Elliott C. Back: In Aere Aedificare

With the release of their latest version of Wordpress, 2.5, the official Wordpress site has undergone a redesign by Happy Cog studios:

The main page has been refreshed in boring, pastel colours, and prominent links to their Wordpress for Dummies book via Amazon affiliate link and their hosting affiliate suggestions have been added. I’m honestly not impressed with the redesign, which has included work on the administrative interface:

It’s as if they took the strong ideas and colors of Wordpress past, watered them down, spaced them out, and made sure everything looks sufficiently web 2.0 without actually adding a substantial improvement. Every administrative screen now looks different and inconsistent with the others. If I upgrade, I’m definitely going to miss the old theme. On the other hand, no work had been done since Wordpress 1.5 on the administrative look and feel, so any work, regardless of how it feels, is welcome. Perhaps this is just a stepping stone to a truly better admin panel?

The WP 2.5 release notes blog post indicates some other nice changes:

• Multi-file upload with progress bar
• EXIF extraction (the photobloggers will love this)
• Password strength meter
• Few-click plugin upgrades (I am expecting some 0day exploits here)
• Built-in galleries
• A new Shortcode API (Isn’t this just BBCode ripped off?)

I’ll probably end up installing this with the next release of my own blogs and themes, as the features look promising.

Techcrunch has a hilarious exchange of fire between Wordpress founder Matt Mullenweg and Six Apart’s evangelist Anil Dash over the relative merits of Wordpress and MovableType:

Anil Dash: “WordPress 2.5 is about to be released, and we wanted to encourage WordPress users to upgrade. To Movable Type.”

Matt Mullenweg: “Six apart is getting desperate, and dirty.”

Anil Dash: “Desperation is resorting to name-calling and slander instead of substance — if there’s a factual error, i’m glad to fix it.”

I’ve written before about how I personally prefer Wordpress to Movable Type because it offers me an unprecedented open source experience, tons of community support, and easy hackability. It’s also pretty damn fast, so I don’t worry about my server crashing or overloading.

However, it’s also totally ok in the competitive marketplace of free blogging software for one manufacturer to directly tote its own features in comparison to another piece of software. What’s wrong with saying that Movable Type has features x, y, and z that Wordpress is still dreaming of?

Update: Mullenweg, of Wordpress, has followed up his Twitter with a post Wordpress Is Open Source, in which he says “I had held off criticizing [MovableType and Six Apart] after they went OS and before they decided to start an all-out confrontation because that’s not generally what OS projects do to each other.”

A lot of people talk about Wordpress performance, and how to get a webserver to perform as efficiently as possible. However, without a quantifiable methodology to testing website performance, you can’t actually talk about it. ApacheBench (ab) is the solution to the problem of measuring website performance. What is ApacheBench? The man page provides a suitable answer:

ab - Apache HTTP server benchmarking tool

ab is a tool for benchmarking your Apache Hypertext Transfer Protocol (HTTP) server. It is designed to give you an impression of how your current Apache installation performs. This especially shows you how many requests per second your Apache installation is capable of serving.

If you have installed apache or apache-devel, you should be to simple invoke ab by typing it on the command line. For example, to benchmark my own site here, I would write:

[root ~]# ab -n 10000 -c 100 http://elliottback.com/wp/

This says “make 10,000 concurrent requests to host elliottback.com via http and request /wp/ on 100 threads.” The result of this is the following report:

This is ApacheBench, Version 2.0.40-dev < $Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 2006 The Apache Software Foundation, http://www.apache.org/

Benchmarking elliottback.com (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Finished 10000 requests

Server Software: Apache/2.2.6
Server Hostname: elliottback.com
Server Port: 80

Document Path: /wp/
Document Length: 34331 bytes

Concurrency Level: 100
Time taken for tests: 13.596345 seconds
Complete requests: 10000
Failed requests: 0
Write errors: 0
Total transferred: 346230000 bytes
HTML transferred: 343310000 bytes
Requests per second: 735.49 [#/sec] (mean)
Time per request: 135.963 [ms] (mean)
Time per request: 1.360 [ms] (mean, across all concurrent requests)
Transfer rate: 24868.08 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 1.6 0 20
Processing: 8 134 12.7 132 190
Waiting: 4 134 12.7 132 190
Total: 16 134 12.1 132 190

Percentage of the requests served within a certain time (ms)
50% 132
66% 134
75% 136
80% 137
90% 145
95% 160
98% 175
99% 179
100% 190 (longest request)

According to these numbers, my dual core server can do 750 requests per second, fulfilling each within about 150ms each. That’s pretty fast, probably because I know the secrets of Wordpress Optimization. If you make every layer as fast as it can be, and cache heavily, you too can see lightening fast Wordpress installations!

