Category — wordpress

This article is the first in a series of how-to articles which will go through all the steps required to create a wordpress plugin.

At the end of the article, there will be a download link to a working plugin that you can download and use as a template for building your own plugins. The latest version of Wordpress is required (2.8.5), which is the version I used when writing this article. Earlier versions might also work, but I can’t guarantee it.

The first step is to create a new php file called testplugin.php

The comment headers in your main plugin file (everything above between (/* and */) give wordpress information about your plugin which is displayed on the plugin information screen.

If you were to upload our template plugin file right now to your Wordpress plugins directory (wp-content/plugins), you would see the following in your plugin manager:

Now, we are going to add a settings page for our new plugin.

Understanding how to create your own plugin first requires an explaination of some built-in wordpress functions that are required to properly communicate with various sections of your administration panel and blog.

Even though it’s at the end of the file, add_action starts the process rolling for the settings page. Wordpress allows you to hook into different events with your own functions, which can execute and process code at various times. Since we are adding a new settings page onto the administrative menu, ‘admin_menu’ is passed as the first parameter (which is the event) and ’settings page’ is passed as the second (this is our function that will be called for that event).

CheckAuth() checks to see if the user has the correct permission to view or edit our plugin settings through a function called current_user_can.

The following is a list of all of the possible permissions that you can check:

• install_themes
• update_themes
• switch_themes
• edit_themes
• install_plugins
• activate_plugins
• edit_plugins
• update_plugins
• delete_plugins
• create_users
• edit_users
• delete_users
• edit_files
• manage_options
• import
• unfiltered_upload
• edit_dashboard
• moderate_comments
• manage_categories
• manage_links
• unfiltered_html
• edit_published_posts
• edit_others_posts
• edit_pages
• edit_others_pages
• edit_published_pages
• publish_pages
• delete_pages
• delete_others_pages
• delete_published_pages
• delete_others_posts
• delete_private_posts
• edit_private_posts
• read_private_posts
• delete_private_pages
• edit_private_pages
• read_private_pages
• upload_files
• publish_posts
• delete_published_posts
• edit_posts
• delete_posts
• read

add_options_page adds our new options page to the settings menu.

add_options_page(page_title, menu_title, capability, file, [function])

page-title: Text that will go into the HTML page title for the page when the menu is active.
menu-title: The on-screen name text for the menu.
capability: The minimum role required to display and use this menu page.
examples: Editor,Author,Contributor,Editor,Administrator
file: If the function parameter is omitted, this should be the PHP file that handles the display of the menu page content.
function: function that displays the page content for the menu page

settings_subpanel() displays all of the HTML that will be contained in the new settings page. I also used a couple of built-in functions that may help you when you build your own plugins.

update_option(): Update an option in the wp_options table.
get_option(): Get an option from the wp_options table
$wpdb->escape(): Used to prevent injection attacks by encoding certain characters. You should be ussing this function (or some other type of escaping) on any data sent into a database.

Download

This example plugin will display an input form which will allow you to update the current wordpress admin email address. If you would like to download the plugin example from this article, it can be found here.

If you have a wordpress blog and have gotten to the front page of digg, you may have seen the following error message:

This is usually caused by a large amount of traffic that is overloading your database (because each page that is loaded requires a query or multiple queries).

A great way to not only improve the speed of your entire blog, but help prevent the above error from occuring is to install a plugin called WP-Cache.

Installing

Installing is pretty easy and straight forward:

1. Upload to your plugins folder, usually
   wp-content/plugins/

   and unzip the file, it will create a

   wp-content/plugins/wp-cache/

   directory.

2. If you have Gzip Compression enabled turn it off (in Options->Reading).
3. Activate the plugin on the plugin screen.
4. Go to “Options” administration menu, select “WP-Cache” from the submenu, the plugin will try to autoconfigure everything. The plugin will try to autoconfigure everything and guide you through the process. In case of failure –normally due to the lack of files’ privilegies– it tell you and give the instructions to solve the problems.
5. A way to make things even faster is to enable gzip compression for wp-cache. It can done by doing the following: (within wp-cache-phase1.php) add the following line: if ( extension_loaded(’zlib’) ) ob_start(’ob_gzhandler’); before this line: foreach ($meta->headers as $header) {

The wp-cache wordpress plugin can be downloaded here

1) CodeColorer

Features

• line numbers
• automatic links to the documentation inserting
• code block intelligent scroll detection (short code would have short block, for long one block height would be fixed and scrollbar would appear)
• predefined color themes (Slush & Poppies, Blackboard, Dawn, Mac Classic, Twitlight, Vibrant Ink)
• syntax colors customization in CSS file
• syntax highlighting of the code in comments
• code protect from mangling by Wordpress (for example, quotes, double-dashes, etc would look just right as you entered)

2) Raw html

This plugin lets you use raw HTML or any other code in your posts. One way to use it is to wrap a part of your post in special tags (below) to prevent WordPress from converting newlines to HTML paragraphs, escaping apostrophes and so on. This is very useful if you need to add a CSS block or JavaScript to your post.

