Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: wordpress

  • Mailbag: I want to make WordPress.com

    Mailbag: I want to make WordPress.com

    Justin is not the only person who’s asked me this one, and it boils down to “How do I run my own wp.com?”

    I wouldn’t. It’s insane, and if you want just an inkling as to how frustrating it is, spend 8 hours a day, for 2 days, doing free support in the WordPress.com forums. That’s going to be your life. If you hate it, don’t do it. And more to the point … I don’t feel we need more generic ‘Anyone can host here.’ sites. The most successful modern one is Medium, which doesn’t give you a site like ‘ipstenu.medium.com’ but instead just share-posts everything. I’m personally not sold on the efficacy of it, but my point is I feel these gateway blogs are less and less necessary, the better we make WordPress software. We’re lowering the bar for people to own their own sites.

    If IF I was going to consider it, I’d be looking at it from the aspect of a small group of people. For example “A network for small town newspapers.” I take care of the servers and code, they just write. That’s a smaller, niche, market, but also one that probably can’t afford VIP WordPress.com. You can always expand, after all.

    But Justin actually has a security concern. Let me share in his own words:

    I want to build a service like wp.com, blogger.com but with free and commercial themes and plugins. Drag and Drop themes (Headway, Ultimatum), plugins (Visual Composer). If my site is feature-loaded, people will come, is’t that right? But I wonder why people don’t use all those nice software to build better than those companies. I want to ask, is it because people can insert malicious codes in css and javascript code editors?

    Yes and no.

    Its not the malicious codes in CSS and JS, though that is a concern. WordPress.com has a CSS editor that you can pay extra for, and the question many people ask is “Why isn’t that free?” The issue isn’t with security, it’s support. Frankly, people who need (note the word ‘need’) a managed site like that generally haven’t a clue what they’re doing in CSS for design. They need those baked and locked themes because they’re not ready for the rest without a conscious choice and a monetary investment. You’re paying more for something, ergo it’s worth more.

    But JavaScript? Well that would be security but also support. I certainly don’t want people messing with JS because it’s easier than CSS to break your site with it. Don’t believe me? Go look at everyone’s whose visual editors broke after upgrading to WordPress 3.9 because of plugins that don’t work well with the new JS settings in TinyMCE. Those are plugins, written presumably by people who know what they’re doing. And they broke.

    Is there a security risk to letting people edit CSS? No.

    Is there a security risk to letting people edit JS? Yes. And worse on Multisite (which is what WordPress.com is running) as that could break the entire network, not just one site. A bad CSS call will only break your own site on the network, after all.

    A lock on a locker

    But I think the question may be “What’s so dangerous about JS anyway?” and the answer there is “Cross Site Scripting” (aka XSS). XSS is a vulnerability that will allow hackers to inject scripts from their computer into your site, which is normally (in WP land) used to bypass the requirement to be logged in, dump garbage into the database, and then log in and create merry havoc on your site. I’ve been told up to 84% of all vulnerabilities in the web are XSS related. This may or may not include CSRF (Cross Site Request Forgery). The XSS article on Wikipedia is pretty good.

    Based on that alone, I would not allow users to make their own javascript edits. I would perhaps provide plugins to allow them to make certain adjustments, but not anything they wanted, any time they wanted. If they need that, then they need to get their own hosting on their own server, so they only blow up themselves.

    Oh and whatever you do, don’t try to become ‘the next…’ anything on your own. That way lies madness. Get some help.

  • Mapping Domains Without a Plugin

    Mapping Domains Without a Plugin

    Recently I wrote WordPress Murder Mystery. The day I released it, I got on a plane to fly to Miami, and proceeded to have a pretty awful travel day, thanks to a storm that pretty much knocked travel to the SouthEast out of commission. While I waited for my flight to DFW, I got pinged. “Hey, I can’t add anything from your store to my cart!”

