Articles tagged: wordpress

# New project problems

1100 days ago

As I mentioned, I had the idea for CFFSW some six months ago. Part of what took me so long to make any progress was a giant amount of faffing about that can only come from knowing enough to be dangerous. In the end, I settled on Wordpress as a platform, knowing it was the one that I would be least tempted to divert my time from building the content to building the platform.

There are a few reasons for that. The first and most obvious being that Wordpress is extremely mature, thus making it far less likely that I should ever need to “go under the hood”. A second one is that it’s PHP, a language I have no desire to develop any competency in.

Something that made me lean away from Wordpress is my experience a couple of years ago, when Wordpress installs were getting exploited left, right and centre (especially on Dreamhost). Trying to clean those up was a painful experience, but Dreamhost have made it a lot easier to upgrade Wordpress installs almost immediately (I either get an email with a link to click, or I get an email saying they’ve done it for me), which helps. I tidied up my Dreamhost practices a bit by having only one domain per user (here I mean Unix user; I typically only deal with these when installing new things, thereafter most things have a web interface) and also enabling ‘Enhanced Security’ for each of those users (it boggled my mind to learn that this was not the case already). Although Dreamhost claim to enable this by default now, if you make a new user at the time of making a new domain (probably the most common use case) it’s not enabled. So much for that. I digress…

My first iteration of CFFSW actually involved a concerted effort in investigating various Python static-website generator options, and I even chose one (Nikola) and built a first draft. I was quite happy with it: it was feature-enough-ful, looked shiny and new enough (thanks Bootstrap), the author/mailing list was responsive, I could write entries in Textile markup (same as Textpattern, which this blog uses) and hey, static sites do not get hacked! I thought I was golden.

But then… I put it down for four months, and when I picked it back up, a huge amount of development had passed. I discovered it is in fact possible for a project to be too active (or maybe, not yet stable enough).

And I remembered how annoying it is to install stuff from source on every computer I use in order to update a blog, which turns out to be at least four. Web interfaces do have their convenience.

However, I have an idea (which I haven’t tried out yet). Github lets you edit/add new files via the web interface, and they do a formatting preview for Textile and other markups. So I can basically use Github as my web interface to updating my blog. I just need to set up some mechanism that rebuilds/reuploads the pages when new commits arrive. (I can accept that requiring a src clone, because it should rarely need updating.) NB: if anyone can point me to some scripts/projects along this line, please do!

Finally, why not more Textpattern? I am quite used to it, but there are several factors against it:

  • Security: Requires more work to update, which means I’m more likely to leave it out of date for longer (FTPing files, Wordpress has spoiled me)
  • Far harder to change themes (which is why this blog still looks how I felt c2008)
  • PHP

If I use a Python static site generator I can do a little platform-building when I feel the urge. It never goes away completely. :)



# Security 101: updating web-based software

2592 days ago

So I saw two talks at LCA about security: Joh Clarke’s Hackers, Crackers and Security Basics, and Mark Piper’s Web application security, OPEN style. I still remember seeing Joh’s So you want to be a sysadmin talk in Melbourne 2 years ago, and mainly just my jaw dropping open for the whole talk at how she casually just knew this amazing amount of stuff that I had barely even grazed against. It was equally scary and awesome, and both talks this year were the same way.

Anyway, I had good reason this week to think that it is more than time that I started to pay more than the bare minimum attention to security. And I thought about all my installed web things (mainly Textpattern and Wordpress), and how I don’t have any way to keep them systematically updated, unlike my desktop. Thanks to Ubuntu’s Update Manager, I get annoying red warning icons until I bother to update my system packages. So I actually do it within like a day of them being released.

So I was thinking how can I get these notifications… maybe I need to write some Update Manager-like little program to give me a taskbar icon when a new release comes out. So I need to know something about daemons and some basic GUI thing…and how do I detect when a new release comes out? The Textpattern blog doesn’t have a category just for release announcements. So how about the code? Google Code has a bunch of project feeds, but none of them seem to be “new release”. Oh well, maybe I can pray the trunk is stable?

Hmm. Then I was thinking, hey, I can solve this at a higher level… just make the code update itself. As long as my webhost has the same VCS as the project, and I check out the code from the dev branch, and the projects have a commitment to a stable trunk, I should be fine. Just make a script that does an “svn up” and put it in cron. In fact Werdna set this up for the Wikimedia Australia MediaWiki installs with his Wikimedia sync script, although there it updates to the version that is live on Wikipedia, rather than the utter-most bleeding edge.

But sadly, is not as revealing as MediaWiki. In fact I can’t find any easy indication about which version it is running. So maybe that won’t work. OTOH, Wordpress has email & RSS notifications for new releases, and in the admin side a nice notification, which works well if you are updating it regularly, not so much for abandoned/finished sites.

Hm, Wordpress does have instructions for Updating WordPress with Subversion, including “Tracking stable versions”, but they don’t have an automatic method of telling when a new release is available. So close!

But wait… I just checked the Dreamhost panel and under one-click installs, they have an option for “Upgrade everything, now” and then “Automatically upgrade everything to the latest version”. Too good! That covers MediaWiki and Wordpress, but I guess I have to roll my own somethingorother for Textpattern.
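One way to fill the gap between “svn up in cron” and “tracking stable versions” is to let the cron job itself work out whether a newer release tag exists, as in this added example (not code from the original post or from any of the projects mentioned). It assumes release tags are plain dotted version numbers under a single tags directory; the tags URL and working-copy path are placeholders passed as arguments, and pre-release tags such as `3.0-beta1` are skipped on purpose.

```shell
#!/bin/sh
# Added example: cron-driven "track stable tags" updater for an svn checkout.
# Assumptions: tags are dotted version numbers (e.g. 2.9.1/) in one directory;
# `sort -V` (GNU coreutils) and svn >= 1.9 (for --show-item) are available.

# Read `svn ls` output on stdin, print the highest dotted-numeric tag name.
# Anything that is not purely numeric (betas, RCs, branches) is ignored.
latest_tag() {
    sed 's:/$::' | grep -E '^[0-9]+(\.[0-9]+)*$' | sort -V | tail -n 1
}

# Succeed only if version $2 is strictly newer than version $1.
is_newer() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$2" ]
}

# Switch working copy $2 to the newest tag under $1 if it is behind.
# The body runs in a subshell so its variables do not leak.
update_to_latest() (
    tags_url=$1
    wc_dir=$2
    current=$(basename "$(svn info --show-item url "$wc_dir")") || exit 1
    latest=$(svn ls "$tags_url" | latest_tag)
    # An empty result means the listing failed or held no release tags:
    # do nothing rather than switch to something unexpected.
    [ -n "$latest" ] || { echo "no release tags found" >&2; exit 1; }
    if is_newer "$current" "$latest"; then
        echo "updating $wc_dir: $current -> $latest"
        svn switch "$tags_url/$latest" "$wc_dir"
    fi
)

# Cron entry point: script.sh <tags-url> <working-copy-dir>
if [ $# -eq 2 ]; then
    update_to_latest "$1" "$2"
fi
```

Cron mails anything the job prints, so the “updating …” line doubles as the release notification.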

Updating a-go-go…
