Todd Lahman

The Plugin Generated x Characters of Unexpected Output During Activation

January 14, 2012 | Author Todd Lahman

While developing a new WordPress plugin I ran into a common problem when the plugin was activated. The following message popped up:

The plugin generated 1616 characters of unexpected output during activation. If you notice “headers already sent” messages, problems with syndication feeds or other issues, try deactivating or removing this plugin.

The most common causes are:

1. A white space before or after the PHP opening or closing tags
2. A file encoded in UTF-8
3. Another issue when something is called at the wrong time, or a call that cannot be resolved without intervention

The first is the most common mistake for new programmers. Once the space is removed before or after the PHP opening and closing tags try deactivating and reactivating the plugin to see if the message is gone.

The second stumped me. I use several local development servers including Uniform Server, WAMP Server, and XAMPP. The files were encoded in UTF-8, the universal language encoding that is the standard, but the server threw errors. I finally converted the files to ANSI encoding, and the problem was fixed. Some web hosts also run software that generate this error, so it is best to encode the plugin in ANSI to avoid unexpected problems.

If the first two causes have been eliminated, and the problem persists then this issue needs to be tracked down and eliminated, otherwise it might cause problems. To save the error message to debug the problem the following code snippets can help:

function tl_save_error() {
    update_option( 'plugin_error',  ob_get_contents() );
}
add_action( 'activated_plugin', 'tl_save_error' );

Then to display the error message:

echo get_option( 'plugin_error' );

Or you could do the following:

file_put_contents( 'C:\errors' , ob_get_contents() ); // or any suspected variable

If you have another method to save and display these error messages share them.

Tags: WordPress Plugin Development | No Comments »

Database Scaling with Memcached Interview with Northscale Co-Founder

August 23, 2011 | Author Todd Lahman

One of the Northscale co-founders gave a very interesting interview about making databases scale horizontally, like Google does, so the database becomes elastic.

With common databases like MySQL handling more traffic meant scaling vertically, building a bigger more powerful server, but thanks to Memcached cheap servers, like Cloud servers, can be used in front of the database to grow horizontally for a lot less money. Memcached also allows MySQL, and similar databases, to handle far larger traffic than they were designed to handle.

One concept in this video is the idea of storing some less important data that doesn’t have to be saved per say in the database, but needs to be stored in something like the database, can be stored in the less costly Memcached memory, which is RAM. In WordPress, temporary data can be stored in the Object Cache, and if it is temporary then it is best to use the Transient API. If Memcached is doing the Object Caching for WordPress, then data from the Transient API gets stored in Memcached.

See the video below.

Read the rest of this entry »

Tags: Memcached, MySQL | No Comments »

Google Content Delivery Page Speed Service

August 4, 2011 | Author Todd Lahman

Google has been talking a lot about web site performance for years, and it is a difficult problem to solve because it has so many causes. Narrowband dial-up has been replaced by Broadband, but despite the speed difference it isn’t fast enough to satisfy web surfers. After a short time surfers develop a tolerance to the increase in speed, demand even faster speed. That is the assumption being made by Google, and others, based on page load times, and the average amount of time a web surfer spends on a page or a web site. Decreasing the time a page takes to load results in longer average time spent on a page and the associated web site. The conclusion is that faster is better.

Read the rest of this entry »

Tags: CDN, Content Delivery Network, Google Page Speed Service, Page Speed Service | No Comments »

Malware and Spyware Remover Software

July 26, 2011 | Author Todd Lahman

Google added this month a malware, or spyware, warning that pops-up to warn your computer is infected, and it offers a link for information that can help fix the problem. On the Google support page they list several anti-virus software that may help including, BitDefender, F-Secure, McAfee (my personal favorite), Microsoft Security Essentials, Microsoft Safety Scanner, and Windows Defender. Notably left off the list is Norton Antivirus, which I have found to slow down computers. Google also suggests using the search term "antivirus" to find additional software.

Read the rest of this entry »

Tags: Antivirus, ComboFix, fake antivirus, fake AV, Malware, Spyware | No Comments »

Spam Free WordPress

June 23, 2011 | Author Todd Lahman

Spam Free WordPress is a comment spam blocking plugin that blocks 100% of the automated spam with zero false positives. There is no other plugin, or service, available for WordPress that can claim 100% accuracy with zero false positives, not even Akismet. Manual spam is blocked with an IP address blocklist.

