TL;DR: View the code on Meta Trac. Every once in a while I’ll run into a situation where something will break permalinks on all the sites in a WordPress Multisite network, like a plugin network-activation gone wrong. On a single site, it’s easy enough to fix by manually visiting Settings > Permalinks, which will flush and rebuild the rewrite […]
Why Websites get Hacked is a good high-level article to send to clients or friends who don’t understand why someone would want to attack their site — and therefore don’t see the need to protect it — or are curious about how it happens.
I’m working on a plugin that implements a custom post type, and it doesn’t need the editor, but I do want to upload files. I set up everything like you normally would, but I noticed that the files weren’t being attached to the post when they were uploaded. I couldn’t find anything online, so I dug through […]
WordPress already sends the X-FRAME-OPTIONS header for wp-login.php and the Admin Panels in order to prevent clickjacking, but it doesn’t send it on the front end because that could interfere with remote services that legitimately frame parts of a site. That’s only relevant for a small number of pages, though, so I’ve added a snippet to my functionality plugin skeleton […]
I’m one of the mentors for WordPress’ SupportPress project in this year’s Google Summer of Code, and I wanted to put together a list of WordPress.tv videos to help introduce Varun to the WordPress community and some development best practices. I figured it’d be good to save it for future reference, so I’m also posting […]
Mike Jordan’s post on the WordPress community has some great insight and challenging thoughts. The truth is, however, that our community does not have these rare traits simply because its members are just that awesome. The primary reason that our community is so approachable is that for the first several years of its life we had to […]
Update: Zack Tollman wrote a plugin called Ostrichize that does an even better job of this, so I’ve reverted my version out of my functionality plugin skeleton and will use his in the future. Pro tip: search for existing code before writing new code ;) * * * There are a lot of WordPress plugin and theme […]
It’s really disheartening to read stories like this coming out of the WordPress community, but kudos to Sarah for speaking out about it. We all need to be more aware of these issues and look for ways to prevent things like this from happening in the future.
Video: I presented on this topic at WordCamp Dayton 2014. It’s very common for developers to customize and extend existing plugins to fit their own needs, which is one of the great advantages of using open-source software. They often do it by making their changes directly to the plugin, though, which creates a security vulnerability […]
I came across a post on WP Recipes about programmatically logging users in, but it seemed like a flawed approach because it duplicated parts of Core’s internals rather than using the API. So, I came up with my own version:
I just released a new plugin into the WordPress.org repository, and am fairly confident that it’s secure, but since it modifies some of the default login behavior, I’d love to get some extra eyeballs on the code. To that end, I’m offering a $150 Amazon.com gift certificate* to anyone who can find a significant vulnerability. By “significant”, […]
I just spent a while tracking down some odd AJAX behavior that was puzzling me, so I thought I’d share the solution. I was working on a plugin to extend P2 and my AJAX requests were always responding with -1. After a lot of digging and some trial-and-error, I figured out that it was happening because I was […]