CloudFlare plugin breaks WordPress repeatedly

Cloudflare is a reverse proxy service that protects hundreds of thousands of websites, The Orbit included, from attacks like DDoS, spam, brute force, and various other exploits. Without it, in the adversarial environment that the Internet happens to be for social justice oriented folks, we would be crushed under the weight of people desiring to silence us. So, they’re doing us a great service, and we are indebted to them.


Yesterday, after a major vulnerability was discovered in the Cloudflare plugin for WordPress, which could allow sites to be cross-site scripted (an attacker getting their own script into pages the site serves to other visitors), it seems as though they panicked and decided to encode *all* POST and GET data, which caused a major set of problems. People trying to edit posts found every non-alphanumeric character turned into an HTML entity (":" became "&#58;", for instance). Then, on the next save, those entities were themselves re-encoded, the "&" that starts each entity being turned into an entity too.

Over and over and on and on, the posts were getting more and more corrupted. And that wasn’t the only thing that was busted — admins were being told they didn’t have permissions to access certain pages, because the links to those pages were having parts of themselves converted to HTML entities as well. End users could see the site, but admins were fully hamstrung. Greta was working on Steven Universe episode 8 and got stopped short, emailed me to find out what broke, and to my horror, the auto-updated plugin for Cloudflare was actually hampering my ability to do anything in the WordPress admin. I thought we were in serious trouble, but I tracked it back to the plugin which had just updated to version 1.3.21. I pulled out an older version from Sunday’s backups, 1.3.20, and the problem was resolved. Then I found out WHY they’d updated it, and apparently there are such hacks in the wild right now.

So. Rather than risk getting us hacked, when they quickly released 1.3.22 to fix how they broke half of WordPress, I let it install that version.

Overnight, they’ve since updated to 1.3.23 to fix how they send things back to Cloudflare to pre-detect spam. So they made a giant mess and they’re clawing back at it right now.

There’s a problem that several people are reporting presently, that they can’t post comments while not logged in by submitting their email addresses — because the email address never validates. Clearly this is because the Cloudflare plugin is trying to sanitize that variable as well, incorrectly. Other blogs are also having this issue, as seen here: ERROR: The email address isn’t correct. (4 posts) and here: ERROR: The email address isn’t correct. (3 posts). This problem isn’t just impacting The Orbit, but any WordPress site that uses Cloudflare.

But because of the terrible nature of what they’re fixing here, we kind of have to ride out this storm. I could try to implement my own bugfix for this, e.g. by removing email address validation, but that would have other negative impacts on the rest of the site.

For now, please log in to make comments. Sorry for the inconvenience. Hopefully they’ll fix this issue too, as soon as possible.

This is a disaster and it was entirely avoidable through proper QA of the plugin before it being released. The rapid fire nature of the plugin updates speaks to a sort of panic to address the initial vulnerability, which is laudable, but a lack of foresight as to what kind of impact specific changes might make to the rest of the service. Those of us who rely on the plugin should not be stuck choosing between being hacked, being entirely unprotected against DDoS and spam, or having people be able to comment.

UPDATE: they released an update which properly namespaces their variables and only sanitizes those variables, so things should finally be under control. This is why you don’t release plugin updates into production without testing.

Try again to comment, please, folks.
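To make the failure mode concrete, here is an added illustration in Python (my own code, not the plugin's, which is not reproduced here) of what happens when a plugin rewrites every request parameter it can see versus only the parameters it owns, which is the difference between the version that corrupted posts and broke anonymous comments and the update that namespaced its variables. The encoder approximates the behaviour described above, turning every non-alphanumeric character into a numeric entity; the parameter names, the `cloudflare_` prefix and the email check are assumptions for the demonstration, not the plugin's or WordPress's own.

```python
import re

# Added illustration, not the Cloudflare plugin's code. It approximates the
# behaviour the post describes (every non-alphanumeric character in every
# request parameter turned into a numeric HTML entity) and contrasts it with a
# filter that only touches the plugin's own, prefixed parameters.
# Parameter names, the "cloudflare_" prefix and the email regex are assumptions.


def encode_all(value):
    """Encode every non-alphanumeric character as a numeric entity: ':' -> '&#58;'."""
    return "".join(c if c.isalnum() else f"&#{ord(c)};" for c in value)


def broken_plugin_filter(request):
    """1.3.21-style: rewrite every parameter in the request, whoever owns it."""
    return {key: encode_all(value) for key, value in request.items()}


def fixed_plugin_filter(request, prefix="cloudflare_"):
    """Post-fix style: sanitize only the parameters in the plugin's own namespace."""
    return {key: (encode_all(value) if key.startswith(prefix) else value)
            for key, value in request.items()}


def save_rounds(content, plugin_filter, rounds):
    """Simulate an author loading a post, re-submitting it and saving, `rounds` times.

    Each round sends the stored content back through the plugin's filter, which
    is exactly the loop an editor goes round when fixing a typo."""
    history = []
    for _ in range(rounds):
        request = {"post_content": content, "cloudflare_token": "a:b"}
        content = plugin_filter(request)["post_content"]
        history.append(content)
    return history


# Deliberately simple stand-in for WordPress's is_email(); not its real rules.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_email(value):
    return EMAIL_RE.match(value) is not None


def comment_accepted(request, plugin_filter):
    """Would an anonymous comment pass the email check after the plugin's filter ran?"""
    return is_email(plugin_filter(request)["email"])


if __name__ == "__main__":
    body = 'See <a href="https://example.org/">the link</a>: it works'
    for i, saved in enumerate(save_rounds(body, broken_plugin_filter, 3), 1):
        print(f"broken filter, save {i}: {len(saved):4d} chars  {saved[:48]}...")
    for i, saved in enumerate(save_rounds(body, fixed_plugin_filter, 3), 1):
        print(f"fixed filter,  save {i}: {len(saved):4d} chars  {saved[:48]}...")
    comment = {"email": "reader@example.com", "comment": "Nice post.", "cloudflare_token": "x"}
    print("anonymous comment accepted, broken filter:", comment_accepted(comment, broken_plugin_filter))
    print("anonymous comment accepted, fixed filter: ", comment_accepted(comment, fixed_plugin_filter))
```

The second filter is the shape of the fix the plugin eventually shipped: a plugin owns the parameters it defines and nothing else in the request is its business. The deeper reason the first version corrupts posts is that encoding on input is not idempotent, so every trip round the edit-and-save loop adds another layer; the "@" in a commenter's address gets the same treatment, which is why the email check could never pass. Escaping belongs at output, where the context the value is going into is known.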


On the reported RSS issues

Since launch, there’ve been several reported issues with RSS, which I’ve scrambled to try to fix before they did too much damage. But, we keep getting new requests, because the theme apparently doesn’t do a very good job of keeping track of the links, so here’s what’s wrong presently and what I’m working on to fix it.


  • Individual author feeds polluted with whole-network posts – originally, we had installed a plugin that served the feed for the whole network from /feed, but it turned out to be too greedy: it also grabbed every author’s /feed URL. Caching RSS services like Feedburner and Feedly pulled what was in those lists and kept it. Unfortunately, there’s not much we can do about this but wait for those caches to expire.
  • As a side effect of this, the theme’s expectation that the front page blog list should be accessible at, and WordPress treating that like its own blog, means that feed is empty. The whole-network feed is actually at and it serves content from every blog. I will set up an .htaccess rule to seamlessly redirect the top level feed to the network-feed URL.
  • Once I’ve done the above, I can change the link in the front-page header to /feed/, making it more apparent that that’s the RSS feed, since the CSS that provides the correct icon only auto-detects that specific URL.
  • An SEO plugin was installed to help with Facebook linking not grabbing the appropriate featured images. That plugin expects all the authors’ feeds to be at /feed too. Fixing the previous point will fix the front page.
  • Some browsers don’t even care about the auto-detected feed URLs, so a prominent RSS feed icon in the top bar of every blog would be preferable. I’ll be adding that as soon as other fires are quenched.

If anything else comes up, feel free to leave a comment or contact us via the contact form here.
Photo by thewritingzone


Thoughts on the Ashley Madison hack

I’m irritated by this whole thing.

On the one hand, it’s interesting that this might be the first time where MEN are being targeted generally for revenge for sexual indiscretions, and that these indiscretions are actually far more indiscreet than taking nude selfies to share with consenting adults.

On the other, this hack is every bit as much of a violation for these men and women, though it seems mostly only the men are going to be targeted. It includes information about their fetishes, and it includes instances of every account that’s ever been created and since “deleted”-but-not-really. The hack of the information from the site’s database is horrid, and the intent from some quarters — political, anti-social-justice, etc — to pore through it to damn specific people over being in that database is really gross. It’s gross in the same sort of voyeuristic way that putting up revenge porn is gross, though maybe not gross to the same degree insofar as it’s damning them for, at best, THINKING of doing something unethical, rather than damning them for doing something totally normal and commonplace as sending nudies to consenting partners.

This amounts to an infidelity dragnet, and it’s bound to catch innocents who’ve only engaged in “thoughtcrime”, having CONSIDERED having an affair. People who had accounts at one time, but no longer. People who had accounts before even being married. Yes, the site is about married people looking to “cheat”, but I’m sure straight and lovelorn people have ended up signing up for accounts on Grindr before, so it’s bound to happen that people sign up for this site just looking to pull a date. Not to mention that poly folks could very well use this relationship-finder with the full knowledge of their partners. Or people who signed up to research the site, even!

Mind you, it is a bright line that I cannot cross, where I would never engage in any activity that anyone directly impacted by it — e.g. partners — would not consent to. I am an advocate of ongoing, active, informed consent, and abrogating that consent is gross and wrong. It is a breach of trust that absolutely could and probably should ruin relationships. An ethical thing to do on encountering this information about someone’s relationship is to tell them privately — not splash it all over the deep web and create searchable indexes so that 4chan can go digging for dirt on all their most hated Social Justice Warriors. Never mind that they’re the ones constantly claiming that feminists just hate sex (despite evidence to the contrary), giving them the narrative that proving they might want sex somehow makes them hypocrites.

And don’t even get me started on the fact that finally, FINALLY, Josh Duggar — who molested several of his sisters — is suddenly viewed as a bad guy because he had an account here. Admitted child molestation is not a less serious crime than planning on cheating on your wife with zero proof of follow-through.

Just an unstructured thought dump.


Batman: Arkham Knight on PC pulled from Steam (and a possible fix?)

Apparently, a bunch of folks are having a terrible time getting Batman: Arkham Knight for PC to work. It’s glitchy and unplayable to most. As a result, WB had it pulled from Steam until they could fix the bugs. They are also offering refunds.

Dear Batman: Arkham Knight PC owners,

We want to apologize to those of you who are experiencing performance issues with Batman: Arkham Knight on PC. We take these issues very seriously and have therefore decided to suspend future game sales of the PC version while we work to address these issues to satisfy our quality standards. We greatly value our customers and know that while there are a significant amount of players who are enjoying the game on PC, we want to do whatever we can to make the experience better for PC players overall.

Thank you to those players who have already given valuable feedback. We are continuously monitoring all threads posted in the Official Batman: Arkham Knight Community and Steam forums, as well as any issues logged with our Customer Support ( If you purchased your copy of the game and are not satisfied with your experience, then we ask for your patience while these issues are resolved. If desired, you can request a refund at (Steam refund policies can be found here: or the retail location where you purchased the game.

The Batman: Arkham fans have continually supported the franchise to its current height of success, and we want to thank you for your patience as we work to deliver an updated version of Batman: Arkham Knight on PC so you can all enjoy the final chapter of the Batman: Arkham series as it was meant to be played.

I got the game for free with the laptop I just bought that has an Nvidia card that happened to be running a promotion. I encountered a bit of glitchiness when I first launched it, but I overcame that fairly quickly. Judging by reports, what I encountered may not be the only real issue at hand. Only a fraction of people seem to be complaining about what I was seeing. But what I did was fairly easy and fairly repeatable, from what I can tell.

The specific behaviour I saw was that when you launch the game, it would immediately minimize itself. Once minimized, if you click on the icon to bring it back up to the foreground, it would hiccup repeatedly to a black screen, exactly like this:

The solution for me was to use a gamepad, launch the game, hit Ctrl-Alt-Del to get to the security options in Windows. Choose Task Manager. You may have to do this more than once to get it to bring Task Manager to focus.

As soon as I managed that feat, suddenly the game in the background was running smoothly, with the Windows task bar and Task Manager in the foreground! Every time I clicked back onto the Batman window, though, it would revert to its buggy behaviour. So, I moved Task Manager out of the way, picked up my gamepad, and went into the graphics options, and tried selecting my current screen resolution (1920×1080), Windowed Borderless mode. Then I dared to click back into Batman — and it worked! It also works for subsequent launches. The issue appears to be with the fullscreen, and possibly with some bad window management as a result. It might be possible to induce this specific display mode through the command line launch options or some INI file, but I haven’t gone digging.

Seriously, if this turns out to fix all your problems, then it’s a shoddy implementation of windowing on the part of Rocksteady’s third-party PC porter, which should have been easily caught and (hopefully) easily fixed in QA — you DID do QA, right? It also only appears to happen with certain Nvidia cards, from all reports I’ve seen. And I’ve seen a number that report that over time, the game will eventually start crashing. I’ve only played through the first Batmobile AR mission, so I can’t tell if that’ll happen, but long-running games eventually crashing sounds a lot like memory management issues to me — some garbage collection isn’t being done, or something.

I still can’t get over the fact that this is a Batman game where you shoot tanks with missiles though. And where the first car you have to fire on actually does have a person in it, you make it flip, and it’s only through the grace of plot that the dude — a banged up wreck after being in a horrific missile-induced rollover — climbs out for you to interrogate.


VMware VM can't be cloned, moved or backed up? No problem.

There are probably easier (or harder) ways to do this, but my back was up against a wall yesterday after a very important virtual machine ended up in a very bad state, following a series of hardware issues with the host: basically one of those perfect storms of bad backup, bad host and bad VM.

Apparently, backups for this machine had been failing in a deceptive manner that didn’t clue us in that they were failing, and the host (VMware ESXi 5.0) was building new snapshots of the drive over and over again when Veeam tried to take a backup.

Worse, every time you tried to do a VMware level operation with the machine, it was complaining about the disks with something like “Error caused by file /vmfs/volumes/########-########-####-############/VM-Name/VM-Name-0000001.vmdk” and failing out. Little extra could be gleaned from SSHing into the host and checking dmesg, but it was plain the disk was being weird in a software way, not a hardware way. Luckily, the virtual machine itself could read the whole disk just fine, and it still ran just fine. So I was stuck with flaky hardware and no way to move the VM off of it.
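Added example, not from the post (the original’s way out is behind the "Continue reading" link and is not reproduced here): the first thing worth checking on a VM in this state is whether the snapshot descriptor chain is intact, since that chain is what consolidate, clone and backup operations have to walk. ESXi keeps each disk and each snapshot as a small text descriptor (`VM-Name.vmdk`, `VM-Name-000001.vmdk`, and so on) next to its data extent, and every snapshot’s `parentCID` must equal its parent’s `CID`. The Python below parses those descriptors and walks the chain; the descriptor contents are constructed for the example, with one variant where the base disk’s CID no longer matches what the snapshot expects.

```python
import re

# Added example, not from the post: parse VMware .vmdk descriptor files and walk
# the snapshot chain, checking each parentCID against the parent's CID.
# The descriptor texts below are constructed to look like ESXi output.

KEY_RE = re.compile(r'^\s*(CID|parentCID|parentFileNameHint|createType)\s*=\s*"?([^"\s]+)"?', re.M)
EXTENT_RE = re.compile(r'^\s*(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"', re.M)
BASE_PARENT_CID = "ffffffff"   # a disk with no parent carries this parentCID


def parse_descriptor(text):
    """Pull the chain-relevant fields and the extent lines out of one descriptor."""
    fields = dict(KEY_RE.findall(text))
    extents = [(mode, int(size), kind, path) for mode, size, kind, path in EXTENT_RE.findall(text)]
    return {"cid": fields.get("CID"), "parent_cid": fields.get("parentCID"),
            "parent": fields.get("parentFileNameHint"), "type": fields.get("createType"),
            "extents": extents}


def walk_chain(descriptors, start):
    """Follow parentFileNameHint from `start` down to the base disk.

    `descriptors` maps descriptor filename -> its text. Returns (chain, problems);
    chain is [(filename, parsed), ...] from newest snapshot to base disk."""
    chain, problems, seen, name = [], [], set(), start
    while name is not None:
        if name in seen:
            problems.append(f"{name}: loop in parent chain")
            break
        seen.add(name)
        text = descriptors.get(name)
        if text is None:
            problems.append(f"{name}: descriptor missing")
            break
        desc = parse_descriptor(text)
        chain.append((name, desc))
        if not desc["extents"]:
            problems.append(f"{name}: no extent line")
        elif len(chain) > 1 and chain[-2][1]["extents"]:
            if desc["extents"][0][1] != chain[-2][1]["extents"][0][1]:
                problems.append(f"{name}: extent size differs from its child's")
        if desc["parent_cid"] == BASE_PARENT_CID:          # reached the base disk
            if desc["parent"] is not None:
                problems.append(f"{name}: base disk but has parentFileNameHint")
            break
        if desc["parent"] is None:
            problems.append(f"{name}: parentCID={desc['parent_cid']} but no parentFileNameHint")
            break
        parent_text = descriptors.get(desc["parent"])
        if parent_text is not None:
            parent_cid = parse_descriptor(parent_text)["cid"]
            if parent_cid != desc["parent_cid"]:
                problems.append(f"{name}: parentCID {desc['parent_cid']} != parent CID {parent_cid} "
                                "(parent modified since the snapshot was taken?)")
        name = desc["parent"]
    return chain, problems


# Constructed sample: base disk plus two snapshots, in the layout ESXi writes.
SAMPLE_DESCRIPTORS = {
    "VM-Name.vmdk": """# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=a1b2c3d4
parentCID=ffffffff
createType="vmfs"
# Extent description
RW 41943040 VMFS "VM-Name-flat.vmdk"
# The Disk Data Base
#DDB
ddb.adapterType = "lsilogic"
""",
    "VM-Name-000001.vmdk": """# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=5e6f7a8b
parentCID=a1b2c3d4
createType="vmfsSparse"
parentFileNameHint="VM-Name.vmdk"
# Extent description
RW 41943040 VMFSSPARSE "VM-Name-000001-delta.vmdk"
""",
    "VM-Name-000002.vmdk": """# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=9c0d1e2f
parentCID=5e6f7a8b
createType="vmfsSparse"
parentFileNameHint="VM-Name-000001.vmdk"
# Extent description
RW 41943040 VMFSSPARSE "VM-Name-000002-delta.vmdk"
""",
}


def broken_descriptors():
    """Same chain, but the base disk's CID was rewritten after the snapshot was taken."""
    bad = dict(SAMPLE_DESCRIPTORS)
    bad["VM-Name.vmdk"] = bad["VM-Name.vmdk"].replace("CID=a1b2c3d4", "CID=deadbeef")
    return bad


if __name__ == "__main__":
    for label, descs in (("intact", SAMPLE_DESCRIPTORS), ("broken", broken_descriptors())):
        chain, problems = walk_chain(descs, "VM-Name-000002.vmdk")
        print(f"{label}: " + " -> ".join(name for name, _ in chain))
        for problem in problems:
            print("  problem:", problem)
```

On the host, read the descriptors out of the VM’s directory under /vmfs/volumes (the base disk and every -00000N.vmdk) and feed them in, starting from whichever file the .vmx currently points at. A parentCID that no longer matches the parent’s CID is the condition behind VMware’s "parent virtual disk has been modified since the child was created" error, and a hint that points at a descriptor that is no longer there is a chain nothing can consolidate. Take a copy of the whole directory before touching any descriptor, and never edit one under a running VM.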
Continue reading “VMware VM can't be cloned, moved or backed up? No problem.”


Busy, busy worker bee

You might have noticed that most of the work I’ve put into the blog lately has been to the end of promoting Geek Girl Con. This post is no different, save for a bit of complaining.

Honestly, I haven’t had much time for blogospherics lately, as work has had a series of disasters that I’ve had to mitigate, so I’ve been working my ass off. I’ve been venting my frustrations about current real-world events on Twitter in short form, because that seems easier to handle in the midst of jumping from one crisis to another with work, but the blog has lain fallow for too long, so I decided to cross-purpose a bit of work I did today. Why use something you’ve done once, when you can use it twice?

At Geek Girl Con, I’m going to be working in the DIY Science Zone, teaching a thing or two about randomness, especially as pertains to dice. I’ll be performing a few demonstrations of how humans don’t really grok randomness, including one where I’ll get people to draw fifty random dots on a piece of paper. I’ll then compare them to a better (though still not perfect) pseudo-random generator, a computer.

Then I’ll go on to talk about how this universe is deterministic and randomness really isn’t all that random no matter what we do to generate it, and pretend to be all smart and stuff. We’ll see how that works out.
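As an added illustration in Python (my own code, not the Pygame script the post refers to, which is not reproduced on this page), here is the comparison the demonstration is built around, carried out numerically rather than by eye: a constructed "human-like" dot pattern that is too evenly spread, against dots from Python’s default pseudo-random generator and from the operating system’s entropy source. The grid size, the dot count and the jitter in the human-like pattern are assumptions made for the example.

```python
import math
import random
import secrets

# Added example, not the Pygame script from the post. It quantifies the
# difference between dots people draw "at random" and dots a generator draws.
# Grid size, dot count and the jitter of the constructed human-like pattern are
# assumptions made for this illustration.

GRID = 5       # 5 x 5 cells over the unit square
N_DOTS = 50    # two dots expected per cell


def cell_counts(points, grid=GRID):
    """How many dots landed in each of the grid's cells (row-major)."""
    counts = [0] * (grid * grid)
    for x, y in points:
        col = min(int(x * grid), grid - 1)
        row = min(int(y * grid), grid - 1)
        counts[row * grid + col] += 1
    return counts


def chi_square(counts):
    """Chi-square statistic against a uniform expectation.

    For 25 cells the expected value under genuine uniform randomness is about 24;
    a value near 0 means the dots are spread *too* evenly, which is what people do."""
    expected = sum(counts) / len(counts)
    return sum((c - expected) ** 2 / expected for c in counts)


def nearest_neighbour_mean(points):
    """Mean distance from each dot to its closest neighbour.

    Random dots include near-coincident pairs (about 0.07 for 50 dots in a unit
    square); people avoid placing dots close together, so theirs comes out larger."""
    total = 0.0
    for i, (x1, y1) in enumerate(points):
        total += min(math.hypot(x1 - x2, y1 - y2)
                     for j, (x2, y2) in enumerate(points) if j != i)
    return total / len(points)


def prng_points(n=N_DOTS, seed=None):
    """Dots from Python's Mersenne Twister: fine for a demo, fully reproducible
    from the seed, and therefore never to be used where an adversary could
    profit from predicting the next value."""
    rng = random.Random(seed)
    return [(rng.random(), rng.random()) for _ in range(n)]


def csprng_points(n=N_DOTS):
    """Dots from the operating system's entropy source (os.urandom under the hood)."""
    rng = secrets.SystemRandom()
    return [(rng.random(), rng.random()) for _ in range(n)]


def human_like_points(cols=2 * GRID, rows=GRID, jitter=0.05, seed=0):
    """Constructed stand-in for a hand-drawn sheet: one dot near the centre of
    each cell of a cols x rows lattice, with a little jitter. Far too even."""
    rng = random.Random(seed)
    return [((col + 0.5 + rng.uniform(-jitter, jitter)) / cols,
             (row + 0.5 + rng.uniform(-jitter, jitter)) / rows)
            for row in range(rows) for col in range(cols)]


if __name__ == "__main__":
    for label, pts in (("human-like", human_like_points()),
                       ("random.Random", prng_points(seed=42)),
                       ("secrets.SystemRandom", csprng_points())):
        print(f"{label:22s} chi-square {chi_square(cell_counts(pts)):6.2f}  "
              f"mean nearest-neighbour distance {nearest_neighbour_mean(pts):.3f}")
```

A genuinely random scatter of 50 dots over 25 cells scores a chi-square of roughly 24 and contains a few dots almost on top of each other; the constructed human-like sheet scores exactly 0 and keeps every dot clear of its neighbours, which is the tell. On the determinism point: `random.Random(seed)` reproduces the same dots every run, which is what makes it pseudo-random and why it must not be used for anything an adversary could gain by predicting, such as tokens or keys; `secrets` draws from the operating system’s entropy pool, still the output of a physical process, but not one an observer can replay.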

I’ve written a little Python script to help with the first demonstration I mentioned above. Here it is. It uses the fairly standard Pygame init > run > terminate main loop you might see in other examples.
Continue reading “Busy, busy worker bee”


The sophistry and revisionist history in Skeptoid Brian Dunning's statement

My understanding of Brian Dunning’s cookie-stuffing scheme is fairly thorough at this point. I’ve read the articles in major news organizations about Dunning and Shawn Hogan’s scheme, and I happen to understand to a very high degree of fidelity the workings of the World Wide Web and cookies. So when I read the statement that he wouldn’t allow copying-and-pasting on, I balked. Not only at the lies, misdirection and obvious con-man level sophistry going on in the post, but that anyone who claims to have pulled off such a job might think that what they claim to have done is actually plausible.

Rebecca Watson has done a thorough job at deconstructing the statement for what it is: a great ball of chaff thrown up to confuse the radars of so-called skeptics who are evidently unable to recognize such tactics. But there’s some nuance I’d like to add, specifically because there are parts that appear to directly reference something I blogged about recently, which has bubbled up to very near the top of search results on the terms “Skeptoid” or “Brian Dunning”.
Continue reading “The sophistry and revisionist history in Skeptoid Brian Dunning's statement”


The virtual radio silence on Brian Dunning's fraud

Today, Brian Dunning of the Skeptoid podcast and brand, blogger at SkepticBlog, was sentenced to 15 months in prison and three years of supervised release.

Barely anyone’s talking about it, though (except, obviously, us Social Justice Bullies who will inevitably be accused of crowing about this news).
Continue reading “The virtual radio silence on Brian Dunning's fraud”


Why I distrust Apple, in one short video

Okay, seriously. I know that WWDC is a sales pitch more so than a tech demo. But this supercut of superlatives tweaks every nerve I have as regards manipulative language.

There’s not a lot of actual innovation in their new iteration, that I can see, just a nice coat of paint slapped on the same old stuff. “This changes everything” was true when iOS first got introduced, but now it’s all “this keeps everything the same except for a prettier wastebasket.”


Twitter blocked in Turkey; activists graffiti alternate DNS workaround

Prime Minister Recep Tayyip Erdogan of Turkey has instituted a ban on Twitter, ostensibly over concerns that it hosts pornography, but from all appearances actually in response to repeated leaks of damning recordings of government officials.

However, the way that the ban is implemented is very rudimentary — the government has forced all ISPs in the country to remove from their DNS servers.

In response to this ban, activists have been graffitiing Google’s DNS servers:

Graffiti on a Turkish wall reading 'DNS: Alternatif:'

Picture obtained here, can’t find the original source — if you do, let me know.

It’s not clear how long this workaround will last, but there are other avenues. One could, for instance, switch DNS to OpenNIC. If changing DNS no longer provides enough of a workaround because these ISPs are forced by the government to shut down all traffic to Twitter’s servers, then resolving the name correctly no longer helps, and you would instead connect through Tor, or through an anonymizing VPN or proxy service, so that the traffic leaves the country before it reaches the block.
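Added example in Python (my own code, not from the post or the graffiti): a minimal DNS client that asks several resolvers the same question and reports where they disagree, which is the quickest way to tell a resolver-level block like this one from an IP-level one. The resolver list is an assumption for the illustration: 192.0.2.53 stands in for the ISP’s resolver (a documentation address, so it will time out), and 8.8.8.8 and 8.8.4.4 are Google Public DNS. The name queried is a placeholder.

```python
import secrets
import socket
import struct

# Added example, not from the post: a minimal DNS client that asks several
# resolvers the same question and reports where they disagree. Resolver
# addresses and the queried name in main() are assumptions for the illustration.

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid):
    """One standard query for the A record of `name`, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)     # QTYPE=A, QCLASS=IN


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # compression pointer
            pointer = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_a_response(msg, txid):
    """Return (rcode, [IPv4 addresses]) from a response to build_query()."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                         # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs


def resolve_via(name, server, timeout=3.0):
    """Ask one resolver directly over UDP, bypassing the system's configured one."""
    txid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_response(data, txid)


def compare_resolvers(name, resolvers):
    """Map resolver label -> sorted address list, or a short string saying why not."""
    results = {}
    for label, server in resolvers:
        try:
            rcode, addrs = resolve_via(name, server)
            results[label] = sorted(addrs) if addrs else RCODES.get(rcode, f"rcode {rcode}")
        except (OSError, ValueError) as exc:
            results[label] = f"error: {exc.__class__.__name__}"
    return results


def disagreement(results):
    """True when the resolvers did not all give the same answer."""
    outcomes = {tuple(v) if isinstance(v, list) else v for v in results.values()}
    return len(outcomes) > 1


if __name__ == "__main__":
    resolvers = [("isp", "192.0.2.53"),        # placeholder for the ISP's resolver
                 ("google", "8.8.8.8"),        # Google Public DNS
                 ("google-2", "8.8.4.4")]
    answers = compare_resolvers("example.com", resolvers)
    for label, answer in answers.items():
        print(f"{label:10s} {answer}")
    print("resolvers disagree:", disagreement(answers))
```

If the ISP resolver returns NXDOMAIN or a different address while the alternates return the real one, the block lives in the resolver and switching is enough. If every resolver agrees but the site is still unreachable, or queries to the alternates time out, the ISP is intercepting port 53 or blocking by address, and changing resolvers will not help; that is the point at which Tor or a VPN becomes necessary. Plain DNS carries no authentication, so an on-path party can also forge the answer from a resolver it does not control.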

When people complain that they’re being silenced for being blocked or moderated on a blog, I have to laugh — that’s not in any way an abrogation of your freedom of speech. Having all access to the internet cut off by a totalitarian government, on the other hand, is most decidedly one, and is most decidedly something we all must fight.
