Tiny Deathstars of Foulness

WordPress has an app. That means there’s an API to normalize communication using a predictable programmatic interface. In this case, as with many others, that’s done using a standard REST interface to communicate. The easiest way to interact with any API is to just read some stuff from the server via curl. You can feed curl the URL to the API by using your URL followed by /wp-json – as follows, assuming a URL of


To view header information:

curl -s -D - -o /dev/null

In the below example we’ll ask for a list of posts by adding /wp/v2/posts to the URL:


You’ll see a list of some posts in the output along with a little metadata about the posts. You can then grab an ID and ask for just that post, using a post ID of 48390:


You can also see revisions that have been made to a post by appending the URL with /revisions


You can see comments with the comments route:


Or pages with the pages route:


Or users with the users route:


Or media that has been uploaded with the media route:


And the output of each can be constrained to a single item in that route by providing the ID of the item, which shows additional metadata about the specified item. And there are routes for categories, tags, etc.

There’s also some good stuff at such as which is a plugin that allows you to auth against the API.

curl --user admin:krypted

Not only can you look at user information, you can also add and remove posts. You would add by doing a -X followed by a POST and then feeding a file with the –data option

curl --user admin:password -X POST --data @post.json

The output would then include the ID of your new post to wordpress. In the following example, we’ll get rid of the post we were looking at earlier using -X and DELETE in the URL, assuming a username of admin, a password of krypted, and a post ID of 48390:

curl --user admin:krypted -X DELETE

If successfully deleted the response would be as follows:

“message”:”Deleted post”

To dig in deeper, check out where the whole schema is documented. You can also use the GitHub site to access a command called wp (as well as PHP, node, and java clients) that can be run at the command line for simple scripting interfaces. This could allow you to, for example, simply backup posts to json files, etc.

Also, it’s worth noting that various plugins will require their own interface (note there’s no themes or plugins route), such as woocommerce, interfacing with or

July 14th, 2017

Posted In: WordPress

Tags: , , , , , , , ,

Leave a Comment

By default, screenshots are pretty big on a retina display on an El Capitan machine. Like about 4 times the size they should be. I haven’t found a defaults key I can use yet to reduce them, so I’ve been using this little screenshotting app called RetinaCapture, available at

Basically, when you’re running it, you just open it up and click on the Window button. There, you can select a window to screenshot.

Screen Shot 2015-09-24 at 8.37.33 AM

Once you’ve selected the window, you’ll be prompted to save it somewhere with a name.

Screen Shot 2015-09-24 at 8.38.00 AM


I don’t love having to use any 3rd party apps for my screenshotting workflow. Screens get resized for books and so I’m really only using this for my site. But, hopefully it helps someone else along the way. Happy screenshotting!

October 6th, 2015

Posted In: Mac OS X

Tags: , , , , , ,

When you enable permalinks in WordPress, you’re basically converting a link to an article you’ve written from something like to something like Doing so makes Google like the page more (supposedly). After my site moved, the permalinks were broken, so I turned them off until I could find time to fix them. I never did. But thanks to the glory that is @sacrilicious the permalinks were magically fixed one day.

So do permalinks matter to drive traffic to a site? Well, nothing else changed, same length of articles, same frequency, etc. But when permalinks were turned back on, the answer was in my Site Stats, courtesy of  JetPack:

Screen Shot 2013-10-04 at 10.52.16 PM


Thanks again, Banks!

October 6th, 2013

Posted In: sites

Tags: , ,

Setting up and installing WordPress is pretty straight forward. That’s not to say it’s not going to take a little work to go from 0 to 60 on a base Linux installation. But I’ll lay the work out for you so as not to be that tricky. Everything we’ll be doing will require elevated privileges, so sudo in front of each command or sudo bash before you get going.

First up, install Apache, as you’ll need a web server. I think the base apache2 config is pretty straight forward out-of-the-box:

apt-get install apache2

During installation you will be asked to type y to continue. Do that and it will finish with no major issues. Next up, install MySQL, php5, php5-mysql and phpmyadmin. We can use apt-get to knock all this out at once:

apt-get install mysql-server-5.1 php5 php5-mysql phpmyadmin

Again, you will be asked to choose whether to proceed, type y and hit enter. The next few steps will change according to versions, but for now, you’ll then be asked for a password for the MySQL root user. Provide that password and then tab to the OK button. You’ll then be asked to select which web server you are using. Assuming you did the apache2 install previously, choose Apache and then tab to the OK dialog. Then you will be asked to provide the MySQL password. This will be the password you typed earlier.

You’ll then be prompted for a phpmyadmin password, which will be a password to access phpmyadmin’s web interface. Once the installation is done, you should have a fully functional LAMP environment. I like to reboot and check syslog afterwards just to make sure that everything is in working order and not reporting any major malfunctions.

Next up, we will need to create the MySQL user and database that WordPress will use. To do so, log into phpmyadmin using a URL that begins with http:// followed by the address of your server and finally the /phpmyadmin. For example, if your server is at then the address would be You will be asked to authenticate, and here you will want to use the password you provided during the phpmyadmin package installation. Once you have authenticated, click on the Privileges tab and then click on the Add a new user button.

