Hello, this note is written with . If you are reading this with any other software via : Congratulations.

Apparently there is a lot of rage about WordPress COM (that’s the company) changing their terms of service.

This here is just another self-hosted WordPress instance (that’s the software) federating with the Fediverse *since 2019* – just like a shit-ton of other software you may never have heard about – and is not affiliated with said company in any way.

So… mebbe cool your jets. It’s not the software that makes weird policy decisions.

Still have the urge to block, bEcAusE WoRdPReSs? Go ahead 🤷 Just waiting for FediverseIsGoingGreat to pop up any day now.

I like eye-candy for my and for the longest time I did override the generic icon for missing SVGs via CSS. This never fixed the titles though, and after starting to amass non-descriptive links all named “website” I started to dig into the code class-relme-domain-icon-map.php of the plugin.

Update: Well fck, the entire svg folder gets replaced on update of the IndieWeb plugin. Good idea to back up additional SVGs so they can be copied back on update. Proxmox snapshot for the win!

Turns out Rel_Me_Domain_Icon_Map does some file system checking for unknown domains in wp-content/plugins/indieweb/static/svg/ so I fixed myself some symbolic links:


discuss-dot-tchncs-dot-de.svg -> lemmy.svg
live-dot-famkos-dot-net.svg -> owncast.svg
nerdpol-dot-ch.svg -> diaspora.svg
social-dot-tchncs-dot-de.svg -> mastodon.svg
t-dot-me.svg -> telegram.svg
tube-dot-tchncs-dot-de.svg -> peertube.svg
[...]

The title is read directly from the SVG, so adding a title tag to custom SVGs helps with that.

That’s a lot of CSS that I can remove now 🤓
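One way to make the aliases survive the svg folder being replaced on a plugin update, as an added example (not part of the IndieWeb plugin): keep them as data and re-apply them idempotently. The dots-to-`-dot-` file naming is inferred from the listing above and the three mappings are taken from it; the function names are hypothetical.

```python
import os
from pathlib import Path

# Aliases taken from the listing above: domain -> stock icon name.
ICON_ALIASES = {
    "social.tchncs.de": "mastodon",
    "nerdpol.ch": "diaspora",
    "t.me": "telegram",
}


def svg_name(domain):
    """File name as it appears in the listing: dots become '-dot-' (inferred)."""
    return domain.lower().replace(".", "-dot-") + ".svg"


def restore_aliases(svg_dir, aliases):
    """Recreate missing alias symlinks and return {domain: status}."""
    svg_dir = Path(svg_dir)
    report = {}
    for domain, icon in aliases.items():
        target = svg_dir / (icon + ".svg")
        link = svg_dir / svg_name(domain)
        if not target.is_file():
            report[domain] = "missing target"   # stock icon is gone or renamed
        elif link.is_symlink() and os.readlink(link) == target.name:
            report[domain] = "ok"               # already in place
        elif link.exists() or link.is_symlink():
            report[domain] = "conflict"         # real file or other link: keep it
        else:
            link.symlink_to(target.name)        # relative link inside the folder
            report[domain] = "created"
    return report


if __name__ == "__main__":
    # Path as given in the post, relative to the WordPress root.
    print(restore_aliases("wp-content/plugins/indieweb/static/svg", ICON_ALIASES))
```

Running it after each plugin update reports which links were recreated and which stock icons have disappeared.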

How I Set up my WordPress Indieweb Website – 2019 Edition by David Shanske (david.shanske.com)
This is an update to my 2018 article on how I set up my WordPress site. Standard Plugins EWWW Image Optimizer – It reduces file sizes for images to ensure faster loading Pushover Notifications or the forked alternative Pushbullet Notifications for WordPress – This plugin sends n...

Great overview of useful plugins for a typical Indieweb WordPress Website. Wish I’d have seen this months ago.

WordPress and UTF-8 by Gary (pento.net)
Update: WordPress 4.2 has full UTF-8 support! There’s no need to upgrade manually any more. For many years, MySQL had only supported a small part of UTF-8, a section commonly referred to as plane 0, the “Basic Multilingual Plane”, or the BMP. The UTF-8 spec is divided into “planes“, and ...

tl;dr Thanks to @GaryPendergast I have now switched from latin1 to utf8mb4.

Well f*ck me but I really didn’t take care of my blog at all any more. Checked the logs and an occasional error about emojis and the database showed up. On investigation I found out that the database was still running on MyISAM and latin1. WordPress never updated this during upgrade (despite my DB having support for this for ages). My website moved a lot and existed even before switching to WordPress in 2004 so it’s sort of a miracle that it’s still working anyway. Unlike Geocities and the likes I mean 😉

PHP message: WordPress database error Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8mb4_unicode_ci,COERCIBLE) for operation [...]

Fixed by running this SQL on all of my tables:


ALTER TABLE wp_posts ENGINE=InnoDB ROW_FORMAT=DYNAMIC;
ALTER TABLE wp_posts CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

Today I ran into domain abuse while working on a WordPress project due to a typo in the TLD. A foreign server happily served me the requested files but with spiced content. This looked unsuspicious at first glance.

Now this is something that doesn’t happen every day [to me]. I haven’t touched PHP and WordPress in years so I don’t have a workflow established for this any more. Today I got the job to upgrade some legacy system. So I checked out the project from git, configured some dnsmasq magic and launched a local PHP development server and browser.

I was astonished when the project came up in the zero-profile development Chrome and the first link I clicked opened a new tab presenting me with some scam ringing all alarm bells. I’m on localhost! And Linux! What happened? Do we have an infected project in our git repository? So I started digging.

This should all point to my local dev domain at 127.0.0.1 that has no public DNS records at all.

Wait, this doesn’t look right. Looks like I made a typo replacing the WordPress WP_HOME and WP_SITEURL in our local wp-config and got a doubled dot de. That’s not going to localhost but it’s still loading JavaScript files. No file came back with a 404 – Not Found error so at first glance nothing suspicious happened besides the CSS looking weird. Most files were empty but with some exceptions – as you can see.

That’s not my expected source.

So I ran that IP against the IP Abuse DB and it checked out with various reports including a “took over my blog” report. Yeah, I guess that happens when you’re going to login to your blog. This IP ships any file you request back to you but with its own flavoured JavaScript. That’s what happens when you make a typo and someone else is just waiting for this. And it happened to my dev setup since I made a search and replace without enough caffeine in my blood to spot the typo and without bothering to set up SSL and CORS for developing.

Requesting without “subdomain” results in a critical error.

So yeah.. you can throw any domain at this. It will happily serve malware, or spam or whatever it’s up to today. It’s just waiting for a typing error.

The 127.0.0.1 one is fetched by my local dnsmasq

There’s a lesson here. Watch carefully which domain you really use. Don’t be lazy and make use of SSL/CORS even in development. I can’t help having some respect for this idea and there are probably others doing the same.
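A pre-flight check for the mistake described above, as an added example (not code from the original post): it reads WP_HOME and WP_SITEURL out of a wp-config.php and reports any host that is not on the dev allowlist, ends in a doubled label, or resolves to a non-loopback address. The hostnames, the allowlist and the stand-in DNS table are constructed for illustration.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Matches define( 'WP_HOME', '...' ) and define( 'WP_SITEURL', '...' )
DEFINE_RE = re.compile(
    r"""define\(\s*['"](WP_HOME|WP_SITEURL)['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")

# Constructed wp-config.php fragment; the second URL has a doubled final label.
SAMPLE_CONFIG = """
define( 'WP_HOME', 'http://legacy.example.test' );
define( 'WP_SITEURL', 'http://legacy.example.test.test' );
"""

# Constructed stand-in for DNS so the example runs offline; 203.0.113.0/24 is
# a documentation range, here playing a wildcard zone that answers the typo.
SAMPLE_DNS = {
    "legacy.example.test": ["127.0.0.1"],
    "legacy.example.test.test": ["203.0.113.7"],
}

def system_resolver(host):
    """Ask the OS resolver (and so the local dnsmasq) for the host's addresses."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_wp_config(config_text, allowed_hosts, resolver=system_resolver):
    """Return (constant, host, problem) tuples; an empty list means safe to start."""
    findings = []
    for const, url in DEFINE_RE.findall(config_text):
        host = (urlsplit(url).hostname or "").lower()
        labels = host.split(".")
        if host not in allowed_hosts:
            findings.append((const, host, "not on the dev allowlist"))
        if len(labels) >= 2 and labels[-1] == labels[-2]:
            findings.append((const, host, "doubled final label"))
        try:
            addrs = resolver(host) if host else []
        except OSError:  # includes socket.gaierror: the name does not resolve
            addrs = []
        outside = [a for a in addrs
                   if not ipaddress.ip_address(a.split("%")[0]).is_loopback]
        if outside:
            findings.append((const, host, "resolves outside loopback: " + ", ".join(outside)))
    return findings

if __name__ == "__main__":
    lookup = lambda h: SAMPLE_DNS.get(h, [])
    for finding in check_wp_config(SAMPLE_CONFIG, {"legacy.example.test"}, lookup):
        print(*finding, sep=" | ")
```

With the default `system_resolver` the same call goes through the machine's real resolver, so it can run before the development server and browser are started.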