So, instead of developing the enhancement as a new feature for Free CDN, I decided to create a new plugin called CDN Rewrites. The implementation was not really a breeze, but in the end it worked rather smoothly.

I would like to thank Mike Colburn for the idea and being so kind enough to help me with all the documents and testing. Without him this plugin would never see the light.

Head here for the plugin’s official page.

I’m rather lucky to be working as an R&D guy in my current company, thus got a (legal) chance to (legally) spare a lot of time for (sometimes illegal) new and cool stuffs. Among them is CDN, a solution to distribute (mostly static) contents across a network and let end-user access their copies from the cloud instead of the central server itself, thus reduces bottle neck problems during peak hours. To enterprise websites like those of Microsoft, Yahoo, Amazon, eBay etc., this is vital, as the number of concurrent visitors and downloads very frequently exceeds millions. Some of them build their own CDN, when the others rather hire third party services to handle the load to save time and money. Most well known among these 3rd services are properly Akamai and Limelight, though there is a vast of them, naturally. For instance, Windows 7 downloads (~2GB each!) were served through Akamai network, when the live internet broadcast of Barrack Obama’s inaugural speech was done with help from Limelight.

CDN’s are great as they save websites from heavy loads thus reduces bandwidth and shorten that number on the webmasters’ monthly bills. So why aren’t they used so popularly? Well, because in general they are expensive, as you can tell. Depending on each CDN’s price table and the data size, the cost of using a CDN may range from thousands a month, which is unaffordable for like 98% of our blog owners despite of being just a peanut to Yahoo and Microsoft. So unless he is earning millions from selling Photoshop brushes or Google ads on his personal blog, a blog owner would close his eyes and wait for that Digg wave to calm down instead of (dare) using a CDN and survive the typhoon. So the rich keep getting richer and the poor keep remaining poor, life is bitter huh?

Not really (whoo hoo!). Akamai and Limelight are big, but they are not the only. Aside of those commerical CDN’s, there are some free ones, like Coral, which provide us with free CDN – means free bandwidth. Coral CDN uses peer-to-peer technology in its CDN architecture, thus eliminates the need of maintaining a system of expensive server clusters while still offering an CDN solution with acceptable speed and stability. Long story shot, we small blog owners can also have CDN (on pair with Microsoft, yay!).

It’s dead simple to get a content (being any of types, but most commonly static contents like images, video clips, music tracks, css, java scripts) served thought Coral. All you have to do is appending .nyud.net to the host name of that content’s URL and call it done. Try it here, here, and here to see it yourself. The first time requested, the content is retrieved from the original server and cached on Coral’s distributed servers. From the second request on, visitors will get a copy of that content from Coral. If the content weights 100KB in size, you’ve just saved 100KB bandwidth. If you have 1000 requests, it’s 100MB of bandwidth saved. Piece of cake.

So I was very excited getting to know about Coral and free P2P CDN’s. Then I told myself: ok, it’s time for another WordPress plugin – a “Free CDN” one which will rewrite all static URLs (being images, css, js etc.) to take advantage of Coral. Easier said than done, but nonetheless, I managed to get it done (thank you very much Thaya, for the great help on how to capture the whole WordPress HTML stream). Today is the day Free CDN WordPress plugin is born, cheers! The concept behind this plugin is simple: it looks for static contents inside a WordPress page and rewrites them into Coral-ready format. For example, http://www.yourblog.com/wp-contents/themes/one-room/images/sprites.png will be rewritten into http://www.yourblog.com.nyud.net/wp-contents/themes/one-room/images/sprites.png and gets handled by Coral network.

If your blog is rather small and you don’t have to worry about bandwidth fee / peak times, then it may be not worth your time to lay an eye on this plugin. But if you have a big enough blog with tens of thousands of views a day, and the bandwidth fee is giving you some good nightmare, and the bottle necks are causing you some headaches, then why not give Free CDN a try?

