Tech Tips, Reviews, Tutorials, Occasional Rants Fri, 21 Mar 2014 05:03:09 +0000 en-US hourly 1 Top 5 Script Kiddie Mistakes Wed, 10 Jul 2013 07:29:00 +0000 Continue reading Top 5 Script Kiddie Mistakes ]]> These are the most common and most annoying mistakes I see in web development code on a daily basis. Well, Ok, it’s the things that annoyed me most TODAY, but it’s not unique. It’s mostly PHP and MySQL stuff here, but the same abuses take place anywhere the language allows it.

1. Database prefixes. I find so many database tables that use a “table” or a “tbl” prefix. Are you serious? Do you think we don’t already know it’s a table we’re looking at? Likewise, some developers find it somehow necessary to use “column” or “col” in their column names. I mean really… do you pin your own name upside down on your shirt? Seriously, this type of labeling is completely unnecessary and it probably reveals you as the half-baked amateur that you are. Label your column names descriptively: too little info is bad, but too much is no better.

The one exception I make to this rule is this: be verbose with your primary keys because you’ll use those in all of your join statements. I know it’s easier to code if every table uses the ubiquitous “id” as the primary key, but if you ever have to do complex MySQL joins for reporting queries you’ll appreciate the fact that user_id or post_id references the same thing no matter which table it’s used in.

2. Function name prefixes. If you come across a project that uses functions declared in the main namespace it’s not much consolation that the function names are all grouped by a unique prefix. It’s like that Seinfeld bit about Chicken McNuggets: “If it McComes form where I McThink it does, I don’t want to McEat it!” Prefixed functions are the pink slime of development… they might sustain you and your project, but there’s gotta be something better on the menu.

PHP’s function_exists() function goes right along with this… if you are using this to wrap your function definitions, then ask yourself why aren’t you using a class? But if you’re asking this, you’re probably “developing” in WordPress, so you may not know what a class is. Sigh.

3. No Documentation. I’m convinced any college Freshman English Lit major could hire a developer with a pretty good fill rate — all they would have to do is read the comments. If a function does not include a description and a detail of its inputs and outputs, chances are the developer is lazy, incompetent, or both. I can understand not being able to write good code, but omitting docs? All you have to do is say your input expects a string or an array or something or just tell us what the function does, and do not ever just repeat the function name to fulfill the requirement: you missed the point.

Compare this doozy, worthy of a spanking:

To this:

Can you see the difference? I don't even need to read your code: one look at your documentation and I can tell who I would want to hire. Point is this: if you are unleashing your code spawn on the populace, it's your responsibility to document it. Do not force others to wade through your code, no matter how awesome you think it is.

4. Logic in your HTML. Yes, this one is a doozy, and it's soooo common (obligatory stinkeye to WordPress here). Loops, If-statements, and other conditionals really don't belong in your HTML. They belong in a separate layer of your application. Yes, it can be very useful to have some control over your view for readability reasons, but it's so often abused that I must mention it here as a noobie-no-no. Morphine is a great drug -- it's also often abused. Don't overdo it. If you really need to tweak output or formatting in your view layer and that's the only place to do it, well, ok. But if the calculations can be done more efficiently upstream and leave you with a cleaner HTML view that doesn't force designers to learn programming skills, then why not go for the win-win and do it that way?

5. Inconsistent or mixed return values. Your function shouldn't need an interpreter for someone to use it. If it's validating input, then try returning a simple boolean true/false. Don't return a string "success" if it worked and an error message if it didn't -- that's not intuitive for anyone who's worked with regular logic-flow structures. If your function sometimes returns an array or maybe sometimes a string and oh yes, sometimes a boolean, chances are you wrote it wrong. Keep it simple. Convenience can be handy, but don't go overboard trying to handle all kinds of input. In PHP especially, don't rely on literal true/false values since PHP's data types are a bit dubious.

There's so much bad code out there. If you know an experienced developer, ask him/her to review your code. Paired programming is a great way to learn. Don't assume that what you're writing is the best or only way, and be prepared to erase lots of stuff. Iterations can breed progress.

Help! My Site Was Hacked! Tue, 15 Jan 2013 03:50:17 +0000 This can happen to the best of us. Hacks suck. There is no formulaic response to them that is guaranteed to fix your site, but I’m going to outline a few steps that might get you back in the saddle and hopefully help you identify the extent of the damage. The most common type of hack I see is against sites running known systems (like WordPress) where the hacker modifies the index.php file and prints extra code into the pages. This causes visitors to inadvertently download malicious code and it causes Google to black-list your site. Did this happen to you? Keep reading…

1. Verify that no sensitive data was on the server. It’s a whole other ballgame if you were storing credit card or social security numbers. In a nutshell, never store sensitive data on your server! It’s too hot to handle! Let a professional store that stuff. If you did have sensitive data on your server, you can stop reading now, because you need to hire a professional security consultant (and possibly a lawyer) to help dig you out of this mess.

