Turn on Chrome Frame for Internet Explorer in WordPress (and bbPress)

Google is promoting their Chrome “frame” enhancement for Internet Explorer users that allows people to stay with the IE interface but run the much faster and safer Chrome browser inside it.

However ChromeFrame has to be turned on for each website they visit.

To turn it on in WordPress and bbPress you should be able to add this single line as a mini-plugin, or in header.php or even in functions.php.

<?php if (strpos($_SERVER['HTTP_USER_AGENT'],"chromeframe")) {header("X-UA-Compatible: chrome=1");} ?>

Update: the above will not work, apparently Chrome needs it to be a META tag and not in the page headers – thanks Matt

If you want to just put it in header.php use this (before </head>)

if (strpos($_SERVER['HTTP_USER_AGENT'],"chromeframe")) {echo '<meta http-equiv="X-UA-Compatible" content="chrome=1" />'}

If you want it to be a real plugin, use this:

<?php
add_action('bb_head','chromeframe');
add_action('wp_head','chromeframe');
function chromeframe() {
if (strpos($_SERVER['HTTP_USER_AGENT'],"chromeframe")) {echo '<meta http-equiv="X-UA-Compatible" content="chrome=1" />';}
}
?>

Here comes PHP 5.3.1

As excited as I was to see the performance benchmarks for PHP 5.3.0
I am glad I resisted temptation and waited a little bit longer.

PHP 5.3.1 is right around the corner, here’s the forthcoming RC1 announcement for August 13th (next Thursday) http://news.php.net/php.internals/45230
(and note “a final release by the end of August”)

and here is an evergrowing list of fixes that will be included:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/NEWS

Now I just need to make sure eaccelerator is up to speed on 5.3

Firefox 3.5 finally supports DEFER on javascript

I was pleased to discover that after a mere 9 years
that Mozilla/Firefox finally supports defer on javascript.

Yup, 9 years, I couldn’t believe the time either, see for yourself:
http://bugzilla.mozilla.org/show_bug.cgi?id=28293

What this means is that Firefox finally has a feature
that Internet Explorer has had since version 4 (1997)
(it was made a standard by W3C HTML 4.01 in December 1999)

This means you should be doing this now on all your javascript, inline and external loading:
<script defer="defer" type="text/javascript" ...
(the repeat of the word is simply because of modern validation standards, without it the validation nutters have conniptions)

This causes the script to delay executing until the page is loaded. In some cases the script is also delayed in loading. The short answer is it will make your page seem to load faster for your visitors.

The only time you can’t use DEFER is when you are relying on javascript to inject something inline in your page, ie.
<script defer="defer" type="text/javascript" >
document.write('hello');
</script>
world
will NOT show “hello world” but rather “world hello“.
(if you removed the DEFER it would show “hello world” as expected)

I still don’t know what the status of webkit/safari/chrome is on DEFER or Opera for that matter, much more googling required.

hey Matt, turn wordpress.com credits into donation system?

I was looking at the new tipjoy.com startup for twitter and I kind of like their idea. Turn the massive twitter userbase into a massive micro-payment system. They recently got $1 million in funding.

Micro-payment systems often fail but that’s because they never get critical mass. Twitter won’t have that problem. You don’t even need a Twitter account to have a TipJoy account, ie. http://tipjoy.com/u/ck

So I remembered that WordPress.com has had a credit system in place for a long time now to buy premium upgrades. You can even give the credits to someone else I believe as a gift. So why not take that a step further as allow it to be used to donate to anyone for any reason?

One you have enough credits, you could cash out via amazon gift card by email (instant, any amount over $5) or PayPal. PayPal stopped TipJoy from using them to fund accounts (basically it’s fear of competition) but you can still cash out via PayPal, they won’t stop that.

This way WordPress.com can help theme and plugin developers get a few dollars. You could even allow fractions of credits so if someone wants to donate 10 cents, it’s possible. I think wp.com has enough members to also get past that critical mass problem. If a thousand people gave 10 cents to a plugin developer, that starts to add up. It’s certainly more than I get now!

WordPress still uses the nasty SQL_CALC_FOUND_ROWS

We’ve known for over two whole years now that SQL_CALC_FOUND_ROWS did nasty things in bbPress 0.8

It was fixed by mdawaffe (Michael) after discovering how SQL_CALC_FOUND_ROWS caused an overload on the Automattic wordpress.org forum servers due to a MySQL bug.

But to this very day, it’s still used in all WordPress versions, up to and including 2.8.2

(Even more ironic, now that bbPress 1.0 has switched to the backPress core which is based on WordPress, SQL_CALC_FOUND_ROWS is back inside bbPress, though it works around the bug)

SQL_CALC_FOUND_ROWS is typically three times slower than using COUNT() on the same query without LIMIT and ORDER restrictions.

I’ve seen at least one slow-log for MySQL that is FULL of SQL_CALC_FOUND_ROWS queries from a large WordPress installation on a dedicated server that took 11-15 seconds per query (and crashed MySQL, repeatedly).