    I pulled up my laptop and thought about what I’d changed. Oh. I’d turned off domain mapping. But not really.

    Ghost Cookies

    You see, I love the WordPress Domain Mapping plugin. But I’m not using it here. No, I’m actually doing something I expressly and patently tell people not to do … because time has changed with 3.9 and it’s almost okay to do things this way. The change here is that WordPress is smarter now, and it’s safer, and you actually can just edit the home and site URLs in the Network Dashboard. But you know how I said ‘almost’ back there? Your ability to shoot yourself in the foot is directly proportional to how smart you think you are.

    What I did? It’s basic but assumes you already know how to add a domain onto another.

    1. Go to Network Admin -> Sites
    2. Edit the site in question
    3. Change the URL to the mapped domain, check the ‘change home and site URL’ box, and click update

    That was it! Three steps and everything still worked! This also let me force change a site to https all the way, and since I didn’t have content, I didn’t bother with a search/replace. If I had, I’d use that Interconnectit Script or WP-CLI for it. Still, like a wise person, I always get the domain ‘right’ before I add content.

    And at this point, everything seemed to work just fine! And so I left it as is and published my book. And as you know, it all failed, spectacularly. I rolled everything back (because I knew what I’d changed last, see? always remember that!) and it worked again, so I knew I had to have missed something big here. Since I was stuck in an airport with choppy wifi, I disconnected everything and fired up my localhost version of my site. Banging on that for a while, I saw I missed a small, but hugely important factor in the plugin.

    See most of what it does is that pretty interface to say “Pull domain.foo content from site #2 (aka foo.example.com)” and force redirects. It also lets you do cool things like “Allow users to log in from foo.example.com instead of domain.foo” but really I didn’t need any of that. The meat of the code is in the sunrise.php file, which when I studied, I realized was just doing the redirects “Send Site #2 to domain.foo” and for me, by renaming the home and siteURLs, I was already doing that.

    So what had I missed?

    define( 'COOKIE_DOMAIN', $_SERVER[ 'HTTP_HOST' ] );

    That was it. I forgot to tell it “Cookies belong to the domain you’re on.” What this means is that if you log in at example.com, the cookie you get is for example.com and not domain.foo! For the most part, this isn’t a problem since no one logs in but me … until you try to make a purchase and it validates a cookie which doesn’t match the domain. I added that to my wp-config.php (down at the end of my Multisite section, where the SUNRISE define had been earlier) and everything magically worked.

    Two lessons! First, test everything. Second, you can map domains without a plugin, safely.

    I will note that, over time, it’s possible those settings for home and site URL may vanish from display. They’re powerful and dangerous settings, and you should not mess with them without a good backup.

  • Mailbag! .htaccess questions

    Mailbag! .htaccess questions

    New thing! So many people email me for tech support, which I’m pretty clear on how you’re not going to get it. But Ken (the web mechanic) asked some pretty basic questions, and I’ve decided to answer some of them.

    A loopIn public. Lucky you, Ken. Don’t worry! These were good questions. See, one of the (many) reasons I love WordPress and the support forums is that the answers are public so everyone can see what the question was and how it was answered! This is hugely important to foster a community, so that’s why I’m going to answer this in public, with your personal information removed, of course.

    Ken’s basic concern is that .htaccess is confusing, and is there a preferred order? The answer is yes. The basic idea is that .htaccess rules are a top-down process. The server reads the file from the top on down, in order, 1-2-3. For this reason alone, it’s obvious why you don’t want a super long .htaccess file: more to read takes longer!

    The WP permalink area… Should that always be dead last?

    Yes! WordPress rules always go last. Remember what I said about top-down? If you were to put WordPress at the top, you would load WordPress, process it, and then do the rest of the rules. Which once you say that, it’s pretty obvious eh?

    Deny IP addresses/ referrers. To me it would make sense for them to be at the beginning… Would that be true?

