Let’s Encrypt Apache With Multiple Virtual Host Files – Version 2

Back in January I wrote an article about using Let’s Encrypt with Multiple Virtual Host Files and now I know a better way to do it. The problem I ran into was the script throwing an error when renewing the certificate.  After a little research the easiest way to get a robust installation is to follow Erika Heidi‘s instructions in How to Set Up Let’s Encrypt Certificates for Multiple Apache Virtual Hosts on Ubuntu 14.04. Now the script to renew the certificate works.

I found two problems that might people trying to implement SSL.

  1. The script kept generating a message saying, “No vhost exists with servername”. for two of my sites. When I looked into my site configuration file I found that I was still using a VirtualHost section to re-direct www.wehuberconsultingllc.com to wehuberconsultingllc.com. The script was upset that I had multiple VirtualHosts for the site. If I added a ServerAlias for the www address in the first VirtualHost section and deleted the extra VirtualHost section from my vhost configuration file, the script would find the site and create the certificate.
  2. When you are managing multiple WordPress sites I like to update the plugins via wordpress.com. The problem is that as soon as I implemented mandatory SSL for a WordPress site, Jetpack was no longer able to fetch plugin status and instead displayed the “error fetching plugins” message. After a lot of fiddling around I figured out that I could fix this problem by going to the Settings-General menu and changing the URL for the blog to https.

Fixing WordPress SEO Sitemap Problems

I decided to switch over to WordPress SEO(Yoast) yesterday and ran into a slew of problems with their sitemap generator, a 404 error, a blank screen, and a sitemap.xml not being properly re-directed to the new sitemap_index.xml. The first problem led me to this Yoast knowledge base article, My sitemap is giving a 404 error, what should I do? I fixed the first problem by adding the code to my .htaccess file. To fix the last two problems I added the RewriteRules for the xsl statement(Line 8) and the sitemap.xml(Line 5). Now both sitemap.xml and sitemap_index.xml are being properly redirected and formatted. My Google Webmaster Tools is happy!

Note: The code below is for a WordPress blog in a sub-directory called wordpress.

# WordPress SEO - XML Sitemap Rewrite Fix
RewriteEngine On
RewriteBase /wordpress/
RewriteRule ^sitemap_index.xml$ /wordpress/index.php?sitemap=1 [L]
RewriteRule ^sitemap.xml$ /wordpress/index.php?sitemap=1 [L]
RewriteRule ^([^/]+?)-sitemap([0-9]+)?.xml$ /wordpress/index.php?sitemap=$1&sitemap_n=$2 [L]
# This rewrite ensures that the styles are available for styling the generated sitemap.
RewriteRule ^/([a-z]+)?-?sitemap\.xsl$ /wordpress/index.php?xsl=$1 last;
# END WordPress SEO - XML Sitemap Rewrite Fix

How To Migrate WordPress from Shared Hosting to a Cloud Server with Zero Downtime

Background

I have been a customer for several years and generally speaking I have been pleased with the services I got from Bluehost. Recently I noticed some annoying variability in response time which appeared to be directly related to the shared host arrangement. I did a little shopping and found that for almost the same monthly price I could get a virtual server at DigitalOcean.

Objective

My primary objective was to migrate two shared host WordPress blogs and an open source web-based news feed (RSS/Atom) reader called Tiny Tiny RSS from Bluehost to a virtual server at DigitalOcean. A secondary objective was to replace my web analytics with Piwik.

My Plan

My plan was to follow the DigitalOcean tutorial, How To Migrate WordPress from Shared Hosting to a Cloud Server with Zero Downtime, with a couple of changes. The tutorial was written for Ubuntu 12.04 LTS and I would be installed 14.04 LTS. Since I am a Windows guy I would be using Putty for SSH sessions and WinSCP to transfer files.

Step 1. Create a Backup

The biggest change I made in this step was to backup of the entire WordPress folder. Several services asked me to put little files in the root directory as part of the approval process. I also have a customized .htaccess file. Since my copies of WordPress are up to date, it was easier and faster to copy over the entire folder.

Step 2. Set Up the Cloud Server with LAMP Stack

Here :

  1. I followed the first four steps of the tutorial, Initial server setup for Ubuntu 14.04, but if I had to do it over again I would go ahead and configure ssh to restrict root login and explicitly permit certain users. Considering how many folks will be trying to break into your server, you might as start locking down the server.
  2. Next I followed the tutorial, How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu 14.04.
Step 3. Install WordPress

Since I was going to restore the entire WordPress folder I skipped this step.

