The obvious and painless solution is to upload the files directly to the server using FTP and then control the blog from within wp-admin. In this case, though I knew the simple solution, I wanted to get to the root of the problem. It turns out that weird permission issues with IIS and WordPress and in some extreme cases such as mine, can be solved with simple but somewhat hidden features to get the desired results.

A Google search revealed that adding a few lines of code to the end of your wp-config.php can solve most issues. As from Firdouss.com guide, try this solution first. Open up your production wp-config.php, find the end of the file and add the following lines at the end. Then save the file, upload to your server and try the process again.

if(is_admin()) {
	add_filter('filesystem_method', create_function('$a', 'return "direct";' ));
	define( 'FS_CHMOD_DIR', 0751 );
}

If that does not solve your problem, you can use WordPress constants to solve your problem. It turns out (thanks to a comment on the Firdouss.com guide) that there are a host of constants that can be added to wp-config that can fix broken upload and install/upgrade problems among other things. That link to the Codex contains a detailed explanation of the constants and what they should be set to. Please refer to that link since it will continue to be updated. In my case, I had to add the following to the end of my wp-config.php file. I could also have modified the above code to return ftpext instead.

define('FS_METHOD', 'ftpext');

Now in my case, there were other permission issues that had to be resolved. Our Plesk install had a borked permission system and in order for uploads to be deleted after they are unzipped and copied (WP need to switch to a move), I had to also CHMOD the files. So I ended up with the following code at the end of wp-config.

if(is_admin()) {
	add_filter('filesystem_method', create_function('$a', 'return "ftpext";' ));
	define( 'FS_CHMOD_DIR', 0755 );
}

Now the uploads/upgrades/installs work fine. YMMV.

As for the weird installation issue, it turns out that when I uploaded the WordPress install files on the server and visited the URI, I got redirected to the following along with a white screen of death with no errors.

http://example.com/index.php/wp-admin/install.php

I needed to change that URI manually to the following for the install to continue. That was all.

http://example.com/wp-admin/install.php

Do you have any other suggestions? Are there any tricks that have helped you get similar issues resolved?

CloudFlare is a free(mium) service that was recommended to me by our own James. He had heard about it in conversations with some folks over dinner and wanted us to try it out. While this blog has gotten loaded over the years with JavaScript from various sources and code cruft of years, it has also gotten quite slow as a result. It is not the server (though Spam storms never help) and MySql running on the same server does not help. I had added caching thanks to WP Super Cache and had tweaked most of the settings to be tolerable on the server. I had even tried a CDN at one point but backed out because it turned out to be such a touchy beast.

The free CloudFlare product, which is what we use on here, is substantial enough to depend upon and is easy to set up. I might upgrade to their paid version once I am more comfortable with the results and have let it bake for a month or two. Signup was easy and it really took just under a few minutes to setup this blog. We have been running it for about three days now, with positive results and zero downtime. Let us go over some the details.

It takes just a few minutes to add your site to CloudFlare.com. Add it in, watch a video while it figures out all the details of your DNS, and then turn around and make the name server changes it asks you to make. There are instructions included on the page and it tries to help you make the best choices. It is worth noting that only self hosted WordPress blogs are capable of using CloudFlare. Since the actual change needs to happen at the registrar and name server level, TTL reduction will not help propagate it faster. While Go Daddy seemed to push the changes through quickly for us, it can take up to 48 hours for everything to work properly.

CloudFlare.com

Once the name server changes are made, you just sit back and watch. The free service from CloudFlare performs a bunch of automated magic, including using location aware technology to redirect your visitors to the right cache of your content. I know that the content is still live and interactive, but the seamless nature of the change makes this so easy and attractive. It speeds up your site using a variety of caching technologies and a CDN, including automatically minifying your scripts, reducing extra items in your HTML. It eventually reduces the amount of bandwidth you consume on your server and the number of requests actually hitting your server.

