WordPress questions, part 2

I have largely bent WordPress to my will. I couldn't get the built-in LiveJournal importer to do anything other than sit there for an hour and then say "XML-RPC Request Failed", so I hacked my ljgrabber script to download my entire LJ plus comments and emit a "WordPress Extended RSS" file, which I was able to import.

Check it out: woo.

I haven't enabled commenting there yet because I'm still tweaking things, but poke around and let me know if you see anything broken. Suggestions on how to make it look better or be more usable are welcome.

I guess I'm gonna have to convert all my "previously" links to point here instead of to LJ by diddling the database directly, sigh...

Questions:

  • I understand that using WordPress and/or its plugins means living in a world where you have to upgrade everything constantly. WP has plugin installation and upgrading built in, but -- WTF? -- it wants me to give it an FTP password to do so? (FTP still exists??) But this makes no sense at all: the WP install running on host X wants to download a file and then install it on host X by running FTP from host X, to host X? What am I missing? In what way is that not completely insane?

    So to install things I end up having to download and unzip them manually, and that's annoying. Why can't WP do this for me?

  • What comment-related plugins should I install to make it so that people can log in with Facebook and OpenID and stuff? I don't think I want to allow people to comment unless their email address has been validated by somebody, to avoid the usual drive-by shitcockery. (I've installed Akismet, but that's just a spam catcher.)

  • Should I look for a plugin for crossposting to Facebook and Twitter (and LJ, eventually), or just write my own?

  • There seem to be 30 different plugins to do any given thing (e.g., FB "Like" buttons). What's a good strategy for figuring out which ones are not gaping security holes?

  • Likewise, what plugins do you find useful?

Previously.


46 Responses:

  1. I can't answer any of your questions because I have virtually no WP experience, but I just wanted to say that I actually like your WP layout better than your current LJ one.

  2. If whatever is running PHP has write access to WordPress and all its files, the upgrade stuff works in-place.

    Fast Secure Contact Form
    Google Analytics for WordPress
    OpenID
    Shockingly Simple Favicon
    Twitter for WordPress
    WP-Typography

    I've disabled anything to do with FB for ideological reasons (privacy), so I can't answer that one---assuming you do find one that isn't evil, you may also want to allow Google logins (no suggestions on what to use for that either).

    I tried a bunch of LJ mirroring stuff a long while ago, but they all sucked enough to help me decide to stop bothering.

  3. paje.ro says:

    If you use FeedBurner for your outgoing RSS then "FeedBurner FeedSmith" is a must

    ShareThis is great for, well, sharing!

    WP-PageNavi is a good extension to WP's built in page navigation options

    WPTouch is a fantastic plugin which diverts all touch based mobile devices (iPhone / iPod touch, Google Android, Blackberry Storm and Torch, Palm Pre and more) to a touch screen friendly theme

    • jwz says:

      Wow, WPTouch is pretty slick.

      I don't suppose you've figured out where I change the text foreground/background colors? They don't have a config option for that.

      • paje.ro says:

        not sure... I've never tried to change it!

        I just looked in the plugin and there are several css files which include loads of color styles - might have to be a case of trial and error...

  4. Jamie,

    WordPress prompts the FTP-related stuff only if WP is not able to (over)write itself. So check if the webserver has recursive write permissions on the /path/to/your/blog directory.

    For crossposting to Facebook, try RSS Graffitti (sp?) on facebook, it uses the RSS feed from your blog to post updates and is quite painless to configure. Drawback: it's not realtime.

    -m.

  5. DISQUS can replace WP's built-in account log-in and comment system. It is integrated with all of the open ID stuff and supports cross-site "liking" etc. Worth a look.

    My other three faves are:
    - Akismet, which is the absolute must-have spam blocker
    - Tagline Randomizer, which lets you set up a pool of randomly chosen site taglines
    - Ozh' Better Feed, which lets you hack your RSS output

    Cheers,
    Harrison

    • acdha says:

      I'll second the DISQUS recommendation: they're aggressive about anti-spam measures and the experience is great, even on mobile devices. The good/bad part is that it's JavaScript driven: that kills noscript users (which I really don't feel bad about - it's trivial to add an exception) but you gain faster page loads because you can delay loading it until after the content has been displayed or when the user scrolls down, and that also means that it works very well with long-term caching (slap Varnish in front and you'll be network-limited).

    • oshepherd says:

      I'll add a third to Disqus. It's good, it's sanely threaded, it does Facebook + Twitter + OpenID (+ probably more I've forgotten)

      I'm using it and am really happy with it.

    • knowbuddy says:

      I'd like to downvote the Disqus suggestion. Keep your comments with your posts, not on another service.

      • oshepherd says:

        Disqus will also crosspost your comments to WordPress' builtin comment system (with resultant loss in fidelity), and they also provide a way for you to download them all to back them up.

        And, let's be honest: Disqus works, and it works well. Far better than anything WordPress itself provides.

  6. skreidle says:

    FWIW, if you don't end up crossposting to LJ, I'll just pick up the RSS feed. :)

  7. dossy says:

    re: WP self-upgrades requesting FTP credentials - it only does so when WP is running as a user that doesn't have write permission to the files it needs to update. HOWEVER, IMHO there is a bug in that permission-detection code in that it *expects* WP to be running as the user that *owns* the files, not just has the appropriate write permissions (i.e., group or other bits set).

    tl;dr: chown -R www-data wordpress/

    • Stefan P says:

      If wordpress doesn't realize it has permissions, and keeps prompting for ftp credentials after proper and vigorous chown/grp/moding, you can help it unbreak your balls by adding define('FS_METHOD', 'direct'); in wp-config.php

      • jwz says:

        Cool, that did it -- it had write permission but I guess it was confused over the owner/group issue.

    • krick says:

      A similar ownership issue exists with SMF Forums and the Joomla CMS.

      Supplying FTP credentials (which it doesn't save, btw) gets around the need to chown everything to apache, or the php user, etc...

      However, my understanding is that the chown route is more dangerous because if someone manages to hack your site through a WP vulnerability, then they now have the ability to overwrite/delete/change every file on your site.
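The distinction dossy, Stefan P and krick are arguing about above (write permission versus ownership, and what you give up by making the install writable) can be made concrete with a small probe. This is an added example written for this page, not WordPress's own code or any commenter's; the function names, the temp-file probe and the reading of the check as "new file's owner must equal the existing files' owner" are assumptions drawn from the thread, not a transcription of the real PHP.

```python
import os
import sys
import tempfile

# Added example (not WordPress code): a stand-in for the check that decides
# between writing updates in place ("direct") and asking for FTP credentials.
# The rule, as described in the thread: the PHP process must be able to create
# a file in the install directory, AND that new file must end up owned by the
# same uid that owns the existing files. Group/other write bits alone do not
# satisfy the second condition, which is why "chmod -R g+w" is not enough and
# "chown -R www-data" (or FS_METHOD 'direct') is what makes the prompt go away.


def detect_fs_method(install_dir, reference_file):
    """Return 'direct' if an update could be written in place, else 'ftp'."""
    try:
        fd, probe = tempfile.mkstemp(prefix="wp-probe-", dir=install_dir)
    except OSError:
        return "ftp"  # cannot create files here at all
    try:
        os.close(fd)
        new_owner = os.stat(probe).st_uid  # uid of the process that wrote it
    finally:
        os.unlink(probe)
    existing_owner = os.stat(reference_file).st_uid
    return "direct" if new_owner == existing_owner else "ftp"


def write_check(install_dir, reference_file):
    """Break the decision into its parts so a mismatch is visible."""
    return {
        "writable": os.access(install_dir, os.W_OK),
        "process_uid": os.geteuid(),
        "file_owner": os.stat(reference_file).st_uid,
        "fs_method": detect_fs_method(install_dir, reference_file),
    }


def demo():
    """Exercise both outcomes in a throwaway directory owned by the current user."""
    workdir = tempfile.mkdtemp(prefix="wp-demo-")
    ref = os.path.join(workdir, "wp-config.php")
    open(ref, "w").close()
    result = {"owned": write_check(workdir, ref)}
    os.chmod(workdir, 0o500)  # drop our own write bit: creating files now fails
    result["unwritable"] = write_check(workdir, ref)
    os.chmod(workdir, 0o700)
    os.unlink(ref)
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:  # point it at a real install: python3 probe.py /path/to/wordpress
        root = sys.argv[1]
        print(write_check(root, os.path.join(root, "wp-config.php")))
    else:
        print(demo())
```

Run it against a real install and the interesting case is `writable: True` with `file_owner` different from `process_uid`: the directory is writable, yet the verdict is still `ftp`, which is exactly dossy's complaint. The flip side is krick's point: once the answer is `direct`, whether by chown or by `FS_METHOD`, anything that executes as the webserver user can rewrite every file under the install, so the convenience of one-click updates is bought with a wider blast radius for any PHP-level compromise.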

  8. giantlaser says:

    I've already commented on plugins, which I'll link to here for ease of discussion.

    WP-Spamfree works well at keeping spam away, but unfortunately it conflicts with most OpenID plugins. Unfortunately OpenID works just fine to authenticate spammers as well as humans.

  9. c0nsumer says:

    I've been using ljxp for a couple years now and it works fine for WP to LJ crossposting. By default it inserts some silly text about how the content was originally posted elsewhere and where you can comment, but that's really easy to modify/remove.

    • pikuorguk says:

      Go into your LJXP settings and press the update settings button, then tell me if your blog still works after. Doing this on mine made it give me an Apache error for a few minutes. As far as plugins go, it's one of the dodgier.

      It also has the unwanted side effect of making people comment on your LJ feed rather than WordPress. And if you disable that part it seems nobody bothers commenting due to user laziness.

  10. Ben De Rydt says:

    The FTP stuff is to have sensible permissions. WordPress acts as an FTP-client that uploads the files for you. You don't want every php-file writable by the Apache user. IMHO, the security risk of giving WordPress your FTP-password pales in comparison to the ease of updating. You will get hacked if you do not religiously update your WP install.

    Try to use as few plugins as possible. Most are badly written and a lot of them will break on update. Akismet and WP Super Cache are a must.

  11. fantasygoat says:

    So, should I move to using an RSS feed from the new site and comment there, or do comments from LJ end up on WordPress?

    I don't see an RSS feed link, though.

    • jwz says:

      Well, that was dumb (and doesn't appear to be working, anyway). jwz.livejournal.com will continue to work, I'll either mirror into it or transform it to a syndicated account.

      • edm says:

        FWIW, jwz_blog has now fetched from the feed. (LJ seems fairly slow to fetch new feeds these days, and in general seems to poll at least feeds with few readers relatively infrequently.)

        BTW, I think "transform it into a syndicated account" involves deleting the existing individual account, waiting for an expire run (very infrequent) to free up the name, hoping no one beats you to grabbing the newly free name, using another paid account to syndicate to "jwz", getting all your followers to subscribe to the new syndicated "jwz". Or persuading some operations staff to assist with expediting the above.

        Mirroring (i.e. auto-reposting) is likely to be faster to set up. (And if you do choose a mirroring approach and want comments at the original site, the best approach I've seen is to include a footer on each post with a link to the comments/posting/etc, and then tell LJ to disable comments. Ideally with a magic uncached img reporting how many comments are already posted at the original. AFAICT LJ provides no meaningful way to be notified of comments on LJ to a syndicated feed post, even if you have a LJ account.)

        Ewen

  12. leopanthera says:

    For Twitter, install Twitter Tools.

    You may also want WPtouch, which serves up a mobile-formatted version to iPhones and Androids and the like.

  13. wisn says:

    Bad Behavior is a relatively low-maintenance way to block comment spammers and spammers' crawlers.

    WP Supercache is the only other plugin I'd unilaterally recommend, but it looks like that got hashed out in your previous wordpress query post. Akismet is a good idea but far from mandatory, especially if you're not allowing comments or the comment accounts are managed externally (like through OAuth).

    Both WP Supercache and Bad Behavior require fiddling with .htaccess files and are more likely to induce config conflicts than the average wordpress plugin. That said I haven't had problems with either of them on the variety of sites I've set up. I don't have a lot of patience with fun web toys, so my idea of useful plugins is limited to roughly these.

    One of the fundamentally nice aspects to WordPress' design is that all user-specific files are in three locations: .htaccess, wp-config.php, and the wp-content directory. Everything else can be trashed and replaced with impunity and your site's not fundamentally affected. So this makes in-site upgrades relatively painless even in the worst-case scenario.

  14. Ken Kennedy says:

    I use it, no problems. It allows logins from just about everything...Facebook, Twitter, Yahoo, OpenID, etc.

  15. lafinjack says:

    "X comments" aren't displayed on the main page for the comments you've imported; is that lumped under enabling new comments?

    • jwz says:

      For some reason it thinks the imported entries have 0 comments in some contexts (even though the comments are there). I guess their importer left something out of sync in the db.

      • wisn says:

        That's more or less accurate. The wp_posts table has a comment_count column that your LJ importer isn't touching, so it is set to 0 until instructed otherwise, and that's what gets read when the posts are displayed.

        It's benign in the sense comments won't be lost or buried because of it, but WordPress won't re-sync the value on your behalf. You're left with unapproving and reapproving comments in batches, finding a plugin to do it for you, or scripting something up to frob the db directly.

        • jwz says:

          To get an accurate count of comments:

          SELECT comment_post_ID as ID, COUNT(*) FROM wp_comments GROUP BY comment_post_ID;

          To fix, massage that data into a series of statements like:

          UPDATE wp_posts SET comment_count = 15 WHERE ID = 1286364;

          Presumably there's a way to do that in a single statement, but I just used a keyboard macro.

          • edm says:

            Sub-queries seem to be the most direct approach:

            UPDATE wp_posts
            SET comment_count = (
                SELECT COUNT(*)
                FROM wp_comments
                WHERE wp_comments.comment_post_ID = wp_posts.ID
            );

            assuming that I'm understanding the table structure correctly from your bits of SQL (and your database supports subqueries at that point; presumably the only reason the importer doesn't do that is that it can't be sure the database supports sub-queries.... sigh).

            Ewen
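The diagnostic query and the single-statement repair from the two comments above, run end to end against a constructed miniature of wp_posts and wp_comments so the before/after state is visible. This is an added example, not code from the post or from either commenter, and not WordPress's own recount routine; the table layout is reduced to the columns named in the thread, the sample rows are made up, and the example goes one step beyond Ewen's UPDATE by counting only rows with comment_approved = '1', which is what WordPress's displayed count reflects (pending and spam rows are stored in the same table but are not part of the count).

```python
import sqlite3

# Constructed miniature of the two WordPress tables discussed above
# (column names from the thread; everything else is made up for the demo).
SCHEMA = """
CREATE TABLE wp_posts (
    ID            INTEGER PRIMARY KEY,
    post_title    TEXT,
    comment_count INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE wp_comments (
    comment_ID       INTEGER PRIMARY KEY,
    comment_post_ID  INTEGER NOT NULL,
    comment_approved TEXT NOT NULL DEFAULT '1',
    comment_content  TEXT
);
"""

SAMPLE_POSTS = [
    (1286364, "imported post A"),
    (1286365, "imported post B"),
    (1286366, "imported post with no comments"),
]

# (post, approved flag, text): '1' approved, '0' awaiting moderation, 'spam' caught by Akismet
SAMPLE_COMMENTS = [
    (1286364, "1", "first"),
    (1286364, "1", "second"),
    (1286364, "1", "third"),
    (1286365, "1", "only approved one"),
    (1286365, "0", "awaiting moderation"),
    (1286365, "spam", "buy stuff"),
]


def open_sample_db():
    """Build the in-memory sample: imported posts all carry comment_count = 0."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_posts (ID, post_title) VALUES (?, ?)", SAMPLE_POSTS)
    conn.executemany(
        "INSERT INTO wp_comments (comment_post_ID, comment_approved, comment_content) VALUES (?, ?, ?)",
        SAMPLE_COMMENTS,
    )
    return conn


def stale_counts(conn):
    """Diagnostic: posts whose stored comment_count disagrees with the real count."""
    rows = conn.execute(
        """
        SELECT p.ID, p.comment_count,
               (SELECT COUNT(*) FROM wp_comments c
                 WHERE c.comment_post_ID = p.ID AND c.comment_approved = '1') AS actual
          FROM wp_posts p
         ORDER BY p.ID
        """
    ).fetchall()
    return [(pid, stored, actual) for pid, stored, actual in rows if stored != actual]


def resync_comment_counts(conn):
    """Single-statement repair: the correlated subquery, limited to approved comments."""
    cur = conn.execute(
        """
        UPDATE wp_posts
           SET comment_count = (
               SELECT COUNT(*) FROM wp_comments
                WHERE wp_comments.comment_post_ID = wp_posts.ID
                  AND wp_comments.comment_approved = '1')
        """
    )
    conn.commit()
    return cur.rowcount  # every post row is touched, including ones that stay at 0


def comment_counts(conn):
    """Current stored counts, keyed by post ID."""
    return dict(conn.execute("SELECT ID, comment_count FROM wp_posts ORDER BY ID").fetchall())


if __name__ == "__main__":
    db = open_sample_db()
    print("stale before:", stale_counts(db))
    print("rows updated:", resync_comment_counts(db))
    print("after:", comment_counts(db), "stale:", stale_counts(db))
```

Two things worth noticing before running the real UPDATE on a MySQL install: the correlated subquery touches every row of wp_posts, so wrap it in a transaction (or take a mysqldump of wp_posts first), and a post with no comments correctly ends at 0 rather than NULL because COUNT(*) over an empty set is 0.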

  16. chrisam says:

    Running your wp installation with suphp under its own account will help in several regards: It won't execute your php with the permissions of the httpd user, and it will allow the wordpress and plugin upgrades to work seamlessly since PHP will be executed as the same user who owns the files. Dunno what OS you use, but I wrote a how-to for CentOS: http://www.chrisam.net/blog/2009/10/11/installing-and-configuring-suphp-on-centos-5-3/

  17. dachte says:

    For those on Firefox, sprinkling ljgrabber with:


    use DBI;
    # Path to Firefox's cookie database; swap the profile directory name
    # for the one in your own ~/.mozilla/firefox/.
    my $mozcookbook = $ENV{HOME} . qq{/.mozilla/firefox/68u9a8qi.default/cookies.sqlite};

    and replacing get_cookie with

    sub get_cookie() {
        my $dbh = DBI->connect("dbi:SQLite:dbname=$mozcookbook", "", "",
                               { RaiseError => 1 });

        # Pull the LJ session cookie straight out of Firefox's cookie store.
        my @vals = $dbh->selectrow_array(
            "SELECT value FROM moz_cookies WHERE host='.www.livejournal.com' AND name='ljmastersession'");
        if (@vals) {
            print "D: " . $vals[0] . "\n";
            return $vals[0];
        } else {
            error("no ljmastersession cookie in Firefox database");
        }
    }

    will work (replace the random bit in your firefox path with what you actually have).

  18. gthing says:

    I used WP for a long time but eventually switched due to security concerns. Allowing the software to overwrite itself at any time is pretty poor security practice, and even before it had the capability of doing that my WP sites were constantly getting hacked if I didn't update my plugins almost the day security patches came out.

    I switched to Drupal. It can be a bit more daunting than WP at first, but it helps to think of WordPress as a CMS and Drupal as a framework for building CMSes. I have yet to have a Drupal site hacked, even if I am lax on security updates, and you can use drush to do all the updates automatically from shell (which runs from outside the web root directory for security).

    Not trying to dog on WP, but learning and using Drupal has proven to be immensely more valuable. They also encourage developers to add features to existing modules rather than starting a new module that does basically the same thing. You do still have some modules that do similar things, but it's not nearly as fractured and confusing as WP.

    FWIW.

  19. bitwise says:

    I rather like the nonfunctional <lj user="foo"> tags. (i.e.)

  20. lovingboth says:

    I see it's sorted, but the other way to upgrade WP is to install it via svn and let it handle stuff.

    Half of the security holes that WP has had involve account holders being able to upgrade themselves to admin status. You probably don't want any other users anyway...

  21. Lovingboth says:

    .. and another one was fixed yesterday, see the release of 3.0.2.

    Apparently, allowing "malicious Author-level user" to gain further access to the site is a "moderate security issue".

    • Seems "moderate" to me. Author-level implies at least some degree of trust.

      Or: Yes, it's a privilege escalation, but by no means is it a way for J Random Person to root you either.