    True! The access controls (including IP blocks) first. Redirects go next, starting from most specific (about-me to about) first to general last. Then your Rewrite rules.

    Compression/Caching/mod_expires… I haven’t a clue where they most appropriately go. Securing wp-config, htaccess itself, other files, etc. … Before? After? the WP permalink block.

    I put them before my re-writes. Since I use a deny to secure .svn type files, it’s an access control so it goes first.

    So how does this work? Here’s a practical example. You want to do the following: remove www from your domains, protect your wp-config file, protect your comments and login from direct attacks, redirect some old pages from before you were WordPress, redirect your old permalink formats, and gzip/compress things. Oh and run WordPress!

    The order would go like this:

    1. Access Control: This is the part where we’re protecting specific files, but also blocking IPs. Basically it’s ‘Security First.’
    2. Remove WWW: We want to make sure everyone’s redirected to the non-www page. If you’re redirecting specific domains (like I send tech.ipstenu.org to halfelf.org), you do it here as well.
    3. GZIP: I do my compression here, though it woudl work just as well swapped out with the next one.
    4. Redirect: Here we’re talking one-off redirects like sending ‘about-me’ to ‘about’.
    5. Rewrite: The ReWrite rules are the ones where you say “Send http://example.com/2014/01/10/postname/ to http://example.com/postname/” with those rules with regex.
    6. WordPress Rules: Last. Always always last.

    And that is .htaccess!

    If you want a look at how my .htaccess is structured, see My super-secret .htaccess file, which hasn’t changed much since 2013. I do a couple things out of order, but they’re minor enough. As long as I can limit any recursive loops with the .htaccess checks, I’m doing good.

  • New Smilies?

    New Smilies?

    While the arguments for and against are pretty hot and heavy (see the trac ticket for more), it’s no secret I’m pro-new smilies. The old ones are too small, too pixelated, and too (pardon the phrase) web 1.0. They look old and out of date on my site.

    Here they are at normal size:

    Old Smilies, normal sized

    And here’s double:

    The smilies at twice size

    These are both gifs, to illustrate the size issue. Notice how they’re fuzzy?

    I want to make one thing clear, pun intended. None of my issues have to do with Retina. I don’t like ‘small’ anything. The smilies are too small, much like the font on many people’s websites, the pixelization is hard for me to identify. In fact, while I’m using the new smilies here, you’ll notice they’re bigger. Sure, cause I tossed this in my CSS:

    #wp_grins img, img.wp-smiley {
    height: 25px;
}

    And that’s all it took to make them something I felt was readable. But the beauty, and why I like the new SVG images, is that I can make them larger like that, without losing readability.

    Thankfully, due to the curmudgeony efforts of the new smilies’ biggest naysayer, Otto, we have a filter! I’ve talked about this before, in how I handled both SVG and PNG as smilies for IE. I have a couple options here. I could write some code myself, or I could use New WordPress.com Smileys (which is on GitHub for reasons, the code is fine!).

    I like the plugin a lot. I like it so much, I refactored my SSL Grins plugin to use them with the fancy pants new span code (instead of images). But… Well, I already had this done by the time his plugin came out, and I like how I accounted for things differently. The only real difference though is he uses spans, and I just swap out the images:

    <?php
/*
Plugin Name: Custom Smilies
Plugin URI:  https://ipstenu.org
Description: I like the new smilies, shut up Otto.
Version: 1.0
Author: Mika Epstein
Author URI: https://ipstenu.org/
*/

// Move Smilies
add_filter('smilies_src','helf_smilies_src', 1, 10);
function helf_smilies_src($img_src, $img, $siteurl) {
    if ( strpos( $_SERVER&#91;'HTTP_USER_AGENT'&#93;, 'MSIE 8' ) || strpos( $_SERVER&#91;'HTTP_USER_AGENT'&#93;, 'MSIE 7' ) || strpos( $_SERVER&#91;'HTTP_USER_AGENT'&#93;, 'Android' ) ) {
        $img = 'ie/'.$img;
    }
    else {
         $img = str_replace("png", "svg", $img); // Remove PNG
    }
    return $siteurl.'/code/images/smilies/'.$img;
}