2. Take a snapshot of the crime-scene. Zip up a copy of all files on the site and copy of the database. You should also get copies of your system’s logs dating back to sometime before the hack occurred. You may not need to touch this stuff ever again, but there’s a possibility that later on, a security consultant may want to look at your “bag of evidence”.

3. Restore from backup. You did have backups right? Sometimes it is difficult to know which backup to use. Inspect the backups carefully: you want to find a clean copy. Your host should be able to help identify a time frame of when the site was compromised.

4. Determine your Exposure. If your site was running WordPress (or any CMS), then your database and your database login got exposed. This is simply because if the hacker was able to write to your index.php file, he was certainly able to read your CMS’s config file (e.g. wp-config.php), and thus able to read everything in the database. You have to assume that any passwords in that database are cracked. You can never use those passwords again.

Important question #1: did you use that same password on other sites (e.g. Gmail, Yahoo, Facebook, etc)? If the answer is yes, you need to change those passwords immediately. You’re in a race against time here: any hacker with an ounce of curiosity will try logging into other sites using the credentials he cracked from your database. This is why you should never reuse a password: if one site gets hacked, the dominos start falling. You can use 1password or a similar tool to help you manage your passwords.

Important question #2: does your database login have access to other databases? If the MySQL user you used had access to other databases, you have to assume that any data in those databases was also compromised (including passwords). So you may need to force a password update for those sites too. The lesson here: NEVER grant a MySQL user access to more databases than it absolutely needs.

Important question #3: did you use the same username/password for anything else on your server? Like your FTP login or your cPanel password. If you made that mistake, then you need to assume that the hacker compromised everything that he would have been able to see with that login. If this is your cPanel or WHM control panel, then it’s possible that ALL sites on that server or the server itself were compromised. At that point, you may need to restore your entire server or set up a new one entirely. Again, if you find yourself in this situation, consult with your hosting provider or find a qualified security professional.

5. Consult with your hosting provider or sysadmin. You need to figure out what files the hacker would have had access to. In a PHP site, that means that you would have to figure out what user and group PHP was running as. If you determine that the hacker was able to get root privileges, then you have to assume that any passwords on your server were harvested and cracked, and all sites and all data on the server were compromised. At that point, you need to restore your entire server. If you determine that only your home-directory was exposed, then you can continue patching things up. Make sure that no sensitive files were anywhere in that your user’s home dir. Some juicy targets for downloading might be any notes with logins or backup files that contained other configuration files.

It’s usually not 100% clear how exactly a hacker got in… an unpatched WordPress plugin might not be as bad as an unpatched version of OpenSSH. Your sysadmin might be able to help determine the attack vector. If you want to sniff around, google names and versions of WordPress and/or plugins on — it’s a one-stop shop for hackers, so if you see something on there that matches what you were running, it’s probably a good indicator that that’s how they got in. Hopefully your hosting provider will shoot you straight about what versions of software they were running — most hosts worth their salt will keep their servers patched, and most often, it’s the users who forgot to update something on their site. If you are reasonably certain that the hacker did not gain root privileges, then you can keep going…

6. Change ALL passwords on the server. The database login credentials were exposed via the config file, so you’ll have to change your database login at a minimum, but it’s a good idea to swap out other credentials at this time too — it’s possible that there were keyloggers or other payloads that harvested those other logins, so you’ll want to update them. REMEMBER: you need to do this even if you were able to restore from backup.

7. Update all your files. Update your server (if possible), your version of your CMS, any plugins, any themes, etc. Basically, if you can re-install something on your site, do it. You don’t know for sure if the backup had the same vulnerability, and it’s possible you may just be repeating this exercise in a few weeks if the same vulnerability is exploited again. Really the only stuff you want to keep is stuff that you (or other users) generated, i.e. content. Everything else should be re-installed from a trusted source. Inspect your content carefully for any strange code or payloads… it’s possible that the backup you restored from may not have been clean.

8. Notify Google. Presumably, this whole affair got your site black-listed from Google, so once you’ve cleaned up the damage, you need to fill out a form with Google and request that they re-scan your site. Often you have to specify what steps you took to clean things up. You should expect your site to black-listed for 48 hours. Sometimes you’ll be back online faster than that, but the time frame is not predictable.

Hope this helps those people who have found themselves in this unenviable situation. If you need more of a post-mortem than this, or if you need more protection moving forward, you can look into monitoring services or having a penetration test done. Security is one of those areas where it can be hard to know when to stop — it is a journey more than a destination, and at some point you have to strike a balance to get a setup that has acceptable risk.

