Why running beta can be bad, even if you know what you’re doing.

A while ago—about the last post on this blog—I decided to start running Trunk. Since 3.6 was a few weeks away at that time and I wanted to know what was going on with Post Formats, I also modified the site to utilize some of the fun new functions.

Then the Post Format upgrades were pulled from trunk. Then I updated all the WordPress sites on my server to 3.5.2. Except the site running trunk updated to the latest trunk version. So now my theme is referencing functions that don’t exist…. and this happens:

from the_coding_love()
from the_coding_love()

This site is overdue for a new theme.


It’s got a weird name; apparently it was named after an Al Capone henchman. Nitti is the font that IA writer selected for their popular writing apps. It’s monospaced, beautiful, and I want to put it in my code editor. In fact, I’d be happy if pretty much everywhere I did writing had this font.

If anyone is feeling particularly like they’d love to buy me a license, I’d like, at least, the standard and web version of Nitti basic light, Nitti basic light italic, and Nitti basic light bold—six fonts total. Having on hand Nitti regular and Nitti regular italic would be nice to have. Pricing is in euros, so at the moment that doesn’t help.

Nitti Light in IA Writer
Nitti Light in IA Writer

Thirty before Thirty

Thirty things I’d like to accomplish before I turn 30. I put it here so the internet might hold me accountable.

  1. Finish a WordPress based choose-your-own adventure theme that I’ve been working on (intermittently) with my sister for the past few months…
  2. Finish a WordPress theme for composers / solo musicians that I’ve been working on with some musicians over the past year or so…
  3. Finish my eBook about WordPress for artists and the accompanying theme that I’ve been working on for the past year…
  4. Go on a long backpacking trip. The Wonderland trail would be nice.
  5. Get a passport
  6. Use my passport
  7. Work at some other place for a few weeks or a month via Airbnb or other arrangements.
  8. Successfully brew my own beer. Successful means it actually tastes good
  9. ████████ (redacted for privacy)
  10. Visit D.C. and New York
  11. ████████ (redacted because it’s a surprise)
  12. Get (either buy or rent) a home that can support a large enough table to host ongoing game nights. Host them.
  13. Learn how to do letterpress printing and do a reasonable run of nerdy greeting cards
  14. Convert one of these little hobby things into a second income stream. Actual dollar amount is irrelevant for the purposes of this goal. Should be reasonably self sustaining and steady.
  15. ████████ (redacted because it’s personal)
  16. Get something funded on kickstarter
  17. Actually write the letter to BSA and send it.
  18. Plan costs, itinerary, and logistics for a through-hike of the PCT — including what it would take to get it funded via kickstarter
  19. Take a class. Any class. Writing, typography, graphic design, computer sci, whatever.
  20. Pay off truck
  21. Pay off student loans
  22. Have at least a three month cushion in savings as defined by whatever my expenses are when I turn 30.
  23. Through-hike the Wildwood Trail (It’s kind of cheating, because I was already planning to do this, before devising this list. I don’t care, I want the quick win)
  24. Get good photos/headshots taken for gravatar, twitter, speaker headshots, etc.
  25. Learn the basic of Adobe After Effects and make something cool.
  26. Get a dog.
  27. Migrate all of my sites to an nginx unmanaged host.
  28. Read 30 books
  29. Don’t touch a computer for a week
  30. undecided

Responsive Advertising

There’s been a lot written about the problem of advertising on responsive devices. Quite a bit less has been written about potential solutions. Virtually nothing has been written about solutions that take into account the way things currently are.

Thing is, I need that solution. So, I’m defining my problem here as a way of thinking through it. If I figure out a non-compromising solution, I’ll post it later.


  • Advertising cannot simply be “display:none” on smaller screens since that will count as an impression, and for CPM we don’t want to bill people for times their ads weren’t actually displayed.
  • Advertising code sucks, it comes in iframes, and javascript, and flash, and does it’s very best to be it’s own entity on your page without any regard for anything.
  • Responsive design uses media queries to resize the page, but media queries can’t turn on and off advertising (see the display:none thing). We’re also going to ignore UA sniffing server side because that defeats the purpose of responsive.

