The Ahimsa WordPress theme and Firefox 3.6
Jan 28th, 2010 by ravi


Firefox 3.6 is out and unfortunately it has unveiled a slew of small annoyances in the Ahimsa theme caused either by the browser or more likely by wrong assumptions in styling in the theme. I am running through the issues right now and expect to have a fixed release of the theme out in under two weeks.

This version will also have support for a right sidebar, and a few other interesting new features. If you have things you have wanted in the theme, now’s the time to ask!


Screenshots: Response Tracker 0.90
Jan 5th, 2010 by ravi

Some screenshots of the WordPress plugin Response Tracker

Response Tracker 0.90


Download: Audacity of Tanish 1.0.1 for WordPress
Oct 6th, 2009 by ravi

This is a small release that replaces images that may or may not be GPL/free with ones that definitely are (it also includes more background images). There are some minor fixes and also some code cleanup.

Download Audacity of Tanish for WordPress 1.0.1


This should be up at WordPress as well shortly.

Download: Audacity of Tanish 1.0 for WordPress
Sep 14th, 2009 by ravi

Download Audacity of Tanish 1.0


Audacity of Tanish for WordPress is a theme for WordPress — more info here. What’s new in this release:

  • Tileable configurable background choices
  • Option to display most recent post in expanded mode, in the index/home page
  • Popout styling for selected post in index/home page
  • Superimposed author gravatar in post page
  • Collapsible comments block, now attached to the post
  • Built-in support for FancyBox using a WP shortcode (qfgallery)
  • Styling for TABLEs, headings and PREs
  • Ping/trackback comments support
  • Support for multi-page posts
  • More IE related fixes
  • More configuration options
  • Better/clearer link to post page in index page
  • Cleaned up the stylesheet
  • and many, many fixes

Click here for some Screenshots and a video of AoT in action.

Screenshots: Audacity of Tanish 1.0 for WordPress
Sep 14th, 2009 by ravi

Below are screenshots highlighting features of Audacity of Tanish for WordPress, including ones that are new for 1.0.

Movie!

Click here to watch the Blair Witchesque video highlighting some of the features (needs QuickTime).




Screenshots: Audacity of Tanish 0.9.5 for WP
Sep 13th, 2009 by ravi

(Adding screenshots of 0.9.5 release of Audacity of Tanish for posterity ;-) — just moving it from the page about the theme to a post.)

John Gruber’s 15 minutes of schadenfreude
Sep 8th, 2009 by ravi

WordPress users need an upgrade to a fairly new version (2.8.3 or newer) to fix a security hole that was recently discovered. That bit of news has been dispensed via various outlets including Twitter. John Gruber, a smart and interesting tech blogger, seems to be thoroughly enjoying this business, from what I can tell. This is not the first time he has opined on WordPress, but despite what seems to be poorly concealed glee (the man has made three comments — and counting — thus far), I think he is almost equally wrong this time around as well.

First some background:

As per my reading of Matt Mullenweg (the primary creator of the WordPress platform) this exploit is possible if:

  • You failed to upgrade WordPress for two releases (i.e., both 2.8.3 and 2.8.4 do not include this susceptibility)
  • and you have registrations enabled for your blog (how many self-hosted blogs do that? I do not know)

Gruber’s basic argument seems to be this:

  1. If you run a self-hosted WordPress blog and ignore updates, you can get hacked.
  2. This is the equivalent of “finding your home burgled and your valuables missing”.
  3. He (Gruber) does not know if WordPress is poorly designed (“security-wise”).
  4. However, whether it is poorly designed is a question that is similar to the one that “continues to rage” (for “15 years”) about Microsoft Windows.
  5. Gruber can’t recall any widespread security attacks against Movable Type, Posterous or Tumblr.
  6. Gruber doesn’t update his MT installation but he hasn’t got hacked.
  7. Therefore “the situation with WordPress is different, and clearly more dangerous, than it is on other platforms”.