Step 4. Create a Virtual Host

In this step I started to follow the tutorial, How To Set Up Multiple WordPress Sites on a Single Ubuntu VPS. In my case I was going to use a wordpress folder under the default directory for the main blog and a second folder under www for the second blog. I created two virtual host files, yourdomain.com.conf and yourdomain1.com.conf, for my two blogs. The original tutorial omitted the conf extension.

Step 5. Restore Database and Files

This is when I learned the most important lesson. My first Mysql backups were incomplete or bad when I tried to load them. I had poor results trying to load compressed files. So I made it simpler.

  1. I saved the Mysql backups to a temporary folder
  2. I compressed them.
  3. I transferred them to the new server.
  4. I uncompressed them.
  5. I created the database and user.
  6. I loaded the uncompressed file.

To restore the WordPress files :

  1. I transferred the compressed file to the server.
  2. I uncompressed the file in the home directory.
  3. I copied the files to the web server using:
    sudo rsync -avP wordpress/ /var/www/html/wordpress/ 
    sudo rsync -avP firstsite/ /var/www/firstsite/
  4. Give ownership of the directories to the Apache web user and then add your linux username to the web group:
    sudo chown www-data:www-data * -R
    sudo usermod -a -G www-data linux_user_name
  5. Configure each wp-config.php with the new Mysql usernames and passwords for the databases you just loaded.
  6. This is a good time to make sure that the WordPress permissions are set correctly.
    sudo find . -type f -exec chmod 644 {} +
    sudo find . -type d -exec chmod 755 {} +
    sudo chmod 600 wp-config.php
Step 6. Test your Blog

For me everything worked except for mail and some hard coded links in the widgets. To solve the mail problem I installed the wordpress plugin, WP-Mail-SMTP, and sSMTP for a simple and lightweight MTA for the system messages. All of my messages are sent through Gmail.

Step 7. Update Your DNS Settings

If you are using a CDN like Cloudflare that is linked to your Bluehost account, this would be good time to deactivate it. I did not and the response time was all over the map for a day.

Step 8. Install phpMyAdmin, Piwik, Fail2Ban, and Logwatch
  1. I did not need to install phpMyAdmin but DigitalOcean does have a pretty simple tutorial showing how to install it.
  2. I was originally planning to install Awstats but Piwik looked like a better choice. The 5-minute Piwik Installation was easy.
  3. After a little browsing of the auth.log it was easy to see that there was too much SSH traffic that was not originating from me so the solution was to follow this tutorial, How To Install and Use Fail2ban on Ubuntu 14.04. After running Fail2Ban for a couple days it became apparent that I needed to permanently ban some folks. I followed the tutorial, Permanently Ban Repeat Offenders With FAIL2BAN.
  4. Obviously I needed to look at the log files on a daily basis until I get this SSH hacking under control. The solution in this case was this tutorial, How To Install and Use Logwatch Log Analyzer and Reporter on a VPS.
  5. The first thing I noticed from looking at the authentication failures in the pam_unix section was that some of the folks were spacing out their probes to get around the default settings for Fail2Ban. So I expanded the findtime and bantime and maxretry. This caught some more hackers but it still was missing some others.  So I brushed up on my grep, awk, and bash coding to find the worst of the bunch and ban them. Sorry China! There is something odd about restarting Faile2Ban.  It looked it was working but it was not banning IPs I thought it should. Sure enough when I rebooted the server it would read the log file and immediately ban the IP.
Step 9. Take a Snapshot and Project Wrap-up

At this point I can say that the migration is complete. The sites are working and I fixed all of the configuration issues that showed up in the log files.  The response time for the sites is much faster than on the shared host even though I added another application, Piwik. It looks like I can easily support another blog. I have another blog with a renewal date a couple of months from now.

The last thing to do was to take a snapshot or backup. So I took a manual snapshot as outlined in this tutorial,

How To Use DigitalOcean Snapshots to Automatically Backup your Droplets, and it took about five minutes to complete.

For fun I charted the IPs I had already banned by country.

 

BannedIPs

Publicize for Admin and Editor only

I think I found a bug in the Jetpack plugin for WordPress that is stopping me from publicizing my posts to social media sites. It worked under version 2.8 but was broken in 2.9. When I go back to the 2.8 version of publicize it works so why did they change the code? I am guessing but it looks like they fixed the problem with "Publicize for Admin and Editor only" they created a new problem with publicizing posts created using Live Writer and maybe other methods. Here is the code I am talking about.

