Protecting wp-contact-form from spam

Ever since I installed WordPress on my (virtual) server, I’ve been using the WP Contact Form plugin to provide me with simple contact form. The plugin isn’t exactly under active development (Last Updated: 2009-8-28), but it got the job done and I was quite happy with it. Until spammers found the page and started abusing it, that is. There’s a bunch of other Contactform-plugins in the plugins repository, but most of them were either too feature-packed or development for them seemed to have stopped.
I considered adding ReCaptcha at first, but why would I want to put my visitors through such an ordeal; the captcha’s seem to have gotten very difficult to decipher.  Next possibility; implement Akismet (Mollom would have been a great choice as well)? There’s a great Akismet PHP5-class, you just provide your API-key and off you go. But it seemed kind of inefficient to have to do all that with the official Akismet-plugin already in place?
But wait a minute, why not just piggyback on the Akismet-plugin, as the Clean-contact plugin and wp-contactform-akismet did? Keep it simple stupid and so I just copy/pasted the clean_contact_akismet-function from Clean Contact’s code into my wp-content/plugins/wp-contact-form/wp-contactform.php and on line 142 I changed:

mail($recipient, $subject, $fullmsg, $headers);
$results = '
' . $success_msg . '
'; echo $results;


if (!$akismet) {
mail($recipient, $subject, $fullmsg, $headers);
$results = $success_msg;
} else {
$results = 'If it looks like spam and smells like spam, it must be spam. Leave (or rephrase)!';
echo '

That was all it took to add Akismet spam-filtering to that KISS-y wp-contact-form plugin. I wonder why this isn’t in the plugin already?

WordPress stats oddity

A couple of months ago I removed Google Analytics from this wee little blog, but I still use the less sophisticated stats plugin to follow up on what is being read around here. Loading the stats-page in my Android-browser is far from optimal (it uses Flash to draw the charts and it is a pretty big page), so I was pleased to read that version 1.3 of WordPress for Android features a stats-section. But the reports don’t work, I just get “No stats data found, please try again later”.
Now while playing around with the stats API over the weekend, I noticed some unusual things:

  • “” works
  • “” results in “Error: zero rows returned.”

The API also supports blog_id instead of blog_uri and after some digging for blog_id’s I found that they are listed in (the html source of) the blog dropdown-list on your stats page. And there the problem became clear: I had two blog_id ‘s for the same blog_uri ( and the first one was defunct:

  • “blog_id=2184847” results in “Error: zero rows returned.”
  • “blog_id=2185033” works just fine

As I can’t remove the entry with the faulty blog_id from the Stats DB and as I can’t change the Android WordPress app to use one of multiple blog_id’s instead of the blog_uri, I can’t fix this little bugger myself, so I contacted WordPress Support. But how did I end up with 2 blog_id’s in the database?

Over vanalles en nog wat

Een paar kleine ditjes en datjes, het moet hier niet altijd proper uitgewerkt zijn:

  • Dropbox is tof, maar niet perfect: op Android een file aan je Dropbox toevoegen doet pijn aan het gat en de Windows-versie wilt ook thuis de proxy van het werk gebruiken (auto-detect proxy werkt niet).
  • WP-YouTube-Lyte zit aan versie 0.4.1, de afmetingen van de player zijn nu configureerbaar. Het ding is al bijna 2300 keer gedownload (cumulatief voor alle versies) en op basis van de downloadcijfers na een release gok ik dat het op een site of 300 geïnstalleerd staat.
  • Van cijfers gesproken, afgelopen maandag met deze blog de 100.000 pageviews gepasseerd, dank daarvoor anonieme passant.
  • Ik draai al een week ofzo op Firefox 4 beta1 (zowel op Windows als op Ubuntu), lekker stabiel voor een eerste beta. Tabs on top is inderdaad logisch en html5 video (met WebM) op YouTube lukt nu ook, maar aan de nieuwe theme en add-on manager is nog “wat” werk. Beta2 zou eerstdaags uitkomen, maar het is nog wachten op de grote javascript snelheidswinst (waarmee FF terug dichter bij de concurrentie zou moeten komen).

