Category archive: WordPress (16 posts)

Now hopefully UN-hacked

Posted by Jer Clarke on May 12, 2009 · WordPress

So this site was ironically hacked and hijacked by blackhat SEO spammers who inserted a ton of bullshit viagra/homeloan/sex links into my theme in the hopes that it would illegitimately raise their ranking in Google. Of course that’s not inherently ironic, what’s ironic is that it happened while I was at WordCamp Toronto, a mini-conference about all things WordPress, where I gave a talk that included a long section about how to avoid and deal with being hacked in just this way for just these reasons. Some part of me thinks that someone at WordCamp might have done it to show me who’s boss, but I doubt it, the pattern of spam links is just too depressing and business-like to assume anything but an impersonal bot did the damage.

This has happened to other sites I’ve been managing (specifically to Global Voices over the years), and I’ve learned a lot about hardening your server and WordPress installation to help solve the problem. The #1 piece of advice is of course KEEP YOUR WORDPRESS INSTALLATION UP TO DATE, NO MATTER WHAT. In the case of this, my personal site (as opposed to sites I manage professionally, which I deal with much more carefully, because they are more important), I was doing a halfway version of this by keeping my very old but theoretically still secure copy of WP 2.0.x up to date. This is the legacy branch (the current actual branch is 2.7.x) that was supposed to offer long-term security support, but it seems that is no longer the case. I loved having the bragging rights of being the only person in a room with even 100 WordPress users who had such an old but still secure version (well, except David Peralty), but obviously staying secure is much more important.

If you’re still running 2.0.11 I strongly recommend you give up and get on the normal upgrade schedule now, it seems to have been compromised.

Full details of how to clean up a hacked site below:
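The injected links described above are usually hidden from human visitors (off-screen or `display:none`) so they survive longer, which is also what makes them easy to find mechanically. The script below is an added example, not part of the original post: it walks a theme directory and flags files containing patterns typical of SEO-spam injections and of the obfuscated PHP droppers that often accompany them. The directory path, the pattern list and the `jcx_` function names are assumptions for illustration, not anything WordPress ships.

```php
<?php
// Added example, not the post's own code. Scans theme/plugin files for
// hallmarks of injected SEO spam. Patterns and paths are assumptions.

/**
 * Return a list of labels for every suspicious pattern found in one file.
 */
function jcx_scan_file_for_spam($path) {
    $hits = array();
    $src = file_get_contents($path);
    if ($src === false) {
        return $hits;
    }
    $patterns = array(
        // A display:none container that wraps a link: classic hidden link block.
        'hidden link block' => '/display\s*:\s*none[^>]*>.*?<a\s/is',
        // Links pushed far off-screen with absolute positioning.
        'offscreen block'   => '/(left|top)\s*:\s*-\d{4,}px/i',
        // eval() over an encoded payload: typical of dropped backdoors.
        'obfuscated eval'   => '/eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(/i',
        // The spam vocabulary the post mentions.
        'known spam terms'  => '/\b(viagra|cialis|home\s*loans?)\b/i',
    );
    foreach ($patterns as $label => $re) {
        if (preg_match($re, $src)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

/**
 * Recursively scan a directory; returns array(path => array(labels)).
 */
function jcx_scan_theme_dir($dir) {
    $report = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        // Only text-bearing file types; images and fonts are skipped.
        if (!preg_match('/\.(php|js|html?|css|txt)$/i', $file->getFilename())) {
            continue;
        }
        $hits = jcx_scan_file_for_spam($file->getPathname());
        if ($hits) {
            $report[$file->getPathname()] = $hits;
        }
    }
    return $report;
}

// Usage: php scan.php /path/to/wp-content/themes
if (PHP_SAPI === 'cli') {
    $dir = isset($argv[1]) ? $argv[1] : 'wp-content/themes';
    $report = jcx_scan_theme_dir($dir);
    foreach ($report as $path => $hits) {
        echo $path, ': ', implode(', ', $hits), "\n";
    }
    exit($report ? 1 : 0);  // non-zero exit makes it usable from cron
}
```

A pattern scan only finds what it is told to look for. Pair it with a diff against a pristine copy of the same theme and WordPress version (`diff -r` of the extracted release against the live tree), look in `wp-content/uploads` for any `.php` file at all, and after cleaning rotate every password and secret key, since whatever planted the links may have copied them.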


I’ll be speaking at WordCamp Toronto

Posted by Jer Clarke on April 11, 2009 · General · WordPress

I nagged them early enough and got a slot to speak at WordCamp Toronto in May. I’ve had amazing times at the last two WordCamps I attended (San Francisco and New York, I missed the Toronto one last year) talking to people about my favorite web software and shooting the shit about all the little things the rest of the world doesn’t understand.

If you haven’t been and are a blogger/developer in the area you should check it out. If you’re in Montreal there will also be WordCamp Montreal in June but that’s pretty far off and we haven’t come up with many of the details yet. Not sure if I’ll be speaking in Montreal as well but it’s pretty likely ;)

Adding Dashboard Widgets to WordPress 2.7 Using Plugins

Posted by Jer Clarke on January 22, 2009 · WordPress

As you can guess by the title this is another incredibly technical and specific article that’s really only of interest to WordPress developers like myself. Friends and family: please amuse yourself with this instead :)

So onto Dashboard Widgets (also referred to as “Dashboard Modules” in at least one place, though the WP code calls them Widgets so I’ll stick with that).

I wanted to add a little box to the dashboard with the currently logged-in user’s avatar and a few links to things they might want quickly. Since WP 2.7 made the dashboard super configurable (you can show/hide different sections and drag them around to reorder them) I figured that there would be some documentation on how to add new ones using plugins. Unfortunately it turned out that not only was there no page on the WordPress Codex to explain the process, but the dashboard code itself (found in /wp-admin/includes/dashboard.php) was completely uncommented and confusing as hell. Since I spent the day figuring the whole API out I decided to write up a nice Codex page so the next person would have it easier: Voila.

At that link you’ll find an explanation of the function and hook you’ll need to use to add dashboard widgets using plugin (or functions.php in your theme) code. The process is pretty similar to adding sub-pages to the admin section if you’re familiar with that.

Some lessons I picked up along the way:

  • The dashboard API needs some serious work. I might take a whack at it at some point when I’m bored but hopefully it will get cleared up eventually, especially the missing PHPDoc comments
  • Right now it’s pretty much impossible to easily or effectively push your sorting preferences onto the default Dashboard Widgets. In the codex article I give an example of how to get your widget to the top of the list for people who have never sorted their widgets, but there’s no easy way to add your widget and say “make all users see this at the top of their screen unless they drag it to a different spot”. This fact is pretty annoying as blogs with many users are likely to have a lot of people who never even see the new widget because there are too many default widgets above it pushing it below the fold.
  • I did figure out a way to force your widget to the top of the page but it had the unfortunate side effect of making it trapped there forever regardless of users dragging it around. I don’t recommend this method for publicly distributed plugins (as it will confuse and frustrate users that the dragging is broken) but you can see the code here (link, apologies if it stops working at some point).
  • This one is a bit obvious, but writing a Codex article (or any documentation really) is very very useful for acquainting yourself with something. I know more about this process than I would have if I’d just followed the instructions someone else wrote (I also know more about what needs fixing!). Lesson: When the docs are missing don’t just hack around till you have a half-baked solution, look through the source and figure out the best solution and share it with the world by adding to the docs yourself.
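The following plugin is an added example of the process the post describes, not the post’s own code or the Codex article’s: it registers a widget showing the current user’s avatar and a few quick links through the core `wp_add_dashboard_widget()` function on the `wp_dashboard_setup` hook, and moves it to the front of the default order for users who have never rearranged their dashboard (the non-trapping variant). The `jcx_` names are assumptions; `esc_html()`/`esc_url()` are the escaping helpers introduced in WP 2.8, so on 2.7 substitute `wp_specialchars()`/`clean_url()`.

```php
<?php
/*
Plugin Name: Quick Links Dashboard Widget (added example)
Description: Shows the logged-in user's avatar and a few admin links.
*/

// Output callback: everything printed here ends up inside the widget box.
function jcx_dashboard_widget_content() {
    $user = wp_get_current_user();
    echo '<div style="overflow:hidden">';
    echo get_avatar($user->ID, 64);  // core WP helper, 2.5+
    // Escape anything that came from the database before echoing it.
    echo '<p>Logged in as <strong>' . esc_html($user->display_name) . '</strong></p>';
    echo '<ul>';
    echo '<li><a href="' . esc_url(admin_url('post-new.php')) . '">Write a new post</a></li>';
    echo '<li><a href="' . esc_url(admin_url('profile.php')) . '">Edit your profile</a></li>';
    // Only show moderation to users who are allowed to do it.
    if (current_user_can('moderate_comments')) {
        echo '<li><a href="' . esc_url(admin_url('edit-comments.php')) . '">Moderate comments</a></li>';
    }
    echo '</ul></div>';
}

// Runs when the dashboard is being assembled, after core registers its widgets.
function jcx_register_dashboard_widget() {
    // Arguments: widget id, box title, output callback.
    wp_add_dashboard_widget('jcx_quick_links', 'Quick Links', 'jcx_dashboard_widget_content');

    // Core appends new widgets to the end of the 'normal' column's 'core'
    // group. Re-keying that array puts ours first for anyone with no saved
    // order; users who have dragged widgets keep their own per-user order,
    // so the widget is not trapped in place.
    global $wp_meta_boxes;
    $core = $wp_meta_boxes['dashboard']['normal']['core'];
    if (isset($core['jcx_quick_links'])) {
        $ours = array('jcx_quick_links' => $core['jcx_quick_links']);
        unset($core['jcx_quick_links']);
        $wp_meta_boxes['dashboard']['normal']['core'] = array_merge($ours, $core);
    }
}
add_action('wp_dashboard_setup', 'jcx_register_dashboard_widget');
```

Drop the file into `wp-content/plugins/` (or paste the two functions into a theme’s `functions.php`) and activate it. The capability check on the moderation link matters more than it looks: a dashboard widget is rendered for every user who can log in, so anything it shows or links to should be gated the same way the admin pages themselves are.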

Keeping your server alive with Monit

Posted by Jer Clarke on November 29, 2008 · General · GlobalVoices · WordPress

NOTE: This is super web/development/sysadmin stuff, casual non website people should probably check this instead

Lately GV has been pretty out of control and our server has been crashing way too regularly due to too many visitors or bots. I’ve been working to find all the little holes in the Apache/PHP/MySQL configurations that are causing the crashes when load gets high, but it’s impossible while you’re constantly putting out fires and restarting the servers manually.

I’ve been having frustrating fun with a tool called Monit that helps stop your server from completely crashing by watching its system stats and selectively restarting processes or executing whatever command you want. It installs pretty easily on Linux servers (I think it’s in both Yum for CentOS/RH and in apt for Debian/Ubuntu) and it uses text files similar to Apache’s to set up different status conditions and what to do. The configuration took me a while to get right, but once the percentages were tuned based on watching it for a while it has kept the server from crashing even once for more than a minute despite some record traffic related to our Mumbai coverage. If it weren’t for Monit I’d probably still be getting calls in the middle of the night saying the site was down.

You still need to find the bugs in your server configuration, or move to more powerful hardware (what we’re doing), but even if it’s annoying that Apache needs to be restarted every few minutes in order to not crash the server, it’s better than having it crash randomly when you’re not around. While you’re still tuning the system, you can have it email you based on certain conditions, so you can see how often a certain status is reached and determine whether a restart is necessary. The manual explains the functions pretty well and isn’t too long.

My advice if you’re setting it up

Setting the reset/exec levels

If you’re setting it up for the first time and you’re not having any problems at the moment you should be careful not to set the percentages too high, or the server might crash before it gets that bad. I was giving a Memory/RAM max around 80%, but the remaining 20% didn’t seem to be enough to save the server; it was already too late. Here are my settings for our Apache webserver:

check system
if loadavg (1min) > 5 for 2 cycles then exec "/etc/init.d/httpd restart"
if loadavg (1min) > 7 for 1 cycles then exec "/etc/init.d/httpd restart"
if memory usage > 65% for 3 cycles then exec "/etc/init.d/httpd restart"
if memory usage > 75% then exec "/etc/init.d/httpd restart"

The ‘exec’ action is running the Apache restart command directly, which will clear out all Apache processes and restart them, freeing up RAM temporarily. I’m also running two levels of load checking, which measures the strain on the CPU. Together these cover a lot of situations that result in crashes, and there are two versions of each, one for bad situations that have gone on for a while (“for 3 cycles” i.e. 3 minutes) and one for terrible situations that are seen even once (“for 1 cycles”, which is actually unnecessary to write).

You can actually also set up monitoring of specific processes like Apache or other servers, but it’s been a lot buggier (thinks the program’s not running when it is) for me than the raw server statistics, so use at your own risk.

Alternate Email Formatting for Monit

The default email format template that comes with Monit is pretty hard to read, to the point where it’s kind of maddening to receive messages from it. Luckily they offer a custom mail formatting API so you can make one that makes sense for you. The pieces they give you are a bit limiting but I worked out one that is very short and clear and should even work okay as an SMS:

set mail-format {
subject: [$ACTION] $EVENT on $SERVICE
message: $DESCRIPTION
- - - - - - - - - - - - - - - - - -
Action: [$ACTION] at $DATE from $HOST
}

Which sends you emails like:

[exec] Resource limit matched for
‘’ mem usage of 71.9% matches resource limit [mem usage>65.0%]
- - - - - - - - - - - - - - - - - -
Action: [exec] at Fri, 28 Nov 2008 19:35:22 -0500 from


Which I think is a lot better than the default. Any Monit users out there with a good format: I’d love to see what else you’ve come up with.
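To show how the resource checks above and the mail format fit together in one file, here is a complete added example `monitrc`; it is not the post’s configuration and not anything shipped with Monit. It assumes a Red Hat style `/etc/init.d/httpd` script, a local mail relay, and a placeholder alert address, and it adds the two things a practitioner usually wants next: an alert-only tier below each restart threshold (so you can watch how often a level is hit while still tuning, as the post suggests) and a process check that probes the HTTP port rather than trusting the pid file alone. `set daemon 60` is what makes one cycle equal one minute.

```monit
# Added example monitrc, not the post's own file. Paths, thresholds and the
# alert address are assumptions; tune them by watching the alerts first.

set daemon 60                      # one cycle = 60 s, so "for 3 cycles" = 3 min
set logfile syslog
set mailserver localhost
set alert admin@example.com        # placeholder address

# Keep Monit's built-in status page off the network: loopback only.
set httpd port 2812
    use address 127.0.0.1
    allow 127.0.0.1

# Readable mail format using the variables Monit documents:
# $EVENT $SERVICE $DATE $HOST $ACTION $DESCRIPTION
set mail-format {
  from: monit@$HOST
  subject: [$ACTION] $EVENT: $SERVICE
  message: $DESCRIPTION
           $ACTION at $DATE on $HOST
}

# Whole-host resources. The lower threshold of each pair only mails you; the
# higher ones restart Apache, which frees RAM and drops runaway workers.
check system $HOST
    if loadavg (1min) > 4 for 2 cycles then alert
    if loadavg (1min) > 5 for 2 cycles then exec "/etc/init.d/httpd restart"
    if loadavg (1min) > 7 then exec "/etc/init.d/httpd restart"
    if memory usage > 55% for 3 cycles then alert
    if memory usage > 65% for 3 cycles then exec "/etc/init.d/httpd restart"
    if memory usage > 75% then exec "/etc/init.d/httpd restart"

# Process check, the variant the post found flaky. The pid file tells Monit
# whether a process exists; the port probe tells it whether Apache actually
# answers, and "for 2 cycles" avoids restarting on a single slow response.
check process httpd with pidfile /var/run/httpd.pid
    start program = "/etc/init.d/httpd start"
    stop program  = "/etc/init.d/httpd stop"
    if failed host 127.0.0.1 port 80 protocol http for 2 cycles then restart
    if 5 restarts within 5 cycles then unmonitor
```

Run `monit -t` to syntax-check the file before reloading. The `unmonitor` line is the safety valve for a restart loop: if Apache dies five times in five minutes the problem is not load, and repeatedly bouncing it only hides that from whoever is on call.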

Speaking at Wordcamp San Francisco ’08

Posted by Jer Clarke on August 5, 2008 · General · GlobalVoices · WordPress

In a fit of shortsighted kindness, the organizers of Wordcamp San Francisco (a conference/unconference about my favorite headache, WordPress) have invited++ me to come and speak about Global Voices and how we use WordPress to do the crazy thing we do.

I’ve heard only great things about past Wordcamps (they’re all over the place, there’s one in Toronto in October and a New York one on the same day!), and I’m deeply honored to be able to represent Global Voices and all the amazing people that make it a reality at the SF meeting. I can’t think of anywhere I’d rather be, let alone be the one speaking.

If anyone is in the area and into WordPress you should check it out, if I know you and you’re from SF drop me a line, I’ll be in town for a few days.

Voices without Votes != splog

Posted by Jer Clarke on February 11, 2008 · General · GlobalVoices · WordPress

As part of my ongoing work for GlobalVoices, I recently designed and coded a GV-like site with the specific goal of covering foreign blog reactions to the 2008 U.S. presidential election, called Voices without Votes. The VwV site is a mix of original posts by GV authors about what people in other countries are saying about the elections and links to foreign posts about the elections along with the first ~50 words as a preview.

Despite what seems like a clearly good motivation and practice, some people have big issues with this, likening it to a pathetic practice called ‘splogging’ (spam blogging, wikipedia link). In the WordPress IRC channel (a chatroom, #wordpress on some guys got pretty upset about the idea and I had a debate with them about copyright and aggregation of blogs (aggregation means getting content from varied sources and showing them together). This resulted in ‘markr’ posting a lengthy critique of VwV’s aggregation practices on his blog, HERE.

Most of his arguments stem from misconceptions about VwV or about copyright law, but some are sincerely just expressions of his dictatorial attitude towards content. I left the response below as a comment on the post, but am reprinting it here for posterity and for those who read my blog and not his (note: his full response is viewable on his page, only the parts I wanted to respond to are below. Skipped parts are mostly him telling the story I told above).

WARNING: This isn’t for my casual readers. It’s long, detailed, political and there are absolutely no lolcats anywhere to be found.