Mostly about my amusement


Disabling select features in WordPress

One of the new features arriving in WordPress 4.4 will be the ability to embed posts from a self-hosted WordPress blog into oEmbed consumers such as another WordPress blog. Like this.

Feature Plugin Merge Proposal: oEmbed

Neat huh? I like it, though I haven’t been able to do the same with my own posts yet. This feature will be on by default in 4.4 though it could be disabled via a plugin.

What if you want to disable all the new features?

When a new feature is rolled out, it is enabled by default. That makes sense as no one adopts a feature that is disabled. But new features are not for everyone and you can control that via a plugin.

Why a plugin? Because it’s supportable. It doesn’t need to be a plugin, it could be a simple line of code in your child theme’s functions.php file.

Going in no particular order:

Disable oEmbed provider

This only applies to WordPress 4.4 (not released yet), but install and activate Pascal Birchler’s Disable oEmbeds plugin. That will eliminate the capability for your site to be an oEmbed provider.

Disable XML-RPC

You could use a plugin but it’s one line of code. Edit your child theme’s functions.php file and add this one line.

add_filter( 'xmlrpc_enabled', '__return_false' );

Done.

Disable emoji support

Install and activate Otto’s Classic Smilies plugin. Otto doesn’t appreciate emojis either and as an added benefit you get back the classic smilies from previous WordPress versions.

Disable Ping-o-matic and other notifications

Install and activate Scott Reilly’s Silent Publish plugin.

From the plugin page:

This plugin gives you the ability to publish a post without triggering pingbacks, trackbacks, or notifying update services.

To make this the default behavior (Silent Publish is off by default) add this one line to your child theme’s functions.php file.

add_filter( 'c2c_silent_publish_default', '__return_true' );

Now when you go to the post editor page, you will see the “Silent publish?” checked on by default.

Disable Google fonts

Some people do not like anything related to Google and that’s fine. While I personally think this makes my WordPress site look awkward, here’s a plugin that does that.

Install and activate Remove Google Fonts References plugin.

Limit login attempts

I use Jetpack for a lot of things and Brute Protect prevents known attack IPs from reaching your site. If you want to limit your login attempts without using that plugin then try this one from BestWebSoft.

I selected that plugin because it’s actively supported by the author and has many options.

Disable Gravatars

Update: I forgot about Gravatars. 😉

There are a couple of ways to do that and the absolute simplest way is use the admin >> Settings >> Discussion and scroll down to the Avatars and uncheck that box. WP beginner has a post with a video on how to do that.

Use the Disabler plugin

Some more settings (including XML-RPC) can be toggled with the Disabler plugin. You can disable the following with a check box.

  • Disable Texturization
  • Disable auto-correction of WordPress capitalization
  • Disable paragraphs (i.e. <p> tags) from being automatically inserted in your posts.
  • Disable self pings (i.e. trackbacks/pings from your own domain).
  • Disable all RSS feeds.
  • Disable XML-RPC.
  • Disable auto-saving of posts.
  • Disable post revisions.
  • Disable WordPress from printing its version in your headers (only seen via View Source).
  • Disable WordPress from sending your URL information when checking for updates.

I use this plugin to disable self-pings.

Plugins are not that difficult to maintain

One of the common complaints about WordPress is “Why can’t there be a check box in the admin GUI to disable these features?” A quick count above shows that would be 16 boxes to work with.

Aaron Jorbin had a good reply on the make/core blog but it may not be clear to everyone: giving users too many options makes their site more difficult to support.

Ideally, there would be one plugin for all of this (hint to Mika and the other Disabler authors), but for anyone rolling out WordPress installations, these disabled settings can be hard coded into a custom plugin.

Why do it that way? Just like disabling the XML-RPC feature, it’s often just a few lines of code. A custom plugin can accomplish what you want while limiting options in the administration backend.
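Here is what such a custom plugin can look like, as an added example that is not code from this post or from any of the plugins named above. It collects the disables discussed here (XML-RPC, emoji, the version string in headers, the 4.4 oEmbed provider, self-pings and post revisions) into one file using only core WordPress hooks; the plugin name and function name are made up for the example.

```php
<?php
/**
 * Plugin Name: Site Feature Lockdown (constructed example)
 * Description: Hard-codes the feature disables from this post. Drop it into
 * wp-content/mu-plugins/ and there is no checkbox to untick and no plugin to
 * deactivate from the admin backend.
 */

// XML-RPC: the same one-liner shown above.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Emoji: remove the detection script and styles core hooks in default-filters.php.
remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
remove_action( 'wp_print_styles', 'print_emoji_styles' );
remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
remove_action( 'admin_print_styles', 'print_emoji_styles' );

// Version in headers: drop the generator meta tag and blank the generator string.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// oEmbed provider (WordPress 4.4+): discovery links, host script and REST route.
remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );
remove_action( 'wp_head', 'wp_oembed_add_host_js' );
remove_action( 'rest_api_init', 'wp_oembed_register_route' );

// Self-pings: strip outgoing pingback targets that point back at this site.
// pre_ping passes the link list by reference, so edits here take effect.
function example_lockdown_no_self_ping( &$links ) {
    $home = get_option( 'home' );
    foreach ( $links as $i => $link ) {
        if ( 0 === strpos( $link, $home ) ) {
            unset( $links[ $i ] );
        }
    }
}
add_action( 'pre_ping', 'example_lockdown_no_self_ping' );

// Post revisions: keep none (wp_revisions_to_keep filter, WordPress 3.6+).
add_filter( 'wp_revisions_to_keep', '__return_zero' );
```

Files in wp-content/mu-plugins/ load before regular plugins and after core’s default filters, which is why the remove_action() calls above work at file scope.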


WordPress file monitoring

Over a week ago I complained about WordPress users crying security wolf and not being able to recover their blog when the “Bad Thing(tm)” happens.

Since then a real brawl developed on the support forum that could be summed up like so:

  1. One or more users is insisting that there is an XMLRPC exploit in 2.5.1.
  2. The same one or more users refuse to back this claim up with data, or apparently to send the WordPress security e-mail alias any info (maybe; how would other people know what was sent via e-mail?)
  3. Many people tried to reasonably explain that such an exploit may exist but without data there is nothing to solve.

This discussion was just plain nuts and went around in circles. Complaining about a problem without providing any proof and then getting all pissy about it is totally useless. It is entirely possible that such an exploit exists and many people replied so. But without providing any data other than saying “I can assure you that the hack occurs via XMLRPC”, everyone’s time gets wasted.

Fortunately, Donncha provided a page that covers the issue succinctly and today he added another post on setting up aide.  His two posts are good and anyone considering monitoring their WordPress files for modification should give this a try.

Aide will let you see if your installation files and directories have been tampered with. It won’t protect you against HTTP POSTs or database attacks, but it’s very good if someone succeeds in modifying your files.

There are ways to log what’s being sent via an HTTP POST and examine that information; if (or even when) I get hacked, I’ll try to start looking at that data. MySQL database monitoring could be interesting, but for now I’m not aware of a good tool to do that.

On my OpenSuSE installation, installing aide is simple.  As root run

zypper install aide
aide --init
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
aide --check
cp /usr/share/doc/packages/aide/examples/etc/cron.daily/aide.sh /etc/cron.daily/

All of which I just did.  I ran the check option to make sure I did not create any issues with the aide.conf file.  I’ll play with the aide.conf file and see what kind of output I get when the daily cron job gets run.  If I add and modify files and I set it up correctly then I should see that in daily cron job’s output.

Update: this worked but in /etc/aide.conf change the line verbose=1 to verbose=5.  That will get you a useful output of which files and directories changed.
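For the aide.conf tuning mentioned above, here is a constructed fragment (not from the post) that watches the WordPress tree and uses the verbose=5 setting from the update. The document root and the database paths are assumptions; adjust them to your server.

```text
# /etc/aide.conf fragment (constructed example, not from the post).
# Paths are placeholders: use your own WordPress document root.
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
# 5 lists which files and directories changed, as noted in the update above.
verbose=5

# Rule group: permissions, inode, link count, owner, group, size,
# mtime, ctime and a content hash (use md5 if your aide lacks sha256).
WPCODE = p+i+n+u+g+s+m+c+sha256

# Watch the whole WordPress tree ...
/srv/www/htdocs/wordpress WPCODE
# ... but skip content that legitimately changes every day (uploads, caches);
# otherwise the daily report buries a modified PHP file under noise.
!/srv/www/htdocs/wordpress/wp-content/uploads
!/srv/www/htdocs/wordpress/wp-content/cache
```

After editing the config, re-run aide --init and move the new database into place as shown above, or every subsequent aide --check will report the rule change itself.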

Optimum Online: EPIC FAIL!

Around 5:30 PM today I had gotten an e-mail letting me know that my web server was down. I figured that since my server is in my basement, I must have had a brownout. No big deal I’d deal with it when I got home.

Only it was not me for a change. My cable modem was not establishing a connection up stream.  TV was working fine, just no Internet access.

The Cablevision support phone number kept ringing busy.  When I did get through it played a message saying “If you are calling about an Internet outage and live in the following towns, then an outage has been reported.”

The message played the name of every town I had ever heard of in Long Island. My town was listed as the last one at the very end, with “and Dix Hills”.

At 8:30 PM we got sporadic access back.  The connection is not good and it keeps going down in the middle of a page load.  I’m sure it will be all fixed before midnight. But I’m really dying to know what part of their backbone caused this outage.

Meh. It happens.  Wonder if Verizon will market this outage?

My old ISP in Queens had a page of bulletins from their NOC. You could look and at least find out what happened and what the ETA was for a fix. If I find the equivalent page on Optimum Online I’ll update this post.

Sigh, WordPress users and hacking

If you are not running the latest version of WordPress and you get hacked, don’t go to the WordPress forum and tell the world.  Odds are you invited the disaster yourself.

When WordPress 2.5 came out I was disappointed to find that the old version 2.3.x was basically abandoned.  There would be no more planned patches for 2.3.x just the current 2.5.  The 2.0.x branch would continue to be supported as part of the commitment to the Debian version model.

So as of right now versions 2.0.11 and 2.5.1 are supported. If you are running 2.2.x, 2.3.x, 2.5(.0), or any other version then you run the risk of being exploited.

So why do users continue to use the old versions? Every day there are posts in the support forum that (so far) always deal with someone’s blog getting hacked while they are not using the current 2.5.1 version (as of this writing). Eventually someone writes “I’ve been hacked” and some other user writes “Is this a vulnerability of insert current version HERE?!? Why are the developers not doing SOMETHING?!”.

It’s like there is some axe to grind and the first one to find the axe gets 1000 gold points.  The moderators usually show great patience; I’d get ticked if I were them.  These users seriously should just avail themselves of WordPress.com and stop trying to self host a blog.

The freely available WordPress from WordPress.ORG is not commercially supported, and commercial support is often not that good anyway. So anyone who is thinking about using WordPress.org’s software should be able to do the following by themselves.

You need to be able to make backups.

Read this Codex article for backing up your WordPress installation.

WordPress uses two components.  The easy one is the file system and backing that up should be trivial.  I use a shell script that creates a tar.gz archive every night.  Another cron job deletes backups that are older than 30 days.  Why fill up my disk?  The backups are not for historical use, just to get me back to the state I was 24 hours ago if need be.  30 days is too much but hey, disk space is cheap.

The mysql database is the other component.  The same backup script also creates a text dump of my entire WordPress database.  This copy gets gzipped and added to my file backup.  The mysqldump command is your friend and should be used.

You need to be able to know how to restore those backups.

The Codex has a good article on how to restore your blog database here.

Making the best backups is pointless if you don’t know what to do with them when the “Bad Thing” happens.  Take your backup and restore it to a WAMP or LAMP installation on your own PC.  If you need a Windows Apache Mysql Php setup, use Google and install the one you feel comfortable with.  In Linux just add the packages (See this link for Ubuntu).

Once you have the Apache web server, Mysql, and PHP running locally on your PC then start playing.  Install WordPress locally, restore your backup and just change the name of your installation in wp-config.php to localhost and test.  To adjust your local installation to run on your PC just add these two lines to the copy of the wp-config.php on your PC:

define('WP_SITEURL', 'http://localhost');
define('WP_HOME', 'http://localhost');

Then on your PC point your browser to http://localhost/ and test it.  Beat it up; it’s a local copy on your PC.  Go nuts on it and confirm that your posts, categories, tags, comments, etc. are all there.  Anything on your PC that you mess up in WAMP or LAMP should be no big deal.  Just start over if you get lost.

Play with it until you understand what you are doing, because when you DO lose your blog you’ll need to do this for real.

Practice performing an upgrade on your PC’s local copy.

That sounds like a plan, right? Some plugins don’t work with the latest and greatest version. If the version you are running is vulnerable to an exploit then you don’t need that plugin.

Security updates are the number one driver for minor number version releases such as 2.5 to 2.5.1.  Yes, there are bugs but they usually are tolerable.  Exploitable code is serious business and usually gets fixed quickly.

Once you are comfortable with upgrading and testing your local installation, upgrade your real blog.  I personally keep good backups and know how to restore them so I never bother with this step.

If you know how to backup and restore your blog, then even if the upgrade is bad, you will be able to put it back the way it was before the upgrade.

Dell XPS 700 still no useful ETA

This morning I checked my Dell XPS 700 status page. Originally it was supposed to ship last Tuesday July 25th, but on that day it got bumped to today August 1st.

This morning I checked and the status now says August 8th. Any bets what it will say next week?

Still no call from Dell regarding the offer of a free upgrade to a Core 2 Duo.

Here’s the time line:

  1. Ordered the XPS 700 on June 18th.
  2. ETA was originally July 25th shipping.
  3. Updated July 25th: new ETA for shipping August 1st.
  4. Updated August 1st: new ETA August 8th.

What’s really funny is that the new status requires me to click on an “I agree to this delay” link for FTC reasons. The link does not work; it gets a nice error page of 404 – File not found.

Dell is not the company they used to be (Updated)

After pushing my old PC up hill long enough I ordered a new kick ass Dell XPS 700 with a 24 inch wide LCD panel. I’m getting the black one.

I had received an e-mail about how to check the status online and the estimated ship time was set for over a month when I ordered it. As the time went by I had contacted their customer service and asked if the system was going to be built. I was told that as far as they could tell they would make the date.

I ordered the Dell June 18th Father’s Day. The estimated ship time was today July 25th. As of 10:10AM today Dell’s system sent me the e-mail notifying me that I was in for a disappointment.

So I called the Dell customer number and spent 2 minutes informing the system that I did not know my customer number or order number (I do, but I have learned to hate the machines). Eventually I got a real human being.

The call was professional. Phrases such as “Parts are hard to come by” and “if you’d like I can expedite the order” were said. The rep was able to upgrade to next day shipping for me so I am placated for now.

I am on for shipping Tuesday August 1st but unfortunately I expect to get another e-mail. I know that I am getting a new to market system but Dell should be able to gauge availability based on the fact that they have been doing this for a long time.

Dell XPS 700 image from CNET’s web site.

Update: In this day and age, you’d think I’d check via Google or Engadget before calling Dell. Per Dell’s Blog (see item number 2) I expect to be able to upgrade from my ordered Pentium D to the Core 2 Duo.

Core 2 Duo, that’s a bad name it trips up the tongue. On the web site it says “an option of either a free upgrade to a Core 2 Duo processor or a Dell gift card” so naturally I am going for the upgraded processor.

The blog site clearly states that you should wait for Dell to call you, but reading the comments from the customers I figured I would get pro-active and call them. I waited until lunch time and called the customer service number.