This plugin was born out of necessity in September of 2007 when HollywoodGrind.com was getting a lot a traffic, and with it a lot of spam that multiple plugins could not stop, but instead increased the load on the server fighting the spam. Since its birth, Spam Free WordPress has been tested successfully under real world heavy traffic, and heavy comment spam, conditions. Once Spam Free WordPress is installed, no other comment spam plugins are needed, and it is recommended that all other plugins be disabled since they will cause undesirable false positives.

It is my goal for Spam Free WordPress to help WordPress become the world’s first and only comment spam free blogging platform.

What Am I Worth?

Is a reliable spam fighting plugin worth a dollar?

Spam Free WordPress Features

Automatically blocks 100% of automated comment spam
Local manual spam and ban policy set with local IP address blocklist
Global manual spam and ban policy set with remote IP address blocklist
Significantly reduces database load compared to other spam plugins
Zero false positives
Option to strip HTML from comments
No CAPTCHA, cookies, or Javascript needed
Saves time and money by eliminating the need to empty the comment spam folder

Automatically Blocks Automated Comment Spam

Spam Free WordPress uses anonymous password authentication to block 100% of all comment spam with zero false positives. Either the password is submitted with the comment form, or it’s spam. Each post is a assigned a password. The password is generated only after it is visited for the first time, and the password only changes when a comment is left. The password is only generated and changed when necessary to eliminate unnecessary load on the database. The reader leaving a comment copies and pastes the password into the comment field to authenticate while remaining anonymous, thus eliminating the need to login to an different account on each blog. Logged in readers will not be required to use the comment form password.

CAPTCHA is not used because it is hard to read, unnecessary, easily cracked, and reduces the number of real comments substantially. There is an interesting article about CAPTCHA here.

Readers do not need to accept cookies or to have Javascript enabled for Spam Free WordPress to work. Spam Free WordPress uses anonymous password authentication the reader types into the comment form.

Automated spam bots use the wp-comments-post.php core WordPress file to submit comment spam even if the comment form doesn’t exist like when DISQUS is used to handle comments. Spam Free WordPress hooks into wp-comments-post.php to block automated spam by requiring the same password authentication used on the comment form. Spam Free WordPress eliminates the spam DISQUS users continue to experience.

Local and Remote Blocklist

Spam Free WordPress uses an IP address blocklist to block comment spam that is manually submitted by a real person. The blocklist can also be used to ban readers that leave offensive comments. The local blocklist is stored in the database, so it can be used to set policy for a local blog. The remote blocklist allows a global policy to be set for many blogs that remotely access a file that contains the IP address list.

If someone has their IP address listed in the blocklist that person can still read the blog, but will not be able to leave a comment. This approach is used for several reasons. Spam bots may spoof an IP address, or another person may have been using the IP address when they were banned. No one owns an IP address for life, so the IP address is blocked from leaving comments, but not from reading the blog.

Reduces Database Load

As mentioned above, the password is set and changed only when necessary to reduce load on the database. Other plugins filter comments in an effort to determine if they are spam.

Since it is not possible for any filter to ever identify spam accurately, their success at blocking spam is marginal. Those other plugins allow spam to be written to the database most of the time, and stored in the comment spam queue, where the blogger must manually delete the spam. Akismet will prevent some comments it believes is spam from being written to the database, and that results in complaints at times when people realize it was a real person commenting.

Spam Free WordPress knows if comments are real or not, because a password must be entered into the form manually. Anything that is submitted without the password is considered spam. Unlike a filter approach that has many variables, password authentication is 100% accurate, since the password is submitted or not.

Comments that are blocked are never written to the database, which eliminates all the load on the database that spam creates, and other plugins allow.

Option to Strip HTML from Comments

It is very common for manual and automated comment spam to include a URL that links to a web site. Spam Free WordPress has an optional feature that will automatically strip out HTML from comments so that links will show up as plain text, and will then also remove the allowed HTML tags from below the comment text box.

