Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: website

  • Catch a Session

    Catch a Session

    When I was at WordCamp Chicago in 2013, Brian Richards asked me if I’d be interested in giving a WordPress ‘Session.’ Since not everyone can make a WordCamp, what if there was a live, online, session they could watch to get the same information? Thus was born WPSessions!

    I said yes, and months went by. Then he pinged me again, asking if I was still interested, and would I might talking about eCommerce and Easy Digital Downloads? That was new! Most people want support, community, or multisite. Since I’d recently written a book about running an ecommerce bookstore, I said yes again, and on Thursday gave a session.

    If you missed it, and you probably did since I did a terrible job promoting (sorry Brian!), you can check it out at WPSessions – eCommerce for Site Owners. It’s $30 for four sessions (mine is 51 minutes long), and while my slides are online , you never get quite the same impact as seeing me give them, do you?

    http://slides.halfelf.org/wpsedd/

  • Dr. Jekyll and Ms. Hyde

    Dr. Jekyll and Ms. Hyde

    I like WordPress. I like the community and I like the way I can invite other people in on it. But. I wanted to run a site, a small site, with static content for the most part, no comments, and just the basics. So why not Jekyll? After all, I’m big on self-hosting, and while most people I know seem to be running Jekyll on GitHub, you know me. I want to do it myself, I want to have it all here.

    Six drinks later…

    DVD cover of Dr. Jekyll and Ms. HydeMy major issue with Jekyll is that the ‘Simple’ directions aren’t obvious the way everyone seems to think they are. I mean, yes, they’re simple, but they lead you to some pretty crazy misconceptions based on how websites and CMSs work, and have worked, for a long time. And given all the posts I’ve read about how terrible WordPress is, my remark on that is: No, Jekyll is not terrible, but it has an audience.

    Look, of course WordPress can be terrible. So can your car. It’s all in how you use it, what you add on to it, and what you fuel it with. I have a lot of reasons to use WordPress, and I really like it for many reasons (least of which is if you asked me to explain Jekyll to someone who emails me a PDF of a Word Doc to post on WordPress… Well, yeah, no, it’s not simple.)

    Misconception: Where Do I Install Jekyll?

    jackie-chan-memeDaFUQ?

    Okay… you think “Hey, Jekyll’s running my site so it’s all on Jekyll, right?” Nope! Jekyll is installed on my laptop. It’ll be used to create content that I will deploy to my website. Jekyll generates the webpages. Just bear with me. Yes, it also runs the site, but it doesn’t have to. In fact, it generates all of my pages into a subfolder called _site, which you can actually load as a webpage. If I copied all of that over to a folder, it’d work as is. So option one here is that I could just do that. But that’s not what I’d call ‘friendly’ and it means all my code has to be on the server where a sneaky person could go get it. Part of why Jekyll interested me is that it’s more secure by being a flat site.

    Option two is to use a Jekyll ‘front end’ deployer, like Octopress or Prose. Option three was to stop and think “Maybe I just don’t get this and I should start simpler.” It’s very odd to me to have my ‘content’ on a server, but the ‘source’ not there. While if it’s just me running a site, that’s great. But as soon as I have to tell my dad to check code out… Maybe this is a bad idea. I don’t want end-users to have to learn all this. I want to tell them “Write your content. Save it here. Magic.”

    Revise: Needs vs Wants

    When I get really bogged down in thoughts like this, I step back and ask my self “What are my needs?” That’s similar to asking “What problem am I trying to solve?” but it’s a little broader, as I may not have an actual problem, I may just need a small change.

    I’m looking for a product with a small footprint, no comments, a way to subscribe to updates (RSS or email), separate content and design (so my writers don’t mess with the layout), and it needs to have a workflow that does not involve me having to teach svn or git commands to a music major. Oh and it has to be easy for me to upgrade (one click or git pull will do).

    Say what you will that git is easy (it is for me, albeit sometimes confusing). It’s not necessary for everyone to learn. I really feel a journalist shouldn’t have to learn to use it in order to write content! Still, after banging my head on this, I finally decided I was making my life too complicated by trying to self host before I understood the actual workflow of the process. So I went one step further back and decided not to self host right now.

