K-Squared Ramblings

Bits and Pieces

At lunch today, I saw a woman, probably in her 50s, wearing a fitted black T-shirt that said, in sparkly letters, “BOTOX”. Srsly. I couldn’t find any pictures of the design, but a commenter here says it’s a promo handed out to staff at plastic surgery clinics.

Comic-Con has completely sold out. Hmm, let me rephrase that. There are no more memberships available for this year’s Comic-Con International in San Diego.

Spam Karma has gone GPL — After years of support Dr. Dave has decided to stop maintaining his spam plugin and turn it over to the open-source community. The project is now on Google Code.

WP 2.6

I just upgraded this site to WordPress 2.6. I probably should have held off a bit, but there were some things I really wanted to be able to use, like the new Gears support, version history on posts, Opera-related fixes (too bad Gears doesn’t work with Opera yet), and improved image management. And the theme and plugin APIs are supposed to be “pretty much identical,” so there wouldn’t be much risk of breaking anything.

Call it an impulse.

Fun facts from the Dashboard: This is the 1,649th post on K-Squared Ramblings. Hard to believe. Also: there are currently 2,744 comments. Admittedly that includes local pingbacks, but still, that’s a heck of a lot of comments!

Judging by the comment IDs, roughly 40,000 spam comments have been deleted since this blog went online. Fortunately, most of those are handled automatically by Spam Karma. And just think, that’s not counting however many Bad Behavior blocks before they even get processed!

WordPress Update & Plugin Request

WordPress 2.5.1 is out, with a slew of bug fixes and one “very important security fix” which will reportedly be disclosed soon. It’s worth upgrading ASAP. You don’t want your blog hacked.

Highlights are listed at that first link, but for me the most noticeable change was a fix in the new media uploader. When uploading images on Linux, the thumbnail+properties form would display 3 times, none of them actually usable, for each image uploaded. Once I clicked on the gallery and went back, it was fine, so I could still use it, but it was an extra step that shouldn’t have been necessary. I kept meaning to report the bug, but it looks like someone got to it ahead of me. Thanks, someone!

And now, a request to WordPress Plugin Developers. When you release a new version, please tell me what has changed. Some plugin authors are good about this, including announcements on their web pages. Some even include a changelog with the download. But some don’t do either, and the only way to find out is to download the new files and compare them to the old ones using a tool like diff.

Now that I think about it, putting a “release notes” section in each entry in the Plugin Directory would go a long way toward making this work. It would put the information right there in the directory, and it would encourage plugin authors to compile the information int he first place.

Avatars!

Since Gravatar was bought by Automattic, the service has been a lot more stable. I had already re-enabled them on this blog before WordPress 2.5 came out with built-in Gravatar* support.

Not everyone has a Gravatar, though, so many comment threads just show the default icon, over and over. Not only does this look boring, but it misses out on the whole point of using an avatar: providing an easy at-a-glance visual distinction between each author.

When I first used Gravatars on this site, I set it up to use a giant first initial as a fallback. Now, I’ve been trying out two plugins that will automatically generate avatars for people who don’t have their own:

• Wavatars builds up cartoony faces using geometric shapes. Interestingly, it’s by Shamus Young, author of the screencap-based webcomic DM of the Rings and writer of Chainmail Bikini.
• WP_Identicon sounds like a Transformers faction, but produces a geometric pattern as inspired by Don Park’s Identicon, which built a similar image based on a visitor’s IP address. The same author also has one that generates cartoon monsters, which appears to be one of the earliest implementations of this concept.

These plugins will use a Gravatar if available, or else generate an image based on the commenter’s email address (if supplied). That means each comment by the same person should use the same image. Other blogs using the same plugins at default settings will come up with the same avatar for each commenter, as well. The images are stored in a cache, so each only has to be generated once.

Once I made sure both plugins worked, I showed the results to Katie. We ended up settling on Wavatars, since faces are easier to recognize than patterns. (Though the patterns are really cool!)

You can try out the automatic avatar by leaving a (relevant, please!) comment on any post. Or you can run over to Gravatar and set up an icon of your choice!