• It works with static and dynamic content. Direct access is no sweat since a subdomain is created that goes directly to your site! For all of you using virtual hosts, let me calm your fears. CloudFlare works fine with virtual hosts.
• It is always online, even buffeting traffic surges and reducing downtimes. (I have a concern about this. I turned off the MySql server by mistake and the blog displayed a DB error. I assume that if my server is down due to spam storm, the same thing will happen. I will have to investigate that.)
• Reduces slowdown effect of third party tools and scripts such as FaceBook, Google AdSense or Analytics and Twitter. We have a lot of those!
• Protects against network threats such as spammers, uses previously reported information for protection. This is fantastic, if it works.
• Provides visitor analytics that are better than those based on JavaScript. I see a huge difference between thee results and those provided by StatCounter.
• Provides a host of other third party plugins that can easily be installed. I use a couple of them.

Some recommendations for WordPress users:

• There is a WordPress Plugin, use it to be safe. http://wordpress.org/extend/plugins/cloudflare/ Once it is installed, there is a setup page (which is not linked from the plugin page, fix?) that asks you to put in an API key and then lets you optimize your database.
• Continue to use Akismet and any other Caching plugin you have. Instructions are everywhere. Be sure to mark spammers etc. All of it helps the ecosystem.
• Be patient. In my case, the changes were up within an hour. It might take longer for you.
• If all else fails, switch your name servers back and ask for help.

Maybe you want to know what goes into that, or how you can get involved. If you do, this presentation from WordCamp Montreal 2011, featuring Paolo Belcastro and Zé Fontainhas, offers a great peak into a world of WordPress that you may have never experienced or even expected.

Go to the Settings section of your Dashboard and change the two URLs there to the location that you want to move WordPress to. Don’t panic, this will effectively kill your blog until you move all of the WordPress files to their new location.

You may need to re-generate your permalinks at Settings/Permalinks in your Dashboard.

Once that’s done, see our handy guide for changing links and images after a move.

Moving a WordPress installation is not too much of a complicated procedure, but feel free to contact the WordPress Support Forums if you run into trouble.

First of all, do you really need open registration? If not, uncheck “Anyone can register” from the Settings area of your Dashboard.

So, what if you need open registration? First, stop the bad bots from even visiting your blog with Bad Behavior.

Now, you could certainly use a CAPTCHA on your registration form, but I wouldn’t bother with that. Several CAPTCHA have been broken by a simple program, and they just aren’t accessible. Instead, use Ban Hammer, which compares registration email addresses with your comment blacklist (just add them if you notice a trend) and the collective blacklist at Stop Forum Spam.

Like comment spam, registration spam will be a constant battle, but Bad Behavior and Ban Hammer should at least make it easier on you.

By far, the most popular audio plugin is WordPress Audio Player. Video plugins are significantly less popular, probably because video files take up so much space and bandwidth, and it’s so easy to embed videos from external providers.

When embedding audio and video, I prefer to use the Degradable HTML5 Audio and Video Plugin. Sure, it may require some file conversion, but it’s a great way to embed both audio and video files that use the browser’s native (non-Flash) player while also providing the option of a Flash-based player for browsers that don’t support HTML5 embeds.

If you’d rather embed videos from an external provider, it’s easy to do (as mentioned above), but Viper’s Video Quicktags providers a few additional features and customizations, plus it uses XHTML-valid embeds, which most external providers tend to avoid for some strange reason.

Embedding audio and especially video opens your blog to a whole new world of content. Give it a try, you may enjoy it.

The first thing to do is to confirm the existence of a malware infection by running the Exploit Scanner plugin. Once you have confirmed the existence of malware, refer to this handy Codex guide. Why simply link to the guide? Because this handy guide is updated by WordPress’ volunteer community to present the latest tips and tricks to clearing the latest malware infections from your blog.

Of course, the best way to prevent a malware disaster is to regularly backup your database and files, but WordPress’ volunteer community has also compiled a list of recommended security measures.

This is the fourth entry in our hopefully long-running WordPress FAQ series. What did you think, and what questions would you like us to answer next?

Long-time support forum volunteer, Ipstenu, has done all the thinking for you and has clearly laid out the inner-workings of the automated upgrade process.

It’s a quick read, and you might leave with a new respect for the automated upgrade system, and a new understand for why you should create a child theme if you want to modify your own theme.