En nog wat: als het gesprek even stilvalt, vragen mensen niet meer naar het weer, maar naar je mening over de slaagkansen van droomkoppel De Wever & Di Rupo. Ik zeg dan dat ze moeten slagen en dat ze dat zelf ook weten want dat het er anders niet goed uitziet voor onze portemonnee en dan verwijs ik naar een interessant artikel dat ik daarover op Apache las en het gesprek valt weer stil.

Cross-platform cloud storage with Dropbox

When a good friend of mine bought a Sony Xperia X10 Mini Pro (that small dude does have a keyboard) and couldn’t find JungleDisk in the Android market, I went looking for alternatives (I had already looked into cloud-based storage/ backup back in 2007) and found Dropbox.
Dropbox is an Amazon S3-based cloud-storage solution with client software for just about every system, Android included. Moreover it offers an API for platforms or applications that need Dropbox access as well. The basic account (with 2Gb storage) is free (sign up here and I’ll get some more free storage thank-you-very-much), so I installed it on the Windows laptop at work, on my Linux “disktop” and on my HTC Hero and (at first sight) all seems to work exactly as advertised (free, easy, cross-platform).
And now that I have external storage that allows sharing files with anonymous users, I could offload some files from my own server? But more importantly; I really should look into reworking that old backup shell-script again (I’ll have to get dropboxd up and running first though). Or maybe I’ll just install WP Time Machine to automatically back up just this blog to my Dropbox-account?

Embedding HTML5 YouTube video with WP YouTube Lyte

I re-implemented newTube.js, an earlier experiment to embed HTML5 YouTube video, into my WP YouTube Lyte plugin. This means that WP YouTube Lyte (for easy lite YouTube embeds, reducing download size & rendering time substantially) can now also use the HTML5-based YouTube video-player to play your embedded video.
If the -experimental- HTML5 option is enabled, WP YouTube Lyte will embed HTML5 YouTube video if:

  • Your visitor uses a browsers that supports the h264 (Safari, Chrome, IE9) or WebM (currently development versions of Chrome, Opera and Firefox) video codecs
  • Your visitor is enrolled in the YouTube html5 beta

If these requirements aren’t met, your visitors will see a Flash-based version of the YouTube video you specified.
As newTube.js is sort of a dirty hack which replaces the LYTE dummy player with an iframe with overflow:hidden, in which the full YouTube-page is carefully positioned to display only the player, there are some other caveats to take into account as well:

But apart from all this small print, is works rather nice if I may say so myself. Or better still, just look at this little They Might Be Giants gem embedded here;

They Might be Giants-Birdhouse In Your Soul

Lovin’ the WordPress plugin ecosystem

I’m a sucker for simple things and in my book, WordPress (the open source software) is a great example of a simple yet powerful solution for publishing on the web. The last few days I experienced their plugin-ecosystem to be just as simple and powerful.
If you have a plugin to share and you:

  1. register on
  2. fill out a form to submit your plugin for inclusion in their repository
  3. after confirmation upload your code (together with a structured readme-file) via svn

Then boom, automatically;

  • plugin pages (for description, installation, faq, changelog, …) are created and populated with information from the readme and base php-file
  • a zip-file is created containing your stable version
  • your plugin is listed on the “new plugins” page

Before you know it, you’ve got a bunch of real users (wp-youtube-lyte was downloaded 128 times in 2 days) who can rate your plugin and provide you with feedback. And every time you upload a new stable version via svn, a new zip-file is created and your users will get a notification in their wp-admin pages, allowing them to upgrade by simply clicking that upgrade link. Don’t you love it when a plan comes together?
But enough raving already, got to go create that admin-page for my plugin now, as requested by a user. I’m a sucker for real users!

Lite YouTube Embeds in WordPress

This 3rd episode in the “High performance YouTube embeds” series brings you yet another way to use LYTE instead of normal YouTube embeds: wp-youtube-lyte. This WordPress-plugin will automatically replace YouTube-links that start with “httpv://” with Lite YouTube Embeds, thereby significantly reducing download size & rendering time.
wp-youtube-lyte plays nice with the great “Smart Youtube” plugin, in which case it will take care of the default embeds (httpv), while Smart Youtube will parse the other types (httpvh, httpvhd, httpvp, …).
You can download the plugin from
A quick demo maybe, to finish things off? Owen Pallett performing “Lewis takes action” live in the KCRW studios:

Owen Pallett - Lewis Takes Action

WordPress galore: plugin bugs, android app, json-api & wp 3.0

Some random WordPress-related thingies I’ve been looking into;

Speed up your (WordPress-)site!

