fidzu : WordPress

As the engineer and writer Alex Payne put it, these startups represent "the field offices of a large distributed workforce assembled by venture capitalists and their associate institutions," doing low-overhead, low-risk R&D for five corporate giants. In such a system, the real disillusionment isn't the discovery that you're unlikely to become a billionaire; it's the realization that your feeling of autonomy is a fantasy, and that the vast majority of you have been set up to fail by design.

From Wired's One Startup's Struggle to Survive the Silicon Valley Gold Rush.

30 Jul 2014 1:05pm GMT

Vietnam is getting its first WordCamp on September 6th, 2014. WordCamp Hanoi was born out of the Hanoi WordPress Group, an active local meetup with nearly 300 members. The group connects WordPress enthusiasts in the area for relaxed chats and presentations. As of last month, WordPress is now 100% translated into Vietnamese, and some of the meetup members were active in helping to reach that goal.

WordCamp Hanoi is set to have three presentation tracks to include the business side of WordPress, using WordPress, and developing for WordPress. The call for speakers is open and applications will close on August 11. Organizers are looking for volunteers to help with food, shopping, creating speaker gift bags, designing and organizing badges, and all the other behind-the-scenes magic that powers WordCamps.

The Hanoi WordPress Group has been meeting for the past two years and its members have created a friendly atmosphere for connecting with other local enthusiasts. Philip Arthur Moore, one of the organizers of the event, is hoping that same atmosphere will be part of Vietnam's first WordCamp. "Our goal this year is to keep the event simple, cozy, small, and familial, something that our group has done a good job of maintaining since its 2012 start," he said.

WordCamp Hanoi will feature a diverse range of presentations to interest as many different kinds of WordPress users as possible. If you're planning on being in Hanoi during September, watch for the ticket announcement so you don't miss this historic WordPress event.

30 Jul 2014 3:54am GMT

Many Google Maps plugins have a convoluted admin workflow for creating locations in WordPress. Some of the clunkier solutions actually require you to look up longitude and latitude coordinates to manually input for pinpointing. Very few maps plugins utilize custom post types to provide a user-friendly input.

Stellar Places is a new plugin designed to provide an intuitive way to create, manage and display locations in WordPress. The plugin registers a custom post type for locations with integrated Google maps. Once activated, a new Places menu shows up in the WordPress admin:

Scroll down to enter location data, which is pulled in via Google Maps. You can enter an exact address, just the cross streets, exact coordinates, etc. There's a good deal of flexibility in entering a location to pinpoint. The map and extra data fields are automatically updated with your location, without refreshing the page.

Places added can be accessed on the front end via the location listing view or single location view with the associated maps. Maps can be inserted into a page or post using the [stellar_places_map] shortcode. Stellar Places also allows you to display multiple locations on the same map.

The shortcode for embedding places is extremely customizable and includes parameters for customizing HTML attributes, such as ID, class, width, and height. It also includes query parameters for limiting the display by post_type, taxonomy, term, category, and post_id. Shortcode map settings allow you to specify latitude/longitude for the map center, mapType, scrollwheel, zoom, minzoom, maxzoom, and infowindows.

The plugin is also mobile-friendly and produces responsive maps that are easy to navigate on devices. This makes it ideal for featuring local events, divided by categories. You could also use it to create a store locator for businesses that have multiple physical locations. Each location gets its own dedicated page and will automatically appear in the list of all locations.

Stellar places features include:

• Live map preview
• Drag and drop marker relocation
• Location pages for better SEO
• Unlimited locations and maps
• Mobile friendly, responsive maps
• Easy map embeds via a customizable shortcode

In the future, the Stellar Places development team plans to build extensions for the plugin that you can install to gain additional functionality.

An easy-to-use maps plugin that looks and feels like native WordPress is long overdue. I tested Stellar Places and found that it works as advertised. The process of adding new places is intuitive and maps can be tailored to your exact specifications with the many options available in the shortcode. If you're looking to try a new Google Maps plugin for WordPress, download Stellar Places for free from WordPress.org.

