Release Music

Almost nobody knows that Drowning Pool’s “Bodies” is actually a song about code releases.

Let the bodies hit the floor – let’s release
Let the bodies hit the floor – git checkout staging
Let the bodies hit the floor – git merge origin/dev
Let the bodies hit the… FLOOR! – git push –force

Beaten… why for? – tests are not passing
Can’t take much more – again? they were green yesterday
Here we go… Here we go… Here we go (now) – restart the GitHub Action

One – Nothing wrong with me – first test is passing
Two – Nothing wrong with me – second test is passing
Three – Nothing wrong with me – third test is passing
Four – Nothing wrong with me – fourth test is passing

One – Something’s got to give – lints are not passing
Two – Something’s got to give – static analysis errored out
Three – Something’s got to give – there are 3 PRs still open
Now! – there’s no time unfortunately

Let the bodies hit the floor – let’s still release!
Let the bodies hit the floor – git checkout production
Let the bodies hit the, floor! – git merge origin/staging
Let the bodies hit the floor – merge conflict
Let the bodies hit the floor – git reset –hard origin/staging
Let the bodies hit the, floor! – git push –force

Push, me again – push a hotfix into master
This is the end – production cluster is down
Here we go… Here we go… Here we go (now) – it should work now

One – Nothing wrong with me – health checks are up again
Two – Nothing wrong with me – homepage is 200 OK
Three – Nothing wrong with me – release notes are sent to client
Four – Nothing wrong with me – wrapping up for the day

One – Something’s got to give – turns out homepage was cached
Two – Something’s got to give – 500 Internal Server Error
Three – Something’s got to give – migrations didn’t apply
Now! – run them manually!

Let the bodies hit the floor – client is angry
Let the bodies hit the floor – management is furious
Let the bodies hit the, floor! – users are bouncing
Let the bodies hit the floor – rollback is impossible
Let the bodies hit the floor – enable maintenance mode
Let the bodies hit the floor – overtime

Skin against skin, blood and bone – team pulling an allnighter
You’re all by yourself, but you’re not alone – management can’t help
You wanted in, and now you’re here – job responsibilities
Driven by hate, consumed by fear – mortgage payments

Let the bodies hit the floor – git bisect start
Let the bodies hit the floor – git checkout 05bc12aa
Let the bodies hit the floor – git bisect good
Let the bodies hit the floor! – git bisect bad

One – Nothing wrong with me – 05bc12aa was both good and bad
Two – Nothing wrong with me – git blame
Three – Nothing wrong with me – git log
Four – Nothing wrong with me – git stash list

One – Something’s got to give – production branch and ‘origin/production’ have diverged
Two – Something’s got to give – deleted by them
Three – Something’s got to give – rm -rf .git
Now! – git init; git add .

Let the bodies hit the floor – git commit
Let the bodies hit the floor – (how do I exit vim?)
Let the bodies hit the floor! – pkill vim
Let the bodies hit the floor – git commit -m ‘hotfix’
Let the bodies hit the floor – git push –force
Let the bodies hit the floor – 30 minutes to daily
Hey go… Hey go… Hey go… Hey go! – nano letter-of-resignation.txt

Jokes about WordPress

Wrote some jokes about WordPress yesterday.

WordPress walks into a bar followed by 300 plugins.
The bartender asks “What can I get you, folks?”
WordPress says “Can I have an allowed memory size of 67108864 bytes exhausted”


The REST, AJAX and XML-RPC APIs are on a crashing plane.
There are only two parachutes.
The pilot is a WordPress developer and hops off with both, yelling: “Iโ€™ll just hook into init in functions.php, suckers!”


An action and filter walk into a bar. The bartender asks “What can I get you, boys?”
The filter says โ€œIโ€™ll have a pint of unfilteredโ€, chugs it down and immediately throws up.
The action obliterates the bar using globals and weak references, and has the right to remain silent.

Send your jokes in the comments below, let’s have some fun.


I haven’t been at an IT conference (or out of the house for that matter) in a while. With summer approaching quickly I decided to visit Positive Hack Days in Moscow’s Gorky Park. The conference had quite a bit of social media coverage and hype. I reached out to my friends over at xakep (an IT security magazine that I used to read back in the early 00s, which went digital a handful of years ago) and got me an entry ticket, booked the flight and hotel and got ready to relax and chill for a weekend. Boy, was I wrong…

Continue reading

Testing Warnings in PHPUnit 9+

Testing warnings thrown via trigger_error throws a deprecation warning in PHPUnit 9+:

Expecting E_WARNING and E_USER_WARNING is deprecated and will no longer be possible in PHPUnit 10

Testing E_USER_WARNING and E_WARNINGM will no longer be possible, in favor of thrown exceptions. None of the usual convertWarningsToExceptions configuration tricks work.

