Infinite Alis
100% Cheshire.
22nd December, 2008 @ 11:23 am WordPress Security 101

I guess the one downside to switching from sk.log to WordPress is that I’m no longer protected, security-wise, by everyone’s favourite method, security-by-obscurity. It’s the trade-off, I guess. I no longer have to maintain my own code (yay), but WordPress is a huge target, simply because of its popularity and scope. Of course, considering its scope — and the fact that its code is easily obtainable — it’s actually pretty secure.

If you install it right. Which most of you probably don’t. So, without further preamble, here’s Dee’s “quick” WordPress Security check-list…

The Database

  1. Never, ever, ever, ever ever use your domain’s cPanel login as the username and password for your database. Some hosts nowadays won’t even let you, which is a Very Good Thing. This isn’t just a WordPress thing, either; you should never run any webapp using these credentials. For those of you hosted on other people’s domains, this also holds true for not making your database login and password the same as your FTP login and password.
  2. Do create a new database and user account just for WordPress. Sometimes this isn’t possible or practical, but if you can, you should.
  3. If your website is called, say, void-star.net then for godssakes do not make your database name something like vsnet. Think of your database name like a second password, and try and make it something hard to guess.
  4. Speaking of passwords, do make yours hard to guess. There is (probably) no reason for you to ever use your script’s database account interactively, or to ever have to re-enter the password, so it doesn’t matter if you forget the login details.[1] Hit up a random generator and get yourself something long (no less than eight characters) and full of symbols, numbers and upper- and lowercase letters. Hell, make a shorter one for the DB username too, while you’re there.
  5. When you assign your WordPress database user to the database, it’s a good idea to limit the rights it has. Admittedly, the rights WordPress needs (SELECT, INSERT, UPDATE, DELETE, CREATE, DROP) are pretty broad, but still. It’s the principle of the thing.
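Steps 2 to 5 of the list above, as one worked example. This is added here and is not code from the original post: it is the MySQL that a cPanel or phpMyAdmin database wizard runs for you behind the scenes, written out so you can see (and check) what the dedicated account ends up with. The database name, username and password are constructed placeholders; the ALTER privilege is my addition to the post’s list, since WordPress upgrades rewrite table definitions and fail without it.

```sql
-- Added example, not from the original post. All names below are placeholders:
-- generate your own random database name, username and password.

-- Step 2/3: a database that exists only for this WordPress install, with a
-- name that does not give away which site it belongs to.
CREATE DATABASE `x7qz_db` CHARACTER SET utf8;

-- Step 2/4: a dedicated account with its own generated password. Restricting
-- it to localhost means the credentials are useless from any other machine,
-- even if they leak out of wp-config.php.
CREATE USER 'u3kw8d'@'localhost' IDENTIFIED BY 'REPLACE-WITH-GENERATED-PASSWORD';

-- Step 5: grant only what WordPress needs, and only on its own database.
-- The post lists SELECT, INSERT, UPDATE, DELETE, CREATE, DROP; ALTER is added
-- here because the upgrader (dbDelta) issues ALTER TABLE when a new release
-- changes the schema, and those statements fail without it.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER
    ON `x7qz_db`.* TO 'u3kw8d'@'localhost';
FLUSH PRIVILEGES;

-- Check: the account should show one USAGE line (no rights at all) and one
-- line scoped to `x7qz_db`.*. Any line granting real privileges ON *.* means
-- the wizard handed out more than it should; revoke and redo.
SHOW GRANTS FOR 'u3kw8d'@'localhost';
```

The three values you put into wp-config.php are then the database name, the username and the generated password, with DB_HOST left as localhost. If your host only offers a web form rather than a shell, the thing to verify afterwards is the SHOW GRANTS output in phpMyAdmin: it should list exactly that one database, not “ALL PRIVILEGES”.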

The Filesystem

WordPress has some funky auto-updating stuff (with more getting added every release), and while that’s awesome, get your hands away from chmod. Most hosts nowadays run something called phpSuExec, which runs your PHP scripts as your user account rather than the “anonymous” Apache user. This means they’ll be able to interact with your files directly, without any special (i.e. anonymous) permissions. Note that this won’t protect you from weaknesses in the script itself, but it can stop some remote exploits.

If, for some reason, your host doesn’t use phpSuExec… find a new host.

WordPress

WordPress itself is surprisingly free of vulnerabilities, if you take into account the scope of the product. And, okay, that statement maybe runs counter to the “common sense” view, but the WordPress developers have generally been fairly savvy about jumping on issues as soon as they arise. What this means for you as a user, however, is that it is imperative that you update your WordPress installation whenever a new version is released. WP’s structure has always made this a fairly simple process,[2] and post-2.7 it’s even easier (one button click; yum).

The other major security issue is the default admin account. The fact that WordPress continues to insist on calling this account ‘admin’ after all this time is a little baffling, considering that a large number of WP vulnerabilities rely on this account having this name; including, of course, a straight-out brute-force password crack attempt. There’s not a lot you can do about a brute-force password attempt in WordPress, other than follow general good password security practices.[3] It’s a failing of the script.

The first thing you should do, however, is either rename your default admin account or de-privilege it somehow. Everyone has a different method for doing this. Users with existing blogs — who’ve probably been using the admin account since they installed — will want to go into the database (probably via phpMyAdmin) and change the username manually. Users with new blogs have it a bit easier; they can simply create a second account, assign it the Administrator role, then either demote the “old” admin account down to Subscriber or simply delete it completely.
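The two methods described above, written out as SQL. This is an added example and not from the original post; it assumes the default wp_ table prefix, that the original admin account is the first account created (ID 1, which is what the installer produces), and the replacement login ‘dee-main’ is a placeholder. Paste it into phpMyAdmin’s SQL tab, one option or the other, after backing up wp_users and wp_usermeta.

```sql
-- Added example, not from the original post. Assumes the default wp_ prefix
-- and that the install-time admin account has ID 1. Back up first.

-- Look before you leap: which accounts exist, and which one is 'admin'.
SELECT ID, user_login, user_nicename, display_name
  FROM wp_users;

-- Option A (existing blogs): rename the login in place. user_login is what
-- the login form checks; user_nicename is the slug used in author archive
-- URLs, so change it too or the old name stays visible there.
UPDATE wp_users
   SET user_login    = 'dee-main',    -- placeholder: pick your own
       user_nicename = 'dee-main'
 WHERE user_login = 'admin';

-- Option B (new blogs, once you have created a second Administrator in the
-- admin panel): demote the original account to Subscriber rather than
-- deleting it. WordPress stores the role as a serialised PHP array in
-- wp_usermeta; the length prefix (10 for "subscriber") must match the name.
UPDATE wp_usermeta
   SET meta_value = 'a:1:{s:10:"subscriber";b:1;}'
 WHERE user_id  = 1
   AND meta_key = 'wp_capabilities';
UPDATE wp_usermeta
   SET meta_value = '0'               -- legacy numeric level: 0 = Subscriber
 WHERE user_id  = 1
   AND meta_key = 'wp_user_level';

-- Check 1: no account should still log in as 'admin'.
SELECT COUNT(*) AS admin_logins_left
  FROM wp_users
 WHERE user_login = 'admin';

-- Check 2: at least one account must still carry the administrator role,
-- and it must be one you can log in as, before you end your current session.
SELECT u.user_login, m.meta_value AS role
  FROM wp_users u
  JOIN wp_usermeta m ON m.user_id = u.ID
 WHERE m.meta_key = 'wp_capabilities';
```

Option A logs you out, because the login cookie carries the username; sign back in with the new name straight away to confirm it took. Run Check 2 before doing either option as well as after: if the only row containing “administrator” is the account you are about to rename or demote, create the second administrator first.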

… and More?

That’s a start. It’s a good start, true, but there’s always more you can do, if you’ve a mind to. As always, a good place to start is WordPress.org itself.

  1. Of course, if you do, you can always check the config file.
  2. So long as you use the API in the way it was intended… but that’s a whole separate rant in and of itself I think.
  3. I feel compelled to point out that having a highly complex password doesn’t stop a brute force attack, it only slows it down. It’s still entirely possible that the first string a cracking script attempts is going to be your password, even if it is sixteen random alpha-numeric characters with uppercase and lowercase. It’s not likely, but that’s probability for you. Having a password made up solely of a dictionary word significantly increases the likelihood it’s going to be broken, and note that dictionary-based hacks are not fooled by a) non-English words, or b) doing things like replacing the letter ‘a’ with the number 4. Seriously, they’ve thought of that.

Mirrored from void-star.net β. Comments are preferred on the original.

6th December, 2008 @ 4:05 pm WordPress 2.7 RC1

Well, since JournalPress should now be compatible, I’ve converted β over to WordPress 2.7 RC 1.

Overall, I’m in a bit of a mixed mind about the new version. Some of the admin panel changes are pretty cool, but I’m not keen on the grey and blue theme (not enough contrast… and I never thought I’d be saying that). It took me about half a day to wrangle with the new wp_list_comments() comment API, and I was almost ready to give up in annoyance before I realised it supported a function callback for overriding the default style. Thank gods. I spent a couple of hours fretting over the fact that my comments didn’t seem to be threading in my dev site, before realising that they were only having that issue on one page. Which then didn’t follow me when I gave up and uploaded everything.

So it all works.

For those of you who’re curious, the custom comment function I use is:

Read more... )

And while I'm posting code, I also knocked up something quick to display JournalPress-compatible currents somewhere either above or underneath a post. This'll be rolled up nicer into the next release, but for now:

Read more... )

What a productive weekend. Or something.

Edit: Yes, yes. I know the code breaks LiveJournal. Bite me. Okay, less so now. This was a quick fix in WP-Syntax to stop it freaking over the WordPress visual editor:

    // Undo the HTML-entity encoding the visual editor applies to the block
    // before WP-Syntax trims and highlights it (constructed comment; the line is the post's)
    $code = htmlspecialchars_decode( wp_syntax_code_trim($match[3]) );

Mirrored from void-star.net β. Comments are preferred on the original.

10th November, 2008 @ 8:25 pm End Year's Resolution (Part I)

Sometimes, people out there ask me a question about void-star.net, and I have to give them the following answer; "The CMS made me do it."

Hi there, my name's Dee and – at the time of writing, at least – I'm one of the last blogs on Earth that doesn't use WordPress.

It's not my fault, honestly. When I started this site – way back in 2001 when it was called synthetickiss.com – WordPress did not exist. Hell, b2 didn't either. PHP, at that time, was a fairly new language and it'd only just started creeping hand-in-hand with its platonic life partner, MySQL, into the web sphere. I knew about the language because it was what Scot had picked to write the revision of grep with, and I figured that if a language was good enough for Scot then it must be A++ awesome.

At the time, the idea of using a database-driven engine for a blog was kind of novel. Most everyone at the time used Blogger, which was a very different beast than today. Essentially, you'd give the service your FTP details, and it would push out flat-text files for your posts and archive. Crazes of SSI and PHP includes came around and went, all attempting to add flexibility into what was essentially an inflexible system. The only other system available at the time was a Perl CGI script that I swear was called Greymatter but references to which I can no longer find on the Intrawebs. There was no PHP/MySQL solution.

So, in the latter half of 2001, I decided to write one.

It was called sk.log; the "sk" in honour of the acronym for my site at the time. I'd originally intended to release it publicly – and even did, for a while – but the development of b2 started shortly after I was mired in my own script, and rocketed to healthy popularity.

I stuck with sk.log for the next seven years. Despite its flaws – and there were many – and despite its complete and utter lack of anything even resembling an admin panel, I'd written it and, as such, it was idiosyncratically mine.

A while ago, I made a list. Kinda like New Year’s Resolutions, I guess, except it was, like, September. The list contained two things:

  1. Join a gym.
  2. Migrate v-s.net to WordPress.

I looked at my list for all of about a day, before chucking the whole thing into the "too hard" basket. Except… I did end up joining a gym. And I've been going, on average, five times a week for the last three weeks.

So that just leaves one thing left to do…

Mirrored from v-s.net. Comments are preferred on the original.

13th June, 2008 @ 9:58 am FenPress v0.1α

The hardest thing to know is where to start.

So you remember this thing yesterday? Well, the project-space is up, as the currently somewhat-unimaginatively-titled FenPress α. It’s currently an extremely raw WP-MU install, but it covers the basics of that platform. You can:

  • Sign up.
  • Create a blog.
  • Crosspost your blog to the single LJ Server account of your choice.
  • Muck about with a suite of plugins and themes.
  • Create as many secondary blogs as you want.
  • Create shared secondary blogs.

Now. The hard part. And the problem I’ve had ticking over in my head since last night is where the hell do I even start? I know what features people want and – theoretically, at least – I know how to write them. But the interoperability sucks, because everything is so dependent on everything else.

Oh, and the LJ cross-poster uses a deprecated function I don’t know how to replicate; hooray. But I’ve fudged it and it works for now (I think).

So. Where to start? I think a lot of my problems come back to the fact that WP doesn't have a real concept of an easily-accessible profile page. So that's a good start. If someone's got a profile page then you can friend them. So I can work on the friends system. Then, with that in place, I can work on post permissions. Similarly, I can do a "join this blog" option for group blogs (a.k.a. communities).

The one thing I think might give me issues is an equivalent of a friends page. WP MU assigns every blog a different suite of tables, which looks like it might mean a huge and complex array of joins. Then again, it does have a "last updated journals" list, and really an f-list is similar to that, only filtered. So, we'll see. But the perms stuff comes first.

Small steps. The biggest hurdle here is learning the WP API. The code itself is simple.

Mirrored from v-s.net. Comments are preferred on the original.

31st March, 2008 @ 3:13 pm The Beginner's Guide to Leaving LJ

You're changing your heart.
(Oh, oh, oh.)
You know who you are.
(One, two, three, four, five, six, nine and ten.)
Money can't buy you back the love that you had then.

Quoted From: FEIST, '1234'

Well, I know it will come as a shock to you all, but the wank over at LiveJournal has erupted again after SUP announced they're trialling a new 'Sponsored' account type; essentially you'd get the features of a Paid account, but without paying anything. In return, your journal would be brand-locked to a sponsor, affecting your layout and userinfo, and possibly giving the sponsor a modicum of editorial say over your journal's content. You wouldn't know it from the hype, but SUP is only currently trialling this for its Russian userbase. Predictions of its success vary wildly, but they're all irrelevant for the purposes of this post, because what I'm going to do instead of complaining is, for once, to try and offer some help.

So, here it is. Sick of LiveJournal but don't know how to live without it? Don't worry, you're not alone. And you also wouldn't be alone in following the exodus of people who are flowing out of places like LJ and into the private blogging market. Getting out is not as hard as you think, nor does it cut you off from your existing friends and communities. Sure, there'll be some adjustment required and you can't move expecting everything to be exactly the same as you left it. Because it won't be; it'll be better. Trust me, you'll like it once you're in, I swear.

So, without further ado, here’s Dee’s beginner’s guide to migrating to WordPress from LiveJournal[1].

Step #1: Finding A Host

Here's the thing, you want a journal with no ads and no editorial interference? Well, the good news is that there are literally hundreds of nice people out there with a vested interest in helping you out. The bad news is you're going to have to find them (but it's not that hard).

Your first option is to sign up at WordPress.com. WP.com is a commercial entity, however, and while they're not as ad-saturated as LiveJournal, they've still got 'em and by putting content there you're still living at the direct behest of a company. Plus, some of the features we're going to be using later on are locked-out. So it's probably not a great option. (In fact, for the rest of the post I'm going to assume you're not doing this.)

Your real second choice is to find someone's personal domain to mooch off. This is called 'sub[domain] hosting' and almost everyone who has a private domain nowadays offers it for free. In a nutshell, you find a domain name you like (say, void-star.net), insert some wrangling, and the net result is you come out the other end with a subdomain all of your own (say, you.void-star.net). You can then do pretty much whatever the crap you want with it, including sticking a blog there. It's fun, I swear; I've been doing it since circa 1999.

But where do you start looking? Lists like the ones at Get What You Give, Link Lounge and Despair.nu. And, yes, even yours truly. Or ask your f-list; you'd be surprised who owns what. Some things to keep in mind when you're looking for subdomain hosting:

  • You'll need somewhere that will run WordPress. This is pretty much everywhere; your main requirements are PHP and at least one MySQL database. The host you apply to should be able to help you set these things up.
  • Your host will have access to your files. That's just the way it is, and while most hosts are pretty good, don't leave the password to your GMail or bank account lying around on a shared server (or, in fact, anywhere).
  • Make sure you get a host that gives you your own FTP login, that will only allow access to your directory (some hosts try and share one login between all hostees; this is bad, don't do it).
  • Your host will have a host, which they likely pay money to (or, possibly, their host has a host). Try not to get them in trouble; if you're unsure about any of your content, ask them first. 9,999 times out of 10,000 it will be fine.
  • If you haven't done this "standing on your own two e-feet" thing before, make sure you get a host who's happy to help you figure out things like how to set up scripts and use FTP. Most are; some will even do basic installs for you.

The third option is to (gasp) register your own domain. Domains are pretty cheap nowadays; if you're paying over $10 a year for a .com, .org or .net you're paying too much. The hardest part here is finding a decent registrar; I mostly use GoDaddy but I wouldn't say they're the best option on the table (they tend to be difficult if you accidentally let your name lapse, and they upsell). Once you've got a name, you'll still need some hosting; there are people (again, yours truly) who offer free domain hosting. Otherwise, you're looking for something paid; DreamHost has always been popular, as is Site5, while I use Surpass Hosting. If you've got a computer that's constantly connected to the 'net, you can even host your own (I'll finish writing the other half of that tutorial one day, honest)!

Yes, incidentally, you read that right; owning your own domain costs less than a paid LiveJournal account. Just so you know.

Step #2: Installing WordPress

WordPress is one of the most common blog tools currently in production. It's a mighty fine product, hence I pimp it so much. And it's really, really piss-easy to install.

  1. First up, make sure you've got that MySQL database set up. You'll get four pieces of information with it: a host name (usually localhost, but not always), a user login, a password and a database name.
  2. Download the latest WordPress distro.
  3. Unzip WordPress somewhere on your computer. Find the folder that contains readme.html.
  4. Read the readme, and follow the instructions. They are very easy; remember to fill in your database details (the ones we noted above) when asked.
  5. For step #4, you’ll need an FTP client. My favourite is FireFTP; a plug-in for Firefox. Your host should have given you an FTP server, a username and a password.
  6. If you do something wrong at any point, you can delete everything and start again. It's all good; everyone screws up the first couple of times. Ask your host to help you or, at worst, me.
  7. Anyway, if you’ve followed all your instructions correctly, you should have a glimmering new WordPress install. Take a moment to inhale its shiny beauty.

Step #3: Configuring WordPress

So, we've got a blog. Now, what're we going to do with it? The WordPress admin panel can be a bit confusing if you've never seen it before, but the tool is tremendously powerful and – believe me – its admin is much easier than most other blogging/CMS tools. Don't be afraid to muck about, change some values; at this stage, anything you break you can un-break easily, so go nuts. Make some test posts, some test pages, a test blogroll.

One of the things you definitely want to do while you're here is make 'neat' permalinks. These mean that instead of URLs like /?p=123, you get something 'human readable' and bring great kudos upon yourself. To change these, visit Settings > Permalinks in your admin panel. Note that this will require the creation of a special file in your blog folder. On most modern hosts, WordPress should be able to upload this itself; if not, it'll give you instructions on what to do.

To block search engines from your blog, visit Settings > Privacy. To stop your blog from notifying directory services of updates you make to it, visit Settings > Writing and delete the text from the box under Update Services.

Settings > Discussion has options for comments. You can set moderation and pingbacks (attempting to notify other blogs when you’ve linked them; the blog software on the ‘receiving end’ needs to understand these, and for the record, LiveJournal doesn’t), as well as the use of Gravatars. Gravatars aren’t as flexible as LiveJournal’s user icon system but, well, you win some, you lose some.

Step #4: Making it Pretty

The most important step; themes! Now, you can certainly have a stab at making your own (and as someone who's done both, believe me they are much easier to make than LiveJournal themes), but there are jillions of people out there in internet land who are keen to make free WordPress templates for you to use. The hardest part is finding good ones, but a good place to start is Smashing Magazine, which goes around periodically rounding up some really sweet ones.

Installing WordPress templates is also easy: Download, unzip and upload the folder into /wp-content/themes. Then visit the Design section in your admin panel; wow!

Step #5: Making it More Like LiveJournal

Thing is, you aren't going to be able to replicate all of LiveJournal's functionality with WordPress. LiveJournal is more community orientated than WordPress, which is more of a publishing tool. Such is the price of freedom. That being said, there are some things you can do, and they're all going to be accomplished via plug-ins. Like themes, there are thousands of WordPress plug-ins out there, all with varying functions and levels of awesomeness. Installation is pretty easy; download, extract and upload the files to /wp-content/plugins. Then go to Plugins in your control panel and press 'Activate' as appropriate. That's (usually) it.

The first one is putting in threaded comments. Out of the box, WordPress supports these technically but the ability isn't implemented in the UI for some reason. Probably the most mature solution for this out there is the Brian's Threaded Comments plug-in. This plug-in is one of those ones that requires a slightly different installation, so make sure to read install.txt carefully.

The one thing that is hard with WordPress is making the equivalent of f-locked posts. You can start to add this functionality with plug-ins like Post Levels, but it's never as smooth as LiveJournal's system and it requires getting your friends to register at your blog. There are also other fun things like your locked posts not appearing in your RSS feed (so how do people know you've made them?). On the other hand, WordPress does know how to natively password protect entries (under Password Protect This Post at the bottom of the Write > Post screen), so experiment a bit to try and find what you like.

Finally, the one really easy feature to duplicate is LiveJournal's 'Memories'. We're going to do it with a super-fun service called del.icio.us. Sign up for that, install the handy browser extension and get bookmarking! Getting these into your WordPress blog is also easy. You can either post all your bookmarks for the day as batch post, or simply add the RSS feed from your account to your sidebar. To do the latter, visit Design > Widgets and click RSS; in the box that pops up on the right-hand side (you might need to expand it by pressing Edit), fill in the URL for your del.icio.us feed (it will be http://feeds.delicious.com/rss/username), check other options as appropriate and hit Save Changes.

This, of course, is only really scratching the surface of what you can do. For a much, much more extensive list of modifications, see this list.

Step #6: Importing Your LiveJournal Entries

They're not going to go to waste; you can, indeed, import your old LiveJournal entries into your brand spanking new WordPress blog. Handy instructions on how to do this are here. Note that this might take a while, because you're probably going to be restricted on the size of the file you can upload (it's a PHP thing). Still, it's totally doable.

Step #7: Exporting Back to LiveJournal

Leaving LiveJournal is all well and good, but I'm guessing that – like me – you've still got lots of mates there and you don't want to abandon them. No worries! You can still export the posts from your shiny new blog back to your old LJ friends. As usual, there's more than one way to do it.

The first one is to set up a Syndicated account at LiveJournal using the RSS feed of your new site (it's probably /feed if you've changed to short URLs as above). As an option, this one kinda sucks since your friends (bless their hearts) will likely have a habit of commenting on the syndicated entries, and you won't get notifications when they do.

A much better option is the LiveJournal cross-poster. This will automagically mirror your blog entries into your existing LiveJournal; as far as your friends are concerned, it'll be (almost) like you never left! But you, on the other hand, won't have to worry about SUP plastering your journal with ads or deleting your account for 'inappropriate' content. Schwoit! (On the other hand, if you're one of those "get off my content, SUP!" types, you're probably after the feed option.)

Step #8: Homing Your Fen Content

Got fic, art or manips? Then I’ve got good news for you; WordPress will help you organise all this stuff much better, using its static pages feature (Manage > Pages and Write > Page). These are hierarchical (Page Parent on the write screen), so you could create a page for ‘fics’, a sub-page for ‘DCU’ and pages beneath that for individual stories.

Do art or vids instead of fics? No worries; WordPress has a handy upload and embed wizard for these, too.

There are two things you should know about Pages. The first is that they don’t appear in the RSS feed for the site. So if you make a new one, and want to announce it, that’s a blog post.

The second one is about comments. Now, theoretically you should be able to comment on Pages in WordPress but it's not always enabled in all templates. Check this thread for more info.

Step #9: LiveJournal, Your Way

Okay, so you've set yourself up a new blog, you're crossposting it to your old LiveJournal – no disruption of service required – and you've re-homed all your old fic and art from the posts it was previously buried in and onto static, categorised Pages. What now?

Now, we go back to LiveJournal. The whole point of moving is not to leave the place cold-turkey, but rather to find a new home for our content, free from management interference and ads. Chances are, you've still got a lot of friends left over at LJ, and probably a buttload of communities, too. So, what to do about that?

Well, obviously your friends page is still there, and the truth of the matter is that there's no real replacement for the communities on LJ, short of getting the entire lot to follow you to a privately hosted forum. So to participate, you're going to have to go back. There are, however, a couple of things you can do to make this experience a little more enjoyable.

Firstly, invest in an RSS reader. This can be a standalone client (Thunderbird, for example) or an online service such as Bloglines. A fun fact about LiveJournal is that all accounts – communities and users – have RSS feeds, and you can read them without ever touching the site itself. The URL for a user’s RSS feed is http://username.livejournal.com/data/atom while for communities it’s http://community.livejournal.com/username/data/atom. RSS feeds don’t get notification of f-locked posts, of course, which kinda bites, but they’re good for reading communities at the very least. Good news, everybody! Turns out this isn’t true, and you can read f-locked posts at LiveJournal via RSS. See this article for details (info care of no_lj_ads).

Secondly, get the LiveJournal Addons for Firefox (y'all do use Firefox, right?). This natty extension will give you a heads-up on new f-list posts, messages and other random events. Net result: Less time spent actually on LiveJournal, no loss of content.

And finally, for godssakes get Adblock Plus. Now not only are you using LiveJournal's facilities, but you're not viewing any ads while you're there, and thus not helping their revenue. You're a grade-A moocher!

Step #10: Profit!

So, that's all there is to it, kids. Now you too can have an ex-LiveJournal blog without actually having to sacrifice much in the way of your overall LJ community experience.

And, best of all, when people start bitching about censorship this and ads that, you can rock back on your heels with a hearty, Puritan HA! HA!, safe in the knowledge that you are safely ensconced on your private server and screened from the damage by your RSS feeds and your Firefox addons. And, who knows; if your friends see how easy it was for you to go, maybe they'll start moving off-server too.

Zero content, zero investment.

Good luck with the exodus.

Edit: Wouldn’t you know it, there’s even a pre-existing LiveJournal community dedicated to exactly this process! lj2wordpress. Natch.

  1. Note that for the rest of the post, when I say ‘LiveJournal’, assume I also mean InsaneJournal, JournalFen, DeadJournal… in fact, any site that runs on the LJ codebase.

Mirrored from v-s.net. Comments are preferred on the original.