29 Jul 2014 8:04pm GMT

While there are many excellent plugins that make migrations easier for developers, WordPress migration as a service hasn't been widely marketed. MigrateWP is a new business dedicated solely to providing smooth, painless migrations for people who don't have the skills or time move a site from one host to another. Pricing starts at $200 and includes DNS migration and a free site audit. Larger and more complex migrations range from $300-$750.

Founder Daniel Griffiths describes MigrateWP as a curated migration and conversion service for WordPress. Griffiths is best known for his work as an Easy Digital Downloads extension developer and is also the founder of the Redux Framework. During the course of his work, he found migrations to be a source of continual frustration for the average WordPress user.

"The idea came about as a direct result of a series of issues posted in the Easy Digital Downloads support forum related to migration issues experienced by one of our users," Griffiths said. "I came to the realization that no matter how well documented, migrations suck! Even for someone who's done a few, they're a headache and for a new user, they're downright impossible."

A Hands-On Migration Service with No Automation

After researching the problem, Griffiths found that there are very few resources available to facilitate site migration, let alone conversion, for end users who aren't technically inclined. "Yes, there are a few other services, but they all suffer from one fatal flaw: automation," he said. "MigrateWP was built on the premise that no matter how well thought out, automated systems can't compare with the reliability that manual processes can."

Griffiths hand-tailors the migration process for each user's unique scenario, and all migrations are completed hands-on by specialists with a high level of experience. This enables MigrateWP employees to ensure data integrity and customer satisfaction.

"Beyond the basic migration component, we do site conversions, full site auditing, and every migration is run through malware checks both before and after the migration process to ensure the client receives a clean site when the process is finished," Griffiths said.

Customers often have no idea how much information they will need to provide access to in the course of a migration. I asked Griffiths how he plans to simplify the process of interfacing with his clients' old and new hosts. "Before the migration begins, we personally contact every client to work out the details of the migration," he said. However, the initial contact on the website is designed to be quick, without attempting to capture all of the information required.

"Our client contact form is extremely simple for a reason," Griffiths said. "Particularly in the case of companies, it's unreasonable to expect a single individual to know all the details up front. After all, companies frequently have multiple employees responsible for various facets of their tech. This may well include different people responsible for the physical hardware as opposed to software, or corporate staff changeovers."

Griffiths' team first performs a site review and engages each potential client directly to get a grasp of the actual migration before proceeding. He is aiming to hire a 5-10 person staff within the first year.

In the future, he hopes to attract developers to utilize his service, in addition to assisting end users who don't have the skills to migrate their own sites. Any capable WordPress developer should be able to easily handle an average site migration, but Griffiths hopes to free up their time by creating agreements with development agencies or hosting providers to manage their client migrations.

The commitment to provide a more personalized migration experience with no automation is what Griffiths hopes will distinguish MigrateWP from its competitors. Many hosts already offer free automated migration when you sign up for a new account. Do you think end users are more likely to utilize a dedicated migration service or will MigrateWP find more success among developers and agencies?

29 Jul 2014 6:12pm GMT

WP Tavern reported recently that WordPress Developers are organizing a community initiative to standardize common post types, taxonomies and meta data. Led by Justin Tadlock, popular WordPress developer and author of Professional WordPress Plugin Development, the goals of the community project are to name these common parts of WordPress to create a more stable and […]

29 Jul 2014 4:57pm GMT

29 Jul 2014 3:54pm GMT

29 Jul 2014 3:42pm GMT

wpgo.go is a command-line tool to interact with WordPress blogs, written in Google's Go language. It's cool to see this new generation of apps built on WP.com + Jetpack's new APIs, like Postbot.

29 Jul 2014 3:30pm GMT

Welcome to the fifth "Week in Review" on Post Status, where I hope to offer up some of the things you may have missed in the last week or so.

Sass is coming to Underscores

A long-awaited feature, the first pass at introducing Sass to the Underscores (_s) theme has been committed. This morning's commit by Tammie Lister follows a number of much-discussed Github threads, and it looks promising. The Sassy version of Underscores is in its own branch, if you want to explore it further and get started with that version right away.