Here’s a snippet that will help:

$errored = null;
set_error_handler(function($errno, $errstr, ...$args) use (&$errored) {
    $errored = [$errno, $errstr, $args];
$this->assertNotNull($errored, 'did not trigger any warning');                                                                             
[$errno, $errstr, $args] = $errored;
$this->assertEquals(E_USER_WARNING, $errno, 'did not trigger an E_USER_WARNING');

The fact that we’re not even going to be seeing warnings, deprecations in PHPUnit 10 is appalling!

Xdebug Profiling WordPress Actions and Filters

Xdebug is a great profiling tool for PHP code, but it has one little drawback in WordPress that results in a profiling nightmare – WP_Hook::apply_filters. The profiler lumps together all calls to WordPress actions and filters without distinguishing them as different execution paths. This is bad and not useful at all, resulting in a tangled mess of cycles.

Xdebug WordPress WP_Hook-/>apply_filters” width=”959″ height=”457″ class=”aligncenter size-full wp-image-2160″ /></p>
<p>Xdebug can be patched, however (patch below is for version 3.0.4), to differentiate calls to <code>P_Hook::apply_filters</code> and tag them with the actual filter name:</p>
<p> <a href=Continue reading

Upcoming Stream: Creating WordPress Malware

…for fun and fun only!

This week Konstantin Kovshenin created a minimalist WordPress caching plugin in 6 hours. Let’s up the ante!

This weekend I’ll attempt to create the cheekiest and most evasive WordPress malware yet. Leveraging some recent plugin zero-day, I’ll infect several dummy WordPress installs with it, and put a handful of freelance security experts and WordPress malware cleanup services to the test. Think CTF. Who will defeat our evil creation?

WordPress Malware

A huge legal and ethical gray area, bound to be a fun an educational dive into the world of advanced WordPress security concepts as part of the experience. Let’s be the baddies for a bit.

When? 7th August, 7a UTC.
Where? On Twitch, YouTube and other streaming platforms.

Add to Calendar, and meet me there. And don’t tell anyone else ๐Ÿ˜‰

Toptal WordPress “Talent” Pool Needs a Spring Cleaning

Legend has it that you can “Hire the Top 3% of Developers” over at Toptal, and I’ve actually been a member there since early 2015. I remember the onboarding process was quite serious.

Recently, I’ve been helping out screening a full-time WordPress developer for a large project involving BuddyPress, Gravity Forms and Woocommerce. I hop on very short technical calls that usually last under 15 minutes where I talk a bit about WordPress and ask some simple questions. This lets me get a feeling of whether they are competent or not.

Over the course of the last week I spoke to 4 “talented” candidates who had more than 10 years of experience with WordPress. Two of the interviews lasted for 5 minutes, the other two about 10 minutes. I asked the following questions to try and get a conversation going:

  1. Can you show me some code you’re written?
  2. What do you like about WordPress development? What don’t you like?
  3. What’s the difference between sanitizing and escaping in WordPress? What vulnerabilities are prevented?
  4. Can you properly escape the following query $wpdb->get_results( "SELECT * FROM $wpdb->posts WHERE post_title LIKE '%{$_POST['s']}%'" )?
  5. What is fragment caching and how would you implement it in WordPress?

None of the interviewees were able to sanitize the query properly, one took the liberty of trying to look up the WPDB class documentation and still failed to properly combine $wpdb->prepare and $wpdb->esc_like.

These “highly experienced” WordPress developers wanted a $120k/yr. salary (I’m sure Toptal takes a cut as well) and were unable to answer the most basic day-to-day WordPress development questions during a technical interview.

Toptal, are you sure you’re vetting these people correctly? Look at what Codeable are doing.


Godot Wild Jam #29

On the 15th of January I decided to finally try myself at some game development by joining my first game jam.

The game engine that I happened to have come across was Godot, a lightweight, open-source, cross-platform game development environment.

The Godot Wild Jam is held once every 4 weeks. Every jam runs for a little over a week (starting on Friday and ends the following Sunday).

We had initially teamed up with my brother Konstantin and were sort of ready to do the game on our own. The #team-up game jam channel in Discord was full of composers and programmers but not a single artist, so we were prepared to art our way through whatever happens. Our cousin was to give us some game design ideas, text content, and playtesting.

Day Zero:

As the theme and wildcards were revealed – Nomad (with Pets, Education and Upgrades) we quickly thought “digital nomad” and, reminiscing a Russian freelance programmer game we played on Windows 95 back the days decided to make a simple click-based economics simulator, manager game. No hard animations, no art, just a ton of text, and a bit of math.

