The ones I know of:

ads.txt
humans.txt
robots.txt
security.txt

This site makes use of robots.txt and humans.txt . I don’t need ads.txt because 3rd-party ads aren’t currently running on the site, and security.txt seems not necessary as the site’s contact form is easy enough for anyone to find.

I’m guessing there are other “little text files” out there, but I am super busy building a bookstore subdomain for the site with every spare minute. So for now I’ll post the files that I’m aware of; I’m sure in time more will be found and added to the list.

Also: how are people referring to these files? Surely there is something better than “all the little dot-text files you can put in the root directory of your website”.

I think..

Eventually there will be all sorts of these little text files. Anyone can start a text file thing. Like contact.txt for contact information. Or help.txt for support. It could even go beyond site meta and do like friends.txt or any-useful-bit-of-information.txt .

Recently I found myself listening to someone who was trying to convince me that I should be doing more on Facebook. For reasons like attracting new customers and making more money. It was pretty sad listening to the spiel, but I do care about people and their opinions, even when they are wrong.

The person really wanted to know “why” I wasn’t spending more time on Facebook. They were spending all of their time and efforts there, and obviously didn’t understand someone who did not share the mindset.

So after thinking for a moment that, well golly, I’ve been on Facebook since 2008, have around 300 friends, eight different Facebook pages , and have joined around a hundred Facebook groups. I thought, like that’s not enough? You want me to spend even more time on Facebook. Lol.

So I responded that I’m actually busy weaning off of Facebook, and that I disagree with how they treat their users. You know, ethics and principles and all that stuff. Pretty important reasons to not want to get more involved but rather work on cutting all ties. Stuff like, because I have to live with myself, and loathe the idea of censorship, data mining, and basically everything that FB reportedly is up to.

And I sent that reply, what I thought was a solid reason for disliking Facebook (the company not the people, I love my friends and followers). But apparently it wasn’t enough to get the message through. For the person shot back saying that I needed to get over my “ego” and not worry so much about the ethics of it, and that no company is 100% ethical, they’re all power-hungry control freaks, yadda yadda yadda. Like you know, come one dude and get on this bandwagon it’s not a big deal.

At that point, I responded that it’s hard to ignore things like principles and integrity in pursuit of profit. And if it were just a matter of ethics or whatever, I would agree that Facebook might be worthwhile. But it isn’t. There are other factors as well. Like amount of work and time required vs. potential payoff. I did a simple cost vs reward analysis and the numbers just aren’t there. Put simply:

FB = too much work for too little reward.

Apparently that last quip was enough to finally get the point across, as the person simply responded with a smiley emoji. So the conversation ended with a smile, but I had a few more points to go.. unfortunately the person was no longer interested, maybe had gotten the point. Maybe not. But I think it’s important especially these days to understand clearly why Facebook is not worth it ..

A few reasons why Facebook is not worth it

First as mentioned in the conversation, Facebook reportedly bans and censors users, sells their data, spies on them, tracks them, and basically manipulates just about everything that results in more $$$. But you already understand this, as do most thinking/moderately aware people these days. We’ve all read the reports that Facebook is an unethical giant corporate dinosaur up to no good. Whether or not that’s all true is up to you, my friend. I have no clues.

Second , also as mentioned, Facebook requires too much work for too little reward. Back when Facebook was first getting started, it was easy to get some good likes and hits from a well-phrased post. Then they started in with the Facebook advertising and things began to change. Then they went public with their stock offering and things have gone downhill pretty quickly from there. These days, you can post the most awesome stuff and maybe if you’re lucky get 50 likes on it. Or if you’re super popular maybe 1,000 or more. But the vast majority of users get almost nothing for all the hours of time spent on Facebook. A like here and there, maybe a comment. It’s just not worth it. Unless you’re willing to spend big $$$ (or commit huge amounts of time), the incentive is gone. It’s sad too because it was not always the case.

Third , you can do more outside of Facebook. Life is so much better running your own site. Working for yourself is like owning a home instead of renting. And that’s what Facebook is: renting space paid for by your time and efforts. All those cool photos and nifty memes you’re posting belong to Facebook now, and Facebook can use them to make as much money as they want (and you will get none of it). All the ideas and attention you’re giving to Facebook may be enjoyed by some of your “friends” and followers, but you could be getting much better results doing it your own way. You know, like growing up and moving into your own place, where you make the rules and reap all the rewards.

