So, just what is this Automattic Theme Team anyway? In a nutshell, we’re a bunch of people who really care about WordPress Themes and want to see them get better and better on WordPress.com and for every WordPress.org user. And this is our blog.
You’ll be hearing more from us individually in the coming weeks but I thought, to get started, it’d be a good idea to share a few of the team goals we’ve been discussing. Just some rough thoughts really. But I’m hoping that by sharing them here you can get a better idea of what we’re up to—and get as excited as I am about it all.
- Every WordPress.com user should feel like there’s a theme that fits them perfectly, that is exactly how they want to present themselves to the world, that they’re excited to show to their friends.
- We want everyone to feel a sense of momentum and ever-increasing possibilities, and to do so we will present as many perfect-fit WordPress themes to as many WordPress.com users as we can.
- We will ensure all of our public work represents the best in coding practices, web standards, and technical excellence.
- We will craft all of our themes to have a consistent user experience and meet our users’ expectations and hopes.
- We will teach WordPress developers to become the best theme developers in the world. If you’re a WordPress theme developer—commercial or 100% free—we want to help you be the best.
- We will ensure all our improvements make it back to the open source community.
I love the idea of meeting the “expectations and hopes” of WordPress users by delivering to them the best in WordPress themes. Pretty, painless, perfect-fit ones that just plain work.
So, the Automattic Theme Team. We’re WordPress themers developing for the millions of users on WordPress.com who want to give back as much as possible to the WordPress theme community at large.
Let’s be awesome together.
Today marks the first day of my employment as a Theme Wrangler with Automattic and it feels great. I’m more than excited to finally let you know what I’ve been up to for the last little bit.
What can I say besides awesome, awesome, awesome? The enormous opportunity for learning and improvement; all the super-talented, friendly people; the chance to work on so many really, really cool projects—it’s almost unbelievable. This is a dream job for me.
So, yes, really excited. To say the least. And I don’t want to say too much right now so I’m going to keep this short. Though I imagine you have one very big question you’d like me to get to.
In case you didn’t hear, ThemeShaper was hacked. You know what? It really sucks. I’ve got two tips and a plugin recommendation that I want to pass on to you so the same stupid thing doesn’t happen to your WordPress install. And these aren’t even my ideas! These are time-tested and tried things that just plain work.
After that comes a list of some further plugins and resources that’ll help harden up your WordPress install and keep hackers at bay. So read on.
Do a Fresh Install of WordPress, Plugins, & Themes
Do a fresh install of WordPress, your plugins, and themes. That means deleting a whole whack of WordPress files just like you were doing an upgrade. And deleting and re-installing ALL your themes and plugins. If you’ve done ANY customization to any one of these files, go through them line by line or restore a local version that never made it to your web server. And while you’re at it, start keeping local copies of your edited themes and plugins that have never made it to your web server.
You’re doing this to help make sure your current setup isn’t already compromised.
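One way to see what a fresh install would actually replace, as an added example that is not part of the original post: compare the live site's files against a freshly unpacked copy by SHA-256 and list anything extra, changed or missing, plus how many bytes each top-level directory has gained. The directory names and sample files are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map each file path (relative to root) to (sha256 hex digest, size)."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = (hashlib.sha256(data).hexdigest(), len(data))
    return out

def compare_install(clean_root, live_root):
    """Report files that are extra, changed or missing on the live site."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    growth = {}  # net bytes gained per top-level directory, e.g. wp-includes
    for tree, sign in ((live, 1), (clean, -1)):
        for path, (_digest, size) in tree.items():
            top = path.split("/")[0]
            growth[top] = growth.get(top, 0) + sign * size
    return {"extra": sorted(set(live) - set(clean)),
            "missing": sorted(set(clean) - set(live)),
            "changed": sorted(p for p in clean
                              if p in live and clean[p][0] != live[p][0]),
            "growth": {d: n for d, n in growth.items() if n}}

def build_demo_trees(base):
    """Constructed sample data: a clean tree and a live copy with one added and one edited file."""
    files = {"wp-includes/version.php": b"<?php // core file\n",
             "wp-content/themes/demo/functions.php": b"<?php // theme\n"}
    for root in ("clean", "live"):
        for rel, body in files.items():
            path = os.path.join(base, root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
    live = os.path.join(base, "live")
    with open(os.path.join(live, "wp-includes", "unexpected.php"), "wb") as fh:
        fh.write(b"<?php // not in the official package\n")
    with open(os.path.join(live, "wp-content/themes/demo/functions.php"), "ab") as fh:
        fh.write(b"// appended line\n")
    return os.path.join(base, "clean"), live

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_install(*build_demo_trees(tmp)))
```

On a real site, expect `wp-config.php` and your uploads to show up as extra; anything else in the extra or changed lists deserves a line-by-line look before you delete and reinstall.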
Hardening WordPress with htaccess
The Blog Security blog has a great article on how to lock out anyone trying to mess with your WordPress files using htaccess. It’s dead simple to do and requires only cut-paste skills and FTP access to your server, and a quick trip to What’s My IP. Anyone can do it. Check it out now and harden your blog.
The Update Notifier Plugin
The single biggest exploitable entry point on any WordPress install is going to be outdated versions of WordPress, themes and plugins. If you don’t know how extreme this can get check out this comment from one of my readers.
I remember when something similar happened to me. Fortunately I managed to find someone willing to help who knew quite a bit more about WordPress than me. The breach was traced to a caching plugin that was out of date by about a week.
The Update Notifier Plugin helps solve this problem by checking the official repository on a regular schedule and sending you an email when it’s time to upgrade.
Further Security Resources and Plugins
Update: I’ve done a mass hardening (that sounds gross) on everything here at the ThemeShaper ranch and it looks like we’re cool now. Let’s hope things stay that way. Hey!—at least I learned something about WordPress security, right?
I’m not sure when but some time ago ThemeShaper.com was hacked. I’m fairly sure it wasn’t a random sort of script-based bot attack but targeted directly at this site. I know this because the idiot that did this uploaded a hacked version of Thematic to a downloads folder on my site and altered the links on the Thematic landing page to point to it. Crap.
You’ll know you have a hacked version if you’ve got an sv_ss.php file in
If you’ve recently downloaded Thematic or are worried at all, there’s a simple fix. Download Thematic again from the WordPress.org Themes directory and thank God there’s a free central repository for these sorts of things.
Again, crap. And my apologies. I like making ‘the WordPress news’ but not for something like this. But I would like to assure you this is not a hack resulting from anything wrong with Thematic. Just one of those things that tends to happen to popular WordPress-based sites. It could happen to anyone.
I just wish it didn’t happen to me. Or you guys.
Now, as for the hack. I don’t know how it happened. It’s been suggested to me that it came through a weak plugin. I usually keep everything up to date here on ThemeShaper so, well, I don’t know. We’ll see, I guess. I do know that last night I discovered my wp-includes directories were 2 megabytes larger than they should be. I deleted them and replaced them. Here’s hoping that put an end to this.
If it doesn’t, and my site disappears suddenly, well, crap, it didn’t work.
Hey, at least the front page isn’t ThemeShaper recommended hosting right? Right?
Sigh. And it’s my birthday today too. What a day.
I’ve got a new project I’m really excited to share with you. In fact, it’s all about sharing. It’s my new home for all the best WordPress stuff—Plugins, Tutorials, Themes, Good ideas—the stuff I find on my crawls through the WordPress-flavored web. It’s easy to spell and it’s fun to say.
It’s Wpazo. Check it out and then come back here to find out more about it.
ThemeShaper’s been redesigned. If you haven’t seen it yet, or want a tour of the design, click on over from your feed-reader, or empty your browser cache. Let me tell you what all the fuss is about.
The last redesign was a little hasty. It introduced a lot of good things to this site and kept a lot of the bad. And so, for a while now, I’ve been working on a new Thematic Child Theme for ThemeShaper called The Break.
I’m looking for co-maintainers for the Thematic project to help make Thematic one of the best WordPress themes available, free or “premium”. Specifically, I’m looking for motivated people to help with the following:
- Localization: going through the template files and translation files, making sure everything is up to snuff. The future of any successful WordPress theme hinges on universal adoption and I’d like Thematic to be one of the easiest to localize.
- Comments: the in-development latest version of Thematic threads comments like PHP-based Singer but I want to make sure it’s doing it the right way. It needs a once over.
- Bugs: there are still a few bugs in Thematic—one I found this morning is particularly annoying. I’m just a PHP hack. Thematic needs a committed enthusiast who likes squashing things like this.