In consecutive breaths, Gruber first ponders:

I have to wonder when WordPress users will start switching to some other platform.

and then disclaims:

Nor am I attempting to persuade anyone to switch from WordPress to Movable Type.

Let us take him at his word, the second one that is (i.e., he is not interested in persuading anyone to switch), and look at the argument he offers. He starts out with a truism in computer security: all software has bugs, and if you run some software that is reachable via the Interwebs, you can get hacked, especially if you don’t update the software with fixes for such bugs. If you didn’t realise that and decided to run a WordPress blog anyway, then like Gruber I would distance myself from “blaming the victim”, but I would still wonder what else you may have expected.

What you should expect, if I am following Gruber’s argument, is that if one platform (MovableType) has not suffered any “widespread” attacks in one individual’s (Gruber’s) memory, while another (WordPress) just suffered one, then that information recalled from memory “clearly” makes the second platform (WordPress) more “different” and “dangerous”. Even if we do not know if there is anything about the second platform that makes it poorly-designed security-wise.  Or in his other words, this one reported vulnerability in a version of a software two releases old is the equivalent of 15 years of [raging debate on] Windows security (or lack of it).

I am afraid that what is unfortunately made obvious by this line of argument is only that John Gruber runs an outdated version of Movable Type (that he does not care to upgrade) because he thinks, though he does not necessarily know, that it is a safe[r] platform. Which in turn leaves one hoping that he will not be in the unenviable position of blaming the victim, himself, some time in the near future. As I wrote at the top, Gruber is smarter than that… or will be once the 15 minutes of schadenfreude wears off.

Some smaller clarifications: As long as you or your hosting provider perform[s] backups, this exploit (if it occurs) does not mean that you have lost your blog content. Without doubt, restoring that content can be a painful affair, but it’s a lot easier and more reliable than contacting the police to recover your belongings.

Oh and Movable Type? Here’s just what one random Googling produced (author: distler):

Remember insecure formmail scripts? How very 1990s, eh?

As if comment spam were not bad enough, MovableType includes, in its default installation, a CGI script called mt-send-entry.cgi which — you guessed it! — can be used to send email anonymously to anyone in the world.

And, no, this is not a merely theoretical issue; it’s being actively exploited by spammers.

Want more?

  • http://securepoint.com/lists/html/bugtraq/2007-01/msg00603.html
  • http://secunia.com/advisories/16899/

All these demonstrate is (not that these are the same vulnerabilities discovered in WordPress but) that software is by nature insecure. And all that rot that we all know quite well.

Reply via email for WordPress blogs
Sep 1st, 2009 by ravi

Earlier this year, the chaps at WordPress added a very useful feature for WordPress.com blog owners: reply to comments via email. No longer do you have to plod through the comments responding to them via the reply form or through the Dashboard comment section (which despite admirable enhancements still does not offer a threaded view, making it difficult to tell if you have already responded to a comment — a very real concern for a forgetful dweeb like me).

Excellent, you say. Indeed, but the nub of it is that this brilliant new feature is unavailable for self-hosted WordPress blogs (no doubt, in part due to the intricacies of tying up with the email system of the blog owner). Needless to say there has been some anguish in the community.


At long last: Ahimsa 3.0 for WP
Aug 31st, 2009 by ravi

Update: You can now download this version of the theme from the official WordPress site as well.

Download Ahimsa 3.0 for WordPress


With apologies for all the delays, and for the incomplete features and issues that remain, I am releasing Version 3.0 of Ahimsa for WordPress.

There is a lot in this new release (hence the bump up to version 3, rather than the 2.3 that was initially planned). Here’s a summary:

First the fine print

This release includes cleanup of the stylesheet. If you have custom CSS changes or equivalent, please beware (also see my offer towards the end of this post). Your custom skins will need to be updated to the new styles. You can do that by checking the “Update Skins” checkbox in the Ahimsa Options page of the admin section of your blog, and then clicking on Save Changes. The AhrenCode supplied skins (Kind of Blue, A Grey Mood) are already updated to the new style, so this step is not required in their case. The corollary is that if you have made custom modifications to these themes, then please save them before you install this version. Finally, as of this release, there is not even a pretense of IE6 support. Sorry, it’s just too much work.

