Preparing for 2017

As the end of the year draws close and we look ahead to the coming year, it is time to assess where we are and where we are going.

The past six months have been challenging – new server equipment, moving the server hardware to a new hosting location, a new ISP, and dealing with physical issues (one of which is ongoing). We have just upgraded to the latest stable release of WordPress, and a dozen or so of the open-source and commercial plugins, themes, etc. We have added a Piwik server for counties which wish to monitor their site traffic, and increased storage for all sites dramatically.

In the next six months we hope to add an installation of WebTrees, a collaborative genealogy presentation and management software, and an authentication platform which will work across our primary services (but has yet to be determined).

Another security update…

There has been another security update, so here is a brief run-down (this one is simpler than the previous one):

What we did about it

We have installed the upgrade, which updated the two third-party libraries which had newly-discovered vulnerabilities.

What the vulnerability was

There were two separate vulnerabilities; both were in third-party tools used in WordPress.

The first issue was in Plupload, a tool used for managing file uploads, which in certain circumstances could allow a remote person to perform actions on the site which the user did not initiate. This is called a Same Origin Method Execution (SOME) vulnerability. In this case other security measures in WordPress limited the risk, and it only affected the 4.5.1 release, so it was not a high-profile (but still a high-priority) issue.

The second issue was in MediaElement.js, a tool used in WordPress to stream audio and video content through WordPress syntax. This was a Cross-Site Scripting (XSS) vulnerability, and there was little mitigation of the risk, so it was both a high-profile and a high-priority issue. Effectively, a maliciously formed URL could be fed into the JavaScript and the remote person could execute code on the server.

What this means for you

Nothing, as far as we are aware. The issues are completely fixed.

However, it exposed that WordPress is not strictly using HTML5 audio and video. Everyone on the internet should be using a modern browser which supports HTML5; there are inherent risks to older browsers which simply cannot prevent certain types of internet security and privacy attacks which have been resolved in newer browsers. By supporting old, vulnerable browsers (by using MediaElement.js) WordPress is enabling users to continue being at risk rather than encouraging them to update/upgrade.

Creating a regional coordination page on GenWeb.io/WordPress

GenWeb.io is set up primarily for the purpose of hosting regional coordination pages like the County Coordination sites of the state-level organizations of The USGenWeb Project. And it does so using the open-source WordPress software.

WordPress is popularly known as one of the, if not the, pre-eminent blogging platforms. But a regional coordination site is not a blog; in fact, it is almost nothing like a blog! Yes, and no.

Backgrounder

The software is actually a content management system (CMS), an application for publishing, modifying, organizing, deleting, and curating all kinds of content and media on the internet. It also offers tools to support collaboration in doing so. Although they are intended to avoid the need for hand-coding html, CMSes may also facilitate writing code by hand.

One of the ways a CMS reduces the amount of html-writing is with reusable templates, so you can focus on writing what goes into a page rather than putting most of your effort into creating what each page looks like. With WordPress specifically, every page loads with a similar look-and-feel with some variations for type of page content and depending on the specific ‘theme’ you select.

WordPress, while it is a great blog, also lets you display a ‘static’ page instead of a blog when visitors first arrive at the site. You can edit this page within the same editing environment used for writing blog entries. This editor lets you choose either a WYSIWYG view (Visual), or a source code view of the almost-raw html code (Text). And you can flip between the two views with a mouse click. Now the magic of this static page is that it, too, is displayed inside that look-and-feel template, allowing you to add the USGenWeb and state project logos and links to every page in your site.

The step-by-step process

Once you have your GenWeb.io account and domain, the steps are extremely simple.

  1. Create your landing page.
  2. Tell WordPress to use it as your static page.

Create the page

Go to your site’s Dashboard, which is the control panel for site administrators. Select Pages from the left sidebar, and then Add New to create a new page. (Normally we abbreviate this as Dashboard->Pages->Add New. Less typing for me, and I am lazy.) This brings up the page editor, with two primary editing fields – the title field and the larger body field which has several editing toolbars above it.

Enter the title you wish to use for your landing page; Welcome or the name of your region are pretty good choices to start.

In the body field you can do almost anything you like to create your new home page. The editing toolbars are self-explanatory, for the most part. Use the ‘Preview’ button in the right side-bar to load a new tab with exactly how it will look for your guests (minus that top toolbar – guests don’t get that). You can change this at any time, so for now just throw some text up there as a placeholder – LOREM IPSUM…

Now save it by using the ‘Publish’ button in the right side-bar. The page is now published on the internet. But it is not your landing page, yet.

Tell WordPress to use it

Once you have the page how you want it, hit the publish button in the right sidebar. This page is now available on the internet, but it is not your landing page yet.

Go to Dashboard->Settings->Reading. The top item is ‘Front page displays’. Click the radio button beside ‘A static page (select below)’. Select the page you just created from the ‘Front page’ drop-down menu. Then click the ‘save changes’ button.

Voilà! Your visitors will now be landing on the page you created! BUT – what about the posts? Most of us will still want to use WordPress’s blog abilities to make announcements, report news or events, or even to keep subscribers organized. Create another page – and it can be just a title and no body – and go back to Dashboard->Settings->Reading, select the ‘Posts’ drop-down menu, and select this new page, and save changes again.

You will probably want to add a link to your new Posts page from your new Front page, but that is another how-to article at a later date.

Conclusion

By creating a static page for WordPress you magically turn a blogging software into a website management software, and you can still blog on it. Using the WordPress ‘themes’ you can focus time tweaking your ‘look’ once, and it will be applied everywhere all the time. With WordPress you can arbitrarily add pages filled with your own html code, or you can edit from a WYSIWYG editor view.

But don’t start dreaming up menus and sidebars yet – because WordPress has that all covered for you, and makes it so easy you won’t believe it.

Registration is (slightly) broken

Always fun to find something not working in a new system!

WordPress simplified logo, from WordPress.Org

Apparently newly registered users – the ones who do not have a website created for them – are linked inappropriately to an administrator profile when logged in. This means the handy link in the upper-right corner of the logged-in views does not work for them, and they may get “you do not have permission”-type errors if they follow that link.

The best link to a user’s profile page is http://[projectname.]genweb.io/forums/users/[yourusername], which unfortunately is not displayed anywhere except on a forum topic to which you replied. This is not optimal, but it does work.