.

    What used to be here?

    I used to include the 5G Blacklist 2013 and/or the 2013 User Agent Blacklist (or whatever the current versions are), but now I don’t have it on all my sites because of the work I’ve been putting in on my firewall and ModSecurity instead. Every once in a while, someone tells me I’m putting too much work on Apache to handle the hackers and spammers, and I generally reply “Better Apache than WordPress.”

    Regularly, I go through my .htaccess and see what I can push over to ModSec. I also trim down my PageSpeed rules into things that work on most sites, things that only work on this site, and things that work for everything. This is why there’s no blacklisting here: it’s all handled by my firewall and mod_security and that’s that. I like to take the load off of Apache and .htaccess and PHP and make the server do the work.

    Why not nginx?

    Per-site configuration is still a pill. No, really, that’s it. It’s a hassle to redo everything I have in .htaccess, and I can’t just toss a .nginx file in there on the fly without restarting nginx, which means for shared hosts it’s just not gonna happen. Sucks. For managed hosting, where you don’t allow users to make those changes, sure, it’s great. But that’s not my use case. I may use it for a Varnish in front server one day, after I rebuild everything from scratch.

  • Don’t Fear The Auto Update

    Don’t Fear The Auto Update

    I was not surprised to see the backlash to Auto Updates. We spent a lot of time trying to figure out how to explain to people that while you can disable it, we really, really, really, really, don’t want you to, and basically ended up with a Codex page that explained how to configure it and then Nacin’s followup post that is, indeed, the definitive guide to disabling updates. But people hate it or love it, and there’s no middle ground. This was, as I implied, somewhat expected.

    Reasons why people hate it have varied from “I want to control my own updates!” to “This 3.7 upgrade broke something, so clearly you’re not ready!” Oh and don’t forget “You suck, I hate this! Why would you default this to on!?”

    I want to stress one really important thing here. The automatic background updates for WordPress are for minor updates only. We’re not talking about auto-upgrading people from 3.7 to 3.8, but just 3.7 to 3.7.1 – These are small, minor, updates. When someone comes to me and complains that major releases don’t always work, I have actually said, “So? We’re not talking about major releases.” And of course, “You are making good backups on these super important websites, right? Right?”

    It’s really easy to get bogged down with all the variable permutations about what updates could include and forget that WordPress started out simple. Yes, it’s defaulted to “on” because after intensive testing, and careful thought, WordPress core devs are pretty darn sure that these minor updates, which are more often than not security related, will not break a site. I’ll get back to breaking sites in a second. The point is that minor updates were picked specifically because it’s known that major upgrades can often break things.

    Why is it defaulted to on? This is my reasoning here… Because the people who wouldn’t turn it on are the people who need it most. If they don’t know it can be turned on, they won’t do it. And they need it. The people who don’t read all the nerdy things are the ones who are still running WordPress 3.4 (no I’m not kidding). I spend a lot of time debugging WP without ever seeing or really ever looking at their site. I know a lot of users don’t upgrade because of laziness, or fear, so I want to address this (see? told you I’d get back to breaking sites).

    Don’t fear updates

    I said this on Twitter: If your site breaks every time you update WordPress, it’s time for a theme and plugin audit.

    So what’s an audit? How does one audit?

    It’s really simple. I have a longer presentation I give on this, but let’s go over how simple and basic this is.

    Who is the author?

    This is really obvious. With one exception, every plugin I use that’s made by core developers is updated to fix problems right away. It’s tested on versions of WordPress in the Beta stage, or even on trunk. It’s reliable because the author is reliable. Using a plugin by Mark Jaquith? No fear!

    How active is the author?

    Sometimes even I have no idea who that author is, so I look them up. And I want to see how active they are in WordPress. If someone is engaging on trac and writing plugins and themes, and posting about WordPress, yes, I take the time to read up on them. Remember, I’m auditing the plugin! So I want to see that this author is active and writes or contributes in a way that I approve of. That helps me trust them. Now I’m not expecting them to code as prolifically as Nacin, or write as frequently as Chris Lema, or even scour trac like Scribu. I have realistic expectations. One of my favorite developers is ‘try-lingual’ when it comes to CMSs, so I’ll check on her to see if she’s able to keep up with all the myriad CMSs her code works on. She knows about every release coming up? No fear!

    How popular is it?

    The more a plugin is used, the more people are banging on it in a diverse myriad of environments in ways the author probably never imagined. This is good. This means that the odds are higher than normal that the plugin will work on a bog-standard setup. It also means if I have a common server type (shared) it will probably work. The odds also go up for a more active volunteer environment. Popular plugin, used by thousands? No fear!

    How often is it updated?

    This is a careful thing. I don’t particularly worry if a plugin is old (i.e. not updated in over two years) if the plugin is simple, or made by someone very reliable. Heck, I haven’t touched the code in Impostercide in years, but I do update the readme every couple of WordPress releases to avoid people thinking it’s been abandoned. That said, I do like to see if the complicated ones are at the very least updating their readmes to say “yes, compatible up to the most recent version.” That tells me not only are they testing, but they’re aware of what’s going on in WordPress. Updates are reasonable? No fear!

    What does the code look like?

    This is hard. This is really hard. I review plugins, and write them, and it’s just plain hard okay? If I’m lucky, I don’t actually have to do this. Examples? Okay, try StudioPress’ Genesis Theme. I don’t look at their code, unless I need to make a child theme. Even then, it’s a case of trusting them to do the best by me. I believe in their code more than mine most of the time. Another example? Anything managed by WordPress.org. But what about the rest? When it’s simple, I can read through the code, make sure it’s not doing anything nefarious and move on. When it’s not, I hire someone else to do it. You heard me. I pay people to do what I can’t because an audit of code is important. Now I don’t do this for every site. Personal/play sites? I may wing it, knowing I make good backups. But a big, company site? Oh you bet every single line of code was checked. Good code? No fear!

    Really? No fear?

    No. Not really. You have to keep in mind that none of these are absolutes. I don’t look at just one thing and say “Done, I have no fear.” I mean, I say ‘no fear’ in these explanations, but the truth is it’s the combination of these things that makes me fear less. WordPress is doing a good thing here and I’m not afraid of it.

    And in case you’re wondering, I’m using auto-updates on all my sites.