Securing Your Email via 2-Step Verification Fri, 11 Jan 2013 20:53:14 +0000 It is vitally important to keep your email account as secure as possible. Google is one organization that emphasizes security, so take advantage of it! For Google Mail, it is easy to enable 2-step authentication. The idea is simple: in order to log in, you must provide something that you know (your password) and something that you have (your phone).

Think about this for a moment… normally if someone gets ahold of your email password, they could read your email (or impersonate you!). Think about it a bit more: once a hacker is in your email, they can visit other sites (like Facebook, PayPal, or ???) and they can easily click the “I Forgot my Password” link, and POOF: they’ll be able to log into any site that uses that email address.

The bottom line is that a hacked email account can start a chain reaction that can destroy your digital life. But with Google Mail, there are steps you can take to prevent this.

Here’s a brief video showing you how to set this up. If you’re not the domain administrator, then you can follow along with steps 4-7 below.

Enabling 2-Step Authentication in Google Mail

If you are not the domain administrator (e.g. if you are an employee) and you know that your domain administrator has already enabled this, then you can jump to step 4.

  1. Log into the Google Mail account that is the administrator for your domain.
  2. Click the Gear icon at top-right and click the “Manage” Link. That should bring up the administrator control panel.
  3. Click on the “Advanced Tools” tab, then check the box labeled “Allow Users to turn on 2-Step authentication”.
  4. Head back to the mail page by clicking the “Mail” link at the top of the screen. (If you’re not the domain administrator, this is where you would begin: inside your Google Mail home page).
  5. Click your email address at the top right: this should open a drop-down menu. Click the “Account” link next to your account avatar image.
  6. Click the “Security” link in the left-hand menu.
  7. In the “2-step Verification” section, click the “Settings” link and enter in a valid phone number.

See also Google’s official documentation.

Using Mail Applications

For our friends using iPads, smart phones, etc. and who are running a Mail application, you have to set up an “Application Password” for these applications. These single-use passwords are intended for use by a single application, and they bypass the 2-factor authentication. This is necessary because some applications don’t yet support 2-factor authentication, so the application-specific passwords offer a workaround that still takes advantage of the stronger security features.

The Importance of Unique Passwords Mon, 05 Nov 2012 17:30:47 +0000 Continue reading The Importance of Unique Passwords ]]> This is a topic that Brian and I have spoken about in several posts, but take a minute to think about it: what could happen if a hacker cracked just one of your passwords? You may not think your information is really very special… so what if someone reads your email to your mother, right? Well, let’s think about this a bit…

I just read Parmy Olson’s We Are Anonymous, and one of the most devastating hacks carried out by the hacker group Anonymous was against the cyber security firm HBGary Federal and its CEO, Aaron Barr. One exploit gave the hackers password hashes, which were then cracked, so suddenly hackers had Aaron’s passwords out in the open: “kibafo33”.

But here’s where things get nasty: Aaron (who should have known better), used the “kibafo33” password on multiple sites including Twitter, Yahoo, and World of Warcraft. So with a single weakness in a single web page, suddenly, his whole digital world unraveled. The hackers were not gentle: Aaron basically lost his job, his reputation, and had to move to a new house just because some juvenile hacker-pranksters were out for a laugh. It’s not much consolation that the Anonymous hackers were eventually discovered and arrested.

So just think: what juicy bits of info could someone read in your emails? Are there naked photos in there? Do you have emails in there you’d prefer your wife/girlfriend/husband/boyfriend don’t see? Did someone ever email you a password to some other site? What’s on that other site?

It doesn’t take much imagination to realize how thoroughly you can be screwed over by losing control of just one of your online accounts. If you have used the same password more than once, then take the time fix that now. We’ve mentioned it before, but LastPass is a great browser plugin to help you store passwords securely and make the task of managing multiple passwords much easier.

]]> 2
How to Simply Rip DVDs in 64-bit Windows Sun, 08 Jul 2012 22:33:41 +0000 Continue reading How to Simply Rip DVDs in 64-bit Windows ]]> Handbrake iconIn the past, we’ve looked at how to easily rip DVDs on the Windows platform. That method still works great, unless you’re on a 64-bit version of Windows. For those of us now running Windows 7 64-bit, we have a problem: DVD43 – a required decrypter used in the previous tutorial, does not get along well with 64-bit versions of Windows.

The Solution – Handbrake with libdvdcss

There’s an easy solution to this problem, and it only requires the installation of one software program. I’ve migrated to the mighty Handbrake for all my DVD rips. First, install the 64-bit version of Handbrake. As of this writing, the latest version is 0.9.6.

With Handbrake installed, make a mental note of its installation location (probably C:\Program Files\Handbrake). Next, download the libdvdcss-2.dll file from Handbrake’s repository. Here’s a zipped copy of my working file (libdvdcss), just in case.

