Thankfully, the folks who built the Sharing module provided a filter to override the link used with the sharing buttons.

Add this snippet of code to your theme’s functions.php file, or a file in your site’s wp-content/mu-plugins directory, and your visitors will be sharing with shortlinks in no time.

/**
 * Force Jetpack's Sharing module to use a shortlink rather than full permalink
 *
 * From http://eth.pw/s
 *
 * @param string $url
 * @param int $post_id
 * @uses wp_get_shortlink
 * @filter sharing_permalink
 * @return string
 */
function eth_sharedaddy_shortlink( $url, $post_id ) {
	return wp_get_shortlink( $post_id );
}
add_filter( 'sharing_permalink', 'eth_sharedaddy_shortlink', 10, 2 );

Note that the Publicize module, which handles automatically sharing your content to your own connected social media accounts, does use shortlinks already; therefore, the code snippet above won’t have any impact on Publicize.

Also, I opted not to make this a plugin in anticipation of Jetpack making the switch to shortlinks at some point.

Below is a rundown of all that changed. It’s worth noting that all of the plugins I actively maintain are compatible with WordPress 3.6, which will be released in the coming weeks.

WP Print Friendly (WP.org | GitHub)

It recently came to my attention that the content of password-protected posts could be disclosed via the print templates added by WP Print Friendly. Version 0.6 corrects this deficiency.

Additionally, for privately-published posts, the plugin will no longer display a print template if the current viewer can’t read the content. Instead, the not found (404) template in the active, non-print theme will be displayed.

I also took the opportunity to convert the plugin to a proper singleton¹, improve the internal documentation, and ensure that all aspects of the plugin are ready for translation.

I owe a thanks to Steven Word, a new contributor to the plugin, for adding a hotfix for the content disclosure problem until I had a chance to correct the underlying issues. Upgrading to version 0.6 is strongly recommended.

View All Post’s Pages (WP.org | GitHub)

VAPP, as I abbreviate it out of laziness, shares a small amount of code with WP Print Friendly. Thankfully, given the nature of the plugin, it wasn’t similarly vulnerable to content disclosure in the way WP Print Friendly was. In the process of confirming it wasn’t vulnerable, I made a few improvements.

Like I did with WP Print Friendly, I converted the plugin to follow a proper singleton pattern, enhanced the inline documentation, and updated a few strings that weren’t translation-ready.

Date-based Taxonomy Archives (WP.org | GitHub)

This is one of my more-obscure plugins, one that’s meant for developers to leverage in their plugins and themes. It hadn’t gotten a lot of attention since I released it in June 2012, and the code reflected that.

Version 0.3 corrects a situation that resulted in PHP warnings because I’d improperly used the WordPress database class’s method for ensuring queries are safe ($wpdb->prepare()) where it wasn’t needed.

As I did with the two preceding plugins, I also updated the code to follow the singleton pattern and corrected much of its internal documentation.

WP-Cron Control (WP.org | GitHub)

I’ve recently begun maintaining the WP-Cron Control plugin, both because it was created by a former colleague at Automattic, and because I use it on this and several other sites on my network.

I’d noticed that $wpdb->prepare() was incorrectly used in this plugin much like I’d done in Date-based Taxonomy Archives, resulting in a pile of PHP warnings in my server’s error logs. Version 0.7 remedies this situation.

I also continued my quest to make everything translation-ready by ensuring all strings in the plugin options screen are properly tagged.

The Rest

The remainder of the plugins I created or contribute to were tested and their WordPress version compatibility updated to reflect that they work with 3.6. These are:

• Authy for WordPress (WP.org | GitHub)
• Automatically Paginate Posts (WP.org | GitHub)
• External Permalinks Redux (WP.org | GitHub)
• Jetpack Photon for NextGEN Gallery (WP.org | GitHub)
• Taxonomy Dropdown Widget (WP.org | GitHub)
• Taxonomy List Widget (WP.org | GitHub)

Asides

An astute observer will notice that some of my plugins still don’t follow a proper singleton pattern, instead relying on a global variable as I was fond of doing at one point. I have every intention of converting the balance of my plugins to singletons, which will likely happen as other updates to them are needed. At that time, I’ll also ensure the internal documentation is up to par and that the plugin is able to be translated.

If anyone’s up for translating any of my plugins, get in touch!

