WordPress Plugins vs. Cloudflare Apps

Cloudflare Apps are a lot like WordPress plugins. Each App adds specific functionality to my website. Like plugins, Apps are available in multiple categories such as SEO, Security, Social & Communication, etc. Another similarity – some Apps are free, some are not.

A major difference is that unlike a plugin, which is installed and runs on my site, an App adds its functionality to my pages as they pass through Cloudflare.

Here’s an example … Most of my sites use the same basic kind-of-plain design. This is intentional, since I want user focus to be on content. On a for-fun site though, I’d like to add a touch of whimsy. I log into CF, select my site, click the Apps tab, and start browsing. I find an App called Particles that looks promising. Its description reads “Fill your site’s background with interactive particles”. It has an 82% positive rating. Importantly for me, it is free.

I select Particles and click ‘Preview on your site’. I get a screen that shows my site with the new functionality – interactive moving background particles in this case – on the right, and configuration options on the left. I experiment with the configuration options to fine-tune the look.

I decide I like it, so I click ‘Install on all pages’. And … instead of immediately installing, CF serves a pop-up: ‘Cloudflare will share your email address with the developers of Particles’. Well, that’s damn annoying. I decide I like the App enough to risk a few spam emails. I click ‘Continue’.

That’s it. I now have cool background particles on my Micromismanagement site.

Great things about CF Apps in comparison to WP plugins:

  • I don’t have to install or run anything on my site, saving me a few bytes of disk space and a few CPU cycles.
  • The App provider takes care of upgrading to new versions.
  • I can preview the new functionality on my site before deciding whether to install it.
  • Installing and uninstalling are quick and easy.
  • The new functionality is served from the CF node closest to the user for high performance.

Great things about WP plugins in comparison to CF Apps:

  • Selection – there are many thousands of WP plugins to choose from, compared to a few dozen CF Apps.
  • WP plugins typically have more configuration options. For example I tried the Social Icons App but could not get the icons placed the way I wanted them on my site. I use a plugin instead.
  • Many WP plugins are widely used. They are discussed in the WP user forums and elsewhere. Recommendations, reviews, and peer support for the more popular plugins are ample. By comparison, CF Apps seem to have a much smaller user base. There isn’t much discussion about them in the CF user forums, or anywhere else for that matter.

My point of view … I love the concept of CF Apps. I hope the selection continues to grow and the user base multiplies. For now though, selection is key. I can almost always find the right WP plugin for whatever I need. Particles is the only CF App I currently use.

Facebook Post Optimization

Once in a while I get lucky and someone will ‘like’ or ‘share’ my site on Facebook. By default, the FB post can look crappy, unlikely to drive much if any traffic my way. FB makes guesses about the title and description, and crops an image from my post or page to fit the space allocated on the post – not exactly the best Facebook post optimization.

A crappy-looking Facebook post

But, I can use Open Graph meta tags to tell FB exactly how to display the post. The Yoast SEO plugin makes it easy. I edit the applicable page or post, scroll down the page to the Yoast SEO section, and click the Social Media icon.

Facebook SEO

I immediately get a pop-up nag: “Do you want to preview what it will look like if people share this post on Facebook? You can, with Yoast SEO Premium.” It turns out I can save $80 by using the free Facebook Sharing Debugger instead. I ignore the nag.

Now I can type in the exact Title and Description I want, and upload my preferred Image. The recommended image size is 1200 x 630 pixels, but a similar ratio will also work, 600 x 315 or larger. Next, I visit the Facebook Sharing Debugger, enter the URL and click Debug, then – a little further down the page – Scrape Again. I get a preview of the post that will appear on FB when my page is liked or shared. I also get another nag: “The following required properties are missing: fb:app_id”. This means that FB would like me to register my site and get a Facebook ‘application id’ – which is completely unnecessary for my purposes. I ignore that nag too.

I can repeat the whole process as needed until my post looks just the way I want.

That’s all there is to it.  A much more attractive post to improve my click rate.

Update: Twitter post optimization is very similar. Just select the Twitter tab instead of the Facebook tab after clicking the Yoast SEO Social Media icon. The Twitter Card Validator (free, Twitter login required) is analogous to the Facebook Sharing Debugger.

CloudFlare and Free Speech

CloudFlare, even more so than other tech giants like Google, Twitter, and Facebook, has the capability to fight subjective hatred and injustice. That is, to limit free speech in accordance with the highly subjective viewpoints of its executives. A huge amount of web traffic flows through CF. It would be trivial to silence any voices that proliferate truly despicable hate speech and/or offend the easily-offended sensibilities of the cry-baby left.

To CloudFlare’s great credit – unlike other, mostly ultra-left web corporations – they have proven remarkably reluctant to do so.

Other web mega-corporations take an active approach to combating what they consider – sometimes based on their radical leftist ideology – to be hate speech. This includes deleting posts, banning users, and deprecating search rankings of sites that proliferate horribly hateful diatribe. But many relatively innocuous posts and websites – including one of mine twice – suffer from collateral damage. And pro-freedom, pro-America – that is to say, right wing – voices suffer by far a disproportionate amount of the collateral damage. Even some openly hateful websites get a free pass provided they are sufficiently liberal. CNN and MSNBC are just two of the more prominent examples.

CF appears to interpret the first amendment to the Constitution as it was intended, clearly prohibiting any “abridging the freedom of speech”. And this includes speech that I – and you, and CF, and pretty much everyone else – disagree vehemently with. Hateful, despicable voices – provided they do not violate U.S. law – are tolerated by CF. Good for CF! Not that I like hate-speech, I despise it as much as you do. But fundamental freedom requires that free speech – even hate speech – be allowed. To do otherwise would be to embark on an extremely slippery slope.

CloudFlare Firewall Rules

CloudFlare announced the introduction of firewall rules on October 3, 2018. Surprisingly, five firewall rules are even provided on the free plan. By comparison the Pro plan provides 20 firewall rules. Unlike Page Rules, additional firewall rules can *not* be purchased. I get five, that’s it – but as we will see a single firewall rule can do a bunch of different stuff provided that the final action is the same. Pretty generous of CF, I think, seeing as I use only their free tier.

Comprehensive Web Application Firewall (WAF) rule sets had long been available, but only on paid plans. Free plan users were previously limited to using the IP firewall.

CF provides two ways to enter a firewall rule, an easy Visual Editor and a more advanced Expression Editor. I’ll stick with the easy one. The Visual Editor includes blocks for:

  • Description;
  • Actions, which indicate how to respond to a matched rule; and
  • Fields and expressions, which define the criteria for flagging incoming requests.

So, what good are firewall rules? They are really flexible, and can be used for many things. CF provides several examples. Firewall rules can do some of the same things as page rules, although each can also do things the other can’t. I could potentially use firewall rules to free up one or more of my three precious Page Rules. Firewall rules, unlike Page Rules, even allow for a recaptcha. Example:

The result, when anyone accesses my Contact Kenny page on that site, looks … well, kinda shitty and really scary, with a big scary orange warning thingy next to the recaptcha …

Further down is more scary text advising to “run an anti-virus scan on your device to make sure it is not infected with malware.” So, rather than cause my visitors to run frightened from their PCs, I skipped the recaptcha and use a javascript challenge instead.

A powerful feature of CF firewall rules is that little “Or” button. I can use it to make a single firewall rule do a bunch of different stuff, provided that the final action is the same. For example, if I want to block user access to … cPanel, xmlrpc.php, wp-login.php, user enumeration, install.php, wp-config.php, .htaccess, readme.html, and license.txt … no worries. I can use a single firewall rule with a bunch of “or”s:

if
(http.request.uri.path contains "/cpanel")
or
(http.request.uri.path contains "/xmlrpc.php")
or
(http.request.uri.path contains "/wp-login.php")
or
(http.request.uri contains "/?author")
or
(http.request.uri.path contains "/install.php")
or
(http.request.uri.path contains "/wp-config.php")
or
(http.request.uri.path contains "/.htaccess")
or
(http.request.uri.path contains "/readme.html")
or
(http.request.full_uri contains "/license.txt")
then
action: block

There may be a limit to the number of “or”s, but if so it is more than 8.  Except for cPanel access, I could also block these things in .htaccess. The beauty of the firewall rule is that these potentially malicious requests are blocked at the CF reverse proxy so they never get to my site or server.
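
An added example (not the author's or Cloudflare's code): a simplified Python model of the `contains` tests in a rule like this one, run over constructed requests. It assumes Cloudflare's documented field meanings (`http.request.uri.path` is the path only, `http.request.uri` is the path plus query string); the function names are hypothetical. It checks which field a query-string pattern such as `/?author` has to be tested against, and shows that a substring test can also catch an ordinary page.

```python
from urllib.parse import urlsplit

def request_fields(url):
    """Simplified model (an assumption of this example) of three Cloudflare fields."""
    p = urlsplit(url)
    return {
        "http.request.uri.path": p.path,                                  # path only
        "http.request.uri": p.path + ("?" + p.query if p.query else ""),  # path + query
        "http.request.full_uri": url,                                     # scheme, host, path, query
    }

def build_rule(author_field):
    """OR-ed (field, substring) tests; author_field is the field checked for "/?author"."""
    path = "http.request.uri.path"
    return [
        (path, "/cpanel"), (path, "/xmlrpc.php"), (path, "/wp-login.php"),
        (author_field, "/?author"),
        (path, "/install.php"), (path, "/wp-config.php"), (path, "/.htaccess"),
        (path, "/readme.html"), ("http.request.full_uri", "/license.txt"),
    ]

def evaluate(url, rule):
    """Return (action, matched tests); "contains" is a case-sensitive substring test."""
    fields = request_fields(url)
    hits = [(f, s) for f, s in rule if s in fields[f]]
    return ("block" if hits else "allow"), hits

# Constructed sample requests; example.com is a placeholder host.
SAMPLES = [
    "https://example.com/wp-login.php",
    "https://example.com/?author=1",              # path is "/", the pattern is in the query
    "https://example.com/blog/cpanel-vs-plesk/",  # ordinary post whose slug contains "/cpanel"
    "https://example.com/contact/",
]

if __name__ == "__main__":
    for field in ("http.request.uri.path", "http.request.uri"):
        print('"/?author" tested against', field)
        for url in SAMPLES:
            action, hits = evaluate(url, build_rule(field))
            print("  %-45s %-5s %s" % (url, action, [s for _, s in hits]))
```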

Update 2019-01-30: I stumbled onto another great thing about CF firewall rules. Unlike page rules or htaccess, firewall events are logged. And … it’s pretty revealing. Lotsa bad guys/gals (I’m guessing mostly guys) out there doing bad web stuff. Just one of my sites is averaging about 100 events a day that I consider serious – in that the consequences would be significant if the hack succeeded. These are mostly admin logon attempts, but a bunch of other nefarious stuff mixed in. Those 100 events are in addition to roughly 250 to 300 a day that are less serious but still malicious and annoying – mostly attempted image hot links. Be careful out there.

She posted Clickbait. What happened next exploded her world!

Call to Action is really Clickbait

– or –

Five Shocking Reasons a web page “Call to Action” is really Clickbait
(Ask your doctor if your heart is healthy enough to read #4)

  1. Irresponsible use of emotional triggers.
  2. Lack of humanity.
  3. Lack of honesty.
  4. Your doctor called and requested I redact #4.
  5. False promises.

So, is every web page Call to Action also Clickbait? Of course not. But plenty are, and plenty more blur the line, and the rest run the spectrum from emotionally needy to annoying to obnoxious.

If I want to sign up for your newsletter (I don’t), I’ll sign up (no, I won’t). “Enter a free drawing for free stuff just by signing up for my Newsletter!” is just going to encourage me to visit a website with better manners. Even “Sign up for my Newsletter” seems to be questioning my ability to see and understand your Newsletter link.

I realize that Clickbait, in the form of a Call to Action or otherwise, works. It must, or you would not be reading this post. Also it would not be ubiquitous on the interwebs. I still hate it.

Every web page SEO guide I have ever seen emphasizes using a compelling Call to Action. What do I want the reader to do? Well, I genuinely want the reader to enjoy my content. So I try (I did say try – I realize I am not always successful) to create good content. If my content is key, then to try to compel, trick, or bully users into doing something other than enjoying my content would be counterproductive and impolite.

I did break my rule and indulge in Clickbait just this once though. Mostly for fun, but also – hopefully – to make a point.

Arrg! Me Pirate Form plugin be walkin the plank.

Shiver me timbers! Me favorite contact form plugin – Free and Simple Contact Form by Pirate Forms – be abandoning ship. Pirate Forms was acquired by WPForms, who are retiring my favorite contact form in favor of a migration path to their signature WPForms Lite. Either by remarkable coincidence or due to a wry sense of humor,  the scallywags at WPForms made the announcement on International Talk Like a Pirate Day.

When a favorite plugin is lost at sea.

I find full-featured form plugins like the deservedly popular Contact Form 7 to be overly complex for my meager needs. I need just a simple contact form with no ‘advanced’ features to get in my way. Pirate Forms was perfect. To be fair, WPForms is also awesome. The final version of Pirate Forms includes a migration tool to make conversion to WPForms as painless as practical. And WPForms provides a very nice balance between powerful features and ease of use – kinda halfway in between Pirate Forms and Contact Form 7. But WPForms includes one mildly annoying characteristic that I just could not get past – a hideously ugly lime green background on the confirmation message.

OK, “hideously ugly” is overstating it, but it does not fit well with the look of my sites. It should be a relatively straightforward matter to change the look of the confirmation message with a bit of custom CSS. But no matter what I tried, I could not get it to work. In desperation I finally edited the plugin CSS directly – an obviously bad practice that I will likely have to re-do every time the plugin is updated. But, like I said, I could not live with the lime green.

Ah, much better.

WP is not ready for CSP

A Content Security Policy (CSP) relies on HTTP response headers to help prevent cross site scripting and other malware, providing a great addition to a layered security approach. I think of it as a reverse firewall. It tells browsers exactly what content should be accepted from my site. All other content – malware for example – should be rejected. So, it doesn’t protect my site. But if my site gets infected, it can prevent the infection from spreading.

A correct CSP is a really good thing, adding to interweb safety. So, why do almost no websites – something incredibly small like 1% of 1% – have a CSP? Partly because it is not very well known yet, but also because it is really complicated to create a correct one. It is much more likely that I will screw up my WP site and deliver false errors to my visitors than it is that my CSP will work properly.

If I create a flat HTML website, and code it myself, so I know the code really well, inside and out, I have a good chance of being able to create a correct CSP. But WP, like any content management system, intentionally obfuscates the code details. Themes and plugins – unless I spend many hours to really study and understand the code – are black boxes by design.

The WP Content Security Policy plugin is an ambitious attempt to solve the challenges of implementing CSP on WP. It is really cool. I tried it out and wanted very much to love it. It resolves the problem of code obfuscation by letting me create a bare-bones CSP then add to it over time. It logs CSP errors so that I can examine them and tweak my CSP to eliminate the false errors.

The problem? The plugin relies on the WP REST API to log CSP errors. I use the excellent Disable WP REST API plugin by Jeff Starr of Perishable Press to substantially reduce hacker attack vectors that the REST API opens. I have to choose between no-CSP security risks vs. REST API security risks. I choose to leave REST API disabled, and forgo – for now – the benefits of CSP.
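
The tuning loop described above (start from a bare-bones policy, collect violation reports, widen the policy), as an added Python example; it is not the WP Content Security Policy plugin's code. The base policy, host names, function names and sample reports are constructed, the report fields follow the standard `csp-report` JSON format, and origins are added only from an explicitly approved set because a report endpoint accepts input from anyone.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Bare-bones starting policy and site host (both constructed for this example).
BASE_POLICY = {"default-src": ["'self'"], "script-src": ["'self'"], "img-src": ["'self'"]}
SITE_HOST = "blog.example"

def triage(raw_reports, site_host=SITE_HOST):
    """Count (directive, origin) candidates; set aside reports that need a manual look."""
    candidates, review = Counter(), []
    for raw in raw_reports:
        try:
            rep = json.loads(raw)["csp-report"]
            # Newer browsers send effective-directive; older ones only violated-directive.
            directive = rep.get("effective-directive") or rep["violated-directive"].split()[0]
            doc_host = urlsplit(rep["document-uri"]).hostname
            blocked = rep.get("blocked-uri", "")
            target = urlsplit(blocked)
        except (ValueError, KeyError, IndexError, TypeError, AttributeError):
            continue  # malformed body: report endpoints accept unauthenticated POSTs
        if doc_host != site_host:
            continue  # not about a page on this site
        if target.scheme == "https" and target.hostname:
            candidates[(directive, "https://" + target.hostname)] += 1
        else:
            review.append((directive, blocked or "(empty)"))  # inline, eval, data:, http: ...
    return candidates, review

def build_policy(candidates, approved, base=BASE_POLICY):
    """Extend the base policy with candidate origins the site owner has approved."""
    policy = {d: list(srcs) for d, srcs in base.items()}
    for directive, origin in sorted(candidates):
        if origin not in approved:
            continue  # stays blocked until someone vouches for it
        sources = policy.setdefault(directive, list(base["default-src"]))
        if origin not in sources:
            sources.append(origin)
    return "; ".join(d + " " + " ".join(srcs) for d, srcs in policy.items())

def _report(key, directive, blocked, doc="https://blog.example/post/"):
    """Build one constructed violation report as a JSON string."""
    return json.dumps({"csp-report": {"document-uri": doc, key: directive, "blocked-uri": blocked}})

# Constructed sample reports.
SAMPLE_REPORTS = [
    _report("effective-directive", "script-src", "https://cdn.example.net/jquery.js"),
    _report("effective-directive", "script-src", "https://cdn.example.net/jquery.js"),
    _report("violated-directive", "img-src 'self'", "https://images.example.org/a.png"),
    _report("effective-directive", "script-src", "inline"),
    _report("effective-directive", "script-src", "https://ads.example.biz/x.js"),
    _report("effective-directive", "script-src", "https://cdn.example.net/x.js", doc="https://other.example/"),
    "not json",
]
```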

 

The greatest keyboard of all time

Having worked in IT since the mid-1980s, I have seen tremendous advances in technology. Everything has progressed consistently for the better by leaps and bounds. CPUs, monitors, networks, pointing devices, on and on. Year-by-year, decade-by-decade, everything is faster, cheaper, brighter, more capacity, more bandwidth, better everything in every way.

With one exception. The greatest keyboard ever made was the IBM Model M, introduced in 1984. By ‘greatest’ I mean the best keyboard ever mass-produced for the common people, even included standard with off-the-shelf PCs. There are expensive gaming keyboards, hand-crafted artsy perfumed keyboards, keyboards specially made to excel at a certain something, that no doubt have their merits. But for a run-of-the-mill everyday office keyboard for regular people, the M rules and it ain’t even close. Since the M, keyboards have gotten progressively worse – flimsier and mushier – over time.

The greatest keyboard ever made

The M featured serious heft with a strong plastic frame and heavy steel backplate. As a colleague put it, “You could kill somebody with one of those”. The labels were virtually fade-proof – baked into the keys, not just applied to the surface. The M was so over-engineered and well-made it would literally outlast decades of constant use – many are still in use among fellow enthusiasts.

But the best feature – the defining feature – of the Model M was the buckling spring keyswitch. The M provided unique tactile and auditory feedback – I would unmistakably hear and feel every single key press. It was an absolute joy to type on. Like the rest of the keyboard, the keyswitches were designed to never wear out.

Over the years the M was offered in various flavors. My favorite was the M-122, a massive barge of a keyboard with a whopping 122 keys.

A massive barge of a keyboard

IBM eventually bowed out of the PC business, and stopped making the Model M in 1991. Fortunately Lexmark, followed by Unicomp, produced clones of the iconic keyboard. Still today I can buy a Unicomp clone of the Model M – and I did, when I finally could no longer stand the flimsy mushy keyboards provided on today’s PCs. I got the 122, even though no one even remembers what some of the keys were for. My M clone does not have the heft or cosmetic manufacturing care of the original. I would be hard pressed to kill someone with it, but that was not in my plans anyway. The case has a blemish and rough spot or two. But the awesome keyswitch technology is identical to the original. Finally, after many years, keyboard typing is a joy again.

My Unicomp Model-M Clone

Just a warning though – by today’s standards the Unicomp is loud. We didn’t really notice back in the 1980s because we weren’t far removed from ubiquitous office typewriter noise – the M was actually an improvement. Today – if you are in a library or quiet cubicle environment – you will be noticed – click-click-click-click …

Is Gutenberg the beginning of the end of WP?

Is Gutenberg the WP Waterloo? An editor too far? The doomed charge of the CMS brigade?

The Battle of Waterloo by Clément-Auguste Andrieux

Ah, no. At least I don’t think so, although there is a lot of speculation about it. Moving Gutenberg into WP core is an inexplicable misstep by the WP People in Charge (PIC), an arrogant act of incompetence, an imposition of the unwanted on the unwilling by the unaccountable. But it’s not like WP PIC haven’t stepped on their dicks before and recovered from it.

As I relate in another post, I have test driven Gutenberg and – despite its still-persistent bugs – I don’t hate it. It works about as well for me as the classic TinyMCE. What I do hate is the arrogant, despotic tyranny of forcing it on a community of loyal users who overwhelmingly do not want it. But will this kill WP?

Again, I don’t think so. The PIC – reluctantly, I imagine – provided a reasonably easy way to stick with TinyMCE and evade Gutenberg, at least for the time being. Also, WP is way too popular, way too excellent in very many ways, and generally well-maintained and supported by the usually-awesome PIC, to slip into permanent decline over this kerfuffle.

What would I do – switch to Joomla? I would have to change the name of this blog to JoomlaPOV, and that’s not even alliterative.