wordpress

WordPress.com Stats trojan horse for Quantcast tracking

by

Suppose you’re a blogger who values website performance and online privacy. You may have ditched Google Analytics because you think the do-no-evilers do not have to know who is on your site. Maybe you removed AddtoAny because of the 3rd party tracking code that slows down your site ever oh so slightly. And you don’t want the omnipresent Facebook Like widget for all the above reasons. No, the only 3rd party javascript you allow is the one pushed by the WordPress.com Stats plugin; one javascript-file  and one pixel and you get some nice stats in return. And come on, WordPress, those are the good guys, right?
Well, apparently not. While performing a test on for example webpagetest.org, you’ll see two requests to the quantserve.com domain;

http://edge.quantserve.com/quant.js
http://pixel.quantserve.com/pixel;r=705640318;fpan=1;fpa=P0-450352291-1292419712624;ns=0;url=http%3A%2F%2Fblog.futtta.be%2F;ref=;ce=1;je=1;sr=1024x768x32;enc=n;ogl=;dst=1;et=1292419712624;tzo=300;a=p-18-mFEk4J448M;labels=type.wporg

Ouch, that hurts! But surely Quantcast aren’t in the same league as AddtoAny’s media6degrees, who do behavioral advertising based on data captured all across the web? Well … Quantcast might be better known, but they do exactly the same thing; collecting user information and providing that info for targeted advertising. And just so you know, Quantcast is one of the companies that is on trial for restoring deleted cookies using Flash (“zombie cookies”). So no, I’m not comfortable with Quantcast collecting data on my blog’s visitors.
Now I know that I opted in on user-tracking by WordPress (or rather Automattic). And I can live with them knowing who visits my blog, I can live with the small performance-impact that the stats-plugin has on my site that way. But I did not sign up for 3rd party tracking, the plugin-page conveniantly fails to mention the extra tracking, there’s no opt-out mechanism in the plugin and there’s no info to be found on how to disable Quantcast tracking users on my own blog. I am not a happy WordPress-blogger!
So Automattic; please fess up and at least provide instructions on how to disable 3rd party tracking, just like AddtoAny’s Pat gracefully did?

Update 20 january 2011; Automattic seems unwilling to acknowledge there is a problem, the thread on wordpress.org forums where this was discussed has been closed. I created a small WordPress plugin, DoNotTrack, to stop Quantcast tracking. you can download it here.

Venus doesn’t love noscript

by

Damn, Venus doesn’t love noscript!
You’ve got no clue what I’m rambling about, do you? Well, allow me to explain;

So now you know the context, let me reiterate; Venus doesn’t treat noscript the way it should! It not only strips out javascript as it should (are you listening tt-rss?) but it replaces noscript-tags and all HTML inside with escaped HTML (with HTML-entities actually). And that, my beloved ones, means that the HTML that WP YouTube Lyte generates, doesn’t work properly on Venus-based planets.
So I started looking at the Venus source and mailed with Planet Grep’s Wouter Verhelst to solve this issue. At first sight the solution seemed pretty straightforward; Venus shouldn’t ‘escape’ noscript but should instead just strip the opening and closing noscript-tag. Wouter installed a small sed-filter I wrote and added noscript to the whitelist of Venus’s sanitizer (which is based on Universal Feed Parser) and … it did not work.
The problem apperantly is with another sanitizing component in Venus; html5lib. Sam Ruby, the developer of Venus, wrote on the mailinglist;

There are multiple sanitization passes involved here. […] The html5parser seems to think that noscript is to be parsed as text only, which would result in the behavior that you describe.  Looking at the current HTML5 spec, it appears that this does not match the expected behavior — so perhaps that changed too.

So I started looking at html5lib and … well, I’m stuck, html5lib is a pretty complex beast for a smalltime non-developer to dive into. So earlier today I turned to the html5lib discussion list to ask how sanitization can be configured not to escape noscript, let’s hope someone will enlighten me. Because until then those poor Planet Greppers won’t be able to see (a thumbnail of) Al Jarreau’s great version of Take Five way back in 1976:

Al Jarreau 1976 -Take Five
Watch this video on YouTube.

The bulleted WP YouTube Lyte bulletin

by

It’s been a while since my last “state of WP YouTube Lyte” post, so here are the most important tidbits since;

Feedback is welcome; see info in the FAQ for bug reports/ feature requests and feel free to rate and/or report on compatibility on wordpress.org.
And as befits a post about WP YouTube Lyte on a Friday afternoon, here’s a little YouTube from Gold Panda you can start your weekend with;

Snow And Taxis
Watch this video on YouTube.