304,308d303
< 				if ( false == apply_filters( 'wpas_submit_post?', $submit_post, $post_id, $service_name, $connection_data ) ) {
< 					delete_post_meta( $post_id, $this->PENDING );
< 					continue;
< 				}
<
312a308,312
>
> 				if ( false == apply_filters( 'wpas_submit_post?', $submit_post, $post_id, $service_name, $connection_data ) ) {
> 					update_post_meta( $post_id, $this->POST_SKIP . $unique_id, 1 );
> 					continue;
> 				}

Integrating Twitter Summary Cards Into Your Blog Using Jetpack And All In One SEO

Recently I was wondering why some tweets had extra graphic images in them. It looked like someone had figured out how to create a tweet from a blog post and include first image from the post in the tweet. That looked pretty cool. Here is an example.

2014-03-04 15_26_46-alazycowboy

There are two tricks here. The first trick is configure Jetpack to publicize your post via Twitter. With Jetpack you can publicize your posts to several social media sites such as Facebook, Google+, and LinkedIn. Click here for more information on using Publicize. This will get you the standard tweet format. That is okay but I wanted the tweet with more information and graphics in it. To get that format you have to use Twitter Cards and get it approved by Twitter. Here is the Twitter information on configuring Jetpack. There are several Twitter Card formats to choose from and I chose the Summary Card. The next trick is find the plugin that generates the correct meta data for Twitter, validate the card, and apply for approval. I tried several different plugins with varying degrees of success of getting the first image in the post into the tweet. Then I discovered that the best plugin to generate twitter meta data was one I already had installed, All In One SEO Pack. All I had to do was to activate the Social Meta feature and configure it. The changes I made were:

  1. I set Select OG:Image Source to “First Image in Content” to see the first image from the post.
  2. I deleted the default content in Default OG:Image to get rid of the default image.

When I was happy with the layout of the Summary Card preview, I applied for approval. I read somewhere that it takes up to 72 hours to get approved but my approvals arrived within a few minutes. Enjoy!

How Did I Miss Knowing About WordPress Jetpack?

I was playing around with the WordPress app on my Android phone when it told me to install Jetpack if I wanted to see statistics on my phone. This has been a long time annoyance of mine. You could only see statistics with the Android app if you hosted your blog on wordpress.com. To make up for this deficiency I installed a couple of web statistics plugins. So I thought why not one more. I already had a WordPress.com userid. So I went back to my laptop, installed the plugin, and connected to wordpress.com. To my surprise there were 31 features that I could enable with Jetpack and some of these features were interesting. Since there are so many new features I opted to start off small and connect my blog with my Twitter, LinkedIn, and Google+ accounts. Let’s see what happens when I publish this post.

IIS, MySQL, WordPress, and The Famous 5-Minute Installation

Yesterday I was upgrading some programs on my home laptop and realized I had an old version of MySQL, 5.1. The current version is 5.6. The 5.1 version of MySQL was installed when I used Microsoft’s Web Platform Installer to install a test WordPress blog. This is a really easy way to checkout software when it works so I set out to upgrade MySQL to the latest version. Surprisingly there is no way to upgrade or remove MySQL using the Web Platform Installer. So I downloaded the community upgrade from www.mysql.com and ran the upgrade. It did not work. I kept getting an unhandled exception error message during the upgrade. Since I did not have any important information in the data base I uninstalled the current version and installed the 5.6 version. Now MySQL is working but I kept getting password errors when I tried to install a new blog using either the Web Platform Installer or Microsoft’s WebMatrix. So I did a complete MySQL reinstall using these instructions for Windows 7 from serverfault.com.

  1. Uninstall MySQL using the uninstaller.
  2. Delete C:\Program Files\MySQL
  3. Delete C:\Program Files (x86)\MySQL
  4. Delete C:\ProgramData\MySQL
  5. Delete from any Users’ AppData folders. Example: C:\Users\rdoverby\AppData\Roaming\MySQL
  6. Reinstall MySQL

This did not fix my problems with Web Platform Installer or WebMatrix. Since I had phpMyAdmin working under IIS and a working version of MySQL, I opted to try “The Famous 5-Minute Installation”. I copied an old WordPress installation to a new folder, followed the instructions, and in about five minutes I had a new WordPress blog working on my laptop.

