One of the problems with adding a million custom meta boxes is that you have to arrange them in a way that doesn’t make the post editor suck. In today’s example I have the following custom meta ‘items’: Featured Image: 1; Taxonomies: 3; Dropdown selections: 3; “Rating” scores: 4; Text Boxes: 6 (1 plain text, 5 TinyMCE). That’s a lot of data.
I get asked this a lot. It comes with the territory, but people ask me to help them monetize their plugins all the time. And my answer is always the same. As much as I am a strong advocate of people making money off of WordPress, and as much as I support plugin and theme devs in their work, I’m not out here to help you run your business.
You know that box on the side of your posts? With “Publish” and it has some information? What if you want to add more information to it? Jetpack does it. Yoast SEO does it. You can do it too. We’re going to be using a hookable action called post_submitbox_misc_actions that fires after the post date information.
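Here is what hooking post_submitbox_misc_actions looks like in practice. This is an added example, not code from the post or from Jetpack or Yoast; the function name, the text domain and the choice of what to display (a word count and the last editor) are assumptions made for the illustration. The hook passes the WP_Post being edited, and everything printed is escaped because it lands inside the admin page.

```php
<?php
/**
 * Added example: show a word count and the last editor inside the
 * Publish meta box. post_submitbox_misc_actions fires after the post
 * date row and passes the WP_Post being edited. Function name and text
 * domain are invented for this illustration.
 */
add_action( 'post_submitbox_misc_actions', 'halfelf_example_submitbox_info' );

function halfelf_example_submitbox_info( $post ) {
    // Only show this for post types where the information makes sense.
    if ( ! in_array( $post->post_type, array( 'post', 'page' ), true ) ) {
        return;
    }

    $words = str_word_count( wp_strip_all_tags( $post->post_content ) );

    // WordPress itself records the last editor in the _edit_last meta key.
    $editor_id = (int) get_post_meta( $post->ID, '_edit_last', true );
    $editor    = $editor_id ? get_userdata( $editor_id ) : false;
    ?>
    <div class="misc-pub-section misc-pub-example-words">
        <?php esc_html_e( 'Words:', 'halfelf-example' ); ?>
        <strong><?php echo esc_html( number_format_i18n( $words ) ); ?></strong>
    </div>
    <?php if ( $editor ) : ?>
    <div class="misc-pub-section misc-pub-example-editor">
        <?php esc_html_e( 'Last edited by:', 'halfelf-example' ); ?>
        <?php // A display name is user-supplied text; escape it like any other. ?>
        <strong><?php echo esc_html( $editor->display_name ); ?></strong>
    </div>
    <?php endif;
}
```

The misc-pub-section class is the one core uses for its own rows, so the new rows pick up the existing styling and sit directly under the date information.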
A constant refrain for my security reviews of plugins and themes is to sanitize everything. And sometimes my pedantic nature of sanitizing everything leads people to ask me why I don’t trust users. The short answer is “Because I am one.”
One of the topics I discuss regularly with developers is that of access. When writing any code, we must always consider who should have access to it. Not in the ‘who can look at my code?’ aspect, but that of who can run the code.
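The question of who can run the code comes up at every entry point an attacker can reach directly. The added example below (not code from the post) shows two such entry points, an admin form handler and a REST route, each refusing to do anything until a capability check passes, and the form handler also checking a nonce so that a logged-in administrator cannot be made to run it from another site. The action name, route, option name and function names are invented for the illustration.

```php
<?php
/**
 * Added example: gate two entry points on *who may run them*.
 * The admin_post action, REST namespace, option name and function
 * names are invented for this illustration.
 */

// 1. Admin form submission. Capability answers "may this user do it";
//    the nonce answers "did this user mean to do it" (CSRF).
add_action( 'admin_post_halfelf_example_save', 'halfelf_example_handle_save' );

function halfelf_example_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'halfelf-example' ), 403 );
    }
    // Dies with a 403 if the nonce is missing or invalid.
    check_admin_referer( 'halfelf_example_save', 'halfelf_example_nonce' );

    $value = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'halfelf_example_footer_text', $value );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}

// 2. REST route. permission_callback is the same question asked for the API;
//    without it the route is callable by anyone who can reach the site.
add_action( 'rest_api_init', function () {
    register_rest_route( 'halfelf-example/v1', '/footer-text', array(
        'methods'             => 'POST',
        'callback'            => 'halfelf_example_rest_update',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'value' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function halfelf_example_rest_update( WP_REST_Request $request ) {
    update_option( 'halfelf_example_footer_text', $request->get_param( 'value' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

Note that the REST route needs no nonce of its own when the caller authenticates with a cookie, because core already requires the X-WP-Nonce header for cookie-authenticated requests; the permission_callback is the part plugin authors most often forget.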
For the first time in over three years, there will not be a post about tech or tech adjacent items today. Today, March 8, 2017, is International Women’s Day. And today I do no work. Read more about A Day Without a Woman.
Democratize Publishing. We say that a lot in WordPress. We boldly state that the goal of WordPress is to democratize publishing through Open Source, GPL software. I’d like to turn that on its ear for a moment. The purpose of the REST API is to democratize reading.
WordPress 4.7 and 4.7.1 were vulnerable via the REST API: any unauthenticated user could modify the content of any post or page on a site. After 4.7.2 shipped the fix and the details were disclosed, a surprisingly large number of users still failed to update and, thus, were hacked.
Someone asked me why WordPress always says it’s going to delete files and data when it only removes the files and not the database options. There are two parts of the answer to this, one being a little historical and the other being a bit unhelpful.
I’m talking a lot about security. There are reasons for that. If you’re not keeping your online behavior safe, you’re in for some headaches. Two-Factor Authentication (TFA or 2FA) is one of the better solutions, as it protects you by requiring something you know (a password) and something you have (a phone or a hardware token) in order to log in.
Forward secrecy is mostly what it sounds like: it protects past sessions going forward. Each connection negotiates its own short-lived session key, so the traffic you exchanged yesterday can’t be decrypted even if the server’s long-term private key gets stolen tomorrow. The way it works is by constantly changing things: every connection gets a fresh key that is thrown away when the connection ends. Basically it’s rotating its encryption forever.
In the middle of debugging what turned out to be an unrelated problem, my friend James pointed out that my server was throwing a warning about the RC4 cipher. When you want to transmit secure data, you use a cipher to encrypt the data. RC4 is a (hah) cipher: an old stream cipher that is no longer considered secure, which is why the server was warning about it.
Ignore the fact that Google’s going to downgrade your sites if they’re not HTTPS soon. That’s not what I’m talking about. I’m a strong proponent of Net Neutrality and Freedom of Speech. I certainly intend to speak up and write and protest in the coming weeks and months, just like I have my whole life.
It’s hard to know what the future will be. When initially building out a site, it’s a game of guesswork to name things. You want to name them to be long term sustainable, but without a crystal ball, there will be missteps. Take, for example, the case of custom taxonomies.
At the bottom of every page on my site is a little bit of info declaring copyright: “Copyright © 2017 Mika A. Epstein” How do I do that and not have to update all my site themes and widgets every year? With code, of course!
As of WordPress 4.7, the visual editor no longer has a button for underline. There were a lot of reasons for this, but the primary two are: space is not limitless, and underlining looks like links. Naturally someone complained that we were breaking style guides: when referencing a source of information it is correct form to underline the title of the source.
Pretty regularly, people complain that I’m being pedantic and stubborn about security. They argue that their home-grown filters and regular expression checks are more than sufficient for sanitizing and validating data. Invariably I tell them “WordPress has a function for that. Please use it. Don’t create your own.”
I’m a writer, an artist, a dreamer, and a contributor to open source. I have the time to give back to the community, to continue to learn and grow, and to make more of the Internet a better place for everyone.
Last Friday we had the first ever LGBT+allies party at a WordCamp. It wasn’t really the first time we all got together, but it was the first time we stated to the world that this was what we were doing. How did it go? We sold out our 150 tickets.
In 2013 I made a silly little plugin called Genericon’d which let you include Genericons on your site in a theme-independent way, complete with shortcodes and flexibility for other plugins and themes that might be using it. In 2016, Genericons became Genericons Neue.
I’m speaking at WordCamp US. Someone I don’t know pinged me and said they were happy to see I was speaking, and they’d be there from their country. I haven’t the foggiest idea who they were or why they were telling me this.
“Your guidelines should be so clear as to not permit so much wriggle room,” he said. I stared at my screen for a moment, feeling my neck heat up with the sheer arrogance of his implication. Besides the fact that I did spend quite a bit of time trying to make them as transparent and clear as possible, it’s a known impossibility.
Ask 100 women online where they live, and the majority will give you a vague answer. California. Chicago. LA. Orange County. Those are enormous locations. While you probably could have found me in Chicago, if you asked enough people, you’d need to know a lot more than just the city.
You’ve probably heard the analogy that being a heterosexual, white, cisgender, Christian male is playing the game of life at its easiest setting. Most things are aimed at you, from consumer products on down to expectations. Being those things causes you to come from a place of privilege, even if you’re poor.
I wear a lot of hats in the Open Source World. I help teams. I represent and direct others. I herd the cats of software. I allow my name to be known. People talk about how we’re doing a good job, working hard, working together trying to make things better.
It was the day of a big release. A major release. A release that had been announced weeks, if not months, in advance. Everyone who was anyone knew that today was the day. So why not publicly drop the news of a major issue with the project in the middle of that release?
My friend Andrea recently complained about confusion between support licenses and the GNU Public License: When the Terms says, “licensed under the GNU general public license” but the pricing page makes buyers select “use on 1/5/unlimited sites.”
The following is the original notes on my WCEU talk about WordPress reviews. It’s more or less what I said, though the video will no doubt be up soon. This is a true story. In late 2014, a man violently assaulted a woman who left a bad review on his self published ebook.
I was looking into moving a site from Font Icons to SVGs for a few reasons. The primary is that, with an SVG, images will look crisp on all monitors, including the non-retina displays. They literally look better on my crappy old MacBook, instead of just on my iPad.
In a nutshell, the paradox is this: The more likely a person is to test Beta and RC, the less likely they are to have bad code. When people wonder why problems like the recent jQuery flub manage to make it all the way into the wild, they tend to assume the issue is not testing enough.
Let’s say you have some custom taxonomies in WordPress. And let’s say you want to add a special field to them for an icon. How would you do it? There’s a cool plugin by someone I know that can do this, called WP SVG Icons and it works great.
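One way to do it by hand is with the taxonomy form hooks and term meta. The block below is an added example, not the post’s code and not the WP SVG Icons plugin’s; the taxonomy name (genre), the meta key, the list of allowed icon names and the function names are all assumptions made for the illustration, and it relies on term meta (WordPress 4.4+) and the edit_term meta capability (4.7+).

```php
<?php
/**
 * Added example: an "icon" select on a custom taxonomy's Add and Edit
 * forms, saved as term meta. Taxonomy name, meta key, icon list and
 * function names are invented for this illustration.
 */
$halfelf_example_taxonomy = 'genre';

function halfelf_example_allowed_icons() {
    return array( 'book', 'music', 'film', 'star' );
}

// Shared markup for both forms; $current is the stored value, if any.
function halfelf_example_icon_select( $current ) {
    $html = '<select name="halfelf_icon" id="halfelf-icon"><option value="">None</option>';
    foreach ( halfelf_example_allowed_icons() as $icon ) {
        $html .= sprintf(
            '<option value="%1$s"%2$s>%1$s</option>',
            esc_attr( $icon ),
            selected( $current, $icon, false )
        );
    }
    return $html . '</select>';
}

// "Add New" form: a plain div.
add_action( "{$halfelf_example_taxonomy}_add_form_fields", function () {
    wp_nonce_field( 'halfelf_example_icon', 'halfelf_example_icon_nonce' );
    echo '<div class="form-field"><label for="halfelf-icon">Icon</label>';
    echo halfelf_example_icon_select( '' );
    echo '</div>';
} );

// "Edit" form: a table row, with the current value pre-selected.
add_action( "{$halfelf_example_taxonomy}_edit_form_fields", function ( $term ) {
    $current = get_term_meta( $term->term_id, 'halfelf_icon', true );
    echo '<tr class="form-field"><th scope="row"><label for="halfelf-icon">Icon</label></th><td>';
    wp_nonce_field( 'halfelf_example_icon', 'halfelf_example_icon_nonce' );
    echo halfelf_example_icon_select( $current );
    echo '</td></tr>';
} );

// Same save routine for create and update.
add_action( "created_{$halfelf_example_taxonomy}", 'halfelf_example_save_icon' );
add_action( "edited_{$halfelf_example_taxonomy}", 'halfelf_example_save_icon' );

function halfelf_example_save_icon( $term_id ) {
    if ( ! isset( $_POST['halfelf_example_icon_nonce'] )
        || ! wp_verify_nonce( $_POST['halfelf_example_icon_nonce'], 'halfelf_example_icon' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_term', $term_id ) ) {
        return;
    }
    $icon = isset( $_POST['halfelf_icon'] ) ? sanitize_key( wp_unslash( $_POST['halfelf_icon'] ) ) : '';
    // Only a known icon name is stored; anything else clears the field.
    if ( in_array( $icon, halfelf_example_allowed_icons(), true ) ) {
        update_term_meta( $term_id, 'halfelf_icon', $icon );
    } else {
        delete_term_meta( $term_id, 'halfelf_icon' );
    }
}
```

The Add New form is submitted over admin-ajax, but the nonce field travels with it, so the same save routine and the same checks serve both forms.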
“It’s not a problem. Only admins can use this.” I’d pushed back on a plugin that wasn’t validating its post input wisely. Instead they had just slapped sanitize_text_field() around everything and called it a day. One of the myriad reasons I’ll push back on a plugin is improper sanitization.
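The difference between wrapping sanitize_text_field() around everything and actually validating input is easier to see side by side. The following is an added example that is not the plugin’s code nor code from this post; it serves the sanitize-everything, use-the-WordPress-function and only-admins-use-this points together. The meta keys, field names, allowed layouts and rating range are assumptions made for the illustration. Note that "only admins can use this" is not a defence against the second handler’s inputs being wrong: an administrator’s browser can be driven by a cross-site request, which is why the nonce and capability check are there too.

```php
<?php
/**
 * Added example: sanitizing is not validating. Meta keys, field names
 * and the allowed values are invented for this illustration.
 */

// Before: sanitize_text_field() around everything. The result is a
// string, but 'layout' can be any string, 'rating' any text and
// 'link' any URL scheme, so the code that reads them has to cope.
function halfelf_example_save_unvalidated( $post_id ) {
    update_post_meta( $post_id, '_layout', sanitize_text_field( wp_unslash( $_POST['layout'] ) ) );
    update_post_meta( $post_id, '_rating', sanitize_text_field( wp_unslash( $_POST['rating'] ) ) );
    update_post_meta( $post_id, '_link',   sanitize_text_field( wp_unslash( $_POST['link'] ) ) );
}

// After: each field gets the WordPress function that matches its type,
// then is validated against what the rest of the code can handle.
// Returns the clean values so callers (and tests) can inspect them.
function halfelf_example_validate_settings( array $input ) {
    $allowed_layouts = array( 'grid', 'list', 'single' );
    $clean           = array();

    // Fixed set of choices: sanitize, then require membership in the list.
    $layout          = isset( $input['layout'] ) ? sanitize_key( $input['layout'] ) : '';
    $clean['layout'] = in_array( $layout, $allowed_layouts, true ) ? $layout : 'grid';

    // Integer range: absint() gives a non-negative int, min() caps it at 5.
    $rating          = isset( $input['rating'] ) ? absint( $input['rating'] ) : 0;
    $clean['rating'] = min( 5, $rating );

    // URL for storage: esc_url_raw() with an explicit scheme whitelist,
    // so a javascript: or data: value comes back as an empty string.
    $clean['link'] = isset( $input['link'] )
        ? esc_url_raw( trim( $input['link'] ), array( 'http', 'https' ) )
        : '';

    return $clean;
}

function halfelf_example_save_validated( $post_id ) {
    if ( ! isset( $_POST['halfelf_example_nonce'] )
        || ! wp_verify_nonce( $_POST['halfelf_example_nonce'], 'halfelf_example_settings' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $clean = halfelf_example_validate_settings( wp_unslash( $_POST ) );
    foreach ( $clean as $key => $value ) {
        update_post_meta( $post_id, '_' . $key, $value );
    }
}
add_action( 'save_post', 'halfelf_example_save_validated' );
```

With the validated version, a layout of "grid'; DROP TABLE" becomes "grid", a rating of "9999" becomes 5 and a link of "javascript:alert(1)" becomes an empty string, and none of that depends on who submitted the form.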
We are, for the most part, accustomed to getting our way. We have a problem, we contact support, they fix it. Once in a while, however, support says ‘No.’ There are technical limits to all products. Due to our own failures of imagination, we cannot foresee every possible iteration of usage for the things we build.
It’s a simple question. How do I make my site login secure? My answer is simple. Use https for your admin dashboard and use a strong password. My gmail user ID is firstname.lastname@example.org My WordPress.org username is Ipstenu. So is my Twitter handle. Facebook? Yep. GooglePlus even.
People died. While we can easily get lost in the implications of preventing deaths and understanding why a mass killing happened, there is one fact we’re left with. The FBI have asked Apple to write a backdoor into the iPhone code to allow the FBI to brute-force entry into an iPhone.
This is not about my plugin of the same name. For my first ‘real’ adult job, I was asked if I knew what WinINSTALL was. “It’s like WinImage,” they said. I had no idea what they were talking about. I thought I was applying for a software testing and deployment gig, and that sounded like images.
Working with a host isn’t just sending in tickets into the abyss and hoping they answer them. Whether you’re communicating on behalf of a client or for your own benefit, it’s not the same as working with fellow developers. You need to approach a host with different expectations and explain situations in different ways in order to get the best results.
You’ve heard about it. Calypso, the WordPress desktop editor for Macs. I’ve been using it and I’m going to give you a quick rundown on what I like and what I don’t. First of all, it’s Open Source, which is great to look at. Anyone can poke at it and play with it.
Takayuki Miyoshi is one of the best developers for WordPress you probably don’t know about. Miyoshi-san is quiet, thoughtful, and has written a handful of plugins you probably do know. Like Contact Form 7. He’s also written a wonderful multilanguage plugin called Bogo. He gave his very first presentation in English about why he uses free plugins.
I won’t name names here but I suspect people know who I’m talking about. Please note, any comments naming names will be deleted. They deserve a chance to redeem their name and exactly who they are is not the issue. We never received any advice when we asked. Only warnings.
Because I’m active in the support forums, people find me and ask all sorts of questions. Like Charlie. I want to totally delete my word press account. I will PAY you to do this. Why?
This blog has a cool trick in the comments section. The ‘reply’ link in comments will auto-generate your reply starting with “@person: ” and it does that with my plugin @Reply Two. The name is a pun because it’s a fork of the plugin @Reply (which has the slug reply-to), but it also has a ‘reply to’ feature (two …
I ended up turning it all off for one reason only. I keep getting a 522 error on cloudflare.com. Now. I have a working theory that it happens when I’m hitting my own site a lot (be it for development or as recently, a lot of traffic I need to reply to), but what would happen is I got an error 522 on my sites.
Really there’s a right way and a not-quite-as-right way to handle HTTPS on WordPress. It’s not that hard to do, and if your whole site is going to be HTTPS, then the easiest way is to change your home and site URLs to be https://example.com/ and put define( 'FORCE_SSL_ADMIN', true ); in your wp-config.php file.
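The wp-config.php side of that, with the one wrinkle that trips people up, as an added example (not the post’s own file). Setting the URLs in Settings is what the post describes; the WP_HOME and WP_SITEURL constants shown here are the equivalent for sites that keep them in config, and the X-Forwarded-Proto block is only for sites behind a TLS-terminating proxy or load balancer.

```php
<?php
// wp-config.php excerpt (added example). The domain is a placeholder.

// Equivalent of setting the home and site URLs to https in Settings;
// the constants win over the database values when present.
define( 'WP_HOME',    'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );

// Force the dashboard and login over TLS.
define( 'FORCE_SSL_ADMIN', true );

// Behind a proxy that terminates TLS, PHP never sees an HTTPS request,
// so is_ssl() returns false and FORCE_SSL_ADMIN produces a redirect
// loop. The usual fix is to trust the proxy's header. Only do this if
// the proxy overwrites X-Forwarded-Proto on every request: a header the
// client is allowed to supply lets anyone mark a plain-HTTP request as
// secure and get cookies and URLs generated as if it were.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
    && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
```

If you are not behind a proxy, leave the last block out; FORCE_SSL_ADMIN on its own is the whole answer.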
I love wp-cli. It makes my life so much easier in so many ways. I’ve added in some basic commands to some of my plugins because it makes things easier for others. And as it happens, adding wp-cli commands to your plugins isn’t actually all that hard.
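Here is the shape of a command registered from a plugin, as an added example rather than code from any of my plugins. The class, the command name and the option it reads are invented for the illustration; WP_CLI::add_command(), the docblock-driven synopsis and WP_CLI::success()/error() are the real WP-CLI API. One thing worth remembering: WP-CLI runs as whoever is at the shell, with no logged-in user, so current_user_can() is not a gate here; the file-system account is.

```php
<?php
/**
 * Added example: a WP-CLI command shipped inside a plugin. Class,
 * command name and option name are invented for this illustration.
 */
if ( defined( 'WP_CLI' ) && WP_CLI ) {

    /**
     * Manage the example plugin's footer text.
     */
    class Halfelf_Example_CLI {

        /**
         * Show the current footer text.
         *
         * ## EXAMPLES
         *
         *     wp halfelf-example footer get
         *
         * @subcommand get
         */
        public function get( $args, $assoc_args ) {
            WP_CLI::line( get_option( 'halfelf_example_footer_text', '' ) );
        }

        /**
         * Set the footer text.
         *
         * ## OPTIONS
         *
         * <text>
         * : The new footer text.
         *
         * [--dry-run]
         * : Show what would change without saving it.
         *
         * ## EXAMPLES
         *
         *     wp halfelf-example footer set "Copyright 2017"
         *     wp halfelf-example footer set "Copyright 2017" --dry-run
         *
         * @subcommand set
         */
        public function set( $args, $assoc_args ) {
            // Same sanitization as the admin form: the shell is a user too.
            $text = sanitize_text_field( $args[0] );
            if ( '' === $text ) {
                WP_CLI::error( 'Footer text cannot be empty.' ); // exits non-zero
            }
            if ( ! empty( $assoc_args['dry-run'] ) ) {
                WP_CLI::log( "Would set footer text to: {$text}" );
                return;
            }
            update_option( 'halfelf_example_footer_text', $text );
            WP_CLI::success( 'Footer text updated.' );
        }
    }

    WP_CLI::add_command( 'halfelf-example footer', 'Halfelf_Example_CLI' );
}
```

The docblock is not decoration: WP-CLI parses the OPTIONS section to validate arguments before your method runs, so a missing <text> or an unknown flag fails with a usage message instead of reaching your code.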
Lately there has been a lot of talk about the issues within various communities. It might be the shit storm over in Reddit land, it might be the drama in WP World. It doesn’t actually matter for the purposes of this post.
When I was new on the interwebs, people told me things like “Don’t bump your posts” or “Don’t nag people.” I took those lessons to heart, and even though this new online message board thing was awesome and addictive and a great way to talk to people all the time, it introduced us to a new/old problem of instantaneous gratification.
I try not to make this site about my personal grievances about people and attitude, and only about my code, but it does come back to code many times. “I thought you knew what you were talking about. Never mind.”
How you react to adverse situations is what makes or breaks your business, not the fact that you had one in the first place. Taylor Swift recently penned an open letter to Apple Music.
Recently there were a couple WordPress plugins with fairly major security fixes. But you wouldn’t know it by looking at their changelogs. The changelog is a section of a product’s readme that describes what changed. For most people, it’s a list of items like this: The problem many people have is that last one is often left rather vague.