Fourth , Facebook is like kindergarten for people who don’t know how, or are too lazy to do it for themselves. So you’ve gotta have all sorts of inane rules that do nothing but restrict conversation, limit sharing, restrain ideas, and keep things locked down and “safe” from any unwanted opinions. Because a few newbies and weak-minded imbeciles on Facebook just can’t handle it, or at least that is how they are being treated. Like don’t think for yourself just do as you’re told type preschool mentality. It’s not all like that, there is plenty of great content on Facebook, but the overall vibe or mentality or whatever you want to call it, is just different now than it once was. Or maybe it’s me that’s changed. I really don’t know.

Fifth , and this sort of follows from Facebook being a playground for Internet toddlers, is the lack of control you have when posting, chatting, and doing whatever. It’s all so cut and paste, fill in the dots, color by numbers. Like when you’re a kid and can imagine a whole universe full of amazing things, and then for your birthday some weird relative gives you one of those toys where you put the shaped blocks in the matching shaped holes. That’s all you can do; fill in a few blanks and try to feel like you’re not wasting your life while staring at the same boring UI year after year.

Sixth , and this is because of the previous five points, the general mentality that you get while visiting Facebook is embarrassing. 90% of the posts that I see are either:

• Boring
• Deceptive
• False
• Cringe
• Aimed at complete morons
• Demonstrate a serious lack of intelligence
• Utter rubbish
• All of the above

It’s getting harder and harder to find anything worthwhile on Facebook these days. Apart from a few specific groups and pages, it’s all just the same boring stuff that you can get on any other social platform or elsewhere online. I love my web-dev related groups and pages, but for the most part, like in general, everyone is bored and apathetic just posting the same old garbage day in and day out. All the interesting stuff (and not talking just politics here) is either banned, censored or manipulated. So what’s left is an intellectual wasteland devoid of meaning and inspiration.

Seventh , there are better alternatives literally everywhere. Even if you don’t want to do all the work of putting together your own website, there are many great social-media services outside of the Facebook world that are doing it better, way better. They are easy to find with a few searches like “facebook alternatives” or best facebook alternatives and so forth. You may need to try a few different search engines to find what you’re looking for. So you can keep your principles and dignity. You can avoid the worthless content. You can avoid the spying and selling of your data. You can do better. Better service, better people, better content, better incentive, better reward. Better everything.

Eighth thru infinity , all of the little things that suck. Too many specific examples and details to cover here. This post is sort of a general guide, truly books could be written about all the pathetic stuff that happens on Facebook. But admittedly it’s not all horrible. Some of my friends and family are there. I get to hear what Joe had for lunch. Or see pictures of what’s her name’s kids. But the other 90% mostly is horrible and not worth the effort.

And.. something I forgot to mention is greater happiness and more free time to do things that I enjoy. Since cutting back on my Facebook time, I have managed to get a LOT more done, and have been enjoying life more. Just the time away from the toxicity of Facebook is like a breath of fresh air and inspiration.

So why do I keep using it

So why I do continue using Facebook? Admittedly I’ve stopped using it for the most part. I still jump in every week or so to share some of my work, maybe like a few posts, and say what’s up to some friends. But for the most part I live my online life like Facebook doesn’t exist . Eventually, at some point, I’ll drop it altogether. But for now, it still serves a purpose, despite all the crap they’re shoveling.

I know I am in the minority with this, but it doesn’t stop me from saying it. More than likely all those millions of Facebook users know what they are doing and Facebook is the greatest and I’m just some old cranky dude who needs his meds. But I don’t think so. I think Facebook sucks for the reasons outlined above.

I would love to hear someone argue the case for spending more time on Facebook. Something other than make money would be great, as that’s basically what caused the whole mess to take a nosedive in the first place.

Working on adding syntax highlighting to my code snippets here at Perishable Press. To do it, I use my free WordPress plugin Prismatic . Basically all the plugin does is load up either the Highlight.js scripts and styles, or it loads up the Prism.js scripts and styles. So I can rule out the plugin itself for this “weird” little bug. The issue is with Highlight.js specifically.

