Category Archives: howto

blogposts on with (very concise and non-foolproof) howto’s.

Stopping WordPress media attachments comment spam

I just had my monthly look at the comments spam queue and was baffled by the amount of spam-comments on WordPress attachments. WordPress, surprisingly, has no option to disable comments on media, so based on information in this codex page about the comments_open function, I quickly assembled a plugin to stop comments on items in the media gallery altogether. The code (which can also be added in functions.php instead of going into a plugin):

Plugin Name: No Media Comments
Author: Frank Goossens (futtta)
Plugin URI:
Author URI:
Description: Stop comments on media attachments
Version: 0.1

add_filter( 'comments_open', 'noMediaComments', 10, 2 );

function noMediaComments( $open, $post_id ) {
$post = get_post( $post_id );
if ( 'attachment' == $post->post_type )
$open = false;
return $open;

After throwing that at my server and seeing it worked, I realized there had to be a plugin for this and I indeed found Disable Comments and Comment Control in the plugin repository. Both plugins are by the same author and are only slightly different in scope really. So if you want to stop the comment spam on attached images on your WordPress blog, you’ve got several options. But shouldn’t this be tackled in WordPress core instead, really?

Fix Samsung ICS Exchange connection errors

[Update 21-5-2012: Samsung released new firmware, version I9100XWLPD, which seems to fix the bug.]

Since updating my Samsung Galaxy  S II to Ice Cream Sandwich, I’ve regularly been experiencing the dreaded “connection error” in the mail client when trying to fetch mail from the corporate Exchange server. A colleague of mine, who agreed to have me upgrade his SGS2 after I promised  everything worked flawlessly, had the problem even more regularly.

Searching the web turned up this interesting thread on xda-developers, which had amongst others a fix for the adventurous, but also this eye-opening comment:

The messages in question are Read Receipts, Delivery Receipts and similar messages. Once there is one of those in your inbox, you’re stuck until you delete it. […] A better solution which has worked for me is to create a folder for your receipts. Then, on your PC, create a rule to move the receipts to the folder on arrival. This will obviously also work when your PC is off, as the rules are stored and executed on the server. You will have to create a rule which processes emails on arrival, matches a series of strings in either subject or body of the message and moves them to the folder.

And that’s exactly what I did; mails sent only to me with “Declined:” or “Accepted:” or “Tentative:” or “Read:” or “Not read:” in the subject line are automatically moved into a “tmp” folder. Your mileage may vary (apparently there are other conditions under which the Android/ Samsung mail client has problems downloading items form Exchange), but based on my limited experience up until now, this workaround gets most problematic items in my Inbox out of the way. Now let’s hope Samsung fixes this blatant error (and that it isn’t in the ICS-version on that beautiful Samsung Galaxy S III)!

Firefox preferences for greater privacy

Although browser addons such as NoScript and Ghostery (which is cross-browser with some limitations) provide great protection against tracking, some people prefer not to have to install plugins. Firefox does have configuration options to somewhat limit what trackers can do. You can follow the knowledge base article here to learn how to disable 3rd party cookies (the default setting in Safari, which Google was caught circumventing).

If you’re up to it, you also simply open up the almighty “about:config” and tinker with the following settings (some of which aren’t available in the browser UI):

  • network.cookie.cookieBehavior with values:
    • “0”: allow all cookies (default)
    • “1”: don’t allow 3rd party cookies
    • “2”: don’t allow any cookies
  • network.cookie.thirdparty.lifetimePolicy with values:
    • “0”: keep cookies for as long as the server asks
    • “1”: ask the user on each and every cookie set (try it out if only for fun, you’d be surprise how much cookies are set)
    • “2”: cookie gets deleted when you close your browser (i.e. at the end of the session)
    • “3”: cookies have a lifetime as defined in the “network.cookie.lifetime.days ” preference
  • network.cookie.thirdparty.sessionOnly: set to “true” or “false”
  • privacy.donottrackheader.enabled: set to “false” (default) or “true”, which gently asks sites not to track you

Setting “network.cookie.thirdparty.sessionOnly” to “true” is a low-impact change which should stop tracking-companies (think Media6degrees or Quantcast) from following you around the web.

If you want to stop Facebook, Google & Co to stop tracking you around the web as well, the above setting will not suffice. You should either log out of their sites as soon as you’ve done your business there or set “network.cookie.cookieBehavior” to “1” (which will break their “social widgets”). Or you can install Ghostery or NoScript, off course.