Since the jam started on Friday in the US it was actually midnight on Friday for us in Russia, so we started actual work on Saturday morning, after discussing the concept well into the night, sketching initial screens, ideas and coming up with the name: Nomadsky, like No Man’s Sky, but spoken out as a Russian surname.

The naming pun was low-hanging fruit, as out of 48 games at least two other games were named “Nomad’s Sky” ๐Ÿ˜€

Day One: GDScript.

I streamed on diving head first into GDScript – a Python-like programming language in Godot.

The first half of day one was spent trying to use GDSCript like Python: figuring out maps, lambdas, list destructuring. None of which turned out to be a thing in Godot! Reading the source code and issues on GitHub I got carried away to the point of starting to write patches in C++ for the engine to introduce these critical features for the language. And was about to make a PR to support object key formatting in strings, when I realized I spent like 6 hours having done nothing for the actual game.

The biggest pet peeves that still remain with the language (and which I mean to send patches for) are:

  • no way to add arguments when programmatically connecting signals
  • print dict-based string formatting does not work with self, even though objects are accessible as dicts

Anyway. I spent the rest of the time structuring out the game code classes and a place for text content to go (job descriptions, action cards, etc.).

About 24 hours into the jam I noticed an artist looking to join a team – Merly23. I quickly explained to them what our vision for the game was and we partnered up. Merly was a bit skeptical about us finishing a game with 5 levels in it, considering nobody would work during the week on it so we had like 4-5 days maximum + whatever we could spare in the evenings and nights.

So we decided to draw level 5 and level 1 first – North Korea and New York. Those would be the starting and ending points for our hero. Nomadsky would have to freelance his way to freedom.

Day Two: Music

The second day was spent composing level music for the game. I was also streaming it and had quite some fun. I wrote music for North Korea, Mongolia, Spain. We knew that programming, text content and music-wise we’d have plenty of time, so as long as art would be pumped out quickly enough I wanted to make sure we had everything ready for all 5 levels, even though there was risk to release with as little as two levels.

I also recorded a bunch of sound effects, meowing, barking, puking, making engine noises with my mouth. I had so much fun as it was quite a while since I last touched music production (about 8 years!!).


While we did do tiny bits of work during the evenings here and there, writing a bit content, music for New York and Spain, programming game logic and waiting for art. I also decided to play it safe and commission some local artists to draw two locations for us – Mongolia and Moscow. Merley seemed to be progressing well and we could expect 3 levels easy: New York was done by then, North Korea was being worked on and we had a weekend for Spain.

I talked to about 5 artists, none of which had pixel art or gamedev experience. Having not much choice I commissioned 4 of them to draw 2 levels. I knew that at least half of them would either be late or give up, so hedging across 4 artists was a smart choice.

Two of them did end up not delivering anything at all. One was very late on the Moscow location, so the other one did Mongolia and we had all the art about 6 hours before the deadline. All in all I spent about $100 on this external help. This was not against the rules.

Day Three: Rushing

The following Saturday we were a bit lazy and left everything for Sunday with about 12 hours to submission deadline. The first full playtests were done about 3 hours before the deadline. Final bits of art, polishing and balancing were done in quite a relaxed manner. We were in feature freeze and quite comfortable just adding graphics around, intro, credits and endgame screens, without the fear of breaking anything in the game.

We open-sourced the game on GitHub at that point and closed most of the issues we had before submitting.

By the way – Godot is a huuuge pain to work with when it comes to version control. Anything that’s done in the 2D or 3D ports, resources added to the scenes, etc. get their own resource IDs assigned, which are numeric incrementals! This means that if I add a sprite to the scene and my team mate does the same we’ll have an ID collision. So many merge tears, to the point where we had to delete and recreate resources in the scene to resolve ID conflicts.

I think Godot should use UUIDs for every node on the scenes.

I was doing a lot of text content for the game in these last 12 hours, coming up with different jobs, accidents, gifts and decisions. We submitted the game 6 minutes before the deadline and voting started for the next 4 days.


I played through all the games in the jam, many were really really well done. We got really good feedback on our game as well. Only participants could vote, which ensured fair and unbiased voting. As the results were revealed we found our game placed 7th out of 48 games. Not too bad, although I had hoped at least top 5 ๐Ÿ˜€

The game is available in the browser (HTML5), has Linux, Mac and Windows builds ๐Ÿ™‚ and you can also check the source code, music and art in our GitHub repository.

Overall this was an amazing experience and we’ll definitely take part in some of the next jams easy. There was so much we didn’t really touch, like sprite animations, tiling. And 3D!

The next jam is in 19 days:, see you there, perhaps? ๐Ÿ™‚

Sucuri imonitor

’nuff said.

The Way of A WordPress Developer

From my very old private programming diary:

2 months later…