    KISS: GitPages

    Everyone uses GitHub Pages. So fine, so will I. They walk you through the setup, so that’s nice. It was pretty painless to make a repo. But what did that have to do with Jekyll? I can edit everything within GitHub which is nice but I don’t want that. I wanted to learn Jekyll… Scroll to the bottom and there’s a nice graphic saying I can use Jekyll!

    Now that you’re up and running, here are a few things you should know.

    And they link to the Jekyll quickstart. Okay, thank you, I can install Jekyll. How do I hook them up? I had to actually Google to find the link to Using Jekyll with Pages and frankly, after reading it… I don’t want to. Oh I did it, but it’s not “simple.” It’s a total pain in the ass. It reminds me of the old MoveableType when you had to fuss with cgi-bin. It’s all manual. And this is fine for a dev, but I don’t want to have to install this on my Dad’s laptop. Did I mention he was on Windows?

    See? Jekyll running on my laptop

    So using this for a version controllable, static website, is actually far less tolerable than I wanted it to be. I can use it, I kind of understand it (the whole source folder is confusing me a little…) but it’s not something I could easily roll out to a medium-technical person without some serious training. In fact, I need some serious training to get good at just pushing my content, and when I compare that to WordPress…

    I get why people like it, though. The static files alone are pretty cool, but it’s going to be a learning curve.

  • Your Username is Not A Secret

    Your Username is Not A Secret

    I keep seeing this pop up. “Your CMS is not secure because it makes your username/id public! Once a hacker has that, they can try to break in!” At one point I snapped “Sure, and your house isn’t secure because someone knows your address.”

    Secret FilesIt’s one of those logical fallacies that seems vaguely accurate on the surface, but really are just plain wrong. On some level, you’d think that if a hacker doesn’t know your ID, they can’t get in, but the reality is most hackers, the surface level idiots who are trying to break into any site available aren’t checking for your user ID/Name, they’re looking specifically for a vulnerability, like they did with the TimThumb accidental (D)DoS.

    In addition, they’re not usually looking for your ID when trying that brute force login attack. The practical difference between someone trying to log in with “admin” and someone trying to log in with “ipstenu” is pretty negligible, since they’re killing my server before they get in anyway.

    As I wrote this, I thought what it would be like if there was a mod_security rule that checks if you’re trying to log into a site with the username ‘admin’ and, if so, blocks you from being able to log in. Of course, there are millions of sites with millions of CMS tools, and for some you actually cannot change the admin account name away from admin.

    WordPress is not alone in thinking your username isn’t a secret. Drupal also thinks disclosure of usernames/id is not a security risk. In fact, Google doesn’t think your ID is a secret. After all, you can log in to Google’s devices with your email, and everyone whom you’ve ever emailed kinda knows that. “Oh, you emailed me from ipstenu@gmail.com? I’ll attack that!”

    Now of course, if you try to log in with that too many times, you lock your IP out. And similarly, if you try to log in to my server via SSH too many times, the same thing happens. Have I ever locked myself out? You bet. Less since I switched to 1Password and SSH keys, but it still is very effective.

    Why isn’t this built into the core of most CMSs? Because a CMS like Drupal and WordPress is not as volatile as, say, the healthcare.gov site. The danger that comes from someone getting into my blog is minimal compared to someone getting into my email. But again, everyone knows my email account, so they’ve always got one half to the puzzle right then and there.

    Top Secret FilesOne of the other primary reasons this isn’t built in to WordPress is that it’s hard to do right, and in a way that will work on all servers, and in a way that will be easy for someone to undo. I said I locked myself out a couple times, right? I can unlock myself with a device on another IP, or I can call up my webhost and tell them my IP and can they please unlock me. Now flip that to your blog. How do you handle it? Who do you call? Do you make this a ‘solvable by the host only’ problem? Can you envision your host being happy about handling that?

    Not that I’m passing the buck here. There are plugins and extensions that do this, but they’re still best used by people who already understand security than by the common man, because the people who know what to do when they have to edit a .htaccess are the ones who probably already know how to pick a secure password, or install two-factor authentication already.