1. The code has been COMPLETELY re-written from scratch. As of the previous versions, it was one big file that handled everything from admin to front-end control. Needless to say how inconvenient this approach had become when bug fixes and new features were added… too bad that I have decided to throw all away and build a brand new OOP Referrer Detector. Well, it was a looong and tough way, but I’ve never looked back!
2. The data are now in (ahem) database. I was thinking (and convincing myself) that a JavaScript file is faster, as it reduces the number of database requests. But with time, it becomes too bloat and too hard for me to track bugs as well as to add improvements. So I told myself: hell with this sacrifice, I better obey the power of MySQL.
3. The biggest new feature that I’m really excited of is the ability to add localized messages. In the past, your users were welcomed the the same (English) greetings regardless of which country they were from. Now you can specify a localized message for those from Vietnam, another for Brazilians, Portuguese, and so on. The plugin will try to detect users’ country and decide which message to show. Isn’t it cool?
4. The second new feature is the ability to backup and restore stuffs, including entries, excluded URLs, and options. For restoring, in order to keep the administration panel AJAX’ed, I go with Uploadify, a wonderful jQuery file upload plugin. This plugin uses a bit of Flash, but no worries, it will still works if your browser has no Flash player installed.
5. For the Stats panel, there were two problems that caused me much of headache. One is Google TLDs which are hundreds in number thus totally ruined the chart. The other is the chart itself: PHP/SWF Charts library is too darn heavy and often broke my SVN commits. So I wrote some code to group those annoying TLDs into one group, and use Google Chart instead.
6. In the admin panel, I added a “Support this plugin!” tab. Just a bit about myself, like “Follow me on Twitter”. Hope you aren’t pissed of with this change.

As usual, the plugin is downloadable at WordPress Codex. Your comments are always welcome here and in the plugin page. Let me know if you’re happy with the new version, or about the bugs you encounter!

But today I noticed this DANGEROUS thing, and I want to announce it so that everybody can fix. By default, sql dumb data are saved into files under a directory named backup-db inside wp-content. And this directory has absolutely no protection. That means you can freely browse anyone’s wp-content/backup-db/ content and download the data file.

Now, I did a search of “index of /wp-content/backup-db” on Google. From the popularity of WordPress and this plugin, you can tell how many results I got. Yes, thousands of results were returned, each was a browsable and downloadable backup directory among thousands of different WordPress-powered websites.

Need I stress on how serious this problem is? It’s about passwords (encrypted or not), email addresses, other private data, even credit card numbers for business blogs. This is serious.

The fixes

There are many fixes for this problem. You can

• Change the backup directory, or
• Upload a index.html file into backup-db directory to prevent directory browsing, or
• Use .htaccess to prohibit downloading contents from the directory etc.

For the sake of WordPress users, please spread this. I’ve also contacted Lester Chan, the author of the plugin, so that he can release a fix.

Updates

It seems I missed the instruction from the author before installing the plugin
But anyway, I believe most of WP users just install the plugins without reading, especially when they just work out of the box. And as the downloadable sql dumps are still out there, I’m waiting for a more strict fix instead of readme file’s instruction.

UPDATE: Starting from version 2.50, the plugin author added a check for a proper .htaccess file in the backup folder for security purpose. Way to go!

Nevertheless, I’ve just taken part in this community for 2 months, so I would consider this a small success.

And this is a win-win.

But hey, this post is not about WordPress 2.7! There are hundreds of blogs out there babbling about it already! If you’re a careful reader (definition: a careful reader is someone who reads something from the title on), you probably know it, I’ve managed to used some free time to write another WP plugin called AJAX Random Posts, and this post is more or less its homepage.

As its name is saying, AJAX Random Posts (AjaxRP) display a list of randomly chosen posts from your WordPress-powered blog. Yeah, it’s nothing new, such a concept is very popular and has been greatly done by several plugins before. The limitation of those plugins however, is the lack of cache plugins compatibility. For example, you install a random post plugin. Then a visitor comes to post A, and under a post he’s served with 5 other random ones, let’s say C, Y, M, K, and J. If you have WP-Super Cache enabled on your blog, the post A is cached for, like, one hour. During that one hour, any visitor that reads post A will be served with its cached version, with C, Y, M, K, and J following. You must agree with me, it’s not so random anymore .

So, the only difference my AjaxRP is making is its “AJAX” part. With AjaxRP, the random list is NOT generated along with post A. Instead, it makes an AJAX call to the server after the page is loaded (more precisely, after the DOM is ready) and retrieves a list of random posts. This way, it works regardless of whether or not you have a cache plugin installed. That means, each page refresh shows a new random list. And I guess that is what should be called “random”.