I've been using my own forked version of Underscores for some time now, that includes Sass, and I'm happy to see this change. I look forward to comparing their version with my own and learning from it. Underscores has become one of the most popular WordPress themes to build custom websites from, and this is a great change.

If you don't think you're ready for Sass, Josh Pollock has a nice post on Torque to help you out.

Custom post type standards are underway

After my post recommending that Jetpack lead the way for standardizing custom post types, Justin Tadlock wrote an excellent follow-up piece.

Furthermore, he started a Github repo for a community-based, unofficial standards document. This is exactly the type of discussion that I hoped would occur, and I encourage you all to get involved. If enough of us encourage standards for some common custom content types, we can make portability between WordPress themes even better, and that would be great.

The first issue is to decide what post types to standardize, so go get involved.

Standard site logo support for the customizer

Also along the standardization theme, WordPress.com has introduced a feature for theme developers to create standard support for site logos, a feature that's in almost any WordPress theme.

The feature is live on WordPress.com, and coming to a Jetpack near you. WordPress.com added support for about a dozen themes for the launch of the feature.

MailPoet and Sucuri spar over the handling of security disclosures

On July 1st, Sucuri disclosed a vulnerability in MailPoet, a very popular WordPress-centric newsletter plugin. Over the next few days, MailPoet released a variety of updates. A bunch of WordPress websites were estimated to be hacked. Updates were available, and many hosts made server level changes, but it affected every version and was a serious issue.

However, MailPoet was unsatisfied with how Sucuri handled the disclosure, and posted some lessons learned on their blog a couple of days ago. That post is worth reading on its own, but essentially they're displeased at the rapidity of Sucuri's actions from notification of the vulnerability to publishing the news on their blog. Sucuri says it was standard practice, and give a rundown in an open letter to MailPoet on their own blog.

When your primary software product has something like this happen, your emotions definitely tick up a notch or three. I can see both sides of this story. In the end, it's important that the fix gets in and site owners and hosts get notified so they can get their sites fixed. I don't know who is more correct in this story (I haven't given it enough thought, honestly), but I think most things are better settled in a different venue than trading accusatory and pointed open letters - something both parties are guilty of here.

Starting a WordPress blog?

Oli Dale has some really interesting insight where he raises the hypothetical, "If I were to start a blog about WordPress today." He highlights how he thinks some genres (like WordPress news) are well covered, but that he sees a great deal of potential in more niche markets.

Definitely read Oli's advice if you're looking to start a blog. Also keep in mind, really there is so much opportunity, no matter what you see out there today; just do it better than anyone else and you can succeed. (Notable on this topic, WP Scoop just rebranded itself)

Related, but more general: You are not late.

GravityView: display entries of Gravity Forms anywhere on your site

Zack Katz has released GravityView, a plugin that takes Gravity Forms submissions and lets you put them anywhere on your site. This plugin look really slick, and I see a lot of potential uses for it.

Zack is the developer of the free Gravity Forms Directory plugin, and GravityView is a different plugin, but expanded version of that. Zack talks about GravityView and his thinking behind it on the latest Apply Filters podcast, which he recorded right before he released the plugin.

Automating WP App Store

Iain Poulson wrote a fun little post about how he's automated most of the work that goes into WP App Store, a former marketplace product turned email deals product.

Brian Richards goes full-time on WP Sessions, introduces first course

Brian Richards has left his position at WebDevStudios to attempt a full-time career building WP Sessions, his WordPress learning website.

As I noted last week, he's giving away a $2,000 value trip to WCSF to those that sign up for his VIP program, and there are still a couple of days to enter.

He also just released a course on building WordPress plugins, which Pippin Williamson is teaching; it doesn't get much better than that. I wish Brian the best of luck, and hope WP Sessions sustains him.

My first WordCap San Francisco

I guest posted on the WordCamp San Francisco blog, where I talked about my first experience at WCSF. Incredible relationships and experiences are made at WordCamps; this is my story.