    All this comes back to something blindingly obvious though. Everyone is going to know part of your access. The reason we tell people not to use ‘admin’ as a login ID is not because it’s more or less secure, but because it makes it easy for script kiddies to target. Remember, most of the time when you’re being attacked it’s nothing you did personally, it’s just a script running. When it’s someone who has an absolute vendetta against you, your userID is the least of your concerns.

    The crux of the matter here is that your username is not a point of authentication, it’s a point of identification. Giving you an identification (I am Ipstenu) is not the same as giving you data that can be used to authentication (my mother’s maiden name is Jones; I was born in Battlesboro, VT; My favorite superhero is the Flash). There’s a reason we call them ‘Secret Questions’ as they’re both identification and authentication. Only I would know these things. And no, that’s not true, which is why secret questions are pretty useless. The more obscure they are (my first maths teacher) the less likely I am to remember them correctly. “His name was Smith… Now did I put in Dr. Smith, Mr. Smith, or Smith? Oh wait, how did he spell Smith? Smythe? Smyth? I know people with all those spellings! Which was he?”

    So no. Your user ID is not a secret, nor should it be. I spend no time hiding it.

  • Welcome the Warehouse

    Welcome the Warehouse

    It’s January and my ebooks are now located at http://store.halfelf.org/ and managed by Easy Digital Download. The WordPress Multisite books have been seriously updated for WP 3.8, with new screenshots, new plugin recommendations, and some simpler layouts. If you downloaded them before, you may want new copies now (and there’s a new one on plugin support!). But let’s go back to EDD.

    It was really that easy

    About three years ago, I thought about selling my ebooks on a dedicated site (ebooks.ipstenu.org) but it never worked right, and I didn’t like it. Then I tried just tracking the downloads with a plugin, but that was more work and I was getting a little twitchy and obsessive about the metrics. So for most of 2013, the downloads weren’t tracked at all on this site. But when I was redesigning my site, I knew that I really wanted to try this plugin my friend Pippin wrote: Easy Digital Downloads

    I want to note that I had decided to play with the plugin before I read Chris Lema’s post on Easy eCommerce & Membership Sites using WordPress. Which doesn’t have anything to do with anything except that he’s right, it’s easy, and anyone can do this. And as Chris pointed out, the tools can make it fast and easy for me. A couple years ago, I’d tried to make an online store for my wife and ended up telling her “This is too complicated, I can’t do it. Let’s use Etsy.” But that was physical products and this is digital, and we’re in California now which has a different law about selling digital items that is so clear, I understand it at first glance.

    Publication 109, Internet Sales

    Your sale of electronic data products such as software, data, digital books (eBooks), mobile applications, and digital images is generally not taxable when you transmit the data to your customer over the Internet or by modem. However, if as part of the sale you provide your customer with a printed copy of the electronically transferred information or a backup data copy on a physical storage medium such as a CD-ROM, your entire sale is usually taxable.

    That is so much clearer than anything iBooks or KDP ever said, it’s hilarious. Since my stuff is all 100% digital and I live in California, there will not be taxes, which means I can sell things off my site, not have them be ‘donate if you want.’ Don’t panic, now they really are “Pay if you want.”

    About the Warehouse and Pricing

    If you’ve checked it out, you may notice the default price is no longer zero but $7.98 cents. As I started working on this, I really did get all the way through with a zero option before I realized … that was dumb.

    Icon of a BookI had a couple logical reasons for pricing at zero when I started out with this two years ago. First of all, I was entering unknown territory without any information. Secondly, I wanted to get my name out there. Third, I didn’t want a hassle. I still agree with Cory Doctorow about how DRM is evil, and the problem with only selling books is that people don’t really know if they like your writing, or if the book is worth it. Mind you, everyone could read my blog and sort that out for themselves, but I understand there’s a weird leap about paying even $0.99 for something you don’t know about.

    But let’s think about what this means. With a normal book, you buy it, you own it, and if you hate it you can bring it back for a refund. With eBooks on the Kindle or iBookstore, you ask for a refund, they take the book back. Since I’m DRM free, I don’t have any way to revoke the book if you want a refund. Yes, that means if you demand a refund on the Kindle you keep the book and I get bupkis. (Two people in the history of ever have asked for a refund – both accidentally clicked ‘Buy Now’ twice.)

