Mark on WordPress

WordPress 2.5.1 is out, with a ton of little bug fixes and one important security fix. Go upgrade your 2.5 blogs now.

One area that has changed is shortcodes, those little square bracket shortcuts like [gallery]. In WP 2.5, those were processed before paragraphs were auto-created and quotes were curled. This lead to funky (and invalid) XHTML formatting for block-level shortcodes like the [gallery] one. In 2.5.1, shortcodes are parsed “at 11″ — that is, after paragraphs are wrapped and quotes are curled. Additionally, a shortcode with a buffer line between surrounding content will not be paragraph wrapped.

Example:

[gallery]

That shortcode’s output would be untouched by WordPress — whatever the shortcode outputs is going to the browser. Note that if you’re a plugin developer and you want the output of your shortcode to be p-wrapped or have its quotes curled, you’ll have to call those functions yourself. At some point in the future we may add more options for shortcode calling, but for now, you’re on your own for formatting.

Be sure to check out the excellent documentation for this feature!

At one time, my Subscribe to Comments plugin would allow you to have the subscription checkbox checked by default. This is no longer the case. I get a lot of e-mail asking about this change, so I’d like to explain it.

In short, having the box checked by default was causing people to subscribe unwittingly, as it was an opt-out thing. I was getting a lot of flak about this, because a lot of sites had enabled this option without thinking about the ramifications (even I had it enabled for a while!). Opt-out is a bad way to operate, and it doesn’t provide a good user experience. A lot of users see it as being sneaky. Obviously if you want to edit the plugin to re-enable this option, I can’t stop you — but I no longer wanted to be encouraging use of this option.

“But what if you have a user who wants to subscribe to every post?” you ask. Well, here’s how it works now. If you subscribe to an entry’s comments, you’ll get a cookie that remembers that you subscribed. And when you visit other posts, the checkbox will be checked by default (for you only). So you only have to opt-in once. Naturally if you then leave a comment with the box unchecked, your personal default will revert to unchecked. I think this is a much better solution.

WordPress, by default, creates <title> tags that look like this: <title>Yoursite » Your Post Title</title>.  Many people want to use <title>Your Post Title » Yoursite</title> instead, to give more importance to the mutable part of the <title>.  There are plugins to do this, but I’d like to show you how a simple change in your theme can accomplish this task. Caveat: this only works in WordPress 2.5 and above.

1. Open your header.php theme file (if you don’t have one, open index.php or whatever one has your <title> tag)
2. Look for:
   <title><?php bloginfo('name'); ?> <?php if ( is_single() ) { ?> &raquo; Blog Archive <?php } ?> <?php wp_title(); ?></title>
   (or something similar) 
3. Replace it with:
   <title><?php wp_title('&raquo;', true, 'right'); ?> <?php bloginfo('name'); ?></title>

The first wp_title() argument is the separator character.  I like » (which looks like: »).  The second argument is whether to echo (print to the browser) the title, or to return it.  We want to print it, so we put true.  The final argument is where the separator should go… on the left or on the right. We want right, so we put "right". Simple enough!

Update: I got confirmation from Matt Cutts at Google that this is better for SEO.

Are you having trouble figuring out how to edit comments from with in the WordPress 2.5 admin (or on WordPress.com since the admin upgrade) ? Here’s the secret: you have to click the name of the commenter or the name of the site that sent the TrackBack/Pingback.

This sort of mirrors how post edit links work. To edit a post (or a page), you just click the name of the post. That is quite intuitive. I learned that behavior in about a day, and now the old way of clicking the “Edit” link seems strange. I’ve not had the same experience with comments. I think the problem is that comments don’t have a title, like posts do. The title is an obvious click target. It is (generally) unique, and it is a natural answer to the question “which post do I want to edit?” (oh yeah, this one!) Clicking the comment author is not intuitive. You don’t want to edit the comment author, you want to edit the comment. The comment author is often not unique, and doesn’t really work as a “handle” for an individual comment.

I’m not the only one having trouble with this.

I’ve started an Idea in the WordPress Idea forum that suggests we revert to having an “Edit” action link for comments. Go add your two cents there (and then come back here for more discussion).

If  you haven’t yet read Mark Pilgrim’s “Club vs. Lojack Solutions” article from 2002, go catch up, then come back here.

