A while ago—about the last post on this blog—I decided to start running Trunk. Since 3.6 was a few weeks away at that time and I wanted to know what was going on with Post Formats, I also modified the site to utilize some of the fun new functions.
Then the Post Format upgrades were pulled from trunk. Then I updated all the WordPress sites on my server to 3.5.2. Except the site running trunk updated to the latest trunk version. So now my theme is referencing functions that don’t exist… and this happens:
It’s got a weird name; apparently it was named after an Al Capone henchman. Nitti is the font that iA Writer selected for their popular writing apps. It’s monospaced, beautiful, and I want to put it in my code editor. In fact, I’d be happy if pretty much everywhere I did writing had this font.
If anyone is feeling particularly like they’d love to buy me a license, I’d like, at least, the standard and web version of Nitti basic light, Nitti basic light italic, and Nitti basic light bold—six fonts total. Having Nitti regular and Nitti regular italic on hand would be nice, too. Pricing is in euros, so at the moment that doesn’t help.
There’s been a lot written about the problem of advertising on responsive devices. Quite a bit less has been written about potential solutions. Virtually nothing has been written about solutions that take into account the way things currently are.
Thing is, I need that solution. So, I’m defining my problem here as a way of thinking through it. If I figure out a non-compromising solution, I’ll post it later.
Advertising cannot simply be “display:none” on smaller screens since that will count as an impression, and for CPM we don’t want to bill people for times their ads weren’t actually displayed.
Responsive design uses media queries to resize the page, but media queries can’t turn on and off advertising (see the display:none thing). We’re also going to ignore UA sniffing server side because that defeats the purpose of responsive.
In time for WordCamp San Francisco and WordCamp Portland, I’m trying out a new theme. After leaving the realm of freelancing to work full time for 10up my theme became almost instantly obsolete.
This new one is designed to focus more on writing with the hope (read: dream) that I’ll blog a little bit more. As such, I’ve focused hard on things like getting everything to align to a baseline grid. Plus, I wanted an excuse to use slabtext.js and I dared myself to use purple.
Win or lose, this is probably what I’ll be going with for a while. More tweaks to come: better syntax embedding & highlighting, footer widgets, custom post types for projects, post format support…
So for a while it looked like I actually might be regularly writing things for the blog. At least it looked like it to me. Possibly. Maybe. Then I got hired by a top-tier web development agency: 10up, LLC and I moved to Oregon and my life has been all sorts of busy since.
This means it’s time for another re-design of this site despite this one not even being completed. Since I’m not going to use it as a client landing page any more, I think I’ll re-focus attention on blogging about WordPress, UiX, Web Design, etc., and have a separate section that can serve as landing pages for community projects. But that’s a weekend project vying for attention with all this other stuff:
Coming up quickly (happening right now) is WebVisions Portland. I’ll be there on Lorelle VanFossen’s panel with a few other WordPress experts from the Portland area. If you happen to be headed there, our panel is Friday (May 18th) in the afternoon, stop by and say hi!
Totally unrelated, but Sunday is a World War II living history event in Adair Village, OR. Adair Village exists because of the WWII-era Camp Adair – a training and staging installation for troops eventually headed overseas. If you’re into that stuff and in the area, stop by the WWII barracks… Unfortunately I’m not really sure where they are, but the city is quite small – someone’s bound to know… We’ll be there in the early afternoon.
This Monday evening (May 21st) will be my second attendance at the Portland WordPress User group meetup. The topic is all about editing the codex – I’m looking forward to being there.
It’s taken me hours to track this thing down. I’ve found bits of code in the database, a huge PHP file hidden in the images directory, another bit of code in a template file of an unused theme, and another bit of code inside the active theme’s functions.php file. It’s a freakin’ mess. I’d like to share some of what I’ve learned about how to bust this stuff and maybe even prevent it in the future, but I’m warning you — before we go any further — it’s going to take time.
There are some sites out there that can give you some pointers on telling if you’ve been hacked, but it seems that the big, in-your-face method is getting a browser or search engine warning:
I think most people’s reactions fall into two categories: WTF!? and “not again…”
Unless you happen to be a system admin, I think the first step, really, should be to contact your web host provider for a few reasons:
They may be able to very quickly pin-point the vulnerability, so you can patch it. Or at least point you to the file that is causing issues.
If it’s their fault, they can start working on the problem
If it’s going to affect other people they can take action to mitigate that risk
Here’s a good example: The recent spate of hacked WordPress blogs was due to an incorrectly configured server at a major hosting company *cough* network solutions… *cough* I suggest opening up an urgent trouble ticket or sending an email to your hosting company that says something like this:
Dear web hosting provider,
My website has been compromised and is now displaying in Firefox|Chrome|Google as a malicious site. I’m currently taking steps to determine the issue and solve the problem. I wanted you to be aware in case the vulnerability is server-side, or the hack could affect other websites on our shared server or database. I am running WordPress 2.9 (and list any other web software you have installed such as osCommerce, etc — there is no need to list plugins or themes).
My website url: http://
Please let me know of anything you find during your investigation.
After that’s taken care of, here’s what I recommend you do.
Make a complete backup of your site, right now. Yes, with the bad code and everything. This includes the database. Whatever hack you got may be able to wipe your entire installation — or your web host might! I use wp-db-backup to backup my database, and FileZilla FTP to backup my files.
Download and install the WP-Exploit scanner — it’ll give you a list of files with hinky code inside them that you can then go edit. It will also scan your database for weird code that you can delete.
Manually scan through all, yes all, of your wp-uploads folder looking for anything strange. Specifically, a .php file floating around in there (other than the very first index.php), or an image or other file that you never uploaded.
Download your raw access logs (this is something the server administrator sets up, usually through cPanel) and scan through those. Pay special attention to any POST requests to strange pages, or GET requests with very strange data in the request.
If you are using anything less than the current version of WordPress, upgrade now.
Cross your fingers and hope the hack doesn’t come back.
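Two of the steps above, the sweep of the uploads folder and the review of the raw access logs, can be scripted. The following Python script is an added example written for this page; it is not code from the original post or from any plugin the post mentions. It assumes the uploads folder is wp-content/uploads, that the logs are in Apache's combined format, that the list of "normal" POST endpoints is the stock WordPress set (extend it for plugins you run), and that the sample tree and log lines it builds are constructed for the demonstration.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# The only .php file that belongs at the top of wp-content/uploads is the
# near-empty index.php WordPress drops there to stop directory listings.
ALLOWED_UPLOAD_PHP = {"index.php"}
PHP_EXTENSIONS = (".php", ".phtml", ".php5")
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")


def find_unexpected_php(uploads_dir):
    """Walk the uploads tree and return paths (relative, '/'-separated) that
    are .php files other than the top-level index.php, or that carry an image
    extension but start with a PHP open tag."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, uploads_dir).replace(os.sep, "/")
            lower = name.lower()
            if lower.endswith(PHP_EXTENSIONS):
                if rel not in ALLOWED_UPLOAD_PHP:
                    hits.append(rel)
            elif lower.endswith(IMAGE_EXTENSIONS):
                with open(path, "rb") as fh:
                    head = fh.read(64)
                if b"<?php" in head:  # image name, PHP content
                    hits.append(rel)
    return sorted(hits)


# Apache "combined" log line: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
# Endpoints that receive POSTs in normal WordPress use (assumed list; extend for plugins).
NORMAL_POST_PATHS = {"/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php", "/wp-cron.php"}
# Query-string fragments that rarely appear in legitimate blog traffic.
SUSPICIOUS_QUERY = re.compile(r"base64_decode|eval\(|<\?php|\.\./|<script", re.IGNORECASE)
MAX_QUERY_LENGTH = 200  # assumed threshold for "very strange data"


def suspicious_requests(log_lines):
    """Return (ip, method, target, reason) for POSTs to unusual paths and GETs
    whose query string looks like code or is unusually long."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        method, target = m.group("method"), m.group("target")
        path, _, query = target.partition("?")
        if method == "POST" and path not in NORMAL_POST_PATHS and not path.startswith("/wp-admin/"):
            findings.append((m.group("ip"), method, target, "POST to unusual path"))
        elif method == "GET" and query:
            decoded = unquote(query)  # look past %-encoding
            if SUSPICIOUS_QUERY.search(decoded) or len(query) > MAX_QUERY_LENGTH:
                findings.append((m.group("ip"), method, target, "suspicious query data"))
    return findings


# Constructed sample log lines (addresses come from the documentation ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Mar/2010:10:12:01 -0700] "GET /2010/03/hello-world/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Mar/2010:10:12:05 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Mar/2010:10:13:44 -0700] "POST /wp-content/uploads/2010/03/img.php HTTP/1.1" 200 411 "-" "curl/7.19"',
    '203.0.113.9 - - [14/Mar/2010:10:14:02 -0700] "GET /index.php?p=1&x=eval(base64_decode(%27aGk%3D%27)) HTTP/1.1" 200 77 "-" "curl/7.19"',
]


def build_demo_uploads():
    """Create a constructed uploads tree in a temp directory and return the
    findings; the planted files hold harmless placeholder content."""
    base = tempfile.mkdtemp(prefix="uploads-demo-")
    sub = os.path.join(base, "2010", "03")
    os.makedirs(sub)
    planted = {
        os.path.join(base, "index.php"): b"<?php\n// Silence is golden.\n",
        os.path.join(sub, "photo.jpg"): b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # JPEG magic bytes
        os.path.join(sub, "img.php"): b"<?php /* constructed: should not be here */ ?>",
        os.path.join(sub, "shell.jpg"): b"<?php /* constructed: PHP disguised as an image */ ?>",
    }
    for path, content in planted.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return find_unexpected_php(base)


if __name__ == "__main__":
    print("unexpected files in uploads:", build_demo_uploads())
    for finding in suspicious_requests(SAMPLE_LOG):
        print("log:", finding)
```

On a real server, point find_unexpected_php at the live uploads directory and feed suspicious_requests the lines of the downloaded access log; anything it flags is a starting point for the manual look, not a verdict, since plugins add their own POST endpoints and some legitimate query strings are long.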
An apple a day keeps hackers at bay
Once you’ve gotten past all the hack mess — or if you never got there in the first place — here are some ways to keep your WP installation a bit less hacker prone:
The #1 way to prevent your blog from getting screwed with is by keeping your WordPress installation updated with the latest version. A lot of times, the WordPress team will patch zero-day bugs and push out an incremental upgrade. A zero-day bug is a vulnerability that has been publicly known (published) for zero days. As soon as that new version of WP hits, the timer starts ticking: the fix itself shows where the hole was, so sites that lag behind become the easy targets.
The above bit of advice usually comes with a partner: backups! While they aren’t going to keep you from getting hacked, they can make recovery a lot less painful. At least keep regular backups of your content (database and wp-content folder).
If you haven’t ever seen your wp-config.php file, download it and make sure that your authentication keys are set to something. This is not okay:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
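A quick way to check a wp-config.php for exactly this condition, as an added example written for this page rather than code from the original post or from WordPress itself: it looks for the four constants named above (and the matching *_SALT constants that later WordPress versions add, when they are present), treats the placeholder, an empty value, or anything under 32 characters as a problem (32 is a threshold I chose; WordPress's own generator emits 64-character values), and runs against two constructed config fragments. Fresh values can also be fetched from WordPress's generator at https://api.wordpress.org/secret-key/1.1/salt/ instead of the local render_key_block helper.

```python
import re
import secrets

PLACEHOLDER = "put your unique phrase here"
# The four constants the post lists; newer WordPress versions add matching
# *_SALT constants, which the same check covers when they are present.
REQUIRED_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
OPTIONAL_SALTS = ("AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
MIN_LENGTH = 32  # assumed threshold; WordPress's own generator produces 64-character values

# Matches define('NAME', 'value'); with either quote style. Simple on purpose:
# it does not handle values that contain an escaped quote.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
)


def audit_secret_keys(config_text):
    """Return {constant: problem} for keys that are missing, empty, still the
    placeholder, or shorter than MIN_LENGTH. An empty dict means all good."""
    defined = {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}
    problems = {}
    to_check = list(REQUIRED_KEYS) + [s for s in OPTIONAL_SALTS if s in defined]
    for name in to_check:
        if name not in defined:
            problems[name] = "missing"
            continue
        value = defined[name]
        if value.strip() == "":
            problems[name] = "empty"
        elif value == PLACEHOLDER:
            problems[name] = "still the default placeholder"
        elif len(value) < MIN_LENGTH:
            problems[name] = "too short (%d chars)" % len(value)
    return problems


def render_key_block(names=REQUIRED_KEYS):
    """Produce replacement define() lines with fresh random values; the values
    are URL-safe base64 (64 chars), so they never contain a quote or backslash."""
    return "\n".join(
        "define('%s', '%s');" % (name, secrets.token_urlsafe(48)) for name in names
    )


# Constructed samples: the file as it ships with placeholders, and a hand-edited
# one where a key is missing and another is too short. The long values are
# made-up strings, not real secrets.
WEAK_CONFIG = """
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
"""

PARTIAL_CONFIG = """
define('AUTH_KEY', 'Kq8mZ2vL0pR4sT6uW8xY1zA3bC5dE7fG9hJ2kM4nP6qR8sT0vW2xY4zA6bC8dE0f');
define('SECURE_AUTH_KEY', 'abc123');
define('LOGGED_IN_KEY', "Kq8mZ2vL0pR4sT6uW8xY1zA3bC5dE7fG9hJ2kM4nP6qR8sT0vW2xY4zA6bC8dE0f");
"""

if __name__ == "__main__":
    print("weak:", audit_secret_keys(WEAK_CONFIG))
    print("partial:", audit_secret_keys(PARTIAL_CONFIG))
    print("fresh block passes:", audit_secret_keys(render_key_block()) == {})
```

Run it with the contents of your own wp-config.php passed to audit_secret_keys; changing the keys logs every user out, which is the point after a compromise, since any cookie minted with the old keys stops working.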
Now, if you’re a power user, you’re probably rolling your eyes a bit. Perhaps you should head on over to the codex article on hardening WordPress. Everyone else should probably do a search for “security” in the WordPress Plugins repository. There’s a lot of duplicated functionality, so pick a plugin that is easy to use and scans your configuration for weaknesses. There’s a lot there, so just remember that the #1 way to keep your site safe is by keeping it updated.
Before: Search for “Recent Posts.” Get “cForms II.” What? In fact, there were many plugins that would come up in the search results time and time again. Even when searching for an exact title you’d get these oddities.
Now: Search for “Recent Posts” and lo and behold a popular Recent Posts plugin pops up in the #1 spot. TDD Recent Posts — my plugin — now comes up in the 9th spot. Not bad.
The search enhancement has been done on the WordPress.org side of things, so it’s an immediate change for everyone without any downloads or upgrades necessary. Props to Matt and the Automattic Team for getting this one ironed out.
If you want to try it out login to wp-admin, expand the “Plugins” menu, click on “Add New” and you’ll find your search box.