Misadventures in blocking referrer spam: How a rogue WordPress plugin wreaked complete havoc on one of my blogs

There’s no real original news article or Wikipedia article to link to here. This is the original story, and I figure there’s no better place to put it than here.

As many of you may know, I blog about my arcade and pinball adventures (mostly pinball these days) over on SKQ Record Quest. Over the past few weeks, it’s been painful to do much with the site as it had become increasingly unreliable. First it was an occasional “500 Internal Server Error” and then they became increasingly frequent to the point where, at times, the site was basically unusable.

To make matters worse, the host I am on bills by resources used. Taking a look back, the resources used started skyrocketing at the start of the year. I did a few things that appeared to fix the problem at first, but it would eventually come back with a vengeance.

That is, until I finally took a look at what was going on and noticed the CPU for SKQ Record Quest was much higher than the other WordPress sites I have running. I finally began going through a guide that recommended a plugin called WP-Optimize. So I started going down through the list of options. At some point it told me about some cron tasks which had not been completed. Something like over 100,000 (I didn’t notice the exact number, and honestly I thought this was a glitch). So I followed the instructions and did a wp cron event run --all (after some blundering around to find this exact command). I was then greeted with:

Executed the cron event 'wsrs_update_blacklist_twicedaily' in 6.925s.

and many more lines like it, with different times on the end. Turns out that this was left over from a plugin I used to run called Stop Referrer Spam. Not only did this plugin do little, if anything, to get rid of the referrer spam problem I was having, apparently it left thousands of cron task turds behind.

I’m not waiting for nor paying for all of that junk to run, so I had to play Go Fish in the database server. Turns out deleting the “cron” key under wp_options (well, what my wp_options table is renamed to) is enough to fix this. Or so I thought, as after the first time it came right back. A second nuke of this key appears to have permanently fixed the issue.

I hate referrer spam, but right now I’m afraid to try any other plugins to fix the issue given what has just happened, and what it took to find and fix the issue. The truly horrifying thing is that I was only a couple more weeks away from taking an extended break from blogging to finally abandon WordPress and migrate almost a decade’s worth of content to a static site. Now, this blog and the other WordPress sites I currently have would be much easier. SKQ Record Quest, however, makes extensive use of Jetpack’s image galleries feature, meaning a large number of posts and images would need to be migrated to whatever is used by the static site generator I am migrating to. On top of this, I would have needed to find an alternative solution for analytics, and it would become much more difficult to post from my mobile phone should the need ever arise again. Also, just for good measure, I would likely have to edit many other links to WordPress-specific things like wp-content/uploads/2024/04/{image filename}. We’re talking easily a month or two of spare time involving a considerable amount of caffeinated beverage consumption and a nontrivial uptick in stress and uttered profanities. Oh, and this is spare time that would come out of bar/arcade visits (i.e. less time playing pinball) and possibly other social activities.

Now there would be advantages to such a move, the least of which would be that backup copies of static sites can be mirrored much more easily and on censorship-resistant platforms. Hopefully the potential censorship won’t ever be an issue; it’s a nontrivial amount of work to go from WordPress to a static site and there’s no guarantee I would be able to easily reverse the process should the original reason no longer make sense from whatever standpoint, be it technical, social, etc.

I’d like to try to make this a learning experience for as many people as possible. So here’s what I learned:

  1. Be mindful of what plugins and themes you install. Most of the time, especially if you stick to plugins available from WordPress’s own directories, you shouldn’t have issues.
  2. Take it seriously when weird things start happening on your website. You should never get a “500 Internal Server Error” and even the occasional one means something is going really wrong. I assumed a later plugin update was going to fix the issue eventually. It did not; manual intervention was needed to get things back to a sane state.
  3. When troubleshooting, always thoroughly investigate anything and everything that is out of the ordinary. As I remember it, there were errors in a previous round of troubleshooting that should have pointed me to the problem had I investigated them more thoroughly. What I actually did was slap a quick bandage fix on it, which of course didn’t solve the real problem.
  4. If you still have the Stop Referrer Spam plugin installed, get rid of it! Like this, if you have WP-CLI installed:
    wp plugin delete stop-referrer-spam
    and then, just to be sure, delete the entire cron row from your wp_options table. (Generally, open phpMyAdmin, go to your wp_options table, sort on option_name and look for cron, then delete that row. I’m not sure how to do this by typing in SQL commands if that’s your only option, but that’s the basic idea.)
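
An added example, not part of the original post: a shell sketch for spotting a cron hook that has piled up, like the one above, and removing only that hook's events with WP-CLI, since deleting the whole cron row also discards events scheduled by every other plugin. The function names, the threshold of 10 and the sample hook list are constructed for illustration; the `wp` commands in the comments assume WP-CLI is installed and run from the WordPress directory.

```shell
#!/usr/bin/env bash
# Added example (not from the original post).

# Read hook names, one per line, on stdin and print "count hook" for every
# hook scheduled more than LIMIT times, largest pile first.
flag_piled_up_hooks() {
    limit="${1:-10}"
    sort | uniq -c \
        | awk -v limit="$limit" '$1 > limit { print $1, $2 }' \
        | sort -rn
}

# Constructed sample standing in for `wp cron event list --field=hook`:
# three ordinary events plus 500 copies of the leftover plugin hook.
sample_hooks() {
    printf '%s\n' wp_version_check wp_update_plugins wp_scheduled_delete
    awk 'BEGIN { for (i = 0; i < 500; i++) print "wsrs_update_blacklist_twicedaily" }'
}

# Delete every scheduled event for one hook, then list what is left so the
# result can be checked. Not called here because it needs a live site.
purge_hook() {
    wp cron event delete "$1" \
        && wp cron event list --fields=hook,next_run_relative
}

# Demo on the constructed sample: only the runaway hook is reported.
sample_hooks | flag_piled_up_hooks 10

# On a live site:
#   wp cron event list --field=hook | flag_piled_up_hooks 10
#   purge_hook wsrs_update_blacklist_twicedaily
#   wp option delete cron   # last resort; same effect as deleting the row by hand
```

If the flagged hook reappears after the purge, something is still scheduling it, so check that the plugin's files are really gone before reaching for the last-resort command.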

Hopefully you’ll never need this advice, but it’s there if you do.

A pinball shark tale: champion gets accused of cheating

I don’t write about pinball much on this blog. That’s actually a good thing, as most of the stuff here is about things that go wrong in the world from my point of view. Sometimes the wrongs aren’t all that egregious but give me a chance to write something semi-humorous, other times things go really wrong, and a select few are the real head-scratchers that have me saying “what the actual duck quack?” (Usually with much more bleepable language, of course.) I’m not sure where this one lies on that scale, so I’ll state the facts and my take and leave the judging up to you, the readers.

On March 4, Eric Stone played the new Jaws (LE) pinball live on an internet stream. Stern was, at the time, also running a contest called March Madness. (This is not to be confused with the more widely known NCAA basketball tournament.) The idea behind the contest was that the state with the best players (i.e. highest scores) would win.

Eric, for those of you who do not follow competitive pinball, is a very skilled pinball player. His most notable accomplishment is the 2022 IFPA World Pinball Championship. These are followed closely by a 2022 YEGPIN Match Play championship, a 2024 IFPA Florida State Pinball Championship, as well as two top 20 finishes at the IFPA Open. One does not land those kinds of victories without a high level of pinball skill. More importantly, one doesn’t land those kinds of victories without being an honest player (i.e. not cheating). Perhaps the latter of these two is even more relevant to the circumstances.

On the night in question Eric put up a mind-blowing score of 4 trillion on this Jaws pinball (see video). For reference, most players consider one billion to be a very good score, with my personal best being a paltry 144 million and change. To be fair I have not played this particular title nearly as much as Eric has. The controversy comes from how Eric got to this score.

If you go to 32:35 in the video, Eric has caught all four sharks. He then starts spamming (repeatedly shooting) the spinner. This, in the game’s current state, scores millions of points per spinner tick. The high scoring is likely due to a bug in Stern’s code. Note that it’s incredibly difficult to get to this point. It’s certainly not something even most wizard-level players can do easily.

When he gets to the point where he can make the high-scoring spinner shots, Eric’s score isn’t too far over 1 billion. Obviously, Eric will score big and skyrocket his score geometrically by the end of the game. The 4 trillion score would (temporarily) put Florida in the lead in the March Madness contest.

Temporarily. That is, until Stern decided to disqualify it. That’s bad enough but the social media posts from Stern imply that Eric cheated, using words like “fishy”, “unfair”, and “foul play”:

My take on all this: you really can’t fault Eric for playing the game as Stern shipped it. Everyone has the same (presumably defective) code on their respective Jaws pinball machines. The game was on video. We, the pinball players and fans all over the world, can all see what happened. Most importantly, we can see that Eric did not cheat. Stern’s bad code is Stern’s fault, not Eric’s. The right thing for Stern to do was fix the code going forward, starting with the next round of the contest, letting the current scores stand.

To his credit, Eric handled this rather gracefully, acknowledging that he “didn’t get [the score] the way [Stern] wanted it” among other things, but also emphasizing the score was “earned”. That, honestly, is remarkable composure in the face of a very thinly veiled accusation of cheating. A lot of people would take such an accusation personally, myself included.

Looking back at “Steamboat Willie”

As you may or may not have heard by now, the first Mickey Mouse cartoon “Steamboat Willie” is now public domain. Coincidentally, I recently watched this film, all 7 minutes and 46 seconds of it, after previously only sitting through the first minute or two.

My take on it is pretty straightforward. For starters, I’m surprised Disney themselves made this available on YouTube some years ago. The film prominently features the melody of “Turkey in the Straw.” This is the same “Turkey in the Straw” that shares its melody with songs with (more) blatantly racist lyrics and titles, which I won’t repeat here. You may well have heard the melody as a child played by an ice cream truck, though Good Humor teamed up with someone well-known in the recording industry to make a replacement back in 2020. (I’ll get back to this in a later post.)

If you’re looking for it, you can see something of a link between this version of Mickey Mouse and the minstrel shows of the era. (See this NPR story for further context.) There’s a lot of cartoonish abuse of farm animals, the first instance of which involves a goat with an appetite for sheet music and a guitar.

If you can get past all of that, there’s a lot of late 1920s humor packed into a little under 8 minutes, and a good look at what Mickey Mouse used to be. Since this is public domain, I have made Steamboat Willie available via BitTorrent (seed file) along with a brief README file and some related materials; this is the official companion torrent to this post. Be aware that as of right now, for some reason the version I found on archive.org is missing the audio. This may be due to a mistaken belief that only the silent version of this film is public domain; that is the case for another early Mickey Mouse cartoon but not this one.

It’s that time of the year again: Why “Happy Holidays”?

So once again we are into the winter holiday season, and once again the controversy continues regarding the use of “happy holidays” versus “merry Christmas”. Here’s a recap of the many posts I’ve made over the years on the topic:

Why this still comes up, year after year, is a mystery to me. In fact, this year my Facebook feeds have been flooded with this particular piece of digital dung:

A better way to say this is “It’s not Happy Holidays, it’s Merry Christmas if you are Christian.” From this christianwebsite.com article, 31% of the world’s 7.8 billion people identify as Christian. That means that 69% of the world’s population is not Christian and that 69% identifies with some other religion or worldview, whether a different theistic religion or a completely secular system of beliefs. It’s possible even some of that 31% don’t observe the current, modern, commercialized version of Christmas, and some of the other 69% observe the general “spirit of Christmas” as an occasion of exchanging gifts and similar festivities, and go along with continuing to call it Christmas to avoid “making waves”. Indeed, the past posts where I discuss the so-called “war on Christmas” show just how volatile this situation has been in years past.

I think I said it best back in 2013, the last of the posts linked above (with a couple of potential errors which I will note below):

I usually say “Happy Holidays” and I do so to include everyone, whether they observe Yule, Litha, Christmas, Kwanzaa, Hanukkah, Zarathosht Diso, Grav-Mass, Saturnalia, or something else entirely. To many non-Christians, “Merry Christmas” has about as much meaning as “Happy Yule” or “Io Saturnalia” does to Christians. Seriously, try wishing someone “Happy Yule” or “Io Saturnalia” and see how they react.

This, by the way, is nowhere near an exhaustive list. Indeed, the secular/atheist/humanist gathering I recently attended branded itself as a “winter solstice party” which is not on this list as such. (That particular party, by the way, was a great excuse to try a Moscow Mule, which is now my favorite cocktail at least for the moment.)

Regarding the apparent errors:

  1. Apparently the correct name/spelling of the Zoroastrian winter holiday is Zartosht No-Diso. I’m not sure where I got the original from.
  2. Litha perhaps shouldn’t be on this list as it is a midsummer festival, though perhaps it may be observed by pagans and others in December in the Southern Hemisphere (Australia, most of South America and Africa, etc). I have retained it for the moment with that note.

While it is still as of now a work in progress, the current version of what I intend to be a near-exhaustive list of late November to early January winter holidays reads as follows:

  • Christmas, Christians (including Protestant denominations and Catholics), December 25
  • Kwanzaa, African diaspora, December 26 – January 1
  • Hanukkah, Jewish, 25th of Kislev on the Hebrew calendar (November/December)
  • St. Lucia’s Day, Sweden/Norway/Finland, December 13
  • Las Posadas, Mexican, December 16-24
  • St. Nicholas Day, northern Europe, December 6
  • Mardi Gras, January 6
  • Boxing Day, UK/Europe, December 26
  • Yule, Germanic pagan origin but observed by some modern pagans and LaVeyan Satanists, usually December 25
  • Grav-mass (Isaac Newton’s birthday), December 25
  • Yaldā Night/Chelle Night, Persian origin, Iran/Iraqi Kurdistan/Afghanistan/Azerbaijan/Turkiye, December 20, 21, or 22 (winter solstice)
  • Quaid-e-Azam’s Day/Jinnah’s Birthday, Pakistan, December 25 (may be observed alongside Christmas)
  • Chalica, Unitarian Universalists, seven days starting with the first Monday in December (some observe a seven-week variant starting in January)
  • Zartosht No-Diso, Zoroastrians, December 26
  • Litha, neo-pagans in the Southern Hemisphere, December 25 (unconfirmed)
  • Saturnalia, ancient Roman origins with modern observance unknown, December 17-23

There are undoubtedly others, and I look forward to finding new entries to this list for next year.

In closing, happy holidays and merry wishes to all. I am looking forward to an even better year in 2024.

On the Liquid Death “Armless Palmer” controversy

As reported by many outlets, including this article on The Sports Room, the relatively well known canned water/drink brand Liquid Death was at the center of a controversy and legal dispute. The dispute centered around the name of one of their drinks, a hybrid of lemonade and iced tea, commonly known as an “Arnold Palmer” after the late legendary golfer of the same name. Liquid Death called their take on the drink an “Armless Palmer” in line with the other drink flavor names under their brand such as “Grim Leafer”, “Rest In Peach”, “Convicted Melon”, and “Berry It Alive”.

Well, turns out that the late golfer’s name for this combination is a licensed trademark, specifically licensed by Arizona Beverage Company, one of the companies competing against Liquid Death. Not surprisingly, neither Arizona nor those in charge of Arnold Palmer’s estate were very happy about seeing this parody/trademark infringement on the shelves of local stores. They threatened legal action to defend the trademark. Now I don’t fault them for this, as trademarks have to be legally defended or they risk being lost.

And then came Liquid Death’s response to the legal threat. Obviously, they are not going to discontinue the product entirely. No, Liquid Death just came up with a new name for it. Enter “Dead Billionaire”. A great way to keep the branding on theme, yet an ever-so-subtle middle finger at the competitors threatening legal action. Note that Liquid Death takes a bit of poetic license here, as according to the Wikipedia article about Arnold Palmer, his estate was worth only $875 million at the time of his death. Close enough, I say; his name as a beverage trademark has almost certainly brought in the difference since then.

I don’t usually drink tea-and-lemonade blend beverages, regardless of name, but I may well pick up one of these to see what it’s like.

(Full disclosure: within the last 12 months, I did do some merchandising work for Liquid Death. The reference photo above was not taken at the store where I did the merchandising.)