// This is in a paren for my sanity....
{
    global $wpsmiliestrans;

    if ( !get_option( 'use_smilies' ) )
        return;
    
    if ( !isset( $wpsmiliestrans ) ) {
        $wpsmiliestrans = array(
        ':mrgreen:' => 'icon_mrgreen.png',
        ':neutral:' => 'icon_neutral.png',
     // removing b/c new versions
        ':twisted:' => 'icon_evil.png',
          ':arrow:' => 'icon_arrow.png',
          ':shock:' => 'icon_eek.png',
          ':smile:' => 'icon_smile.png',
            ':???:' => 'icon_confused.png',
           ':cool:' => 'icon_cool.png',
           ':evil:' => 'icon_evil.png',
           ':grin:' => 'icon_biggrin.png',
           ':idea:' => 'icon_idea.png',
           ':oops:' => 'icon_redface.png',
           ':razz:' => 'icon_razz.png',
           ':roll:' => 'icon_rolleyes.png',
           ':wink:' => 'icon_wink.png',
            ':cry:' => 'icon_cry.png',
            ':eek:' => 'icon_surprised.png',
            ':lol:' => 'icon_lol.png',
            ':mad:' => 'icon_mad.png',
            ':sad:' => 'icon_sad.png',
              '8-)' => 'icon_cool.png',
              '8-O' => 'icon_eek.png',
              ':-(' => 'icon_sad.png',
              ':-)' => 'icon_smile.png',
              ':-?' => 'icon_confused.png',
              ':-D' => 'icon_biggrin.png',
              ':-P' => 'icon_razz.png',
              ':-o' => 'icon_surprised.png',
              ':-x' => 'icon_mad.png',
              ':-|' => 'icon_neutral.png',
              ';-)' => 'icon_wink.png',
        // This one transformation breaks regular text with frequency.
        //     '8)' => 'icon_cool.png',
               '8O' => 'icon_eek.png',
               ':(' => 'icon_sad.png',
               ':)' => 'icon_smile.png',
               ':?' => 'icon_confused.png',
               ':D' => 'icon_biggrin.png',
               ':P' => 'icon_razz.png',
               ':o' => 'icon_surprised.png',
               ':x' => 'icon_mad.png',
               ':|' => 'icon_neutral.png',
               ';)' => 'icon_wink.png',
              ':!:' => 'icon_exclaim.png',
              ':?:' => 'icon_question.png',
        // New for me
              '>:(' => 'icon_mad.png',
              'o_O' => 'icon_surprised.png',
              'O_o' => 'icon_eek.png',
              '^^‘' => 'icon_redface.png',
              ':‘(' => 'icon_cry.png',
              ':’(' => 'icon_cry.png',
   ':whiterussian:' => 'icon_whiterussian.png',
              '|_|' => 'icon_whiterussian.png',
               ':/' => 'icon_uneasy.png',
              ':-/' => 'icon_uneasy.png',
      ':developer:' => 'icon_developer.png',
        ':burrito:' => 'icon_burrito.png',
        ':martini:' => 'icon_martini.png',
              '>-I' => 'icon_martini.png',
          ':blush:' => 'icon_redface.png',
          ':heart:' => 'icon_heart.png',
            //'&amp;lt;3' => 'icon_heart.png',
           ':bear:' => 'icon_bear.png',
           ':star:' => 'icon_star.png',
              '(w)' => 'icon_wordpress.png',
              '(W)' => 'icon_wordpress.png',        
        );
    }
    
    if (count($wpsmiliestrans) == 0) {
        return;
    }
}

    But why don’t they all show up in my comments section? Where’s the martini!? I also upgraded my plugin SSL Grins with an ‘easter egg’ of code that hides anything in this array of smiled_hide. This works on both my version of the smilies plugin and Avryl’s. and looks like this:

