Tag: wordpress

WordPress Plugin Script

I don’t like the automated plugin installer. I don’t know why, I just don’t. I have this stupid simple script I use instead. I cleaned it up before posting here. It’s a lot more complicated than my WordPress Upgrade Script because it has to check for the latest release of the plugin via the subversion repository and clean up weird characters (because people write code on Windows, Linux and Mac and everything else!). This is one of the few times I assume that if you don’t specify a version, you probably want the latest and greatest.

#!/bin/bash

####################################################################
# WORDPRESS-PLUGIN.SH - WordPress Plugin Script for BASH SHELL     #
#                                                                  #
# This script will download and copy up the specified WordPress    #
# plugin to the account. By default it gets the latest version,    #
# but you CAN specify trunk or whatever version you want.          #
#                                                                  #
# Author: Mika Epstein                                             #
# URL: https://halfelf.org/scripts/wordpress-plugin-script/    #
#                                                                  #
# Usage: ./wordpress-plugin.sh plugin [version]                    #
#                                                                  #
# plugin  == the 'ugly' name of the plugin (i.e. wp-super-cache)   #
# version == the FULL version number (i.e. 0.1.2)                  #
#                                                                  #
# This program is free software; you can redistribute it and/or    #
# modify it under the terms of the GNU General Public License as   #
# published by the Free Software Foundation; either version 2 of   #
# the License, or (at your option) any later version.              #
#                                                                  #
# This program is distributed in the hope that it will be useful,  #
# but WITHOUT ANY WARRANTY; without even the implied warranty of   #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the    #
# GNU General Public License for more details.                     #
#                                                                  #
####################################################################

if [ "$1" = "" ]
then
  echo "EXIT: FAILURE! You didn't specify a plugin name.  Kinda need that."
  echo "Syntax is ./wordpress-plugin.sh plugin [version] "
  exit
fi

if [ "$2" = "" ]
then
  # We're getting the readme from the repo and using that to calculate the latest stable release.
  wget -qO $1-readme.txt http://plugins.svn.wordpress.org/$1/trunk/readme.txt

  if ! [ -f $1-readme.txt ]
  then
    echo "FAILURE: The plugin is goobered in the WordPress repository, so we can't determine the latest stable release."
	exit 1
  else
    tr -cd '$2' < $1-readme.txt > $1-readme-tr.txt
    VERSION=.`awk '/Stable/ {print $3}' $1-readme-tr.txt`
    rm $1-readme.txt $1-readme-tr.txt
  fi

else
  # Quick check if someone wants the trunk build with a 'You sure?' 
  # double check.
  if [ "$2" = "trunk" ] # start trunk check
  then
    read -p "Are you sure you want to install the TRUNK version? (y/n) " -n 1
    if [[ ! $REPLY =~ ^[Yy]$ ]]
    then
      echo
	  echo "You have opted NOT to install the trunk build of $1."
      exit 1
    else
      echo
      VERSION=
    fi
  else
    VERSION=.$2
  fi # end trunk check
fi

# Download the plugin
wget http://downloads.wordpress.org/plugin/$1$VERSION.zip

# If the file didn't download, then you probably got the URL wrong. Fail.
if ! [ -f $1$VERSION.zip ]
then
  echo "EXIT: FAILURE! Could not download $1$VERSION.zip - Did you get the version and plugin name right?"
  exit
else
  echo
  unzip -q $1$VERSION.zip
fi

# This is ONE LAST CHANCE. If you say anything other than yes, then it cleans up.
read -p "Last chance.  You sure you want to install the plugin $1 v$VERSION for $USER? (y/n) " -n 1
  if [[ ! $REPLY =~ ^[Yy]$ ]]
  then
    rm -rf $1/
    rm $1$VERSION.zip
	echo
	echo "EXIT: You have chosen NOT to install WordPress $1 at this time."
	exit 1
  else
    echo
  fi

# This is a quick check to make the directory if it's not there.
# Change this if you want to install to a subfolder or whatever.
if ! [ -d public_html/wp-content/plugins/$1 ]
then
  mkdir public_html/wp-content/plugins/$1
fi