What happens

I have this post here , for example. The post contains several pre/code elements displaying code, log entries, and so forth. In one of those elements, I had the following line:

https://example.com/automatic-language-translation-methods/

The presence of that line inside of the pre tag causes Highlight.js to apply syntax highlighting to the element, even though it should not.

Why? Notice the language- part in the URL .. that is what is causing the bug.

The bug

The bug is that Highlight.js is applying syntax highlighting, even when the element does not include the required language- class. So a code block that should not be syntax-highlighted is highlighted anyway. Because the highlight script is matching the language- text inside of the <pre> tag.

Normally, Highlight.js only works on pre/code elements that include a class beginning with language- . Like <pre class="language-perl"> or whatever. The highlight script doesn’t try to “guess” the language; a proper language class must be present on the pre tag or no syntax highlight is applied.

BUT for some reason Highlight.js is checking the content of <pre> elements, looking for anything that matches language- . So there are false positives for any code that includes the string language- anywhere inside of the pre tag. Like the URL example provided above.

That means you get blocks of code and content that are highlighted when they should not be highlighted.

Demo

Here is a demo of the bug:

Some preformatted content blah blah blah..

https://example.com/automatic-language-translation-methods/

..some more code and stuff etc.

There is no language- class on this element. It should not be syntax-highlighted. But Highlight.js thinks that it should be highlighted because it finds language- inside the tag content. Inspect the source for more details.

Here is what the preformatted content should look like:

Some preformatted content blah blah blah..

https://example.com/automatic-language-translation-methods/

..some more code and stuff etc.

Note: if the preformatted content in the first example is not syntax-highlighted, it means that either 1) the bug has been fixed, or 2) I removed/replaced the Prismatic plugin with some alternative.

Solution

The solution is to fix Highlight.js so that it looks for matching class names only on the <pre> tag itself; it should not be checking the pre tag content. This fix would eliminate false positives and boost performance, as checking unknown amounts of code and other preformatted content probably requires a bit of work.

Workaround

As a workaround, I simply removed the language- line from the preformatted code block. Alternately, I could have modified it somehow so it isn’t matched as language- by Highlight.js. Of course, this isn’t a feasible solution for sites with lots of preformatted content — you would need to check all of them and tweak each one individually. But it works.

Update: Easier workaround

You can simply add a class of nohighlight to any pre/code elements that should not be syntax highlighted. I.e., to disable Highlight.js on any problematic code blocks.

Moving on

Fortunately this probably is a rare case; not many people are going to have this issue, but there may be another, so am posting here to share the information.

Welcome to the 2020 (25th!) redesign for Perishable Press. Like many of the previous designs , the new design is super minimal and organic. The #1 goal this time around was to find an optimal balance between performance and aesthetics . Or put another way..

..the least amount of code for the best possible user experience.

This article goes thru the design and attempts to explain some of the techniques and thinking that went into the process. Here is an overview of the contents..

Contents

• Minimalismist
• Design Goals
• Screenshots
• Hello “Yes” theme
  • Yes CSS
  • Yes JavaScript
  • Other Details
• Performance Optimization
  • Micro-Optimizing Code
  • Cutting the Fat
• Performance Results
• Tested Browsers
• Retrospection
• Almost There

Minimalismist

I heart minimalism . Many of the site’s previous 24 designs were minimalist and focused on performance and lightweightedness. The new design pushes it even further by using the least possible amount of code to produce the best possible user experience . A rigorous application of minimalism balancing performance with usability and aesthetics.

Designed with 15KB of CSS and 2KB of JavaScript.

Design Goals

First, I wanted smooth continuation from the previous design (no sudden drastic changes). New designs are a great opportunity to improve through iteration, where you can fix all the little things that you didn’t like about the previous design, while improving the things that work to make them even better. Going for design evolution , not shock and awe.

I also wanted the content to speak for itself and visually pop on screen. You can see this by comparing the before and after screenshots . Easier said than done when using a minimal amount of code and browser default fonts and styles.

Other design goals include:

• Optimal performance
• Exceptional usability
• No reliance on JavaScript
• No reliance on CSS
• 100% cross-browser compatibility
• High fidelity/consistency across platforms
• Device agnostic
• Responsive

To accomplish these goals, I decided to stick as closely to browser defaults as possible. After all, the developers of great software like Chrome, Firefox, Opera and others know what they are doing . So instead of ignoring or fighting years of battle-tested default browser styles, I use them as the foundation for my design.

This strategy saves massive time and requires way less code than trying to reinvent the wheel using tactics such as CSS resets or normalization. Most (if not all) of the above design goals were achieved by letting the browser do most of the work.

Screenshots

Before getting into the details of the new theme, here are some screenshots for comparing the previous #24: Metamorphosis"> X theme and the new #25: Performance Over Perfection"> Yes theme (click thumbnails to view full-size images):

Previous site design: X theme

New site design: Yes theme

If you compare the two screenshots, you’ll notice the main vibe of the previous theme is continued in the new Yes theme. But now the content “pops” out more, with more focus on the post content plus some new added information and resources in the sidebars. Besides that, the biggest change is the addition of a fixed top navigation bar and mega footer area. The previous design had a simple one-line footer.

Yes theme rocking Night Mode (click the sun icon in the top nav bar)

Hello “Yes” Theme

Behind the scenes of the new design, there is a WordPress theme called Yes . Not named after the legendary rock band, the Yes theme is more of a general nod toward positivity and optimism. As in “yes” instead of “no” sort of thing. Or in terms of design:

Simple, light and refreshing as opposed to complex, heavy and busy.

The Yes theme serves as the 25th redesign for Perishable Press. The very first theme, named Apathy , was (way) back in 2005. The next theme was named Bananaz , and then Casket , and so forth. With each new theme beginning with the next letter of the alphabet. So the next redesign/theme will be named after the letter “Z”, and will complete the series .

Some features of the Yes theme:

• Theme built with shapeSpace
• Design based on the X Theme
• Night mode (lite/dark toggle button in top menu)
• Mega site menu (inspired by previous minimalist theme )
• Thoughts (asides) displayed in sidebar + thoughts archive
• Super responsive layout/design
• Sticks close to browser defaults
• No plugin dependencies
• Big focus on content
• Removes 3rd-party ads

The Yes theme is built with my shapeSpace starter theme , so the template files are well-organized, streamlined, and kept as simple/lightweight as possible. Keeping the theme light and fast means that you don’t need to try to and compensate by installing all sorts of performance plugins. Honestly, I can’t remember the last time I needed to install any sort of cache or performance plugin on any of my sites.

Not using any cache or performance plugins. Site performance measures close to 100%. ( view results )

So the Yes theme is all optimized PHP outputting clean HTML , and also minimal use of CSS and JavaScript. I’ll spare us the deep dive into all the theme template code (PHP and HTML), and instead focus on the CSS and JavaScript..

Yes CSS

For the CSS, the Yes theme relies on browser defaults as much as possible. This includes properties like font-family , font-size , and line-height , as well as details like colors, borders, and link styles. So basically the design is a giant exercise in margin manipulation while using browser defaults for most everything else.

To give you a better idea, this site’s content spans over 15 years with over 850 posts, pages, and demos. To style all of that, previous designs required upwards of 250KB–500KB of CSS. The previous design boasted a stylesheet weighing less than 50KB. This new design’s stylesheet is less than 15KB.

It may seem like overkill, but again I want to emphasize the goal of this design: greatest possible impact using the least possible amount of code .

Yes JavaScript

For JavaScript, the Yes theme employs progressive enhancement and graceful degradation. That means essentially that JavaScript is not required to access site content normally. In fact, the only JavaScript used for the entire site:

• Anchor offsets
• Break out of frames
• External links in new tabs
• Toggle light/dark mode

All that weighs in at a paltry 2KB, and none of it is required for normal functionality. If the user supports JavaScript, then the scripts are employed in progressive fashion, to enhance the user experience (a little bit). So when JavaScript is not available, the site still looks and behaves the same (i.e., graceful degradation).