If you’re a plugin author, have you done the same?

TripIt helps me keep everything organized, and I love the service so much that I pay for the pro version. There are two distinct advantages to TripIt Pro: alerts and the “inner circle.” The former enables the service to monitor my travel plans (flights mostly, with an occassional train ride) and inform me when things change. Their monitoring goes beyond just flight delay notifications by checking for changes in itineraries, which is especially handy when an airline changes a connecting flight; on more than one occassion, these alerts provided an early-enough warning that I could contact the airlines about rebooking flight segments I wouldn’t otherwise have made the connections for. The “inner circle” feature lets me identify specific individuals who always have access to trips in my account; without it, I’d need to manually share each trip with those who frequently wonder where I am.

In addition to my laptop and mobile phone, I also travel with an Airport Express and Apple TV. The former is especially handy when lodging only provides wired internet or for-fee wifi on a per-device basis. In both situations, I can easily connect my many devices to the available connection. The Apple TV affords me big-screen access to Netflix, Hulu Plus, MLB.tv, and NHL GameCenter, in addition to the iTunes Store, so I can keep myself entertained and see a Red Sox or Bruins game regardless of where I am. The $99 each device cost me is easily justified by the savings on hotel internet and entertainment rental charges. I’ve also been careful to maintain tethering and an unlimited data plan on my mobile phone, ensuring almost universally that I can access the internet on the go.

Besides the electronics already mentioned, I’ve reduced the items I travel with to essential clothing and accoutrements. I’m not the type of person who needs much more than those things to be happy. Really, besides clothing and the electronics necessary to do my job, I require food and drink, neither of which it makes sense to travel with. Generally I can fit all that I need into a large duffle and my laptop bag, though my current journey (March 7 to June 3) takes me to places with widely-varying climates such that I’m carrying an additional bag of warm-weather things.

To minimize airport-induced frustration, I’m enrolled in NEXUS and Global Entry, which afford me simplified passage through US and Canadian Customs, as well as access to TSA Precheck. Together, these programs have enabled me to clear Customs in under five minutes, and airport security in as little as two minutes. In the latter situation, I’m no longer required to remove my shoes, can keep electronics and allowed liquids in my carry-on, and rarely endure security queues of more than a few people. TSA Precheck isn’t available at all airports, but most major ones in the US are in the pilot program, and the TSA is regularly adding new locations. There is a cost involved with these programs, in addition to an involved application process, but their benefit–for me–fully justifies the expense. Another fee I’m growing comfortable incurring is that for day passes to airline lounges. Being overly paranoid, I often arrive at the airport far earlier than is required, and lounges provide a quiet, relaxed place to get work done, charge devices, call family and friends, and generally unwind and avoid the madness that airport terminals often become; some lounges even provide showers!

Lastly, I enroll in the frequent traveler program offered by whatever hotel, airline, or train service I utilize. I never thought the miles/benefits earned would amount to anything useful, but the opposite is proving to be true. I’m lucky enough that my employer lets me keep the benefits earned, so I’m reaching a point where I’ll receive free or discounted upgrades on my preferred airlines. Oh, how I wish I’d enrolled sooner!

Without a doubt, the steps I’ve taken to make travel enjoyable for me won’t work for everyone, but perhaps something I’ve detailed here will prove useful. The efforts I’ve undertaken have brought me to a point where I’m in no rush to settle down and foresee being a nomad for some time to come.

What steps do you take to survive short- and long-term travel?

So those in attendance can follow along, below are the slides I’ll use as part of the discussion:

• The Power of WordPress’ Roles and Capabilities
• Understanding map_meta_cap

My appearance at PDXWP was described as follows:

WordPress’ roles seem simple enough on the surface, but behind the Administrator, Editor, and the other default roles is a powerful system that can be customized extensively. For April’s PDXWP Developer’s meetup, Erick Hitter, Lead of Team Custom at Automattic, is joining us to talk about WordPress roles and capabilities.

While some have said that other CMS’ have an advantage when it comes to security and customizing capabilities, Erick will demonstrate that that isn’t true. Starting with a walkthrough of how to modify existing roles and create new ones, he will then cover how to leverage custom roles in WordPress code. Finally, he will wrap up with a discussion of some powerful filters that will prove WordPress has a roles and capabilities system that is as flexible as the popular competitors often touted as having superior implementations.