Along a similar vein, Christine Rondeau answers, "Why bother with WordCamps?"

Meet me in New York

I'm really excited to attend WordCamp New York City Friday through Sunday. If you're there, I'd love to meet. The lineup of attendees and speakers is insane. I'll also be doing some hallway interviews, so Post Status readers will hopefully enjoy the results of those. I'll probably be singing Alicia Keys to myself for the next few days, so you can have that mental image for free.

It's not quite midnight on Monday in Alabama, as I wrap this up. So while the week in review is a bit late this week, I hope you still enjoyed it and learned something new. If you did, I of course appreciate if you'll share it with your social network of choice.

Have a great week everyone.

29 Jul 2014 4:31am GMT

This Friday at 3PM Eastern, we'll be joined by three individuals to discuss the topic of crowdfunding. Crowdfunding is defined as "the practice of funding a project or venture by raising many small amounts of money from a large number of people, typically via the Internet." While some projects fail, others are exceedingly successful.

Our guests will share their experience, lessons learned, and what they would have done differently. We'll also discuss the impact of crowdfunding open source software development.

• Scott Kingsley Clark - Clark used Kickstarter to successfully raise enough funds to develop Pods 2.0 and the community website. Although he only asked for $1,500, he ended up with nearly $4,200.
• Nick Haskins - Lead developer of the AESOP Story Engine plugin and hosted service, Haskins asked for $6,000 and received $6,572 using Crowdhoster. Crowdhoster is the open source version of Crowdtilt.
• John Saddington - Lead developer of Pressgram, asked for $50,000 and received $56,500 using Kickstarter to fund his image sharing app.

Crowdfunding enables people to not only gauge interest in an idea or product, but also allows them to receive funding without having to deal with venture capitalists or banks.

If you have any questions for our guests, or about the topic of crowdfunding, feel free to post them in the comments.

28 Jul 2014 11:20pm GMT

photo credit: rosswebsdale - cc

A WordPress community initiative is underway to standardize content types used by plugin developers. Justin Tadlock is spearheading an initiative to create WordPress community-curated standards for common post types, taxonomies, and metadata.

WordPress developers are invited to join the discussion taking place in the Content Type Standards repo on Github where Tadlock outlined the objective: "The purpose of this repository is to create an open set of standards for the WordPress developer community on how to name custom post types as well as related taxonomies and metadata." This would include common post types, such as testimonials, portfolios, recipes, FAQ, events, and products.

Tadlock, who has historically been a vocal advocate of data portability, is hoping that the standards will enable users to painlessly switch between plugins that compete in the same space, without losing any data. Standards will also make it easier for developers to build extensions in such a way that they can be more widely adopted by theme developers. He identifies a few benefits that both users and developers would enjoy as a result of content type standards:

• Less worry about what to name things when creating a plugin.
• We can have competing plugins in the same space.
• Cool things like add-on plugins become easier to build.
• Users can switch between similar plugins to find the one they like best.
• It would be easier to push for things in core WP like custom Dashicons.
• Theme authors could potentially support multiple plugins.

The project will first be focused on establishing a set of standards for plugin authors to follow, based on the core WordPress methods. Tadlock also suggests a secondary goal of creating a few PHP scripts for developers to copy/paste for registering a post type or taxonomy that make use of the new standards.

The Need for a Community-Curated Initiative

Brian Krogsgard recently published an article calling for Jetpack and WordPress.com to lead the way toward standardizing custom post types. While Jetpack and WordPress.com are in a good position to lead the way on this, there are many community developers outside of Automattic who have valuable input to offer on the creation of a truly open set of standards.

In a recent article that outlines the need for custom post type standards, Tadlock argues that standardization goes far beyond simple naming conventions:

People are still using their own, separate code rather than adopting existing solutions, preferring a solution built in-house instead of joining together with others. That's the reason we don't have standards. It really has little to do with post type naming conventions.

