How To White List JetPack Servers.

JetPack is a collection of WordPress power tools maintained by the WordPress creators, Automattic. It will, among other things, provide you with site stats and analytics, automatic social network sharing, 24/7 uptime monitoring, and access to a high-speed content delivery network for images.

Many of JetPack’s features use the WordPress.com infrastructure, and to use it on a self-hosted WordPress install – like the one you’re looking at right now – the WordPress XML RPC interface has to be accessible to the WordPress.com servers. The problem with that approach is that the XML RPC interface is one of the favorite attack vectors for WordPress hackers and script kiddies. So the interface is ideally locked down and made inaccessible unless it’s strictly necessary to make it available.

To get JetPack to work properly it’s necessary to make the XML RPC interface accessible from the in-ter-net. But you don’t want every single Russian basement dweller to get access: Ideally, you just white list the JetPack servers.


Independent Publishing.

The site’s design is beginning to feel stale again. I’m popping in at least once a day, just to check that everything is A-OK, and now I’m starting to get too used to how things look around here. The current theme, the Editör, was introduced a little over a year ago, and one year seems to be the expiration date for most of the designs I’ve used on this site.

There is an almost infinite number of WordPress themes available, both free and premium. And, man, have I looked at a lot of them to find the right look, feel, and feature set. I was close to shelling out $50 for a theme that probably would have worked without too much tweaking, but decided I couldn’t rationalize spending that much money now on something like that. So, in the end, I’ve resolved to try a basic, but clean, open source theme called Independent Publisher.

Independent Publisher is a good starting point for a theme, but it has a few shortcomings, most of them related to navigation. But it’s nothing a few tweaks can’t fix. And since it’s all open source, maybe I can contribute something back to the original project. I’ve already had one pull request approved, so things are moving along.

The plan is to make enough changes to the CSS so that my highly customized A Picture a Day and A Book a Month sections look all right, then activate the theme. That means that many features, like the use of my very own wp-days-ago WordPress plugin, will disappear – but it won’t be anything you can’t live without. The actual content will still be here, and I’m aiming to gradually add everything that goes missing again over time.

Update: And we’re live! A lot of missing features, and some minor bugs. But that’s to be expected after only four or so hours of work. I’m way past my usual bedtime, so it’s time to head off to sleep. If you notice any major issues, please let me know.

A Short Evening With Ghost.

I’ve been playing around with Ghost this evening, and reached the sober conclusion that it’s not for me. At least not yet. If you’re planning to launch a brand new blog, and you like simplicity and a platform that is very far from being feature bloated, I’d strongly recommend Ghost. But if you’re like me, currently running a WordPress site with 2,000+ (i.e. a shitload) of posts and pages that you want to convert to the Ghost platform, you might want to sit on the fence for a while.

Here are a few good reasons why, most of them related to the process of moving your content from WordPress to Ghost:

There’s no automatic update process

If you’re used to WordPress, you’re also used to the luxury that it’s updating automatically now, fixing critical security vulnerabilities and bugs without you having to hold its hand. Ghost doesn’t do that; you have to manually update the core code yourself. In a world where it is just a matter of time before someone finds a gaping security hole in anything connected to the internet and uses it to butt rape everyone, automatic updates are essential.


Ghost Writing.

During its 16-ish-year-long life, this site has been powered by a few different content management systems. First, it was Greymatter, then a simple one I wrote myself in PHP, called Bugger as an homage to Blogger, and for the last 7 years, WordPress has been in control.

WordPress is great for blogging, and it can be used for a lot of other things as well. It can, for instance, be turned into a complete e-commerce platform without too much effort. A lot of options and features can often lead to a piece of software becoming bloated and confusing, but thanks to its plugin architecture, WordPress has not fallen into that particular trap. For me, the only real drawback with WordPress is that it’s written in PHP. It’s not that PHP is bad per se. Contrary to what you usually hear, it is possible to write beautiful code in that programming language – but it’s also incredibly easy to write crappy code.

The problem with WordPress being written in PHP is that when I modify themes, play around with plugins, and write site features like A Picture A Day, PHP is the natural path to take. Being fluent in PHP is great, but it’s not something that helps me build knowledge I can use professionally. The programming language is more or less dead and forgotten in my line of work; these days it’s all about JavaScript – both on the client and server side.

Just a couple of days ago, I came across a blogging platform that might enable me to continue to feed you people with average quality writing, and at the same time make me more comfortable with JavaScript: Ghost.


How To Secure WordPress. Again.

I’ve been using WordPress to power this site for many years now, and I’m not the only one doing that: According to the WordPress Wikipedia article, the Content Management System (CMS) was used by more than 23.3% of the top 10 million websites as of January 2015. That number makes it a prime target for hackers and script kiddies around the world.

WordPress’ security record isn’t exactly great. There are many reasons for that, among them WordPress’ support for extensions like plugins and themes. Many of these plugins and themes are slapped together by developers who have no clue about the importance of securing their code against known vulnerabilities. This has often resulted in many popular extensions being wide open gates into the inner workings of WordPress, making it very easy for bad guys to ruin everyone’s day. WordPress itself also hasn’t been a stranger to having major security vulnerabilities. That it’s written in PHP hasn’t exactly helped, and security wasn’t really something the core developers put much effort into until recent years. But the latter is, thankfully, getting better. The WordPress core is now updating itself automatically, and this feature will be enabled for plugins as well soon.

But even though security has become a focus, both for the core WordPress team and at least some plugin and theme developers, you should still make a bit of an effort to enable additional layers of security to your WordPress site. Most of the work is done, rather ironically, with the help of plugins.