Other Details

As far as design goes, here are some other details worth mentioning:

• Added a related posts archive
• Added a thoughts side blog for random thoughts and links
• The site menu is now its own page instead of a popup/overlay
• Implemented support for syntax-highlighting code (thanks to Prismatic )
• Decided to keep the comments section (thanks to a few die-hard commenters)
• Added the site tagline beneath the logo (was missing in previous theme)
• Fixed related posts script (wasn’t working correctly in previous theme)
• Better responsive for larger screens (displays 2nd sidebar)
• Kept the print styles, just in case (only costs 200 bytes)
• Dropped a bunch of social-media scripts and plugins

Basically, #25: Performance Over Perfection"> Yes is an example of a super minimal and lightweight WordPress theme. I did however splurge on a few bells and whistles:

• Subtle box shadows for images
• Subtle background image for top nav menu and footer
• And of course night mode

Everything else is about as bare-bones as possible without killing the inspiration. In my mind, the current design achieves an ideal balance between performance and usability slash aesthetics. The design is clean yet sort of has an unfinished, subtle rough feel to it that keeps me motivated and focused.

Performance Optimization

I really liked the previous design. But I’ve got some big plans for 2020 and redesigning Perishable Press sort of kicks off the whole process. So there were some key design patterns that I wanted to bring forward with the new design, things like:

• Sitewide uniform hyperlinks
• Uniform form fields and inputs
• Generous use of white space
• Sidebar-enabled layout
• Less emphasis on social media
• And of course Night Mode

I wanted it to be a natural progression from previous theme, very responsive, lightweight, fast, and flexible. The previous design was relatively close to running on browser default styles (fonts, sizes, colors, etc.). But the Yes theme obviously takes it much further. Especially “under the hood”, where the code is micro-optimized to balance aesthetic with performance. Things like:

• Only 15KB of CSS
• Only 2KB of JavaScript
• ~ 500KB of theme graphics (GIF, JPG, PNG, SVG)
• Use browser default font families, sizes, weights, colors, etc.
• Limits to two (or three) HTTP requests for CSS and JavaScript
• Overall page weight kept as light as possible
• All post images optimized for Web

I actually went into the fine-tuning phase of the design with like 12KB of CSS. It’s a good feeling that probably very few can appreciate.

Micro-Optimizing Code

To give you an example of how the code for this theme is micro-optimized for performance. WordPress includes all sorts of class names for the HTML output of many of its template tags . In general adding the extra class names and markup is useful, but it works against minimalist/performance-focused design.

So to avoid the extra weight when displaying lists of things like related posts, popular posts, post categories, tags, and so forth, wherever possible I replaced the template tag with the hard-coded output. To get that, first I spit out the list (or whatever) using the relevant template tag, edited the HTML to remove all the fluff, and then replaced the template tag with the simplified markup.

The theme also makes use of custom loops where possible, to display posts and whatnot using a minimal amount of markup.

Another example of micro-optimization at the theme level are template codes that are not necessary for the current design. For example, the design has no reason to include things like:

• the id attribute on each post, like id="post-<?php the_ID(); ?>"
• all the class names on each post, from post_class()
• all the class names added to the body tag, from body_class()

And so forth, for whatever extraneous template tags. Likewise with the CSS. Considerable time was spent optimizing the code to be as simple and concise as possible, while remaining flexible and human readable, so I can jump in and make changes on the fly. I’ve written before about micro optimizing CSS:

• How to Micro-Optimize Your CSS
• Obsessive CSS Code Formatting

I used some of these techniques while formulating the Yes theme stylesheet. There you can find further tips for optimizing CSS for performance.

Cutting the Fat

Optimizing performance means sacrifice. You’ve got to be a tyrant. For this design, here are some of the cool little bells and whistles that didn’t make the cut:

• Social media post buttons — simple cost vs. reward
• Twitter latest tweet thing — replaced with thought blog
• 3rd-party advertisements — sharing my own content instead
• Smooth “jump-to” scrolling — just not necessary
• Jump to top button — also not necessary

Plus lots of other CSS and JavaScript tricks that just aren’t necessary. Call me a weirdo, but it’s a good feeling to drop the frills and focus instead on content.

Honestly, I could have kept it even more super simple by omitting the toggling light/dark functionality. Shaved off a few more kilobytes off the load. But I hear from people who like being able to switch between the light and dark styles. So it stays for now :)

Performance Results

After launching the site’s new design, I tested its performance using some great (and free) online tools. Here are the results of the tests (click thumbnails to view full-size images). Note that all tests were just using whatever default settings provided by the service. I didn’t bother tweaking anything.

Yes theme performance results at gtmetrix.com

Yes theme performance results at Google PageSpeed (desktop)

Yes theme performance results at Google PageSpeed (mobile)

Yes theme performance results at pingdom.com

Yes theme performance results at uptrends.com

Yes theme performance results at webpagetest.org

The home page weighs in at around 110KB delivered, depending on which images are displayed. Try downloading the homepage (or any page) and look at the results. It’s like four files plus the .html file. Now compare that to other web pages. Google homepage currently downloads as six files (total download size = 1 MB). Twitter homepage is 16 files (2.3 MB). Facebook login page is 33 files (3.4 MB). Amazon is 194 files (3.2 MB). So it’s all relative, but I try to aim for the lower end of the scale.

The previous design was fast. This one is faster.

Built with speed in mind from the ground up. In fact, unlike almost all previous designs, no extra time was spent optimizing things post-launch. And performance scores may improve further, once the random query string is removed from the CSS/stylesheet request (leaving it in place for awhile). Or what Google refers to as “Critical Request Chains” in their PageSpeed report.

Take-home point: much performance awesomeness can be accomplished with good hosting and smart theme design.

So what’s the secret? Simple is better. Less is more. You’ve heard it a million times. That’s all it is. All those great performance scores are because of two main factors: fast server defaults and theme optimization. I don’t use any performance scripts or plugins, other than some caching rules in the site’s .htaccess file . If I had the time, I would dig into all the performance data and recommendations and work on fine-tuning toward even greater speed. But I’m fine with the current performance. “Mission accomplished” as they say.

Tested Browsers

Here are the browsers used to test the new design:

macOS

• Safari 13.0.3
• Firefox 72.0.2
• Waterfox 56.2.11
• Opera 66.0.3515
• Chrome 80.0.3987.87
• Brave Version 1.2.43

PC/Win

• Edge 44.18362
• IE 11.535
• Firefox 72.0.2
• Waterfox 2020.01
• Opera 65.0.3467
• Chrome 80.0.3987

iOS 13.3.1 (iPad/iPhone)

• Safari 13.3.1
• Firefox 14.0b12646
• Brave 1.6.6
• Chrome 76.0.3809

Android 8.0.0

• Chrome 79.0.3945
• Opera 55.2.2719
• Brave 1.5.3
• Opera Mini 46.0.2254

The design was tested pretty extensively on all of these browsers; it is fully responsive from widths of 320px and up. I could find only two unresolvable bugs:

• On iOS fixed/sticky position is kinda wonky in all browsers, for example background-color not working on sticky-position elements
• Tabbing thru the document on Chrome, the focus styles on the first two (icon) links look weird/offset

If you happen to come across any bugs or weirdness while visiting the site, or if you have ideas for improving, please let me know .

Retrospection

I began this redesign on December 20th and launched today, February 6th 2020. Probably spent on average about 4 hours per day, pretty much seven days a week. So around 200 hours from initial plan to completion. As explained, going into the redesign, I wanted to find an optimal balance of performance and aesthetics.

During the redesign process, I found it very challenging to restrain my creative compulsivity while pushing design limits and breaking old habits. I found that focusing on performance, and trying to balance with usability, helps to restrain the endless design options. It frees you to explore concepts more deeply, because you’re working in a finite creative space. You have to make more of every bit of design you want to use. It’s entirely an iterative process: diving in, making progress, getting stuck, letting go, and then coming back to it.

Now looking back on the event, I see that the challenges and frustrations along the way meant that I was learning and expanding my skills. Overall I think the design turned out great. It inspires me to work on the site, post content, etc. And more importantly, it completes the Phase 1 of my plan for 2020 . So now it’s on to Phase 2: add a sub-domain to Perishable Press and build a new bookstore. Then it will be time to write some more books ;)

Almost There

The previous several themes have been trending further toward absolute minimal. Now that there is only one theme left — the “z” theme — in the Perishable Press Alphabet-series themes , I think the next one will be more visually striking, with more graphics and super styles, like Chris Coyier’s latest space-age incarnation of CSS-Tricks . With the fancy scrollbars, bold colors, and all-around fun user experience. Maybe something reminiscent of the Quintessential theme . I still want to keep strong performance focused. So the next challenge will be to spend my design credits as wisely as possible.

The 7G Firewall was released about a year ago as beta, and has had time now to mature/develop into a stable release. So this is just a heads up that 7G is now officially out of beta and ready for use in live/production environments.

Thank you to everyone who helped with development by providing bug reports and feedback for 7G, very much appreciated.

For more information about the thinking and work behind the nG-series firewalls, check out this post on building the 4G blacklist .

I like sharing my plans with those who will listen. For example, last year I said what I was going to do in 2019 , and as far as I can tell it is mission accomplished. Now my goals for 2020 are a little more structured and ambitious..

Whereas last year, I wanted to just kinda “go with the flow” and see what happens. Looking back, it went well and relatively according to plan. The first half of the year was a lot of work, and then things sort of leveled off in the summer and into fall. The last few months of 2019 were a blessing, as they enabled me to recharge my creative battery and prepare for what’s next.

So now in 2020, I am feeling super-charged and focused, ready to go. The plan is to simplify and amplify my efforts toward better results. Currently I’ve got a million projects and things all over the place. So I’m putting much more emphasis on simplifying my workload and routine.

A big part of simplification is consolidation and elimination. As much as I dislike ending projects (especially long-running ones), I want to cut way, way, way back on the number of “little” tasks I have to do, each year, each month, etc. The more stuff you put out there, the more time it takes to keep things updated and working with all the latest. And with 20+ years working online, it definitely is time to simplify.

Instead of having a million little projects, I want to consolidate my efforts and focus on two things: books and plugins. By the end of the year, around 90% of my online time will be spent on either writing books or developing plugins. That’s a lofty goal, but something definite to work towards.

Online work goals

Here is a quick overview of some of the online goals I want to achieve in 2020:

1. Redesign Perishable Press (in progress, nearing completion)
2. Add a books.perishablepress.com subdomain
3. Build a bookstore on the subdomain
4. Move my current bookstore to the subdomain
5. Remove e-commerce stuff from current book sites (e.g., DigWP.com , .htaccess made easy , The Tao of WordPress , and WP Themes In Depth )

So the current book sites will be more static (read: less work) and just point to the books subdomain here at Perishable Press. That way I’ll have two main properties to focus on: Perishable Press (books/tutorials) and Plugin Planet (plugins).

More focus = higher quality.

I find that, between books and plugins, I get to do most of the things I enjoy online. Like writing, blogging, designing, publishing, graphic design, photography, web development, server ops, security, SEO, and the occasional audio track and/or video production. Producing books and plugins makes use of all those thangz.

So that’s the big push for this year. Lord willing, there will be enough time to achieve these goals while maintaining a good balance between online and real-world realities. It’s gotta be 50/50 or you’re just missing out on too much good stuff.

Here’s to 2020 and beyond.

Around the end of December 2019 and then now well into January of 2020, I’m seeing a massive spike in aggressive malicious scanning for uploads-related targets. In particular, there are massive numbers of requests for URL targets involving uploadify , plupload , and similar. Typical scans hitting upwards of 30K–50K requests per attack. Just relentless exploit scanning on steroids.

Getting hit with 30K–50K scans across all domains, all web hosts. So to minimize the drain on server resources, I put together a mini firewall to block them.

