The best way to test new WordPress themes

  1. Download the Theme Tester plugin for WordPress, install and activate it.
  2. Download themes from http://themes.wordpress.net/ (or maybe not, see Adam’s comment below!) and try them out without annoying your visitors by changing themes on them.

My new Theme Tester plugin allows you to change themes and view the results without the visitors to your blog seeing any changes.
There is one caveat. Your visitors may notice some changes if your current theme uses blog options that a new theme overwrites. This could happen if for example you’re testing a newer version of your current theme or testing a theme based on the same engine as your current theme. The K2 theme springs to mind here because it’s the base for several other themes but YMMV.

I used the plugin already when I trawled the themes sites and the archives at Weblog Tools Collection for a new theme for this place. As you can guess if you’re a regular visitor, I haven’t changed theme yet, but I found a couple of very pretty designs that may make an appearance here eventually.

Slow down trackback spam with Simple Trackback Validation

I used the Simple Trackback Validation plugin for a while until I noticed these errors showing up in php_errors.

PHP Fatal error: Cannot instantiate non-existent class: snoopy in /home/www/wp-content/plugins/simple-trackback-validation/simple-trackback-validation.php on line 158

This morning I decided to fix it as the spammers have been going crazy. I spotted dozens of POST requests to trackbacks as I tailed my log files.

How to fix the plugin:

  1. Open simple-trackback-validation.php in a text editor and go to line 158. It should be this line:

    $stbvSnoopy = new Snoopy;

  2. Above that line, add the following line:

    include_once( ABSPATH . 'wp-includes/class-snoopy.php' );

  3. Save the file and upload to your host again.

It’s no substitute for Akismet but along with Cookies for comments it should help keep your blog spam free!

Or, as I’ve just done because this blog is being inundated with trackback spam right now (over 17,000 in the last 9 hours), I blocked off access completely with this rewrite rule. Any WordPress blog will send a pingback anyway and MT even supports pingback now!

RewriteRule ^(.*)/trackback/ - [F]

There's never been a better time to upgrade WordPress

When is the best time to upgrade your blog software?

  1. After the latest release has been out for a few weeks?
  2. When a release is so new it’s burning a hole in the ftp servers?
  3. When there have been a couple of releases because idonthavethetimetoupdateeverysingletime?
  4. Now?

The best time is right now. Spammers are taking advantage of exploits in old versions of WordPress and inserting hidden spam links in posts and using WordPress powered blogs to distribute viruses and malicious software. They’re also using these exploits to run their own code on your server.

This morning I spotted an Irish blog in my feedreader that had hidden links added to it. I contacted the blog owner and she’s going to upgrade her blog soon.

The best way of stopping them is by downloading the latest version of WordPress which at the moment is 2.3.3 2.5 and if you use WordPress MU you should download version 1.3.3 of that. Once you’ve upgraded change the passwords of all your users. On WordPress MU sites, it’s probably enough to ask any user with site_admin access to change their password. To make your life easier, try the WordPress Automatic Upgrade plugin. I haven’t used it yet but it works for a lot of people.

If you suspect that your blog has been compromised and you have already upgraded then please change your passwords and overwrite your current install with the files from a newly downloaded copy of WordPress. It’s worth checking that no extra php files have been added too.
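Overwriting an install with fresh files replaces modified core files but leaves any added files in place, which is why the check for extra PHP files matters. The script below is an added example, not code from this post or from WordPress: it compares a copy of the live install against a freshly unpacked download of the same release. The function names and the command-line form are assumptions made for the example.

```python
import hashlib
import os
import sys


def sha256_of(path):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def php_files(root):
    """Map relative path -> absolute path for every .php file under root."""
    found = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                full = os.path.join(folder, name)
                found[os.path.relpath(full, root)] = full
    return found


def audit_install(live_root, clean_root):
    """Return (extra, modified) PHP files of live_root relative to clean_root.

    extra: present only in the live tree; modified: in both, contents differ.
    """
    live, clean = php_files(live_root), php_files(clean_root)
    extra = sorted(set(live) - set(clean))
    modified = sorted(rel for rel in set(live) & set(clean)
                      if sha256_of(live[rel]) != sha256_of(clean[rel]))
    return extra, modified


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py LIVE_DIR CLEAN_DIR")
    extra, modified = audit_install(sys.argv[1], sys.argv[2])
    for rel in extra:
        print("EXTRA   ", rel)
    for rel in modified:
        print("MODIFIED", rel)
```

Files you added yourself (wp-config.php, plugins, themes) are not in the clean download and will be listed as extra, so review each entry rather than deleting the whole list.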

Running your own blog is about more than just writing and contributing to the blogosphere conversation. You also have an important responsibility to be a good ‘net citizen by keeping your software up to date.

If you absolutely cannot upgrade straight away then adding a .htaccess file in your wp-admin/ directory and adding another username and password level of authentication might help. This page describes how to do that, but it is no substitute for upgrading to WordPress 2.3.3 2.5. You should delete your xmlrpc.php too, thus depriving yourself of pingbacks and desktop blog posting abilities.

Go on, upgrade. After you do it once it doesn’t seem so scary.

Update! To find any posts with hidden links search your posts for any of the following:

  1. display:none;
  2. height:0

You can use the Search box on the posts edit page, or phpMyAdmin.
Open up phpMyAdmin, go to wp_posts, click Search and in the box next to post_content type %string% where string is one of the two options above.
That may return posts that don’t have any hidden links but it’s better to be safe than sorry.
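The %string% search also matches posts that merely mention those CSS strings. The script below is an added example, not part of the original post: it runs the same two-string search over (ID, post_content) rows and then lists only the links that sit inside an element hidden by an inline style. The sample rows and all names in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# The two search strings from the post, tolerating whitespace around the colon.
HIDING_STYLE = re.compile(r"display\s*:\s*none|height\s*:\s*0(?![\d.])", re.I)
VOID = {"br", "hr", "img", "input", "meta", "link", "wbr"}  # never closed
# Constructed sample rows of (ID, post_content); not data from the post.
SAMPLE_POSTS = [
    (1, "<p>Hello world</p>"),
    (2, '<p>Nice day.</p><div style="display:none;">'
        '<a href="http://spam.example/pills">pills</a></div>'),
    (3, "<p>CSS tip: <code>display:none;</code> hides a menu.</p>"),
    (4, '<span style="overflow:hidden; height:0">'
        '<a href="http://spam.example/loans">loans</a></span>'),
]


class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of links that sit inside an element hidden by inline style."""
    def __init__(self):
        super().__init__()
        self.stack = []  # (tag, hides) for each element currently open
        self.links = []  # hrefs found inside a hidden element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hides = bool(HIDING_STYLE.search(attrs.get("style") or ""))
        hidden = hides or any(h for _tag, h in self.stack)
        if tag == "a" and hidden and attrs.get("href"):
            self.links.append(attrs["href"])
        if tag not in VOID:
            self.stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; post markup is often sloppy.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def triage(posts):
    """Return {ID: [hidden hrefs]} for posts matching the search; [] = no link."""
    report = {}
    for post_id, content in posts:
        if HIDING_STYLE.search(content):
            finder = HiddenLinkFinder()
            finder.feed(content)
            report[post_id] = finder.links
    return report
```

A post that maps to an empty list matched the search text but has no link inside an inline-hidden element, so it is a likely false positive; links hidden through a CSS class or stylesheet are outside what this check sees.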

WP Super Cache 0.6

It’s been a while since the last release of WP Super Cache, so it’s about time to release the updated code on the world!

This plugin allows a WordPress blog to be served directly from static HTML files just like another popular blogging engine.

When this plugin was originally released some users noticed strange folders being created in the root folder of their blogs. I was never able to replicate it and despite my efforts to track down the bug it remained unfixed. Well, I fixed that bug thanks to whooami and to Jennifer who allowed me to login to her server and debug my script. Barry was astute enough to figure out why it happened.

Other changes include:

  • Compressed cache files are deleted properly now, props John Pozadzides.
  • Documentation got a serious update. I added a FAQ, and the Troubleshooting section has been expanded.
  • The .htaccess is not updated until the user clicks a button in the backend now.
  • The listing of cached files is gone for this release as it was inaccurate. It didn’t include super cached files.
  • The backend admin page has been rearranged slightly. Advanced features go at the very end, and if you’re only using the WP Cache functionality, the Super Cache items disappear. The mod_rewrite check and .htaccess items are only enabled if Super Cache is enabled now.
  • Not all blogs have permalinks ending in a slash so I added a slash back into the mod_rewrite rules. If you use .html at the end of your permalinks you’ll appreciate this. props Michael R Aulia for that.

One more thing to note. If your blog is visible at a URL with or without the www you should decide which one is more important to you and download the Enforce www preference plugin. Super cached files are stored in a directory named after the hostname so if you go to the www URL and someone else goes to the URL without the www they won’t see the static HTML file. Deciding on one URL also avoids any issues with duplicate content, which is probably much more important.

Grab WP Super Cache 0.6 from the download page!

Please sir, can I have more?

A poor urchin goes up to the headmaster, “Please sir, can I have more comments?”
The headmaster looks down from his perch and with a grimace says, “Not before you show me your cookie!”

Well, the poor lad never did get any more comments. He didn’t have the right cookie, but you can. Just grab my Cookies For Comments plugin and anyone who leaves a comment on your blog will need the correct cookie. That will stop quite a bit of comment spam dead in its tracks.

It’s the first release and fairly simplistic, but it should give some comment spammers a headache for at least 10 minutes. It’s about time they upgraded their spamming tools anyway. According to my log file, it had stopped over 18,600 spam comments in the last week or so. The rest got handed to Akismet and it stopped several thousand more. They’ve been busy haven’t they?

So, should you use this instead of Akismet? Not a chance. This will only stop the brain dead comment spammers who use automated bots to post to the comment form. Trackback and pingback spam and spammers who either use poorly paid human slaves or browser based user agents will defeat this.

If you use a caching plugin such as WP Super Cache make sure you clear the cache after enabling this plugin. Also, I’m not sure what will happen with those plugins that merge CSS files together.

Thanks Dan for the idea!

How to successfully spam blogs (and how to fight back)

What you’re about to learn isn’t anything new. It’s not particularly earth shattering either, but a lot of people don’t know it.

NOFOLLOW DOES NOT WORK (properly)

You may have noticed legitimate looking comments on your blog from people with suspect names. Usually the name will be a brand name, service or literally anything that sells. The commenter’s website is obviously related to that business. Why do they bother using special keywords when Google is supposed to not follow those links? Do they know something you don’t? Yup. They know that keywords, even on nofollowed links, matter. I’d provide reference links to SEO blogs explaining this but then they’d know I’m reading and they might shut up.

So, how do you go about spamming blogs? (And how do you defend against those spammers?) Here are two examples:

How to spam a niche blog

George, who runs 858graphics obviously makes signs in San Diego. I’m sorry that his store was egged last year, but he’s obviously trying to manipulate Google. Unfortunately, he succeeded. He is #2 in Google for “San Diego Signs”. Strangely enough there are no links to his website.

How to spam a niche blog

This second guy isn’t quite so successful, and to think he’s spamming my poor Shih Tzu, Oscar. The spammer’s domain is near the bottom of the first page of a Google search for Shih Tzu Checks. That’s still pretty good considering he doesn’t have any links to that page either.

How did these guys find my blog? The first guy searched for WordPress blog posts with comments. The second looked for a page saying, “leave a reply”, an open invitation to spam if ever there was one!

Out of curiosity I followed the Google search a recent spammer used. On the blogs surrounding my blog in that search I found traces of him everywhere. He left legit looking comments but the link was always full of keywords for his business.

Stuffing keywords in nofollowed links certainly helps rank for keywords.

So, you want to know how to fight back? It’s very simple if you’re using WordPress:

  1. Install my Comment Referrers plugin. That will add a line at the end of the moderation emails with the referrer of the visitor. Some referrers should ring alarm bells!
  2. Install Delink Comment Author. This plugin removes the link the comment author left as their URL. I modified my install so it removes the email too as I moderate comments from new users.
  3. I was planning on coding this next plugin, but I found Lucia’s Link Love first and that saved me the trouble. I modified mine so it doesn’t hyper link the name of a comment author who has left less than a certain number of comments. See this comment as an example. That “Landscape Artist” never came back to my blog again so his “name” isn’t linked to his site.

So, chances are a few more people are going to try this technique now that I’ve blogged about it. I bet many more blog owners will be more vigilant of it now though. It’s your blog. If you don’t want to be a pawn to a spammer then fight back!

Edit: Here is my version of Lucia’s Linky Love. Just rename this file to .php and drop into your plugins folder. If you’re not logged in or have a comment cookie in your browser you should see some comment authors’ names won’t be linked.

How China Digital Times moved from MT to WordPress

Can you improve performance when moving from a statically generated site to a dynamic environment? You can if the conditions are right. In the case of CDT, publishing times were a nightmare with Movable Type. Search performance was horrible, and the comment spam problem caused such a drag on the server that we’d had to disable commenting altogether. Now, with the site fully tag-enabled, searchable and comment-able, loads are down dramatically and publishing times have dropped from 15 minutes to a few seconds.

Notes on a massive WordPress migration. Scot moved the China Digital Times site with 16,000 posts and 6,000 tags from Movable Type to WordPress and saw a huge performance increase. Nice.

Will Prologue bring the Twitters back?

I bumped into Tom Raftery in Cork Airport on my way to Arizona. As luck would have it, we were both on the same flight to London, although he was going to Munich for a conference.
Unfortunately we weren’t sitting near each other on the plane but in the airport he said he spends more time in Twitter than reading blogs. That came as a surprise to me, but I’m sure it’s happening to many other busy people too.

That’s one reason I’m excited about Prologue, the new Twitter-like theme for WordPress. Automattic is already using it internally as a private discussion tool and for a group of disparate people spread all over the globe it’s a really useful tool to find out at a glance what each of us is up to.

Tom lives and breathes social media all day long. I’ll have to ping him on Twitter to read this and get some feedback from him!

I’m already thinking it might be an easy way to introduce blogging, social media and networking and Twitter to some of my non-blogging friends who slave away in offices all day long. Set up a private blog on WordPress.com, activate the Prologue Theme and invite them all on as contributors. They probably use RSS aware browsers too so keeping up to date on what’s happening should be a simple task.

Prologue is a perfect fit for WordPress MU too. You’ve already got many users who probably chat on your support forums. Let’s get our thinking caps on and create some sort of group blogs so people can converse right within the blogging environment!

Interested? Download the theme and play with it. It’s GPLed. Also, keep an eye on Joseph and Matt who will be updating the theme.

Finally, Matt describes Prologue really well:

Prologue was designed for something different—easily setting up and sharing a dialogue within a fixed group. It puts aside the standard “behind the scenes” method of blogging and makes the act of posting part of the experience. It creates a kind of archived and searchable conversation, like an IM window that’s archived, taggable, and accessible from any web browser.

WordPress MU 1.3.2

WordPress MU 1.3.2 was tagged earlier today. This is a major security update that brings together the fixes in WordPress 2.3.2 and a number of critical WordPress MU specific security problems.

Details of the fixes will be posted to the WordPress MU forum next week to give administrators time to upgrade. This release should be seen as an urgent upgrade.
Thanks to Alex Concha for his help with this release.

Please note: If you have plugins that use options.php to save their options you must whitelist those options using the new add_option_update_handler() API. More information on this can be found on this forum post.

Download WordPress MU here