Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: wordpress

  • Capital H Dangit

    Capital H Dangit

    My new gig at DreamHost comes with a minor ‘d’oh!’: it’s a capital H, which I seem to be incapable of remembering. So I wrote a function. I stole capital_P_dangit() and swapped the WordPress for DreamHost. To save myself from embarrassment, here it is:

    // Capital H in DreamHost
    add_option( 'helf_capital_H_dangit', 'yes', '', 'yes' );

    // Only hook the filters while the option is switched on
    if ( get_option( 'helf_capital_H_dangit' ) == 'yes' ) {
        foreach ( array( 'the_content', 'the_title', 'comment_text' ) as $filter )
            add_filter( $filter, 'capital_H_dangit', 11 );
    }

    function capital_H_dangit( $text ) {
        // Simple replacement for titles
        if ( 'the_title' === current_filter() )
            return str_replace( 'Dreamhost', 'DreamHost', $text );

        // Still here? Use the more judicious replacement: only touch 'Dreamhost' when it
        // follows a space, a quote, a tag or a bracket, so URLs and code are left alone
        static $dblq = false;
        if ( false === $dblq )
            $dblq = _x( '“', 'opening curly quote' );
        return str_replace(
            array( ' Dreamhost', '‘Dreamhost', $dblq . 'Dreamhost', '>Dreamhost', '(Dreamhost' ),
            array( ' DreamHost', '‘DreamHost', $dblq . 'DreamHost', '>DreamHost', '(DreamHost' ),
            $text
        );
    }
    

    Now. Here’s where it gets fun. No ‘hacks’ posts will be affected by this code! Otherwise how would I show it to you here? Normally this is where you would just run remove_filter( 'the_content', 'capital_H_dangit', 11 ); in the functions file for your theme. Due to the way I’ve wrapped my various functions into mu-plugins, the down and dirty way was to wrap the above block of code in a check: if ( $blog_id != 2 ) { ... }.

    Most of the time you won’t care about things like this. I just needed it so I could demonstrate code. I’ve done the normal filter remove here so I can also say ‘Wordpress’ in my code related posts. For proof this works, I assure you, 100%, that I typed in ‘Dreamhost’ over in my post about quitting my job and going to work for them.

    Sorry about that, Simon!

  • Managed Themes Have A Place

    Managed Themes Have A Place

    This post is dedicated to Helen Hou-Sandi, who donated to help me get to WCSF. Helen and I like to Pass the Hat, to the amusement of my former firewall team. She also encouraged me to apply for the WP job I got last week. Thanks, Helen!

    I’ve been using a managed theme on my main site (ipstenu.org) for the last few months, and I’ve decided I really like it. I’ve also started to sort out the kind of people who should be using it, and it’s not everyone.

    Let’s start by breaking down themes into their logical types:

    • A Theme – These are things like TwentyEleven, that you simply use as-is.
    • A Child Theme – These are for tweaks you can’t make via plugins or css.
    • A Parent Theme – This is a theme you know you’re going to extend.
    • A Theme Framework – Similar to a parent theme, this is a theme you build off of. It may, or may not, be a parent, however. See ThemeHybrid’s themes, or the Bootstrap theme.
    • A Managed Theme – A theme that acts like a framework and a child at the same time.

    The differences between these types are slim, and it sounds like I’m arguing semantics. The weird magic of it all is that themes are themes, and there’s not a whole lot of difference between everything. So maybe I’m looking at themes wrong. The point of themes is that you should be able to make your site look how you want to, no matter your skill level. The problem is that with a low skill level, you don’t know how to do the things you want to. This is where managed themes come in.

    A managed theme holds your hands, and takes the burden of knowing ‘code’ off of the user. While I’m not a fan of lowering the bar too much, there’s a point when we need to make the software easy enough in all aspects and not just some. WordPress isn’t perfect, and while it’s amazing at a lot of things, there’s really too much going on in others. This is why there’s room for something like Tumblr, where it’s very easy to post (if hard to make your site look ‘right’). I see WordPress needing some improvement on posting, making it much easier for people to just write, and somehow separating that from the ‘managing a website’ part.

    But at the same time, managing the website, making it look right, is crazy hard. There are a lot of options and a lot of possibilities. Anyone who’s tried to make a site for someone else knows how much like banging your head on a wall it can be. So when you’re new, and you can’t afford to hire the big guys to make a site, but you want flexibility without having to learn code, where do you go?

    Managed Themes.

    Look, I love a sexy Theme Framework. I’m a huge fan of ThemeHybrid. But part of why I love it is that I can get into the nitty gritty code, tweak functions, and go to the races. I spend a lot of time tweaking backends and testing layouts and messing with functions. But not everyone likes to do that, nor should they. I’m not a super snazzy theme designer, they’re not super awesome writers, it’s differences that make the world go around.

    For the last few months, I’ve been using Genesis Theme and I have to say, if I was going to make a site to turn over to someone who I knew was somewhat savvy but not super technical, I’d pick that. It’s not ‘easy’, but this is something that a middle-of-the-road person could pick up, make their way through, and grow and advance as needed. It’s a perfect way to make your site not look ‘standard’ while still not meaning you have to be all action/hook/function skilled. After all, it takes a while to grow into that.

    Managed themes aren’t for ‘me’ most of the time. I know that’s weird to say when you note that I’m using one. I’m really a framework sort of girl. I love the nuts and bolts. But when I don’t want to spend a whole day (like I just did) tweaking a child theme into submission, and just pick up and go and not look like an out of the box site, a Managed Theme is the way to go. I don’t have to worry about telling someone ‘Just edit the functions.php…’ when they want to change something. There’s a nice GUI for them.

    I’ve played with a couple, but I have to say the only one that impressed me enough to give them a second chance was StudioPress’ Genesis Theme. Part of why I gave them a shot was because one of my best friends works there. But after half an hour of using it, I thought “This is easy.”

    Who are Managed Themes for? They’re not for the newbies, and they’re not for the masters of all they survey. But if you, like me, don’t really like designing themes, and you’re not always wanting to pick apart code, grab a managed theme. I may still lean towards the Parent Theme Templates for myself, but right now, looking at a site my father wants, I’m looking at those managed themes.

    They’re pretty darn cool.

  • My Custom PostTypes Live in MU

    My Custom PostTypes Live in MU

    This post is dedicated to Boone Gorges (aka ‘WP Boone’ to me), who donated to help me get to WCSF. My brother is also named Boone, so even if WP Boone wasn’t so awesome, I’d like him.

    Custom Post Types. I really dig them, as a great way to make ‘kind of’ pages, without making a million pages. They don’t ‘order’ as well as pages, and default to publish date, but really that could be adjusted. The point, and I have one, is that they’re often a great alternative to Multisite, and I use them a lot.

    There are lots of plugins that can make these for you, but I prefer to do it myself in a function file, because it gives me more flexibility for what is, let’s face it, a complicated sort of thing.

    In this example, I’m going to make a ‘drawing’ custom post-type, like the one I just added to my photoblog. First I made a file called photo-cpt.php and in it put a header:

    <?php
    /*
    Plugin Name: Photos CPTs
    Plugin URI: http://photos.ipstenu.org/
    Description: All Photos custom code.
    Version: 1.0
    */
    ?>
    

    Notice I am not telling you to put this in a functions file. I never put my CPT in my theme’s functions file, because I always make my CPTs able to work with any theme. By making it a stand-alone ‘plugin’ file, I can put it in mu-plugins and run it automatically. More on this in a minute.

    The code itself is split into two sections. I learned this method from Justin Tadlock, who has a nice, if very techy, primer on Custom Post Types in WordPress. I freely admit, once I figured this code out, I saved it off line and copy/paste it where I need, replacing the terms (Drawing/s) for what the new CPT is.

    <?php
    add_action( 'init', 'create_photos_post_types' );

    function create_photos_post_types() {
        // Text domain, defined elsewhere; pulled into scope so __() can see it
        global $domain;

        /* Labels for the Drawing post type. */
        $drawings_labels = array(
            'name' => __( 'Drawings', $domain ),
            'singular_name' => __( 'Drawing', $domain ),
            'add_new' => __( 'Add New', $domain ),
            'add_new_item' => __( 'Add New Drawing', $domain ),
            'edit' => __( 'Edit', $domain ),
            'edit_item' => __( 'Edit Drawing', $domain ),
            'new_item' => __( 'New Drawing', $domain ),
            'view' => __( 'View Drawing', $domain ),
            'view_item' => __( 'View Drawing', $domain ),
            'search_items' => __( 'Search drawings', $domain ),
            'not_found' => __( 'No drawings found', $domain ),
            'not_found_in_trash' => __( 'No drawings found in Trash', $domain ),
        );

        /* Arguments for the Drawing post type. */
        $drawings_args = array(
            'labels' => $drawings_labels,
            'capability_type' => 'post',
            'public' => true,
            'has_archive' => true,
            'can_export' => true,
            'query_var' => true,
            'rewrite' => array( 'slug' => 'drawings', 'with_front' => true ),
            'taxonomies' => array( 'post_tag', 'category' ),
            'supports' => array( 'title', 'editor', 'excerpt', 'thumbnail', 'custom-fields', 'photos-post-settings' ),
        );

        /* Register the Drawing post type. */
        register_post_type( apply_filters( 'photos_drawings_post_type', 'drawings' ), apply_filters( 'photos_drawings_post_type_args', $drawings_args ) );
    }
    ?>
    

    Looking at this, it’s actually surprisingly straightforward what I’m adding and where. The weird code of $domain is a variable I’ve defined elsewhere, and lets me translate if I need to. I probably won’t, but it’s a good practice to get into. By splitting out my labels into their own variable, I’m able to break them up and make it more readable. As Otto says, good code doesn’t need inline documentation because it’s readable. You can see the names, and the fields, I’m adding, and they magically become self-explanatory. Then in my drawing arguments, I again make a variable with the settings. Pull in the complex labels, then I can break out the next arguments into something readable.

    You can read all the various options in the codex article for register_post_type(), which is the function I finally call at the end.

    If you wonder why I have the whole thing wrapped in an action, it’s because in other places I actually add multiple post types to a site. This lets me put them all in one action, call it once, and walk away. As long as each CPT has a label, arguments, and registration, they’ll all run.

    Below that action, I have one to add my CPT to my ‘right now’ section on the dashboard. I got this from James Laws over at WP Ninjas, and really it’s one of my favorite things.

    <?php
    // Adding to Right Now
    add_action( 'right_now_content_table_end', 'photos_right_now' );

    function photos_right_now() {
        // drawings
        $num_drawings = wp_count_posts( 'drawings' );
        $num_p  = number_format_i18n( $num_drawings->publish );
        $text_p = _n( 'drawing', 'drawings', intval( $num_drawings->publish ) );
        // Link the count for admins only (a role name works here, though a capability is the usual check)
        if ( current_user_can( 'administrator' ) ) {
            $num_p  = "<a href='edit.php?post_type=drawings'>$num_p</a>";
            $text_p = "<a href='edit.php?post_type=drawings'>$text_p</a>";
        }
        echo "\n\t" . '<tr class="first">';
        echo "\n\t" . '<td class="first b b-drawings">' . $num_p . '</td>';
        echo "\n\t" . '<td class="t drawings">' . $text_p . '</td>';
        echo "\n\t" . '</tr>';
    }
    ?>
    

    Taking a step back, there’s this interesting line in my arguments:

    'taxonomies' => array( 'post_tag', 'category'),
    

    All this does is say ‘I want to use post tags and categories in my CPT.’ And in this case, it’s the same ones as I use for my normal posts. You can do a lot more with it if you wanted, but I believe in KISS.

    To loop back around, however, why do I put this in an mu-plugin? First and foremost, it’s portable. No matter what theme I use, it comes with me. As I talk about this method in No Children Necessary, it really comes into play here more than anywhere else. On a single, traditional, WP install, I just toss it in and walk away. It’s code, I don’t want my end-users playing with it, so a non-editable file is perfect. For Multisite, I really just add if ( $blog_id == 2 ) { ... } around the whole thing. I could do it just on the actions, but this is easier for me. I can see right away ‘Oh! Site 2.’
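    As an added example (not the post’s own code), here is the same labels/arguments/registration split generalized to several post types registered from one init action, with the Multisite site check done inside the functions rather than wrapped around the file. It assumes a text domain constant PHOTOS_CPT_DOMAIN and a target site id of 2, uses get_current_blog_id() in place of the $blog_id global, and puts the dashboard counts on the dashboard_glance_items filter, which replaced the right_now_content_table_end action in WordPress 3.8.

```php
<?php
/*
Plugin Name: Photos CPTs (added example)
Description: Registers several custom post types from one init action, on one site of a network only.
*/
// Assumption: one text domain for every label (the post keeps this in a $domain variable instead).
define( 'PHOTOS_CPT_DOMAIN', 'photos' );
// Assumption: on Multisite the photoblog is site 2, as in the post; single installs skip the check.
define( 'PHOTOS_CPT_BLOG_ID', 2 );

// One entry per post type: slug => array( singular, plural ). Adding a type is adding a line.
function photos_post_types() {
	return array(
		'drawings'  => array( __( 'Drawing', PHOTOS_CPT_DOMAIN ), __( 'Drawings', PHOTOS_CPT_DOMAIN ) ),
		'paintings' => array( __( 'Painting', PHOTOS_CPT_DOMAIN ), __( 'Paintings', PHOTOS_CPT_DOMAIN ) ),
	);
}

// Replaces the post's `if ( $blog_id == 2 )` wrapper with the get_current_blog_id() API call.
function photos_on_target_site() {
	return ! is_multisite() || PHOTOS_CPT_BLOG_ID === get_current_blog_id();
}

add_action( 'init', 'photos_register_post_types' );
function photos_register_post_types() {
	if ( ! photos_on_target_site() ) {
		return;
	}
	foreach ( photos_post_types() as $slug => $names ) {
		$args = photos_post_type_args( $slug, $names[0], $names[1] );
		register_post_type(
			apply_filters( "photos_{$slug}_post_type", $slug ),
			apply_filters( "photos_{$slug}_post_type_args", $args )
		);
	}
}

// Labels built from the two names with sprintf() patterns, so every string stays translatable.
function photos_post_type_labels( $singular, $plural ) {
	$d = PHOTOS_CPT_DOMAIN;
	return array(
		'name'               => $plural,
		'singular_name'      => $singular,
		'add_new'            => __( 'Add New', $d ),
		'add_new_item'       => sprintf( __( 'Add New %s', $d ), $singular ),
		'edit_item'          => sprintf( __( 'Edit %s', $d ), $singular ),
		'new_item'           => sprintf( __( 'New %s', $d ), $singular ),
		'view_item'          => sprintf( __( 'View %s', $d ), $singular ),
		'search_items'       => sprintf( __( 'Search %s', $d ), $plural ),
		'not_found'          => sprintf( __( 'No %s found', $d ), $plural ),
		'not_found_in_trash' => sprintf( __( 'No %s found in Trash', $d ), $plural ),
	);
}

function photos_post_type_args( $slug, $singular, $plural ) {
	return array(
		'labels'          => photos_post_type_labels( $singular, $plural ),
		'public'          => true,
		'has_archive'     => true,
		'can_export'      => true,
		'query_var'       => true,
		'capability_type' => 'post',  // reuse the built-in post capabilities ...
		'map_meta_cap'    => true,    // ... and let WordPress map edit/delete checks onto them
		'rewrite'         => array( 'slug' => $slug, 'with_front' => true ),
		'taxonomies'      => array( 'post_tag', 'category' ),
		'supports'        => array( 'title', 'editor', 'excerpt', 'thumbnail', 'custom-fields' ),
	);
}

// Dashboard counts for every type via the dashboard_glance_items filter (WordPress 3.8+),
// the successor of the right_now_content_table_end action used in the post.
add_filter( 'dashboard_glance_items', 'photos_glance_items' );
function photos_glance_items( $items ) {
	if ( ! photos_on_target_site() ) {
		return $items;   // the types are not registered here, so there is nothing to count
	}
	foreach ( photos_post_types() as $slug => $names ) {
		$count = (int) wp_count_posts( $slug )->publish;
		$label = number_format_i18n( $count ) . ' ' . ( 1 === $count ? $names[0] : $names[1] );
		// Link only for users allowed to edit this type: check the capability, not a role name.
		if ( current_user_can( get_post_type_object( $slug )->cap->edit_posts ) ) {
			$label = '<a href="' . esc_url( admin_url( 'edit.php?post_type=' . $slug ) ) . '">' . esc_html( $label ) . '</a>';
		}
		$items[] = $label;
	}
	return $items;
}
```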

    This is obviously not going to work for everyone, but sometimes just looking at the next option will give you a new idea.

  • Getting Involved – Notes

    Getting Involved – Notes

    In case you missed it, I spoke Saturday, August 4th, at WordCamp San Francisco. I had 15 minutes to talk and was asked to talk about the community, getting involved, and that sort of thing. Knowing there was a short time, I decided not to do slides, and instead wrote ten 3×5 cards with my notes. I’m kind of a badass that way.

    The video should be up online in a little while, and I’ll embed it here, but for now, here are my cards.


    1. Getting Involved: Log On, Jump In, Help Out
    2. I volunteer for WP. Forum mod, Ideas org/despamming, plugins, Make support (lead thingy)
    3. Instead of talking about me, I want to explain why you, the community, are important. Encourage you to jump in and help out.
    4. What is the community? Writers/Bloggers, plugin/theme devs, people who dream in code, all of us.
    5. Giving back helps. What’s the point of WP? Part of good software is how it works, and the community is the embodiment thereof. Without us, it’s nothing.
    6. Why should I help? Because you know and they don’t. Because you will learn more. Because you will be inspired.
    7. How can I help?
      1. Write Questions: use WP, come back with questions & suggestions
      2. Answer Questions: help out with those Qs! Learn what happened and why
      3. Fix things: Educate, code, educate!
    8. But … I don’t know the answers. They’re mean. They’re stupid/arrogant/ignorant. They’re impatient.
    9. No one is more important. No users == less innovation. No devs == less change.
    10. Just do it! You were new (we aren’t born knowing). There are no stupid questions. Be patient (everyone). Make WP Better.

    There you go! When the video’s up, I’ll elaborate more, and comment on what I was thinking (other than ‘don’t rush’ and ‘don’t puke’). I did suggest people answer five questions for every one they ask, since you guys are smart cookies and I know you can bang out five easy questions in 30 minutes. Half an hour. I promise it’ll make you feel better.

    Also the video has an extra secret Passover joke.

  • The Perception of Security

    This post is dedicated to Frederick Townes, who donated to help me get to WCSF. I use his rock ’em sock ’em W3TC plugin on this site, as it happens.

    The TSA is a funny thing. They make us go through all these hoops and ladders to make it look like we’re safer. They check us for weapons, they check us for bombs in our shoes, and essentially they check for everything they know about. And we call it ‘Security Theater’ because it actually doesn’t make us one inch safer. (If you’re really interested, go read Bruce Schneier‘s books. The security methods in place pre-9/11 are the ones that have caught the bad guys. None of the new stuff has.)

    At work, I have a product from a vendor that has pretty insecure passwords. I can’t make them expire, I can’t make them require special characters. In fact, you can pick a blank password if you want. There’s no security and most people use the same password (123456) because of it. It was up to me to invent something more secure, and I sat and studied the login form for the app. This was a locked down product, so hooks and actions, like we use in web apps, were unknown. But there was a hidden option, down in the bowels of an ini file, that was for ‘advanced username options.’

    Unlocking that option gave me rules for usernames, just like you’d think. But how is that going to make things safer? We already used login ids of our initials plus a number, so if I could leverage that somehow, maybe I could do something. My idea was that if the login name was always pre-filled, and uneditable, with the same ID you logged into the computer with, then in order to ‘hack’ into someone’s account, they would either need their LDAP password, or the person would leave their PC unlocked. I thought it was genius, and after some fiddling around, found how to extend the settings to allow that.

    Months later, the Auditors come around and say it’s not secure enough. We need to change the passwords more often. Even though the desktop password is the most secure of all passwords we use, and even though leaving your PC unlocked is a fireable offense, they said that since someone could gain access to your PC, the bad password was a problem. I remarked that they had a lot more to worry about in that case, and pointed out the vendor didn’t have a fix. They’re still arguing that one.

    The problem is the auditors want to be able to feel safer. They know and understand LDAP security, ergo all things must comply. It is a benchmark of safety which, in many cases, isn’t going to make things safer. If you got my LDAP password, you now have access to everything I log into at work. That isn’t safe at all, is it? It’s a single point of failure.

    Recently, someone asked why WordPress doesn’t let you move the wp-admin folder around, and that doing so would be safer. Actually they accused WordPress of being egotistic for not letting you move the folder, and for putting meta info in the source code. But let’s not get into where they’re wrong on that end. Why doesn’t WordPress let you move wp-admin? Certainly they could put the effort into decoupling the various places where it’s hard coded, put in a define you could override, just like we do for wp-content. Then you could move it wherever and you’d be happy. I cannot speak for the developers, but looking at the code (not insurmountable, just annoying), I see it as security theater.

    Moving the wp-admin folder simply cannot make your site safer. It just can’t. Look at it logically, you still have to be able to get the folder, ergo people will still be able to figure it out. The rule of the web has always been ‘If it’s on the web, people will take it.’ Normally this applies to pictures and text, but when we extrapolate it to include source code, like for open source code, which is there for the taking, we reach a point where anyone can look at WordPress’s code and determine how to quickly figure out where the admin folder has been moved to. We have now put in extra work for a very teeny tiny benefit, that can easily be circumvented.

    But isn’t that benefit worth it? Not when you look at the costs. Computers do what we tell them to, every time, every day, repeatably. When we go in and complicate our code, we introduce more human errors. The more possibility for errors, the more likelihood that we’ve missed something. So by adding in a way to move wp-admin, we run the risk of screwing it up and making things less secure. Would you rather have the brains staring down WordPress and trying to make things actually more secure, like by preventing XSS vulnerabilities, or locking down nonces and cookies, or would you like them to make you feel better?

    Furthermore, there are the themes and plugins to consider. Now we have to update all our themes and plugins that are doing_it_wrong() in the first place, and get them to join the new world order of right. Yes, they should have done things right in the first place, but some don’t because the old way still works. What happens when they don’t update? We’ll have to leave some deprecated code in there so the old wp-admin still works and … oh. Well that didn’t do you any good, now, did it? (NB. I’m certain there is a way to do this. I just don’t care enough to verify it, as you’ll see in a moment.)

    This has everything to do with the fact that open source software is open source, and ‘hiding’ anything means it’s always going to be easily reverse un-hidden. Moving wp-admin is called ‘Security by Obscurity’ and it’s a waste of time. It’s just not effectual in the long run, it doesn’t protect anything, and the only time someone knowing my WP version or where it was installed would worry me is if I didn’t upgrade and there was a known hack on the older versions. Even then, hackers will just try the same attack even if I’m protected (which I know from the TimThumb debacle, where my server was scanned for the file exploit – I don’t use timthumb, but they scanned me all the same).

    When you make me draw the line between where I’d want ‘my’ developers spending time, and the options are ‘feel good security’ and ‘make the damn product actually more secure’ … I think you know where I stand.

    What about you? What aspects of ‘security’ do you feel are just window dressing?

  • Forever Alone No More

    Forever Alone No More

    A lot of us work on projects by ourselves. We’re the ones who build a website, alone. We write a plugin, again alone. When we do collaborate with others in the making of our site and code, it’s often a cumbersome, kludgy, thing at best. The advent of code management systems like SVN and Git make the actual coding process easier. Now multiple people can make changes, branch and fork, merge and combine to fix all sorts of problems.

    But web-development, for your personal site, is still in the dark ages.

    Here’s my workflow:

    • Review changes
    • Open Coda2
    • Edit file
    • Preview changes
    • Push file

    Now that’s a huge improvement since the old days, when I would edit, FTP, and so on. I still use Transmit to run a sync/backup every day before I start editing any files, but that just goes back to my paranoia. It gets harder when you use something like WordPress, because the old days of being able to easily preview your site and how it looks don’t exist anymore. That’s part of why the totally incredible Theme Customizer is totally incredible.

    It’s also a little problematic if you share a site. Let’s face it, maintaining a website with other people is a pain. When my fellow site-folk want a small change, they can make it, but I have no way to easily roll that back without comparing my personal backup with the new one, and go make a diff. Sure I can do it, but it takes time, and it’s a hassle. A lot of the time, too, my fellow admins aren’t as good at certain things (like CSS, or tables, or PHP) as I am, and I have to bail them out. In and of itself, that’s okay. It’s why they keep me around and feed me brownies, after all.

    Have you ever had someone else make a change while you’re on vacation and call you in a panic, even though you’re on Bora Bora and have no internet, because this ‘one small tweak’ to the sidebar caused the site to go white, and they closed their file-editor, so they can’t control-z?

    A lot of us cowboy code. I sure do. I’m often banging away on my sites in vi when I want to make a fast CSS change. Clearly sustainable for a professional environment, this is not.

    But… What if? What if you had a way to update the code on your site, like your personal mu-plugins or the theme, and make the changes ‘live’ but still have a way to roll back when you accidentally blow it all up?

    And what if I told you that a WP dedicated host has an answer? Yeah, WP Engine figured it out.

    Upfront disclosure: I don’t use WP Engine. I have a lot of non-WP sites on my servers, and many of my sites aren’t using just WP. I have a VPS and I’m very happy with it. But if you want a good host to run your WordPress site that’s the step between your own VPS and WordPress.com, I strongly recommend them. Yes, it’s more expensive than many other hosts, but I am a firm believer in ‘You get what you pay for.’ With WP Engine you get hosting, upgrades, backups, and support for $30 a month. And now you also get Git. They’ve come up with a Git-push-to-deploy method for their hosting platform.

    Did that sound like gobbledygook? Hang on. This actually isn’t something ‘new,’ as the technology’s been around for a while, but this is something new for webhosting and WordPress hosting. WP Engine’s applied it to their servers, making version control possible. It’s like how we’ve always combined version control and staging to make a ‘development platform’ and now you get that in WP.

    Okay, if you’re like me, and a total raw rookie at Git, you sat here and went ‘What the hell is this ‘push to deploy’ stuff?’

    At its heart, push-to-deploy and push-to-live is really a fancy, buzz-wordy way of saying this: I have a git branch that is the dedicated-to-my-site version of my code. If I edit that branch by pushing my changes to it, I have created a version-controlled update of my site, which is beneficial in case you need to roll back a change, or pin-point a specific change.

    Okay, maybe that’s still unclear. You’re going to have to take a look at git.wpengine.com to really see how they’re applying the technology. Git, like SVN, is one of those things that makes a lot more sense once you sit down and use it a few times.

    Really, my biggest hurdle is always wrapping my head around git’s application of branches and merging and a decentralized database. It’s complex and powerful. Vincent Driessen wrote a brilliant explanation of a successful Git branching model, complete with diagrams, that explains all this way better than I could. His examples will show you exactly what’s going on, and that a ‘push to deploy’ is really just another sneaky way of using git to manage your changes in a controlled way.

    Don’t get the wrong idea. There’s nothing wrong with being sneaky to control all this, when you get down to it! It’s the perfect-world a lot of teams have been looking for, for many years. Having this built into your webhost, so you don’t have to come up with your own solution, is going to be amazing for small companies that will, over time, have a slew of developers. Someone new comes along? Hand them your primer on naming conventions and merge rules, let them fetch the repository, and off they go. Everything is right there, as safe as your backups.

    I can’t say if this will revolutionize things, but it’s a harbinger of change which web dev has sorely needed.

    Check out WP Engine’s Git FAQ (where they explain all the nitty gritty about handling version control, so if you’re a nutjob like me and want to run aortic, you can), or just read their getting started guide. The directions are clear enough for a Git newbie like me to understand.

    Unlike Capistrano or RAMP, this hasn’t been released outside of WP Engine, but that makes sense as it’s all homegrown and built to their servers. This should be interesting to watch how other WP (and non WP) managed hosts handle the next wave of support.