Cached Pages Will Work

Comment form passwords will properly refresh on cached pages, provided the cache program is set to refresh the page on changes to the page, or if a comment has been submitted. Spam Free WordPress has been tested with WP Super Cache, Batcahe, W3 Total Cache using APC, Memcache, and Xcache, with the super fast Nginx web server using its core NCache module, and PHP served with PHP-FPM, with Apache serving PHP, and with other caching programs, all of which worked properly.

Spam Free WordPress in Action

Case Study: Hacked Comment Accounts on Gawker

On Monday December 13, 2010 at 5:59 PM, Gawker sent out this email message to people who had an account on their blogs used to leave comments. It should be noted that Gawker does not use WordPress, but the security hole created by using comment accounts is the same on every blogging platform.

Gawker Comment Accounts Compromised — Important

This weekend we discovered that Gawker Media’s servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name and password associated with your comment account were released on the internet. If you’re a commenter on any of our sites, you probably have several questions.

We understand how important trust is on the internet, and we’re deeply sorry for and embarrassed about this breach of security. Right now we are working around the clock to improve security moving forward. We’re also committed to communicating openly and frequently with you to make sure you understand what has happened, how it may or may not affect you, and what we’re doing to fix things.

This is what you should do immediately: Try to change your password in the Gawker Media Commenting System. If you used your Gawker Media password on any other web site, you should change the password on those sites as well, particularly if you used the same username or email with that site. To be safe, however, you should change the password on those accounts whether or not you were using the same username.

We’re continually updating an FAQ (lifehac.kr/eUBjVf) with more information and will continue to do so in the coming days and weeks.

Gawker Media

If Gawker had been using the anonymous password authentication built into Spam Free WordPress this incident would not have happened.

Case Study: Street Dogs Band

A blog run by the band Street Dogs recently started using Spam Free WordPress around 7-15-2011, and in just a few weeks they’ve blocked over 26,000 spam comments. Visit they’re site and refresh the page to see how fast the spam comments are hitting their server.

Update: As of 10-27-2011 Spam Free WordPress has blocked 430,000 spam comments from the Street Dogs blog.

Comment Form Example

If Spam Free WordPress is installed correctly there will be a Password field on the comment form. Each time a reader leaves a comment they type in that password, or copy and paste it, to leave a comment. Below is an example. If the password field is not visible refer to the readme.txt file for specific directions.

To see the password field you must be logged out of your WordPress blog account.

Installation Instructions

Proper Installation Example

If Spam Free WordPress is installed correctly there will be a "Password:" field on the comment form. An example screenshot can be viewed above, or for a live example scroll down to the comment form at the bottom of this page.

To see the password field you must be logged out of your WordPress blog account.

NOTE: Clear the blog cache, like WP Super Cache, after installation.

WordPress 3.0 and Above

Upload to the /wp-content/plugins directory
Activate
If the comment_form() function is already in the comments.php file, then nothing else needs to be done. Otherwise go to step 4.
Save a backup copy of comments.php
Go to Appearance -> Editor. Edit comments.php
Replace the <form> and </form> tags, and all the code between the <form> and </form> tags, with the following line of code:
```
<?php comment_form(); ?>
```
Click "Update File" to save changes.
If the file gets messed up, use the backup comments.php code to restore everything.

Incorrect:

<form> <?php comment_form(); ?> </form>

Correct:

<?php comment_form(); ?>

If the comments.php file is custom, and it is not desirable to use the comment_form() function, then follow the directions for WordPress 2.8 or 2.9 below.

WordPress 2.8 or 2.9

Upload to the /wp-content/plugins directory
Activate
Copy and paste the following line into your comments.php file right after the last form field for either the email address or the URL (web site):
```
<?php if(function_exists ('tl_spam_free_wordpress_comments_form')) {
	tl_spam_free_wordpress_comments_form();
} ?>
```

Thesis Theme

Go to Thesis -> Custom File Editor, choose custom_functions.php, then click Edit selected file. Add the following line of code to that file:
```
add_action('thesis_hook_comment_field', 'tl_spam_free_wordpress_comments_form');
```
Save changes.

Genesis Theme Framework by StudioPress

Upload to the /wp-content/plugins directory
Activate