The state of WP YouTube Lyte (now with fresh Pomplamoose)

by

Although it has been a few months since I last wrote about my baby WordPress plugin, time did not stand still between version 0.3.0 and 0.5.2; the player size can now be changed in the options-screen, I’ve replaced my newTube html5-hack with Google’s official (yet experimental) new html5-compatible embed code and I started migrating the CSS from the mess that had become the JavaScript-file. And I almost forgot what may be the most important change; I started searching for blogs that use WP-YouTube-Lyte to see how it behaves in the wild. Some of the bugs I discovered that way;

But with all those changes you might start to wonder if WP-YouTube-Lyte still reduces download size & rendering time substantially, no? So I ran a couple of new tests for this page on my blog (it has 3 embedded YouTube’s) on webpagetest.org (settings: 5 runs on IE7 via Amsterdam, excluding requests to stats.wordpress.com). The difference is … well, judge for yourself (or see below the tables for the summary)
With normal Flash-based embeds (full results here):

Document CompleteFully Loaded
Load TimeFirst ByteStart RenderTimeRequestsBytes InTimeRequestsBytes In
First View1.850s0.634s1.330s1.850s15343 KB5.350s22524 KB
Repeat View1.142s0.346s0.497s1.142s517 KB2.455s517 KB

And with WP YouTube Lyte (full results here):

Document CompleteFully Loaded
Load TimeFirst ByteStart RenderTimeRequestsBytes InTimeRequestsBytes In
First View1.201s0.355s0.974s1.201s1055 KB2.065s20103 KB
Repeat View0.605s0.352s0.473s0.605s212 KB1.447s514 KB

Did you see that? Less requests, less data and faster rendering for first and repeat views. Hurray for WP-YouTube-Lyte! But enough with that ego-tripping already, I’ve got an Opera-bug to look into! Or wait, I’ll watch this great new Pomplamoose+Ben Folds+Nick Hornby  videosong first:

Ben Folds, Nick Hornby, & Pomplamoose VideoSong!!!!
Watch this video on YouTube.

Protecting wp-contact-form from spam

by

Ever since I installed WordPress on my (virtual) server, I’ve been using the WP Contact Form plugin to provide me with simple contact form. The plugin isn’t exactly under active development (Last Updated: 2009-8-28), but it got the job done and I was quite happy with it. Until spammers found the page and started abusing it, that is. There’s a bunch of other Contactform-plugins in the wordpress.org plugins repository, but most of them were either too feature-packed or development for them seemed to have stopped.
I considered adding ReCaptcha at first, but why would I want to put my visitors through such an ordeal; the captcha’s seem to have gotten very difficult to decipher.  Next possibility; implement Akismet (Mollom would have been a great choice as well)? There’s a great Akismet PHP5-class, you just provide your API-key and off you go. But it seemed kind of inefficient to have to do all that with the official Akismet-plugin already in place?
But wait a minute, why not just piggyback on the Akismet-plugin, as the Clean-contact plugin and wp-contactform-akismet did? Keep it simple stupid and so I just copy/pasted the clean_contact_akismet-function from Clean Contact’s code into my wp-content/plugins/wp-contact-form/wp-contactform.php and on line 142 I changed:

mail($recipient, $subject, $fullmsg, $headers);
$results = '<div style="font-weight: bold;">' . $success_msg . '</div>';
echo $results;

into:

$akismet=clean_contact_akismet($msg,$subject,$email,$name);
if (!$akismet) {
mail($recipient, $subject, $fullmsg, $headers);
$results = $success_msg;
} else {
$results = 'If it looks like spam and smells like spam, it must be spam. Leave (or rephrase)!';
}
echo '<div style="font-weight: bold;">'.$results.'</div>';

That was all it took to add Akismet spam-filtering to that KISS-y wp-contact-form plugin. I wonder why this isn’t in the plugin already?

WordPress stats oddity

by

A couple of months ago I removed Google Analytics from this wee little blog, but I still use the less sophisticated WordPress.com stats plugin to follow up on what is being read around here. Loading the stats-page in my Android-browser is far from optimal (it uses Flash to draw the charts and it is a pretty big page), so I was pleased to read that version 1.3 of WordPress for Android features a stats-section. But the reports don’t work, I just get “No stats data found, please try again later”.
Now while playing around with the stats API over the weekend, I noticed some unusual things:

  • “blog_uri=futtta.wordpress.com” works
  • “blog_uri=blog.futtta.be” results in “Error: zero rows returned.”

The API also supports blog_id instead of blog_uri and after some digging for blog_id’s I found that they are listed in (the html source of) the blog dropdown-list on your wordpress.com-dashboard stats page. And there the problem became clear: I had two blog_id ‘s for the same blog_uri (blog.futtta.be) and the first one was defunct:

  • “blog_id=2184847” results in “Error: zero rows returned.”
  • “blog_id=2185033” works just fine

As I can’t remove the entry with the faulty blog_id from the Stats DB and as I can’t change the Android WordPress app to use one of multiple blog_id’s instead of the blog_uri, I can’t fix this little bugger myself, so I contacted WordPress Support. But how did I end up with 2 blog_id’s in the database?