Take your copy of libdvdcss-2.dll and put it inside your Handbrake installation folder, as noted above. Finally, rename the file to libdvdcss.dll.

Handbrake folder with libdvdcss


Let’er Rip

You can now launch Handbrake and rip DVDs as usual. The full Handbrake guide is here, but one quick-and-dirty guide is to:

  • Choose your DVD from the Source button
  • Select your Title (you’re probably looking for the one with the longest duration – that’s the full video)
  • Pick a Destination for your ripped video file
  • Choose a Preset on the right side (I tend to stick with Regular – Normal)
  • Hit the big, green Start button, and let’er rip!
Handbrake - Main window
Handbrake – Click to enlarge

That should do it! You should now be able to decrypt and rip DVDs on Windows 7 64-bit. On a personal note, I’m impressed at how little time it takes to rip a full-length movie on modern hardware versus just a few years ago. I’m showing my age, but I fondly recall ripping DVDs using my beloved antique workhorse from 2001: an AMD 1600+ processor with 512 MB of DDR 133. Ripping a single DVD might have taken 8 hours or more! Today, it takes minutes. You kids today have no idea how lucky you are.

Okay, that’s enough nostalgia for this old timer. Get off my lawn, and I’ll get back to ripping my DVD collection. 🙂

Microsoft takes another hit: NGINX tops IIS Wed, 11 Jan 2012 05:24:23 +0000 Some bloggers have suggested that ripping on Microsoft is going out of style… but this week Microsoft’s beleaguered IIS web server got bested by the open source NGINX web server.

Web Server Statistics
Microsoft IIS goes down

My beefs with Microsoft are many, however, I will tip my hat to Bill Gate’s many generous donations to charity. That’s really the most remarkable thing about Microsoft: it gave birth to one of the most magnanimous philanthropists of an entire generation, and no words can express thanks for that.

BUT…. historically, Microsoft’s products have typically been poor knock-offs of existing technology. You get an inferior product AND you have to PAY for it: it’s the worst kind of insidious lose-lose situation imaginable.

Let’s take a quick waltz through history and review products that Microsoft has ripped-off (thank you David A. Wheeler):

  • BASIC: Microsoft’s BASIC was released in 1975, but BASIC itself had been invented back in 1964
  • MS-DOS: 1981 Microsoft released this hastily written knock-off of Unix.
  • Windows: Released in 1985, clearly inspired by Apple’s Macintosh (which, in turn, had been inspired by Xerox PARC).
  • Windows NT/2000: finally provided limited multi-user capability by liberally borrowing ideas from the pre-existing VAX VMS and Unix systems.
  • Word: Microsoft’s 1983 knock-off of a word processor was based on Lexitron and Linolex (1972), and WordStar and WordPerfect (1979)
  • Excel: Microsoft’s product borrowed from the original VisiCalc (1978) and Lotus 1-2-3
  • Access: uses Codd’s models, which were developed in 1970 (before Microsoft even existed)
  • Internet Explorer: an extension of the older NCSA Mosaic web browser.
  • Active Directory: a re-implementation of the Lightweight Directory Access Protocol (LDAP), with Microsoft’s proprietary variant of MIT’s Kerberos often being used for identity authentication.

Mr. Wheeler sums it up nicely: All major Microsoft products are essentially re-implementations of previous products; none are fundamentally innovative.

So, who is dumb enough to pay top-dollar for a second-rate product? Simple: CORPORATIONS. Big businesses are Microsoft’s last stronghold. They are inefficient, bloated organizations incapable of rational thought. Instead of getting stuff done, corporations are designed to feed you coffee and harvest your pee. And these legal “people” are demonstrably psychopaths who buy Microsoft products.

The thing that is fundamentally wrong with some of these products is that they waste enormous amounts of time. Take Internet Explorer as an example (ah yes, bring forth the whipping boy): how many hours, days, weeks, months, or YEARS of man-hours has that browser wasted for web designers and developers? I’m reminded of the burning of the library at Alexandria or the destruction of non-canonical texts by early Christians: how many hundreds (or thousands) of years did that set back civilization? What a waste. And I have to wonder, how many years has Internet Explorer set back our technological civilization? A similar comparison could be made for IIS.

So to wrap this up, I salute NGINX: may their momentum snuff out the IIS’s inefficient bloat-ware once and for all.

]]> 2
How WordPress Destroyed the Internet Tue, 10 Jan 2012 07:38:15 +0000 WordPress is so popular that it is taking over — it’s behind 22% of all new sites on the internet, but this sets a dangerously poor coding standard. Our infrastructure is crumbling!

