The WordPress/HotNacho SEO Debacle

Debate is raging over the “WordPress SEO Spam” issue. Please pay special attention to the disclaimer at the beginning of Andrew’s post (emphasis mine):

Disclaimer. I’m hesitant to even write about this, knowing the web’s fondness for angry mob justice, but I feel like it’s an important issue that needs to be addressed. My one request: please be calm and rational. WordPress is a great project, and Matt is a good guy. Think before piling on the hatemail and flames.

I originally started this as a comment over on Jonas Luster’s site. But as it grew longer, I figured it warranted a posting on my own site. Basically, if you ask me, this is much ado about nothing (well, okay, not ‘nothing’ — perhaps ‘mountain out of a molehill’ would be a better analogy). But it’s too late to put out the fire now. We’ll just have to wait for it to burn out on its own.

As far as I can tell, this was just a case of Matt making one bad judgement call. I haven’t met him in person yet, but we’ve had many phone and net conversations, and I feel like I know what his level of dedication is to projects like WordPress. Matt has said time and time again that what makes a project great is its community, and the project’s responsiveness to that community. The perception that he has done anything to harm this community will cut him to the quick.

A project like WP (and his collaboration with me on Ping-O-Matic) has enormous resource needs. Enormous. This is not your average 1000-hits-per-day blog with pictures of kittens and rants about high school homework. This is a project that garnered over 100,000 downloads in just a few weeks. This is a project with around 150,000 posts in its support forums. And that doesn’t even include the 3500+ pages in the Codex, with over a million page views. And don’t even get me started on the storage requirements for all the data that Ping-O-Matic has accumulated across the 79,000,000+ pings that it has served.

You can’t support those kinds of loads out of a $20/month shared web hosting account. And it’s hard to pay the kind of money that it does take out of your own pocket to support something which is, essentially, a hobby (at least in the sense that it’s not a paying job). Personally, I would love to be able to spend more time working on WordPress and adding whizbang new features to Ping-O-Matic. But I can’t. Why not? Because I can’t afford it.

My money is almost completely monopolized by my mortgage, food for my family, car payments, gas for the cars, and all the other usual things. And my time is almost completely monopolized by my day job (which provides the aforementioned money), and my family. WordPress has never bought me lunch. Ping-O-Matic has never paid for my family to go to a Saturday matinee. Not one user of WordPress, Ping-O-Matic, or any other open project that I’ve participated in has ever utilized my Donation Page to send me money or a wishlist item.

I’ve gotten a few “thank you” notes here and there. I’ve seen a few “attaboys”. And those are great, and well appreciated. They make my paltry efforts worthwhile. But they don’t put bread on the table. So I can understand why Matt felt motivated to try an “experiment” which brought in a little revenue without being highly visible. Unfortunately, the source of this financing walks the shady edge of what is and is not acceptable to our community. Personally, until Matt returns from his vacation and gives his side of the story, I’m not assuming anything.

But if you’re in the camp of people crying “foul”, consider this: Matt could have put out announcements asking for donations. He could have plastered flashing advertisements all over the WordPress sites. He could have used every available opportunity to “pass the cup”. Instead he chose an avenue which was out-of-sight. And instead of perceiving this as “polite”, people have chosen to view it as “sneaky”. “Et tu, Brute?”

Update: There are now responses from Matt and HotNacho, the hidden links and content are gone, and Google has restored the PageRank for wordpress.org.

Plugin: SpamForceField

SpamForceField is my newest anti-spam plugin for WordPress. This one does a couple of interesting things:

  • All connections via pinappleproxy are denied.
  • Every connection’s Referer is checked against your blacklist keys. If a match is found, the connection is denied.
  • If a comment is flagged as ‘spam’ due to the normal spam checks, the client receives a 403 Forbidden HTTP status. This also occurs for connections denied in the other two checks above.
  • When connections are denied, the client receives a message explaining what has occurred. It contains a link to check if their connection is through an open proxy and an obfuscated reference to the site admin’s email address. (e.g., “joe (at) example (dot) com”).

I actually wonder if sending a 404 Not Found status would be more effective, as it might trick some spammers into thinking that your site was gone. However, the 403 Forbidden status is more semantically correct. Use of a 404 code for this could mess with analysis of your web logs in confusing ways.

Over about the past week, I’ve been tweaking this plugin and also analyzing sources of spam, and blocking the most abusive hosts and networks with firewall rules (ipfw on my FreeBSD server). This has virtually eliminated (so far) the appearance of referer spam in my stats. Plus it gives me a warm fuzzy to know that all those connections are being rejected.

I can suggest that you add the following strings to your Comment Blacklist (Options/Discussion):

  • -poker
  • poker-
  • tx-holdem
  • texas-holdem
  • tigerspice
  • -2005.com
  • .wslp24.com
  • conjuratia.com
  • .loveseo.com
  • buy-2005
  • firsthorizonmtg.com
  • government-grants.org
  • government-grants.ws
  • business-grants.org

There are plenty of others, but these account for most of the referer spam I’ve been seeing recently. Also, if anyone wants to share their moderation/blacklist keys via Mark’s XBN Plugin, please feel free to get in touch.
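The Via and Referer checks described above, as an added example in plain PHP (this is not SpamForceField’s own source). The function name sff_decide and the sample requests are constructed for illustration, and the code assumes the proxy identifies itself in the Via request header.

```php
<?php
// Added illustration, not the plugin's code. Names here are hypothetical.

/**
 * Decide whether to serve a request. Returns [HTTP status, reason].
 * $server mirrors $_SERVER; $keys are lines from the Comment Blacklist.
 */
function sff_decide(array $server, array $keys): array
{
    // Assumption: the proxy announces itself in the Via request header.
    $via = $server['HTTP_VIA'] ?? '';
    if (stripos($via, 'pinappleproxy') !== false) {
        return [403, 'via pinappleproxy'];
    }

    // Referer is client-supplied, so this only filters bots that advertise a URL there.
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return [200, 'no referer'];
    }
    foreach ($keys as $key) {
        $key = trim($key);
        if ($key === '') {
            continue; // a blank blacklist line must never match every request
        }
        if (stripos($referer, $key) !== false) { // case-insensitive substring match
            return [403, "referer matches key '$key'"];
        }
    }
    return [200, 'clean'];
}

// Keys taken from the list above, plus a blank line as an edge case.
$keys = ['-poker', 'poker-', 'texas-holdem', '', '.loveseo.com', 'government-grants.org'];

// Constructed sample requests (hosts are placeholders).
$requests = [
    ['HTTP_REFERER' => 'http://www.online-poker.example/'],
    ['HTTP_REFERER' => 'http://blog.example/2005/03/poker-night-recap/'],
    ['HTTP_REFERER' => 'http://blog.example/about/'],
    ['HTTP_VIA' => '1.1 pinappleproxy'],
    [],
];

foreach ($requests as $req) {
    [$status, $reason] = sff_decide($req, $keys);
    printf("%d  %-32s %s\n", $status, $reason, $req['HTTP_REFERER'] ?? ($req['HTTP_VIA'] ?? '-'));
}
```

The second constructed request is denied because the key “poker-” also appears in an ordinary permalink, which is the false-positive cost of short substring keys. Checking the same requests against your own access log before adding a key shows which legitimate referers it would turn away.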

If you’ve read this far, you’re probably wondering where to download it? How about right here: txt, phps.

Note that the file is named 000-SpamForceField.php. The reason for naming it with the three leading zeros is that WordPress loads plugins in filename sort order. We want this plugin to load as early as possible, so we force it to the beginning via the funky filename. In my case, I wanted the SpamForceField to intercept spams before BAStats had a chance to log anything.


Update: I’ve received some reports that this plugin is issuing the 403 status when comments are flagged for moderation, not just when they are flagged as ‘spam’. This behavior is not correct. If anyone can help me debug this, I’d appreciate it, since I’m buried with Real World problems at the moment.

Update 2: I’ve updated the plugin to version 1.1, with a slight change which should take care of the problem of getting the Warning: Missing argument 2 for deny_spammer() message when a comment is posted.

Old wine in a new bottle

The topic of Ajax is pretty hot right now. And some people are getting a little hot over the naming. As I pointed out yesterday, and as Ian Hickson and Dare Obasanjo have also said, Ajax is not a new technology. Web developers have been doing this stuff for years under various names. JavaScript Remote Scripting, Remote Scripting with IFRAME, JPSPAN. But for whatever reason, the name “Ajax” has stuck.

So, what is Ajax? It’s a combination of tricks which allow web developers to dynamically communicate with a backend server from the web browser without requiring a page refresh. This provides a more seamless experience to the user by making a web page behave a bit more like a normal software application. Typically, this is accomplished by some JavaScript code which exchanges data with the server by means of either a hidden <iframe> element, or by use of the XMLHttpRequest object in more modern browsers.

Again, this is not something new. Brent Ashley was doing this stuff five years ago with JSRS. So why all the hoopla now? Why did the name “Ajax” stick? Why the sudden Ajaxmania?

I think it’s just a “right time, right place” thing. It’s only been recently that big commercial companies have started using the technique for applications that are in the public eye. And that’s because it’s only been (fairly) recently that you could count on a significant percentage of web users to have browsers that supported it. Five years ago, there were still a significant number of Netscape 4.7 browsers out there. Internet Explorer 5.0 was still fairly young, and there were plenty of IE 4 and even IE 3 users. But now? IE 6 and Mozilla 1.0 dominate the browser landscape, and Safari is the king of the Macintosh hill. Basically, the web environment is much better able to support remote scripting now than it was five years ago.

So, sure, Ajax is “old wine in a new bottle”. Let’s not get hung up on the name. But, personally, I think that “Asynchronous Remote Scripting Engine” would have been great. Then if you were debugging your rich client application, you could complain, “I’ve got bugs in my ARSE!”

Ajaxing the Rails

If you’re a web developer, then hopefully you’ve already heard of Ruby on Rails and Ajax. If not, you’re behind the times, and you have some reading to do. New in Rails is built-in Ajax support.

I haven’t had time to play with Rails yet, but I’m itching to do so. Rails is a web application framework written in Ruby, an odd, interesting programming language (probably only ‘odd’ to me because I haven’t used it yet). Rails excels at making database operations nearly transparent. And since most web applications revolve around databases, this speeds development greatly.

Ajax is really just a new name for something that’s been around for a while. It’s just that it finally got a catchy moniker that people could latch onto, plus a couple of high-profile real-world applications: GMail and Google Maps.

I have a feeling that we’re going to see an explosion of interesting new “rich interface” web applications soon…

IE7 to support standards?

According to Eric Meyer, it seems that there is hope that Internet Explorer 7 may have improved standards support. He’s got a list of “Top 10 CSS Fixes” that should be made. I would definitely like to add “proper support for PNG transparency” to the list. It’s not CSS-specific, but it is a browser bug that requires many site designs to implement IE-specific work-arounds.

And of course, there are many other bugs listed at the css-discuss wiki and Position is Everything that should be fixed: the “guillotine bug”, “peekaboo bug”, and the “creeping text bug” are ones that have bitten me on more than one occasion.

Recursive Virus

I’m sick again. So is Susan. It seems like this illness just keeps going in circles through our family. First the kids had it, then Susan, then me, then the kids got sick again, now we’re sick again… It’s like a recursive function that hasn’t met its exit condition yet. Somebody make it stop!

All of this while we’re still trying to get the rest of our stuff moved out of the old house and into our new one. We’ve spent the last two weekends packing furniture and boxes in and out of the moving truck, only pausing now and again to blow our noses, cough, or take an all-too-brief water break. We’ve gotten most of the stuff moved, except for some things in the basement. I think we’re going to break down and hire some movers to get that stuff out, because if we keep going like this, the whole family will end up in the hospital.

I’m working from home today. Or at least, trying to work. My brain is still a little cloudy from sinus pressure and lack of sleep. But I feel better now than I did at 3:30 this morning, when I was attempting to cough up one of my lungs so I could get a better look at it.

WordPress 1.5 Themes Competition

There’s only one week left in the WordPress 1.5 Themes Competition. You might want to start on the Submitting a Theme page for a good overview of the rules and some good guidelines. I’ve seen several outstanding entries so far (out of 48 submitted!).

And for more sweet, gooey, themey goodness, check out this list of over 115 WordPress 1.5 themes!

Theme Preview Plugin

Early in the development of the “themes” support in WordPress, I bugged Ryan Boren for a “preview” feature. Instead, he wrote a Theme Switcher Plugin, which wasn’t what I wanted (but was still a cool thing to have). Now, he’s finally written a Theme Preview Plugin.

The thing is, I had already given up on him and written my own, weeks ago. I just never got around to documenting it and writing it up.

Differences:

  • Ryan’s has user-level checks (only level 8 or higher can preview), mine doesn’t
  • Mine does error checking to ensure that the theme actually exists
  • Mine allows you to separately specify which theme to pull the CSS from. This is because the themes themselves allow you to specify the style separately from the templates. This is actually somewhat redundant, but I tossed it in for experimentation, in case I wanted to override the stylesheet.

There, now you have a choice. And choice is always good. Ryan, feel free to add my plugin’s biological distinctiveness to your own 😉

Update 2007-07-26: Since the question keeps coming up — this plugin is compatible with any version of WordPress higher than or equal to version 1.5. This includes versions 2.0, 2.1, and 2.2, and it should continue to be compatible with future versions. It’s only about a dozen lines of actual code, it uses standard WordPress API calls (one function and two filters), and it doesn’t interact with the database. It’s vegan-safe, has a low carbon footprint, and uses recycled bits for maximum ecological friendliness. See the comments for examples of using the plugin here on this site.

Germy

Bleah. I’ve been sick for about a week or so now. I thought that I was fighting it off okay until a few days ago. On Tuesday night, my throat was sore, and my nose was particularly stuffy. Which resulted in very little sleep. So I woke up feeling like death on a cracker. A stale cracker. A stale cracker that’s one of the last in the package, so it’s all broken and crumbly. Anyhow, I decided that it was time to actually see a doctor.

The doc told me that I had a sinus infection (no surprise to me), prescribed an antibiotic, a decongestant, and a nasal spray, and sent me on my merry way. I procured said medicines, and took them with my lunch. A few hours later, I felt even worse, and by Thursday morning, death had eaten the stale cracker, and was sizing me up as the main meal. I gave death the finger and took my medicine.

Around mid-day on Thursday, the primary symptoms were slightly better, but I started to feel extraordinarily tired. Like nothing in the world could stop me from lying down and sleeping. I leaned back in a recliner, covered myself with a blanket and attempted to obey my body’s demands. I fitfully half-dozed for a couple of hours, but still didn’t feel like I got any real rest. But as evening approached, I found that I felt a little better than before.

Today, I’m back at work again. I still feel tired, and my nose is still pretty stuffy, but the sore throat is almost completely gone. Which is good. At the worst point, Wednesday night, just trying to clear my throat was triggering my gag reflex. Which is really stressful when you feel the need to clear your throat almost constantly.

So, the good news is that I’m feeling better.

The bad news is that Susan and Mary both seem to have caught my cold. Sorry, ladies. 🙁

blo.gs up for sale

The popular weblog update tracking service, blo.gs, has recently announced that it is up for sale. The sale announcement notes that the site currently operates at about a $20/month loss, which doesn’t sound bad at all. I wonder why it’s up for an outright sale, rather than attempting to add more revenue?

Anyhow, blo.gs is a very useful service. I use it myself just about every day. Hopefully, someone will step up to take it over without disrupting the service too much. For the paranoid, the privacy policy states that an email will go out to give subscribers a chance to opt-out their personal info before a change of ownership occurs.