A Colored Tag Cloud For Your WordPress Blog

I needed a colored tag cloud widget, and I couldn’t find one that I liked. So I cooked up another one. You can see it in action over in the sidebar. You can configure colors, sizes – you can even use it in your theme instead of as a widget. Or you can do both.

See the official ILWP Colored Tag Cloud plugin page to download.

WordPress Security Tip #1 – Get Rid of the Admin Account

A number of people have asked me for some more detail on how to implement some of the suggestions I made in this post. So, here is the first in the series of in-depth tutorials on how to better secure your WordPress blog.

It’s important to secure your WordPress blog. We’re bombarded daily with tales of worms, virii, and Trojan Horsies. Secure this! Lock down that! Protect yourself! Fortunately, the chances of your self-hosted WordPress blog being hacked are fairly slim, but it does happen. This is the first post in a series on how you can tighten down the security of your blog.

Step #1: Sign the online petition at http://shipthemoff.com to reopen Devil’s Island as a penal colony, and send all convicted hackers there to fend for themselves (remember Papillon?).

All right, so we can’t do that. So, the first thing you should do is get rid of the default ‘admin’ user account that WordPress so kindly sets up for you when you install it. You can do it in a few simple steps:

  1. create a new user account
  2. log out and log in under the new name
  3. delete the ‘admin’ account

Here’s how.

First step: always the very first step when you’re messing with important parts of your blog – back up your database! (I’ll be showing you how to do that in a future post.)

After you’ve backed up your database, continue on:

In your dashboard, find Users and expand it. Click on Add New.

  • on the Add New screen, enter your details, using a new username. Pick a username that isn’t obvious. If you really want to go all out, you can make up a username that mimics a password for effectiveness: mix upper and lower case letters and numbers (you can’t use symbols like ! ^ or @ in a username) and don’t use words that can be found in the dictionary.
  • enter your email address, and your website address (address is optional)
  • enter a new password twice. Get really creative with your password. Use at least 8 characters, preferably 12, and mix upper- and lower-case letters, numbers, and punctuation symbols, and don’t use words that can be found in the dictionary. Use something like JpXM20&33tY!89.
  • be sure to set the new user’s role to ‘Administrator’
  • when you’re done, click the ‘Add User’ button
  • at the top right corner of your window, click the ‘Log Out’ button to log out of your admin session.

Now, you’ll need to log back in as the new user you just created. If you did everything correctly, your dashboard will look identical to the admin user. If you don’t see all of the menu options on the left, you probably didn’t set your new user up as an Administrator.

After you’ve logged back in and everything looks kosher, you’ll need to delete the original admin account. Don’t worry, you won’t be deleting your existing posts – unless you hit the wrong button 🙂

Click on Authors & Users again. Hover over the admin avatar, and you’ll see a ‘delete’ link (hint: if you don’t see that link, you’re still logged in as ‘admin’). Click.

The next screen allows you to either delete all posts and links associated with the admin user, or to assign them to the new user. Don’t delete all of your posts! (Personally, I think the ‘reassign’ option should be pre-selected, but that’s fodder for another day). Click the radio button to assign existing posts and links to another user, and choose your newly-created user from the dropdown box.

Click the ‘Confirm Deletion’ button, and WordPress will delete the admin account and assign the posts and links to your new account.

Next, click on the Your Profile link and complete your profile, including the dropdown box of how you want to display your name as an author.
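
The same steps can be scripted once the new account exists. This is an added example, not code from the original post; it assumes WP-CLI is installed, and the replacement login and the file name are placeholders. It refuses to delete ‘admin’ unless the replacement is already an Administrator, and it reassigns posts and links rather than deleting them.

```php
<?php
// Added example, not code from the original post.
// Run from the WordPress root with WP-CLI:  wp eval-file retire-admin.php
// (retire-admin.php is a hypothetical file name). Back up the database first.
require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()

// Placeholder: the login of the replacement account created in the steps above.
$new_login = 'REPLACE_WITH_NEW_LOGIN';

$old = get_user_by( 'login', 'admin' );
$new = get_user_by( 'login', $new_login );

if ( ! $old ) {
	WP_CLI::success( "No 'admin' account exists; nothing to do." );
} elseif ( ! $new || ! in_array( 'administrator', (array) $new->roles, true ) ) {
	// Refuse to continue: deleting 'admin' now could leave the site with no administrator.
	WP_CLI::error( "'{$new_login}' must exist with the Administrator role first." );
} else {
	$posts = (int) count_user_posts( $old->ID, 'post' );
	// The second argument reassigns the old account's posts and links instead of deleting them.
	if ( wp_delete_user( $old->ID, $new->ID ) ) {
		WP_CLI::success( "Deleted 'admin'; {$posts} post(s) now belong to '{$new_login}'." );
	} else {
		WP_CLI::error( "Could not delete 'admin'; check the account list before retrying." );
	}
}
```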

In case of disaster:

If you managed, in the delete step, to delete all of your posts, it’s a relatively simple thing to restore them. You will, though, need to know a little bit about how to use your hosting provider’s MySQL administration tool (most likely phpMyAdmin, but YMMV). More on how to restore from a backup in a future article.

Twavatar – Twitter Avatars For Your WordPress Blog

An update: Twitter has seen fit to deprecate (discontinue) the search function that this plugin depended on. Until I can come up with some kind of solution, you should deactivate the plugin if you’re using it; you might have some unexpected errors.

Today is release day for Twavatar – Twitter Avatars For Your WordPress Blog.

It is a simple plugin that displays a commenter’s Twitter profile image in place of the standard WordPress gravatar. If a Twitter image can’t be found, the regular gravatar is displayed.

Twavatar is nice to twitter – it only looks once, and if it finds a profile URL, it caches it in your database for future use. Future versions of the plugin will have an expiry time on the cached URL to ensure avatarial freshness.

You can download the plugin from its page.

TweetSweetR for WordPress – a full-featured Twitter plugin for your blog

UPDATE: 0.6.0 is now out. The latest version adds support for substituting a Twitter avatar for the standard Gravatar. If a Twitter avatar isn’t found, it defaults to the standard WP options.

UPDATE: Ha! Well, this is embarrassing. TweetSweetR is now at version 0.5.1 already 🙂

A few months ago, the twitter world was all a-twitter (I know, bad pun) about a WordPress plugin called TweetSuite. I saw it, installed it on a couple of blogs and one notable blog network. It worked okay, but didn’t really have the features I/we were looking for, and it wouldn’t run on the network. Then, the plugin kind of dropped off the radar. Maybe the author didn’t have time to support it (it happens, trust me). Feature and support requests were going unanswered, and it even appears the author stopped using his own plugin! None of this is meant to detract from the plugin – it fulfilled a need of the Twitter world at the time and served its purpose, and every plugin author has a life beyond plugins.

So rather than wait for updates that might never come, I decided to take what I thought were the best concepts of the plugin, make a few feature additions here and there, modify the execution, and come up with my own.

So, here it is: TweetSweetR in all its BETA glory.

What does TweetSweetR do?

TweetSweetR provides a number of tools and features to integrate your WordPress blog with your Twitter account. As you post, it automagically grabs a shortened URL from the http://is.gd url-shortening service and displays a badge and ‘tweet this post’ link with the shortened URL already included. A visitor clicks the link or the badge and goes to their own twitter home where they can finish adding a tweet.

TweetSweetR periodically searches for mention of the post’s short url using Twitter’s search service, and posts a list of tweets that are talking about your post.

TweetSweetR also provides a number of sidebar widgets you can use or not use:

  • MyTweets, a list of your current twitter tweets
  • MyFavs, a list of your favorited tweets
  • TwitterTrends, a list of currently trending searches on Twitter
  • MostTweeted, a list of your most-tweeted blog posts as defined by the number of search results for each short url

TweetSweetR updates itself automatically using a scheduled-tasks feature of WordPress. It gathers your latest updates, searches for mentions of your blog posts, grabs new trends — all in the background so your page loads aren’t delayed. Searches and updates are throttled to keep you from running afoul of Twitter’s API restriction of 100 requests per hour. All results are stored in the same database that your blog runs from, and TweetSweetR looks there first for information.

TweetSweetR is still very much in beta-testing mode, and new features are still being added. When TweetSweetR reaches a stable release status, I’ll add it to the WordPress plugins repository. When that happens, you’ll be able to automatically update the plugin through your WordPress plugins page.

To download the plugin and see full installation and usage details, please visit TweetSweetR for WordPress’s permanent page.

Review of “Twitter Avatars In Comments WordPress Plugin”

Smashing Magazine recently released a WordPress “plug-in that uses Twitter to show avatars in comments in WordPress blogs”.

While I like the idea, the implementation leaves a little bit to be desired. Comments to the release post indicate that some effort is being made to address the shortcomings in the plugin code, but as yet those changes haven’t been made.

Here’s why I don’t recommend that you use this plugin just yet:

  • the Twitter API allows 100 requests per hour. If you have a blog post with 20 comments that gets visited 5 times in one hour, Twitter will cut off further requests
  • each call to the avatar display requires 2 HTTP requests on the server side (via cURL calls) and one at the client side to download the avatar. Using the previous example of 20 comments, that works out to sixty extra HTTP requests for every page load. Completely unacceptable.
  • the plugin requires that you diddle around with your theme. While that isn’t a problem with some bloggers, for the majority it is a non-starter. The plugin needs to hook into the appropriate WordPress functions rather than rely on theme changes.
  • the plugin searches for and displays Twitter avatars first, then falls back to the common gravatar we all know and love (!) then further falls back to a default image. All fine, but no choice is given to the blog owner as to preferred fallback behavior. I would prefer to be able to choose which avatar to display as a default.
  • searches for Twitter avatars are made on the email address that the commenter enters. *I* don’t even remember what email address I used when I signed up for Twitter. I would much prefer to see another form field that asks for a Twitter ID. Yes, it’s an extra field to fill out and implementing it will mean much more work in coding the plugin.

So the bottom line is that at this point in time, I don’t recommend that you use this plugin. If the changes suggested to the developer are made, though, it will definitely bear looking at again.

For more information, you can visit the release post here: Twitter Avatars In Comments WordPress Plugin.

404 – Not Found. Some Tips To Make Your 404 Error Page Work FOR You

Look, it happens. A visitor is going to land on your site trying to get to a page or post that doesn’t exist. The question is this: “Are you going to drive your visitor away to another site, or are you going to try and help them find what they’re looking for?”

Hopefully, you chose the latter – you want to help your visitor find what they want. If you don’t care, then this post isn’t for you 🙂

So what can we do to help? The first thing to do is to let your reader know in a nice way that something’s not right. You can use the familiar ‘404 – Not Found’ term, with a little bit of an explanation:

404 – Not Found

Oops! The page you’re looking for isn’t here. Maybe we removed it, maybe it was never here. No matter – we can help you find what you wanted. You can…

Then we can show a list of some helpful actions to take:

  • Check the list below to see if what you’re looking for might be there
  • If you typed the page url address (www.ilikewordpress.com/showme) in the address bar, make sure that it is spelled correctly and the case (CAPITAL and small letters) is correct.
  • Go to the I Like WordPress home page and look for links to the information you want.
  • Use the navigation categories to the right to find the link you are looking for.
  • Go back to the page you just came from.
  • Use the search box at the top right of the sidebar to search I Like WordPress.

So, from the top:

  • In our 404 page coding, we can use some scripting that searches your blog posts for what could be a keyword in the URL (the showme part)
  • We can echo the url that the visitor typed in or clicked a link to that landed them here. If we get fancy, we can actually tell whether the visitor clicked a link or typed in the address themselves. Hint – if they clicked a link, we might want to get the link corrected. Be a little careful about echoing the URL, though — if it’s a long one, it could break your layout as most browsers won’t split a link in the middle.
  • We can give a link to our home page. Maybe the info they want is easily findable from there.
  • We point out the navigation links that are available: categories, archives, latest posts, etc.
  • Use a javascript ‘back’ link to take them back one page. You might not want to use this one unless you know that the user clicked a link from within your site. This will only happen if you’ve messed up one of your own internal links. You wouldn’t do that, would you?
  • Suggest that the visitor use our handy-dandy search tool to find their information.

Really fancy stuff

I mentioned in the first option that we can use some scripting to search for what might be a keyword in the URL that wasn’t found. What we’ll do in a later post is learn to extract the last part of the URL and use it as a search term. We’ll use a database query that has been bullet-proofed against malicious use.

Also, that javascript ‘back’ link? In a future post, I’ll show you how to find out if a user clicked one of your own internal links or not and how you can serve the back link to just those visitors.
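
A sketch of the URL-keyword search and the URL echo described above, as an added example that is not the blog’s own code. It is plain PHP that runs from the command line, with an in-memory SQLite table standing in for `wp_posts`; the rows and the request URL are constructed. In a WordPress theme the matching calls are `$wpdb->prepare()`, `$wpdb->esc_like()` and `esc_html()`.

```php
<?php
// Added example: constructed data, not the blog's code.

// Last path segment of the requested URL, reduced to a plain search term.
function search_term_from_url(string $requestUri): string {
    $path = (string) parse_url($requestUri, PHP_URL_PATH);  // drops the ?query part
    $slug = rawurldecode(basename(rtrim($path, '/')));
    $term = preg_replace('/[^A-Za-z0-9]+/', ' ', $slug);    // letters and digits only
    return substr(trim((string) $term), 0, 50);
}

// Parameterised LIKE query: the term is bound, never concatenated into the SQL.
function find_posts(PDO $db, string $term): array {
    if ($term === '') {
        return [];
    }
    // Escape LIKE wildcards so they match literally (what $wpdb->esc_like() does).
    $like = '%' . addcslashes($term, '\\%_') . '%';
    $stmt = $db->prepare(
        "SELECT ID, post_title FROM wp_posts
         WHERE post_status = 'publish' AND post_title LIKE :t ESCAPE '\\'
         ORDER BY ID DESC LIMIT 5");
    $stmt->execute([':t' => $like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape on output: the requested URL is visitor-controlled text.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)");
$db->exec("INSERT INTO wp_posts (post_title, post_status) VALUES
    ('Showme widget released', 'publish'), ('Showme draft notes', 'draft'),
    ('Moving your feed', 'publish')");

$requestUri = "/old/showme%27--/?ref=\"><b>x</b>";           // constructed request
// Shorten long URLs before display so they cannot break the layout.
$shown = strlen($requestUri) > 60 ? substr($requestUri, 0, 60) . '...' : $requestUri;

echo '<p>Nothing found at <code>' . e($shown) . "</code>. Were you looking for:</p>\n<ul>\n";
foreach (find_posts($db, search_term_from_url($requestUri)) as $row) {
    echo '<li>' . e($row['post_title']) . "</li>\n";
}
echo "</ul>\n";
```

With the constructed request, the slug reduces to the term `showme`, only the published post is listed, and the markup in the query string is printed as text instead of being rendered.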

In the meantime, check out a really bad example of a 404 – Not Found page: what your 404 page should NOT look like.

Update: coincidence or not, Macy’s (above link) just changed their 404 page 🙂 I’ll leave the link for posterity, but I’m sure you’ve seen examples of useless 404 pages.

Moving Your RSS Feed From FeedBurner to Google

If you blog and you’ve burned your RSS feed to FeedBurner, you’ll be interested in this.

Since Google’s acquisition of FeedBurner, Inc. on June 1, 2007, we have been moving the FeedBurner application to Google hardware, software, and data centers. This allows the application to scale and perform like most Google applications and integrate easily with other Google platforms. It also means more reliability in delivering your content, analytics, and monetization, as well as a more secure and consistent experience for your users.

Google is requiring that you move your existing FeedBurner feeds to your Google Account by February 28. If you don’t, your feeds will return either 404 – Not Found or 301 – Moved response.

Google Account required

If you don’t have a Google account, you can create one at the time of your move.

I just finished moving all of mine — really, it’s painless. It takes a little time (mine took about 25 minutes for 8 blogs, some new, a couple with 3+ years of posts) but you don’t have to monitor it if you don’t want to. The transfer status page will periodically update, but you can actually close the page if you want to once the process is started.

Roll your own

You also have the option of snatching back your feed and serving it yourself. If you mistrust Google like some people do, that may be an option for you.

No more FeedBurner Networks

Alas, a handy feature of FeedBurner is not making the move — FeedBurner Networks. Networks was a mechanism that basically let you make a mashup of different RSS feeds and funnel them into one feed that you could then put on your web site. A couple of my clients were making use of Networks; I guess it’s time to write a custom plugin for them.

API Changes

For those of you who may have plugins or widgets (or custom programming) that make use of the FeedBurner Awareness API, be aware that the endpoint address has changed.

More Information

For more information on the FeedBurner move, you can visit the remnants of FeedBurner’s Burning Questions blog, or see the Transferring FeedBurner Accounts to Google Accounts FAQ.