WordPress REST API security risks

I’d recommend any WordPress user install the disable-JSON-API plugin.  This will prevent anonymous access to WP REST API endpoints such as /wp-json/wp/v2/users – which provides a list of usernames (API docs).  A username is half of a login credential: anyone who can enumerate them can go straight to password guessing against wp-login.php or XML-RPC, so there is no reason to hand them to anonymous visitors.

The REST API was introduced in WordPress 4.7 and is (unfortunately) on by default with no option in settings to turn it off – the idea is that in time it will be used for AJAX in parts of the admin system, not just for external requests.   There is a good chance that if you were running 4.7.0 or 4.7.1 and did not upgrade promptly to the 4.7.2 security release, posts may have been defaced: 4.7.2 fixed a bug that allowed unauthenticated requests to the REST API posts endpoint to modify post content.
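To confirm that the plugin (or whatever else you did) actually closed the hole, here is a small check script.  It is added here as an example and is not code from the original post or from the plugin: it fetches /wp-json/wp/v2/users anonymously, classifies the response and lists any usernames it leaks.  The only tool it assumes is curl; the two sample responses embedded in it are constructed for the offline demo (the "blocked" one has the shape of a WP_Error response but is not copied from the plugin).

```shell
#!/bin/sh
# Added example, not code from the original post or from the plugin:
# check whether a WordPress site still answers anonymous requests to
# /wp-json/wp/v2/users, and list the usernames it leaks if so.
# Assumes only curl for the live check; the sample responses below are
# constructed so the classification logic can be exercised offline.
set -eu

# Constructed: the shape of an unprotected 4.7 site's anonymous answer, trimmed.
SAMPLE_EXPOSED='[{"id":1,"name":"Site Admin","slug":"admin","link":"https://example.com/author/admin/"},{"id":2,"name":"Alice","slug":"alice","link":"https://example.com/author/alice/"}]'
# Constructed: a WP_Error-style refusal of the kind a REST-blocking plugin returns.
SAMPLE_BLOCKED='{"code":"rest_cannot_access","message":"Only authenticated users can access the REST API.","data":{"status":401}}'

# Classify one response: prints exposed, empty, blocked, absent or unrecognised.
# Arguments: HTTP status code, response body.
classify_rest_users() {
  status=$1
  body=$2
  case $status in
    200)
      case $body in
        "[]"*)          echo empty ;;        # endpoint open, but no users listed
        "["*'"slug"'*)  echo exposed ;;      # JSON array of user objects: enumeration works
        *)              echo unrecognised ;; # 200 but not the users endpoint (e.g. an HTML page)
      esac ;;
    401|403) echo blocked ;;   # authentication required: what the plugin should give you
    404)     echo absent ;;    # no REST route there at all
    *)       echo "unrecognised:$status" ;;
  esac
}

# Print the usernames (the "slug" fields) from a users-endpoint body, one per line.
rest_user_slugs() {
  printf '%s' "$1" | grep -o '"slug":"[^"]*"' | sed 's/^"slug":"//; s/"$//'
}

# Live check (needs network): fetch the endpoint anonymously and classify it.
check_site() {
  site=${1%/}
  body_file=$(mktemp)
  status=$(curl -s -o "$body_file" -w '%{http_code}' "$site/wp-json/wp/v2/users?per_page=100")
  body=$(cat "$body_file")
  rm -f "$body_file"
  verdict=$(classify_rest_users "$status" "$body")
  echo "$site: HTTP $status -> $verdict"
  if [ "$verdict" = exposed ]; then
    rest_user_slugs "$body" | sed 's/^/  leaked username: /'
  fi
}

if [ -n "${1-}" ]; then
  check_site "$1"           # e.g. ./wp-rest-users-check.sh https://example.com
else
  echo "offline demo, unprotected site: $(classify_rest_users 200 "$SAMPLE_EXPOSED")"
  rest_user_slugs "$SAMPLE_EXPOSED" | sed 's/^/  leaked username: /'
  echo "offline demo, protected site:   $(classify_rest_users 401 "$SAMPLE_BLOCKED")"
fi
```

Run it with your site's URL as the first argument; with no argument it runs the offline demo against the constructed samples.  A 401 or 403 is what you want to see after installing the plugin; a 200 with user objects means the usernames are still public.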

Also be aware that the WordPress readme.html file no longer displays the full version number – e.g. it will show 4.7 rather than 4.7.2 (a step backward, IMHO).  You can still get the exact version by clicking the WordPress icon at the left of the admin bar (and of course WP-CLI users can run: wp core version).

Git apply no output / no effect – troubleshooting Drupal patches

Be aware that for Drupal, when testing patches from the core issue queue, the git apply command given in the issue only works as typed in a checkout of the main repository:

https://git.drupal.org/project/drupal.git (browse code)

(i.e. check out the 8.2.x or 8.3.x branch according to the issue)

and not in a drupal-composer/drupal-project checkout (e.g. a DrupalVM install), where the Drupal root is the web/ subdirectory of the project repository.

There is a logical reason.  git apply resolves the paths in a patch (core/lib/…, core/modules/…) against the root of the repository it is run in, and when run from a subdirectory such as web/ it silently ignores every path that falls outside that subdirectory – so the whole patch is skipped.  (The commit IDs in the patch’s index lines are not the cause; a plain git apply does not look them up.)  Instead you should use:

patch -p1 < example.patch

…as described here.  (Use patch -R -p1 < example.patch to reverse it.)  Alternatively, from the root of the project repository, git apply --directory=web example.patch prepends web/ to every path in the patch, so git then finds the files under web/core.

What’s less helpful is that git apply gives you no warning there’s a problem – you’ll run the command, see [ok] (exit status 0) but no other output, as though it had worked.

Likewise using any of these switches won’t print anything to the screen:

--verbose
--summary
--check

Annoyingly, the documentation for --check implies it would tell you:

Instead of applying the patch, see if the patch is applicable to the current working tree and/or the index file and detects errors. Turns off “apply”.


Suggested Checklist

  • create a new branch for the patch you’re testing
  • run git diff to check the files have actually been altered (in a drupal-project checkout web/core is normally gitignored, so git diff shows nothing there – check the patched file directly, e.g. grep for a line the patch adds)
  • run drush cr too, to rebuild caches before testing

Obscure techniques for developers to minimise macOS CPU, disk I/O and power consumption

updated Sat 11 Feb 2017


Assuming you’ve done all the obvious things – removing unwanted apps, closing apps that don’t need to be open, removing System Preferences pane based apps you can do without, tidying the Login Items list, freeing up sufficient disk space, upgrading RAM, removing unnecessary browser extensions, etc. – here are some less obvious ones:

  • Exclude every website, Git repository and virtual machine on your Mac from Spotlight search (System Preferences → Spotlight → Privacy).  This made an incredible difference in CPU activity for me (mdworker and mds are the processes to look for in Activity Monitor).
  • Reduce the quantity of files in your Dropbox folder. It can’t cope with hundreds of thousands of files – or at least the indexing process on initial login becomes lengthy and CPU intensive as you near Dropbox’s own estimate of 300,000 files.  Avoid having any Git repositories in there; just make sure you (a) have local backups (Time Machine only backs up certain files and directories) and (b) push to GitHub, Bitbucket or somewhere else off-site regularly.   Or download the AWS CLI and sync a .tar.gz to an S3 bucket occasionally.
  • If you use PhpStorm, turn off all the Language Injections you don’t need, turn off all the Inspections you don’t need and remove any unnecessary plugins.  You’ll almost certainly have a handful of candidates in each of those three areas – i.e. languages or frameworks you never use.  Just familiarise yourself with what’s available every now and again, so that if you do work on an unusual project you have a better chance of remembering to turn the necessary options back on.

(P.S. I’m still using El Capitan 10.11.6 and have no plans to upgrade for several months.)

Mac load average

$ sysctl -n vm.loadavg
{ 1.29 1.38 1.45 }

If you think the Mac load average seems high compared to Linux, here’s an explanation of how it’s calculated.  The CPU idle % is a more useful measure of how loaded your system is (the above measurement was taken with 97% idle CPU).

Troubleshooting Drupal\Core\Template\Loader\ThemeRegistryLoader – Unable to find template

(NB: this post refers to Drupal 8)

You may see an error like this if you’re developing a theme with caching disabled and twig.config.auto_reload on, and you’ve just removed a template from a subtheme:

Twig_Error_Loader: Template "themes/custom/test/templates/field--node--title.html.twig" is not defined (Drupal\Core\Template\Loader\ThemeRegistryLoader: Unable to find template "themes/custom/test/templates/field--node--title.html.twig" in the Drupal theme registry.)

To get rid of this you need to clear the theme registry; until you do, it won’t correctly fall back to the equivalent file in your base theme.

Similarly, if you add an extra template to a subtheme, Drupal will ignore it and continue to use the base theme’s template until the theme registry is cleared. (You won’t get an error, but you’ll wonder why your changes haven’t been reflected.)

To reset it:

drush cc theme-registry

or:

drush cr

The latter is less precise and takes longer to run, but is quicker to type the first time. Or you can run drush cc and pick the number from the menu.

Note this happens (for me) regardless of whether twig.config.cache is true/false or whether the dynamic page cache is disabled.

Getting voice memos off an iPhone

If you are losing the will to live trying to transfer voice memos from your iPhone using iTunes with iOS 10, I would suggest you give up following tutorials and fiddling with the sync settings and just get a program called iMazing – you plug the phone in, go to Voice Memos, select the ones you want, click Export, and choose a directory to save them in. (They remain on the phone.)

(There’s a free trial and you can either buy it directly – £35 – or it’s in the new Setapp macOS app subscription, which is $10/month but is also in a free beta period until the end of January 2017.)

Blocking spam text messages on iOS 10

I’m blogging this because the user interface in different parts of iOS isn’t consistent, so it’s not immediately obvious how to do it.

Suppose you receive a spam/unwanted text from a particular number (a full number or a shortcode, it doesn’t matter):

– open Messages and view the conversation
– tap the (i) symbol in the top right corner
– tap the phone number on the following screen (not the icons – the actual number, over to the left of the screen; you may not think it’s tappable, but it is)
– the next screen will have a Block this Caller link at the bottom

This is confusing because there are other ways to bring up a similar screen but without the Block option at the bottom.

Tested in iOS 10.1 and 10.2