Lastly, here’s the recording:

There are plugin solutions, such as Limit Login Attempts, that can mitigate the effectiveness of this attack, but I wanted a solution that didn’t  let the flood of attempts ever reach my server’s PHP processor. On this approach, there are numerous tutorials that recommend restricting access to wp-login.php and the entire wp-admin directory. This approach is problematic because WordPress’ Ajax endpoint exists within the wp-admin directory, so it must be publicly accessible for many themes and plugins to function properly.

Since this latest attack targets wp-login.php, I opted to place that file behind basic access authentication by modifying my server’s nginx configuration. This is a single-user site, so I don’t need to worry about managing users at both the server and WP levels.

location ~* /wp-login.php {
	auth_basic "erick t. hitter WordPress Network Login";
	auth_basic_user_file PATH_TO_AUTH_FILE;

	PHP_CONFIGURATION
}

The ~* tells nginx to match all requests for wp-login.php regardless of casing (WP-LOGIN.php, WP-login.php, etc.), and also without regard to the directory the request was made to. I took this approach because my access logs revealed many requests to wp-login.php in directories that didn’t exist, likely the bots’ attempt to uncover all possible locations for the file.

In the above example, PHP_CONFIGURATION is replaced with whatever directives your configuration needs to pass PHP requests to the processor; in my case, I’m using PHP-FPM, and those settings appear there. It is necessary to redeclare these configuration settings within this new location block since the existing declarations won’t be applied to requests handled by this new location block.

Beyond ensuring that the Ajax endpoint is accessible, protecting only wp-login.php also restricts this extra security step to login requests alone. Once I’ve logged in, and for as long as I remain logged in, I’m not prompted to provide the HTTP authentication credentials again. In other words, additional security without too great an annoyance for me.

To be clear, this change constitutes just one element of the login protections employed on my multisite network. The admin user doesn’t exist, I use a very strong password, and I’ve enabled a two-factor authentication plugin.

What are you doing to ensure your WordPress setup isn’t compromised by this latest attack?

Reference: http://arstechnica.com/security/2013/04/huge-attack-on-wordpress-sites-could-spawn-never-before-seen-super-botnet/

Briefly, this was the intent of my talk:

Ever wonder what process WordPress undertakes when someone visits your site? Or how it translates that nice permalink to the database query that ultimately delivers the content your visitors requested? Or what it takes to load the appropriate template from your site’s theme?

In this talk, I’ll walk through WordPress’ loading process and shed some light on the various APIs used. I’ll also discuss how these APIs work together to make the software function.

Slides are available at http://slides.ethitter.com/from-url-to-query/.

I’ll link to the video once it becomes available. The recording of the WordCamp Phoenix iteration is available in the meantime, but isn’t as in-depth as what I covered in Atlanta or Miami.

Ever wonder what process WordPress undertakes when someone visits your site? Or how it translates that nice permalink to the database query that ultimately delivers the content your visitors requested? Or what it takes to load the appropriate template from your site’s theme?

In this talk, I’ll walk through WordPress’ loading process and shed some light on the various APIs used. I’ll also discuss how these APIs work together to make the software function.

Slides are available at http://slides.ethitter.com/from-url-to-query/.

I’ll link to the video once it becomes available. The recording of the WordCamp Phoenix iteration is available in the meantime, but isn’t as in-depth as what I covered in Atlanta.

Ever wonder what process WordPress undertakes when someone visits your site? Or how it translates that nice permalink to the database query that ultimately delivers the content your visitors requested? Or what it takes to load the appropriate template from your site’s theme?

In this talk, I’ll walk through WordPress’ loading process and shed some light on the various APIs used. I’ll also discuss how these APIs work together to make the software function.

Slides are available at http://slides.ethitter.com/wcphx-from-url-to-query/.

The session was recorded, so video should eventually be available on WordPress.tv.

In the meantime, slides for those topics I prepared them for are available:

• Obejct-oriented Plugin Development
• New APIs in WordPress 3.5: WP_Post and WP_Image_Editor
• Playing Well with Others: Why You Should Include Actions and Filters in Your Code
• Moving Beyond the Codex: Learning WordPress from Itself

Thanks to all who attended! It was a great day, due in no small part to the great audience we had. It was a pleasure to work with Paul on this as well!