I am in the process of handing over a site to someone who’s not used WordPress before and doesn’t necessarily know where what lives and how. I thought it would be a good idea for me to document how to use the free UpdraftPlus plugin.
I use the commercial version of this plugin because it is fire-and-forget for my multisite installation. But if you are running a standalone installation of WordPress then the free version is a good suitable option.
I’ve written praise for wp-cli before but it’s a toy that will never get old for me.
I was working on this problem for a friend and I needed to create a test multisite installation. I have a domain I can use aside from my main one so I setup another nginx virtual host, setup the DNS entries and used Let’s Encrypt to obtain legitimate X.509 certificates.
For creating the DB and WordPress config I used CLI commands.
$ mysql -u root -p create database leeloodallas; grant all privileges on leeloodallas.* to "brucewillis"@"loc1alhost" identified by "5oM3U36ul$tringH3re"; flush privileges; exit; $ wp core download $ wp core config --dbname=leeloodallas \ --dbuser=brucewillis \ --dbpass=5oM3U36ul$tringH3re \ --extra-php <<PHP define( 'WP_DEBUG', true ); define( 'WP_DEBUG_LOG', true ); define( 'WP_DEBUG_DISPLAY', false ); PHP $ wp core install --admin_user=yourlogin \ --admin_password=Y3a2n0tHaP3n1ng \ --admin_email=you@example.com \ --url=blog.dn7.me \ --title="Leeloo Dallas Multisite" $ wp core multisite-convert --subdomains
Yes, all the passwords and IDs are changed.
When I get into deep water (and I did) I just rm * -rf in the virtual host’s directory and in mysql drop database leeloodallas; and do it all over again.
The only thing different from other times is the wp core multisite-convert --subdomains command. I already have cookie cutter nginx configs and DNS is fire and forget. Once I had the vhost setup the Let’s Encrypt commands (also scriptable) was trivial.
WP-CLI is cool and scripting this is such a time saver.
Does email work with your WordPress installation? When someone leaves a comment on your blog or your WordPress installation automatically updates to a minor version number such as 4.4 to 4.4.1 do you get that email?
You did get those emails? Great! Now go, install and activate the Two Factor Authentication plugin maintained by George Stephanis. I’ll wait.
Now that you have done that, on the top right corner of your dashbaord is a “Howdy, User” link. Click that and select Edit My Profile. Scroll down on your profile page and enable the first two options. That’s “Email” and “Time Based One-Time Password (Google Authenticator)”.
I made the Google Authenticator my primary means of logging in. I keep the app on my password protected iPhone, it’s a one-time password (OTP) generator and it doesn’t need access to Google to work. It’s time based after all.
2FA is a means to increase the confidence when you log in that you are in fact who you say you are.
When you log into WordPress, you use an ID and password. The security is in the password and should be along the lines of “gHJjgbtjXa9FLyGkhaHR0o” which I got courtesy of my 1Password app. That password is one factor of authentication. Your password is something that you know.
The second factor is what you have in your possession. In my case it’s my Google Authenticator app on my iPhone.
When I log into my WordPress site I am prompted for my username and password. Once that is successful I am then asked for my authentication code.
Which I get from my app. If that does not work then I click on the backup method and soon get a code via email. I enter that code and I am in, which is why I asked if mail works at the beginning of this post.
My multisite installation is on a VPS and I run NTP. I have to because on a VPS the time will drift (on anything really) and if my server’s time is far enough out of sync then my OTP will not work. Or my phone could be dead but I still can access my email.
By configuring the email as a fallback I have another way to get into my installation. That email code is good till it’s used or is replaced and can get you out of a bind.
Having 2FA in WordPress as a built-in option moves the security bar farther. It increases the security posture for users and if it is an option, if it’s easy to setup then it will be adopted by users.
Yes, it will take some education for people to use it properly but that is not insurmountable.
In the past, users would install WordPress and forget to maintain them. The other day I came across a 3.5.2 installation. That was released in July 2013. In Internet years that’s ancient and there are several known exploits out there. The 3.5.x code isn’t maintained.
As of version 3.7 minor release updates are turned on automatically by default. If you installed 3.7 and did not do anything else then as of today you are or will be running 3.7.12 shortly. Major version upgrades are not automatic so 3.7.x will not update to 3.8 or even to the current 4.4.1. The major versions need to be updated by the user initiating that upgrade, although some forward thinking hosts will do it for you anyway.
Automatic updates are a result of the developers wanting the environment to become more secure. Unpatched WordPress installations were the cause of compromised sites that sent spam, spread spammy links and made the Internet neighborhood a worse place to be.
It also gave WordPress an unjustifiable reputation for being insecure because users did not maintain their code.
Having 2FA is similar to enabling TLS on your WordPress installation. If your server supports HTTPS just update your Site URL and WordPress Address, perform a little search and replace for the old http:// references to their TLS versions and you are done. More and more sites are defaulting to https because it’s easy.
