Single sign-on (CAS) replaces LDAP

All sites in the OIT-managed WordPress environment now use Princeton University's Central Authentication Service (CAS) for authorizing access to protected pages, including the WordPress admin dashboard. This replaces the LDAP-integrated WordPress login page.

Screenshot of old and new login pages

The old WordPress log-in page is on the left; the CAS log-in page is on the right.

Accessing /wp-admin or wp-login.php will automatically redirect to the CAS login page. After authentication through CAS with a Princeton netID and password, a logged-in user will be directed back to the original WordPress site. If a netID uses Duo two-factor authentication, Duo will work the same here as with any other CAS-enabled site.

One feature that is not available with the new CAS solution is the ability to bulk add authorized users to a site. We hope to find or write a plugin that will re-enable this feature.

Enabling CAS was one of the last milestones before migrating all of the sites in our managed WordPress environment to a cloud hosting provider.

WordPress 4.7 deployed, Twenty Seventeen coming

This morning we deployed WordPress 4.7 to the OIT-managed WordPress environment.

One of the main new features of the new version is a brand new default theme, Twenty Seventeen. This theme is not yet activated across our network because I want to first create a child theme that includes the option to add the Princeton University branding to the footer. I will get this theme deployed by the end of next week.

Another main new feature is that Custom CSS is now available in the WordPress Customizer, allowing live previews of CSS design changes. This builds on the custom CSS feature that is part of the Jetpack plugin suite.

WordPress 4.7 “Vaughan”

WordPress 4.3 is live

I have deployed WordPress 4.3 across the sites in our WordPress network.

New features include formatting shortcuts in the editor, an option to edit the menus in the customizer, and a customizer option to add a browser and app icon to your site.

The “enforce strong password” feature does not really apply to our environment, as we manage our passwords in the Princeton University directory service (LDAP) instead of locally within WordPress.


Oh, the humanity!

Update: It appears that the whitelist is not preventing the arithmetic CAPTCHA. I will contact Jetpack support for more information.

Those of you logging into the admin area of sites on our WordPress network may have been repeatedly asked to “prove your humanity.” This is a feature of the Jetpack plugin suite that helps protect against brute force login attempts.

“Human” users would have to solve an arithmetic problem and enter the answer in a tiny box. This tiny box was easy to miss, so multiple failed attempts to log in would add up, and the username trying to log in would be temporarily locked out.

I have added all Princeton University IP addresses to the whitelist settings for the Jetpack Protect feature, so in the future, you should only encounter this test of your humanity when logging in from an outside network.

WordPress 4.2.1 is deployed

Normally we wait for the breaks in between semesters to deploy feature updates to WordPress core. However, a cross-site scripting (XSS) vulnerability was discovered recently in the WordPress commenting system. A patch was quickly released for the latest feature release (4.2), but not for the release that we were running (4.1.2).

All site networks protected by the Akismet anti-spam plugin (as this one is) should have been protected against this vulnerability; however, we decided to play it safe and upgrade to WordPress 4.2.1.

The new features for this release are minor. They include support for 4-byte Unicode characters like Han characters and emoji. 🐯🎉🎈 The “Press This” bookmarklet tool was enhanced. Tumblr and Kickstarter were added to the list of supported oEmbed services. You can now switch themes right in the appearance Customizer. Also, the WordPress admin interface has a tweaked default color scheme — consistent cool grays replace the neutral and warm grays.

You can see a full rundown of the new features in this video from WordPress.TV.

WordPress 4.1 is deployed

Updating WordPress during intersession week (also known as "wintersession") has become an annual tradition. This year the version is 4.1 “Dinah,” named for jazz singer Dinah Washington.

The headline feature of this version — the blog-focused Twenty Fifteen theme — is not yet active on our network. I have not yet had a chance to create a custom child theme based on that theme. That will arrive in the next couple of weeks.

This version of WordPress has a significantly improved distraction-free writing mode that lets the sidebars fade away while you are composing a post.

If you’ve ever worried you forgot to sign out from a shared computer, you can now go to your profile and log out everywhere. There is a new "Log Out of All Other Sessions" button right above the Avatar section.

There are many under the hood improvements and bug fixes.

Finally, oEmbed support for Vine videos is now baked in. Just paste a Vine URL into a post on its own line. The Vine clip below is from the Princeton University Vine account.

About the Extended Outage this Weekend

On Saturday, October 18, this WordPress service suffered its longest outage, which lasted approximately 12 hours. On Sunday there was another outage for an hour right before noon.

The reason for this outage was a misconfigured Kace appliance server that was monopolizing all of the http processes on our servers. The Kace server was taken offline Saturday evening, and normal service returned. Then someone brought the same server back up on Sunday morning (without regard for our service), and the outage resumed.

The errant server was moved behind a different firewall, so this exact outage should not happen again. However, we will take steps in the coming weeks to guard against changes to the environment taking down our service again.

I apologize for this outage and the general unreliability of our WordPress service.

WordPress 4.0 is deployed

Update: Thursday morning I upgraded our network to WordPress 4.0. Everything appears to be running smoothly.

After testing WordPress 4.0 for about a week, the new version looks ready to deploy to our network. Normally we would wait a bit longer; however, we try to avoid feature updates to WordPress core during the semester. That would mean having to wait until late January, and WordPress 4.1 should be out by then.

The jump from version 3.9 to 4.0 is no more significant than the jump from 3.8. They just chose not to use “3.10” as their new number as Drupal or OS X would do. There are three new features that will impact content creators on our network directly.

Media Library Grid. There is a new grid view in the Media library, with the Edit dialog displaying in an overlay, rather than a new page. The list view is still there and functions the same as in the previous version.

Seamless Media Embeds. Embeds now preview right in the visual editor. This includes image galleries and media that uses oEmbed (YouTube, Vimeo, Media Central, SlideShare, Twitter). For example, as soon as you paste a YouTube link into the visual editor, a progress bar appears, and a preview of the video is immediately visible. You can even play the video right inside the visual editor. If you have a large number of video embeds in a post, this might slow down the initial rendering when you go to edit a post. There is one huge annoyance with this feature. After the live preview of the embed is rendered, WordPress inserts the cursor before the embed. I would expect the cursor to be inserted after.

Intuitive Editing. The last change auto-expands the visual editor as you type and then keeps the toolbar in a fixed location as you scroll back upward. This feature takes some getting used to, but it does make the visual editor seem more productive. Content authors who dislike this feature can turn it off individually, via the “Screen Options” button at the top of the Add or Edit pages, as depicted in the following screenshot.

Screen Options dialog