The Code Cave

June 26, 2008

WordPress 2.6 - Causing waves on Mars: The XMLRPC controversy

Filed under: WordPress, wp-hackers — Brian @ 11:31 am

WordPress 2.6 has been trouble.  There's been confusion about whether it would be out in July or August: there was one date in the road map and another in Trac.  On Sunday night, Charles Stricklin and I recorded episode 43 of The WordPress Podcast, and I stuck with the August date that was in the Trac tool used for development.

Then the next day Ryan Boren sent this reply to the WP Testers mailing list:

On Mon, Jun 23, 2008 at 1:01 PM, Kirk M wrote:
> Do my eyes deceive me or am I seeing a due date of July 7th for the release
> of 2.6 with a fall back for July 14? Any reason for releasing a month
> early? I've barely set up my test sites figuring I had a month to go yet ;).

[Ryan Boren replied:]
There was some confusion because the roadmap had July and trac had
August.  Given that all of the features went into 2.6 early and that
it's been running this whole time on wordpress.com and lots of our
personal blogs, a shorter beta seems doable.  I think we can launch
the beta cycle now, pound on it until the 7th and decide if it's
ready.  If not, pound it another week and decide if it's ready.  I
merge 2.6 to wordpress.com almost daily and get tons of feedback in an
instant.  I'm pretty confident in being able to finish off 2.6 in a
few weeks.  We won't be adding any more features to 2.6 so there's no
need to linger for an extra month.  Also, a July 2.6 release allows us
to consider an early September 2.7 release that focuses on pulling in
some of the GSoC work.  That work would be too much to try to push
into an early August 2.6 release.

Ah, well you win some you lose some.  At least I wasn’t the only one who thought it would be August.

Since then a much more controversial debate has arisen.  Westi announced that WordPress 2.6 would ship with the XML-RPC feature turned off.  XML-RPC is the protocol that programs like Windows Live Writer, MarsEdit, ecto and other external blog editors use to communicate with your WordPress blog.  Here is what Westi had to say about it in his announcement:

WordPress 2.6 will be more secure out-of-the box including better support for running the admin over SSL and changes to disable the remote publishing protocols by default.

We have chosen to disable the Atom Publishing Protocol and the variety of XML-RPC protocols by default, as they have the potential to be a security risk.  So from WordPress 2.6 onwards you will need to go into the Settings->Write page and enable them individually if you want to use them.

Mac software developer and MarsEdit creator Daniel Jalkut believes this to be a fundamentally wrong choice.  He’s said so on the wp-hackers list and on his website:

WordPress’s decision to shut off remote access by default is analogous to a bank offering unrestricted drive-through access to its cash machines, while requiring pedestrians to ring a bell and wait for a security guard to open the door to the machines.

Also worth considering: if a service is disabled by default for security considerations, what message does that send to people who choose to, or who are encouraged to turn the service back on? It sets up a perception of insecurity which may not even be warranted. If the remote publishing interfaces are insecure, they should be fixed, not merely disabled!

I think that's somewhat misleading.  It makes people think that the switch has to be set over and over again.  It is much more like opening a savings account and checking either the box that says you want an ATM debit card and/or the box saying you want to access the account through the online site.  Leaving either box unchecked removes one way of getting at your money, which makes it more secure, and it is a one-time choice, not a guard you wait for on every visit.

I agree that there is an issue with people upgrading and finding that MarsEdit, Live Writer or whatever no longer works.  That is easily solved by keeping the XML-RPC interface off by default on new blogs but not changing the behaviour for upgrades.

But why not just "fix" the security issues?  The truth of the matter is that you can no more "fix" all security risk in XML-RPC than you can "fix" it in any other piece of software.  It is a moving target.  New attack methods are thought of, and software improvements introduce new avenues nobody anticipated, even when there is a layer between the external interface and the database.  So even if WordPress's XML-RPC code were completely clean in 2.6, how could you prove that it is still secure in 2.8 or 3.0?

Is XML-RPC secure in WordPress 3.0?  I don't know; it doesn't exist yet.  But I do know that if it is disabled on new blogs, new WordPress 3.0 blogs won't be exposed to an XML-RPC security risk unless their owners choose to turn it on.
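The practical question after an upgrade (or after flipping the checkbox on Settings->Write) is which state a given blog is actually in, and the reliable way to find out is to ask it from the outside the way an editor would. The script below is an added example, not code from this post, from WordPress, or from any of the editors named above. It sends the wp.getUsersBlogs call with deliberately bogus credentials to /xmlrpc.php and reads the reply. It assumes the endpoint is at /xmlrpc.php and that a blog with the protocols switched off answers with an XML-RPC fault whose text contains the word "disabled"; fault codes and wording differ between WordPress versions, so the raw fault is returned alongside the verdict.

```python
"""Check from outside whether a WordPress blog still accepts remote-publishing calls.

Added example for this post; not code from the post, from WordPress or from any
of the editors mentioned. It POSTs the wp.getUsersBlogs call an external editor
makes first, with bogus credentials, and classifies the reply:

  enabled     - an XML-RPC fault rejecting the login: the service answered
  disabled    - an XML-RPC fault saying the service is switched off
  not-xmlrpc  - no XML-RPC message at all (404 page, blocked endpoint, ...)

Assumption: the "disabled" verdict relies only on the fault text containing the
word "disabled"; fault codes and wording vary by version, so read the detail.
"""
import sys
import urllib.error
import urllib.request
import xmlrpc.client

BOGUS_USER = "xmlrpc-probe"          # never use a real account for the probe
BOGUS_PASS = "not-a-real-password"


def build_request(user: str = BOGUS_USER, password: str = BOGUS_PASS) -> bytes:
    """Serialize wp.getUsersBlogs(user, password) as an XML-RPC methodCall."""
    return xmlrpc.client.dumps((user, password), methodname="wp.getUsersBlogs").encode()


def classify(body: bytes) -> tuple:
    """Map a raw HTTP response body to (verdict, detail)."""
    try:
        params, _ = xmlrpc.client.loads(body.decode("utf-8", "replace"))
    except xmlrpc.client.Fault as fault:
        detail = "fault %d: %s" % (fault.faultCode, fault.faultString)
        if "disabled" in fault.faultString.lower():
            return "disabled", detail
        return "enabled", detail       # the bogus login was processed and rejected
    except Exception:                  # ExpatError / ResponseError: not an XML-RPC reply
        return "not-xmlrpc", "response was not an XML-RPC message"
    # A bogus login must never succeed; if it does, look at that blog immediately.
    return "enabled-accepted-bogus-login", repr(params)


def sample_fault(code: int, text: str) -> bytes:
    """Constructed XML-RPC fault response, used to exercise classify() offline."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, text)).encode()


def probe(blog_url: str, timeout: float = 10.0) -> tuple:
    """POST the probe to <blog_url>/xmlrpc.php and classify the answer."""
    req = urllib.request.Request(
        blog_url.rstrip("/") + "/xmlrpc.php",
        data=build_request(),
        headers={"Content-Type": "text/xml", "User-Agent": "xmlrpc-probe/1.0"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.read())    # a fault may ride on a non-200; a 404 page is not-xmlrpc
    except (urllib.error.URLError, OSError) as err:
        return "unreachable", str(err)


if __name__ == "__main__":
    verdict, detail = probe(sys.argv[1] if len(sys.argv) > 1 else "http://localhost")
    print(verdict, "-", detail)
```

Run it as `python probe.py http://yourblog.example` against a blog you administer. The bogus credentials are rejected either way; the difference between the two faults is what tells you whether remote publishing is on, and a blog that accepts the bogus login deserves immediate attention.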

January 22, 2008

Tip Tuesday: Manipulating Graphics files for your blog

Filed under: Tip Tuesday, Tips, Techniques and Technologies, WINDOWS, WordPress — Brian @ 1:53 am

When working with graphics files on your blog, it is always smart to optimize their size for their targeted use. A simple corner picture does not need to be the original 8.1 megapixels. On a Windows machine, MS Paint can handle that sort of transformation, with a little pain and bloodshed. I've also written and posted here a console app to do dynamic resizing. GIMP is awesome, but it is overkill.

I strongly encourage Windows users to check out IrfanView. You might look at the site and say "Oh, it is just a viewer", but it is soooooo much more than that. Though it is one of the best picture viewers out there, it also handles basic graphic manipulation better than most other software out there, even the pro stuff.

File resizing is very simple. However, following their "It is trying to be simple for beginners and powerful for professionals" goal, the advanced menu lets you choose from various resampling methods in case the image just looks wrong when you resize it. Most programs use the one method the programmer preferred and you are stuck with it.

You can get it here:
http://www.irfanview.com/

and once you load the plugins from here:
http://www.irfanview.com/plugins.htm

(I prefer this mirror for downloads.)

You've got a powerful graphics manipulation tool that can even load any Photoshop 8bf plugins you have lying around.

(BTW, XnView is an IrfanView knock-off, but it does have Pocket PC and Smartphone support and works nicely as a viewer on those platforms.)

November 7, 2007

Eliminating duplicate WordPress content in Google

Filed under: WordPress, b5media — Brian @ 3:44 pm

If you were at WordCamp 2007, one of the best sessions was Google's own Matt Cutts discussing how to optimize your WordPress blog. You can see the whole presentation over on John Pozadzides' site, One Man's Blog. Here is the link. You can see in Matt's "Whitehat SEO tips for bloggers" slide show that one of the things WordPress "suffers from" is that the same content can be reached at several different URLs.

You can get to the same article by browsing by category, by day, by month, by year, etc. etc. etc. Each time Google finds the same content repeated under another URL on your site, it counts as duplicate content and hurts your site a little bit more.

This bit of code helps fix it. It goes inside the <head> section of your theme's header.php and tells Google to index only the pages that are the original source of an article, and to skip the archive views while still following the links on them.

Here you go:

PHP:

<?php
// Inside <head> in the theme's header.php. The front page and single posts
// are the originals and get indexed; category, date, tag and other archive
// views are marked noindex, but "follow" so crawlers still walk their links.
// is_page() is added to the original snippet: static pages are originals too.
if ( is_home() || is_single() || is_page() ) {
	echo '<meta name="robots" content="index,follow">';
} else {
	echo '<meta name="robots" content="noindex,follow">';
}
?>

May 24, 2007

Upgrade to WordPress 2.2 or have your Admin PW stolen

Filed under: WordPress, b5media — Brian @ 10:06 pm

OK, it's been a couple of days now and this news is only spreading. If you haven't heard already, there is an attack out there that allows the admin PW to be compromised on any WordPress 2.1 or 2.0 blog. Only 2.2 and the as-yet-unreleased update to 2.0 are safe, and it will stay that way: 2.1 is not a maintained version, and so far I've heard nothing about plans to release a new 2.1. So at this point, for most people running 2.1, your only choice is to upgrade to 2.2.

I’ve stolen the admin PW of several 2.1 sites under my control and tested the sites of some of my friends to make sure they were safe even though they hadn’t upgraded.

There are two things that may make your 2.1 DB safe:

1. Your user named Admin is NOT user number 1.

2. Your database prefix is NOT wp_
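If you administer a lot of 2.1 blogs, it helps to have those two conditions checked by a script rather than by eye. The snippet below is an added example: it is not the upgrade script mentioned in this post and not WordPress code. It pulls $table_prefix out of wp-config.php and looks up who user ID 1 is, then reports which of the two conditions leaves a blog exposed. A constructed sqlite3 copy of the users table stands in for MySQL so it runs offline; against a live blog the same SELECT goes to the real database. Assumptions: the standard WordPress column names ID and user_login, and that "your user named Admin" means the login admin. Neither condition is a substitute for upgrading to 2.2; this only tells you how exposed a blog is until you get to it.

```python
"""Pre-upgrade triage for a 2.0/2.1 blog: the two conditions listed above.

Added example for this post; not the post's script and not WordPress code.
Reads $table_prefix from wp-config.php and checks who user ID 1 is. Uses a
constructed sqlite3 users table so it runs offline; point the same query at
MySQL for a real blog (assumption: WordPress column names ID and user_login,
and that an "admin" login at ID 1 is what the post means by "user named Admin").
"""
import re
import sqlite3

# $table_prefix = 'wp_';  Only identifier characters are accepted, so the match
# is safe to splice into a table name (identifiers cannot be bound as parameters).
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([A-Za-z0-9_]+)['\"]\s*;")


def table_prefix(wp_config_text: str):
    """Return the configured table prefix, or None if wp-config.php lacks one."""
    match = PREFIX_RE.search(wp_config_text)
    return match.group(1) if match else None


def user_one_login(conn: sqlite3.Connection, prefix: str):
    """Return the login of user ID 1, or None if there is no such user."""
    row = conn.execute("SELECT user_login FROM %susers WHERE ID = 1" % prefix).fetchone()
    return row[0] if row else None


def triage(wp_config_text: str, conn: sqlite3.Connection) -> list:
    """List the conditions that leave this blog exposed; an empty list means both hold."""
    findings = []
    prefix = table_prefix(wp_config_text)
    if prefix is None:
        return ["could not read $table_prefix from wp-config.php"]
    if prefix == "wp_":
        findings.append("table prefix is the default wp_")
    login = user_one_login(conn, prefix)
    if login is not None and login.lower() == "admin":
        findings.append("user ID 1 is the admin account")
    return findings


def constructed_blog(prefix: str, user_one: str) -> sqlite3.Connection:
    """Constructed stand-in for a WordPress users table (sample data, not a real blog)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE %susers (ID INTEGER PRIMARY KEY, user_login TEXT)" % prefix)
    conn.executemany("INSERT INTO %susers VALUES (?, ?)" % prefix,
                     [(1, user_one), (2, "brian"), (3, "editor")])
    return conn


if __name__ == "__main__":
    config = "<?php\n$table_prefix = 'wp_';\n"   # constructed wp-config.php excerpt
    for line in triage(config, constructed_blog("wp_", "admin")) or ["neither condition applies"]:
        print(line)
```

Against real blogs, read wp-config.php from disk and replace constructed_blog() with a MySQL connection; the table name is built from the prefix only after the regex has restricted it to identifier characters, which is the one place this script splices a string into SQL.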

If you want to upgrade safely and quickly, try my script.  The latest post about it is always at: http://www.thecodecave.com/EasyWPUpdate
If you want to see how we handled this at b5media, read here:
Guide to Disaster: How The Tech Team Handled WordPress Security Flaw


May 14, 2007

Feeling good on a Monday

Filed under: Brian Layman, WordPress, b5media — Brian @ 9:27 am

Starting week number three at b5media and things are really starting to click.

I feel like I've settled in just a bit and I'm ready to get some real traction.  b5 is really growing and it's great.  Over the last two weeks I've helped add a bunch of new sites to the network and we've got a number more coming in.

There's a new theme being rolled out to a bunch of the blogs and I've helped with that, but due to the way it was implemented we had some load problems, as large common sections of HTML were being generated over and over again on every request.  It was causing WAY more CPU usage than it needed to.

So, our excellent linux guy Sean pointed me to a PECL module I’d not used before: memcached.

To quote http://en.wikipedia.org/wiki/Memcached:


memcached is a general-purpose distributed memory caching system that was originally developed by Danga Interactive for LiveJournal, but is now used by many other sites. It is often used to speed up dynamic database-driven websites by caching data and objects in memory to reduce the amount the database needs to be read. Memcached is open source and released under a BSD license. It uses libevent.

Memcached lacks authentication and security features, meaning it should only be used on servers with a firewall set up appropriately. By default, memcached uses the port 11211.

Memcached’s APIs provide a giant hash table distributed across multiple machines. When the table is full, subsequent inserts cause older data to be purged in LRU order. Applications using memcached typically layer memcached requests and additions into code before falling back on a slower backing store, such as a database.

The system is used by several very large sites. Some well-known websites that use memcached are:[1]

It's worked really well so far.  A few Apache recompiles later and bam!  CPU load goes bye-bye.  With the initial partial rollout on a single channel we've tremendously reduced the load on the servers: 80 cache pulls per second instead of doing all of the DB lookups and XML code generation each time.
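The pattern described above, as an added example that is not b5media's code, not WordPress code and not the PECL extension: the rendered fragment is fetched from memcached first, and only on a miss is it rendered and stored with a TTL. The client speaks the memcached text protocol directly (the set/get framing from memcached's protocol.txt) so the wire format is visible. It assumes memcached is bound to 127.0.0.1:11211 only, because, as the Wikipedia excerpt notes, it has no authentication, and it uses a constructed in-memory transport so it runs without a server.

```python
"""Cache-aside for a rendered HTML fragment over the memcached text protocol.

Added example for this post, not b5media's or WordPress's code. Look in
memcached first; render and store (with a TTL) only on a miss. The set/get
framing from memcached's protocol.txt is implemented directly so it is visible.
Assumptions: memcached is bound to 127.0.0.1:11211 only (it has no
authentication, so it must never be reachable from other hosts), and the
constructed FakeTransport stands in for a real server so this runs offline.
"""
import socket
from typing import Callable, Optional

MEMCACHED_ADDR = ("127.0.0.1", 11211)   # loopback only; never a public interface

def encode_set(key: str, value: bytes, ttl: int, flags: int = 0) -> bytes:
    """Frame 'set <key> <flags> <exptime> <bytes>\\r\\n<data>\\r\\n'."""
    if len(key) > 250 or any(c.isspace() for c in key):
        raise ValueError("memcached keys are <= 250 bytes with no whitespace")
    return ("set %s %d %d %d\r\n" % (key, flags, ttl, len(value))).encode() + value + b"\r\n"

def encode_get(key: str) -> bytes:
    return ("get %s\r\n" % key).encode()

def parse_get(reply: bytes) -> Optional[bytes]:
    """Parse 'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\nEND\\r\\n'; bare 'END\\r\\n' is a miss."""
    if reply == b"END\r\n":
        return None
    header, _, rest = reply.partition(b"\r\n")
    fields = header.split()
    if len(fields) != 4 or fields[0] != b"VALUE":
        raise ValueError("unexpected memcached reply: %r" % reply[:40])
    size = int(fields[3])
    if rest[size:] != b"\r\nEND\r\n":        # trust the declared length, never scan for END
        raise ValueError("truncated memcached reply")
    return rest[:size]

class TcpTransport:
    """Real transport: one request/reply at a time over a socket to a local memcached."""
    def __init__(self, addr=MEMCACHED_ADDR, timeout: float = 0.5):
        self.f = socket.create_connection(addr, timeout=timeout).makefile("rwb")

    def request(self, payload: bytes) -> bytes:
        self.f.write(payload)
        self.f.flush()
        head = self.f.readline()               # VALUE ..., END, STORED, NOT_STORED or ERROR
        if head.startswith(b"VALUE "):         # a data block and a trailing END follow
            head += self.f.read(int(head.split()[3]) + len(b"\r\nEND\r\n"))
        return head

class FakeTransport:
    """Constructed in-memory stand-in answering only 'get' and 'set' (TTL is ignored)."""
    def __init__(self):
        self.store = {}

    def request(self, payload: bytes) -> bytes:
        head, _, body = payload.partition(b"\r\n")
        fields = head.split()
        if fields[0] == b"get":
            key = fields[1].decode()
            if key not in self.store:
                return b"END\r\n"
            flags, data = self.store[key]
            return ("VALUE %s %d %d\r\n" % (key, flags, len(data))).encode() + data + b"\r\nEND\r\n"
        if fields[0] == b"set":
            self.store[fields[1].decode()] = (int(fields[2]), body[: int(fields[4])])
            return b"STORED\r\n"
        return b"ERROR\r\n"

class Memcached:
    def __init__(self, transport):
        self.transport = transport

    def get(self, key: str) -> Optional[bytes]:
        return parse_get(self.transport.request(encode_get(key)))

    def set(self, key: str, value: bytes, ttl: int) -> bool:
        return self.transport.request(encode_set(key, value, ttl)) == b"STORED\r\n"

def cached_fragment(mc: Memcached, key: str, render: Callable[[], bytes], ttl: int = 300) -> bytes:
    """Cache-aside: serve the cached fragment; render and store it only on a miss."""
    html = mc.get(key)
    if html is None:
        html = render()
        mc.set(key, html, ttl)
    return html

def demo(transport=None) -> tuple:
    """Ask for the same sidebar twice; returns (number of renders, fragment). Expect 1 render."""
    renders = []

    def render_sidebar() -> bytes:             # stands in for the DB lookups and template work
        renders.append(1)
        return b"<ul class='sidebar'><li>b5media</li></ul>"

    mc = Memcached(transport or FakeTransport())   # pass TcpTransport() to use a real server
    key = "b5:theme:v1:sidebar"                    # namespace + version: bump v1 to invalidate
    first = cached_fragment(mc, key, render_sidebar)
    second = cached_fragment(mc, key, render_sidebar)
    return len(renders), second if first == second else None
```

Two details matter in production: the reply parser reads the number of bytes the VALUE line declares rather than scanning for END, so a cached fragment that itself contains "END" cannot confuse it, and the key carries a namespace and a version so rolling out a changed theme is an invalidation by renaming, not a flush. Whatever client you use, confirm with netstat that 11211 is listening on 127.0.0.1 and not on the public interface.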

I’m convinced!

I'm going to do some further implementation this morning and we should be sitting sweet by EOD.

I'm also feeling good because I got the whole family up and did a morning workout in the new exercise room I've set up in the garage.  I've also got Akaza hits nice and loud…

I’ve also got to send an email out to my Google Summer of Code student and we’ll get rolling on that this morning.  I’m looking forward to a good week.

Oh! And my pictures will be transferred by the end of the day so I can tell you all about my Toronto trip as I said I would two weeks ago…

Cheers all!

May 1, 2007

Another good day

Filed under: WordPress, b5media — Brian @ 11:00 pm

Well, things went well today.  I added blogs to the b5 network, came to the rescue of some sites that were having trouble and got further into the infrastructure of b5.

I also got added to the b5 team blog listing.  That instantly takes me up to over 135 blogs linking into me.  So that’s a nice side bonus I hadn’t thought about.

Aaron has written a very nice welcome note on his blog today in The Tech Team Adds a Fourth Member :

Yesterday, I posted the announcement about Brian Layman joining the b5media tech team. We’re really excited about hiring him because we have some big plans. Brian is classified as “big guns” in my book. He’s got a lot of development experience and is one of the more active people in the WordPress developer community.

It was important that we found someone who understood the way WordPress worked and operated and how to make it dance. Unlike some competitors, we shout from the roof that we’ve drunk the WordPress kool-aid and aren’t going back. While we’ve toyed with Drupal and other software packages, we know who our daddy is and that’s WordPress.

Brian’s joining of b5media marks a redeclaration of our WordPress allegiance. It’s really great to have him on board!

I also got some details of the exciting stuff I’m going to be working on in the upcoming weeks.  Let me tell you, we’re gonna…

well actually I can’t tell ya… So you’ll just have to wait to see what kind of goodness will be coming out of the b5 in the near future.

(removed blog list as I have a better way to access this now)

April 30, 2007

Sweet Linus Benedict Torvalds, I'm working from home!

Filed under: Borland, CodeGear, Delphi, WordPress — Brian @ 11:50 pm

Long-time readers of mine might have had a suspicion.  You see, when I have something big that I can't talk about, I get severe writer's block.  I can't talk about what I want to talk about, so I go from a one-to-two-quality-posts-a-day period down to NOTHIN' for three weeks!

Well, this time it was VERY big!  After a 17+ year career as a Delphi programmer, I've started a new career.  Today was my first day working for b5media.  I am now one of an ever-increasing number of professionals making my living off WordPress, PHP and other open source programming.  So, at the end of the day, I'm breaking the day of silence in the blogosphere with a post about joy and success.  That seems a more fitting remembrance.  Progress and fulfilment rather than silence.

You can read the official announcement here: "Brian Layman Joins Tech Team".  It all started just over four weeks ago when I got a call from Aaron Brazell.  It has been a whirlwind since then.  I'll tell you all about my trip to Canada, the dozen or so trashed cars, the flaming car of doom, all about b5media and other exciting goodies over the next few days.  There have been loads of firsts and progress made on the Delphi for PHP front over the last two weeks that I'll post about too.

For now, though, I just wanted to share the good news!

And Oh yes, I let my wife scoop the story.  She was soo excited about the chance to get a scoop!  No, Aaron, that pic wasn’t from today, but a month or so ago.  But I’m not making any promises I won’t be out there sometime…

See also: My interview with b5media

April 5, 2007

Techno-sailing through WordPress FAQs

Filed under: WordPress, wp-hackers — Brian @ 8:59 pm

Aaron Brazell is in the middle of a GREAT series on how to enhance WordPress.  He’s been going through several of the questions that have been presented to b5media’s support forum.  I’ve found his solution for Category Based Themes very interesting because I expect the Google Summer of Code 2007 WordPress Project I am mentoring may build upon this and similar solutions.

 Here’s his guide to this series as it exists today:

Series Guide

  1. WordPress FAQ: How Do I combine Blogs?
  2. WordPress FAQ: What’s up with the Amazon Plugin with WP 2.1.x?
  3. WordPress FAQ: How Do I Use Category Themes?
  4. WordPress FAQ: Where did my Preview Link Go?
  5. WordPress FAQ: How Do I Use Child Pages More Effectively?
  6. WordPress FAQ: How Do I Fix the Blogroll Category Issue in WordPress 2.1

I’m looking forward to seeing what else Aaron presents to us!

March 28, 2007

TheCodeCave.Com prepares for the D4PHP.COM launch!

Well, it's been a busy three weeks here.  Things are finally falling into place.

Sometimes that just happens. 

You swing into these intense periods where things go 90 mph.  

It all started when my wife's latest commission check on her book bought her a sweet tablet PC and got me a motorcycle, and now (if it ever stops raining and snowing) I'm back on two wheels after 11 years! (pics soon!!!)  (All you Delphi knitters, go and buy her book please!  I know you are out there!)

Then CodeRage goes into full swing and starts vying for my attention.  Oh, and I also signed the papers refinancing the house.  Then my yard collapses into a giant cesspool, only to be replaced by a mud bog the following week.  Then I'm approved as a Google Summer of Code WordPress mentor and suddenly I'm back to reviewing resumes and project proposals!  It's like I'm back in my old role of Director of Software Development again.

And then I land the after-hours job of converting CodeGear’s 90 blogs over to WordPress MU.   Yes, you can pinch me, I’m working for the Borland Corporation. 

THEN on Friday the Delphi for PHP field test ends and D4P has been released!  (If you are interested in the product, you can download a 1-day trial here.)  Well, that means it's time to announce something else I've had in the works for a while.

Coinciding with the release of Delphi for PHP, I'm announcing an upcoming community site called "Designed for PHP" at http://www.D4PHP.com.  The tagline for the site is:

Designed for PHP - Bringing the Delphi mindset to PHP development.

This site, created using Delphi for PHP, will not only host a vBulletin forum but will include articles, reviews, and product announcements pertinent to the soon-to-be-thriving Delphi for PHP community.  I'm in the process of connecting with authors, moderators and administrators who are interested in joining me in this venture.

Now, obviously I've got some things that will be taking up my free time over the next couple of weeks.  But I still hope to get some feedback from you all as to what you'd like to see at the site.  Some ideas from people I've already discussed this with include:

  1. Community forum - Software has been purchased, the forum is up and being configured.
  2. Integration with the NewsGroups - This idea fed off of a question from Serge Dosyukov and I know just how to pull it off.  The Delphi for PHP newsgroups will be part of the Forum and if all goes well (my host sometimes has restrictions on communication with outside servers) they will be fully integrated, with the ability to post to the groups directly from the site under your own login name.
  3. Component & Component package reviews
  4. Plenty of user created demo videos - it’s easy to do and free!
  5. ???

and THAT’s why I am announcing this before it is fully up and running.  I want to know what else YOU’D like to see out of the site.  Do you have any thoughts or suggestions?  I’ll be doing work off and on with the site over the next two weeks and working with some interested parties who can get the ball rolling, but we need ideas and a goal for when, in about a month, I can give it some dedicated attention.

So, what do you want to see on D4PHP.com?  Does anyone remember "The Delphi Super Page"?  If you do, what made THAT page so great?  Pre-2000, there was nowhere else a Delphi programmer needed to go.  Why was that?  Any thoughts?

Jot them down here or wander over to http://www.D4PHP.com/forum and express yourself!  Let's see what this can turn into!

Blogs.CodeGear.com to convert to WordPress MU

Filed under: Borland, Brian Layman, CodeGear, Delphi, My Career, WordPress — Brian @ 1:29 am

CodeGear Blogs  

A WordPress Explosion

That's right folks, there are gonna be about 90 new WordPress blogs out there. Blogs.CodeGear.com, Borland's home for employee blogs, and Blogs.TeamB.com, home for a squad of volunteers who support the CodeGear community, are leaving the open source .Text solution behind forever.  And they are moving to WordPress MU, baby!

What the heck are .Text and WordPress MU (Myooo? Moo?) anyway????

.Text is a .NET 1.1 blogging software package said to be at the top of the heap back before 2004 ended.  2004 was the year of its last update.  Meanwhile, WordPress MU is a multi-user wrapper around the current source code for the very popular WordPress blogging software.

WordPress MU

OK… Spill the beans…

"How do I know all this juicy gossip?", you might well ask.  Well, it just so happens that those 90 or so blogs are going to be converted by none other than YOURS TRULY!

That's right, as of today, a goal I had dreamed about back in 1987, as I helped my high school computer teacher figure out how to use Turbo Pascal (and supplied the school's pirated copy of Fortran 77 too, SHHH!!!), has finally been met: I am now a Borland CodeGear (contract) programmer.  How cool is that???

I pitched this project to Allen Bauer back in February.  Their current implementation of .Text seemed somewhat dated and limited in its abilities, from a reader's perspective.  I knew that even just working evening hours and weekends, I could quickly turn their site around and give them something MUCH more robust.  I'd not heard anything back from Allen.  So, I'm not certain if my original suggestion had anything at all to do with the fact that John Kaster went looking for a WordPress developer or not.  Either way, I saw a post by John asking for someone experienced in WordPress, and I leapt at the opportunity.  Well, as of tonight, it's official.  The "Please welcome Brian Layman" email has gone out to the powers that be.  And after a few conversations, I'm now set up with all sorts of CodeGear goodness that I can tell you absolutely nothing about! MWAHAHAHAHAAHA!

Seriously though, this is gonna be a great project to work on and I'm going to be enjoying every moment of it. I've done my share of blogs and sites (I actually should be announcing another new site tomorrow, btw), but an 88-site conversion is certainly exciting enough to raise an eyebrow or two on any WordPress developer's face.  I just want to thank John Kaster for allowing me the opportunity to participate in this project.

So, keep your eyes out for the switch over sometime in the not too very distant future.   I’ve just begun work tonight, learning the ins and outs of their current infrastructure.  If all goes well… well, actually, I’ll leave the end of that sentence up to the fine folks at CodeGear.