2FA is like that, it’s a step in the direction of users taking their security into their own hands. It’s educational too, meaning that once it’s setup and working you’ve learned something new.
Mika Epstein, myself and others expressed reservations not about having 2FA built into WordPress. We like this idea. Our concerns were along the lines of “How can we walk the user through disabling 2FA if they bork it badly?”
The idea we expressed was that this should be enabled by editing the wp-config.php file by hand, just as you have to do when you enable multisite. If you can do that successfully then you are technical enough for 2FA. The words I used were “you need to be this tall to enable this feature”.
I don’t think that anymore. If someone’s email is working then they can get back into their installation with the emailed access code.
What I’d like to avoid is the situation that exists with password resets. If you look at the WordPress Codex article about resetting your password then you may understand.
For manual password resets I encourage users to add a line to their theme’s functions.php file but that can be dicey. If they typo that file they can break their whole site. That’s still more appealing for me than trying to walk a user through using phpMyAdmin.
Manual password resets is difficult for regular users. If they can enable 2FA and have a not too difficult way to disable it then any reservations I’ve had are gone. I know this is being worked on and I would really like to see this properly put into WordPress 4.5.
It’s something that can make the Internet neighborhood a more secure place to be.
I’m more of a Network Monkey, but whenever I can provision something just using an ssh session I smile. Many hosts use WP-CLI already and I’ve installed it on my VPS too.
This morning I wrote up a small script to go to my test vhost directory and did the following.
All this was performed without using a mouse or web GUI. (Okay, I checked the avatar setting via /options.php, but I didn’t have to.)
Here’s the script with sensitive details changed.
#!/bin/bash cd /my/notsecret/www/vhosts/bang.dn7.me # Setup a new WordPress installation wp core download wp core config --dbname=tothemoon \ --dbuser=testuser \ --dbpass=3c962761afbf9ab40a2e75346809c8cf wp core install --admin_user=jan \ --admin_password=Rea11y*ot7y^assWiRd \ --admin_email=example@example.com \ --url=bang.dn7.me \ --title="Bang! Boom! Pow!" # Update some options and my account info wp option update blogdescription \ "What could possibly go wrong?" wp option update comment_moderation 1 wp option update comments_notify 0 wp option update moderation_notify 0 wp option update comment_whitelist 0 wp user update 1 --first_name="Jan" \ --last_name="Dembowski" \ --display_name="Jan Dembowski" # Make sure plugins and themes are all up to date wp plugin update --all wp theme update --all # Clean up the default post and page wp post delete 1 --force wp post delete 2 --force # Wapuuvatar is cool. Install, activate # and set to the default avatar wp plugin install wapuuvatar --activate wp option update avatar_default dwapuuvatar # Let's play with the Baskerville theme wp theme install baskerville --activate # Now to import the theme unit test data wp plugin install wordpress-importer --activate curl -O https://wpcom-themes.svn.automattic.com/demo/theme-unit-test-data.xml wp import theme-unit-test-data.xml --authors=create # Clean up in aisle seven wp plugin deactivate wordpress-importer wp plugin delete wordpress-importer rm theme-unit-test-data.xml # My test site is also TLS so I'll fix # all the things to point to the encrypted URL wp search-replace http://bang.dn7.me https://bang.dn7.me # All done
I previously dropped the test installation’s database and created a new empty one. A quick “rm -rf *” (which wise people never do) in the right vhost directory and I ran “bash install-bang.sh”.
It works like a charm. Smart web hosts can and do tie WP-CLI into their provisioning setup. I happened to setup my vhost with TLS and mysql in advance but with a little backend work this can be easily automated.
If you have a test server to play with then give WP-CLI a try. You’ll get a better understanding of both WordPress and the command line.
In the long history of my of my blog (over 900 posts), I’ve done many things that were… ill-advised. I’m still recovering from messing up my media library somehow. All the images load but a couple of galleries disappeared.
While playing with the Wapuuvatar plugin I noticed that my recent 60 or so posts were showing my Gravatar photo but the older posts where showing a Wapuu. I thought I ran into some weird bug in the plugin. Ha! The plugin is fine. My old posts were set to post_author ID=0.
There is no such author ID but fixing it was straight forward. Here’s what I did.
To get an idea of how bad the problem was I ssh’ed to my server, cd’ed to my installation and ran this command.
wp post list --fields=ID,post_title,post_name,post_date,post_author --url=blog.dembowski.net
This command outputs a neat table and the fields on the CLI include the post_author ID.
I wanted to see those fields and since I’m running on multisite I had to specify the URL. Yep, the recent posts were set correctly but almost all of the old ones were set to post_author=0. I probably could use wp-cli to fix it but I ended up using mysql commands.
wp db export ~/author-munging-save-me.sql
Backup your database, backup your database, backup your database. Don’t rely on your existing backup, just make a new one.
From my wp-config.php file I copied the mysql database name, user ID, password and table prefix. I then ran this command.
$ mysql -D mydbsitedbname -u mydbuser -p
Which put me on the mysql command line. The idea was to fix each post where the post_author=0. Easy!