    What am I getting from people not paying for the books? A whole lot of reading, that’s what. 3% of people who got 70 pages of Multisite knowhow paid ‘something’ for the book. And I’m not ungrateful to them. Getting that book out was really part of the whole process that landed me my job, speaking at WordCamps (which I surprisingly enjoy), and I’m incredibly happy with my life. But still, nothing from nothing, carry the nothing, does leave a person feeling a bit grumpy cat.

    So would I incur the wrath of the Internet by saying that, as of 2014, you have to pay for the ebook? I think I would have. Especially since I said I would never force people to pay (even tweeted that whilst working on the site). With that in mind, I decided to do this differently and have it default to pay, but also super easy to not pay. My wife called it the “RTFM Tax” because if you read the site, you’ll see the code, and pay nothing.

    Photo of a gateway into Mumbai, India

    On the sidebar is a notice about discounts for either 100% or 50% off. There’s also a ‘secret’ code of PIGS which drops the price of one ebook to $0.99, which is the cost of Angry Birds. I thought it would be funny.

    How did I come up with the price of $7.98? Amazon helped me here. Initially I mathed the average donation to $8, and I adjusted my price on the KDP a couple times before I sussed out that people actually like non-even numbers like $7.98 so I did that and then publicized the discounts. No matter what you pay, you get to download the epub and the pdf. The ebooks are all DRM free. You’re still permitted, no, encouraged to duplicate and give ’em away.

    Think of it like a GPL plugin you bought. Yes, you pay for the code, but once you bought it, it’s yours to use, burn, give away, or expand on. The one thing you can’t do is resell it as if it was yours. Which I hope you think is fair.

    Let’s have fun with ebooks in 2014! After all, my next ebook is about … ebooks.

  • Your Website is Work

    Your Website is Work

    I spend a lot of time teaching people, and also giving directions (which I seem to have to send out repeatedly) only to be faced with a remark that doing all these things to manage a website is hard and time consuming and complicated and painful. It takes a lot of effort for me not to reply like this:

    Life IS pain, highness. Anyone who tells you differently is selling something

    Of course it’s hard. Malcom Gladwell, in his book “Outliers: The Story of Success,” posits that it takes 10,000 hours of work to become an expert at something. Anything. Now, believe that or not (and yes, some people are naturally gifted so maybe they can do these things faster or achieve an even better expert level than you), the fact remains that we all had to learn skills.

    What’s interesting is this is nothing new. We know this. We’ve known it for years that we have to put in the sweat equity. But people look at a website as being “easier” and think it’s really all a ‘set it and forget it.’ But it’s not. It’s never been that way. Making a website and walking away is dangerous not because you might get hacked (which you might), but because people will walk away when there’s nothing new.

    At WordCamp Chicago, I talked about this. There’s a difference between how someone like Ron Popeil sells things and how Julia Child did. No one can argue she wasn’t successful, but she, like Chris Lema sell you on yourself, rather than ‘You need this one thing to be a success.’ If I stick to my food analogy, Emeril sells things but Alton Brown sells you skills.

    This just comes back to the basic understanding of needing skills, some skills, to keep your website up and running. We’re not all going to be hard core coders, nor should we be, but we do need a modicum of technical savvy to use the tools. Our technology gets more complicated, and while I know WordPress is concerned with that, even plain HTML is complicated to figure out that first time. The bar is there, and you have to master jumping it, or even peeking over it, to get through your day.

    A website is work. The health of your website is directly proportional to the work you put in, and as we all know…

    If you haven't got your health, you haven't got anything.
    “If you haven’t got your health, you haven’t got anything.”

    I would like to propose we all, for 2014, be shamelessly honest (to steal a phrase from my company). Be upfront, direct, and truthful. When people say “Is WordPress easy?” we say “It can be, but remember, no matter how easy a tool is, your website is still going to be work.” I would like us to stop selling our tools because they’re so easy a caveman can do it, and start selling truth about how it’s being used. “Everything gets easier the more you use it.” and “The more familiar you get with this, the easier everything becomes.”

