The RSS specification allows you to have an <image> element in the header of your RSS feed.  A long time ago, if you used Wordpress, you'd have to edit the wp-rss.php file and be very careful when you upgraded to new releases, or your change could be lost.

But if you use a modern version of Wordpress, you should take advantage of the do_action('commentsrss2_head') hooks* in the feed-rss... .php files.

Here's what you'd do: Add the following code to your theme's functions.php file:

function add_my_rss_image()
{
    echo '<image><title>', bloginfo_rss('name'), '</title>';
    echo '<url>', bloginfo_rss('stylesheet_directory'), '/images/button.gif</url>';
    echo '<link>', bloginfo_rss('url'), '</link>';
    echo '<width>88</width><height>31</height>';
    echo '<description>Description of your blog.</description></image>';
}

add_action('rss2_head','add_my_rss_image');
add_action('rss_head','add_my_rss_image');
add_action('commentsrss2_head','add_my_rss_image');

Take care to actually put an image file in the path specified, and adjust the width and height accordingly.

Et, voila! Now your feeds have images, and they're forwards compatible with future versions of Wordpress. Oh, did I say future versions of Wordpress? Excuse me, I have to:

svn sw http://svn.automattic.com/wordpress/tags/2.6/

Blam! Upgraded. Sweet.

* Also rss2_head and rss_head, just so I cover the appropriate Google terms.

How did I miss this?  The latest update (to 2.3.3) fixes an exploit that may have been used at my own site.

For me, the update process looked like this:

1. ssh to my blog's directory.
2. svn sw http://svn.automattic.com/wordpress/tags/2.3.3

Yea!

I was doing some general cleanup around the blog. (Considering widgetizing the sidebar...) I re-validated the XHTML, and some errors came up. The following code was inserted into the content of a post. (Which is contained inside a MySQL item.)


<p id="displayer" style="display:none">
CD and DVD films available for download at <a href="http://my-movie-download.com/">download movies</a> site, cheap prices and fast downloading.</p>


The evil little snippet above says that humans won't be bothered with the link, but search engines will notice it.  Also, the following was actually inserted into my theme's index.php.


<form id="srch" name="srch" style="overflow:hidden;width:0pt;height:0pt" method="post">
DiVX and DVD films available at <a href="http://my-movie-download.com/">download movies</a> portal, low prices and fast downloading.
</form>


Just like the prior snippet, humans won't see the link, but search engines will.

It's hard to describe how annoying this is. Somebody/bot found a way to compromise my blog's directory and its database.  I only sftp and ssh to the site. (Although in the past I have ftp'ed. No more!) I thought I chmodded the wordpress files to -rw-r-----, but I see now that there are more extensive write permissions in some directories.

I checked the last few logins, but they were all mine this month.  (And my host clears the log every month.)  I have to monitor the situation closely.

Ye gods, the referrer spam goons are aggressive!  Aargh!

How hard do I rock?  Let me give you an example.

Date:  The near future.

Scene: David's blog, a jewel of php code, with a few custom modifications to the WordPress framework.  Does anybody else have an <image> element in their <channel> in their feed-rss.php family?  Doubtful.  Oh, how about user friendly "there's more content this way" ellipses in their wp_trim_excerpt() function in their formatting.php?  Ha!  The world would be so much nicer if only they did.

But what's this?  There's danger brewing.

A vulnerability in the pingomatic server unleashes a feedback ping ripping a hole via XSS into every single wp_footer().  Everybody who posts, pings.  And everybody who pings gets spam added to their footer.  And everybody who pings suffers a debit from their PayPal account.

Never fear!  Matt Mullenweg's team of crack coders patches the hole the exploit accessed in the WordPress code.  But now WordPress users across the world must scramble to follow the tedious upgrade instructions.  And then re-apply their custom changes.

Oh, the humanity!  Why isn't David panicking?  Why isn't he in despair?  Doesn't he realize the danger to his blog?!  Doesn't he realize the tedium that awaits him?

Let's zoom in and see what he's doing...

David grabs a few dark chocolate covered espresso beans, and casually pops them into his mouth.  He ssh logs into his blog's directory.  He types,

svn sw http://svn.automattic.com/wordpress/tags/2.3.2/

and logs out.  He's done.  His blog is updated, protected, and his customizations are intact.  He turns up his MP3 player and goes outside to enjoy the sun.

(In other words: My blog is now a subversion sandbox.  Whee!)

I'm a big fan of Wordpress (I use its code at my own site and they host my work blog).  So although I'm very much done with flamewars, the Duncan Riley article on Matt Mullenweg's feeling about monetizing Open Source (and its thread) at TechCrunch caught my attention.

Duncan and Matt go at it in the comments.  But that's not what interests me.  It's the whole concept of ethics involved in monetizing open source.  (What ethics?  People will flock to your open source, or they won't.)

This coming from a guy (me) who's paid money to some open source projects that he uses, but not to all.

My latest daddy blog contains a little illustrative mouse art.  It's so bad, it works.

I took the day off to do some Halloweeney stuff with the family. But I got to sneak in an hour or two to do work, which is sorely needed.

Except, well, I noticed that my blog's backend is WordPress 2.0.4, but 2.0.5 is out now. And, well, I simply have to upgrade. Security fixes and all. But I mustn't forget to merge in my personal tweaks, lest I lose them. (As I did from 2.0.3 to 2.0.4. Grr.) Copy, merge, compare, upload...

So, I didn't do any work, but I got something else done.

It's time to clean up some of the automated processes at my website. I've got processes that generate Zeitgeist and referrer pages. These processes use lists (which are themselves automatically updated with "suspected new" entries) of known-good-search-engines and known-referrer-spam sites. But, eventually, I have to go in and check that the lists are what they should be.

So, here are the tasks for Spring Cleaning this year:

1. Download my personalized Zeitgeist.pm, being careful to maintain the unix line-terminating character. (0x0A) Download the list files and some test log files.
   
2. Lock the files so I don't accidentally change the line-termination, or make a modification I can't easily back out of. (I use CVS, but this is work "on the side" in-between commits.)
   
3. Install FoxServ
   
4. Connect to localhost, just to make sure things are copacetic.
   
5. Proofread and update "searchengines.txt" and "referrerexclusions.txt" with the approved new entries.
   
6. Add documentation directly to zeitgeist lists, because I have to keep reminding myself what each field is. (Currently, the lists have no preamble.)
   
7. Get the site's control panel working. (The raw logs are no longer written where the cpanel looks for it.)
   
8. Rename the site from "Daddy Blog" which is now too generic. (Other fathers have been blogging for a few years, now. I'm not so novel.)
   
9. Add win/loss ratio to the RPS site.