# Copy the files up to root public_html
# Again! Change this if you want to install to a subfolder or whatever.
cp -r $1/* public_html/wp-content/plugins/$1/

# Post install clean up with a 'I don't know what you did!' error.
if [ -f $1$VERSION.zip ]
then
  rm -rf $1/
  rm $1$VERSION.zip
  echo "SUCCESS! You've downloaded the plugin $1 (version $VERSION). Now go activate it!"
else
  echo "POSSIBLE FAILURE. Could not clean up the files, so there's a chance everything went pear shaped."
  echo "Please review your WordPress plugins and remember: Blame Nacin."
fi

exit

30 December, 2010

WordPress Upgrade Script

I don’t like the automated updater. I don’t know why, I just don’t. I have this stupid simple script I use instead. I cleaned it up before posting here. But this is what I use when I want to upgrade my various installs to the latest version, or the nightly build. I didn’t bother to put the svn stuff in here, since the script I use for that is fairly weird and particular to me.

#!/bin/bash

####################################################################
# WORDPRESS.SH - WordPress Upgrade Script for BASH SHELL           #
#                                                                  #
# This script will download and copy up WordPress to the account.  #
# It's pretty simple, with the bare minimum of error checking. So  #
# be careful.                                                      #
#                                                                  #
# Author: Mika Epstein                                             #
# URL: https://halfelf.org/hacks/wordpress-upgrade-script/     #
#                                                                  #
# Usage: ./wordpress.sh version                                    #
#                                                                  #
#                                                                  #
# This program is free software; you can redistribute it and/or    #
# modify it under the terms of the GNU General Public License as   #
# published by the Free Software Foundation; either version 2 of   #
# the License, or (at your option) any later version.              #
#                                                                  #
# This program is distributed in the hope that it will be useful,  #
# but WITHOUT ANY WARRANTY; without even the implied warranty of   #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the    #
# GNU General Public License for more details.                     #
#                                                                  #
####################################################################

if [ "$1" = "" ]
then
  echo "EXIT: FAILURE! Call this as './wordpress.sh VERSION', you nut!"
  exit
fi

# Quick check if someone wants the nightly build with a 'You sure?' 
# double check.
# This sets the URL, as it's different for the nightly builds.
if [ "$1" = "nightly" ]
then
  DOMAIN=wordpress.org/nightly-builds
  VERSION=wordpress-latest
 
  read -p "Are you sure you want to install the NIGHTLY build? (y/n) " -n 1
    if [[ ! $REPLY =~ ^[Yy]$ ]]
    then
      echo
	  echo "You have opted NOT to install the nightly build of WordPress."
      exit 1
    else
	  echo
    fi

else
  DOMAIN=wordpress.org
  if [ "$1" = "latest" ]
  then
    VERSION=latest
  else
    VERSION=wordpress-$1
  fi
fi

# Download WordPress
wget -q http://$DOMAIN/$VERSION.zip

# If the file didn't download, then you probably got the URL wrong. Fail.
if ! [ -f $VERSION.zip ]
then
  echo "EXIT: FAILURE! Could not download $VERSION.zip - Did you get the version right?"
  exit
else
  echo
  unzip -q $VERSION.zip
fi

# This is ONE LAST CHANCE. If you say anything other than yes, then it cleans up.
read -p "Last chance.  You sure you want to install WordPress $1 for $USER? (y/n) " -n 1
  if [[ ! $REPLY =~ ^[Yy]$ ]]
  then
    rm -rf wordpress/
    rm $VERSION.zip
	echo
	echo "EXIT: You have chosen NOT to install WordPress $1 at this time."
	exit 1
  else
    echo
  fi

# Get rid of hello dolly and akismet 
rm -rf wordpress/wp-content/plugins/akismet
rm wordpress/wp-content/plugins/hello.php

# Copy the files up to root public_html
# Change this if you want to install to a subfolder or whatever.
cp -r wordpress/* public_html/

# Post install clean up with a 'I don't know what you did!' error.
if [ -f $VERSION.zip ]
then
  rm -rf wordpress/
  rm $VERSION.zip
  echo "SUCCESS! You're on WordPress $1."
else
  echo "POSSIBLE FAILURE. Could not clean up the files, so there's a chance everything went pear shaped."
  echo "Please review your WordPress install and remember: Blame Nacin."
fi

exit

The fix to ‘Oh shit, I installed WordPress 2.1 instead of 3.1!’ is to re-run it correctly, by the way. So long as you haven’t logged in to your site, you won’t update the database, so a backout is always a re-run, even in the real world.

