corenominal

Full stack web developer, interested in all the things, but especially the web, code, design, Linux, OS X, PHP, WordPress, JavaScript & robots.

Tagged: wordpress

WordPress REST API Vulnerability Exploits Continue

Over the weekend the attacks increased and WordPress security firms have seen more attempts blocked by their firewalls. Sucuri, the website security firm that reported the vulnerability to WordPress, was tracking the “Hacked by w4l3XzY3” campaign last week and estimated 66,000 defacements. That particular campaign has now passed 260,000 pages indexed by Google. It is one of nearly two dozen defacement campaigns targeting the vulnerability.

Ouch! The WordPress REST API has certainly gotten off to a rocky start. Personally, I love the REST API, but I’m thinking this hasn’t helped convince its detractors that it should remain as part of the WordPress core.

Ignorance is Bliss? An Enormous WordPress Zero-Day has Been Secretly Fixed

WordPress 4.7.2 fixed the issue, but it was a “silent patch”. The fix was hidden within other issues in order to give everyone time to patch their systems.

At the time of 4.7.2’s release, details of the flaw were kept secret, as the security community raced to ensure that as many sites were protected as possible, as Aaron Campbell explained in a WordPress blog post.

Sounds like a rather nasty flaw, so it’s understandable that a “silent patch” was applied.

UPDATE: More detailed information available here.

Conditionally include additional CSS and JavaScript for page templates in WordPress

I’m currently working on a large-ish WordPress theme that has a number of custom page templates. The custom page templates require their own CSS and JavaScript files, so I’m using the following code to enqueue the additional files. This allows for a file structure like so:

themes/mytheme/page_template_foo.php // custom page template
themes/mytheme/css/page_template_foo.css // additional CSS
themes/mytheme/js/page_template_foo.js // additional JS

The code should be self-explanatory, but see the comments for explanations as to what’s happening.
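Here is an added example of that approach (my own illustration, not the theme code from the original post). It assumes the file layout shown above, a parent theme (no child theme), and a `mytheme_` prefix for the function and handle names:

```php
<?php
/**
 * Enqueue a page template's matching CSS/JS only when that template is in use.
 * Assumes themes/mytheme/page_template_foo.php with css/page_template_foo.css
 * and js/page_template_foo.js alongside it.
 */
function mytheme_enqueue_page_template_assets() {
    // Only pages using a custom (non-default) page template are handled.
    if ( ! is_page_template() ) {
        return;
    }

    // "page_template_foo.php" -> "page_template_foo". basename() drops any
    // directory component, so the slug can never point outside css/ or js/,
    // and pathinfo() removes the .php extension.
    $slug = pathinfo( basename( get_page_template_slug() ), PATHINFO_FILENAME );
    if ( '' === $slug ) {
        return;
    }

    $dir = get_template_directory();     // filesystem path, for file_exists()
    $uri = get_template_directory_uri(); // URL, for the browser

    // Additional CSS: enqueue only if the file really exists.
    $css = "/css/{$slug}.css";
    if ( file_exists( $dir . $css ) ) {
        wp_enqueue_style(
            "mytheme-{$slug}",
            $uri . $css,
            array(),
            filemtime( $dir . $css ) // version = mtime, so caches refresh on change
        );
    }

    // Additional JS: loaded in the footer, after jQuery.
    $js = "/js/{$slug}.js";
    if ( file_exists( $dir . $js ) ) {
        wp_enqueue_script(
            "mytheme-{$slug}",
            $uri . $js,
            array( 'jquery' ),
            filemtime( $dir . $js ),
            true
        );
    }
}
add_action( 'wp_enqueue_scripts', 'mytheme_enqueue_page_template_assets' );
```

In a child theme, swap `get_template_directory()`/`get_template_directory_uri()` for `get_stylesheet_directory()`/`get_stylesheet_directory_uri()` so the lookup targets the child theme's files.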

Notes: this method increases overhead because it tests for the existence of the files; if you’ve only got a couple of custom page templates, you’d be better off hardcoding the enqueues. That said, if you’re using caching it shouldn’t be a big deal. Also, unless you’re using HTTP/2, you’ll probably want to use something like Autoptimize to concatenate the CSS and JS files.

The State of WordPress Security

WordPress is not as insecure as its reputation would suggest. Rather it is a top target due to its incredible prevalence. Yes, there are a lot of vulnerabilities in the WordPress ecosystem, but most of them are in a small percentage of the plugins. While many plugins do not contain vulnerabilities at all because of their small size, the ones that do have issues have a lot of them. The more lines of code a plugin has, the more vulnerabilities it has on average.

I would have thought that would be pretty obvious. Still, it’s an interesting read, if only to get a list of plugins you’d probably want to avoid.

Interview with Matt Mullenweg on the new WordPress release cycle and more

I had the opportunity to interview Matt Mullenweg at the end of WordCamp US 2016, and we chatted about the new WordPress development cycle, the WordPress REST API, and more.

Following on from State of the Word, 2016, it’s good to see Brian and Matt discussing the announcements in a less formal manner. Their discussion around the REST API and defining its success (starts around 11:50) was most interesting, although I found Matt’s answer somewhat woolly. Authentication issues aside, I’m wondering if the slow adoption of the REST API is related to a lack of firm commitment to the feature? Or maybe it’s just too advanced for the majority of WordPress users. Regardless of the reason, it would be good to hear a solid commitment to it.

jQuery.mmenu, app look-alike menus with sliding submenus

Looking for that true native app look and feel for your mobile menu? Stop searching, you found it!

No matter how large your nested menu structure is, everyone already is familiar with the sliding submenus used in native apps. Adding a fixed header, search field and subitem counters make navigating your menu even easier.

Looks like a solid app menu implementation. Also available as a WordPress plugin.

State of the Word, 2016

The full video and Q&A from 2016’s State of the Word last week in Philadelphia is now online. This year was especially exciting because it wasn’t just a look back at the previous year, but sets out a new direction for where WordPress will be in 2017 and beyond.

It’s a long video, but if you’re at all interested in WordPress, it’s well worth watching. Details about the new release schedule start about 54 minutes in.

About pwgenWEB Password Generator

Back in August, I created pwgenGUI, a little Python front-end to pwgen. Today, I had a day off work, so I created pwgenWEB, a little web front-end to pwgen.

To be honest, there isn’t anything special about this password generator, in fact, I’d probably recommend that you don’t use it. That said, it was fun to build and it has helped me test out a few things, including my newly designed WordPress theme.

For anyone who might be interested, the tool uses a custom WordPress REST API endpoint to call pwgen with the arguments passed via an AJAX call.

I’ve tried to include feature parity with the desktop app, namely:

  • Configurable options, including character length and the inclusion of uppercase, numeric and special characters.
  • Saves settings across sessions, enabling you to use the same password policy (handled by js-cookie).
  • 1-click password generation — generates a password on application start page load.
  • Easily copy passwords to clipboard (handled by clipboard.js).

Anyhow, feel free to use it, or not. Or, if you’re looking for something that’s a little more fun, try something like Passweird.
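As an added illustration of the architecture described above (this is not pwgenWEB’s own code), here is a custom REST API endpoint that runs pwgen with options taken from the AJAX request. The route name, option names and the pwgen path are assumptions; the point is that every option is declared with a type and range so the REST layer rejects bad input, and nothing from the request is ever interpolated into a shell string:

```php
<?php
// Register GET /wp-json/pwgenweb/v1/password (route name is an assumption).
add_action( 'rest_api_init', function () {
    register_rest_route( 'pwgenweb/v1', '/password', array(
        'methods'             => 'GET',
        'callback'            => 'pwgenweb_generate',
        'permission_callback' => '__return_true', // public tool, no login needed
        'args'                => array(
            // Typed, bounded arguments: WordPress validates these against the
            // schema before the callback runs, so only integers in range and
            // real booleans get through.
            'length'   => array( 'type' => 'integer', 'default' => 16, 'minimum' => 8, 'maximum' => 64 ),
            'capitals' => array( 'type' => 'boolean', 'default' => true ),
            'numerals' => array( 'type' => 'boolean', 'default' => true ),
            'symbols'  => array( 'type' => 'boolean', 'default' => false ),
        ),
    ) );
} );

function pwgenweb_generate( WP_REST_Request $request ) {
    // Build argv as a list of fixed flags; the only request-derived value is
    // the already-validated integer length, and every element is still
    // passed through escapeshellarg() before reaching the shell.
    $argv   = array( '/usr/bin/pwgen', '-s', '-1' ); // secure mode, one per line
    $argv[] = $request['capitals'] ? '-c' : '-A';    // require / forbid capitals
    $argv[] = $request['numerals'] ? '-n' : '-0';    // require / forbid digits
    if ( $request['symbols'] ) {
        $argv[] = '-y';                               // require a special character
    }
    $argv[] = (string) (int) $request['length'];      // password length
    $argv[] = '1';                                    // generate exactly one

    $cmd = implode( ' ', array_map( 'escapeshellarg', $argv ) );
    exec( $cmd, $output, $status );

    if ( 0 !== $status || empty( $output ) ) {
        return new WP_Error( 'pwgen_failed', 'pwgen did not return a password', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'password' => trim( $output[0] ) ) );
}
```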

A Simplified WordPress TinyMCE Editor

Sometimes, you might want to remove a few buttons from the WordPress TinyMCE editor. There could be a whole bunch of reasons for wanting to do this, but I’m not going to get into that just now. Anyhow, it’s good to know that you can make a simplified TinyMCE user interface, if you want/need to.

The following function and call to add_filter() will do just that.
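An added example of such a function (not the original post’s code): it replaces the first toolbar row with a short, explicit list and empties the second row. The exact set of buttons kept, and the `mytheme_` prefix, are my choices:

```php
<?php
/**
 * Reduce the WordPress TinyMCE editor to a handful of buttons.
 * Button ids are the ones WordPress/TinyMCE use; '|' inserts a separator.
 */
function mytheme_simplified_mce_buttons( $buttons ) {
    // Return an explicit list rather than trimming $buttons, so the result does
    // not depend on whatever other plugins have appended to the toolbar.
    return array(
        'formatselect', 'bold', 'italic', '|',   // block format, emphasis
        'bullist', 'numlist', 'blockquote', '|', // lists and quotes
        'link', 'unlink', '|',                   // links
        'undo', 'redo',                          // history
    );
}
add_filter( 'mce_buttons', 'mytheme_simplified_mce_buttons' );

// Drop the second ("kitchen sink") toolbar row entirely.
add_filter( 'mce_buttons_2', '__return_empty_array' );
```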

You could use the above in your theme’s functions.php file, or wherever you deem fit, and it should result in an editor that looks similar to the image below (note the number of buttons).

A simplified WordPress editor.

More information about removing buttons from the WordPress TinyMCE editor can be found here.

Sentence Length Colorization

Certainly, good writing is more than just varied sentence length, but this is a fantastic visualization that makes an excellent point. It wouldn’t hurt to be able to see this kind of thing in our own writing, in an on-demand fashion while editing.

I really like this idea, it would be great to see something like this as a feature within the WordPress editor.