Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: coding

  • Local Backups

    You heard about CodeSpaces didn’t you?

    On June 17th they got hit with a DDoS. It happens. On June 18th, the attacker deleted their data. And the backups. Because the backups were on the same server… You can read the story here and make up your own mind.

    But that brings us to this. Are you making your own, personal, backups?

    My server makes entire server backups every day and collocates them, but I also have my own backups of my own, personal, data. Not my email. If that blew up today I would lose nothing I can’t get back. That’s right, I don’t keep much email. If it’s important, I store it on my laptop, on iCloud or Dropbox, and I back up my laptop to TimeMachine. Oh and I check that backup regularly.

    So how do I back up my sites? It’s threefold.

    On the Server

    I use a DB script from Daniel D Vork. He backs up files to Dropbox, which is cool, but for me, I have this script on my server and it stores to a non-web-accessible folder called ‘backups’:

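    #!/bin/bash

    # MySQL credentials. Note: --password on the command line is visible in the
    # process list; a mode-600 ~/.my.cnf avoids that.
    USER="your_user"
    PASSWORD="your_password"
    OUTPUT="/Users/YOURUSERNAME/backups"

    # Remove the previous dumps (the glob has to sit outside the quotes to expand)
    rm -f "$OUTPUT"/*gz > /dev/null 2>&1

    # List every database, stripping the table borders and the header row
    databases=$(mysql --user="$USER" --password="$PASSWORD" -e "SHOW DATABASES;" | tr -d "| " | grep -v Database)

    for db in $databases; do
        # Skip the schema metadata and any database whose name starts with an underscore
        if [[ "$db" != "information_schema" ]] && [[ "$db" != _* ]] ; then
            echo "Dumping database: $db"
            mysqldump --force --opt --user="$USER" --password="$PASSWORD" --databases "$db" > "$OUTPUT/$(date +%Y%m%d).$db.sql"
            gzip -f "$OUTPUT/$(date +%Y%m%d).$db.sql"
        fi
    done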
    

    That script is called every day at midnight via a cron job.

    Bring it local

    On my laptop, under the ~/Sites/ folder, I have a folder for each domain. So there’s one for ipstenu.org (which is where this site lives), and in there are the following:

    backup-exclude.txt       backup.sh          log.txt
    public_html/
    

    The public_html folder is a full backup of my site files. It’s not that crazy, don’t panic.

    The backup.sh file does an rsync:

    #!/bin/sh

    # Run from the script's own folder so the relative paths below resolve
    cd "$(dirname "$0")" || exit 1

    TODAY=$(date)
    # Start a fresh log for this run
    echo "
    -----------------------------------------------------
    Date: $TODAY
    Host: ipstenu.org hosted sites
    -----------------------------------------------------
    " > log.txt

    echo "Backup files..." >> log.txt
    # Append (>>) so the header written above is not overwritten
    rsync -aCv --delete --exclude-from 'backup-exclude.txt' -e ssh backups@ipstenu.org:/home/ipstenu/public_html/ public_html >> log.txt

    printf '\nBackup databases...\n' >> log.txt
    rsync -aCv --delete --exclude-from 'backup-exclude.txt' -e ssh backups@ipstenu.org:/home/ipstenu/backups/ databases >> log.txt

    printf '\nEnd Backup. Have a nice day.\n' >> log.txt
    

    Backups is not the name of the account but I do have a backup only account for this. The backup-exclude.txt file it calls lists folders like ‘cache’ or ‘mutex’ so I don’t accidentally back them up! It’s simply just each file or folder name that I don’t want to back up on its own line. And yes, I like pretty output in my logs so I can read them when I’m having a brainless moment.

    The cd $(dirname $0) at the beginning is so that I can call this from other folders. Remember! If your script uses relative paths to access local resources, then your script will break if you call it from another folder. The reason for this is in the next section.

    Automate that shit!

    I’m on a Mac. I decided I wanted that backup to run every time I logged in to my computer. Not rebooted, logged in. And waking from sleep. That became problematic, but let’s get into this code.

    Writing the scripts

    First I made a new folder called ~/Development/backups and I’ll be stashing my code there. In there I have a couple files. First is website-backup.sh:

    #!/bin/sh
    
    /Users/ipstenu/Sites/ipstenu.org/backup.sh
    /Users/ipstenu/Sites/othersite.net/backup.sh
    

    Basically for every site I want to run backup for, it’s in there. This is why I have the change-directory command in the backup scripts.

    The other file is my launchd file, called com.ipstenu.website-backups.plist and I got this code from stackexchange:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
       <key>Label</key>
       <string>com.ipstenu.website-backups</string>
       <key>Program</key>
       <string>/Users/ipstenu/Development/backups/website-backup.sh</string>
       <key>RunAtLoad</key>
       <true/>
    </dict>
    </plist>
    

    Instead of copying the file, though, I did a symlink:

    ln -sfv /Users/ipstenu/Development/backups/com.ipstenu.website-backups.plist ~/Library/LaunchAgents
    

    This lets me change it if I need to, which I doubt I will. I’ll just edit that .sh script. The filename of the plist is intentional to tell me what the heck it is.

    But wait, what about waking from sleep? Logging in from a sleeping computer is not the same as a log in to a Mac, and there’s no built in tool to monitor sleep and wake for some reason. There are apps that can do it, but there’s also SleepWatcher, which can be installed via Brew! Since I’m running an rsync, it’s not a big deal to run multiple times a day. Heck it may actually be faster.

    First we install Sleepwatcher:

    brew install sleepwatcher
    

    Now Sleepwatcher looks for user scripts named ~/.sleep and ~/.wakeup which sure makes my life easier. My ~/.wakeup file calls website-backup.sh, and while I could have it repeat the code, I chose not to for a reason. I know my backup scripts will live in ~/Development/backups/ so I can add a new one for something else without messing around with more than one file.

    Do you remember launchd a moment ago? We want to use that again to tell Sleepwatcher it’s okay to run on startup or login. This time, since we’re only using Sleepwatcher for sleep and wake, we can symlink the sample files to the proper LaunchAgents directories. In my case, it’s only running for me, so it’s all local:

    ln -sfv /usr/local/Cellar/sleepwatcher/2.2/de.bernhard-baehr.sleepwatcher-20compatibility-localuser.plist ~/Library/LaunchAgents
    

    If you’re interested in doing more with sleepwatcher, read Mac OS X: Automating Tasks on Sleep by Kodiak.

    Finally we’re going to load both of these commands into launchctl:

    launchctl load ~/Library/LaunchAgents/com.ipstenu.website-backups.plist
    launchctl load ~/Library/LaunchAgents/de.bernhard-baehr.sleepwatcher-20compatibility-localuser.plist
    

    Now every time I log in on my laptop, it runs a backup, be that a real login, or a wake-from-sleep one.

    And remember, this is on top of my full server backups and my personal git repository for my code, so I have my data backed up in the important places. Everything on my laptop is backed up to the TimeMachine, so really I can just look back a year or three and find that html file I used once.

    The other thing I do is check these backups pretty regularly. I scheduled a day every month to check that everything’s working right, that the files are restorable, and that I feel secure. Thus far, the most I’ve lost has been 16 hours of work on a Wiki.
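
    A restore check for the dated dumps the server script produces, as an added example that is not part of the original post. It assumes mysqldump's default comments are on, so a finished dump ends with a "-- Dump completed" line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that the nightly dumps (YYYYMMDD.<db>.sql.gz) are
# restorable before they are needed. Assumption: the dumps come from mysqldump
# with comments enabled, so a complete dump ends with "-- Dump completed".

# verify_dump FILE -> 0 intact and complete, 1 empty, 2 corrupt gzip, 3 truncated dump
verify_dump() {
    _f=$1
    if [ ! -s "$_f" ]; then
        echo "EMPTY      $_f"; return 1
    fi
    if ! gzip -t "$_f" 2>/dev/null; then
        echo "CORRUPT    $_f"; return 2
    fi
    # A dump that died part-way still compresses cleanly, so check the trailer too
    if ! gzip -dc "$_f" | tail -n 5 | grep -q '^-- Dump completed'; then
        echo "TRUNCATED  $_f"; return 3
    fi
    echo "OK         $_f"
    return 0
}

# verify_dir DIR [MAX_AGE_DAYS] -> 0 only if every dump passes and one is recent
verify_dir() {
    _dir=$1
    _max_age=${2:-2}
    _bad=0
    for _dump in "$_dir"/*.sql.gz; do
        if [ ! -e "$_dump" ]; then
            echo "NO DUMPS   $_dir"; return 1
        fi
        verify_dump "$_dump" || _bad=1
    done
    # A folder full of valid but old dumps means the cron job or the rsync stopped
    if [ -z "$(find "$_dir" -name '*.sql.gz' -mtime "-$_max_age" -print | head -n 1)" ]; then
        echo "STALE      nothing newer than $_max_age days in $_dir"
        _bad=1
    fi
    return "$_bad"
}

# Stand-alone use: ./verify-dumps.sh ~/Sites/ipstenu.org/databases
if [ "$#" -gt 0 ]; then
    verify_dir "$@"
fi
```

    Run against the local `databases` folder after the rsync, a non-zero exit is the cue to look at log.txt before the server copy is the only one left.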

  • Reset the Net Gotchas

    All my domains will not be HTTPS by the end of 2014.

    Sorry. It’s one of those things that just isn’t (at this time) something I can pull off. If I only had one domain and everything was subs, I could get one wildcard subdomain cert and be done with it. But with the number of domains I have it’s not feasible. Which brings me to what I think one of the major issues with our desire to protect the net is… But let’s step back!

    Yesterday, as you may have noticed, was Reset The Net day. It was a call to action, much like we did when we went dark one day.

    Now on this site, I’m using the Internet Cat Signal, which cleverly updates itself as I need to alert people to crap like this. The tldr is that the NSA is spying on us. I leave that plugin on all the time, it fires up when there’s something people need to know. It doesn’t slow down my site, and I hope it brings awareness to folks who otherwise have no idea about this stuff. About 75% of my traffic on this server can be described as people who don’t know about any of this.

    What have I done for this? The recommendations are to use HTTPS, HSTS, and PFS. Since HeartBleed, I enabled PFS. This is a non-logical sort of thing to do, in that few people seem to explain how to do it. On my box, which uses WHM, it was pretty easy. In my WHM Panel, I went to Apache Configuration -> Global Configuration -> SSL Cipher Suite. Then I picked the PCI Recommended suite, not the default, and rebuilt the configuration. Then I went to Apache Configuration -> Include Editor -> Pre Main Include and, for all builds of Apache, added this:

    # Enabling PFS
    SSLHonorCipherOrder On
    SSLProtocol All -SSLv2
    # CVE-2011-3389
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    

    The last bit lets me support any IE 6 users who visit my store. But as I said, I don’t have SSL on for all my domains. So what are my HTTPS issues?

    The cost is insane. Let’s look at wildcard ssl, which is what you want for *.example.com situations. It’s pretty much $100 a year. That’s not too bad until you factor in how many domains I have on this server. Six family members, six of my own sites (including short domains like helf.us). So that’s either $1200 a year, which is obscene, or $145 a year at the cheapest I could find, and that’s for the simple green lock and no wildcards. For the big green bar, it’s back to around $1000 a year. Oh and I forgot one of my domains, so that’s $164 and $1047. Now I could totally afford the $164 a year, it’s doable with my ad revenue (which pretty much breaks me even at the end of a year) but….

    It’s slower. Look, I get it how it’s important to be secure, but right now, the nginx proxy setup I’m using doesn’t work on HTTPS. That sets me back some since using it has sped up my site considerably. I know how to (and have) set Google Pagespeed to play nicely with HTTPS, so I’d be back to where I was before. This isn’t bad, it’s just not a great experience. Right now I have a secure login, secure email, a fully secure store, and ssh/sftp only, so the only place your data could get ‘sniped’ is when you’re leaving a public comment on my public site, which makes me less worried than I might be. Even my git repo is secured.

    Also it’s hard. And no, that’s not an excuse. PFS (Perfect Forward Secrecy) isn’t easy to add to your servers, and it’s way outside the realm of what most people can do. Hell, it’s outside the realm of what I’m comfortable doing. It took until my server had the specs for OpenSSL that will support PFS for me to do it. The point is, this part has to be done by the webhost for most people, and that is a big issue. It’s not easy or fast to upgrade servers, and it’s far, far more persnickety than updating WordPress. It’s complex, and you have to think about everyone on the server. Again, not an excuse, just a caution that it takes a while to finish up.
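
    One way to check that the cipher order actually favours PFS, as an added example rather than code from the original post. It assumes a colon-separated suite list in server preference order, as printed by `openssl ciphers`; the function names and both sample lists are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a cipher list in server
# preference order, e.g. the output of `openssl ciphers 'YOUR-SSLCipherSuite'`.
# With SSLHonorCipherOrder On, Apache takes the first suite in its own list that
# the client also offers, so a non-forward-secret suite ranked above the
# ECDHE/DHE ones wins for every client that supports it.

# is_fs NAME -> 0 if the OpenSSL suite name implies an ephemeral key exchange.
# Assumption: classification by name prefix only (ECDHE-, DHE-, legacy EDH-,
# and TLS 1.3 "TLS_" names); anonymous ADH/AECDH suites are not counted.
is_fs() {
    case "$1" in
        ECDHE-*|DHE-*|EDH-*|TLS_*) return 0 ;;
        *) return 1 ;;
    esac
}

# pfs_order_check LIST -> 0 every FS suite outranks every non-FS suite
#                         1 a non-FS suite is ranked above at least one FS suite
#                         2 the list has no FS suite at all
pfs_order_check() {
    _first_nofs="" _fs_count=0 _late_fs=""
    _old_ifs=$IFS
    IFS=:
    for _suite in $1; do
        if is_fs "$_suite"; then
            _fs_count=$((_fs_count + 1))
            if [ -n "$_first_nofs" ]; then
                _late_fs="$_late_fs $_suite"
            fi
        elif [ -z "$_first_nofs" ]; then
            _first_nofs=$_suite
        fi
    done
    IFS=$_old_ifs
    if [ "$_fs_count" -eq 0 ]; then
        echo "NO-PFS: no ECDHE/DHE suite in the list"
        return 2
    fi
    if [ -n "$_late_fs" ]; then
        echo "ORDER: $_first_nofs outranks:$_late_fs"
        return 1
    fi
    echo "OK: $_fs_count forward-secret suite(s) ranked first"
    return 0
}

# Constructed sample lists (not taken from any real server)
GOOD_LIST="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA"
BAD_LIST="AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"

# Stand-alone use: ./pfs-order.sh "$(openssl ciphers 'HIGH:!aNULL')"
if [ "$#" -gt 0 ]; then
    pfs_order_check "$1"
fi
```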

    Speaking of WordPress, multisite isn’t great at it. In fact, it’s less great than normal WP. I have two sites with SSL right now, ipstenu.org and store.halfelf.org. Ipstenu is only SSL on the back end, but even with that, there are inconsistencies. First, all the links are HTTPS, so when I click on “My Sites” the links to non-HTTPS sites are using HTTPS, which doesn’t work. Also if I made a new domain, it defaults to HTTP and not HTTPS. So I have to edit that manually. This is annoying, though not insurmountable, and I know it’s something being worked on.

    In the end, the absolute biggest reason I’m not switching to HTTPS is that the only people who need secure communication are the people logging in or the people buying things, and I’ve taken care of that. For the rest of you, know that my store is secure, my logins are secure, and if you’re commenting on the site, for god’s sake, don’t post anything you don’t want people to know!

    I’m sure in a few years if not months all this will change, but this is where I am today. The racket with SSL certs costing that much needs an easier solution, and then the rest will fall into place.

  • All is Revealed

    I had some issues with SEO Slides in the past, mostly around how it’s not quite what I need while also being more than I need and less. I banged around this for a while, before I remembered that I’ve seen a lot of people use WordPress for slides in a way that I never really loved, while others used something decidedly not WordPress.

    Step back.

    I don’t believe that I should use WordPress all the time just because I’m a WordPress person. I thought about what I want from my slides:

    1. A way to load them locally or remotely
    2. A way to control them and see my notes
    3. Usable on mobile
    4. Embed-able by me and me only
    5. “SEO” friendly

    That last one really means “HTML should be readable so a screen reader could make sense of it for the blind.” And that’s really the primary reason I ended up with SEO Slides to begin with. But when I stepped back to really think about what SEO Slides did, and what I needed, I realized that while I really do love it, it made it harder for me to make slides.

    Let me explain. SEO Slides’ interface is not the WordPress post editor. I suspect, if it was, I’d be happy since I can mangle HTML there all day long. But SEO Slides doesn’t let you at the source code of the page, you have to use their GUI, and I was having a hell of a time with things like centering and floating and wrapping… All things I’m a boss at with HTML.

    In addition, I’d recently discovered serious limitations with pageload, especially on mobile. The fixes in 1.5.0 didn’t fix it for me (actually it became worse with my slides taking over fifteen minutes to load, at which point I gave up). This is not to say I don’t love SEO Slides and what it does, it just didn’t fit my personal workflow. As much as I loved it when I did my EDD presentation for WP Sessions, I wasn’t satisfied.

    So as I contemplated my vodka over Passover, I came to the possibility that maybe WordPress was totally overkill for slides. Maybe, like with a Gallery, it was too much and too complicated for something that should be more simple. To me, HTML is simple. It’s straight forward, direct, and I still use it every day. With the exception of paragraph tags, I wrote this post in HTML mode.

    I did what comes naturally to me. I went and poked around what some of my friends have done (and kept up or not…) and finally decided that I was going to try out reveal.js.

    Wow.

    Basic HTML Slides? Why not Reveal.js?

    Installing was simple, just a git clone. And while the directions claimed you can’t use speaker notes unless it’s running locally, I found this not to be the case. Maybe it’s because I’m on Chrome, or maybe that’s not updated. Either way, it’s awesome for me since I can suddenly control my slide-deck on my laptop. Making my own slides was also pretty basic, I made a folder for each deck, tossed in the images and the index.html, and went to town. It’s really that easy to do, though I wish there was a basic example, and not just the big one. Still, a search and replace of HTML is super fast.

    It loads faster than SEO Slides, works better on my iPad, and the only thing I can’t do is embed. I’ll live. I’m also sure it can be done, since http://slides.com/ (the freemium version that hosts it for you) has an embed ability. The other massive gain is that it’s smaller. When you upload media to WordPress, you get multiple images, and I have to pre-load each page (or load it on the go). This gets heavy since I like background images and pretty things.

    With reveal.js, I just upload one image and I’m done. It loads everything at once, since it’s one HTML page, and the image (while large) is just reused. And that was good enough for me. Also I get to use remotes.io to remote control my slides from my notes (I use the iPhone app Scan, by QR Code City, and paid for it because I hate ads).

    I may go back to SEO Slides (who should consider an import from reveal… Hmmmm) but this works for me now. We’ll see if I love it in the long term. I suppose I should actually read stats and see if anyone but me even cares about the slides…

  • Easier Control

    In a WordCamp I heard a developer say something along these lines:

    “I include my own jQuery because it’s easier and I can control things.”

    The moment he said this, I clamped my mouth shut and bit my tongue. It was not the subject of this presentation, and multiple other people in the room had already pointed out that WordPress has its own version. Afterwards, someone remarked she saw steam coming out my ears. All I said in the room was “We reject themes and plugins from the .org repositories for including their own copies of jQuery.” and then shut up. After all, I was in the room because I wanted to learn about something I didn’t know, and that wasn’t jQuery.

    It’s sad that my major takeaway from that talk is too many people sacrifice sustainability for ‘ease’ and ‘control.’

    You may think that if you force install your own jQuery, you can be sure a random upgrade of WordPress won’t break your theme. You have full control over the theme, after all. And you may think that you can make your theme or plugin faster if you compress all the JS together yourself, rather than having WordPress load a dozen separate files. Those thoughts are both true, but you’re wrong. You’re never ‘master of everything’ unless you only use WordPress core and the themes and plugins that you built. And even then, you’re still not.

    While it’s perceived as easier and faster to write code if you assume you know the truths of your website and will always be its master, the fact is the assumption is plain ignorant. These days, it’s rare you’re ever the sole developer of a site. You may be hired to make a theme, I’m hired to make a plugin, and someone else is titularly in charge of both of us, but probably doesn’t know a lick of code while still being the driving force behind the website. Not to mention we’re not the webmasters of the site. That may be some intern nephew of the boss, who will take over once we’re done.

    And that is exactly where using our own versions of scripts will get us into trouble.

    You’re master of your plugin, or your theme, but you’re not master of the rest of the world. Even if you’re making it on spec for someone for a specific purpose to be used on a specific site, there’s no guarantee that it’s the only time and place your code will ever be used. There’s no assurance that the 10 other plugins you tested with today will never upgrade, or that they won’t add more. If you get hit by a bus tomorrow, there’s no promise your code will remain untouched. Basically we’re running on pure arrogance that not only are we crystal clear about the present, but we’re totally perfect about knowing the future. And that just ain’t possible.

    So. How do I explain why including your own jQuery in a theme or plugin, instead of enqueuing the one with WP, is bad?

    “Picture this. Your theme has jQuery 2.0. So it de-enqueues WPs and re-enqueues yours. My plugin is using version 1.7. I do the same thing. Bob’s plugin uses 1.11, HE does the same thing. Joanne over there properly uses WP’s. Which one of our jQuery files wins?”

    The problem is that you’re emphasizing short term gains (speed of development, speed of site) over long term sustainability (regression conflicts, duplicate files). You’re making your life a little easier, and actually harming the website you’re trying to make because tomorrow, you will be gone and they’ll be trying to figure out why the site is so slow. Or why it’s breaking when they upgrade Jetpack. After all, you tested with Jetpack, right? You were selfish, short sighted, and just … wrong.

    But it’s okay. You can learn to do things better. You can do it right with your code and fix those mistakes. You can let the wookie win, and let WP control what it’s supposed to control, while only augmenting what you must control. And you can do it all in a friendly, sustainable, updatable, extendable way. Which is how WP wants it.

    Oh and how do I handle minification? I have a proxy service do it for me. In my case, Google’s mod_Pagespeed compresses and combines all my JS and CSS to make it one file that loads faster.

  • Resilient Responses in Reviews

    I review a lot of code. A lot.

    On average, I look at around 100 plugins and themes (combined) per day. If I’m not reviewing code for the WPORG plugin repository, I’m debugging sites for customers, writing my own code to make it better, testing patches for WordPress, and pretty much dancing the dance a lot. I like this sort of thing a lot, since I get to see all sorts of different methods to madness, and it improves my abilities to see people doing it right and wrong.

    That said, I’m not the best coder in the universe. I don’t claim to be, I don’t plan to be, and I don’t worry that I’m not. We all have our skills and mine is not to be a psycho awesome super coder. Mine is debugging, breaking, helping people debug and break, and writing. We call that support, generally, and it’s a noble profession! But more on that another day. The fact is I don’t know all the code in WordPress. I’m guilty of doing_it_wrong() often enough. And yet, I don’t see my ignorance to be a detriment to what I do.

    In an article “Probability and Possibilities”, my father talks about how we react to natural disasters, and how that impacts how we predict them, and their costs. Near the end, he talks about being prepared by having resilient responses, and lists the following traits of those people/groups:

    1. Drawing on experience
    2. Questioning that experience
    3. Intuition
    4. Improvisation, or making the most of materials at hand
    5. Listening and speaking
    6. Examining preconceptions
    7. Ignorance + knowledge = wisdom
    8. Recognizing and taking advantage of luck

    I didn’t realize it at the time, but my dad raised me to be resilient, because those eight traits are ones I apply constantly to my code reviews. It’s because of those that I’m able to do all those plugin reviews, even when I don’t know all the right moves. As a senator once said, I know it when I see it.

    Many times, I’ll review a plugin and flag it saying “This is not secure” or “This is not done properly” and sometimes I’ll take a moment to explain exactly why, but given the sheer volume of reviews I need to get through to keep up my end of the review process I will often use some standard ‘predefined’ replies. I don’t review all plugins, nor do I reply to all the emails, though sometimes I know it looks like I do. Still, if one person has to review 25 plugins a day, and craft a reply for half of them (yes, about half the plugins we get need some sort of reply that isn’t ‘approved!’), how am I, a non-uber coder, capable of actually knowing that the code is wrong?

    I’m going to tell you the biggest secret of support ever. You ready?

    You don’t have to know how to fix what’s wrong to know that it is, in fact, wrong.

    That’s it. Not knowing how to fix things was, I admit, one of the leading causes as to the impostor syndrome feelings I had when writing my WordPress Plugin Support ebook. But the thing was, I knew that the code was right or wrong most of the time. Oh, sure, I make a couple mistakes, but if I see someone calling wp-load.php directly in their code, I’ll tell them it’s not permitted and then they get a canned reply as to why, with some general suggestions.

    I stopped worrying about not being able to help someone debug their own plugin for a couple reasons, though. It’s (generally) not my job to help you write your own code. If you have a jquery conflict or need help calling WP functions outside of WP (please don’t), I can help you with a search or suggestions where to ask, but just because I don’t know the answer doesn’t make my telling you that you’re not permitted to do something in the WPORG repository invalid.

    Ah, there’s the crux isn’t it? Someone was doing code in a totally janky way. It happens. Most of the time, we end up doing this by accident, not knowing there’s already a WP function or action to use for it. We reinvent the wheel by accident. Let’s pretend this guy was using his own copy of jQuery. Now, as we all know, you don’t need to do that! WordPress comes with jQuery and you can just enqueue it. So there’s a canned email we send, explaining you can’t include your own, nor can you call it remotely, please use ours.

    The reply comes back “My code won’t work without my own.”

    So I reply to the effect of “Please correct your code to work with our version of jQuery. The most common cause of these conflicts is not writing your code to work in no-conflict mode.” And then there was a series of links.

    He replied, “Why don’t you just tell me what I did wrong?”

    I explained I would if I could. But I don’t know his code, I’m not awesome at jQuery, I don’t care to reverse engineer everything to figure out exactly what’s broken, and it’s not my plugin anyway. So … no. I don’t know how to fix it, but I do know, having listened to a lot of smart people and having read a lot of code, that the primary cause is an issue with no-conflict mode. So I can Google that and get wp_enqueue_script() – jQuery noConflict Wrappers as a hit (this is the WordPress Codex) and read that this happens if you use the $ shortcut, so I take a second look at his code, determine this is the case (though perhaps not the cause of all issues), and reply back with that info and a link. I’m helpful.

    He doesn’t agree. “If you know so much, you should fix it.”

    No, sorry. This time I explain I don’t know much more than that as I’m not great with JS yet, and now I expect to get smarmy commentary on how, if I don’t know how to fix it, I don’t have the right to tell him it’s wrong. After all, I’ve heard that a hundred times before. Instead, this guy says “Yeah, I don’t know either, so who am I to judge? Okay, any suggestions where to ask for help?” After picking my jaw off the floor, I sent him to wp-hackers and stack-exchange, after doing a quick search to see what other direct links might help, including one on SE that looked like the absolute answer. He came back, said the SE answer was it, and everyone was happy!

    I solved the issue by being resilient, and giving the ultimate support. Also now the guy has the tools to do it himself next time.

  • The Responsibility of Freedom

    I’m sure you know there are clubs out there that re-sell WordPress products at a far lower cost than their original source. This post is not about that being right or wrong via the GPL, nor is it about the morality.

    This post is about responsibility.

    In my home office hangs a poster “Flynn Lives” which I have to constantly remind me “I fight for the users.” It’s a nerd level joke most of my fellow developers and support gurus get, but many people I help would not understand the point. My job, as a WordPress Support Guru, is to help people. This is simple, straightforward, and obvious.

    My other job, though, is to make their lives easier and better. It’s my responsibility, when I write code, to make it do something to make someone’s life easier. Even if the only person it helps is me, the point is that someone is being helped. If it’s just me, it’s really easy to support myself. “Hey, Ipstenu, you know this broke?” “Yeah, added to my list!” But when it’s someone else, how does that change?

    I firmly believe there’s an expectation of support with all plugins and themes hosted in the WordPress.org repository. Period. That means, yes, I have code I don’t put up there because I don’t care to support it. But I know that expectation puts responsibility on me as more than just “Someone who writes code.” I can’t just write code, drop it into the world, and never support it.

    “But Ipstenu,” I hear you say. “Isn’t that what WordPress.org does? It just dumps WP into the world. I never see the devs in the forums!”

    You’re not WordPress.org. You’re not that big, that complex, and that intricate. Unless you’re BuddyPress-levels of plugins, and you’ll notice they have support forums. Instead of directly supporting WP, the core devs of WordPress who are dedicated to WordPress have people like me, who traipse about the forums and help. And when I see broken things, I either take it to trac or help the person who found it do so. My determining line is “Can I fix it? Okay, I’ll trac it and patch it.” If I can’t, I help them. Low hanging fruit.

    The point here is that all this wonderful software came with a responsibility to make it great and help people. What does this have to do with sites like those Justice League Clubs that offer cheap/free versions of pay-wall’d software? They’re not helping you.

    Oh, in the short term they’re helping you by giving you something for free. They’re getting you further in your site development than ever before. However that help ends at the provisioning level, because you aren’t paying for support from these resellers, you’re paying for product. That’s okay, so long as you know what you’re paying for, and a lot of people don’t. If people did know what they were paying for, they wouldn’t use nulled themes with base64 backdoors in them.

    The ethics and morals of reselling someone else’s work aren’t at play here. Yours are yours, mine are mine, and that’s just fine. What is at play is what are we paying for, what are we providing, and what are we devaluing when we resell someone else’s product?

    Devaluing is the easier one. People sell products at cost in order to make money. It’s simple. I work for a company that sells space on a computer and world wide availability from anyone to that space. We sell it at a price that allows us to make money, but also that allows us to hire amazing people like me who work on WordPress, write some of the code, test it, and otherwise spend all this time on WordPress, just because it’s software you use!

    The value of the product is, again, not just in the product, but in the service. And the service is more than just access and accessibility, but also in the support you get. No matter what people think, we aren’t just rolling around in money and laughing at you. We reinvest that money in ourselves, our hardware, the software (some of which we give to you). But what we always do is support that. Sometimes the support isn’t what you want to hear, but we do our best to solve problems, or explain why we can’t.

    So what are you paying for? Support! In the end, you’re pretty much always paying for support. You buy Microsoft Office and you don’t get the kind of support you get with WordPress, but you pay a lot more money. Where’s the support? When Word crashes, it sends (or asks you if it can send) a report back. That report gets noticed and acted on so that if it’s solvable, it’s solved. The next upgrade you get has a patch, and that crash doesn’t happen again. That’s support!

    You can also get actual support from Microsoft (though I know of no one who’s done so). They have people who write fantastic help docs and who monitor their forums and twitter. If you took Word (let’s pretend that was legal) and resold it, would you have all that?

    But that’s a quite extreme example. WordPress plugins are significantly smaller in scale than MS Office. So why is Office (and Adobe Photoshop etc) so expensive if they don’t give you half the help that the free WordPress product does? There are a lot of reasons. Patents and copyright are expensive, and frankly we’re all willing to pay for it. When Apple dropped the price of the new OS down from hundreds to $25, we were all suspicious. When it became free, we flipped out.

    But Apple wisely noted that making us pay that much money wasn’t helping them as much as it might. Free gives you a certain brand loyalty because we get to try before we buy. And we will buy those apps and those app add-ons (though I don’t fully approve of games that force you to pay to play all the time). We buy them because after we get the base product for free, we see the real value in the cost of the other products and we’ll pay for them willingly. Apple takes responsibility for their free software in interesting ways. We have to pay for assistance (most of us via the Genius Bar). And in the WordPress ecosystem, that too is what you pay for. The help.

    So back to this whole “I’ll take your paid software and give it away” thing.

    What are we paying for? I’ve heard tell that ‘Paying for support’ is a rip off. So is paying for documentation. I can see why some people balk at paying $25 a year for ‘support’ they may not ever need, and I’ve seen some companies work by letting you pay per-ticket. Though that makes people feel like you’re nickel-and-diming them, and I do agree it can come across that way. And yet that support which they so casually toss aside like an old shoe is where these free-software-clubs fall down.

    There is one club that says they will support all the plugins they re-host. Many of us are suspicious of the possibility of that actually working well, though given the odds of how small their sales will be to start with, it may end up sustainable. The problem is that they’re not going to be patching upstream. They’ll fix your issue, and then when the real source pushes the next version, they get to reapply their patches. Strikes me as a lot of work.

    Is the payment system for some WordPress plugins and themes broken? I don’t think so. I think it’s not optimal for the user nor for the developers just yet, but monetizing these things is still relatively young. There will be mistakes and bad choices along the way. Finding the balance between the freedom of the GPL and the desire to make a living is difficult.

    The ultimate responsibility we have with WordPress is to give back. We give back with support and with improving things for everyone. If we’re just doing things for ourselves, after all, we don’t share them. Are these clubs failing in those responsibilities? Not yet. But all eyes will be on them if they do.