Why you should not use WordPress
https://pietersz.co.uk/2014/10/dont-use-wordpress
Mon, 06 Oct 2014 12:24:01 +0000

The appeal of WordPress is obvious: cheap and easy, and lots of “developers” know it. The biggest problem with WordPress is that something originally designed as a blog platform has evolved general CMS features and is widely used as a development platform. The problems are that it has security issues, that it is neither flexible nor productive when used as a development platform, and that cheap developers are not good developers.

WordPress is a very easy way to get a site up and running, and I do use it myself for small sites – even this blog still runs WordPress (although that may change). So what is wrong with WordPress?

Security

WordPress has a terrible track record, and WordPress sites are the most frequently targeted by attackers. There have been massive automated attacks mounted on millions of WordPress sites simultaneously. WordPress sites are easy for attackers' web crawlers to identify without human intervention, so the cost of attack is very low on a per-site basis.

WordPress advocates will point to improvements in WordPress itself, and claim it is a lot more secure than it used to be. However, it still suffers from bad design and a poor attitude – for example, WordPress developers actually encourage letting WordPress alter its own files, because that is how their update mechanism works.

Even if WordPress is now adequately secure, even its defenders will usually concede that there are many insecure themes and plugins. As the attraction of WordPress is its wide range of themes and plugins, this leaves you with limited choices:

  1. Use WordPress only with bundled themes and plugins. This leaves little reason to use WordPress at all.
  2. Security audit the themes and plugins you use: suddenly it's not so cheap or fast to set up a WordPress site.
  3. Develop all themes and plugins specifically for your site: this makes WordPress an expensive solution if your site requires any real customisation.
  4. Only use WordPress if you are sure it will do what you want with minimal customisation and only themes and plugins you are sure are secure.
  5. Risk it!

Even being this careful, you still have to deal with the fact that a WordPress site is far more likely to be attacked. Even an unsuccessful attack can cause problems (slower site performance, bandwidth consumption from repeated attacks etc.). Certainly, you can (doing a bit more work) solve these problems, but even then any security hole in WordPress is more likely to lead to a breach because it is a popular target for automated attacks.

It is not a framework

People use WordPress for all kinds of websites, and even things that are better described as web apps. They have a bad case of “when all you have is a hammer, everything looks like a nail”. Anyone who has used a proper framework will tell you that developing a custom site using WordPress is a far longer and less productive process than using a framework like Django, Ruby on Rails, or Symfony. If you are a developer, compare this to this, or even better, this.

Similarly, frameworks provide productive ways of generating forms that match database tables, or creating a custom admin interface. The work required to deliver the same custom functionality is dramatically lower than with WordPress.

A (good) framework also takes care of a lot of security issues for you — Django, my favourite framework, generates properly escaped database queries by default, and requires CSRF protection on forms by default, etc.

It uses PHP

PHP is a horrible language, and PHP code is harder to maintain. A developer should remember that there are always a minimum of two developers working on any project — you, and you a few months later, and the other one is an idiot. Hard to read and understand PHP code will create more work later. This is just one of PHP’s many, many faults, which are brilliantly covered in depth in A Fractal of Bad Design.

Again, the end result is to make development slower and maintenance more expensive.

PHP advocates like to point to the many large sites like Facebook that use PHP. PHP has worked so well for Facebook that they have resorted to forking it to address some of its more egregious flaws, but they are still constrained by the need for compatibility, so it is still far from being a good language. Facebook also uses many other languages: they have released open source components in OCaml, Java, C++, D, Haskell and more, so they presumably use all those somewhere.

Lots of developers does not mean lots of good developers

A lot of people like the fact that there are more WordPress developers than those working on any other web platform, many working at cheap rates. The reason for this is that it has a lower barrier to entry: it is easy to learn enough to install WordPress and some plugins, perhaps learn a bit of PHP for simple customisation… now you are a developer!

Of course there are plenty of good PHP developers, but I very much doubt there are more good PHP developers than Python or Ruby web developers. On top of that, good PHP developers are unlikely to be pitching for WordPress work and are probably focusing on more skilled stuff using frameworks. If you want cheap, WordPress is for you, but remember who works for peanuts.

What WordPress is good for

I still run my blog on WordPress, and I have used it for some small sites. It is a very capable blog platform, and is acceptable for small brochure type sites. If you are sure that is all you need, and all you are likely to need, and have a limited budget, then maybe WordPress is a good option, but:

  1. Ensure your install is security hardened: there is a lot you can do to make it harder for automated attacks to identify your site as WordPress based, and make sure it is regularly updated. I will be blogging about that soon.
  2. Use a host that gives you ssh access so that you can use wp-cli to run updates: otherwise you will either have to use the horribly insecure built in update mechanism, or update manually.
  3. Make sure you have confidence in the security of any plugins and themes you use.
  4. Pay for a decent developer. No one with real skills is going to work for £5/hour, even in a low cost country.

If it is so bad, why is it popular?

It is not a case of it being popular despite it being bad, but it being bad because it is popular. As long as WordPress was used for what it is best at (a blogging platform) it was fine (apart from some security issues). Even extending its usage to personal and small websites was fine. The problems are:

  1. It is being used for things it was not originally intended for,
  2. It is so hugely popular that it is by far the most popular target for automated attacks.

The first of these causes a productivity problem: it is better to use the right tool for the job. The second means that security problems are far more likely to be found (by the bad guys) and exploited. I am talking here about automated attacks that attack thousands, or even hundreds of millions, of sites, in the hope of finding some that have a particular weakness. From the point of view of someone running one of those attacks, WordPress is probably the most attractive single target because it is popular.

I am not dead set against WordPress, but I am looking for alternatives, especially for small non-blog sites (perhaps for blogs as well), so please look out for blog posts on how that goes.

WordPress plugin: Slug Trimmer
https://pietersz.co.uk/2006/07/wordpress-slug-trimmer
Sat, 15 Jul 2006 09:10:26 +0000

I have got sick of URLs that end in really long post slugs that look-something-like-this-and-are-far-too-long, so I wrote a little plugin that shortens post slugs more intelligently than simply truncating them.

It works in two phases. It first removes short words (because words like “a” and “the” are rarely significant), shortest first.

If the slug is still too long, it is then truncated. However, slugs will never be truncated mid-word.

The size of words removed in the first phase, and both the minimum and maximum lengths of the resulting slug, can be configured. Truncation can be turned off. The point at which the slug is truncated is set separately from the maximum used in phase one (word removal).

The slug is generated on saving a post (so you get a chance to look at it before publishing), or on publish. It will not overwrite an existing slug, even one generated by itself. You can force the generation of a new slug by deleting the existing one.
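The two phases described above, as an added example that is not the plugin's own code (the function name, its default settings and the sample title are assumptions):

```php
<?php
// Added example, not the Slug Trimmer plugin's own code: a stand-alone version
// of the two-phase slug shortening described above. The function name and
// the default settings are assumptions.

// Phase one drops short words, shortest first, until the slug is at most
// $maxLength characters or dropping another word would take it below
// $minLength. Phase two (skipped when $truncateAt is null, i.e. truncation
// turned off) then cuts the slug at a word boundary so that it is at most
// $truncateAt characters long.
function trim_slug(string $title, int $shortWord = 3, int $minLength = 20,
                   int $maxLength = 40, ?int $truncateAt = 50): string
{
    // Normalise to lower-case words separated by single hyphens.
    $slug = strtolower(trim(preg_replace('/[^a-z0-9]+/i', '-', $title), '-'));
    $words = explode('-', $slug);

    // Phase one: words of length 1 go first, then length 2, and so on.
    for ($len = 1; $len <= $shortWord; $len++) {
        foreach (array_keys($words) as $i) {
            if (strlen(implode('-', $words)) <= $maxLength) {
                break 2;                       // already short enough
            }
            if (strlen($words[$i]) !== $len) {
                continue;
            }
            $candidate = $words;
            unset($candidate[$i]);
            if (strlen(implode('-', $candidate)) < $minLength) {
                break 2;                       // removing more would be too short
            }
            $words = $candidate;
        }
    }
    $slug = implode('-', $words);

    // Phase two: cut at the last hyphen within the limit, never mid-word.
    // A single word longer than the limit is left alone for the same reason.
    if ($truncateAt !== null && strlen($slug) > $truncateAt) {
        $cut = strrpos(substr($slug, 0, $truncateAt + 1), '-');
        if ($cut !== false) {
            $slug = substr($slug, 0, $cut);
        }
    }
    return $slug;
}

// Sample run with a constructed title (80 characters as a raw slug).
$title = 'I have got sick of URLs that end in really long post slugs that are far too long';
echo trim_slug($title), "\n";
```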

Installation and configuration is simple. Download Slug Trimmer here. If you want to change the configuration, the options will appear as a sub-panel of “Options” in your WP Admin.

If you find this plugin useful and feel inclined to do me a favour: I would really appreciate links to any of my money-making sites. I most need links to internal pages of Moneyterms, or to either the front page or the books section of PTZ.com.

WordPress theme: Red Drop
https://pietersz.co.uk/2006/02/wordpress-theme-red-drop
Tue, 14 Feb 2006 11:30:00 +0000

Red Drop is a red (surprisingly!) WordPress theme with drop-down menus.

Red Drop screenshot

The screen space saved by using drop-downs is used to provide a right navigation bar that varies with the page being viewed. For example, when viewing a post the left nav bar shows the titles (only) of recent posts in the same category (or categories).

It is slicker than my previous themes. Doing themes is definitely fun and I will be doing more when I have the time.

You can select this theme (and my other themes) from the theme switcher drop down.

You can download Red Drop from here.

WordPress theme: Dent
https://pietersz.co.uk/2006/01/wordpress-theme-dent
Mon, 30 Jan 2006 08:26:33 +0000

This is a simple theme based on earth colours.

Dent theme screenshot

It is named Dent because it is more Human than Beeblebrox. I know it's a bad joke, but at least it gave me a snappy name. I started out wanting to do a theme with the search bar at the top left and the title at the top right (i.e. like Beeblebrox) but in the colours used for Human. In fact my theme is not all that similar to Beeblebrox (apart from the position of the search box), and the colours are actually adjusted from a palette taken from Turner’s The Fighting Temeraire.

You can download it from here.

WordPress theme: Esthwaite
https://pietersz.co.uk/2006/01/wordpress-theme-esthwaite
Mon, 30 Jan 2006 08:25:24 +0000

My first completely original WordPress theme. You can preview it by using the theme browser (you may have to reload the page to get the theme to change).

Esthwaite theme screenshot

This theme is based on photos taken in the Lake District. For those unfamiliar with Britain, the Lake District is a part of England which has lots of ... lakes. You can download the theme from here.

WordPress plugin: Frameable
https://pietersz.co.uk/2005/08/wordpress-plugin-frameable
Thu, 04 Aug 2005 15:31:58 +0000

This plugin is designed to make individual pages of a site frameable. This can be used to enable cut-and-paste quoting of individual posts, or cut-and-paste (X)HTML-only syndication of a blog or blog category.

Edit: I no longer use this plugin, and it is now far better to do this using RSS, so do not use this plugin unless you particularly want to use a frame or an iframe (there are good reasons for doing that).

You can download the plugin and a frameable theme from:
http://pietersz.co.uk/downloads/frameable.zip

Functionality and basic usage

The plugin works by switching themes if a particular query string is appended to the URI (this is the same functionality as Ryan Boren’s theme switcher). By default it uses a theme called Frameable (included in the download). It also adds target="_top" to links in the post content, so links lead back to the unframed site in the top level window. Adding target="_top" to the post title needs to be done in the theme (see the included Frameable theme for an example).

It also provides a function to use on the pages you wish to make frameable: link_to_frameable(link text, 'inline|external'). Typical usage would be:

echo link_to_frameable('Click here for frameable version', 'inline');

This will return a link directly to the frameable version of the page.

Advanced usage

More elaborate usage is possible by setting up a special page (in the WordPress static page sense of the word) on which the (X)HTML to cut and paste is given. For examples of this take a look at this site and click on “clip this” or this site and click on “quote this”. This is how the examples above were generated.

In order to do this you need:

  1. Call link_to_frameable with the second parameter set to 'external'. In fact you could simply omit it, as this is the default behaviour.
  2. Create a page that uses the functions described below to generate the HTML you want. You will need to use a special page template or a PHP execution plugin.
  3. The page you use for this must either be a top level page (no parent page) with the page slug “frameable”, or you need to edit the plugin to give it the page URL.

The two functions provided for this are:

  • frameable_return_uri() has a single parameter. Its value can be 'framed' (the default), which returns the URL of the framed version of the frameable page, or 'original', which returns the URL of the standard version.
  • frameable_return_title() takes no parameters and returns the title of the page you are framing.

Both these functions should be used only on the page which generates the (X)HTML. This page should never be linked to directly, as link_to_frameable('external') will link to it with a query string containing the URI of the page you want to frame.

An example of the usage, taken from the link generation page on the Money Terms site.

<iframe src="<?php echo frameable_return_uri(); ?>" style="width:100%"><a href="<?php echo frameable_return_uri('original'); ?>"><?php echo frameable_return_title(); ?></a></iframe>

This creates the HTML needed to show the framed page in an inline frame, and to degrade gracefully to a link to the page instead in a browser that does not understand inline frames.
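The URI of the page to frame arrives in a query string and is then written into the iframe src and the href shown above, so an implementation of frameable_return_uri() should accept only pages on the site and escape the value on output. The following is an added example, not the plugin's own code; the query parameter name, the theme-switch query string and the site host are assumptions.

```php
<?php
// Added example, not the Frameable plugin's own code: a version of
// frameable_return_uri() that accepts the page-to-frame URI from the query
// string only when it points at this site, and escapes it for use in markup.
// The parameter name 'frameable_uri', the theme-switch parameter 'theme' and
// the site host are assumptions.

const SITE_HOST = 'pietersz.co.uk';   // assumed host of the site being framed

// Returns the URI to frame, escaped for an HTML attribute, or '' if the
// supplied value is not a page on this site. $which is 'framed' (default)
// or 'original', as in the plugin description. $query defaults to $_GET and
// is a parameter only so the check can be exercised with constructed input.
function frameable_return_uri(string $which = 'framed', ?array $query = null): string
{
    $query = $query ?? $_GET;
    $parts = parse_url((string) ($query['frameable_uri'] ?? ''));
    if ($parts === false || !isset($parts['path'][0]) || $parts['path'][0] !== '/') {
        return '';   // relative paths, javascript: and the like have no leading /
    }
    // Only http(s) URLs on this host (or bare absolute paths) are accepted;
    // another host, including a protocol-relative //host/path, is dropped.
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    if (isset($parts['host']) && strcasecmp($parts['host'], SITE_HOST) !== 0) {
        return '';
    }
    $uri = 'https://' . SITE_HOST . $parts['path'];
    if ($which === 'framed') {
        $uri .= '?theme=frameable';   // assumed query string that switches the theme
    }
    return htmlspecialchars($uri, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: the first two are accepted, the rest rejected.
$samples = ['/2005/08/wordpress-plugin-frameable', 'https://pietersz.co.uk/about',
            '//evil.example/x', 'javascript:alert(1)', 'https://evil.example/x'];
foreach ($samples as $input) {
    $out = frameable_return_uri('framed', ['frameable_uri' => $input]);
    printf("%-40s => %s\n", $input, $out === '' ? '(rejected)' : $out);
}
```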

Simple Sparklines WordPress plugin, version 0.2
https://pietersz.co.uk/2005/07/simple-sparklines-02
Wed, 20 Jul 2005 10:44:15 +0000

I have updated my Simple Sparklines WordPress plugin. My thanks to David Chait and Mark Wubben for answering my questions on the WordPress support forum. The hard work was done for me by James Byers’ Sparkline PHP Graphing Library.

Basic use is the same as in version 0.1. The main new feature is that the graph height can be set to ‘auto’, rather than a set number of pixels. This will (in browsers with JavaScript enabled) set the height of the graph to match the text. If JavaScript is disabled the height will default to 15 pixels. The aspect ratio can be specified in order to allow the width to also adjust in line with the height. As with the size parameter, the aspect ratio of a bar graph refers to a single bar, not the whole graph.

This [spark] [type line] [size auto,30] [aspect 1.5] [series 66,64,62,60,58,56,54,52,50,40,30,20,10,0][dot 7,50,5,green][/spark] and this [spark] [type bar] [size auto,4] [series -24.6,3.1,27.1,43.6,39.1][/spark] are the examples used in my original post on the plugin, but with height set to auto. If you change your text size and reload you will see the change.

I have added a [line-width number] parameter that does exactly what it says for line graphs. The line-width, like the [dot] radius is a size on the graph before re-sampling, so the actual width in pixels will be much less. Any value other than 1 (the default) tends to make non-horizontal or vertical straight lines in text sized graphs look awful. It is primarily useful for large graphs (i.e. not true sparklines), which look much better.

I have cleaned the code a bit, and there is now a function:

sparkline_insert(line | bar, height pixels | auto, width, aspect ratio, comma separated data series, [optional] feature point, line width, default height)

that can usefully be called by other plugins or from templates. The feature point parameter is a string containing a comma separated list of parameters in the same format as when inserting in a post; ditto the data series. Everything else apart from the chart type (line or bar) is a number (unless height is auto).

I have not done anything about implementing caching or multiple data series yet.

I would be very grateful for any feed back, both from those who use the plugin and those who see it here. In particular I need to know whether auto height works OK in IE (all versions from 5.0 upwards) and Safari. So far I know this works on Firefox, Opera and Konqueror.

To install the plugin download this, unzip and copy to your WordPress plugins directory, then activate as usual.

As a good few bloggers are likely to look at this page, I think this is a good place to mention my main sites, Investment Ideas and Money Terms in the hope that some of the users of the plugin might feel inclined to link to them. The latter may well be pretty useful to link to, for anyone writing about finance or investment. The plugin was actually developed for the latter.

WordPress plugin: Simple Sparklines
https://pietersz.co.uk/2005/06/wordpress-plugin-simple-sparklines
Mon, 20 Jun 2005 08:51:43 +0000

Updated version available.

This is a very simple WordPress plugin that allows the creation of simple sparklines (small graphs that fit in the flow of text). It uses James Byers’ Sparkline PHP Graphing Library.

The aim of this plugin is simplicity; it therefore does not use the full range of features of the PHP sparkline library, let alone the full potential of sparklines per se. However, it is very easy to use. For example, this graph [spark] [type line] [size 20,30] [series 66,64,62,60,56,54,52,50,40,30,20,10,0][dot 7,50,5,green][/spark] illustrates the kinked demand curve faced by a firm in an oligopolistic market. The EBITDA of telecoms company Thus over the last five years is shown by [spark] [type bar] [size 20, 4] [series -24.6,3.1,27.1,43.6,39.1][/spark].

The markup to generate these is fairly simple: [spark] [type line] [size 20,30] [series 66,64,62,60,56,54,52,50,40,30,20,10,0][dot 7,50,5,green][/spark] for the demand curve and [spark] [type bar] [size 20, 4] [series -24.6,3.1,27.1,43.6,39.1][/spark] for the EBITDA graph.

The plugin processes whatever is between [spark] and [/spark]. The types can be line or bar. The series consists of values that are sequentially plotted on the graph – i.e. these are y values; the corresponding x values are assumed to start from zero and increase by one each time. The points plotted above are (0,66), (1,64), (2,62) etc. The dot instruction adds a green dot at (7, 50) with a diameter of 5. Size controls the size in pixels of the graph, height then width – so the graph above is 20 pixels high and 30 wide.

Bar graphs cannot have the dot highlights (so the [dot 7,50,5,green] would be ignored), and width is taken to be the width of an individual bar rather than the whole graph. Bar graphs also show positive values in black and negative in red.
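As an added example (not the plugin's own code), here is the markup described above parsed into the values that the version 0.2 sparkline_insert() takes, with each value validated before it goes into the image URL and the roughly 2,000 character URL limit mentioned below checked; the query parameter names and the 15 pixel fallback for an 'auto' height are assumptions.

```php
<?php
// Added example, not the Simple Sparklines plugin's own code: it parses the
// [spark] ... [/spark] markup described above into the values the version 0.2
// sparkline_insert() signature takes, validating each before it is put into the
// URL of sparkline/image.php (the script named in the post). The query parameter
// names and the 15 pixel fallback for an 'auto' height are assumptions.
const MAX_URL_LENGTH = 2000;   // URL length limit noted in the post

// "[spark] [type bar] [size 20, 4] [series -24.6,3.1][/spark]" becomes
// ['type' => 'bar', 'size' => '20, 4', 'series' => '-24.6,3.1'].
function parse_spark(string $markup): ?array
{
    if (!preg_match('/\[spark\](.*?)\[\/spark\]/s', $markup, $m)) {
        return null;
    }
    preg_match_all('/\[(type|size|series|dot|aspect|line-width)\s+([^\]]*)\]/',
                   $m[1], $pairs, PREG_SET_ORDER);
    $args = [];
    foreach ($pairs as $p) {
        $args[$p[1]] = trim($p[2]);
    }
    return $args;
}

// Builds the image URL, or returns null if a value is not what the plugin
// expects, so only numbers (and 'auto' for the height) ever reach the URL.
function spark_image_url(array $args, string $base = 'sparkline/image.php'): ?string
{
    $type = $args['type'] ?? 'line';
    $size = array_map('trim', explode(',', $args['size'] ?? '15,30'));
    if (!in_array($type, ['line', 'bar'], true) || count($size) !== 2) {
        return null;
    }
    [$height, $width] = $size;
    if ($height === 'auto') {
        $height = '15';   // the no-JavaScript default height from the post
    }
    if (!ctype_digit($height) || !ctype_digit($width)) {
        return null;
    }
    $series = array_map('trim', explode(',', $args['series'] ?? ''));
    foreach ($series as $v) {
        if (!is_numeric($v)) {
            return null;
        }
    }
    $q = ['type' => $type, 'height' => $height, 'width' => $width,
          'series' => implode(',', $series)];
    // Dot highlights apply to line graphs only; bar graphs ignore them.
    if ($type === 'line' && isset($args['dot'])) {
        $dot = array_map('trim', explode(',', $args['dot']));
        if (count($dot) !== 4 || !is_numeric($dot[0]) || !is_numeric($dot[1])
            || !ctype_digit($dot[2]) || !ctype_alpha($dot[3])) {
            return null;
        }
        $q['dot'] = implode(',', $dot);
    }
    $url = $base . '?' . http_build_query($q);
    return strlen($url) > MAX_URL_LENGTH ? null : $url;
}

// Sample run on the bar-graph markup from the post.
$args = parse_spark('[spark] [type bar] [size 20, 4] [series -24.6,3.1,27.1,43.6,39.1][/spark]');
echo spark_image_url($args ?? []), "\n";
```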

At the moment the plugin can handle only a single data series, and (in the case of line graphs) a single [dot] highlight. There is no control over colours. I plan to:

  1. Add multiple data series and dots
  2. Improve colour choices, especially for multiple series
  3. Improve input validation

Other suggestions are very welcome. I would like to know if anyone else finds this plugin useful.

I would also like to find a way of automatically scaling the height to the current text size, however I cannot figure out how to pick it up (JavaScript perhaps?). Anyone with any ideas please let me know.

If anyone is familiar with wp-cache: will it cache the output of this plugin, specifically the image generated by sparkline/image.php?

This is my first WordPress plugin and the first PHP code I have written other than the odd lines in WordPress templates. If any better coders use this plugin please have a look at the code for any flaws you can spot. The plugin and the underlying library are both beta, but given the plugin’s simplicity I am reasonably confident that it is unlikely to fail in a way that will leave a user with a worse result than a missing or incorrect graph. One limitation is that it cannot handle large series of data because all the data is encoded in the URL, which has a limit of about 2,000 characters.

To install the plugin download the current version, unzip and copy to your WordPress plugins directory, then activate as usual.
