making bbPress (and WordPress) work better!

WP development

To Save the Future of WordPress, Steal This Idea…

A Little History…

Nearly 13 years ago, Michel Valdrighi quietly added some code to his
program which unknowingly was to become one of WordPress’s greatest abilities:

That code commit back in October 2002 contains a single note: “now with b2_filter support !” – perhaps the exclamation point exposing a little thrill that this was something new and exciting, but I have to wonder if he could actually imagine what it really meant for the future.

In fact with the addition of those functions “add_filter/apply_filters” one can begin to easily recognize some of the oldest source code as WordPress itself, compared to earlier versions.

has 2200 servers

500 of them are just for MySQL with 500 million tables. More here:

undocumented Plugin API for plugin authors

Did you know you can get info about plugins in’s extend section in json or xml format? Virtually all the info about the plugin is available in machine readable format.

It’s as simple as adding the plugin’s stub name to the end of this url like so:

php serialize:

You can request partial info or info on multiple plugins via the full API, which is not documented anywhere except this message from last year:

PHP code example:

It was written by DD32 (aka Dion Hulse)

Missing from version 1.0 API are a few finer details like “downloads yesterday” & “last week” but that can always be derived from the graph data like so:

Graphing was just added to the side but the full API does not appear to be available (yet).

every WordPress install vulnerable to new security hack

Remember the mysterious babloo/blyat attack that hit many blogs including xkcd and is continuing in the wild? Here’s how they did it: : WordPress Privileges Unchecked

It’s just mind boggling that the WordPress people:

1. knew about it since June 4th
2. took OVER A FULL MONTH to release a fix (June 4th – July 8th)
3. left ALL previous versions of WordPress flapping in the wind
4. issued no advisory on how to manually patch existing installs

bbPress 1.0 is possibly affected by this vulnerability now that it uses the WP core
bbPress 0.9 might be immune

added 7/13

I don’t know if this is a reasonable security patch for existing WP installs but the logic seems to make sense to me so far. It might break plugins like subscribe-to-comments or anything else that interacts with regular users through the admin interface.

The problem seems to be this line in admin.php

include(ABSPATH . PLUGINDIR . "/$plugin_page");

Since there is no natural, singular action hooked before it (the action names include the plugin page name), the file itself will have to be edited; add something like this BEFORE the above line:

if ( ! current_user_can('level_2') ) {
    wp_die(__('You are not allowed here.'));
}

This only allows Authors and above to use plugins via the admin menu.
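To make the shape of the fix clearer, here is an added example (mine, not the patch above and not WordPress core code) that puts the unchecked include beside a hardened version. Beyond the capability gate from the patch, the hardened version only includes pages that a plugin actually registered, using the capability that page was registered with. It assumes a WordPress environment (ABSPATH, PLUGINDIR, current_user_can, wp_die) and a hypothetical $registered_pages map standing in for what the add_menu_page/add_submenu_page calls would have recorded.

```php
<?php
// Added example (not the post's patch and not WordPress core): the unchecked
// include pattern beside a hardened replacement. Assumed: ABSPATH, PLUGINDIR,
// current_user_can() and wp_die() from WordPress; $plugin_page is the page
// name taken from the request; $registered_pages is a hypothetical map of
// 'page-name' => capability that mirrors what the menu registration recorded.

// BEFORE: whatever page name arrives in the request gets included, and nothing
// asks whether the current user may use plugin admin pages at all.
function load_plugin_page_unchecked( $plugin_page ) {
    include( ABSPATH . PLUGINDIR . "/$plugin_page" );
}

// AFTER: deny before including anything.
function load_plugin_page_checked( $plugin_page, array $registered_pages ) {
    // 1. Coarse gate, as in the post's patch: Authors (level_2) and above only.
    if ( ! current_user_can( 'level_2' ) ) {
        wp_die( __( 'You are not allowed here.' ) );
    }

    // 2. Only pages a plugin registered are eligible; an unknown name is
    //    refused instead of being turned into a file path.
    if ( ! isset( $registered_pages[ $plugin_page ] ) ) {
        wp_die( __( 'Unknown plugin page.' ) );
    }

    // 3. Per-page capability: the one the plugin asked for when registering,
    //    so an 'edit_posts' user cannot open a page meant for 'manage_options'.
    if ( ! current_user_can( $registered_pages[ $plugin_page ] ) ) {
        wp_die( __( 'You are not allowed here.' ) );
    }

    include( ABSPATH . PLUGINDIR . "/$plugin_page" );
}

// Constructed sample registration, as a plugin's add_menu_page() would record it.
$registered_pages = array(
    'subscribe-to-comments/options.php' => 'manage_options',
    'some-plugin/editor-tools.php'      => 'edit_posts',
);
```

The point of step 3 is that the blanket level_2 check in the patch is only a stopgap: the real fix is to enforce the capability each page declared, which is what the menu registration already knows.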

The WP legacy where regular members are allowed into the admin area, but with reduced privileges, has always been very messy. And this is (yet another time) where it’s coming to haunt WP adopters. The good news is at least bbPress learned from the mistake and does it differently.

WordPress 2.8 might break login compatibility (again)

Remember how they changed the login cookie in WordPress 2.5 ?

Then they realized they got the security model wrong so they changed it again in 2.6 causing more backward compatibility problems. (then they finally added HttpOnly in 2.7)

So since it’s all working/stable now, guess what, they are tampering with it again:

simple WordPress and bbPress security plugin to block long requests

I opened a WordPress security ticket today with something that’s been bothering me for a while – Apache will take long URL queries up to 8k (8192) characters in length but it’s completely unnecessary and allows XSS exploits to get into WordPress and bbPress. Why not block them entirely with this scrap of a plugin (save as “_block_long_queries.php” without the quotes but with the leading underscore so it loads as early as possible and doesn’t need activation – also can’t be easily deactivated by hackers)
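The plugin itself didn’t survive on this page, so here is an added example of the same idea, written by me rather than taken from the post. It refuses any request whose request line or query string exceeds a limit and answers with HTTP 414 before anything else runs. The 1024-character limit and the blq_ function names are my assumptions; on WordPress 2.5 or later, wp-content/mu-plugins loads it without activation, and bbPress auto-loads my-plugins files with a leading underscore as the post describes.

```php
<?php
/*
Plugin Name: Block Long Queries (added example)
Description: Added example for the idea in the post above, not the author's
plugin. WordPress: wp-content/mu-plugins/_block_long_queries.php.
bbPress: my-plugins/_block_long_queries.php (underscore = auto-load).
*/

// Assumption: 1024 characters is generous for any legitimate WordPress or
// bbPress URL; raise it if a plugin of yours builds longer admin URLs.
if ( ! defined( 'BLQ_MAX_QUERY_LENGTH' ) ) {
    define( 'BLQ_MAX_QUERY_LENGTH', 1024 );
}

// Pure decision function: true when the request should be refused.
// Both the raw request line and the query string are checked, because with
// "pretty" permalinks the payload can sit in the path rather than after '?'.
function blq_request_too_long( $request_uri, $query_string, $max = BLQ_MAX_QUERY_LENGTH ) {
    return strlen( (string) $request_uri ) > $max
        || strlen( (string) $query_string ) > $max;
}

function blq_block_long_request() {
    $uri   = isset( $_SERVER['REQUEST_URI'] )  ? $_SERVER['REQUEST_URI']  : '';
    $query = isset( $_SERVER['QUERY_STRING'] ) ? $_SERVER['QUERY_STRING'] : '';
    if ( ! blq_request_too_long( $uri, $query ) ) {
        return;
    }
    // Leave a trace in the PHP error log: length and source only, never the
    // payload itself, so the log cannot become a second injection point.
    $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( 'blq: refused ' . strlen( $uri ) . '-byte request from ' . $addr );

    // 414 is the HTTP status for "Request-URI Too Long". Sent before any
    // output, and exit() stops the rest of WordPress/bbPress from loading.
    header( 'HTTP/1.1 414 Request-URI Too Long' );
    header( 'Content-Type: text/plain; charset=utf-8' );
    exit( 'Request too long.' );
}

blq_block_long_request();
```

Because it runs at load time rather than on a hook, it fires before any other plugin or the theme can see the request, which is the property the post wants from the leading underscore.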

stuff I would have wanted to see at WordCamp SF 2008

Apparently they crammed it all into one day this year and the tech stuff was held separately (downstairs) from the general stuff (don’t want those devs and general users to mingle, ruh roh!)

I don’t fly so I was hoping for some audio or video recordings. I found a live video feed from some bloggers upstairs but nothing downstairs (at least not that I could find). I need to hunt down the slideshows for Crazyhorse, BuddyPress, Nginx etc. Finding a schedule of the tech stuff would probably be a good start, I found one for the general stuff upstairs but not downstairs. ZDnet covered only the non-dev side, but in detail.

Was there *no* bbPress presentation this year at WordCamp? Really?
Twitter went insane with WordCamp stuff!
added: some really good notes from Jeremy Person

(Yet Another) Article About Matt Mullenweg

Another interesting newspaper article about WordPress’s founder Matt Mullenweg from last week that I missed. I can never get over how young he is, it’s impressive. Unfortunately no mention of bbPress or TalkPress in this article however. There was another one from another paper from earlier in the year if you missed it.
Check out the patches on the coat arms, cute – lol!

Proposed New Features For WordPress 2.7

During an informal, public IRC meeting attended by Matt, this list was derived and voted on (the iii’s are votes – people could vote against so that reduced the tally)

iiiiii - Comments API
iiiii - keyboard shortcuts for comment moderation
iiii - remove old/unused code
iiii - theme update api, like we do for plugins
iiii - some default shortcodes, maybe the most popular 10 from
iii - dashboard and write box rearranging
iii - one-click plugin installs
iii - oEmbed support, tied in with shortcodes
iii - admin-only reply thing, for admin replies to comments
iii - better UI for post revisions, maybe an optional field to say what changed in a version
iii - core updating
ii - OAuth support
ii - a frame-like method for moderating ping/trackbacks
ii - GeoData for posts, comments, attachments, etc.
ii - Duplicate post Tags UI for other taxonomies (6387)
ii - SWFUploader make it work with Flash 10
ii - template tags to do everything the custom gallery on does
ii - plugin browser embedded
ii - codepress code highlighting for template editing
ii - php xref hosted on
ii - tag intersections, all posts that have tag x AND y
ii - menu editor

bbPress presentation at WordCamp UK 2008?

For my UK mates, WordCamp UK 2008 is coming up next Saturday and Sunday 19-20 July 2008 at The Studio in Birmingham.

(42 out of 100 tickets have been sold as of yesterday, so it’s bound to sell out)

I’d love to hear any recordings (video or just audio) of the more technical sessions and of course Sam’s presentation on bbPress

ps. check out Sam’s impressive WP crests!

WordPress 2.5 slated for March 10th – really?

Apparently they are quite serious about rushing out WordPress 2.5 by March 10th – just three weeks away. I am suspicious of the 2.4 version number jump and how freaked out people are going to be over the color/style changes in the admin menu (which seem rather harsh to my eyes). Also, Matt stated in the #wordpress channel that people should not mind scrolling down two pages to change the slug or date on a post – they are getting rid of the sidebar.

Fortunately the sidebar can be hacked back in fairly easily. Not so much the old colors. I suspect someone will give it a try though. Admin plugins still seem to work fine with 2.5 however.

Oh there are also currently 500 open tickets for WP 2.5 – most of which will probably be swept under the rug for 2.6 I guess.

bbPress is going to get way out of sync with the 2.5 release. I want to encourage them to release the alpha trunk build 1075 as 0.8.5 to kinda match the numbering and also because of the password cookie change.

The Vertical Nature of WordPress 2.5 Can Be Changed

Some people are concerned about how vertical all the options have become in WordPress 2.5 under “write post” etc.

With just 10 minutes of hacking I was able to use jquery.ui to make all the options draggable from the main area to the sidebar (and back) as well as change the order.

Once 2.5 hits a release candidate stage I’ll post the changes as a diff for anyone that wants it.

Why does ANY information need to be sent to the WP servers?

With the 2.3 fiasco over sending a list of all plugins being used and blog url to the WP servers, I can’t understand why they didn’t do this more intelligently?

If there was a mini-downloadable database of all the current version numbers, a blog would NOT have to send ANY information at all.

It’s a far better technique too, where the server only has to do the work once to compile the mini-database and the client-side does all the work comparing version numbers.

Then the DB is assigned a version number (build #) to itself and you only download the new DB when it’s a major build number change.

Completely passive technique and no “privacy” violations of any kind.

IMHO, easier to code too.
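Here is an added sketch of the passive check proposed above, written by me and not taken from WordPress (which does send plugin data to its servers). The manifest format is an assumption: a JSON document with a build number and a map of plugin slug to latest version. The only network activity would be fetching that manifest when its build number has moved; the comparison itself happens entirely on the blog.

```php
<?php
// Added example of the client-side version check described in the post;
// not WordPress code. Assumed manifest format (my own):
//   {"build": 42, "plugins": {"slug": "latest-version", ...}}

// Parse the manifest; null if it is not usable.
function uc_load_manifest( $json ) {
    $data = json_decode( $json, true );
    if ( ! is_array( $data ) || ! isset( $data['build'], $data['plugins'] ) ) {
        return null;
    }
    return $data;
}

// The only thing the blog needs from the server before deciding to download:
// has the manifest's build number moved past the one already on disk?
function uc_manifest_is_stale( $local_build, $remote_build ) {
    return (int) $remote_build > (int) $local_build;
}

// Compare installed plugins against the manifest, entirely locally.
// $installed maps slug => installed version, which is what get_plugins()
// gives you. Plugins unknown to the directory are simply skipped.
function uc_outdated_plugins( array $installed, array $manifest ) {
    $outdated = array();
    foreach ( $installed as $slug => $version ) {
        if ( ! isset( $manifest['plugins'][ $slug ] ) ) {
            continue;
        }
        $latest = $manifest['plugins'][ $slug ];
        if ( version_compare( $version, $latest, '<' ) ) {
            $outdated[ $slug ] = array( 'installed' => $version, 'latest' => $latest );
        }
    }
    return $outdated;
}

// Constructed sample data: a cached manifest at build 41 and a fresh one at 42.
$cached_build  = 41;
$manifest_json = '{"build": 42, "plugins": {"akismet": "2.1.6", "subscribe-to-comments": "2.1"}}';
$installed     = array(
    'akismet'               => '2.1.4',
    'subscribe-to-comments' => '2.1',
    'my-private-plugin'     => '0.1',   // never leaves the machine, never reported
);

$manifest = uc_load_manifest( $manifest_json );
if ( $manifest && uc_manifest_is_stale( $cached_build, $manifest['build'] ) ) {
    print_r( uc_outdated_plugins( $installed, $manifest ) );
}
```

Note what the server never learns: which plugins are installed, including private ones, or which blog is asking. All it sees is a fetch of a public file.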

WordPress 2.3 beta in 30 days?

update: wtf? A few days after I start speculating on this, they announce 2.3 beta 1. This means they are ignoring hundreds of tickets. I guess that means they are sweeping them “under the rug” until 2.4 next year? Or will 2.4 beta become a December holiday gift? In any case, I figure I am waiting for 2.31 or 2.4 beta at this point.
————– original post follows…
I was looking at the WordPress roadmap in trac and apparently they’ve “committed” to a feature freeze for WP 2.3 on August 23rd. This should be interesting as 2.4 won’t be out this year so it represents the best WP will be for 2007. There are nearly 400 tickets open for it though, so they are either going to be ignoring or pushing many of the suggestions/requests to the next version…

I’ve been out of touch with WP development since 2.0 went alpha so I’ve got some catching up to do (been manually patching my installs for security issues).

Now to hunt down “what’s new” in 2.3 – I had to hack a lot of the core in 2.0 to make it do some of the things I really wanted but couldn’t wait for. Now my goal is zero core hacks in 2.3 and do every single mod via plugins so I can keep up with releases for security issues as well as new features.

So far all I know is that 2.3 will be 100% jQuery, even in the admin they have removed Prototype.js but I am sure there is much more to be found… are they doing comment pagination natively yet? I sure hope so…

WordPress WordCamp 2007 Videos!

I was fortunate to stumble across these fantastic video clips from this year’s WordCamp. I won’t likely be ever able to attend one of these in person so huge thanks to John Pozadzides who took the time and energy to make and post them!

I can’t say which one is the most interesting yet, but it’s fascinating to see the big names I’ve spotted among the code/plugins and respected for years now, i.e. Matt Mullenweg, Mark Jaquith, Donncha O Caoimh, Michael Adams and Andy Skelton. I’d like to see a few women on the team by 2010 though.

measuring WordPress performance

At some point you might get curious about how fast or slow WordPress is actually running, especially after a few strange reports that 2.0.4 is running slower.

I had tinkered with Jerome’s Query Diagnostics plugin: (at the bottom of the page)

but on the WordPress IRC I just learned about libertus’ interesting “performance probe” plugin which looks even more fascinating… (also see his other posts here and here)

added: apparently I can’t use his plugin (as many people on shared servers will discover) since my PHP was not compiled with the “--enable-memory-limit” configuration option – there is also a PHP function called memory_get_peak_usage() which might be helpful to some.
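For anyone in the same boat, here is an added example (mine, not Jerome’s or libertus’ plugin) of a minimal probe that needs neither --enable-memory-limit nor any patching: on shutdown it writes query count, elapsed time and peak memory for the request to the PHP error log, and, if SAVEQUERIES is defined in wp-config.php, the slowest query of the request. It assumes WordPress’s $wpdb, timer_stop() and the shutdown action; the rcp_ names are mine.

```php
<?php
/*
Plugin Name: Request Cost Probe (added example)
Description: Added example, not Jerome's or libertus' plugin. Logs queries,
time and peak memory per request. Does not need --enable-memory-limit.
*/

// Gather the numbers. memory_get_peak_usage() exists on PHP 5.2+ regardless
// of how PHP was compiled; timer_stop(0, 3) returns seconds since WordPress
// started (3 decimals) without echoing it.
function rcp_collect_stats() {
    global $wpdb;
    return array(
        'queries' => isset( $wpdb->num_queries ) ? (int) $wpdb->num_queries : 0,
        'seconds' => function_exists( 'timer_stop' ) ? (float) timer_stop( 0, 3 ) : 0.0,
        'peak_kb' => function_exists( 'memory_get_peak_usage' )
            ? (int) ( memory_get_peak_usage() / 1024 ) : -1,
    );
}

// With SAVEQUERIES defined, $wpdb->queries holds array( sql, seconds, caller )
// per query; return the slowest one or null.
function rcp_slowest_query() {
    global $wpdb;
    if ( ! defined( 'SAVEQUERIES' ) || ! SAVEQUERIES || empty( $wpdb->queries ) ) {
        return null;
    }
    $slowest = null;
    foreach ( $wpdb->queries as $q ) {
        if ( null === $slowest || $q[1] > $slowest[1] ) {
            $slowest = $q;
        }
    }
    return $slowest;
}

function rcp_format_stats( array $stats, $uri, $slowest = null ) {
    $line = sprintf( 'rcp: %s queries=%d time=%.3fs peak=%dKB',
        $uri, $stats['queries'], $stats['seconds'], $stats['peak_kb'] );
    if ( $slowest ) {
        // Collapse whitespace so the SQL stays on one log line.
        $sql   = preg_replace( '/\s+/', ' ', trim( $slowest[0] ) );
        $line .= sprintf( ' slowest=%.4fs [%s] via %s', $slowest[1], $sql, $slowest[2] );
    }
    return $line;
}

function rcp_log_request() {
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-';
    error_log( rcp_format_stats( rcp_collect_stats(), $uri, rcp_slowest_query() ) );
}

add_action( 'shutdown', 'rcp_log_request' );
```

Leave SAVEQUERIES off in normal operation; it keeps every query string in memory for the life of the request, which skews the very peak-memory figure you are trying to read.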

Be sure to see all the links on the right hand side on my main page here for more performance and development plugins/info on WordPress.

By the way I made a subtle enhancement to Jerome’s output, the code follows below the break: