Category Archives: Blog Operations

Going Dark

I’m going dark in an hour or so. In preparation for the big move tomorrow, I’m about to shut down and pack up the home computers and tear down our internet connection. Shortly after posting this message, for the first time in over 15 years, my wife and I will no longer have broadband internet access.

Except for an iPad and both our iPhones with LTE, along with the Kindle Fire and Lenovo ThinkPad we have tethered to them, of course, which should last us until we can use the WiFi I setup in the new home. Because we’re not savages.

But other than that, totally dark.

See you on the other side…

A Small Orange, WTF?

For the last few years, this blog has been hosted on a smallish Virtual Private Server (VPS) at A Small Orange. I had originally started with a typical shared hosting account, but one of the sites I was hosting for a friend started getting a lot of traffic, and I needed something a little beefier to take the load. It just made sense to put my other sites on the VPS as well, including Windypundit.

Overall I’ve been pretty happy with hosting at A Small Orange. The technology makes sense to me, and support staff have been responsive and helpful. But it is a low-cost service, so there have been a few glitches. The server goes down occasionally, dropping off the internet for a few minutes, and every once in a while something worse goes wrong, and it stops serving web pages until I notice it’s down and restart it, which can mean several hours of down time. I’ve been living with that, however, because I like everything else about A Small Orange and the price is right.

Then late on Christmas day the site went down. It took me a couple of hours to notice the problem.  (I get notifications from monitoring services, but who pays attention to that stuff on Christmas Day?) I tried logging in to restart the server, but I couldn’t get to the VPS management tools for my server. So I filed a support ticket.

It took unusually long for ASO support to get back to me, and all they could do is refer me to a network status report which explained that “a network issue was identified with some VPS servers” and they were working on it.

It’s now been 90 hours since my VPS went down, and they’ve issued over two dozen updates, including a second network status report and there’s no end in sight. Clearly something has gone terribly wrong. As near as I can tell, network problems with their servers at the TierPoint facility in Dallas caused a bunch of VPSs to shutdown in a way that makes them difficult to restart correctly, and continuing network problems are making things worse. All these problems have overwhelmed the support staff, and they are many hours behind in handling trouble tickets.

The folks at A Small Orange have been good to me over the years, and I felt bad for them. I have some experience fighting technical problems like that, and it’s not easy. But I wanted to have my websites up.

It’s not easy shopping for VPS services in a hurry, and they vary wildly in price depending on the level of service provided, but I found a reasonably priced plan at InMotion Hosting. It took them a couple of hours to get me set up with a VPS, and then I had to load my websites onto the server. I’d prefer to have done live transfers from the old server, but with the server down I had to fallback to backup copies from Christmas morning. I figure not much happened on Christmas, so I probably didn’t lose anything significant. After that, I just had to point all the DNS records to the new server and let the changes propagate.

All my sites should be visible to users now. It’s been less than a day, so I can’t tell if InMotion is going to work out yet. I’ll give it a month and see what happens before deciding if I should stay with them, go back to A Small Orange (especially if they offer nice apology freebies), or try some other service (suggestions welcome). This is about the sixth time I’ve changed hosting services, and I seem to be getting good at it.

Windypundit Technical Review

In an earlier post, I wrote,

The whole point of a blog like this is to share everything on the site with literally anyone who wants to see it. In fact, I’ve gone through rather a lot of trouble to make sure that happens.

That got me thinking about all the bits of technology that it takes to put a blog like this on the web. I decided to make a list, and it turns out there are a lot of pieces. To start with, there’s the main WordPress installation:

  • WordPress — the blogging engine that powers it all.

The look and feel comes from the WordPress theme I use, which is made up of about four big pieces:

I’ve customized Skeleton to produce the theme I use for Windypundit. I use the SCSS preprocessor to do some of the math to make the look and feel more tunable.

