Hack Day: Finding the Problem

Yet another reason I like working with Automattic is that we regularly hold internal Hack Days, where anyone in the company who has an inkling can take a day and set it aside to work on a pet project, presenting what’s done at the end.

Last Hack Day, I made some basic changes to the Gravatar site, which was a fun challenge and taught me a lot about how our development environment functions. (Background: calling me a “developer” is a pretty big stretch; I’m still very basic in what I can do.)

The first part of any Hack Day is finding the problem you want to tackle, and I have something I’ve been wanting to solve for my personal blog for some time now. Generally, the only time I get for writing on my personal blog is at night, often quite late, when most of the people I know are not actively reading things. I also tend to write in big batches, where I’ll put up five or six posts in a relatively short timeframe.

What I would like to do is have a plugin that would:

  • Have a “deferred” post status that would place a post into a queue. First in, first out.
  • Deferred posts would be cron-published. The cron would publish only between certain hours of the day, and would maintain a certain amount of temporal spacing between posts, maybe with a small amount of randomness to make it look less robotic.
  • Authors should be able to publish immediately if they want to (hence having a separate status for the deferred posts).
  • It will work with Jetpack and specifically Publicize.

There are already a couple of existing plugins that try to scratch this itch, but neither of them has been updated in a while and on looking at them I don’t think they are exactly what I want.

I’m pretty certain I won’t be able to get this all done in one day just because I don’t have all the knowledge I think I need to do it. But I’m going to look at the existing work around the idea and see what I can do. I have a feeling this is something that would be useful to other people as well.

Yo, VIP. Let’s Kick It.

In just four more months, I will have been working at Automattic for four years full-time, which is one of those things that feels both like it’s been forever (because it’s such a part of who I am now) and a really short amount of time (because, you know, time flies).

When I started here, I was updating WordPress.tv as often as possible, and being a Happiness Engineer the rest of the time. After about a year of that, I moved to being a Happiness Engineer full-time.

In four years, I’ve done pretty much everything there is to do in Happiness Engineering: I’ve been in our forums, I’ve been answering tickets for WordPress.com and almost every other service we provide, I’ve been in-person at Happiness Bars and doing workshops at WordCamps, and I’ve helped train and welcome to Automattic several new “classes” of Happiness Engineers whom I’m happy to call colleagues. It’s been a lot of fun being sort of the Happiness Engineering Obi-Wan.

Today is my first day not being a part of that Happiness team. I’m pleased to share that I’m joining the team working on WordPress.com VIP, supporting enterprise and time-sensitive customers with that same dedication to happiness. I’ve been working a rotation with the VIP team for the past two weeks, and it’s been both rewarding and challenging. I’m looking forward to extending this into the next few years.

Matt says often that within Automattic, we should look for new things to do every few years to make sure we’re keeping the mind sharp and learning new things. If the past two weeks are any indication, this is going to be a grand new adventure. It’s wonderful to have team leads who supported this move and teammates old and new who have provided encouragement.

So here’s to new things.

If you think this sounds like a great place to work, it is. And we’re hiring.

WordPress 3.6

WordPress 3.6 shipped today, after a long wait and a lot of testing. It’s got a bunch of features I’ve been waiting for, including a better autosave, improved post revisions (in more than one way), vastly better post locking, and a great theme I’ve been using myself for most of the beta cycle called Twenty Thirteen.

I also love the new release video format:

Somehow, I ended up in that video with some rather amazing people. See if you can find me.

And watch the download counter. It’s always fun.

Four Little Numbers

My colleague Joen Asmussen writing about the process of shaping the new default theme for WordPress 3.6 (that happens to be powering this blog now):

Designing Twenty Thirteen has been a pretty remarkable experience, mainly because I got to work with such an amazing community. There’s nothing to temper a theme into shape like hundreds of people submitting patches. It’s as much a privilege as it is a learning experience and the design has changed so much since my initial mockups, all for the better. Here’s how it all started.

Joen and the WordPress community have outdone themselves with this one. I find myself saying it every year, but I don’t see how I’ll switch away from this one.

Password Attacks and Good Account Policy

A lot of digital ink has been spilled regarding the supposedly surprising revelation that an apparent botnet is making a concentrated effort to “hack” into your WordPress installation. Some of the better and/or more interesting writeups have been:

It’s important to think about why this attack is happening, and I don’t mean what the eventual goal of the botnet might be. For this attack to be profitable in terms of time and resources, it needs to be worth the effort that is being expended to create it.

Is it happening because the sites in question are running WordPress? Almost certainly not.

It’s happening because users don’t follow good password practices.

I’ll say that again: it’s not happening because WordPress is inherently insecure; it’s happening because you and I have a habit of creating, picking, and using crappy passwords.

Krebs posted a link to the list that’s currently known to be used in this attack, which you can find here. Take a look at it, because if you have had any experience in dealing with access attempts, it will probably look familiar. The vast majority of the usernames that are being tried are admin, and the passwords are by and large passwords that are among the most common passwords chosen by users across every web service in existence, not just WordPress.com.
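The pattern described above (the username is almost always admin, and each guess comes from a different bot) is what a site owner can look for in their own login logs. The following is an added example, not code from this post or from WordPress: it runs a simple detection over a constructed sample of failed wp-login.php attempts. The log line format, the IP addresses and the thresholds (five failures from four or more distinct sources inside five minutes) are all assumptions made for the demo; real server or plugin logs will need their own parser.

```python
"""Flag distributed password guessing against one WordPress username.

Added example, not code from the original post or from WordPress.
The log format, addresses and thresholds below are constructed for
illustration; adapt parse_line() to your own web-server or plugin logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: failed and successful wp-login.php attempts.
# Six different sources each try "admin" once; one source fumbles "jane" twice.
SAMPLE_LOG = """\
2013-04-15T02:11:03Z FAIL user=admin ip=203.0.113.7
2013-04-15T02:11:04Z FAIL user=admin ip=198.51.100.23
2013-04-15T02:11:06Z FAIL user=admin ip=192.0.2.45
2013-04-15T02:11:09Z FAIL user=admin ip=203.0.113.99
2013-04-15T02:11:11Z FAIL user=admin ip=198.51.100.8
2013-04-15T02:11:12Z FAIL user=admin ip=192.0.2.201
2013-04-15T02:13:40Z FAIL user=jane ip=203.0.113.7
2013-04-15T02:13:52Z FAIL user=jane ip=203.0.113.7
2013-04-15T02:14:10Z OK user=jane ip=203.0.113.7
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, username, ip)."""
    ts, result, user_kv, ip_kv = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        result,
        user_kv.split("=", 1)[1],
        ip_kv.split("=", 1)[1],
    )


def find_distributed_guessing(log_text, window=timedelta(minutes=5),
                              min_failures=5, min_sources=4):
    """Return {username: (failures, distinct_ips)} for every username that
    received at least min_failures failed logins from at least min_sources
    distinct IPs inside some sliding window. The thresholds are assumptions.
    The per-username view is the point: per-IP rate limiting never trips,
    because each bot only sends one or two guesses."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = parse_line(line)
        if result == "FAIL":
            by_user[user].append((ts, ip))

    flagged = {}
    for user, fails in by_user.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            sources = {ip for _, ip in span}
            if len(span) >= min_failures and len(sources) >= min_sources:
                # Keep the largest qualifying window seen for this user.
                if user not in flagged or len(span) > flagged[user][0]:
                    flagged[user] = (len(span), len(sources))
    return flagged


if __name__ == "__main__":
    for user, (failures, ips) in find_distributed_guessing(SAMPLE_LOG).items():
        print(f"{user}: {failures} failures from {ips} distinct sources")
```

In the sample, only admin is flagged: jane’s two failures from a single address look like a mistyped password followed by a successful login, which is exactly the case a per-username, many-sources rule should leave alone.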

As the Sucuri blog points out, there are a couple of passwords in there that don’t make a ton of sense compared to the common password list, like these:

6160 [pwd] => #@F#GBH$R^JNEBSRVWRVW
5392 [pwd] => $#GBERBSTGBR%GSERHBSR
5058 [pwd] => %G#GBAEGBW%HBFGBFXGB
5024 [pwd] => RGA%BT%HBSERGAEEAHAEH
4861 [pwd] => aethAEHBAEGBAEGEE%

What this tells us is that it’s not enough just to have a secure password. You need to have more than one. I’ll illustrate with a short story about this happening to me. Remember last year, when LinkedIn and last.fm had a couple of security breaches and they (or at least last.fm) told people it was possible that username and password information had been stolen?

I know from personal experience that they had, because some of my accounts were accessed by people who weren’t me. At the time, I used a “low security” email and password combination, which was exactly the same and used on sites that I considered to be lower in personal priority. Within a few days of the last.fm breach, I started receiving emails from some other services that I didn’t remember asking for. I looked into it, first logging in to my account with EA/Origin (because I knew it was one of those other accounts that shared that email and username combination).

When I did, I found that my EA account was set to display in Russian. It had been accessed using a reverse brute force attack, where the attackers had my combination of email address and password from the last.fm breach and were trying to use it on every web service they could find. Once they knew the combination was valid, it was dumped into a list and used by who knows how many people, trying to see if it gave them access to other accounts.

After going through this—and the associated panic at not knowing which of my accounts were affected—I no longer consider any service or web app I use to be low priority. You shouldn’t, either.

To protect yourself from these kinds of attacks, there are some very simple, slightly paranoid rules you should follow:

  • Don’t use a common password. A good list of these is in this post about common Twitter passwords from a few years back.
  • Try to avoid using dictionary words in your passwords—or if you are, make a passphrase, which is a very secure option.
  • Use a combination of letter case, numbers, and symbols if you’re not using a passphrase.
  • Don’t use the same password for more than one site. I can’t stress this enough. Use a password storage application that has encryption and a master password of its own, like 1Password or KeePass.
  • Use 2-factor authentication wherever you feasibly can. Google offers this for all accounts. For WordPress, there are a few good plugin options, and on WordPress.com, we offer 2-factor as an option for all users.
  • When you set up a new WordPress installation, don’t use admin as your username. Pick something else.
  • For self-hosted WordPress installations, know what your security keys are and how to change them if you suspect a breach.
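The rules above can be turned into a check that runs when an account is created. What follows is an added example, not code from this post, from WordPress or from any plugin it mentions: a small Python policy check covering the common-password, dictionary-word, character-class, passphrase, password-reuse and admin-username rules. The common-password list and the dictionary are tiny constructed stand-ins for the full lists the post links to, and the minimum length (12) and minimum passphrase length (4 words) are assumptions.

```python
"""Check a proposed account against the post's password rules.

Added example, not the post's, WordPress's or any plugin's own code.
COMMON_PASSWORDS and DICTIONARY are constructed stand-ins for real lists;
MIN_PASSWORD_LENGTH and MIN_PASSPHRASE_WORDS are assumed thresholds.
"""
import re

# Constructed stand-in for a real common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin",
                    "letmein", "welcome", "abc123"}
# Constructed stand-in for a word list used by the "no dictionary word" rule.
DICTIONARY = {"monkey", "dragon", "sunshine", "purple", "coffee", "bicycle",
              "stapler", "correct", "horse", "battery", "staple"}

MIN_PASSPHRASE_WORDS = 4   # assumption: fewer words is not a passphrase
MIN_PASSWORD_LENGTH = 12   # assumption: applies to non-passphrase passwords


def is_passphrase(pw):
    """True when pw is several whole words separated by spaces, hyphens or
    underscores and nothing else (the post's 'very secure option')."""
    words = re.findall(r"[A-Za-z]+", pw)
    shape_ok = re.fullmatch(r"[A-Za-z]+(?:[ \-_][A-Za-z]+)+", pw) is not None
    return shape_ok and len(words) >= MIN_PASSPHRASE_WORDS


def character_classes(pw):
    """Count which of lower, upper, digit and symbol classes appear in pw."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, pw)) for p in patterns)


def check_account(username, password, previously_used=()):
    """Return a list of rule violations; an empty list means the account passes.
    previously_used is the set of passwords already used on other sites."""
    problems = []
    if username.lower() == "admin":
        problems.append("username is 'admin'")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")
    if password in previously_used:
        problems.append("password is reused from another site")

    if is_passphrase(password):
        # A passphrase is accepted as-is; length and class rules are for
        # the other style of password.
        return problems

    # Strip digits and symbols to catch "Monkey123!" style decoration of one word.
    bare = re.sub(r"[^a-z]", "", password.lower())
    if bare in DICTIONARY:
        problems.append("password is a single dictionary word with decoration")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if character_classes(password) < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    for user, pw in (("admin", "password"),
                     ("jane", "correct horse battery staple"),
                     ("jane", "Monkey123!")):
        print(user, repr(pw), "->", check_account(user, pw) or "ok")
```

The reuse rule is the one the post says matters most after a breach like the last.fm one, which is why the check takes a set of passwords already used elsewhere: a password manager is what makes keeping that set, and never repeating it, practical.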

Krebs posted a link to the password policy page on the WordPress.com support site (for which I feel a bit of pride because I helped write its current incarnation), which goes into more detail and starts with easy stuff you can do and moves on to more complicated options. If you want more tips, I suggest you check it out.

Remember that the best option for protecting yourself from password-based attacks is simply to have good personal password policies and stick to them. For any service that uses a single authentication factor, it’s your job to make sure that factor is created and maintained securely.

Humble Beginnings, or: I Have Been Doing This a Long Time

On a whim, I just looked up the oldest URL of mine that I can remember (no, I will not tell you what it is) on the Wayback Machine. I found this, excerpted to avoid the embarrassing-I-was-just-out-of-college-parts:

It’s the first post I wrote on my own domain, though I am fairly certain my actual earliest blog post is somewhere (thankfully) lost to the mists of time as it was on LiveJournal sometime in 1999 or 2000.

The system that powered the post you are seeing part of there was a custom front-end I wrote in ASP that used the backend of Snitz Forums. I made it using Dreamweaver and at the time I think (though I am not sure) that it was hosted on SimpleNet. It had comments in that if you clicked through you would be taken to a forum thread, and it actually had categories that would display a different header image above each post based on that taxonomy, which was set by the forum in which the post was created.

My habits of blogging have come and gone in the intervening years. But it is really cool to think that I have been invested and interested in publishing on the internet for that long. From hand-coding a site using TeachText and a giant book on HTML 3 in my bedroom, to making my first site that relied on a database, to discovering, playing with, and professionally supporting WordPress today, it’s been a huge part of my life.

When I was giving the beginners’ workshop on WordPress at WordCamp St. Louis, I took a moment after explaining how to create the first post on a blog to reflect along with the people in that room. More than half of them were completely new to WordPress and maybe even to blogging, as I once was. I asked them to stop and consider what I had just done.

When you stop and think about it, it’s amazing how much easier it is now to be able to click a button and have the words you write made public for the world to read. You and I can write about just about anything and we’re enabled to nearly instantly beam that out so others can find it, read it, maybe identify with it, and even respond to it with their own Publish button.

The amount of power that confers on people is still amazing to me. That’s why I still do this; that’s why I help other people do so as well.

Core Rides Again

The astute among you may have noticed over the last day that my blog managed to disappear for a bit and then this morning magically reappeared – with a new, more spartan look and some default messiness.

For the last year-plus, my blog has been on WordPress.com, where I help people every day with their blogs. I loved it and if you are thinking of starting a blog or you want to take a lot of the hassle out of managing the blog, I suggest you consider doing so there. I’m proud to work on the service and it really does take a lot of the managing out of the picture so you can get down to business.

But I realized that I had become out-of-touch with a few things, like the state of core development as a whole, how plugins like Jetpack and others function (Jetpack is especially important because I support it), and just hacking a bit on WordPress here and there.

So over the last day, I leased new hosting, checked out trunk, and moved my domain. Now I’m looking forward to exploring a bit more and having some fun with it—starting with making changes to Twenty Twelve.

One thing I’ve fallen behind on is plugins. I’ve grabbed a few and have installed some basics, but I think there are likely a few things that I’m missing. Are there any plugins that—especially recently—you think are key to a good personal WordPress installation? Drop a comment below and let me know what you think.

And I’m not leaving WordPress.com behind by any means; I still have a photoblog that I plan on keeping there, and my wife is still doing her blogging on WordPress.com as well. I already miss several features of WordPress.com that I hope make it to Jetpack in the near future.

Back to adventuring. :)

Your Blog Has Always Loved You

There’s lots of talk going on early this week about Twitter and their intentions towards third-party clients. Will they permit them? Will Tweetbot still be around in six months? How am I going to connect with other people if Twitter goes the Facebook route and makes me use official clients that aren’t as nice as the third-party ones I have now?

I was going to write a bunch of words about this, but in the end it comes down to something very simple.

Your blog has always loved you. Open—or at least agreed-upon and widely used—standards are not going to magically grow walls and keep you or others out.

WordPress. RSS. Comments. Pingbacks.

Digging deeper: PHP. MySQL. Apache/Nginx. Linux.

These things don’t belong to someone else. They don’t belong to a company that needs to please its investors. They don’t have reasons to keep you out or to stop you from doing what you want.

They belong to you. You use them to make great things. You contribute to them and make not only your stuff, but other people’s stuff, better. You use them to read others’ content and to enter the discussion. If your blog hasn’t been the center of your digital presence, why not?

Your blog has always loved you.

Lisbon in (iPhone) Pictures

I spent this past weekend in Lisbon visiting colleagues and friends and attending the first-ever WordCamp Lisboa, which was a very nice event. I was able to meet and greet with the Lisbon WordPress community for the second year in a row (familiar faces!) and help a few folks at the Happiness Bar between talks.

I love Lisbon and was delighted to return there. It was amazing to see this community that has grown from a handful of people we invited to a get-together at our Happiness meetup last year to a WordCamp with almost 200 registrants. It’s the power of open-source publishing at work.

I didn’t bring my camera this year, but I did snap more than usual with my iPhone.