    $smiled_hide = array("bear", "wordpress", "martini", "developer", "whiterussian", "burrito","icon_bear.gif", "icon_wordpress.gif", "icon_martini.gif", "icon_developer.gif", "icon_whiterussian.gif", "icon_burrito.gif", "icon_bear.png", "icon_wordpress.png", "icon_martini.png", "icon_developer.png", "icon_whiterussian.png", "icon_burrito.png", "icon_bear.svg", "icon_wordpress.svg", "icon_martini.svg", "icon_developer.svg", "icon_whiterussian.svg", "icon_burrito.svg");

    Now this is possibly the jankiest, stupidest, code I’ve written in a while. I’d rather just have the words be there, and filter “If any of the values in this array is a partial match to the name of the smilie we’re looking at right now, don’t show it.” But I’m not clever enough with arrays and preg matching at this point, so I did that ugly list, and used this:

    if (!in_array($grin, $smiled) && !in_array($grin, $smiled_hide) ) {...}

    So at this point, pull requests are welcome because I’d love to clean that up!

  • It’s Better to Extend

    It’s Better to Extend

    If you’ve heard me answer the question “Why is this a plugin and not in core?” then you’ve probably heard me say “It’s better for WordPress to be extendable than to include everything.” And you’ve certainly heard me tell folks that the concept of Open Source development is different than many of you think.

    One of the many reasons I liked WordPress was that, unlike other apps, I didn’t have to spend the first week after install turning off a great number of features that I didn’t want, just to have the core application that I did want. WordPress stood apart by assuming very little. You want to publish content. That’s pretty much it in the beginning. As things changed with the times, comments and media uploading were added, but at it’s heart, WordPress has remained pretty on point.

    Simplicity.

    ExtendWordPress doesn’t want to get in the way of your content. It would rather make decisions, not options, to keep it simple. We constantly argue about better ways to simplify, how we can remove options to improve usability, how we can make things easier and faster.

    Earlier this month, my friend George ruminated on decisions and specifically talked about how to make his code serve two masters:

    To each according to their needs. Typical users need a simple, smooth, classy interface. Power users need to get under the hood. Why try to make something that doesn’t work well for either by trying to serve both?

    This is the route WordPress tries to take, and it has some pretty incredible payoffs. If you don’t need to get under that hood, your site is lean, fast, and perfect. If you do, you can totally monkey with your engine all you want to make changes. But that user who has no idea what we mean when we say “add a filter to the output…” doesn’t have to learn anything new. They can just install a plugin and go.

    By being extendable, WordPress is able to keep itself small and let you make the decision of what you need. It also lets you pick out what’s important to you, and this is a hard choice. We want a lot of bells and whistles on our sites, but we know they’ll possibly make things slow. We have to decide what we care about more, what can we sacrifice, and what must we keep.

    So when I tell people “It’s better that WordPress is extendable.” I do so understanding that I put the work on you, and not core. I’m making you do the hard part, the part of weighing options and features. The part of telling a client “No” because that awesome slider will make their page slow. I’m putting you on the spot.

    I think that may be why people get made about this whole thing, more so than the trials and tribulations of finding the right plugin. Of course finding a good plugin that won’t break is hard. You should be circumspect about plugins and themes, test them well, don’t just use them because they’re super pretty. But here I am saying that we’re lazy, over in WordPress land, and we want you to decide what you need.

    Man touching his iphoneMany of you use smartphones. Many of you buy in-app purchases. Many of you, like me, think that in-app purchases are kind of a terrible thing. Thomas Baekdal goes a step further and argues they are destroying the gaming industry. Many people argue WordPress does the same thing. The core is free and the add-ons may be free or they may cost money. Heck, I paid for this theme, it’s parent theme, and some plugins!