Over vanalles en nog wat

by

Een paar kleine ditjes en datjes, het moet hier niet altijd proper uitgewerkt zijn:

  • Dropbox is tof, maar niet perfect: op Android een file aan je Dropbox toevoegen doet pijn aan het gat en de Windows-versie wilt ook thuis de proxy van het werk gebruiken (auto-detect proxy werkt niet).
  • WP-YouTube-Lyte zit aan versie 0.4.1, de afmetingen van de player zijn nu configureerbaar. Het ding is al bijna 2300 keer gedownload (cumulatief voor alle versies) en op basis van de downloadcijfers na een release gok ik dat het op een site of 300 geïnstalleerd staat.
  • Van cijfers gesproken, afgelopen maandag met deze blog de 100.000 pageviews gepasseerd, dank daarvoor anonieme passant.
  • Ik draai al een week ofzo op Firefox 4 beta1 (zowel op Windows als op Ubuntu), lekker stabiel voor een eerste beta. Tabs on top is inderdaad logisch en html5 video (met WebM) op YouTube lukt nu ook, maar aan de nieuwe theme en add-on manager is nog “wat” werk. Beta2 zou eerstdaags uitkomen, maar het is nog wachten op de grote javascript snelheidswinst (waarmee FF terug dichter bij de concurrentie zou moeten komen).

En nog wat: als het gesprek even stilvalt, vragen mensen niet meer naar het weer, maar naar je mening over de slaagkansen van droomkoppel De Wever & Di Rupo. Ik zeg dan dat ze moeten slagen en dat ze dat zelf ook weten want dat het er anders niet goed uitziet voor onze portemonnee en dan verwijs ik naar een interessant artikel dat ik daarover op Apache las en het gesprek valt weer stil.

Cross-platform cloud storage with Dropbox

by

When a good friend of mine bought a Sony Xperia X10 Mini Pro (that small dude does have a keyboard) and couldn’t find JungleDisk in the Android market, I went looking for alternatives (I had already looked into cloud-based storage/ backup back in 2007) and found Dropbox.
Dropbox is an Amazon S3-based cloud-storage solution with client software for just about every system, Android included. Moreover it offers an API for platforms or applications that need Dropbox access as well. The basic account (with 2Gb storage) is free (sign up here and I’ll get some more free storage thank-you-very-much), so I installed it on the Windows laptop at work, on my Linux “disktop” and on my HTC Hero and (at first sight) all seems to work exactly as advertised (free, easy, cross-platform).
And now that I have external storage that allows sharing files with anonymous users, I could offload some files from my own server? But more importantly; I really should look into reworking that old backup shell-script again (I’ll have to get dropboxd up and running first though). Or maybe I’ll just install WP Time Machine to automatically back up just this blog to my Dropbox-account?

Embedding HTML5 YouTube video with WP YouTube Lyte

by

I re-implemented newTube.js, an earlier experiment to embed HTML5 YouTube video, into my WP YouTube Lyte plugin. This means that WP YouTube Lyte (for easy lite YouTube embeds, reducing download size & rendering time substantially) can now also use the HTML5-based YouTube video-player to play your embedded video.
If the -experimental- HTML5 option is enabled, WP YouTube Lyte will embed HTML5 YouTube video if:

  • Your visitor uses a browsers that supports the h264 (Safari, Chrome, IE9) or WebM (currently development versions of Chrome, Opera and Firefox) video codecs
  • Your visitor is enrolled in the YouTube html5 beta

If these requirements aren’t met, your visitors will see a Flash-based version of the YouTube video you specified.
As newTube.js is sort of a dirty hack which replaces the LYTE dummy player with an iframe with overflow:hidden, in which the full YouTube-page is carefully positioned to display only the player, there are some other caveats to take into account as well:

But apart from all this small print, is works rather nice if I may say so myself. Or better still, just look at this little They Might Be Giants gem embedded here;

They Might be Giants-Birdhouse In Your Soul
Watch this video on YouTube.

Lovin’ the WordPress plugin ecosystem

by

I’m a sucker for simple things and in my book, WordPress (the open source software) is a great example of a simple yet powerful solution for publishing on the web. The last few days I experienced their plugin-ecosystem to be just as simple and powerful.
If you have a plugin to share and you:

  1. register on wordpress.org
  2. fill out a form to submit your plugin for inclusion in their repository
  3. after confirmation upload your code (together with a structured readme-file) via svn

Then boom, automatically;

  • plugin pages (for description, installation, faq, changelog, …) are created and populated with information from the readme and base php-file
  • a zip-file is created containing your stable version
  • your plugin is listed on the “new plugins” page

Before you know it, you’ve got a bunch of real users (wp-youtube-lyte was downloaded 128 times in 2 days) who can rate your plugin and provide you with feedback. And every time you upload a new stable version via svn, a new zip-file is created and your users will get a notification in their wp-admin pages, allowing them to upgrade by simply clicking that upgrade link. Don’t you love it when a plan comes together?
But enough raving already, got to go create that admin-page for my plugin now, as requested by a user. I’m a sucker for real users!