“Otto” on the wp-hackers mailing list brought up the tried and true “hidden form field” solution for comment spam, remarking on how well it worked for him.  It didn’t take long for people to point him to Pilgrim’s entry and tell him that if it were implemented in WordPress core (or even as a popular plugin), it would cease to be effective.  The exchange reminded me of a “P.S.” to Pilgrim’s entry that I’ve been throwing around in my head:

Club solutions can be fairly effective if your Club is different from everyone else’s Club, and is constantly changing.

So hooray for Club makers.  They have what it takes to put a huge dent in their comment spam.  But what about everyone else, who doesn’t have the technical knowhow to invent a new Club every couple of weeks?  We need a shape-shifting Club.

Andy Skelton told me about his shape-shifting Club at SXSW:

Who is “Milton?”  You’ll have to read the post to find out.  So, essentially, for each post, he’s defining a unique question, and a unique answer.  He said that besides the anti-spam benefit, it also has the potential to weed out stupid commenters, or lazy commenters who didn’t read the whole article (he often makes the questions about something in the article).  The downside is that he has to craft a new question/answer for each post.

So this is a good example of a shape-shifting Club that doesn’t require technical expertise.  But what would be better is a Club that could shape-shift without user intervention, or at least with less user intervention.  It would also have to shape-shift in a way that spammers couldn’t predict.  Start thinking.

Jeremiah Grossman posted some good slides about the issue of Cross-Site Request Forgeries (CSRF).  We tackled this security issue in WordPress two years ago.  I wrote an article about the issue that still holds true (plugin authors should definitely give it a read if any of this sounds unfamiliar).  Our method is the token method, with fallback to a slightly modified version of the Are You Sure? method for plugins that haven’t properly implemented the token method.  It was a large effort to implement it, but it has paid off handsomely.  CSRF is largely a non-issue in WordPress, which means we can focus our efforts on XSS and SQL injection vectors.

Mike Davidson, CEO of the very cool Newsvine, switched from Movable Type to WordPress three months ago, and spent some time listing his reasons for doing so. Consider this the antidote for any WordPress community members who were feeling a little bruised by Anil Dash’s recent article about switching in the opposite direction.

Aside to Mike: are you planning on attending Gnomedex this year? Rumored to be the weekend of August 8th. I’d love a chance to meet you.

Aside to Anil: I swear I’m going to reply to the technical points of your WP 2.5 article eventually. There are a few points that merit correction, and other points that deserve a response.

I’ve been whiteboarding a new WordPress comment management interface for about a year now — since before the Happy Cog admin redesign started. I had some lofty goals (admittedly some of them were borderline unachievable), but my main goal was this: make comment management more like managing a Gmail inbox. There are typically four actions you can perform on a message in your Gmail inbox (other than reading it, that is): reply, archive, mark as spam, delete. And “reply” is sort of diversion, so let’s make that three actions: archive, mark as spam, delete. The great thing is that if you do it right, at the end, you’re left with an empty inbox, and you know all your open loops have been addressed. It’s a good feeling, and it lets you know that the next time you dive into your inbox, you’re starting where you left off.

With WordPress comment management, it was more like jumping on a passing train of infinite length, and trying to deal with all of the passengers on board, without knowing which passengers have been dealt with (do you walk towards the caboose or the engine!?). When you’re done, you jump off, land on a cactus, and probably don’t feel like doing it again.

So my goal was to move away from the infinite train of confusion and more to the zen-like GTD tranquility of the Gmail inbox. Liz Danzico from Happy Cog alluded to a similar goal at WordCamp SF 2007. Although the Happy Cog redesign of the comment management screens is worlds better, it didn’t fundamentally address the speeding train issue. And to be honest, I’ve been stuck on the problem for months. I couldn’t think of an implementation that wouldn’t be a massively disruptive (and risky) overhaul… until tonight — kept awake by SXSW-inflicted cough and sore throat that refuse to die, I had my epiphany. The solution is already here. I’ve been searching for something that WordPress already does.

Drumroll please. The solution is: the comment moderation panel. Full stop.

I’ve noticed that Matt Mullenweg hasn’t quite been as dissatisfied with comment management as I have, and there’s a simple reason: he approves every comment that appears on his blog, whereas I deal with the comments after the fact.