30 December, 2010

My plugins are ready for 3.1

I did a quick run through my plugins, and everything is ready for 3.1, even the tricky wicket of Register IP – MultiSite, which is now Version 1.0.

New things:
Register IP – MultiSite works for both 3.0.x and 3.1, single and multisite. The fix put in by the dev team means that the same actions will work for all site types! Yay!

Disabler now lets you disable the 3.1 admin bar (thank you, Ozh!) but NOT as a default option. Remember, Disabler is meant to allow you to pick and choose what you want to disable. If you want a site-wide/mu-plugins type setup, you’ll want to use Ozh’s plugin Disable Admin Bar.

Thoughts:
I’m seriously tempted to ‘sunset’ Recently Registered since it’s fugly and doesn’t work right.

25 November, 2010
Spam / Splog Wars
If you run a blog where anyone can comment, no matter what the software du jour is, you’ve had spammers. There’s really no way around it. As soon as someone comes up with a great, easy, way for you to share content and open discussion with other people, the door opens for people to use that great, easy, way to spam you.

A lot of people take spam for granted. We get junk mail, we get telemarketers, we get spam. It’s a constant of life. And spam is just like junk mail and telemarketers. They want to get your attention, they want you to click on their links, and they want your money. Some spammers link to actual products (usually sex products) and others link to sites that will infect your computer with a virus. The end result, oddly enough, is the same. They want you, and your visitors, to click on their links and somehow make a profit. The cost overhead is so low that even if just one of my visitors clicks on a link and buys something, they’ve made a huge profit. (By the way, if a post looks like spam, don’t click on their links. Only give your money to reliable companies. Research them, ask around. Be smart.)

A spammer posts spam comments or uses your site to propagate their crap. A splogger is a spam-blog. A blog that only exists to pimp the same crap. If you have an open-registration CMS site where anyone can make a blog, you will get sploggers. Some people will argue that WordPress is less secure because it gets more splogs than Joomla. I would disagree. More people use WordPress’s built in ‘anyone can make a blog!’ feature than Joomla, so it’s a better target if you’re a spammer. You’re going to get more bang for your spam-buck, so you aim for the biggest target.

No matter what type of tool you use for spam-trapping, remember that the best tool you have is your eyes, your brain, and your common sense. YOU are the number one, best defense, against spammers. Yes, this means you have to give up of your free time to maintain the site, to monitor the new blogs, to monitor the new comments and users, and stop them. While some posts can be hard to determine if their spam, if you check the email, the URLs and the context, usually you can sort them out.

Unless you have a dedicated team of people monitoring your site for trouble, it’s hard to keep up. This is where I start throwing in tools to help my site. There are three levels of defense: Server, Account and Application. I’m not linking to many tools, since a lot of this is preference. I like certain tools, other people like other tools. At the end of the day, no matter how good your tools are, the human element is required to be attentive and aware of the site. I’ve blogged before on the dangers of an unchecked multisite, and they remain true. Running a website is work. If you’re not willing to put the time in to maintain, monitor, and defend your site, something bad will happen to your site.

Server Level

Set up a good firewall. I use ConfigServer Security & Firewall, which checks against Mod Security and bans people who hit it too hard. This prevents a lot of automated spammers and also stops them, once they GET in, from being able to send out spam emails. A good firewall does wonders for other reasons too, but only if you configure it correctly. ConfigServer has a test it can run to see if your setup is good or middlin’ or poor, and I check it every time I upgrade. Oh yeah, keep current with your firewall tool, too!

Account Level

I hesitate on this one, but .htaccess can be used to ban IPs. I don’t like to do this and, generally speaking, don’t do this. If someone skirts by my firewall, I’m not going to block them at the IP level, since there are probably some legit users. Also, the firewall is automated, whereas my .htaccess I’d have to manually update. The point of a good tool is that you don’t have to fiddle-fart around manually too much! That said, there are ways you can kill spammers and sploggers via the .htaccess.