Naturally, Windypundit uses a number of WordPress plugins:

  • Cookies for Comments — A simple anti-spam plugin that rejects some less intelligent spambots.
  • Google XML Sitemaps — Adds a sitemap for Google.
  • Growmap Anti Spambot Plugin — Another simple anti-spam plugin. This generates the “Confirm you are NOT a spammer” checkbox.
  • NextGEN — An image gallery management tool. I don’t use all the gallery features.
  • Search Regex — A potentially dangerous tool that allows me to search-and-replace regular expressions across all blog posts.
  • W3 Total Cache — Caching software, so pages can be served quickly without as many hits to the database.
  • WordPress HTTPS — Improves HTTPS support.
  • WordPress SEO — Makes pages a little more search-engine friendly. I only use a fraction of the features.
  • wp-jquery-lightbox — Displays photos bigger when you click on them. I use this instead of NextGEN’s viewer.
  • WP Widget Cache — Caches the widgets on pages so they can be served without re-querying the database.

I also wrote two small custom plugins:

  • Custom Dynamic Photo Resizer — A WordPress shortcode to generate resized photos for blog posts. If I want to change the size of all the photos in my layout, I just change the resizer implementation and all the images will be generated and served at the new size.
  • Custom Shortcodes — A variety of custom WordPress shortcodes to replace features I had in custom tags on Movable Type. Hardly ever used anymore.

I also make use of a bunch of web-based services which are integrated via WordPress plugins:

All advertising content on the site comes from

Windypundit is hosted on a smallish Virtual Private Server from the folks at A Small Orange. I use a VPS instead of shared hosting because I host a number of other websites and because I wanted to learn about running a website on a VPS.

The server is running a standard LAMP stack:

  • Linux — The operating system. It’s the CentOS distro.
  • Apache — The web server.
  • MySQL — The relational database that holds the WordPress content.
  • PHP — The scripting language that ties it all together. WordPress is written in PHP, along with all of its plugins.

A few other bits run on the server as well:

  • nginx — Running as a reverse proxy for improved caching.
  • cPanel/WHM — The web-based hosting management software.

As I said, it’s actually a virtual server, meaning that A Small Orange has carved out a couple of processor cores and some memory from a larger server. There’s also a SAN array for disk storage. All hosted sites are backed up nightly to Amazon S3 and then rolled over to Glacier.

The servers and disk arrays are located in (I think) TierPoint’s a 68,000 square foot data center in Dallas, Texas. The data center is SSAE 16 SOC 1 certified, with fully redundant HVAC and fully 2N redundant power, with six backup diesel generators fed from a 50,000 gallon fuel reserve. The facility is multi-homed and carrier neutral with connections to Level3, Abovenet, TimeWarner, Suddenlink, Cogent, Global Crossing, and IP Transit. I’m sure there are Fortune 500 companies hosted in the same data center.

Only the main HTML page of Windypundit comes from that server. All of the embedded static components — images, style sheets, Javascript — are served from cached copies in 31 data centers all over the world in the Cloudflare content distribution network so that pages load more quickly.

This is, beyond a doubt, an insane amount of technology for a humble little blog full of libertarian ranting and occasional cat pictures.

The thing is, none of this is particularly special. All of you who have WordPress blogs are using mostly the same technology. You might not have Cloudflare or some of the other layers of caching, and you’re using a different theme and a different selection of plugins, but the rest is basically the same. You might not be as interested in the technology as I am, but we’re all using WordPress, we’re all running on some variation of the LAMP stack, and we’re all hosted out of a ridiculously over-spec’d data center.

A Bit Of Excitement Around Here

On a personal bloggy note, this past week I’ve started seeing signs that Windypundit is once again beginning to draw a bit of attention. The tweet for my post about the attempt to shut down the Bronx Defenders because of a rap video was retweeted by a relatively large number of people, starting with Gideon and Scott, and that post has received about 25 times the traffic one of my posts usually gets. I’ve also received a couple of private “Thank you” emails from Bronx Defenders staff, and David Feige was nice enough to drop by in the comments.

And now I see that Radley Balko at the Washington Post has published an article on the Bronx Defenders’ troubles, and it includes a link to my post and an extended quote from it. That’s pretty cool — getting that kind of attention from a WaPo columnist. Strangely, however, the part of my post that Radley decided to use was my attempt to explore what the lyrics of Uncle Murda’s “Hands Up” really mean. Because, when you’re looking for insights into rap music, aren’t I the first person you think of?

