Local Gravatars Plugin for WordPress

Local Gravatars is a WordPress plugin designed to minimize potential privacy issues around Automattic’s Gravatar service.

The plugin will get your users’ gravatars and host them locally on your website.

Your visitors will get the gravatars directly from your website instead of the gravatar CDN, therefore increasing privacy and performance.

To avoid cluttering the filesystem and to allow refreshing gravatars, the files get flushed on a weekly basis (interval can be modified using a filter).

To avoid performance issues server-side, the download process for gravatars is limited to a maximum of 5 seconds (value can be modified using a filter).

In an interview at WP Tavern, the plugin’s author, Ari Stathopoulos, outlined the sort of risk he’s trying to reduce with the plugin:

“And when I visit a site that uses Gravatar, some information is exposed to the site that serves them — including my IP,” said Stathopoulos. “Even if it’s just for analytics purposes, I don’t think the company should know that page A on site B got 1,000 visitors today with these IPs from these countries. There is absolutely no reason why any company not related to the page I’m actually visiting should have any kind of information about my visit.”

The Local Gravatars plugin must still connect to the Gravatar service. However, the connection is made on the server rather than the client. Stathopoulos explained that the only information exposed in this case is the server’s IP and nothing from the client, which eliminates any potential privacy concerns.
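A minimal Python model of the behaviour described above, added here as an illustration and not the plugin's own code (which is PHP): the server fetches avatars, caches them under local names, flushes them weekly, and stops downloading once a 5-second budget is spent. The class, the paths and the local placeholder fallback are assumptions; the fetcher and clock are constructed stand-ins so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

WEEK = 7 * 24 * 3600   # weekly flush interval, as described on the page
BUDGET = 5.0           # max seconds of downloading per page, as described
PLACEHOLDER = "/avatars/placeholder.png"  # hypothetical local fallback

class LocalAvatarCache:  # model of a server-side avatar cache
    def __init__(self, cache_dir, fetch, clock):
        self.dir = Path(cache_dir)
        self.fetch = fetch    # callable(url) -> bytes, runs on the server
        self.clock = clock    # callable() -> seconds, injectable for tests
        self.last_flush = clock()
        self.spent = 0.0      # download time used for the current page

    def begin_page(self):
        """Reset the download budget; flush the cache once a week has passed."""
        self.spent = 0.0
        if self.clock() - self.last_flush >= WEEK:
            for f in self.dir.glob("*.img"):
                f.unlink()
            self.last_flush = self.clock()

    def local_url(self, remote_url):
        """Return a same-origin URL, downloading the image if budget allows."""
        name = hashlib.sha256(remote_url.encode()).hexdigest()[:32] + ".img"
        path = self.dir / name
        if not path.exists():
            if self.spent >= BUDGET:
                return PLACEHOLDER  # assumption: fall back locally, not remotely
            start = self.clock()
            path.write_bytes(self.fetch(remote_url))
            self.spent += self.clock() - start
        return "/avatars/" + name

def demo():  # constructed run: fake clock and fake fetcher, no network
    now, calls = [0.0], []
    def fetch(url):
        calls.append(url)
        now[0] += 3.0         # each constructed download "takes" 3 seconds
        return b"constructed-image-bytes"
    cache = LocalAvatarCache(tempfile.mkdtemp(), fetch, lambda: now[0])
    cache.begin_page()
    base = "https://www.gravatar.com/avatar/"
    urls = [cache.local_url(base + h) for h in ("a", "b", "c", "a")]
    now[0] += WEEK
    cache.begin_page()        # a week later: cached files are flushed
    cache.local_url(base + "a")
    return urls, calls
```

In the constructed run the third avatar gets the placeholder because two 3-second downloads have already used up the budget, and no URL handed to the visitor ever points at the Gravatar host.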

WordPress WPS Hide Login Plugin

WPS Hide Login is a WordPress plugin that obfuscates the login page for a WordPress install.

It doesn’t literally rename or change files in core, nor does it add rewrite rules. It simply intercepts page requests and works on any WordPress website. The wp-admin directory and wp-login.php page become inaccessible, so you should bookmark or remember the URL. Deactivating this plugin brings your site back exactly to the state it was before.

Honestly, I did this more to stop an annoyance than anything. There are tons of bots out there that try to do credential stuffing and dictionary attacks against even tiny sites like mine.

They’re unlikely to get past my strong password and 2FA, but it was getting annoying to see the constant stream of “user X has been locked out for 4 hours.”

I used WPS Hide Login to set my login page to a random 16-character alphanumeric string that would be essentially impossible to guess.

Inserting Multiple Images Into A WordPress Post Using Gutenberg

One of the frustrating things with WordPress’ Gutenberg block editor is that in some cases it removed a lot of functionality that I had come to take for granted in the old editor.

For example, it is a pain in the ass to add multiple images into a post. With the old editor, you could simply hit the insert image button, select all of the images you wanted from the Media Library, and then you were done.

Gutenberg, however, insists that you add images one at a time–which is absolute hell when I need to insert 70 images into a post.

Anyway, I’m not the only one with this frustration, and Nico Morgan found a workaround which I have been using for a while now to solve this problem.

  1. When you want to insert multiple images, first insert a gallery and select all the images you want included from the Media Library.
  2. Once the gallery is created, switch the block back to an image block.

This will force WordPress Gutenberg to create a separate block for each image, instead of having to go through the mind numbing busy work of adding each image one-by-one.

But FFS, why can’t I just insert multiple image blocks to begin with? (Correct answer: because it wouldn’t be WordPress if it didn’t ignore obvious user interface improvements. If you don’t like it, just install Yet Another Plugin that does the same thing).

Simple Post Notes Plugin for WordPress

Simple Post Notes is a WordPress plugin that adds a Notes section on the post edit screen, where WordPress users can leave comments about a post that are not displayed with the post. The notes are also displayed in a column on the All Posts screen within WordPress.

It doesn’t happen very often, but once in a while I want to leave myself a note about a post, and this is a nice way to do it.


Decline in WordPress Wow Factor? I’d Be Happy for a Duh Factor

WP Tavern has an article–now with dozens of comments–arguing that the wow factor in major WordPress releases is getting few and far between.

Because of WordPress’ maturity and the short development cycle, major features are getting few and far between. By looking at the Beta tab on the WordPress plugin directory, visitors can view projects that may end up in future versions of WordPress. The only project on the page that excites me is the Front-end Editor but based on how long it’s been in development, I’m not holding my breath.

Please excuse me while I throw up in my mouth. The self-hosted version of WordPress is one of the most widely deployed pieces of software on the web, and yet in 2016 users still have to track down a plugin if they want to do something as basic as rate limit logins to prevent brute force password attacks.

At this point, the lack of such a basic feature has to be put down to extremely poor leadership and vision. WordPress is deployed by a lot of novices, and not only should there be a rate-limit feature, but it should be enabled by default.

But hey, what’s minimal security features in a world where the admin UI needs to be redesigned repeatedly or basic features in the editor need to be removed for no good reason?

AMP Plugin for WordPress

Accelerated Mobile Pages (AMP) is an open source initiative that Google is pushing to provide faster-loading content on mobile devices.

For WordPress, Automattic has created an AMP plugin that will render WordPress blog posts in AMP (the plugin does not currently support pages and archives).

The plugin essentially dynamically generates an AMP version of a given blog post as long as the requestor adds /amp/ to the end of the URL. So, for example, https://brian.carnell.com/articles/2016/orcus/ will give the full HTML version of one of my blog posts, while https://brian.carnell.com/articles/2016/orcus/amp/ will return the AMP version.

At some point, Google seems likely to penalize pages that are not AMP-enabled as the search engine company increasingly sees mobile as key to its future. Plus, AMP is a much better alternative IMO to competing initiatives such as Facebook’s Instant Articles.