The Code Cave

June 26, 2008

WordPress 2.6 - Causing waves on Mars: The XMLRPC controversy

Filed under: WordPress, wp-hackers — Brian @ 11:31 am

WordPress 2.6 has been trouble.  There's been confusion about whether it would be out in July or August.  There was one date in the road map, and one in Trac.  On Sunday night, Charles Stricklin and I recorded episode 43 of The WordPress Podcast, and I stuck with the August date that was in Trac, the tool used for development.

Then the next day Ryan Boren sent this reply to the WP Testers mailing list:

On Mon, Jun 23, 2008 at 1:01 PM, Kirk M wrote:
> Do my eyes deceive me or am I seeing a due date of July 7th for the release
> of 2.6 with a fall back for July 14? Any reason for releasing a month
> early? I've barely set up my test sites figuring I had a month to go yet ;).

[Ryan Boren Replied:]
There was some confusion because the roadmap had July and trac had
August.  Given that all of the features went into 2.6 early and that
it's been running this whole time on wordpress.com and lots of our
personal blogs, a shorter beta seems doable.  I think we can launch
the beta cycle now, pound on it until the 7th and decide if it's
ready.  If not, pound it another week and decide if it's ready.  I
merge 2.6 to wordpress.com almost daily and get tons of feedback in an
instant.  I'm pretty confident in being able to finish off 2.6 in a
few weeks.  We won't be adding any more features to 2.6 so there's no
need to linger for an extra month.  Also, a July 2.6 release allows us
to consider an early September 2.7 release that focuses on pulling in
some of the GSoC work.  That work would be too much to try to push
into an early August 2.6 release.

Ah, well you win some you lose some.  At least I wasn’t the only one who thought it would be August.

Since then a much more controversial debate has arisen.  Westi announced that WordPress 2.6 would ship with XML-RPC turned off by default.  XML-RPC is the protocol that Windows Live Writer, MarsEdit, ecto and other external blog editors use to communicate with your WordPress blog.  Here is what Westi had to say about it in his announcement:

WordPress 2.6 will be more secure out-of-the box including better support for running the admin over SSL and changes to disable the remote publishing protocols by default.

We have chosen to disable Atom Publishing Protocol and the variety of XML-RPC protocols by default as they expose a potential to be a security risk.  So from WordPress 2.6 onwards you will need to go into the Settings->Write page and enable them individually if you want to use them.

Mac software developer and MarsEdit creator Daniel Jalkut believes this to be a fundamentally wrong choice.  He’s said so on the wp-hackers list and on his website:

WordPress’s decision to shut off remote access by default is analogous to a bank offering unrestricted drive-through access to its cash machines, while requiring pedestrians to ring a bell and wait for a security guard to open the door to the machines.

Also worth considering: if a service is disabled by default for security considerations, what message does that send to people who choose to, or who are encouraged to turn the service back on? It sets up a perception of insecurity which may not even be warranted. If the remote publishing interfaces are insecure, they should be fixed, not merely disabled!

I think that's somewhat misleading.  It makes people think that the switch has to be set over and over again.  It is much more like opening a savings account and ticking the box that says you want an ATM debit card and/or the box that says you want to access the account through the online site.  Declining either of those options makes your money more secure, and you only decide once.

I agree that there is an issue with people upgrading and finding that MarsEdit, Live Writer or whatever no longer works.  That is easily solved by keeping the XML-RPC interface off by default on new blogs while leaving the behaviour unchanged for upgrades.

But why not just "fix" the security issues?  The truth of the matter is that you can no more "fix" all security risk in XML-RPC than you can in any other piece of software.  It is a moving target.  New attack methods are discovered, and new features open avenues nobody anticipated, even with a layer between the public interface and the database.  So even if WordPress 2.6 were completely clean, how could you prove it is still secure in 2.8 or 3.0?

Is XML-RPC secure in WordPress 3.0?  I don't know; it doesn't exist yet.  But I do know that if it is disabled for new blogs, new WordPress 3.0 blogs won't be exposed to whatever XML-RPC risk turns up unless an admin deliberately turns the interface on.
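To make the announcement above concrete, here is an added check (my code, not the post's and not WordPress's own) that tells you whether a WordPress install exposes remote publishing. It sends system.listMethods, which takes no parameters and needs no credentials, and classifies the reply: an array of method names means XML-RPC is on, the fault that 2.6-era WordPress returned when the Settings switch was off means it is disabled, and a 404 means there is no endpoint to attack at all. The 405 fault code, the probe() wrapper and the sample responses are my assumptions; the samples are constructed inline so classify() runs offline.

```python
"""Added example (not WordPress code): tell whether a WordPress site exposes
XML-RPC remote publishing, using only the standard library."""
import xmlrpc.client
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumption: the fault code WordPress 2.6 returned when an admin had left
# remote publishing switched off on the Settings -> Writing page.
WP_DISABLED_FAULT_CODE = 405


def list_methods_request() -> bytes:
    """Body for system.listMethods: no parameters and no credentials, so it
    probes the endpoint without attempting a login."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def classify(status: int, body: bytes) -> str:
    """Map an HTTP status and body from /xmlrpc.php to one of
    'enabled', 'disabled', 'absent' or 'unknown'."""
    if status == 404:
        return "absent"        # no xmlrpc.php, or it is blocked at the web server
    if status != 200:
        return "unknown"
    try:
        params, _method = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        # A well-formed XML-RPC fault: the endpoint is alive but refused us.
        if fault.faultCode == WP_DISABLED_FAULT_CODE:
            return "disabled"
        return "unknown"
    except Exception:
        # HTML error pages and other non-XML-RPC bodies end up here.
        return "unknown"
    # system.listMethods answers with a single array of method names.
    if params and isinstance(params[0], list):
        return "enabled"
    return "unknown"


def probe(site_url: str, timeout: float = 10.0) -> str:
    """Live check (needs network): POST to <site>/xmlrpc.php and classify.
    Hypothetical helper, not part of the original post."""
    req = Request(site_url.rstrip("/") + "/xmlrpc.php",
                  data=list_methods_request(),
                  headers={"Content-Type": "text/xml"}, method="POST")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except HTTPError as err:
        return classify(err.code, err.read())


# Constructed sample responses in the standard XML-RPC wire format.
ENABLED_BODY = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getUsersBlogs", "metaWeblog.newPost"],),
    methodresponse=True).encode()
DISABLED_BODY = xmlrpc.client.dumps(
    xmlrpc.client.Fault(WP_DISABLED_FAULT_CODE,
                        "XML-RPC services are disabled on this blog."),
    methodresponse=True).encode()

if __name__ == "__main__":
    for label, status, body in [("enabled", 200, ENABLED_BODY),
                                ("disabled", 200, DISABLED_BODY),
                                ("absent", 404, b"")]:
        print(label, "->", classify(status, body))
```

Run probe() against your own sites after an upgrade: the post's point is that a blog reporting "disabled" or "absent" has no XML-RPC attack surface whatever bugs later releases turn out to have, while "enabled" means you are relying on the endpoint's own authentication and input handling. One caveat for anyone reading this later: WordPress dropped the Settings switch in 3.5 and has shipped XML-RPC on by default since, so the add_filter('xmlrpc_enabled', '__return_false') hook is the modern equivalent of the 2.6 checkbox.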

April 5, 2007

Techno-sailing through WordPress FAQs

Filed under: WordPress, wp-hackers — Brian @ 8:59 pm

Aaron Brazell is in the middle of a GREAT series on how to enhance WordPress.  He’s been going through several of the questions that have been presented to b5media’s support forum.  I’ve found his solution for Category Based Themes very interesting because I expect the Google Summer of Code 2007 WordPress Project I am mentoring may build upon this and similar solutions.

Here's his guide to this series as it exists today:

Series Guide

  1. WordPress FAQ: How Do I combine Blogs?
  2. WordPress FAQ: What’s up with the Amazon Plugin with WP 2.1.x?
  3. WordPress FAQ: How Do I Use Category Themes?
  4. WordPress FAQ: Where did my Preview Link Go?
  5. WordPress FAQ: How Do I Use Child Pages More Effectively?
  6. WordPress FAQ: How Do I Fix the Blogroll Category Issue in WordPress 2.1

I’m looking forward to seeing what else Aaron presents to us!

January 5, 2007

Upgrade your WordPress sites in 5 Seconds

Filed under: WordPress, install, installation, update, upgrade, wp-hackers — Brian @ 12:41 pm

THIS ARTICLE IS OUTDATED. Please see: http://www.TheCodeCave.com/EasyWPUpdate for the current release.

Well, I've upgraded the 35 Second upgrade script significantly for this release.

Here’s a summary of the new features:

  1. Customizable options at the top of the script
  2. Works for any number of blogs; only the header needs updating
  3. Optionally performs the web upgrade steps as well
  4. Optionally backs up all WP related files
  5. DISABLED: Performs a database backup
  6. Backups go to a directory of your choosing, suffixed with today's date
  7. Can now upgrade blogs in a WordPress directory or any other
  8. Respects the tmp directory on your server
  9. Can be modified to perform a nightly refresh of all blogs from a local tarball
  10. Can be customized to retrieve beta releases
  11. Can be customized to retrieve from WP.org's archive folder

This hasn't had a lot of testing yet outside of my blogs, but it has worked BEAUTIFULLY for me, and as you can see I am running Version 2.0.6 thanks to spending 5 seconds this morning updating all of my blogs.

Here is the text to download: (link)

Perhaps the easiest way to get the file is to log in to your account over SSH and run this line:
wget http://www.thecodecave.com/downloads/tcc_wp_upgrade

Then give yourself execute permission on the script; choose your own mode or run this:
chmod +x tcc_wp_upgrade

If you get errors, remember that the script may have passed through Windows on its way to the server, which can tack an extra CR onto the end of each line… You can strip those with tr like this (note the input redirection; tr does not take a filename):
tr -d '\r' < tcc_wp_upgrade > xx && mv -f xx tcc_wp_upgrade
(Thanks to Prec on FreeNode #SED)

Then edit the file to your specifications using vi or whatever. I use NetDrive to mount my website as drive X on all of my machines, then edit it with Notepad2.exe set to enforce Unix line endings.
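The three steps above (fetch, fix line endings, make executable), plus the warning further down that nothing guarantees the script you fetched is unchanged, are what this added Python helper automates. It is my code, not the tcc_wp_upgrade script and not from the original post: it strips stray CRs by staging a cleaned copy next to the file and renaming it into place, and it sets the execute bit only when the file's SHA-256 matches a value you recorded after reviewing it. The function names and the checksum workflow are assumptions; the post publishes no checksum, and the CRLF sample the helper writes is constructed for the demo.

```python
"""Added example, not the tcc_wp_upgrade script: prepare a downloaded shell
script for use.  Strips Windows CRs (a CR after '#!/bin/bash' makes the
kernel look for an interpreter whose name ends in a carriage return) and
sets the execute bit only if the file's SHA-256 matches the value you
recorded after reviewing it."""
import hashlib
import os
import shutil
import stat
import tempfile

# Constructed sample: what the script looks like after a trip through Windows.
SAMPLE = b"#!/bin/bash\r\necho hello\r\n"


def make_sample() -> str:
    """Write the constructed CRLF sample into a fresh temp directory."""
    path = os.path.join(tempfile.mkdtemp(prefix="wpupgrade."), "tcc_wp_upgrade")
    with open(path, "wb") as fh:
        fh.write(SAMPLE)
    return path


def count_cr(path: str) -> int:
    """Number of CR bytes in the file; 0 means Unix line endings already."""
    with open(path, "rb") as fh:
        return fh.read().count(b"\r")


def strip_cr(path: str) -> int:
    """Rewrite the file without CRs.  The cleaned copy is staged in the same
    directory so os.replace() is an atomic rename, never a half-written file.
    Returns the number of CRs removed."""
    with open(path, "rb") as fh:
        data = fh.read()
    cleaned = data.replace(b"\r", b"")
    fd, tmp = tempfile.mkstemp(prefix=".fixcr.",
                               dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "wb") as out:
        out.write(cleaned)
    shutil.copymode(path, tmp)      # keep the original permission bits
    os.replace(tmp, path)
    return len(data) - len(cleaned)


def sha256_of(path: str) -> str:
    """Hex SHA-256 of the file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_executable(path: str) -> bool:
    """True if the owner execute bit is set (what chmod +x would give us)."""
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def approve_script(path: str, expected_sha256: str) -> bool:
    """Set the owner execute bit only on an exact checksum match, so a
    re-download that silently changed (or a tampered copy) is never made
    runnable.  Returns False, leaving the mode alone, on mismatch."""
    if sha256_of(path) != expected_sha256.strip().lower():
        return False
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return True


if __name__ == "__main__":
    script = make_sample()
    print("CRs removed:", strip_cr(script))
    # In real use the expected value comes from your notes, not from the file.
    print("approved:", approve_script(script, sha256_of(script)))
```

Record the checksum once you have read every line and made your edits; from then on the execute bit only goes on a file that is byte-for-byte what you reviewed, which is the practical form of the "review and understand every line" requirement in the script's own header.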

Right now I REALLY would like only proficient people to run this script. It has only been tested on my sites.
This script messes with your files. If something really horrible goes wrong, you could lose information. I've done my best to ensure this doesn't happen, but literally everything I know about bash I learned in the last month writing this script. A good programmer can go from any language to any language with relative ease (and bash IS a language), but we can't know everything about how it works on all systems. That only comes with experience.

So I've got a bigggg scary message at the front of the script. It's scarier than it needs to be, or I wouldn't have the confidence to release the script at all. But it spells out in no uncertain terms the risks of running ANY unfamiliar script (not just mine) on your active site:

# Indemnity -
# Use this file at your own risk. I’m not going to deliberately hack
# your server, but others might. This is a shell script. Very bad
# things can happen. I am relatively new to *nix scripts. So
# I’ve had others review this script. But NONE of this guarantees
# things won’t go wrong or that this script is unchanged. Only
# use this script IF you’ve gotten it from TheCodeCave.com or another
# site you trust.
#
# THIS SCRIPT SHOULD BE USED AT YOUR OWN RISK. It can erase hours of
# hard work put into your site. Before using this script it is
# required that you review and understand every line and vouch for
# its safety. If you are not comfortable with this, don’t run this
# script. I have one host that I can test this on. Only you can say
# that this script will not do irreparable harm to your host if you
# use it.
#
# YOU are responsible for YOUR site. Learn how to protect it and
# understand what every line of code does before you call it.

When you run this script, please come back here and report your results.

Thanks!

Here’s the source for those that want to see it online:
(more…)

July 14, 2006

Measuring a site’s popularity

Filed under: WordPress, wp-hackers — Brian @ 12:32 pm

I was going to post this to wp-hackers in reply to a couple of other posts but decided it was WAY too off topic:
[wp-hackers] Close old comments and pingbacks: feature or plugin? Jamie Holly
[wp-hackers] Close old comments and pingbacks: feature or plugin? David Chait

I decided it is too off topic and Robert Deaton would get on my case again. ;) I didn’t want to waste the typing. So you all get an extra post today…

> I’d have more fun designing for a site getting .75M hits/day –
> send me some of that traffic! ;)

0.75m is 0.75m; kudos to Jamie. Actually I guess it's .36m/day between the two sites. Still, in large part I ignore hits when figuring out how my sites are doing…

More specifically, I can't see how it helps much in comparing two sites either. My reasoning: to go to an extreme, if a site is Flash based, I'd assume the hits/visit is low, as it would be with a largely text-based site - perhaps even < 10 hits per visit. If a site has lots of graphics and little tag images (translation flags, "new" buttons, whatever), I would assume the hits/visit are WAY higher. My hits per visit is around 47 - I suspect I should try to lower that. So, if I use only hits as a measure and compare myself with a text-based site with 12 hits per visit, my hit count would be four times higher but we would be getting the same level of traffic.

And even that ratio is subject to the definition of "a visit". I use two different stat engines to evaluate my sites: AWStats and WebStatistics. AWStats often reports "Unique Visitors" to be as low as 1/3 of the "Unique Visits" reported by WebStatistics. Part of the difference is the visitors/visits issue, another part is AWStats filtering out search engines, and another part is that AWStats has a much more liberal definition of what constitutes a single "visit". I'm just not certain that I have that many people spending an hour or more browsing my site. It's really cool if I do, but I suspect it is people returning to the site (tab) once or twice within a 2-hour period.

Am I correct in saying that the ONLY way to compare the traffic between two sites is to look at the same stat from the same stat engine on both sites (e.g. comparing "Number of visits" in AWStats)?

Am I way off on this? As I said at the beginning, 0.75m/day is 0.75m. That's more traffic than any of my current sites will ever see. What is the best method of measuring a blog's popularity? I know it isn't Alexa…

I currently have half the traffic of my wife’s site but Alexa sure doesn’t show that…
http://www.alexa.com/data/details/?url=Thecodecave.com
http://www.alexa.com/data/details/?url=www.knitchat.com

Denise's site has been around for almost two years vs. four months for mine, so I'm pleased with my progress. My "Unique Visitors" have been doubling each month. I don't think that will happen this month since I have missed half a month of posts; I expect only a 20% increase over last month… But all's good…