Google likes fast! Visitors like fast! So why don’t you go make your site really fast?
Suppose you just bought yourself hosting and you just installed WordPress for blogging or lightweight-CMS-purposes, how can you improve your site’s performance in that case? Easy!

  1. speed up PHP: use a caching optimizer (I use APC) to significantly speed up PHP performance (don’t bother  signing up for shared hosting with a company that doesn’t offer PHP with acceleration).
  2. cache dynamic output: install the “WP Super Cache” WordPress plugin. Configure and then forget about it; if you create/edit a blogpost, impacted pages are automatically removed from cache.
  3. optimize CSS and JS: install the “CSS JS booster” WordPress plugin, which (amongst other things) grabs all CSS and JS from WordPress and Plugins and outputs it in one CSS- and one JS-file (some plugins, e.g. Sociable and WordPress Mobile Pack, might need tweaking of the css media-attribute though) UPDATE: CSS JS booster has not been updated since 2010 and I switched to (and later even took over development of) Autoptimize for JS, CSS & HTML optimization.
  4. avoid calling 3rd party javascript: tracking (e.g. Google Analytics, which I removed), widgets (e.g. Twitter badges) or other 3rd party gadgets (e.g. AddToAny, which I removed) can slow down your site’s performance significantly
  5. optimize images: fire up your favorite photo editor and make that image just a bit smaller, use an acceptable level of compression (I end up between 70 and 80% for JPEG’s, depending on the image) and upload to to squeeze out the last optimization-drop (example; I used a 20KB picture from Flickr, resized it to 80%, saved it with 77% compression and smushed it to end up with a mere 6KB).

The impact of a number of these steps can be measured easily; below are the response times of my blog’s homepage (the  html including css, js and images) as measured by Pingdom Tool’s Full Page Test.

  1. default WordPress (on a Linux VPS with 320Mb RAM memory): 6.5 seconds
  2. (1)  with PHP APC activated: 4.1 seconds
  3. (2) with WP Super Cache: 3.1 seconds
  4. (3) with CSS JS Booster: 1.3 seconds

So there you have it, from 6.5 to 1.3 seconds in only 5 easy steps! WordPress specific, but easily applicable to other platforms as well. Now go and make your site fast! And then go and make it even faster!

AddToAny: removing the “spy” from the share-ware

Update 02-2015: the information below does not reflect the way AddToAny works now and as such only has historical value. The comment by A2A’s developer below, explains what has been done between 2010 and 2015.
After discovering AddToAny secretly enrolls all of my blogs visitors in a behavioral marketing platform, I disabled the plugin and mailed the author for more information. He answered the media6degrees-integration was a partner-test, only providing them with non-personally identifiable data, which the company indeed can use for targeted advertising. But the good news was that AddToAny would also offer a “publisher opt-out mechanism” shortly. And indeed, last week, Pat announced the brand new a2a api and mailed me the following opt-out code;

var a2a_config = a2a_config || {};
a2a_config.no_3p = 1;

These two lines of javascript, which have to be placed in front of the script-include, should disable all current and future 3rd party tracking. I hope the web-guys from e.g. and (and there are many others) implement this as soon as possible!
So now we can opt-out from having our visitors being spied upon by media6degrees, what more could one want? Well, since you’re asking, here’s a small list of things AddToAny could really should do;

  • transparency; tell users that their visitors’ information will be shared with 3rd parties (in all relevant places)
  • documentation: show them how to “remove the spy” on the AddToAny api page (“no_3p” isn’t there)
  • ease-of-use: allow the tracking to be disabled with a simple checkbox in the WordPress and Drupal plugins

The opt-out code is a important first step and I’m sure concerns such as those voiced on the WordPress-forums will help AddToAny to further make the right decisions!