WordPress › WordPress Automatic upgrade « WordPress Plugins

I have been using this plugin for almost a year. When it works it is great! When I upgraded to WordPress 2.5 I started having a problem with the final two steps, reactivating the plugins and going to the final page. Before I could activate the plugins I had to upgrade the data base. Then I had to log back in to the blog. At this point the automatic plugin was lost and gave me a screen with "Are you sure you want to do this?" All the plugin could do at this point was to clean up the installation. I had to manually activate my plugins.

Today I figured out that if I remove the wp_nonce stuff at the end of the line I could get the automatic upgrade plugin to continue. Wp_nonce is a security feature. I think it is primarily used with forms but it can be used with links. About the only source on this function is the Writing Secure WordPress Plugins post by David Kierznowski. I think when I have to log back into WordPress, wp_nonce thinks I am breaking in and slams the door shut. From a plugin design standpoint I am not sure there is a need for this type of security at this point since all I want to do is activate my plugins and get my log report. I guess I will comment out lines 392-394 so the plugin will work.

WordPress › WordPress Automatic upgrade « WordPress Plugins

Cutline 1.3 Released | Cutline Theme for WordPress

I upgraded to WordPress 2.5.1 today and my old theme broke. I have been looking at Cutline for some time but I have not been motivated enough to commit the time.  Today I had the motivation. I am really pleased that I had it ready to go in about thirty minutes.

Cutline 1.3 Released | Cutline Theme for WordPress

WordPress 2.5 Secret_Key Vulnerability

Wow, I did not know about this security feature in 2.5.  I did not have the ‘SECRET_KEY’ defined since my WordPress sites were upgrades. Since I prefer to follow the Secure WordPress recommendations and missed that section in the paper, I added a random key to all of my sites. The key does not cause any ill effects. Read the original post, WordPress 2.5 Secret_Key Vulnerability, for more details.

BlogSecurity » Blog Archive » WPIDS v0.1.2 officially released

Recently while upgrading my WordPress blogs I installed WPIDS 0.1.2. WPIDS is a Intrusion Protection System, which is based upon the Intrusion Detection System PHPIDS. It is a nice plugin for those curious about WordPress security. In theory this should improve the security of my blogs.

For the last couple of days I have been monitoring its log. So far I have not found any false positives. It looks like it is blocking some comment spam. Most of my comment spam is caught by Akismet.

I am kind of fascinated with this plugin.  If the developers are looking for ideas, it would be nice if:

  1. It would tell me if there is a new filter available. I am not sure how often the filter is updated but with a little modification the plugin could update the file directly. WordPress would like updated plugins to be updated on their web site. An updated the revision number for the plugin would appear in the plugin panel. In a perfect world the use could then update the plugin automatically.
  2. The search stats button overlaid the standard report onto the admin page for the plugin. It is not very useful in this format.
  3. It would be nice if the report said why the bad request was blocked. I have several blocked requests showing something called “__utmz” in the tag field.
  4. It would be nice to download the report as a csv file.
  5. It would be nice to have a summary report by type of blocked request.

WordPress 2.5

I installed WordPress 2.5 last Saturday on all of the blogs I support. It had passed some preliminary testing on my development blog so I installed it. It is supposed to have increased security, better administrative panels, and the ability to upgrade plugins automatically. They say there are very few changes that will affect the plugins. It sounded like a safe upgrade so I upgraded. After a little testing I found that ImageManager 2.4.1 did not work at all. I am not sure when it stopped working since I do not use it often and I have alternatives.

While I was at it I did a little spring cleaning. I changed the blog to not use the www subdomain, changed the .htaccess file, changed the blog to use a more descriptive permalink, removed the register feature from the meta widget, and got rid of several old inactive plugins.

Automated WordPress Hacking Tool Cached by Google

I just finished checking my WordPress sites with both a dork and a FTP. Google says that there 29,000 infected sites. I guess that I was left out of the party since my WordPress sites are at the most recent stable release.

Cyberinsecure recently posted details of an automated WordPress hacking tool that is doing the rounds. This malicious worm or program appears to create the directory, "wp-content/1/" as well as spam comments:

The blogs are most likely attacked by some kind of automated tool since the amounts of spam are too big to work manually on all those spam pages creation. It seems there are also spam comments in posts as well. Spam comments are pointing to internal infected blog pages in folder “1″ to get them spidered and to get people to visit them.

Smackdown also has a nice blog entry about this issue.

