Half-Elf on Tech

Thoughts From a Professional Lesbian

Category: How To

  • HSTS and Chromium

    I use Chromium, which is like the super most beta beta of Chrome, for one reason: It lets me run Chrome ‘twice’ in separate environments. I have a reason for it, but it doesn’t matter for the purpose of this post. Neither does the reason why I was editing a subdomain I rarely use. What matters is this.

    I went to http://test.ipstenu.org and I got this:

    Cannot Connect to the real test.ipstenu.org

My BP must have dropped because my first thought was “Oh shit, I’ve been hacked!” and I got the cold sweats. After a rant on Twitter and a plea for test help, I determined this was only happening on Chromium, which was interesting, and my friend Benny pointed me to this Chromium Issue: Issue 350912: Chrome fetches https URL even when http URL explicitly specified which sure sounded right.

    Now the rest of the error was telling me that test.ipstenu.org was asking I use HTTPS (which it was not) and that the SSL Cert didn’t match that domain (which was correct, but again, there is no SSL cert for that subdomain). Weird, right? Why would it force https when I didn’t ask it to! But what if I was? As I read through the ticket, I saw that you could see the headers better at chrome://net-internals/#hsts so I ran that and got this:

    mode: STRICT sts_include_subdomains:true pkp_include_subdomains:false sts_observed:1402609861.497659 pkp_observed:1402608721.515596 domain:test.ipstenu.org pubkey_hashes: [...]
    

    That was odd. I knew I’d set this in my .htaccess file:

    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
    

    But from what I’d read that was getting set only if you accessed the site via HTTPS (or anything on the page was HTTPS). After all, no other browser was acting like this, not even Beta Chrome. Still I turned it off, flushed my server cache, flushed my browser cache, and deleted the TransportSecurity files from Chrome. Now it worked. Turned it back on? Error came back.

    It was here I realized “Chromium has decided that if you set HSTS, you mean that everything should be HTTPS regardless of the domain…” Well that’s just peachy! I pulled the HSTS line from .htaccess and instead tossed it into a PHP file for the subdomain(s) where I needed it:

    header("Strict-Transport-Security:max-age=15768000; includeSubDomains");
    

    Now. There are two situations particular to me that make this an epic pain in the ass:

First, I’m using WordPress multisite and I have SSL turned on for one domain. Second, I’m using WHM, which means editing my vhosts file to make this work properly is more of a hassle than it’s worth.


    Really wouldn’t it make more sense to check “Is this an HTTPS page? No? Okay, skip!” But this is a (to me) departure from the logic train. As my friend James (and I) understood, the logic of HSTS was “If any aspect of the page is HTTPS, force HTTPS” Instead of that happening, if you went to, say, ‘fake.ipstenu.org’ instead of going to my about page (yes, that’s on purpose), it gave me the error. If you go to ‘https://fake.ipstenu.org’ you should get a specific warning page and then a ‘shucky darn!’ page. And yet here I saw that no matter if I picked HTTPS or HTTP, I was forced to HTTPS and that’s just silly.

    Does my fix work? Of course. Am I happy? Nope! Oh, and yes, I filed a bug report with Chromium. You can read it at Issue 384069: HSTS in .htaccess forces https even when not specified
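What a browser actually does with that header, as an added example that is not code from the post: RFC 6797 says a user agent only stores a Strict-Transport-Security policy that arrives over a TLS connection with a valid certificate (the same header on a plain-http response is ignored), and includeSubDomains extends the stored policy to every subdomain of the host that sent it. A shared `Header always set` line fires on the HTTPS-enabled domain as well, and once a browser has stored that domain’s policy with includeSubDomains, a plain http:// request for any of its subdomains is rewritten to https:// before a connection is made, which then fails against a certificate that does not name the subdomain. The script below models those rules in POSIX shell; the example.com hosts and header values are constructed, not captured from the site.

```shell
#!/bin/sh
# Added example: how a browser decides whether an HSTS policy applies to a
# host, following RFC 6797. Nothing here touches the network; the hosts and
# header values are constructed for illustration.

# Normalise a header value: lowercase, strip spaces, one directive per line.
hsts_directives() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -d ' ' | tr ';' '\n'
}

# hsts_max_age "<header value>" -> prints the max-age seconds (empty if absent)
hsts_max_age() {
    hsts_directives "$1" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# hsts_include_subdomains "<header value>" -> 0 if the directive is present
hsts_include_subdomains() {
    hsts_directives "$1" | grep -qx 'includesubdomains'
}

# hsts_store <scheme> <domain> "<header value>"
# Mimics the UA on receiving the header. Prints "domain max_age include_flag"
# when a policy is stored; returns 1 if the header must be ignored (plain
# http, or no usable max-age) and 2 when max-age=0 tells the UA to forget it.
hsts_store() {
    scheme=$1; domain=$2; header=$3
    # RFC 6797 section 8.1: only processed over a secure transport
    [ "$scheme" = "https" ] || return 1
    age=$(hsts_max_age "$header")
    [ -n "$age" ] || return 1
    [ "$age" -gt 0 ] || return 2
    if hsts_include_subdomains "$header"; then sub=1; else sub=0; fi
    printf '%s %s %s\n' "$domain" "$age" "$sub"
}

# hsts_covers <host> <policy_domain> <include_flag> -> 0 if host is forced to https
# RFC 6797 sections 8.2/8.3: exact match always; a superdomain match only
# when the stored policy carried includeSubDomains.
hsts_covers() {
    host=$1; pdom=$2; sub=$3
    [ "$host" = "$pdom" ] && return 0
    [ "$sub" = "1" ] || return 1
    case "$host" in
        *."$pdom") return 0 ;;
    esac
    return 1
}

# Constructed scenario: a shared "Header always set" line is served by the
# one HTTPS-enabled site, example.com, with includeSubDomains.
POLICY=$(hsts_store https example.com "max-age=15768000; includeSubDomains")
set -- $POLICY
if hsts_covers test.example.com "$1" "$3"; then
    echo "test.example.com is upgraded to https (policy from $1, includeSubDomains=$3)"
fi
# The same header received over plain http is ignored by a conforming UA.
hsts_store http test.example.com "max-age=15768000; includeSubDomains" \
    || echo "plain-http header ignored"
```

The directive that decides whether a subdomain without a certificate gets upgraded is includeSubDomains on the domain that does serve HTTPS; leave it off unless every subdomain serves HTTPS, or send the header per vhost rather than from a shared .htaccess. The mod_headers form that restricts the header to TLS responses is `Header always set Strict-Transport-Security "max-age=15768000" env=HTTPS`, which at least keeps it from being emitted pointlessly on plain-http responses.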

  • Bad Replies to Bad Reviews

    My plugin brother, Pippin, wrote an awesome post about How to leave a good bad review. In it, he mentions a pretty common kind of email/review:

    Your crappy plugin doesn’t work. Waste of a download..

    Hmm.. I should buy pro!

    Fairly often, people get those as a review in the WordPress.org forums, and ask me (either as a plugin mod or a forum mod) to remove it. Most of the time, I don’t, and tell them that much.

    You see, the issue is not that you got a bad review. We all get them. The issue is how you handle the review. If you get a one-star review slamming your code, and you reply with a reasonable response, then you’ve taken care of the matter in a mature, adult, responsible way. If, instead, you call them names or email them, well then, we’re into the other world.

    If you’re demanding people remove a, single, one star review, in general I think you’re being childish. There are exceptions, where people are bitter and mean and everything falls into a hate-fest with slurs and pejoratives being slung around, and personal attacks galore, then you bet I’ll delete the thread. But you’ll probably get flagged for moderation too.

    Well. That escalated quickly.

There’s a good way and a bad way to handle a bad review. The bad way comes in two main types: over reactions and under reactions. The unders, that’s what you see from people like AT&T or Comcast, who pretty much ignore the complaints and use their power to delete them or shut them down. The overs are people who take their “Oh my god, this customer sucks!” to twitter and everything else, and generally make fools of themselves.

    When you’re asking me to delete a forum post that says “This plugin sucks, the author won’t refund me!” and you’ve made no attempt to handle the situation, I nearly always tell you to try first. “Hey, I’m sorry you’re upset. The no-refund policy was clearly stated on the order page, and I did attempt to work with you to resolve this, but you were asking for a major modification to the code that I didn’t feel comfortable with.” The rest of what I said, though, is gleaned from the paragraph long rant about how a three sentence review was hurting his ratings and no one was downloading his plugin anymore. Clearly because of one, erroneous, one star review.

    Go back to Pippin’s post. At the end, he shares an exchange with a very good ‘negative’ review, and a very good response. For the most part, that’s not what I see developers and the like doing. What I see is that knee-jerk reaction to an angry post, where hate feeds hate and suddenly you’re getting a bunch of bad reviews because you’ve been feeding the anger, and it’s a circle that ends with no one wanting to use your code because you’re mean.

    Recently, a developer who fell into that cycle got ‘busted’ making dupe accounts. Sock puppets, if you will. He used them to try and push his plugins, even though his main accounts were all closed. So we emailed him. We reached out and said “Hey, you know we know this is you. What’s really going on here, man?” And we started talking! He explained his side, we pointed out that the whole thing boiled down to how he’d been mistreating users, and if he could stop that, we were willing to re-enable his account and everything.

The one thing we did not do was delete his old posts, where he’d kind of lost his mind. Those bad events in the past made him who he was, for better or worse, and whitewashing the past did not change it. There was one way to change it, and that was for him to stop acting like that and to move forward, being a better person.

    For that same reason, I probably won’t delete that bad review. How it changes your product is not in the deletion but in the handling. If you take the task at hand, rise up and approach it fairly and maturely, it says more about you than anything else. If you are reasonable, thoughtful, and fair, you will have a better result in your reviews than anything else I could do with that deleted. You see, I would sooner trust a product that has bad reviews and good responses, than a plugin that has no bad reviews at all. One is understandable, the other is unrealistic.

    And personally? I’d hand over that refund.

  • C’mon Get Trac’in!

    After every major WordPress release I trawl the forums and look for new superstars. I usually find one or two people who, like I did five years ago, catapult themselves into the stratosphere by taking notice of issues of communication and correcting them. That’s how that OMGWTFBBQ post was born! WordPress 3.0 dropped with a lot of changes and people lost their minds. That’s the best part of a complex release.

The worst part is people losing their minds in the wrong places.

    Oh there’s nothing wrong with going batty over a change or reporting something is broken. What’s wrong is when you go into a half-dozen similar posts and repeat the exact same rant. Much like the superstars who get noticed because they’re being helpful, when you spam-rant, you become noticed in a bad way.

    No release is perfect, and WordPress’ ideology of ‘Release and iterate!’ means that we know we’ll have missed something, or not totally finished another, and it’s not everything we want yet, but also that the fastest way to get ready is to get more people poking at it and breaking it. This means we know things aren’t perfect, but it doesn’t mean we ship broken code. Still, change breaks things, and some of those things are outside our control (like TinyMCE 4 changed how it implements a lot of things).

    Naturally though, big changes cause loud complaints. For people who shout and demand to know why we had to change, the problem is where they do it, not so much how and with what language. The where problem is that someone will post a rant in a bunch of similar posts, or create a trac ticket when they haven’t done any debugging.

    It’s pretty easy to remember that the support forums are not your personal soapbox to stand on and shout about how much everyone sucks (or is awesome, I know). The forums are a place to describe your problem and get help.

    So … How DO you know when it’s time to get trac-a-lacking and make a ticket, and when it’s not?

    Is it just you?

    A quick search of the forums will tell you if you’re the only one with an issue. If you see one or two other people with similar issues, read deeper. Similar is not the same, so just because you both have a white-screen-of-death on the post editor does not mean it’s the same bug.

    Did you do the needful testing?

    Have you tried:

    • flushing any caching plugins you might be running, as well as server and/or browser caches.
    • deactivating all plugins (yes, all) to see if this resolves the problem. If this works, re-activate the plugins one by one until you find the problematic plugin(s). If you can’t get into your admin dashboard, try resetting the plugins folder by FTP or PhpMyAdmin (read “How to deactivate all plugins when you can’t log in to wp-admin” if you need help). Sometimes, an apparently inactive plugin can still cause problems. Also remember to deactivate any plugins in the mu-plugins folder. The easiest way is to rename that folder to mu-plugins-old
• switching to the Twenty Fourteen theme to rule out any theme-specific problems. If you can’t log in to change themes, you can remove the other theme folders via FTP so the only one left is `twentyfourteen`. That will force your site to use it.
    • manually upgrading. When all else fails, download a fresh copy of the latest.zip file of WordPress to your computer, and use that to copy up. You may need to delete the wp-admin and wp-includes folders on your server. Read the Manual Update directions first.

    (Can you tell I use that a lot?)


    Does it happen on a clean install?

The best testers test on a test site. Even on my personal laptop, the one I don’t code on, I keep a copy of MAMP handy, as well as a pure test site on a live server. But I’m weird. Still, if you’re even considering making a trac ticket, have a test site and test it there before you click that ‘new ticket’ button. It may feel like an extra hurdle, but having that clean test will make sure you’re not losing your mind sometimes.

    Have you asked anyone else about it?

    I admit, this works better if you know people, but if you do know someone, just ask. I bug my coworkers sometimes “Hey, do you see this? No? Okay…” It helps me sort out if I’m being crazy or not, and sometimes just asking “Anyone know why I might get this error…?” gets amazing results. Again, this works best if you have a network already, so don’t worry about this too much.

    Hope you’re right…

    Even I don’t know if it’s right to make a ticket all the time. I hesitate over those buttons a lot, and often delete the whole thing. It’s not super simple to know, so you have to make your best guess.

  • Nginx Proxy

    Will you all quit nagging me now? I kid. Very few of you actually got on my case about nginx.

Nginx is an HTTP server and reverse proxy, which is a really fancy way of saying “It runs websites.” Most people still use Apache, and Nginx is perceived as being faster with how it serves static files. My issues with it are twofold:

    1. I don’t just run WordPress here
    2. I need my .htaccess for those other things

    Yes, there are older webapps that don’t support nginx. But at the same time, what if I could have my cake and eat it too? What if I could use nginx to serve up the static files and apache for the rest? That would mean I would be able to install nginx on my CentOS 6 box as a reverse proxy.

It’s actually not that hard, but let me explain why this is a good idea. Apache takes up a lot of server memory, which nginx does not. Nginx is awesome at static files, but it does not run PHP itself: for dynamic pages it hands requests to a FastCGI process manager such as php-fpm. But… One of the sites on this server has a gallery that takes up 50% of the webspace of all accounts on the server. Stop and ponder that for a moment. While I do have server-side caching (memcached and ZendOptimizerPlus) running, adding in nginx up front means my images would be served faster.

Speaking of faster, by putting nginx in front, nginx handles the client connection itself and only passes complete, well-formed HTTP requests on to Apache, so malformed or slow connections (a common DoS tactic) never tie up an Apache process. That helps with connection floods; it does not by itself stop application-level brute force such as login guessing, which is why I still have (and use) mod security, of course, as well as ConfigServer Firewall. More on that later. Let’s get this sucker installed!

    yum install nginx
    

Install Nginx

    Oh, sorry? Was that supposed to be harder? It’s not. This is pretty much the simple part.

    Install nginxCP

Normally my next step would be to configure nginx (see Ben Tasker’s CentOS: Using NGinx to serve static files and Apache for dynamic for details) and apache. Unlike Ben, I have WHM on my server, which means when I build apache it’s with Easy Apache, which means any edits I make to my httpd.conf file get lost when I rebuild, which I do when I need to upgrade PHP. It’s not super rare, nor is it super common. Still, I don’t really want to mess with it more than I have to.

So I took the time to research my options, and came up with nginxCP and cpnginx. The real difference is cpnginx comes with a support service to help you (yes, it’s paid). Since I’m an Open Source woman, I did nginxCP. The cost ($55 a year) for cpnginx was not a deal breaker, since they had a trial.

    The install directions are quick:

# run as root on the WHM server
cd /usr/local/src
wget http://nginxcp.com/latest/nginxadmin.tar
tar xf nginxadmin.tar
cd publicnginx
./nginxinstaller install
    

A restart of the httpd service and now all my non-SSL sites are served up on nginx!

    Configure nginxCP and Apache

    I love when I can just slap it on and go, but I run ConfigServer Firewall to save my ass from DDoS, so I knew I’d be getting a slew of ‘Suspicious process’ alerts from my firewall once I added in a new feature. The fix is to add this to csf.pignore:

    # nginxCP
    exe:/usr/local/sbin/nginx
    

    That was all I needed! Emails, by the way, from CSF have plummeted. I was worried I wasn’t getting any emails or logs from my servers for a while. But then I re-checked my logs to see what was happening. See I used to get a lot of emails like this:

    Failures: 5 (mod_security)
    Interval: 300 seconds
    Blocked:  Permanent Block
    

    They stopped, because nginx didn’t let them get to Apache and CSF. Mind. Blown.

    Results?

Everything worked out of the gate, so I sat and watched my server load. As expected, since an httpd restart flushes my PageSpeed cache, the load spiked at .52 (this is still low). Then it dropped to .31 and then to .20, and it pretty much stuck around the .10 area. Memory, however, dropped for a while. That’s good! Slowly as things settled in, I made sure to post something new on a news/fan site, and watched things not go up very much.

    Nothing is weirder than watching your load drop to 0. The 93% memory is not a bad thing. On this server setup, I want to see somewhere around that at any point in time. The first time I saw it, though, I flipped out and my friend Benny (who is a cPanel goddess) calmed me down and explained how the ‘storm’ server worked. Real memory usage is about 40%, when load is above .40.

    Graph of server load, showing a big spike and then settling down

    The big spike was installing. The normal spikes at 14:00 and 14:30 were posts made in WordPress before nginx was installed. The ones at 16:00 and just after 17:00 are WP posts as well. That’s a nice change.

    Problems?

SSL. Wouldn’t you know? Now you can use nginx as an SSL reverse proxy, but it would bypass my cPanel add-in, which right now seems a little smarter for long term sustainability than doing it 100% manually. The less I have to remember when I’m rebuilding apache, after all, the better.

Still. Part of why I’m looking at nginx seriously is to speed up my SSL site which gets less caching by its nature. Weighing the pros and cons, I decided to stick with nginxCP as my theory is that by speeding up the rest, SSL will in turn be faster since there’s less memory being sucked up. Oh and I did check cpnginx about SSL, and they don’t support it either. That’s alright for now. I’m sure the future will change.
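One check worth running before reading a drop in mod_security notices as attackers being stopped, as an added example that is not part of the post or of nginxCP: with a reverse proxy in front, every request reaches Apache from the proxy’s own address unless nginx forwards the client address (proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;) and Apache is told to trust that header (mod_remoteip’s RemoteIPHeader and RemoteIPInternalProxy on Apache 2.4, or mod_rpaf on older builds). When that plumbing is missing, mod_security still fires but records 127.0.0.1, and a per-IP blocker such as CSF/LFD either has nothing useful to block or ends up blocking the proxy address. The script below runs that check over a constructed Apache access log (sample lines, not a real log); the proxy address 127.0.0.1 is an assumption to adjust to your own setup.

```shell
#!/bin/sh
# Added example: verify that Apache still logs real client addresses once
# nginx is proxying for it. If nearly every request appears to come from the
# proxy, mod_security and CSF can no longer tell offenders apart by IP.

# Constructed sample in Apache "combined" format (not a real log). The first
# three lines are what a backend sees when X-Forwarded-For is not honoured;
# the last line is what it should see: the real client address.
SAMPLE_LOG=$(cat <<'EOF'
127.0.0.1 - - [13/Jun/2014:10:00:01 -0700] "GET /wp-login.php HTTP/1.0" 200 1234 "-" "Mozilla/5.0"
127.0.0.1 - - [13/Jun/2014:10:00:02 -0700] "POST /wp-login.php HTTP/1.0" 200 1234 "-" "Mozilla/5.0"
127.0.0.1 - - [13/Jun/2014:10:00:03 -0700] "POST /xmlrpc.php HTTP/1.0" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jun/2014:10:00:04 -0700] "POST /wp-login.php HTTP/1.0" 200 1234 "-" "Mozilla/5.0"
EOF
)

# proxied_share "<log text>" <proxy_ip> -> prints "<lines from proxy_ip> <total lines>"
proxied_share() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF { total++; if ($1 == p) hidden++ }
        END { printf "%d %d\n", hidden + 0, total + 0 }'
}

# top_clients "<log text>" [n] -> the n busiest client addresses, "count ip" per line.
# This is the view a per-IP blocker needs; with the proxy on top it is blind.
top_clients() {
    printf '%s\n' "$1" \
        | awk 'NF { c[$1]++ } END { for (ip in c) printf "%d %s\n", c[ip], ip }' \
        | sort -rn | head -n "${2:-5}"
}

# check_proxy_visibility "<log text>" <proxy_ip>
# Returns 0 when the backend sees real clients, 1 when more than half of the
# requests are attributed to the proxy address itself.
check_proxy_visibility() {
    log=$1; proxy=$2
    counts=$(proxied_share "$log" "$proxy")
    hidden=${counts%% *}; total=${counts##* }
    [ "$total" -gt 0 ] || return 0
    if [ $((hidden * 2)) -gt "$total" ]; then
        echo "WARNING: $hidden of $total requests logged as $proxy;" \
             "forward X-Forwarded-For from nginx and enable RemoteIPHeader/mod_rpaf in Apache" >&2
        return 1
    fi
    return 0
}

# Run the check on the constructed sample: three of four requests are logged
# as coming from the proxy, so the blocker would see nothing to block.
check_proxy_visibility "$SAMPLE_LOG" 127.0.0.1 \
    || echo "per-IP blocking is blind behind this proxy"
top_clients "$SAMPLE_LOG" 3
```

Point the functions at /usr/local/apache/logs/access_log (or the per-domain log under the WHM account) after the proxy goes in; if the proxy address tops the list, read the nginx and Apache configs nginxCP generated and confirm X-Forwarded-For is both sent and trusted before taking a quiet mailbox as good news.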

  • It’s Not Beer It’s Homebrew

    If you’re a rookie getting your hands around all this webdev stuff, and you’re on a Mac, you may have already come to a rude awakening when you find out that, for reasons unknown to man, Mac decided we didn’t need wget.

That’s how I was introduced to Homebrew.

    I love wget, because it’s a super simple and fast way to download something. wget http://wordpress.org/latest.zip is the fastest way for me to download a zip, and I use it regularly. So one day, when deving code, I realized I needed a plugin. I went to wget it and got a horrible message.

    -bash: wget: command not found

    After searching around, I was about to download, compile, and install wget when a comment on StackExchange said “Try Homebrew.”

Everyone’s derisive comments aside about how ‘real’ programmers don’t install packages (seriously people), I said to myself “Ipstenovich,” I said. Yes, I call myself that sometimes. “You use yum to install packages on your server because it’s easier and safer. Why wouldn’t you use the same thing here?” Over to http://brew.sh/ I went and stared at the installer command like a fish.

    ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
    

The call ‘ruby -e’ means “run Ruby on the code given as the next argument.” The $(curl …) part is the shell fetching the installer script from GitHub and pasting its contents in as that argument, so Ruby ends up executing whatever the download returned. It’s tough to decide to trust a new program but after some serious banging around, I trust the Homebrew.


    Once installed, which doesn’t take long at all, I ran the check brew doctor which told me a couple things:

    1. I’d installed SVN and Git on my own (truth) so I needed to change my .profile (with directions how)
    2. I had a half-baked attempt at installing ImageMagick that needed cleaning (with suggestions how)
    3. I had MacPorts still in my /opt/ folder, that needed removing (with directions how)
    4. I needed to install xcode command line tools (with directions how)
5. XQuartz was out of date
    6. I hadn’t updated my brew list in a bajillion years

    Most people won’t have that last one. I did once have an older install of Homebrew that I’d never really cleaned up. However the other ones took me about an hour to clean up properly, because I was watching Fargo (the movie) at the time. Once installed and set up, I was able to install wget and upgrade it. Ditto OpenSSL (because Heartbleed, you know). It’s great.

    Homebrew is pre-1.0 which means there can and will be issues. Don’t panic, for most of what anyone needs, this is perfect. It’s also good at upgrading when you need to:

    Output of Homebrew, upgrading a few items at once

    The little beer mug is awesome.

One of the nice things about Homebrew is that it installs into a prefix your own user owns, so it doesn’t use (nor advocate the use of) sudo to install packages. This is really good for security and makes me feel much safer.

    Go forth, rookies, and install Homebrew! It will make your development much happier!
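The nginxCP install from the Nginx Proxy post (a wget of a tarball over plain http, then an installer run as root) and the Homebrew one-liner above share the same shape: fetch a script from the network and execute it without looking at it. The habit that makes that pattern checkable, as an added example that is not code from Homebrew, nginxCP or this post: download to a file, compare its SHA-256 with a digest you recorded after reading the script once, and only then hand it to the interpreter. The installer URL and the digest in the usage comment are placeholders, and the functions are exercised here on a constructed local file.

```shell
#!/bin/sh
# Added example: the "curl | interpreter" install pattern, made checkable.
# Fetch to a file, verify a digest you recorded after reviewing the script,
# and only then run it. Portable across macOS (shasum) and Linux (sha256sum).

# sha256_of <file> -> hex digest
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d ' ' -f 1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= *//'
    fi
}

# fetch_script <url> <dest> -> download only. -f fails on HTTP errors so an
# error page is never mistaken for the installer; --proto '=https' makes curl
# refuse plain http even if the server redirects to it.
fetch_script() {
    curl -fsSL --proto '=https' -o "$2" "$1"
}

# verify_and_run <file> <expected_sha256> [interpreter ...]
# Runs the script with the given interpreter (default: sh) only when the
# digest matches; returns 1 and runs nothing otherwise.
verify_and_run() {
    file=$1; expected=$2; shift 2
    [ $# -gt 0 ] || set -- sh
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual != $expected" >&2
        return 1
    fi
    "$@" "$file"
}

# Usage (network step shown, not executed here; replace the placeholder
# digest with the value you recorded after reading the downloaded file):
#   fetch_script https://raw.githubusercontent.com/Homebrew/install/master/install /tmp/brew-install
#   verify_and_run /tmp/brew-install 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef ruby

# Offline demonstration on a constructed script: the right digest runs it,
# a wrong one is refused.
DEMO=$(mktemp)
printf 'echo installer ran\n' > "$DEMO"
verify_and_run "$DEMO" "$(sha256_of "$DEMO")"
verify_and_run "$DEMO" deadbeef || echo "tampered or changed script was not run"
rm -f "$DEMO"
```

Pinning a digest on a URL that tracks a moving branch means the check fails the next time the installer changes; that is the point, since it forces a second look rather than silently running new code with your user’s (or, for the nginxCP case, root’s) privileges.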

  • Review: Sitespeed.io

    Let’s get this part out of the way first…


    Like most people, I have a suite of websites I check when I’m trying to figure out how well a site does with regards to speed. Google PageSpeed Insights, ySlow, GTMetrix (which does both), Pingdom Website Speed Test, Bytecheck… The list goes on and on. We want as many checks as possible in understanding what’s causing sites to be slow and what is not.

When I added in nginx I wanted to test everything again, and as I made my way down my list I thought “Isn’t there a way to do this and go make a coffee?”

    Sitespeed.io analyzes my site while I make coffee. It’s Open Source. It’s forkable. It’s easy to install. Since I’m on a Mac, I used Homebrew (which I’ll post more about in two days) but you can git clone, or download the zip, however you like.

    Once installed, you run a sitespeed.io call:

    $ sitespeed.io -u https://halfelf.org
    

This takes a little while but creates a folder off your home directory: ~/sitespeed-result/halfelf.org/2014-05-14-14-59/ and in there will (eventually) be a lot of files including an index.html. That one you open up in the browser. The scan definitely takes longer than a sitespeed check, but it’s also more in-depth in the ways I always wanted from sitespeed. Also since it’s HTML, I can toss it online and share with people.

    What I noted first was a ton of errors. Sad panda.

    phantomjs[88651:507] CoreText performance note: Client called CTFontCreateWithName() using name "Open Sans" and got font with PostScript name "OpenSans". For best performance, only use PostScript names when calling this API.

It also had a lot of crashes, which was when I wondered if everything was on the right version. Again, checked in with Homebrew, upgraded phantomjs, and tried it again. This time no errors (yay!)

    But then the process finished and I looked at my score. 81.

    So I dug into the results and looked at first my home page.

    You have 2 javascripts in the critical path and 8 stylesheets using 0 extra domains

    […]

    This page has 8 external stylesheets. Try combining them into fewer requests.

And it showed me what those were. Weirdly, I saw WP was calling jquery on its own, as well as the JS I minified and compressed with mod_pagespeed. Interested, I checked three other sites on my server, and they all have the same issue. It blows my mind that no other tool had pointed that out before. The stylesheets I knew were from my fonts. While I minified them all, I did not combine them because it made my font-icons break. I upgraded mod_pagespeed for Apache 2.4 and haven’t looked at that since, so I tried it again and, indeed, it worked now.

    I slowly worked my way down the list, noting things that I could easily fix. One thing that would ding me hard was my use of webfonts. Also not using a CDN still dinged me. Still, by using Sitespeed.io, I was able to see more exactly what was slowing my site down and why, and what I could sacrifice. Some things are going to be unavoidable (like “You are using an old version of JQuery: 1.11.0 …” ) and the multiple domains (google.com, wordpress.com, etc), but really the fact that I can narrow in with specific issues is perfect.

    There are a whole mess of options, like I can take screenshots with each page, restrict the scan to specific pages (or exclude others), check in mobile, test in specific browsers (note: this is more complicated!), and much more.

    So welcome, Sitespeed.io, you’re in my toolkit now!