Authorising WordPress Users From Another Script

Sometimes you might want to add additional pages or some extra functionality outside of WordPress. I needed to do this and only allow signed-in users to access the page.

There’s a pretty straightforward way to check visitors to the page simply by including the WordPress header file and then checking for an appropriate permission.

Read on for the script.

2 Simple Tips To Secure Your WordPress Installation And Uploads Directory

Lately, I’ve seen a flurry of WordPress attacks that upload files or alter the WordPress core files to make your sites do things that they really shouldn’t do.

These nefarious tasks can range from using your site to send spam email, to making your site a billboard for online drug sales, to injecting visitors’ browsers with malware. You can imagine that it can be quite tricky to hunt these things down – or even to be aware that they are happening if you’re not careful.

So here are a few steps that you can take to ensure that your WordPress site is secure from these attacks. If you manage the server, then you might want to update your httpd.conf and add the following configuration.

<LocationMatch "wp-content/uploads/.*\.(php\d?|phtml)$">
 Order Deny,Allow
 Deny from All
</LocationMatch>
# AllowOverride only takes effect in a <Directory> section (path is a placeholder, repeat per site)
<Directory "/path/to/docroot/wp-content/uploads">
 AllowOverride None
</Directory>

What this does is prevent PHP files in the uploads directory from being served to a browser. Our server is configured to execute PHP for the extensions .php2 through to .php5 as well as .phtml, so I’m using a regular expression that catches all of these file types. The AllowOverride directive will prevent any .htaccess files being used as well: if a script has managed to upload files to your server, there is otherwise nothing to stop it from adding an .htaccess file that re-enables access to the PHP files, so this is necessary.

This configuration applies to any location that is matched, which applies to all of your websites, rather than using the Directory method, which is based on the local file system.
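To see what the pattern above actually catches before deploying it, here is an added Python example (not from the post) that runs the post’s regular expression over a set of constructed request paths. It also tries a case-insensitive variant, which is an assumption of this example rather than the post’s configuration, because mod_mime maps file extensions case-insensitively.

```python
import re

# The LocationMatch pattern from the post, exactly as written. Apache uses PCRE
# and LocationMatch is unanchored, so re.search against the URL path mirrors it.
PAGE_PATTERN = r"wp-content/uploads/.*\.(php\d?|phtml)$"

# Tightened variant (assumption of this example, not from the post): (?i) makes the
# match case-insensitive, matching how mod_mime decides which files PHP handles.
TIGHTENED_PATTERN = r"(?i)wp-content/uploads/.*\.(php\d?|phtml)$"


def is_blocked(url_path: str, pattern: str = PAGE_PATTERN) -> bool:
    """Return True if the Deny rule would apply to this request path."""
    # LocationMatch is tested against the URL path only, so drop any query string.
    path = url_path.split("?", 1)[0]
    return re.search(pattern, path) is not None


def coverage_report(url_paths, pattern=PAGE_PATTERN):
    """Map each request path to whether the given pattern blocks it."""
    return {p: is_blocked(p, pattern) for p in url_paths}


# Constructed sample request paths (not from the post): the normal case, the
# numbered extensions the post mentions, and a few edge cases worth knowing.
SAMPLE_PATHS = [
    "/wp-content/uploads/2012/03/photo.jpg",      # ordinary upload: allowed
    "/wp-content/uploads/2012/03/upload.php",     # blocked
    "/wp-content/uploads/x.php5",                 # blocked via \d?
    "/wp-content/uploads/x.phtml",                # blocked
    "/wp-content/uploads/x.php?v=2",              # query string ignored: blocked
    "/wp-content/uploads/x.PHP",                  # uppercase: missed by PAGE_PATTERN
    "/wp-content/uploads/x.php.txt",              # $ needs the extension last: allowed
    "/wp-content/plugins/foo/bar.php",            # outside uploads: intentionally allowed
]

if __name__ == "__main__":
    for name, pattern in (("post", PAGE_PATTERN), ("(?i)", TIGHTENED_PATTERN)):
        print(f"--- pattern: {name}")
        for path, blocked in coverage_report(SAMPLE_PATHS, pattern).items():
            print(f"{'DENY ' if blocked else 'allow'}  {path}")
```

The uppercase case is the one to watch: the post’s pattern lets `x.PHP` through, while the `(?i)` variant denies it.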

Another security measure to consider is making the WordPress site read-only. I know that it’s a chore to manually update your site and plugins – but I have seen WordPress core files modified to inject headers and redirect certain requests. This is a complete pain to find, so save yourself the bother.

If you do find that your site is hacked – the first thing that you should try is to reinstall the WordPress core files. If you haven’t made the files read-only, then you can do this by clicking on the Dashboard > Updates link in WordPress and then click ‘Re-install Now’. This downloads and installs a fresh version of WordPress over your current core files with no configuration changes.

If you’re still noticing unusual behaviour, then you should try removing unnecessary plugins and themes and check the wp-config.php file in your site.

If you at least use the above two tips, then the chances of your site being exploited are greatly reduced.

Life and Blogging is Hard

Plus.net have moved to the new CGI platform after some sort of disaster. As this was coming for almost a year, I’m shocked that the platform still seems in such a shoddy state.

This has meant that the site has been misbehaving for a few weeks. Most notably causing random Apache errors.

I think that it’s a wake up call to me that I need to get this blog living somewhere else. Letting it expand and breathe as it needs to.

Some of the way to that is getting a new hosting plan sorted out. I wanted to do this in an el-cheapo style by using SQLite instead of MySQL to power WordPress, but it seems like the database abstraction that it uses might as well be non-existent. MySQL or bust, I’m afraid.

In a time when PHP provides a unified access library, and many frameworks have a respectable set of DB abstraction libraries – it’s frustrating to see the WordPress team get suckered into making new features the top of the development priority list, while failing to solidify or revisit programming fundamentals.

And what’s the point of having plugins at all if they don’t get approved in any way? After my trial with SQLite, I’m genuinely worried about any WP plugins now.

Moving soon folks!

Stop Sexy Bookmarks from being filtered

I’m quite a fan of the Sexy Bookmarks WordPress plugin. There’s clearly an element of grace in the design and the developers make no bones about how it should be perceived. Being ‘sexy’ has an inexpressible appeal for anything but it can cause headaches simply because of the connotations that are also brought up with it.

For example, searching in Google for Sexy Bookmarks is innocent enough at first until you get a few pages into the results.

The other problem is that corporate firewalls like WebSense can block words such as ‘Sexy’ if they appear in filenames.

Prevent WordPress from Hanging when You Log on

I’ve set up a WordPress site for a client and have had no end of troubles trying to get the site to behave – however there seems to be a constant problem of WordPress hanging.

Looking further into it – I discovered that the RSS feeds in the Dashboard were making the browser and site hang. There is likely to be an issue tied into the host / browser / JavaScript.

Anyway, if you find that you are having the same problem, follow these directions:

  1. Restart your web browser (if it isn’t already closed).
  2. Before visiting your blog, open up the settings and disable JavaScript. (IE / Firefox / Opera Instructions)
  3. Open up your blog site and log on in the normal way.
  4. On the Dashboard panel, you’ll see that there are now a number of panels that state they require JavaScript – great!
    [screenshot: broken_dashboard]
  5. On each widget, click on the configure link. Delete the contents of the RSS feed URL and then click on Submit.
  6. Once done, you can turn JavaScript back on in the browser settings. You’ll see the widgets appear with errors on them.
    [screenshot: widget_nojs]
  7. Now just go to the top of the page and click on Screen Options. Disable the widgets that show an error message and all will be right with the world once again!

It’s a bit of a pain, and I haven’t managed to get to the bottom of the problem as I am never in charge of hosts where the problems lie.

However, this workaround will at least get you going with your blog without any more hassle!

Bank 2.0 – An Ideal of a Better World

I’ve just read Matt Mullenweg’s thoughts on starting a bank. Not just any bank – but a safe bank.

In the current climate of consumer resentment towards their banks, it seems like Matt’s thoughts on starting an internet bank using tried-and-tested internet strategies is a great idea.

Of course, there is all the fine details. How difficult would it be to get a loan from SafeBank? Or how would one deal with credit cards or “reasonable” fees…

Still, a very interesting premise and one that I might steal for a speech idea! Nice one, Matt!