The idea behind the community-curated standards is to help WordPress developers work together without the need to reinvent the wheel every time with their own solutions. Instead of closing off products with naming conventions that won't be able to transfer users' data, Tadlock encourages developers to work on creating plugins that become standards in their own right.

Standards are created after we've made them and they've been adopted by enough people. In other words, we create standards by building good plugins, getting users to install them, and having theme authors integrate with them.

The Content Type Standards project is a community initiative that puts users first and helps developers make products that can be more widely used. The first order of business is to establish the post types to standardize so that contributors can then address the naming standards, taxonomies, and metadata for each. If you build products that utilize custom post types, make sure to get in on the discussion happening on GitHub.

28 Jul 2014 7:36pm GMT

Utilizing SSH keys in conjunction with the servers you connect to is a great and highly recommended security practice. SSH stands for "Secure Shell" and enabling SSH for a server creates a secure channel between you (via the command line) and your server.

SSH keys help the server validate and authenticate who you are. SSH servers can even be setup to require a known valid SSH key in order for the server to acknowledge you to begin the login process.

Using SSH from a Linux or Mac system is straightforward. You may not realize it but your system will automagically generate an SSH key for you the first time you use SSH if you do not have one already. This key will then be sent with all subsequent request to that server and all other servers. This is a great start, however it is possible to maintain multiple SSH keys on your system.

If the one SSH key allows you to get into all your systems why would you want additional keys? Simple, extra security.

Having a unique key per system you are logging into will create additional security by only allowing that key to be used on that system and no other. If your account somehow gets compromised and the key to the server taken you do not have to worry about all the systems you have logged into with that key and remember to go secure them. You simply delete the key for that system and generate another.

Managing multiple keys is easy. Let me show you how you can accomplish this on your own system.

This tutorial assumes you have basic knowledge of the command line. It was originally written as part of a series of CLI (command line interface) cheat sheets, and I'm reposting it here so that a broader audience can take advantage of SSH for server management. The CLI cheat sheet has other excellent resources I recommend you check out as well.

Where to find SSH files

All the SSH files live in a hidden folder .ssh in your user directory. If your system is using the generic key file this folder may not exist. You can safely create this folder yourself. We will be working out of it for the remainder of this tutorial.

We will also be working from the terminal for the rest of this process.

Open up your terminal and get setup.

cd ~/.ssh

If you get an error that the directory does not exist create it with:

mkdir ~/.ssh

Lets make some keys!

For this example we will setup keys for two servers: abc.com and xyz.com.

SSH includes a simple utility for creating SSH keys called `ssh-keygen. The following is an example of what creating a key would look like.

blobaugh@devbox$ ssh-keygen
Generating public/private rya key pair.
Enter file in which to save the key (/Users/blobaugh/.ssh/id_rsa): [id_rsa.abc.com]
Enter passphrase (empty for no passphrase): [Enter a passphrase]
Enter same passphrase again: [Repeat passphrase]
Your identification has been saved in /Users/blobaugh/.ssh/id_rsa.abc.com
Your public key has been saved in /Users/blobaugh/.ssh/id_rsa.abc.com.pub
The key fingerprint is:
[Long crazy string]
The key's random art image is:
[Cool ascii art]

Type ls into the terminal and you should now see two new key files that have been created for abc.com. Repeat the process with xyz.com.

Passphrases are recommended but not strictly necessary. If you are creating a passwordless login you can hit enter to leave it blank. Later on when we get into the configuration file there are additional login options you can set.

Since you are now a pro at creating SSH keys I suggest you also create a generic key. This key will be used on any systems you login to where you do not have a unique key created.

Setup the configuration file

Likely there will not be a configuration file in your .ssh directory. This is normal. You will create it in this step.

To utilize your shiny new SSH key with a specific system you will need to create a new entry into the ~/.ssh/config file related to that host. You can use either the hostname or the IP. One key can have multiple entries, so if you have multiple hostnames for one system, or want to use both the hostname and IP to login simply create an additional entry in the config file. The * wildcard can also be used.