Because of all this, my basic approach will mimic what I picked up from this article: http://www.ravelrumba.com/blog/responsive-ads-real-world-ad-server-implementation/ In essence, we set break-points in javascript that correspond with ad locations being turned on and off. Then, on page load, the javascript will put ads in the locations where ads are visible.

Additional difficulties

  • I have one theme being used for several sites, each of which have different advertising tracking/placement codes. Those codes need to be set in the WordPress administration panels somewhere
  • Codes differ for mobile and non-mobile ads.
  • Ads are being served from two sources (not just one ad network), so the embed code varies in structure.

Trying a new look

In time for WordCamp San Fransisco and WordCamp Portland, I’m trying out a new theme. After leaving the realm of freelancing to work full time for 10up my theme became almost instantly obsolete.

This new one is designed to focus more on writing with the hope (read: dream) that I’ll blog a little bit more. As such, I’ve focused hard on things like getting everything to align to a baseline grid. Plus, I wanted an excuse to use slabtext.js and I dared myself to use purple.

Win or lose, this is probably what I’ll be going with or a while. More tweaks to come: better syntax embedding & highlighting, footer widgets, custom post types for projects, post format support…


Catch up: Joining 10up, WebVisions, WCSEA, PDX-WP

So for a while it looked like I actually might be regularly writing things for the blog. At least it looked like it to me. Possibly. Maybe. Then I got hired by a top-tier web development agency: 10up, LLC and I moved to Oregon and my life has been all sorts of busy since.

This means it’s time for another re-design of this site despite this one not even being completed. Since I’m not going to use it as a client landing page any more, I think I’ll re-focus attention on blogging about WordPress, UiX, Web Design, etc and have a separate section that can serve as landing pages for community projects. But that’s a weekend project vying for attention with all this other stuff:

Coming up quickly (happening right now) is WebVisions Portland. I’ll be there on Lorelle VanFossen’s panel with a few other WordPress experts from the Portland area. If you happen to be headed there, our panel is Friday (May 18th) in the afternoon, stop by and say hi!

I was able to secure a last minute ticket to WordCamp Seattle and will be driving up for the day to be there. Plan on attending my coworker, Zack’s, presentation titled “There’s a function for that…

Totally unrelated, but Sunday is a World War II living history event in Adair Village, OR. Adair Village exists because of the WWII-era Camp Adair – a training and staging installation for troops eventually headed overseas. If you’re into that stuff and in the area, stop by the WWII barracks… Unfortunately I’m not really sure where they are, but the city is quite small – someone’s bound to know… We’ll be there in the early afternoon

This Monday evening (May 21st) will be my second attendance at the Portland WordPress User group meetup. The topic is all about editing the codex – I’m looking forward to being there.

WordPress Anti-Hacker

4:00AM. I’ve deleted a line of obfuscated javascript from my client’s website probably 20 times now — once every 10 to 20 minutes. In between I’m staring at lines of information from the raw files, scanning through hundreds of WordPress files, and inspecting database entries to try and find why this line of code keeps coming back. The code is some seriously bad stuff: it creates a small iframe, loads in code from some crazy location (usually China or Russia) that causes the browser to download a .PDF file that’s infected with a trojan. It’s also attempting to set and modify existing cookies to siphon affiliate linking from places like Amazon.com.

It’s taken me hours to track this thing down. I’ve found bits of code in the database, a huge PHP file hidden in the images directory, another bit of code in a template file of an unused theme, and another bit of code inside the active theme’s functions.php file. It’s a freakin’ mess. I’d like to share some of what I’ve learned about how to bust this stuff and maybe even prevent it in the future, but I’m warning you — before we go any further — it’s going to take time.


