WPEngine Authentication Issues

August 24th, 2017

Over the past few months I’ve received a handful of support inquiries from MarsEdit customers who have trouble logging into their WPEngine-hosted WordPress blog, after initially typing the wrong username or password into MarsEdit’s authentication panel.

Normally when MarsEdit tries to connect to a blog, it reacts to authentication failures by putting up a simple panel prompting for a username and password. In some cases, where the authentication challenge seems to be coming from a higher level than the blog itself, MarsEdit prompts with a different panel, suitable for supplying HTTP protocol-level authentication.

MarsEdit distinguishes between WordPress-level authentication and HTTP-level authentication by the simple fact that WordPress always returns HTTP status 200, even when a user fails to authenticate. The failure to authenticate is expressed in a valid XMLRPC response, and since the response is valid, it warrants a 200 “Success” HTTP status result.

In the process of debugging this problem, I observed that some of my customers were getting authentication failure responses from their self-hosted WordPress blogs, in which the HTTP Status Code was not 200, but 403 instead. Slowly, but surely, I came to understand that each of these affected customers was running on WPEngine.

Finally, with the help of a customer who shared my eagerness to get to the bottom of the problem, I was able to trace the behavior to a custom WordPress plugin that is installed by WPEngine on behalf of all of their customers. It’s called the “wpengine-common” plugin. My customer was kind enough to send me a copy of the plugin files from within his WordPress installation. Guess what I found inside the plugin?

function wpe_login_failed_403() {

	// Don't 403 when the login comes 
	// through an Ajax request
	if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
		return;
	}

	status_header( 403 );
}
add_action( 'wp_login_failed', 'wpe_login_failed_403' );

This bit of code overrides the standard WordPress login failure, forcing a 403 status code when one occurs. From what I can gather, the intent is to raise the visibility of WordPress login failures so that security packages that monitor for attempts to break into sites can log the attempts and potentially warn users and/or WPEngine about the risk of an intrusion. That’s a great motive, but it has an undesirable consequence for clients of the WordPress API.

Any client of the WordPress API is liable to interpret a 403 status code as an authentication failure outside the scope of WordPress itself. It may assume there is no blog at all to connect to, or it may assume, as MarsEdit does, that there is a second level of authentication required to gain access to the server, before gaining access to WordPress.

I don’t know what the ideal solution to this problem is, but it would be nice if WPEngine found another way to flag the potentially suspicious login attempts to their WordPress installations, that didn’t involve breaking the contract for how the WordPress XMLRPC API is supposed to behave. If you look again at the source code excerpt I pasted above, you’ll see there is a special case in place for “Ajax” requests. Presumably this is another use case where the unexpected 403 status response has caused trouble. In fact, if you Google for “wpe_login_failed_403”, you’ll find a number of simple WordPress plugins whose whole purpose is to disable the WPEngine 403 status behavior described here.
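A client can sidestep the ambiguity by inspecting the response body before trusting the status line: a well-formed XML-RPC fault means WordPress itself answered, even when the status has been forced to 403. The following is an added example, not MarsEdit's or WPEngine's code; the function names, the constructed sample bodies and the use of faultCode 403 for a failed WordPress login are assumptions.

```python
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Assumption: WordPress signals bad credentials with XML-RPC faultCode 403.
WP_BAD_LOGIN_FAULT = 403

# Constructed sample bodies (not captured from a real server).
FAULT_BODY = (
    "<methodResponse><fault><value><struct>"
    "<member><name>faultCode</name><value><int>403</int></value></member>"
    "<member><name>faultString</name>"
    "<value><string>Incorrect username or password.</string></value></member>"
    "</struct></value></fault></methodResponse>"
)
OK_BODY = ("<methodResponse><params><param><value><string>ok</string>"
           "</value></param></params></methodResponse>")
PROXY_403 = "<html><body><h1>403 Forbidden</h1></body></html>"

def parse_xmlrpc(body):
    """Return ('fault', Fault), ('result', None) or ('invalid', None)."""
    # XML-RPC never needs a DTD, so refuse entity-expansion input outright.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return "invalid", None
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return "fault", fault
    except (ExpatError, xmlrpc.client.Error, ValueError, TypeError):
        return "invalid", None
    return "result", None

def classify(status, body):
    """Decide which credential prompt, if any, a response calls for."""
    kind, fault = parse_xmlrpc(body)
    if kind == "fault":
        # A well-formed fault was produced by WordPress itself, whatever the
        # status line says: 200 on stock WordPress, 403 with the override.
        if fault.faultCode == WP_BAD_LOGIN_FAULT:
            return "wordpress-login"
        return "wordpress-fault"
    if status in (401, 403):
        return "http-auth"  # challenge from something in front of WordPress
    if status == 200 and kind == "result":
        return "ok"
    return "error"

if __name__ == "__main__":
    for s, b in [(200, FAULT_BODY), (403, FAULT_BODY), (403, PROXY_403)]:
        print(s, classify(s, b))
```

With this ordering, a 403 that carries a WordPress fault leads to the ordinary username and password prompt, and only a 401 or 403 without one is treated as a server-level challenge.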

I am planning to work around the issue in MarsEdit somehow, but in the meantime if you are a WPEngine customer who also uses MarsEdit, you may run into problems when/if you enter your credentials wrong, or you try to connect again from MarsEdit after changing your password. You’ll see a different login panel speaking of things such as “second level of authentication”. If you run into this, you can get back on track by manually entering your correct username and password:

  1. Click the blog in the left-hand side of MarsEdit’s main window.
  2. Hold the option key down while clicking the “Blog” menu item at the top of the screen.
  3. Select the “Enter Password…” menu item.
  4. Enter your correct WordPress username and password.

As long as the username and password that are stored by MarsEdit in the keychain are correct, you should be able to connect to your WPEngine-hosted WordPress blog without any issue. Whenever they are incorrect, until I implement a workaround, or until WPEngine changes their plugin behavior, you will need to work around the problem in this manner.

MarsEdit 4 Public Beta

June 28th, 2017

It’s been over 7 years since MarsEdit 3 was released. Typically I would like to maintain a schedule of releasing major upgrades every two to three years. This time, a variety of unexpected challenges led to a longer and longer delay.

The good news? MarsEdit 4 is finally shaping up. I plan to release the update later this year.

Beta Release Overview

Because the update contains many new features that my patient users have been waiting to get their hands on, I want to give folks the option of trying it out early. I think the beta release is very stable, but you’ll have to forgive a few rough edges while I finish things up. If you want to give it a spin, click this link:

Download the MarsEdit 4 Public Beta

The beta release supports Mac OS X 10.10 or greater, though final system requirements are not yet set in stone. Users who own an existing license to MarsEdit 3 can run the MarsEdit 4 beta for free until the final version is released. Customers who purchase a new MarsEdit 3 license from the Red Sweater Store between now and the final release will be entitled to a free upgrade to MarsEdit 4. Unfortunately, the Mac App Store does not accommodate free or discounted upgrades.

If you decide to install the beta, please join us in the Red Sweater Slack team to discuss the upcoming release. As always, I welcome bug reports and other feedback via email as well.

Beta Release Details

So, what’s new in MarsEdit 4? I will write in more detail when the final release is done, but here’s a high level list of some of the things that have been added in the update so far:

  • Editor Enhancements
    • Visual formatting bar – Select common formatting options with the mouse.
    • Typewriter Scrolling – View menu option to keep typing vertically centered.
    • Multimarkdown support – Enhanced functionality when previewing Markdown content.
    • Faster Preview filtering – Code-based Markdown and Convert Line Breaks filters.
    • Interactive image sizing – Rich text mode supports direct manipulation of image display size.
    • Improved “Split Post” UI – Splitter now presented inline in post content.
  • WordPress-specific enhancements
    • Faster refresh times.
    • Featured Image support.
    • Post Format support.
    • Per-post Author editing support.
  • Improved system integration. Now supports standard autosave and version history for locally saved drafts.
  • Expanded post downloads. WordPress and Blogspot blogs can now be configured to download the entire history of posts instead of a recent subset.
  • Automated preview templates. Click the “Download Template…” button from the template editor to automatically detect your blog’s theme.
  • Safari App Extension. Activate the “Send to MarsEdit” extension in Safari to easily create new drafts citing the page you are viewing.
  • Application Sandbox. The app is now sandboxed for increased security.

On top of all these, there are numerous smaller changes that you may notice and appreciate. Please let me know if you decide to try the app, what you like, what you don’t like, and I’ll do what I can to continue improving the app both for the 4.0 final release, and beyond!

Blogger’s Obfuscated IDs

April 4th, 2017

For years, MarsEdit was not able to upload directly to Google’s Blogger service. Instead, it had to upload to Google’s sibling service: Picasa Web Albums. Recently, Picasa has been folded into Google Photos, and in the course of the transition, Google has forbidden apps such as MarsEdit from creating albums on the service.

This left MarsEdit in a bind with respect to supporting image uploads for Blogger. The good news is Google added support for uploading directly to the Google Photos album that is used for Blogger images. Sort of…

MarsEdit 3.7.11 introduced the ability to upload directly to the Blogger photos album, and it seems to work flawlessly for many Blogger users. Unfortunately, it fails spectacularly for a subset of users. Specifically, if your Blogger user profile is set to use a “Blogger-specific” identity, you will not be able to upload images from MarsEdit. If, on the other hand, your Blogger profile is set to use a Google+ identity, everything should work fine.

The cause seems rooted in Blogger’s understanding that a “Blogger-specific” profile may be used for purely pseudonymous blogs. For this reason the information they share with MarsEdit includes a user ID that is not the user’s actual ID, but an “obfuscated ID.” When MarsEdit proceeds to use this ID to upload to Google Photos, the tell-tale error message is generated:

Can’t upload file for [your blog name] because the server reported an error: Invalid length for obfuscated ID "[your obfuscated ID]".

I’m not sure yet whether the obfuscated ID is meant to work but there is a bug in the Google Photos API. Ideally, that is the case and the Google Photos team could fix something on the server to get things working. On the other hand, it may be intentional that no client such as MarsEdit should be able to use one of these anonymized IDs to upload photos to Google.

The long and short of it is if you want to reliably upload photos from MarsEdit to a Blogger blog, you need to switch your blogging identity to a Google+ account. Google has documentation about this process, which also includes caveats about the implications of making the switch:

Change your profile on Blogger.

Existing MarsEdit users who had previously established a workflow of uploading images may already have a “MarsEdit Images” album among their Google Photos Albums. If so, you can achieve a short-term workaround by downgrading to MarsEdit 3.7.10, which will continue to try uploading to an existing MarsEdit Images album. Unfortunately, when this album reaches capacity, MarsEdit will not be able to create a new album.

I will continue tracking this issue while I weigh my options for additional workarounds. I am also in touch with some folks at Google and I hope they will have advice or devise a reliable means for MarsEdit to support image uploads regardless of the “identity” setting on a user’s Blogger account.

Diamond Anniversary

March 31st, 2017

Only after reflecting on the ten-year-old support for Blogger in MarsEdit, did I realize I had missed yet another important milestone in Red Sweater history:

February 22 marked the ten year anniversary of my acquisition of MarsEdit:

You read that right, no need to run for another cup of coffee. MarsEdit, the kick-ass, intuitive web-publishing powerhouse which I’ve been using to write entries here since I started blogging almost two years ago, is now part of the Red Sweater family of products. What an exciting day!

Where has the time gone? I sometimes despair at the relatively slow progress I seem to make in the development of all my software, MarsEdit included. On the other hand, looking back at the screenshot I included in that original post, it’s also easy to appreciate how much the app has evolved in the years since I’ve been developing it:

[Screenshot from the original post]

Wow. Well, first of all I’m writing this post on a Retina display, and I’m certainly hoping you are reading it on one. The first thing that jumps out is how fuzzy everything used to be. How did we live that way? Furthermore a number of key UI elements have been dramatically reworked just in the post editor interface alone. Let’s see how things look on the version of MarsEdit I’m running:

[Screenshot of the MarsEdit post editor in an as-yet unreleased version]

Now, to be fair, this is a screenshot from an as-yet unreleased version of MarsEdit, but the gist of the design is pretty close to the shipping MarsEdit 3.7.11. The main difference experienced MarsEdit users will notice is the addition of an icon formatting bar above the main text content. This little teaser is your reward for having read through the length of this post, and for helping me in celebrating my Diamond Anniversary with MarsEdit.