To get started open the ~/.ssh/config file in your editor of choice and add the following lines:

Host abc.com
    IdentityFile ~/.ssh/id_rsa.abc.com

Host xyz.com
    IdentityFile ~/.ssh/id_rsa.xyz.com

That is it! You will now be utilizing a different key for each of those hosts.

Setup the generic key with

Host *
    IdentityFile ~/.ssh/id_rsa.generic

Configuration options

There are many configuration options available to you in this file. Lets break down a few here.

Host
The Host option is a bit tricky. Host is for the name you use on the command line with the ssh command. This does not have to be a real machine but can be an alias. When used as an alias you need to supply the HostName option as well. Here are a couple examples to help make this more clear.

Host lobaugh.net
    ….

On the command line you would use ssh yahoo.com to connect to the machine still.

Host ben
    HostName lobaugh.net
    ….

In this example you would call ssh ben and still be connected to the lobaugh.net server.

User
Allows you to set the username that is supplied to the connection by default. This can be different than the currently logged in user that is supplied by the system if one is not supplied. This setting can be overwritten at run time on the command line.

Host lobaugh.net
    User ben

ServerAliveInterval
Some servers have a timeout setting that will automatically disconnect a user if they do not perform an action for a specified period of time. This is great for security, however some hosts are a bit aggressive with disconnects and will bump you rather quickly (looking at you MediaTemple). This option tells your client to send keep alive packets to the server so you do not get disconnected too quickly. This setting is in seconds.

Host lobaugh.net
    ServerAliveInterval 60

IdentityFile
This is the key file we created in the beginning that should be used for the connection.

Host lobaugh.net
    IdentityFile ~/.ssh/id_rsa.lobaugh.net

Port

Allows changing the port number the connection uses for non-standard ports.

Host lobaugh.net
    Port 5000

A complete list of configuration options can be found at http://www.gsp.com/cgi-bin/man.cgi?topic=ssh_config

Setup the server side of things

Now that we have things on the client side setup we need to let the server know what is happening. This will ensure that the server knows who we are. This is as simple as ensuring the public key is present in the authorized_keys file.

We will use a couple "magic" ssh commands that run remote commands on the server for us.

First we need to ensure the .ssh directory exists on the server or the transfer of the key will fail.

ssh USER@SERVER mkdir ~/.ssh

Now we will send the public key to the server.

cat .ssh/KEY_FILE.pub | ssh USER@SERVER 'cat >> .ssh/authorized_keys'

You are now all set with multiple unique keys per machine you are connecting into, complete with verification of the key on the server side of things.

Ben Lobaugh

Ben is an Automattician working on Team Jetpack, as well as a musician, a sailor, and Seattle WordCamp co-organizer. You can follow him on Twitter @benlobaugh

28 Jul 2014 5:22pm GMT

photo credit: Ravages - cc

The JSON REST API plugin for WordPress released a security update over the weekend. Version 1.1.1 includes a fix for a vulnerability wherein the JSONP support built-in to the API could be used to serve up arbitrary Flash SWF files. This technique has known been used in the past to abuse JSON endpoints to allow Flash files to bypass browser cross-origin domain policies.

WordPress core already has CSRF protection, but the WP REST API is oftentimes used in combination with other software which may not have the same protections. You can use a filter to disable JSONP support:

add_filter( 'json_jsonp_enabled', '__return_false' );

WP API project lead Ryan McCue credits Ian Dunn in the release announcement for responsibly disclosing the vulnerability to the team.

The WP REST API project is now available on HackerOne, with a bounty for hackers who discover remote code execution exploits, SQL injection, privilege escalation, and other security issues. The WP-API plugin is listed as a high priority along with the OAuth 1.0a server plugin, which provides authentication for the API.

The vulnerability fixed in version 1.1.1 of the plugin was classified as a minor security issue, according to McCue, and no sites have reported any exploits. He recommends that anyone still using version 1.1 of the plugin to update as soon as possible.

28 Jul 2014 4:55pm GMT

28 Jul 2014 3:47pm GMT

28 Jul 2014 3:43pm GMT

28 Jul 2014 3:41pm GMT