Latest blog posts
A few days ago, a YouTube video was passed around a few Slack teams I’m a member of showing a proof of concept of an unauthenticated remote code execution vulnerability in WordPress core (in other words, a way for people to execute arbitrary code on your server, which is obviously bad). The video, posted by Dawid Golunski of Legal Hackers, purported that the vulnerability was exploited against a clean installation of WordPress with no plugins and only the default configuration.
This morning, Dawid’s new site, ExploitBox, posted details about the vulnerability. In short, by spoofing a request’s “Host” header, it’s possible to trick WordPress into sending a password reset email with a return path pointing to a domain you control.
The author goes on to hypothesize that if an attacker were to first overload the target’s inbox with large messages (effectively filling it to the point that it couldn’t hold more messages), this would cause the mail host to “bounce” (reject) the message, returning it to the sender (the attacker). Assuming the returned email contained the body of the original message, the attacker now has the link that will allow them to change the user’s password.
Though it was only a few short months ago that I left my Lead Web Engineer position at 10up to join Growella as their Director of Technology, today is my last day in that position. It’s not a decision I’ve arrived at lightly, but it’s a move that I feel is necessary for my career satisfaction.
I’m extraordinarily proud of what I’ve accomplished in my few months at Growella; our small team was able to take the site from concept to release in less than two months, rolling out the “Prime” release on January 17. I pitched, built, and have been writing weekly on the Engineering @ Growella blog, a place to discuss how we approach engineering challenges at Growella. Growella’s GitHub organization has a number of open-source contributions to its name, including several WordPress plugins, a WP-CLI package, and several contributions to other open-source projects.
I’ve read plenty of tutorials on making your own cold-brew coffee in a French Press before (Home Grounds has a great guide), but it wasn’t until today that I realized just how easy (and tasty) it can be!
My good friend Matthew Haynes, Head Roaster at Inland Seas Coffee, has a beautiful glass cold-brew maker that serves double-duty as a brewer and an art piece, but there are also plenty of more economical choices for the home cold-brewer, like the popular Toddy system.
Did you know that you can easily make great tasting cold-brew coffee at home with items you likely already have lying around? I’ll show you a few ways you can be drinking great cold-brew coffee by tomorrow morning!
If you recall, I launched the Engineering @ Growella blog at the beginning of 2017. Since then, I’ve been publishing at least once a week on that blog, but this site has been neglected as a result, which is unfortunate.
I’m very proud of the content that’s being published on the Engineering @ Growella blog, however, so I thought I’d take a moment to highlight some of the better pieces from the last two months.
It’s been several months in the works, but I’m thrilled to announce that my latest WordPress plugin, Schemify, is now available on WordPress.org!
Schemify is designed to automatically generate Schema.org-compliant structured data for WordPress, with full customization capabilities through actions and filters. With Schemify, you can rest assured that Google, Bing, and other search engines see your posts as articles, pages as webpages, and ensure that your authors get the credit they deserve.
Best of all? Schemify is able to inject structured data into your site without you having to change your markup!
As you may be aware, I joined a Cincinnati-based startup, Growella, as their Director of Technology in mid-November. Since joining, I’ve been hard at work building our site (which is slated to launch within the next few weeks), building our hosting infrastructure, and generally being the point-person for all things technological at the company.
I’m already learning a lot in my new role, and I wanted an outlet to be able to share those things. I’m also very fortunate that the rest of the company embraces open source software, so I wanted a place (besides this blog) to share what Growella has been working on, the problems we’ve been solving, and any releases of new software.
With all of that in mind, I’m proud to announce that about an hour ago we launched the Engineering @ Growella blog.
If you haven’t run into them before, WordPress Must-Use (MU) plugins can be a great way to say “no, seriously, my WordPress site needs this plugin in order to function”. Other times, MU plugins may be used to activate required functionality that site maintainers don’t want the site editorial team to have to worry about (for example, caching plugins like Batcache).
There are a lot of things that can be done with MU plugins, but there’s one major limitation right out of the gate: WordPress MU plugins cannot run in sub-directories.
If you haven’t had the chance to work with it before, Gravity Forms is pretty fantastic. I was first turned onto it a few years ago while I was at Buckeye Interactive, where it was a mainstay across most of our client sites. Besides presenting an easy-to-manage interface for building forms, the plugin also makes good use of the WordPress Plugin API (thus making my life way easier) and has a vibrant ecosystem of official and unofficial add-ons.
One area where Gravity Forms could stand to improve, however, is making it easier to identify fields. Let’s say, for example, we have a form where we’re collecting a name and an email address; outside of assuming that the regular text field is the name and the
input[type="email"] is the email address, Gravity Forms doesn’t really have a straight-forward way to identify fields when you’re doing extra work with submissions (like sending them to a newsletter or a CRM system).
In my new role as Director of Technology at Growella, one of the first things I needed to figure out was how we could reliably map Gravity Forms submissions into third-party tools.
Just over two years ago, I joined 10up as a Senior Web Engineer. I was looking for an opportunity to stretch my skills on bigger clients with a larger team, and I’m extremely proud of what I’ve accomplished over the last 24 months. I’ve moved around a few different positions in the company, and been afforded the chance to travel to places like Boulder, San Diego, Atlanta, and Manhattan, all while working with a tremendously-talented team of engineers.
For all these reasons and more, it saddens me to announce that today is my last day with 10up. Beginning Monday, I’ll be joining the team at a young company, Growella, as the Director of Technology. While it’s a big change for me, Growella also represents a tremendous opportunity for me to build a company from the ground up, developing not only software but a team of talented engineers.
I wanted to take a quick moment to share a pattern I stumbled upon last week while building something for a client: this particular client runs a large, multisite WordPress network and often needs to be able to provision new sites quickly. In this case, we recently built an new theme designed to handle press sites for live events (photos, transcripts, live streams, etc.), and while I could automate a lot of the setup process (there’s literally a one-click “set all of the defaults for me” button on the dashboard), provisioning the new site still means creating the site as a Network Admin, assigning the theme, and clicking that button.
It’s good, but we can do better.