Worldwide Photowalk on MU

For all you photographers out there, did you know the Worldwide Photowalk takes place next Saturday? It’s a good chance to meet other photographers in your area. It was a pleasant surprise when I realised their website runs on WordPress MU! I’m leading the Cork City Walk (still a few places left!) on Saturday and it was nice when I recognised what it was running on.

So, if you’re free on Saturday, check out the listings page. There might be a photowalk near you!

PS. If you’re running WordPress MU, check out the alpha release of the new version. It fixes a number of bugs in the original 2.8.1 release. It’s very stable but try it out on a test server first.

Why you should limit login attempts


Some idiot at 213.155.4.184 hit all my websites over the last few days trying to log in to my blogs. He fired off hundreds of automated requests probing and searching and testing my admin login. Each request had a different password. I use difficult-to-guess passwords but seeing the attempts was disconcerting.

I went searching and found the Limit Login Attempts plugin. After installing, a new page appears under Settings with a wealth of options:

[Screenshot: lockout]

I’m glad I did install it; it caught the same guy when he hit this blog a few hours later! You should probably install it too.

PS. Matt asked me to explain how I recorded those requests. There is a WordPress plugin that sends an email when a POST request is made but I threw this code into a file and load it with the “auto_prepend_file” directive in my php.ini (saves adding it to every installation of WordPress on my server):

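<?php
// Prepended to every request via auto_prepend_file in php.ini.
// E-mails the details of each POST request, skipping WP cron, comment
// submissions and trackbacks.
// $HTTP_RAW_POST_DATA is not always set (and was removed in PHP 7.0), so
// guard it before interpolating it into the message body.
$raw_post = isset( $HTTP_RAW_POST_DATA ) ? $HTTP_RAW_POST_DATA : '';
if ( ( isset( $HTTP_RAW_POST_DATA ) || !empty( $_POST ) )
    && $_SERVER[ 'REQUEST_URI' ] != '/wp-cron.php?doing_wp_cron'
    && $_SERVER[ 'SCRIPT_NAME' ] != '/wp-comments-post.php'
    && substr( $_SERVER[ 'REQUEST_URI' ], -10 ) != '/trackback'
    && substr( $_SERVER[ 'REQUEST_URI' ], -11 ) != '/trackback/' ) {
    mail( "MYEMAIL@gmail.com", $_SERVER[ 'HTTP_HOST' ] . " POST request: " . $_SERVER[ 'REMOTE_ADDR' ], "URL: {$_SERVER[ 'REQUEST_URI' ]}\nPOST: " . print_r( $_POST, 1 ) . "\nCOOKIES: " . print_r( $_COOKIE, 1 ) . "\nHTTP_RAW_POST_DATA: $raw_post" );
}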
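The snippet above sends every POST body and cookie verbatim, which includes the password typed on each legitimate login and the session cookies of logged-in users. The variant below is an added example, not the author's code: it keeps the same exclusions but masks password fields, records cookie names only, and appends to a local file instead of sending mail. The `ppl_` names, the list of secret field names and the log path are assumptions.

```php
<?php
// Added example, not the author's code. Load it with auto_prepend_file.
// Assumptions: the field names and the log path below are illustrative.
$ppl_secret_keys = array( 'pwd', 'pass1', 'pass2', 'password' );
$ppl_log_file    = '/var/log/php/post-requests.log'; // writable by PHP, outside the web root

// Replace the value of any secret field with a length marker, recursing into arrays.
function ppl_redact( array $data, array $secret_keys ) {
    $out = array();
    foreach ( $data as $key => $value ) {
        if ( in_array( strtolower( (string) $key ), $secret_keys, true ) ) {
            $len         = is_scalar( $value ) ? strlen( (string) $value ) : 0;
            $out[ $key ] = "[redacted, $len bytes]";
        } elseif ( is_array( $value ) ) {
            $out[ $key ] = ppl_redact( $value, $secret_keys );
        } else {
            $out[ $key ] = $value;
        }
    }
    return $out;
}

// Same exclusions as the original snippet: cron, comments, trackbacks.
function ppl_should_log( array $server ) {
    $uri    = isset( $server['REQUEST_URI'] ) ? $server['REQUEST_URI'] : '';
    $script = isset( $server['SCRIPT_NAME'] ) ? $server['SCRIPT_NAME'] : '';
    return $uri !== '/wp-cron.php?doing_wp_cron'
        && $script !== '/wp-comments-post.php'
        && substr( $uri, -10 ) !== '/trackback'
        && substr( $uri, -11 ) !== '/trackback/';
}

if ( ! empty( $_POST ) && ppl_should_log( $_SERVER ) ) {
    $record = array(
        'time'         => date( 'c' ),
        'ip'           => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        'host'         => isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : '-',
        'uri'          => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
        'post'         => ppl_redact( $_POST, $ppl_secret_keys ),
        'cookie_names' => array_keys( $_COOKIE ), // names only: the values are session credentials
    );
    // One JSON object per line. json_encode escapes newlines, so a request
    // cannot forge extra log lines; invalid UTF-8 is substituted (PHP 7.2+).
    error_log( json_encode( $record, JSON_INVALID_UTF8_SUBSTITUTE ) . "\n", 3, $ppl_log_file );
}
```

The number of distinct redacted-password attempts per IP is still visible in the log, which is the signal a lockout rule needs.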

WordPress MU 2.8.1

WordPress MU is a multi user or multi blog version of WordPress that is used to run sites like WordPress.com.

Just a day after WordPress 2.8.1 came out and here’s WordPress MU 2.8.1. The original WordPress announcement has plenty to say about this release, but what you need to know is this is a security update and a required upgrade.

This is the first MU 2.8.x release because of course there wasn’t a 2.8 one. Make sure you upgrade to stay up to date. The handy auto upgrade facility built in to the software should kick in but if not, go to the download page and grab the new zip file. Unzip over your current install and any database upgrades will take care of themselves when people log in.

The WPMU Timeline is a good place to look to keep track of what has changed. Many bugs were squashed and features added.

WordPress MU 2.8.1 beta

WordPress MU is a multi user or multi blog version of WordPress that can be used to run sites like WordPress.com.

MU Admins! Please download and test wpmu-2.8.1-beta.zip on a test server! This is a beta release that is this <—> close to being final but it needs testing by the community.

It works fine on my test server but I haven’t been able to test every last thing to death. That’s where you come in. Download it, install it, log in, look around. Notice anything broken? That’s what Trac is for. Verify you can repeat the problem, open a ticket and describe how the problem can be reproduced. Well done. You’ve just contributed to a Free Software project. 🙂

PS. I know there are two “My Blogs” links in the beta. That was fixed 2 days ago. Grab the zip file from the end of this page to get the most up to date code.

Go Mobile with Supercache

I’ll be honest, I don’t have much experience with mobile content. I’ve rarely browsed the net on a mobile device. I don’t have an iPhone and don’t intend buying one but lots of people do use mobile devices to browse online.

With that in mind, and after some pestering by Vladimir I modified WP Super Cache so it will support mobile devices and operate in full super caching mode!

The plugin now filters out requests from the most common mobile user agents and serves those requests in “half on” WP-Cache mode while serving the rest of your visitors static html files. As I’ve said many times before, the speed difference between both modes is negligible for normal traffic but it’s a nice safety net in case your site is inundated.

Only thing is, I want people to test it first before making a final release. Grab the development version from the download page and give it a whirl.
Your mod_rewrite rules in the .htaccess file have to be updated but if you delete the “WPSuperCache” rules they can be regenerated by the plugin next time you load the admin page.
There are also a number of other bugfixes and enhancements too so check out the Changelog.txt for more details.

I use WordPress Mobile Edition here and last Sunday I noticed an extra 10,000 requests from Google using odd looking “mobile useragents” like this one:

SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)

The actual mobile device changed but the Google bit stayed the same and all requests came from 66.249.71.2.
Eventually I figured out that Google was adding my site to the “mobile” section of their index. Presumably to be served from here. Cool, another way of getting to my site.

PS. the development version also has a small modification to make it go faster by not checking file modification time on each request. This could help on really busy servers.

WordPress MU Catchup: big merge, wpmudev goes gpl and MU support

Exciting times in the world of WordPress and WordPress MU. Last weekend’s announcement by Matt that WordPress MU would merge into WordPress caused a flurry of activity and questions on Twitter and on blogs, most notably with speculation that WordPress.org would run on MU and by jeffr0 who asked me on IRC what was happening.

Basically, the thin layer of code that allows WordPress MU to host multiple WordPress blogs will be merged into WordPress. I expect the WordPress MU project itself will come to an end because it won’t be needed any more (which saddens me), but on the other hand many more people will be working on that very same MU code which means more features and more bugfixes and faster too. It also means no more marathon code merging sessions. I certainly won’t miss that.

Meanwhile in the real world, there’s more merging to be done. WordPress 2.8 is expected next Wednesday and it has introduced fancy new stuff I haven’t finished fixing yet in WordPress MU. Expect an MU 2.8 beta sometime next week I hope.

In what I first thought was fabulous news, James Farmer has announced that WPMU DEV Premium has been relaunched. The site offered premium support for WordPress MU for a very long time. It also sold proprietary plugins which I’ve never agreed with (because of the conflict with WordPress) but now all plugins are GPL licensed.
Then I found out that you need to sign up and pay a subscription fee to download them. I’m conflicted about it, because if I’m honest, while they’re sticking to the letter of the GPL, the spirit may be lacking.
So, should you sign up there for a month, download all their plugins and upload them to WordPress.org? It’s tempting isn’t it? But no, you shouldn’t. This is real income for James, Andrew and company. If their plugins are uploaded elsewhere will they be updated? Will you sign up for another month and grab them all again and upload each and every one to separate Subversion repositories? Will you provide support when things go wrong? I didn’t think so.
If it really bothers you that GPLed plugins are not available “free as in beer” then write your own and support it. It’s not something to be done lightly.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

(GNU GPL v2.0)

Of course, WPMU DEV aren’t the only MU support people in town. Check out Ron & Andrea’s musupport.net and of course I recommend the Automattic Support Network where you’ll find me and the rest of Automattic.

WordPress MU 2.7.1

WordPress MU is a multi user or multi blog version of WordPress that can be used to run sites like WordPress.com.

This release of WordPress MU has been much delayed but I think it’s been worth the wait. Included in this release are a number of new features and many bugfixes. Get it from the MU download page.

Update! In the final rush to get this post written I neglected to add that this release fixes a vulnerability in the importer system that would allow an untrusted user to run PHP code. Thanks to Alexander Concha for discovering the vulnerability and to Barry Abrahamson who recognised that some servers treat unknown file types as PHP scripts.
One more reason to upgrade.

New features and changes include:

  • A revamped plugin system thanks to Andy Peatling. Plugins installed in the plugins directory rather than mu-plugins can be activated and deactivated on all blogs with one click.
  • The admin bar was removed. It’ll be stuffed into a plugin instead. Must talk to Viper007Bond about that.
  • A new “My Blogs” page where a user’s blogs are listed and personal “per blog” settings can be configured. It’s empty right now but it’s easy to add settings to it via plugins. Imagine having a different “Display Name” on each blog you write on! See SetupMenu and HandleFormPOST in the just removed admin bar for example code. That code uses actions rather than filters but it’ll get you started.
  • The site admin can now set a Global Dashboard blog for users who don’t have blogs. Those users will be added to this blog rather than the main blog. The default role of users on that blog can also be set but if they’re not “Subscribers” they won’t be moved if you change the Global Dashboard.

They’re the major changes. Smaller changes include notification of failed blog upgrades [1728], MU will now ignore free space checks when importing posts [1725] and lots more. Check out the timeline for further details.

If you’re running WordPress MU 2.7 you can upgrade from inside the Dashboard. The system will notice that a new version is out and will lead you through the upgrade process, just like in regular WordPress. Plugins can be updated as well through the familiar plugin upgrade process as long as your plugins are hosted on the WordPress.org Plugins Database.

As always this release would not have been possible without the help and encouragement of many people along the way. I know I’ll leave out someone if I try to list everyone but I appreciate all the help people give working through tickets, and helping on the forums.

PS. WP Super Cache was updated today too. New features include an option to stop caching for logged in users, it doesn’t cache previewed posts, and it displays cache size summary information on the admin page now.
PPS. Happy birthday Adam! 2 today and Dad’s finally getting away from the computer now! 🙂

WordPress MU 2.7.1 beta 2

WordPress MU is a multi user or multi blog version of WordPress that can be used to run sites like WordPress.com.

The 2.7.1 release is very close now. I have just uploaded wordpress-mu-2.7.1-beta2.zip for your enjoyment.

2.7.1 has taken longer than usual to come out, mainly because of the large number of bug fixes and new features in this release. Highlights include:

  • A revamped plugin system thanks to Andy Peatling. Plugins installed in the plugins directory rather than mu-plugins can be activated and deactivated on all blogs with one click.
  • The admin bar settings can be customized by any user for each blog via the “My Blogs” page. The code here is still rough, and may not make it into the final release. Please help clean it up!
  • The site admin can now set a Global Dashboard blog for users who don’t have blogs. Those users will be added to this blog rather than the first one.
  • And many more bugfixes you can read about on the MU Timeline

I think this release is just about good enough to put on a production server, but test it first on a development server and back up your old install if you’re really paranoid. All I’ll guarantee is that this software will take up space on your server. I need your help to test it.

If you’re a jQuery fiend or CSS styling guru, your help with the “My Blogs” page would be very much appreciated. My ugly code hides settings that aren’t relevant, but the page isn’t pretty. Use Trac or contact me through this site if you have ideas or code to contribute.

I’m glad to say that once MU 2.7.1 does come out, upgrading from 2.7 should be as easy as clicking the Upgrade button in the dashboard. I tried upgrading from 2.7 yesterday and my test server upgraded itself after 1 or 2 false starts.
‘Course, if you’ve modified core files (naughty!), those changes will be overwritten and you’ll have to manually upgrade.

Thanks to everyone who helped me with patches, code snippets, ideas and with ticket updates on Trac.

Three links for WordPress developers

  • WordPress Coding Standards. I used to be a big fan of the “curly bracket on its own line” but many years ago that was beaten out of me. Coding standards can be a subjective preference, but they’re very useful when reading code created by others.
  • Data Validation. It’s vitally important that the data your web application accepts is checked for any malicious code. The new $wpdb->prepare() function is something every WordPress plugin author should be using if they have to use the database directly.
  • WordPress Nonces. A nonce makes sure that a request you’re sending your blog was one you meant to send. Without a nonce, another site could have your browser load an image on its site pointing at your blog’s admin page to do an administrative task. You don’t want another site fooling your browser into doing something malicious, do you? See Cross-site request forgery on Wikipedia for more.

If you write plugins for WordPress, please take the time to read through those pages above and learn how to use the security tools on offer. I know of at least one very popular WordPress MU plugin that doesn’t use nonces and I’ve only looked at the code of a couple of them. Most plugins don’t use $wpdb->prepare() yet as it was only introduced in recent versions of WordPress.
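An admin form handler that uses both tools named above, as an added example (not code from WordPress itself or from any plugin mentioned here). The plugin name, the `exnotes` table and the field names are hypothetical, and the table is assumed to exist already with `id`, `user_id` and `note` columns.

```php
<?php
/*
Plugin Name: Example Notes (added illustration, hypothetical plugin)
*/

add_action( 'admin_menu', 'exnotes_menu' );
function exnotes_menu() {
    // 'manage_options' restricts the page to administrators.
    add_options_page( 'Example Notes', 'Example Notes', 'manage_options', 'exnotes', 'exnotes_page' );
}

function exnotes_page() {
    global $wpdb;
    $table = $wpdb->prefix . 'exnotes'; // hypothetical table, assumed to exist

    if ( isset( $_POST['exnotes_note'] ) ) {
        // Stops the request unless it carries a nonce generated for this
        // action and this user, so a forged cross-site POST is rejected
        // before anything is written.
        check_admin_referer( 'exnotes_save' );

        $note = wp_unslash( $_POST['exnotes_note'] ); // WordPress adds slashes to $_POST

        // Unsafe form, for contrast (user input concatenated into SQL):
        //   $wpdb->query( "INSERT INTO $table (user_id, note) VALUES ($uid, '$note')" );
        // Safe form: placeholders are typed and escaped by prepare().
        $wpdb->query( $wpdb->prepare(
            "INSERT INTO $table (user_id, note) VALUES (%d, %s)",
            get_current_user_id(),
            $note
        ) );
        echo '<div class="updated"><p>Saved.</p></div>';
    }

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT note FROM $table WHERE user_id = %d ORDER BY id DESC LIMIT 5",
        get_current_user_id()
    ) );

    echo '<div class="wrap"><h2>Example Notes</h2><form method="post">';
    wp_nonce_field( 'exnotes_save' ); // hidden _wpnonce field, checked above
    echo '<input type="text" name="exnotes_note" /> ';
    echo '<input type="submit" class="button" value="Save" /></form><ul>';
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->note ) . '</li>'; // escape on output as well
    }
    echo '</ul></div>';
}
```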

As a user of Free Software, you already know that “Free” doesn’t mean “Free as in beer”, it’s “Free as in speech”. If you know anything about software development, help plugin authors by looking over their shoulders and checking their code. There is a cost to everything. In Free Software that cost is helping to test or fix bugs in the software you value and enjoy.

PS. WordPress MU 2.7.1 beta 1 is out, as is WP Super Cache 0.9.3 which has even more fixes for those running the latest PHP5 builds. Bloody register_shutdown() and its object destruction caused me no end of grief debugging that.