1,000,003 Words!

It has happened. Muddled Ramblings and Half-Baked Ideas has rolled over the odometer and has blasted well beyond the 1,000,003-word line. I decided to celebrate by taking the day off work to throw out a bit of a redesign here; the old code simply did not support some of the cool new WordPress features I’ve been wanting to leverage. A ground-up rebuild is long overdue.

Even when you start with a fairly clean off-the-shelf theme, however, a great deal of fiddling and tweaking ensues. Some of the old widgets, like the colorful tag cloud and the sweet-o-meter, seem to be awol right now, and I’m not sure about the typography for reading my longer-winded treatises.

Also missing, and a little more difficult to bring back, is the poetry feed that was playing in the header. I’d like to bring it back, but at this moment I’m not sure where to put it.

What do you think? Too dark? Please leave comments here on the blog, while I work on getting the styling of the comments on the blog looking right.

Later tonight, after the celebratory single malt, I will compose the Inevitable Retrospective Episode.


wp-cli, Where have you been all my life?

WordPress updates can be pretty insecure. FTP was invented back before there was an Internet, and when no one thought that bad people might be on the same network you’re using (why even have a password if you let everyone see it?). Ah, for those naïve and simple times!

Yet even today most of the Web-site-in-a-box products you can get to run on your GoDaddy account use FTP. I control my own server, and you can bet your boots that FTP is turned right the hell off.

It can be a hassle setting WordPress up to allow its update features to work in a very secure fashion, however. I was wrangling rsa certificates when I ran across another solution: rather than push a button on a web page to run an update, log into the server and run a command there. Simple, effective, secure, without file permission fiddling and authorized_keys files.

wp-cli does way more than updates, too. It is a tool I’ve been pining for for a long time, without even knowing it. Want to install a plugin? wp plugin install "xyz" and you’re done. Back up the ol’ database? They have you covered. Welcome to my tool belt, wp-cli!

If you’re not afraid to type three commands to update your site, rather than trying to maintain a hole in your security in such a way that only you can use it, then this is a great option for you. Check it out at wp-cli.org.
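Here is the sort of update routine the post is talking about, as an added example and not anything shipped with wp-cli or this blog. It assumes wp-cli is installed on the server as wp, that the site path is passed as the first argument, and that a directory outside the web root (BACKUP_DIR, default /var/backups/wordpress) is writable for the database dump. The DRY_RUN switch prints the commands instead of running them, which is handy for checking a new script before pointing it at a live site.

```shell
#!/bin/sh
# Added example: routine WordPress maintenance via wp-cli, run on the server
# over SSH instead of the browser-based FTP updater. Not part of wp-cli itself.
# Assumes: wp-cli installed as `wp`; site path given as $1.
set -eu

# run CMD...: execute the command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# wp_update_site SITE_PATH: dump the database, then update core, plugins, themes
wp_update_site() {
    site="$1"
    # keep dumps outside the web root so they can never be served to a browser
    backup_dir="${BACKUP_DIR:-/var/backups/wordpress}"
    stamp=$(date +%Y%m%d-%H%M%S)

    run mkdir -p "$backup_dir"
    # 1. database first, so a bad update can be rolled back
    run wp --path="$site" db export "$backup_dir/db-$stamp.sql"
    # 2. core, then its schema migration, then extensions
    run wp --path="$site" core update
    run wp --path="$site" core update-db
    run wp --path="$site" plugin update --all
    run wp --path="$site" theme update --all
    # 3. confirm what is now running
    run wp --path="$site" core version
}

# Only act when a site path was given on the command line.
if [ $# -gt 0 ]; then
    wp_update_site "$1"
fi
```

Run it as DRY_RUN=1 ./wp-update.sh /var/www/html first to see the exact commands, then without DRY_RUN to do the work. Nothing here needs a writable web root reachable by the web server process, which is the whole point: the updates run under your own shell account, not through a hole you have to leave open for the WordPress updater.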

It’s Inside the Building!

You know in that horror movie where the girl is on the phone and there’s some crazy mofo who’s freaking her out but for some reason she doesn’t hang up and eventually it turns out the crazy mofo is already inside the house and really has no reason to call? I had a moment like that tonight. I’ve had a rash of spam lately, all using my Facebook identities. I waited for my spam-catchers to get a clue, but the comments kept coming. “Fine,” thought I, “I’ll just block the addresses they’re coming from.”

I fired up my diagnostics, and found the source. localhost. My server thought the comments were coming from itself! Double-plus ungood, to quote Orwell. Extra double-plus. My spam-detecting software, it turns out, recognized the evil of the comments, but was immediately overridden by the administrator. By me, or a vile piece of software pretending to be me.

I just changed a lot of passwords. I hope I can remember them later. I also set a switch that requires that all comments be approved before they go live. Alas, this is likely more an inconvenience to legit comment traffic, as the evil robot has already proven capable of emulating me and giving permission.

I also spastically updated all my wordpress plugins (I do this fairly often anyway) — including, perhaps significantly or not, the one that passes comments between here and Facebook. Later, going back, I see nothing in that plugin’s update info to the tune of “closed egregious spam hole.” But the attack vector seems to be through my Facebook identities. It may be that the conduit trusted the origin of the messages too much.

So now I wait and watch, and your comments will take a little longer to reach the page. Hopefully I can loosen things up soon.

Pardon the Dust – again


A warning sign I saw between Calgary and Edmonton.

I’m putting in a new comment system that hopefully will answer a couple of annoyances I found with the old. It may look wonky compared to everything else. I’ll probably just turn it on, see how things look, and turn it off again in a few hours once I know the effort it’s going to take to get it looking right.

In the meantime, leave a comment and tell me what you think!

Call me g2-587217eb4d0b8b1710372695336f2a58

The other day I got an email notification that someone had requested a password change for my wordpress.com account. WTF? I almost never even log into wordpress.com. But, if someone knew my member name, they could try to hack my account and I assumed that this message was a result of such shenanigans. I figured an actual change of my password was in order, just to be safe.

Then I noticed the user name on the account: g2-587217eb4d0b8b1710372695336f2a58

That’s actually not my user name at wordpress.com. Someone (a robot, obviously) created an account with my email address. Huh. I logged into the fake account, changed its password so whoever created it wouldn’t get access to it, and looked around for a way to delete the account entirely. I couldn’t find one.

I know you had a snafu that led to people’s passwords being stored less securely, and therefore a spate of “reset your password” messages issued forth, but this message was absolutely not the same as those. I am fanatic about protecting my email password (as I write about here), and I have changed it recently. There is no other sign that my email account has been compromised.

I logged in as the bogus user and checked to see if any comments or posts had been made; it appeared not. So, I set the password to something ridiculous and promptly forgot it.

The only problem is, when I leave comments on people’s wordpress.com blogs, after I put in my email it auto-fills the rest with data from the bogus account.

So, two things:
1) how did there come to be an account with an email address the bad guy almost certainly didn’t have access to?
2) how can I make that bogus account go away entirely, and never bother me again?

Damn Lies and Statistics

I read recently that WordPress “powers” more than 14% of the top 1,000,000 Web sites. (“Powers” in quotes because actually it’s electricity that powers them — lots of electricity.)

This site is also a WordPress site, and I started to wonder: Am I in the top million? A million, is, after all, a very big number, and this site does get regular traffic.

Which all begs the question, how the hell do you define “top Web site” and how does anyone know what they are? Presumably “top” sites are the ones that get the most visits, but even “visit” is tricky to pin down, and once you have a working definition there’s still the question of how the heck you measure it. Throw in game sites where a visit can last for hours — does that count for more than someone dropping in to see if there’s a new episode up in their favorite blog?

How about traffic from robots? When a robot tries to spam this site, does that count? How would the counting mechanism differentiate that from a legitimate visit?

For that matter, what’s a “site”? Does wordpress.org count as a single site, or is each blog hosted there counted individually? Is the difference whether the owner bothered to register their own domain?

All that aside, the slightly-depressing truth is that this is probably not one of the top million sites, no matter how you figure it, even counting spam-bot visits. Yep, there are probably more than one friggin’ million Web sites more popular than this one. Most of those sites will have a specific purpose — sites for businesses both local and international, political and news sites, comics, and so on (and of course porn).

I have a hard enough time sticking to a single topic in a given episode that the idea of staying on a subject for the whole damn blog is ridiculous. But I digress.

Most content? I’d probably be in the top million in that category. There’s a lot of stuff here. Oldest still-active sites? I might even crack the million line with that measure. How many sites have been continuously active since 2003? That’s like, a century in Internet time.

So I probably get the top-million most persistent award, if nothing else. Maybe I should make that a tagline for the site when I un-Flash the banner: “One of the million most persistent Web sites in the world!”


Bad Behavior, CloudFlare and Google Bot

This blog has several layers of protection from the evils of the outside world, but those layers don’t always get along. One problem that I had is pretty common among CloudFlare users, and the documentation provided by the relevant players has a hole in it – a key nugget of information that can make all the difference.

The nugget follows in due course.

My first line of defense from ne’er-do-wells and miscreants is CloudFlare. They stop most of the bad guys before they even reach my site. Still, for some sorts of attacks, when there’s doubt it’s better to let the bad guy through. It may turn out to be a good guy.

A program called Bad Behavior is my next line of defense. It sits on my server and quickly spots liars and weasels. For dangerous-looking attacks, that’s the limit. But, when there’s doubt and the site itself is not at risk, Bad Behavior will let the attack through.

At this point, ‘attack’ means ‘comment spam’. Everything else is stopped before it reaches this stage. Most of the comment spam has been stopped as well, but some has been given the benefit of the doubt. That’s where Akismet comes in. This layer spots the rest of the comment spam, and it can be much more aggressive since it doesn’t actually delete the spam, it puts it into a bin for future review. So, legitimate comments can be rescued by an alert blog admin.

It works pretty well. Three spams actually got through all the layers last week, the first time any have gotten through in quite some time. Somewhere, a spammer popped a bottle of bubbly.

So comment spam is pretty well thwarted. Hooray! Unfortunately, for a while I had a pretty big problem. Search engine robots were being denied. I fell off Google and Yahoo! and all the rest, and traffic to this site dwindled.

Note: according to this article, Bad Behavior has been updated to avoid the following problem. Yay! You should still install the CloudFlare plugin and the Apache module if you are able.

Here’s what was going on:

  1. Googlebot said ‘hey, muddledramblings.com, show me page x’.
  2. The request must get past CloudFlare. No problem. They see it’s the real Google bot and pass the request on to my server.
  3. Bad Behavior is next. They look at the incoming message and see something that claims to be a Google bot, but it’s not coming from Google. It’s coming through CloudFlare. Bad Behavior says, “You are a lying sack of dingo dung and a false Google bot. You are obviously evil and you may not pass.” Google is shut out. The other legitimate robots are cut off as well.

This problem is pretty easy to fix, but not quite as easy as WordPress admins would like to hope. CloudFlare has code that you can install on your server that will straighten the whole problem out. Basically it tweaks incoming messages so that the original source appears instead of CloudFlare. This bit of fix-it code is available as a WordPress plugin, so you can install the plugin and rest easy.

But that’s the thing that tripped me up and is not explained in the docs. In the case of working with Bad Behavior, the WordPress Plugin is not enough.

The catch is that Bad Behavior does its magic before the CloudFlare plugin can do its magic. So, even with the CloudFlare plugin firmly installed, Bad Behavior will reject Google bot and all his pals.

There are two simple solutions:

  1. Install the CloudFlare Apache module, which kicks in before anything else is run. This is preferable to the WordPress plugin anyway, because it’s a system-wide solution.
  2. If you don’t have that level of control over your server, turn off Bad Behavior. It’s a shame to lose that layer of protection, but not devastating; there’s some overlap between what CloudFlare stops and what Bad Behavior stops. You still have two layers and your own alert management to fall back on.
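To make the ordering problem concrete, here is a small model of the two checks, added as an example and not code from Bad Behavior, CloudFlare or this blog. It models the IP-restoring step the Apache module or WordPress plugin performs (swap the proxy’s address for the CF-Connecting-IP header) and the Bad Behavior rule that a User-Agent claiming to be Googlebot must come from a Google address, then runs them in both orders. The address ranges are constructed TEST-NET stand-ins, not the real CloudFlare or Google ranges, and prefix matching stands in for the real checks (CloudFlare’s published proxy list; reverse-plus-forward DNS for Googlebot). The one caveat worth noticing is in restore_client_ip: the header is honoured only when the connection actually comes from a trusted proxy, because otherwise any client connecting straight to the origin could pick its own “real” address with a single header.

```shell
#!/bin/sh
# Added example, not Bad Behavior's or CloudFlare's code: why the ORDER of
# "restore the real client IP" and "is this really Googlebot?" matters.
set -eu

# Constructed stand-in for the proxy's egress range the origin should trust.
is_trusted_proxy() {
    case "$1" in 198.51.100.*) return 0 ;; esac
    return 1
}

# Constructed stand-in for the crawler's genuine address range.
is_google_address() {
    case "$1" in 203.0.113.*) return 0 ;; esac
    return 1
}

# restore_client_ip REMOTE_ADDR CF_CONNECTING_IP
# Prints the address the rest of the stack should treat as the client.
# The header is honoured only when the TCP peer is a trusted proxy; a direct
# connection keeps its own address no matter what header it sends.
restore_client_ip() {
    if [ -n "$2" ] && is_trusted_proxy "$1"; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$1"
    fi
}

# bot_check USER_AGENT CLIENT_IP -> prints allow|reject
# Simplified Bad Behavior rule: claim to be Googlebot, come from Google.
bot_check() {
    case "$1" in *Googlebot*) claims_bot=1 ;; *) claims_bot=0 ;; esac
    if [ "$claims_bot" = 1 ] && ! is_google_address "$2"; then
        printf 'reject\n'
    else
        printf 'allow\n'
    fi
}

# verdict ORDER REMOTE_ADDR CF_CONNECTING_IP USER_AGENT
#   ORDER=module : address restored first (Apache module), then Bad Behavior
#   ORDER=plugin : Bad Behavior runs first; the WordPress plugin fixes the
#                  address afterwards, which is too late to change the verdict
verdict() {
    if [ "$1" = module ]; then
        bot_check "$4" "$(restore_client_ip "$2" "$3")"
    else
        bot_check "$4" "$2"
    fi
}

# Constructed request: the real crawler, arriving through the proxy.
UA='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
echo "apache module order:               $(verdict module 198.51.100.7 203.0.113.42 "$UA")"
echo "wp plugin order:                   $(verdict plugin 198.51.100.7 203.0.113.42 "$UA")"
echo "forged header, direct connection:  $(verdict module 192.0.2.9 203.0.113.42 "$UA")"
```

The first line is the configuration the post recommends and prints allow; the second is the plugin-only setup and prints reject, which is exactly the “false Google bot” rejection described above. The third shows why the trusted-proxy test in restore_client_ip is not optional: with the header trusted unconditionally, that request would also have been allowed.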