Tag Archives: WordPress MU

Piquing Curiosity

I don’t have time to do a more detailed post on the technical details of my new blog consolidation approach, but I thought I’d throw a teaser out there and mention that I did it without adding any additional plugins. Just something for you WP enthusiasts to ponder / wonder about until I get around to explaining it. :-)

Long, rambling thoughts on WPMU

I’m posting this a bit late, but just about two weeks ago I finally caught a few spare minutes to upgrade this thing to the latest released version of WordPress MU. Things went surprisingly well, especially since until that point I’d been running a “custom” version (more on that later), and this was the release that synced up all the new admin changes released in the 2.5 “regular” WP release.

I run this domain (freepressblog.org) with several blogs as well as two other domains (“sites” in WPMU terminology), each with their own set of blogs. So far no reports of any problems; the transition went pretty smoothly. Prior to the upgrade, I heard a lot of noise about the new admin UI being a hard adjustment, but in my experience, I haven’t encountered any difficulties, and haven’t heard of any from the other people who use this install.

I’ve been wanting to do the “big” upgrade for quite a while now, since it was kind of a pain to be maintaining my own hacked together version. The unfortunate thing was that I didn’t really have much of a choice in that matter, as the “main” line of development in the WP project had been getting all sorts of urgent security patches and MU just doesn’t really keep up with them to the degree that I’d like.

As an example, you may remember the password hashing / salting and cookie authentication vulnerabilities from WP 2.3. These two issues were initially reported (to “regular” WP) in November of 2007, and patched in that code base relatively quickly (December 2007). There was a similar ticket for incorporating the same changes into WPMU, and it was arguably (IMHO) even more important to do there, since MU installations generally have more registered, non-admin users.

I’m using these two in particular as an example because I’m familiar with them; later that month (12/2007) I submitted a patch that corrected these two issues for MU users as well, and I’ve been running it without error here on this installation ever since. Unfortunately, it was decided that these changes should follow the same path as the rest of MU - namely wait and eventually do a huge sync-up release that ports all the latest stuff from standard to MU.

The problem is that this “sync-up” release only just happened earlier this month (May 2008). This means that for anyone running only “released” versions of the software, they had been lacking these (and other) security fixes for 5-6 months. Personally, I consider that to be a problem, since running only released versions of the software should be a reasonable and safe choice for people who aren’t willing or able to hack together their own code.

There are various things that have recently kept me from being as involved in WP development stuff as I was at one point. Mostly it’s just other priorities / demands on my personal time, but I do have to admit that part of the motivation I initially had after WordCamp in San Francisco last July has certainly faded.

Even that I won’t attribute entirely to the issues I’m “complaining” about here; a good deal of it is probably just a shift in interest for me personally. But I also have to honestly admit that I do not feel as interested in pushing for / working on the kinds of things I’d like to contribute to in a project like this, since I think it’s clear that they often don’t quite line up with the values / priorities of the people who control the direction of the WP project, for better or for worse.

I imagine it’s this way with any open source project with a healthy number of contributors, and I certainly do believe whole-heartedly in the benevolent dictatorship model of guiding changes in open source projects like this. It’s just a bit discouraging when you’re on the wrong side of that equation, and don’t have the time or energy to campaign for your position, getting your patches in, etc.

Even that I wouldn’t mind much, assuming that rational discussion would be an effective way to discuss / debate the differences. There have been some unfortunate situations in which such discussions, even from core contributors, were basically ignored (here’s one, admittedly very minor issue, but still). At other times I’ve seen (and once experienced personally) what I’d consider to be reactions more grounded in emotional involvement / defensiveness than concern for the actual issue at hand.

I’ve struggled with this state of affairs for a while now, but have yet to come to a satisfactory conclusion on what to do about it. At this point, I’d switch if there were a better alternative, but I haven’t seen one yet.

I still think it’s a great platform overall, but I do think that there’s certainly some room for more serious competition. I hope to see such strong competition arise, not just for my own benefit, but for the benefit of WordPress as well.

WPMU Security Update

If you run your own installation of WordPress (and you’re paying attention to security) you’ve probably heard quite a bit of talk recently about a couple issues that could lead to a compromise of your blog.

I won’t go into too much detail here on the exploits, but they’re definitely out there, “in the wild”, as they say, because I’ve seen quite a few hacked blog posts show up in my RSS feeds in the last couple days.

This prompted me to get to work on patching these issues in WordPress MU. I put together a patch that addresses the two main issues: stored password hashes not being salted, and the cookie authentication vulnerability. (See those last two links for detailed discussion on the problems). If you’re running WPMU, I suggest applying this patch to keep your installation safe.

The patches have already been applied to the standard version of WordPress, but not in a released version yet. This may be complicated for those of you running regular WP, because there are a ton of other significant changes that have also been committed to the SVN repository, and you may not want some of those in your day-to-day install yet (specifically, the unfinished redesign of the admin UI).

The changed files are all the same as in my patches, though, (only the line numbers will be different) so you could probably use them to figure out what you need to change in your own installation to apply the security fixes without the other current changes.

Blog hosting

I’ve been meaning to mention this for a while now, but I’m now hosting several different sites under this same WordPress MU installation. In addition to the freepressblog.org ones (mine and Martha’s), I recently added a couple other sites (other domains, hosted using the same WP installation): one for Martha’s school and the other for our latest foray into the land of podcasting.

All that to say that if anyone is looking for a place to host their blog, you’re welcome to do it here for free (friends only, non-commercial, normal traffic blogs of course).

The benefits would be that you would always be running in an up-to-date WPMU installation (similar to what you’d have if you signed up for a wordpress.com account), but with a bit more flexibility in terms of available themes, plugins, etc., as well as being able to pick your own name.

You can have whatever.freepressblog.org, or just use your own domain name that you’ve already bought but don’t want to pay for web hosting for, and you can have the whole scope of *.yourdomain.com to set up multiple blogs under.

The only drawbacks would be that I can be a bit picky about installing themes or plugins (I would have to review and approve them first), and I wouldn’t allow certain types of advertising or other monetization methods that I deem inappropriate (TLA, pay per post, etc.)

Not trying to make any money or anything, just throwing it out there in case it might be useful to anyone.