Stop the madness

Thousands of redundant, exploit-seeking requests hitting your server every minute is a bad thing, and should be stopped at the server level asap. Save those precious resources for legitimate visitors. To help with this, I developed the following Apache/ .htaccess ruleset. It straight up blocks about 90% of the latest uploads-related malicious scanning. Here it is, short & sweet:

# 7G Addon: Stop Aggressive Scanning for Uploads-Related Targets
# https://perishablepress.com/stop-aggressive-scanning-uploads/
<IfModule mod_rewrite.c>

	# RewriteCond %{REQUEST_URI} /php(unit)?/ [NC,OR]
	# RewriteCond %{REQUEST_URI} \.(aspx?|env|git(ignore)?|phtml|rar|well-known) [NC,OR]
	# RewriteCond %{REQUEST_URI} /(cms|control_panel|dashboard|home_url=|lr-admin|manager|panel|staff|webadmin) [NC,OR]
	# RewriteCond %{REQUEST_URI} /(adm(in)?|blog|cache|checkout|controlpanel|ecommerce|export|magento(-1|web)?|market(place)?|mg|onli(n|k)e|orders?|shop|tmplconnector|uxm|web?store)/ [NC,OR]
	
	RewriteCond %{REQUEST_URI} (_timthumb_|timthumb.php) [NC,OR]
	RewriteCond %{REQUEST_URI} /(install|wp-config|xmlrpc)\.php [NC,OR]
	RewriteCond %{REQUEST_URI} /(uploadify|uploadbg|up__uzegp)\.php [NC,OR]
	RewriteCond %{REQUEST_URI} /(clipboard\.min\.js|comm\.js|mysql-date-function|simplebootadmin|vuln\.htm|www\.root\.) [NC,OR]
	RewriteCond %{REQUEST_URI} /(admin-uploadify|fileupload|jquery-file-upload|upload_file|upload|uploadify|webforms)/ [NC,OR]
	RewriteCond %{REQUEST_URI} /(ajax_pluginconf|apikey|connector(.minimal)?|eval-stdin|f0x|login|router|setup-config|sssp|vuln|xattacker)\.php [NC]
	
	RewriteRule .* - [F,L]
	
</IfModule>

I’ve added this mini firewall to most all of my sites. The result? It stops about 90% of those massive uploads attacks at the server level. So downstream resources like PHP and MySQL aren’t called, thus saving tons of memory, bandwidth, and other server resources. It is proving to be very effective, at least on my own Apache-powered sites. Of course, your mileage may vary.

Changelog

• 2020/01/28 — removed plupload
• 2020/02/02 — removed upload.php

About the code

What’s happening with the code? I’m glad you asked. Here is an overview:

• First, check if mod_rewrite is enabled via <IfModule>
• Next there are four lines/conditions that are disabled (commented out)
• Then there are six lines/conditions that are enabled
• Next, any matching requests are denied access via 403 forbidden status (via the RewriteRule )
• Lastly, close the opening <IfModule> container

So now the interesting bits.

The four commented-out lines (conditions) are there for your consideration. Each or all of these four lines may be enabled only IF you are sure that none of the matching patterns could block any legit requests on your site. For example, I leave the first line disabled because otherwise it would block requests for my PHP category. If you look at that linked URL , you will notice it includes /php/ , which is one of the patterns blocked in that first commented-out rule. The four rules are very powerful and block a LOT of bad requests, but they also have the potential to produce false positives. So you want to be extra careful before enabling.

Then for the six active conditions. These lines alone effectively stop most of the aggressive uploads-related scanning. If you examine the patterns (regex) in the rules, you will find that many of the targeted keywords and phrases are matched and blocked. Even though I am running these conditions without issue on my own WordPress-powered and regular/vanilla HTML sites, it is recommended to test thoroughly and report any false positives or bugs, etc.

For more details about how the above mini firewall works, check out some of the related posts in the nG tag archive . Tons of useful/relevant information and other techniques are yours to discover.

The worst part

The worst part of such aggressive scanning is the redundancy. The idiots running these attacks are doing it “brute force” style with hundreds or even thousands of identical/repeat requests for the same targets. This is wasteful for everyone, including the attackers. Repeatedly requesting the same set of URL s over and over and over again.. you’re just wasting your own resources (CPU, RAM, bandwidth, energy, time, etc.). Especially when the requests are only a few minutes or even seconds apart. Why don’t you morons try remembering the responses you’re getting from your target servers. Would save you TONS of time and resources, especially when cranking out 30,000 to 50,000 or more requests per scan. Seriously. At least act like you’ve got a clue and aren’t a complete waste of human existence.

</rant>