WordPress 2.8.6 Released and a 2.9 Preview

I got the notice last night that WordPress 2.8.6 was released to fix a pair of security holes.  So I hopped right into the admin console from my iPhone and in 2 minutes, it was updated.  If you have a WordPress installation, I urge you to update right away as well.

This will almost certainly be the last release prior to the much anticipated release of 2.9, which is our next major (feature related) release.  Aaron Brazell had a great preview on his site yesterday, and since I’m not currently running the beta, I’ll leave the full-on feature review to him.  Here are the major bits to expect:

  • Enhanced image handling – scaling, cropping, and thumbnail sizing on a per-picture basis.
  • Trash Can – this really goes back to the old notion we saw in newspaper editorial systems, delete doesn’t really delete, it just hides.  This will come in handy.
  • The_post_image – if you’ve ever tried to add an image to an excerpt of a post you will know why this is important.
  • oEmbed – video support, which I’ve had for years using Vipers Video Tag Plugin.
  • Custom Post Type – this is one of those CMS type functions.  It’ll make my life easier, although honestly in the past I’ve been able to make categories do my bidding with little trouble in WordPress CMS settings.
  • Comment Meta – I have no idea what to think about this one.
  • Metadata API – Another feature I’m sure I’ll use, but currently I can’t think of anything I’d use it for.  I guess this is like custom fields for everything, not just limited to posts.
  • Theme System Modification – this will allow developers to work on one theme, while real users look at another.  This has been needed for some time.
  • Rel=Canonical Optimization – seems like a little thing, but it will help a lot with SEO.

Check out the preview at Technosailor.com for the full scoop.

WordPress 2.8.5 Released

A new WordPress release came out last night. Unlike the previous, this is what they are calling “a hardening release”, i.e. it is generally designed to make the code base more secure, but doesn’t fix any known vulnerabilities.  As with all minor level releases, I suggest you update as soon as possible, if for no other reason than to stay current.

From their blog:

  • A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where PHP code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins.

We can expect to see 2.9, the next major level release, around the end of the month, certainly before mid-November.  That release will supposedly center on enhancements to image handling features.

(For those casual readers, I should probably explain that I develop sites daily with WordPress, and have for many years…hence I think my opinion on matters WordPress should have some level of importance to you…)

WordPress 2.8.4 – Update Now

The folks at Automattic released a security update for WordPress today due to a very specific bug:

…a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.

While this isn’t an incredibly nasty bug, it does affect the admin user, which many folks use as their only point of access to the system, which is poor practice.  On my customer sites, the admin user is never actually used by anyone (except for me, and only in an emergency).  Everyone gets a user specific account and that account has the right privileges for that user.

Click the upgrade button now, or have your web guy/gal/poodle take care of it for you.

WordPress Revision History to the Rescue

(Uh, Jeff, Kelly, move on, nothing to read here.  Nothing of interest to you at all…really…)

I had one of those moments today.  Mistakes were made.  Bad mistakes.  The “oh crap, I’m editing on the production site, not the qa or dev server” type of mistakes that immediately have you picturing your career dissipation light suddenly burning bright.

So I noticed after working on this highly important site that I’d accidentally overwritten something on the live site.  Yech.

Luckily, as of version 2.6, WordPress now has Revision History.  I’ve only used the feature a few times before, and then, only when I’d gotten to an unrecoverable point on a qa server.  So in I went, and there it was…the content I’d overwritten, waiting for me, like a girlfriend I’d done wrong…

Saved.  Career dissipation light dims to nothing.

Thank you WordPress…without that my next stop was going to be the Internet Archive…

My WordPress Plugins

Over the past couple weeks, I’ve seen a lot more people making the switch to WordPress.  Why not?  The system is utterly configurable, with a plugin (or 5) for virtually every need.  The problem is that not all plugins are of the same caliber.  In fact, some are downright site killers.  Since I’ve had a close look at a lot of them, I thought you all might benefit from a look at the plugins that I use on my personal blog.

  • Akismet – this one comes standard with WordPress and it’s a decent anti-spam program.  Although this morning for the first time in recent memory 8 spam comments found their way through…
  • All In One SEO Pack – I’ve done a bunch of rewrites on this package for other sites, but the out of the box SEO functionality is great.  Take the time to configure it.  Perhaps this plugin is worth a post of its very own at a later date.
  • Feedburner Feedsmith – this reroutes my RSS through Feedburner so I can get some meaningful stats on the black hole that is RSS usage.  I love metrics…
  • FlickRSS – I’m using this to pull in photos from my Flickr account.  I’m not a huge fan of this…
  • Google XML Sitemaps – a great plugin for SEO – BUT you have to limit it to 5000 posts if you have a large volume in your system. I have seen this plugin bring two sites to their knees.  Limiting to 5000 fixed that issue for both.
  • MobilePress – I just installed this, because my new wider format wasn’t mobile compatible.  Hence, I can’t render a true opinion here. (Note: after this post, I found this plugin was rendering the mobile version to everyone, and I turned it off.  I am fairly certain it is a wrong setting, but I can’t recommend the plugin until I see it work properly)
  • ShareThis – a great plugin to add links to the social networking sites.
  • Simple Recent Comments – There should be a simple hook to grab recent comments in WordPress, but there isn’t.  This adds one.
  • Subscribe2 – This allows you to have users sign up for email digests.  I’ve been using it for 4 months and I’m the only person signed up.
  • Twitter Tools – A plugin that will post all your blog entries to Twitter and all your Tweets to the blog.  I only use it to post my most recent tweets to the sidebar.  If you were to actually use it, you’d look like a Twitiot…
  • Vipers Video Quick Tags – a great video plugin.
  • WordPress Automatic Upgrade – the need for this goes away in the next release so don’t even bother.
  • WP Super Cache – this program utterly rules – it creates a cache that cuts down on bandwidth usage and makes your server much better able to handle high loads.  I will probably have some stats to share on this one in a week or so as I am testing it on a site at work.

Absolutely avoid plugins such as:

  • Anything offering “live” statistics or user tracking – These plugins will create ginormous tables as they track every single hit to your site.  They also add a database write on every page view, which negates the benefit of having caching.
  • Anything that offers “easy database access” – Your admin console may one day be compromised; don’t use a plugin that would then let anyone run arbitrary queries against your database from that console.
  • Anything that hasn’t been updated in over a year – that would mean that it wasn’t vetted for the watershed WordPress 2.5 release.  I guess it’d be okay if the plugin was very simple…

WordPress 2.6.3 Released, and Issues with Auto Upgrade

The folks at Automattic today released WordPress 2.6.3, which is a minor security patch to the Snoopy script they use for displaying RSS feeds in the admin area.  Not an utterly crucial upgrade, but one you might want to take just to be sure you’re secure.  The upgrade took me 5 minutes using the auto upgrade plugin.

One issue that I noticed while using the auto upgrade plugin, which was also upgraded, was that the script failed repeatedly on the database backup step.  I was forced to skip that step (I used the database backup plugin to grab one).  If you find you have the same issue, you may want to skip that step as well.  Just be sure to get a db backup (and you should be getting those weekly!).

Now’s probably a good time to mention that we’ve got another major WordPress Upgrade on the way, 2.7, which should be here in November.  Again, there will be major changes in the Admin area as they clean it up even more and make it more useful for us.  For an overview of the new Admin UI, have a look here.

So what’s the 2.7 upgrade mean to you?  Basically it’s going to provide a more logically oriented admin area, and one we’ll be better able to build upon into the future.  As I’ve said before, WordPress is no longer just blog software, it has become a full fledged open source content management package, and this is yet another move in that direction.

On another front, Automattic will also be releasing the 1.0 level version of BBPress, their forum package which provides tight integration with WordPress. I’m particularly interested in this package, as I work with BBPress on almost a daily basis, but honestly, the feature list doesn’t even approach that of vBulletin or even Simple Machines.  Still, I’m hopeful for a vast improvement over the 0.9 code stream.

Geek.com Relaunched

For the past couple months I’ve been devoting a lot of my time to the re-release of http://www.geek.com – the online technology resource and community for technology enthusiasts and professionals.  We’ve added a lot of social networking tools, and also done a general WordPress/bbPress upgrade which will allow us to easily take the latest releases in the future.

This is important on a couple of levels, first off, this is a site that has over 10 million unique users a month. That ought to put to rest the “WordPress doesn’t scale” talk I hear around the net.  WordPress scales just fine for large sites if you set your server up properly.


WordPress 2.6 – It’s a CMS, Baby!

I remember when I first set up WordPress back in 2003, the old 1.x days, my comment was that “It’s just like a CMS (content management system) with most of the functionality removed.” Well, with the release of WordPress 2.6, I can finally eat my words. It’s now simply a content management system, and a darned good one at that.

That’s right, content management system. To call it a blogging platform is to sell it short. It’s now all the features I expect to see in a simple content management system, and two that we do not expect to see: it is both easy to use and easy to maintain.

Is it Enterprise level software? No, probably not, although it is certainly scalable and customizable. But that doesn’t mean it’s not in use at corporations around the globe. I know of many that now rather than calling their Interwoven contractor will fire up a new WP install for certain needs.

So here is a run down of the new features that make the difference for me:

  • Revision History: this was never a big deal to bloggers, as we generally are lone gunmen. However when you enter a multiple user environment, you need a fast and easy way to see who did what and when, plus the ability to revert to a previous version. This is a staple of the *big bad print cms editorial system* and has been a glaring hole in the WP system by my estimation.
  • Image Editing: The previous version hinted at the auto resize capability of the system by offering thumb, medium or large image sizes for anything you uploaded. Now I can select the exact width I want for the image, assign any of the data I want, link it as I wish, all within a neat little flash app.
  • Image Resize: Now I can resize to any size I want (just upload the image, click “insert to post”, then reopen the image by hovering over it in the editor and clicking the “edit image” button that appears on it, and you’ll see you have complete resize options).
  • Add Style Code to Image: Also, now I can edit style code directly into the image editor. This is the main reason that you always see my images aligned on this blog to the right, I never took the time to add a padding-right: 3px; to the style sheet, so I didn’t like the way it looked. These styles can now be added directly in the editor.
  • Image Caption: Then there’s the image caption feature – again, I can just write in a caption and I’ve got an image caption. One of the little things, but it’s been missing from this (and many other cms systems) for a long time.
  • More Edit Info In Editor: I can now at a glance see the last save time, last edited by and word count info. Also, I have direct link access to see comments, manage comments, manage all posts, manage categories, manage tags, and view drafts. Basically the stuff I need if I’m a production editor working on numerous posts, is right there, so I don’t have to go looking.
  • Better Plugin Management: I love that they have separated my active plugins from my inactive plugins. Of course, it just highlights to me that if I am not using a plugin it should be removed.
  • Gears Integration: Typically when we start to add so much functionality via a browser, performance starts to drop. I haven’t seen any issues, but WordPress has added Gears support to handle this. Just click the “turbo” button in the far upper right hand corner.

The single biggest feature though, is one that will come in handy for the lone gunman blogger: they will now be able to do an automatic (single click) update for WordPress when a new version comes out. That’s a huge feature, and will help the less technical stay up to date and secure.

So far, the only issue I’ve seen is that my Tag Suggest Plugin appears to have stopped working. A very small price to pay. I was able to update the site in about 10 minutes, most of which was spent downloading and uploading files. For the first time I did an autoupdate on the recently updated plugins, which was sweet.

Congratulations to the Automattic team and happy Blogging Content Managing to all!

(An afterthought a day later: I should probably mention that I’ve got 10 high volume multiuser sites running on WP, where we use it as a CMS, some getting over 10 million visits a month. This update brought in the final bits the system needed in my estimation...)

MySQL Table Locking & WordPress Scalability

I ran into an interesting issue recently, and since I had so much trouble finding a solution, I’ll post about it.

We have a very large WordPress site with somewhere around 32,000 posts. Sometime during May the database (MySQL 5.10) started to randomly crash, taking along with it the Apache server, etc. Every time the crashes occurred, we’d find that the number of users had climbed over the available processes, in this case, 501.

We went through a whole host of possible causes, most notably a quick cleanup of some rather dubious plugins, etc. Then we upgraded our wp-cache to Wp Super Cache, which has been tremendous. Our standard 30-40 mysql connections dropped immediately to an average of 2 or 3. Even though we still had the random database crashes, now the Apache process would continue to run, often serving pages throughout the outage. Actually the whole thing was quite astonishing.

In the end, our DBA Glenn Nadeau suggested we take a look at the size of our tables. Sure enough, our wp-posts table had climbed to 32,000 rows. Apparently when you query over 30,000 rows, MySQL will lock the tables. Hence our issue.

After a little searching we found the get_posts() function was being used in one of our templates to return pretty much everything from the posts table, even though all but 20 results were being discarded in the next line of the script. A simple date limit on the query brought its execution time down from 35 seconds to milliseconds.

get_posts() is a standard WordPress function that we often use in our templates. Be very careful if you have a large site with tons of posts that you limit the query. As they say, be careful what you ask for, you may just get it. 😉
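To make the fix concrete, here is the unbounded get_posts() pattern described above next to a bounded one. This is an added example, not code from the original post or from WordPress itself; it assumes a standard template context where get_posts(), add_filter(), remove_filter() and $wpdb are available, and the 90-day window is an assumed value.

```php
<?php
// Added example, not from the original post. Assumes a WordPress template
// context; get_posts(), add_filter(), remove_filter() and $wpdb are core
// APIs, the 90-day window is an assumed value.

// BEFORE: pull every row from wp_posts, then keep 20. The database still
// reads and sorts the whole table on every page view, and on MyISAM that
// long read holds a table-level read lock that stalls writers behind it.
function recent_posts_unbounded() {
    $all = get_posts( array( 'numberposts' => -1 ) ); // -1 means no LIMIT
    return array_slice( $all, 0, 20 );
}

// AFTER: let MySQL do the limiting. numberposts becomes LIMIT 20, and
// get_posts() orders by post_date DESC by default, so the newest 20
// come back without the rest of the table being handed to PHP.
function recent_posts_bounded() {
    return get_posts( array( 'numberposts' => 20 ) );
}

// The "simple date limit" the post mentions: a posts_where filter that
// adds a lower bound on the post date. Note that get_posts() sets
// suppress_filters to true by default, so this filter is silently ignored
// unless suppress_filters is switched off for the one call that needs it.
function recent_posts_date_window_where( $where ) {
    global $wpdb;
    $cutoff = gmdate( 'Y-m-d H:i:s', time() - 90 * 86400 ); // 90 days (assumed)
    return $where . $wpdb->prepare( " AND {$wpdb->posts}.post_date_gmt >= %s", $cutoff );
}

function recent_posts_last_90_days() {
    add_filter( 'posts_where', 'recent_posts_date_window_where' );
    $posts = get_posts( array(
        'numberposts'      => 20,
        'suppress_filters' => false, // required for posts_where to apply
    ) );
    // Remove the filter straight away so it cannot leak into other queries.
    remove_filter( 'posts_where', 'recent_posts_date_window_where' );
    return $posts;
}
```

A quick check that the change took effect is to define SAVEQUERIES in wp-config.php and inspect $wpdb->queries on the affected page: the SELECT against wp_posts should now carry both a date bound and a LIMIT.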

WordPress Security 101

Last Wednesday I delivered a presentation entitled “WordPress Security 101” which got the discussions started in earnest about WordPress Security among our team.

Here are the takeaways:

  • Keep your blog up to date
  • Don’t use plugins that aren’t in general public use unless you know who wrote them or have thoroughly reviewed the code
  • Forms for reader upload/feedback are the single biggest point of attack – be sure if you code one you use the WordPress “Nonce” function to keep junk off your server
  • Watch out for other programs you may add to your site
  • Keep up to date on both OS and DB – if your host doesn’t do this, get a new host
  • Keep your WordPress installation up to date.  Recent versions will warn you that there is an update available
  • Remove the XML-RPC file if you don’t use an external blog editing program.

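
Here is what the nonce takeaway looks like in practice: a reader feedback form whose submission is only processed if it carries a token that WordPress itself issued for that form and that user. This is an added example, not code from the original post or from WordPress; wp_nonce_field(), wp_verify_nonce(), sanitize_text_field() and wp_die() are core WordPress functions, while the action name ‘reader_feedback’, the field names and the handler functions are assumed for illustration.

```php
<?php
// Added example, not from the original post. Core WordPress functions are
// used as-is; the action name 'reader_feedback', the field names and the
// two handler functions are assumed for illustration.

// Render the form. wp_nonce_field() emits a hidden field holding a
// time-limited token bound to this action and the current user (plus a
// _wp_http_referer field), so a request forged from another site has no
// way to produce a matching value.
function reader_feedback_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'reader_feedback', 'reader_feedback_nonce' ); ?>
        <textarea name="feedback" rows="4" cols="40"></textarea>
        <input type="submit" name="reader_feedback_submit" value="Send" />
    </form>
    <?php
}

// Handle the submission. The nonce is checked before anything else is
// read from the request, so a missing, expired or forged token stops the
// request before it can reach the database or the mailer.
function reader_feedback_handle() {
    if ( ! isset( $_POST['reader_feedback_submit'] ) ) {
        return; // nothing submitted on this request
    }
    $nonce = isset( $_POST['reader_feedback_nonce'] ) ? $_POST['reader_feedback_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'reader_feedback' ) ) {
        // wp_die() ends the request with a message; nothing below runs.
        wp_die( 'Security check failed. Please go back and try again.' );
    }
    // The token only proves the post came from our form; the content still
    // has to be sanitized before it is stored or displayed.
    $feedback = sanitize_text_field( $_POST['feedback'] );
    // ... store or e-mail $feedback here ...
}
add_action( 'init', 'reader_feedback_handle' );
```

The nonce guards against forged and replayed submissions; it does nothing about what a legitimate visitor types, so the sanitizing and escaping steps remain necessary.
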
The problem we face is that WordPress is an open source program, hence its code base and db schema are generally known items.  Since it is in wide use, it is a frequent target for attacks.  The good news is that it is patched quickly when vulnerabilities arise.  However, many bloggers never update – I could show you several 1.x level installations – and these are highly insecure.

Let’s get up to date people…and for God’s sake make sure you get a backup of your database weekly, as well as keeping a local copy of your wp-content/uploads folder – that will allow you to recreate the site if the worst happens.