I spent some time thinking today about how other blogs can refer to mine. This included a great conversation in the #blaugust Discord channels that was started in response to a post by JCProbably on manually implementing ‘community echos’.

I am what I like to call ‘constructively lazy’. I know that manually implementing cross-blog post references is not going to work for me, so I’ve always relied on the concept of ‘pingbacks‘. WordPress supports this protocol, and if everyone used WordPress that would work well enough.

But many bloggers today avoid WordPress for various reasons. So what do the ‘cool kids’ these days do to create connection between their blog posts? Apparently, the answer is Webmention, and so I decided to quickly activate something to connect this blog to that protocol.

Please note that, as per the ‘Is it Working?’ section below, the current plugin versions of both Webmention (5.3.2) and IndieAuth (v4.5.0) introduce bugs in WordPress 6.6.1.

NOTE: the featured image on this post is AI generated. I love the spelling errors 😉

What’s wrong with pingbacks?

Pingbacks originated in the very early 2000’s as an ‘open’ specification for blogs to ‘link’ to each other. It is implemented in WordPress core as well as a few other blogging platforms like Movable Type and a couple of other early blogging platforms.

The basic specification as I understand it uses XML-RPC whereby one blog sends a message to the other saying “I’ve linked to this post”. The receiving blog then checks back to the originating blog to make sure the referenced post actually exists, and then does something to identify the reference. With WordPress, pingbacks appear as a type of comment in the referenced post.

There are problems with pingbacks relating to the ease with which they can be faked and the potential for them to produce comment spam in the destination blog. The mechanism that ‘calls back’ to the originating blog can also allow such pingbacks to be used as a sort of distributed denial of service attack. E.g.: a bad actor can send a pingback to my blog referencing your blog, and that will cause my blog to contact yours. Do this across thousands or millions of blogs and some damage can be done.

How is webmention better?

Webmention is a newer specification developed around 2016/2017 as part of the Indieweb movement. It has become a supported W3C standard, which means it has a lot of review and validation.

Webmention uses more modern and simpler protocols based around RESTful APIs and simple HTTP requests and responses. It also has some mechanisms such as token expiry to mitigate (but not eliminate) DDOS attacks. And the marshalling/demarshalling load on the participating servers is much lower because the protocols are simpler, making DDOS attacks less effective.

The main advantage for webmention that I can see is that it is a promoted part of the Indieweb movement. This means that folks that might be moving off of more ‘corporate’ platforms like WordPress are more likely be able to work with webmentions than pingbacks.

How I activated Webmention on WordPress

I very quickly installed two plugins on this site: Webmention and IndieAuth. I tried not to do anything too complex at this point with my aim being focused on connecting a bit better with my Indieweb brethren.

I’ve included a few notes/screenshots below regarding the settings I used for each plugin.

Webmention plugin

This is the main plugin that enables the use of the Webmention specification. I made some quick decisions about options to set. I’ve highlighted the only two properties I recall changing in the images below.

Disable self-pings is a nice option to set
Likewise the option to separate web mentions from ‘normal’ comments seems useful

IndieAuth plugin

I added IndieAuth sort of as a spur of the moment thing. I observed that the Webmention.io site seemed to expect my blog to be using IndieAuth, saw the plugin, and figured it was worth trying out.

After adding IndieAuth I later discovered that WordPress Jetpack features in the admin screen were no longer working. They all presented a “You are not allowed to access this page” error. Disabling IndieAuth resolved this issue, and so I have left it disabled for now.

The Jetpack problem I experienced seems to be a match for a specific ‘known problem’ reported with IndieAuth on the IndieWeb Github. I don’t know if anyone is working on resolving this issue,

As far as I can tell, the only changes this plugin made while I had it running are:

  • Webmention.io recognizes my site, presumably because of the API it adds
  • … and there is a link to use Weblogin on my login form now. See the ‘Is it working’ section below for some example screenshots,

Maybe someone who is a big Indieweb fan can tell me whether my site having IndieAuth does anything for them. I will try to activate it again once I see that the known problem with Jetpack is fixed.

I believe the ‘Use IndieAuth login’ option is selected by default; I’d guess deselecting it would remove the web login option (see ‘Is it working?’ below)

Is it working?

I performed several simple tests of both the cross blog ‘mentions’ mechanism and the login changes. As I noted above, I had to disable IndieAuth due to problems it causes with Jetpack. Otherwise it appears that Webmention itself is working, although my testing was by no means extensive.

UPDATE: I have discovered that Webmention appears to ‘break’ the comment ‘reply’ link and thereby prevents nested comments from working. I’ve opened a Webmention Github issue for this problem.

Normal pingbacks from ‘old’ (i.e.: non-webmention enabled blogs) work. Such mentions are still treated as comments and require approval, which is good. And my usual ‘WordPress’ login still worked for authentication when commenting when I had IndieAuth activated.

The main differences I noticed:

  • Webmention can (optionally) present pingback ‘comments’ separately from normal comments. I like this feature at least based on my initial viewing of it, so I enabled it
  • Self-referencing pingbacks i.e.: when you link from one post in your blog to another can be ignored via Webmention settings
  • I’ve disabled IndieAuth for now due to the conflicts it has with Jetpack: see the details under ‘IndieAuth plugin’ above. But when it was active the only visible change I see regarding login is the addition of Web sign-in on the login form. Nothing seems to change for the comment ‘authentication’. But then, I don’t really understand IndieAuth as well as I should
The Web signin link added by IndieAuth on the login form
Clicking web signing prompts you for your compatible domain name; the “Learn about” link takes you to the IndieAuth documentation

This Post Has 4 Comments

  1. Naithin

    Interesting, I had no idea this existed and pingbacks have been a thorn in my side with how unreliable they’ve been for years. (I think due to host firewall settings.)

    If this plugin gets updated and stops breaking comment replies, I would definitely be keen to give it a shot! I’ll keep it on my radar. 🙂

  2. Kelly Adams

    I’ve actually left the Webmentions plugin enabled for now as you can tell by the fact that the ‘Reply’ link for comments isn’t working. I will probably disable it if there isn’t a fix within a week or so: I like being able to reply so (for example) Naithin knows I’m replying to them 🙂

    The IndieAuth plugin, though, broke a bunch of Jetpack links in the Admin screen, which bothered me much more. That is deactivated until it is fixed.

    I want both of them working, though: I like the idea of making it easier for Indieweb folks to interact with my blog. Fingers crossed that the current issues are resolved soon without introducing some new breakage!

  3. Kelly Adams

    Note that I’ve temporarily disabled the Webmentions plugin so that ‘Nested Replies’ work again. I may be turning it off and on a bit over the next while as one of the developers has asked me to illustrate the problem.

    I’m hoping that a fix will be available soon so that I can re-enable it!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.