    You keep using that word. I do not think it means what you think it means.This is not to say that our tools can’t be easy and shouldn’t be easier, but we have to face the facts that no matter how easy we make WordPress, or Drupal, or any tool, our presence on the Internet will remain work. And work means that sometimes you’re going to have to learn new, harder-for-you, skills to keep up with everything, or spend money to hire someone to do things.

    No one can tell you how easy something will be for you, and I think we need to stop telling people “Don’t worry, it’ll be easy.” When I tell someone they can fix a hacked site, I tell them they can without losing their content, and while it can be overwhelming and scary, if they can copy files between folders, they can do this. By being honest about the work that goes into your website, the more prepared they will be for the inevitable moments of pain and difficulty, and the easier it will be for them to solve those problems.

  • Sometimes The Answer Sucks

    Sometimes The Answer Sucks

    I’m good at what I do. I’m really good. I’m an expert, and I’ve rarely run into a WordPress site I couldn’t fix, or at least get back to usable. This doesn’t mean I can code everything, but it means I can take a broken site and get your content back. I can’t, however, perform miracles all the time. You saw how I said ‘rarely’ right?

    The real issue here is that sometimes the answer I give people is a horrible, terrible, sucky answer.

    Scotty_JefferiesTubeWhile Montgomery Scott always saved the day giving the engines more power, and skipping through the Jefferies Tube like the most bad-ass red shirt in existence, the sad reality of life is that sometimes we can’t save your website. If we can’t figure out why it broke, we may not be able able to fix it.

    For example, a site suddenly lost all the plugin settings. They were just gone. Poof. No one had done anything, so the obvious cause is the database having a snafu, right? Well no. The DB was checked, everything seemed in order. We tried a restore, no-go. At that point, the only thing I could tell the person was to re-apply all the changes again, manually. The user was pissed off and it’s totally understandable why! I was pissed off. I couldn’t solve a problem and yes, when I can’t solve things, I get very upset with myself. And I was upset that the answer was so sucky! Redo your hard work? What a crock! But no matter what I did, no matter how I tried to pull the settings back, I was just getting further and further down that rabbit hole, and I knew I absolutely had to cut my losses.

    Kirk_AngryIn all likelihood, someone did something without checking it was right and without making a backup first. This happens. We know we shouldn’t mess with ‘production’ but we all do it. So that means sometimes we’re really reckless and we shoot ourselves in the foot without protection. While we can, and do, try really hard not to be stupid anymore, accepting that you (or perhaps your captain) has made a boneheaded mistake is really important. Equally so? Accepting that cleaning up that mistake may not be the answer we wanted to hear.

    No one wants to hear ‘Start over.’ That’s pretty much a given. And yet we’ve all done it before. When I studied music, the number of times I had to start over because I’d made a mistake is uncountable. When I was learning to connect pipes in plumbing? Oh I ripped things out a hundred times before getting it right. I even restarted this entire blog post a couple times. And that’s not the only time the answer sucks. You changed user roles and capabilities and now you can’t log in? Congratulations, you get to reset them and start over.

    I could go on with example after example of things we do, without realizing how dangerous they are, and how much trouble they get us in, but I suspect the point is made. We do amazing things to ourselves and can’t always fix them. Should you be upset when it happens to you? Of course. And should you be annoyed when you didn’t do anything and they break? You bet! But ….

    Your website is like a car that’s always running. Eventually something is going to break, and when it does, the only hope you have of salvation are your backups. Everything really comes back to that, doesn’t it? I deleted the wrong table in a DB and had to restore the whole thing from the day before. Lost a day’s work. Nothing to be done to fix it but that. I had a file, for no reason I could see, go corrupt and refuse to let me edit it. Thankfully the backup was the version I wanted to edit, so I deleted and re-uploaded and moved on.

    These things will happen.

    The answer will suck.

    Decide if you’d rather spend your time complaining about how it’s sucky, or if you want to knuckle down and get to work.

    Scotty and Scotch

    Or drink scotch.