Trend spotting: WordPress Centric Hosting – Over the past two years, a new form of web hosting has cropped up that tries to bridge the gap between all the safety nets WordPress.com offers with the freedom to do whatever you want via the self installed version of WordPress. Examples of these types of companies include Page.ly and WPEngine. I’ve noticed more and more of these types of companies starting to open shop while at the same time, long time players in the web hosting industry are starting to create WordPress centric packages. One thing you need to keep in mind is that a WordPress centric host does not make them better than all of the other options.

How Up To Date Are Their Servers? – During the early part of 2010, there were a number of instances where large, well-known web hosting companies became victims to exploits and attacks thanks to outdated software in use on their servers. Before becoming a customer, ask the web host in question what versions they are using for php, MySQL, phpMyAdmin, etc. A good web host will generally always be using the most recent stable version of software.

Reputation Check – Type into Google the name of the web host you’re interested in followed by the word sucks. You should quickly noticed that every web host sucks. What you should really be paying attention to is not only the severity and amount of problems that users report, but how the company responded to those problems. Every web host is going to encounter its share of problems but it’s how they handle those problems that makes a big difference. An excellent resource for all things web hosting that has been in existence for years is WebHostingTalk.com. If you’re interested in hardware, software, all things related to what it takes to make a web hosting company run, that forum will make your mind explode with detailed discussions.

Human Recommendation – If you start a thread on the WordPress Support forum asking for advice on which web hosting company to go with, chances are you’ll get 3-5 different company names as recommendations. If one of these companies interest you, be sure to ask around to get personal experiences from folks, especially as they relate to customer service and up time. However, similar to the Google Research conundrum, it could turn out that all of your friends have had success with a particular company and you turn out to be the bad apple with a bad experience.

Check And Double Check Policies – It’s imperative that you read the Terms Of Service and Acceptable Use Policies for the host you’re interested in using. While many hosting companies advertise unlimited everything, you’ll find out by looking in the small print within their AUP that if your site goes overboard with CPU, space, or bandwidth resources, you’ll be cut off. Unlimited is a great marketing technique but there are always limitations so take the term unlimited with a grain of salt.

DoS And DDoS Attacks – I found this out the hard way early in 2010 when my own web site, WPTavern.com was hit with a denial of service attack. When I contacted support for AnHosting, they basically told me that I must figured out a way to stop the attacks because after the site gets suspended three times in a row for using too many resources, they would remove my site along with my account. Needless to say, this infuriated me as I’ve been a loyal customer for over two years and they failed to work with me to find a cause along with a resolution. DoS attacks are a common thing these days so please make sure that whatever web host you’re interested in using has a firewall or some type of preventive measures in place to help out instead of abandoning the customer as my previous host did.

Support – Probably one of the most important aspects of choosing a web host is their support system. Look for companies that offer a variety of support solutions such as forums, ticket system, email, and a phone number. I’d choose a web host that has 24/7 support versus week days only. Extra points to those web hosting companies that don’t outsource their support to countries/companies that don’t speak English very well.

Redundancy – If the companies website and services go down, do they have a fail-over system in place? Is your data mirrored to that fail-over system? Does it have the same security precautions as their first system? This is not overly important as their are a number of options available specifically for WordPress users to create redundancy of their data.

Communication – This is one area in which I see web hosting companies screwing up the most. You’d figure that by now, they would understand that communication with their customers is paramount but most of them still don’t get it. Ask the web host you’re interested in whether or not you’ll be contacted if maintenance is required on the box your site resides on. Also ask where all such service interruptions and other announcements will be published. Nothing like publishing a post in WordPress only to hit the button and see a site not found error.

Payment Options – Make sure you understand any money back guarantee that is offered. I recommend staying away from purchasing web hosting for more than one year at a time unless the money back guarantee specifically states that refunds can be pro-rated. Preferably at 1, 3, or 6 month periods at the most. This way, you’re not locked into a specific host. You’ll regret it when you’re halfway through your contract and the web host experiences severe technical difficulties that last a week or more but you can’t move to a new web host because you’ll lose money from not fulfilling the other half of the contract. It may seem like you’ll save tons of money by purchasing 3-5 years worth of hosting, but realize this is a very high risk you’d be taking.