*What’s a Gravatar? The intent is to be a Globally Recognized Avatar. You upload an image to Gravatar and associate it with your email address. Then any site with Gravatar support will be able to display your image next to your posts. Right now it’s mostly used in blog comments, but it could easily be worked into forums, wikis, etc. The Gravatar Blog mentions other uses they’ve seen people apply it to, such as plugins for Thunderbird and the Mac OS X Address Book

Note: I did notice one important drawback to the WP_Identicon plugin: it’s very inefficient at generating the images. When I first visited posts with long comment threads, like Another One Bites the Dust (174 comments) and Songs Not to Play at a Wedding (87 comments), WP_Identicon took over a minute to generate all the icons and maxed out the server’s CPU. Sure, the images are cached, so it’s only really an issue when you first install the plugin (unless you get a lot more people commenting at once than we do here), but to compare, Wavatar on an empty cache finished the same posts in just 4 seconds and 2 seconds, respectively.

Upgraded to WordPress 2.5

I’ve upgraded to the just-released WordPress 2.5. The new admin interface is very nice, especially the ability to upload more than one image at a time (though I think they might want to test uploading a single picture a bit more [edit: Maybe it's specific to Firefox 3 beta 4---on uploading one image, it shows the control panel three times instead of just once.] [edit2: Maybe it's on the Firefox beta, but the Linux version of Flash Player. It works just fine on the same version of Firefox on the Mac.] [edit3: It's definitely the Linux Flash Player; I tried it with Opera on Linux and had the same problem.]).

I’ve adapted my theme to use new built-in support for Gravatar and optimal titles instead of the plugins I was using before.

All the stuff you’ll see appears to be working just fine so far. A couple of minor glitches with some admin plugins (WP-Amazon takes two clicks to show or hide instead of just one), but no biggie.

There was one issue during the upgrade. I’ve been using XCache for WordPress to improve site performance. I was asked for the XCache admin login & password during the database upgrade. I couldn’t remember them, so I renamed object-cache.php and hit “cancel” on the password prompt, but it seems to have upgraded everything fine.

The one really annoying thing is that the Bad Behavior anti-spam plugin conflicts with the new media uploader (it’s already on the WordPress 2.5 Plugin Compatibility list). There are two issues. First, “Shockwave Flash” is apparently used by spambots, so it was listed in blacklist.php (code 17f4e8c8). Second, it seems Flash is mixing and matching HTTP 1.0 and HTTP 1.1. If I remove it from the blacklist, it trips condition a0105122, which indicates an Expect header appearing in an HTTP 1.0 request. Removing that test allows it to upload, but the test catches a lot of spam…

Edit: I tried out the visual editor again, as it was billed as “it doesn’t mess with your code anymore.” Sadly, it does mess with your code. It disappeared an image in one post, and it still replaces semantically-neutral <i> tags with <em> tags, even when you’ve entered them manually. <em> is for emphasis. When you italicize a book title, you are not emphasizing it. By replacing one tag with the other, it adds inaccurate semantic meaning. This is just as incorrect as using <h5> to get small text instead of using it for a level-5 heading.

Spam Switch

With the recent rash of Trackback spam, I finally bit the bullet and am now experimenting with Akismet in addition to Spam Karma. I’m not sure how well they work together, or, at this point, which plugin processes the comment first. Update: I’m trying Akismet on its own for now. Or, more precisely, Akismet as the sole second line of defense. Bad Behavior is still holding the front line.

Update (Feb 14): I’m now back to using Spam Karma 2, but with a plugin that uses Akismet as one of the score components. This seems to be working well, as SK is able to block the ridiculous stuff (100 porn links in one comment, etc.), and Akismet is able to catch the trackback spam that’s been passing SK2 by temporarily including an inbound link.

The big problem I had with Akismet was that aside from the age of the target post, the blocked comments weren’t sorted or filtered in the admin interface. I was having to look through ~30 comments a day for false positives. Spam Karma will show only the borderline comments by default, and uses a table structure that makes it easier to skim.