Yes, this is a rant. My beef today is this: the WordPress manager might be easy to use, but under the hood, it sucks. There, I said it. It’s awful architecture and it has taught thousands of web developers that it’s Ok to write piss-poor code. This has single-handedly dumbed-down a whole generation of developers by setting a bad example. WordPress is the junk food of coding standards: ubiquitous, tastes good, but lacking any nutritional value.

I’ve ranted about WordPress before but what put me over the top today was the Suffusion Theme. It looks like a clean layout, so I thought I’d give it a try. Holy flaming monkey balls, was I in for a shock!

Suffusion Theme Options
Holy Smokes: The Suffusion Theme is not just a Theme

This theme not only has a metric-crap-ton of options, it also does the unthinkable: it allows you to register custom post-types and custom taxonomies. Does that sound like something else? Why, yes, it does: THAT, my friends, is A PLUGIN. Now, no offense to the theme’s author — it’s a clean interface and he obviously takes a lot of pride in his work — but this type of thing should never occur. A theme should never introduce extra functionality. What happens when you change the theme? Your whole site could collapse.

The conclusions that I have to draw about about the architecture here are pretty negative: WordPress allows (or even encourages) the polluting of application layers in very unhealthy ways. It’s a very serious black mark for an application to allow a theme to get away with that. The view layer should be static: no logic, no functionality, it should merely determine how data is displayed.

This is hardly the end of the architectural infractions WordPress is guilty of, but it is perhaps one of the most obvious. I’d better leave it at that: the way WordPress is built allows for severe architectural flaws that make development difficult or impossible. Buyer beware.

Review of Web-based Project Management Software Sat, 31 Dec 2011 05:00:52 +0000 Help! I gotta keep track of everything I gotta do! There is help available to track your projects, you just got to know where to look.

A lot of developers, designers, students, and even web-hobbyists have a lot of items on their to-do lists for any particular site or project. You have to remember to fix that one CSS glitch, or rewrite a page to use some new function… the lists can be long and daunting. If you’re like me, you’re likely to forget half the stuff you need to do, and if it weren’t for project management software, I might as well stay in bed.

To put it mildly, there are *a lot* of applications out there that help you track bugs and manage projects, and this article only looks as a handful of them. Although the general purpose of these web-applications are similar, there are substantial differences in the pricing models, features, and usability, and hopefully this article will help you identify an application that is right for you. Or, if you’ve never really thought about using one before, maybe this article can help show you why project management / bug tracking software is good to have around.

This post only covers project management. I’ve discussed invoicing softare in another post. Some of these packages include time-tracking and invoicing, but that’s just a “nice-to-have” for the purposes of this article.

DISCLAIMER: I am not affiliated with any of these companies. None of the links in the article text are affiliate links; I don’t get a kickback or commission on referrals, I’m merely sharing my opinions and experiences using the software in the hopes that it’ll help inform the decisions of others.

Here’s the list… some of these are hosted solutions (software-as-service), and some you have to download and install.


Cheapest Option: Free

# Users: unlimited

Wiki?: yes

Notes: This suite of Apps seems like they were hoping to get purchased by Google Apps… kinda similar, but more labored somehow.

My Intervals

Cheapest Option: Free

# Users:4


Notes: You can get 1 project for free… but the functionality is limited.

Bit Bucket

Cheapest Option: Free

# Users: 5

Wiki?: yes

Notes: yet another solution…


Cheapest Option: Free

# Users: 2

Wiki?: Yes, called “Notebooks”

Notes: This is one of my favorites for hosted solutions. I recommend Unfuddle — it’s not a silver bullet, but Unfuddle is a great tool for maintaining sanity: clean, simple, and easy to use. If you pay a little bit, you can unlock the best features.

Code Spaces

Cheapest Option: $3.99/mo

# Users: 2

Wiki?: yes

Notes: I felt the manager here was heavy… sorta Windowsy in a bad way, as in the interface needs to lighten up, but did have a good set of features.

Feng Office (Formerly OpenGoo)

Cheapest Option: $59/mo

# Users: unlimited

Wiki?: yes

Notes: this is a popular solution for its thoroughness. — you have to install it on your servers, which is actually a good thing for people storing sensitive info.


Cheapest Option: Free

# Users: unlimited


Notes: This one you have to download and install on a server that runs PHP and MySQL — it includes features for sales teams. It’s built using the ATK framework.

Project Pier

Cheapest Option: Free

# Users: unlimited

Wiki?: yes

Notes: you gotta download and install this PHP/MySQL app. This is like the PHP cousin of Redmine, so if you don’t have the ability or resources to work with Ruby on Rails, this is a nice option.


Cheapest Option: Free

# Users: unlimited

Wiki?: Yes

Notes: This is a clean app — another one you have to download and install yourself. It’s a nice option (try the demo). The only thing I didn’t care for was that the app relies heavily on icons, so it’s hard to get your bearings. Good German engineering!


