So, I’m posting this partly to spread the word and partly to see if the existence of this post will be successfully tweeted complete with short URL.

(NOTE: while YOURLS itself supported the IDN seamlessly, its WordPress plugin seemed to choke silently when pointed at the unicode form of the IDN for the YOURLS API and needed the punycode version to make it work.)

Edit: actually, OpenID login now seems to be entirely broken.  Hmm…

June 6 – 7, 2009; venue to be announced by March 1.  More info and signup at http://wordcampchicago.com/.

Problem: You’ve finally found a theme you like but you want to modify it. The modifications are pretty simple but what happens when you want to upgrade the theme? Do you really want to go through all those files again hunting down the changes? Don’t you wish you could just upgrade and be done with it?

So, basically, install the theme you want, create a new theme directory for you modifications, and in the style.css file, which defines the metainfo for the style, designate the original (unedited) theme as the template.  If need be, use functions.php to make more modifications.  Just note that any template files in your own version’s directory beyond style.css and functions.php will be ignored.

When it comes time to upgrade the theme, you upgrade the “parent” theme and your modifications are unchanged in their own directory.

<?php wp_footer(); ?>

in the footer.php file, like they should, I guess, since that seems to be what the WordPress.com stats plugin needs to register hits.  I had been wondering why the numbers on my dashboards didn’t even remotely match my awstats numbers.

Version 2.5.1 of WordPress is now available. It includes a number of bug fixes, performance enhancements, and one very important security fix. We recommend everyone update immediately, particularly if your blog has open registration. The vulnerability is not public but it will be shortly.

The notice also mentioned the SECRET_KEY thing that I talked about yesterday and gave a link to auto-generate the line for wp-config.php:

Since 2.5 your wp-config.php file allows a new constant called SECRET_KEY which basically is meant to introduce a little permanent randomness into the cryptographic functions used for cookies in WordPress. You can visit this link we set up to get a unique secret key for your config file. (It’s unique and random on every page load.) Having this line in your config file helps secure your blog.

Upgrading took me about 15 seconds (as usual), mostly to find the svn command in the codex again and then a few seconds to run it and a few seconds in hitting the “database upgrade” page on the site before things were all done.

To make cookies secure against attacks where someone has managed to get into your database through an SQL injection exploit or other means, WordPress 2.5 introduced a user-definable constant called SECRET_KEY. If you look at the sample wp-config.php shipped with 2.5, you’ll see these lines.

// Change SECRET_KEY to a unique phrase. You won’t have to remember it later,
// so make it long and complicated. You can visit https://www.grc.com/passwords
.htm
// to get a phrase generated for you, or just make something up.
define(’SECRET_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase

If you upgraded from a previous version of WordPress you probably won’t have these lines in your wp-config.php.

That last bit is, of course, the critical thing for me and had me going back and inserting SECRET_KEYs into all my older/upgraded WordPress installs.  Just remember that if you’re integrating with bbPress, you have to match the SECRET_KEYs in wp-config.php and bb-config.php.

Upgrade your blog to the latest WP. This shouldn’t be hard. There are plugins for it, if you’re techy use Subversion, there is the standard FTP method, and finally Media Temple, Dreamhost, and Bluehost (through SimpleScripts) all have been pretty good about having their one-click upgrade systems ready with new versions within a day or two of a release.

I’m techy, sure, but I don’t know much about subversion other than it seems to have replaced CVS and I didn’t know much of anything about CVS other than that people working on big OSS projects seemed to use it.  (Okay, I know a little more about what subversion and CVS are supposed to do, but I’ve never actually used a check-in/check-out/versioning system.)  I literally just installed subversion with the package manager on my system, then used the commands given in the WP Codex.  Not very techy-like.  Done.

… there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself through hidden spam being put on your site, either in the post or in a directory, and people notice when they get dropped from Google.