And I promptly ran an update on the wrong table in my database.
A quick check showed me that nothing changed for what I was trying to fix. I’m not sure what I broke but I am sure I would be sorry if I didn’t fix it pronto.
I wasn’t worried because I had that backup and ran this command.
$ mysql -D mydbsitedbname -u mydbuser -p < ~/author-munging-save-me.sql
You see, I like to poke at my site and while I don’t always break it I have done horrible things in the past. Everyday I make a full automated backup and once a week backup all of my files and I know how to restore the full database. I could rely on last night’s file but why bother? I just made a new one before working on the database.
I forgot that I was running multisite and that this blog is the second one in my site. The wrong post_author ID was 0, the correct ID is 1. I re-ran mysql on the command line and used this:
UPDATE myprefix_2_posts SET post_author=1 WHERE post_author=0;
A quick check and I’m good. The only thing that was updated was the post_author where I wanted it to be. I’m sure I would have caught this eventually but using the Wapuuvatar plugin pointed it out to me sooner.
Update: That broke things. The Gravatars on the front page went away. I rolled back the database and will look at being a little more selective on how I update the post_author.
Update for the update: When Twenty Sixteen only sees published posts from one author then the Gravatar isn’t displayed on the main list of posts. Nothing broke and I assigned Lily’s 3 posts to her account. 😉
Featured image photo by masatsu 
I like CSS. It’s clean, (mostly) standards based and while not all browsers will agree on goofy features, some basics should just work. CSS3 Flexbox support should be on that list for current versions of browsers.
Guess which browser doesn’t support “flex-direction: column”? Internet Explorer will not be updated by Microsoft for anything except security patches. The CSS works fine in the Edge browser.
In my last post I described how to get CSS to visually crop and center featured images. With Internet Explorer 11 the cropping worked but the image wasn’t vertically centered. The “overflow: hidden” did it’s job but the image displayed from the top and the rest was hidden.
This is not a new problem and I found this article on how to use a little jQuery to make a browser do it’s thing. When it’s one image then you can use the class assigned to it.
I ended up adding this class to each featured image.
mh-thumbnail-<?php the_ID(); ?>;
Then I outputted this script where any featured image was.
<script type="text/javascript">
jQuery(document).ready(function() {
var imageHeight_<?php the_ID(); ?>,
wrapperHeight_<?php the_ID(); ?>,
overlap_<?php the_ID(); ?>,
container_<?php the_ID(); ?> = jQuery('.mh-thumbnail-<?php the_ID(); ?>');
function centerImage() {
imageHeight_<?php the_ID(); ?> = container_<?php the_ID(); ?>.find('img').height();
wrapperHeight_<?php the_ID(); ?> = container_<?php the_ID(); ?>.height();
overlap_<?php the_ID(); ?> = (wrapperHeight_<?php the_ID(); ?> - imageHeight_<?php the_ID(); ?>) / 2;
container_<?php the_ID(); ?>.find('img').css('margin-top', overlap_<?php the_ID(); ?>);
}
if( BrowserDetect.browser == 'Explorer' ){
jQuery(window).on("load resize", centerImage);
}
});
</script>
That sucks. It’s doable, but I needed to use “the_ID()” because each featured image needed it’s own calculation to center correctly.
I did not want that “jQuery(window).on” to fire for anything except but Internet Explorer. jQuery removed the ability to easily detect the browser and for good reason: you should write scripts based on the browser’s capabilities and not the version or software vendor. My javascript skills are worse than my CSS.
I ended up using this script and I can detect “Explorer” now. Adding a line to my child theme’s functions.php file took care of that.
wp_enqueue_script( 'mh-browserdetect', get_stylesheet_directory_uri() . '/browserdetect.js' );
The end result is that for any current browser the CSS does it’s job. For Internet Explorer the javascript gives it that little push to get it to play nicely. I haven’t tried Internet Explorer 8 but I’m not sure I care to.
Working with version 11 already made me feel like I need a bath.
I’m lazy and I like to try and figure out how to get the results I want without a lot of work. In the recent past I’ve uploaded featured images that were 1200 pixels wide and varying heights. I’m playing with a child theme of Twenty Sixteen and wanted to center crop the existing featured images.
I could have re-sampled the cropped images one at a time in Photoshop Elements or ImageMagick (for some CLI bash shell fun). Or I could have used the Regenerate Thumbnails plugin and let that go. Instead I messed with CSS until it worked the way I liked.
Hardeep Asrani
""The uploader hasn't made this video available in your country." The force isn't strong ..."
Automatisch, zentriertes Zuschneiden des Featured Image bei WordPress – www.feutl.com
"[…] Der original Blog Eintrag stimmt von Jan Dembowski. […] "
Jan Dembowski
"Good questions! * Looks * Here's the links to the items I purchased ..."
Matt Brandon
"I like this combo. What diameter band and clasp did you get ..."
Robert Donat
"Seiko pieces are my favorite choice when it comes to diver's watches.Their craftsmanship ..."