Posts tagged with ‘wordpress’

 


Probably about time:

PHP 4 and MySQL 4 End of Life Announcement

First up, the announcement that developers really care about. WordPress 3.1, due in late 2010, will be the last version of WordPress to support PHP 4.

For WordPress 3.2, due in the first half of 2011, we will be raising the minimum required PHP version to 5.2. Why 5.2? Because that’s what the vast majority of WordPress users are using, and it offers substantial improvements over earlier PHP 5 releases. It is also the minimum PHP version that the Drupal and Joomla projects will be supporting in their next versions, both due out this year.

Finally!

 

I’m a little slow; I just upgraded to WordPress 3.0. The interface has undergone slight tweaks and has emerged more polished. One of my crucial plugins doesn’t work, though, and I have to use a development version of the plugin. Probably won’t upgrade my other blogs.

 

Not long ago, word’s been going around to upgrade WordPress to its latest version, 2.8.4. Robert Scoble suffered some loss: some hackers broke in and deleted some of his blog posts. In addition to that, the hackers also placed malicious code in his archive pages, and Google sent him an email stating it has removed his blog from its indexes.

I would be terribly upset if such things happened to me. I keep updating WordPress just in case. But what happens when it does get hacked? Are the WordPress developers to be blamed? One of the things brought up is custom plugins being incompatible with the new WordPress. I hate to say this, but when it comes to security, it’s still more important to temporarily disable the plugin and fix it ASAP instead of not upgrading. The risk is just too much.

And backups. Do them frequently. If it’s hard to do backups, just pay your host to do so. I just pay them to settle that stuff for me. I’m not too clever with all the backup utilities. I never had the time to explore them.

One of the comments in Scoble’s Friendfeed caught my attention:

This recent wave of WordPress incidents shows the negative side of using open source software. Matt says that there are many people looking into WordPress’ source code, but the problem is that probably half of those people have malicious reasons for doing so. – Nikolay Kolev

To which Matt of WordPress fame replied:

Nikolay, it’s always better to have more people looking at the code, because a bug that’s been found is better than a bug that hasn’t. WordPress used to get almost no security problems and people thought it was because it was coded differently, when in fact it was coded far worse than it is today; it just didn’t have enough users to make it worthwhile to target. Also, where many commercial or proprietary companies try to minimize information about their problems or sit on a fix for months so they can package a bunch into one update, we put everything out there, doing a new release as soon as possible after a problem has been reported. – Matt Mullenweg

Here’s another response from another user, Tim:

Nikolay: I would also push back against your assumption that using Open Source software equals less security. Microsoft Windows and OS X are both closed source and both have security holes – there is a competition each year to help MS and Apple find them and fix them. Both Apple and Microsoft came away with security holes to fix this year. So just because it’s open source doesn’t automatically make it more open to security holes. I agree with Matt and believe that having the source open to all makes fixing the holes much quicker. – Tim

I think I can relate to this…

Anyway, Matt also wrote an article on How to keep WordPress secure.

 

As planned, Apache is no more. Say hi to Lighty


Made a few silly mistakes along the way and almost accidentally deleted my folder of pictures even. Things got a little more responsive. I haven’t used any caching solutions for WordPress. Caching is going to be tough work.

I just let PHP CGI spawn happily:

PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
2655 www-data  16   0 99816  31m 3804 S    0 12.4   0:22.67 php-cgi
2651 www-data  16   0 96060  29m 3308 S    0 11.6   0:04.91 php-cgi
2656 www-data  16   0 93976  26m 3968 S    0 10.2   0:24.59 php-cgi
2654 www-data  16   0 94008  26m 3856 S    0 10.2   0:24.88 php-cgi
2653 www-data  16   0 91612  25m 3200 S    0  9.8   0:03.52 php-cgi
2657 www-data  16   0 89840  22m 3784 S    0  8.7   0:24.06 php-cgi
2652 www-data  16   0 89580  22m 3980 S    0  8.6   0:04.27 php-cgi
2650 www-data  16   0 86716  20m 3196 S    0  8.0   0:03.94 php-cgi
2313 mysql     15   0  139m  17m 4368 S    0  6.7   0:19.83 mysqld
2649 www-data  23   0 71676 6232 3708 S    0  2.4   0:00.01 php-cgi
2647 www-data  23   0 71676 6224 3708 S    0  2.4   0:00.02 php-cgi
2672 root      15   0 53468 2696 2136 S    0  1.0   0:00.00 sshd
2645 www-data  15   0 55084 2628  892 S    0  1.0   0:00.22 lighttpd
2433 root      15   0 36676 2124 1676 S    0  0.8   0:00.00 master

Lighttpd doesn’t exactly take up a lot of resources either.

 

It’s been requiring almost a daily restart. I think it’s probably MySQL or Apache’s fault. Or perhaps it’s just my fault for being a miser not wanting to pay for more. Either way, I’m going to fix it. So far, I’m done with the virtual hosts. Lighttpd isn’t as hard as I thought. PHP is working fine already. I’m still in the midst of testing if WordPress works. Once I’m done with that, it’s “sudo apt-get remove apache2”.

 

WordPress 2.7 introduced a feature to perform automatic updating of plugins and WordPress itself. It annoys me endlessly that the automatic update refuses to work and requires me to input an FTP username and password which I don’t have. This blog runs on a server that does not have FTP installed. I use SSH for that. The method is to change ownership of your WordPress directory to www-data (for Apache).

Run the following command in your WordPress directory (sudo required):

sudo chown -Rf www-data *

That did the trick for me by changing the ownership of every folder and its files recursively to ‘www-data’. It is slightly risky and you may not like the idea of giving so many privileges to the WordPress directory. But before I can think of any way to attack the server, I guess this method is more or less safe. Unless there is a malicious plugin that you install. Always install proven plugins. That said, use it at your own risk.

Changing the ownership gives Apache access to your WordPress directory, allowing WordPress to overwrite its own files, so automatic update works. Well, not really automatic actually. Semi-automatic, since you actually have to trigger something to continue the update.

Thanks jer for the hint. ;)
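
The exposure that the recursive chown creates can be measured on an install. The following is an added example, not part of the original post: a small POSIX shell audit that counts the PHP files the web server account owns and can rewrite, and lists the top-level dotfiles (such as .htaccess) that the * glob in the chown command never matched. The function names are hypothetical, and www-data is assumed as the web user, as in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are
# hypothetical; www-data is the web server account named in the post.

# Count regular files under $1 owned by user $2 (name or numeric uid)
# that have the owner write bit set and match the name pattern $3.
count_owned_writable() {
    find "$1" -type f -user "$2" -perm -200 -name "$3" | wc -l | tr -d ' '
}

# Same count for PHP files, skipping wp-content/uploads. These are the
# code files a plugin running as the web user could overwrite.
code_outside_uploads() {
    find "$1" -path '*/wp-content/uploads' -prune -o \
        -type f -user "$2" -perm -200 -name '*.php' -print |
        wc -l | tr -d ' '
}

# Top-level dot entries (for example .htaccess). The shell glob in
# "chown -R user *" does not match them, so their owner was not changed.
skipped_by_glob() {
    for entry in "$1"/.[!.]* "$1"/..?*; do
        if [ -e "$entry" ]; then
            printf '%s\n' "${entry##*/}"
        fi
    done
}

# Print a short report for a WordPress directory.
audit() {
    dir=$1
    user=${2:-www-data}
    echo "PHP files writable by $user: $(count_owned_writable "$dir" "$user" '*.php')"
    echo "  of which outside uploads: $(code_outside_uploads "$dir" "$user")"
    echo "Top-level dotfiles missed by '*':"
    skipped_by_glob "$dir" | sed 's/^/  /'
}

# Usage: sh audit.sh /path/to/wordpress [web-user]
if [ "$#" -ge 1 ]; then
    audit "$@"
fi
```

A non-zero count outside uploads after an update has finished means core and plugin code is still rewritable by anything running as the web user; handing those files back to a non-web account until the next update narrows that.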

 

WordPress starts WordPress.tv.

On WordPress.tv, you’ll find tutorials for both WordPress self-installs and WordPress.com to help you get blogging fast and hassle-free. We’ve kicked things off with the basics — now you can shape what comes next. Just drop us a line and let us know what you’d like to see added. (Source: WordPress blog)

This is like a screencast on how to use the WordPress blogging platform. I think it’s great for new users when WordPress features aren’t entirely obvious.

 
