Nerd Stuff – Tech Tips, Reviews, Tutorials, Occasional Rants (Fri, 21 Mar 2014 05:03:09 +0000)

Top 5 Script Kiddie Mistakes
Wed, 10 Jul 2013 07:29:00 +0000

These are the most common and most annoying mistakes I see in web development code on a daily basis. Well, OK, it’s the things that annoyed me most TODAY, but they’re not unique. It’s mostly PHP and MySQL stuff here, but the same abuses take place anywhere the language allows it.

1. Database prefixes. I find so many database tables that use a “table” or a “tbl” prefix. Are you serious? Do you think we don’t already know it’s a table we’re looking at? Likewise, some developers find it somehow necessary to use “column” or “col” in their column names. I mean really… do you pin your own name upside down on your shirt? Seriously, this type of labeling is completely unnecessary and it probably reveals you as the half-baked amateur that you are. Label your column names descriptively: too little info is bad, but too much is no better.

The one exception I make to this rule is this: be verbose with your primary keys because you’ll use those in all of your join statements. I know it’s easier to code if every table uses the ubiquitous “id” as the primary key, but if you ever have to do complex MySQL joins for reporting queries you’ll appreciate the fact that user_id or post_id references the same thing no matter which table it’s used in.

2. Function name prefixes. If you come across a project that uses functions declared in the main namespace it’s not much consolation that the function names are all grouped by a unique prefix. It’s like that Seinfeld bit about Chicken McNuggets: “If it McComes from where I McThink it does, I don’t want to McEat it!” Prefixed functions are the pink slime of development… they might sustain you and your project, but there’s gotta be something better on the menu.

PHP’s function_exists() function goes right along with this… if you are using this to wrap your function definitions, then ask yourself why aren’t you using a class? But if you’re asking this, you’re probably “developing” in WordPress, so you may not know what a class is. Sigh.

3. No Documentation. I’m convinced any college Freshman English Lit major could hire a developer with a pretty good fill rate — all they would have to do is read the comments. If a function does not include a description and a detail of its inputs and outputs, chances are the developer is lazy, incompetent, or both. I can understand not being able to write good code, but omitting docs? All you have to do is say your input expects a string or an array or something or just tell us what the function does, and do not ever just repeat the function name to fulfill the requirement: you missed the point.

Compare this doozy, worthy of a spanking:

To this:

Can you see the difference? I don't even need to read your code: one look at your documentation and I can tell who I would want to hire. Point is this: if you are unleashing your code spawn on the populace, it's your responsibility to document it. Do not force others to wade through your code, no matter how awesome you think it is.

4. Logic in your HTML. Yes, this one is a doozy, and it's soooo common (obligatory stinkeye to WordPress here). Loops, If-statements, and other conditionals really don't belong in your HTML. They belong in a separate layer of your application. Yes, it can be very useful to have some control over your view for readability reasons, but it's so often abused that I must mention it here as a noobie-no-no. Morphine is a great drug -- it's also often abused. Don't overdo it. If you really need to tweak output or formatting in your view layer and that's the only place to do it, well, ok. But if the calculations can be done more efficiently upstream and leave you with a cleaner HTML view that doesn't force designers to learn programming skills, then why not go for the win-win and do it that way?

5. Inconsistent or mixed return values. Your function shouldn't need an interpreter for someone to use it. If it's validating input, then try returning a simple boolean true/false. Don't return a string "success" if it worked and an error message if it didn't -- that's not intuitive for anyone who's worked with regular logic-flow structures. If your function sometimes returns an array or maybe sometimes a string and oh yes, sometimes a boolean, chances are you wrote it wrong. Keep it simple. Convenience can be handy, but don't go overboard trying to handle all kinds of input. In PHP especially, don't rely on literal true/false values since PHP's data types are a bit dubious.
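Points 3 and 5 side by side, as an added PHP example (not code from the original post): a validator with the mixed return values described above, next to a documented version that always returns a boolean, followed by the loose-comparison cases that make bare true/false checks unreliable in PHP. The function names and the sample inputs are constructed for this example.

```php
<?php
declare(strict_types=1);

/**
 * The anti-pattern from point 5, kept here only to show why it bites:
 * one function, three possible return types.
 *
 * @param mixed $email Value to validate.
 * @return string|string[] "success", an error message, or a list of errors.
 */
function validate_email_sloppy($email)
{
    if (!is_string($email)) {
        return array('Email must be a string');
    }
    if (trim($email) === '') {
        return 'Email is required';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Email is not valid';
    }
    return 'success';
}

/**
 * Validate an email address.
 *
 * Always returns a boolean. Details about a failure go into $errors, so the
 * caller never has to inspect the type of the return value.
 *
 * @param mixed    $email  Value to validate; anything but a string is rejected.
 * @param string[] $errors Receives one message per problem found (by reference).
 * @return bool True if $email is a syntactically valid address, false otherwise.
 */
function validate_email($email, array &$errors = array())
{
    $errors = array();
    if (!is_string($email)) {
        $errors[] = 'Email must be a string';
        return false;
    }
    if (trim($email) === '') {
        $errors[] = 'Email is required';
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email is not valid';
        return false;
    }
    return true;
}

// Constructed sample inputs: one valid address, one malformed, one empty,
// and one that is not a string at all.
$samples = array('alice@example.com', 'not-an-email', '', 42);

foreach ($samples as $input) {
    // A caller of the sloppy version naturally writes `if ($result)`, but a
    // non-empty error string (and a non-empty array) is truthy under PHP's
    // loose rules, so every invalid input is reported as valid.
    $sloppy = validate_email_sloppy($input);
    $sloppySays = $sloppy ? 'valid' : 'invalid';

    // The boolean version is safe to use directly in a condition, and the
    // identity operator makes the intent explicit.
    $errors = array();
    $ok = validate_email($input, $errors) === true;

    printf("%-20s sloppy says: %-8s boolean says: %s%s\n",
        var_export($input, true),
        $sloppySays,
        $ok ? 'valid' : 'invalid',
        $ok ? '' : ' (' . implode('; ', $errors) . ')');
}

// Why "literal true/false" is risky in PHP: under loose comparison (==),
// 0, "" and "0" all compare equal to false, while any non-empty string
// (an error message included) compares equal to true. Only the identity
// operator (===) tells a genuine boolean apart from those values.
$looseTraps = array(
    '0 == false'      => (0 == false),
    '"0" == false'    => ('0' == false),
    '"error" == true' => ('error' == true),
    '0 === false'     => (0 === false),
);
foreach ($looseTraps as $expr => $result) {
    printf("%-16s %s\n", $expr, var_export($result, true));
}
```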

There's so much bad code out there. If you know an experienced developer, ask him/her to review your code. Paired programming is a great way to learn. Don't assume that what you're writing is the best or only way, and be prepared to erase lots of stuff. Iterations can breed progress.

Securing Your Email via 2-Step Verification
Fri, 11 Jan 2013 20:53:14 +0000

It is vitally important to keep your email account as secure as possible. Google is one organization that emphasizes security, so take advantage of it! For Google Mail, it is easy to enable 2-step authentication. The idea is simple: in order to log in, you must provide something that you know (your password) and something that you have (your phone).

Think about this for a moment… normally if someone gets ahold of your email password, they could read your email (or impersonate you!). Think about it a bit more: once a hacker is in your email, they can visit other sites (like Facebook, PayPal, or ???) and they can easily click the “I Forgot my Password” link, and POOF: they’ll be able to log into any site that uses that email address.

The bottom line is that a hacked email account can start a chain reaction that can destroy your digital life. But with Google Mail, there are steps you can take to prevent this.

Here’s a brief video showing you how to set this up. If you’re not the domain administrator, then you can follow along with steps 4-7 below.

Enabling 2-Step Authentication in Google Mail

If you are not the domain administrator (e.g. if you are an employee) and you know that your domain administrator has already enabled this, then you can jump to step 4.

  1. Log into the Google Mail account that is the administrator for your domain.
  2. Click the Gear icon at top-right and click the “Manage” Link. That should bring up the administrator control panel.
  3. Click on the “Advanced Tools” tab, then check the box labeled “Allow Users to turn on 2-Step authentication”.
  4. Head back to the mail page by clicking the “Mail” link at the top of the screen. (If you’re not the domain administrator, this is where you would begin: inside your Google Mail home page).
  5. Click your email address at the top right: this should open a drop-down menu. Click the “Account” link next to your account avatar image.
  6. Click the “Security” link in the left-hand menu.
  7. In the “2-step Verification” section, click the “Settings” link and enter in a valid phone number.

See also Google’s official documentation.

Using Mail Applications

For our friends using iPads, smart phones, etc. who are running a Mail application, you have to set up an “Application Password” for each of these applications. These passwords are each intended for use by a single application, and they bypass the 2-factor authentication. This is necessary because some applications don’t yet support 2-factor authentication, so the application-specific passwords offer a workaround that still takes advantage of the stronger security features.

The Importance of Unique Passwords
Mon, 05 Nov 2012 17:30:47 +0000

This is a topic that Brian and I have spoken about in several posts, but take a minute to think about it: what could happen if a hacker cracked just one of your passwords? You may not think your information is really very special… so what if someone reads your email to your mother, right? Well, let’s think about this a bit…

I just read Parmy Olson’s We Are Anonymous, and one of the most devastating hacks carried out by the hacker group Anonymous was against the cyber security firm HBGary Federal and its CEO, Aaron Barr. One exploit gave the hackers password hashes, which were then cracked, so suddenly hackers had Aaron’s passwords out in the open: “kibafo33”.

But here’s where things get nasty: Aaron (who should have known better), used the “kibafo33” password on multiple sites including Twitter, Yahoo, and World of Warcraft. So with a single weakness in a single web page, suddenly, his whole digital world unraveled. The hackers were not gentle: Aaron basically lost his job, his reputation, and had to move to a new house just because some juvenile hacker-pranksters were out for a laugh. It’s not much consolation that the Anonymous hackers were eventually discovered and arrested.

So just think: what juicy bits of info could someone read in your emails? Are there naked photos in there? Do you have emails in there you’d prefer your wife/girlfriend/husband/boyfriend don’t see? Did someone ever email you a password to some other site? What’s on that other site?

It doesn’t take much imagination to realize how thoroughly you can be screwed over by losing control of just one of your online accounts. If you have used the same password more than once, then take the time to fix that now. We’ve mentioned it before, but LastPass is a great browser plugin to help you store passwords securely and make the task of managing multiple passwords much easier.

Review of Web-based Project Management Software
Sat, 31 Dec 2011 05:00:52 +0000

Help! I gotta keep track of everything I gotta do! There is help available to track your projects; you just have to know where to look.

A lot of developers, designers, students, and even web-hobbyists have a lot of items on their to-do lists for any particular site or project. You have to remember to fix that one CSS glitch, or rewrite a page to use some new function… the lists can be long and daunting. If you’re like me, you’re likely to forget half the stuff you need to do, and if it weren’t for project management software, I might as well stay in bed.

To put it mildly, there are *a lot* of applications out there that help you track bugs and manage projects, and this article only looks at a handful of them. Although the general purpose of these web applications is similar, there are substantial differences in the pricing models, features, and usability, and hopefully this article will help you identify an application that is right for you. Or, if you’ve never really thought about using one before, maybe this article can help show you why project management / bug tracking software is good to have around.

This post only covers project management. I’ve discussed invoicing software in another post. Some of these packages include time-tracking and invoicing, but that’s just a “nice-to-have” for the purposes of this article.

DISCLAIMER: I am not affiliated with any of these companies. None of the links in the article text are affiliate links; I don’t get a kickback or commission on referrals, I’m merely sharing my opinions and experiences using the software in the hopes that it’ll help inform the decisions of others.

Here’s the list… some of these are hosted solutions (software-as-service), and some you have to download and install.

Cheapest Option: Free
# Users: unlimited
Wiki?: yes
Notes: This suite of apps seems like they were hoping to get purchased by Google Apps… kinda similar, but more labored somehow.

My Intervals
Cheapest Option: Free
# Users: 4
Notes: You can get 1 project for free… but the functionality is limited.

Bit Bucket
Cheapest Option: Free
# Users: 5
Wiki?: yes
Notes: yet another solution…

Unfuddle
Cheapest Option: Free
# Users: 2
Wiki?: Yes, called “Notebooks”
Notes: This is one of my favorites for hosted solutions. I recommend Unfuddle — it’s not a silver bullet, but Unfuddle is a great tool for maintaining sanity: clean, simple, and easy to use. If you pay a little bit, you can unlock the best features.

Code Spaces
Cheapest Option: $3.99/mo
# Users: 2
Wiki?: yes
Notes: I felt the manager here was heavy… sorta Windowsy in a bad way, as in the interface needs to lighten up, but it did have a good set of features.

Feng Office (Formerly OpenGoo)
Cheapest Option: $59/mo
# Users: unlimited
Wiki?: yes
Notes: this is a popular solution for its thoroughness. You have to install it on your servers, which is actually a good thing for people storing sensitive info.

Cheapest Option: Free
# Users: unlimited
Notes: This one you have to download and install on a server that runs PHP and MySQL — it includes features for sales teams. It’s built using the ATK framework.

Project Pier
Cheapest Option: Free
# Users: unlimited
Wiki?: yes
Notes: you gotta download and install this PHP/MySQL app. This is like the PHP cousin of Redmine, so if you don’t have the ability or resources to work with Ruby on Rails, this is a nice option.

Cheapest Option: Free
# Users: unlimited
Wiki?: Yes
Notes: This is a clean app — another one you have to download and install yourself. It’s a nice option (try the demo). The only thing I didn’t care for was that the app relies heavily on icons, so it’s hard to get your bearings. Good German engineering!

Cheapest Option: Free
# Users: Unlimited
Wiki?: Yes
Notes: This is my favorite. It’s not perfect, but it’s a clean interface and easy to navigate. The major downside is that you have to install this yourself. Can you install Ruby on Rails on your server? No? Then this might not be for you.

Cheapest Option: Free
# Users: unlimited, but only 1 project.
Wiki?: Yes
Notes: although this is a hugely popular hosted solution and it’s well integrated with many software projects, it does not have a good ticketing system, and it does not tie into code versioning (e.g. SVN), so I don’t fully comprehend its popularity. It’s pretty good, but it seems over-hyped.

Cheapest Option: $25/mo
# Users: unlimited
Wiki?: yes
Notes: This integrates with their Kiln product to tightly integrate bug tracking with code revisions. There’s another product, Trello, that does visual project organization, but to be honest, I’m kinda confused by these interrelated projects.

Pivotal Tracker
Cheapest Option: $7/mo (free for non-profits)
# Users: 3
Wiki?: sorta
Notes: This is a serious app from the boys in Boulder for agile development — they’ve really thought through the way that large projects should be managed. It’s a hosted solution, but they can install it on-site if needed.

Cheapest Option: Free (for open source), otherwise $15/mo
# Users: 10
Wiki?: yes
Notes: another clean app. This is a hosted solution.

Google Code
Cheapest Option: Free
# Users: unlimited
Wiki?: yes
Notes: This option is available ONLY for open-source projects. It’s clean, with an easy interface. Updating wiki pages and bugs seems to trigger errors not infrequently, but I recommend this for any open source project.

Cheapest Option: Free
# Users: unlimited
Wiki?: yes
Notes: A lot of projects use this (e.g. WordPress): you download and install it. It’s written in Python and can run on several common databases.

Cheapest Option: Free
# Users: unlimited
Wiki?: yes
Notes: It’s functional, but the UI/UX is pretty crusty. Sorry to poo-poo the hard work of the devs here, but I never felt like I could get clients to use this app… it’s a bit disjointed.

Cheapest Option: $10/mo
# Users: 10
Wiki?: Yes
Notes: This is popular with big corporations. The biggest disadvantage of this is that it’s HEAVY: you gotta have a rock-solid sysadmin to set up Tomcat on your server to install this behemoth.

Cheapest Option: Free
# Users: unlimited
Wiki?: no
Notes: this is a powerful Perl application used by Firefox that can be the public face of your app. You have to download and install this.

GitHub
Cheapest Option: Free
# Users: unlimited
Wiki?: Yes
Notes: this thing is on fire — GitHub is THE thing right now. Its wiki is a pain in the ass compared to Google Code when it comes to formatting special characters. Paid plans get private repos.

Hopefully that’s a good list to help you narrow down your choices. If that’s not good enough for you, check out Wikipedia’s comparison of issue tracking systems.

Why GoDaddy is a Horrible Host
Sat, 24 Dec 2011 19:16:44 +0000

GoDaddy sucks… their dashboard is completely un-navigable, their shared hosting has repeated errors, their VPS hosts are so poorly configured that they can’t even run updates on themselves, their CEO murders elephants for his own amusement, and they think that a few Superbowl ads featuring Danica Patrick will somehow make us forget how bad they suck. And now this…

You may remember my earlier comparison/rant of VPS Hosting Providers. GoDaddy was on that list of hosts to avoid, but recent events have loaded my arsenal with rant-fuel and I cannot contain myself any longer: GoDaddy is a horrible web host and a terrible company that not only wastes your time and money, it may actively be trying to F you in the A!

The Technical

First, the technical stuff. This is stuff that actually happened. These are facts, and I invite any other developer to share similar experiences. I got a call late Friday night from a frenetic client with the horrible words: “THE SITE IS DOWN!!!”. Any developer who has heard those words on a Friday night knows that they can kiss their weekend goodbye, and so it was.

The site in question was hosted on a GoDaddy shared host. Ok, so what happened? Well, it’s an eCommerce site that required that a certain port be open for incoming and outgoing requests in order for the site’s software to communicate with the credit card processing (hosted on secure site somewhere else). Without warning, GoDaddy changed their firewall rules and they closed that port. Oops. That prevented the site from doing any business.

So what’s more frightening here? The fact that GoDaddy shut down this port without any warning, or the fact that they denied ever having that port open in the first place? In a separate incident, I had another GoDaddy server upgrade its version of PHP from 4 to 5. Any application developer will know that such a dramatic change in the underlying code can be catastrophic. And it was: the application completely broke because much of the code was not compatible with PHP 5. So the point of the story here is that I have personally experienced massive server changes on GoDaddy servers without any warning and sometimes without any acknowledgement. This is just not acceptable for any web host, and to date, I’ve only experienced this with GoDaddy.

And then it gets worse. The client wanted to keep his GoDaddy account, so he forked over the money to get a Linux VPS with GoDaddy. Man. The provisioning took over 12 hours and several calls to tech support. The GoDaddy dashboard is awful, and their ticketing system is equally poor: you can’t see your open tickets (!!!), so you have no idea what status they are in. You can chat with the techs (if the chat window doesn’t crash before you get through to somebody), but you cannot see any updates or add any information to your requests… you have to call to get information, and this can take a looooooong time.

But eventually GoDaddy got it up (heheh), and I started to configure the Linux Server with Plesk. Now the site required PHP 5.2.4 or greater, but the server shipped with PHP 5.1.6 (CentOS). There was no option to select different distros or different setups other than Plesk or cPanel on CentOS. So I started to get the server ready for take-off by updating packages and compiling a new version of PHP. I tried to download core updates… but out of the box, the repos were not correctly defined, and the VPS could not update itself. So I tried to run some updates by hand — we just needed PHP 5.2.4. So I tried to download and compile it. But the damn thing kept hanging. After some googling, it turns out that GoDaddy intentionally spikes the CPU which causes memory allocation failures. So the Plesk setup as offered by GoDaddy could not even put its own pants on.

So we had to pay an extra $10/month to get a WHM/cPanel server. So it was another 12 hours of provisioning (turns out the process hung, but without the ability to see the status of the ticket, I only got this info when I phoned in). But basically the same thing happened with the cPanel server: EasyApache could not finish executing due to memory/CPU throttling (not even on the command line). Something on those servers was completely F’d. As usual, GoDaddy techs denied everything, even when confronted with error logs. It was ridiculous and a waste of time for me and for the client (who hadn’t been able to sell anything on his site for about 48 hours at this point).

The final bit of ludicrousness was when we requested a separate IP address for the server so we could install the SSL certificate. With LiquidWeb, getting an extra IP address takes about 60 seconds. With GoDaddy? It took about 6 hours. Blink blink.

So the final solution here was to move this site over to my own server, which only took an hour or so. Instead of taking all weekend, it took only an hour. The conclusion is that GoDaddy is really good at creating billable hours, but not at actually having a working product.

The Non Technical

The non-technical stuff here is a bit more subjective, but it’s equally unflattering. You may remember the controversy when GoDaddy CEO Bob Parsons bragged about shooting and killing an elephant and a leopard. Mr. Parsons tried to play it off as some kind of philanthropy because “elephants are destroying Zimbabweans’ crops”. In my opinion, anyone arrogant and/or stupid enough to justify their actions with a statement like that really deserves a punch in the dick. LEOPARDS DON’T DESTROY CROPS. And if Bob Parsons really cared about the plight of Zimbabweans’ crops, he’d do something more effective like fund charity organizations in Africa or help them build a fence. I mean, seriously… have you seen his Video Blog? Arguably, the elephant and leopard got treated more humanely with bullets to the face than those of us who watched a 61-year-old man ogle the scantily clad women grinding against him while he lectured us on “hiring great employees.”

Bob evaluates his employees’ greatness

And remember my disgust with QuickBooks? Looks like Bob had a hand in that as well: apparently, he sold his accounting software to Intuit in 1994.

And now with the internet censorship laws coming up in relation to the “Stop Online Piracy Act” (aka SOPA), we see that GoDaddy is a political animal. First they came out in support for SOPA. Then after a “maelstrom” of internet backlash, they later discontinued support for SOPA. But what bothers me is that the casual internet citizen is fooled by this token gesture. It seems that it was a calculated move by GoDaddy where they make a public statement to placate the sheeple, but behind closed doors, they are still working to game the system for personal gain at the expense of public freedom. This article about a judge forcing domains to be transferred to GoDaddy was alarming. How much does the system have to be corrupted if the legal system is ORDERING domains to be transferred to GoDaddy? Why does this sound like Iraq under Saddam Hussein, where oil companies were ORDERED to do business with Saddam’s relatives? It just stinks to high heaven.

What to Do

Get your sites off of GoDaddy. They are Ok as a registrar if you can tolerate their idiotic dashboard and general ineptitude, but you’re wasting your life and your money if you host with them. Gotta love developers: here’s a good reference for how to move your domains off of GoDaddy: Moving Domains off of GoDaddy, but really, if you want to stick it to GoDaddy then you should call them and tie up their phone lines as much as possible. Have them walk you through how to transfer your domains…. step…. by…. step.

Sign up to boycott Godaddy here.

Find another registrar. NameCheap offers pretty much every TLD you can think of, and they’re at least as cheap.

If you need some good VPS hosting, I still have some space on my server: you get more horsepower than you’d get on your own VPS, and you don’t have to spend all the time setting the thing up. Contact me if you’re interested.

WordPress vs. MODx
Tue, 19 Apr 2011 17:04:56 +0000

There are a lot of Content Management Systems (CMS’s) out there, so I wanted to give a blow-by-blow analysis comparing two of them: MODx and WordPress. I feel oddly qualified to do so: Brian and I just authored a book on WordPress plugin development (WordPress 3 Plugin Development), and I am a MODx Solution Partner who was invited to speak at the MODxpo conference in Dallas last year. I’ve used both flavors of MODx (Evolution and Revolution) and WordPress while building somewhere around 50 web sites over the past couple years, and I like both systems. I have even contributed a couple plugins for both systems (e.g. Custom Content Type Manager for WordPress). So after the urging of some friends and colleagues (like Kris), I’m organizing my techno-ramblings into a coherent article.

I’m going to walk through a series of areas and compare and contrast how both CMSs work in those areas. The comments here apply to WordPress 3.x and (mostly) to MODx Revolution, but MODx Evolution is mentioned where appropriate.

Basic Stuff

System Requirements

Requirement: WordPress 3.1 vs. MODx Revolution

Server OS
  WordPress 3.1: ???
  MODx Revolution:
    • Linux x86, x86-64
    • Windows XP
    • Mac OS X

Web Server
  WordPress 3.1:
    • Apache ???
    • NGINX ???
  MODx Revolution:
    • Apache 1.3.x or Apache 2.2.x
    • IIS 6.0+
    • Zeus
    • lighttpd
    • Cherokee

Database
  WordPress 3.1:
    • MySQL 4.1.20 or higher (5.0+ recommended)
    • MyISAM table types
  MODx Revolution:
    • MySQL 4.1.20 or higher (excludes 5.0.51)
    • Default table encoding of UTF-8
    • InnoDB and MyISAM table types

PHP Version
  WordPress 3.1: 4.3+ (5.2+ recommended)
  MODx Revolution: 5.1.1+ (excluding 5.1.6/5.2.0)
    • Running as FastCGI
    • safe_mode off
    • register_globals off
    • magic_quotes_gpc off
    • PHP memory_limit 24MB or more

PHP Modules
  WordPress 3.1: ???
  MODx Revolution:
    • zlib
    • JSON
    • cURL
    • ImageMagick
    • GD lib
    • PDO, with database driver
    • SimpleXML

*Source: WordPress requirements, MODx requirements

If the requirements for MODx Revo look insanely detailed, ask yourself this: “do you really want to be guessing whether or not your server will support a given app?” MODx Revo does a pretty good job of testing for the necessary requirements during installation, so you don’t have any unexpected surprises.
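An added example of the kind of pre-install check described above, written for this article and not taken from the MODx installer: it tests the MODx Revolution items from the requirements table (PHP version with the two excluded releases, the three php.ini directives, memory_limit, the extension list and the FastCGI SAPI). The function names are constructed, and pdo_mysql is assumed as the PDO database driver.

```php
<?php
/** Interpret php.ini shorthand such as "24M" or "128K" as a byte count. */
function ini_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '' || $value === '-1') {
        return PHP_INT_MAX;          // -1 means "no limit"
    }
    $unit = strtolower(substr($value, -1));
    $number = (int) $value;          // leading digits only, suffix ignored
    switch ($unit) {
        case 'g': return $number * 1024 * 1024 * 1024;
        case 'm': return $number * 1024 * 1024;
        case 'k': return $number * 1024;
        default:  return $number;
    }
}

/** True when a boolean php.ini directive is effectively off. */
function ini_is_off(string $directive): bool
{
    $raw = ini_get($directive);
    // ini_get() returns false for a directive this PHP build no longer knows
    // (safe_mode, register_globals and magic_quotes_gpc were all removed in
    // later releases); a directive that does not exist cannot be on.
    if ($raw === false) {
        return true;
    }
    return !filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

/**
 * Run every check from the table and return name => [passed, detail].
 *
 * @return array<string, array{0: bool, 1: string}>
 */
function check_modx_requirements(): array
{
    $results = array();

    // PHP 5.1.1+, but not the two releases the table excludes.
    $ver = PHP_VERSION;
    $versionOk = version_compare($ver, '5.1.1', '>=')
        && !in_array($ver, array('5.1.6', '5.2.0'), true);
    $results['PHP version'] = array($versionOk, $ver);

    // The three legacy directives the table wants switched off.
    foreach (array('safe_mode', 'register_globals', 'magic_quotes_gpc') as $d) {
        $results[$d . ' off'] = array(ini_is_off($d), var_export(ini_get($d), true));
    }

    // memory_limit of 24MB or more.
    $limit = (string) ini_get('memory_limit');
    $results['memory_limit >= 24M'] = array(ini_bytes($limit) >= 24 * 1024 * 1024, $limit);

    // Required extensions; pdo_mysql is assumed here as the PDO database driver.
    $required = array('zlib', 'json', 'curl', 'imagick', 'gd', 'pdo', 'pdo_mysql', 'simplexml');
    foreach ($required as $ext) {
        $results['extension ' . $ext] = array(extension_loaded($ext), $ext);
    }

    // Running as FastCGI: the FPM and CGI FastCGI interfaces both report "fcgi".
    $sapi = php_sapi_name();
    $results['FastCGI SAPI'] = array(strpos($sapi, 'fcgi') !== false, $sapi);

    return $results;
}

$allOk = true;
foreach (check_modx_requirements() as $name => list($passed, $detail)) {
    $allOk = $allOk && $passed;
    printf("[%s] %-24s %s\n", $passed ? 'OK' : '!!', $name, $detail);
}
exit($allOk ? 0 : 1);
```

Run it from the CLI and the SAPI check will fail by design; upload it to the web root you intend to install into and it reports the environment the installer will actually see.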


WordPress offers its “famous” 5-minute install, and I give them credit where credit is due: WordPress is a simple web app to install, but to be fair, installing MODx Evolution is also very straightforward.

MODx Revolution has beefier requirements, and it’s far more likely you’ll run into troubles setting up your webserver permissions or PHP extensions (e.g. PDO). Moving a Revolution install to a new server is also a tricky operation that requires some patience (see this how-to).


In short, WordPress and MODx Evolution are easily installed on practically any web server that supports PHP and MySQL. MODx Revo takes longer to install and configure and it requires a beefier server.


Hands down, MODx offers the gold standard in templating. Expression Engine is a healthy second place, but only in my days of doing Perl development with the venerable Template Toolkit did I encounter a templating system that followed good MVC architectural principles as well as MODx.

What does that mean? It means that if you’re a front-end designer who likes to roll your own HTML and CSS, then MODx will grant you total freedom to implement the designs you want, whereas WordPress may result in headaches and holes punched in your walls (no comment on the convoluted mess that is Drupal and Joomla templates). I’ve posted previously about creating templates in MODx Evolution and how to import existing layouts into MODx Evolution, and the process in MODx Revolution is nearly identical (the only difference is the format of the placeholders).

In MODx, you can easily have multiple templates (i.e. layouts), and use any one of them for any page. In WordPress, the ability to use a specific template is possible only with pages, not posts. The thing that really gives me convulsions is understanding how WordPress formats its special pages, e.g. a category page, or an author page. See the image below as a reference for how WordPress formats page requests.

WordPress Template Hierarchy

See the official WordPress docs for Template Hierarchy for more information. I honestly have a hard time fathoming that this is the solution that actually got implemented… what other crazy ideas were on the drawing board?


If having a specific HTML/CSS layout for your site is more than a “nice-to-have”, then MODx will save you many hours; the time to rework layouts in WordPress can be considerable and some of the PHP hacks are not trivial, whereas MODx templates are easy to create, modify, and maintain.


MODx offers nearly infinite menu flexibility through use of menu-generating PHP Snippets, primarily WayFinder, but it’s not aimed at the average user. WordPress has a built-in GUI for creating menus, but I have experienced some bugs with it when using custom content types. Your WordPress theme may not support more than one or two menus, so in the end you may end up writing some code in your templates (e.g. using my Summarize Posts plugin) so you can list the posts that you want to see.

In a nutshell, WordPress offers an easy GUI, but if you need more customization MODx’s flexibility here is far greater.


WordPress has a huge number of user-contributed plugins available, whereas MODx has relatively few. The sheer number is not a good comparison, however; I downloaded and tested hundreds of plugins in the process of writing my WordPress book, and the number of plugins that are unusable due to sophomoric errors or plain-old bad coding is huge. I estimate that at least half of the plugins in the WordPress repository are unusable, and perhaps only a tenth of them are worth using. There are crufty plugins in the MODx repo to be sure, but the playing field is more even than you might think.

The real difference here comes when you have to write your own code: MODx is a lot easier to work with, with a shorter learning curve for the majority of code, whereas learning the ropes of WordPress plugins requires more guidance (hey, did I mention we wrote a book about that?).


This is an area that is hard to discuss unless you’re a geek, but in a word, MODx offers a robust and well-architected MVC framework under the hood that can make writing custom plugins (Snippets, manager pages, et al) a breeze. The work done by Jason Coward and Shaun McCormick is really astounding.

Some of the limitations to WordPress are really staggering: it is basically a stateless application, so by default it does not use sessions, and nearly all of its API functions exist as procedural functions in the main namespace, so naming collisions are a big concern when authoring plugins. This makes certain functionality damn near impossible in WordPress. For example, creating a WordPress application with a login portal and access to custom data models would require an enormous amount of time. Even accessing WordPress’s posts and categories is difficult at times; I basically had to rewrite core WordPress functionality with another plugin (Summarize Posts) just to get the menus and summaries I needed for one recent site.

Another severe limitation of WordPress is that all extensions to the core occur via plugins that are triggered by system events (confusingly, they are loosely categorized into “actions” and “filters”). This construct can be awkward at times, and the WordPress architecture is showing its age as the number of events exponentially increases, whereas the amount of documentation for them continually wanes. Realistically you can get WordPress plugins to do just about everything you need using only a handful of events, but debugging someone else’s plugins is a nightmare: there is no centralized location listing which events are being hooked into, and new events are often created and executed on the fly. Debugging WordPress plugins is like Alice’s trip down the rabbit hole: majorly trippy, and you don’t know if you’ll ever come out.

User management is another area where MODx dwarfs WordPress: Revolution can handle totally granular control of permissions, but it is admittedly overly complex for 90%+ of use cases. Evolution offers a much more sensible permissions scheme that covers most use cases.

MODx offers much more sensible implementations of custom code: like WordPress it uses event-driven plugins, but it also uses custom PHP snippets which can be placed anywhere on a page or in a template.

Another impressive feat is how MODx Revolution has abstracted the database into a separate coding layer — that means it is relatively easy to interface with custom database tables (or even with other database engines) using code that is completely database agnostic (support for SQLite and PostgreSQL is in the works). That’s some seriously geeky stuff that has kept me awake at night trying to comprehend how they accomplished it. Microsoft has even worked directly with the MODx team because MODx’s architecture is flexible enough that it can run on an all-Microsoft stack (i.e. IIS and MS SQL Server). I can’t think of a single other system that switch-hits as well as MODx.


If the site you are building is more of a web application that requires a lot of custom coding, go with MODx; the level of maturity in the underlying MODx framework is light years ahead of WordPress, but be advised that the coding in MODx is sometimes so advanced, it takes a very senior developer to understand what’s going on. If you decide to do a more serious application-type-project in WordPress, be sure to allocate extra time to augment or rewrite the core code. If you’re doing basic extensions or variations of a simple site/blog, then WordPress plugins can do that pretty well, so don’t overcomplicate things.


WordPress offers a clean manager dashboard for its administrators which relies on the jQuery JavaScript library to provide AJAX functionality and smooth user experience. It’s pretty easy to find your way around.

WordPress Manager dashboard

MODx underwent a huge change in its manager dashboard between Evolution and Revolution, and the Revolution dashboard is overwhelming for many. Evolution’s dashboard is cleaner and snappier.

MODx Evolution Dashboard

MODx Revolution’s manager dashboard is still being optimized. It’s based on ExtJS. For those of you not familiar with ExtJS, it was based on YUI (the Yahoo User Interface library), and it offers some fantastically powerful features for building interfaces for web applications. My only complaint with it is that it’s heavy: the MODx Revo dashboard can take a long time to load, and sometimes clicking on buttons and links feels unresponsive.

MODx Revo dashboard


Do not make your decision about which system to use based on the dashboard alone — that’s like marrying a girl for how big her tits are. I know some clients who have loved and hated the dashboards in both systems. Again, MODx offers more flexibility if you want to change the dashboard behavior. The big difference here is simple: WordPress gives you a super clean view of your posts based on time whereas MODx gives you a hierarchical view of your posts.


Everybody wants a blog, just like everybody wants a shiny new car. Authoring blogs has been a core competency of WordPress, and they get massive props for making them very simple to set up: out of the box, you can get a blog up and running with integrated tags, categories and comments within minutes. It’s really what WordPress is all about: blogging. WordPress also bundles the Akismet plugin for filtering comment spam; it isn’t a security control as such, but it keeps your comments from turning into a dumping ground for spam links.

Contrary to some of the on-line murmurings out there, both versions of MODx can run blogs, but until MODX 2.2, the process to set them up was painfully laborious in comparison. The Articles extra for MODX gives you a quick and easy blog — it can even import your posts from WordPress, so the gap between the two systems is closing quickly. The only thing it doesn’t do as well as WordPress right out of the box is its taxonomies (tags and categories): you still have to do some configuration to get those configured how you want them, but as the docs say:

“MODx Revolution is not blogging software, but rather a full-blown Content Application Platform, it doesn’t come pre-packaged with a cookie-cutter blogging solution.” 


If your priority is to get a blog up and running as quickly as possible, and you have few requirements for supporting any other content, then WordPress is the way to go. Starting with MODX 2.2, however, you can use its “Articles” extra, which gives you simple blogging functionality, with many of the features available to WordPress.

Custom Content (CMS functionality)

If blogging is where WordPress shines, then CMS functionality is where MODx clearly has the upper hand. WordPress does support custom fields for its posts and pages, and in version 3.x, they support additional “post types”, so finally WordPress is getting some traction as a CMS, but it’s still a bit of a toy in comparison to MODx.

One of the biggest problems with WordPress as a CMS is its lack of support for sensible custom fields: for each post or page, you have to manually add the same custom fields over and over again, and by default, the custom fields are always simple text fields. I have attempted to rectify this in my Custom Content Type Manager plugin, and my plugin does a lot to give WordPress CMS capabilities, but it still represents a series of awkward workarounds that stretches the WordPress core nearly to its breaking point.

One related area is how MODx can manage and serve static files via what it calls “Static Resources”. Because access goes through MODx rather than straight to the file on disk, MODx’s own permissions apply to viewing, streaming or downloading static files (e.g. PDFs or Flash movies). WordPress just flat out can’t do that out of the box.

Although MODx offers greater flexibility, WordPress’ integration is a bit cleaner for the manager user (it’s a holy pain in the ass for the developer, but if you download my plugin you should avoid this unpleasantness). When WordPress registers a new “post type”, you get a nice menu icon in your dashboard and it’s really clear to the manager that he/she is adding a new post, page, or movie (etc). For example, if you want to add a movie post, you’d click on “Add Movie”. It’s really quite logical. In MODx, this same type of distinction occurs at the template level. Architecturally, this makes sense, but it’s confusing for the manager user, because it may not be at all clear that they need to add a “normal” page (i.e. resource), and then choose to use the “movie” template. I’m planning a MODx plugin to help rectify this UI “wart”.

A custom post type in WordPress


If you have to display multiple types of content on your site (e.g. an eCommerce site), then MODx offers far greater flexibility, but it does take longer to configure. If your CMS requirements are simple and you don’t need to worry too much about customizations, then WordPress can do that very well and very quickly.


SEO is a cyclical buzzword, and at the moment a lot of SEO guys are hailing WordPress as the holy grail of search-word wad-shooting. To be blunt, I think SEO is largely an over-hyped crock of crap. If you build a well-structured site with good content, your pages will show up in search results: if there is a site out there with awesome content that is not showing up in relevant search results, I have yet to see it. Search engine optimization is often a pseudo-science practiced by get-rich-quick marketeers who are convinced that they can turn lead into gold by over-hyping a site with various gimmicks. 90% or more of SEO should be about creating good content, and perhaps the last 10% of your effort should go into polishing your site. It can be used to improve search results, but it tends to fail when you try to make search results appear out of thin air. Too often I have seen companies do this the wrong way around: they spend 90% of their time publicizing a site that is a vapid cesspool instead of making a site that’s worth visiting. On top of that, SEO techniques are constantly changing as Google updates and refines its indexing algorithms. If you optimize your site today and Google farts tomorrow, all of your work may be for naught. Do your due diligence, but it’s just not worth spending inordinate amounts of time trying to beat Google at its own game.

Rants aside, both systems offer ample ways to do search engine optimization. Assuming that you have good content, the rest of the process boils down to having well structured HTML (which relies on a solid templating system), and the ability to effectively index your pages. WordPress offers built-in taxonomies (categories and tags) for flagging your posts, and MODx can be set up to do this rather easily by using an Auto-Tag custom field (a.k.a. a MODx “Template Variable”).

MODx offers a much more flexible system for generating URLs (basically you can use any URL you want for any page). WordPress does offer flexibility here, except for its special pages (e.g. category listings or author pages).


Comparing SEO features between MODx and WordPress is a moot point: both systems allow you to adequately structure your content and your site.


No system is 100% secure. MODx has had relatively few serious exploits; WordPress has had many, no doubt due in part to its popularity. For what it’s worth, I have had WordPress and MODx Evolution sites hacked, but not yet a Revolution site. It’s hard to quantify how secure an application is… I’d love to see the detailed forensic results of a penetration test against default installations of both CMS’s. In general though, the WordPress architecture is primitive and more ripe for being hacked: it’s more difficult to lock down spaghetti code. WordPress also offers many more plugins, and the plugin authors tend to be less experienced, so their code is more likely to have security holes.

There are many fingerprinting utilities out there that will attempt to locate known weaknesses in plugins, and WordPress is more easily fingerprinted (its default paths and its generator meta tag announce both the platform and the version); MODx Revo lets you change the default location of the MODx manager or even remove it from public view altogether. There are some discussions in the MODx Forums about how to harden MODx, but I haven’t yet seen a detailed how-to on eliminating the most common attack vectors. There are also good posts out there for hardening WordPress.
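As an added example (not code from the original post, nor from any real fingerprinting tool), here is the passive half of what such utilities do: read a single HTML response and look for the generator meta tag and the platform’s default paths. The sample responses are constructed, and the MODx path list is simply the stock install locations; everything in `evidence` is what the site is advertising about itself.

```python
import re

# Default path fragments that betray the platform even with the generator
# tag removed. WordPress paths are its real defaults; the MODx ones are the
# default manager, assets and connectors locations (relocatable in Revolution).
SIGNATURES = {
    "WordPress": ["/wp-content/", "/wp-includes/", "/wp-login.php", "/xmlrpc.php"],
    "MODx": ["/manager/", "/assets/components/", "/connectors/"],
}

META_GENERATOR_RE = re.compile(r'<meta[^>]*name=["\']generator["\'][^>]*>', re.I)
CONTENT_RE = re.compile(r'content=["\']([^"\']+)["\']', re.I)
VERSION_RE = re.compile(r"(\d+\.\d+(?:\.\d+)?)")


def fingerprint(html):
    """Guess the CMS behind an HTML page from passive signals only.

    Returns {"cms": name or None, "version": str or None, "evidence": [...]}.
    """
    evidence = []
    cms = None
    version = None

    tag = META_GENERATOR_RE.search(html)
    if tag:
        content = CONTENT_RE.search(tag.group(0))
        if content:
            generator = content.group(1)
            evidence.append("generator meta tag: " + generator)
            for name in SIGNATURES:
                if name.lower() in generator.lower():
                    cms = name
            found = VERSION_RE.search(generator)
            if found:
                version = found.group(1)

    # Count default-path hits per platform; the platform with the most hits
    # wins if the generator tag did not already settle it.
    hits = {name: [p for p in paths if p in html] for name, paths in SIGNATURES.items()}
    best = max(hits, key=lambda name: len(hits[name]))
    if hits[best]:
        evidence.extend("default path referenced: " + p for p in hits[best])
        if cms is None:
            cms = best

    return {"cms": cms, "version": version, "evidence": evidence}


# Constructed sample responses (not captured from any real site).
WORDPRESS_SAMPLE = """<html><head>
<meta name="generator" content="WordPress 3.5.1" />
<link rel="stylesheet" href="http://example.test/wp-content/themes/twentytwelve/style.css" />
<script src="http://example.test/wp-includes/js/jquery/jquery.js?ver=1.8.3"></script>
</head><body><a href="/wp-login.php">Log in</a></body></html>"""

# Same platform with the generator tag stripped: the paths still give it away.
HARDENED_WORDPRESS_SAMPLE = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/custom/style.css" />
</head><body>Hello</body></html>"""

MODX_SAMPLE = """<html><head><title>Site</title>
<link rel="stylesheet" href="/assets/components/gallery/css/web.css" />
</head><body><a href="/manager/">Manager</a></body></html>"""

if __name__ == "__main__":
    for label, sample in (("wordpress", WORDPRESS_SAMPLE),
                          ("hardened", HARDENED_WORDPRESS_SAMPLE),
                          ("modx", MODX_SAMPLE)):
        print(label, fingerprint(sample))
```

Run `fingerprint()` over your own home page’s HTML and read the `evidence` list. In WordPress the generator tag disappears with `remove_action('wp_head', 'wp_generator');` in a theme or plugin, and in MODx Revolution the manager directory can be renamed, but the asset paths still identify the platform, so treat this as noise reduction for automated scanners, not as a security boundary.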

I reported a nasty vulnerability in phpThumb that affected MODx and numerous other CMS’s (phpThumb is a popular image manipulation library), but the MODx Revo architecture prevented the exploit from succeeding on Revo (good job to Shaun and Jason for architecting the connectors in the way they did).


I feel that MODx Revolution is probably more secure, but there are no guarantees when it comes to security. No system is bulletproof, so you best have redundant backups on hand and follow the recommendations of Basic Web Security no matter which system you’re on.


This is another area that is pretty black and white in my opinion: WordPress support sucks. Although WordPress is more popular if you look at the numbers, you wouldn’t know it if you post questions in the WordPress Forums. I have rarely gotten any useful answers (if I got answers at all): anything beyond simple inquiries tend to go unanswered, leaving me alone in the dark reverse-engineering damn near everything.

My other gripe with WordPress is their weird distinction between and You can host your blog at, and then you get more support, but it is effectively software as a service: you can’t upload plugins and you can’t modify code, so the interface suddenly becomes a bit like BlogSpot.

By contrast, the MODx Forums are full of helpful people. It’s a great place to be: it’s not uncommon to get responses from the core team on almost any level of inquiry, from trivial to cerebral meltdowns. There are some superstar participants, such as Susan Ottwell and Bob Ray, who have both contributed immensely helpful posts and tutorials on how to use MODx. MODx also offers commercial support; it’s still in its infancy, but for a yearly fee, you can get access to a kind of “MODx hotline” and get help resolving MODx issues on your sites.


In the same breath as support, I must mention documentation. In general, documentation for both systems is lacking, in some areas painfully so. While using WordPress, I have often searched for hours trying to find a way to do a certain thing, only to end up grepping through the code base and deciphering the raw code myself. Frequently the official documentation has holes or, in some cases, is just plain wrong. The best resources for some advanced WordPress features are blogs written by other developers.

MODx’s documentation is also frustratingly AWOL on a number of topics, but at least the MODx code base is integrated with a standard documentation publishing system, so if needed you can see for yourself how the functions are structured without having to grep through the code base. The vibrant MODx forums fill in a lot of the holes in the documentation, and that’s a huge benefit for any open-source project.


If you need support for your site, especially guaranteed support, then only MODx offers a paid support service; WordPress doesn’t offer a paid support option.


WordPress can handle a huge number of posts, but it does get bogged down with a large number of pages, and there are lots of whisperings about this (e.g. here). I suspect it has to do with WordPress’ convoluted templating system (see above), which makes me wonder what the limits are on custom post types.

MODx Evolution suffered from a limit of approximately 5000 resources (in MODx, pages and posts are types of resources), but that limit has been corrected in an upcoming release thanks largely to the efforts of Charlie over at

MODx Revolution has no such limits: it offers a great built-in caching system that allows it to serve pages very quickly. It has been benchmarked as twice as fast as Expression Engine (see this blog post).

More importantly, MODx Revolution was built with scaling in mind: it stores session data in the database, so it is easily deployed on load-balanced servers. This is hugely important if you are building a site that might one day get massive amounts of traffic; WordPress can be deployed like this, but such usage is not generally anticipated. I don’t know of many large commercial sites running WordPress (in fact, I only found one:


MODx is by far the more mature option here if you anticipate building a large site.


I do like both systems, and I use them both daily. WordPress has a much lighter footprint and is easier to use for a large number of use cases: if you just need to get a site out the door fast, then WordPress is really hard to beat. WordPress is plug-and-play for just about everything and that saves you hours of setup time, so it can be the right solution for a majority of sites. But the more customizations you require (particularly in scripts or in layouts), the more appealing MODx becomes: WordPress has thousands of plugins available, but if those aren’t meeting your needs, I’ve found certain types of customizations to be extremely difficult in WordPress whereas most often MODx handles them with ease. Doing things like building web applications with strict formatting requirements is much easier in MODx because it’s built more as a launchpad for customizations: it’s really more of a content management framework (CMF). MODx Evolution is the best system I’ve used for building small to medium sized informational/brochure sites, WordPress rules as the blogging king, and I’ve been very impressed with how easily I can build web applications using MODx Revolution. There isn’t one tool that’s right for every job; the more projects you complete, the better idea you’ll have as to which system will accomplish your requirements more easily, and hopefully this article helps you spot more of what each system is good at.

Comparison of VPS Providers Mon, 18 Apr 2011 16:08:13 +0000

So you’ve graduated from the world of shared hosting providers and it’s time for you to set up your own big-boy hosting package. You need a Virtual Private Server (VPS) of some sort, but the options are dizzying because these services have become a commodity: it seems that nearly everyone is peddling some variation of them. Well, we feel your pain. And I feel my own pain… I’ve dealt with a number of hosting providers over the past few years, and I’m writing this article to share with you my opinions. I’ve set up accounts for myself or for my clients on all of the following systems, and here is my unbridled opinion of each of them. Keep in mind that these reviews and opinions relate primarily to using the services for web hosting.

These aren’t affiliate links unless otherwise indicated (hey, if you want to throw us a bone for saving you the pain of experiencing these guys yourself, then please, feel free to click the affiliate link: it costs you nothing and it is your way of saying “thanks for saving me the trouble of learning this stuff the hard way”).


LiquidWeb has impressed me with its clean integrations and its “heroic support”. That doesn’t mean they’ve been able to fix every problem I’ve had, but to be fair, a lot of the tricky stuff was weird 3rd party installs that *I* struggle with greatly. But they have been very responsive in their tickets and I’ve never felt abandoned or in the dark.

The standard VPS’s offer a good value, but if you need more horsepower, their SmartServers offer a nice combination of virtual/cloud and dedicated qualities, and it’s a good combo for many folks. These come by default with WHM/cPanel, so it’s easy to set up sub-accounts with their own logins. Throw me a Bone (affiliate link)

Media Temple

This is a popular option, although I’m not sure why… their cloud servers go down frequently, they’ve had several pretty severe security issues, and using SSH on their servers is a holy pain in the ass because SSH dumps you in some foreign directory miles away from your home directory, whereas FTP takes you to your home directory. What? Yes, it is obnoxious and confusing, and they disconnect your SSH session after 5 minutes, which is approximately 1 minute less than the time it takes you to RTFM through your notes and emails to find where the hell your home directory is or which command you need to run to escalate yourself to the proper user to be able to do anything useful. MediaTemple uses Plesk to offer control panels to their clients, and Plesk is a nightmare if you ever try to do any sysadmin work on the command line. I’ve had a couple clients on MediaTemple, and it just seems like it’s a rocky road with bumps in the service and difficulties in doing basic tasks. It’s not the worst out there, but I wouldn’t rate MediaTemple as anything better than mediocre.

I do not recommend these guys. They do have a nice looking site and what looks to be a nice product, but my experience with them was wholly negative. “Jeez”, you might be thinking, “don’t flame a brother in writing!”, but sit down around the campfire and let me tell you why I feel completely comfortable doing so….

It all started when I set up a VPS server with and I signed up for their paid snapshots knowing that I was liable to screw up my server at some point and I’d want to roll back to a snapshot image. Sure enough, I borked my server by removing the sqlite package, which completely destroyed the functionality of my yum utility (don’t ever do what I did, by the way). “No problem”, I thought, “I’ll just roll back.” Well, the restoration process had a fatal flaw, which completely toasted my server. After using their “restoration” utility, I didn’t just have a server with a broken yum utility, I had a completely fried server (ooo… that’s a bad code taco on that one). The people over at were completely unwilling to admit the problem. I wasted about 2 days waiting for them to either fix the problem or to just come clean and say “hey, we’re really sorry, but we had a glitch in our snapshot utility so we only have partial backups of your server.” No. They hemmed and hawed and wasted my time for 2 days until finally one of the techs admitted that there had been a problem. I think he was probably later executed by firing squad for insubordination and refusing to toe the party line. I needed to clock in about 40 hours (all un-billable, by the way) to rebuild the server from scratch, and they acted like the Soviets when Chernobyl blew up: in typical fashion they denied anything happened until European scientists started measuring massive amounts of radiation and said “uh, comrades… did something happen at your reactor?”

While waiting days for a response (all while my server and all of its sites were completely down), my patience got exhausted, so I finally threatened to make a blog post like this one. The CTO jumped in saying “I was approaching this in the wrong way”. I listed the several tickets that I had filed that had gotten no response for 48 hours (even ones that *he* had initially responded to). And then even the CTO stopped responding to my requests for information (read: he must have known how badly they screwed up). His response was literally an advertisement: he blabbed on about how awesome their servers were and what great new offerings were available. I felt like he had just run over my dog, and instead of apologizing for killing my best friend, he was yammering on about awesome his car was with its dual-hemi’s, turbo-charged engine and high-performance tires. The final “kiss my ass” message they sent me was a legalese “F-U” which basically stated that none of their services, including backups, were guaranteed. Seriously, I don’t often say stuff like this this in writing, but can go french kiss a donkey’s ass. I gave them every opportunity to respond to my questions or to justify their actions, and they ignored me, so I feel I’m being more than fair.

So dealing with cost me several thousand dollars, it almost cost me a client, and their ineptitude set me back on several high priority projects, and their response to a completely legitimate issue was childish and unprofessional, and my requests for just basic professionalism were ignored. So there you have it: my rant against Use their services at your own risk.

These guys offer a simple no-frills hosting package, and I’ve used them for several dev projects over the years. Nothing fancy, but they are responsive to requests, I’ve had only minimal fuss with their servers, and their control panel is easy to navigate. They may not give you as much RAM as some for the price, but they do give you lots of CPUs (like 16!). I like these guys and I give them a good thumbs up. There is no cPanel-type dashboard for sub-accounts, so this one is for command-line sysadmins only.

This is another no-frills VPS system that offers some pretty nice stats for the price: lots of RAM and a good amount of CPU. They offer a few more options than VPSLink (e.g. you can pay extra to get an external backup volume mounted to your server), and they are a bit more scalable, but I didn’t find their admin panels very intuitive, so I’ve lost time fumbling through them. There is no cPanel-type dashboard for sub-accounts, so this one is for command-line sysadmins only, but still a solid thumbs-up for these guys.


Ah yes, now even GoDaddy is offering VPS services (hey, we said this stuff is becoming a commodity). The prices there look competitive, but my experiences with GoDaddy as a host have been mindbogglingly poor. Their shared hosting is a complete disaster — hands down, it’s the worst I’ve seen… they arbitrarily limit functionality, it takes hours to complete tasks that take only minutes on other hosts, and all for a cost that is higher than their competitors. I even had one of their techs tell me that the MySQL dump was “working perfectly” when the log file showed clearly that there was an error. Blink. Are they blind? Or just stupid? They also had zero understanding of how DNS records worked, so they weren’t able to offer any assistance in configuring a custom zone file. Furthermore, their dashboard is impossibly confusing to navigate. Do you know that weird castile soap by Dr. Bronner? I’m pretty sure the intern that did the layout for that soap is the same person who did the UI for GoDaddy’s control panel, because I always have to dial their support # when I have to do anything in there.

Did the same guy do GoDaddy's control panel layout?
Layout designed by GoDaddy: Worst Layout Ever

I mean seriously… can you read that?

So even though these look like competitive prices, I have severe reservations about using GoDaddy as anything more than a registrar. Hey, I want to jump on Danica Patrick as much as the next horny guy, but maybe if they spent some time cleaning up their site and services instead of Super Bowl ads and models, they’d have a product worth recommending, but as it stands, you should pass on GoDaddy as a host.

Amazon cloud EC2

This is a popular option because hey, it’s Amazon… but I’ve found EC2 cloud stuff to be a pain in the ass to use simply because you get lost on the command line. It’s worse than MediaTemple from a command-line standpoint. In my opinion, being on the cloud means your data theoretically is always there (there are outages), but if you’re coming in via SSH, then you can’t find it. Haha. Only sort of kidding there. In general, this isn’t a very nice option for those people doing simple web hosting types of services. It’s more appropriate for companies doing persistent application deployments.

Other Providers

I feel obligated to mention the following 2 providers because so many people I work with recommend them highly:

I don’t have first hand experience with them, so I can’t comment directly.


There are a lot of options out there, but with enough time, patience, and trouble-shooting elbow-grease, you can find a web host that works for you.

Releasing New Versions of your WordPress Plugins Sat, 05 Mar 2011 08:40:22 +0000

If you are a WordPress plugin developer, then this post is for you. There is very little documentation on how to effectively use the WordPress Subversion repository, and the repo architecture is critically flawed in its structure, making “kosher” usage seem entirely buggy. Worse yet, the support in the WordPress forums is practically non-existent. For a more thorough explanation of this process, see our book on WordPress 3 Plugin Development Essentials, which features an entire chapter on dealing with SVN and the WordPress repository.

Below is the short summary of what is presented in the video.

How to release updates to your WordPress plugin (quickie version)

  1. Make the updates to your code, fix any errors, add new features.
  2. Update your plugin’s main file (the one with the information header) so that it references the new version of your plugin, e.g.
    Version: 0.5
  3. Update your readme.txt file to describe the changes you have made, but DO NOT change the Stable Tag. This number must point to an existing directory inside your repo’s tags directory.
  4. Save your files, then commit your changes to the SVN repo, e.g. svn commit . -m "My new version is ready"
  5. Tag the new version using the SVN copy command to copy the trunk to a new numbered directory in tags, e.g. svn copy
    Remember: the tagging operation is just a copy operation.
  6. By performing the tagging (i.e. copy) operation, a new directory has been created inside the tags directory. So only now can you safely update your readme.txt file’s Stable Tag, e.g.
    Stable tag: 0.5
    That number acts as a pointer to the corresponding folder inside of the tags directory (it would point to in this example).
  7. Commit your changes to the readme.txt file. This will ensure that the Stable Tag attribute points to the newly created version: svn commit . -m "Updating the stable tag"
  8. You should be done now, but the WordPress SVN repository has been so problematic…. keep an eye on your plugin’s download page and verify that the changes get picked up. The changes should be picked up within 15 minutes or so… if they don’t get picked up, look at the downloaded zip file carefully… does the link say one thing but the name of the zip file says something else? It’s easy to mix things up, so if you get stuck, try reviewing the steps here.

How to release updates to your WordPress plugin (Long Version)

Ok, that was too quick? Well, we left out some important geeky points. The way WordPress’ download page works is that it looks at the readme.txt file at the HEAD of the repo, and then it follows the value listed there for Stable tag. If the Stable tag lists version 0.8, then the information from tags/0.8/readme.txt is used to generate your plugin’s information page and the files in tags/0.8 are packaged up into a zip file and that’s what downloads when the user clicks the download link.

Can you see the problem with this setup? Normally, when you tag a directory in SVN, that copy is treated as a read-only reference, but in this setup it is frequently easier and less error-prone to go into the tags directory and make your edits there. This is normally a big no-no for version control!

So the safer way to do this is to develop your plugin normally inside the wp-content/plugins directory and submit to the trunk as you normally do. Once you’re ready to publish a release, go to a new folder somewhere on your hard drive and checkout your ENTIRE project, trunk, tags, and all. Then you can do your tagging operation locally, e.g. svn copy trunk tags/0.9, and that will give you a new directory. You can update that directory’s readme.txt file and your plugin’s information header, then commit all of your code (trunk and all tags folders).
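The following is an added pre-commit check (not from the original post, and not part of WordPress’s own tooling) that verifies the layout both the quickie and the long version of the procedure are trying to produce: trunk/readme.txt’s Stable tag names an existing tags/ directory, that directory carries its own readme.txt, and the plugin header’s Version matches the tag. The fixture builder writes a constructed checkout to a temp dir so the check can be exercised without touching the real repository; the file name my-plugin.php is made up.

```python
import os
import re
import tempfile

STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*(\S+)", re.I | re.M)
HEADER_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.I | re.M)


def read_text(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def header_version(plugin_dir):
    """Version: value from the first .php file in plugin_dir that has a plugin header."""
    for name in sorted(os.listdir(plugin_dir)):
        if name.endswith(".php"):
            found = HEADER_VERSION_RE.search(read_text(os.path.join(plugin_dir, name)))
            if found:
                return found.group(1)
    return None


def check_release(checkout):
    """Check a full checkout (trunk/ and tags/) the way the plugin directory reads it.

    Returns a list of problems; an empty list means the Stable tag will serve
    exactly the tagged copy you expect.
    """
    problems = []
    trunk_readme = os.path.join(checkout, "trunk", "readme.txt")
    if not os.path.isfile(trunk_readme):
        return ["trunk/readme.txt is missing"]
    found = STABLE_TAG_RE.search(read_text(trunk_readme))
    if not found:
        return ["trunk/readme.txt has no 'Stable tag:' line"]
    stable = found.group(1)
    if stable.lower() == "trunk":
        # Legal, but it means every trunk commit is instantly 'released'.
        return ["Stable tag is 'trunk': users get whatever is in trunk right now"]
    tag_dir = os.path.join(checkout, "tags", stable)
    if not os.path.isdir(tag_dir):
        return ["Stable tag %s points at tags/%s, which does not exist" % (stable, stable)]
    if not os.path.isfile(os.path.join(tag_dir, "readme.txt")):
        problems.append("tags/%s/readme.txt is missing; the plugin page is built from it" % stable)
    version = header_version(tag_dir)
    if version is None:
        problems.append("tags/%s has no .php file with a 'Version:' header" % stable)
    elif version != stable:
        problems.append("tags/%s header says Version: %s but Stable tag is %s"
                        % (stable, version, stable))
    return problems


def make_fixture(stable, tag_dir_version, plugin_version):
    """Write a constructed checkout to a temp dir and return its path (test data only)."""
    root = tempfile.mkdtemp(prefix="wp-plugin-")
    trunk = os.path.join(root, "trunk")
    tag_dir = os.path.join(root, "tags", tag_dir_version)
    os.makedirs(trunk)
    os.makedirs(tag_dir)
    readme = "=== My Plugin ===\nStable tag: %s\n\n== Changelog ==\n" % stable
    plugin = "<?php\n/*\nPlugin Name: My Plugin\nVersion: %s\n*/\n" % plugin_version
    for folder in (trunk, tag_dir):
        with open(os.path.join(folder, "readme.txt"), "w") as fh:
            fh.write(readme)
        with open(os.path.join(folder, "my-plugin.php"), "w") as fh:
            fh.write(plugin)
    return root


if __name__ == "__main__":
    print(check_release(make_fixture("0.5", "0.5", "0.5")) or "release layout OK")
    print(check_release(make_fixture("0.5", "0.4", "0.5")))
```

Run `check_release()` against the full checkout described above (trunk, tags and all) right before the final commit; if it returns anything, the download page will either 404 on the zip or package the wrong code, which is exactly the symptom step 8 of the quickie version tells you to watch for.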

Hope that helps los dudes.

Basic Web Security Mon, 10 May 2010 18:00:51 +0000

Web security is a huge topic, and this article only intends to cover some of the most basic issues and increase awareness of how carelessness or ignorance can lead to exploits. Ultimately, what you don’t know can hurt you, so it’s in your best interest to learn as much as you can about your site and the technologies it relies on. Here’s a brief run-down of some fairly common mistakes I’ve come across and what you can do to either avoid them or lessen your vulnerability.

Suspected Malware Site!
You've been F'd in the A!

Make Rolling Backups

If you do nothing else, make sure you are backing up your site and its databases. So long as you know if/when your site fails (or is hacked) and have the ability to roll back to a known good state, you have little to fear.

Make SURE you practice restoring a site from your backups! An untested backup is worthless. Nothing is worse than THINKING you have a viable backup only to discover that it is actually corrupted.

As your backup needs mature, consider storing them offsite, e.g. on Amazon’s S3 service.

I’m supplying two of my most-used backup scripts for those in need. These are fairly simple, but they will work on shared hosts. They back up a web site’s files and its databases.
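As an added example (not one of the author’s backup scripts), here is a rolling backup in Python that does the two things this section insists on: keep a bounded set of dated archives, and prove each archive restores before trusting it. It covers only the files half; dumping the database into the source tree first with mysqldump is assumed rather than shown. The sample site it builds is constructed.

```python
import hashlib
import os
import shutil
import tarfile
import tempfile
import time


def file_hashes(root):
    """Map relative path -> sha256 for every regular file below root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def make_backup(src_dir, dest_dir, stamp=None):
    """Write dest_dir/<site>-<stamp>.tar.gz and return its path.

    dest_dir must live outside src_dir (and outside the document root), or
    every backup swallows the previous ones and anyone can download them.
    """
    os.makedirs(dest_dir, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    site = os.path.basename(os.path.normpath(src_dir))
    archive = os.path.join(dest_dir, "%s-%s.tar.gz" % (site, stamp))
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return archive


def verify_backup(archive, src_dir):
    """Restore archive into a scratch dir and compare every file hash with src_dir."""
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter refuses absolute paths and '..' traversal in
                # member names; Pythons older than 3.12 lack the argument.
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)
        return file_hashes(scratch) == file_hashes(src_dir)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def list_archives(dest_dir):
    """Archives oldest first; the fixed-width stamp makes name order equal time order."""
    return sorted(f for f in os.listdir(dest_dir) if f.endswith(".tar.gz"))


def prune_backups(dest_dir, keep):
    """Delete all but the `keep` newest archives and return the names removed."""
    archives = list_archives(dest_dir)
    stale = archives[:-keep] if keep > 0 else archives
    for name in stale:
        os.remove(os.path.join(dest_dir, name))
    return stale


def rolling_backup(src_dir, dest_dir, keep=7, stamp=None):
    """Back up, verify the restore, then prune. A failed verify is deleted and raised."""
    archive = make_backup(src_dir, dest_dir, stamp)
    if not verify_backup(archive, src_dir):
        os.remove(archive)
        raise RuntimeError("%s did not restore cleanly; not keeping it" % archive)
    prune_backups(dest_dir, keep)
    return archive


def build_sample_site():
    """Constructed stand-in for a site's document root (not a real site)."""
    src = tempfile.mkdtemp(prefix="site-")
    os.makedirs(os.path.join(src, "wp-content", "uploads"))
    with open(os.path.join(src, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello';\n")
    with open(os.path.join(src, "wp-content", "uploads", "photo.txt"), "w") as fh:
        fh.write("not really a photo\n")
    return src


if __name__ == "__main__":
    site = build_sample_site()
    backups = tempfile.mkdtemp(prefix="backups-")
    for i in range(5):
        rolling_backup(site, backups, keep=3, stamp="20130701-00000%d" % i)
    print(list_archives(backups))
```

Point `rolling_backup()` at your site directory from cron, with `dest_dir` outside the document root, and copy the surviving archives offsite (S3 or similar) as a second step. The restore test is what separates this from a plain tar command: an archive that does not round-trip is deleted rather than counted.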

Be Diligent about Passwords

You’ve probably heard this a hundred times before, but it is really important:

  • NEVER use the same password twice! Ever!
  • Avoid short passwords! Length before strength. Try mixing up combinations of smaller units, e.g. “AlphaBetaCharlie” instead of “abc”. Be creative. You can have strong passwords that are easy to remember!
  • Store your passwords in a safe place, e.g. in a password manager like KeePass or in an encrypted disc image.
  • Change your passwords frequently! Literally, put this in your calendar so you remember to do it periodically. This limits how long a stolen or brute-forced password stays useful.
  • As a secondary line of defense, you can put an .htaccess password on your manager pages. All this does is slow down a brute-force attack by forcing the attacker to crack an additional password before he even sees your login form.

Password Protecting Directories using .htaccess

This adds an additional layer of authentication to a site or to a page; it’s not meant to substitute for more robust firewall rules or active filtering, but it is easy to set up.

First, create a username and password in a file that .htaccess can read. This can be done on the bash command line using the htpasswd command:

htpasswd -c /path/to/htpassword/file name_of_user

Next, add the following to your .htaccess file. Be sure you reference the file you just created above:

AuthName "Protected Area"
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /path/to/htpassword/file
Require valid-user

For some more detailed information on .htaccess passwords, see this page.

Stay Patched

Make sure you’ve got an updated version of your operating system, your scripting language (PHP), your database (MySQL), and your software (WordPress, MODx, etc.). Sometimes applying patches can be scary, but it’s a lot less so if you’ve got those rolling backups in place!

I want to make mention of a very useful tool: SimpleScripts. It’s available on Bluehost accounts; it provides one-click installs of many web software packages (like WordPress and MODx) and it will alert you to update them when you log into your cPanel. It’s a real time-saver!

Clean your Room!

  • Do not install superfluous/untrusted software on your site! Don’t go dumpster diving for code that’s going to end up on a public-facing web site!
  • Shut down services you’re not using (e.g. blog posts) because it takes more time to secure them.
  • Do not store backups or sensitive data inside your document root!
  • Encrypt sensitive data
  • Check permissions.
[Image: proper web site folder structure. Don't put backups or database dumps in your document root!]

Make sure you organize your site’s files in a way that ensures that only you have access to sensitive data like backups or database dumps. These should NEVER be stored in the publicly viewable document root!

Cross Site Scripting

Behold the terror that is:

<?php print $_GET['x']; ?>

That code should NEVER be used on a public site because it effectively gives free access to the public to put whatever they want on your site! This type of code often sneaks into pagination links or into code that re-populates forms, e.g.:

<input type="text" name="myfield" value="<?php print $_POST['myfield']; ?>" />

where the ‘myfield’ variable contains something like:
" /> <script src=""></script>

For a list of values you might want to try pasting into form fields to see if they are secure, check out this great cheat sheet at

In the end, be REALLY aware of any user-submitted data. Users can put their own data into ANY form field, and into any cookie, so anything in the $_GET, $_POST, or $_COOKIE arrays (and also the $_REQUEST array) is inherently insecure and should be carefully filtered. These are like the STDs of the web!!!
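The form-repopulation snippet above, shown in its vulnerable form and in an escaped form and fed the same payload, as an added example that is not code from the original article. The `field_unsafe()`, `field_safe()`, `e()` and `param()` names are mine, and the `$_POST` value is constructed inline so the script runs from the command line.

```php
<?php
// Added example, not the article's code: the form-repopulation snippet from above in
// its vulnerable form next to an escaped version, both fed the same constructed payload.

// VULNERABLE: the submitted value is pasted straight into the attribute.
function field_unsafe($value) {
    return '<input type="text" name="myfield" value="' . $value . '" />';
}

// Escape for an HTML context: < > & " ' become entities, so the value can neither
// close the attribute nor open a tag. ENT_QUOTES also covers single-quoted
// attributes; ENT_SUBSTITUTE replaces invalid byte sequences instead of returning
// an empty string; the charset is explicit so escaper and page agree on what a
// byte means.
function e($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SAFE: same markup, escaped value.
function field_safe($value) {
    return '<input type="text" name="myfield" value="' . e($value) . '" />';
}

// The same rule applies to every user-controlled source. This reads one key from
// $_GET, $_POST or $_COOKIE with a default, so a missing key is not a notice and a
// non-string (PHP builds arrays from keys like myfield[]) is not silently accepted.
function param(array $source, $key, $default = '') {
    return isset($source[$key]) && is_string($source[$key]) ? $source[$key] : $default;
}

// Constructed sample input: the payload shape shown in the article.
$_POST['myfield'] = '" /> <script src=""></script>';
$value = param($_POST, 'myfield');

echo field_unsafe($value), "\n";   // the attribute closes early and a <script> tag is emitted
echo field_safe($value), "\n";     // one input element whose value is the literal text
```

Escaping belongs at the point of output, not at the point of input: the same string is harmless in a database column and dangerous in an attribute, so the rule is "escape for the context you are writing into", and `htmlspecialchars()` is the right tool only for HTML body and attribute contexts (a value dropped into a `<script>` block or a URL needs a different escaper).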

For articles about web hacks and some good real-world examples, check out other articles on

Don’t Take Cookies From Strangers!

If you thought cookies were somehow immune to the area of security threats, they are not! It’s easy to write your own! The Firefox Web Developer plugin lets you easily create your own cookies. This is great as a web developer, but it can also be a sneaky tool for a hacker to introduce unintended code to your application, so filter cookie contents as carefully as you would the user-submitted forms.

Cookies also store the PHP session id; all $_SESSION data is stored on the server, but the unique key that associates that data with the user is stored in the user’s cookie. If one user authenticates, it’s possible for another user to make requests using that $_SESSION id! Especially with applications that require a login, it’s good practice to get a new session id using session_regenerate_id().
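A login that does what the paragraph above recommends, as an added example rather than code from the article: it keeps the session id in a cookie only, regenerates the id once the user has authenticated, and expires the cookie on logout. The user table is constructed in memory for the example; `start_secure_session()`, `login()` and `logout()` are names I chose.

```php
<?php
// Added example, not the article's code: a login that regenerates the session id,
// with cookie settings that keep the id off the URL and away from scripts.
// The user table is constructed in memory; a real application looks it up in a database.

function start_secure_session() {
    ini_set('session.use_only_cookies', '1');   // never accept the id from the query string
    ini_set('session.use_strict_mode', '1');    // reject ids the server did not issue (PHP >= 5.5.2)
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    // lifetime 0 (browser session), path /, current host, Secure only over HTTPS,
    // HttpOnly always so page scripts (injected or not) cannot read the id.
    session_set_cookie_params(0, '/', '', $https, true);
    session_start();
}

// Constructed users: store only password hashes, never the password itself.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function check_credentials(array $users, $username, $password) {
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

function login(array $users, $username, $password) {
    if (!check_credentials($users, $username, $password)) {
        return false;
    }
    // The id the browser held before login may have been seen or planted by
    // someone else; issue a fresh one and delete the old session data (true).
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
    return true;
}

function logout() {
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser as well as destroying the server-side data.
    setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

start_secure_session();
if (login($users, 'alice', 'correct horse battery staple')) {
    echo "logged in as {$_SESSION['user']} with session id " . session_id() . "\n";
}
```

Regenerating on every privilege change (login, and again on anything like a password change) is what closes the window the paragraph describes: whatever id was in the cookie before authentication is never the id that carries the authenticated session.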

Filtering data

Every time you accept form data, write your regular expressions very carefully so your application accepts ONLY clean, valid data. In general, the simpler you can keep an input, the easier it is to secure: integer-only inputs are “safer” than alphabetic inputs, alphabetic input is safer than input that accepts HTML tags, and so on.

Consider the following filters:
Type-casting to force integer-only values:
$x = (int) $_GET['x'];

Alphabetical characters only:

// Accepts only letters a-z (case insensitive); returns the string, or FALSE if it fails.
// \z (rather than $) is used as the end anchor so a trailing newline is rejected too.
function alphabetical($str)
{
    if ( preg_match('/^[a-z]+\z/i', $str) ) {
        return $str;
    }
    return FALSE;
}

For PHP coders, get familiar with the preg_replace() function: it offers a more standard regular expression syntax (the often emulated Perl syntax). Also have a look at the strip_tags() function.
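An added example (not the article's code) carrying the three-tier idea above a step further: one allow-list filter per input class, each returning the clean value or FALSE so the caller can refuse the request. It assumes PHP 5.4 or later; the function names are mine and the sample inputs at the bottom are constructed.

```php
<?php
// Added example, not the article's code: allow-list filters for the three input
// classes the text ranks. Each returns the clean value or FALSE so the caller can
// refuse the request outright instead of "cleaning" hostile input into something else.

// Integers: validate rather than cast. (int)"12; DROP TABLE x" silently becomes 12,
// which hides the fact that the input was hostile; filter_var() reports it instead.
function filter_int($value, $min = null, $max = null) {
    $options = [];
    if ($min !== null) { $options['min_range'] = $min; }
    if ($max !== null) { $options['max_range'] = $max; }
    return filter_var($value, FILTER_VALIDATE_INT, ['options' => $options]);
}

// Letters only, with a length cap. \A and \z anchor the whole string; a plain $
// would still match "abc\n" because $ allows one trailing newline.
function filter_alpha($value, $maxlen = 64) {
    if (is_string($value) && preg_match('/\A[a-z]{1,' . (int) $maxlen . '}\z/i', $value)) {
        return $value;
    }
    return false;
}

// Markup, when some must be allowed: strip_tags() keeps a short tag allow-list but
// leaves attributes on those tags in place (so <b onclick="..."> survives it), hence
// the second pass that drops every attribute from the tags that remain.
function filter_limited_html($value) {
    $clean = strip_tags((string) $value, '<b><i><p>');
    return preg_replace('/<(\/?)(b|i|p)\b[^>]*>/i', '<$1$2>', $clean);
}

// Typical use: refuse the request when a filter rejects the input.
function page_number_or_die(array $source) {
    $page = filter_int(isset($source['page']) ? $source['page'] : 1, 1, 10000);
    if ($page === false) {
        http_response_code(400);
        exit('invalid page');
    }
    return $page;
}

// Constructed samples: a clean integer, an integer with a payload attached, a name
// with a trailing newline, and markup carrying an event handler and a script tag.
var_dump(filter_int('42', 1, 100));
var_dump(filter_int('42; DROP TABLE users'));
var_dump(filter_alpha("Alice\n"));
var_dump(filter_limited_html('<b onclick="steal()">hi</b><script>bad()</script>'));
```

Of the four samples, only the first passes as an integer and the markup comes back as a bare `<b>hi</b>`, with the script element's tags gone (strip_tags removes tags, not the text between them, so the `bad()` text remains as harmless plain text). Treat the HTML tier as the last resort the article implies: if you must accept rich markup, a dedicated HTML sanitizer such as HTML Purifier is the right tool, not a regex pass over strip_tags().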

Frame Buster

A common trick used in phishing scams or to perpetrate click fraud involves iframe-ing a site. Basically, the “trick” relies on the HTML iFrame tag to make one site display the contents of another without being obvious to the casual user.

One partial solution to this common attack vector is some simple javascript that checks that the page is the top-level page and is not being iFramed:

<!--
if (top.frames.length != 0)
    top.location = self.document.location; // framed: replace the framing page with this one
// -->

Do a Google search for “frame buster javascript” to find other examples.

SQL Injection

This is a very broad topic, and there are numerous ways that SQL-injection might be used to compromise a site, but they all rely on the same principle: you construct strings of SQL statements and issue them against your database. If a malicious user is able to put his own data into one of those strings, it’s possible that a user can execute queries on your database that you never expected. This often gets back to form-validation and the ever important task of filtering user-submitted data!

Here’s a not-so-hypothetical PHP example:

$username = $_POST['username'];
$sql = "SELECT * FROM `users` WHERE `username`='$username'";

where $username contains something like:
'; INSERT INTO users (username, password) VALUES ('hacker_dude', MD5('xxxxxx') )

When that executes, 2 different queries are sent to the database instead of one, and if you’re not careful, it can allow an attacker to gain access to parts of your site and delete or steal data.

One strong line of defense against this type of attack is using a robust database driver that allows for the use of prepared statements (available since MySQL 4.1): where you prepare a statement once, then execute it multiple times with only certain defined variables changing. What this does is it allows you to define your query and only let the user supply the variables to be used in that query. This is a much more sensible option than letting the user essentially construct the query from scratch.

More mature database driver libraries (such as mysqli) will allow you to use prepared statements.

You should also get familiar with escaping quotes in your database queries; this is nowhere near as effective as using prepared statements, but sometimes you have to use statements that aren’t prepared, so get familiar with how to escape strings before sending them to the database. In PHP, use the mysql_real_escape_string() function.

Finally, consider setting up special database users and roles to handle different types of queries. If a query is hijacked, it can only execute with the same permissions as the database handle. In other words, you wouldn’t grant delete or insert permissions to a database handle that was used only for selecting data. It’s more work to set up your database handles this way, but it may help prevent an attack from succeeding.
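The three defences above in one place, as an added example that is not the article's code: the vulnerable lookup, the same query as a mysqli prepared statement, the escaping fallback for statements that cannot be prepared, and a SELECT-only database account for the handle. Connection details, the account name and the GRANT are placeholders, and the script assumes a `users` table with `id` and `username` columns.

```php
<?php
// Added example, not the article's code: the vulnerable lookup from above beside
// the same query as a mysqli prepared statement, plus the escaping fallback for
// queries that cannot be prepared. Connection details and the GRANT are placeholders.

// Least privilege, done once as an administrator (placeholder names):
//   CREATE USER 'site_ro'@'localhost' IDENTIFIED BY 'CHANGE_ME';
//   GRANT SELECT ON site_db.* TO 'site_ro'@'localhost';
// A hijacked query on this handle then runs with SELECT only, whatever text it contains.
$db = new mysqli('localhost', 'site_ro', 'CHANGE_ME', 'site_db');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4');   // escaping is only correct when the driver knows the charset

// VULNERABLE: the username becomes part of the SQL text itself.
function find_user_unsafe(mysqli $db, $username) {
    $sql = "SELECT id, username FROM `users` WHERE `username`='$username'";
    return $db->query($sql);
}

// SAFE: the statement text is fixed at prepare time and the value is sent
// separately, so the article's payload is just a long, odd username that matches
// no row. bind_result() is used rather than get_result() so it works without mysqlnd.
function find_user(mysqli $db, $username) {
    $stmt = $db->prepare('SELECT id, username FROM `users` WHERE `username` = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $row = $stmt->fetch() ? ['id' => $id, 'username' => $name] : null;
    $stmt->close();
    return $row;
}

// FALLBACK: a value can still be escaped when the statement cannot be prepared.
// Escaping is connection-aware, so use the driver's function, and keep the quotes:
// escaping does nothing for a value that is not inside a quoted literal.
function find_user_escaped(mysqli $db, $username) {
    $u = $db->real_escape_string($username);
    $res = $db->query("SELECT id, username FROM `users` WHERE `username` = '$u'");
    return $res ? $res->fetch_assoc() : null;
}

// Constructed sample: the payload from the article.
$payload = "'; INSERT INTO users (username, password) VALUES ('hacker_dude', MD5('xxxxxx') )";
var_dump(find_user($db, $payload));           // no row has that literal name
var_dump(find_user_escaped($db, $payload));   // the same, with the quotes escaped instead
```

Two things the prepared version buys that escaping does not: the database parses the statement before it ever sees the value, so there is no string for the value to alter, and the parameter type is declared (`'s'`), so an integer parameter cannot be handed a string at all. Escaping covers the quoted-string case only; a value spliced into an `ORDER BY` column name or an unquoted number still needs an allow-list, which is why the article's ordering of the defences is the right one.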


Watch your cornhole. There’s a lot going on in a web site, and there are a lot of ways to abuse the technologies that run it. If you understand how the exploits occur, you’ll be better prepared to prevent them.

Get EASEUS Data Recovery Wizard for Free (Giveaway)
Fri, 08 Jan 2010 10:13:35 +0000

[Image: EASEUS - Data Recovery Wizard]

Need to recover some important files? For a limited time, EASEUS is giving away a version of their Data Recovery Wizard. It ordinarily costs $70.

Giveaway Link

The Data Recovery Wizard is capable of recovering deleted files, but it can do much more. It can also help recover files on a disk partition after an accidental format, or even restore a lost partition.

Supported filesystems include FAT and NTFS, and supported operating systems include Windows 2000, XP, and Vista (32-64 bit). Unfortunately, it appears that Windows 7 is not officially supported.

Did you miss this giveaway, or want to try a comparable freeware program? Give Recuva a shot.