FAQ

Q: Do you provide a template tag/ post tag?
A: Absolutely. If you don’t want the random posts to be display after every post, just set “Automatically display the random posts in a single post page?” to “No” in the Settings page, and

• Manually put <!–ajaxrp–> at the end of your post, or
• Place this php code: <?php if (function_exists(‘ajaxrp’)) ajaxrp(); ?>
  at a proper place in your template’s single.php page

Q: Where can I find a demo?
A: Right here! Take a look at the end of this post.

Q: How do I support this plugin?
A: Please link back to this post or blog about it. Also I would appreciate a lot if you can rate this plugin 5 stars in the WordPress repository.

History

Full history can be found here.

Download

Head here.

It’s been a while… yes I know I’m feeding up your ears (or eyes) with this same old same old greeting, but I’ve never been a good speaker.

So it’s been a while, and I’m writing another small plugin for personal purpose. Remember, I have another site dedicated to Vietnamese poetry? Well, I’m trying to enhance it up a bit – with some plugins I write maybe…

However, something today made me (temporarily) pause the work. Something not so happy.

In case you don’t know yet, I’ll stress it again: I didn’t invent the [concept of] Referrer Detector plugin. Instead, I first saw a similar plugin in action on my favorite blog Smashing Magazine. As Smashing is more or less a commercial blog, I was thinking it was something they made themselves and thus may not be open source, so I decided to write my own. When I found out that it’s originally a great plugin from Thaya Kareeson, my Referrer Detector was nearly finished, and I didn’t want it to be left abandoned. Apart from that, I also thought that my plugin, while still young and lacked of some important features, had some advantages that I personally could make use of (at that moment). So eventually I registered it in WordPress Codex. That’s the story.

When Referrer Detector was out, I was very happy to see how welcomed it was. My [G]mail box were full of comment moderation requests, and I was continuously asked for bug fixes, implementations, even some not so relevant stuffs (like how to change theme ). These comments were the invaluable support that encouraged me to quickly release newer and hopefully better versions of RD, with visible and invisible changes as well. And it’s always been a joy for me to open my mailbox and see an unread message titled “[phoenix.heart - portfolio & more] Please moderate: “Here it is – Referrer Detector…”.

Thaya has noticed about my plugin, as he even left a comment on my blog entry – I was happy with it too. So it came to me as a surprise when today, I found out that it’s not that simple. Seems like he’s thinking I’m forking his code and is upset with the fact that RD is sharing the “fame” with his WP Greet Box. On a blog that promoted my plugin he left this comment:

Honestly, I am quite disappointed that my plugin hasn’t done better in the WordPress community. I am also even more shocked[upset] that Referrer Detector got the word out much quicker than WP Greet Box. I guess it really does matter “who” you knows in the blogging community.

I don’t want to sound biased, but as of right now (Referrer Detector version 2.1) I believe that WP Greet Box is hands-down better than Referrer Detector:

1. Referrer Detector has a security flaw in its administrative AJAX interface. I won’t say more, so hopefully people with Referrer Detector installed won’t get hacked.
2. WP Greet Box works with WPMU.
3. WP Greet Box has the ability to keep track of visitors, so the visitor referred from google will not keep getting the same greeting message if they have visited within the last X hours.
4. Exclusion rules have regular expressions support.
5. More solid default CSS.

The only pros referrer detector has on WP Greet Box are:

1. More default greeting messages
2. The ability to include WordPress attributes like url, title, author, category etc. into the greetings

Given the security flaw Referrer Detector, I wouldn’t even try it out on a production site until the fix comes.

And on his official WP Great Box plugin blog, he changed the Upcoming Features to something below:

Maybe I’m a little over-sensitive, but nevertheless, it seems that I’m just one of those “kiddie coders” who’s “forking [his] code”.

To be fair, he was right about the pros and cons both plugins have – although still I believe that mine has something more that that. Also, I agree about the possible security flaw (and have fixed it in the latest version of WordPress). More or less, I’m not a hacker, so I can’t tell if it’s really a security flaw and if someone can make use of it, since first, AJAX calls across domains are very limited in terms of usability, and second, the person who may control the plugin and the admin panel, if not yourself, must be someone you totally trust.