3) SyntaxHighlighter Plus

It supports the following languages:

• Bash — bash, sh
• C++ — cpp, c, c++
• C# — c#, c-sharp, csharp
• CSS — css
• Delphi — delphi, pascal
• Diff — diff
• Groovy — groovy
• Java — java
• JavaScript — js, jscript, javascript
• Perl — perl, pl
• PHP — php
• Plain text — plain, text
• Python — py, python
• Ruby — rb, ruby, rails, ror
• Scala — scala
• SQL — sql
• VB — vb, vb.net
• XML/HTML — xml, html, xhtml, xslt

4) SyntaxHighlighter Evolved

SyntaxHighlighter Evolved allows you to easily post syntax-highlighted code to your site without loosing it’s formatting or making any manual changes. It uses the SyntaxHighlighter JavaScript package by Alex Gorbatchev and a bit of code by Automattic.

5) FV Code Highlighter

Features:

• Renders XHTML, CSS, XML and PHP
• Default look: Dreamweaver style
• Customizable look of codes and code box

I wrote a previous article about improving wordpress security (here), which lists wordpress extensions that can help you improve the security of your blog.

The following is a list of some additional changes that you can make to improve the security of your wordpress installation (Backup wp-config.php and your db tables before trying the following):

Wordpress tables

Change the default table prefix. Many times, attackers can get information from your database because they know the exact names of the tables. Use a random table prefix that can’t easily be guessed.

If you already have a wordpress blog, you can follow the following steps:

1) Choose a random table prefix (example: 78erx2)
2) Open wp-config.php
3) Find $table_prefix = ‘wp_’; and change it to: $table_prefix = ‘78erx2_’; (This will be the prefix that was chosen above)
4) Execute the following SQL commands (in your favorite mysql client..I prefer SQLYog):
RENAME TABLE wp_categories TO 78erx2_categories
RENAME TABLE wp_comments TO 78erx2_comments
RENAME TABLE wp_link2cat TO 78erx2_link2cat
RENAME TABLE wp_links TO 78erx2_links
RENAME TABLE wp_options TO 78erx2_options
RENAME TABLE wp_post2cat TO 78erx2_post2cat
RENAME TABLE wp_postmeta TO 78erx2_postmeta
RENAME TABLE wp_posts TO 78erx2_posts
RENAME TABLE wp_usermeta TO 78erx2_usermeta
RENAME TABLE wp_users TO 78erx2_users

UPDATE 78erx2_options SET option_name=’78erx2_user_roles’ WHERE option_name=’wp_user_roles’

5) You may or may not have to execute this (it’s only if it exists in your DB):

In wp_usermeta, wp_autosave_draft_ids and wp_user_level for the field meta_key need to be changed to 78erx2_autosave_draft_ids and 78erx2_user_level.

Install WP-Scanner

WordPress scanner is a free online resource that blog administrators can use to provide a measure of their wordpress security level.

You first need to download the activator plugin Here. This plugin adds a simple piece of text to your blog to verify that you own the blog. After this is installed, you can scan your wordpress installation here.

Also remember to deactivate the plugin after you are finished scanning or other people will also be able to scan your installation.

File Security

The root Wordpress directory: all files should be writable only by your user account.
(The exception is .htaccess if you want WordPress to automatically generate rewrite rules for you)

wp-admin – All files should be writable only by your user account.
wp-includes – All files should be writable only by your user account.
wp-images – All files should be writable only by your user account.
wp-content – Should be writable by all (owner/user, group, and public).
wp-content/themes – If you want to use the built-in theme editor, all files need to be group writable. If you do not want to use the built-in theme editor, all files can be writable only by your user account
wp-content/plugins – All files should be writable only by your user account.

1) WP Security Scan

This plugin will scan your wordpress installation for security vulnerabilities and give you hints for fixing them.

Features:

• passwords
• file permissions
• database security
• version hiding
• WordPress admin protection/security
• removes WP Generator META tag from core code

Download Here

2) Change all accounts that have known usernames (example: admin).

Even though this will not protect you if someone knows your password or gets into your wordpress blog through some other vulnirability, it will be one less piece of information a potential attacker can use to compromise your site.

3) Remove Wordpress Version

This plugin removes the wordpress version from everything, including the RSS feed.

If you have extensions installed that requires the wordpress version information, this might break them. So install with care.

Plugin available Here

4) adminSSL

Features:

• Forces SSL on all pages where passwords can be entered.
• Works with both Private and Shared SSL.
• Can be installed on WordPress MU to force SSL across all blogs (only works if you have a Private SSL certificate installed) from WPMU 1.3 upwards.
• Custom additional URLS (e.g. wp-admin/) can be secured through the config page.
• You can choose where you want the Admin SSL config page to appear

Download Here

5) askApache Password protect

This plugin allows you to set up Password Protection for your blog using HTTP Basic Authentication, or you can choose to use the more secure HTTP Digest Authentication. Choose a username and password to protect your entire /wp-admin/ folder and login page. Forbid common exploits and attack patterns with ModSecurity, ModRewrite, Mod_Alias and Apache’s Core Security features.

Download Here

6) Wordpress firewall

Features:

• Detect, intecept, and log suspicious-looking parameters — and prevent them compromising WordPress
• Also protect most WordPress plugins from the same attacks.
• Optionally configure as the first plugin to load for maximum security.
• Respond with an innocuous-looking 404, or a home page redirect.
• Optionally send an email to you with a useful dump of information upon blocking a potential attack.
• Turn on or off directory traversal attack detection.
• Turn on or off SQL injection attack detection.
• Turn on or off WordPress-specific SQL injection attack detection.
• Turn on or off blocking executable file uploads.
• Turn on or off remote arbitrary code injection detection.
• Add whitelisted IPs.
• Add additional whitelisted pages and/or fields within such pages to allow above to get through when desirable.

Download Here