Mostly Harmless

Mostly about my amusement

Category: Software (page 1 of 22)

This is not a Gutenberg Review, It’s a Blog Post

WordPress users are fantastic. This review and how the reviewer brought it back. My reply is a blog post so here we are and below is my reply.

*Reads. STANDS AND APPLAUDS!*

Hello Jan. I usually write the text all in plain form inside a blog post, then split it with some h2 h3 h4 headings and adding images.

PERFECT! Seriously, thank you for that. 😉 I read many reviews and your reply cheered me up immensely. I’ll let more qualified people reply to that.

About this not being a blog, I beg you pardon if I was OT, but then please tell me, is there an official forum where WordPress users can freely discuss about matters like this?

I’m getting very off topic but the thing with blogs is that they frequently devolve into a mess of either positivity (never saw that myself but I’m keeping an open mind) or negativity (OH YEAH, ALL THE TIME!)

The https://wordPress.org/support/ site is divided into sections for support of the WordPress code, support of plugins and themes, and reviews which is feedback.

When someone leaves a review here it is not a blog post. It’s their experience for that theme or plugin. Though as you know we’ve good software for blogging about that.

If someone leaves a review that is substantive about that plugin or theme then that’s fantastic. Gutenberg’s 4.9.8 callout had the desired effect. People are trying it and for the most part even their 1 star reviews have provided good feedback to improve it.

If someone just vents, hate posts, rage replies then that’s not for here. I don’t think you’re surprised that happens. Such behavior has a limited value and a short shelf-life here. These forums are moderated and no, that’s not censorship in case anyone wants to chime in that way.

You left a review of reviews. I commented about that as a moderator. You replied in an excellent fashion and brought it back to feedback about this plugin and editor. Much thanks!

*Drinks coffee, probably too much but here we are.*

The people who are coding Gutenberg, who are driving it forward, who support the users, who are doing this on their own time for the community are good people. These forums are 100% staffed by volunteers. I know you get that but others will read this and again here we are.

For their efforts they generally get a “thank you” but some disparage them, cast aspersions on their intentions and motivations. The whole effort gets accused by some of something negative and those users are occasionally downright mean and cruel. That may get tolerated on some blogs but that’s abuse and isn’t tolerated long here.

*Finishes off coffee, I’m sure you see a theme with me.*

Thanks again for the update. It’s the weekend so someone may not get to it soon but you’ll get a reply about your experience and some follow up questions.

Time-lapse 3D printer videos

I have two 3D printers and each has a webcam. I use Octopi (Octoprint on a Raspberry Pi) and can stop bad prints from my smartphone if I need to. Some materials are difficult to print and hours into it I can cancel the print job. I tried attaching the webcams to the printer’s heated bed so that I can get stable time-lapse 3D printer videos.

This didn’t go too well. I have both printers in Ikea Lack table enclosures and adding an arm to the bed meant that the camera would smack into the front door of the enclosure. When the bed moved back and forth the camera shook. This made for blurry videos. To address this, someone came up with software to pull it off with a stationary webcam. It’s called Octolapse and you can review the code on Github.

Software Plugins to the Rescue

My favorite software platforms can be extended by add-ons or plugins. Octoprint is no exception.

The Octolapse plugin waits for an event in the print job, moves the bed and extruder to a position you set and then snaps a frame. I use the layer change as that event. After the frame is snapped the print job resumes. When the next layer change happens it repeats and snaps another frame.

The results are fantastic. I turned off autofocus on the webcam to prevent some blurriness. Here’s a time-lapse of a multi-color snake I printed. It took 6 hours and 45 minutes. The video is 6 seconds long. It’s not a tall print so there’s not many layers to snap images.

The default Octopi time-lapse print is 1 minute and 37 seconds long and looks like this.

I have not tuned the Octopi video settings and the quality isn’t very good. The reason that the Octolapse version is better is because it’s not a moving image exactly. It’s a collection of sharp still photos stitched into a single video.

This is a better solution than a moving camera attached to the print bed. You can put the camera anywhere and obtain smooth, sharp, time-lapsed videos of your prints. I will probably put my webcams on a small stand and position it closer to the bed for larger full results.

It does add a little time to the print because the plugin inserts the commands to move the bed and extruder, snaps a photo, then goes back to printing. For each layer this is repeated. But the prints typically take hours to print and the time added is negligible.

This is a very elegant solution. The plugin has profiles for my Original Prusa i3 Mk2s MMU and one for my Monoprice Maker Select v2. I’ve not sorted out the Monoprice (the bed needs leveling and isn’t working too well right now) but once I have, I’ll post videos from that printer too.

Wildcard certs via Let’s Encrypt

I just reduced 14 Let's Encrypt certificates down to 2. This is possible because the free service went live for wildcard certs. This has great implications for people who use the WordPress Multisite feature or routinely light up new virtual hosts in the same domain.

You can read Let's Encrypt's understated announcement here.

On my VPS I run Ubuntu 17.10 and it has a version of certbot that you can get from the official repo. Sadly, it's the 0.21 release and wildcard certs need ACME v2 support and that's only in release 0.22 and greater.

Here's what I did

On the command line I cloned certbot from Github.

git clone https://github.com/certbot/certbot.git
cd certbot
sudo ./certbot-auto

You'll see something like so. On my main box it asked if I'm OK with installing more Python packages. A quick installation of those dependencies and I was ready to go.

Press c to cancel. You want wildcard not single hostname certs. Now type this as one line.

sudo ./certbot-auto certonly --manual --server https://acme-v02.api.letsencrypt.org/directory

The server argument is the important one and points to the new V2 API. I could modify the configuration but I'd have to remember what/where I did that. This is easier for me. Certs generated using the V1 API will work and renew with the new one so there's no worries there. The manual argument prompts you through the steps and asks what domains to use.

Normally this is not a manual process. But for the ACME V2 API, an additional check is required and I don't have a certbot plugin to interface with my DNS provider.

When prompted for the domain name I used "*.dembowski.net dembowski.net" and was instructed to create a DNS TXT record for _acme-challenge.dembowski.net as well as a file in dembowski.net/.well-known/acme-challenge/ with a generated name and content.

If you can put that file on the right web server, if you can update your DNS, then you're considered legitimate. Just make sure you wait for DNS to propagate first before proceeding. You can check if it has (at least for Google) using this link.

I have Namecheap and after a quick visit to that dashboard, I waited for the new TXT record to populate, I created that special file and hit enter.

POOF! My server was validated and the certificates were placed in /etc/letsencrypt and a few minutes later my many hosts were updated to point to that new wildcard cert. I repeated this for my other domain and I'm good.
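An added example, not from the original post or from certbot: a Python check that the _acme-challenge TXT value certbot printed is visible on several resolvers before you press Enter. The resolver list, the function names and the sample dig output are assumptions made for illustration, and the live lookup shells out to dig.

```python
import shlex
import subprocess

# Assumption: example public resolvers; add your DNS host's nameservers too.
RESOLVERS = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]


def parse_txt_answers(dig_short_output):
    """Convert `dig +short TXT` output into a set of TXT values."""
    values = set()
    for line in dig_short_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or dig comment such as a timeout notice
        try:
            chunks = shlex.split(line)  # '"abc" "def"' -> ['abc', 'def']
        except ValueError:
            continue  # unbalanced quotes: ignore the damaged line
        values.add("".join(chunks))  # long records arrive as several chunks
    return values


def query_txt(name, resolver, timeout=5):
    """Ask one resolver for the TXT records at `name` (needs dig installed)."""
    cmd = ["dig", "+short", "+tries=1", "+time=%d" % timeout,
           "TXT", name, "@" + resolver]
    try:
        done = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout + 2, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return set()  # treat an unreachable resolver as "not propagated"
    return parse_txt_answers(done.stdout)


def propagation_report(domain, expected, lookup=query_txt, resolvers=RESOLVERS):
    """Map each resolver to True when it serves every expected TXT value."""
    if domain.startswith("*."):
        domain = domain[2:]  # the wildcard is validated at the parent name
    name = "_acme-challenge." + domain.rstrip(".")
    wanted = set(expected)
    return {r: wanted <= lookup(name, r) for r in resolvers}


def safe_to_continue(report):
    """Only press Enter in certbot when every resolver agrees."""
    return bool(report) and all(report.values())


if __name__ == "__main__":
    # Constructed sample: one resolver has the new value, one is still stale.
    sample = {"8.8.8.8": '"constructed-token-value"\n', "1.1.1.1": ""}
    report = propagation_report(
        "*.example.com", ["constructed-token-value"],
        lookup=lambda name, r: parse_txt_answers(sample[r]),
        resolvers=list(sample))
    for resolver, ok in report.items():
        print(resolver, "ready" if ok else "not yet")
    print("continue" if safe_to_continue(report) else "wait and re-run")
```

Resolvers cache a "no such record" answer for a while, so start checking after the record is saved at the DNS host rather than before.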

WordPress Multisite and wildcard certs

If you are running multisite then this simplifies your life tremendously. You can and should have one virtual host for your installation. In my case, they're underneath *.dembowski.net.

In my nginx configuration, I modified the server_name line to add *.dembowski.net and I removed the other vhosts files. They were pointing to the same directory for WordPress and they're not needed anymore.

Less is more. I've been waiting for this since they announced it and lighting up new web server instances while maintaining transport level encryption is such a good thing. Let's Encrypt continues to make the web a more secure place.

3D Printed WordPress Bow Ties

Sometimes my hobbies cross over into each other. This year I attended WordCamp US in Nashville and had an idea. Why not download and make a bow tie with a WordPress logo on it?

First I went to Thingiverse and I quickly found this one. I already had the WordPress logo from converting the SVG with Fusion 360 and I began to work on combining the two files.

About an hour later I swore profusely. I had a lot of problems. My PC was a little under powered. Fusion 360 can do amazing things and you can design a V8 engine with it including all the parts. My limited Fusion 360 skills were failing me.

All I wanted to do was take the logo, position it on the tie and export the results to a new STL file for printing. But I'm not really good at manipulating imported objects that way in a tool like that.

Tinkercad to the Rescue!

Autodesk makes Fusion 360 but they also have a 3D editor that lives on the web and runs in your browser called Tinkercad. I imported the two files, positioned the logo where I wanted it and exported it for printing.

It took me all of 5 minutes. The first pass had the logo a little too thin and it broke too easily. It was also upside down; I thought the clip on bow tie would work that way. Sometimes I make poor choices.

Different Colors

Just as before with my WordPress coin, I wanted the bow tie to be one color and the logo to be another. My working printer does this like so:

  • Print using one color filament till the 59th layer. I used a tool to figure that out.
  • Move the nozzle to the corner and the print away from the nozzle. The nozzle is 200° C and that will melt any plastic it is near.
  • Beep loudly. This is an important step as the 3D printer is in the basement.
  • I remove the old filament and insert the new color.
  • Log into Octopi via my iPhone's browser and tell the printer to resume.

That's it. The bow tie came out well and I printed a few more. Did I mention that I sometimes go overboard? I printed 9.

Opensource All of The Things

The bow tie I downloaded is licensed via Creative Commons – Attribution and Thingiverse provides an easy to print attribution card HTML. Which I could not incorporate into this post except as a graphic and a link.

The 3D printer community is mostly opensource and these were printed on a Prusa i3 clone. I used Simplify 3D to slice the file into gcode but there are some really good opensource slicers such as Cura and Slic3r. I've had some bad luck with Slic3r but I think I sorted that out now.

If you want to play with this modified bow tie then you can download it via Thingiverse. Or create an account in Tinkercad and play with it there. It's an easy thing to do and is lots of fun.

WordPress Is About Responsibility

Your WordPress site (or any web site you put on the Internet) has value. Take care of it, it is your front yard and what the neighbors see. It’s your front office where you invite people to talk or do business with. Own it and take responsibility for it.

Recently on the WordPress support forums, I (not wisely) got into a security conversation. No great minds were changed, nothing new was discovered and nothing was accomplished.

In the hundreds of words exchanged, there was one tidbit sent my way that caught my attention.

Do you really think that it makes sense to expect these people to know/care about — and stay on top of — new/old security risks, manual plugin updates, manual core updates, etc.?

Yes, I do. 100%. Unequivocally.

I didn't reply there as the topic dissolved into a conversation about "blame".

I don't do blame, I'm about responsibility. Blame is for children, blame is for "It's not my/their fault" comments. Blame isn't about taking ownership, it's not a reason for something that happened. Too often blame is about excuses.

This isn't a new thing for me, I blogged about it 9 years ago. There's no shame in not having the technical ability to maintain your site.

Software is a moving target

I recently went to a work event and one of the things repeated often was that security isn’t a state that you achieve. It’s a posture and is a response to a moving target.

WordPress powers over 28% of all web sites and that number is growing. Just as it is with popular office software and home PC operating systems, that number makes WordPress sites a very attractive target to go after. That’s why WordPress takes security very seriously.

But it’s a less than perfect world out there. Plugins and themes may not get the scrutiny that the core WordPress does. Patches happen all the time. When a minor number release of WordPress is pushed out, unless you or your host did something to prevent that, your site will update without you having to do anything.

Plugins and themes don’t update automatically, that’s turned off by default. That’s also where many sites get exploited.

Learn how to maintain your site

It’s still not a big list.

  1. Learn how to schedule backups and store them off of your WordPress site.
  2. Routinely log into your site to update plugins and themes. Or add a plugin to do it for you.
  3. Learn how to restore backups onto a blank installation.
  4. Or consider paying your host or a service to do these things for you.

Many hosts support WordPress and (for a fee) will do that maintenance for you.

Take responsibility but ask for help when you need it

I’ve not seen any surveys but I would guess that easily 80% of WordPress users don’t know how to do steps 1 through 3 above. I would also wager that half of those users rely on their host provider more than they realize.

That’s fine because most of those users may not lose sleep if they lose their blogs. People start blogs and forget about them all the time. For companies and organizations, a lost or compromised site can hurt their reputation.

If you need help or Very Bad Things™ happened, then you’ve got some options.

  1. See if your host can help you. Many host providers do offer WordPress support, sometimes for a fee.
  2. Hire someone, but be wary. I personally like companies that have real people, who interact and have a real reputation. WP Site Care is one such company, there are others. Don't just use Google, ask people who may know. Go to a local WordPress meetup and ask around.
  3. Post a support topic at the free, 100% staffed by volunteers, support forum. Notice that I put this one last?

Here’s why I put my favorite one at the end. There are no customers there, only users. If your site is on fire and you need it back ASAP then that’s just not a good option. I’ve been supporting and helping to admin those forums for years and they are top notch.

Those forums are staffed by unpaid volunteers working on their free time out of the goodness of their own hearts. Would you tell your CEO that’s your support model? You could do that. Some people have that misunderstanding and it often ends poorly. They don’t get the support they need and sadly, WordPress loses a user who didn’t realize what they were getting into.

A little self-education goes a long way. Don’t be afraid to ask questions about your WordPress site. At the end of the day it’s your responsibility. Learn and create a plan to maintain it and keep it running.

Don’t accept blame for what happens to your WordPress site. Take responsibility instead.

Tin Foil Hat Gravatars

Sometimes I do overthink things. I wrote a plugin to protect Gravatar image URLs.

Scrape IFTTT Instagram media into WordPress

I’m a photography nut. I love using my DSLR, I’m mad about film cameras and I use Instagram all the time. I’m also a WordPress user and I have a problem with Instagram: the photos are not preserved on my own site. To fix that I installed the amazing DsgnWrks Instagram Importer plugin and I’ve been using it for years.

While testing WordPress 4.6 beta the plugin stopped working for me. I raised a support topic and I am convinced that my setup has changed. I do not doubt that the problem is mine somehow.

I’m not proficient enough to locate where the break is and I really wanted to share my Instagram photos via my blog. So I created another WordPress account on my photo blog and with my IFTTT account I used this “Instagram to Blog” recipe. That worked, but it loaded the image from Instagram and used the IFTTT URL shortener for the link.

I really wanted a copy of my photo on my own server.

I know less about IFTTT recipes than I do the plugin. But I do know how to use WordPress actions and filters so I wrote a small plugin to do the following.

  1. Via the publish_post action look in the content for Instagram image sources and extract those URLs. The wp_extract_urls function is made for this.
  2. When found import those into the WordPress Media Library and attach it to the post using media_handle_sideload.
  3. Make that new attached image the featured image for the post.
  4. Look for IFTTT short URLs and expand them using a simple function I wrote.
  5. Once that’s done then publish the post.

You can view the code via this Gist link. I have that saved and activated as a plugin on my photo blog.

This isn’t the ideal approach for me but it works. The IFTTT recipe successfully publishes a post when I submit a photo to my Instagram account. I’m taking that data and scraping images from another web site. Generally speaking that’s not cool but until I find a cleaner way to do it I’ll have to live with it.

How to use UpdraftPlus when The Bad Thing™ happens

I am in the process of handing over a site to someone who's not used WordPress before and doesn't necessarily know where what lives and how. I thought it would be a good idea for me to document how to use the free UpdraftPlus plugin.

I use the commercial version of this plugin because it is fire-and-forget for my multisite installation. But if you are running a standalone installation of WordPress then the free version is a good suitable option.

Did I mention I like WP-CLI?

I’ve written praise for wp-cli before but it’s a toy that will never get old for me.

I was working on this problem for a friend and I needed to create a test multisite installation. I have a domain I can use aside from my main one so I setup another nginx virtual host, setup the DNS entries and used Let’s Encrypt to obtain legitimate X.509 certificates.

For creating the DB and WordPress config I used CLI commands.

$ mysql -u root -p

-- Create the database and a dedicated user that can only connect locally.
create database leeloodallas;
grant all privileges on leeloodallas.* to
"brucewillis"@"localhost" identified by "5oM3U36ul$tringH3re";
flush privileges;
exit;

$ wp core download

# Single-quote the password: unquoted, the shell expands $tringH3re as an
# (empty) variable and wp-config.php ends up with the wrong password.
$ wp core config --dbname=leeloodallas \
--dbuser=brucewillis \
--dbpass='5oM3U36ul$tringH3re' \
--extra-php <<PHP
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
PHP

$ wp core install --admin_user=yourlogin \
--admin_password=Y3a2n0tHaP3n1ng \
--admin_email=you@example.com \
--url=blog.dn7.me \
--title="Leeloo Dallas Multisite"

# Convert the fresh single site into a subdomain-based multisite network.
$ wp core multisite-convert --subdomains

Yes, all the passwords and IDs are changed.

When I get into deep water (and I did) I just rm * -rf in the virtual host’s directory and in mysql drop database leeloodallas; and do it all over again.

The only thing different from other times is the wp core multisite-convert --subdomains command. I already have cookie cutter nginx configs and DNS is fire and forget. Once I had the vhost set up, the Let’s Encrypt commands (also scriptable) were trivial.

WP-CLI is cool and scripting this is such a time saver.

2FA should be built into WordPress core

Does email work with your WordPress installation? When someone leaves a comment on your blog or your WordPress installation automatically updates to a minor version number such as 4.4 to 4.4.1 do you get that email?

You did get those emails? Great! Now go, install and activate the Two Factor Authentication plugin maintained by George Stephanis. I’ll wait.

Now that you have done that, on the top right corner of your dashboard is a “Howdy, User” link. Click that and select Edit My Profile. Scroll down on your profile page and enable the first two options. That’s “Email” and “Time Based One-Time Password (Google Authenticator)”.

I made the Google Authenticator my primary means of logging in. I keep the app on my password protected iPhone, it’s a one-time password (OTP) generator and it doesn’t need access to Google to work. It’s time based after all.

What is two factor authentication (2FA)?

2FA is a means to increase the confidence when you log in that you are in fact who you say you are.

When you log into WordPress, you use an ID and password. The security is in the password and should be along the lines of “gHJjgbtjXa9FLyGkhaHR0o” which I got courtesy of my 1Password app. That password is one factor of authentication. Your password is something that you know.

The second factor is what you have in your possession. In my case it’s my Google Authenticator app on my iPhone.

When I log into my WordPress site I am prompted for my username and password. Once that is successful I am then asked for my authentication code.

Which I get from my app. If that does not work then I click on the backup method and soon get a code via email. I enter that code and I am in, which is why I asked if mail works at the beginning of this post.

Mail needs to work. So does good time keeping.

My multisite installation is on a VPS and I run NTP. I have to because on a VPS the time will drift (on anything really) and if my server’s time is far enough out of sync then my OTP will not work. Or my phone could be dead but I still can access my email.

By configuring the email as a fallback I have another way to get into my installation. That email code is good till it’s used or is replaced and can get you out of a bind.
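Why the clock matters, as an added example that is not code from the Two Factor plugin or the original post: a Python implementation of RFC 6238 time-based codes, with a server that checks a code generated on a correctly set phone while its own clock is off by various amounts. The acceptance window of one 30-second step either side is an assumption, and the secret and timestamp are the RFC's published test values.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6   # code length shown by authenticator apps


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // step)


def verify(secret, submitted, server_time, window=1, step=STEP):
    """Return the matching step offset, or None if the code is rejected.

    Assumption: the server tolerates +/- `window` steps around its own clock.
    """
    current = int(server_time) // step
    matched = None
    for offset in range(-window, window + 1):
        candidate = hotp(secret, max(current + offset, 0))
        # Constant-time comparison; every candidate is checked, no early exit.
        if hmac.compare_digest(candidate, submitted):
            matched = offset
    return matched


def drift_outcomes(secret, phone_time, drifts, window=1):
    """Code generated on a correct phone clock, checked by drifted servers."""
    code = totp(secret, phone_time)
    return {d: verify(secret, code, phone_time + d, window) for d in drifts}


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    phone_time = 1111111109            # RFC 6238 test time
    outcomes = drift_outcomes(secret, phone_time, [0, 20, -20, 120, -120])
    for drift, offset in outcomes.items():
        verdict = "rejected" if offset is None else "accepted (step %+d)" % offset
        print("server clock off by %+4ds: %s" % (drift, verdict))
```

A server 20 seconds off still accepts the code through the neighbouring step, while one two minutes off rejects a perfectly valid code, which is when the emailed fallback earns its keep.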

2FA needs to be built into core

Having 2FA in WordPress as a built-in option moves the security bar farther. It increases the security posture for users and if it is an option, if it’s easy to setup then it will be adopted by users.

Yes, it will take some education for people to use it properly but that is not insurmountable.

In the past, users would install WordPress and forget to maintain them. The other day I came across a 3.5.2 installation. That was released in July 2013. In Internet years that’s ancient and there are several known exploits out there. The 3.5.x code isn’t maintained.

As of version 3.7 minor release updates are turned on automatically by default. If you installed 3.7 and did not do anything else then as of today you are or will be running 3.7.12 shortly. Major version upgrades are not automatic so 3.7.x will not update to 3.8 or even to the current 4.4.1. The major versions need to be updated by the user initiating that upgrade, although some forward thinking hosts will do it for you anyway.

Automatic updates are a result of the developers wanting the environment to become more secure. Unpatched WordPress installations were the cause of compromised sites that sent spam, spread spammy links and made the Internet neighborhood a worse place to be.

It also gave WordPress an unjustifiable reputation for being insecure because users did not maintain their code.

Having 2FA is similar to enabling TLS on your WordPress installation. If your server supports HTTPS just update your Site URL and WordPress Address, perform a little search and replace for the old http:// references to their TLS versions and you are done. More and more sites are defaulting to https because it’s easy.

2FA is like that, it’s a step in the direction of users taking their security into their own hands. It’s educational too, meaning that once it’s setup and working you’ve learned something new.

What about the Support Team’s concerns?

Mika Epstein, myself and others expressed reservations not about having 2FA built into WordPress. We like this idea. Our concerns were along the lines of “How can we walk the user through disabling 2FA if they bork it badly?”

The idea we expressed was that this should be enabled by editing the wp-config.php file by hand, just as you have to do when you enable multisite. If you can do that successfully then you are technical enough for 2FA. The words I used were “you need to be this tall to enable this feature”.

I don’t think that anymore. If someone’s email is working then they can get back into their installation with the emailed access code.

What I’d like to avoid is the situation that exists with password resets. If you look at the WordPress Codex article about resetting your password then you may understand.

For manual password resets I encourage users to add a line to their theme’s functions.php file but that can be dicey. If they typo that file they can break their whole site. That’s still more appealing for me than trying to walk a user through using phpMyAdmin.

Manual password resets are difficult for regular users. If they can enable 2FA and have a not too difficult way to disable it then any reservations I’ve had are gone. I know this is being worked on and I would really like to see this properly put into WordPress 4.5.

It’s something that can make the Internet neighborhood a more secure place to be.

© 2018 Mostly Harmless