WordPress & Security Notes From The St. Louis WordPress Developers Meetup

This week at the St. Louis WordPress Developers Meetup we discussed tips and tricks on how to ensure your WordPress installations are as secure as possible. I’ve collected my notes below.

For further reading, check out Eric Juden’s notes as well.

Things you can do “Out of the Box”

  • Check the Codex for some general tips on Hardening WordPress.
  • Check your file permissions to make sure they are as secure as possible.
  • Change the default “wp_” table prefix to something unique. Automated SQL injection attacks hardcode table names that start with “wp_”, so a different prefix breaks them. (As Ken Johnson points out in the comments of the WordPress Meetup, this is probably only a good idea on new installations!)
  • Delete the default admin account. You should never post from admin as it looks dorky and gives away that you’re using WordPress.
  • Use strong passwords! Don’t give clients the same lame password over and over. Be unique.
  • Delete unused themes and plugins. They just take up space and are yet another vector for attacks.
  • Use Akismet for managing comment spam. Not exactly security, but part of decreasing the amount of time you dedicate to meddlesome maintenance.
  • Hide your version number and change the readme.html file to something random. Nefarious people are looking for easy targets; changing things up a bit makes these automated attacks more difficult to pull off. The following snippet (theme functions.php or a plugin) blanks the generator string that WordPress prints in the page head and in feeds:
// Return an empty string in place of the "WordPress x.y.z" generator tag.
function remove_wp_version() {
     return '';
}
add_filter('the_generator', 'remove_wp_version');

  • Change Salts often – you can even use this handy tool to generate new ones – https://api.wordpress.org/secret-key/1.1/salt/
  • Move wp-config.php to the directory above public_html (WordPress looks for it one level above the web root). If they can’t get to it via the web, they can’t see your database username/password or salts.
  • Update your stuff. Here’s a list of security fixes in 3.5.1 alone:
    • Server-side request forgery (SSRF) and remote port scanning via pingbacks. Fixed by the WordPress security team.
    • Cross-site scripting (XSS) via shortcodes and post content. Discovered by Jon Cave of the WordPress security team.
    • Cross-site scripting (XSS) in the external library Plupload. Plupload 1.5.5 was released to address this issue.
  • Find a good, respectable host: someone who keeps up with new versions of PHP, MySQL, etc. – not GoDaddy.
  • When all else fails, a good backup will be your last line of defense. Test your backups regularly.

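As an added example (my own code, not from the post and not from WordPress core or any plugin it mentions), here is a must-use plugin that applies several of the tips above in one place: it blanks the generator tag in the head and feeds, strips the core version from script and style URLs, unregisters the XML-RPC pingback.ping method (the entry point of the SSRF fixed in 3.5.1) for sites that don’t need pingbacks, and shows administrators a dashboard warning when the “wp_” prefix, a sample-placeholder salt, a user named admin, or readme.html is still in place. The file name wp-content/mu-plugins/meetup-hardening.php and the meetup_ function names are assumptions of mine; the hooks and functions used are the standard WordPress API.

```php
<?php
/**
 * Plugin Name: Meetup hardening notes (added example)
 * Description: Hides WordPress version fingerprints, turns off pingback.ping,
 *              and warns administrators about leftover defaults.
 * File path (assumed): wp-content/mu-plugins/meetup-hardening.php
 */

// Bail out if the file is requested directly instead of loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Version number: drop the <meta name="generator"> tag from the head and
//    return an empty generator string for RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// The version also leaks as ?ver=x.y.z on core script/style URLs. Strip it only
// when it equals the WordPress version, so theme/plugin cache-busting versions stay.
function meetup_strip_core_ver( $src ) {
    $query = parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        parse_str( $query, $args );
        if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
            $src = remove_query_arg( 'ver', $src );
        }
    }
    return $src;
}
add_filter( 'style_loader_src', 'meetup_strip_core_ver' );
add_filter( 'script_loader_src', 'meetup_strip_core_ver' );

// 2. Pingbacks: 3.5.1 closed an SSRF in pingback handling. If the site does not
//    use pingbacks at all, unregister the XML-RPC method so nothing is reachable.
function meetup_disable_pingback( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'meetup_disable_pingback' );

// 3. Leftover defaults: collect the problems the meetup list warns about.
function meetup_default_checks() {
    global $wpdb;
    $problems = array();

    if ( 'wp_' === $wpdb->base_prefix ) {
        $problems[] = 'Table prefix is still the default "wp_".';
    }

    // "put your unique phrase here" is the placeholder shipped in wp-config-sample.php.
    $salts = array( 'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
                    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT' );
    foreach ( $salts as $name ) {
        if ( ! defined( $name ) || 'put your unique phrase here' === constant( $name ) ) {
            $problems[] = $name . ' is unset or still the sample placeholder; regenerate all salts from https://api.wordpress.org/secret-key/1.1/salt/.';
            break;
        }
    }

    if ( username_exists( 'admin' ) ) {
        $problems[] = 'A user named "admin" still exists.';
    }

    if ( file_exists( ABSPATH . 'readme.html' ) ) {
        $problems[] = 'readme.html is still present in the web root.';
    }

    return $problems;
}

// Show the collected problems to administrators only, as dashboard notices.
function meetup_admin_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( meetup_default_checks() as $msg ) {
        echo '<div class="notice notice-warning"><p>' . esc_html( $msg ) . '</p></div>';
    }
}
add_action( 'admin_notices', 'meetup_admin_notice' );
```

Must-use plugins load on every request and cannot be deactivated from the dashboard, so the file takes effect as soon as it is in place. The check functions only report; they change nothing, and the prefix warning is only actionable on a new install for the reason Ken Johnson gives above.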

Extra Things You Can Do

Some useful plugins that can help give peace of mind or help with managing WordPress.


Further Reading

http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess

http://wpsecure.net/secure-wordpress-advanced/


Themes Mentioned During the Chat


Join Us

If you’re thinking about attending one of the meetings I encourage you to do so. The diversity of knowledge and skill sets almost guarantees that there’s something new to learn. Everyone is approachable and there to share and grow together.

Big Data, Mining, and (Musical) Recommendation Engines

As a side project in my free time I’m helping a small business set up an e-commerce store front. One of the things we’ve discussed is the idea of a recommendation engine to suggest other items to purchase. This led down an Internet rabbit hole where I ended up reading about The Echo Nest.
The Echo Nest is a self-described “music intelligence platform that synthesizes billions of data points and transforms it into musical understanding.” It is widely heralded as one of the largest and most comprehensive uses of data mining (to find the language and culture around music across the web) and big data (to store and present those relationships) within the music recommendation industry.
Yes! There is an industry. A substantial one. Apple’s Genius feature in iTunes, Pandora, Last.fm, Spotify – all are trying to provide relevant music based upon your listening tastes. Why? So you’ll buy more music of course!
Brian Whitman, one of the co-founders of The Echo Nest, talks in great length about the how and why behind what makes their product so unique – and so incredibly accurate. I won’t steal the thunder of the article, but needless to say, dedication and refinement are key.
This is totally sausage-making, behind-the-scenes stuff, but I encourage you to at least look it over.
Ok, so now the really fun stuff. Here’s something called The Infinite Jukebox. It uses some of the data points within the Echo Nest to create a version of a given song that never ends. It uses references within a song that are similar to other points within the song, makes some minor adjustments when needed (like tempo) and then plays the song forever. The presentation is neat as well, you can view the branches within the song where things loop and even click around the song to find points where things can loop.

At work we’re looking at ways of using the topics of big data, mining, and recommendation engines to provide better healthcare. Reading about The Echo Nest gives me some ideas on how these technologies could impact the care we give! If you have your own ideas or suggestions, please leave a note below.

What I’d love to see from Flickr

A few comments from my good friends John Lamb¹ and Kurt Werstein had me thinking about what I like about Flickr and why I keep using it when so many people have moved to Facebook, Google+, Zenfolio, 500px² and the like.

I’ve been an enthusiast photographer for a while. According to Aperture I have taken over 26,000 photos in the past 7 years. I’ve recently started investing more time (and by association, money) into my hobby of photography with a recent camera purchase.
I’ve shared over 3,000 of my photos on Flickr. I love it and have consistently used Flickr since 2005. Recently it’s been chided as having missed the boat on things like social and mobile, but for reliably sharing images and finding other photographers (and their photos) it’s the best solution I’ve found yet.
I’m also an Aperture person, so I love the integration between the two. It makes my workflow more efficient and less frustrating than alternatives. In the past I would load the images into a folder, sort by hand to find those worth editing/sharing, load into Photoshop, edit and then export. Then, finally, upload to Flickr.
Aperture handles that all for me, even keeping the EXIF data intact including titles for my pics. Best part is that it can auto-create sets and import keywords to tags to boot!
While I’m a Flickr fan, I do admit that there are a few things that Flickr could improve in their offerings to avid and professional photographers alike. I’ve been jotting notes down for a few weeks now as I’ve thought about my relationship with Flickr. I have a few ideas that I think are worth sharing.
I’ll update this article as I think of new things and hopefully as Flickr adds these features over time I’ll get to mark a few out. If you have a suggestion or an idea, please leave a comment.

Professional Views

Lightbox view on Flickr is great, but one click and you’re back to the normal Flickr. Give photographers the option to set themes for sets or collections. Great for pointing clients to review a set of photos.

Password protected sets or collections

Speaking of photographers sharing specifically with clients, let photographers share their stuff in a controlled way via passwords without requiring guests to have a Yahoo! account. Great for sharing proofs (or final edits) to a select group or individual client. I could see this being very popular for photographers shooting corporate events, weddings, birth announcements, etc. See Vimeo’s handling of password protected videos as an example.

Better monetization options

Give photographers a cut of print sales, more third-party companies to print to and allow photographers to create a ‘store front’ for select photos. Like the professional views idea above, let photographers edit a few areas to make things look professional.

Individual licensing

This is related and a fairly recent trend. Cut out the middlemen (Getty, Shutterstock, etc.) and let people (professional, semi-pro and casual) market directly to other individuals looking for photography.

Less page refreshes, more visible metadata

I’d love quicker access to common metadata – having to click and wait for a second page load sucks. I love looking at a photo at a large size and seeing what other people are doing with the same gear – or with gear I’m interested in. I love photos where I go, “Huh, how did they do that?”
Make this a modal AJAX element of the information. When I click the + next to the ‘Taken with a xx’ have some of the high level EXIF data present such as lens, aperture, shutter speed, ISO and time of day.

Update: It’s not perfect (I think it should be higher on the page) but Camera Settings (EXIF) is now on the photo page!

Better mobile apps

The current Flickr mobile site and iOS app are rather lackluster. Let people upload from their smart phone to the site without the app. (iOS 6 FTW!) Allow group participation on Flickr to be as easy as Facebook or Twitter for mobile interfaces. Let me comment and share to groups with ease. I want to see notifications when people comment on a photo, add it as a favorite, or reply to a comment.

Better Groups

Groups are great nodes in the big web of photographers on Flickr. They’re focus points of attention across a sea of individual photos. Give Flickr groups a shot in the arm with a more modern interface. Threaded comments, voting and collapsible navigation. Let me see past comment history from folks. Allow folks to upload more than 6 photos at a time and give me Facebook-like notifications when activity has occurred in a group. Let people like a photo directly from every embed – like you can in justified view. Use the tags, titles and set/collection names to suggest related groups that I might be interested in. Do I tag a lot of photos in Seattle? Invite me to Seattle-related groups. Are most of my photos taken at night? How about some night photography groups?

Better Stats

I’m spoiled by Google Analytics, WordPress.com and Facebook metrics. Flickr gives you some basic stats, but I’d love to see timeline views for individual photos over a range greater than the past 30 days. Let me see how different ways of publicizing my photos impact their views over time.
Give photographers better stats on where people are coming from. A lot of my referrals are internal to Flickr. Tell me where on the site they are coming from. Are most of my views from random keyword searches, groups I participate in, people who are contacts, etc.?

Find people

Help me find people with similar tags, group membership, geographic location of photos (and profile). One of the great things about Instagram is the ability to quickly find existing friends from Facebook and Twitter. (Yes, I’m aware that the Twitter contact function was removed in a recent update.) Figure out a way to plug me in to as many folks as possible. Make recommendations intelligent and unobtrusive.
This is really just a list of desired features and not a deeply substantial or cohesive strategy for moving Flickr forward. I do enough of that in my day job!
I hope these ideas give a hint of a bigger picture and some suggestions to move things forward. I know there are smart, passionate and creative people working on Flickr – people who are far more intelligent than I in figuring out what Flickr needs.
I have high hopes for those folks. There’s plenty of positive movement with Yahoo’s new CEO, the great team that continues to support Flickr and the recent news about the SVP over Flickr having a past as a National Geographic wildlife photographer. I don’t think Flickr is dying, but I do think it needs a good shot in the arm.

Star Trek Replicator Version 1.0

“So once you have a design on your computer, you can prototype a single copy on your desktop fabricator—or upload it to a commercial manufacturing service and generate thousands. Essentially, you “print local” on your MakerBot and “print global” with cloud manufacturing services ranging from Shapeways and Ponoko to Chinese mass-production facilities found through Alibaba.com. Modern CAD software like the free Autodesk 123D even offers wizards to make it simple to go from one copy to many. All you have to do is click the right buttons, enter your credit card number, and you’re in the manufacturing business. The services will even ship the finished goods directly to customers.”

– The New MakerBot Replicator Might Just Change Your World, Wired

I’m sure Starfleet started with extruded colored plastics as well. This is impressive stuff and for $2,000 it’s getting more affordable for hackerspaces, DIY groups, schools and colleges – not to mention the individual.

Remix

“Remixing is the adoption, alteration, and recombination of pre-existing cultural texts (songs, literature, paintings, etc.) to create something new.” (Wikipedia)

Remixing is not inherently a negative word. It has become one for many people because of its frequent association with copying and plagiarism.

Copying something is directly reproducing the existing work with no new interpretation and no credit to the original artist. This does nothing to move things forward. It is duplication.

Remixing is paying homage. It’s being aware of the elements of a prior work that inspire you and being untroubled (on purpose or unexpectedly) by those that don’t.

If someone came to you after a presentation on a new idea, product or service you were developing and said, “That’s just a remix of Picasso and thermodynamics,” it would be considered negative. This is because they used the word remix in its negative sense: copying and plagiarism.

It would also be rude to approach anyone after a presentation with negatively laden criticism, but that’s another story.

If someone came to you after presenting your work and said, “That’s an interesting approach. I never thought to combine Picasso and thermodynamics,” that would be a compliment. The critic would have made the connection (explicit or implicit in your presentation) between two previous works and seen the unique value of combining the two inspirations.

All work is influenced by prior work. Which in turn was inspired by even older prior work. Continuing ad infinitum. No new work exists without influence – even if that influence is to do the exact opposite!

I see remix (and the surrounding culture) as the penultimate way of expressing how we’re all interconnected – that every action ripples out and causes new twists and turns down unexplored paths. This is comforting, positive and powerful. It moves things forward and is an intrinsic part of making anything new.

—-

Inspiration can also happen within a single body of work. See this image of BMW cars over the years and this one of Apple iPhones.

Another recently oft-cited example of remix at work: http://gizmodo.com/343641/1960s-braun-products-hold-the-secrets-to-apples-future

Side note: I chuckled to myself while writing this. I just remixed the negative language of remix to come up with a positive definition of remix. I remixed remix.