Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: support

  • When the lights go out on the Matt Report!


    Matt Medeiros interviewed me ages ago. And this post I thought I’d pressed publish on and totally didn’t… Uh. Okay, sorry, Matt, consider this a late traffic bump for you.

    “When the lights go out with Mika Epstein,” recorded back in March, literally had a power issue (the office I borrowed apparently has a faulty sensor and timer; I had no idea!), so I was in the dark for a while. Of course. But I was happy to talk about WordPress support and doing our best by you!

    I had a great time talking to Matt. I’m always nervous being interviewed, and he made it painless.

  • Lightning Bolt at Portland!


    Surprise! I’m doing a lightning talk in Portland called “Rolling your WordPress Support Character (without any code)”

    A lightning talk is a magical 5 minute thrill ride with auto-advancing slides. 20 slides. 15 seconds a piece. And … GO!

    It’s not too late to buy tickets for WordCamp Portland. Bets are being taken as to what hat I’ll wear. (Remember, I’m a rogue, not a wizard, so no pointed hat.)

  • Evaluating Evil


    Credit: EvalBlog
    One of the things I do at DreamHost is help with hacked sites. This means when WP is hacked, I look at it, figure out how, and explain to the person how to fix it, or how to tell their tech folks what needs doing. There are occasions where I’ll delete things for them, but usually that happens when there’s a folder or file with weird permissions.

    We have a lot of tricks for what we look for, like base64, but recently I started to find files that slipped past my scan, though not past my “Hey, wait, wp-mai1.php isn’t a WordPress file…” check. Files like this:

    $a51a0e6bb0e53a=str_rot13('tmhapbzcerff');$a51a0e6bb0e5e4=str_rot13(strrev('rqbp rq_46rfno'));
    eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF6dWFtv6kYQ/it9qMQ5UlWBCVGtKg+JWozQaSrcU9+qKvIlBIGh6BBCyK/[...]')));
    eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF7tW1uvotqW/ivnYSe1d85JignSvcxJPXgDtQCXKNdO50TAJSqop7xw6fR/7zHm1CUqqGW91EMnK1FgzHG/[...]')));
    

    Now obviously I can just add str_rot13 to my checklist (nothing in WordPress core uses it), but… how do I look for those eval strings?

    Eval is a funny thing. In JavaScript: The Good Parts, Douglas Crockford states “eval is Evil: The eval function is the most misused feature of JavaScript. Avoid it,” but he’s talking JS and I’m looking at PHP files. So with the (current) assumption that I can ignore JS, I can try this (I also use ack for this half the time, depending on my mood). (You can leave out the ‘exclude SVN’ stuff if you want to. Most users don’t have it.):

    grep -R --exclude-dir="\.svn" --exclude="*.js" "eval" .
    

    That gets me a lot of files, though, and I don’t want to parse what I don’t need to. By the way, there’s one and only one file in all of WP that uses eval() in a ‘nefarious’ way, and that’s ./wp-admin/js/revisions-js.php, which is the WordPress easter egg. That’s also the only place you’ll see p,a,c,k,e,r code. But clearly I want to look for eval( or even eval($ because that’s more exact, and that should give me a better result.

    This is a two edged sword, of course. If I’m too precise, I will miss some of their shenanigans. If I’m not close enough to what I’m looking for, I get too much. And worst of all, I don’t always know what I’m looking for. Quite a lot of finding new hacks is a world where “I’ll know it when I see it.” So let’s take it down and say I want to find no JS, nothing in .svn, and anything with eval and a paren:

    grep -R --exclude-dir="\.svn" --exclude="*.js" -e 'eval(' .
    

    That’s a lot better, and in fact, this is a good start! But it’s hard to read because of how long the lines are:

    ./foo.php:eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF6dWFtv6kYQ/it9qMQ5UlWBCVGtKg+JWozQaSrcU9
    ./foo.php:eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF7tW1uvotqW/ivnYSe1d85JignSvcxJPXgDtQCXKN
    ./wp-admin/includes/class-pclzip.php://      eval('$v_result = '.$p_options[PCLZIP_CB_PRE_EXTRACT].'(PCLZIP_CB_PRE_EXTRACT, $v_local_header);');
    ./wp-admin/js/revisions-js.php:eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('6(4(){2 e=6(\\'#Q\\').v();2 i=\\'\\\\\\',.R/=\\\\\\\\S-;T"<>U?+|V:W[]X{}\\'.u(\\'\\');2 o=\\'Y[]\\\\\\\\Z;\\\\\\'10,./11{}|12:"13<>?-=14+\\'.u(\\'\\');2 5=4(s){r=\\'\\';6.15(s.u(\\'\\'),4(){2 t=16.D();2 c=6.17(t,i);r+=\\'\$\\'==t?n:(-1==c?t:o[c])});j r};2 a=[\\'O.E[18 e.y.19.1a\\',\\'1b 1c. 1d .1e.,1f 1g\\',\\'O.E e.1h 1i 8\\',\\'9\\',\\'0\\'];2 b=[\\'<1j. 1k \$1l\\',\\'1m. 1n 1o 1p\\',\\'1q, 1r. ,1s. 1t\\'];2 w=[];2 h=6(5(\\'#1u\\'));6(5(\\'1v\\')).1w(4(e){7(1x!==e.1y){j}7(x&&x.F){x.F();j G}1z.1A=6(5(\\'#1B\\')).1C(\\'1D\\');j G});2 k=4(){2 l=a.H();7(\\'I\\'==J l){7(m){2 c={};c[5(\\'1E\\')]=5(\\'1F\\');c[5(\\'1G\\')]=5(\\'1H..b\\');6(5(\\'1I 1J\\')).1K(c);p();h.v().1L({1M:1},z,\\'1N\\',4(){h.K()});d(m,L)}j}w=5(l).u(\\'\\');A()};2 A=4(){B=w.H();7(\\'I\\'==J B){7(m){h.M(5(\\'1O 1P\\'));d(k,C)}N{7(a.P){d(p,C);d(k,z)}N{d(4(){p();h.v()},C);d(4(){e.K()},L)}}j}h.M(B.D());d(A,1Q)};2 m=4(){a=b;m=1R;k()};p=4(){2 f=6(\\'p\\').1S(0);2 g=6.1T(f.q).1U();1V(2 g=f.q.P;g>0;g--){7(3==f.q[g-1].1W||\\'1X\\'==f.q[g-1].1Y.1Z()){f.20(f.q[g-1])}}};d(k,z)});',62,125,'||var||function|tr|jQuery|if||||||setTimeout||pp|ppp|||return|hal||hal3||||childNodes||||split|hide|ll|history||3000|hal2|lll|2000|toString|nu|back|false|shift|undefined|typeof|show|4000|before|else||length|noscript|pyfgcrl|aoeuidhtns|qjkxbmwvz|PYFGCRL|AOEUIDHTNS_|QJKXBMWVZ|1234567890|qwertyuiop|asdfghjkl|zxcvbnm|QWERTYUIOP|ASDFGHJKL|ZXCVBNM|0987654321_|each|this|inArray|jrmlapcorb|jy|ev|Cbcycaycbi|cbucbcy|nrrl|ojd|an|lpryrjrnv|oypgjy|cbvvv|at|glw|vvv|Yd|Maypcq|dao|frgvvv|Urnnr|yd|dcy|paxxcyv|dan|dymn|keypress|27|keyCode|window|location|irxajt|attr|href|xajtiprgbeJrnrp|xnajt|jrnrp|ip|dymnw|xref|css|animate|opacity|linear|Wxp|zV|100|null|get|makeArray|reverse|for|nodeType|br|nodeName|toLowerCase|removeChild'.split('|'),0,{}))
    ./wp-admin/press-this.php:		var my_src = eval(
    ./wp-admin/press-this.php:			var my_src = eval(
    ./wp-admin/press-this.php:							eval(data);
    ./wp-includes/class-json.php: * Javascript, and can be directly eval()'ed with no further parsing
    ./wp-includes/functions.php:		if ( doubleval($bytes) >= $mag )
    

    Okay, let’s get smarter!

    grep -R --exclude-dir="\.svn" --exclude="*.js" -e 'eval(' .|cut -c -80
    

    Now I’m telling it to cut each line off after 80 characters, because it’s easier to pick out the bad with just that much. Look:

    ./foo.php:eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF6dWFtv6kYQ/it9qMQ5UlWBCVGtKg+J
    ./foo.php:eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF7tW1uvotqW/ivnYSe1d85JignSvcxJ
    ./wp-admin/includes/class-pclzip.php://      eval('$v_result = '.$p_options[PCLZ
    ./wp-admin/js/revisions-js.php:eval(function(p,a,c,k,e,r){e=function(c){return(c
    ./wp-admin/press-this.php:		var my_src = eval(
    ./wp-admin/press-this.php:			var my_src = eval(
    ./wp-admin/press-this.php:							eval(data);
    ./wp-includes/class-json.php: * Javascript, and can be directly eval()'ed with n
    ./wp-includes/functions.php:		if ( doubleval($bytes) >= $mag )
    

    Part of the reason this works is that I know what I’m looking for. WordPress, in general, doesn’t encrypt content. Passwords and security stuff, yes, but when it does that, it uses variables, so you would get eval('$v_result = '.$p_options[PCLZIP_CB_PRE_EXTRACT].'(PCLZIP_CB_PRE_EXTRACT, $v_local_header);');, which remains totally human readable. By that I mean I can see clear words that are easy to search for in a doc, or via grep or awk, without being forced to copy/paste. I can remember “PCLZIP underscore CB…”
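    As an added example (this is not code from the post), the greps above wrapped in shell functions and run against a throw-away directory tree, so you can see the three rules side by side: the eval( search with the JS and .svn exclusions and the 80-column cut, the str_rot13/base64 indicator search, and the “random characters” rule written as a regex (eval( applied to a variable whose name is a long run of hex digits). Every file under make_sample_tree is a constructed fixture; the obfuscated line copies the shape of the sample above with its payload truncated.

```shell
#!/bin/sh
# Added example (not code from the original post): the post's grep approach
# wrapped in reusable shell functions, run here against a throw-away directory
# tree so it works offline.  Every file and path under make_sample_tree is a
# constructed fixture; the obfuscated line copies the shape of the post's
# sample with the payload truncated.

# Build a small tree that mimics the cases the post's output shows: a core-ish
# file with a readable eval(), a .js file, a stray file under .svn, and an
# obfuscated drop-in named to look like a core file.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/wp-admin/includes" "$root/wp-admin/js" "$root/.svn"
    printf '%s\n' "<?php" \
        "//      eval('\$v_result = '.\$p_options[PCLZIP_CB_PRE_EXTRACT].'(PCLZIP_CB_PRE_EXTRACT, \$v_local_header);');" \
        > "$root/wp-admin/includes/class-pclzip.php"
    printf '%s\n' "eval(data);" > "$root/wp-admin/js/press.js"
    printf '%s\n' "<?php eval(\$x);" > "$root/.svn/stale.php"
    printf '%s\n' "<?php" \
        "\$a51a0e6bb0e53a=str_rot13('tmhapbzcerff');" \
        "eval(\$a51a0e6bb0e53a(\$a51a0e6bb0e5e4('eF6dWFtv6kYQ/it9qMQ5UlWBCVGtKg+J[...]')));" \
        > "$root/wp-mai1.php"
}

# The post's final command: eval( in non-JS files outside .svn, each hit
# trimmed to 80 columns so the path and the start of the call stay readable.
scan_eval() {
    grep -R --exclude-dir=".svn" --exclude="*.js" -e 'eval(' "$1" | cut -c -80
}

# The other indicators the post names: str_rot13 (unused in core) and base64.
# Prints matching file names only, since one hit per file is enough to triage.
scan_decoders() {
    grep -R -l --exclude-dir=".svn" --exclude="*.js" \
        -e 'str_rot13' -e 'base64_decode' "$1"
}

# The "random characters" rule from the post as a regex: eval( applied to a
# variable whose name is ten or more hex digits.  Core code uses readable names
# like $v_result, so this narrows the eval( list to the lines worth reading first.
scan_random_names() {
    grep -R -E --exclude-dir=".svn" --exclude="*.js" \
        -e 'eval\(\$[a-f0-9]{10,}' "$1"
}

# Demo: build the fixture, run all three scans, clean up.
run_demo() {
    tree=$(mktemp -d)
    make_sample_tree "$tree"
    echo "== eval( hits =="; scan_eval "$tree"
    echo "== files using decoders =="; scan_decoders "$tree"
    echo "== eval( on random-looking names =="; scan_random_names "$tree"
    rm -rf "$tree"
}

run_demo
```

    To use it on a real install, call scan_eval, scan_decoders or scan_random_names with the site root instead of the fixture. The hex-name regex is a triage aid, not a verdict: it only orders the eval( list, and the post’s point stands that a name that “makes sense” would slip past it, so the full scan_eval output still needs a human read.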

    Those random characters are not human readable at all. That’s how I know they’re bad. Of course, if someone got clever-er, they would start naming those variables things that ‘make sense’ in the world of WP, and I have a constant fear that by pointing out how I can tell this is a hack, I give them ideas on how to do evil-er things to us.

    It’s for reasons like this that I, when faced with a hack or asked to clean one up, always perform Scorched Earth Security. I delete everything and reinstall it. I look for PHP and JS files in wp-content/uploads, or .htaccess files anywhere they shouldn’t be (in clean WP, you have two at most: at the root of your site and in akismet). I make sure I download my themes and plugins from known clean locations. I’m careful. And I always change my passwords. Heck, I don’t even know what mine are right now!

    But none of this is static enough for me to say “This is the fix forever and ever” or “this is how you will always find the evil…” By the time we’ve codified and discussed best methods, the hackers have moved on. The logic of what to look for now may not last long, but the basic concept of looking for wrong and how to search for it should remain a good starting point for a while yet.

    Do you have special tricks you use to find the evil? Like what Topher did to clean up a hack?

  • When Your Code Doesn’t Self-Alert…


    If you don’t want to read this whole post, there’s a big takeaway for anyone who releases code: Please make sure you have an easy way for people to be notified of a new release.

    The Story…

    I use WordPress a lot. It’s made me lazy on a lot of things, like version control. It’s also made me incredibly complacent when it comes to updates. You see, WordPress has a massive API system and servers which allow you to get in-app alerts to any needed updates. Click to upgrade and done. It’s second only to Chrome, which just updates.

    Now there are pros and cons about automated updates, and some things, like my server software? Hellz no, son, I don’t auto-upgrade that! Yes, I auto-upgrade cPanel and other server tools that I added on, but PHP and Apache and MySQL? No, those are things I have to stop and make damned sure I know what I’m doing. Why? Because they’re not ‘add on’ software, they’re the core functionality of my entire webserver, and if I mess them up, I am up shit-creek.

    If you’d asked me last year ‘Should WordPress auto update itself like Chrome?’ I would have shouted no, very loudly. And now here I am, doing it. Personally I’ve been using Gary’s Automatic Updater on all my sites for months now, because I know my WordPress setup is tight. I love the Chrome and Firefox auto updates, because I don’t customize those things ever. While I do customize the hell out of WordPress, I do it smart and I do it right. My code is doing_it_right() and the plugins or themes I add on to my sites are all well vetted and Elf Approved. The same can’t be said for everyone, but after a lot of thinking, I think if WordPress auto-updated, people would have an initial clamor of pain with all the shitty code out there that broke, and then the bad code would Darwin itself right on out of use.

    But that’s not the point of this. In my head there’s a difference between ‘core software’ like PHP, and ‘app software’ like WordPress. The lines are clear, they should never be crossed. Auto-Updating works for apps, not for core. And what happens when your app doesn’t even auto-alert for updates? How do you handle updates?

    I’ve already mastered using git as a ‘deployment’ tool, and svn has been old hat for me. That means I know how to quickly update my code, but I need to know when to do this.

    The Solutions…

    There is a light at the end of the tunnel. There are some easy ways you can keep track and, on the dev side, some easy ways to keep people up to date, and it all starts with the code’s website. You do have a website for your code, right?

    Check the website

    If there’s a blog, there’s probably an RSS feed. This is really easy, since most (if not all) blog and CMS tools use RSS.

    No RSS? No blog? Maybe there’s a mailing list. This is actually my favorite option. I hate email, but I love getting emails for software updates like that. If that’s not your thing, see if the mailing list has an RSS feed. I know people use Google Groups for a cheap mailing list, and if you visit the Groups page and click on the about link (see the image, not the dropdown, the link), you get a whole mess of RSS options!


    This only works for public groups, but why would a private group be an announcement list for your app releases anyway? If it’s private, get used to email.

    Speaking of mailing lists, MailMan, my list of choice, does not have RSS feeds. It’s the old spavined mule of lists, I know, but for people who love it, check out MailMan-to-RSS. (The irony I feel in writing that, which is the opposite of how I handle things with my post2email plugin, is deep and unfathomable.)

    But what about those other guys? You know who I mean, the guys who use GitHub as not just a version control tool but their code host? After all, Github Pages are pretty cool, and free, so why not? Time for a practical example.

    My amazing friend Mel made a site for Dashicons. They’re like Genericons for your WP Dashboard, and if you’re using MP6, you’re looking at them now. (Mel pointed out to me she did not make all the icons, only some, but the site is hers, so her I pick on.) The site is awesome. It’s fantastic that people can make sites like that, and you can even put a custom domain on it.

    But look at it! No feeds!

    Thankfully, Github pages are built on Jekyll, and you can set up feeds. But let’s be frank, if it’s not automatically set up for people, they’re not going to do it. And most people don’t do the ‘blog’ part of their Github page sites either. Now what?

    Well thankfully, for anything on GitHub, since most people push releases with tags (note to self…), you can use this for rss: https://github.com/user/project/tags.atom — Sadly, I couldn’t find one for branches.

    The Real Answer…

    Look, at the end of the day, if you’re releasing public code, it’s incumbent upon you to make a way for your users to be able to find out, easily, when you’ve updated. Expecting them to come to your site and check is not going to work. Making an automated way to push your code, your changelog, and your update notices to people, will put it all in one go for you and make it easy. If, like me, you’re afraid people will end up getting too many alerts, make it a blog post and only do it when you know you’re ready.

    Making it easier to get alerts for needed upgrades is going to make everything safer, in the long run. Think of all the security patches people are missing, just because we don’t get notified of them!

    Now if you’ll excuse me, I need to sort out how to better use branches and tags.

  • A Theme By Any Other Name


    When I redesigned my sites earlier this year I struggled with some concepts that later drove me away from child themes and into the arms of custom plugins. The issue at heart is that the term ‘theme’ is used in far too broad and encompassing a manner, which confuses people when they find out there are different types of themes. And no, I don’t mean responsive vs static vs mobile. I touched on this earlier in the year when I reviewed the very concept of managed themes, but apparently I didn’t do it well enough.

    After some talks on WP-Hackers, I’ve got a better list.

    • Theme – The traditional theme.
      • Child/Parent Themes
    • Theme Framework – Can be used as a traditional theme, normally used as a parent.
      • Starter Theme – Never used as a standalone theme, only used to build themes.
      • Managed Theme – A theme that acts like a framework and a child at the same time.

    So let’s look at them in order.

    Theme

    Example: TwentyEleven, Buttercream, pretty much anything in wordpress.org

    This is the most basic, simple, normal theme in the world. It works right out of the box. You can make a child if you have to, but most people don’t. Themes may or may not be built off of a Theme Framework, but they can all be used as is, no alterations needed.

    Child / Parent Themes

    The short version here is that child themes are built off a parent. A parent can be any of the themes here (Theme, Managed, or Framework). A child theme, however, can never be a ‘theme’ on its own; it can never stand alone. And there are some themes that don’t support children at all. The parent/child relationship muddies the waters quite a bit when it comes to understanding what type of theme you have, but I would go with the basic rule of “If a theme requires another theme to be installed separately, it’s a child theme.”
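    As an added example (not from the post), here is one way to apply that rule from the command line: a WordPress child theme declares the parent it needs with a Template: line in its style.css header, so reading that header tells you whether a theme stands on its own and, if not, whether the parent it requires is actually installed beside it. The two theme directories the script builds are constructed fixtures, not real themes.

```shell
#!/bin/sh
# Added example, not from the original post: tell a child theme from a
# stand-alone (parent) theme by reading the style.css header.  WordPress marks
# a child theme with a "Template:" header naming the parent's directory; a
# theme without that header is meant to stand on its own.  The two theme
# directories built below are constructed fixtures.

# Build a themes directory with one stand-alone theme and one child of it.
make_theme_fixtures() {
    base="$1"
    mkdir -p "$base/twentyeleven" "$base/my-child"
    printf '%s\n' "/*" "Theme Name: Twenty Eleven" "Version: 1.0" "*/" \
        > "$base/twentyeleven/style.css"
    printf '%s\n' "/*" "Theme Name: My Child" "Template: twentyeleven" "Version: 0.1" "*/" \
        > "$base/my-child/style.css"
}

# Print the parent directory named in the Template: header, or nothing at all.
theme_parent() {
    sed -n 's/^[[:space:]]*Template:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1/style.css" | head -n 1
}

# Classify one theme directory: "stand-alone", "child of <parent>", or
# "child of <parent> (parent missing)".  The last case is the post's rule in
# action: the theme requires another theme that is not installed.
classify_theme() {
    dir="$1"
    parent=$(theme_parent "$dir")
    if [ -z "$parent" ]; then
        echo "stand-alone"
    elif [ -d "$(dirname "$dir")/$parent" ]; then
        echo "child of $parent"
    else
        echo "child of $parent (parent missing)"
    fi
}

# Demo against the fixtures; point classify_theme at wp-content/themes/<name>
# on a real install instead.
run_demo() {
    themes=$(mktemp -d)
    make_theme_fixtures "$themes"
    for t in "$themes"/*; do
        echo "$(basename "$t"): $(classify_theme "$t")"
    done
    rm -rf "$themes"
}

run_demo
```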

    Theme Framework

    Examples: Hybrid, Genesis

    These themes are crazy robust. It’s like taking a normal theme, giving it steroids, and then handing you toolkits to expand it. Theme Frameworks can be used as a theme themselves, but often are treated as either Starters or Managed (see below). Frameworks come with a bunch of new, extra functions, along with documentation. Oh yes, these babies are documented so the theme guru can carry on, or the newbie can learn all about how themes work.

    There are two types of Frameworks (and this is where people will disagree with me a lot).

    Starter Theme

    Example: _s, Bootstrap, Hybrid

    These are used to build a parent theme off of, and cannot stand on their own as a theme (they’re skeletons). No one actually uses the theme as a theme on its own without forking and adding in their bells and whistles. These are turned into full-blown themes, and use the normal parent/child relationships from there out (which is why they’re a subset of frameworks). The starter theme itself is not a stand-alone theme, however, and the person who builds their parent theme off these ‘frameworks’ is responsible for updating their theme when the framework is updated.

    Managed Theme

    Example: Genesis, Thesis

    A managed theme is usually built on a framework, but unlike a starter theme, these can be used as is if you want. The real difference is not that, however, but that everything you should be doing is within the WP Dashboard. All CSS tweaks, and even functions, can be added therein, and not in the functions.php files. Sometimes these are just parent themes that you never make children off of, and others are children themselves of a framework. The best ones have a way to export your theme settings. To make things easier, you’ll find a lot of plugins that do what most people want, and they never need to edit code.

    Drawing The Lines

    What is a theme and what is a plugin, then? I was trying to explain this to a non-techy the other day, and jokingly said “You know how Barbie has all those clothes you can put on her, like the ski outfit? That’s a theme. A plugin is the Barbie Camper.” As horrific as the metaphor is, it’s not inaccurate. The theme changes the design, the plugin changes the function. Many theme developers hate putting code like Custom Post Types into their themes, because they feel that code should be separate from theme, and you should be able to keep your content, no matter what theme you’re using.

    For a long time I never used ‘starter’ as a theme designation, because to me the word ‘framework’ meant ‘a frame I build off of.’ With the conversations I had on wp-hacker in mind, I have reclassified themes into two types. Themes and Theme Frameworks. That’s it. That’s all you get. And yes, that means I think a Starter Theme is a framework. Look, Genesis, Hybrid-Core, and Bootstrap are all themes that someone uses to build other themes. They’re all frames that people can use to paint their own masterpiece.

    When you start looking at managed vs starter, it gets clearer. I call Genesis managed because that’s how the end users will see it. It’s not a starter, because people don’t fork Genesis to make a new theme, they use it and make children.

    The following explanation is using the two frameworks I’m most familiar with.

    Hybrid is a Starter Theme Framework. People download it, extend it into their own theme (see Oxygen, News, etc., all of which are stand-alone themes in the repository), and use those themes as full-born ‘traditional looking’ themes. They can make child themes, but the point is not whether Oxygen (built off Hybrid) is a theme or not, but that Hybrid, its source, is not a theme, but a Framework. They are separate things.

    Genesis is a Managed Theme Framework. It remains a separate parent theme, and technically can be used as is (it’s a very nice basic theme), so in that way it’s a Framework, but people don’t take that as a base theme and extend it like they do Hybrid. When you make a child theme of Genesis, it’s a true child theme, and never a copy of Genesis, renamed, and extended. Thus, Genesis could be a framework, but it’s really a managed theme because you never fork it; you always manage it via the dashboard or a child theme. Genesis is a theme built off a framework, and no one else uses that framework but Genesis.

    If you treat everything like a nail, you’ll always use a hammer. And a nail will go wherever you want if you hit it hard enough. I don’t suggest that, by the way, and as a principle of forcing your way on everyone, it’s not a good one. Treating all theme types as exactly the same will get you into trouble. If I extend the nail/screw metaphor, one reason themes take on so much is that they can’t install plugins. Managed themes are a great example of themes crossing the line between being a hammer (theme) and a screw (plugin).

    A starter theme framework is Home Depot. All the tools are there, there’s even some help, but you’re going to pick out your tools and your lumber and build what you want. When you need more, you can invent and create anything you want. You may have to go back to the store and buy more nails and screws, but your limit is your own ability and imagination.

    A managed theme framework is Ikea, with that Ikea Toolkit. It has all the parts you need, and while you can hack the bookshelf into a standing desk with little work, and no extra parts, you’re meant to use it out of the box and follow their directions to design differently. And when you need more, there are plugins to add on to what you have to make it more. Within limits.

    My Recommendation

    Use what you like, but understand what you’re using.

    Themes are very personal. A plugin is easy, you want something to fit a specific niche, you find it, you use it. You may pick one over another based on ease of personal usability, but the final function is the real deal breaker. A theme, on the other hand, has to look right and feel right to use, and that’s very, very hard. No matter which one I use, and I use a theme, a framework, and a managed all on my sites, I make sure it meets my feel-good and my needs. I know I’m perfectly comfortable hacking functions to bend to my whim, but if I was handing over a theme to someone less techy, I would think twice.

    When you’re making a site for someone else, think about how much you want to support. The more complex a theme, and the harder for the users to edit it, the more calls you get. Even when you’re making a site for yourself, you have to know what kind of theme you have, and the best way to edit it. If you’re using a stand-alone theme, built on a framework or not, once you know how to use child themes you’re good to go. But a managed theme may be a new learning curve for you, so remember to take time and ask around for how to use this theme the best way.

    The best thing about learning to use a managed theme is that they’re usually built with newbies in mind, so for an experienced theme dev, that learning curve is short and shallow. You already know how to find the docs, read them, and apply them. You know that there will be options, between editing functions.php and using a plugin, and you can weigh the pros and cons for yourself and your clients.

    Understand what you’re using, understand how it works, and use what makes you happy.

  • Encrypted Search Terms


    A recent stats viewing, with search terms highlighted.

    I haven’t seen a lot of people kvetching about this, which surprises me.

    If you like to look at JetPack’s stats and happen to giggle over your search terms, you may have noticed encrypted_search_terms showing up. Your search terms are what other people use in order to find you. So for example, someone found my blog by typing “forever alone” (which doesn’t make any sense to me, but okay).

    About a year ago, Google made search more secure, by letting you search via https. If you’re logged in to Google anything, you will be searching via https, which means no one knows what you searched for. Jetpack sees it as ‘encrypted search terms’ and Google Analytics sees it as ‘not provided.’ This is all great for the user, and the tin-foil hat me loves it! Except that now all we users see is encrypted search terms, instead of anything of value.

    As the number of people who use Google whatevers grows, the value for my search terms is going to plummet. In fact, taking a look at things, my ‘not provided’ numbers have doubled. It used to be that maybe 1% of searches showed up like this. I was around 13% for an average month in January, and now I’m looking at 30%. I am losing the ability to see what search terms are good for my site, and this makes it hard to manage my SEO.

    Oh. SEO. I hate you.

    I laud Google for doing this and at the same time decry them. Yes, having users protected while they search is awesome, it means my data is safe and it’s less easy for people to mess with me. As a user, I think this is good. As a website guru, I wince a lot. Without the feedback of users’ search terms, it’s very hard to know what does and doesn’t work. And the worst part is the majority of your users don’t even know they’re doing this. They know they’ve signed in to Google email, and they’ve signed in to Google+, and that’s it. They don’t know the ramifications.

    I don’t pretend to be an SEO expert, but what I do claim is to have common sense, and to valiantly fight against the will to be stupid. It’s pretty obvious to me that encrypting my results rips out my ability to, for free and with no cost to my users, determine what works and what doesn’t on the fly. Many times, when I tweak a site, I follow the stats and see what pages are hit more often, by whom, and when. Now there are workarounds to losing that immediate feedback, but when you think about it, almost all involve you having to pester your users.

    A/B testing is the least intrusive way about it, but for a lot of people, it’s complicated to do on a small, simple website. The basic idea is to ‘draw’ users to two different versions of the same site, and see which one gets more traffic. Max A/B is a good WordPress plugin for that. That said, your users may notice that the site one of them sees isn’t the same as another, and it means you have to keep up two versions for a while.

    Google, naturally, isn’t very consistent here. They generate their live traffic information via your cellphones. Whenever an Android user opts into location tracking, Google constantly monitors their location. If a whole mess of users are slowing down on the 405, guess what? Traffic. Now, arguably your data is ‘safe in their hands’, but that’s impossible to prove. If you haven’t yet, read Cory Doctorow’s “With A Little Help”, especially the story “Scroogled.”

    Basically what Google’s saying is ‘You can’t use their data, but we can. Trust us.’ Nothing makes me start to trust someone less.