Category Archives: Web Site Dev

Posts concerning web site design and development. Examples of PHP, XHTML, and JavaScript code. WordPress-related posts may be cross-categorized here, but also have their own category.

So I finally watched The Social Network over the weekend, and it’s made me feel jealous and a bit guilty.

In a meager effort to console myself for so far failing to be a billionaire, I’m assembling the short list of web-application type things I’ve built here.

  1. A dice roller: rollforit. Enter a name, create a room, invite your friends, and start rolling dice. For people who want to play pen and paper, table-top RPG dice games with their distant friends.
  2. A URL shortener: Minifi.de. Minifi.de comes with an API and a bookmarklet. It really works, too! The technical explanation has more details.
  3. A social networking site: Snapbase. Snapbase is a social site that shows you what’s going on in your city or anywhere in the world as pictures are uploaded by your friends and neighbors. The application extracts location information from the EXIF data embedded in images and displays recent images taken near your present location.
  4. A trouble-ticketing system for an IT help desk or technical support center. It’s really pretty extensive, with asset management, user accounts, salted encrypted passwords, and all sorts of nifty things. I really must write a full description of it at some point, but until then, the documentation is the next best thing.
  5. An account-based invoice tracking and access system for grouping invoices according to clients, then sharing invoice history with those clients and allowing them to easily pay outstanding invoices via PayPal.
  6. An account-based invoice access system where clients can view paid and unpaid invoices, and even easily pay an outstanding invoice via PayPal. I actually use this almost every day.
  7. A simple method for protecting a download using a unique URL that can be emailed to authorized users. The URL can be set to expire after a certain amount of time or any number of downloads.
  8. An update to the above download protection script to protect multiple downloads, generate batches of keys, leave notes about who received the key, the ability to specify per-key the allowable number of downloads and age, and some basic reporting.
  9. An HTML auction template generator called Simple Auction Wizard. It helps you create HTML auction templates for eBay, and uses SWFUpload and tinyMCE.

I have another project in the works that promises to be more financially viable, but the most clever thing on that list is Snapbase. It’s in something akin to alpha right now; barely usable. I really wish I had the time to pursue it.

While making changes to my WordPress theme, I noticed that the error_log file in my theme folder contained dozens of PHP Fatal error lines:

...
[01-Jun-2011 14:25:15] PHP Fatal error:  Call to undefined function  get_header() in /home/accountname/public_html/ardamis.com/wp-content/themes/ars/index.php on line 7
[01-Jun-2011 20:58:23] PHP Fatal error:  Call to undefined function  get_header() in /home/accountname/public_html/ardamis.com/wp-content/themes/ars/index.php on line 7
...

The first seven lines of my theme’s index.php file:

<?php ini_set('display_errors', 0); ?>
<?php
/**
 * @package WordPress
 * @subpackage Ars_Theme
*/
get_header(); ?>

I realized that the error was being generated each time that my theme’s index.php file was called directly, and that the error was caused by the theme’s inability to locate the WordPress get_header function (which is completely normal). Thankfully, the descriptive error wasn’t being output to the browser, but was only being logged to the error_log file, due to the inclusion of the ini_set('display_errors', 0); line. I had learned this the hard way a few months ago when I found that calling the theme’s index.php file directly would generate an error message, output to the browser, that would reveal my hosting account username as part of the absolute path to the file throwing the error.

I decided the best way to handle this would be to check to see if the file could find the get_header function, and if it could not, simply redirect the visitor to the site’s home page. The code I used to do this:

<?php ini_set('display_errors', 0); ?>
<?php
/**
 * @package WordPress
 * @subpackage Ars_Theme
 */
if (function_exists('get_header')) {
    get_header();
} else {
    /* Redirect browser */
    header("Location: http://" . $_SERVER['HTTP_HOST']);
    /* Make sure that code below does not get executed when we redirect. */
    exit;
} ?>

So there you have it. No more fatal errors due to get_header when loading the WordPress theme’s index.php file directly. And if something else in the file should throw an error, ini_set('display_errors', 0); means it still won’t be sent to the browser.
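An added example, not the theme's original code: `$_SERVER['HTTP_HOST']` is copied from the request's Host header, so the redirect above points at whatever hostname the request named. This variant uses the header only when it exactly matches a fixed list of the site's own hostnames; the `www.ardamis.com` entry, the `http` scheme and the function name are assumptions.

```php
<?php
// Added example: direct-access guard for a theme template that does not
// trust the client-supplied Host header when building the redirect.
ini_set('display_errors', '0');

// Assumption: hostnames the site really answers to, maintained by the owner.
// ardamis.com is the site named in the post; the www variant is assumed.
const ALLOWED_HOSTS = ['ardamis.com', 'www.ardamis.com'];
const FALLBACK_HOST = 'ardamis.com';

/**
 * Build the home-page URL used for the redirect (hypothetical helper).
 * The Host header is used only if it exactly matches an allowed hostname;
 * anything else (other domains, ports, userinfo, embedded CR/LF, an empty
 * value) falls back to the fixed hostname.
 */
function home_redirect_url(string $hostHeader, array $allowedHosts, string $fallbackHost): string
{
    // Hostnames are case-insensitive and may carry a trailing dot.
    $host = rtrim(strtolower(trim($hostHeader)), '.');

    // Strict comparison: no partial or loose matches.
    if (!in_array($host, $allowedHosts, true)) {
        $host = $fallbackHost;
    }

    return 'http://' . $host . '/';
}

if (PHP_SAPI === 'cli') {
    // Run from the command line: show the redirect target for a few
    // constructed Host values.
    $samples = [
        'ardamis.com',
        'WWW.ARDAMIS.COM',
        'attacker.example',
        'ardamis.com@attacker.example',
        "ardamis.com\r\nX-Injected: 1",
        '',
    ];
    foreach ($samples as $sample) {
        printf(
            "%-36s => %s\n",
            json_encode($sample),
            home_redirect_url($sample, ALLOWED_HOSTS, FALLBACK_HOST)
        );
    }
} elseif (function_exists('get_header')) {
    // Loaded by WordPress: render the template as usual.
    get_header();
} else {
    // Requested directly: send the visitor to the home page and stop.
    header(
        'Location: ' . home_redirect_url($_SERVER['HTTP_HOST'] ?? '', ALLOWED_HOSTS, FALLBACK_HOST),
        true,
        302
    );
    exit;
}
?>
```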

Just a few notes to myself about monitoring web sites for infections/malware and potential vulnerabilities.

Tools for detecting infections on web sites

Google Webmaster Tools

Your first stop should be here, as I’ve personally witnessed alerts show up in Webmaster Tools, even when all the following tools gave the site a passing grade. If your site is registered here, and Google finds weird pages on your site, an alert will appear. You can also have the messages forwarded to your email account on file, by choosing the Forward option under the All Messages area of the Home page.

Google Webmaster Tools Hack Alert

Google Safe Browsing

The Google Safe Browsing report for ardamis.com: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=ardamis.com

Norton Safe Web

https://safeweb.norton.com/

The Norton Safe Web report for ardamis.com: https://safeweb.norton.com/report/show?url=ardamis.com

Tools for analyzing a site for vulnerabilities

Sucuri Site Check

http://sitecheck.sucuri.net/scanner/

The Sucuri report for ardamis.com: http://sitecheck.sucuri.net/scanner/?scan=www.ardamis.com.

The recent news that Yahoo! has sold Del.icio.us to the guys who founded YouTube got me thinking about another former big name in link sharing, Technorati. Does anyone still use either of these sites? I did back in 2006, but mostly just half-heartedly to promote ardamis.com. It would seem that in 2011, we’ve found other, more directly social means for sharing sites.

http://www.delicious.com/ardamis
http://www.delicious.com/search?p=ardamis
http://technorati.com/blogs/www.ardamis.com

A quick glance around Technorati today for sites ranked similarly with ardamis.com turned up little other than spam sites, just like everything else.

I’ve written a few tutorials lately on how to reduce page load times. While I use Google’s Page Speed Firefox/Firebug plugin for evaluating pages for load times, there are times when I want a second opinion, or want to point a client to a tool. This post is a collection of links to online tools for testing web page performance.

Page Speed Online

http://pagespeed.googlelabs.com/

Google’s wonderful Page Speed tool, once only available as a Firefox browser Add-on, finally arrives as an online tool. Achieving a high score (ardamis.com is a 96/100) should be on every web developer’s list of things to do before the culmination of a project.

Enter a URL and Page Speed Online will run performance tests based on a set of best practices known to reduce page load times.

  • Optimizing caching – keeping your application’s data and logic off the network altogether
  • Minimizing round-trip times – reducing the number of serial request-response cycles
  • Minimizing request overhead – reducing upload size
  • Minimizing payload size – reducing the size of responses, downloads, and cached pages
  • Optimizing browser rendering – improving the browser’s layout of a page

WebPagetest

http://www.webpagetest.org/

WebPagetest is an excellent application for users who want the same sort of detailed reporting that one gets with Page Speed.

  • Load time speed test on first view (cold cache) and repeat view (hot cache), first byte and start render
  • Optimization checklist
  • Enable keep-alive, HTML compression, image compression, cache static content, combine JavaScript and CSS, and use of CDN
  • Waterfall
  • Response headers for each request

Load Impact

http://loadimpact.com/pageanalyzer.php

Load Impact is an online load testing service that lets you load- and stress test your website over the Internet. The page analyzer analyzes your web page performance by emulating how a web browser would load your page and all resources referenced in it. The page and its referenced resources are loaded and important performance metrics are measured and displayed in a load-bar diagram along with other per-resource attributes such as URL, size, compression ratio and HTTP status code.

ByteCheck

http://www.bytecheck.com/

ByteCheck is a super minimal site that returns your page’s all-important time to first byte (TTFB). Time to first byte is the time it takes for a browser to start receiving information after it has started to make the request to the server, and is responsible for a visitor’s first impression that a page is fast- or slow-loading.

Web Page Analyzer

http://websiteoptimization.com/services/analyze/

My opinion is that the Web Page Analyzer report is good for beginners without much technical knowledge of things like gzip compression and Expires headers. It’s a bit dated, and is primarily concerned with basics like how many images a page contains. It tells you how fast you can expect your page to load for dial-up visitors, which strikes me as quaint and not particularly useful.

  • Total HTTP requests
  • Total size
  • Total size per object type (CSS, JavaScript, images, etc.)
  • Analysis of number of files and file size as compared to recommended limits

The Performance Grader

http://www.joomlaperformance.com/component/option,com_performance/Itemid,52/

This is another simplistic analysis of a site, like Web Page Analyzer, that returns its analysis in the form of pass/fail grades on about 14 different tests. I expect that it would be useful for developers who want to show a client a third-party’s analysis of their work, if the third-party is not terribly technically savvy.

One unique thing about this tool, though, is that it totals up the size of all images referenced in CSS files (even those that the current page isn’t using).

  • HTML Size
  • Total Size
  • Total Requests
  • Generation Time
  • Number of Hosts
  • Number of Images
  • Size of Images
  • Number of CSS Files
  • Size of CSS Files
  • Number of Script Files
  • Size of Script Files
  • HTML Encoding
  • Valid HTML
  • Frames

Attempting to run the W3C Link Checker against //ardamis.com/ returns an error message.

Error: 406 Not Acceptable

This is what the W3C says about the 406 HTTP status header:

406 Not Acceptable
The resource identified by the request is only capable of generating response entities which have content characteristics not acceptable according to the accept headers sent in the request.

http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

In other words, the W3C Link Checker requests the web page, and tells the web server that, by the way, it can only accept responses in a certain format. The web server then regrets to inform the requestor that it cannot fulfill this request, because it cannot return a response that would be acceptable to the requestor. It does this in the form of a 406 Not Acceptable HTTP header. The W3C Link Checker then outputs this error.

Other W3C apps, like Unicorn – W3C’s Unified Validator and the W3C HTML Validator don’t seem to be sending the same HTTP headers. (But I did note that there were a few small issues preventing the home page from passing the test, which I then fixed.)

Ardamis runs on WordPress, with a custom theme originally developed years ago from the Kubrick theme and a handful of plugins (as more completely described at the colophon page). I tinker with the site, from time to time, trying to speed it up or what-have-you. But no amount of tinkering seemed to resolve this problem. Over the course of a few months, I’d try various changes to the site to see if there was something I could do to fix this problem. I had pretty much convinced myself that it was going to be an issue for my web host when, miraculously, after making some changes to the .htaccess file, my theme and disabling one of the plugins (which I can’t see how would possibly affect the HTTP headers) the Link Checker began working.

In the results page for www.ardamis.com, it lists some of the headers used:

Settings used:

  • Accept: text/html, application/xhtml+xml;q=0.9, application/vnd.wap.xhtml+xml;q=0.6, */*;q=0.5
  • Accept-Language: en-US,en;q=0.8
  • Referer: sending
  • Sleeping 1 second between requests to each server

I’m not sure what I did to make this work, or even if it was something I did. But further troubleshooting would have involved disabling all plugins, trying a different theme, and then ruling out WordPress entirely.
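An added example (not code from this site or from the W3C): the negotiation described above, applied to the Accept header the Link Checker reports in its settings. It considers media type only, not Accept-Language; the function names and the lists of available types are constructed. Because that header ends in `*/*;q=0.5`, any media type a server offers has a non-zero quality on this dimension.

```php
<?php
// Added example: media-type negotiation as described in RFC 2616 section 14.1.

/** Parse an Accept header into a list of [media-range, q] pairs. */
function parse_accept(string $header): array
{
    if (trim($header) === '') {
        return [['*/*', 1.0]]; // no Accept header means every type is acceptable
    }
    $ranges = [];
    foreach (explode(',', $header) as $item) {
        $params = array_map('trim', explode(';', $item));
        $range = strtolower(array_shift($params));
        if ($range === '') {
            continue;
        }
        $q = 1.0; // default quality when no q parameter is present
        foreach ($params as $param) {
            if (preg_match('/^q\s*=\s*([01](?:\.\d{0,3})?)$/i', $param, $m)) {
                $q = (float) $m[1];
            }
        }
        $ranges[] = [$range, $q];
    }
    return $ranges;
}

/** Quality the client assigns to one media type; the most specific range wins. */
function quality_for(string $mediaType, array $ranges): float
{
    [$type, $sub] = array_pad(explode('/', strtolower($mediaType), 2), 2, '*');
    $quality = 0.0;
    $bestSpecificity = -1;
    foreach ($ranges as [$range, $q]) {
        if ($range === "$type/$sub") {
            $specificity = 2;
        } elseif ($range === "$type/*") {
            $specificity = 1;
        } elseif ($range === '*/*') {
            $specificity = 0;
        } else {
            continue;
        }
        if ($specificity > $bestSpecificity) {
            $bestSpecificity = $specificity;
            $quality = $q;
        }
    }
    return $quality;
}

/** Return [status, chosen type]: 406 only when every available type has q = 0. */
function negotiate(string $accept, array $available): array
{
    $ranges = parse_accept($accept);
    $chosen = null;
    $bestQ = 0.0;
    foreach ($available as $candidate) {
        $q = quality_for($candidate, $ranges);
        if ($q > $bestQ) {
            $bestQ = $q;
            $chosen = $candidate;
        }
    }
    return $chosen === null ? [406, null] : [200, $chosen];
}

// Accept header copied from the Link Checker settings quoted above.
$linkChecker = 'text/html, application/xhtml+xml;q=0.9, application/vnd.wap.xhtml+xml;q=0.6, */*;q=0.5';

// Constructed cases: what the server can produce, and what the client sent.
$cases = [
    [$linkChecker, ['text/html']],
    [$linkChecker, ['application/json']],
    ['application/xml', ['text/html']],
];
foreach ($cases as [$accept, $available]) {
    [$status, $type] = negotiate($accept, $available);
    printf("%-18s offered, status %d, type %s\n", implode(',', $available), $status, $type ?? '-');
}
```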

As of April, 2011, the home page of ardamis.com has over two million inbound links, with over 2,800,000 total inbound links to all pages on the site.

This is an increase of 1,200,000 inbound links to the home page alone since July, 2010. I calculate that the home page gained an average of 150,000 inbound links a month during the last eight months. That’s pretty amazing.

April 2011 Inbound Links

But I continue to be disappointed in the Site Performance area of Webmaster Tools. Try as I might, Google still thinks my site is crushingly slow, with average load times of 2.9 seconds, even though my independent tests suggest that the site consistently returns pages in less than two seconds.

April 2011 Site Performance

I’ll keep at it.

I switched from GoDaddy to Just Host in mid 2010. GoDaddy had great uptime and excellent customer support, but I preferred the cPanel interface available at Just Host to the proprietary admin area on GoDaddy. I also liked being able to host all of my sites under a single, inexpensive plan at Just Host, rather than paying for separate hosting for each domain at GoDaddy (which I later discovered was an option).

But, after a few problems here and there with Just Host, I thought it was a good idea to keep track of issues that lead to support calls. By early 2012, I had decided not to renew my hosting contract and was looking for alternatives. HostGator seemed to be pretty decent, but I was also curious about going it alone with an Amazon EC2 instance.

Below is a record of the support tickets logged with JustHost for what I think are problems that a competent host would be able to resolve without requiring my attention.

Slowness

[#2916833] MySQL seems extremely slow over the last two days
Sunday, August 28, 2011

Hello there,

It seems like something is really slowing down the MySQL server that I use on http://alephstudios.com.

Basically, the same operation takes the server over 5 times longer than on my low-end laptop. The server is usually far, far faster than this. I’m running into PHP max execution, script timeout type problems with what should be very quick processes.

Would someone please look into this?

I’ve put more details up on my site at //ardamis.com/2011/08/28/justhost-com-what-is-wrong-with-your-mysql-servers/

Thank you,
-Oliver

Downtime

The downtime at Just Host has become increasingly frustrating. I’ve now noticed my sites being down four times in 2011 and have logged support tickets.

[#2743795] Site unreachable…
Saturday, July 2, 2011
http://www.webpagetest.org/result/110702_8P_Z5WT/

[#2419040] Sites down again
Wednesday, March 16, 2011

[#2269339] site timing out
Thursday, January 27, 2011

[#2219224] Site appears to be down
Tuesday, January 11, 2011

Just Host is pretty good about quickly getting things running again, but I wondered how much downtime my sites are experiencing that I wasn’t aware of. In August, 2011, I set up a free account at pingdom to monitor for any further downtime.

Error messages

Shortly after I became a Just Host customer, I discovered a misconfiguration on the server that was preventing my sites from saving PHP session variables. This was quickly resolved.

[#1836474] Cannot save session data to /tmp
Monday, August 23, 2010

DNS problems after server migration

On Wed, Apr 4, 2012 at 12:07 AM, I received the following email from JustHost:

We’re pleased to inform you that we will begin upgrading your account, and all associated subdomains, to a new hosting server within the next 48 hours.

This upgrade requires that we take your websites offline for a short period of time to complete the transfer. Anticipated downtime is between 1-2 hours, though we’ll take every step possible to restore full service as quickly as possible.

In order to facilitate the smoothest transition possible, we’ll be updating internal DNS entries automatically during the transfer, and will make the website accessible at the previous IP address for approximately one week after the upgrade completes.

Should you be managing your own DNS (you know who you are), your new IP address will be available in your account once the upgrade completes. As part of our seamless upgrade process, your website will continue to be available at the previous IP address for approximately one week. However, we suggest updating your DNS entries immediately to ensure proper functionality for your hosted domain(s).

Finally, customers in the European Union will begin paying VAT tax on any future purchases, as required by EU law. VAT will not be charged on any past purchases.

Please do not hesitate to contact our Support team if you have any questions: (888) 755-7585

Sincerely,

Just Host Support

That sounded pretty good.

On Wed, Apr 11, 2012 at 12:02 AM, I started getting alerts from Pingdom.com that my site was going up and down. It eventually went down 3 times for a total of one hour.

On Wed, Apr 11, 2012 at 7:24 AM (7 days, or 175 hours, after their notification email), I received the following email from Just Host Support:

The upgrade of your account, and all associated subdomains, to a new server has completed successfully. Your website(s) are now hosted at a new location, with the following IP address; please keep these for your records.

If you are managing your own DNS entries for your domains, not common, please update them now.

173.254.6.73

Like the previous email mentioned, your website is still available at the old IP address, and will remain available for approximately one week.

While no data loss was encountered during the upgrade, we suggest you browse through all your hosted domain(s) to verify that they are functioning properly. Additionally, note that this process required a change in server timezones, from Central Daylight Time (GMT -5) to Mountain Daylight Time (GMT -6). Any automated tasks you have may require adjustment to trigger them at the desired intervals.

Lastly, this upgrade included several software upgrades and changes. The most noteworthy being a new Domain Manager, a new Billing interface, and the more robust SimpleScripts, which replaces Fantastico. You can directly import your Fantastico installed software to SimpleScripts, which will manage the installations and upgrades as Fantastico did.

If you have any questions about your account post-upgrade, or experience any trouble at all, please do not hesitate to contact our Support Department.

Just Host Support

OK, so it took them a bit longer than they originally anticipated. That’s fine.

What wasn’t fine was that my sites all failed to resolve. Instead of my sites, I got a JustHost ad-supported placeholder page. Later that afternoon, I called JustHost support and was told that while the file migration was complete, there was a problem with the DNS (as in they pointed it to the wrong server) and we were now waiting for the correct DNS entries to propagate. After a few hours of being completely horrified that my sites were replaced with a hideous landing page, everything began working normally. Or so I thought.

On Sun, Apr 22, 2012 at 5:45 PM, I logged a support ticket because the password protection on one of my subdomains (which had worked fine before the server migration – see below) stopped working. I was still prompted to enter a username and password, but instead of then taking me to the site, the server was throwing a 500 error. I tried removing the password part of my .htaccess file, and the site worked fine. I put the password part back and tried changing the password for the subdomain, but it continued to throw the 500 error.

My email to Just Host support:

Hey there, folks.

I have set a directory password on one of my subdomains – rankings.alephstudios.com – and added (what I believe are the necessary lines to my .htaccess file). I’m getting the expected password prompt, but after I enter the password, I get a 500 internal server error.

Here are the log entries for this event (my IP is 69.211.123.27):

[Sun Apr 22 16:11:49 2012] [error] [client 69.211.123.27] (13)Permission denied: Could not open password file: /home/alephst1/.htpasswds/public_html/rankings/passwd
[Sun Apr 22 16:11:49 2012] [error] [client 69.211.123.27] (13)Permission denied: Could not open password file: /home/alephst1/.htpasswds/public_html/rankings/passwd

It looks like a permissions or ownership problem on the htpasswd file or parent directory.

The password protection is primarily to keep spiders out of that directory, so I can give you guys the username/password if you need it.

You can email me at xxxxx with questions.

P.S. The Apache log also shows tons of these errors, not from my connection:

[Sun Apr 22 16:43:49 2012] [error] [client 66.249.73.205] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use ‘LimitInternalRecursion’ to increase the limit if necessary. Use ‘LogLevel debug’ to get a backtrace.
[Sun Apr 22 16:43:50 2012] [warn] RewriteOptions: MaxRedirects option has been removed in favor of the global LimitInternalRecursion directive and will be ignored.

I figured that was a pretty good email. I was able to clearly describe the problem behavior, supply some evidence of a record of the problem behavior, and propose some logical places to begin troubleshooting the behavior. As someone who has worked in technical support in the past, I’m pretty careful about how I interact with reps.

This is the response I got:

Hello,

The log file shows errors or issues for the entire server your account is on. The only ones that affect you are the ones associated with your connection, ie IP address, and are typically in red.

A 500 internal server error can be displayed for multiple different reasons. It can be thrown when there is an incorrect redirect or rewrite rule stated in the .htaccess file. You can troubleshoot this issue by simply renaming the .htaccess file, effectively deactivating it. After renaming it, try reloading the page that was giving the 500 error, (you may need to clear your cache). If you need help renaming the .htaccess file, please follow these steps:

Login to your Cpanel
Scroll down to Files
Click on File Manager
Choose Web Root, also make sure that you also check the box to show hidden files.
Click Go
On the right side, look for the .htaccess file. Right click on it, and click rename file (rename it to something like .htaccess.old)

It can also be caused by improper file/folder permissions. Typically folders should have permissions of 755 and files should be 644. You can check and change file/folder permissions using the File Manager in the cpanel or using an FTP Client such as Filezilla.

If this does not resolve the issue, please check your cPanel -> Error Logs. Please Note: The MAIN error_log is a shared log meaning that errors from all websites hosted on the server will be displayed as well as those for your website, be sure to reference your IP when searching this log. If you are unsure of your WAN IP address please visit http://whatismyip.com

It can also be caused by a plugin or script that is trying to do something that the server doesn’t allow; checking the error logs as stated above should identify the script or file that is causing the issue.

Thank you,
XXX
Level I Tech Support Engineer

Completely not satisfactory as a response, even from a Level 1 Tech. The errors I quoted in my email were in red. I took pains to provide useful information and got a stock response back without any apparent effort.

So, I replied with this:

I logged a support ticket because the password protection on one of my subdomains (which had worked fine before my sites’ recent server migration) stopped working.

I was still prompted to enter a username and password, but instead of then taking me to the site, the server was throwing a 500 error. I tried removing the password part of my .htaccess file, and the site worked fine. I put the password part back and tried changing the password for the subdomain, but it continued to throw the 500 error.

I looked at the server logs and, as I pointed out in my original ticket, found entries from my IP address indicating a Permission denied error for my htpasswd file.

Would someone please confirm that the files and directories have the correct ownership to allow me to use password protection on my directories?

Thanks,

In August, 2010, I described a simple method for dramatically reducing the number of spam comments that are submitted to a WordPress blog. The spam comments are rejected before they are checked by Akismet, so they never make it into the database at all.

Now, a few months later, I’m posting a screenshot of the Akismet stats graph from the WordPress dashboard showing the number of spam comments identified by Akismet before and after the system was implemented.

Akismet stats for August - December, 2010

The spike in spam comments detected around November 3rd occurred after an update to WordPress overwrote my altered wp-comments.php file. I replaced the file and the spam dropped back down to single digits per day.

The sitelinks on ardamis.com seem to come and go. I noticed that they were back again a few days ago.

Google sitelinks for "ardamis"

But this time around, a search for “Oliver Baty” also returns sitelinks.

Google sitelinks for "oliver baty"

This is the first time I’ve noticed that a search for other than the domain name has returned sitelinks for ardamis.com, so I figured it was worth recording for posterity.