You will then be asked to provide a username and password for the user you are creating, define what addresses that user can log in from (if you have multiple front-end servers you probably aren’t using this post to install WordPress so you might as well limit it to localhost) and most importantly you have a radio button for “Create database with same name and grant all privileges”. If you use this option then both the user and the database will be created in one step, making life pretty easy. I used wordpress as my username in the example.

Once you have all the services installed and the MySQL user and database setup, then you’re ready to install WordPress. I like to cd into /var/www and then wget the, which always has the latest version of WordPress:


Then you want to unzip that (the unzip command is built into Ubuntu 10):


This will extract the wordpress folder into /var/www. Then make sure your admin user has permission (mine is oddly enough called cedge):

chown -R cedge:users wordpress

Now cd into the wordpress directory:

cd wordpress

Make a copy of the main configuration template called wp-config.php:

cp wp-config-sample.php wp-config.php

And then let’s edit that new file (vi, nano, tapping directly into the Matrix, or whatever you like), looking for DB_NAME, DB_USER, DB_PASSWORD and DB_HOST. In these respective fields, put the name of the database (wordpress in this example), the username for administrative rights to the database (wordpress again in this example), the password for the database (whatever you provided in phpmyadmin’s web interface for your new user and the IP or hostname of the database server (let’s assume if the database and web servers are the same).

Scroll down a little further until you see the Authentication Unique Keys: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY. You’ll want to visit the WordPress secret key generator at to get your keys. Then simply cut/copy/paste the whole section, commenting out the existing lines or paste the contents of each line over the line it is replacing. Once that is done save your changes to the file and exit your text editor. Now visit the address of the site followed by WordPress (ie – You’ll then be able to setup WordPress for the first time.

At the first login, you will see a screen prompting you to define a title for the site (Your domain name is a pretty traditional title to use), the username you want to use to administer the site (ie – admin), the password (ie – according to the movie Hackers, god) and and administrative email address. Here, you can also choose whether you want the site to be crawled by search engines. Once you’re happy with your settings, click on the Install WordPress button down at the bottom of the page.

Now you should be able to see your first post, create posts and use WordPress. That should have been pretty painless. If it were any more painless, then I fear the dribble that people would post… Anyway, if you want the webroot ( instead of to be WordPress, then you will also want to change the DocumentRoot setting in /var/www to point to the /var/www/wordpress folder in the /etc/apache2/sites-enabled/000-default file (or whichever site it is if you have multiple ones).

November 30th, 2010

Posted In: Mac OS X Server, Ubuntu, Unix, WordPress


There are a number of ways that you can protect your WordPress site from spam bots. The first is to only allow authenticated users to post comments. Doing so can still be a bit unwieldy, but this feature is built into WordPress and so pretty straight forward to use. Some, who deal with large amounts of spam bots then choose to completely disable the commenting feature outright (Settings -> Discussion -> Uncheck Allow people to post comments on new articles), but comments can still be made on existing articles and commentary is one of the best features of WordPress for many. To stop comments on older articles, also disable commenting on older articles (same page but also choose the Automatically close comments on articles older than option as well).

No site should have to disable comments or bend to the will of a spam bot. You can also then choose (same page again) to email the administrator when a comment is made and then choose to not publish comments until the administrator approves them. But spam bots will still attack, and now you’ll just get a ton of junk email. So many will turn to plug-ins for WordPress. There are a few of those that I like a lot. One is called Invisible Defender. Invisible Defender adds a couple of fields that are suppressed using the style sheets. These invisible comment fields, because they’re not displayed to a browser should then never be filled out. Therefore, if a field is filled out, it had to have been done by a bot. Those comments are then automatically blocked.

Then there’s the ability to force captcha (shows you funny garbled letters and you type them into a verify field). Captcha for account creation means that all but the most sophisticated bots will fail. This form of forcing an additional form of verification that a visitor is a real human can then be circumvented by users of OpenID, FaceBook and other services, using plug-ins that allow those users to be authenticated through the third party (typically requires a little theme customization).

Then there are the antispambee and akismet plug-ins, which look at the actual comments and attempt to determine which ones are spam. These make a good layer of defense but should not be the only layer used. Regrettably, any time you have user generated content on a web site you are going to have automated bots attempting to do a number of things, most likely sell black market pharmaceuticals and other items of questionable origin.

There are also bots that attempt to exploit the login page of the WordPress admin (<DOMAIN>/wp-admin.php or /wp-login.php. These are defeated an entirely different way. One of the best strategies is to lock out those who have attempted a number of invalid attempts that exceeds a threshold that you define.  Amongst those is Login Lockdown WordPress Security. Another layer for protecting the administrative side of the site is to add an .htaccess file to provide an additional layer of security on top of WordPress. You can also change the URLs of your login page, which I usually use a plug-in called Stealth Login for.

