WordPress

This is only week 5 of 2025???

Ugh, it’s been a fucken hell of a month. Literally the first day of February and no one wants anymore of what this year has in store.

Work

mgbarJerb is… Consistent in its chaotic, disorganised, environment. It’s one of the reasons why we’re actively shopping for a car, even though the orange trump is about to start a trade war ( 2025-02-02_02:36 : has started. We started this post six hours ago.) with Mexico and Canada. I need to be there quickly whenever someone calls out which happens at least once a week. We spend way too much on rideshares and that’s money that should go towards a car payment.

Got written up for bad attitude. Some of that is deserved, some isn’t. But co-workers who are lazy fuckers are a-okay so fuck them and fuck the corpos who like it that way.

bartendJerb: The “floor manager” quit. She was the one who made syrups and purchased some stuff. So now we have no one to do those things. They (as in the current bar manager, and the owner) want me to do it but I will need a car to schlep all the things around. Doing it on my bike is too onerous a task, nevermind the time it will take.

Personal

My personal life is basically non-existent outside of having a couple drinks at various bars around town, after work. Work is life these days. The hangovers too but we are making an effort to keep them to a minimum, like Ernie. She’s up for a James Beard award as a professional oyster shucker. We should learn from her.

As I need to buy a car, we are shopping around and we know we want a Toyota RAV4 or a Honda CR-V. The purchase needs to be done before the economy crashes but we’re extremely leery of making a purchase of such magnitude when the economy is most certainly about to be tossed into a latrine. See what the muskrat is doing at the US Treasury department. Fucken piece of shit Nazi. Fuck his dad and his mom too.

Had a spot of seasonal depression but I think we’re past it. We hope. We’re pretty tired as we type this on our phone at the bar. (Still tired at home on the computer).

Alertness

ICE raids all over the country. ICE office in Saint Paul : they want 75 arrests a day, with increases coming down the pike. Fuck ICE and if you have someone working there, fuck you, fuck your mom, fuck your dad, fuck your grandparents, fuck your great-grandparents, and all of their fucken cows.

They don’t care whether you’re a citizen or not. A resident or not. If you en’t Caucasian you en’t staying.

So that’s another reason to not take the bus and opt for personal transportation.

Ch-ch-ch-changes

This post comes via the WP classic editor on mobile. It is 2025 in the year of the Lard and fucken WordPress still doesn’t have a decent mobile editor. Automattic has sucked as stewards of WordPress for a long time and it shows. Also fuck Matt Mullenweg, prissy bitch.

Positions

This here blog post is us being pro-union (even if most of the bosses are fucken idiots), pro-labor, pro-lgbtq. You don’t like it? The ❌ button should be on your top-right window corner, unless you’re using a corpo app in which case you’re fucked, your family is fucked and fuck you too.

Fucken’a

MMDAS PURAS MMDAS

The fucken site broke and I had no idea why.

Nginx seemed to be okay. PHP seemed to be okay. MariaDB had nothing to do with any of this. But anything PHP-based was throwing a fit and just didn’t work at all and of course logging in PHP is hit-or-miss.

After banging my head for two fucken nights I just backed everything up and nuked the server. Switched from nginx back to Apache, downgraded to PHP 7.3 and kept MariaDB.

I’m just going to keep stuff on Debian Stable for the time being.


Update 2021-03-02_03-28

I’M STILL DEALING WITH THIS.

Block attacker IP addresses, four ways

If you run WordPress you’ve seen these in your web server logs:

132.232.46.230 - - [29/Oct/2020:13:58:41 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:44 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:48 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:52 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:55 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:58 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"

Fucken scanners just slamming xmlrpc.php looking for a way in. When this happens CPU usage goes through the roof for as long as the scan lasts, and that could be five minutes, could be six hours, could be all week before it ends. The gods help you if you’re paying by CPU usage.

So you have to block access to the file. You could just block all access to XML-RPC but doing this will prevent the WP mobile app from working.

We’ll just block that specific IP address but we need to be quick about it; just do a quick one liner on the terminal before the OS just topples over and becomes completely unresponsive or worse.
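Picking the address to block out of a log like the one above can be scripted. The following is an added example, not part of the original post: the function names, the threshold of five POSTs per clock minute and the two extra sample log lines are assumptions for illustration, and it only prints the iptables rule for review.

```shell
#!/bin/sh
# Added example, not from the original post.

# Sample access log. The six 132.232.46.230 lines are the ones quoted in the
# post; the last two lines are constructed (documentation-range addresses).
sample_log() {
    cat <<'EOF'
132.232.46.230 - - [29/Oct/2020:13:58:41 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:44 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:48 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:52 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:55 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:58 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
198.51.100.7 - - [29/Oct/2020:13:58:43 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
203.0.113.25 - - [29/Oct/2020:13:59:02 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "ExampleMobileClient/1.0" "-"
EOF
}

# xmlrpc_offenders LOGFILE [THRESHOLD]
# Prints "count ip", busiest first, for every client that sent at least
# THRESHOLD POSTs to /xmlrpc.php inside one clock minute (a simple bucket,
# not a sliding window). A single POST, such as a mobile client, stays below it.
xmlrpc_offenders() {
    awk -v limit="${2:-5}" '
        # Fields: $1 client, $4 [dd/Mon/yyyy:HH:MM:SS, $6 "METHOD, $7 path
        $6 == "\"POST" && ($7 == "/xmlrpc.php" || index($7, "/xmlrpc.php?") == 1) {
            minute = substr($4, 2, 17)          # dd/Mon/yyyy:HH:MM
            hits[$1 SUBSEP minute]++
        }
        END {
            for (key in hits) {
                split(key, part, SUBSEP)
                if (hits[key] >= limit && hits[key] > worst[part[1]])
                    worst[part[1]] = hits[key]  # keep the busiest minute
            }
            for (ip in worst) print worst[ip], ip
        }
    ' "$1" | sort -rn
}

# block_commands LOGFILE [THRESHOLD]
# Prints (does not run) one iptables rule per offender for review.
block_commands() {
    xmlrpc_offenders "$1" "${2:-5}" | while read -r _count ip; do
        # The address comes from a log file: accept only IPv4 characters
        # before placing it in a command line.
        case "$ip" in
            ''|*[!0-9.]*) continue ;;
        esac
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Demo on the embedded sample: prints the rule, changes nothing.
log=$(mktemp)
sample_log > "$log"
block_commands "$log" 5
rm -f "$log"
```

Point `xmlrpc_offenders` at the real access log path on the server; a lower threshold catches slower scans but also more legitimate XML-RPC clients.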

iptables

This should work for any Linux distribution that has iptables out of the box which is basically all of them.

# iptables -I INPUT -s 132.232.46.230 -j DROP
  • -I: Insert the rule as the first rule to be applied in the INPUT chain. You could use -A (append) but the sooner we get rid of that traffic the less work the CPU has to do.
  • -s: Source address, in this case 132.232.46.230, which belongs to Tencent.
  • -j: jump to the DROP target. If you use the REJECT target you’re just creating more work for the CPU.

Documentation here but the Ubuntu how-to is far more useful in getting people started.

pf

As it is part of both FreeBSD and OpenBSD base installations it should be enabled in /etc/rc.conf, but from reading the (almost useless) documentation and looking around the web you need to fuck around with pf.conf first, then you can manipulate the table. This is the first result on the web when you search for “pf block ip address”. So no one-liner that can save your life.

Edit /etc/pf.conf and add

table <badhosts> persist
block on fxp0 from <badhosts> to any
  • Create table named badhosts, and set it to be persistent in kernel memory
  • Block, on interface fxp0 (you’ll want to change this), traffic from addresses in the badhosts table to any destination.

Once you have this you can manipulate the table from the command line with pfctl

# pfctl -t badhosts -T add 132.232.46.230
  • -t means pfctl will manipulate the badhosts table
  • -T will show statistics
  • add address 132.232.46.230 to the table

Fucken hell FreeBSD documentation is the fucken worst. Dryer than Melania Trump’s libido. Now, reading through the OpenBSD pf documentation it looks like you can do

# pfctl -t badhosts -T add 203.0.113.0/24

Which will create the badhosts table automatically without having to fuck around with /etc/pf.conf. Don’t know if this will work on FreeBSD though.

ipfw

It is part of the FreeBSD base installation so it does depend on ipfw being enabled in /etc/rc.conf but it looks like you can go

# ipfw add deny all from 132.232.46.230 to any
  • Add rule denying any and all traffic from 132.232.46.230 to any destination

At least these rules are succinct and easy to read. Whoever wrote the documentation seemed to pay more attention to usage at least.

Still, fuck FreeBSD.

Windows

Super easy now that PowerShell is built into Windows itself:

PS C:\WINDOWS\system32> New-NetFirewallRule -DisplayName "Block traffic from 132.232.46.230" -Direction Inbound -LocalPort Any -Protocol Any -Action Block -RemoteAddress 132.232.46.230
  • -DisplayName: The human-readable name of the firewall rule
  • -Direction: Can be Outbound or Inbound. We want Inbound obviously.
  • -LocalPort: Going with any ports because fuck crackers.
  • -Protocol: Same, block all protocols
  • -Action: Block traffic
  • -RemoteAddress: Specifying only 132.232.46.230

The documentation for the commandlet is super nice. No, I’m not typing ‘cmdlet’.

The old way involved so, so many clicks. PowerShell makes it easy.


Now all of the previous bits of code cease to have any effect after a system reboot so if you want the rules to be permanent… don’t. Blackhats will just scan from different hosts and different networks so blocking an IP address permanently is just unproductive.

A better solution is to use fail2ban:

There is also CrowdSec but I haven’t personally used them.

This post came to be cos I spent 30+ minutes trying to figure out how to block traffic on a FreeBSD host and their documentation is just… inscrutable. Should you ask for help in their forums you’ll just get told to RTFM.

You end up going in circles, consuming yourself in rage and frustration which does not feel nice. Rage-posting is where it’s at.

I want a drink and it’s not even 0700 yet

On this here blog I use a few things to help secure everything down and avoid issues, namely, nginx location blocks disallowing access to resources, fail2ban tracking nginx logs to prevent people hammering the server or trying to do improper things, and the “Limit Login Attempts” WP plugin.

A combination of all these broke access with the wordpress mobile app. Ended up having to disable the wordpress fail2ban jail and altering some of the nginx directives.

This is going to be a pain in the ass to debug cos the wordpress app doesn’t have any kind of proper error messaging, urgh.

Flickr, interrupted

Flickr deprecated its support of the MetaWeblogAPI back in 2014 but it’s been working okay so far so I never thought of updating the thing since it was working Just Fine™ and I wasn’t going to start fucken about with this. I’m okay with the state of the thing as it is right now but it’s probably time to start looking at other solutions. Since I—

And then stuff at work went to shit while I was typing this, so I’m getting this from where I left off.

Don’t remember where I was at. I’ll pick up later. Shit to do.

Press This

WordPress removed the “Press This” bookmarklet because:

  • WordPress developers are fucking idiots.
  • WordPress developers fucking hate you, the user.

Most of the links I put up on this site were usually through the bookmarklet. “We just want to increase security”, they say, then break the functionality without a proper equivalent in place.

They’re probably friends with Firefox developers, who also like to break with the past without regard to their users.

But what do users know, right? Developers always know better.

HTTPS

I done went and got SSL on this here site by way of Let’s Encrypt. It was pretty easy.

Not so easy was the run up to get it installed:

  • Update Debian with latest packages
  • Realize Debian is now on oldstable (jessie)
  • Update Debian to stable (squeeze)
  • BREAK EVERYTHING
  • Kinda-sorta fix it (aptitude still suicides on forking)
  • Run $ sudo certbot --nginx and marvel at how far we’ve come along

The last time I tried setting up SSL was a total pain in the ass, and it only got me a self-signed certificate that all of the browsers kept complaining about.

Yay for one thing taken off the bucket list. As an aside, I changed the permalink structure cos long URLs that use a date/time format are annoying and hard to remember. I got the idea for switching from here. I hear it plays hell with your SEO but I don’t particularly care about it here. Every day at work I suffer from URLs that mean one thing for one person but something entirely different for someone else depending what they are doing.

Annoying as fuck, let me tell you.

Now I just need to figure out a plugin that will let me type stuff into the WP editor in markdown/commonmark, and not make the plugins kill themselves.

Big Spam dump!

Large collection of default spam-comments from a slimy SEO tool.

This morning, I woke up to find that someone who was new to the tool (or unclear on the concept) had left a spam with all of the default comment messages in it, dumping the full database of anodyne comments intended to fool both the spam-filter and the human operator into thinking that the sender had read the post and was replying to it.

This should be helpful in blocking future spam.

WordPress 2.7

I managed to upgrade without Gengo throwing a fit. Here’s what I did:

  1. Backed up files and database.
  2. Deactivated all plugins except Gengo.
  3. Upgraded.
  4. Re-configured Gengo and applied the changes.
  5. Cleared the browser cache.
  6. Looked at the site. It worked.

If it doesn’t work, try fiddling with the Language options, but remember to clear the browser cache every time you do. Gengo gives the browser a cookie so it remembers things.

WordPress 2.7 itself looks pretty nice. The interface for writing posts is much better, reason enough to make the jump.

WordPress 2.7

Managed to upgrade without having Gengo bitch out. Here’s what I did:

  1. Backed up both DB and files.
  2. Deactivated all plugins except Gengo
  3. Upgraded
  4. Re-configured Gengo settings and applied changes.
  5. Cleared browser cache.
  6. Viewed site. It worked.

If it doesn’t work, try playing around with the Language settings but remember to clear your browser cache every time you do this. Gengo gives a cookie to your browser to make it remember stuff.

WordPress 2.7 itself is pretty good. The writing interface is much better, reason alone to make the jump.

Dear Gengo

Please hurry up and mature, because you have shown what a multi-language blogging platform is capable of when it is implemented properly. I cannot begin to imagine what my life in WordPress would be without having lost countless hours restoring fucked-up databases when you don’t like the new plugin in the plugins directory and throw a tantrum having you around to let me blog in two languages without many inconveniences.

Sincerely,
nullrend

Dear Gengo

Please hurry up in maturing, for you have shown what a truly multilingual blogging platform is able to do when implemented properly. I cannot begin to imagine what my WordPress life would be without having sunk countless hours in restoring fucked up databases when you don’t like the new plugin in the plugins directory and throw a tantrum having you around to let me blog in two languages without too much hassle.

Regards,
nullrend

Finally

The good people at Día Siete are releasing the magazine in PDF files. Hopefully they’ll release old editions as well.

They’re also changing the format of the site, going from a simple advertisement space for the magazine’s contents into a space with its own additional content that is not in the magazine! If it all looks a bit familiar it’s because they’re using WP 2.5.1, w00t

They’re good, and getting better.

Finally

The good people at Día Siete are releasing the magazine as PDF files. Hopefully one of these days they’ll decide to release the previous issues too.

They are also changing the format of the site, going from a simple advertising space for the magazine’s content to a space with added content that isn’t in the magazine! If it suddenly looks a bit familiar, it’s because they are using WP 2.5.1, w00t.

They’re doing well, and getting better.

Security in WordPress

I’m not saying WordPress isn’t secure, but the perception seems to be

“WordPress is not secure”

It’s said in TechCrunch, it’s called out to Matt, JD of Get Rich Slowly had big trouble, and there are a lot of tips and tutorials. The Codex entry on Hardening WordPress is missing some stuff… but the perception keeps turning more and more negative. If it keeps up like this some other platform will come along claiming to everyone to be more secure than everyone else and a lot of people will migrate just because of that.

I feel to avoid this the focus of WordPress 2.7 should be security. We already have a stable and flexible platform to establish and maintain blogs, so now it must become a secure platform.

Security in WordPress

I’m not saying WordPress isn’t secure, but I feel the general perception is:

“WordPress is not secure”

They say it on TechCrunch, they complain about it to Matt, the guy from Get Rich Slowly had serious trouble, and there are a shitload of tutorials and tips everywhere. The Codex entry on how to harden WP is missing a few things… but the perception keeps getting more and more negative. If this continues, some other platform is going to show up proclaiming left and right that it is more secure than the rest, and many will migrate just because of that.

I feel that to keep this from happening the emphasis of WordPress 2.7 should be security. We already have a stable and flexible platform for setting up and maintaining blogs, so now it must become a secure platform.

Advanced WYSIWYG modification

I’ve been using this plugin for a while now to take the place of WP’s default editor because it’s too plain and it’s missing some features. Problem was after installing the plugin it looked like crap and I ended up modifying it as well.

Now I made somewhat more extensive modification and added lots of things while keeping buttons included in the default editor — like the “More” button for example — and expanding the available options.

You start with this:

Wordpress WYSIWYG original

Then it changes to this after installing the unmodified plugin:

Advanced WYSIWYG original

It’s pretty obvious keeping that setup is out of the question, so I hacked it a bit, removed some things and added others… but I recently got tired of having to change to the code editor to use stuff like the “More” button or remove formatting.

After a bit of poking I ended up with this:

Advanced WYSIWYG mod

As you can see we now have two rows of buttons but keep WP stuff like the “More” button and the spellchecker and keep plugin stuff like the foreground/background modifiers… and get some extras like the table editor and the formatting eraser.

If you’re interested you can download the modified file here. If you install and activate it the way it is you’ll end up with something like this:

Modified Advanced WYSIWIG with some missing features

To have all the available features you need to do some work:

  1. First download TinyMCE here. Doesn’t matter if it’s the tarfile or the zip, they contain exactly the same files
  2. Uncompress the file and go to the plugins directory. Using FTP upload the “table” and “xhtmlxtras” directory to the location wp-includes/js/tinymce/plugins on your host. Directory “wp-includes” is located on the WordPress root folder.
  3. Go write a new post and voilà. If you had already uploaded and activated the modified plugin you must refresh the page manually using the reload/refresh button on your browser, or you can press F5

With that done you now should have the full set of buttons. If you paid some attention you should have seen many more plugins for TinyMCE. You can add those functions but you need to do it manually editing the plugin PHP file and uploading the corresponding directories to the TinyMCE plugins folder. One that could be useful for sites that constantly use the same code over and over is the “template” plugin. After creating — and making sure it works — the template just fill up the blank spots and you’re done, like event sites or WordPress MU. If you want to add your own buttons you’ll want to look at the plugin documentation and the button reference for the available buttons.

I don’t think I broke anything when I made the modifications and I tested it on WP 2.1 and 2.1.2. For suggestions and yelps use the comments.

Modification – Advanced WYSIWYG

I had been using this plugin for a while to replace the WP 2.0 visual editor because the normal editor is really damn simple and was missing things. The problem was that when I installed it I ended up modifying it too, because it looked like shit.

Now I went for a more extensive modification and added quite a few things, keeping several of the buttons that come with the WP version — the “More” button, for example — and expanding the options.

You start with this:

Wordpress WYSIWYG original

From there it goes to this when the plugin is installed unmodified:

Advanced WYSIWYG original

It’s obvious that leaving it like that gets pretty cumbersome, so I moved things around, removed some and added others… but recently I got fed up with being forced to switch to the code editor to use things like WP’s “More” function or to remove formatting.

After fiddling with it for a while I ended up with this:

Advanced WYSIWYG mod

Yep, as you can see we have two rows of buttons, but WP things like the “More” button and the spell checker are kept, along with the buttons for changing text and background colors… and I also added the table editor and the eraser for removing formatting.

If you’re interested you can download the modified file from here. If you install and activate it as is, you’ll end up with something like this:

Modified Advanced WYSIWIG with some missing features

Getting all the buttons takes a bit more work:

  1. First download TinyMCE from here. It doesn’t matter whether it’s the tarball or the zip, both contain exactly the same files.
  2. Extract the file and go to the plugins directory. Using FTP, upload the “table” and “xhtmlxtras” directories to the wp-includes/js/tinymce/plugins directory on the server. The wp-includes folder is inside the WordPress root directory.
  3. Create a new post and voilà. If you had already uploaded and activated the modified plugin you have to refresh the page manually by pressing the “reload” or “refresh” button in your browser, or press F5.

With that you should have the complete set of buttons. If you noticed, there are many more plugins for TinyMCE; the functions can be added, but it has to be done manually by adding the necessary code to the plugin’s PHP file and uploading the corresponding directories to the TinyMCE plugins directory. One that I personally consider practical for sites that constantly use the same code over and over is the templates one. You would just fill in the data and that’s it, like for event pages or something in WordPress MU. If anyone wants to add their own stuff they had better read the plugin documentation and the reference of available buttons.

I don’t think I broke anything when making the modifications, and it was tested on WordPress 2.1 and 2.1.2. Insults and suggestions in the comments.