Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: administration

  • Responsibility, Responsibility, Responsibility!

    So you’ve put your blood, sweat and tears into a site. You finally made it popular. You have regular visitors who comment, retweet, like and share your stuff. You’re getting traffic and the ads are actually paying for things! Everything should be smooth sailing, right? Wrong.

    Last year, I touched on the Dangers of an Unchecked MultiSite. While that was specific to the trials and tribulations of WordPress’s (then new) feature of MultiSite, it hammered home the lesson that you, who runs the site, are responsible for what goes on there. There’s a reason I have a comment policy on this site and a terms of use. I am aware of my responsibilities, but I don’t take responsibility for everything.

    You have to look at your website like a business. If you ran a business, you would be responsible for whatever crap your employees looked at on-line, how they used their phones, etc etc. If someone uses your services to do something illegal, you’re responsible. That’s why you have to sign your life away in blood. Not that anyone reads that stuff for most things, but you do agree to not break the law when you install your operating system, for example.

    At the end of the day, when you’ve made a site, you become responsible for the content (with some exceptions). You’ll note that the Terms of Use for this site have a pretty hefty bit of disclaiming going on, and outright say I’m not responsible for the contents of any message (i.e. comment). That’s a mostly legally safe claim to make, and I’m being up front saying ‘Hey, if someone’s a dick in the comments, that’s on them.’ Later on I say I reserve the right to delete anything I damn well feel like, and I do, but the point is I’m still responsible for your antics! That’s why a big part of running a site is moderating the community.

    If someone makes a comment you (or your visitors) deem to be offensive, it’s in your best interest to quickly take decisive action.  Make a choice, pick your stance, and stick by it.  Don’t waver or feel guilt. This is your site, your responsibility (there’s that word again). If it makes you understand it better, this is your job. The easy part of the site is building it, the hard part is maintaining it. For those of you who just spent months getting your site to look just right, the idea that something is harder than that may be daunting.

    First you put in the sweat equity to make the site. Then you spend hours researching and writing posts. You’ve already found out about how much time you have to put in fighting spammers. Now here I am telling you that you get to spend even more time and energy keeping the community of your site going. It’s okay to hate me. I actually spend more time these days keeping people in line and tending to them than I did on anything else a couple of years ago. That’s the real reason a lot of sites go in for moderating teams. It’s a lot of work to keep track of everything. Since then I’ve turned to what I call ‘community moderation.’ Plugins like BP Moderation (for BuddyPress users) and Safe Report Comments let your visitors flag posts for you to come back and review.

    Regardless of this, there remains one person responsible for this site: Me. I’m responsible for what people who have accounts do here. I’m responsible for what I say and what they say. I’m responsible for your comments and the ads on this site. Everything here is my responsibility and I take it seriously. To carry it up a level, if your site sells a product, you are responsible for all of that product.

    Recently there was a kerfuffle when Joost de Valk announced that his SEO plugin was being infringed on by WPMU Dev. Of course there was a public rebuttal by WPMUDev and a response to the rebuttal. Even WPCandy stepped in.

    Before everyone gets het up about this one, I honestly don’t care who’s right or wrong for the purpose of this post. My opinion, and yes, I have one, doesn’t matter.

    See, no matter what else, at the end of the day, a company is 100%, totally, unequivocally, responsible for their own products. Full stop. Everyone can agree to this (and as far as I can tell, everyone does agree on this point). No matter what, WPMU Dev is responsible for their products. No one is arguing this. The fact that they pushed a flawed product that slipped through their checks and balances is the point. They can’t blame the developer without blaming themselves for not checking his work. Regardless of whether they failed to check the plugin, forgot to tell the developer to always attribute his work, or whatever it may be, the company who hired the developer assumed all responsibility for the work which was then pushed forth in their name.

    They weren’t the first people to make this sort of error, and they won’t be the last. Making the error, in and of itself, is monumentally stupid, but you know what? We’ve all been there. We all take responsibility for these screw ups. It’s horrifying, the first time you realize you’re responsible for something that you’re not in control of, but there you are. You run a company. Sometimes things go wrong in ways you never predicted and should have, but didn’t. In 2009 Microsoft yanked code they’d stolen. I know, stealing is a dirty, hot-button word, but that’s what it is. PC World says it right:

    Third parties or not, though, Microsoft is responsible for making sure its software isn’t stolen, and it’s simply not doing the job. (Microsoft yanked code they’d stolen – PC World)

    Think it’s just software? Think again. Last winter, a small magazine called Cooks Source lifted someone else’s work, wholesale, and put it in their magazine. The author was attributed, certainly, but not compensated. When the author found out, she contacted them and asked for a $130 donation to the Columbia School of Journalism. She got a pretty awesomely horrible reply, and posted it on her livejournal. From there, the Internet exploded. (If you go to http://illadore.livejournal.com/ you can see the crazy first hand.) How far did it all go? Well the magazine is no more, after the Internet got their hooks in it. People called up the advertisers to tell them that Cooks Source was a plagiarist, and more than one advertiser bailed. Then it turned out they’d stolen multiple articles from multiple sources, unpaid, and photographs as well. Let’s not get into the website, which had stolen content all over the place.

    It’s your site. It’s your name. You are responsible. Make all the excuses you want, but it doesn’t exculpate you from that role.

  • What’s Your Net Worth?

    I get a lot of requests from people to link to their sites.  Back in the day, we all used to have massive link pages where we just listed all the cool sites we knew about.  On a fansite, I actually still have one where I list all the related sites, organized by how they’re related, separated by language, etc etc.  Here, though, you see a list on the right of links, broken down into “Websites” and “WordPress” and that’s pretty much it.

    The reason is that I subscribe to the belief of contextual links.  If a link, by itself, has no context, my reader cannot determine the inherent value of the link.  When I write a blog post, I try to put links that make sense inside my post.  On my fansite, where I have a moderately sized wiki, I link from the related page to the related site.

    Still, when people ask me to link to their site (or to friend them on Twitter/Facebook whatever) my knee-jerk reaction is “Why?” and it should be yours too!  You should always ask that when someone wants to network.  What’s in it for me?  What good will this bring me?  Do you write good content?  If you’re asking someone to link to you, you had better be bringing something good to the table, otherwise you’re an unsolicited request, and no one likes those.

    Perhaps this flies in the face of my SEO advice (which is to network), but networking doesn’t mean you should cold-call everyone with a related site and ask for attention.  Sometimes networking is linking to people, but it’s also tweeting and working the community.  If you have a site about dog biscuits, hang out on the Milk Bone forum and talk to people.  If someone has a question about the best biscuits for an old dog missing teeth, and you know you wrote a great post to it, you link to it.  “Hi, Bob.  My dog is 16 and he’s got no teeth on the right side, I know your pain!  I spent a lot of time researching this problem, and hopefully this will help you. Link.”

    Look at that!  You were nice, polite, and helpful!  It’s even better if you stick around and talk to Bob some more, if he needs it.  You’re building your reputation in a productive and constructive way. (Yes, it’s a lot of work.  If you haven’t caught on to that yet, I also have a bridge for sale …)  The most important part is that you told Bob why your link was going to help him.  You put up some cred and you didn’t make it too long.

    When you think about it, the best way to get people to link to you is to get them interested in your site. The best way to get them interested in your site is to make content of value. Part of having a site with perceived value is having a site that attracts myriad walks of life. It’s a vicious circle. You have to get that foot in the door for people to notice you, and that’s what makes you popular.

    How do you get the foot in the door if you don’t want to spend all your time on related sites?

    You don’t.

    Look. If this was a brick and mortar company, you’d be advertising, wouldn’t you? You’d know you had to network your vegan dog biscuits to all the hippies and dog lovers out there, and you wouldn’t think twice about it. You’d hire that idiot kid to stand on the corner in a gorilla outfit handing out coupons, or spin a sign while dressed as a sandwich. You would spend money and time to introduce the world to your brand.

    The Internet is the exact same way. So when you cold-email someone and say ‘Hi, I really like your stuff! Will you link to my site?’ you need to bring your A Game. You need to sell your work, explain to me why you’re worth space on my site, and how come I should read your blog. Just saying ‘I, too, am a blog about vegan dog food!’ doesn’t cut it for the bigger sites. You can’t expect people to spend all their time checking out people they should link to, especially if you’re not already linking to them. Think of it like coming up with a good cover letter for your resume. You want people to read that page and go “Yeah, this cat is cool!”

    Your links make or break you, but more important than who links to you is who, and how, you link to others. If you link to every dog site in the world, links from you are worthless. If you’re discerning and link only to the ones that mean the most to you, or are the most like your own site, then you’ve shown the ability to tell the difference between any old site and one of value. You’ve made yourself worth something.

    And when you’re there, you won’t need to ask people to link to you any more. That’s when you’ve made it.

    Just don’t think it’ll happen all in one day.

  • On the EU Cookie Law

    ETA: Please check out Trac #19622 – There will be a new way to do this in WP 3.4

    I’m going to be bold and tell you that the new EU law, which goes into effect in the UK on May 25th, is going to be impossible to track and enforce, and it’s being handled backwards, but besides that it’s actually a pretty good idea.

    For most people outside the EU, we have no real idea about what’s going on, so here’s a short recap. As of May 25th, a change to the EU law will require businesses to request permission from visitors to their websites before they can store information about their identity, history and preferences via third-party cookies. You can read the full details in the proposal or Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services. Those links are full of legalese.

    Now, I do want to point out that this only affects people who live in the EU. Arguably, it also only affects people who host sites in the EU, and you may be able to skirt around it by hosting in the US or Canada, but that’s a lawyer conversation. Basically, if you live in the EU and have a website that acts as a business, you’re kind of screwed. If you just have a blog with 100% personally controlled content and cookies that only come from your domain, you’re fine. The cookies, including the kind WordPress drops on your site, are not the kind they’re talking about. If your cookie is only tracking information used on your site (login information, recent comments, etc), you’re fine. If the cookie comes from someone else (like Google Analytics or Project Wonderful), then you need to explicitly tell the visitor and obtain their consent.

    This is done for a pretty good reason, when you get down to it. When you go to a restaurant and pay with your credit card, you trust that neither the credit card company nor the restaurant are going to turn around and give your personal information to some other company who uses it for their own purposes. Legally, they have to ask you for permission to use your info, and that’s why sometimes they ask for your zipcode when you’re checking out at a store (and also why you’re totally allowed to say ‘no’ when they ask). Third-party cookies, that is those put down by someone other than the domain you’re visiting, should also be ‘agreed’ to. The EU argues that just visiting a site with Google Ads does not constitute consent.

    Item #66 in the directive:

    Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

    That’s a pretty hefty thing to get through, but it clearly spells out that third party cookies are what they’re on about. And in that, they’re right. There should be transparency to all this. We should know when we’re being tracked around the internet. But they’re wrong in making this the sole responsibility of the website owners. This is not to say that, as a website owner, I’m not responsible for the cookies my site puts down. And this is not to say that, as a website owner, I shouldn’t tell people how cookies and personal information I collect are used on my site. But to say that the ‘solution’ is for me to alert you with “Hi, the EU says I have to tell you about cookies and make sure you’re okay with them on your computer.” or not to use things like Google Ads, Facebook Like buttons, or Twitter integration is unenlightened.

    The issue is not that I, as website owner, am using third party services, and it’s not even that I’m using those services in a ‘hidden’ way (I use Google Analytics on this site, which you can’t easily tell unless you look at my source code). The issue is that those services are using cookies to track you between sites. But it’s easier to go after you than it is to sort out how to go after them, at the end of the day.

    Arguably, this is also being done to protect the website owners. If a visitor agrees to have the cookies, then you’re no longer on the hook if they complain. How are they going to (1) verify that (a) you did ask first and (b) they did consent, and (2) enforce this at all? The only way this can be enforced is if someone (or a program) goes to every single website hosted in the EU, or owned by someone who lives in the EU, and checks them for cookies without explicit consent. This could be automated, and emails could be automagically sent out to the site-owners, who would in turn have to look at their software and ads and deduce what’s making the cookies. Already, the UK has said they know companies won’t meet the May 25th deadline and don’t plan to enforce the law yet.

    Let’s say that they decide they will enforce the law. How can they verify that a cookie for your site is on someone’s computer? WordPress saves cookies in the name of wordpress_verylonghashkey, where your HASH key is specific to your install. Now they do show up as ‘from’ the website domain.tld but they can be forged. The easiest way is to copy cookies from one computer to another (I just did that when I moved everything from my old desktop to the new laptop). Another way is to take the information I have in my cookie, and tweak it to apply it to someone else’s site. That way requires a lot more savvy, more information than I’m providing here, obviously, and it’s incredibly hard, but it can be done.
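    As an added example (not code from this post), here is a small Python checker that applies the first-party/third-party distinction drawn above to a list of cookies, and recognises this install’s own wordpress_<hash> cookies by recomputing the hash the way WordPress does (md5 of the siteurl option). The site URL and cookie list are constructed samples, and the registrable-domain check is a two-label approximation rather than a public-suffix list.

```python
"""Sort cookies seen on a page load into first-party and third-party, and
recognise this install's own WordPress cookies by their hash suffix.

Added example, not from the original post. Assumptions: WordPress names its
cookies <prefix> + COOKIEHASH, with COOKIEHASH = md5 of the 'siteurl' option;
the cookie list below is a constructed sample in the shape of a cookie-jar
export (name, domain), not a live capture.
"""
import hashlib
from urllib.parse import urlparse

# Prefixes WordPress combines with COOKIEHASH.
WP_HASHED_PREFIXES = (
    "wordpress_",             # auth cookie
    "wordpress_sec_",         # secure auth cookie
    "wordpress_logged_in_",   # logged-in cookie
    "comment_author_",
    "comment_author_email_",
    "comment_author_url_",
)
WP_FIXED_NAMES = {"wordpress_test_cookie"}
WP_PER_USER_PREFIXES = ("wp-settings-time-", "wp-settings-")   # suffix is the user ID

# First-party by domain, but written by an embedded third-party script (the
# classic Google Analytics cookies). The domain alone does not reveal who set
# them, which is why they get their own bucket.
EMBEDDED_SCRIPT_COOKIES = {"__utma", "__utmb", "__utmc", "__utmz", "_ga"}


def wp_cookie_hash(siteurl):
    """COOKIEHASH as WordPress computes it: md5 of the siteurl option
    (scheme included, no trailing slash)."""
    return hashlib.md5(siteurl.rstrip("/").encode("utf-8")).hexdigest()


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list, so a suffix like co.uk is not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_wordpress_cookie(name, cookie_hash):
    """True only for cookies set by this install's WordPress (matching hash)."""
    if name in WP_FIXED_NAMES:
        return True
    for prefix in WP_PER_USER_PREFIXES:
        if name.startswith(prefix) and name[len(prefix):].isdigit():
            return True
    return any(name == prefix + cookie_hash for prefix in WP_HASHED_PREFIXES)


def classify_cookies(siteurl, cookies):
    """Return [(name, domain, kind)] with kind one of 'third-party',
    'first-party-wordpress', 'first-party-embedded-script', 'first-party-other'."""
    site_domain = registrable_domain(urlparse(siteurl).hostname)
    cookie_hash = wp_cookie_hash(siteurl)
    results = []
    for cookie in cookies:
        domain = cookie["domain"].lstrip(".").lower()
        if registrable_domain(domain) != site_domain:
            kind = "third-party"
        elif is_wordpress_cookie(cookie["name"], cookie_hash):
            kind = "first-party-wordpress"
        elif cookie["name"] in EMBEDDED_SCRIPT_COOKIES:
            kind = "first-party-embedded-script"
        else:
            kind = "first-party-other"
        results.append((cookie["name"], domain, kind))
    return results


def needs_disclosure(siteurl, cookies):
    """Cookies the post's reading of the directive would have you tell
    visitors about: everything not set by your own WordPress install."""
    return [name for name, _, kind in classify_cookies(siteurl, cookies)
            if kind in ("third-party", "first-party-embedded-script")]


SITE_URL = "http://example.com"   # constructed; use your own siteurl option value

SAMPLE_COOKIES = [   # constructed cookie-jar export
    {"name": "wordpress_logged_in_" + wp_cookie_hash(SITE_URL), "domain": "example.com"},
    {"name": "wordpress_test_cookie", "domain": "example.com"},
    {"name": "wp-settings-time-1", "domain": "example.com"},
    {"name": "__utma", "domain": ".example.com"},
    {"name": "id", "domain": ".doubleclick.net"},
    # same prefix, but the hash belongs to some other install
    {"name": "wordpress_logged_in_0123456789abcdef0123456789abcdef", "domain": "example.com"},
]

if __name__ == "__main__":
    for name, domain, kind in classify_cookies(SITE_URL, SAMPLE_COOKIES):
        print(f"{kind:28} {domain:16} {name}")
    print("needs disclosure:", needs_disclosure(SITE_URL, SAMPLE_COOKIES))
```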

    If they only rely on cookies that show up when your site is visited, they have to come up with a way to verify that it’s your site that put down the cookies and the visitor agreed to have the cookies put down. They have yet to explain how they’re going to be checking sites, which means you, as a site owner, still have no idea exactly what is and is not illegal to do. Sort of hard to protect yourself against an unexplained law, and it’s worse when you remember that “ignorance of the law is no excuse.” That should cut both ways. Ignorance in creating the law is no excuse.

    There’s already a way for users to stop cookies from being stored on their computers. Every browser out there has a way to turn off cookies. Most have a way to say ‘Don’t allow third-party cookies.’ If that’s not enough, Don’t Track Us has plugins for most browsers that let you block tracking plugins.

    To make this work, the EU needs to explain how they’re going to determine if you’re in violation of the law, and how they will enforce it. They also need to take this to the streets and tell the third-party cookie makers to stop. There are ways that third party tools can work around this, and one of them could be to tell people when they log in to Facebook “We reserve the right to use your login credentials and other account information stored in cookies on other sites.” After all, the cookie belongs to Facebook! Or we could just not use cookies at all for that sort of thing. But that has to change at the source of the matter, the third-party, and many of them don’t tell people that their cookies are used in such a way.

    As it stands, this law won’t be enforceable, it won’t be understandable, and it will cause more hassle for the wrong people without protecting anyone at all. It’s still a great idea, but it’s just not going to work this way. All they’ve done is make a law to tell people that their hot coffee is, indeed, hot.

    Further Reading

  • Stopping Stalkers

    We’ve all been there. One day you’re out enjoying the net, and the next you have a complete and total turd making your online life hell! What do you do? There are a lot of answers to this, but really it boils down to two types of reactions. You have to change your behavior, and you have to change your online accessibility.

    Changing your behavior is pretty obvious. Once someone starts abusing you online, calling you names, or just angry-ing up your blood, walk away. This is the hardest thing in the world, but do it. Most idiots will stop once you stop feeding them, which is why we always say ‘Don’t feed the trolls.’ When people go past your garden variety gnome moron, however, and start harassing you (and you know there’s a difference), you need to do more than just change how you react. Basically you need to stop making the problem worse. If you’re angry, you log off, walk away and grow the hell up, or you deal with the shit-storm you created.

    On the technical side of things, there’s a lot you need to do. If you’re on Facebook, Twitter, MySpace or any public forum with this person, you block them. If they evade the block by making new accounts, report them. Most sites have a policy about this, and the more you have to report them, the more likely they’ll get banned. Always remember to mention ‘I blocked this guy because he was harassing me. Now he’s made a new account to do it again.’ This will take a lot of doing, and a lot of arguing, but it will get things done. Block them on IM, Skype, everything you can think of that they might have.

    Once you’ve taken care of them on sites outside your control, let’s look at your site, which is the meat of this post.

    If you have a stalker, you want them to stop being able to contact you, right? If you have a blog, block their email in the comment blacklist. Just turf ’em. You don’t need to see them. If the harassment is bleeding into real life, I would moderate them instead, since you might need the comments for later proof in a legal case, but the effectiveness of that is in doubt right now (it’s too easy to fake that stuff). Make a note of the IP address and block that as well.

    In fact, block the IP from your server via .htaccess:

    # Apache 2.2 (mod_authz_host) syntax: Allow rules are evaluated first, then Deny
    order allow,deny
    # a single address
    deny from 123.45.6.7
    # a partial address (trailing dot) blocks the whole 012.34.5.* range
    deny from 012.34.5.
    allow from all

    If you have a firewall on your server, toss the IP in there as well. This serves two purposes. Most importantly, you no longer have to deal with nasty comments, but also, you are no longer feeding the troll, because the troll can’t get in. Of course, this isn’t perfect, as most of us use multiple IPs because our addresses, even with high speed, will change. This will only become more and more futile as we get into IPv6. In fact, you may recall I once said Don’t block IPs. When I said that I was talking, specifically, about spammers and bots. Blocking them by IP is futile. But blocking your stalker? Actually effective in certain cases, because some stalkers aren’t very technical. Alas, it’s only some. When you have a smart stalker, who knows how to use proxy servers to their benefit, you have to start learning tricks like How to Block Proxy Servers via htaccess.

    This won’t stop everything, of course, and I generally spend a bit of time with my firewall (I use CSF), activating the Real Time Block Lists (RBLs) and adding in certain countries to my block list using CC_Deny. I don’t like doing that, but sometimes you have to. I’m a pretty big advocate of Bad Behavior which, while it runs via PHP, can be instrumental in stopping bots. That helps me sort out proxy servers, since once you understand how Bad Behavior works, you can check its logs and weed out the proxy servers. Grown up Geek’s post on How We Block Proxies, Bots, Scrapers, Trolls & Assholes is an invaluable resource here.

    This also doesn’t stop email, and I personally filter all of mine on the server level. This does mean I keep the emails on my server, but again, this is something useful to have if these things ever go to lawyers. If you use IMAP, generally it’s okay to keep the emails up on the server, but it’s also a good idea to save them as .eml files to your computer, as they store all the data needed to trace back the emails. Most of us never need this, but the CYA is worth it.
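    To tie the .htaccess block above and the advice about keeping .eml files together, here is an added Python example (not from the post) that reads the Received chain out of a saved message, takes the earliest hop as the originating address, and checks every hop against the deny entries in that .htaccess snippet. The message and the .htaccess text are constructed samples, and any Received line below your own relay is text the sender controls, so a match is a lead rather than proof.

```python
"""Pull the Received chain out of a saved .eml and compare it with the
addresses already denied in .htaccess.

Added example, not from the original post. The message and .htaccess text
are constructed; the deny entries mirror the snippet in the post.
"""
import email
import re

# Constructed sample: a message that passed through two relays before us.
# Relays prepend their Received header, so the last one is the earliest hop.
SAMPLE_EML = """\
Received: from mx.ourhost.example (mx.ourhost.example [198.51.100.9])
\tby mail.ourhost.example with ESMTP id ABC123; Mon, 23 May 2011 10:00:03 +0000
Received: from relay.isp.example (relay.isp.example [203.0.113.7])
\tby mx.ourhost.example with ESMTP; Mon, 23 May 2011 10:00:02 +0000
Received: from [123.45.6.7] (unknown [123.45.6.7])
\tby relay.isp.example with SMTP; Mon, 23 May 2011 10:00:01 +0000
From: someone@example.net
To: me@ourhost.example
Subject: test
Message-ID: <constructed-001@example.net>

body
"""

# Constructed .htaccess with the same deny entries as the post's snippet.
SAMPLE_HTACCESS = """\
order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all
"""

# Relays record the peer address in square brackets.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_eml):
    """Bracketed peer IP of each Received header, earliest hop first
    (None for a header with no bracketed address)."""
    msg = email.message_from_string(raw_eml)
    hops = []
    for value in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(value)
        hops.append(match.group(1) if match else None)
    hops.reverse()
    return hops


def originating_ip(raw_eml):
    """The address the first relay saw. Headers below the first relay you
    trust can be forged by the sender, so treat this as a lead, not proof."""
    chain = received_chain(raw_eml)
    return chain[0] if chain else None


def parse_htaccess_denies(htaccess):
    """Collect the 'deny from <addr>' entries (full or partial addresses)."""
    denies = []
    for line in htaccess.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "deny" and parts[1].lower() == "from":
            denies.append(parts[2])
    return denies


def _octets(addr):
    # Trailing dot allowed (Apache partial-address form); octets compared numerically.
    return [int(o) for o in addr.strip(".").split(".")]


def is_denied(ip, denies):
    """Apache 'deny from' semantics: a full address matches exactly, a
    partial one (1 to 3 leading octets) matches the whole range."""
    ip_octets = _octets(ip)
    for entry in denies:
        prefix = _octets(entry)
        if ip_octets[: len(prefix)] == prefix:
            return True
    return False


def blocked_hops(raw_eml, htaccess):
    """Hops in the message's chain that are already on the deny list."""
    denies = parse_htaccess_denies(htaccess)
    return [ip for ip in received_chain(raw_eml) if ip and is_denied(ip, denies)]


if __name__ == "__main__":
    print("chain (earliest first):", received_chain(SAMPLE_EML))
    print("originating IP:", originating_ip(SAMPLE_EML))
    print("already denied:", blocked_hops(SAMPLE_EML, SAMPLE_HTACCESS))
```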

    When things start to spill over into your ‘real’ life (or at least your physical world), don’t be afraid to go get a lawyer. Yes, this will cost money, but if you’ve done all this and can use it to prove this person is escalating their behavior, a good lawyer will know how to get you a restraining order. If you’re not being stalked today, lucky you! I would strongly suggest you do a few things in advance, though! You already know not to put anything out on the net if you don’t want it found, but I would also say that if you registered a domain, consider making your registration private. That will hide your address and phone number. If they’re calling your phones, the phone company can block them, and it’s definitely worth your while to ask them to do so. Peace of mind is part of the reason, but the other is that if you ever end up in court, you can show them the phone company records.

    A word of legal advice, here. The courts recently ruled that an IP address is not a person. This means that even if you have a bunch of emails and comments and whatever from a specific IP, that alone won’t be just cause for a warrant to break the door down. That’s a good thing for most of us, and means you’ll have to do your detecting the old-fashioned way.

  • WordPress MultiSite – New Dashboards

    Back in the WordPress MU and the recent WordPress Multisite 3.0.x days, we had something called a ‘Dashboard Blog.’ This was the ‘main’ site of your install, and ostensibly was the default blog to sign users up to and control them from. This was also where you, the admin, had the Super Admin menu. So what were those things for and why were they moved? After all, a lot of people will tell you they worked just fine.

    The simplest answer is that it’s considered good design to separate the ‘user’ interface from the ‘admin’ interface. That’s why, when a regular user with the lowest role possible logs in to a regular (non-MultiSite) WordPress install, they see a very limited site. They see a dashboard, their profile, and that’s it. You want to keep the subscribers out of your meat and potatoes. Pursuant to that, there are plugins like WP Hide Dashboard that kick users to just their profile. I love that plugin, because it hides the man behind the curtain. If the Dashboard of WordPress is not a part of your desired experience (and really, it only is for the people who run the site), then you keep Dorothy, Toto, the Scarecrow, the Tin Man and the Cowardly Lion out, Ruby Slippers or not.

    When WordPress 3.0 came out, it was a bit of a chimera. We’ve got all sorts of weird parts where we call things blogs instead of sites, and from the back end, it’s really confusing. The sad thing is we cannot declare by fiat, fix it all, and move on, because that would break backwards compatibility. Did you know WordPress is backwards compatible, nearly all the way to the start of WordPress 1? (17 Reasons WordPress is a Better CMS than Drupal – Mike Schinkel, Dec 1st, 2010) In order to be able to upgrade from WordPress MU (which was a fork – i.e. a totally separate version – of WordPress), the fold-in of MU to regular WordPress was a lot of work and duplication. There are some things I’m sure the devs would have chosen to do differently in a perfect world, but they decided the headache for them was worth it because it was beneficial to the users. For that alone, I laud them and owe them beers and coffee.

    One of the many drawbacks of that mentality is the users are very much used to getting what they ‘want.’ The users think ‘This worked before, it will always work, therefore, it’s cool to do it now.’ Take (not for random example) the issue with the /blog/ folder in the main site of any subfolder install. (Switching to WordPress MultiSite Breaks Links – Mika Epstein, 14 July, 2010) Back in the 3.0 days, we had a work-around to fix this, but that was a ‘bug.’ We were all taking advantage of a flaw in the system, and that flaw was plugged (mostly) in 3.1. Of course, fixing the flaw meant breaking things, and those people who were not up to speed on the dev channels (which in this instance included me) went ‘Hey, what the hell!?’ We were angry, we were upset, and then Ron told me that it was a bug and I stepped down.

    A lot of people are still annoyed by this, and while there is still a buggy workaround, it’s not something I would generally suggest be used for my clients (myself, yes). Then again, the original tweak wasn’t something I considered using for clients, since I was always aware that WordPress’s stated intent was to make that /blog/ slug customizable. And I hope they do.

    What does this have to do with the new dashboards? It’s another change WordPress implemented to ‘fix’ things people didn’t see as broken. The people are wrong.

    Now don’t get all het up, thinking I’m drinking the WordPress Kool-Aid. There’s a vast difference between being ‘WordPress is always right, WordPress can do no wrong’ and the acceptance that what WordPress did was for a good, understandable, reason. In software development, I’ve learned to distance myself from the all too personal feelings of investment in my product. Many times, the product needs to be designed in a certain way to work better for the majority of people, and many times, I am not that person. Look at JetPack. This is a fantastic plugin for people moving off WordPress.com and onto self-hosted WordPress. It has absolutely no meaning to me, and I won’t be using it. But it’s great for the target audience. I accept that I am not that audience, and I look at the product with as unbiased an eye as is possible.

    I have to look at the Network Admin and User Dashboard the same way.

    The Network Admin was moved from a Super-Admin sidebar menu to its own section, in order to provide a clearer delineation between Site Admin (in charge of one site) and the Network Admin (in charge of all sites). (Network Admin – Trac Ticket) (Network Admin – WordPress MustUse Tutorials, October 21, 2010) This is a basic, normal, everyday bit of separation in my everyday life. For one app I use, I even have a totally separate ‘Admin App’ to use when I want to control the whole network, versus just one part of it. It’s done for security, but also to kick our brains over and go ‘Hey, moron, you’re in the Network admin section!’ Our brains need that kick, and it lessens the human errors. In doing this, we also found the plugin management was separate. Per-site admins saw the non network-activated plugins only. The Network Admin had to go to the Network Admin section to see the network-activated plugins and the must-use plugins, though many plugins needed to be recoded to handle this move. (Adding a menu to the new network admin – WordPress Must Use Tutorials, November 30, 2010) While this is annoying and takes a little time to get used to, this is good, sound UI/UX. It’s called “Separation of Duties” in the buzzwords game, and it’s really a blessing.

    Once they moved the Network Admin, the devs took a shot at getting rid of the Dashboard Blog. (Personal Dashboard – trac ticket) Once you moved the super users off to their own network, there’s no need to sign-up users to a main blog. I assume this was originally done because you had to hook them in somewhere with 3.0, to make them be a ‘user.’ Well, now WordPress.org Multisite behaves like WordPress.com. You sign up for a blog but unless you get assigned a role to the blog, you’re not a ‘member’ of the blog. And you know… that’s sensible. You have no real role as a pseudo-subscriber. Nor do you need one.

    As I pointed out, part of the goal with moving the menus to Network Admin is that the whole ‘Dashboard Blog’ concept was a massive annoyance to everyone code-wise and UI wise. Having to say “Oh yeah, the main site is the master site and it’s where I control the universe” is logistically unsound. Much like you cannot in-line edit posts, you should not be mixing up Admin and User areas. So to further that separation, your users are not assigned to any site when they register. I find I need to repeat, a lot, that in most cases, this has no effect on usability. It doesn’t affect my BuddyPress site at all, because the users are the users. They just don’t have blog access. They can comment, which is all they need to do for me, and they’re happy. If they need to make posts, I can add them if I want to. But now I have security, knowing they can’t accidentally get in and poke around.

    Like it or not, it’s not going away. And most of us won’t need it to come back. I do know that some people do need it, and are struggling to find a way to auto-assign users a role on their main site at ID creation, so if you know of a fix for 3.1, please share it!
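    For those who do need the old behaviour back, here is one way to do it as a must-use plugin. This is an added example, not code from the original post or from WordPress core; it assumes the built-in ‘subscriber’ role is the one you want, that the main site is the one `$current_site->blog_id` points to, and that `wpmu_new_user` (fired by `wpmu_create_user()`) is the point where new network accounts appear.

```php
<?php
/*
Plugin Name: Example: give new network users a role on the main site
Description: Added example (not from the original post). WordPress 3.1 no
             longer attaches registrants to a Dashboard Blog; this hands each
             newly created user a low-privilege role on the main site instead.
             Drop it in wp-content/mu-plugins/ so it loads network-wide.
*/

// Assumption: the lowest built-in role is what you want. Keep it minimal;
// you can always promote individual users from the site's Users screen.
if ( ! defined( 'EXAMPLE_MAIN_SITE_ROLE' ) ) {
    define( 'EXAMPLE_MAIN_SITE_ROLE', 'subscriber' );
}

function example_assign_new_user_to_main_site( $user_id ) {
    if ( ! is_multisite() ) {
        return; // nothing to do on a single-site install
    }

    // $current_site is populated by the multisite bootstrap; blog_id is the
    // main site of the network (where the old "Dashboard Blog" lived).
    global $current_site;
    $main_blog_id = (int) $current_site->blog_id;

    // Idempotent: if something else already gave this user a role on the main
    // site, leave that role alone rather than overwriting it.
    if ( is_user_member_of_blog( $user_id, $main_blog_id ) ) {
        return;
    }

    // add_user_to_blog() returns true on success or a WP_Error on failure.
    $result = add_user_to_blog( $main_blog_id, $user_id, EXAMPLE_MAIN_SITE_ROLE );
    if ( is_wp_error( $result ) ) {
        error_log( sprintf(
            'example mu-plugin: could not add user %d to site %d: %s',
            $user_id, $main_blog_id, $result->get_error_message()
        ) );
    }
}

// wpmu_new_user fires inside wpmu_create_user(), right after core strips the
// default role from the new account, so every account created through that
// path (including network signups) gets its main-site role here.
add_action( 'wpmu_new_user', 'example_assign_new_user_to_main_site' );
```

    Because the role is granted on the main site only, users still get nothing on the other sites in the network unless an admin adds them there.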

  • Has your site been exploited or victimized?

    Has your site been exploited or victimized?

    Nothing frosts my lizard more than someone saying ‘WordPress has been hacked!’ and I’ve finally decided it’s just a case of ignorance.

I’ve been using WordPress since around the famous 2004 MovableType bait’n’switch, when they decided to go paywall. That was not what made me switch to WP. In fact, I had already installed a b2 site to allow anyone in my family to post a story about my grandmother (and I should really put that back online one day…). It was a lot of little things that made me switch, and I don’t really regret my choice. MT is very useful, very cool and very impressive, but it wasn’t what I wanted or needed.

Yesterday, Byrne Reese posted about how WordPress Won the Blog War. He’s a former Movable Type project manager, so I presume he knows what he’s talking about. As a former member of the MT community (under a non-Ipstenu handle) and current heavy user of WordPress, it’s very entertaining to hear a behind-the-scenes view of the ‘war.’ I never saw it as a war, and as anyone who knows me can attest, I’ve never been a rabid fanboi for one OS or another, one product or another, simply because of who makes it. I like my iPad, but if it doesn’t work for you, I’m more than happy to help you find an alternative. I believe in finding the product that works for you.

    What really caught my attention in the post were the comments. The very first had this gem by Matt Haughey:

    Now that they’ve won the battle, I think the biggest problem for WP now is two-fold: One is the constant threat of exploits with your own WP install. It’s crazy and like running Windows 95 without patches. Everyone I know with a self-hosted WP has been exploited in the last year or two and worries about it regularly.

    Two facts:
    1) My WordPress install has never been hacked in the 7 years I’ve had it.
    2) I do worry about it constantly.

    About a year ago, my server was hacked. Ironically it came three days after I’d posted about WordPress security. How was I hacked? Because I followed insecure practices. I’ve touted, for a while now, that security is a tripod:

    • The Web Host is responsible for making sure the server itself is up to date with the latest patches etc., and that the server is configured in a safe way.
    • Web-apps are responsible for not unleashing needless insecurities on the system.
    • The end-user: we pray to the Flying Spaghetti Monster that they haven’t done something to violate security out of ignorance.

I was hacked because I violated security, which left my server open to attack, which thankfully resulted in my Web Host bailing me out (have I mentioned I love them?). I went to a website on a non-virus-protected PC (yes, Windows), I got what looked like a suspicious pop-up in IE from a site I knew and trusted, and while the pop-up was there, I opened an FTP (not secure FTP!) connection to my server. I seriously could not have been stupider. Thankfully it was easy to fix, and I have since turned off FTP (it’s SFTP or nothing). Actually I also wiped Windows XP off my computer, but previously it was required for my work.

    On Byrne’s post, Mark Jaquith (a WP developer) remarked this:

    I haven’t seen an up-to-date WordPress install get directly exploited in around five years. Seriously.

    I thought about this for a moment, and had to nod. This is true for me as well. Every WordPress install I’ve seen with problems has been due to the web-host or the end-user being insecure. Even when that end-user is me, I’ve yet to have WordPress itself hacked. This does not mean I think WordPress can’t be hacked, just that it’s actually a pretty secure little tool by itself.

    Then Mark went on to say this:

    All of the large scale instances of WordPress being compromised lately were because of web hosts who don’t prevent users on one account from accessing files on another account. In these cases, WordPress wasn’t exploited so much as it was victimized due to a lower level security issue on the server.

He was far more succinct than I’ve been able to be on the matter, but I’ve touted for a long time that the problem is WordPress, but it’s not WordPress’s fault. Ask anyone in IT why Windows has more viruses than a Mac, and most of us will tell you it’s because Windows is more popular. More people use it, so more hackers/spammers/crackers target it. I wouldn’t say, in 2011, that Windows 7 is more vulnerable than OS X, but I would feel comfortable saying that it is targeted more.

    The answer is the same when I’m asked why WordPress gets so much spam. Because it’s used a lot! The more prevalent your product is (i.e. the more successful it is), the higher the likelihood is that some jerk with a kiddie script will try to attack it. This is just a fact of life, and I’m not going to get into how to solve it.

    What I feel we need to be aware of is the education of the user base for any product. My father once gave a memorable lecture I caught when I was about six or seven, about our expectations with computers and why AI was never going to be like we saw on Star Trek. “Ignore the man behind the curtain!” he said to the crowd. Back then, I had no idea what he meant. Today I realize that it was two-fold. On the one hand, we think ‘Automate everything! Make it all just work!’ That’s the magic box theory of computers. It all just works and we don’t have to do anything. The reality is that there is always a man behind the curtain, making the magic happen.

    The ‘two-fold’ meaning is that (1) we want everything to work perfectly without manual intervention, and that’s just not possible and (2) we don’t want to have to learn WHY it all works, just make it magically work.

    My savvy readers are, at this point, thinking “But if I don’t know why it works, how can I fix it?” To them I shrug and agree that you cannot be expected to fix anything you do not understand. Furthermore, the less you understand something, the more likely you are to inaccurately blame someone/something. Which brings us back to why I hate when people say ‘WordPress has been hacked!’ Actually, I hate it when they say anything has been hacked (Drupal, Joomla, WordPress, MovableType, etc etc etc).

We have a few choices at this point. We can stop ignoring the man behind the curtain and learn how the levers work ourselves, or we can accept that we’re not clever enough and hire someone. Either way, we should always take the time to sort out what’s wrong. When my cat was recently in the kitty ER for bladder stones (she’s fine now), racking up a $1000+ bill for services, I wanted to know all about what caused them, why the food worked, etc. etc. I’m not a vet. I would never make it through medical school (I don’t like blood). But I know how to use my brain. As my professor, Dr. Lauer, told me in high school, “We’re teaching you how to think, how to talk to adults while you’re a child, so you know how to be a person.”

    Teach people how to think. You’d never take your Mercedes Benz to Jiffy Lube for an overhaul, so why are you trusting a $5/month webhost without a phone number to support your business? You wouldn’t take your child to a back-alley doctor, so why are you hiring some guy with blink-tags on his site to fix your website? Use your brain. If your webhost tells you ‘Sorry, we can’t help you,’ then take your money someplace else. Website support should always include them taking backups at least every day (you may only get yesterday’s backups, but they should still have ’em). A good host will help you when you ask specific questions.

My host (there’s a link on the top right) will answer the phone 24/7; they helped me craft a backup strategy, undo the hack on my server, trace down what was using up so much CPU, beat mod_security into submission … the list goes on and on. My point here is not that you should use them (though if you do, tell them I sent you!), but that you should find a host who supports you to the level you need. The brunt of what you pay for hosting is an insurance policy. You’re paying them to bail you out when (yes, when) you need help, and if you’re only paying $5 a month, then you should only expect that level of return.

    Educate yourself, educate your host, but have realistic expectations.