SSH And SFTP – SSH stands for Secure Shell. It’s a Unix-based command interface and protocol for securely getting access to a remote computer. It is widely used by network administrators to control Web and other kinds of servers remotely. SSH is actually a suite of three utilities – slogin, ssh, and scp – that are secure versions of the earlier UNIX utilities, rlogin, rsh, and rcp. SSH commands are encrypted and secure in several ways. Both ends of the client/server connection are authenticated using a digital certificate, and passwords are protected by being encrypted.

SFTP on the other hand is the secure version of the FTP protocol. SFTP, or secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. It is functionally similar to FTP, but because it uses a different protocol, you can’t use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.

Sandboxing – Probably the most important question you can ask to a shared hosting company is how they secure/sandbox the user account space. By default *nix systems don’t protect user home directories. Also, how do they secure/sandbox the php processes. By default, php has to run with apache privileges and any code that runs on the server, regardless of user, runs in the same security context. Sandboxing the PHP code to a specific user account is important on a shared host so that user1 can’t write some code that hijacks user2?s site.

Conclusion:

While this isn’t the all encompassing guide to choosing a great web host to put your WordPress powered web site on, it does provide food for thought. This is just a short list of things to consider but in reality, having a great experience with a webhosting company is almost like winning the lottery because it’s so rare. In my experience with WPTavern.com, I experienced 2 great years with my previous host and then it turned into a nightmare in just a matter of two weeks forcing me to move. In fact, I moved twice in one week due to the problems I was having with migrating my site. Ultimately, it comes down to gathering as much information as possible in order to make an informed decision as to whether a particular webhost is right for you. Price should not be the only determining factor for hosting your site, especially if you plan on taking things seriously.

Yes, this will only work in Google Chrome if you have the Voice Search extension or if you’re using the latest development version, but with most computers shipping with built-in microphones these days, Voice Search certainly makes searching easy, and it’s a great way to impress your friends.

Most WordPress users can easily find and install plugins from the official directory via Plugins -> Add New in their Dashboard, but some may need to complete a manual installation. To install a plugin manually, download it and then use an FTP or SFTP client to upload the decompressed archive to your blog’s /wp-content/plugins/ directory. Once the plugin has been uploaded, you should be able to activate it from the Plugins section of your Dashboard. If it isn’t appearing, the plugin may have additional installation instructions.

Plugins are not free from the dangers of malware, and can sometimes be far more dangerous than themes. Unfortunately, the plugin directory does not have a volunteer review staff like the theme directory does, so users need to be extra careful. Always check a new plugin’s tagged support topics before installing it and run the Exploit Scanner plugin before activating it. If it finds any results for the plugin files in the “Level Severe” category, just delete the plugin and find another. If you are ever uncomfortable with any of the results from the Exploit Scanner plugin, delete the plugin and find another.

Plugin malware is a serious issue. By simply installing and activating a plugin, you could instantly lose all of your data, subjecting your visitors to invasive scripts, or leaving your blog open to malicious attack.

To be safe, always run the Exploit Scanner plugin before activating a new plugin.

This is the third entry in our hopefully long-running WordPress FAQ series. What did you think, and what questions would you like us to answer next?

Oh great, now every plugin will put a menu in the admin bar, Next stop: a plugin preventing others from cluttering the admin bar.

While it’s pretty funny to think about the admin bar containing menus for all sorts of different plugins, it’s a potential problem that users may have to deal with in the future. Hopefully, plugin authors are diligent with not adding a menu to their options page as part of the default package of a plugin. For certain plugins, the idea works well but not for all of them.

So while this is a neat little tutorial on how to add menus to the admin bar, are you worried that plugin developers may take this too far?

Without a doubt, the best place to find free WordPress themes is the official WordPress Theme Directory. Themes can be submitted to the directory by almost any author, but the themes are thoroughly checked for quality and safety by a team of dedicated volunteers. With over 1,200 free themes and a handy tag filter interface, you’d have a hard time not finding the perfect theme for your blog.