Now I know what you’re thinking… but what if I don’t want to have to approve comments before they appear on my blog? Simple: tweak your blog to publicly show unapproved comments! Now there are three comment statuses in WordPress: approved (1), unapproved (0), and spam. With my proposed system those can be virtually “rethought” as: seen (1), unseen (0) and spam. Both “seen” and “unseen” comments would show on the blog immediately, but “unseen” comments would show up in the moderation queue (which, thanks to the Happy Cog redesign, shows its contents in a colorful comment bubble on every WordPress admin page). Welcome to your comment inbox. There are three types of comments: ham (good comments), spam (advertisements), and bacn (offtopic, lame, rude, abusive, overly-self-promotional-but-not-quite-spam), and there are three corresponding actions: archive (by clicking the “approve” link), mark as spam, delete — just like in Gmail.

I’m going to write a plugin that does this as soon as I can, but I’m also going to be looking for a way to work this into WordPress core, as I think it would really help people manage their comment load.

So what do you think? Is this brilliant? Am I completely off my rocker? Am I an idiot for not seeing this solution before now?

Update: Here’s the plugin!

This is probably going to sound trivial — and it is — but my main complaint about WordPress.com is its name. It is tremendously confusing to people, including WordPress users, WordPress.com users, and outsiders. The WordPress.com forums are full of people asking things about WordPress, and the WordPress project gets “collateral damage” flak for WordPress.com policies. It also hasn’t helped the issue of people thinking of WordPress as a creation of Automattic, instead of the other way around. “WordPress” is entered into web award competitions, but it often is clear whether they mean the WordPress project or the WordPress.com service. I can’t help but think that both entities would be better served had the WordPress.com service used a different name/domain: [FooName] — powered by WordPress.

I’ll now open the floor to Lloyd Budd for a counterpoint.

Update: Automattic’s upcoming hosted BBPress-powered forum service will be called TalkPress… not BBPress.com — though that may have more to do with bbpress.com being taken and “BBPress” being quite a clumsy name for a commercial offering.

Automattic, the company behind WordPress.com, just secured a $29.5 million B round of financing. Congrats to Matt, Toni, and everyone else at Automattic. $29.5 million is a monster round, considering that Automattic has so far grown by sipping daintily on a $1.2 million first round secured in 2006. I can’t wait to see what is next. Really interesting to me is that with this round the New York Times joins their investors. One word for that: adaptation. The line between old media and new media blurs further.

TwoThree of the candidates for the 2008 US presidential election are running WordPress:

On the Democratic side, we have Joe Biden, rocking an older version of plain-old WordPress.

On the Republican side, we have Fred Thompson, who went with WordPress MU.

Update: Doh! I can’t believe I missed Republican candidate Ron Paul! Dr. Paul’s site is using WordPress MU to run their “people” blogs, which feature several blogs written by supporters of the campaign.

Movable Type is now Free for any purpose, under the same license used for WordPress. Take the mic, Mr. Dash.

As of today, and forever forward, Movable Type is open source. This means you can freely modify, redistribute, and use Movable Type for any purpose you choose.

[...]

Like many of us on the team, some of you have been waiting for this moment for years. For a business, an open source license affects boring things like how a product is created, updated, and distributed. But the open source movement has always been about something more important: Freedom. With a name like “Movable Type”, we’ve always been keenly aware of the importance of freedom, as that name echoes both the birth of the printing press and the creation of independent media that an individual can control.

Congratulations to the Six Apart team and the Movable Type community! This is a big deal.

There are detractors, to be sure — but I am not among them. Although the move is overdue, I have no doubts about the sincerity of their intentions or their attitude towards Free/Open Source Software.

Here is a nice interview with Matt Cutts of Google by Reachd TV. Matt has some kind words for WordPress, specifically related to SEO and the canonical URL improvements that went into WordPress 2.3

WP discussion starts at 0:48. For an in-depth look at the canonical URL feature, check out my writeup of the feature.

SmugMug is a photo hosting service targeted towards professionals, and a shining example of how a Valley company can survive (and make a profit) without funding and without completely littering their site with ads. They just released a new “SmugMungous” feature that scales photos up when your browser window is bigger — looks fantastic, and doesn’t use Flash!

But what I thought was really awesome was the “Runs on” line at the bottom of all their blogs:

[blog name] uses WordPress, just like Batman would if he blogged.

That made me smile.

Brian Layman and I did a brief session on WordPress at Blog World Expo. Here are the slides we used.