WordPress – Soup to Nuts

I've written about WordPress at various points. I've been using this CMS for 13-14 years, and for me it is well known, though a bit worn out. Its breakage has not improved much, and the resources needed are not up to the modern task. Essentially most performance gains are made through improvements in Nginx, PHP, and MariaDB (thankfully, and not inconsequentially). WordPress is a most dreaded platform for 64.5% of developers answering a developer survey on Stack Exchange. This beats out the dread levels of its core enabling technologies, MySQL (50.4%) and PHP (58.6%). Simply put, WordPress has a premium dreadfulness to it. For me it is time for the devil I don't know, rather than the one I do. Even with the Classic Press fork of WordPress, we are dealing with ossified technologies. Granted, they will likely not die (the code base is too large), but that does not make them forever bankable and safe, as in the "nobody got fired for using IBM" of the past.

Previous Articles

WordPress 5 – Automattic Waterloo

Automattic is the organization behind WordPress the content management system, wordpress.com, and a number of smaller entities. By some estimates, WordPress has ~30% market share of the web. It has taken on in excess of [$300m in funding](https://www.crunchbase.com/organization/automattic) over the years. After 2–3 years of development of WordPress, Automattic was founded in 2005 to receive an initial funding round of $1.1m.

Competition and Growth

Competition is seen as coming foremost from the lower-end, simpler website design companies such as Wix and Medium. Basic usability and ease of use of the WordPress editor is seen as a stumbling block to growth, especially by investors who seek a return. Matt Mullenweg, the co-founder and CEO, is not shy about demonstrating the user problems, as seen in his most recent State of the Word presentation from 10 December 2018.

While there is an interesting solution provided in terms of Project Gutenberg and blocks to replace the WYSIWYG/code view editor, it in no way is an answer to novice users creating pages that have complex visuals (other than possibly copy-paste from Word or Google Docs). More importantly, by removing the current WYSIWYG/code view editing interface that all intermediate and advanced users have mastered, everyone is forced into a learning curve regarding these less-than-intuitive blocks. Certainly it is a mental model, as Mullenweg suggests, just not an intuitive one, or one that the interface makes readily apparent.

To allow for a transition period (aka Phase 2) the old editor will be available by means of a plugin, with support promised until 2021. The incipient integration of Gutenberg into Core caused quite a bit of disgruntlement, and induced a group to do what is always possible with open source software: create a new release from the old source code.

ClassicPress, calmPress Forks of WordPress 4.9

Strengths can be weaknesses, and the open source software strength of WordPress has now been used against it in the form of hard forks of the project. ClassicPress released its first version, which is a fork of WordPress 4.9. Work began on this hard fork on 30 August, with alpha and beta releases on 24 October and 21 November. calmPress, another fork of WordPress 4.9, is the effort of a single developer. calmPress 0.9.9, a fork of 4.9, was released on 29 November 2018, with alpha and beta versions starting back in September. There was discussion about collaboration on a shared plugin directory between calmPress and ClassicPress, but that has not progressed.

ClassicPress Organizational Development

ClassicPress calls itself a business-focused release. That is, professional, stable, reliable performance. Already ClassicPress is undergoing some performance tuning and a focus on security. The main point is to dodge the bullet of Gutenberg, which with WordPress 5.0 becomes integrated into Core. Building a successful software project includes proper, effective guidance as well as resources (programming and money). From the ClassicPress forum and Slack channel, these discussions appear to be taking place, and developers are indeed doing the necessary, day-to-day, block-and-tackle efforts.

WordPress 5 Released

WordPress 5.0 was released on 06 December 2018. On 12 December WordPress 5.0.1 was released to include some security bug fixes. However, this also began to introduce breakage.

This is a Waterloo

The Battle at Waterloo has become a metaphor for something difficult to overcome, or recover from. With novices unable to easily adopt the new interface, and with a good swath of intermediate and advanced users in open rebellion against the change, there are now opportunities for sharpened knives. The forces arrayed against Automattic are as follows:
- Those who will defect to a hard fork (ClassicPress, etc., see above)
- Those who will defect to an alternate platform (Grav, etc., see below)

The main forces for Automattic are:
- User base inertia,
- Community that will censor defectors to a hard fork, and
- The WooCommerce and subsidiary plugins which make finding a replacement a more complex and time consuming task. (This is akin to trying to supplant Windows without having an alternative to Office.)

Troop Strength and Depth

While this might seem like a less difficult challenge than the fated Waterloo, the strength of Automattic's development ranks is thin and ragged. The ability to create quality code and a quality experience should be seriously questioned. For example:
- Two plugins remain in Core that cannot be touched (for the obviously irrelevant political reason that they were created more than a decade ago by the CEO), and lead developers have to resort to lying about it in the bug tracker. In ClassicPress, those two plugins were removed in the first Alpha release.
- The infamous WordPress plugin repository redesign fiasco of 2015–2017.
- Last but not least, the hostility to and distaste for Gutenberg to date.

If it were a matter of executing and providing a speedy and pleasant experience, then the rather steep learning curve could be mastered. Instead, the very same puzzling experiences found in user testing with novices using the current editor will be found writ large with not only novices, but intermediate and advanced users of the previous platform. As one reviewer put it, "I'm tripping over my own feet." Again, it will take more than evangelism to win this battle because of the quality of the WordPress package, including the ridiculous redesign of the Plugin directory and its functionality. This is not to mention the antiquated development tools and processes that continue to cause WordPress, like an old jalopy, to rattle and shimmy down the backroads and washed out valleys of bloatland.

Humans Hate Change

If the above were not enough, there is the very basic psychology that is arrayed against Automattic in this significant change, which is: humans hate change. Witness:
- Why redesigns don't make users happy
- Why most redesigns fail

Alternative to WordPress -- Flat File CMS

It is important to view another issue with WordPress which adds complexity and resource requirements, and which for many sites is unnecessary: the requirement for a database. Flat file content management systems are increasingly functional and reliable and have significant advantages over the use of a database. Databases are generally opaque, more difficult to inspect, require their own backup and restore procedures, have their own security, use more resources (specifically RAM, but also processor) and, with advanced caching readily available, do not have much in the way of benefit. For special uses such as shopping carts and session management, a database can be used as a supplement to a Flat File CMS, but for serving most content, it makes little sense. Grav CMS, a maturing Flat File CMS, is a viable alternative to WordPress for certain use cases, perhaps even the majority (and has shopping cart plugins available). For those developers, administrators, and end users, like me, who have spent more than a decade with WordPress and are looking for a platform for the next 10 years, Grav looks quite promising, as does ClassicPress. WordPress? Not so much.

CMS Maturity Hallmarks

Content Management Systems come in all shapes and sizes, and it is unfair to evaluate their maturity based on their functionality. However, to some degree this is still a useful metric, depending on the functionality. Below are hallmarks of functional maturity. Again, certain CMSs will not receive an accurate score based on specific niche uses or unique aspects.
- CLI / command line interaction
- Serverless-able
- Database-less/database-optional
- Various caching options available
- Ecommerce-friendly/Ecommerce package(s) available
- SEO metadata friendly
- Email/Form management
- Effective templating system

PHP and MariaDB on Debian

Note: instructions for installing and configuring phpMyAdmin also included below.


Related Articles in Debian Services and Applications
- Debian on AWS Lightsail
- OpenVPN on Debian + UFW Firewall
- Nginx and Letsencrypt on Debian
- PHP & MariaDB on Debian
- Grav CMS on Debian


As of December 2018 there are decent performance gains with the latest PHP and MySQL (MariaDB, not Oracle) versions. These are:
- PHP 7.3.0 released 06 Dec 2018
- Next PHP release 7.4 likely out December 2019
- MariaDB 10.3.11 released 20 Nov 2018
- Latest MariaDB release 10.4 is in release candidate status as of May 2019.

It would be good to do a new version along with PHP when its next release is out, say Dec 2019/Jan 2020.

PHP 7.3 outperforms PHP 7.2 and earlier versions on nearly all real-world web cms platforms. At the same time, MariaDB does indeed have performance enhancements which generally make it faster than the Oracle offering. For MariaDB the performance advantages have been apparent since at least MariaDB 10.1 vs. MySQL 5.7 back in 2014.

This is no surprise, given that MariaDB was founded and developed under the direction of the original MySQL founder. The main technical advantages are better thread management and defragmentation in MariaDB than in MySQL. In addition, a larger variety of engines is available under MariaDB, including NoSQL (Cassandra).

Set up PHP Repository and Certs

sudo apt-get install apt-transport-https lsb-release ca-certificates
sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list

Update and Install PHP

Currently this is the 7.3 branch

sudo apt-get update -y
sudo apt-get install -y php7.3
sudo apt-get install -y php7.3-cli php7.3-common php7.3-curl php7.3-fpm php7.3-gd php7.3-json php7.3-mbstring php7.3-opcache php7.3-readline php7.3-xml php7.3-intl php7.3-zip php7.3-mysql

Update and Upgrade apt

sudo apt update -y
sudo apt upgrade -y

Verify php-fpm status

systemctl status php7.3-fpm.service

Disable cgi.fix_pathinfo so PHP does not guess at the script path

sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.3/fpm/php.ini
systemctl restart php7.3-fpm.service

Edit the php.ini used by PHP-FPM if needed, e.g., to increase the upload size variables, then restart php7.3-fpm as above.

nano /etc/php/7.3/fpm/php.ini

Make the following changes:

cgi.fix_pathinfo = 0
...
max_execution_time = 300
...
upload_max_filesize = 32M
...
post_max_size = 32M
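
The sed one-liner above only matches the exact text ;cgi.fix_pathinfo=1, so it changes nothing that matters if the active line is spelled differently or the directive is set again further down. The following audit script is an added example, not part of the original instructions; the sample file it checks is constructed, and it assumes the usual php.ini rules (lines starting with ; are comments, the last assignment wins).

```shell
#!/bin/sh
# Added example: audit the effective values in a php.ini.
# Assumed php.ini rules: a line starting with ';' is a comment, text after a
# later ';' is an inline comment, and the last assignment of a directive wins.

# Print the effective value of directive $2 in file $1 (empty if never set).
php_ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                      # commented-out directive
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)           # strip inline comment
            eq = index(line, "=")
            if (eq == 0) next                     # section header or blank
            k = substr(line, 1, eq - 1)
            v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                 # last assignment wins
        }
        END { print val }
    ' "$1"
}

# Check the four directives from this section; return 1 if any differs.
check_php_ini() {
    audit_rc=0
    while read -r key want; do
        got=$(php_ini_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $key = $got"
        else
            echo "FAIL  $key = ${got:-unset} (want $want)"
            audit_rc=1
        fi
    done <<'EOF'
cgi.fix_pathinfo 0
max_execution_time 300
upload_max_filesize 32M
post_max_size 32M
EOF
    return "$audit_rc"
}

# Constructed sample: the active line reads "cgi.fix_pathinfo = 1", so the
# sed pattern ;cgi.fix_pathinfo=1 only rewrites the commented line above it
# and the later assignment of 1 still wins.
sample_ini() {
    cat <<'EOF'
[PHP]
;cgi.fix_pathinfo=1
cgi.fix_pathinfo = 1
max_execution_time = 30
max_execution_time = 300 ; raised for imports
upload_max_filesize = 32M
;post_max_size = 32M
EOF
}

# With a path argument audit that file, otherwise audit the sample.
if [ -n "${1:-}" ]; then
    check_php_ini "$1"
else
    tmp_ini=$(mktemp)
    sample_ini > "$tmp_ini"
    check_php_ini "$tmp_ini" || echo "sample needs fixing"
    rm -f "$tmp_ini"
fi
```

Run it with /etc/php/7.3/fpm/php.ini as the argument after editing; any FAIL line means the running configuration differs from the values listed above.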

MariaDB - Install cert manager, key, repository

currently 10.3

sudo apt-get install -y software-properties-common dirmngr
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
sudo add-apt-repository 'deb [arch=amd64,i386,ppc64el] http://mirrors.dotsrc.org/mariadb/repo/10.3/debian stretch main'

Then perform update and install mariadb-server

sudo apt update -y
sudo apt-get install -y mariadb-server
sudo systemctl status mariadb

Enable auth socket

sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf

Add plugin-load-add = auth_socket.so in the [mysqld] section. Then save and restart MariaDB.

sudo systemctl restart mariadb.service

Secure the database

sudo mysql_secure_installation

PhpMyAdmin on Debian

Provided that Nginx and LetsEncrypt SSL are installed and configured, it is time to install PhpMyAdmin.

sudo apt-get update
sudo apt-get install -y phpmyadmin

Add a symlink from /usr/share/phpmyadmin to /var/www/html or whatever directory for whichever website

sudo ln -s /usr/share/phpmyadmin /var/www/html

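Note: for security through obscurity, rename the link. This only hides the path; the IP restriction further down is what actually limits access.

sudo mv /var/www/html/phpmyadmin /var/www/html/pma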

Install and enable mcrypt in php, and restart php-fpm

sudo apt-get install -y mcrypt
sudo phpenmod mcrypt
sudo systemctl restart php7.3-fpm

Test to see if it works

https://host.domain.tld/pma/

Limit access to /pma/ by ip address, by editing the nginx configuration

nano /etc/nginx/sites-available/default

Add the following line to the top above server:

geo $admin { default 0; 203.150.176.16 1; }

And put a nested statement under \.php as per this StackOverflow answer

location ~ \.php$ {
    location ~ (/pma/) {                 # add this (matches the renamed /pma/ link)
        if ($admin = 0) { return 404; }  # add this
        ## fastcgi parameters            # duplicate these lines
    }                                    # add this
    ## fastcgi parameters ##
}

Nginx and Letsencrypt SSL on Debian

It is a good idea to get PHP and MariaDB on Debian set up before Nginx (except the PhpMyAdmin which can come after).

Related Articles in Debian Services and Applications
- Debian on AWS Lightsail
- OpenVPN on Debian + UFW Firewall
- Nginx and Letsencrypt on Debian
- PHP & MariaDB on Debian
- Grav CMS on Debian

Install Nginx

Edit /etc/apt/sources.list to add the Nginx repository

nano /etc/apt/sources.list

Add the following repository (currently for Debian 9/Stretch)

deb http://nginx.org/packages/mainline/debian/ stretch nginx

Download and install the key for the repository

wget https://nginx.org/keys/nginx_signing.key
sudo apt-key add nginx_signing.key

Remove nginx-common, update apt and install nginx

sudo apt-get remove -y nginx-common
sudo apt-get update -y
sudo apt-get install -y nginx

Systemd / Nginx Race Condition

There is a known race condition, with a workaround as follows:

mkdir /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload

Edit /etc/nginx/sites-available/default

Note: these edits are not comprehensive, just to get certbot working. Uncomment the following lines:

listen 443 ssl default_server;
listen [::]:443 ssl default_server;
...
location / {
...
try_files $uri $uri/ =404;
}

Where it says server_name _; change _ to an appropriate FQDN that has an appropriate A record. Save and restart nginx:

service nginx restart

Letsencrypt Certbot

sudo apt-get update
sudo apt-get install -y python-certbot-nginx certbot -t stretch-backports

Run letsencrypt (automatic)

certbot

Test access from a browser.

HSTS Preload

Browsers ship with a preload list of sites that require HTTPS. To add a site to that list, two things are required: a redirect from port 80 to 443, and an HSTS header. For the redirect, add this server configuration:

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
}

The HSTS header needs to be added to each server block; it can simply go after the listen 443 ssl; line. Note that includeSubDomains and preload commit every subdomain to HTTPS as well:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
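
To confirm both requirements before submitting a site, the check below parses response headers as returned by curl -sI for the http:// and https:// URLs. It is an added example, not part of the original instructions; the two header blocks are constructed samples, and the 31536000 minimum is the preload list's published one-year threshold.

```shell
#!/bin/sh
# Added example: check captured response headers against the two requirements.
# The header blocks below are constructed samples shaped like `curl -sI` output.

HTTP_HEADERS='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://host.domain.tld/'

HTTPS_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'

# Succeed if header block $1 is a 301 whose Location is an https:// URL.
redirects_to_https() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        NR == 1 { code = $2 }
        tolower($1) == "location:" { loc = $2 }
        END { exit !(code == "301" && loc ~ /^https:\/\//) }'
}

# Print the Strict-Transport-Security value from header block $1, if any.
hsts_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" {
            sub(/^[^:]*:[ \t]*/, ""); print; exit
        }'
}

# Succeed if HSTS value $1 has max-age >= 31536000, includeSubDomains, preload.
hsts_preload_ready() {
    hsts=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t"')
    max_age=""; has_sub=0; has_pre=0
    old_ifs=$IFS; IFS=';'
    for directive in $hsts; do
        case "$directive" in
            max-age=*)         max_age=${directive#max-age=} ;;
            includesubdomains) has_sub=1 ;;
            preload)           has_pre=1 ;;
        esac
    done
    IFS=$old_ifs
    case "$max_age" in ''|*[!0-9]*) return 1 ;; esac   # missing or non-numeric
    [ "$max_age" -ge 31536000 ] && [ "$has_sub" -eq 1 ] && [ "$has_pre" -eq 1 ]
}

# Report on one host from its two captured header blocks.
preload_report() {
    redirects_to_https "$1" || { echo "FAIL: port 80 does not 301 to https"; return 1; }
    hsts_preload_ready "$(hsts_value "$2")" || { echo "FAIL: HSTS header not preload-ready"; return 1; }
    echo "OK: redirect and HSTS header are in place"
}

preload_report "$HTTP_HEADERS" "$HTTPS_HEADERS"
```

For a live host, pass the output of curl -sI http://host.domain.tld/ and curl -sI https://host.domain.tld/ as the two arguments to preload_report.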

Nginx Info

Nginx has become the standard for much of the web, for the basic standard reason it is not creaky old (though of course still lovable) Apache. However, before we get too far ahead of ourselves, let's recall exactly what we need to know about Nginx in order for it to work as well as Apache:
- Installation
- Configuration files
- Support of SSL / LetsEncrypt
- SFTP/SCP access to file system (and file rights + ownership)
- Multiple virtual servers / directories
- Mimetypes
- Support for PHP
- Threading
- .htaccess and related

Nginx and Related Files and Directories

Standard or default files and directories as follows:
- /etc/nginx - application directory
- /etc/nginx/nginx.conf - main configuration file
- /usr/share/nginx/html - default website root directory - noted as html in nginx.conf
- /var/log/nginx/error.log - error log
- /var/log/nginx/access.log - access log
- /etc/nginx/mime.types - mime types
- /etc/php.ini - php configuration file

Nginx / PHP-FPM Security Issues

There are significant issues with PHP-FPM in terms of keeping site caching partitioned when using multiple websites/virtual sites. Opcache should be turned off and individual users should be in charge of a different php-fpm process for each site. How to do this is not listed here (just yet).
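
One way to lay out the separation described above is a PHP-FPM pool file per site, each running under its own account with opcache switched off. The generator below is an added example, not the author's configuration; the site names, the account names and the WEB_USER default of www-data are assumptions (set WEB_USER to the account named in the user directive of nginx.conf), and each printed pool would be saved under /etc/php/7.3/fpm/pool.d/.

```shell
#!/bin/sh
# Added example: print a per-site PHP-FPM pool file.
# Assumptions: each site has its own Unix account, pool files live in
# /etc/php/7.3/fpm/pool.d/, and nginx workers run as $WEB_USER.
WEB_USER=${WEB_USER:-www-data}

# fpm_pool_conf SITE UNIX_USER  -> pool config on stdout, non-zero if rejected
fpm_pool_conf() {
    site=$1; run_as=$2
    # The site name ends up in a section header and a socket path.
    case "$site" in ''|*[!a-z0-9_-]*)
        echo "bad site name: $site" >&2; return 1 ;;
    esac
    # Sharing root or the web server account would defeat the separation.
    case "$run_as" in ''|root|"$WEB_USER")
        echo "pool must run as a dedicated non-root user" >&2; return 1 ;;
    esac
    cat <<EOF
[$site]
; workers for this site run as their own account
user = $run_as
group = $run_as
; one socket per site; only the web server account may connect to it
listen = /run/php/php7.3-fpm-$site.sock
listen.owner = $WEB_USER
listen.group = $WEB_USER
listen.mode = 0660
pm = ondemand
pm.max_children = 5
; opcache off for this pool, as recommended in the text
php_admin_flag[opcache.enable] = off
EOF
}

# Constructed sample: two sites, each under its own (hypothetical) account.
fpm_pool_conf site1 site1user
fpm_pool_conf site2 site2user
```

Each nginx server block then points fastcgi_pass at its own socket, for example unix:/run/php/php7.3-fpm-site1.sock.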

XFCE vs. Cinnamon 2018

Summary -- The superiority of XFCE or Cinnamon comes down to use cases, and of course preference -- de gustibus non est disputandum.

XFCE Superiority

XFCE is a delight in many ways, when compared with Cinnamon:
- Less memory and processor utilization
- A bit more stable (though this could be an instability with Nemo)
- Faster/easier to configure (the settings menus are much better organized with fewer top-level items)

Cinnamon Superiority

At the same time, Cinnamon has definitely fixed/improved a few things:
- Keyboard settings to reconfigure standard keyboard remapping (Win/Cmd/Super remapping, CapsLock behavior)
- Shortcuts on the start menu, ease of adding apps from the menu to the dock, and in general a more elegant start menu w/ search, better spacing

Beyond these issues, everything else seems to be about applications. Both can do everything else more or less similarly.

* Note: one can install Cinnamon on Debian directly, or try Linux Mint Debian Edition (LMDE), or simply standard Mint (an Ubuntu derivative) and Cinnamon. Cinnamon is also available for a few other Linux distributions.

Nautilus beats Nemo and Thunar

Nemo is simply unstable. Try doing some drag-and-drop and it soon slows, hangs, quits. Thunar is nice, but there is no handy search or buttons to toggle between views. Everything has to be committed to remembered keyboard shortcuts. Silly. Nautilus is not perfect by any means. A seeming limitation of the icon view size set to max 133% is a disappointment. However, beyond that it is very good and definitely an improvement over Nemo and Thunar.

Cinnamon - Better Keyboard Support, Better Dock/Menu

The bottom line is that while Cinnamon has greater resource demands, and a bit less stability, it has a better dock/menu interface and better keyboard configuration support. This makes it a premium modern desktop for Debian and Ubuntu (via the Linux Mint Debian Edition (LMDE)).

XFCE - Better Resource Management for Low End Devices

Either Debian + XFCE or the Linux Mint XFCE edition is appropriate for low-end devices, say those with 4 GB or less of RAM. This would be appropriate for the Asus C101PA Convertible Chromebook.

See Also for Linux on the ASUS C101PA

Gsuite Free Domain Alias Mailboxes

Google likes to remove functionality on free products to induce upselling. This is a common tactic in many software/SaaS models. However, the cost of adopting Gsuite is very high, relative to free: essentially a 5-10 pack of mailboxes at $5/month for the least expensive Gsuite paid option. That's $300-$600/year. What is sadly missing is a less expensive option. I don't mind paying money for valuable services, but for an individual consumer who really only has family mailbox accounts, this is ridiculous pricing. As someone with multiple domains, here is how I get around this issue.

No Duplicate Mailboxes

The main problem comes when one wants to have mailboxes that have the same username, e.g., info@primary-domain.com and info@secondary-domain.com. Because added-on domains are always only aliases, only the primary domain is possible (e.g., info@primary-domain.com), and all subsequent domains with the same info@ are aliases of the underlying primary domain.

Steps to Support Duplicate Mailboxes

The work-around is as follows:
- Create a unique mailbox such as secondary-domain@primary-domain.com.
- After some amount of time (an hour at the most) the address info@secondary-domain.com will be added (provided info@primary-domain.com was already a primary or secondary mailbox address).
- Log into secondary-domain@primary-domain.com and add info@secondary-domain.com as a second account. This will generate an email which will be sent to info@primary-domain.com. Verify access with the verification code. Set that info@secondary-domain.com as the default and configure the mailbox to always send email from that address.
- Log into info@primary-domain.com and add a forwarding address of secondary-domain@primary-domain.com. This will generate a verification code emailed to secondary-domain@primary-domain.com. Verify this.
- Next, create a new filter for incoming mail addressed to: info@secondary-domain.com and have it forward email to secondary-domain@primary-domain.com and also delete the email locally.

The steps above will properly route and address mail so that the new mailbox will function properly using the normally disallowed duplicate username in the free version of Gsuite.

Endgame with Gsuite

Frankly I dislike Google and Gsuite. My use is only a holding action to not have to deal with email migration. The vast majority of time I no longer use Gsuite other than calendar and email, and also the use of those accounts for YouTube and Google Business Listings, and also the Analytics/Google Ads suite. Obviously there needs to be Google accounts, but they can be independent Gmail accounts rather than Gsuite accounts. At some point (in 2019), I'll migrate off and do self-hosting on mail and calendar, and therefore move YouTube, Business, Analytics over to Gmail accounts.

Artistic Creation Endeavors

Back in the early stages of adulthood, I had at times contact with, interest in, and time spent doing art. This was mainly poetry, short fiction, and painting. Giving it up because of a statement of Baudelaire, and psychic exhaustion, was not the best idea, but it is where I have been with this. It is time to begin to turn the ship of state that is my vocation and avocations back toward that blessed horizon.

Some Blender Resources

Jama Jurabaev

The Next Leap: How A.I. will change the 3D industry

Amazon Canada Incompetence

By Amazon Canada, I am referring to the Amazon Advantage Canada operation. Pure, unadulterated incompetence. Support requests go something like this:
- Me: Here is my problem, with detail
- AC: Request for information (which is already in the detail)
- Me: Submission of requested info, again
- AC: Thank you, please wait
- AC: We are working on this, thank you for your patience
- AC: We are working on this, thank you for your patience
- AC: It is fixed now, please try again
- Me: No, it is still broken
- AC: Thank you, please wait
- AC: We are working on this, thank you for your patience
- AC: We are working on this, thank you for your patience
- AC: It is fixed now, please try again
- Me: No, it is still broken
- AC: We tried to call you, please provide a time to discuss this issue
- Me: No, we don't need to talk, please fix the problem
- AC: Thank you, please wait
- AC: We are working on this, thank you for your patience
- AC: We are working on this, thank you for your patience
- AC: It is fixed now, please try again
- Me: No, it is still broken
- AC: Please send screenshots with dates (obviously they don't believe me)
- Me: Submission of requested info, again
- AC: We tried to call you, please provide a time to discuss this issue
- Me: No, we don't need to talk, please fix the problem
- AC: Thank you, please wait

Repeat with various slight modifications. This has happened to me twice now, with different issues, and it is completely maddening. First, they cannot update an item in inventory. After three months of this nonsense, I just removed/discontinued the item. The second time, most recently, they can't update my bank information and my account is locked and I can't update it myself. This has been the situation now for over a month. Well, bye bye Amazon Canada, incompetence par excellence.