Roots Hide WP

Theme author, Ben Word, has been working for some time on Roots: “a starting WordPress theme based on HTML5 Boilerplate & Bootstrap from Twitter.” Back in November, Word wrote an article about how they’re hiding the fact that the theme is powered by WordPress.

In the Roots theme we’re taking several steps to ensure that a visitor to your website won’t know that you’re using WordPress

They do some interesting things, including rewriting URLs to theme assets & plugins to hide the wp-content directory and rewriting URLs to root-relative addresses. Additionally there’s a “walker” class for custom navigation menus, so you could do something like:

wp_nav_menu(array('theme_location' => 'primary_navigation', 'walker' => new roots_nav_walker()));

I’m offering it here as a plugin with some minor changes. Word’s original post is code directly from the Roots theme which is meant to “hide” the fact that a site is running on WordPress. That’s fine for them. I didn’t want to make any decisions about where the assets folder should be for an unsuspecting person who may have been using WordPress for some time. Cleaning wp_head sounds good in practice and I’m sure there’s some stuff in there that most people don’t need, but there’s a reason it got so messy in the first place. I’m still doing a bit of cleaning there: the scripts to make tagging work in Windows Live Writer will be removed along with the wp_generator script that writes out the WordPress version to a meta tag — it’s considered to be a security risk to let people know your WordPress version.

View in Plugin Directory
Download on Github

The Beer Game or Why Apple Can’t Build iPads in the US

The Beer Game explains why Apple can’t build iPads in the US. It’s not labor costs, it’s the supply chain. Apple could build a factory to assemble devices in the U.S., but all the components come from China anyway.

In the end, we had lost hundreds of dollars in backorders and excess inventory and were cursing out our upstream or downstream vendors for being idiots.

The lessons of the Beer Game are pretty evident. Delay in the supply chain causes amplified downstream problems. The problem wasn’t that we were kids running beer supply, the problem was the structure of the chain itself. Small changes at the front end lead to massive mistakes down the line.

From the transcript of This American Life’s “Retraction” episode:

But labor is such an enormously small part of any electronic device, right? Compared to the cost of buying chips or making sure that you have a plant that can turn out thousands of these things a day or being able to get strengthened glass cut exactly right within, you know, two days of this thing being due, that’s what’s important. Labor is almost insignificant. What is really important are supply chains and flexibility of factories.

Github Styleguide

Github has styleguides for CSS, HTML, JavaScript, and Ruby. I generally agree with most of the stuff here. Remember that this is all specific to Github so you may not be able to apply everything directly, but good guidelines nonetheless. It makes me want to write my own styleguide and put it up here.

Self-signed SSL Certificates

If you’re logging into a website or posting to the web unencrypted, you’re doing it wrong. I use WordPress and it’s pretty secure, but there’s nothing they can do about unencrypted traffic between your browser and the server.1 WordPress has a feature to force encrypted logins and administration pages, but that’s not going to do you much good if you don’t have an SSL certificate.

Self-signed certificates can be perfectly safe, but there are a couple things you should know.

  1. Don’t let anybody get your key file. With it, anybody can download your certificate and serve it on their website.
  2. Listen to the warnings your browser tells you about. Know that your self-signed certificate may generate warnings and that the only thing companies like Verisign do is verify the certificate is unique and was generated by a known good source.
  3. You probably want to avoid serving self-signed certificates on sites meant for public consumption because of the errors mentioned above. I’m going to offer an exception to this here, but keep the error messages in mind.

Since you are the only one logging into your WordPress site, you don’t have to worry about scaring away readers with a self-signed SSL certificate. If you’re running an e-commerce site, you’re going to want to go ahead and pay for a certificate that’s not going to generate warnings. It’s possible to tell your browser to ignore the warnings, but you’ll still scare away most potential customers.

Generate the Certificate

The first thing we need to do is generate a server key. From there we’ll generate the certificate signing request and then the certificate. Last, we’ll need to generate a version of the key that doesn’t require a password or you’ll have to enter the password on the console every time Apache restarts.2

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

As I’ve mentioned already, make sure you guard server.key with your life. Ideally you would’ve used a secure password to protect the key at the beginning, so server.key.secure should be safe, but guard that too. You’ll want to make sure you get a copy of server.crt on your local machine. If you’re on a Mac, you can add it to the Keychain so you won’t be bugged every time you visit the site with your self-signed certificate.

Installing the Certificate

In this case, I’m going to install the certificate on an Ubuntu server running Apache, but the process will be similar for any Unix environment. Assuming you already have Apache running, we’re going to move the key and the certificate to the place where they’ll be served from, and enable mod_ssl.

mkdir -p /etc/apache2/ssl
cp server.key /etc/apache2/ssl
cp server.crt /etc/apache2/ssl
chmod 600 /etc/apache2/ssl/server.key
a2enmod ssl

Then we’ll need to configure the virtual host. Look in /etc/apache2/sites-available for default-ssl. There you’ll need to configure the host just as you did when you initially set up the server, being sure to change the DocumentRoot and Directory from /var/www if need be, and to point SSLCertificateFile and SSLCertificateKeyFile at the certificate and key you copied into /etc/apache2/ssl rather than the placeholder “snakeoil” files the default configuration ships with. Then, enable the virtual host and restart Apache.

a2ensite default-ssl
service apache2 restart

If everything was configured correctly, you should now be able to visit your site with the https protocol.

WordPress

On a WordPress site, you can force SSL logins and administration by adding the following lines to your wp-config file.

define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

Update

It has been pointed out by a few people that training people to ignore security warnings isn’t the right approach. I never meant to suggest training people to ignore the warnings. If you’re going to self-sign an SSL certificate for your website, you have to install the certificate locally or you’ll have no way to verify that you’re actually connected to the right host and not a victim of a man-in-the-middle attack.
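As an added example that is not part of the original post, this Go program uses only the standard library (in place of openssl) to generate a self-signed certificate the way the commands above do, then checks it three ways: against the system roots (the browser’s default, which is why it warns), against the certificate itself (what installing it locally amounts to), and for the wrong hostname (the check that catches a substituted certificate). The hostname blog.example is a constructed value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// selfSigned does in Go what "openssl req" + "openssl x509 -req -signkey" do:
// a fresh key and a certificate for host signed by that same key.
func selfSigned(host string, days int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host}, // constructed example host
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, days),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// verify checks certPEM for host. trusted == nil means the system roots (why the
// browser warns); passing the certificate itself is what "install it locally" means.
func verify(certPEM []byte, host string, trusted []byte) error {
	block, _ := pem.Decode(certPEM)
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{DNSName: host}
	if trusted != nil {
		opts.Roots = x509.NewCertPool()
		opts.Roots.AppendCertsFromPEM(trusted)
	}
	_, err = cert.Verify(opts)
	return err
}
```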

Resources


  1. I’m not talking about WordPress.com blogs here. If your site is hosted on WordPress.com, they’ve obviously taken care of all this already.
  2. I’ve been there. It’s not fun. Even a little.

The Dream Internship: Automattic VIP Team

I actually applied for a position at Automattic not too long ago — before this internship was announced. I still have another year at the UW before I can take a full time position anywhere. This internship would be perfect though. I would love to work at Automattic. Currently they seem to be holding submissions in moderation; presumably so new entrants can’t look at the older comments for ideas. I have no idea when there will be any word on this or how many people will apply.