2008-09-29 22:15

Abandon WordPress despite the complexity of mod_rewrite

It was during my recent quality audit of my blog posts that I noticed in the “Entry Body” of my post about 1984, a series of links to a site called frostwire.com, 77 of them to be precise, each with a slightly different pharmaceutically themed query string. I couldn’t remember ever choosing to visit this site, or wanting to give people 77 different links to it, nor did I even know what for example dexfenfluramine was, let alone want to encourage people to buy some. If I had, in a moment of madness, decided that visitors to my blog did want these links, then I had gone about it the wrong way, because they were not visible on the post itself. This is because the links were all contained within a

First I was a little worried that this had been the result of a security flaw in Serendipity, as I had not noticed the problem while using WordPress, but looking at a backup from my WordPress days allayed these suspicions and confirmed that the attack had happened before I switched to this better blogging software. While I was doing this investigation, I also checked an old and the current database for other instances of spam like this, fortunately finding none.

Intrigued as to the details of this attack, though, I googled around a bit and found an entry by a fellow blogger who only found out they had been a victim when Google had sent them an email about it. Of course even Free software can have security bugs, but when a project makes release after release with critical security flaws in, which are getting exploited almost immediately, you have to start wondering whether members of the project are actually getting paid a share of the proceeds from this spam. Why is WordPress so keen for you to keep the version number of their software in the

mod_rewrite

Despite the obviously right choice to move from WordPress to Serendipity, there were challenges along the way.
I had thought these problems were now behind me, but some missing functionality of the URL scheme that Serendipity was using, or just its inelegance, caused me to go back and look at the “URL Rewriting” section of my configuration. I had originally turned off the mod_rewrite mode, because of some perceived incompatibility with my migration process, but I’m sure I had intended to revisit this decision later. Having found that Google had updated all the links to my archives by following the hand-crafted mod_rewrite rule I had added, it seemed like the right time to perform another smaller migration to a URL scheme I settle on.

Under WordPress, the URLs ended blog/?p=$id or blog/archives/$id, and my rewrite rule had taken these to blog/index.php?/archives/post-$id.html. My new rule, then, had to take these links and redirect them to the URLs Serendipity was now using, of the form blog/archives/$id but this proved to be difficult.

The official documentation is almost without value for trying to solve practical problems, unless you already have years of experience (which I do, and it’s still not useful). Much better for beginners is a page with practical, explained examples (and if that page has a friendly URL then that’s a good indication).

The difficulty, though, was writing a rule which matched on the query string of an incoming request, and used that to generate a URL that didn’t have a query string. After trying various double-redirect setups, and causing a few infinite loops, I found some instructions which, while complicated, showed how to capture a regular expression from the query string using RewriteCond and put that in the output of a rewrite rule. Moreover, this complicated page explained how to “Delete the Query String” which I didn’t even know was possible and is certainly not standard advice. It seems bizarre and almost arbitrary that if you add just a ?
after a file name in a mod_rewrite rule then the rule will remove the query string, including the question mark itself, but I suppose that’s the nicest way to produce this result. The final rule, then, looks like this:

    RewriteBase /~hagfish/blog/
    RewriteCond %{QUERY_STRING} archives/post-([0-9]+).html
    RewriteRule ^index.php.*$ archives/%1? [R,L]

Now that I understand mod_rewrite, does that mean Apache won’t cause me any more trouble? Not even with VirtualHost rules? Not even as discussed in my next blog post?
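
The database check described in the first part of this post can be scripted. The following is an added example, not code from the original post: it flags any post body carrying many links to a single external host, without assuming how the links were hidden. OWN_HOSTS, THRESHOLD and the sample posts are assumptions constructed for illustration.

```python
# Added example, not from the original post: flag posts with many links to one external host.
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

OWN_HOSTS = {"blog.example.org"}  # assumption: hosts the blog itself is served from
THRESHOLD = 10                    # assumption: links to one host before flagging

class LinkCollector(HTMLParser):
    """Collect every <a href> value; rendering and CSS are deliberately ignored."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def external_link_counts(body):
    """Return {host: (link_count, distinct_query_strings)} for external links."""
    parser = LinkCollector()
    parser.feed(body)
    seen = defaultdict(lambda: [0, set()])
    for href in parser.hrefs:
        try:
            parts = urlsplit(href.strip())
        except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
            continue
        host = (parts.hostname or "").lower()
        if host and host not in OWN_HOSTS:  # relative links have no host
            seen[host][0] += 1
            seen[host][1].add(parts.query)
    return {h: (n, len(q)) for h, (n, q) in seen.items()}

def suspicious_posts(posts, threshold=THRESHOLD):
    """posts: iterable of (post_id, body) -> [(post_id, host, links, queries)]."""
    return [(pid, host, n, q) for pid, body in posts
            for host, (n, q) in sorted(external_link_counts(body).items())
            if n >= threshold]

# Constructed sample data: post 1 is ordinary, post 2 mimics the injected block.
SAMPLE_POSTS = [
    (1, '<p>See <a href="http://example.com/review">this review</a>.</p>'),
    (2, "<p>Real text.</p>" + "".join(
        '<a href="http://spam.example/?q=drug%d">x</a>' % i for i in range(77))),
]

if __name__ == "__main__":
    print(suspicious_posts(SAMPLE_POSTS))
```

Feed it the (id, body) rows exported from the blog's entries table, for both the current database and any backups, so the first backup that contains the injected block can be dated.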