There are some sites out there that can give you some pointers on telling if you’ve been hacked, but it seems that the big, in-your-face, method is getting a browser or search engine warning:

Firefox's example attack site warning
Firefox's example attack site warning

I think most people’s reactions fall into two categories: WTF!? and “not again…”

Unless you happen to be a system admin, I think the first step, really, should be to contact your web host provider for a few reasons:

  • They may be able to very quickly pin-point the vulnerability, so you can patch it. Or at least point you to the file that is causing issues.
  • If it’s their fault, they can start working on the problem
  • If it’s going to affect other people they can take action to mitigate that risk

Here’s a good example: The recent spate of hacked WordPress blogs was due to an incorrectly configured server at a major hosting company *cough* network solutions… *cough* I suggest opening up an urgent trouble ticket or sending an email to your hosting company that says something like this:

Dear web hosting provider,
My website has been compromised and is now displaying in Firefox|Chrome|Google as a malicious site. I’m currently taking steps to determine the issue and solve the problem. I wanted you to be aware in case the vulnerability is server-side, or the hack could effect other websites on our shared server or database. I am running WordPress 2.9 (and list any other web software you have installed such as osCommerce, etc — there is no need to list plugins or themes).

My website url: http://
My username:

Please let me know of anything you find during your investigation.

After that’s taken care of, here’s what I recommend you do.

  • Make a complete backup of your site, right now. Yes, with the bad code and everything. This includes the database. Whatever hack you got may be able to wipe your entire installation — or your web host might! I use wp-db-backup to backup my database, and FileZilla FTP to backup my files.
  • Download and install the WP-Exploit scanner — It’ll give you a list of files with hinky code inside them that you can then go edit. It will also scan your database for weird code that you can delete.
  • Manually scan through all, yes all, of your wp-uploads folder looking for anything strange. Specifically a .php file floating around in there (other than the very first index.php), or an image or other file that you never uploaded.
  • Download your raw access logs (this is something the server administrator sets up, usually through cpanel) and scan through those. Pay special attention to any POST requests to strange pages, or GET requests with very strange data in the request.
  • If you are using anything less than the current version of WordPress, upgrade now.
  • Cross your fingers and hope the hack doesn’t come back.

An apple a day, keeps hackers at bay

Once you’ve gotten past all the hack mess — or if you never got there in the first place — here are some ways to keep your WP installation a bit less hacker prone:

The #1 way to prevent your blog from getting screwed with is by keeping your WordPress installation updated with the latest version. A lot of times, the WordPress team will patch zero-day bugs and push out an incremental upgrade. A zero-day bug means it’s a vulnerability that has been known (published) for zero days. As soon as that new version of WP hits, the timer starts ticking.

The above bit of advice usually comes with a partner: backups! While they aren’t going to keep you from getting hacked, they can make recovery a lot less painful. At least keep regular backups of your content (database and wp-content folder).

If you haven’t ever seen your wp-config.php file, download it and make sure that your authentication keys are set to something. This is not okay:

define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);

If they look like that, go to the authentication key generator at wordpress.org and get yourself some new ones.

Now, if you’re a power user, you’re probably rolling your eyes a bit. Perhaps you should head on over to the codex article on hardening WordPress. Everyone else should probably do a search for “security” in the WordPress Plugins repository. There’s a lot of duplicated functionality, so pick a plugin that is easy to use and scans your configuration for weaknesses. There’s a lot there, so just remember that the #1 way to keep your site safe is by keeping it updated.

WordPress Plugin Search is Beautiful

wordpress logo under a magnifying glass

The “new and improved” WordPress plugin search has been available for a little while now (a few hours anyway) and I just had the opportunity to try it out.

It’s glorious.

Before: Search for “Recent Posts.” Get “cForms II.” What? In fact, there were many plugins that would come up in the search results time and time again. Even when searching for an exact title you’d get these oddities.

Now: Search for “Recent Posts” and low and behold a popular Recent Posts plugin pops up in the #1 spot. TDD Recent Posts — my plugin — now comes up in the 9th spot. Not bad.

The search enhancement has been done on the WordPress.org side of things, so it’s an immediate change for everyone without any downloads or upgrades necessary. Props to Matt and the Automattic Team for getting this one ironed out.

If you want to try it out login to wp-admin, expand the “Plugins” menu, click on “Add New” and you’ll find your search box.

PS: WordPress 2.7.1 is available now. It fixes some security issues, so let’s get those backups (then updates) done.