Automated WordPress Hacking Tool Cached by Google
DK
Wed, 26 Mar 2008 23:52:40 GMT

BlogSecurity » Blog Archive » WordPress Scanner

Last night I used the WordPress Scanner on two of my blogs and I got this message.

dangerous-check-[0] PHP configuration file found in http://www.somewebsite.com/

I guess it is complaining about the fact that I have a php.ini file. I guess there is a security implication I am do not know about. I googled php.ini and security and I did not get any hits. Can anybody provide me with some insight on the security issue?

BlogSecurity » Blog Archive » WordPress Scanner

WordPress › Blog » 2.5 Sneak Peek

Since I have a local WordPress blog for my development work, this was a no-brainer. I let Subversion do the hard work. I tried the revised admin panels since they have changed significantly. It was nice to know that my theme and my plugins seem to work fine. So far this upgrade looks pretty solid.

  1. Since I have recently been looking at easy ways to use Flickr images and create image galleries, I was curious how the improved media gallery works. After playing with the insert image and media gallery, I am still trying to figure out how the media gallery works. I guess it is a work in progress. The Gallery and Media Library tabs do not seem to do anything.
  2. It was not obvious how one creates an avatar either.
  3. I tried to automatically update the PhotoXhibit and Database Backup plugins and it did not work.

WordPress › Blog » 2.5 Sneak Peek

WPDesigner » WordPress Theme Checklist

Here is a handy checklist for people creating or modifying WordPress themes.

Note: The following checklist was based on WordPress 2.0. Since WordPress 2.1, WordPress has replaced and introduced new template tags.

Files, functions, and to-dos you need to check-off before using / publishing your own unique WordPress theme:

Files and Templates
  • 404.php
  • archive.php
  • category.php
  • comments.php
  • footer.php
  • functions.php (for widget-ready sidebar)
  • header.php
  • index.php
  • page.php
  • search.php
  • searchform.php
  • sidebar.php
  • single.php
  • screenshot.png / .jpg / .gif
  • style.css
  • readme.txt (optional)
Header.php
  • Blog’s Title
  • Blog’s Description
Footer.php
  • wp_footer()
  • Footer text and links (usually, copyright message)
Sidebar.php
  • Search form – Does the regular search form match the widget search form?
  • Pages / wp_list_pages() – Have you styled the second level links? Third level links?
  • Categories / wp_list_cats() – Sort by name or ID? In what order? Is hierarchical turned off or on?
  • Archives
  • Calendar – Does the regular calendar match the widget calendar?
  • Links / get_links_list()
  • Meta: wp_register(), wp_loginout(), wp_meta()
Index.php, Archive.php, Category.php, Search.php, Page.php, Single.php
  • the_ID()
  • Post title: the_permalink, the_title()
  • the_content
  • Postmetadata: edit_post_link(), comments_popup_link(), the_author(), the_category(), the_time(),
  • trackback_rdf() [hidden]
  • posts_nav_link() – Next/Previous page links
  • Else – What to display when there is no content.
Archive.php, Search.php
  • the_excerpt() replaces the_content()
Page.php
  • link_pages()
  • Remove Postmetadata
  • Keep edit_post_link()
  • Remove posts_nav_link()
  • comments_template()
Single.php
  • link_pages()
  • Remove comments_popup_link()
  • comments_template()
Comments.php
  • Comments list
  • Comment forms and textarea
  • ‘No comments’ message
  • ‘Comments awaiting moderation’ message
  • ‘Must login’ message
  • ‘Password protected’ message
  • Comments off message
Pages to Validate
  • Home page
  • Archive pages
  • Category pages (if you customize category pages)
  • Search result pages
  • Pages (i.e: About)
  • Single post view page
  • Single post with no comments
  • Single post with comments
  • Single post with must login message
  • Single post with no login required message
  • Password protected single post with comments

Note: This is not an end-all checklist. It covers just the basics. More items will be added.

WPDesigner » WordPress Theme Checklist

Top 10 WordPress CMS Plugins | Blueprint Design Studio

From the Blueprint Design Studio we get this list of WordPress CMS plugins. I can vouch for Cforms II and Google Sitemap Generator since I already use them. I am definitely going to check the rest of them.

