Wordpress.org 2.5 Redesign
With the release of their latest version of Wordpress, 2.5, the official Wordpress site has undergone a redesign by Happy Cog studios:

The main page has been refreshed in boring, pastel colours, and prominent links to their Wordpress for Dummies book via Amazon affiliate link and their hosting affiliate suggestions have been added. I’m honestly not impressed with the redesign, which has included work on the administrative interface:

It’s as if they took the strong ideas and colors of Wordpress past, watered them down, spaced them out, and made sure everything looks sufficiently web 2.0 without actually adding a substantial improvement. Every administrative screen now looks different and inconsistent with the others. If I upgrade, I’m definitely going to miss the old theme. On the other hand, no work had been done since Wordpress 1.5 on the administrative look and feel, so any work, regardless of how it feels, is welcome. Perhaps this is just a stepping stone to a truly better admin panel?
The WP 2.5 release notes blog post indicates some other nice changes:
- Multi-file upload with progress bar
- EXIF extraction (the photobloggers will love this)
- Password strength meter
- Few-click plugin upgrades (I am expecting some 0day exploits here)
- Built-in galleries
- A new Shortcode API (Isn’t this just BBCode ripped off?)
I’ll probably end up installing this with the next release of my own blogs and themes, as the features look promising.
Wordpress Founder Slams Six Apart
Techcrunch has a hilarious exchange of fire between Wordpress founder Matt Mullenweg and Six Apart’s evangelist Anil Dash over the relative merits of Wordpress and MovableType:
Anil Dash: “WordPress 2.5 is about to be released, and we wanted to encourage WordPress users to upgrade. To Movable Type.”
Matt Mullenweg: “Six apart is getting desperate, and dirty.”
Anil Dash: “Desperation is resorting to name-calling and slander instead of substance — if there’s a factual error, i’m glad to fix it.”

I’ve written before about how I personally prefer Wordpress to Movable Type because it offers me an unprecedented open source experience, tons of community support, and easy hackability. It’s also pretty damn fast, so I don’t worry about my server crashing or overloading.
However, it’s also totally ok in the competitive marketplace of free blogging software for one manufacturer to directly tout its own features in comparison to another piece of software. What’s wrong with saying that Movable Type has features x, y, and z that Wordpress is still dreaming of?
Update: Mullenweg, of Wordpress, has followed up his Twitter with a post Wordpress Is Open Source, in which he says “I had held off criticizing [MovableType and Six Apart] after they went OS and before they decided to start an all-out confrontation because that’s not generally what OS projects do to each other.”
Easy Database Backup with Amazon S3
Taking Paul’s great article How To: Bulletproof Server Backups with Amazon S3 a step farther, here’s an easy way to automate your Wordpress database backups. First, follow all the steps to get ruby and the s3sync client installed. Once that is set up, create a text file somewhere with the databases you’re interested in. I called mine s3backup-db.txt:
[root s3sync]# cat s3backup-db.txt
db-one
db-one-user
db-one-pass
db-two
db-two-user
db-two-pass
Then you’ll need to make a folder for your backups, which I put in /home/s3backup/. The shell script that does the backups is as follows:
#!/bin/bash
BUCKET=your-bucket-here
BACKUP=/home/s3backup/
ROOT=/root/s3sync/
NOW=$(date +%m%d%y)

# Arguments arrive as (database, user, password) triples; anything else is a mistake.
if [ $(($# % 3)) -ne 0 ]
then
    echo "Wrong number of arguments!!"
    exit 1
fi

while [ $# -gt 0 ]
do
    DBNAME=$1; shift
    DBUSER=$1; shift
    DBPWD=$1; shift

    # Note: this line prints the password, and -p$DBPWD may be visible to other
    # local users in the process list while mysqldump runs, so keep the cron
    # mail for this job where only root can read it.
    echo "Backing up MySQL db '$DBNAME' with '$DBUSER:$DBPWD'"
    nice mysqldump -u "$DBUSER" -p"$DBPWD" -C -q "$DBNAME" | gzip -9 > "$BACKUP$DBNAME.$NOW.sql.gz"

    # Append each compressed dump to one tarball, then drop the per-database file.
    cd "$BACKUP"
    tar -r -f "backup.$NOW.tar" "$DBNAME.$NOW.sql.gz"
    rm -f "$DBNAME.$NOW.sql.gz"
    cd "$ROOT"
done

# Push the backup folder to the bucket over SSL, then clean up the local tarball.
nice ruby "${ROOT}s3sync.rb" -r --ssl --progress "${BACKUP}" "$BUCKET:"
rm -f "${BACKUP}backup.$NOW.tar"
This will dump a file called backup.040506.tar in the Amazon bucket you picked earlier containing the full database backups of the arguments you specified. You can run the script like this, and it will produce a little bit nicer output than Paul’s bare-bones backup:
[root s3sync]# cat s3backup-db.txt | xargs /root/s3sync/s3backup-db.sh
Backing up MySQL db '*****' with '****:****'
Backing up MySQL db '*****' with '****:****'
Update node backup.080507.tar
The next step is just to set it up with cron to run every night at midnight:
[root s3sync]# crontab -e
crontab: installing new crontab
[root s3sync]# crontab -l
0 0 * * * cat /root/s3sync/s3backup-db.txt | xargs /root/s3sync/s3backup-db.sh
If you want an easier way to back up all your databases than listing some of them, just use your MySQL administrative username and password with mysqldump’s --all-databases parameter. However, on my host there are things like Plesk databases I’m not particularly interested in backing up, so this works better for me. Just make sure you set s3backup-db.txt to mode 0600 (u=rw, nothing for group or other) so that no one but root can see those passwords:
-rw------- 1 root root 148 Aug 5 13:40 s3backup-db.txt
Squidoo XSS Exploit Leads to Wordpress Spam Deluge
I’ve been getting a lot of Wordpress comment / trackback spam pointing to Squidoo these days, because it doesn’t validate the HTML markup users can enter into their pages. This makes it easy for spammers to put in an iframe with an external src that basically redirects the browser to their spam (usually porn) page. Written out plainly, the javascript amounts to this:
// injected payload: as soon as the page loads, send the visitor to the spam site
window.onload = function () {
    window.location = "http://wpi.biz/in.cgi?5&parameter=porn";
};
The page you get redirected to looks like a bunch of adult-themed Youtube videos (they’re just images, actually, which I’ve censored) that prompt you to download something that’s probably spyware. I didn’t investigate this further; it’s obviously very evil:

The code actually sitting on Squidoo’s servers looks like this:

And the comments left on my blogs are of the form:
New trackback on your post #1852 "Coding Horror: Hot Tech Blog"
Website: hot ebony men (IP: 190.72.74.193 , <a href="http://190-72-74-193.dyn.dsl.cantv.net" title="http://190-72-74-193.dyn.dsl.cantv.net" target="_blank">190-72-74-193.dyn.dsl.cantv.net</a>)
URI : <a href="http://www.squidoo.com/some-nasty-url/" title="http://www.squidoo.com/some-nasty-url/" target="_blank">www.squidoo.com/some-nasty-url/</a>
Excerpt: hot ebony men…
I’ve sent email to both the Akismet team and the Squidoo team about this, hopefully they will:
- Implement kses-based filtering on their html input *immediately*
- Add some spam-weight to the squidoo domain until this is fixed
There’s no excuse for an XSS hole this simple to exist. Javascript, iframes, etc. should be disallowed. Just let basic markup through, and strip out the rest! For now, I also recommend adding the word “squidoo” to your blacklist in the Wordpress discussion options.
Update: According to the Squidoo blog, iframes will be banned as of July 12th. I can’t think of anything you can do with an iframe that you can’t do with regular HTML, except untrusted stuff like redirects or arbitrary JS.
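One way to implement the kses-style allowlist filtering asked for above, as an added example that is not Squidoo’s or WordPress’s own code: the whole input is escaped first and only a small, assumed set of tags (b, i, em, strong, p, br, and a with an http(s) href) is re-enabled, so an iframe or script can never survive the filter. The sample inputs and the spam.example host are constructed for the example.

```javascript
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'p'];

// Step 1: neutralise everything. Afterwards no raw <, >, " or & remains.
function escapeHtml(text) {
  return text.replace(/&/g, '&amp;')
             .replace(/</g, '&lt;')
             .replace(/>/g, '&gt;')
             .replace(/"/g, '&quot;');
}

// Absolute http(s) URL from a conservative character set. A raw & has already
// become &amp; by now, which is the correct form inside an href anyway.
// Lazy (+?) so the group stops at the first closing &quot;&gt;.
const SAFE_HREF = "https?://[A-Za-z0-9._~/%:?#@!$&'()*+,;=-]+?";

// Step 2: re-enable exactly the markup we trust by matching its escaped form
// literally. A tag carrying any other attribute (onclick=, src=, ...) stays escaped.
function sanitize(html) {
  let out = escapeHtml(html);
  for (const t of ALLOWED_TAGS) {
    out = out.replace(new RegExp('&lt;(/?)' + t + '&gt;', 'gi'), '<$1' + t + '>');
  }
  out = out.replace(/&lt;br\s*\/?&gt;/gi, '<br>');
  out = out.replace(new RegExp('&lt;a href=&quot;(' + SAFE_HREF + ')&quot;&gt;', 'gi'),
                    '<a href="$1" rel="nofollow">'); // nofollow: no link-love for spammers
  out = out.replace(/&lt;\/a&gt;/gi, '</a>');        // a stray </a> is harmless
  return out;
}

// Constructed samples of the kind of markup the post describes (spam.example is a placeholder).
const SAMPLES = [
  '<b>nice post</b> <iframe src="http://spam.example/in.cgi"></iframe>',
  '<a href="javascript:alert(1)">click</a>',
  '<a href="http://example.com/?a=1&b=2">link</a> <p onclick="x">hi</p>',
];
for (const s of SAMPLES) console.log(sanitize(s));
```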
Top 7 Free Wordpress Themes
Good Wordpress themes are hard to find now that the market is deluged with sponsored-link-bearing crap. A search for “wordpress themes” in Google brings up advertisements to the max, most of which seem to be created by color-blind SEOs looking to get link-love and a buck from Google. Still, there are truly great new themes being made; you just have to be able to separate them from the noise.
Why? I want to add something to the WP Theme Community, which is my selection of the best themes. This post is intended to cut down on the noise.
Theme #1) Andreas 1.12
It looks like what Wordpress’ default theme should have been. Simple, with three columns, nice blue colors, and big text. It’s also got the Kubrick-inspired top header image for your customization or monetization delight.
Theme #2) Presscut 1.0
The thing that got me about this one is the brilliant use of the left and right column whitespace to put up a patterned background / extra-wide border.
Theme #3) Iceburgg
Iceburgg, dogg. The one thing that can be said about this cute, blue, cold, colorful theme is that it suits–and only suits–a winter season. If you were to use this as your general theme, you should probably customize and genericize all the graphics to taste.
Theme #4) Gridlock 1.4
The only thing I don’t like about gridlock is the large, grey right hand column, which seems out of place with the rest of the theme. Overall it has a very magazine-style text-based approach that works well.
Theme #5) Deep Red
Unique, this theme is thick. It’s got Web 2.0 written all over it, with big regions of text and color. The innovation is in the massive right-sidebar and header which wrap the content with text, rather than widgets or images.
Theme #6) Beautiful Day
Yep it’s the same theme directory again, but this one gets a nod for its well-done colorspace and menu bar. The image overlay hovers are beautiful, and the blue colors make it look as good as Windows Aero.
Theme #7) Dark Theme
Bartelme, again, shows us how it’s done. I thought I’d end this list with a BIG BANG, and here it is. This is the theme that powered his site until he recently redesigned it into a sleeker, sharper look. If you like wide, you can’t get wider than this. And it’s professional: this guy’s a web designer by trade!