This way, though, I get the proverbial best of both worlds.

Random Tech Bits

Taking a break from the fire commentary:

Apple: Finally pre-ordered Mac OS X Leopard, removing the temptation to run out to an Apple store or Fry’s this weekend (though I’ve been meaning to put some more RAM in the Windows box). Saved a few bucks by ordering from Amazon ($10 off the family pack, would’ve been $20 off the standard box), and picked the free shipping so that I won’t be tempted to install it until there’ve been a few days’ worth of bug reports.

Meanwhile, I’m wondering when Safari 3 comes out for Windows and Tiger. Tonight at 6:00? Monday? I’m looking forward to this putting some of the new CSS3 capabilities into the hands of potentially 5% of the web audience.

Opera: Speaking of web browsers, Opera 9.5 beta came out yesterday. In addition to lots of work on rendering & site compatibility (as seen through the last few weeks’ worth of alpha releases), they’ve launched a new service called Opera Link. It’s primarily a bookmarks sync service, plus a web-accessible interface. So you can automatically sync multiple copies of Opera—including Opera Mini—and also be able to access those bookmarks from Firefox, IE, or a computer where you’re a guest (friend, computer lab, cafe, etc.). I think the biggest impact here is going to be syncing between the desktop and phone, like Safari on the desktop and the iPhone.

On the other hand, imagine adding a bookmarklet or Firefox extension to more easily update from—or even fully sync with—other browsers. Or better yet, a way to synchronize Opera Link with, say, del.icio.us, which can integrate fully with both Firefox (via an extension) and Flock.

Spam: I’m astonished that, with the amount of comment spam that hits this blog (many thanks to Bad Behavior and Spam Karma for helping stem the tide!), I’ve only netted 7 comment spammers for Project Honeypot since they started tracking comment spam 6 months ago. I guess the software is smart enough to only hit the real forms?

Wordpress: Just released version 2.3.1 with a bunch of bugfixes and (of course) a security fix. Updated.

Updating Again: WordPress 2.3

Well, I’ve updated the site to Wordpress 2.3. Let me know if anything’s broken.

The closest thing to a problem was just that I didn’t know I had to run the tag importer manually. I assumed it would be run during the upgrade. No biggie, I went to Manage/Import, ran the importer for Bunny’s Technorati Tags, and waited a few seconds. (I already knew I’d have to adjust the theme.)

I guess fewer things can go wrong if it waits for you to tell it which tag format to import, the one time you actually need it to, instead of having the updater try to guess between 5+ structures (and no structure!) every single time you update for the foreseeable future.

Anyway, I’ll probably be trying out some new themes over the next few days, so don’t be surprised if the site changes appearance wildly. It seems about time for a change.

Theme Testing:

• Blue Box, with a custom logo & splash image (one of our photos from Waikoloa) & some minor tweaks. (Sep. 24)
• Still tweaking Blue Box. Trying to condense the extraneous splash image with the title bar. (Sep. 25)
• I think I’m going to stick with this theme for now. I’ve added some workarounds for IE6 to (mostly) handle the changes I made. (Sep. 26)

To do: small-screen compat, put recent links back in the sidebar, fix the duplicate IDs in the Links widget. Maybe clean up the 60-item list of monthly archives. (Sep. 27)

• Cleaned up the giant archive list via Flexo Archive Widget. Unlike others I’ve tried, this one won’t hide all the links if JavaScript is disabled. (Sep. 29)

Patch…Friday?

I suppose it’s best to release the security fixes when they’re ready, because any time you pick is going to be inconvenient for someone, but lately it seems like Friday is suddenly in style.

Last Friday saw the release of PHP 5.2.4, on the Friday before—in the US, anyway—a 3-day weekend. This morning Apache released security updates for all three supported branches of their webserver. And this evening—yes, Friday evening—WordPress 2.2.3 came out.

Which reminds me, I’m going to have to start looking at the betas for WordPress 2.3. I think it’ll be a good time for a redesign. Maybe pick a new theme and tweak that one, maybe try my hand at actually designing one. I wonder if the new tagging system can import Bunny’s Technorati Tags.

