Category Archives: WordPress

Articles and Books WordPress

20 Rules of Capitalization

Yesterday, I wrote an article on technical writing. Today, I’m laying out a few basic rules regarding when to capitalize things. This is pretty straightforward, but I find it helps to remember the rules if they are laid out in a basic way. These things should have their first character capitalized:

  1. The first letter of a sentence. This includes a quoted sentence inside a sentence but not a phrase within a sentence. This also includes the first letter of a terminal command when a sentence starts with a command, although I try to restructure those sentences when they come up as it’s not a hard thing to do.
  2. The letter I.
  3. Titles. The first letter of each word in the title of a book, movie, poem, song, article, newspaper/magazine article or work of art should be capitalized. This includes when the title starts with a word such as Of, A, The, And, etc., but not when those words are in the middle of a title. Titles can also include specific course titles (such as when there’s a number attached). In a compound title, each word that would otherwise be capitalized is capitalized and each word that would not be is not.
  4. The names of people. Each word in a person’s name should always be capitalized. So should honorary titles and the titles of high-ranking officials when they precede a name, such as President or Doctor, as well as abbreviated titles such as Mr. and Mrs. However, when those titles are used without a specific person attached they don’t need capitalization (although if you’re addressing someone by their title, that should be capitalized). Titles that occur after a name do not require capitalization. Additionally, the name of a relative used as a proper noun should be capitalized.
  5. Gods, religious figures and holy works should be capitalized, although when describing a group of gods you need only capitalize the region or name of the pantheon and not the non-specific use of the word gods.
  6. The names of schools. This includes any educational institution, not just a college and university. Also, the name of a degree.
  7. Places. This includes bodies of water: a specific river, lake, etc. As with the names of people, if you don’t use the name of the specific lake but just the word, you don’t need to capitalize it. A place can also be a mountain or building. Specific buildings, monuments, mountains, hills, volcanoes, etc. should have their first letters capitalized. Specific street names also have the first letter of each word capitalized. Also note that planets always start with a capital letter.
  8. Specific flags.
  9. Regions. When discussing the Midwest, Sun Belt or South as a noun, those should be capitalized. However, when using those words as adjectives they don’t need to be. A country, county, city or other region should also have its first character capitalized. I’ve always felt, though, that a region, unless it’s a specific place, should have to earn the capitalization, and it’s worth noting that Big 10/midwestern football just isn’t what it used to be… Also note that you should capitalize directions that are part of names but not directions that refer to a compass heading. Capitalize countries, languages and nationalities.
  10. Times. Days of the week, months and holidays. Seasons when used in a title, but not when used generally.
  11. Periods and events, except century numbers that are spelled out.
  12. Trademarked names. One thing I try to avoid here is using a trademarked name in writing as a verb, even if that word has become commonplace. For example, while you frequently hear people say to Xerox something I would change that to make a copy of something.
  13. Groups and organized bodies. Athletic, civic, national, political, and racial groups should be capitalized. This includes the name of a court and some other government terms, including Administration when describing a president’s administration, Cabinet when describing that of a president or prime minister and Federal when referring to the government of a country.
  14. Lists. If the first word of any bullet or item in a numbered list is capitalized then all should be, including directions. If two or more sentences follow a colon (not one sentence) then the first word of each should be capitalized; however, if there are items after a colon that are not sentences they do not require capitalization unless another rule requires it.
  15. The first word of salutations and complementary closings.
  16. Words derived from proper nouns.
  17. Initials, initialisms, initials with names and acronyms (unless in commands where the acronym is the command as you’re actually writing the name of the command). Acronyms include the call letters of television and radio stations.
  18. Any character in text that you quote should be capitalized exactly as it appears (although if all words begin with a capitalized character then you don’t need to quote the string).
  19. The first word of each line of poetry, unless the poem you are quoting does not capitalize it.
  20. When shouting using the written word one can capitalize each letter of the word to add inflection; however, this is not necessarily proper nor a rule, simply commonplace.

Finally, it’s worth mentioning that writing such as this is a blog. While I don’t like that word, I find that such writing typically allows the writer a certain amount of flexibility with regard to grammatical rules (for better or worse). This could be due to the fact that much of what’s written is done in the middle of the night. While this isn’t an excuse to use poor grammar, it does tend to mean a less stringent editorial process over the grammar used. In other words, read/use the content at your own risk. :)

Note: At the request of my readers I’d be happy to write a follow-up article on when to capitalize assets, but I might have to bust out some of my books from Accounting 101 in college to do so!

Mac OS X Server Ubuntu Unix WordPress

WordPress Site Stuck In Maintenance Mode

When doing updates in WordPress, upgrading the WordPress version or the plug-ins causes the site to enter Maintenance Mode. While in Maintenance Mode, a message that says "Briefly unavailable for scheduled maintenance. Check back in a minute." appears rather than the actual site. Sometimes, especially if you’re using the automatic updating functions, an update might fail and the site may be stuck in Maintenance Mode.

WordPress looks at the root level of the install directory for a hidden file that tells the site to operate in a different manner. If there’s a file called ".maintenance" then the site displays the message above. When an update of a plug-in fails partway through, the .maintenance file is never deleted and the site is stuck in Maintenance Mode. To correct the error, connect to the root of the site (over SFTP or an SSH shell rather than plain FTP, since you are typing credentials for the server that hosts the site) and delete the file. It’s hidden, so make sure your file transfer software isn’t suppressing the ability to see hidden files.

Whatever Plug-in or update failed likely also broke something. Usually, if it’s a Plug-in then you’ll need to re-install that plug-in, as the update process removes the old Plug-in and then adds it back. If it’s a Theme, you might need to re-install the Theme.

Programmatically, you can also enable Maintenance Mode by creating this file and then disable it by deleting (or renaming) the file again. Two caveats. First, the file is a PHP snippet: the updater writes it as "<?php $upgrading = <unix timestamp>; ?>", and WordPress ignores the file once that timestamp is more than ten minutes old, so a hand-made copy needs a current timestamp and will expire on its own. Second, because WordPress includes the file as PHP, treat it as code: it should be owned and writable only by the account that performs updates.
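The following is an added example, not code from the original post or from WordPress itself. It reads the .maintenance file the core updater leaves behind, classifies it as active, expired or malformed, clears it only when it is stale, and enters maintenance mode the same way the updater does. It assumes the site root is passed as an argument and that the file uses the updater's "<?php $upgrading = <unix timestamp>; ?>" format.

```shell
#!/bin/sh
# Added example; not code from the original post or from WordPress.
# Inspect, clear, enter and leave WordPress maintenance mode by hand.
# Assumption: ROOT/.maintenance uses the core updater's format
#   <?php $upgrading = 1357980847; ?>

# Print the $upgrading timestamp stored in ROOT/.maintenance (empty if unparsable).
maintenance_timestamp() {
  sed -n 's/.*\$upgrading *= *\([0-9][0-9]*\).*/\1/p' "$1/.maintenance" | head -n 1
}

# Classify ROOT as none | active | expired | malformed.
# WordPress stops honouring the file once the timestamp is 600 seconds old,
# so "expired" means visitors already see the normal site and the file is litter.
maintenance_status() {
  root=$1
  [ -f "$root/.maintenance" ] || { echo none; return 0; }
  ts=$(maintenance_timestamp "$root")
  [ -n "$ts" ] || { echo malformed; return 0; }
  age=$(( $(date +%s) - ts ))
  if [ "$age" -lt 600 ]; then echo active; else echo expired; fi
}

# Enter maintenance mode exactly the way the updater writes it.
enter_maintenance() {
  printf '<?php $upgrading = %s; ?>\n' "$(date +%s)" > "$1/.maintenance"
}

# Leave maintenance mode: this is the step a failed update skips.
leave_maintenance() {
  rm -f "$1/.maintenance"
}

# Clear the file only if it is stale or unparsable. An active window may
# belong to an update that is still running, so leave that one alone.
clear_if_stale() {
  case $(maintenance_status "$1") in
    expired|malformed) leave_maintenance "$1"; echo cleared ;;
    active) echo "update still in progress, not touching it" ;;
    none) echo "no .maintenance file" ;;
  esac
}

# Usage: sh wp-maint.sh status|clear|enter|leave /var/www/wordpress
case ${1:-} in
  status) maintenance_status "$2" ;;
  clear)  clear_if_stale "$2" ;;
  enter)  enter_maintenance "$2" ;;
  leave)  leave_maintenance "$2" ;;
esac
```

Run it as the account that owns the install, not as root, so the file it creates keeps the ownership the updater expects.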

Mac OS X Mac OS X Server Mac Security sites WordPress

Vulnerability Scanning Web Servers Using Nikto On OS X

I’ve had a pretty easy time using Nikto over the years. Nikto is a security scanner specific to web servers. I did a post on Nessus recently, but Nessus is a tool for looking at any service running on a system and trying to find available vulnerabilities. Nikto can do many of the same things, but is specific to, and therefore more in depth for, web servers. This involves looking at things like CGI directories and robots.txt files as well. As with any scanner, only point it at servers you own or have written permission to test: it is noisy, and its requests look exactly like an attack in the target’s logs.

Nikto is written in Perl. In order to do everything Nikto can do there are a few Perl modules that need to be installed. But let’s look at one of the easiest implementations available for Nikto, which is Yang (short for Yet Another Nikto GUI), available on the OS X App Store. Yang is so easy that you can literally install the app, type a domain name and hit Start. Yang also bundles the latest release of Nikto. Let’s look at what a basic scanning process looks like. To get started, open the App Store and search for Nikto. Yang appears, so click on Install next to the name of the app.

Once installed, click on Yang in LaunchPad to fire up the scanner (or open from /Applications). When Yang opens, click on the Preferences in the toolbar. Go through each of the options and choose the ones that make the most sense for each scan you run. Keep in mind that each box can increase or decrease the amount of time scans require or the output of the scan drastically. The author of the app was kind enough to include tool tips for the options, very helpful.

Click back on the Scan icon in the toolbar and enter the name of the site to scan in the “Website to analyze” field. Then click on Launch.

The scan then begins. This might take some time. And not “go get some coffee time” but more like, “go take a nap time.” While the scan is running, click on Logs in the toolbar. Here, you can see the exact command run against Nikto.

If you download Nikto from cirt.net you can use these exact commands, although there will be a little work getting the app up and running, defining config files, etc. If you want to do anything more involved (such as writing output for Metasploit) then you might end up needing to go ahead and install manually. But if you’re just interested in running some quick scans as sanity checks for deployed configurations, then this is a nice little tool that is a bit too nice to be free. Especially given that the author went ahead and built out Nikto with LibWhisker, SSL support and a few other goodies that aren’t required for a basic deployment. It’s also (IMHO) a really good example of putting a GUI wrapper around command line tools. I’ve played with a few other GUI overlays for Nikto and this one is by far the best one I’ve seen for OS X. Well worth the time to check it out!

sites WordPress

Comments On krypted.com

Comments on this site have been a pain since I enabled them about 2 1/2 years ago. I believe I enabled them due to something some judgmental person said when they couldn’t comment on an article I had written. During the first year, there was a lot of fine tuning the spam blocking to try and keep out the spammy crap. That continues to be a work in progress, but it seems to be in pretty good shape.

During those couple of years I ended up racking up a queue of about 7,000 in the spam category and another 2,000+ in the pending category (which meant I needed to deal with them). I was dealing with comments every day, but I’d miss a few and it built up over the course of a couple of years. Tonight, I either addressed or cleared out all but 17. My database is much happier. The 17 remaining are thoughtful questions and require thoughtful answers, so I’ll get to them when I have time to provide such an answer.

In the meantime, note that now that it’s all cleaned up, if there are any comments, feel free to post and I should actually respond at this point… Sorry for being slow on those up ’till now.

WordPress

WordPress Lightbox Made Easy

I wasn’t very happy with how images were handled on krypted.com. Which is why I added a new plugin, http://wordpress.org/extend/plugins/wp-jquery-lightbox to provide more of a lightbox feel when you click on my images.


Many of my images are pretty large, so I make them a little smaller on the site so they fit well on the page. Now, when you click on images on the site, it greys out the rest of the page and zooms in on the image. I’ve tinkered with a lot of lightbox plugins, but this one makes me happy. You just install and activate and voilà, you’re done. It doesn’t get a lot easier than this and it’s a much better way than the default method for handling images in WordPress.

Mac OS X Server Ubuntu Unix WordPress

Get Your WordPress on with Ubuntu 10

Setting up and installing WordPress is pretty straightforward. That’s not to say it’s not going to take a little work to go from 0 to 60 on a base Linux installation. But I’ll lay the work out for you so it’s not that tricky. Everything we’ll be doing requires elevated privileges, so put sudo in front of each command or run sudo bash before you get going.

First up, install Apache, as you’ll need a web server. I think the base apache2 config is pretty straightforward out of the box:

apt-get install apache2

During installation you will be asked to type y to continue. Do that and it will finish with no major issues. Next up, install MySQL, php5, php5-mysql and phpmyadmin. We can use apt-get to knock all this out at once. Note that phpmyadmin is only a convenience for creating the database below; it puts a database administration interface on a public web server, so remove it (apt-get remove phpmyadmin) once you are done with it:

apt-get install mysql-server-5.1 php5 php5-mysql phpmyadmin

Again, you will be asked to choose whether to proceed, type y and hit enter. The next few steps will change according to versions, but for now, you’ll then be asked for a password for the MySQL root user. Provide that password and then tab to the OK button. You’ll then be asked to select which web server you are using. Assuming you did the apache2 install previously, choose Apache and then tab to the OK dialog. Then you will be asked to provide the MySQL password. This will be the password you typed earlier.

You’ll then be prompted for a phpmyadmin password, which will be a password to access phpmyadmin’s web interface. Once the installation is done, you should have a fully functional LAMP environment. I like to reboot and check syslog afterwards just to make sure that everything is in working order and not reporting any major malfunctions.

Next up, we will need to create the MySQL user and database that WordPress will use. To do so, log into phpmyadmin using a URL that begins with http:// followed by the address of your server and finally /phpmyadmin. For example, if your server is at 192.168.210.200 then the address would be http://192.168.210.200/phpmyadmin. You will be asked to authenticate; log in as the MySQL root user with the password you set when mysql-server was installed (the phpmyadmin password from the previous step belongs to phpmyadmin’s own control user, which cannot create other users). Once you have authenticated, click on the Privileges tab and then click on the Add a new user link.

You will then be asked to provide a username and password for the user you are creating, define what addresses that user can log in from (if you have multiple front-end servers you probably aren’t using this post to install WordPress, so you might as well limit it to localhost) and, most importantly, you have a radio button for “Create database with same name and grant all privileges”. If you use this option then both the user and the database are created in one step, and the grant is scoped to that one database rather than to the whole server, which is exactly what you want. I used wordpress as my username in the example.

Once you have all the services installed and the MySQL user and database set up, you’re ready to install WordPress. I like to cd into /var/www and then wget latest.zip, which always has the latest version of WordPress. Prefer https://wordpress.org/latest.zip where your wget supports it, and compare the download against the published hash at https://wordpress.org/latest.zip.sha1 before unpacking it:

wget http://wordpress.org/latest.zip

Then you want to unzip that (the unzip command is built into Ubuntu 10):

unzip latest.zip

This will extract the wordpress folder into /var/www. Then make sure your admin user owns it (mine is, oddly enough, called cedge). The web server only needs to read the files, and wp-config.php in particular should not be world-readable once it holds your database password:

chown -R cedge:users wordpress

Now cd into the wordpress directory:

cd wordpress

Make a copy of the main configuration template called wp-config.php:

cp wp-config-sample.php wp-config.php

And then let’s edit that new file (vi, nano, tapping directly into the Matrix, or whatever you like), looking for DB_NAME, DB_USER, DB_PASSWORD and DB_HOST. In these respective fields, put the name of the database (wordpress in this example), the username with rights to that database (wordpress again in this example), the password for the database (whatever you provided in phpmyadmin’s web interface for your new user) and the IP or hostname of the database server (let’s assume 127.0.0.1 if the database and web servers are the same).

Scroll down a little further until you see the Authentication Unique Keys: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY. You’ll want to visit the WordPress secret key generator at https://api.wordpress.org/secret-key/1.1/salt to get your keys. Then simply cut/copy/paste the whole section, commenting out the existing lines or pasting the contents of each line over the line it is replacing. Once that is done, save your changes to the file and exit your text editor. Now visit the address of the site followed by /wordpress (i.e. http://www.krypted.com/wordpress). You’ll then be able to set up WordPress for the first time.

At the first login, you will see a screen prompting you to define a title for the site (your domain name is a pretty traditional title to use), the username you want to use to administer the site (i.e. admin), the password (i.e. according to the movie Hackers, god) and an administrative email address. Don’t actually use either of those: admin is the first username every brute-force bot tries, and a long, unique password is the only real defense for an account that can install arbitrary plug-ins. Here, you can also choose whether you want the site to be crawled by search engines. Once you’re happy with your settings, click on the Install WordPress button down at the bottom of the page.

Now you should be able to see your first post, create posts and use WordPress. That should have been pretty painless. If it were any more painless, then I fear the drivel that people would post… Anyway, if you want the webroot (www.krypted.com instead of www.krypted.com/wordpress) to be WordPress, then change the DocumentRoot directive in /etc/apache2/sites-enabled/000-default (or whichever site it is if you have multiple ones) from /var/www to /var/www/wordpress and reload Apache.

WordPress

WordPress and Spam Bots

There are a number of ways that you can protect your WordPress site from spam bots. The first is to only allow authenticated users to post comments. Doing so can still be a bit unwieldy, but this feature is built into WordPress and so is pretty straightforward to use. Some, who deal with large amounts of spam bots, then choose to completely disable the commenting feature outright (Settings -> Discussion -> uncheck Allow people to post comments on new articles), but comments can still be made on existing articles, and commentary is one of the best features of WordPress for many. To stop comments on older articles, also disable commenting on older articles (same page, but also choose the Automatically close comments on articles older than option as well).

No site should have to disable comments or bend to the will of a spam bot. You can also then choose (same page again) to email the administrator when a comment is made and then choose to not publish comments until the administrator approves them. But spam bots will still attack, and now you’ll just get a ton of junk email. So many will turn to plug-ins for WordPress. There are a few of those that I like a lot. One is called Invisible Defender. Invisible Defender adds a couple of fields that are suppressed using the style sheets. These invisible comment fields, because they’re not displayed to a browser should then never be filled out. Therefore, if a field is filled out, it had to have been done by a bot. Those comments are then automatically blocked.

Then there’s the ability to force a CAPTCHA (it shows you funny garbled letters and you type them into a verification field). A CAPTCHA on account creation means that all but the most sophisticated bots will fail. This additional verification that a visitor is a real human can then be bypassed for users of OpenID, Facebook and other services, using plug-ins that allow those users to be authenticated through the third party (typically requires a little theme customization).

Then there are the antispambee and akismet plug-ins, which look at the actual comments and attempt to determine which ones are spam. These make a good layer of defense but should not be the only layer used. Regrettably, any time you have user generated content on a web site you are going to have automated bots attempting to do a number of things, most likely sell black market pharmaceuticals and other items of questionable origin.

There are also bots that attempt to brute-force the login page of the WordPress admin (<DOMAIN>/wp-admin/ or <DOMAIN>/wp-login.php). These are defeated in an entirely different way. One of the best strategies is to lock out clients whose number of invalid attempts exceeds a threshold that you define; one plug-in that does this is Login LockDown. Another layer for protecting the administrative side of the site is to add an .htaccess file to provide an additional layer of security on top of WordPress, for example restricting wp-admin to known addresses or adding HTTP authentication in front of it. You can also change the URLs of your login page, which I usually use a plug-in called Stealth Login for; treat that as a way to cut log noise rather than as a security control, since the real login endpoint can still be found.
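The lockout idea above, applied after the fact to an Apache access log, as an added example that is not part of the original post or of any plug-in it names. A failed wp-login.php POST is answered with a 200 (WordPress re-renders the form with an error), while a successful one answers with a 302 redirect into wp-admin, so repeated POST+200 from one address is the brute-force signature. The log lines are constructed for the example and assume Apache's "combined" log format; the addresses and threshold are illustrative.

```shell
#!/bin/sh
# Added example; not from the original post or any plug-in it mentions.
# Find clients hammering wp-login.php in an Apache "combined" access log and
# turn them into .htaccess deny rules. Constructed sample data below.

# wp_login_failures THRESHOLD < access.log   ->   "ip count" per offender
# $6 is the quoted method, $7 the path, $9 the status code.
wp_login_failures() {
  awk -v threshold="$1" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= threshold) print ip, fails[ip] }
  ' | sort
}

# Offender list -> Apache 2.2 .htaccess lines for the wp-admin directory.
# (On Apache 2.4 the equivalent is "Require not ip ..." inside <RequireAll>.)
deny_rules() {
  while read -r ip count; do
    printf '# %s failed logins\nDeny from %s\n' "$count" "$ip"
  done
}

# Constructed sample: 10.0.0.5 fails four times (the GET is just loading the
# form), 192.0.2.10 mistypes once then succeeds, 198.51.100.7 posts a comment.
sample_log() {
  cat <<'EOF'
10.0.0.5 - - [12/Jan/2013:03:14:07 -0600] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2013:03:14:08 -0600] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2013:03:14:09 -0600] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2013:03:14:10 -0600] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2013:03:14:11 -0600] "GET /wp-login.php HTTP/1.1" 200 3702 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2013:08:02:41 -0600] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2013:08:02:55 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2013:09:30:00 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run on the sample:   sample_log | wp_login_failures 3 | deny_rules
# Against a real log:              wp_login_failures 10 < /var/log/apache2/access.log
```

The threshold is deliberately per-log rather than per-time-window; for a live lockout you want a window as well, which is what the plug-in does for you.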

Finally, I like to back up WordPress in an automated fashion. There are a lot of plug-ins to do this, but I’ve always used WordPress Database Backup. Why? Because it works every time I tested it. I haven’t even bothered to test a good backup and restore for another software package because WordPress Database Backup always works, backs up data to another server I have, and it hasn’t failed me yet. I always test the restores of data that I’m backing up and I recommend that you test this (mileage may vary) if you choose to put it into production as well (false senses of security are in many cases worse than no security).

sites WordPress

New Krypted.com

I just can’t help myself. Every now and then I get a bug up my butt to go messing around with Krypted.com. In this case, I was tired of looking at some broken elements on the page and the front end of the site in general (it just felt like something I might have built in college). I also needed to upgrade the site to the latest and greatest WordPress, and some of the plug-ins that I was using were broken in WordPress 3. And thus, the lightest version of the site that I think has ever gone up. The posts are all still there, so no change to the content, but a lot of stuff was removed and the site in general (I think) looks and navigates much better.

Hope you like, and thank you for continuing to come to the site and read my random meanderings!

Unix WordPress

Resetting a WordPress Password

Sometimes you can bite yourself a little when you experiment around with things. I installed a security plug-in and the next thing you know I couldn’t log into my own website. Ouch. Not a huge deal as it actually led to experimentation with the MySQL tables for WordPress, which oddly enough, I’ve typically just left well enough alone. But this I figured was gonna’ need to be updated eventually (although I relished the opportunity to get caught up on some stuff in the meantime). So first up, SSH into your box. Then fire up mysql:

mysql -u root -p

Turns out there’s a wp_users table in there (assuming the default wp_ table prefix; check $table_prefix in wp-config.php if you changed it). Select the database first (wordpress here; use whatever DB_NAME in wp-config.php says), then confirm the row for your user exists (replacing MYUSERNAME with your actual login name):

USE wordpress;
SELECT ID, user_login FROM wp_users WHERE user_login = 'MYUSERNAME';

Then the following (again assuming MYUSERNAME is the user and now substituting MYPASSWORD with the password you want to use). WordPress stores its own salted hash rather than a plain MD5, but it still accepts a 32-character MD5 value for backwards compatibility and replaces it with the proper hash the first time you log in with it, so this is a safe one-time shortcut. Pick a temporary password and change it from your profile page afterwards, since the statement is now sitting in ~/.mysql_history; on a newer install, wp user update MYUSERNAME --user_pass=... from WP-CLI does the same job without any SQL:

UPDATE wp_users SET user_pass = MD5('MYPASSWORD') WHERE user_login = 'MYUSERNAME';

And then voilà, I was back to writing the same old drivel once again. I had been really busy finishing off some chapters and so hadn’t bothered to figure it out. Now I’ll be back to it. Lucky you, right?!?!

WordPress

Integrating WordPress Comments with Facebook

In a constant search for comment nirvana for the sites I manage, I was recently looking into integrating WordPress (and a couple of other CMS engines) with Facebook. The sites are set up to only allow authenticated users to comment, and it just seemed like, with all of the single sign-on technology out there, it didn’t have to be so annoying. After installing the OpenID integration it seemed like there still had to be a better way to allow even more people to authenticate. How about Facebook?

Facebook has done a lot of work on making their API one of the best in the social networking world. The initial implementation of FBML was a little clunky (a client was an early adopter) but it proved to be one of the things that set them apart from the competition. And the API doesn’t just allow for embedding objects into Facebook, it allows for extending Facebook out as well. One of the best examples of this is for authentication.

Which brings us to actually making it work. The first thing to do is go grab an API key. To do so, visit http://www.facebook.com/developers/apps.php and click on Set Up New Application (or http://www.facebook.com/developers/createapp.php?version=new). Provide the domain name and any other required fields and out pops an API key and a secret. The API key will be exposed, but the secret acts as a password of sorts, much the same way many other key exchanges function. Copy these and do not give them out: the secret belongs only in the plug-in’s settings on the server, never in theme files or anything sent to the browser.

Once you have your key, go to your WordPress site and log into the admin page. From there, click on Plugins and then click on Add New. Search for WP-FacebookConnect. Install the one from Adam Hupp and then locate it in your sidebar (it will say Facebook Connect). Click on it and then provide the API Key and Secret and click on Update Options.

Now that the plugin is installed and configured, it’s time to add it to your theme. This part is a little more tricky than most, but it can be as simple as a single paste. Copy this into your clipboard:

<?php do_action('fbc_display_login_button') ?>

Now click on Appearance back in the sidebar and then click on Editor. In the Editor scroll towards the bottom (usually) and locate the form that takes in the comments, which likely begins with:

<div id="comment-form">

Now paste it in immediately above or somewhere inside the form, which means somewhere below the first line but above the following:

</div>

Once done, open one of your pages and you should see the Connect with your Facebook Account icon so you can authenticate using Facebook. You can also move the text around in the box by moving between areas in the comments.php file (in the themes screen). If you don’t see the Facebook icon then try accessing the site from another browser as you might still be logged into your administrative portal.

Finally, consider the strategy that you use for managing comments. You can still hold comments for approval, you can still approve once and give users unbridled commenting love, and you can still scan comments for spam using one of the filters for doing so. That is up to you. But you now have an easy-to-authenticate-to solution where visitors don’t have to sign up and get an email back, etc. But they can if you want, given that there are still at least 4 or 5 people (I believe they are in deep freeze somewhere) who don’t use Facebook, and you wouldn’t want to alienate them!