Just call me MC Big Windz. And join me next week when I disclose yet another version of Big Sean’s Blessings, speculate whether Meek Mill’s second studio album can possibly repeat the rambunctious mayhem of his debut, and discuss rumors of an emerging 100th problem for Jay-Z.

2014 in Review

According to WordPress, 2014 was a slow year, with only 114 posts, almost a quarter of which were on a Saturday. And for the first time in years, the #1 post was not my anti-Sprint rant. Instead it was my post about the protests in Ferguson. In addition to the usual social media outlets, I owe Popehat and Gamso for much of my traffic.

My most active commenter was Allison Williams, or rather, the Indian outsourcing firm to which Allison Williams’ internet marketing agency gave her link building subcontract. The second and third most active commenters were Scott Greenfield and Jack Marshall, which probably annoys both of them. Matt Haiduk and nidefatt round out the top five. The rest of you didn’t make WordPress’s list, but I thank you all…or at least all of you who are real people. It would get lonely here without you.

Furthermore, here at Windpundit, 2014 was the year in which:

That was most of it. See you all in 2015!


WordPress Jetpack Comments — WTF?

WordPress’s Jetpack plugin is a nice collection of features for bloggers. I host my blog on a server I pay for instead of on the big cluster because I appreciate the extra flexibility, but by using Jetpack, I can also get some of the more powerful cluster-based features, like improved search and uptime monitoring. I have also apparently been making use of a feature called Jetpack Comments, which provides a more elegant comment interface and allows users to authenticate through WordPress, Facebook, and Twitter.

Not that I get a lot of comments. Windypundit doesn’t have the readership it used to have, and I never really had an active commenter community. Lately, in fact, it seems I hardly get any comments at all, which has been kind of disappointing. I assumed people just weren’t finding my posts interesting enough to engage with.

Over the last couple of weeks, however, I’ve been writing about the events in Ferguson, Missouri, and traffic to my site has roughly doubled because of it. And still there were no comments, even though this was a highly controversial subject. That was suspicious. Could there be something wrong with comments on my blog? Would that explain why I haven’t received any comments in a while?

Yes, yes it would.

It turns out Jetpack comments work by replacing the entire comment entry section with something called an iframe, which is an HTML element for embedding a web page inside another web page, and so the comment form displayed at the bottom of my posts wasn’t generated by code running on my server, it was fetched from And when the user types in a comment and submits it, the form is sent back to I assume it’s then authenticated appropriately and submitted back to my server and displayed.

At least that was the theory. But when I launched an incognito browser window and used it to submit a test comment, for some reason the iframe filled with a cropped-down duplicate copy of the Windypundit web page, complete with animated banner, but all trapped in a box where the comments used to be. I don’t know where the comment went, but it never made it to my blog’s database.

So…maybe the lack of comments wasn’t due to my being boring after all. I wonder how long it’s been that way…

I assumed that problem was either that my theme design was missing some crucial element that makes Jetpack comments work, or that some other plugin was interfering with Jetpack, so I switched to the WordPress-provided Twenty Fourteen theme and I disabled every plugin except Jetpack. Essentially, I was running WordPress fresh out of the box. And still the problem didn’t go away. I don’t know, maybe it’s some weird Cloudflare thing.

I finally gave up. I put everything back the way it was and then disabled Jetpack comments, which seems to have fixed the problem.

I still wanted the social media connection, so I installed the Social Login plugin, which provides alternate authentication through lots of different social networks using the rather amazing protocol translation services provided by oneall. I almost immediately started getting spam comments, so I also dropped in the Growmap Anti Spambot Plugin, which supposedly checks for humanity by requiring you to check a box. I’m not sure why that can’t be automated, but I’ll give it a try.

I need to test this, so if you’ve read this far, please help me out by leaving a comment. Just say hi. Let me know that my blog software is no longer turning readers away.

Site Meter WTF?

Have you been seeing pop-up ads on my blog?

You see, a couple of days ago I was fiddling with some darned thing here in WordPress — I can’t remember what it was anymore — and I wanted to take a look at how the page lays out to ordinary people. As a logged-in WordPress user, I get extra features like a command bar at the top and special links I can click to edit content, and I wanted to get a look at the site without any of that. I could just log out, but then I’d have to login again to tweak it some more, and that’s a pain.