Upgrading again: WordPress 2.2

Well, WordPress just released version 2.2 with a bunch of new stuff. I’ve upgraded the blog, and things seem to work so far — even on PHP5! They also included my workaround for the RPC bug in PHP 5.2.2.

I also upgraded the comments preview plugin, which now uses the actual post+comment page to show you the preview instead of showing a page that’s almost the same, but sorted in reverse.

At some point I need to test current versions of WP-Cache again, and see if WordPress’ internal cache works with PHP5 yet. And maybe it’s time to try a new theme. I’ve been tweaking this one pretty much since WP 2.0 came out.

Automattic Stats, or PHP 5.2.2 vs. WordPress XMLRPC

Experimenting with the new Automattic Stats Plugin that uses the WordPress.com statistics infrastructure to track traffic. So far, so good… except for one problem. Titles and links are missing from all the “most visited” posts. They’re just listed as numeric IDs.

Update: Actually, today’s posts seem OK. The plugin seems to just send the blog ID and post ID. I’ve been trying to figure out how the central server is retrieving the permalink and title. It doesn’t look like Bad Behavior is blocking it. And it doesn’t seem to be using the RSS feed, since posts that are still on the front page (and presumably still in the feed) are also showing up as numbers. *grumble*

Update 2: I just noticed that all of the number-only posts show the same placeholder graph showing “Region A” vs. “Region B” for 2003-2005.

Update 3: It’s a problem with WordPress’ XMLRPC interface, and affects other uses (like connecting with Flock). I’ve got a workaround, though (see comments).

Update 4 (May 10): Thanks to the pingback below from dot unplanned, it’s confirmed to be a bug in PHP 5.2.2. With any luck, the workaround will cease to be necessary when the next PHP bugfix is released.

When tags vanish

Since upgrading to WordPress 2.1.3 a few days ago, I’ve noticed tags disappearing on some of my posts. I currently use Bunny’s Technorati Tags, which stores them in custom fields.

It turns out there’s been a known problem since WordPress 2.1 was released two months ago. Some plugin hooks have changed, and plugins that used to only get called during post editing are also getting called during comment publishing. I grabbed an updated version of the plugin, and it seems okay now.

Oddly, most (but not all) tags survived unscathed during the two months running earlier 2.1 releases. It’s only since moving to 2.1.3 that it’s been consistent. Oh, well, at least it prompted me to find the fix.

WordPress 2.1.1 Security Alert

Sometime in the last 3-4 days, someone managed to alter the download for WordPress 2.1.1, adding a remotely exploitable security hole. The WordPress team has declared the release “dangerous” and has issued an update, WordPress 2.1.2, taken from the clean source plus a few fixes. If you run WordPress 2.1.1, upgrade ASAP!

Things worth noting:

• The SVN source that the developers use was not altered.
• Older versions, such as 2.0, don’t seem to have been affected.
• If you downloaded 2.1.1 when it was first released, it’s probably okay.
• 2.1.2 also includes a fix for a cross-site scripting vulnerability discovered a few days ago, so it’s worth updating anyway.

I still had the tar archive of 2.1.1 from when I grabbed it the day of the release, so I compared its contents to the 2.1.2 archive. The two files mentioned in the announcement, feed.php and theme.php, aren’t any different, confirming that the initial release was unaffected. That’s also where I saw the changes for that XSS bug.

*sigh* It’s always something…

WordPress Broken on PHP 5.2 Again

Upgraded to WordPress 2.1.1. Supposedly should’ve fixed the PHP 5.2 problems. In reality, they’re worse unchanged. Bug 3354 is marked fixed, but it seems to have only been fixed on the 2.0 series. Read the rest of this entry »

WordPress 2.0.7 security & feed fix

Just upgraded to WordPress 2.0.7. It fixes a security issue with certain versions of PHP, and it also includes the fix for the feed problem in 2.0.6 and a couple other minor fixes.

According to the announcement, WP 2.1 should be out by the end of the month. Looks like it’s almost time to see how many of my customizations will work with the new version.