Cheapest Option: Free

# Users: Unlimited

Wiki?: Yes

Notes: This is my favorite. It’s not perfect, but it’s a clean interface and easy to navigate. The major downside is that you have to install this yourself. Can you install Ruby on Rails on your server? No? Then this might not be for you.


Cheapest Option: Free

# Users:unlimited, but only 1 project.

Wiki?: Yes

Notes: although this is hugely popular hosted solution and it’s well integrated with many software projects, this does not have a good ticketing system, and it does not tie into code versioning (e.g. SVN), so I don’t fully comprehend its popularity. It’s pretty good, but it seems over-hyped.


Cheapest Option: $25/mo

# Users: unlimited

Wiki?: yes

Notes: This integrates with their Kiln product to tightly integrate bug tracking with code revisions. There’s another product Trello that does visual project organization, but to be honest, I’m kinda confused by these interrelated projects.

Pivotal Tracker

Cheapest Option: $7/mo (free for non-profits)

# Users: 3

Wiki?: sorta

Notes: This is a serious app from the boys in Boulder for agile development — they’ve really thought through the way that large projects should be managed. It’s a hosted solution, but they can install it in on-site if needed.


Cheapest Option: Free (for open source), otherwise $15/mo

# Users: 10

Wiki?: yes

Notes: another clean app. This is a hosted solution.

Google Code

Cheapest Option: Free

# Users: unlimited

Wiki?: yes

Notes: This option is available ONLY for open-source projects. It’s clean, with an easy interface. Updating wiki pages and bugs seems to triggers errors not infrequently, but I recommend this for any open source project.


Cheapest Option: Free

# Users: unlimited

Wiki?: yes

Notes: A lot of projects use this (e.g. WordPress): You download and install it. It’s written in Python and can run on several common databases.


Cheapest Option: Free

# Users: unlimited

Wiki?: yes

Notes: It’s functional, but the UI/UX is pretty crusty. Sorry to poo-poo the hard work of the devs here, but I never felt like I could get clients to use this app… it’s a bit disjointed.


Cheapest Option: $10/mo

# Users: 10

Wiki?: Yes

Notes: This is popular with big corporations. The biggest disadvantage of this is that it’s HEAVY: you gotta have a rock-solid sysadmin to setup Tomcat on your server to install this behemoth.


Cheapest Option: Free

# Users: unlimited

Wiki?: no

Notes: this is a powerful Perl application used by Firefox that can be the public face of your app. You have to download and install this.


Cheapest Option: Free

# Users: unlimited

Wiki?: Yes

Notes: this thing is on fire — GitHub is THE thing right now. It’s wiki is a pain in the ass compared to Google Code when it comes to formatting special characters. Paid plans get private repos.

Hopefully that’s a good list to help you narrow down your choices. If that’s not good enough for you, check out Wikipedia’s comparison of issue tracking systems

]]> 4
Why GoDaddy is a Horrible Host Sat, 24 Dec 2011 19:16:44 +0000 GoDaddy sucks… their dashboard is completely un-navigable, their shared hosting has repeated errors, their VPS hosts are so poorly configured that they can’t even run updates on themselves, their CEO murders elephants for his own amusement, and they think that a few Superbowl ads featuring Danica Patrick will somehow make us forget how bad they suck. And now this…

You may remember my earlier comparison/rant of VPS Hosting Providers. GoDaddy was on that list of hosts to avoid, but recent events have loaded my arsenal with rant-fuel and I cannot contain myself any longer: GoDaddy is a horrible web host and a terrible company that not only wastes your time and money, it may actively be trying to F you in the A!

The Technical

First, the the technical stuff. This is stuff that actually happened. These are facts, and I invite any other developer to share similar experiences. I got a call late Friday night from a frenetic client with the horrible words: “THE SITE IS DOWN!!!”. Any developer who has heard those words on a Friday night knows that they can kiss their weekend goodbye, and so it was.

The site in question was hosted on a GoDaddy shared host. Ok, so what happened? Well, it’s an eCommerce site that required that a certain port be open for incoming and outgoing requests in order for the site’s software to communicate with the credit card processing (hosted on secure site somewhere else). Without warning, GoDaddy changed their firewall rules and they closed that port. Oops. That prevented the site from doing any business.

So what’s more frightening here? The fact that GoDaddy shut down this port without any warning, or the fact that they denied ever having that port open in the first place? In a separate incident, I had another GoDaddy server upgrade its version of PHP from 4 to 5. Any application developer will know that such a dramatic change in the underlying code can be catastrophic. And it was: the application completely broke because much of the code was not compatible with PHP 5. So the point of the story here is that I have personally experienced massive server changes on GoDaddy servers without any warning and sometimes without any acknowledgement. This is just not acceptable for any web host, and to date, I’ve only experienced this with GoDaddy.

