Getting Started with SSL–WordCamp San Diego 2016

As part of today’s admin track at WordCamp San Diego, I delivered a talk titled “Getting Started with SSL.” My intent was to demystify the terminology and process involved with securely delivering traffic. I described my talk this way:

Revelations like Edward Snowden’s about NSA spying, and Google’s announcement that it will begin considering a site’s HTTPS status in its rankings, led to a lot of talk about moving websites to secure connections. Similarly, the rise in ecommerce, and the simplicity with which one can accept payments online, has increased the need for sites to be available securely. With so much terminology that’s likely new, often very similar, and rarely more than a stream of initialisms, this entire discussion can be very intimidating. I’ll clarify basic terminology, offer some reasons why it’s worthwhile to secure a site whenever possible, and share several solutions to cover everything from simple to enterprise needs.

While securing a site can be intimidating at first, the recent introduction of Let’s Encrypt (https://letsencrypt.org/) significantly simplifies the process for most sites. Many hosts have introduced support for this service, which I’ll discuss before delving into options for sites and circumstances that aren’t suited to Let’s Encrypt.

Continue reading Getting Started with SSL–WordCamp San Diego 2016

Google Analytics overload

There are too many Google Analytics plugins in the WordPress.org repository. By my count, there are 900:

When one of these plugins recently changed ownership and rebranded in a poorly-promoted way, I began looking for a new solution. Frustrated by both the volume of related plugins in the official repository, and their unending lists of features that I didn’t need, I did what many perturbed developers would: I wrote a custom solution.

Continue reading Google Analytics overload

More unexpected props

With this week’s release of WordPress 4.5, yet again, I received props without being aware of it beforehand. As was the case when I wrote about this last year, this recognition came for code I contributed many years ago–four in this case, making it older than my contribution to 4.2.

As I wrote then,

I mention this not to bring attention my involvement, but to highlight the importance of patience when contributing to Open Source projects like WordPress.

Please, read Accidental Props 💥 if you’re discouraged or disappointed because your contribution hasn’t been accepted.

X-Frame-Options and WordPress post embeds

WordPress 4.4 simplified the process of embedding WordPress content on other sites with the introduction of post embeds. From the feature’s announcement post:

WordPress has been operating as an oEmbed consumer for quite some time now, allowing users to easily embed content from other sites. Starting with version 4.4, WordPress becomes an oEmbed provider as well, allowing any oEmbed consumer to embed posts from WordPress sites.

The problem

As exciting as this feature is, it ran into an incompatibility with my server configuration. I’ve set the X-Frame-Options header to SAMEORIGIN near-universally within my nginx configuration, thereby blocking other sites from displaying my sites in frames; instead, my sites can only display their own content inside of frames. I’ve done so as a security measure against “clickjacking.” This header has no impact on my use of WordPress, nor on visitors’ interaction with my sites, but as I discovered, it breaks post embeds in an awkward way.

Continue reading X-Frame-Options and WordPress post embeds

Strebel’s interview with Alex King, from PressNomics 4

Today at PressNomics 4, Josh Strebel shared an interview he did with Alex King back in September, just ten days before Alex passed following a long fight with cancer.

It’s both incredible to me, and simultaneously unsurprising, that Alex took the time to record this interview given how sick he was at the time–one final contribution to a community he was so important to and engaged with.

nginx header inconsistency, aka setting headers all the way down

For the three visitors I attract in a month, I’ve had an outsized interest in making this the most secure WordPress site that I can. My focus of late has been primarily on the security-related headers I can set. In particular, ensuring that HSTS and HPKP were present on all requests became a priority.

Why?

A few weeks ago, I noticed that certain assets served from my CDN host lacked the Strict Transport Security headers (HSTS) I’d expected. To the best of my knowledge, I’d configured nginx to set these headers on every request.

Continue reading nginx header inconsistency, aka setting headers all the way down

Building My Network

Over the past three years, I’ve spent more time than I care to admit on a single project. It started off innocently. Since then it’s grown to occupy a significant place in my daily thoughts.

As you read this, you’re experiencing the product of these efforts. Perhaps you clicked on an eth.pw short URL to get here. If not, your browser still had to figure out how to get to ethitter.com. Now that you’re here, maybe you need to contact me via email. To make any of these endeavors possible, I’ve built a personal “network” of servers and had endless fun doing so.
Continue reading Building My Network