So instead, I launched the Chrome browser in “incognito” mode, which runs the browser with no cookies of any kind, as if it had never been launched before, which means my blog will treat it like just another random first-time visitor.

And the darnedest thing happened. Some kind of full-page ad popped up and completely covered the contents of my blog? At the top it had the words “A Message From Our Sponsors” with a link in the upper right corner labeled “Click to continue to site” or something like that. It was just like one of those full page ads you sometimes get when you follow a link to a big media property like Forbes.

What the fuck?

Just to be clear, I don’t put ads like that on my blog. I have an Amazon banner on the right side, and another one at the bottom of every article, and that’s it. Whatever this was, I didn’t do it.

I flipped on developer mode in the browser and took a look at another page. I wanted to see where it was getting content from. This page didn’t show the ad, but when I looked at the Network tab, I was in for another shock. The first file was the main HTML page, and the next dozen or so were the usual bits and pieces from the wordpress folder, bits and pieces of CSS, Javascript, and a handful of images. An awful lot of the rest of the files were stuff I didn’t recognize.

There’s always some of that on a page. If you use widgets or Javascript code to link to Twitter or Facebook or Amazon or Gravatar, the tiny stub of code you use to do that pulls down more code and other assets that it needs to function. But this went beyond any of that. It was hitting a horrifying array of unfamiliar sites:


As near as I can tell, every single one of those is in some way associated with web advertising. Someone was using my blog to get credit for distributing ad content. At the very least, they were probably littering my visitors’ browsers with tracking cookies.

I’m truly sorry about that. This is an embarrassing discovery, and I apologize.

On discovering this, I got a little panicked. My mind went to a bad place: It was possible I had been hacked via malware in a WordPress plugin. WordPress and all its plugins and themes are built on PHP and PHP is wide open: Every WordPress plugin, every theme, has complete access to all the files in a web server account. If any one of the plugins is malicious, it can infiltrate itself into a WordPress installation in ways that are hard to remove. It’s like a virus.

You should never install WordPress plugins or themes from an untrustworthy source. The plugins and themes that you can find from within WordPress via the Add New button have been somewhat vetted by the community and are probably safe, but with the exception of a few reputable vendors, you should never download and install a theme or plugin from another web site. One study on a small sample of random free WordPress themes found that 100% of them had some kind of hidden code to insert tracking cookies or place hidden links on the site. Every single one.

I had been careful about adding plugins, but maybe I had made a mistake, or maybe one of them had slipped past the guards on the WordPress repositories. I began disabling plugins, starting with the most recent ones, and refreshing the page to see if the invading websites were still there. Eventually I got down to just a handful of trusted plugins — Google, Amazon, stuff everyone installs — and the ads were still there.

The culprit turned out to be one of the oldest things I had ever put on my site: The Site Meter badge. I’ve had that thing on my website since before WordPress. I think I even had it before MovableType, back when I was hosted on Blogger. At the time, every blogger in the world used Site Meter to track their stats, and I was no exception.

Site Meter didn’t press their advantage, however, and they didn’t keep up with the times. Their simple counter and statistics are no match for a modern powerhouse like Google Analytics or Woopra. Apparently, at some point they just gave up trying to monetize stats and started just pushing out all kinds of advertising crap. Given how many advertising companies they’ve sold my site to, I assume they’re trying to squeeze out as many tiny fractions of a penny as they can.

(This was actually good news, since Site Meter was just a <script> tag I had embedded in the footer. It didn’t run any PHP code on my site, so it couldn’t have corrupted anything else. It all ran in the relatively safe sandbox of my visitors’ browser.)

I Googled around about this, and apparently everyone else noticed the problem a few years ago. I wasn’t paying attention, and I missed it. I guess that’s because I don’t really use Site Meter any more, and I would have abandoned it, but…it was the oldest counter I had on the site, and I was enjoying watching the numbers climb. It used to go up pretty fast, and I would have reached my first million several years ago, but my site statistics took a dive about 6 years back when I was busy taking care of my parents.

According to Site Meter, I still haven’t quite reached my first million visits. The counter currently sits at 999315.

And there it will stay.