Remove Facebook like buttons with NoScript

If you don’t like Facebook’s omnipresent Like widgets (there were already plenty of reasons why not to like them and last week’s cookie-debacle only added to that conclusion) and if you already use NoScript so you don’t want to install another plugin (like Ghostery, which reports any tracking activity and allows you to block it), you can put this in NoScript’s ABE user ruleset (NoScript Options -> advanced -> ABE);

# Allow Facebook scripts and objects to be included only
# from Facebook pages
Accept from

This tells NoScript to allow Facebook scripts (you know, to visit, but to stop them from being included in other sites. I guess with NoScript’s surrogate scripts one might even be able to replace Facebook’s Like-widget with one that just shows the old-fashioned (and harmless)  share-button. Now wouldn’t that be fun?

How to fix SSL errors in Mac OS X browsers

So you know about SSL (or rather TLS) and you prefer things secure, so you request and pay for an officially signed certificate and configure your Apache to use it. The next days you’re feeling very Kevin Mitnicky, until some nitwit on Twitter trashes you for the ugly error-message he sees when trying to visit your supposedly “secure” site that is. What’s up with that?

Well, chances are that your disgruntled visitor was using a browser you didn’t test on, like Chrome on Mac for example? Because there is a small issue you have to take into account when “doing https”; both Chrome and Safari (but not Firefox) on Mac use OS X’s keychain, which does not have some of the intermediate certificates needed to establish the trust relationship between your signed certificate and the certificate authority’s root certificate.

As you can’t expect Apple to add intermediate certificates to their keychain by default (which Firefox does a pretty good job though) and you can’t ask all your OS X users to add the intermediate certificate by hand either,  you’ll have to solve this yourself. A good thing Apache can help you in that department with it’s SSLCertificateChainFile directive, which

sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.

If there’s only one intermediate certificate missing between your’s and the CA’s, you can export it in good old Firefox (as a pem-file), place it in the same directory as the actual certificate and use SSLCertificateChainFile to tell Apache where to find it and that should solve the nasty errors those Twittering Mac-heads get.

Google App Engine project template for PHP (with Quercus)

So you’re a wanna-be developer who’d love to deploy in the cloud, but you only  “know” PHP? Well, as you might already have read elsewhere Caucho, the company behind Resin, has a 100% Java GPL’ed implementation of PHP5 called Quercus that can be used to run PHP on GAE. It took me some time to put the pieces of the puzzle together, but in the end it’s pretty straightforward.

From scratch to a deployed webapp in 7 steps:

  1. Download & install the Google App Engine SDK
  2. Download this GAE project template for PHP and unzip it in the root of the SDK directory as  projects/phptemplate/
  3. Put your PHP-files in projects/phptemplate/war/ (you probably want to overwrite index.php and remove phpinfo.php)
  4. Test you application locally with dev_appserver as described here
  5. Login on and register a new application
  6. Put the app id from (5) in projects/phptemplate/war/WEB-INF/appengine-web.xml, between the <application>-tage
  7. Upload your application as described here: appcfg –enable_jar_splitting update <path-to-war> (–enable_jar_splitting is needed as the WEB-INF/lib/resin.jar is rather big)

And there you have it, your very own PHP-app on GAE! Check out the Quercus info on  on how you can access Java components from within you PHP-code, it might come in very handy to use GAE’s Java API’s for the datastore, queues and all those other goodies!

(Disclaimer: while this here template seems to work, I can’t make any promises or provide any kind of warranty.  As soon as you download it, you assume all responsibilities for any problems you might cause to the Internet, GAE or the Ozone-layer.)

Secure your smartphone

Your smartphone probably contains a wealth of information of personal and professional nature, which you would not want others to have access to. This is why (after losing my HTC Hero a couple of months ago) I now try to follow 2 out of these 3 simple rules:

  1. don’t lose your smartphone.
  2. if you lose your smartphone, make sure you have something in place to locate it
  3. if you lose your smartphone and you can’t locate it, make sure you can wipe it remotely

There are multiple solutions to locate & wipe smartphones (including HTC’s Sense online offering), but for my Sense-less HTC Magic I installed “Lookout“. Lookout is a free application that provides device location, contacts backup & restore and apparently also malware protection. If you’re willing to pay $3/month, you also get remote wipe, remote lock and backup/ restore of pictures and call log. If you lose your Android-phone, you just log in to the Lookout-website to locate and optionally lock or wipe your handset.

I’m happy using the free version for now; I activated Android’s pattern lock-screen to avoid anyone from accessing my handset and deactivating Lookout. Remote wipe is great, but I guess I can activate my Lookout Premium account if ever I need that feature?