D’Arcy Norman came up with this awesome way to stop them on WordPress Multisite:
```
# BEGIN ANTISPAMBLOG REGISTRATION
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-signup.php*
RewriteCond %{HTTP_REFERER} !.yourdomain.tld. [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://someotherpage.tld/ [R=301,L]
```
Credit: D’arcy Norman.net

The part I like best is that if you change wp-signup.php to where ever it is your site has a signup page, you can make this work with just about anything. What it does is check the POST requests (which is the server request when you submit a form) for the page wp-signup.php. If those requests do not come from your domain (which if you click on the sign-up button, they must), then it sends them to http://someotherpage.tld/. I send them to a page that says they’ve been caught as a spammer, and to behave better.

If you must use an .htaccess blacklist, I would strongly suggest you follow D’Arcy’s advice and block them from accessing your registration page only. His thermonuclear option is above and beyond what I need, but I can see it being useful.

Application Level

Once you’ve set up your server and account as best you can, you have to start modifying your application. Thankfully, any modern CMS has a good plugin or extension system, and you can leverage that. Sadly, most modern CMS have the same problem of keeping up with the spammers. The tools used are pretty much the same.

Most CMS have a limited array of built-in tools. WordPress has a way to make all first-time posts require approval for example, but really when you get down to it, you want to throw in some plugins/extensions/modules that are designed to help.

Content Moderation

Blacklists are simple. Here is a list of people I don’t want to have access my site. Done. There are the usual caveats for this and the same warning applies as with .htaccess IP blocking: you may block legit users. Personally I prefer moderation lists versus delete blacklists. They put the possible spammer into a bin for me to review and approve or not. Blacklists and mod lists work best, I’ve found, for spam comments rather than splogs. I know, normally, no one on my site will be talking about viagra, but what happens if they have a question about it? The term is on my moderation list. (Funny but true story. I had the word ‘sex’ on a mod filter on another site. Suddenly people were talking about how sexy someone was, and all the posts hit my mod filter. Sometimes these terms are great to block out, but sometimes you forget how they’re really used.)

That said. There are good, reliable, blacklists. Stop Forum Spam and Project Honey Pot both are blacklists maintained by the community, and get enough information that they can be use reliably. There’s also Spamhaus, but that’s mostly email. You can use these on most applications as well.

Behavior

There’s actually a plugin called Bad Behavior, which is a great example of what I mean. Bad Behavior the app analyzes the HTTP headers, IP address, and other metadata regarding the request to determine if it is spammy or malicious. What I mean by the term is simply ‘Is the visitor coming to my site from a legit browser?’ See, spammers don’t use the normal browsers that you and I use, so if someone comes from a special method to my site, they’re probably not a good person.

Behavioral monitors learn as they go, or as they’re updated, and can be pretty effective. Sometimes people on archaic browsers (IE 6, for example) will get nailed by false positives. There’s not a whole lot I worry about with those, since any browser since 2005 is usually safe to go. There are two people who hit my sites regularly who’ve run into this problem, and once I sorted out what they were doing (Netscape Navigator 4 came out in 1998 and IE 6 came out in 2001), I told them ‘Look, the site will look like crap anyway. Upgrade.’ One guy couldn’t, the other switched to FireFox and admitted to being much happier anyway. (I don’t believe in supporting browsers pre-2005 at this point. I monitor my site stats for them, but realistically, it’s not going to happen. Upgrade, people. You’ll be happier.)

CAPTCHA

Personally I hate these. CAPTCHA is named after ‘capture’ and is a contrived acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.” It looks like this:

The idea behind CAPTCHA is that it should provide a problem easy enough for all humans to solve while, at the same time, prevent standard auto-fill software from filling out the form. Sounds great, but the problem is people have created software to read the CAPTCHA files. Personally, I love the fact that we’re making AIs smart enough to parse this stuff, but it hurts CAPTCHA because in order to defeat the AIs, they tend to become harder and harder to read for real people. Also, most CAPTCHAs are not friendly to people with limited accessibility. If you have dyslexia or glaucoma, they’re of the devil. I would never consider using one on my site unless forced to.

