Tag Archives: WordPress

WordPress 4.0 Would Be a Good Chance for a Rewrite

It’s no secret that the WordPress codebase is a mess. It seems that not a week goes by without some blogger publishing a post criticizing it. Unfortunately, fixing it is no simple matter.

One of the goals the WordPress project holds is to maintain compatibility with older plugins and themes that may not have been updated to work with the latest version. That means not changing things that would break old plugins, or adding new functions while leaving the older, redundant ones in place for compatibility. It’s that methodology that led the developers to bake the infamous Magic Quotes functionality into WordPress itself, even though it has been deprecated and removed from newer versions of PHP, so as not to break plugins expecting that behavior. (Which means plugin developers have to unescape strings before passing them to prepared statements, like they should be doing.)

That’s just one example of something I find vexing about WordPress, and not really indicative of the deeper structural issues that others complain about.


WordPress Security Advisory: Harden Your Admin Login

There has been news lately of a distributed attack against WordPress sites. A growing botnet has been running dictionary attacks against sites powered by WordPress, in an effort to gain access to the admin panel and infect the server. As is usually the case with botnets, infected servers are assimilated into the pool of compromised systems that make up the botnet and put to use for nefarious purposes such as DDoS attacks.

It’s important to note that this is not a WordPress security flaw, but rather an attempt to systematically guess passwords.

The attacks consist of simple POST requests to wp-login.php with a supplied username of admin and one of many simple, insecure passwords. I’ve noticed plenty in my logs, including rainydays, sophie1, and wordpress. The requests come from a rotation of IP addresses in the botnet, making it difficult to block them outright.

It’s easy enough to protect yourself from the attacks, providing you follow some simple best practices.

1. Get Rid of the Admin User

Historically, every WordPress installation would come with an administrative user named admin, which was created during the setup process. In more recent versions, the setup screen prompts you to choose your own username instead of providing a default. Check the Users screen in your WordPress backend to see if a user named admin exists. If it does, you should replace it with a profile that has a unique name, ensuring that the new account has administrative privileges.

Having a user account with that default name is a bad idea, because numerous attacks over the years have operated under the assumption that the operators of many WordPress sites will have been too lazy to change it. The current attack only tries passwords for a user named admin, as well, so ensuring that such a user does not exist will go a long way toward protecting your site.
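One way to spot the pattern described above in your own access logs, as an added example that is not part of the original post. It assumes Apache combined log format; the log lines, IP addresses and thresholds are constructed sample data.

```php
<?php
// Added example, not code from the original post: scan access-log lines for
// the distributed dictionary attack described above. Log lines are constructed
// sample data in Apache combined format, using documentation IP ranges.
$sampleLog = <<<'LOG'
203.0.113.10 - - [12/Apr/2013:06:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:06:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:06:01:05 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2013:06:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:06:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Apr/2013:06:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:06:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

/**
 * Count failed login POSTs per client IP. A failed wp-login.php attempt
 * re-renders the form with status 200; a successful one redirects with 302,
 * so only 200 responses are counted.
 */
function tallyFailedLogins(string $log): array {
    $counts = [];
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "POST \/wp-login\.php[^"]*" (\d{3})/';
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (preg_match($re, $line, $m) && $m[2] === '200') {
            $counts[$m[1]] = ($counts[$m[1]] ?? 0) + 1;
        }
    }
    return $counts;
}

/**
 * The pattern from the post: many distinct IPs, each sending only a few
 * attempts, which a per-IP threshold alone would never trip.
 */
function looksDistributed(array $counts, int $minIps = 4, int $maxPerIp = 3): bool {
    return count($counts) >= $minIps && max($counts) <= $maxPerIp;
}

$counts = tallyFailedLogins($sampleLog);
arsort($counts);
foreach ($counts as $ip => $n) {
    printf("%-15s %d failed POST /wp-login.php\n", $ip, $n);
}
if (looksDistributed($counts)) {
    printf("Distributed pattern: %d source IPs, max %d attempts each\n",
           count($counts), max($counts));
}
```

Run it against a real log by replacing `$sampleLog` with `file_get_contents()` of the access log; the per-IP counts stay low by design, which is why the distinct-IP count is the signal to watch.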


WordPress 3.6 to Have Audio/Video Support in Core

Here’s some great news from the WordPress development blog: WordPress 3.6 is going to have built-in support for audio/video playback. You will be able to upload a media file, and WordPress will handle playback with MediaElement.js. Shortcodes will be available, as well as template tags for theming support.

…there is now native support for Audio and Video in core! There has been great support for embeds by way of WP_Embed and oEmbed providers for a while, but, if you wanted to play an MP3 from your Media Library, you had to install a plugin. Supporting audio and video in core gives bands, podcasters, vloggers, et al the ability to easily and beautifully express themselves through sounds and moving pictures without using an external service.

This should go nicely with the coming changes to Post Formats—unless the plans have changed, a UI based on the one by Crowd Favorite is going to be a part of the WordPress core, hopefully making post formats actually useful. (I’ve been using the Crowd Favorite plugin on my personal blog for a while now, and it’s great.)

Another part I find interesting is the addition of embed handlers for common media files. You will be able to paste a URL to an AAC/MP3/etc. into a post and it will be seamlessly replaced by a media player, just like how oEmbed works.

Audio / Video support in Core [Make WordPress]

Using the WordPress 3.5 Media Uploader in Your Plugin or Theme

Back in 2010, I wrote a post on Using the WordPress Uploader in Your Plugin or Theme that went on to be one of my most popular tutorials of all time. Then the WordPress team went and added a much cooler media uploader in version 3.5 and made that post outdated. Since most of you probably want to add the new uploader in a theme or plugin you’re working on right now, I figured it was time for an updated post.

WordPress 3.5 Media Uploader

The process required to add the new uploader is a bit different, but not too much more difficult. I was able to adapt the old tutorial a little, so it shouldn’t be too hard to replace some code in an existing project and get the new uploader instead of the old.


Frank: A Free and Speedy WordPress Theme

Smashing Magazine recently released a new WordPress theme that’s definitely worth a look. Frank, as it is called, is a lightweight and elegantly simple theme that’s designed for very fast loading times. It boasts a JavaScript dependency of zero, and no external images to speak of. Instead, it makes use of SVG for icons and such. The final page size for a fresh install ends up being 30KB, or 9.5KB gzipped.

Frank is built atop the responsive Foundation grid framework, and features a layout customization tool that lets you adjust how the homepage is displayed.

Frank: A Free WordPress Theme Designed For Speed [Smashing Magazine]

WordPress Core Control

I’ve been working on a WordPress plugin that takes advantage of the WP-Cron system (which, for the uninitiated, is a sort of event scheduling system that runs functions in WordPress at predetermined intervals). Unfortunately, that’s a bit of a pain considering the nature of the task. How do you test functions that are designed to run intermittently, say twice a day? The easy/hacky solution is to add a function call that runs the task on every page load, and then remove it when you’re done. But if you want a solution that doesn’t involve editing your code, there’s a handy plugin that’s perfect for this scenario.

Core Control is a plugin that lets you monitor and adjust several parts of WordPress for diagnostic and development purposes. It makes it easy to view registered WP-Cron events and trigger them with a click. It can also force WordPress to check for core, plugin or theme updates, log any HTTP requests WordPress makes to external servers, and determine which filesystem access method WordPress is using.

Automattic Releases Jetpack 2.0, Featuring the New Photon CDN

Automattic’s Jetpack plugin has certainly grown since I first looked at it. I originally dismissed it, not wanting to unnecessarily tie my own self-hosted blogs to WordPress.com for a few niceties like in-Dashboard traffic stats and very thorough spelling and grammar checking via After the Deadline.

I decided to try it out again now that it hit the big two-point-oh, and was surprised not only by the amount of functionality it offers, but by how many other plugins it can conceivably replace. The Publicize module, for instance, will automatically post links to new posts on Twitter, Facebook and other popular social networks, so you don’t need another plugin for that if you run Jetpack. I also found the Mobile Push Notifications and JSON API modules to be intriguing. The former sends push notifications to your iPhone/iPad when new comments are posted, and lets you jump right over to the WordPress iOS app to manage them, and the latter is primarily of interest to developers looking to integrate a WordPress blog into another web site or application. (Previously I used this plugin, but Jetpack looks roughly equivalent.)

The big new feature in this version is a free service called Photon, an “image acceleration and editing service” which acts as a CDN for your images. It mirrors images it finds in your posts (or ones a theme or plugin developer specifies via an API) on WordPress.com’s servers, which enables them to be served faster and takes load off your server. This would be excellent for blogs hosted on cheap shared hosting, especially if coupled with a static caching plugin like WP Super Cache or W3 Total Cache.

WooThemes Redesigns, Adopts Their Own WooCommerce Plugin

WooThemes launched a new redesign of their site this month, bringing some interesting changes along with the more modern style. The navigation has been restructured to highlight their non-theme offerings, making it clear that WooThemes is very serious about their plugin offerings (especially WooCommerce). Their “notorious” user management system has also been replaced with their own free WooCommerce plugin.

I like the new look, with its flat colors and additional negative space. It seems more current, as excessive gradients seem to be falling out of style in web design lately—just as browser support for them is starting to catch up. It’s definitely easier to find what you’re looking for on the new site, so the new navigational structure is a success.

The design looks great, but I find the switch to WooCommerce to be the most interesting. Not only is WooThemes “eating their own dog food,” but the fact that the largest and best-known supplier of commercial WordPress themes is using it is good to know for anyone looking into e-commerce solutions.

We’ve re-designed. Everything. [WooThemes]

WordPress to Dump Blogroll Feature in 3.5

Starting in WordPress 3.5, the Links feature will no longer be a part of the WordPress core. The blogroll feature will be available as a plugin, Link Manager, so it’s not completely going away. It may also be more convenient to use the Menus feature in place of the older blogroll function, keeping your blogroll links in a custom menu.

Lorelle VanFossen goes into considerable detail on the issue, with a few migration routes, including using custom menus.

Personally, I have mixed feelings about blogrolls. On one hand, they’re a convenient way to recommend some of your favorite blogs in a persistent manner. Certainly good for a personal blog. On the other hand, they’re of more limited benefit for more topical sites. It’s probably a good thing that it’s being removed from the WordPress core, since blogrolls aren’t as popular as they were ten years ago.

WordPress’s…Interesting Way of Dealing with Magic Quotes

If you’ve been working with PHP for awhile, you’re probably familiar with one of the worst ideas the language’s developers ever came up with: Magic Quotes.

If not, here’s a brief history lesson. In order to help newbies write functioning MySQL queries, they thought it would be a great idea to automatically escape input data with slashes, overwriting the $_POST, $_GET and $_REQUEST globals. So if someone submitted hello, I'm Steve through a form, it would be immediately converted to hello, I\'m Steve so the apostrophe wouldn’t cause issue if a naive user tried inserting it into a database.

But what if you weren’t going to dump the data into a MySQL database? Too bad, it’s now full of slashes and you have to use stripslashes() on the variable. Also, you could conceivably end up with something like hello, I\\\'m Steve if you try escaping the data yourself before inserting the data into a database. It was a massive headache, and the normal practice ended up being “check to see if magic quotes are enabled at the top of your script, and strip the slashes out if the feature is activated. Then handle database queries with prepared statements or by properly escaping the data.”
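The "normal practice" just described, written out as an added example (not code from the original post); it also shows the unslashing step the first post on this page says plugin developers must do before a prepared statement. It assumes a PDO connection to an in-memory SQLite database and a constructed form value.

```php
<?php
// Added example, not code from the original post: the "normal practice" the
// post describes, written out. Strip the slashes PHP added when magic quotes
// are on, then let a prepared statement do the escaping exactly once.
// get_magic_quotes_gpc() always returns false from PHP 5.4 on and no longer
// exists in PHP 8, so the check is guarded with function_exists().

/** Recursively undo addslashes() on a scalar or a nested array of input. */
function strip_magic_quotes_deep($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Do this once, at the top of the script, before anything else reads input.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes_deep($_GET);
    $_POST    = strip_magic_quotes_deep($_POST);
    $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = strip_magic_quotes_deep($_REQUEST);
}

/**
 * Store the message with a prepared statement. The driver escapes the value,
 * so escaping by hand on top of magic quotes is what produces hello, I\\\'m Steve.
 */
function save_message(PDO $pdo, $message) {
    $stmt = $pdo->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $message]);
    return $stmt->rowCount();
}

// Constructed stand-in for a form submission and an in-memory SQLite database
// (assumes the pdo_sqlite extension). Inside WordPress the unslashing step is
// wp_unslash() on the input, since WordPress re-adds the slashes itself.
$_POST['message'] = "hello, I'm Steve";
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)');
save_message($pdo, $_POST['message']);
echo $pdo->query('SELECT body FROM messages')->fetchColumn(), "\n";
```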