There are certainly other places to find free themes, like Theme Lab, but how can you be sure that the theme you downloaded is safe? If you plan to download themes from anywhere but the official WordPress Theme Directory, you should install both the Exploit Scanner and Theme-Check plugins.

Run the Exploit Scanner plugin immediately after installing the theme. If it finds any results for the theme files in the “Level Severe” category, just delete the theme and find another. If the Exploit Scanner gives it a pass, activate the theme and run the Theme-Check plugin. If the Theme-Check plugin gives the theme a pass, you should be good to go.

If you are ever uncomfortable with any of the results from the Exploit Scanner or Theme-Checker plugins, delete the theme and find another.

It’s generally safe to download and install a free theme from the actual developer’s site, but you should still run both plugins just to be sure.

Theme malware is a serious issue. By installing a free theme from any source except the official WordPress Theme Directory, you could be unknowingly running spam ads, subjecting your visitors to invasive scripts, or leaving your blog open to malicious attack.

To be safe, make sure that you either get your free themes from the official WordPress Theme Directory or at least run the Exploit Scanner and Theme-Check plugins.

This is the second entry in our hopefully long-running WordPress FAQ series. What did you think, and what questions would you like us to answer next?

Even though you may have changed your main URL during the move process, your internal links and images will remain unchanged, leaving images broken and internal links pointing toward the old domain or directory. Sure, you could manually edit every single post or page, but there are other ways.

The easy way is to use a plugin called Velvet Blues Update URLs. It’s a very simply plugin. You just enter your old URL, then enter your new URL, and this plugin take cares of the rest. I know, it almost seems too easy, but in this case it really is just that easy. Of course, if you want to make it a little bit more difficult, we sure can.

What if Velvet Blues Update URLs disappears and you’re left to fend for yourself? You can use the Search and Replace plugin to search for your complete old URL and replace it with your new URL. A note on searching for the complete URL, don’t take shortcuts. If you moved from maindomain.com/blog/ to maindomain.com, do not simply search for and replace all instances of /blog. This will all affect all instances of /blog, including links to other sites and blogs that may have /blog in the URL. Instead, search for maindomain.com/blog/ in its entirety and replace it with maindomain.com.

What if you can’t use plugins? What if you have an illogical need to do everything the hard way? Well, we haven’t forgotten about you. There’s a hard way to do just about anything. Simply backup your database and open the .sql file in a plain text editor. As above, search for and replace all instances of the complete old URL with the new URL. The same warning about shortcuts applies here as well. Once you’re done, save the file and restore your database.

As always, if you run into any problems, the volunteers in the WordPress Support Forums will be more than happy to help.

This is the first entry in our hopefully long-running WordPress FAQ series. What did you think, and what questions would you like us to answer next?

Hovercards have already been enabled throughout WordPress.com and WordPress.org, and there is an official plugin in the works, but what if you can’t wait for the official plugin to add Hovercards to your WordPress blog?

If your theme has a functions.php file, just add the following line within the file:

wp_enqueue_script( 'gprofiles', 'http://s.gravatar.com/js/gprofiles.js', array( 'jquery' ), 'e', true );

If your theme doesn’t have a functions.php file, or you’d rather not mess with it, use a plain text editor to create a file called hovercards.php with the following content, then use an FTP or SFTP client to upload it to the /wp-content/plugins/ directory, and activate it via the Plugins section of the admin panel.

<?php
/*
Plugin Name: Hovercards
*/
wp_enqueue_script( 'gprofiles', 'http://s.gravatar.com/js/gprofiles.js', array( 'jquery' ), 'e', true );
?>

Credit for the above code goes entirely to Otto and Alex. It is not official and not supported, so you should probably switch over to Gravatar’s official plugin when it’s released, but at least this will hold you over until then.

What do you think of the new Hovercard feature? Will you be adding it to your blog?

Update: The code listed above, while leaner, enables Hovercards everywhere (including the admin panel), which may not be a desired outcome for some users. If you find this to be a tad bit annoying, Otto’s code properly displays Hovercards on the blog side only.