Posts in Category: wordpress

Securing my witterings: Cloudflare Universal SSL and WordPress

Ok, a bit unfair – my mind has clearly been infected by skimming one too many clickbait headlines: I am sorry.

I use CloudFlare for most of my non-temporary sites so I can skimp on hosting. I’m pretty sure that’s not the tagline they push, but it works well and gets rid of those annoying image loading lags for the most part with very little effort from me.

I’d been ignoring the Universal SSL stuff as I just don’t have the need for their commercial CDN, but that’s changed with the recent move to enable it for all customers, although just visiting was a mixed bag: yes, my site was served with zero SSL config on my part (and with zero webserver config), but the style sheets had gone, along with all the images.

Changing the site URI in the config of WP just gives an infinite indirect loop – the issue is not that setting but the fact that the site itself thinks it’s insecure and so all constructed links point to the insecure data. It’s the browser which refuses to accept the mixed-security assets (generally a good thing), but like XSS protection, a PITA when you’re testing.

Simple solution: download the SSL Insecure Content Fixer plugin and use the Test is_ssl() option. For me, the solution was to add a single if statement into wp-config.php which allows the plugin to know that my proxy was handling the SSL for me, and so all constructed links should be https:// prefixed. The site is now available via both methods, but once the check is in place it’s also safe to change the site config within WP, meaning that redirects kick in when accessing in plain text.

So I’ve done that: no idea if it’ll be a full-time change, but it’s possibly the first crypto-related change I’ve ever done online that hasn’t left me just wanting to give up and stick with plain-text wire-auth…

WordPress, lighttpd and HTTP 500 errors

So this has been driving me potty, but thanks to this bug report and lots of checkbox clicking it turns out that the Google Sitemap plugin v2.7 from BestWebSoft breaks the admin backend, but the plugin from Arne Brachhold works properly.

Still, not impressed at the 100% opaque 500 response from WP: impossible to debug from browser logs turned up to the max 🙁

new theme for mobile viewers

I’m a huge fan of CSS and intelligent use of it such as removing images, background colours and scaling down font sizes for print, but some things need more work. If you’re looking at this site from an iPod Touch, iPhone or Android device, you should now get a much more compact ‘just-the-facts’ style view, courtesy of WPTouch. If you have any problems, or think the layout could still stand to be improved, do let me know in the comments.

blog upgrade

Crikey. That was a bit of work – moving from WordPress 1.2 with a huge number of hacks into the latest-and-greatest version, but even though it was pretty much working, software from May 2004 (!) was starting to show in terms of flexibility and general slickness.

I’ve added some static pages for things like my reviews and Aperture hacks as they seem to be the most popular content, and I’m slowly going through the old posts to clean up bad quote marks, odd foreign characters and broken image links. Once that’s done I’ll remove this post from the front page and let it age gracefully…

A couple of my more immediate aims are to have the pages cached automatically so load times are greatly improved, automatic machine translation if you have a non-English language set in your browser (please let me know if this is a bad idea and you’d prefer to manually click on the translation flag), and the ability to open things up for guest posters, as a) it’s all the rage from 2006, and b) the number of posts might actually creep up above 1 per month.

Update: Pooh – Translation is bust 🙁 Working on it…

ah, so that’s what they do next, then

Ok, commenting is effectively disabled, so this morning there are 15 trackback spam links…

Just in case anyone wondered what ‘they’ do next, and yes, for the moment Trackback has been disabled (if it turns out to be an exploit rather than a real Trackback, then it’ll be back on again once it’s patched).

saved by javascript – what a turn up…

Given that I have always tried as hard as I can to make browsing my site (in all its incarnations) as similar as possible in both the latest standards compliant browser(s) as well as lynx/links (without resorting to browser idents, thankyouverymuch) it’s with regret that I now announce that I’ve added JavaScript to my site, and you’ll not be able to leave a comment without it being enabled 🙁

For some unknown reason, denying every single spam comment and throwing the IP’s into a banned list just doesn’t stop them – they (the bots, or possibly the spammers) are just so dumb they keep trying. And trying. And trying. And trying. Over 450 in 48 hours is more than I’m willing to put up with, when the commenting is only really there for my own vanity anyway…

So, after using Spam Stopgap Extreme with success for Nicci, I’ve added the latest incarnation wp-hashcash to mine.

blocking odd ‘comment only’ posts

For some reason, visitors to this site seem to love clicking on one or more smiley faces and then sending it as a comment. I’ve no idea why, except perhaps that they feel my site doesn’t have enough images, but if you’d like to have a little more information to go on before deciding to approve/decline the comment then adding the following lines to wp-comments-post.php will help.

Basically, the poster has to put something in one of the three fields besides the comment for it to be considered for approval – no it’s not foolproof, but I’d like to see at least a name to go on before deciding if the icon-only post is relevant, or the result of some random clickage)

For WordPress 1.2, add these lines after line 44 (or, more helpfully, after the line that says die( __('Error: please type a comment.') );

if (('' == $email) && ('' == $author) && ('' == $url))
        die( __('Error: please enter more than just your comment.') );

comment moderation feedback

Comment moderation is handy, but it’s annoying from a non-spammers point of view when it appears that the submission has simply vanished. My solution is to add an extra function to wp-includes/template-function-comments.php and a couple of lines in the wp-comments.php file that show a placeholder for pending comments with the time and date of submission (to help prevent abuse such as links in place of a user name there is nothing shown that was typed by the commenter).

Add the following function to wp-includes/template-function-comments.php:

function comment_approved() {
    global $comment;
    return ($comment->comment_approved);

Then change the line that fetches the comments in wp-comments.php to fetch all comments regardless of status:

$comments = $wpdb->get_results("SELECT * FROM $tablecomments WHERE
    comment_post_ID = '$id'
    ORDER BY comment_date");

and finally change the main comment display loop to output a placeholder message:

<?php foreach ($comments as $comment) { ?>
    <li id="comment-<?php comment_ID() ?>">
    <?php if (comment_approved() == 1) { comment_text() ?>
        <p><cite><?php comment_type(); ?> <?php _e("by"); ?>
        <?php comment_author_link() ?> &#8212; <?php comment_date() ?>
        @ <a href="#comment-<?php comment_ID() ?>"> 
        <?php comment_time() ?></a></cite>
        <?php edit_comment_link(__("Edit This"), ' |'); ?></p>
    <?php } else { ?>
        [Comment pending approval]
        <p><cite><?php comment_type(); ?> &#8212; <?php comment_date() ?>
        @ <a href="#comment-<?php comment_ID() ?>">
        <?php comment_time() ?></a></cite>
    <?php } ?>
<?php } // end for each comment ?>