Here is my quick & dirty patch to the WordPress (and BackPress) core that attempts to change SQL_CALC_FOUND_ROWS to the COUNT() workaround – it’s inside wp-includes/query.php – it’s tested working but not heavily tested so use with caution and let me know if you have improvements?

My changes are against the file from WP 2.5.1 but the file has barely changed since 2.5, even 2.8 is virtually the same so it should be easy to modify other versions.

There is one other use of SQL_CALC_FOUND_ROWS left in WordPress but it’s in the admin section so I am not going to worry about it for now.

More about the MySQL bug due to it’s poor optimization:
http://bugs.mysql.com/bug.php?id=18454 (cache)
http://bugs.mysql.com/bug.php?id=19553 (cache)
http://www.mysqlperformanceblog.com/2007/08/28/to-sql_calc_found_rows-or-not-to-sql_calc_found_rows/

Matt in a hat

I can’t decide if I like it or not, it definitely gives him a different style. (I like this one better)
Full article over here (they need to stop using “geek” and “nerd”, it’s so 1990).

Firefox 3.5 tampers with image colors by default

Tonight I was bothered that an image I was looking at in my browser looked washed out and when I loaded it into Irfanview to correct it and study it more closely, somehow it was already darker in Irfanview.

At first I started wondering if I accidentally turned on some kind of automatic option in Irfanview but then I remembered that Firefox 3.0 had image color correction added, but was off by default.

Sure enough Firefox 3.5 has color correction turned ON by default. Even for existing installs that simply upgraded, it apparently turns it back on all by itself.

So go to about:config and find
gfx.color_management.mode
and set it to 0 (zero)
problem solved.

every WordPress install vulnerable to new security hack

Remember the mysterious babloo/blyat attack that hit many blogs including xkcd and is continuing in the wild? Here’s how they did it:

coresecurity.com : WordPress Privileges Unchecked

It’s just mind boggling that the WordPress people:

1. knew about it since June 4th
2. took OVER A FULL MONTH to release a fix (June 4th – July 8th)
3. left ALL previous versions of WordPress flapping in the wind
4. there is no advisory as to how to manually patch existing installs

bbPress 1.0 is possibly affected by this vulnerability now that it uses the WP core
bbPress 0.9 might be immune

added 7/13

I don’t know if this is a reasonable security patch for existing WP installs but the logic seems to make sense to me so far. It might break plugins like subscribe-to-comments or anything else that interacts with regular users through the admin interface.

The problem seems to be this line in admin.php

include(ABSPATH . PLUGINDIR . "/$plugin_page");


Since there is not a natural, singular action before it to hook (it adds the plugin name) the file will have to be edited, and maybe add something like this BEFORE the above line:

if ( ! current_user_can('level_2') ) {
wp_die(__('You are not allowed here.'));
}


This only allows Authors and above to use plugins via the admin menu.

The WP legacy where regular members are allowed into the admin area, but with reduced privileges, has always been very messy. And this is (yet another time) where it’s coming to haunt WP adopters. The good news is at least bbPress learned from the mistake and does it differently.

babloo/blyat spammer attack on many WordPress blogs

I’ve learned recently that a number of WordPress powered blogs (including xkcd) were hit by some kind of spammer attack (bablooO aka babloo-O).

It injected many spam links into the database before the “read more” part of a post.

I am trying to figure out how this happened so it can be prevented from happening again, if it’s a plugin vulnerability or from WP’s xmlrpc.

So if anyone has more details please let me know. I do know it was not tied to any specific version, I have found the signature on WP 2.3 2.5 2.7 & 2.7.1

(sometimes the signature says “blyat” instead of “babloo”)

bbPress still deleted from Wikipedia

5/26 update: a noble group of folks have taken up the effort to restore and rebuild the page on wikipedia – I’ll leave this post for posterity…

bbPress is approaching 10,000 active installs and millions of users by my (heavily researched) estimation and yet it’s still deleted from Wikipedia. However BuddyPress which definitely has less than a thousand active installs, features it’s own page. Go figure.

Wikipedia has pages on ultra obscure fonts that aren’t even in use anymore from ancient Windows 3.1 applications, but a dedicated bbPress page is excessive to the editors?

wolfram alpha is not just hype, it’s amazing

From a programmer’s perspective this is the most amazing thing I have ever seen done on a PC:

http://www.wolframalpha.com/screencast/introducingwolframalpha.html

keep watching, even 5-10 minutes in, it just keeps getting more and more impressive…

(among other things it can casually compute fluid dynamics, tell you where things are in space, mix colors, weather for any location at any time in history, whoa it’s staggering)

Swine Flu 2009 Epidemic Map on Google

Apparently USA media outlets are neglecting to include the word “emergency” from the World Health Organization’s press release about the spread of Swine Flu.

I guess check this daily and decide for yourself how bad it is:

swine flu map on google maps (replaced with better map 5/2)

ps. Tamiflu can pretty much stop it from having symptoms more than a cold but a full treatment costs $100 plus a doctor’s office visit to get the prescription, so good luck to those without insurance like me… btw in India it’s only $60 and they have a generic version coming out for $30 but you won’t likely see it in the USA because corporations need their profits no matter how ill you are