Projects

pannel

Pannel is a compact and minimal writeboard for tracking projects, featuring a very lightweight implementation of markdown and in-place AJAX editing. Obviously, it is heavily inspired by 37signals' Writeboard.

I wouldn’t consider pannel a finished and polished web app. For starters, its development has spanned 7 years… Yeah, a lot of things have happened in between. 🙂 But I wanted to finish the basics and get it working, to finally push it out the door and move on to something else. Its development has been more of an exercise than an objective-based project.

The main idea was to use in-place editing and to be somewhat RESTful in the calls and the way the app flows. Because it was meant for collaboration, no ownership is enforced or tracked (thus, no privacy either), but I wanted to track versions. There are a lot of AJAX calls everywhere, which were mostly done with jQuery; it was fun porting and rewriting the modules I made 7 years ago in scriptaculous and prototype. And revisiting my PHP code from long ago was tough, but it was a great refresher.

My mini-markdown implementation seems a bit too minimal now, but back then it was actually pretty nifty to have it run in 70 lines of code instead of using some of the behemoth classes or packages available at the time.

I haven’t bothered updating the style or layout; though CSS has come a very long way in these 7 years, it was a little bit beyond my scope for this project.

If you want to have a look at it, pannel’s repo is on github. Play with it if you want and have fun.

Quick fix

WordPress auto-update in hardened installs with wp-cli

WordPress has had its share of security holes, and to be fair the dev community has worked hard to plug them pretty quickly, but until auto-updates were introduced there was still a significant delay before those updates reached the installations. And sometimes that was too late.

Auto-updates are great, but they come with one big caveat: the user that runs PHP has to have write access to the directory where WordPress is installed. To a lot of people (including me) that doesn’t seem like a very good idea. Many users caution against giving a WordPress install any more permissions than are necessary, which normally means that the owner of the files should not be your web server (or PHP, depending on your setup); they only need to read the files and shouldn’t be able to modify anything outside of the uploads folder.

This means goodbye to automatic updates, and we all know that if we have to do something by hand, again and again, there will eventually be a point when we forget, or something else comes up.

I was looking for a solution with two objectives in mind: I wanted it to be fully automatic and I didn’t want to relax the permissions on my server. I found Liz Quilty’s WordPress Upgrade shell Script and I loved that it cleverly scanned for WordPress installs, but it’s conservatively hesitant about installing anything without your consent. With regard to plugins and themes (which are the major source of WordPress vulnerabilities), it only installs them (by shotgun approach: just overwriting all of them) when a core update is triggered.

Then I found wp-cli, an excellent tool to manage wp installs from the command line that diligently checks for updates against the WordPress API and installs them in a much more rationalized manner, including caching downloads. Check their website for install info. I instantly had the happy idea to use Liz’s directory scanning and frankenstein them together:

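#!/bin/bash -e
#
# Core, plugin and theme updater for WordPress
# (C) 2017 Robert Sanchez
#
# Uses wp-cli to update wp installations, their plugins and their themes.
#
# Note: wp-cli refuses to run as root without --allow-root, because it loads
# each site's PHP (plugins and themes included) with root privileges.

# Find all the WP installs (NUL-delimited so paths with spaces survive;
# mapfile -d needs bash 4.4 or newer)
FINDDIR="/var/www/"
mapfile -d '' -t wplist < <(find "${FINDDIR}" -wholename "*wp-includes/version.php" -print0)

# Now let's check each one
for file in "${wplist[@]}" ; do
    # Strip the trailing wp-includes/version.php to get the install root
    wp_root="${file%wp-includes/version.php}"
    # Enter the WordPress folder
    cd "$wp_root"
    wp core update --allow-root
    wp core update-db --allow-root
    wp plugin update --all --allow-root
    wp theme update --all --allow-root
    wp language core update --allow-root
done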

Now this script can be added to a regular cron job and we don’t have to worry about manually updating all our WordPress installs or plugins.

Disclaimer: there are probably a hundred reasons why this is a very bad idea; a broken plugin or theme could break your site, exposing valuable data. Use at your own risk.
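
The hardening rule described above (the web server or PHP account should not be able to modify anything outside the uploads folder) can be checked after each update run. The following is an added example, not part of the original post or of wp-cli; the function name audit_wp_perms, the path /var/www/example and the account name www-data are assumptions used for illustration.

```shell
#!/bin/sh
# Added example: list every path in a WordPress tree, outside
# wp-content/uploads, that the web server/PHP account can modify.
#
# audit_wp_perms <wp_root> <web_user> [web_group]   (hypothetical helper)
#   prints one offending path per line
#   status: 0 = clean, 1 = findings, 2 = usage error
# The body is a subshell ( ... ), so its variables stay local and "exit"
# only sets the function's status.
audit_wp_perms() (
    root="${1%/}"        # drop a trailing slash so -path matches below
    web_user="$2"        # account PHP / the web server runs as (name or uid)
    web_group="${3:-}"   # optional: that account's group (name or gid)
    if [ ! -d "$root" ] || [ -z "$web_user" ]; then
        exit 2
    fi

    # A path is modifiable by the web account if the account owns it, if it
    # is world-writable, or if it is group-writable and in the web group.
    set -- -user "$web_user" -o -perm -0002
    if [ -n "$web_group" ]; then
        set -- "$@" -o '(' -group "$web_group" -perm -0020 ')'
    fi

    # Prune the uploads folder (the one place writes are expected) and skip
    # symlinks, whose own mode bits are not meaningful.
    findings=$(find "$root" -path "$root/wp-content/uploads" -prune -o \
        ! -type l '(' "$@" ')' -print)

    if [ -z "$findings" ]; then
        exit 0
    fi
    printf '%s\n' "$findings"
    exit 1
)

# Stand-alone use, e.g.: ./audit.sh /var/www/example www-data www-data
if [ "$#" -ge 2 ]; then
    audit_wp_perms "$@"
fi
```

Run from the same cron job after the updater, a non-zero status signals that an update or a manual change left core, plugin or theme files modifiable by the web account.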