mark.watero.us

Wordpress stuff, a statistics plugin, and jello

Articles found for the word ‘security’

5,000 downloads, and a little mod-security


kStats Reloaded just passed 5,000 downloads!

Thank you to everyone who has been part of the development, by supporting the plugin through using it, writing about it in your blogs, sending me feedback via comments, email or bug reports, and anything I missed mentioning! It’s been a lot of fun, and I hope to see it continue growing in popularity.

I’ve got a list a mile long of new features that are up and coming, and I’m currently working on yet more improvements to the database structure as we speak in further attempts to ensure that this is not only an accurate and feature rich plugin, but a lil’ speed demon too. Again, thank you all, and don’t be shy about sending me your criticisms or suggestions!

Mod What?

I just recently installed Mod Security on my server in an attempt to reduce the number of attacks on my blog and the ridiculous referrer spam that I’ve been getting lately. I’m sorry, but I have no interest in taking a screenshot of the latest kStats and showing everybody that 5 out of ten of my top referrers are coming from some stupid subdomain of a**f***d****.com (you’ll notice the most recent screenshot has the top referrers chart collapsed for a reason).

While it deals mainly in HTTP and regular expressions, both of which I’m familiar with, the syntax is completely new to me. I hope I haven’t turned on any rules that result in any odd behaviour for anyone; if you notice anything out of the ordinary while trying to perform common tasks such as leaving comments, please let me know so that I can fix it asap. I already had to rewrite a few rules because I managed to make it believe using phpMyAdmin was some form of attempted SQL injection attack…

Written by mark

December 4th, 2009 at 12:46 am

Asynchronous and kStats; delivering fast statistics


I don’t know why, but this blog has been really hard to write. Could be the fact that I’m still extremely sore from ripping the garage apart and cleaning it top to bottom, or the fact that I’m bummed out about my new intake for my car not being in the mail today, but I just don’t find writing easy at the moment. So I’ll just try and spit it out, and eventually it will get lost in my archives anyways…

What’s new in 0.7.1?

You won’t notice any major visual changes or fancy new features in this release. I fixed a possible vulnerability in the way that some of the data was stored and retrieved and added a new opt-in program which benefits the plugin and another program, both of which I’ll go into further detail on below.

I did however bump up the versioning from 0.6.x to 0.7.x because there’s something new going on behind the scenes that will be a long term benefit to kStats and the people who use it on their blogs.

The Old Way

The aggregate is tripped every night by somebody visiting your web site. Long story short, this would be better accomplished via a cron process run directly off the server, but due to the nature of plugins and Wordpress, expecting a user to set such a thing up just to use kStats would be asking a little too much.

When the aggregate was tripped, prior to this release, the process would run as fast as it could and sort your data from the raw table into the separate totals and charts tables. This of course allows kStats to run faster on a regular basis, and store more information with a much smaller footprint than its predecessor did. The pitfall was that the poor sap who tripped the process had to wait anywhere from 1-3 seconds extra for their page to load (possibly even longer on high traffic web sites).

In this age of broadband expectations, 3 seconds is an eternity.

The New Way

kStats now uses what is called an Asynchronous HTTP Request to run the aggregate. When the scheduled time comes, kStats fires off an HTTP request to an interface that runs the whole process in the background. This means that poor sap we were talking about above no longer notices a delay in their page load, no matter what the size of your database is or how much traffic you’re getting.
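As an added example (not kStats’ own code), here is the pattern described above in WordPress PHP: a nightly trigger that fires a non-blocking wp_remote_post() to an admin-ajax endpoint so the visitor’s page load returns immediately, plus a one-time token and a short lock so nobody who finds the endpoint can start the expensive aggregate at will. The ks_ option and transient names and the ks_run_aggregate() function are assumptions.

```php
<?php
// Added example, not kStats' own code. All "ks_" names are assumed, as is
// ks_run_aggregate(), which stands for the real work of moving raw rows into
// the totals and charts tables.

add_action( 'init', 'ks_maybe_trigger_aggregate' );

function ks_maybe_trigger_aggregate() {
    // Once per night: compare the last run date with today.
    if ( get_option( 'ks_last_aggregate' ) === date( 'Y-m-d' ) ) {
        return;
    }
    // Short-lived lock so high traffic cannot fire the aggregate many times.
    if ( get_transient( 'ks_aggregate_lock' ) ) {
        return;
    }
    set_transient( 'ks_aggregate_lock', 1, 600 );

    // Per-trigger secret: the endpoint must present it, otherwise anyone could
    // hammer the aggregate endpoint and load the database at will.
    $token = wp_generate_password( 32, false );
    set_transient( 'ks_aggregate_token', $token, 300 );

    // blocking => false returns immediately; the visitor's page is not delayed.
    wp_remote_post( admin_url( 'admin-ajax.php' ), array(
        'blocking' => false,
        'timeout'  => 0.01,
        'body'     => array( 'action' => 'ks_aggregate', 'token' => $token ),
    ) );
}

// The endpoint is reachable without a login; it relies on the one-time token.
add_action( 'wp_ajax_nopriv_ks_aggregate', 'ks_aggregate_endpoint' );
add_action( 'wp_ajax_ks_aggregate', 'ks_aggregate_endpoint' );

function ks_aggregate_endpoint() {
    $expected = get_transient( 'ks_aggregate_token' );
    $given    = isset( $_POST['token'] ) ? (string) $_POST['token'] : '';
    // Constant-time comparison; reject if no token was issued or it does not match.
    if ( ! $expected || ! hash_equals( $expected, $given ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    delete_transient( 'ks_aggregate_token' ); // single use
    ignore_user_abort( true );                 // keep going after the caller disconnects
    set_time_limit( 0 );
    ks_run_aggregate();                        // assumed: the actual aggregation
    update_option( 'ks_last_aggregate', date( 'Y-m-d' ) );
    delete_transient( 'ks_aggregate_lock' );
    wp_die();
}
```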

I promised when I started this project that the primary focus, regardless of features and capabilities, was to bring you the fastest plugin I could. I believe this update goes a long way to solidifying the groundwork of that promise.

Odds and Ends

There’s a new opt-in program that can be found on the Options page under the Definitions Utility – while I’m still looking for a more reliable Geolocation API (hint, hint), the user agent facility (determining OS, Browser, etc) is powered by the API provided by user-agent-string.info.

Should you choose to participate, what happens is when kStats stumbles across a user agent it can’t identify, it will immediately fire it off to user-agent-string.info so that they can identify it and include it in the next update of their API. The more user agents we can identify, the more accurate the process will be in determining exactly what people are using when they visit your site.

In addition, a possible security vulnerability has been closed up in the way that some data was being stored and returned from the database. The upgrade process will clean your current database and all information entered from now on is completely verified and sanitized. Please note that this was not an SQL injection vulnerability but instead a much smaller XSS vulnerability.

Download Changelog

Written by mark

December 2nd, 2009 at 7:19 pm

To the recent RFI attempts on my site…


I doubt any of you script kiddiez even look at the sites you attempt to hack with your little botnet and RFI scripts, but in case you do, I just have one question for the lot of you:

Does your grandma know what you’re doing in her rent-free basement?

I’m sorry, I realize most of you probably live at home with mommy and daddy, and I shouldn’t be bringing your grandmothers into this, but seriously. Half of you tried to attack my site with a phpBB vulnerability. I’m sorry, last time I checked, I was running Wordpress.

Put down the porn, sign off your favorite MMORPG, change your clothes and shower for once in your life and walk to the front of your house. There’s a big rectangle there with a little round knobby thing on it. This is called the front door. If you open it, there’s a life somewhere out there for you. Go find it.

You’re not getting root on my box, trust me. I’m sure a skilled hacker could if they put enough effort into it, but you’re not.

I don’t know who amongst my readers might have the skills and the time, but if you want to slap some children around with a big trout, here’s a few IPs from my logs:


Have a nice day!

Written by mark

November 21st, 2009 at 4:28 pm

Posted in General


Wordpress MU 2.8.5.1 – yes, four numbers.


Wordpress MU 2.8.5.1 is out!
Read the full post on Donncha’s blog: WordPress MU 2.8.5.1

As you may read, it is a security upgrade based on the recent 2.8.5 release of Wordpress.org, so there are absolutely no excuses — Download and upgrade as soon as you’re finished eating now!

Written by mark

October 30th, 2009 at 5:55 pm

Posted in Announcements


Wordpress 2.8.5 security upgrade release


I’m a little late to the announcement game, given that I was out of town for awhile and still catching up, but here it is anyways:

Wordpress 2.8.5 has been released! (zip) (tar.gz)

This is just a security update, similar to the last couple of version releases (list of updates can be found here). If you’re looking for the cool stuff, you’re going to have to wait for 2.9, which will probably be coming out some time next month.

Please also note that this is just the Standalone version of Wordpress.org – Wordpress µ (MU) 2.8.5 has not been released yet. Donncha is always on top of getting MU up to speed though, so keep an eye out for this release to be hitting shelves shortly.

Written by mark

October 21st, 2009 at 12:26 pm

Posted in Announcements