And then it gets worse. The client wanted to keep his GoDaddy account, so he forked over the money to get a Linux VPS with GoDaddy. Man. The provisioning took over 12 hours and several calls to tech support. The GoDaddy dashboard is awful, and their ticketing system is equally poor: you can’t see your open tickets (!!!), so you have no idea what status they are in. You can chat with the techs (if the chat window doesn’t crash before you get through to somebody), but you cannot see any updates or add any information to your requests… you have to call to get information, and this can take a looooooong time.

But eventually GoDaddy got it up (heheh), and I started to configure the Linux Server with Plesk. Now the site required PHP 5.2.4 or greater, but the server shipped with PHP 5.1.6 (CentOS). There was no option to select different distros or different setups other than Plesk or cPanel on CentOS. So I started to get the server ready for take-off by updating packages and compiling a new version of PHP. I tried to download core updates… but out of the box, the repos were not correctly defined, and the VPS could not update itself. So I tried to run some updates by hand — we just needed PHP 5.2.4. So I tried to download and compile it. But the damn thing kept hanging. After some googling, it turns out that GoDaddy intentionally spikes the CPU which causes memory allocation failures. So the Plesk setup as offered by GoDaddy could not even put its own pants on.

So we had to pay an extra $10/month to get a WHM/cPanel server. So it was another 12 hours of provisioning (turns out the process hung, but without the ability to see the status of the ticket, I only got this info when I phoned in). But basically the same thing happened with the cPanel server: EasyApache could not finish executing due to memory/CPU throttling (not even on the command line). Something on those servers was completely F’d. As usual, GoDaddy techs denied everything, even when confronted with error logs. It was ridiculous and a waste of time for me and for the client (who hadn’t been able to sell anything on his site for about 48 hours at this point)

The final bit of ludicrousness was when we requested a separate IP address for the server so we could install the SSL certificate. With LiquidWeb, getting an extra IP address takes about 60 seconds. With GoDaddy? It took about 6 hours. Blink blink.

So the final solution here was to move this site over to my own server, which only took an hour or so. Instead of taking all weekend, it took only an hour. The conclusion is that GoDaddy is really good at creating billable hours, but not at actually having a working product.

The Non Technical

The non-technical stuff here is a bit more subjective, but it’s equally unflattering. You may remember the controversy when GoDaddy CEO Bob Parsons bragged about shooting and killing an elephant and a leopard. Mr. Parsons tried to play it off as some kind philanthropy because “elephants are destroying Zimbabweans’ crops”. In my opinion, anyone arrogant and/or stupid enough to justify their actions with a statement like that really deserves a punch in the dick. LEOPARDS DON’T DESTROY CROPS. And if Bob Parsons really cared about the plight of Zimbabweans’ crops, he’d do something more effective like fund charity organizations in Africa or help them build a fence. I mean, seriously… have you seen his Video Blog? Arguably, the elephant and leopard got treated more humanely with bullets to the face than those of us who watched a 61-year-old man ogle the scantily clad women grinding against him while he lectured us on “hiring great employees.”

Bob evaluates his employees greatness

And remember my disgust with QuickBooks? Looks like Bob had a hand in that as well: apparently, he sold his accounting software to Intuit in 1994.

And now with the internet censorship laws coming up in relation to the “Stop Online Piracy Act” (aka SOPA), we see that GoDaddy is a political animal. First they came out in support for SOPA. Then after a “maelstrom” of internet backlash, they later discontinued support for SOPA. But what bothers me is the casual internet citizen is fooled by this token gesture. It seems that it was a calculated move by GoDaddy where they make a public statement to placate the sheople, but behind closed doors, they still are working to game the system for personal gain and the expense of public freedom. This article about a judge forcing domains to be transferred to GoDaddy was alarming. How much does the system have to be corrupted if the legal system is ORDERING domains to be transferred to GoDaddy? Why does this sound like Iraq under Saddam Hussein where oil companies were ORDERED to do business with Saddam’s relatives. It just stinks to high heaven.

What to Do

Get your sites off of GoDaddy. They are Ok as a registrar if you can tolerate their idiotic dashboard and general ineptitude, but you’re wasting your life and your money if you host with them. Gotta love developers: here’s a good reference for how to move your domains off of GoDaddy: Moving Domains off of GoDaddy, but really, if you want to stick it to GoDaddy then you should call them and tie up their phone lines as much as possible. Have them walk you through how to transfer your domains…. step…. by…. step.

Sign up to boycott Godaddy here.

Find another registrar. NameCheap offers pretty much every TLD you can think of, and they at least as cheap.

