Working with code is a nonstop adventure of undesired education.
While trying to get next.yahoo launched, i've learned a great, great many things about wordpress that i absolutely don't want to ever learn again.
Allow me to provide you with a few of these tidbits:
PlugIns are your friend. Except when they're not
One of the things that Wordpress gets right is that most calls get filtered through the ever-so-handy plugin architecture. There are dozens and dozens of filters and actions you can define. There are also a bunch that are defined for you. These pre-defined plugin actions and filters are usually "helpful" and only occasionally useful. Here are a bunch you can turn off and why:
remove_filter('the_content', 'wptexturize');
wptexturize is responsible for giving you "smart quotes". These are the curly bits of typography that folks that actually pay attention to these sorts of things think are quite important. We, who live in the modern era and are able to determine the start and stop quote based on the context of use, prefer "typewriter quotes", which have existed on keyboards since the late 1800s. In addition, these "typewriter quotes" are useful in contexts like "code" where "smart quotes" make things explode in stunning, invective-spewing ways. In theory, it's also possible to install a plugin that does this for you by adding various special tags like "sponge", "sandpaper", and i believe "rhubarb" for the posts you don't wish to have smart quotes for. Sadly, there's no magical word for "any" so forget that useless waste of a plugin and write yer own.
remove_action('wp_head', 'wlwmanifest_link');
remove_action('wp_head', 'rsd_link');
Somewhere, there exists a person who believes that having a link back to the editorial interface for your blog published within the publicly viewable portion of your blog is "a good thing". Chances are exceptionally good that selfsame individual believes that white gym socks, dress shoes and madras shorts are the very height of style and that it's your fault for driving by his window and seeing him doing naked aerobics.
Me? i figure that if i've already created the post in question, i'm probably smart enough to remember the editor in question i used not less than 24 hours ago. Exposing the naughty bits of how anyone could monkey this sort of thing just strikes me as a REALLY BAD IDEA.
A few other notes:
get_option('home') is the public URL for your blog.
get_option('siteurl') is the administrative URL for your blog.
Chances are exceptionally good that both of these are the same, still, if for some security reason, you want to put the administrative functions on a URL that is blocked from public access (you know, so someone can't hack in and do bad things), that's a particularly noteworthy distinction. It's important that anytime you need to get the root URL of your blog, you're aware of the context it's being used in.
(Now, if only someone could get the WordPress folks to follow that.)
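You can fix such "mishaps" by creating a filter for bloginfo_url that returns a "corrected" value (e.g. if your blog is on example.com but your administration functions are on example.net):
function my_bloginfo_url($url, $arg2)
{
    // Swap the public host for the administrative host (dot escaped so it matches a literal ".").
    $output = preg_replace('/example\.com/', 'example.net', $url);
    return $output;
}
// Register the filter; bloginfo_url passes two arguments (the URL and the requested field).
add_filter('bloginfo_url', 'my_bloginfo_url', 10, 2);
The technical term for this is "Icky-Poo" as these sorts of calls really should use the right source option to begin with.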
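A quick way to confirm that both the wp_head removals and the home/siteurl split actually took effect is to scan the rendered page. This is an added example, not code from the original post; the function name, the finding labels and the sample markup are made up for illustration, and example.net stands in for the administrative host as in the filter above.

```shell
#!/bin/sh
# Added example. Reads rendered blog HTML on stdin and reports editor/admin exposure.
# $1 = administrative host (assumption: the host behind get_option('siteurl')).
check_public_html() {
    admin_host=$1
    html=$(cat)
    findings=""

    # rsd_link() and wlwmanifest_link() emit <link> tags with these rel values.
    for rel in EditURI wlwmanifest; do
        if printf '%s\n' "$html" | grep -Eqi "<link[^>]*rel=[\"']${rel}[\"']"; then
            findings="${findings}link:${rel} "
        fi
    done

    # The admin host appearing anywhere in public markup means some call
    # used siteurl where it should have used home.
    if [ -n "$admin_host" ] && printf '%s\n' "$html" | grep -Fqi -- "$admin_host"; then
        findings="${findings}admin-host "
    fi

    printf '%s' "${findings% }"
    [ -z "$findings" ]    # exit status 0 only when the page is clean
}

# Constructed sample <head> sections (not captured from a real site).
SAMPLE_LEAKY='<head>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://example.net/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://example.net/wp-includes/wlwmanifest.xml" />
<link rel="alternate" type="application/rss+xml" href="http://example.com/feed/" />
</head>'
SAMPLE_CLEAN='<head>
<link rel="alternate" type="application/rss+xml" href="http://example.com/feed/" />
</head>'

printf '%s\n' "$SAMPLE_LEAKY" | check_public_html example.net || echo "  <- still exposed"
printf '%s\n' "$SAMPLE_CLEAN" | check_public_html example.net && echo "clean"
```

Against a live install, pipe the fetched front page into check_public_html instead of the samples.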
wp-cache
WP-Cache is an amazingly useful tool that gave me the screaming willies when i was trying to install it.
No, don't set the wp-content directory and files to allow your webserver read/write access. That's how you screw yourself because it means that anyone who cracks your server's code has access to install or change pretty much anything. No, a far better technique is to just install things by hand: remove the "is_writeable($dir)" and "is_writable($wp_cache_config_file)" checks from wp_cache.php:wp_cache_verify_config_file(), then copy the sample config to wp-content/wp-cache-config.php and make the appropriate changes in there.
Mind you, such things as options REALLY belong in the wp_options MySQL table instead of a process writable config file, but that's another rant for another day.
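To check that a hand-copied install really left nothing for the web server to modify, audit the tree by owner and mode bits. This is an added example, not from the original post; the function names and the sample tree (including plugins/example.php) are constructed, and the web server user and group are site-specific values you pass in.

```shell
#!/bin/sh
# Added example. Lists every path under $1 that the web server account can modify.
# $2/$3 = user and group the web server runs as (names or numeric ids; site-specific).
audit_web_writable() {
    ( cd "$1" && find . ! -type l \( \
          \( -user  "$2" -perm -200 \) \
       -o \( -group "$3" -perm -020 \) \
       -o -perm -002 \
      \) -print | sort )
}

# Constructed sample tree: a hand-copied install whose config was left world-writable.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/plugins"
    : > "$t/wp-content/plugins/example.php"
    : > "$t/wp-content/wp-cache-config.php"
    chmod 755 "$t" "$t/wp-content" "$t/wp-content/plugins"
    chmod 644 "$t/wp-content/plugins/example.php"
    chmod 666 "$t/wp-content/wp-cache-config.php"
    printf '%s' "$t"
}

tree=$(make_sample_tree)
# Files owned by a deploy account, web server is someone else:
# only the 666 config file is reported.
audit_web_writable "$tree" "$(( $(id -u) + 1 ))" "$(( $(id -g) + 1 ))"
# Web server owns the tree (the setup the post warns against):
# every directory and file is reported.
audit_web_writable "$tree" "$(id -u)" "$(id -g)"
rm -rf "$tree"
```

Empty output means the web server account cannot change anything under the tree. Only owner, group and mode bits are examined; ACLs and supplementary group memberships are not.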
Of course, i still had to make minor tweaks to core files to fix silly things like adding appropriate challenges and various robot killers, as well as not including the database password into an accessible function call, as well as wrap all user provided content calls with proper sanitizers, but most of those could go into the plugin too.
So, with much screaming and angry cries to a malevolent god, i did manage to get a (hopefully, reasonably) secure installation. Of course now, i get to live in dread of finding out that i didn't batten things down anywhere near as tightly as i should have.
And thus will begin a new unwanted learning experience.
Callous: We were frequently reminded of that, however we had extenuating circumstances and requirements that prevented us from using that solution. (Yeah, that's it.)
Shep: The layout and graphics are products of the genius that is Ernie.
Actually, now that I think about it, I'm a little surprised the public-facing side would be running Wordpress in any fashion.
This is where I start down the road to crazy-talk involving databases and transforms, so maybe I'll just be quiet now. I do see you get a lot of stuff for free(*) in basing off Wordpress.
(*) Free does not include all the work you've had to do.
(Oh yeah, and you have pretty much shamed me into altering the way my plugin works. I knew it was a hack, I didn't know anybody cared.)
For all my kvetching, I like Wordpress a lot. The other option available to us is Movable Type, but it has its own issues as does Drupal and a bunch of others. Provided you run the WP-Cache plugin, Wordpress does a pretty good job of letting you build and publish pages with minimal CPU fray.
There's also WordPress Super-Cache which you might find useful.
I kinda know the developer of that and WordPress-MU.
You know, you could have just had Y! Small Business Hosting set you up with an account. Hoo yeah, then allllllll your problems are just memories. Uh huh.
Thanks, though, this is interesting stuff. I normally try to stay away from the inside of Wordpress as much as possible, but it's interesting to see what you've done for an inter/intra split system.