WordPress questions

I think it's time to give up on Livejournal and host my blog on my own server. I imagine I'll still feed RSS into this account, but the ads that LJ's Russian Masters are apparently subjecting my readers to before they can post comments hurt me deep inside.

Anyway, WordPress seems to be what the kids are using today, so I've installed that and I'm playing around with it.


  • Does "livejournal-importer-0.3" actually work? It would appear not to. So what's the second-easiest way? Convert my LJ to an RSS feed and stuff that in? Or hack it out in the SQL database directly?
  • What is the WordPress theme that most closely resembles the theme of this here LJ? I was going to just add some CSS to the default "twentyten" theme, but it sets colors in no less than 83 places, which is just ridiculous. (When I edit "style.css" am I editing a generated file? Or did someone actually produce that monstrosity by hand?)

  • What is the done thing for commenting and spam avoidance? Should I just install whatever-plugin and force people to have Facebook accounts to comment? What are the sensible choices here?

  • Any WP-related security gotchas I should know about?


63 Responses:

  1. pavel_lishin says:

    For commenting, you might want to consider Disqus.

  2. chanson says:

    My understanding of WordPress themes is that most of them offer their own customization mechanisms within the WordPress admin interface, rather than have you edit the CSS.

    Whether that generates the CSS or performs transformations on it I couldn't tell you. I stay as far away from that crap as I can.

    • chanson says:

      Also, insert snarky suggestion that you write your own blog engine in TI Explorer Lisp. It'd probably be better than WordPress. Or LiveJournal.

      • dagbrown says:

        After looking at WordPress, Movable Type and the others, I concluded that I would be just as well off crufting my own blog engine from scratch as I would trying to comprehend and customize any of the others on the market. Blogs aren't exactly hard, after all (which might explain why there's so much mediocre blog software out there).

        So that's what I did. Apparently I did it well enough that my built-entirely-from-scratch blog still attracts Russian spammers who apparently want to sell the world Ugg boots (although to what end I have no idea--and none of them have noticed that not a single one of their spammy comments has ever actually made it to a real page in my blog).

    • pvck says:

      FYI most of the backend modifications are just turning on and off various chunks of php. I suppose it's theoretically possible that theme developers could be using that to write css files, I've never seen it actually done.

  3. pfrank says:

    if you use the wordpress comments rather than Disqus or some other farmed out thing, Akismet really is worth using. It seems to do pretty well.

    When editing a theme, the best way to proceed is to just make a child theme like this:


    You can just scrap their CSS that way but still get all the basic functionality.

  4. pvck says:

    My answers assume you are installing WordPress on your own server, and not hosting at wordpress.com, I don't know what that might change.

    1) No opinion.

    2) There are a bajillion themes so it's difficult to say which one is closest. What I would recommend is finding the simplest theme and editing the css to taste. The css files are not dynamically generated, so changes you make will stay sane. I built my site off of this base theme because it implemented a fluid grid nicely, which was my priority. That guy has a few other themes, and he's forever espousing the joys of minimalism, so any of them might make a good start point. You will probably be able to find a one-column theme, but minimal dealing with php and css will allow you to chop out columns pretty easily.

    3) WordPress automatically comes with Akismet, which is an anti-spam plugin, it does not require any registration from visitors. You have to register with them (if I remember correctly you're basically getting an API key), but it's painless and has so far been 100% correct in its spam detection for me.

    4) Outta my pay grade. But I haven't heard of any major kerfuffles in years now, and the wordpress people have been very proactive whenever issues arise.

    (as a side note, I wonder how many people are just going to stop looking at lj entirely once you're gone. I don't think I've read any lj other than you in like a year now)

  5. Based on the 2010 Theme, the Theme 2010 Weaver offers quite a few variations, among them a WYSIWYG color editor that seems to do the trick...
    Good luck!
    PS: I am a big WordPress fan, but it's not a panacea or the ne plus ultra. Easier software comes to mind for bloggers: Posterous.com & Tumblr.com

  6. mark242 says:

    >Any WP-related security gotchas I should know about?

    You mean other than "it's shit"?

    I've been burned, so many goddamned times by insecure versions of WordPress, that I'm really ready to throw in the towel. It is an absolute certainty that you will wind up getting hit by some massive automated script that is trying to exploit the gaping-security-flaw-of-the-day, and someone will post a "HA HA I HACKED JWZ LOOK AT MY 31337 SKILLS" bullshit on your host.

    I've run WordPress in a chrooted environment, with the web server only having permissions to its own directory, and this bullshit still happens, especially from some random plugin that you thought might offer decent functionality (eg a cache of dynamic pages) that winds up being completely vulnerable to, say, cache poisoning...

    Anyways, good luck. You might want to spring for the hosted model.

    • tegeran says:

      >You mean other than "it's shit"?

      Pithy, but too generic. I think the right answer is "WP is a security-related gotcha".

  7. rsalerno says:

    The theme[s] you are looking for.

    I only have firsthand experience with Sandbox, but I feel wholly comfortable vouching for anything else he's made—some of which are specifically minimal and single-columned. CSS and template edits on those should be trivial for you to bend to your will.

    • rsalerno says:

      I apologize. It seems most/all of his themes haven't been updated to work fully with WP3. Please forgive the unhelpful comment.

  8. jayp39 says:

    Adding basic auth to the wp-admin section will probably help stave off some of the common attacks and vulnerabilities that pop up regularly.

    Akismet auto-kills 98% of spam and doesn't seem to get false positives, but 2% of spam can still be a lot of spam.

    • netik says:

      Basic auth is one step, but I'd go further than that and fence off the entire admin section with an IP based ACL. That's worked for us quite well.

      • pfrank says:

        That is a really good idea. How do you handle exceptions for remote access like via phone or coffeeshop or whatever?

        • netik says:

          At least in my office, we've got Juniper VPNs and we're using JunOs touch to start VPNs from iPhones and remote locations. Then people can access the backend of the blog. I'm not saying this will work for everyone, but it works for us.

          If you have known places you blog from, you can permit those IPs. Even if you can restrict the ACL to a country or ISP location, you can thwart attacks coming from the rest of the Earth.
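The basic-auth-plus-IP-ACL setup discussed in the thread above, sketched as an added example (it is not part of the original post or any commenter's configuration). It assumes Apache 2.4, a WordPress tree at the hypothetical path /var/www/blog, and constructed addresses from the documentation ranges standing in for a home IP and a VPN egress range.

```apache
# Added example. Assumptions: Apache 2.4 (mod_authz_core, mod_authn_file,
# mod_auth_basic); /var/www/blog and the htpasswd path are hypothetical;
# 192.0.2.10 and 198.51.100.0/24 are constructed placeholder addresses.

# Fence off the admin area: the client must come from a permitted address
# AND present a valid password. Basic auth sends the password base64-encoded
# on every request, so serve these paths over HTTPS only.
<Directory "/var/www/blog/wp-admin">
    AuthType Basic
    AuthName "Blog admin"
    # Keep the password file outside the document root.
    AuthUserFile "/etc/apache2/wp-admin.htpasswd"

    <RequireAll>
        Require valid-user
        # Several addresses on one "Require ip" line are OR'd together:
        # a known blogging location, or the VPN's egress range.
        Require ip 192.0.2.10 198.51.100.0/24
    </RequireAll>
</Directory>

# The login form lives in the WordPress root, not under wp-admin, so it
# needs the same fence or password guessing continues against it.
<Directory "/var/www/blog">
    <Files "wp-login.php">
        AuthType Basic
        AuthName "Blog admin"
        AuthUserFile "/etc/apache2/wp-admin.htpasswd"

        <RequireAll>
            Require valid-user
            Require ip 192.0.2.10 198.51.100.0/24
        </RequireAll>
    </Files>
</Directory>

# Caveat: some plugins and themes call wp-admin/admin-ajax.php from public
# pages. If front-end features stop working after this change, that file is
# the usual reason; decide deliberately whether to exempt it.
```

Check the syntax with `apachectl configtest` before reloading, then confirm from an address outside the permitted list that both /wp-admin/ and /wp-login.php return 403.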

  9. bbot.org says:

    >What is the done thing for commenting and spam avoidance?

    Up in the air at the moment. Host your own commenting and enjoy vast tidal waves of spam, or use Disqus and enjoy random downtimes.

    >Any WP-related security gotchas I should know about?

    Themes can execute PHP, so if you pick one with a security hole, you can get owned.

    WordPress, as a whole, isn't designed with the degree of paranoia you would like to see in something that is exposed to the internet. But then again, I use a shell script based "CMS" you would presumably explode in indignant rage at hearing described, just to avoid running mysqld at all, so perhaps I'm not the most objective judge.

  10. benc says:

    Starkers might be a good bet, although it does mean making it look like this yourself: http://starkerstheme.com/

  11. Last I checked (about a year ago) wordpress still didn't have any support for caching built-in. Therefore you should absolutely not go live without installing something like wp-super-cache. http://wordpress.org/extend/plugins/wp-super-cache/

    That does pretty much what you'd expect: static versions of your PHP-generated pages when possible so your webserver doesn't sit at 100% CPU all day.

  12. hairyears says:

    Keep us posted: other people here are looking at doing the same. I would be particularly interested in seeing a comment system work with OpenID.

    But... Have you considered Dreamwidth as an alternative to LJ?

  13. Thumbs up for Akismet.

    The only recent problems I've seen people have have been either shonky plugins or bad ISP setup. There's a site out there that lists issues as they crop up but I'm buggered if I can find it.

  14. hatter says:

    I'd suggest you take a look at the previous exploits against WP to see what they like to do after initially getting in, install it with default permissions, then go at the file system, db and httpd config to make it harder for them to do any damage once they inevitably find another hole.

    the hatter

  15. pikuorguk says:

    Akismet is the best spam filter for comments, combined with setting all new people who comment to be moderated the first time. Whatever you use, don't make it so that commenters have to log in - they won't bother commenting, the standard WP comment system works fine.

    I've used Disqus comments and they seem quite cool, but I dunno... letting someone else handle comments seems a bit strange, it sometimes buggers up plugins and templates that don't use the "normal" system for handling that stuff.

    Using Akismet on your WP blog is like using GMail to control email spam - it stops being a problem. Not using it is like using Hotmail or Yahoomail...

    There is a livejournal crosspost plugin you can install which will then repost WordPress back into LJ which might make the transition easier (if you care).

    WordPress themes are a great timewasting thing, some people think they can charge money for them! And yes, they are a mess of PHP, HTML and other acronyms - it's web development, it's shit by design...

    Don't install a template that isn't designed to work with WordPress 3.x, it might not have the new standard features like Gravatars and automatic post thumbnail generation, and instead might do its own similar hack.

    Maintaining a WP installation is pretty painless since most of it is automatic; a note appears on the admin screen when there's an upgrade and it's a one-click system to upgrade most things. You won't lose hours of your life gently tending to its every need.

    Also... it doesn't have sodding Captcha! :D (has anyone noticed they seem to be running out of recognisable words and are now showing unreadable gibberish?)

  16. aerdan says:

    If you're looking to move away from LJ, I would suggest http://www.dreamwidth.org -- same overall engine, but their developers pay attention to the community, etc. I have an invite I could offer, too.

    • jwz says:

      I've had an account there for years just for namesquatting purposes, but I couldn't care less about it. I'm not moving from one sinking ship to a slightly smaller copy of the same sinking ship.

  17. giantlaser says:

    I use WordPress plugin "LJ Crossposter", version 2.0.6. I can only find 2.0.5 on the web now. In fact, I'm not even sure if 2.0.6 is my own patch anymore. If you've been subjected to my technical posts here on LJ, you've seen it in action. You can download it here:


  18. 0x1392 says:

    I once saw captchas which were presented as ASCII graphics. I thought that was very cool, since you could use such a site even in a text-browser like lynx. A nice contrast to today's Flash-filled, Javascript-abused "Web 2.0"...
    On some unixen you could do something like system("banner cx762e1");.

  19. cow says:

    I rather like Intense Debate as a comment engine. They handle spam well, and you can use openID, Facebook, Twitter, etc (as a site admin, you can choose to not allow certain ones if you like, but they're all supported). Or, if you create an Intense Debate account, you gain a reputation score across all sites that use it, which allows people to just eyeball to see if someone's a useful commenter or a troll.

    It also has a WordPress plugin which makes installation easy. (It's easy anyway; I use Textpattern as blogging software and wrote the support for ID myself.)

  20. greatevil says:

    This has worked for scraping content as little as 6 months back: http://antennapedia.livejournal.com/266462.html

    It will barf on random entries, I've found that editing them or removing them lets the app move on.

    Not perfect but you end up with XML that is sane to deal with.

    • alchemist says:

      The more recent versions of WordPress have LJ Import built-in. It worked rather well when we converted ursulav to wordpress as her primary earlier in the year.

      The only thing we needed to do was to turn off the crosspost BEFORE import because it will dupe entries if you don't.

      • jwz says:

        As I said, the "built in" one is doing fuck-all.

        • alchemist says:

          Found that after I pressed "post" - not sure what to say in this case. The export/import (which is what I did when I converted a few years back) is a pain in the ass, but should work.

          You will need to go in and fix all the bits where it makes any lj specific tags (or HTML tags) into XML entities, and then convert them to proper links, or it'll make the archives into all kinds of crap.

          I'd say to report a bug, but I'm pretty sure the russians don't give a fuck. I've got a friend who's now "high up" in the lj support team - soon as he's back from the con this weekend, I'll point him this-a-way.

  21. malokai says:

    As far as security goes, the lifespan of a wordpress install is 1 year then reduce that by 3 months for every third party plugin you have installed (other than akismet or ones that only push JS to the client).

  22. gryazi says:

    Now you have two problems.

  23. headlouse says:

    Been running WP for years as I got sick of LJ a long time ago.

    For comment spam use Akismet. It's pretty impressive and kills nearly all spam. One other tip is to kill comments on old posts or comments with too many links. Disqus is an option too but I also don't like having a 3rd party own my comments -- hell that's why I jumped ship from LJ anyway. Disqus does do nested comments which is nice but there are WP plugins that do that too.

    For Security, the main thing is to keep your WP install up to date which is easy. Also don't have "powered by wordpress" on every page of your site like it has by default. Throw your thanks WordPress on your About page instead. That little bit of text attracts a lot of spambots and script kiddies. BTW, I've never had any of my WP sites hacked and my main blog gets decent traffic. There are tutorials out there which talk about other measures you can take to secure your site but I haven't needed it.

    As others have said install WP super cache. It will handle your traffic spikes and serve your pages up faster. As to themes it can be hard to wade through them all. Make sure it is WP3.0 ready so it can easily use all the new stuff. The 2010 theme is good but I know what you mean by the CSS. It's a bit of a mess. It's decent and admittedly has to be flexible CSS so it's gonna be complex but there are a few sloppy chunks and it could stand some more organization.

    Not sure about LJ importing as I never bothered.

  24. bitwise says:

    Logjam keeps all downloaded entries in relatively sane xml files. I think an import from there would be straightforward.

  25. pberry says:

    If you're worried about security, one thing that we've done is to run off of HEAD from their svn repo. Cron up an update job and let it go. We've been running on that for a few years now. Downsides are that something might break, but we haven't had that happen. Plugins could be a problem with this model though. WP3 has brought a lot into core, so I don't know how much of an issue that will be.

  26. rhino_rex says:

    thank you for asking these questions. your followers are more useful in this area than mine are.

  27. cje says:

    I started on WP a while ago because it's easier and less difficult to navigate than LJ. You may find some things insanely irritating because you actually read and write code. For me, it's a simple and easy way to have both a professional site and a blog, without having to learn much.

    From my experience:

    I *did* export my LJ blog into my WP one. Every post from the beginning made the migration. Comments did not (despite the utility reporting that they did make it) & neither did images (but my images vanished from LJ a while ago for no apparent reason). The only real problem I had with the exporting process was that WP got some of the "originally posted on" dates wrong.

    Commenting and spam are easy to avoid. Akismet and WP-SpamFree both work for me, but I don't get the traffic you do, so you'll probably need something beefier. Just check the plug-in options: there's a ton of them. Your fanboy base may mean that you have to moderate/verify/something your comments or you'll end up with moon-man following you over there, too. (Though it's pretty easy to block IPs, users, and also delete comments in WP.)

    Security issues seem to remain at bay as long as you update regularly.

    But, ye gawd, the themes. You could probably modify Black Letterhead (http://wordpress.org/extend/themes/black-letterhead) pretty easily. While I can't speak to the quality of his CSS, the basic colors and layout are easy to play with.

    Once you get this down, could you please start building free themes that don't suck?

  28. grahams says:

    I switched away from LJ -> WordPress 2.9 earlier this year. I used the LJ importer built into WordPress, located under Tools -> Import -> LiveJournal... It worked for my 10 years of LJ entries almost flawlessly, though it did seem to lose the association between some anonymous comments and the posts they are attached to. This added up to about 150 comments total for me, which was enough for me to say fuck it. You probably have more anonymous comments, so you may care more.

    I wrote an addition to ljdump which converts the output of ljdump into something the old WP importer could read, but then they completely rewrote how the importer worked and obviated the need for it.

    For comments I just use the built-in stuff and the Akismet anti-spam plugin, which works well for me.

    • jwz says:

      Well that's what I've been trying to use, and what it does is it says "We're downloading and importing your LiveJournal posts..." and sits there spinning for more than an hour before finally saying "XML-RPC Request Failed -- -32301: transport error - HTTP status code was not 200" with nothing having been imported at all.

      • grahams says:

        Hrm... I wonder if LJ has changed something to break the protocol since I made the move in June... A few times during the import an error would occur because I think LJ was ratelimiting, but I just restarted the importer and it picked up where it left off.

  29. blueapples says:

    But professionals use http://expressionengine.com/

    I'd seriously recommend it, I've done dozens of sites using it and it beats WordPress hands down on almost any kind of site, including a simple blog. If you want to manage more complex types of data like Projects, Products, Songs, etc. in a database-like format and with a nice and easy to use and configure UI then it's even better.

  30. evan says:

    I don't have any recommendations for you other than that WordPress is a security disaster. The bugs I've seen have been embarrassing.

    For my Chrome blog I thought "it can't be that hard" and wrote some scripts that generate the content as static files, along with some elisp to help construct posts in the proper form. With static files there is no security to worry about. In retrospect I wish I had outsourced it to something like Jekyll (which is what github uses).

    The only dynamic thing that matters is comments, where I grudgingly accept disqus is better than trying to manage it yourself.

    • jwz says:

      Of course "write it myself" was my first instinct, but come on, it's The Future now, I shouldn't have to re-invent that wheel again...

      • bellacrow says:

        make a better wheel, lots of us would thank you

      • leolo says:

        I have a suspicion that all blogging software was written by bloggers, not programmers. So you get horrendous messes like the LJ code base or slashcode or WordPress.

        Of course a real programmer would want a better challenge, so when they set up their blog they don't want to spend a week or 4 writing the software, so they grit their teeth and use whatever is going.

        I also strongly suspect that if a real programmer starts writing blog software they end up with Reddit or Stack Overflow.

  31. pyrop says:

    What about Tumblr?

    • jwz says:

      You risk the Hammer of Bannification for suggesting start over from scratch with completely-other-dumb-thing in response to the very specific questions about the unrelated thing that I actually asked about, but I'm feeling gregarious so I'll answer you anyway:

      After the pain in the ass that migrating from LJ will be, there's no fucking way that I'm making the mistake of giving someone else all my data a second time.

  32. kensey says:

    Count me as a "hell no" vote for Akismet unless you don't mind false-positives. I'm sure it does keep the spammers out, but it also has a bad habit of keeping real people out too. Another site I read (The Daily WTF) uses Akismet for their comments and it's constantly getting in the way, particularly (but not exclusively) when commenters try to post links or URLs.

    Maybe they're doing something broken, but the opinion of Akismet among the commenters there is not positive.

  33. giantlaser says:

    And some other practical advice:

    1. Use php-suexec. If your user runs your PHP scripts, wordpress can update itself and its plugins with one click. That happens at least once a month, usually for security reasons, and you REALLY don't want to delay upgrading. Or you can run as the web server user, as long as that user can edit the blog's files.

    2. Install and use the plugins WP-SpamFree and Akismet. WP-SpamFree uses javascript to ensure commenters are human (most blog spammers don't yet interpret javascript). Akismet matches against a known database of spam provided by other Akismet users. It works pretty damn well. Between the two I get one spam a month.

    3. If you want better performance and SEO, install W3 Total Cache and All in One SEO Pack.

    Akismet comes with WordPress. Links to other plugins:


  34. notthebuddha says:

    I'm not getting any hurtful ads. What, don't I rate anymore?

  35. Mike Bayer (the gentleman responsible for the really excellent Mako & SQLAlchemy Python libraries) has recently written on migrating away from WP here.

    You will almost certainly not be interested in the conclusion given that he's settled on what appears to be a pretty fiddly Python-powered solution, but I thought you might be interested in another coder's experience of managing a WP install.

  36. jwz says:

    test 2.

  37. One note: the line spacing on this WP's layout seems to be just a tiny bit too cramped. Livejournal's slightly-spaced-out lines help readability immensely.

    • jwz says:

      You're right, I tweaked it.

      I dunno how much more CSS fiddling I can do before it starts to sound like a better idea to write my own theme...

      • Wow, much nicer. Thanks.

        That sound you hear is the sane half of your readers going "No! Don't open that cupboard! That's where the monster's hiding!" at the idea of writing your own theme. I gather things are better than they used to be, but WordPress' content injection APIs aren't exactly great.