If you need some good VPS hosting, I still have some space on my server: you get more horsepower than you’d get on your own VPS, and you don’t have to spend all the time setting the thing up. Contact me if you’re interested.

]]> 9
MODx vs. WordPress (revisited) Sun, 25 Sep 2011 20:25:00 +0000 last article I wrote about this topic was criticized as being heavy-handed in my complaints about WordPress, so in this article, I am revisiting the topic from the other side of the fence. There are things about WordPress that are great, and there can many good reasons why you'd choose it as your Content Management System.]]> The last article I wrote about this topic was criticized as being heavy-handed in my complaints about WordPress, so in this article, I am revisiting the topic from the other side of the fence. There are things about WordPress that are great, and there can many good reasons why you’d choose it as your Content Management System.

Ease of Updating

WordPress has done a fantastic job of making its product easy to use: each time there is a new version of WordPress, it takes only the click of a button to update your site. MODx still requires an FTP connection and an FTP client that can merge directories, otherwise, the upgrade can be hairy indeed. Unless you’ve got a really nice FTP client like Coda or you’ve got SSH access and you’re comfortable using cp -fr, then MODx can’t compete… MODx-ers will have to wait until version 2.2 or 2.3 when MODx will offer seamless upgrades.

WordPress also lets you easily upgrade all your plugins with a single click. MODx Revolution introduced package management, so you can see which plugins need updating, but it’s still not as streamlined as what WordPress offers.


Although WordPress at times is boneheaded and backwards in how its code is built, it is almost always extendible. MODx, especially Revolution, represents some code that is much more mature. If you are a PHP hobbyist or even a junior level developer, there’s a good chance that you won’t be able to follow the core MODx code because it’s so much more complex. MODx has areas that simply are not easily customizable — for example, the MODx manager is just flat-out hard to programmatically modify. At best, customizations of the MODx manager can be accomplished via configuration, but customizations via plugins can be complicated, and at worst, they may not be impossible. The WordPress manager, by comparison, is nearly always customizable via one event or another, so with a working understanding of PHP, you can usually trick things out to how you want them. WordPress may be completely low-brow in how it implements certain functionality, but as long as you can find an appropriate action or filter to hook into, you can usually customize the dashboard to how you want it.

Some of the more-experienced readers might be raising an eyebrow here as I compare MODx and WordPress in this area, because the MODx architecture is built so much more sensibly and because MODx is entirely object-oriented, it is by definition easier to override behaviors. But my point is that for “Joe Coder”, there are many tweaks that are simply easier to carry out in WordPress. It’s a bit like having a Volkswagon and a Jaguar in your garage: you can carry out most repairs on the VW with a wrench and a screwdriver whereas the Jaguar requires special tools, experience, and patience.


WordPress’ manager is built using jQuery. The MODx Revo manager is built using Ext JS. Although Ext JS offers way more options when it comes to building an application, the experience of using the MODx manager is that it is sluggish and more difficult to customize due to the steeper learning curve. The WordPress manager may not represent the most mature architectural principles, and jQuery may be simplistic for certain uses, but WordPress is generally much faster to use — jQuery has a much lighter footprint so it loads more quickly and doesn’t require as many resources from your server.

Secondly, jQuery, like WordPress itself, is much more widely used than Ext JS. There are lots of jQuery plugins available and it’s generally easier to customize. No, jQuery isn’t going to be the end-all-be-all of your web application, and it isn’t going to scale well when you start demanding more and more complex user-interfaces, but it really fits the bill for a huge number of sites and interfaces.

Post Types

Any good content management system has to be able to store different types of content. In general, MODx is far better at this from an architectural and from a templating standpoint, but from the viewpoint of the average manager- or editor-user, WordPress generally makes more sense. MODx lets you define custom fields (called Template Variables in MODx parlance), and you associate them with a template. It makes good sense architecturally, but it is a bit… weird.

For example, you may create a “Book” template with custom fields for “Title”, “Author”, and “ISBN”. So the work flow in MODx is that you add a generically-named Document, then once you select the “Book” template, the “Title”, “Author”, “ISBN” custom fields appear, suddenly making the document a “Book” document. That works, but many users just don’t get it: they want to add a Book to their site. WordPress 3 allows for post types, which accomplishes just that — the built-in implementation is very primitive in comparison to MODx, but once it’s up and running, you won’t need to lecture your users about how a “Document will become a Book once you change the template”. If that explanation is confusing to you, then you can appreciate why WordPress’ implementation of this concept is easier to work with as an end-user. The Custom Content Type Manager plugin fixes many of these WordPress warts.


Hopefully this article explains a bit more of WordPress’ strengths: it’s not the best solution for every project, but it can be the right choice for a lot of projects. I still have a long list of gripes about WordPress, but that doesn’t mean it doesn’t have its strengths.

]]> 2