I’ve been getting a lot of Wordpress comment / trackback spam pointing to Squidoo these days, because it doesn’t valid the HTML markup users can enter into their pages. This makes it easy for spammers to put in an iframe with an external src that basically redirects the browser to their spam (usually porn) page. If the javascript were nice it would look like this:

window.onload=function(){
    window.location = "http://wpi.biz/in.cgi?5&parameter=porn";
}

The page you get redirected looks like a bunch of adult-themed Youtube vidoes–they’re just images, actually, which I’ve censored–that prompt you to download something that’s probably spyware. I didn’t really investigate this further, it’s obviously very evil:

The code actually sitting on Squidoo’s servers looks like this:

And the comments left on my blogs are of the form:

New trackback on your post #1852 "Coding Horror:  Hot Tech Blog"
Website: hot ebony men (IP: 190.72.74.193 , <a href="http://190-72-74-193.dyn.dsl.cantv.net" title="http://190-72-74-193.dyn.dsl.cantv.net" target="_blank">190-72-74-193.dyn.dsl.cantv.net</a>)
URI    : <a href="http://www.squidoo.com/some-nasty-url/" title="http://www.squidoo.com/some-nasty-url/" target="_blank">www.squidoo.com/some-nasty-url/</a>
Excerpt: hot ebony men…

I’ve sent email to both the Akismet team and the Squidoo team about this, hopefully they will:

1. Implement kses-based filtering on their html input *immediately*
2. Add some spam-weight to the squidoo domain until this is fixed

There’s no excuse for an XSS attack of this simplicity to exist. Javascript, iframes, etc should be disallowed. Just let basic markup through, and strip out the rest! For now, I also recommend adding the word “squidoo” to your blacklist in the Wordpress discussion options.

Update: According to the Squidoo blog, iframes will banned as of July 12th. I can’t think of anything you can do with an iframe that you can’t do with regular HTML except untrusted stuff, like redirects or arbitrary JS.

Good Wordpress theme are hard to find now that the market it deluged with sponsored-link bearing crap. A search for “wordpress themes” in Google brings up advertisements to the max, most of which seem to be created by color-blind SEOs looking to get link-love and a buck with Google. Still, there are truly great new themes being made, you just have to be able to separate them from the noise.

Why? I want to add something to the WP Theme Community, which is my selection of the best themes. This post is intended to cut down on the noise.

It looks like Wordpress’ default theme should have. Simple, with three columns, nice blue colors, and big text. It’s also got the Kubrick inspired top header image for your customization or monetization delight.

The thing that got me about this one is the brilliant use the left and right column whitespace to put up a patterned background / extra-wide border.

Iceburgg, dogg. The one thing that can be said about this cute, blue, cold, colorful theme is that it suits–and only suits–a winter season. If you were to use this as your general theme, you should probably customize and genericize all the graphics to taste.

The only thing I don’t like about gridlock is the large, grey right hand column, which seems out of place with the rest of the theme. Overall it has a very magazine-style text-based approach that works well.

Unique, this theme is thick. It’s got Web 2.0 written all over it, with big regions of text and color. The innovation is in the massive right-sidebar and header which wrap the content with text, rather than widgets or images.

Yep it’s the same theme directory again, but this one gets a nod for its well-done colorspace and menu bar. The image overlay hovers are beautiful, and the blue colors make it look as good as Windows Aero.

Bartelme, again, shows us how it’s done. I thought I’d end this list with BIG BANG, and here it is. This is the theme that powered his site until he recently redesigned it into a sleeker, sharper look. If you like wide, you can’t get wider than this. And, it’s professional–this guy’s a web designer by trade!