Finally, I like to back up WordPress in an automated fashion. There are a lot of plug-ins to do this, but I’ve always used WordPress Database Backup. Why? Because it works every time I tested it. I haven’t even bothered to test a good backup and restore for another software package because WordPress Database Backup always works, backs up data to another server I have, and it hasn’t failed me yet. I always test the restores of data that I’m backing up and I recommend that you test this (mileage may vary) if you choose to put it into production as well (false senses of security are in many cases worse than no security).

September 28th, 2010

Posted In: WordPress

Tags: , , , , , ,

Sometimes you can bite yourself a little when you experiment around with things. I installed a security plug-in and the next thing you know I couldn’t log into my own website. Ouch. Not a huge deal as it actually led to experimentation with the MySQL tables for WordPress, which oddly enough, I’ve typically just left well enough alone. But this I figured was gonna’ need to be updated eventually (although I relished the opportunity to get caught up on some stuff in the meantime). So first up, SSH into your box. Then fire up mysql:

mysql -u root -p

Turns out there’s a wp_users table in there. For my user I was able to do the following (replacing MYUSERNAME with my actual username):


Then the following (again assuming MYUSERNAME is the user and now substituting MYPASSWORD with the password you want to use – lucky us that md5 is supported from the mysql CLI now, as that’s what WordPress is gonna’ want us to use):


And then viola I was back to writing the same old dribble once again. I had been really busy finishing off some chapters and so hadn’t bothered to figure it out. Now I’ll be back to it. Lucky you, right?!?!

April 13th, 2010

Posted In: Unix, WordPress

Tags: , , , , ,

In a constant search for achieving comment nirvana for the sites I manage, I was recently looking into integrating WordPress (and a couple of other CMS engines) with Facebook. The sites are setup to only allow authenticated users to comment and it just seemed like with all of the single-sign on technology out there that it just didn’t have to be so annoying. After installing the OpenID integration it seemed like there still had to be a better way to allow even more people to authentication. How about Facebook?

Facebook has done a lot of work on making their API one of the best in the social networking world. The initial implementation of FBML was a little clunky (a client was an early adopter) but it proved to be one of the things that set them apart from the competition. And the API doesn’t just allow for embedding objects into Facebook, it allows for extending Facebook out as well. One of the best examples of this is for authentication.

Which brings us to actually making it work. The first thing to do is go grab an API key. To do so, visit and click on Set Up New Application (or Provide the domain name and any other required fields and out pops an API key and a secret. The API key will be exposed but the secret will act as a password of sorts, much the same way many other key exchanges function. Copy these and do not give them out.

Once you have your key, go to your WordPress site and log into the admin page. From there, click on Plugins and then click on Add New. Search for WP-FacebookConnect. Install the one from Adam Hupp and then locate it in your sidebar (it will say Facebook Connect). Click on it and then provide the API Key and Secret and click on Update Options.

Now that it the plugin is installed and configured it’s time to add it to your theme. This part is a little more tricky than most but it can be as simple as a single paste. Copy this into your clipboard:

<?php do_action(‘fbc_display_login_button’) ?>

Now click on Appearance back in the sidebar and then click on Editor. In the Editor scroll towards the bottom (usually) and locate the form that takes in the comments, which likely begins with:

<div id=”comment-form”>

Now paste it in immediately above or somewhere inside the form, which means somewhere below the first line but above the following:


Once done, open one of your pages and you should see the Connect with your Facebook Account icon so you can authenticate using Facebook. You can also move the text around in the box by moving between areas in the comments.php file (in the themes screen). If you don’t see the Facebook icon then try accessing the site from another browser as you might still be logged into your administrative portal.

Finally, consider the strategy that you use for managing comments. You can still hold comments for approval, you can still approve once and give users unbridled commenting love and you can still scan comments for spam using one of the filters for doing so. That is according to you. But you now have an easy-to-authenticate to solution where visitors don’t have to sign up and get an email back, etc. But they can if you want, given that there are still at least 4 or 5 people (I believe they are in deep freeze somewhere) who don’t use Facebook, and you wouldn’t want to alienate them!

January 28th, 2010

Posted In: WordPress

Tags: , , , , , , ,

RSS feeds are pretty darn useful for a lot of things. And WordPress makes them really, really easy. If you want to insert an rss feed somewhere then according to the type of feed you need, you can just use a pretty repeatable pattern to do so. Basically, following the site you would use /wp-rss.php for rss, /wp-rss2.php for rss2 or /wp-atom.php for Atom feeds. For example, to get a feed of this site in rss you could use the following:

Or rss2:

Or rdf:

Or Atom:

January 16th, 2010

Posted In: WordPress

Tags: , , , , ,

Let’s see how this turns out. I added a shoutbox along the sidebar of the site. Hope it doesn’t get abused like most things do. We shall see… Anyway, let me know what you think…

December 29th, 2009

Posted In: sites

Tags: , ,

I’m now doing my own URL Shortening using the Pretty Link plugin for WordPress. For example, the following link is a bit long:

So using Pretty Link, I tell it to add a link and then it gets shortened down to (or aliased to more like it):

December 17th, 2009

Posted In: WordPress

Tags: , ,

Next Page »