Human vs Computer Test

Originally CAPTCHA just meant any challenge/response to stop automated form fillers. Since it now is used, almost exclusively, to refer to those images, I’m pulling out Human Tests. A human test is when you have a question, or form, that requires thought to answer. Like ‘Who’s buried in Grant’s Tomb?’ We all know the answer is ‘Grant’ so you type that into a text field when you register or comment, and magically you have access. I’m fond of simple math questions like ‘What is 12 + 8?’ but also good are site specific questions. One on my friend’s site is about Marg Helgenberger, and they use questions about Marg (like ‘what’s the last name of her character on CSI?’).

The reverse is to trick the computer. Put a hidden checkbox on your site, that is NOT human readable, and if that box is checked, aha! Spammer! That’s a pretty cool trick if you can make it work.

Do you have tips and tricks you use?
12 October, 2010
Dig Yourself Out of a Hole – Multisite Edition
When I started my first MultiSite install, I didn’t want Blog #1 to be the main ‘dashboard’ site. The reasons why don’t matter. What does is that when you make seemingly simple changes, you have to be aware of how things work, as a whole, and be willing to take risks to fix them.

Site #1 was my test site and has since been deleted
Site #2 was a vlog which still exists
Site #3 is my ‘main’ site, the front page of it all
Site #6 is my saved Tweets
Site #7 is a documentation site
Site #8 is to save my Formspring posts

I know it’s weird. Bear with me. At first I was going to use Site #1 as an ‘all posts!’ site, like Andrea suggests you do with sitewide tags plugin, but then I realized that I wanted a splash page and then some fancy ‘Hi! Welcome!’ stuff with links to the vlog, blog, etc. Once I decided I wanted site #3 to be the ‘main’ site, I made that switch by editing two things.

First I went into Super Admin >> Options and changed my main site to #3:

Then I edited my wp-config.php file to say:
```
define('SITE_ID_CURRENT_SITE', 3);
define('BLOGID_CURRENT_SITE', '3' );
```
Now to be honest, I think that I only need one of those, but I’m totally stumped about that now. At the time, I just saw they were both set to 1 and I changed them to 3. Everything worked! Great! This was done.

Then I went to create site #4. And it didn’t show up. So I made site #5, ditto. Decided that was weird as hell, I went into phpMyAdmin and after some poking around, deleting sites and re-adding, I found the wp_blogs table and saw this:

Rationalizing that since I could see Blogs 2 and 3, and their site_id was 1, I changed it to this:

And again, things seemed to work just fine. Until I started trying to use the new iPad WordPress app. Or add anything to post to my blog. Like Formspring. Nothing worked. The blogs couldn’t be found, and third-party apps sometimes crashed. Again, I thought ‘Maybe the site_id should be 3!’ So I changed it to this:

Not only did that not work, it broke things. Quickly, I changed it back and frowned. I was obviously missing something, but what!? I started looking around for all instances of site_id and found the wp_sitemeta table! Most of the entries had site_id of 1, but some had 3.

I changed the wp_blogs table again, knowing it would break things, exported the whole wp_sitemeta table as a backup, and then ran a quick SQL search and replace, changing 1 to 3 and got this:

Now the whole site worked from front and back end, so I went to Formspring and tried to add my site. And guess what? It worked! It also magically fixed my iPad/WordPress testing woes.

So the lessons learned are “Never give up!” and “Never make changes when you don’t know what you’re doing!” Actually, no, not that second one. The lesson is to be bold with your solutions. Don’t panic and be willing to take a risk. I took backups before I started playing around, and I knew at worst, I could restore my site in 30 minutes. Because I had an escape plan that took me back to where I was, I had no fears about my changes. When you have nothing to lose, that’s when you should jump forward and try something silly!

I doubt the actual details of all this will help you, since I don’t think anyone but me was boneheaded enough to screw around like this in the first place. But seeing that someone else has seriously screwed themselves up, shot themselves in the foot, and come out feeling super smart should, I hope, encourage you to stay calm, think it through, and make a stab at something that seems right. When the wave rocks your boat, hang on and don’t be afraid to swim a bit.
20 September, 2010
com or org? Which WordPress is Right for Me?