  1. Cforms II – This is far and away the best contact form plugin there is. The reason? configurability. You can easy build literally anything with it. We’ve built out employment application forms, wedding checklists, and more for clients. It also drives our own quote form. There’s also built in spam protection, via question and answer or captcha. by delicious days
  2. WP e-Commerce – Unlike cforms, this plugin has no competition. It provides an easy to manage storefront and shopping cart as an integral part of your wordpress installation. It includes the ability to sell digital downloads as well, which is great for photographers, musicians, and authors. By default it includes support for PayPal, although the $29.99 fee for the authorize.net module will pay for itself in lower fees for most serious e-Commerce sites. by Instinct Entertainment
  3. Search Everything – Since most of the sites we develop focus more on their static content than on their blog posts, this plugin is essential for allowing users to search your entire site without leaving your site and relying on google. by Dan Cameron
  4. Google Sitemap Generator – The biggest benefit of using wordpress is the manual labor you save because the software already knows where all of your content is. This Plugin submits a comprehensive index of your site to google, yahoo, MSN Live, and Ask.com every time you update your site. It’s a huge boost to your site’s SEO. by Arne Brachhold
  5. Subscribe2 – Subscribe2 is a newsletter plugin for your site. It allows you to create newsletters and manage subscribers within your WordPress Dashboard. It also allows you to email subscribers when you post a blog entry, which allows you to have a permanent copy of the newsletter that you can refer people to. plugin homepage
  6. Event Calendar 3 – There are a ton of event plugins out there. This is the best & most integrated one we’ve used. It provides an iCal feed, in addition to the standard RSS feed. Since the events are created as Blog posts, it’s easy to integrate them into your site. by Alex Tingle
  7. Page Links To – by far the simplest plugin on this list, This plugin allows you to create “pages” that link to something else. It’s the easiest way to add links to your main menu, without mucking around in code. It’s good for adding a link to an external photography portfolio, for example. You could also use it to link to sections of a page, rather than an entirely seperate page, which could be useful for linking to sections of a restaurant menu, or other small sections of a larger page. by Mark Jaquith
  8. TinyMCE Advanced – I’ve posted a lot about using this plugin. It was referred to me by Jim Burke from TSG Real Estate, who needed a way to easily add classes to blockquotes, tables, and images. The plugin also does a great job of making tables work well with WordPress posts. plugin homepage
  9. XSPF_Player – As much as I’m not a fan of auto-playing music on websites, This MP3 player makes it easy to manage playlists, cover art, and artist links. It’s a great way for music venues to highlight upcoming shows. Used in conjunction with Event Calendar, you can make the track link lead to the post for their upcoming show, all of which is easily manageable from your WordPress dashboard. by Boriel
  10. pageMash – I just posted about this, but it’s worth mentioning again. This plugin makes it very easy to put your pages in order, without having to edit every page individually. by Joel Starnes

Top 10 WordPress CMS Plugins | Blueprint Design Studio

Options WordPress Theme: What WordPress themes should be like

A magazine theme with some interesting ideas. I do not know if I am going to use it but I may use an idea or two. Nice work Alessandro!

Options WordPress Theme: What WordPress themes should be like
alessssandro
Sun, 09 Mar 2008 09:30:00 GMT

Javascript Code Highlighter: Chili vs SyntaxHighlighter :: PseudoCoder.com

Today I tried to get Chili to work on this blog. I post code occasionally and Chili was appealing to me since it uses jQuery for most of the heavy lifting. I was hopeful that Chili would be quick and incrementally increase the amount of JavaScript downloaded. Chili didn’t work for me. It had syntax errors in the JavaScript. My debugging skills were not finding any quick answers so I decided to give plan SyntaxHighlighter a try.

From the post it looked like SyntaxHighlighter was going to be a bear to install so I decided to check the WordPress plugins web site for possible alternatives. Guess what I found, SyntaxHighlighter-Plus! This recently updated plugin uses the SyntaxHighlighter JavaScript package by Alex Gorbatchev and makes installing a syntax highlighter a snap. The instructions are a little sparse on how to use it but I converted several existing code snippets to use the plugin. They looked good after I figured out how to get around the automatic encoding of HTML entities. The first time the editor encodes those special characters it was nice. The less than character becomes &lt;. The second time it encodes the characters, it created a mess. The less than character becomes &amp;lt;. I guess I should turn off the visual editor again. I also had to hand tune the CSS to get around some alignment issues.

Overall I give the plugin a thumbs up based on ease of installation and the light load it added, ~25K bytes. Editing a post is still a problem but I can work around that problem.

Javascript Code Highlighter: Chili vs SyntaxHighlighter :: PseudoCoder.com