Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: wordpress

  • Don’t iframe Me In


    I review plugins for WordPress.org, and one of my pet peeves is when I see a plugin that purports to connect your site to their service…. using an iframe.

    I have a stock reply to those:

    Having the admin dashboard be just an iframe isn’t permitted.

    We don’t permit plugins to phone home like that (for two main reasons – security and appearance – too often people assume that they just signed into WORDPRESS and not your plugin). Please change your code to use an API or just link back to your site so they can configure things there.

    The minority of the time, this is accepted, fixed, and moved on. The majority of the time, people complain that it’s ‘easier’ or ‘not confusing’ or ‘someone else is doing it.’

    If everyone on the planet would stop using someone else doing something wrong as a reason to allow them to do it, I’d be so happy… But that isn’t the point. The point is that using an iframe in a plugin is a bad idea in general, and a horrible idea for your admin panel.

    Let me step back. Like everything else, iframes are awesome to a point. They’re a great, easy way to include content in your site without having to include a mess of code. When YouTube was new, iframes were the only way to include videos, and they looked like this:

    <iframe width="420" height="315" src="http://www.youtube.com/embed/dQw4w9WgXcQ" frameborder="0" allowfullscreen></iframe>
    

    You’ll notice the iframe has to specify a height and width, which means I can’t adjust my site quite as much as I want to. The other major issue here is that I’ve had to specify http, which means if my site runs https, I will have security issues. Now, there are workarounds to this (and YouTube now uses a src of //www.youtube.com/embed/oHg5SJYRHA0 to mitigate the security issue), but there’s another, cooler, aspect to how it’s all working.

    If you use WordPress, you don’t have to paste in the iframe at all, ever, because you have embeds! What the embed does is use the magic of oEmbed to … well … embed! This allows WordPress to reach out to YouTube, ask how it wants to embed itself, and use either embed code or iframes or HTML5, or whatever else we come up with! It does this using an API (application programming interface) which lets it talk back and forth. This same principle applies to your plugin pages. If you use an iframe, it’s a quick and dirty way to include content from your service (like a login form) on the plugin-user’s site.

    So why don’t I like people to use it? Let’s start with the login issue. The admin page could be changed to point that iframe anywhere it wants, making it easy to send you to a page that looks a lot like the ‘right’ page but isn’t. This is a lot harder to do if, instead, you have an API that securely transmits data. If someone can edit the PHP code of your plugin, either approach can be redirected, but the API details are a little harder to fake.


    An iframe is also a problem when you consider layout. Yes, it can make design easier in that you are in full control of the design, but you’re not in control of the rest of the site. I like the eggplant color for my admin dashboard, and if your iframe clashes with that because you don’t ‘look’ like WordPress, then it’s jarring for a user. Another worry? Adblock or Ghostery, the two most popular browser extensions ever, will often block those things.

    Finally, and for me this is the biggest one, your users won’t know where their account is. Look, I know it should be obvious when you have something that ‘makes’ an account with a service that the account belongs to the service. And yet. One of the places I help out is with WordPress.org password resets. 90% of the emails are for people trying to reset the password on their own blogs. You can’t convince me that people actually know what they’re doing anymore, if they ever did.

    So please, don’t put an iframe in your plugin as the only way I can access your admin area. It’s lazy, it’s insecure, and it’s confusing. It’s 2014. Trust me, people understand allowing their blog to connect to Twitter now.
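
    What the stock reply asks for ("use an API or just link back to your site") can look like this. It is an added example, not code from this post or from any real plugin; the service, its endpoint, the JSON fields (`email`, `plan`) and the `exsvc_api_key` option are all hypothetical.

    ```php
    <?php
    /*
    Plugin Name: Example Service Connector (added illustration)
    */

    // Hypothetical HTTPS endpoint of the remote service.
    define( 'EXSVC_API', 'https://api.example.com/v1/account' );

    add_action( 'admin_menu', function () {
    	add_options_page( 'Example Service', 'Example Service', 'manage_options',
    		'exsvc', 'exsvc_render_page' );
    } );

    // Server-side API call instead of framing the remote site inside wp-admin.
    function exsvc_fetch_account() {
    	$response = wp_remote_get( EXSVC_API, array(
    		'timeout' => 5,
    		// API key saved by the site owner in a plugin setting (assumed option name).
    		'headers' => array( 'Authorization' => 'Bearer ' . get_option( 'exsvc_api_key', '' ) ),
    	) );
    	if ( is_wp_error( $response ) ) {
    		return $response;
    	}
    	if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
    		return new WP_Error( 'exsvc_http', 'The service returned an unexpected status.' );
    	}
    	$data = json_decode( wp_remote_retrieve_body( $response ), true );
    	if ( ! is_array( $data ) || ! isset( $data['email'], $data['plan'] ) ) {
    		return new WP_Error( 'exsvc_body', 'The service returned an unexpected response.' );
    	}
    	return $data;
    }

    function exsvc_render_page() {
    	if ( ! current_user_can( 'manage_options' ) ) {
    		wp_die( 'You do not have permission to view this page.' );
    	}
    	$account = exsvc_fetch_account();
    	echo '<div class="wrap"><h1>Example Service</h1>';
    	if ( is_wp_error( $account ) ) {
    		echo '<p>' . esc_html( $account->get_error_message() ) . '</p>';
    	} else {
    		// Remote data is untrusted input: escape it on output.
    		echo '<p>Connected as ' . esc_html( $account['email'] );
    		echo ' (' . esc_html( $account['plan'] ) . ' plan).</p>';
    	}
    	// Account management stays on the service's own site, labelled as such.
    	echo '<p><a href="' . esc_url( 'https://example.com/account' ) . '">Manage your account on example.com</a></p>';
    	echo '</div>';
    }
    ```

    The page is drawn with WordPress's own markup, so it looks like the rest of the dashboard, and the only place a user types service credentials is on the service's own domain.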

  • Customize Network Toolbars


    This came up in the WordPress Support Forums. If you use Multisite, the WordPress toolbar (at the top of your site when logged in) has a special item called “My Sites” which shows all the sites of which you are an administrator. This is great and works as a quick jump to get to a different site really fast. It has problems, though, in that if you make a network with a bunch of sites named the same thing, it’s hard to tell which site you’re on.

    Now I know what you’re thinking! “Mika!” You say. “Mika, come on, no one has 100 sites with the same name unless they’re doing what you say is a terrible idea, and duplicating sites!!”

    Au contraire, mon frère. There are a few totally understandable reasons why this might happen. Fairly recently I was helping a school sort out Multisite, and they wanted a site for each classroom (easy) and the names of the sites would all be the same: Super Cool School – Class Frog

    And their ‘My Sites’ list was all the same.

    An example of a site list where the names aren't really readable because they're too long

    As you can see, WordPress wisely puts a practical limit on the title length, which makes sense. Now when I was faced with this problem, I remembered something that had come up in the forums, where someone wanted the ‘language’ of the site to show up in the site list, so his sites would be showing as “SiteName (en)” and so on. Since he was using the site path (en, de, etc) as the site’s slug, it was easy for him to come up with this, once I (accidentally) pointed him the right way:

    <?php
    /*
    Plugin Name: Show Site Path
    Description: Show Site Path in My Sites Menu
    */
    
    function helf_customize_my_sites( $wp_admin_bar ) {
    
        // The sites the current user belongs to, as loaded by the toolbar.
        $mysites = $wp_admin_bar->user->blogs;
    
        // Each site is an object, so changing it here changes what the menu shows.
        foreach ( $mysites as $site ) {
          $site->blogname .= ' (' . $site->path . ')';
        }
    }
    
    add_action( 'admin_bar_menu', 'helf_customize_my_sites' );
    

    I say it was an accident because I did read the question wrong, but it actually gave me the answer for my school. They too used the classroom name as the site path, so for them I changed one line:

        foreach ( $mysites as $site ) {
          // Replace the name with the path (no quotes, or you get the literal text).
          $site->blogname = $site->path;
        }
    

    That was it. Now the sites showed up the way they wanted.

  • Mailbag: One Analytics to Bind Them


    Mailbag on Monday because Angie Meeker asks:

    Do you have an article about getting Google Analytics right on Multisite, so SA can see indiv stats for each site, but also parent. Where the SAdmin owns the entire GA account (site owners don’t need their own GA account)

    There are a few ways to do this, and they’re all pretty easy.

    Google Mod_PageSpeed

    This is the ‘easiest’ way if you already have PageSpeed installed. You can put in your GA filter in the .htaccess and be done with it:

    ModPagespeedEnableFilters insert_ga
    ModPagespeedAnalyticsID <Analytics ID>
    

    That’s actually what I do here, because I’m incredibly lazy and I have Pagespeed set up on my server. I can even make this a little more special by using if statements in Apache 2.4:

    <If "%{HTTP_HOST} == 'www.domain.com'">
        ModPagespeedEnableFilters insert_ga
        ModPagespeedAnalyticsID <Analytics ID>
    </If>
    


    MU Plugin

    But if you’re still on Apache 2.2 or don’t want to mess with .htaccess for whatever reason, then you should try an mu-plugin, my favorite things in the world. And all you have to do is this:


    // Paste your Google Analytics code here
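
    One way to write such an mu-plugin for the question above (one account owned by the super admin, stats per site plus a roll-up for the whole network), as an added example that is not the post's own code. The function names and the measurement IDs are constructed placeholders, and it assumes the gtag.js snippet rather than whatever snippet your account gives you.

    ```php
    <?php
    /*
    Plugin Name: Network Analytics (added illustration)
    Description: Drop into wp-content/mu-plugins/ so it runs on every site in the network.
    */

    // Constructed placeholder IDs, all properties in the super admin's one account.
    // Integer keys are Multisite blog IDs; 'network' is the roll-up property.
    function example_ga_ids() {
    	return array(
    		'network' => 'G-NETWORK000',
    		1         => 'G-SITEONE000',
    		2         => 'G-SITETWO000',
    	);
    }

    function example_ga_snippet() {
    	$ids     = example_ga_ids();
    	$targets = array( $ids['network'] );

    	// Add the current site's own property, if one has been mapped.
    	$blog_id = get_current_blog_id();
    	if ( isset( $ids[ $blog_id ] ) ) {
    		$targets[] = $ids[ $blog_id ];
    	}
    	?>
    	<script async src="<?php echo esc_url( 'https://www.googletagmanager.com/gtag/js?id=' . $targets[0] ); ?>"></script>
    	<script>
    	window.dataLayer = window.dataLayer || [];
    	function gtag(){dataLayer.push(arguments);}
    	gtag('js', new Date());
    	<?php foreach ( $targets as $id ) : ?>
    	gtag('config', '<?php echo esc_js( $id ); ?>');
    	<?php endforeach; ?>
    	</script>
    	<?php
    }
    add_action( 'wp_head', 'example_ga_snippet' );
    ```

    Site owners never see or edit the IDs, because mu-plugins cannot be deactivated from a site's dashboard.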

  • Mailbag: Translations


    The second hardest thing about translations is trusting the translator.

    I sometimes joke that I barely speak English, so when someone said he translated my entire ebook about Multisite into French, I was delighted and scared. While I do kind of understand French, I’m not qualified to translate it, so having someone else do it would be a fantastic offering. But since I can’t translate it, I have no way of knowing how to gauge if they understood my meaning, which is hard enough to figure out in English.

    After a while, I decided to tell him that I’d like to see them, but I wasn’t sure if I’d want to put them up online to sell or give away. Of course he was welcome to give them away all he wanted!


    The problem isn’t that I trust him, or not, but that I don’t have a failsafe. With coding, I have coworkers who can spot check me. With blog posts I could use an editor, and it’s the same with books. If this was a contracted book, I’d be able to let my publisher find someone we all agree fits the bill. When you’re on your own, it’s a lot harder.

    The same goes with my plugins. I don’t actually package anything in my plugins by way of translations. The closest I have is my Varnish Plugin, which has a folder on github for people to store translations. Since they don’t have to be included in core, it’s easy enough for me to say “Use at your own risk.”

    With code, there’s a lot more you have to do in order to make your code translatable though. With my books, I just write. With my code, I have to remember to escape properly. Which I nearly never get correct the first time out. With code, you have to remember from the start to write your words in a way that can be translated, and you have to worry every time you change things that it will be broken for everyone on the next update.

    It’s chaining, really, to realize I can’t just ‘write’ in my plugin like I do on my blog.

    So what’s the question and the answer? Should you translate your work? Maybe. You should always make it translatable, but whether or not you should manage the translations is a really strange question without a perfect answer. Unless you’re fluent in two languages.

    I keep the following links bookmarked, just to keep me on track when I start editing any plugin, and I try to work backwards to fix all my old ones, but it’s really slippery.

  • Mailbag: I Don’t Woo, But I Do CPT


    A preface to this, I don’t actually use WooCommerce so I can’t give anyone a specific answer to that, but Geovanni asks:

    Im in a pinch. I have a woocommercesite and i want to make a part where i can have users who already registered can have their your own URL and page where they can make post. I read a post u made on http://wordpress.org/support/topic/allow-users-to-post-events-on-their-own-page?replies=6 ,but u didnt say anything about how u got it to work or if u have. Can you help me?

    This was a post from two years ago, where someone asked the following:

    I’m working on a WordPress site that will allow artists to post their own events. I can’t find a plugin that will allow these posts to link up to their own pages. Each user that registers has their own URL and this page has all of their information. I’m trying to make sure that the tour dates posted aren’t ending up on every users page!!

    Any help would be greatly appreciated!

    I suggested that one could accomplish this with Custom Post Types, which was a theoretical remark, since I didn’t have the details, but when the OP later said “I need everyone to be able to create an event and post it on their own page…” I agreed it would probably be a better fit for Multisite, since they may have more than one of their own events.


    So what did I mean about Custom Post Types? Well sometimes the answer is to think about the problem in different ways. Obviously the easiest thing in the world is to tell people ‘their’ page is http://example.com/author/name, and then have them post in a specific category (say… events). Thus all events are in an event group, and everyone has their own page. But I also know users can be a little confused by WordPress and categories, so you have some options here, when it comes to management.

    First of all, there are plugins like Restrict Categories, which let you restrict users to a category. That works, but if you don’t want the URLs to have /category/ in the slug for just that one thing, you really do need to look at Custom Post Types. That leads us down the road of things like AAM – Advanced Access Manager which will let you make a custom role for ‘Event Manager’ who can perhaps manage all events, and ‘Event Poster’ who can only post.

    All this does highlight a flaw/annoyance in WordPress, and that is complex roles. WordPress’s role system is, at once, stupid simple and crazy complex. It’s a total headache to restrict people to specific areas, and in general, I hate having to do it because I find I spend more time messing with that than I do working on the site. At the same time, I dislike giving people more ‘power’ than they need. I can’t make a person a ‘comment moderator’ without giving them access to write/edit posts, for example, which is not a far-fetched wish. You can use plugins, like Disqus, to do that, but that means you’ve offloaded comments, and I don’t like that.

    Of course… for the question posited by Geovanni the answer is “Use WordPress Multisite.” Install WordPress, activate Multisite, give the user a site, let them go to town.

    That, of course, may not answer all his questions.

  • All Comments By Email


    By default, when you look at the list of comments on your WP Admin dashboard, you get a list like this:

    The Edit Comments page

    On that list, if you click on the IP address of the commenter, you go to all comments by that IP, but if you click on the email you get a mailto link, to let you email the person. That’s great, but as my friend, and fellow fansite runner, Liv pointed out, a lot of people post from multiple IP addresses these days, but only one email. What she wanted was for the icon that gave you the number of approved comments to link to that person’s approved comments.

    Me, being the sort to poke around, decided to see if that could be done. I already knew how to filter columns and tables, after all. What I learned was that there actually isn’t a filter for those columns, and the only way around it was to replace it. This means I was going to have to rebuild everything, and in doing so, I wanted that email address to be a link to the search. While annoying, it was pretty easy:

    <?php
    /*
    	Plugin Name: Easy Comment Search By Email
    	Description: Changes the default link for emails in the comment lists from mailto links to search results for that address.
    	Author: Mika A Epstein (ipstenu)
    	Author URI: https://halfelf.org
    
    	Credit: https://wordpress.stackexchange.com/questions/83769/hook-to-edit-an-column-on-comments-screen
     */
    
    class ecsbePlugin {
    
    	public function __construct() {
    		add_action( 'admin_head', array( $this, 'column_style' ) );
    
    		// Swap the stock "author" column for our own, keeping it in second place.
    		add_filter( 'manage_edit-comments_columns', function( $columns ) {
    			unset( $columns['author'] );
    			$columns_one = array_slice( $columns, 0, 1 );
    			$columns_two = array_slice( $columns, 1 );
    			$columns_one['author-new'] = 'Author';
    			$columns = $columns_one + $columns_two;
    			return $columns;
    		} );
    
    		// Draw the replacement column. This hook fires for every custom column,
    		// so only act on ours.
    		add_action( 'manage_comments_custom_column', function( $column, $comment_id ) {
    			if ( 'author-new' !== $column )
    				return;
    
    			global $comment_status;
    
    			$author_url = get_comment_author_url();
    			if ( 'http://' == $author_url )
    				$author_url = '';
    			$author_url_display = preg_replace( '|http://(www\.)?|i', '', $author_url );
    			if ( strlen( $author_url_display ) > 50 )
    				$author_url_display = substr( $author_url_display, 0, 49 ) . '&hellip;';
    
    			echo '<strong>'; comment_author(); echo '</strong><br />';
    
    			// The URL and email come from the commenter, so escape them on output.
    			if ( ! empty( $author_url ) )
    				echo "<a title='" . esc_attr( $author_url ) . "' href='" . esc_url( $author_url ) . "'>" . esc_html( $author_url_display ) . '</a><br />';
    
    			if ( current_user_can( 'edit_posts' ) ) {
    				$author_email = get_comment_author_email();
    
    				// Email address: link to a search for that address instead of mailto.
    				if ( ! empty( $author_email ) ) {
    					echo '<a href="edit-comments.php?s=';
    					echo rawurlencode( $author_email );
    					echo '&amp;mode=detail';
    					if ( 'spam' == $comment_status )
    						echo '&amp;comment_status=spam';
    					echo '">';
    					echo esc_html( $author_email );
    					echo '</a><br />';
    				}
    
    				// IP address: same search link as the stock column.
    				echo '<a href="edit-comments.php?s=';
    				comment_author_IP();
    				echo '&amp;mode=detail';
    				if ( 'spam' == $comment_status )
    					echo '&amp;comment_status=spam';
    				echo '">';
    				comment_author_IP();
    				echo '</a>';
    			}
    
    		}, 10, 2 );
    
    	}
    
    	// Give the new column the same width as the one it replaces.
    	public function column_style() {
    		echo '<style type="text/css">
    			#comments-form .fixed .column-author-new {
    				width: 20%;
    			}
    		 </style>';
    	}
    
    }
    
    new ecsbePlugin();
    

    The plugin needs a way better name, though, because this is just … bad. The array slice in the beginning was to remove the first item and replace it, without having to do a lot of overly wrought arguing with possible columns.

    That said, this is the sort of thing I may submit a patch for in core, since IPs change a heckuvalot more now, and while that’s a great way to find some serial-accounts and sockpuppets, sorting by email helps you find people being trolls. Both would be good, and I don’t think a lot of us email people. If anything, I’d change the author NAME to be a mailto link.

    Food for thought.