Thord’s post on using WordPress as a CMS got me to thinking about all the times I’ve used Movable Type for that purpose. I use MT for the same reason he uses WP — I know it well enough I can make it do anything I want. It also helps that Six Apart has been steadily adding more CMS features.
So what do you need to know if you’re going to use MT as your CMS? Thord’s article covered a lot of things that should be considered when selecting any CMS software, so I’m going to concentrate on some of the pros, cons, and quirks involved in working with MT.
Templating – MT’s templating system really does let you publish your data in any way you want. Depending on the needs of your website, you can set up MT to generate anything from a simple web page to a complex CSV file to a proprietary feed format. For many things you don’t need a plugin, you just need to know the structure of the final output. One practical example is creating an email newsletter from your recent blog posts. I once created a template that included excerpts from recent blog posts in a format that could be fed directly to sendmail (or some other mail transfer agent) to send to my subscribers. Worked great, and made it easy to reuse my blog content.
Custom Fields – Custom fields in MT are very powerful, and easy to create. “Blog entries” can have fields appropriate to the actual content, such as an address field for an event or a rating field for a movie review.
Multiple blogs – It’s easy to set up multiple blogs so that each can maintain a different section of a site. You might want one blog for your photo gallery and another for your product catalog, for example. And, both can make use of global templates, so you don’t have to duplicate work.
Roles – MT gives you fine-grained access control over what users can do. This allows you to set up a hierarchy of authors, editors, designers, and admins that control different aspects of the site.
Custom App – The application itself is built using the same templating system used for blog templates, so you can customize the interface. You could do anything from replacing the header with your client’s logo to completely reskinning the admin to match their site.
Publishing – Movable Type’s concept of publishing — and republishing everything when you make a design change — can be difficult for users. Static publishing does not give you quite the same instant gratification that dynamic publishing does.
Plugins – There are a lot of great MT plugins, but the development community is small when compared to Drupal or WordPress. There’s also very few “big feature” plugins. If you’re looking for ecommerce or event calendar plugins, you’re not going to find them.
Themes – As with plugins, the variety of MT themes is rather limited.
Image uploads – Tying images or other files to a page or post is still complicated. Plugins help, but it could be easier.
Templating – At this point, the templating system is almost its own programming language, which may put off some designers. And if you do something wrong, the error message can be difficult to interpret.
Organizing – Organizing an MT-based site takes some advanced planning. Can you arrange a single blog the way you want with categories and tags, or do you need to use multiple blogs to control the site? If you change your mind later on, it’s not going to be an easy switch.
Multiple Domains – It is possible for MT to power multiple domains from a single install, but setting it up properly takes some work. If you’re considering doing this, you might want to read how I got my system working.
Which software you choose for your CMS depends largely on your needs and what you’re familiar with. Personally, when I consider what software to use to run a website, my first question is, “How easy will it be for me to customize this?” In that regard, MT has met my needs for a lot of projects.
Have you ever used MT as a CMS? Tell us about your experience in the comments.
I’m reading that Automattic, the company behind WordPress and WordPress.com, as well as Akismet and Gravatar, has acquired IntenseDebate. The deal isn’t all that surprising, given the fact that several services offering more or less the same functionality have popped up the last few years. The most notable is probably Disqus, and it is in this sphere that IntenseDebate operates.
For those of you not familiar with IntenseDebate, it is basically a hosted comment solution for your blog, replacing the built-in comment functionality. This means that some features that are not available in, say WordPress, can be added, and that commenters can have one identity for all sites using the service. Other selling points are threaded comments, and e-mail functionality.
I can understand why Automattic acquires IntenseDebate. It is a good complement to especially Gravatar, another hosted service that more or less is the de facto standard for user avatars on WordPress blogs, and several other sites as well. If Automattic rolls out IntenseDebate across WordPress.com, their hosted blog platform, and then adds native support in the next WordPress version, just like they did with Gravatar, they’ll quickly push IntenseDebate forward. I believe it is a sound business decision.
However, I doubt I’ll use any hosted commenting service myself. Avatars are one thing, but the comments are content, and I prefer to have content under my own control if it is to be displayed as a part of my blog. The main reasons for this are:
What happens if the service gets canned? This could mean loss of comments, which would be very bad indeed. Sure, there are backup solutions, but still, it is a risk I’d rather be without.
Speed. This applies to all hosted services, applications, widgets, and whatnots I put on my blog: If they are loading slow, my site will suffer, and there’s nothing I can do about it.
Security and spam. Sure, the spam fighting plugins available aren’t perfect, but at least I have full control. What happens if someone hacks a commenting service, and what happens if a security exploit opens it up for spamming or worse? This is, again, outside of my control.
What do you think? Would you want to use a hosted comment solution like IntenseDebate or Disqus?
This week’s Friday Focus will inspire you to think out of the box. Get ready!
Designs of the Week
I like the use of the scattered black circles as the main feature of this design. Though I would suggest being able to distinguish the clickables from the non-clickables. Another good thing about this site is that they included an HTML-only format for those who don’t want the zaniness.
Technically, you can still make out boxes in the different areas of this design, but the graphics just break out of them. Minus points for using the <marquee> tag, but it somehow contributes to the quirkiness of the site.
The implementation of this look is just excellent. And it doesn’t take much to scatter all the images throughout the whole page. Inside it gets a little more organized, which is fine, but I wish the sticky tape was retained for more consistency.
Grunge is practically commonplace these days, but sites like these remind us it’s not just about the “dirt”, but how that dirt plays into the basic structure of a web page. It can eradicate the boxiness and make an impression at the same time.
John Chow released a new version of his site on September 10th, sporting a more controlled, almost corporate look compared to the previous version. The new John Chow dot Com is the third version, and was designed by Unique Blog Designs. In many ways, it is a better theme, but there are, of course, some things I’d like to comment on.
Just like when TechCrunch redesigned, John Chow’s readers have voiced a lot of comments, 227 of them as I’m writing this. Nothing gets the readership involved like a brand new design!
I like the fact that they got rid of the car in the header. Nice balance between logo and the 468×60 pixel ad as well.
The logos for ad and affiliate networks that John pushes aren’t obtrusive, thanks to being in grayscale until you hover them. This is nicely done, since they would otherwise be annoying just because of their placement under the main menu.
The RSS and subscription functionality in the top right column blends nicely.
Good spacing in the ad segment, under Blog Sponsor.
The Featured Video box works nicely together with the ad below, and the recent photos, and the about box.
I like the navigation links below the entire site, even though it is a bit illogical to have them below the copyright type.
The JC logo is bland and boring.
The site lacks color, it is basically just white, light grey, and a very tuned down blue, which makes it look corporate and stale.
The Recent Photos block is pretty nice, but it needs to be better aligned with the width of the column; right now it is 20 pixels narrower than the other elements in the middle column on the front page. If the plugin used won’t solve it for you, then put it in a box or something.
The categories part of the footer is decent enough, but the rest of it is a bit messy. I’d also do the copyright text in a different color, font, or whatever, to cleanly part it from the content in the footer.
The about page isn’t optimized for the design at all, sporting too little content to fit with the right column, and a photo that is too small. Same goes for the contact page, really.
The What Now?
Contextual keyword ads in posts are one thing, but why are they in the featured articles slide?! Same goes for the listings of blog posts on the front page. Really, that’s too much.
I can’t say that I’m thrilled about the new John Chow design. My main issue with it is that it feels like a corporate website rather than something from “a Dot Com Mogul”. At the same time, there are some really good layout decisions here, and I especially like the way the header manages to not feel littered with ads.
One other color to work against the stale look would do a lot to lift this design.
What do you think about the new John Chow dot Com redesign?
We have a bunch of metaphorical designs on Friday Focus this week: sites whose looks you can immediately tie to the product or purpose they’re “selling”.
Designs of the Week
It really isn’t obvious that we’re talking about snow here—until we see the foot tracks. I also like that the clouds are wispy; it’s a very minute detail that still reinforces the cleanliness and lightness this site is going for.
Very subtle execution of that blueprint look. Combined with that textured penciled-in feel. It doesn’t look too tech-y, though. It looks clean and professional.
This has probably the most subtle metaphor of all. You can barely get a glassy feel from that box. But I also added this site to the mix for its thoughtful layout and elegant effects.
Of course, when it comes to portfolios, many go the tried and tested route of duplicating office stationery digitally. But no matter how many people have done so, no two websites look alike.
Again, another “expected” route: a nature-driven look for a gardening product website. I do like that there is a burst of blue that strikes a balance with the greenery.
Here’s another revelation: a website for airplane lovers with a retro feel. I love the colors, the subtle texture, and most especially that “winged” icon.
This site is just brilliantly executed. Between the parallax effect of the two layers of raindrops and that single umbrella found dead center of the page, you really don’t need much else!
Programming – 10 Principles of the PHP Masters
Programming is not just about coding away all day and night. It’s also about finding the best approach to solve a particular problem. Get expert advice here.
Lately, I have been working on a project with a group of developers that I found. In this modern day, security is a must. You have people stealing your server information, database login details, and user passwords, inserting scripts, and more. Several years ago security wasn’t a big deal, but these are now desperate times, and desperate times call for desperate measures. Because of this, I have refined my knowledge of the hacks that others can do and how to prevent them (or at least most of them).
These days, it is necessary to encrypt your password in a database. Sure, you may encrypt your password with md5 or sha1, but there are methods to reverse these. A good concept is to “do it multiple times,” and, in this case, do the encryption multiple times. No, I do not mean to md5 twice. There are methods such as salting, or adding extra input to the encryption. One great method is to generate a secure hash on user registration, or to use information you may already know that the outside world may not, such as the registration date (a timestamp is best).
In the above example, we used two functions for encryption: md5 and sha1. It is usually best to use many methods of encryption, as above. Extremely few people know how to decrypt md5, and the same goes for sha1. Together, it is virtually impossible to figure out. One other thing I want to point out is that we salt twice in that PHP above: first in sha1 using time(), and second by feeding the sha1 output into md5. The more secure the better, although do not overdo it. Please.
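The salting idea above, as an added example that is not the article’s own code: it uses PHP’s built-in password_hash() and password_verify(), which generate a random salt per password and stretch the hash for you, so the md5()/sha1() layering does not have to be done by hand. The $users array is a constructed stand-in for a users table, and the sample user names and passwords are made up for the demonstration.

```php
<?php
// Added example (not from the original article): password storage with
// PHP's password_hash()/password_verify(). Each call salts with fresh OS
// randomness, so two users with the same password get different hashes.
declare(strict_types=1);

/** Store a new user; only the hash is kept, never the password itself. */
function register_user(array &$users, string $username, string $password): void
{
    // PASSWORD_DEFAULT selects the current recommended algorithm (bcrypt)
    // and embeds a new random salt in the returned string.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

/** Check a login attempt; true only when the password matches the stored hash. */
function authenticate(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Verify against a dummy bcrypt hash so an unknown user costs the
        // same time as a wrong password (no user-enumeration timing hint).
        password_verify($password, '$2y$10$' . str_repeat('a', 53));
        return false;
    }
    if (!password_verify($password, $users[$username])) {
        return false;
    }
    // Transparently upgrade old hashes when the default cost or algorithm changes
    if (password_needs_rehash($users[$username], PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample store (a real application would use its users table)
$users = [];
register_user($users, 'alice', 'correct horse battery staple');
register_user($users, 'bob', 'correct horse battery staple');

// Same password, different hashes: that is the per-password salt at work
echo 'distinct hashes for identical passwords: ',
    var_export($users['alice'] !== $users['bob'], true), "\n";
echo 'alice, right password: ',
    var_export(authenticate($users, 'alice', 'correct horse battery staple'), true), "\n";
echo 'alice, wrong password: ',
    var_export(authenticate($users, 'alice', 'not the password'), true), "\n";
echo 'unknown user: ',
    var_export(authenticate($users, 'mallory', 'anything'), true), "\n";
```

The hash string returned by password_hash() already records the algorithm, cost and salt, so nothing else needs to be stored alongside it; password_needs_rehash() is what lets you raise the cost later without forcing a password reset.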
Limit Authorization in the Database
When installing an application, many users just use the default user settings for their database details. That user will have every permission in the DB that it can get (depending on whether it is a hosted domain or a self-managed server). If a hacker comes in and gets your details, you are really screwed, because they have permission to delete any database, tables, rows, and columns, insert meaningless data, update current data with wrong details, or worse. If you follow the password encryption method above, it would be difficult for someone to decrypt your passwords.
The best thing to do, if you are the installer, is to verify which permissions you need in order to run the software correctly. On the other hand, if you are a programmer, please know precisely which permissions the program needs to run without errors.
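One way to put the permission check into practice, as an added example that is not from the article: a small provisioning script that creates a database account holding only the privileges the storefront code uses, then connects as that account and confirms a destructive statement is refused. It assumes a MySQL or MariaDB server reachable over the local socket, an existing shop database with products and orders tables, and an administrative login; the database, user names and passwords are placeholders to replace with your own.

```php
<?php
// Added example (not from the original article): least-privilege database
// account. Assumes MySQL/MariaDB on the local socket and a `shop` database
// with `products` and `orders` tables. All credentials are placeholders.
declare(strict_types=1);

const DSN        = 'mysql:host=localhost;dbname=shop';
const ADMIN_USER = 'root';                        // placeholder admin account
const ADMIN_PASS = 'REPLACE_ME_ADMIN_PASSWORD';
const APP_USER   = 'shop_app';                    // placeholder restricted account
const APP_PASS   = 'REPLACE_ME_STRONG_PASSWORD';

/** Create the restricted account, granting only what the shop code uses. */
function provision_app_user(PDO $admin): void
{
    $account = "'" . APP_USER . "'@'localhost'";
    $admin->exec('CREATE USER IF NOT EXISTS ' . $account . ' IDENTIFIED BY ' . $admin->quote(APP_PASS));
    // The storefront reads the catalogue and records orders; it never needs
    // DELETE, DROP, ALTER, or access to any other database.
    $admin->exec('GRANT SELECT ON shop.products TO ' . $account);
    $admin->exec('GRANT SELECT, INSERT, UPDATE ON shop.orders TO ' . $account);
}

/** Try a destructive statement as the app user and report what the server said. */
function check_cannot_drop(PDO $app): string
{
    try {
        $app->exec('DROP TABLE shop.orders');
        return 'WARNING: the application account was able to DROP TABLE';
    } catch (PDOException $e) {
        return 'denied as expected: ' . $e->getMessage();
    }
}

$opts  = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION];
$admin = new PDO(DSN, ADMIN_USER, ADMIN_PASS, $opts);
provision_app_user($admin);

$app = new PDO(DSN, APP_USER, APP_PASS, $opts);
echo check_cannot_drop($app), "\n";
```

The application itself should then be configured with only the shop_app credentials; the administrative login stays on the installer’s side and never goes into the web-facing configuration file.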
Cross Site Request Forgeries
These are trickier than the above, though they are really simple to prevent. In order to know if your software or web site can be hacked with CSRF, ask yourself if it accepts $_GET or $_POST (or $_REQUEST). To show how damaging this can be, no matter how secure your application is, Gmail was found to be vulnerable to CSRF. There was a method for seeing all the contacts a person had, and more. If you have an online store, for example, someone can easily forge a request on the user’s behalf, like the following:
The above has several things wrong with it. First, it does not even check if the key ‘product_id’ exists. The second is that it uses $_REQUEST, which is bad. This predefined global variable, built into the PHP core, contains the values of $_GET, $_POST, and others depending on your php.ini configuration file. To forge a request, one can easily alter the HTML using Firebug or any other tool in the browser, or outside the browser, and save it, like so:
This is the best reason to just switch to $_POST when possible. By the W3C’s definition, POST should be used when an action is made and GET should be used to retrieve information. HINT: When you buy something, you are performing an action. You may also be thinking that CSRF also works with POST. Well, it does. What I do, and the same goes for countless other applications, is to use form tokens. These basically hold some information about the user that requested the form. You may either simply md5 the user’s IP address or a combination of other things, or store some information in the database with a unique token id. This token will be placed in the form as follows:
[php]if (isset($_POST['submit']) && !empty($_POST['product_id'])) {
    if ($_POST['token'] == generate_token()) {
        // Token matches: process the order (cast product_id with intval first)
    }
}[/php]
There are many great improvements here, especially one that we will discuss later in the article. IP addresses can not be forged, at least I do not think so. The truly best way of doing tokens is generating a completely new token based on time and other factors and inserting that into the database. When the form is submitted, you select the token from the DB and verify it from there. We now use $_POST and check that the form has been submitted and that the product id is not empty. If the form has been submitted, we then check that the two tokens are the same. A solution we will discuss later on is to cast the product_id to an integer, since that is what it is supposed to be. This prevents SQL injections.
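The token check above, as an added example that is not the article’s code: instead of an md5 of the IP address, the token is 32 bytes from the OS random source kept in the user’s session, the form carries it in a hidden field, and the comparison uses hash_equals() so it runs in constant time. It assumes the standard PHP session extension is enabled; generate_token() from the article is replaced by csrf_token(), and the product id 42 is a made-up sample.

```php
<?php
// Added example (not from the original article): per-session CSRF token
// with a constant-time comparison. Assumes the default session extension.
declare(strict_types=1);

/** Return this session's CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from the OS CSPRNG, hex-encoded so it embeds safely
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** True only for a POST whose submitted token equals the session's token. */
function csrf_check(string $method, array $post): bool
{
    // GET is for retrieving; a state-changing request must be a POST
    if ($method !== 'POST') {
        return false;
    }
    $submitted = $post['token'] ?? '';
    // is_string guards against token[]=... (hash_equals rejects arrays);
    // hash_equals avoids leaking the token byte-by-byte through timing
    return is_string($submitted) && hash_equals(csrf_token(), $submitted);
}

/** Render the order form with the token as a hidden field. */
function order_form(int $product_id): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/order.php">'
        . '<input type="hidden" name="token" value="' . $token . '">'
        . '<input type="hidden" name="product_id" value="' . $product_id . '">'
        . '<button type="submit" name="submit" value="1">Buy</button></form>';
}

// Request handling, in the shape of the article's isset()/!empty() check
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if ($method === 'POST' && isset($_POST['submit']) && !empty($_POST['product_id'])) {
    if (!csrf_check($method, $_POST)) {
        http_response_code(403);
        exit('Invalid or missing form token');
    }
    $product_id = (int) $_POST['product_id']; // it is supposed to be an integer
    // ... place the order for $product_id ...
    echo "Order placed for product $product_id\n";
} else {
    echo order_form(42);
}
```

Because the token lives in the session rather than being derived from the IP address, two users behind the same proxy get different tokens, and a token copied out of one session is useless in another.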
Cross Site Scripting
Imagine inputting that for a field that can be seen publicly, like your username, full name, email address, and more. If you do not take the proper measures to prevent scripting, any user who visits a page containing the field in which the above is submitted will be notified that “This page is not XSS-proof.” There are several ways to prevent this script from being called. You can either remove the HTML tags or use HTML entities. I prefer using HTML entities:
[php]// Check if the form has been submitted and that
// $_POST['username'] is not empty before continuing
$username = trim(htmlentities($_POST['username']));[/php]
This can lower your chances of being hacked using XSS significantly by converting `<script>` to `&lt;script&gt;` and other things like `&` to `&amp;`.
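The entity conversion above, as an added example that is not the article’s code: the escaping is applied at the point where the value is written into HTML, with ENT_QUOTES so the result is also safe inside a quoted attribute, while the stored value is left as the user typed it. The payload string and the sample user are constructed for the demonstration.

```php
<?php
// Added example (not from the original article): escape untrusted values
// when rendering HTML, for element content and attribute values alike.
declare(strict_types=1);

/** HTML-escape a value for use in element content or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES escapes both quote styles, so the output is safe inside
    // value="..." and value='...'; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string, which would blank the field.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render a public profile line; every untrusted value passes through e(). */
function render_profile(string $username, string $fullname): string
{
    return '<li class="user" data-name="' . e($username) . '">'
        . e($fullname) . ' (' . e($username) . ')</li>';
}

// Constructed input of the kind the article describes: a full name that
// carries the test script instead of a name
$username = 'mallory';
$fullname = '<script>alert("This page is not XSS-proof.")</script>';

// The rendered line shows the script as text; the browser never executes it
echo render_profile($username, $fullname), "\n";

// Stored values stay as typed, so exports, searches and non-HTML outputs
// (plain-text mail, JSON APIs) see the real characters and are not
// double-encoded; only the HTML rendering gets the entity form.
echo 'stored full name: ', $fullname, "\n";
```

Escaping on output rather than on input also means a value pulled from the database by a later feature cannot be forgotten to be escaped just because someone assumed it had been cleaned at registration time.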
This last one is one of the most difficult, since you have to do the same for every input you get that will go into the database. There really is not one justified method for preventing this. There are several, and they do not protect against everything either, only most. If you ask someone for their username and password to log in, a hacker who specializes in this may input something that can essentially modify your query.
[php]$sql = 'SELECT username, password FROM users WHERE username=' . $_POST['username'];[/php]
With the above query, someone can easily input the following, without the quotes: ‘foobar OR 1=1’. This query returns every user in the database with their username and password, because 1 = 1 is true without even caring about the username being foobar. To prevent this you can do several meaningful things: distinguish tables and columns from values using `, distinguish string values using ", escape using the database’s own escape function, and cast each value to what it is supposed to be. Here is the final product:
[php]$sql = 'SELECT `username`, `password` FROM `users` WHERE `username`="' . mysql_real_escape_string($_POST['username']) . '"';[/php]
Although I did not present type casting in the above example (except in the last CSRF example), you can easily do intval for whatever needs to be an integer and floatval for decimal numbers. Remember, the tips explained above for SQL injections do not cover everything, and it would be virtually impossible to prevent everything.
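The injection and its fix, as an added example that is not from the article: the concatenated query is kept beside a parameterised one and both run against an in-memory SQLite database through PDO, so the difference is visible without a MySQL server. Bound parameters replace mysql_real_escape_string(), and the intval() cast from the article is shown for a numeric id. It assumes the pdo_sqlite extension; the table rows and the input strings are constructed for the demonstration.

```php
<?php
// Added example (not from the original article): string concatenation versus
// bound parameters, demonstrated on an in-memory SQLite database via PDO.
// Requires the pdo_sqlite extension. Rows and inputs are constructed.
declare(strict_types=1);

/** Build a throwaway database with a constructed users table. */
function sample_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO users (username, password) VALUES ('alice', 'hash-a'), ('bob', 'hash-b')");
    return $db;
}

/** The article's vulnerable shape: the input is pasted into the SQL text. */
function lookup_unsafe(PDO $db, string $username): array
{
    $sql = "SELECT username, password FROM users WHERE username='" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened form: the value travels as a bound parameter, never as SQL. */
function lookup_safe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username, password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Numeric ids: cast first, then bind, so only an integer can ever reach SQL. */
function user_by_id(PDO $db, $raw_id): ?array
{
    $id   = intval($raw_id);
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = sample_db();
// Constructed input in the spirit of the article's "foobar OR 1=1", adapted
// to the single-quoted value in lookup_unsafe()
$attack = "foobar' OR '1'='1";

echo 'unsafe lookup returned ', count(lookup_unsafe($db, $attack)), " row(s)\n";
echo 'safe lookup returned ',   count(lookup_safe($db, $attack)),   " row(s)\n";
// intval("2 OR 1=1") keeps only the leading integer, so the WHERE clause
// compares against a number and nothing else
echo 'id lookup for "2 OR 1=1": ', json_encode(user_by_id($db, '2 OR 1=1')), "\n";
```

With a prepared statement the database receives the query text and the value separately, so no quoting rule on the PHP side has to be right for every character set; the cast in user_by_id() is belt-and-braces on top of that, and also gives you a clean place to reject ids that are out of range before touching the database.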
As a last note, I have explained how to prevent password hijacking, database corruption, CSRF and XSS attacks, and SQL injections. I hope you think of this tutorial every second you allow user input. With this guide, you will save yourself and any potential users headaches.
There’s some noise about Internet Explorer 6 right now, originating from the fact that the browser turned 7 (!) on August 27th, 2008. That’s some lifespan, and something to mock if you’re running a site called IE Death March. The list of stuff that came out after IE6 is hilarious, older than the first iPod indeed, do you remember when that one came out?
Most designers agree: IE6 is evil, developing for it is evil, and it sucks. I’d reckon most IE6 users would agree too, problem is, they’re stuck with it for some reason. It could be the fact that they don’t know how to upgrade, but more likely it is an OS issue.
And that’s why I think the decision to pull support for IE6 is silly. Sure, you could follow Adii’s suit and charge extra if your client wants IE6 support, but to me it sounds like you should up your prices a bit in the first place.
Let me put it this way. If you’re not supporting IE6, then you’re telling Windows 2000 users to piss off, along with a considerable chunk of the surfers. IE6 isn’t a 5% share browser, like Safari, it’s got 25% of the market! That’s right, 1/4 of the people surfing the web are using Internet Explorer 6, a web browser more than 7 years old.
Safari’s got 5%, and Opera even less. I’m not hearing anyone bitching about not supporting these browsers. Sure, they might be easier to develop for, but does that really matter? Isn’t that just developers being lazy?
Do I think IE6 should be retired? Of course, it is a bad browser, for both user and developer. However, I make websites, and both me and my clients prefer if people can use them.
When Internet Explorer 6 is truly dead, I’ll stop supporting it. Until then, I’ll clench my teeth and make sure that the sites I do work for the 25% stuck with IE6. That’s my problem, not theirs. They have it hard enough as it is, being stuck with such a crappy browser in the first place.
This week on Friday Focus: the most popular color on the planet, blue. After the immense popularity of green (and pink?) during the Web 2.0 wave, it looks like web designs are going back to everyone’s favorite color. And we have a bucket full of examples to prove it.
Designs of the Week
What makes this website work? It’s clutter-free and straight to the point (the jobs), and it uses a fun motif (the beach).
Another simple design that delivers through the details, like fading hover effects and decorative elements that make sure they don’t overpower the content. It really is the focus here, because as soon as you get out of the white boxes, the elements become dark gray. They give way.
Once more we see blue offset by dark gray, this time in the form of a wooden texture. I like that the header area covers the fixed background. I also like the screen overlay on the portfolio images. It’s an old school web design element, but it still works!
First there was water, and now we have sky. Another “cliche” association with the color blue, but with a twist. There’s a very elaborate footer graphic in green. Another interesting feature of this blog is that the posts use white text on a dark gray background. Again, people seem to like pairing blue with dark gray.
If there’s dark gray, then there’s sure to be black as well. It seems like this website took the complementary color of its company logo to make it stand out. Another nice one-page website.
This design is a little more quirky, combining grunge elements and illustration on a blue-and-black color scheme. There’s also a footer graphic here, though I’m not too sure this time why they chose an aerial view of the African jungle.
Social Media Weekly
Design – Breaking Bad Habits in Photoshop
Bad habits are hard to break. And when you’re working on bulky software such as Photoshop, you might want to streamline your process as best as possible. Start by getting rid of those bad habits like unnamed layers and erasing instead of masking.
Programming – Typechart
Preview different styles of web typography as seen on Macs and PCs, then grab the CSS! Fantastic idea. Also contains excellent resources on the same topic.
With the emergence of tags, and I’m not talking about Technorati tags here but tags as a part of your own blog, categories can become redundant. A lot of blogs out there have got a bunch of categories, and with the addition of tags, they suddenly have duplicates of everything. Or perhaps they have a lot of categories, because the categories have been used as tags, basically, which perhaps was a great idea back then, but today is totally unnecessary.
Finding a balance between categories and tags might not be as easy, nor as obvious, as one would like to think.
The Ideal Category/Tag Setup
In my opinion, categories and tags are two completely different things. Mind you, I’m tackling this issue as both a designer and a publisher. The ideal setup for your particular fancy or site might be something completely different, there’s the whole matter of what you need and want as well, of course.
I define categories and tags like this:
Categories are main sections of the site. If you’ve got an entertainment blog, “music” might be one category, and “movies” another, but no more niched than that.
Tags are descriptions of post content. This means that if you’ve got a post in that “music” category, it might be tagged “metal” because that’s the genre, and “Alice Cooper” because that’s the artist.
The benefits of this way to look at categories and tags, is that categories can be treated as true sections of your site. Most blogging platforms support category specific styling, so that music category can have a cool guitar at top, or use a special color, or whatever. The point is that you can style a specific category in a fitting way, making it more obvious that it is one of the (few) main sections of your blog.
Tags, on the other hand, are like a loose search query. The point isn’t to style everything tagged “Alice Cooper” in a specific way, since it might be posts from completely diverse areas (i.e. different categories), but rather to list everything relevant.
The Blog Herald had a gadzillion tags before its redesign. Since it uses WordPress, I used the included script to convert categories to tags, and then sorted the content in more relevant categories, like news and features, and so on. It might take some time to apply a more sound use of categories on your blog, but defining your sections is a good thing.
If you’re using a blog platform as a CMS (something I’ve touched before), using categories as main sections of your site makes even more sense. After all, you’ve got your menu right there, in the categories, and you’ll be using the blog platform as it is meant to be used, the only difference is that you’ll style the various categories a bit more elaborately than you might have for a traditional blog.
What are your thoughts on how to use categories and tags on a blog? Share your thoughts in the comments!
Movable Type 4.2 came out about two weeks ago, and since then I’ve been poring over the documentation to learn about the new features in this release. There’s a lot here for developers and designers to enjoy. Things like social networking, improved templates, and better performance make upgrading an easy decision. Let’s look at some of the new things we have to play with.
The MT Community Solution was first introduced over a year ago. With 4.2, that feature is expanded and, possibly more importantly, now free for non-business users. Your blog can include forums, ratings, user profiles, and more.
What makes me excited about this is the combination of a full suite of social networking features with MT’s powerful templating system. Designers can break out of the standard forum look to develop new (and hopefully better) user interfaces.
New Default Templates
Although the modularity of the default templates in 4.0 simplified site-wide changes, many developers found them too complicated. The 4.2 templates attempt to correct this. The line-upon-line of <mt:setvar> tags that started many of the templates are now gone. There are also far fewer includes. These new templates should be easier to modify for people new to MT.
Template Module Caching & Server Side Includes
The results of template modules can be cached so they don’t have to be recreated every time you publish. This is great for sidebar content that doesn’t change with each entry you create. Combined with the new settings for Server Side Includes, this should be a powerful replacement for my optimal includes.
Custom fields is another feature that’s been around a while, but with 4.2 it becomes available to more people through the free blogger license. This is huge for people using MT as a CMS. MT’s custom fields are particularly nice, because each type of field you can create comes with its own set of template tags.
Pagination for Dynamic Publishing
Any dynamically-published template can be paginated. This feature is not a part of the default templates, but the implementation is very simple. This goes hand-in-hand with new options that give you more control over how each template is published.
…and many more changes, both large and small. Over the next few weeks I’ll be exploring these new features more and giving you new and interesting ways to use them.
Notes for Upgraders
Since the initial release, a couple of changes have come to light that you should know about if you’re upgrading an existing blog. First, because of a change in how per-template publishing is handled, any index template you had set not to publish automatically will now be set to publish. You’ll need to go into each one and change the Publishing option to Manually.
Also, the dirify modifier no longer strips out hyphens. If you have a custom archive path that uses dirify (e.g. <mt:entrytitle dirify="1">.php), it would change where some files get published. On the ProNet mailing list, this work-around was offered:
It’s likely this change will either be reversed or someone will release a plugin that makes dirify work the way it used to.
Have you tried MT 4.2 yet? What are your favorite new features?