There are two WordPresses. This confuses lots of people, to the point that Matt Mullenweg has implied he’ll never name something like this again. It’s almost as confusing as pages vs posts, which is a whole different post.

WordPress.org – The location of the software you can download and install your own WordPress blog on your own server.

WordPress.com – The often free blogging software anyone can sign up for and have hosted by WordPress.com. It’s like Blogger or LiveJournal, only better because it’s WordPress.

So which one is better? .com or .org?

I usually tell people that I can’t answer that question, or to google it, or I ask them what they want to do. It’s not an easy question to answer, but I’m going to try here.

First, I want to point out that there is no shame in not wanting to host your own blog. Seriously. It’s work, and anyone who says otherwise is an idiot. You have to stay up on your software versions, plugins, themes, etc etc and … Yeah. Work.

So here it is, in all it’s glory: If all you want is a blog, and you don’t mind a few basic themes? Use WordPress.com. There. Done. If you’re willing to pay, you can even customize your CSS or download other themes, and have your own domain name.

A friend asked me recently if she should use wordpress.com or self host. My email is verbatim:

Don’t worry about where you want to be in 10 years, worry about where you want to be in a year, but only in the broad strokes. It’s like learning to paint or draw. You start with the big, simple, concepts, and learn how to do the rest as you go. If you think ‘I want something like Ning’ or ‘And I want forums’ or a wiki or whatever, well, then don’t use .com. But if all you want is a blog? Just use WordPress.com and you’re done.

Except, see, it’s really not that simple.

When people on WordPress.org forums ask this question, I usually tell them to read Don Campbell’s post “WordPress.org vs WordPress.com – Which One Should I Use?” It’s pretty straightforward and helpful. Lately, people have followed up that advice with ‘Okay, great. Why is one better than the other?’ Even people who read the official WordPress.com vs. WordPress.org article by WordPress ask that.

I firmly believe that better is subjective, and it really depends what kind of blogger you want to be. However there are some obvious benefits to self-hosting.

WordPress.com limits your free themes. If you want some fancy CSS or your own domain name or more storage, you have to pay for it. At a certain point, you will end up paying the same as you would for a hosting plan, and you’re getting ‘less’, in that you still can’t install your own plugins or third-party apps! No Wiki, no gallery. Nada. On the other hand, you pretty much never have to worry about your upgrade going bananas, or hanging .maintenance files that make you think your site is down, or incompatible PHP/SQL versions. You get the most pain-free upgrade possible.

That said, if your blog grows and becomes popular, you will outgrown the free hosting. You’ll need to pay more for hosting. You may even have to pony up for VIP hosting if you make it big like Cute Overload. Free only takes you so far, and you get what you pay for. Pay nothing, and there’s a limit to what you’re going to get.

But wait, you don’t pay a thing for WordPress.org! Does that mean you get nothing? No, it means that there is a limit to what you get. Free support, sure, but from people who fill in on our free time. Yes, our. I waste a lot of time helping people with obvious question, pointing out typos, and earning karma credit by trying to be a good person. There are a lot of people with a sense of entitlement, that this software should do everything without needing to know what’s going on. Listen, you weren’t born knowing how to use Microsoft Word. Some people go a lifetime without touching macros, while other people can’t fathom their life without key commands that resize and reformat sections.

There is no one true way to nerdvana, folks. There’s no one perfect operating system, no one perfect blog software, no perfect phone. It’s all what you want, what you can use, and where your comfort zone is.

So why would I pick WordPress.org over WordPress.com? Flexibility, growth and options. I want the ability to grow and do everything that might come down the road. Of this, WordPress, my blog, is a small part. I want SubVersion, videos, galleries, you name it.

Why would I pick WordPress.com over WordPress.org? I wouldn’t. But I do suggest it to people now and then, when I look at their needs and say ‘You know, this is a great place to start.’ If they outgrow the .com, they can export their posts and comments over to a self-hosted install with a bit of effort. And the work required to do that is pretty typical of the savvy you’re going to need to support yourself going forward.

Which is better? No one can answer that for you, but hopefuly some of the advice here will get you started in answering it for yourself.

17 August, 2010