New Features and Fixes

  • Custom skin editing: if you created a skin in the past and were frustrated by the inability to edit it, this might be a bit of relief. You can now edit the skins you create (or have created) — the limit is that the skin has to be the current selected one. As the above fine print notes, the style sheets have now changed, so follow instructions above to first update any skins.
  • New Skin “Sarvodaya”: this update includes a new earth toned and simplistic skin called Sarvodaya. Give me your thoughts on it!
  • IE Rounded Corners: don’t get excited. This has turned out to be a horrible affair. After evaluating 10 or so JavaScript plugins and libraries, I settled on two that provide some support for rounded corners in Internet Explorer. A lot of disclaimers apply: no rounded corners for the titles, sidebar widgets, the action bubbles, etc; and an artifact: a small white section is displayed under the bottom bar of each post. If all of this is palatable to you, then visit the Ahimsa Options page and turn on IE rounded corners support. If you notice anything worse than the above, turn it off and let me know.
  • Custom modifications support: for your own CSS customisations, or JavaScript snippets and such that you may need to add to the footer, there are now two files that you can use: custom.css (for your style overrides) and footer-custom.php (for your footer snippets). The stylesheet custom.css is loaded last by the theme, so you can override any of the styles in this file. And since these files are external to the theme files, your modifications are safe from theme upgrades (watch out, however, that your theme update does not nuke your entire theme directory, killing your custom files!).
  • Proper Comment Reply Form AJAX behaviour: WP 2.7 introduced the feature of moving the reply box up immediately after a comment when you click to reply. That behaviour was broken in Ahimsa and has now been fixed.
  • Share your skins: this is not a change to Ahimsa itself, but if you have created a custom skin that you want to share you can now do so. See the instructions on the Ahimsa page.
  • W3C XHTML 1.0 Standard validation: many, many fixes to satisfy the W3C validator. One or three issues might persist but most are now gone. Check it out and let me know!
  • Multi-page support: Ahimsa did not include support for multi-page posts. It now does.
  • Other fixes:
    • Fixed input fields in response form: The response form had ridiculously long input fields for Name, URL etc. That has now been fixed.
    • Increased line spacing: makes for easier reading for your audience.
    • New screenshot: the current one dates back to an Ahimsa 1.x release!
    • More information in the Options section
    • Fixed a bug where the date bubble in comments was getting chopped off on the right.
    • And a lot of other minor issues.

Many of you have waited patiently for this update and I hope this is worth the wait. As always, I greatly appreciate your feedback.

And if you have done customisations of the theme with which you need help, or if your skin does not update properly, etc, please do contact me and I will be glad to help.

Audacity of Tanish 0.9.2: A theme for WordPress
Aug 9th, 2009 by ravi

Download Audacity of Tanish 0.9.2


This post has been updated to provide download link for version 0.9.2 which includes some small but useful fixes.

Audacity of Tanish is a dark coloured theme for WordPress that I am releasing under the GPL. For more info, visit the Audacity of Tanish page, which includes more screenshots, etc. This is version 0.9.1 and it has been tested on Firefox 3.5, Safari 4 and IE7. It should also be available shortly for download from the official WordPress theme site.

A note for the patient and friendly users of Ahimsa for WordPress: this doesn’t mean I don’t love you any more ;-). This theme grew out of a temporary project to understand some WP stuff and play with code cleanup and so on, all targeted towards my next release of Ahimsa. In the process, I realised I had done enough work to make an independent new theme and hence this one. Ahimsa 2.3 will be released as soon as possible (later this month).

