Monthly Archives: April 2008

Armchair Scaling Experts

random($foo): Internet Asshattery, Armchair Scaling Experts Edition. If you’re not the largest site using a given piece of software or framework and you’re having more trouble than someone who is, you’re doing it wrong.

With WordPress specifically, there are hundreds of sites I can point to that scale just fine to meaningful traffic levels with no caching, plugins, or anything. If your server is tuned for serving static files instead of dynamic requests, then a plugin to make WP output static files is a fine band-aid, but only if you don’t have the access or expertise to properly configure things in the first place. (In which case you should consider alternative hosting, help, or a hosted service like WordPress.com.) But people like to think that (1) they’re bigger or more special than anyone else or (2) that the 5-6 layers that sit under WordPress have nothing to do with its performance.

I don’t expect everyone to know about this, it’s very much a learning-by-doing thing and everyone’s situation is different. But at least operate with the assumption that if there’s someone bigger running without troubles that they (or sufficient Googling) might be able to help you out.

See also: the shockingly ignorant comments (over 200 at this writing) on this post. There are some smart people in there, but they’re drowned out by “wind0z sux!” and “that’s what you get for using (PHP|MySQL|WP|IIS|RDBMS)…”

Here’s a WordPress blog doing just fine:

Optimism Tax

Around 1:00 am on Halloween, I hailed a cab with a friend. “Drive around to the front of this building. Can ya leave the meter running while I go inside to tell our friends that we’ve left? Thanks, man… I appreciate it.”

A few minutes later, the cabbie told my friend to run inside and get me because he was in a hurry and had someone waiting.

John “Halcyon” Styn beginning a story on the Optimism Tax, which I paid today in the form of a GPS, some sunglasses, and an original PalmPilot. “[A] small price to pay to be able to continue trusting people.”

New Spring Design

Time to come out of your RSS readers and visit the site. In celebration of Spring, Summer, the new domain, and WordPress 2.5 I’m launching a new version of Photo Matt / Ma.tt. Here’s a before and after picture:

Old and new ma.tt

A couple of functionality changes you’ll notice:

  • Thumbnails and photos are now much larger. (Especially photos, now 840px wide.) Imagine it like going HD, you’ll definitely enjoy it more on broadband.
  • I’ve brought back the photo tech details like aperture and focal length.
  • In addition to posts and asides, I’m now doing new post types: galleries, quotes, videos, and highlight photos.
  • You can now click on a photo to go to the next one, making  browsing galleries easier.
  • The header is a lot shorter, so you get to the content faster. You can’t say I have a big head anymore. 🙂
  • I’m starting to use the new taxonomy bits in 2.5 to tag people, places (geotagging), things, and concepts in the various photos. (More on this later, still a bit broken.)
  • This is the first iteration of this site that is powered entirely by WordPress. (I know, 5 years late. The cobbler’s children go shoeless!) Before it was a cobbled together set of PHP includes and software like Gallery. Now 100% WP.
  • Gravatars are much more prominent. I wonder if there’s a way to only allow comments from people with Gravatars? It looks so much better.
  • Name has changed from Photo Matt to Ma.tt, tagline is the same.

The fine design was executed by Nicolò Volpato, the same talented fellow who did the last design. My concept was to evoke Spanish talavera, inspired by my trips to Spain and Argentina and pottery at my parents’ house like this, this, and this. It was a lot of fun to work with Nicolò on and I already have a few ideas for Fall. 🙂

I’ve been noodling on the implementation for months now. Last night I had just arrived from New York and it turned out the Jay-Z/Mary J Blige concert in Oakland got postponed so I found myself with a bit of time on my hands and decided to tie up all the loose ends. There are still a ton of things broken like the photo border on portrait images, I still have 15k old photos to import, and you may see the old design on some older pages, but I wanted to get it out there. There are also some weird things, like Firefox seems to back the background image blurry while it’s razor-sharp in IE and Safari. I feel like I’ve seen that somewhere before.

Finally I’m hoping to release a lot of the work I did here, including a version of the old theme, the plugin + script I’m using to resize all my old images on the fly, the taxonomy stuff, and some core improvements to WP to make some of the things I’m doing here easier. (I got lazy and did some direct SQL queries, etc.)

SecurityFocus SQL Injection Bogus

Since people are asking, this so-called alert on Security Focus appears to be completely false and has no information that an attacker or the WordPress developers could use. It is completely content-free, except for making claims that every version of WP since 2.0 is vulnerable.

Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire” and the less basis there is in fact the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team is sifting through things to see what’s valid or not.

A valid security report looks like this, it usually includes sample code and a detailed description of the problem. The WP security team was notified of the KSES problem and it was fixed in 2.5. You can impress your friends by saying whether a security report is valid or not, so it’s a good critical facility to pick up.

All that said, there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself through hidden spam being put on your site, either in the post or in a directory, and people notice when they get dropped from Google. (Google will drop your site if it contains links they consider spammy, you’ll remember this is one of the main reasons I came out against sponsored themes.) Google has some guidelines as well, what to do if your site is hacked. If I were to suggest WordPress-specific ones, I would say:

Continue reading SecurityFocus SQL Injection Bogus