More Thoughts on numbers used once (i.e. nonce)

Although I still believe what I wrote in which I said that the use of wp_nonce in the last steps of the WordPress Automatic Upgrade plugin is an unnecessary precaution, I am puzzled why it did not work.  According to Mark’s post on nonces, it sounds like in theory this "number used once" should still be valid if you are forced to log in again.  Here is what he wrote.

They are unique to the WordPress install, to the WordPress user, to the action, to the object of the action, and to the time of the action (24 hour window). That means that if any of these things changes, the nonce is invalid.

I guess that if we work through the logic, the only thing I can see that has changed is that the user has logged in again. I must conclude that it is identifying the user by something other than the username. Hmm… This is a puzzle.
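To make the quoted rule concrete, here is an added example (not WordPress code and not part of the original post) that emulates the scheme Mark describes in Python: the nonce is a keyed hash over a time bucket, the action, and the user id, with the 24-hour lifetime split into two 12-hour buckets so that a nonce is accepted in the bucket it was minted in and the next one. The secret, the action name "activate-plugin_42", user ids and timestamps are all constructed for the example.

```python
import hashlib
import hmac
import math

# Constructed for this example: the per-site secret (the job SECRET_KEY does
# in wp-config.php) and the 24-hour lifetime the quoted post mentions.
SECRET_KEY = b"example-only-secret-key"
NONCE_LIFE = 24 * 60 * 60  # seconds


def nonce_tick(now: float, life: int = NONCE_LIFE) -> int:
    """Number the time buckets. The lifetime is split in half, so a nonce is
    accepted for the bucket it was minted in plus the next one: anywhere from
    12 to 24 hours, which is why the window is described as "24 hours"."""
    return math.ceil(now / (life / 2))


def _digest(tick: int, action: str, user_id: int) -> str:
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.md5).hexdigest()[-12:]


def create_nonce(action: str, user_id: int, now: float) -> str:
    """Mint a nonce bound to the site secret, the user, the action (the action
    string carries the object, e.g. "activate-plugin_42") and the time bucket."""
    return _digest(nonce_tick(now), action, user_id)


def verify_nonce(nonce: str, action: str, user_id: int, now: float):
    """Return 1 if the nonce was minted in the current bucket, 2 if in the
    previous one, False otherwise. A different secret, user or action, or a
    nonce older than the window, fails; that failure is what sends the user
    to the "Are you sure you want to do this?" screen."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(_digest(t, action, user_id), nonce):
            return age
    return False


if __name__ == "__main__":
    t0 = 1_000_000.0  # constructed timestamp
    n = create_nonce("activate-plugin_42", 7, t0)
    print(verify_nonce(n, "activate-plugin_42", 7, t0))               # 1
    print(verify_nonce(n, "activate-plugin_42", 7, t0 + 13 * 3600))   # 2
    print(verify_nonce(n, "activate-plugin_42", 7, t0 + 25 * 3600))   # False
    print(verify_nonce(n, "activate-plugin_42", 8, t0))               # False
```

Under this scheme logging in again does not by itself change any of the inputs, so a nonce minted before the forced login still verifies for the same user id and action; a nonce created for a different user id, or checked more than two buckets later, does not.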

WordPress › WordPress Automatic upgrade « WordPress Plugins

I have been using this plugin for almost a year. When it works it is great! When I upgraded to WordPress 2.5 I started having a problem with the final two steps, reactivating the plugins and going to the final page. Before I could activate the plugins I had to upgrade the database. Then I had to log back in to the blog. At this point the automatic plugin was lost and gave me a screen with "Are you sure you want to do this?" All the plugin could do at this point was to clean up the installation. I had to manually activate my plugins.

Today I figured out that if I remove the wp_nonce stuff at the end of the line I could get the automatic upgrade plugin to continue. wp_nonce is a security feature. I think it is primarily used with forms but it can be used with links. About the only source on this function is the Writing Secure WordPress Plugins post by David Kierznowski. I think when I have to log back into WordPress, wp_nonce thinks I am breaking in and slams the door shut. From a plugin design standpoint I am not sure there is a need for this type of security at this point since all I want to do is activate my plugins and get my log report. I guess I will comment out lines 392-394 so the plugin will work.

WordPress › WordPress Automatic upgrade « WordPress Plugins

WordPress 2.5 Secret_Key Vulnerability

Wow, I did not know about this security feature in 2.5.  I did not have the ‘SECRET_KEY’ defined since my WordPress sites were upgrades. Since I prefer to follow the Secure WordPress recommendations and missed that section in the paper, I added a random key to all of my sites. The key does not cause any ill effects. Read the original post, WordPress 2.5 Secret_Key Vulnerability, for more details.

BlogSecurity » Blog Archive » WPIDS v0.1.2 officially released

Recently while upgrading my WordPress blogs I installed WPIDS 0.1.2. WPIDS is an Intrusion Protection System, which is based upon the Intrusion Detection System PHPIDS. It is a nice plugin for those curious about WordPress security. In theory this should improve the security of my blogs.

For the last couple of days I have been monitoring its log. So far I have not found any false positives. It looks like it is blocking some comment spam. Most of my comment spam is caught by Akismet.

I am kind of fascinated with this plugin.  If the developers are looking for ideas, it would be nice if:

  1. It would tell me if there is a new filter available. I am not sure how often the filter is updated but with a little modification the plugin could update the file directly. WordPress would like updated plugins to be updated on their web site. An updated revision number for the plugin would then appear in the plugin panel. In a perfect world the user could then update the plugin automatically.
  2. The search stats button overlaid the standard report onto the admin page for the plugin. It is not very useful in this format.
  3. It would be nice if the report said why the bad request was blocked. I have several blocked requests showing something called “__utmz” in the tag field.
  4. It would be nice to download the report as a csv file.
  5. It would be nice to have a summary report by type of blocked request.

WordPress 2.5

I installed WordPress 2.5 last Saturday on all of the blogs I support. It had passed some preliminary testing on my development blog so I installed it. It is supposed to have increased security, better administrative panels, and the ability to upgrade plugins automatically. They say there are very few changes that will affect the plugins. It sounded like a safe upgrade so I upgraded. After a little testing I found that ImageManager 2.4.1 did not work at all. I am not sure when it stopped working since I do not use it often and I have alternatives.

While I was at it I did a little spring cleaning. I changed the blog to not use the www subdomain, changed the .htaccess file, changed the blog to use a more descriptive permalink, removed the register feature from the meta widget, and got rid of several old inactive plugins.

Automated WordPress Hacking Tool Cached by Google

I just finished checking my WordPress sites with both a dork and an FTP client. Google says that there are 29,000 infected sites. I guess that I was left out of the party since my WordPress sites are at the most recent stable release.

Cyberinsecure recently posted details of an automated WordPress hacking tool that is doing the rounds. This malicious worm or program appears to create the directory, "wp-content/1/" as well as spam comments:

The blogs are most likely attacked by some kind of automated tool since the amounts of spam are too big to work manually on all those spam pages creation. It seems there are also spam comments in posts as well. Spam comments are pointing to internal infected blog pages in folder "1" to get them spidered and to get people to visit them.

Smackdown also has a nice blog entry about this issue.

Automated WordPress Hacking Tool Cached by Google
DK
Wed, 26 Mar 2008 23:52:40 GMT
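The dork-and-FTP check described above can be scripted against a local copy of a site. The following is an added example (not from the post or from Cyberinsecure) in Python: it flags directories directly under wp-content that a stock install does not have, such as the "wp-content/1/" the report mentions, and lists comments whose links point into that directory. The expected-directory set, the sample tree built in a temporary directory and the sample comments are constructed for the example.

```python
import os
import re
import tempfile

# Assumed expected contents of wp-content for a stock 2.x install (constructed
# list); anything else at that level is reported for a manual look.
EXPECTED_WP_CONTENT_DIRS = {"plugins", "themes", "uploads", "upgrade", "languages"}


def unexpected_wp_content_dirs(wp_root, expected=EXPECTED_WP_CONTENT_DIRS):
    """Return the sorted names of directories directly under wp-content that
    are not in the expected set."""
    content = os.path.join(wp_root, "wp-content")
    found = []
    for name in os.listdir(content):
        if os.path.isdir(os.path.join(content, name)) and name not in expected:
            found.append(name)
    return sorted(found)


def comments_linking_into(comments, marker="/wp-content/1/"):
    """Return (comment_id, url) for every link in a comment body that points
    into the planted directory: the spam comments the report describes, left
    so that the planted pages get spidered."""
    link_re = re.compile(r"https?://[^\s\"'<>]+")
    hits = []
    for cid, body in comments:
        for url in link_re.findall(body):
            if marker in url:
                hits.append((cid, url))
    return hits


def build_sample_site():
    """Constructed sample: a minimal tree imitating an infected install."""
    root = tempfile.mkdtemp()
    for d in ("plugins", "themes", "uploads", "1"):
        os.makedirs(os.path.join(root, "wp-content", d))
    with open(os.path.join(root, "wp-content", "1", "index.php"), "w") as fh:
        fh.write("<?php // planted spam page (constructed sample) ?>\n")
    return root


# Constructed sample comments as (comment_id, body) pairs.
SAMPLE_COMMENTS = [
    (101, "Nice post, see http://example.org/wp-content/1/cheap-pills.html"),
    (102, "Thanks for the tip about nonces."),
    (103, "More at http://example.org/wp-content/1/x/ and http://example.org/about/"),
]


if __name__ == "__main__":
    root = build_sample_site()
    print("unexpected dirs:", unexpected_wp_content_dirs(root))   # ['1']
    for cid, url in comments_linking_into(SAMPLE_COMMENTS):
        print("comment", cid, "links to", url)
```

On a real site you would point `unexpected_wp_content_dirs` at the document root fetched over FTP and feed `comments_linking_into` rows from the comments table; a hit from either check is a reason to look at the install by hand, not proof of compromise on its own.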

WordPress › Blog » 2.5 Sneak Peek

Since I have a local WordPress blog for my development work, this was a no-brainer. I let Subversion do the hard work. I tried the revised admin panels since they have changed significantly. It was nice to know that my theme and my plugins seem to work fine. So far this upgrade looks pretty solid.

  1. Since I have recently been looking at easy ways to use Flickr images and create image galleries, I was curious how the improved media gallery works. After playing with the insert image and media gallery, I am still trying to figure out how the media gallery works. I guess it is a work in progress. The Gallery and Media Library tabs do not seem to do anything.
  2. It was not obvious how one creates an avatar either.
  3. I tried to automatically update the PhotoXhibit and Database Backup plugins and it did not work.

WordPress › Blog » 2.5 Sneak Peek

WPDesigner » WordPress Theme Checklist

Here is a handy checklist for people creating or modifying WordPress themes.

Note: The following checklist was based on WordPress 2.0. Since WordPress 2.1, WordPress has replaced and introduced new template tags.

Files, functions, and to-dos you need to check-off before using / publishing your own unique WordPress theme:

Files and Templates
  • 404.php
  • archive.php
  • category.php
  • comments.php
  • footer.php
  • functions.php (for widget-ready sidebar)
  • header.php
  • index.php
  • page.php
  • search.php
  • searchform.php
  • sidebar.php
  • single.php
  • screenshot.png / .jpg / .gif
  • style.css
  • readme.txt (optional)
Header.php
  • Blog’s Title
  • Blog’s Description
Footer.php
  • wp_footer()
  • Footer text and links (usually, copyright message)
Sidebar.php
  • Search form – Does the regular search form match the widget search form?
  • Pages / wp_list_pages() – Have you styled the second level links? Third level links?
  • Categories / wp_list_cats() – Sort by name or ID? In what order? Is hierarchical turned off or on?
  • Archives
  • Calendar – Does the regular calendar match the widget calendar?
  • Links / get_links_list()
  • Meta: wp_register(), wp_loginout(), wp_meta()
Index.php, Archive.php, Category.php, Search.php, Page.php, Single.php
  • the_ID()
  • Post title: the_permalink, the_title()
  • the_content
  • Postmetadata: edit_post_link(), comments_popup_link(), the_author(), the_category(), the_time(),
  • trackback_rdf() [hidden]
  • posts_nav_link() – Next/Previous page links
  • Else – What to display when there is no content.
Archive.php, Search.php
  • the_excerpt() replaces the_content()
Page.php
  • link_pages()
  • Remove Postmetadata
  • Keep edit_post_link()
  • Remove posts_nav_link()
  • comments_template()
Single.php
  • link_pages()
  • Remove comments_popup_link()
  • comments_template()
Comments.php
  • Comments list
  • Comment forms and textarea
  • ‘No comments’ message
  • ‘Comments awaiting moderation’ message
  • ‘Must login’ message
  • ‘Password protected’ message
  • Comments off message
Pages to Validate
  • Home page
  • Archive pages
  • Category pages (if you customize category pages)
  • Search result pages
  • Pages (i.e: About)
  • Single post view page
  • Single post with no comments
  • Single post with comments
  • Single post with must login message
  • Single post with no login required message
  • Password protected single post with comments

Note: This is not an end-all checklist. It covers just the basics. More items will be added.

WPDesigner » WordPress Theme Checklist

Top 10 WordPress CMS Plugins | Blueprint Design Studio

From the Blueprint Design Studio we get this list of WordPress CMS plugins. I can vouch for Cforms II and Google Sitemap Generator since I already use them. I am definitely going to check the rest of them.

  1. Cforms II – This is far and away the best contact form plugin there is. The reason? configurability. You can easily build literally anything with it. We’ve built out employment application forms, wedding checklists, and more for clients. It also drives our own quote form. There’s also built in spam protection, via question and answer or captcha. by delicious days
  2. WP e-Commerce – Unlike cforms, this plugin has no competition. It provides an easy to manage storefront and shopping cart as an integral part of your wordpress installation. It includes the ability to sell digital downloads as well, which is great for photographers, musicians, and authors. By default it includes support for PayPal, although the $29.99 fee for the authorize.net module will pay for itself in lower fees for most serious e-Commerce sites. by Instinct Entertainment
  3. Search Everything – Since most of the sites we develop focus more on their static content than on their blog posts, this plugin is essential for allowing users to search your entire site without leaving your site and relying on google. by Dan Cameron
  4. Google Sitemap Generator – The biggest benefit of using wordpress is the manual labor you save because the software already knows where all of your content is. This Plugin submits a comprehensive index of your site to google, yahoo, MSN Live, and Ask.com every time you update your site. It’s a huge boost to your site’s SEO. by Arne Brachhold
  5. Subscribe2 – Subscribe2 is a newsletter plugin for your site. It allows you to create newsletters and manage subscribers within your WordPress Dashboard. It also allows you to email subscribers when you post a blog entry, which allows you to have a permanent copy of the newsletter that you can refer people to. plugin homepage
  6. Event Calendar 3 – There are a ton of event plugins out there. This is the best & most integrated one we’ve used. It provides an iCal feed, in addition to the standard RSS feed. Since the events are created as Blog posts, it’s easy to integrate them into your site. by Alex Tingle
  7. Page Links To – by far the simplest plugin on this list, This plugin allows you to create “pages” that link to something else. It’s the easiest way to add links to your main menu, without mucking around in code. It’s good for adding a link to an external photography portfolio, for example. You could also use it to link to sections of a page, rather than an entirely separate page, which could be useful for linking to sections of a restaurant menu, or other small sections of a larger page. by Mark Jaquith
  8. TinyMCE Advanced – I’ve posted a lot about using this plugin. It was referred to me by Jim Burke from TSG Real Estate, who needed a way to easily add classes to blockquotes, tables, and images. The plugin also does a great job of making tables work well with WordPress posts. plugin homepage
  9. XSPF_Player – As much as I’m not a fan of auto-playing music on websites, This MP3 player makes it easy to manage playlists, cover art, and artist links. It’s a great way for music venues to highlight upcoming shows. Used in conjunction with Event Calendar, you can make the track link lead to the post for their upcoming show, all of which is easily manageable from your WordPress dashboard. by Boriel
  10. pageMash – I just posted about this, but it’s worth mentioning again. This plugin makes it very easy to put your pages in order, without having to edit every page individually. by Joel Starnes

Top 10 WordPress CMS Plugins | Blueprint Design Studio

A quick review of two Related Posts plugins for WordPress

Mitcho found a post I wrote about adding Related Posts to a WordPress blog and said:

I would recommend to you and your readers a plugin I wrote, Yet Another Related Posts Plugin. It’s similar in functionality, but has been built with admin-friendliness in mind, and doesn’t require you to edit your theme files. Check it out!

I checked it out and I am impressed! The idea behind the related posts concept is that a reader may want to see other posts written by the author that are related to the post he or she is reading. A good related posts plugin should automagically create a small list of related posts and attach it to the end of the post. Creating a list automatically is the easy part. The hard part is the magic used to find the posts that are related to the post.

A popular related posts plugin is the WP 2.3 Related Posts plugin by Denis PaoPao. It uses WordPress’s native support for tags to build the list. For this plugin to work you must add tags to each post. I have used this plugin on this blog since I upgraded to WordPress 2.3.

Mitcho uses a different technique. He gratefully acknowledges the work of several people, Peter Bowyer, Alexander Malov, and Mike Lu. The key part of this plugin is the algorithm to identify related posts. Peter uses MySQL’s fulltext search score to identify related posts.

Since I am an empirical type of guy I put it to a little test. I activated the plugin on this blog and put the related_posts call in the main WordPress loop. Although the plugin is admin-friendly you have to manually edit your theme to get it into the main loop. Now each post had two lists, one generated by YARPP and one by the WP 2.3 Related Posts plugin. This makes for a wordy post but I expect to print both lists for a short time. Since my main page had twenty posts, I printed off the main page of the blog.  I found that I preferred the YARPP related post list for ten posts. Some of the lists were actually quite good. Two of these posts won by default. I had forgotten to add tags to the post. That is a plus for YARPP. Since the YARPP algorithm does not require tags it created a list where the WP 2.3 Related Posts plugin did not. I found it interesting that I did not find a related post list created by the WP 2.3 Related Posts plugin I liked better than YARPP. Hmm… Another interesting fact I learned is that I found ten posts in which neither related posts list was particularly related to the post. Oops!

After this small test it is pretty obvious that although YARPP is not perfect, most of the time it creates a list that I preferred over WP 2.3 Related Posts plugin. At its worst YARPP creates a list like the list created by WP 2.3 Related Posts plugin that is unrelated to the post. Great job Mitcho and thanks for the tip!

Javascript Code Highlighter: Chili vs SyntaxHighlighter :: PseudoCoder.com

Today I tried to get Chili to work on this blog. I post code occasionally and Chili was appealing to me since it uses jQuery for most of the heavy lifting. I was hopeful that Chili would be quick and incrementally increase the amount of JavaScript downloaded. Chili didn’t work for me. It had syntax errors in the JavaScript. My debugging skills were not finding any quick answers so I decided to give plan B, SyntaxHighlighter, a try.

From the post it looked like SyntaxHighlighter was going to be a bear to install so I decided to check the WordPress plugins web site for possible alternatives. Guess what I found, SyntaxHighlighter-Plus! This recently updated plugin uses the SyntaxHighlighter JavaScript package by Alex Gorbatchev and makes installing a syntax highlighter a snap. The instructions are a little sparse on how to use it but I converted several existing code snippets to use the plugin. They looked good after I figured out how to get around the automatic encoding of HTML entities. The first time the editor encodes those special characters it was nice. The less than character becomes &lt;. The second time it encodes the characters, it created a mess. The less than character becomes &amp;lt;. I guess I should turn off the visual editor again. I also had to hand tune the CSS to get around some alignment issues.

Overall I give the plugin a thumbs up based on ease of installation and the light load it added, ~25K bytes. Editing a post is still a problem but I can work around that problem.

Javascript Code Highlighter: Chili vs SyntaxHighlighter :: PseudoCoder.com

WordPress › jQuery Lightbox « WordPress Plugins

I just changed out one of my WordPress Plugins. I generally use thumbnails of my images and let a plugin called Lightbox show a larger image when the image is clicked upon. Today I replaced the WP Lightbox 2 plugin with the jQuery Lightbox plugin. I was hoping to reduce the amount of JavaScript the page downloads and I was not disappointed. On one website I maintain the new plugin reduced the JavaScript downloaded from 161,100 to 39,420 bytes. There are some minor formatting issues but I think I can handle that.

CSS Fix #1 – On the web site using CSS dropped shadows I had to add a new selector to remove the dropped shadows.

#lightbox img {
background:none;
border:0;
padding:0;
}

CSS Fix #2 – One of my themes has tabs on the top and after installing jQuery Lightbox the body was overlaying most of the tabs. I found that I could restore the tabs and not cause any other problems if I removed the CSS attribute, “height: 100%”, from the body selector in the jquery.lightbox.packed.css.

WordPress › jQuery Lightbox « WordPress Plugins

WordPress 2.3.1

WordPress 2.3.1 is now available. 2.3.1 is a bug-fix and security release for the 2.3 series.

2.3.1 fixes over twenty bugs. Some of the notable fixes are:

  • Tagging support for Windows Live Writer
  • Fixes for a login bug that affected those with a Blog Address different than
    their WordPress Address
  • Faster taxonomy database queries, especially tag intersection queries
  • Link importer fixes

The part that interested me the most was the tagging support for Live Writer. After a little research I figured out that I did not need to do anything except refresh my blog account. To test this feature I created a new post and placed my tags in the field at the bottom of the Live Writer window called keywords. After publishing my post the browser confirmed that the tags were correctly entered. That is simple!

WordPress 2.3.1

Updating my blog to WordPress 2.3 and migrating existing UTW tags to the WP native tags

Well, I finally updated this blog to WordPress 2.3. After I upgraded WordPress to version 2.3, I imported my tags from Ultimate Tag Warrior and then I made several changes to my theme before everything looked normal. To get there I had to:

  1. Replace the UTW function in my index.php, single.php, and archive.php files with this function, <?php the_tags('Tags:<ul><li>', '</li><li>', '</li></ul>'); ?>. I had trouble finding the documentation for this function and Rich did not provide a good example of how to use it. After some guessing I came up with the correct parameters to generate valid HTML for an unordered list.
  2. Rename/delete my tag.php page. It interfered with the native tag support.
  3. I followed Rich’s suggestion and added the Executable PHP Widget widget to my blog. I used this widget to create a new tag cloud widget to replace my UTW tag cloud widget. I reduced the maximum font size down from 36 to 24 to get it to fit in my sidebar.
  4. I added the wordpress-23-related-posts-plugin for related posts to replace the similar UTW function. I added the function call to display the related posts just under “the_tags” function call in my index.php, single.php, and archive.php files.

Upgrading WordPress to Version 2.3

Yesterday I started updating some of my WordPress sites to WordPress 2.3. I used the WPAU plugin to update two sites and it worked fine. The bad news is that I found several problems. One theme and one plugin were not compatible with the latest WordPress version. I was a little surprised since these were plain vanilla sites with little customization.

The first problem I found was that I got an “array_key_exists” error message on the blog’s main page. After a little research I found that the problem was related to the Misty Look theme and that Sadish had updated the theme to version 3.5 to fix the problem.

The second problem I found was a bit more subtle. When I made a post or updated a page I got a “‘wp_post2cat’ doesn’t exist” error. There were a variety of recommendations on how to fix this problem but I finally figured out that I needed to upgrade the google-xml-sitemap-generator plugin to the latest version.

Considering the problems I have found with the easy sites, I will proceed very carefully when I update this site. This site may have too many bells and whistles for my own good.

Variations on Updating WordPress

The folks have updated WordPress again and I have been evaluating different methods of upgrading. The standard method works but I have been wanting to streamline the process for remote hosts.

For my locally hosted blog I used the Updating WordPress with Subversion method. This is pretty slick! I had previously checked out a copy of WordPress using Subversion and integrated the wp-content and a couple other files into the working copy. All I had to do this morning was to crank up TortoiseSVN on the checked out directory, change its tag to 2.3, and let Subversion do the rest. When I logged in as Admin, it updated the database. I did get some database errors about duplicate entries into wp_terms and wp_term_taxonomy but I do not think these errors are critical since this is the blog I use to test changes with. It’s pretty funky!

Yesterday I got carried away again and did a little research on using Subversion on remote hosts. I found that some host providers provide it but most do not. My host provider, bluehost.com, does not provide Subversion support directly but I found a post on a forum that described a method I could use to install it.  I kind of followed their instructions. It is working as a client and here are my instructions.

  1. Log in using SSH. I used PuTTY.
  2. Create a bin directory.
  3. Edit the .bashrc file to add the path statement to the bin directory.
  4. Create a source directory and then change to this directory.
  5. Use wget to download the tar version of both the Subversion package and the dependencies package.
  6. Untar both packages.
  7. Run configure, make, and then make install. You should have several executables in the bin directory. 
  8. Make sure that subversion works by typing in “svn --version”.

Here is the command line version:

mkdir ~/bin
# Use your favorite editor to edit .bashrc and add the path statement for the
# bin directory, e.g.  export PATH="$HOME/bin:$PATH"
mkdir ~/src
# get the subversion and dependencies tarballs
cd ~/src
wget http://subversion.tigris.org/downloads/subversion-1.4.5.tar.gz
wget http://subversion.tigris.org/downloads/subversion-deps-1.4.5.tar.gz
tar -xzf subversion-1.4.5.tar.gz
tar -xzf subversion-deps-1.4.5.tar.gz

# Build it (the directory name must match the version you downloaded above;
# the deps tarball unpacks into the same subversion-1.4.5 directory)
cd subversion-1.4.5
./configure --prefix=$HOME --without-berkeley-db --with-zlib --with-ssl
make
make install

# check it works! (~/bin must be on the PATH for this to find the new binary)
svn --version

I am now able to check out a copy of WordPress and update it on my bluehost.com website. I am not sure this is much better than the WPAU plugin I used recently. I will probably continue to play with both methods. I am still working at setting up a repository on bluehost. I do not mind using the Subversion client to update the WordPress files but I would like my bluehost account to be a server for the wp-content files since I would like version control on my theme files. It would be nice if the folks at bluehost decided to directly support Subversion, too.

WordPress Automatic Upgrade plugin update « Techie Buzz

WordPress Automatic Upgrade (WPAU) is a plugin that automatically upgrades your wordpress version to the latest files provided by wordpress.org

WordPress Automatic Upgrade plugin update « Techie Buzz

Okay, I was short on time and was willing to take a chance on a minor WordPress upgrade. I had several sites I wanted to upgrade and this looked like it would make the process quick and painless if it worked. For me, the plugin worked and the upgrade was complete in a few minutes. Yea!

Updating PHPUnit on XAMPP

I have decided to do some playing around with unit tests for PHP. I saw a video on Getting Involved in WordPress and it reminded me of my interest in unit testing. Now I almost want to create some unit tests for verifying WordPress plugins or phpWebSite code. Fortunately, common sense will prevail and I will restrict my activities to playing. The instructions at Chapter 3. Installing PHPUnit looked pretty easy but since I wanted to do my testing under XAMPP I knew there would be problems. Hopefully the problems would be minor.

Confirm the PEAR configuration

The first thing I did was to open a command window in the PHP directory under xampp and ran the following command.

pear show-config

This command elicited an error about improperly set environment variables. So I edited the file and inserted the full path to the XAMPP directory. I tried the command again and it showed the PEAR configuration. I checked the installed packages and it showed PHPUnit to be version 1.3.2. I would like to use the latest version so I am going to follow the instructions from the documentation.

Update the channel and install the PHPUnit

The next commands I tried were to update the channel and install PHPUnit.

pear channel-discover pear.phpunit.de

pear install phpunit/PHPUnit

The channel command worked. The install command did not work since it wanted a dependency updated, GraphViz. After updating the dependency I ran the install command again. It installed 3.1.7 and it said I could also install pdo_sqlite and xdebug. I tried to install these extensions but they ended with a DSP error.

Test the PHPUnit

To test the installation I created a new folder under htdocs called phpunit so that I would have all of the unit test files in one spot. I quickly found out that I needed a copy of the phpunit.bat file in that directory, too. This file is in the PHP folder and it has the correct path to the php.exe file. I copied the example ArrayTest from the documentation into a file called ArrayTest.php and ran the command, “phpunit ArrayTest“. It worked. Now I can move on to more sophisticated unit tests.

Final Fixups

After a little searching I found that the xdebug and pdo_sqlite extensions already exist in the extensions folder. XAMPP installs all of the extensions but only enables a couple of them in the default installation. All I had to do was to edit the php.ini file, remove the semi-colon in front of these extensions, and restart the web server.