What made me feel weird are:

1. He seems to be thinking that all I (and some other plugin developers) have been doing is forking his code. This is not so correct To me, the code I was forking, if any, came from another plugin called ShareThis. Actually, this is the plugin I was learning from when I developed Digg This O’ Mine, and can be seen as my WordPress plugin tutor. Other than this, except for the concept that I learned from Smashing Magazine, I built my Referrer Detector from the scratch, as you can see if you take a look into the source code (of both RD and WPGB).
2. He’s upset just because “Referrer Detector got the word out much quicker than WP Greet Box”. If it’s something really matters, then my answer will be “Digg”. I posted a story about RD onto Digg, that’s why it gets known rather quickly. Moreover, the more people get to know RD, the more they’re announced about WPGB, since on my official plugin entry and here again, I give all the initial concept credits to Thaya Kareeson. If his plugin is better, it will simply be used more widely. So why he got upset, I honestly don’t get.
3. Seems like from his upset, he called other developers who share the same concept with him “kiddie coders”. Of course he is a great developer, as anyone can see from the concept and the way he’s writing code. But just because he’s great doesn’t mean others are bad, yes? And correct me if I’m wrong, isn’t writing various softwares with the same concept and purposes something we see everyday in this open source world? If not, then why so much Linux distributions?
4. The “dark side”

So, as a conclusion, the concept credits go to Thaya, and I’m sorry if what I do is causing him some inconvenience. And let’s face it, everyone has his choice, so if my plugin doesn’t work for you for any reason, I always recommend WP Gree[a]t Box.

P/S: Have you noticed yet? Referrer Detector 2.1.1 which includes the security flaw fix is out!

For, the most significant change compared to previous versions is the admin (aka Options) panel. With the help of the great jQuery UI library, all the options are now divided into much much clearer tabs!

Then, from the suggestion of iTalal, I’ve added an option to specify a list of “excluded” URLs. If the user is coming from one of these URLs, the greeting box won’t be shown. This comes handy with, for an example, Google Reader. Please note that the URLs should come in a separated list, each following the same rule with the entry URL – no “http://www” prefix.

The next visible change is, now it’s 100% AJAXed – well, it was not with the Generic Options, but now even that conservative old guy is convinced by the AJAX power Now you won’t need to reload the page – ever!

Then, we have some more improvements under the hood:

• As Study Babes suggested, there should be an option to display the welcome message in the theme itself. Well, not until now – now you can place this template tag somewhere in the theme files (most likely index.php):

  <?php if (function_exists('referrer_detector')) referrer_detector(); ?>

  In case you ever wonder, there is at most one greeting box each page. With that said, this template tag has the highest priority, when the lower goes to the “Automatically add to every post blah” settings, and the least is for the custom tag {referrer-detector} if any in the post.

  There is one drawback with the template tag though. Since in such a case, the greeting box is shown in a page with many different posts at once, the tags such as {author} and {categories} become ambiguous. So, please keep in mind that if you use template tag, only the most common {title} and {url} are available.

• Some of the javascript files are now packed to save some bandwidth and loading time.

That’s all! And is it redundant to add that you can, as usual, grab it at the WordPress Codex?

But, here is another proof to prove that 3 days is such a long long time: I’ve managed to release 4 versions of Referrer Detector! Huh, shocked? Here you go:

1.0 – Initial version

1.0.1

A quick fix for caching problem (if cache is enabled and the first user has no referrer, the plugin will fail). This serious bug is found by me.

1.1

Better support to work with cache plugins. Now the generic options take effect without the need to delete the cache. The reason behind this is now all options are saved into the file data.js, and this file is executed every time a page is loaded, regardless of your blog has a cache enabled or not.

And today, version 1.2 is released! Basically this version just includes several important fixes and improvements, but I decided to change the minor number to make that look somehow more important . Here is the changes:

• Fixed the bug when multiple greet boxes are stupidly shown if the page is filled with multiple full posts (such as homepage). This is a serious bug that was found by Kelson (thanks, Kelson!). I decided that in such a case, no greet box should be shown.
• Fixed the bug in the initial SQL data where the default RSS feed url is set to mine. It’s so embarrassed to confess that with the old versions, upon installing all the RSS links in the entry would point to *my* FeedBurner url. This was my problem – I forgot to change the RSS link when publishing the plugin to WordPress Codex.
• Fixed the javascript error when the page has no referrer.
• Update the installation and FAQ section.
• And some little stuffs…

If you’ve installed my plugin, you should have been announced about this version in the Plugins panel. Or you can always grab the latest version here.

Update: I’ve managed to complete version 2.0 which I’m going to blog about tomorrow. Stay tuned!