    Let’s take Easy Digital Downloads, a plugin I use. It’s free. I have six specific add-on plugins for it, though to do things I want. One I wrote, three are free, and two I paid more for. Why is that okay? Because unlike the model of paying to speed things up, EDD lets me pay to add what I NEED. I needed a PayPal alternative (PayPal is free by the way), so I bought Stripe for my users who can’t use PayPal. I wanted (not needed) a way to let people pick prices in some places, so I decided to buy that as well. But everything else has been free. That’s nothing like the In-App payments, that’s what they wanted to be but didn’t manage.

    So it’s better to extend because I decide what I want, and I decide where to spend money, and I decide what to do. WordPress without those extensions? Still works. There are hundreds of options to do what I did totally for free, legally and morally free of implications too. I paid for the speed and connivence, but I didn’t have to worry about things I didn’t want or need because I didn’t add them.

    I like the place where I decide what I need.

  • The Person of WordPress

    The Person of WordPress

    I read Manga, pretty much like every comic book nerd from the 1980s. I got hooked on some fairly grown up stuff as a tween, and today I read the stuff with entertaining and semi realistic stories. One of them I read is called “Space Brothers” about, get this, two brothers who decide to become astronauts. When the story starts, the younger brother, Nanba Hibito, is poised to make his first trip to the moon, while the older brother, Nanba Mutta, is fired for head-butting his boss. As the story goes on, Mutta overcomes obstacles and is accepted into JAXA, Japan’s version of NASA.

    It’s during his first lecture as a newbie wanna-be astronaut that the lead of the support staff draws the Japanese character of Person on the white board:

    Kanji for

    And he tells them a famous person said this:

    The character of person shows that people are living by supporting each other.

    I was unable to verify the quote, but it sounds somewhat reasonable to me. Still, in looking at it, I thought that the stroke on the right seemed to be supporting a bit more than the one on the left. So did the character in the manga, who went on to explain that some people support more than others, but they do so with the intent of boosting the others higher. That’s why the leftmost stroke is taller.

    Now, Japanese has three written languages: hiragana, katakana, and kanji. For those unfamiliar, you can read a brief explanation from Ancient Scripts, but the person character I used above is from kanji. There’s a historical basis in kanji that look like their meanings, so this interpretation isn’t outside the realm of possibility.

    When I look at WordPress, I see that leftmost character as being the path taken by the people who manage to write amazing code. And I see myself as the rightmost character, who tests and debugs and supports them. I feed information into them as I find it, I help others to do the same and solve their problems. I am, indeed, a support guru.

    There’s nothing wrong with this. If it wasn’t for me, and people like me, WordPress would fall over. I said this at WordCamp SF in 2012: If there weren’t users, there would be no WordPress. All of us, the users and the support people and the random one-plugin developer and that person who edited a theme once, we’re all the reason WordPress is still being used as well as it is. The app was made useful and deemed useful.

    But consider the modern version of the character.

    Modern Kanji for Person

    This may seem strange if you’ve never read about kanji before (I was once deeply into a manga about caligraphy), but it has it’s own version of print and cursive. Here are all the various ways one might write ‘person’ in kanji:

    Variations on 'Person' in Kanji

    Now you may notice that’s a Chines Kanji exemplar. It’s the same thing for around 70% of the characters. And in this case, it happens to be the same.

    If I was to extend my previous thought, that the support arm of WordPress helps it reach new heights, I would look at the modern character and say that the two arms keep each other from falling over and, only when combined, can they reach the future of marvelousness.

    That’s a bit cheesy, I know, but the point is that we’re not alone. We don’t work on open source in a vacuum, we work together, relying on each other, to make everything better for everyone. We’re equal partners in the work of creation, even if we don’t see it as such all the time.

    I don’t know what the kanji is for Open Source, or if there even is one, but I hope it represents people for being the crux of it all, always helping people.