All In One SEO Plugin in 2024: Avoid it like the plague

I updated the All In One SEO Plugin on this website today. The next thing I knew, I had two new plugins installed for me, the Monsterinsights and some sort of opt-in plugin called Optinmonster.

Yeet!

I deleted all that shit faster than you can throw a watermelon off an overpass. After googling around a bit to figure out what had happened, I discovered this post that keyed me in to what was going on:

MonsterInsights is Auto-installed
https://wordpress.org/support/topic/monsterinsights-is-auto-installed/

This is a terrible practice I hope no other WordPress plugin developers emulate. If you do, I hope the community shames you into reconsidering your ways.

Why is this so bad? Let me enumerate the ways:

Installing one plugin should never, EVER install more plugins without making the person aware that this is happening! It’s bad form, it’s stealing a website’s resources, it’s stealing screen real estate, it’s introducing unknown risk, and it broadens your website’s threat profile without telling you.

Then you get all these banners asking you to set up all these paid connections for these plugins to work. Bad form, again!

The Kicker

To top it all off, after walking through the All In One SEO setup steps, I found an email waiting for me moments later:

I did not opt in for this! This egregious action is most certainly in violation of the US CAN-SPAM laws. I can’t wait to report them. In fact, I will go do that now.

Ok, I feel a little better now.

If you offer a plugin for people to use, you should never assume they want MORE plugins installed, and never grab their email address from their WordPress settings to sign them up for ANYTHING outside of the plugin they installed.

Using IFTTT to connect Reddit to Discord

I spent far too long this morning trying to get posts from a particular subreddit to show up in a particular channel on a Discord server I belong to. There was a lot of bad and wrong information out there on how to do this, and finding the correct way took me down many incorrect pathways.

The goal here is to set up the workflow like this:

Reddit post in /r/yoursubreddit > IFTTT applet > Discord webhook > posted to your Discord channel

Essentially, the Discord webhook is a very simple Discord bot that is fed content by IFTTT when someone posts to the subreddit of interest. The webhook takes that content and feeds it to the channel you desire.

For the record, this is the way to do it.

Prerequisites

  • A sufficient user role to edit the channel settings on Discord of the channel you want to post your Reddit content to.
  • Webhooks capability enabled for your Discord user role *and* for the channel you want to use. See here for more info on how to enable Webhooks.
  • An If This Then That (IFTTT) account.
  • Optional: an image/icon for the webhook. This will show up for the account that will be posting the Reddit post to your Discord channel. I used this one.

The Setup

Let me preface this by saying that these instructions were created using the desktop version of Discord and a desktop web browser. It may be a little more tricky on mobile, and what you see may be a little different, but perhaps not.

Create a webhook for your Discord Channel.

1. Go to the Discord channel you want to use and click the gear icon to Edit Channel:

2. Click Webhooks in the left-side menu, then click the blue Create Webhook button on the right.

3. Give your webhook bot a name such as “Reddit post bot” and select the channel you are having it post to.

4. This is where you can optionally upload an icon for this bot. This will show up as the user icon when this bot posts to Discord.

5. Copy the Webhook URL, or keep it handy, so that you can paste it elsewhere in a few steps.

6. Click Save.

Create an IFTTT recipe

8. Open your IFTTT account, go to My Applets, then click New Applet.

9. Click the blue “+this” to add the first action.

10. Use “Search services” to search for Reddit, and choose the “Any new post in subreddit” trigger.

11. For the “Subreddit” field, enter the subreddit you want to use without the “/r/” in front of it. For example:

12. Click Create Trigger.

13. Now you should see something like the following:

Click the “+that” link.

14. This time, under “Search services,” search for “webhooks.” Select the result and click “Make a web request.”

15. Now you can paste the Webhook URL you created in Step 5 above into the URL field here.

16. For “Method” choose POST and for Application Type choose “application/json”.

17. Here’s the crucial part. Under “Body” copy and paste this entire line of json code exactly as-is EXCEPT, change YOUR BOT’S NAME to the name you want to give this bot (such as “Reddit Feed Bot” or “Fred”):

{ "username":"YOUR BOT'S NAME", "content":"I have received a new post!", "embeds":[{ "title" : "{{PostURL}}", "author": { "name": "'{{Title}}' by {{Author}}" }, "description" : "{{PostedAt}}", "url" : "{{PostURL}}" }] }

Optionally, you can change the “I have received a new post!” text to anything you want to show up any time there is a new post to Discord from this bot. Leave all the rest of the code as-is.

18. Click Save.

That’s it! Any new posts in the subreddit you chose should now show up in the Discord channel you chose. Keep in mind that it isn’t instant. It usually takes about 15 to 30 minutes for new posts to show up for me, for whatever reason. If anyone knows how to speed that up, please feel free to post the solution in the comments section below.
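One thing the hand-pasted body from step 17 cannot cope with is a post title containing a double quote: when the ingredient is substituted as plain text, the JSON becomes invalid and the request fails. The following is an added example, not part of the original post: it builds the same payload with JSON.stringify instead, shows the breakage, and sends to a webhook URL read from a DISCORD_WEBHOOK_URL environment variable (the sample post and the URL pattern are assumptions).

```javascript
// Constructed sample of the ingredients IFTTT's Reddit trigger supplies (not a real post).
const SAMPLE_POST = {
  Title: 'Anyone tried the "new" webhook setup?',
  Author: "example_user",
  PostURL: "https://www.reddit.com/r/yoursubreddit/comments/abc123/example/",
  PostedAt: "February 10, 2024 at 09:15AM",
};

// The body from step 17, with the ingredient placeholders left in place.
const TEMPLATE = '{ "username":"Reddit Feed Bot", "content":"I have received a new post!", '
  + '"embeds":[{ "title" : "{{PostURL}}", "author": { "name": "\'{{Title}}\' by {{Author}}" }, '
  + '"description" : "{{PostedAt}}", "url" : "{{PostURL}}" }] }';

function naiveBody(post) {
  // Plain text substitution, with no escaping of the inserted values.
  return Object.entries(post).reduce((body, [k, v]) => body.split(`{{${k}}}`).join(v), TEMPLATE);
}

function isValidJson(text) {
  try { JSON.parse(text); return true; } catch { return false; }
}

function buildPayload(post, botName = "Reddit Feed Bot", content = "I have received a new post!") {
  // Discord caps embed title and author name at 256 characters; clip rather than fail.
  const clip = (s, n) => (s.length > n ? s.slice(0, n - 3) + "..." : s);
  return {
    username: botName,
    content,
    embeds: [{
      title: clip(post.PostURL, 256),
      author: { name: clip(`'${post.Title}' by ${post.Author}`, 256) },
      description: post.PostedAt,
      url: post.PostURL,
    }],
  };
}

// Assumed shape of a Discord webhook URL. The URL is a bearer secret: anyone holding it
// can post to the channel, so keep it out of source control and only ever send it to Discord.
const WEBHOOK_RE = /^https:\/\/discord\.com\/api\/webhooks\/\d+\/[\w-]+$/;

async function send(webhookUrl, post) {
  if (!WEBHOOK_RE.test(webhookUrl)) throw new Error("not a Discord webhook URL");
  const res = await fetch(webhookUrl, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(buildPayload(post)),
  });
  return res.status; // Discord answers 204 No Content on success
}

if (process.env.DISCORD_WEBHOOK_URL) {
  send(process.env.DISCORD_WEBHOOK_URL, SAMPLE_POST).then(console.log);
}
```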

Enjoy!

Speaking at Drupal Camp Asheville

I will be doing a talk on Drupal and Security at this year’s Drupal Camp Asheville. I will cover some security best practices for Drupal developers, how to avoid certain Drupal-specific security gotchas, some lessons learned in keeping Drupal sites secure, and some handy tidbits you can use to prevent the bad people from ruining things.

The times for the various speaker sessions haven’t been announced yet, but stay tuned. I hope to see you all there!

#dcavl

A jQuery 1.x vulnerability exists and no fix is planned

I haven’t seen much talk about this issue around the Internet, so I thought I’d present what I’ve learned for others to be aware of. It mainly has to do with the fact that jQuery 1.x (and 2.x, for that matter) were replaced by 3.x, yet they are still thriving in many, many projects, applications, and websites to this day.

While doing a security review of some code the other day, a retirejs scan informed me that jQuery 1.x contained a medium-severity vulnerability regarding cross-domain requests in ajax. According to Snyk:

“Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option causing text/javascript responses to be executed.

Remediation: Upgrade jquery to version 3.0.0 or higher.”

“Upgrading to 3.0.0 or higher seems pretty drastic,” I thought to myself. Well, according to a comment I found on jQuery’s GitHub page, this is actually their stance, and they don’t plan on patching 1.x because it is a ‘breaking change’:

https://github.com/jquery/jquery/issues/2432#issuecomment-290983196

So it would behoove you to upgrade to jQuery 3 if you don’t want to be susceptible to this vulnerability. The magnitude of that may seem rather staggering if you consider all the projects across just about everything (WordPress plugins, Drupal modules, etc etc) that bundle the 1.x version of jQuery, and haven’t updated it in years.

While the vulnerability may not be relevant if you are not making cross-domain ajax calls, this is but one risk that has come to light for which there will be no fix. And it’s not exactly reasonable to assume that developers know they need to avoid that if they intend to use jQuery 1.x.

The longer jQuery 1.x sits in your project, the higher a risk it becomes.
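For a code base that cannot move to jQuery 3 yet, the practical mitigation is to make sure every cross-origin $.ajax call declares its dataType, since the problem is jQuery 1.x/2.x inferring “script” from a text/javascript response and evaluating it. The following is an added example, not from the original post or the jQuery project: a wrapper that fails closed on undeclared cross-origin requests and neutralises the “text script” converter jQuery uses for that evaluation (the page origin is an assumption).

```javascript
const PAGE_ORIGIN = "https://www.example.com"; // assumed origin of the page making the call

function isCrossOrigin(url, pageOrigin = PAGE_ORIGIN) {
  // Relative URLs resolve against the page and are therefore same-origin.
  return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
}

function hardenAjaxOptions(options, pageOrigin = PAGE_ORIGIN) {
  const opts = Object.assign({}, options);
  if (!isCrossOrigin(opts.url, pageOrigin)) return opts;
  // Explicitly asking for script execution is a deliberate choice; leave it alone.
  if (opts.dataType === "script" || opts.dataType === "jsonp") return opts;
  if (!opts.dataType) {
    // Fail closed: the developer must state what the response is (json, text, xml, ...).
    throw new Error(`cross-origin request to ${opts.url} must set dataType`);
  }
  // Belt and braces: jQuery 1.x maps a text/javascript Content-Type to the
  // "text script" converter, which calls globalEval. Replace it so the body is
  // only ever handed back as a string.
  opts.converters = Object.assign({}, opts.converters, { "text script": (text) => text });
  return opts;
}

// Drop-in replacement for $.ajax(options) in a jQuery 1.x/2.x code base.
function safeAjax($, options) {
  return $.ajax(hardenAjaxOptions(options));
}
```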

As the impending OWASP Top-10 for 2017 says, “Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.”

Long story short: Keep your bundled libraries up to date!

Are You Putting Your WordPress Site at Risk?

WordPress as a platform has been a solid, secure application over the years. The few times a vulnerability has been found, the WP team has been super-fast to patch it, publicize it, and take care of business.

That said, there are two major areas where WordPress is weak on security:

1. Plugins

2. Administrators

There are so many plugins for WordPress, which is part of what makes it so great. However, those plugins can also present attack vectors, and we see evidence of this almost every day.

It was just revealed that most WP users have very little understanding of the risk they are lending to their own websites. Not updating plugins, not updating WP itself, and not doing backups, are the most easily fixed things that people tend to not do.

This puts WP websites at risk, lets them get hacked, and gives WordPress as a whole a bad rap.

The survey of 503 WordPress users, which took place online during February this year, revealed that WordPress users are more exposed to security problems than expected. In total, 54 percent of respondents said they updated WordPress between once a week and every few weeks, and yet only 24 percent back their websites up — and only 23 percent have received training in the use of tools such as backup plugins.

ZDNet

On that note, I thought I’d mention that the most popular SEO plugin for WordPress, Yoast’s WP SEO, has a new, major vulnerability in it. GO UPDATE!

Snagit Charges for “Upgrade”

Look! This pig has lipstick.

I am completely fine with paying for software that I really like and that serves a purpose for me. However, if you are a software company that is going to use the ‘paid upgrade’ model of charging customers to upgrade to the next major version of your product, make sure the next major version contains new features worth paying for.

In the case of TechSmith’s Snagit, they have failed to provide anything of real value in their latest release (version 3.0 for Mac, or 12.0 for Windows), yet they are asking for $24.95 to upgrade to the latest version.

I paid for version 2 of Snagit for my Mac (that’s version 11 for you Windows users), and I really enjoyed using it. It became a tool in my arsenal that I relied heavily upon for doing quick screen shots and adding text, notes, arrows, and more.

Then one day a couple of weeks ago the updater ran and I was suddenly looking at a trial version of Snagit 3.0. And it said it was going to expire unless I paid the discounted upgrade fee of $24.95.

Aggravated, I hoped to have my mood changed and be wowed by version 3.0. So I tested it out for a few days. I quickly found that it had a nicer look and feel about it, but other than that, there were no noticeable enhancements or actual upgrades to the product. It was the same product with about one new feature related to the video clipping tool — something I could care less about. And that new feature was only a new arrow selector of some sort. Not impressed.

Jason Eagleston, the “Snagit Product Owner” at TechSmith even admits in their self-congratulatory release video that “with this release we had a focus on updating the way Snagit looks and feels, partially to bring that consistency across all the Techsmith things that you are going to interact with, but ultimately it’s only focused on getting your content to be the most prominent thing on the screen.”

Hmm…I only interact with one Techsmith product, so why should this be a feature worth paying for? And how is it not the most prominent thing on my screen if I’m currently using it in the first place?

A couple of more employees in the video go on to talk about how much nicer the product will be to use, and that they really wanted people to feel like they were using something current and not outdated. So it really isn’t about an upgrade, it’s about a change of clothes.

The whole video is about them admitting that their product didn’t look that great, so they spent a lot of effort making it look better (or “flatter,” as they say in the video, which is supposed to be something we should like), and now they want their customers to pay for that. No real tool enhancements or additions, just a subjective improvement to the design. For $24.95? No thanks.

For those of you looking for a free alternative to Snagit, check out Skitch. With or without Evernote, it’s a nice tool that does just about everything Snagit does for screen capturing.

Photo by Darin Barry

Time To Abandon Social Sharing Icons?

After reading the following article, I realized that I too have witnessed social media sharing icons on many a website never gain any traction. It is as if they are completely ignored. I went on and removed them on this website moments ago.

Why I’m Done with Social Media Buttons

As someone mentions in the article’s comments section, there are certain instances where social sharing buttons are a good idea, and you should definitely make them look nice and work well when they are useful. However, sticking them at the end of every blog post just because some SEO-grading web tool says you should is not necessarily a good plan, based on the evidence.

Keep in mind, I’m referring to sharing icons, not follow-me icons (those which take visitors to your social media page).

Free Stock Photos: Many Resources

Thanks to a thread over on Reddit, I have discovered a world of free, use-for-anything stock photography resources. They range from websites where you can sign up for free photos to be delivered via email to those where you can search and browse, and they all tend to not be very crappy!

While I’m not a fan of smiling faces on websites because of the impersonal feeling, and the fact that Google might soon penalize you for using stock photography, I do like the idea of having free resources available which can be used for compiling visuals that help narrate a story on your website. The following links are full of such images, and much more.

Disclaimer: Always read the fine print, just in case, to make sure you are allowed to use the image you are downloading without attribution or payment! Whenever possible, it’s still a good gesture to give credit where credit is due, even if you don’t have to legally.

Google Image Search for Commercial Reuse

Contrary to popular belief, you cannot search Google Images and simply use any photo you find in your project. This specially crafted search, however, produces images that are OK for commercial use and modification:
Google commercial reuse image search

Note: It is possible for images found here to have been reposted by someone who copied them from the original source. Just because you find it on Google Image search for commercial use doesn’t mean it’s absolutely OK to use without proper credit/compensation.

Flickr

Similar to the above Google Images search, you can browse Flickr using a similar technique:
Flickr Creative Commons license photo search

IM Free

This site lets you search a collection of curated photos for commercial use:
http://imcreator.com/free

Gratis Photography

While not easily searchable, there are some great photos on this website.
http://www.gratisography.com/

Photo Pin

Here you can search for “free photos for bloggers and creatives”. Enough said.
http://photopin.com/

Creative Commons Search

“Find content that you can share, use and remix.” Just make sure you leave checked the checkboxes for ‘commercial purposes’ and ‘modify, adapt…’
http://search.creativecommons.org/

New Old Stock

Some amazing photos from times gone by, this site pulls from the public archives.
http://nos.twnsnd.co/

Pic Jumbo

Another site with free photos for your use.
http://picjumbo.com/

SplitShire

This fellow asks for attribution or a donation for coffee via his website if you want to use the photos he offers. He has some great images that would be well worth it.
http://splitshire.com/

Pixabay

A repository for free public domain images.
http://pixabay.com/

Little Visuals

You can sign up via email to get 7 free images delivered to your inbox so that you can start building your own library of stock photography.
http://littlevisuals.co/

Unsplash

Similar to Little Visuals, except that this site sends you 10 photos a day. They all tend to be on the awesome side of great.
http://unsplash.com/

Fin

Speaking of free coffee, if you enjoyed this blog post and would like to see more like it, send me a little donation!

WordPress and jQuery issues

First, I don’t remember where I found this along the way, but this is a smart and efficient way to include jQuery in your WordPress themes. Just add this to your theme’s functions.php file:

// ADDING JQUERY
add_action( 'init', 'jquery_register' );
add_filter( 'script_loader_src', 'jquery_unversion' );

function jquery_register() {
    // Only swap jQuery on the front end; leave the admin's bundled copy alone.
    if ( ! is_admin() ) {
        wp_deregister_script( 'jquery' );
        // Note: this pulls the latest 1.x release over plain HTTP. On a site served
        // over TLS use an https:// URL (and pin an exact version) to avoid mixed content.
        wp_register_script( 'jquery', 'http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js', array(), '1.x', false );
        wp_enqueue_script( 'jquery' );
    }
}

// remove version tag to improve cache compatibility
function jquery_unversion( $src ) {
    // strpos() returns 0 for a match at the start of the string, so compare against false.
    if ( strpos( $src, 'ajax.googleapis.com' ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}

Now, the issue I have been having is that when I try to add my own jQuery scripts or functions in my theme’s header.php file, I always get this error:

“$ is not a function”

What?  Yes it is, dammit!

Turns out WordPress reserves the $ character (it loads jQuery in noConflict mode), so you have to rename every occurrence of $ to ‘jQuery’. Example:

Before

<script type="text/javascript">
$(document).ready(function() {
    $('.slideshow').cycle({
        fx: 'fade',
        timeout: 4000,
        speed: 2000
    });
});
</script>

After

<script type="text/javascript">
jQuery(document).ready(function() {
    jQuery('.slideshow').cycle({
        fx: 'fade',
        timeout: 4000,
        speed: 2000
    });
});
</script>

Hope that saves someone the hours of frustration I have had with this.
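Renaming every $ by hand is tedious in a theme with many scripts. The following is an added example, not part of the original post: a small checker you can run over a theme’s script bodies to find bare $( calls that will throw “$ is not a function” under WordPress’s noConflict jQuery, plus the usual wrapper that keeps $ as a local alias instead of renaming each call. The Before/After snippets below are the ones from this post, reconstructed as constructed input.

```javascript
// Matches a bare "$(" call, but not "$foo(", "obj.$(" or "jQuery(".
const BARE_DOLLAR = /(^|[^\w$.])\$\s*\(/;

// Idioms that make $ available locally, so bare $ inside them is fine.
const ALIAS_WRAPPERS = [
  /\(\s*function\s*\(\s*\$\s*\)/,            // (function($){ ... })(jQuery);
  /jQuery\s*\(\s*function\s*\(\s*\$\s*\)/,   // jQuery(function($){ ... });
  /\.ready\s*\(\s*function\s*\(\s*\$\s*\)/,  // jQuery(document).ready(function($){ ... });
  /\$\s*=\s*jQuery\b/,                       // var $ = jQuery;
];

// Returns the 1-based line numbers (with text) of bare $ calls that would fail.
function findBareDollar(source) {
  if (ALIAS_WRAPPERS.some((re) => re.test(source))) return [];
  const hits = [];
  source.split("\n").forEach((line, i) => {
    if (BARE_DOLLAR.test(line)) hits.push({ line: i + 1, text: line.trim() });
  });
  return hits;
}

// Wraps a script body (the code between the <script> tags, not the tags themselves)
// so that $ is a local alias of jQuery and no renaming is needed.
function wrapForNoConflict(body) {
  return "jQuery(function($) {\n" + body + "\n});";
}

// Constructed samples: the Before and After snippets from this post.
const BEFORE = [
  "$(document).ready(function() {",
  "    $('.slideshow').cycle({",
  "        fx: 'fade',",
  "        timeout: 4000,",
  "        speed: 2000",
  "    });",
  "});",
].join("\n");

const AFTER = BEFORE.replace(/\$\(/g, "jQuery(");
```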
