Category Archives: Wordpress

How to Show a Different WordPress Theme based on IP Address [SOLVED]

A colleague and I recently stumbled on a situation where we had to show one WordPress theme to the web site visitors but a different theme to ourselves, so we could develop the new theme on the live site without showing the development theme to the visitors.

A search on uncle Google did not yield any decent results, and we did not want a bloated third-party plugin slowing things down, so in the end we figured the best way was to filter our IPs and switch the theme based on IP address.

So we spun up a quick plugin and used the switch_theme function in WordPress.

BOOM! Now when we visit the client's site I can see the new theme and how it interacts with the current content, without interrupting the user experience. NICE!

Here is the code below which helped us accomplish the task.

All you have to do is:

  1. Create a file inside your plugins folder called "change-the-theme.php"
  2. Drop the code below into that file
  3. Add the IP addresses to the list of developers' IPs
  4. Change the theme names


[solved] Gravity Forms with Javascript Validation

Gravity Forms (www.gravityforms.com) is without a doubt one of the best WordPress form plugins out there. I have been using it since it was launched; it is a brilliant tool and I have it in use on literally hundreds of web sites.

However, I recently needed to put JavaScript validation on some forms and, unfortunately, Gravity Forms does not natively support it.

When I contacted Gravity Forms support to ask about JavaScript validation, they basically told me it's not supported and I was on my own.

So below is some jQuery code I have scraped together to get it working.


Just assume that the form ID is 7; the rest should be self explanatory.

The code can be put anywhere you like as long as it's before the Gravity Forms function call.

<!-- For Gravity Forms Validation Top Form -->
<!-- WordPress already bundles jQuery; loading a second copy can break other scripts, so omit this tag if jQuery is already enqueued. -->
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js" type="text/javascript"></script>
<script>
jQuery(document).ready(function() {
    // Gravity Forms renders form 7 as <form id="gform_7"> with the submit button id "gform_submit_button_7".
    jQuery("#gform_submit_button_7").click(function() {
        // Returning false from the click handler cancels the submit.
        return GravityFormValidation_7(document.getElementById("gform_7"));
    });
});

// Client-side checks only improve the user experience; Gravity Forms' own
// server-side validation still runs on submit and remains the real control.
function GravityFormValidation_7(Form) {

    if (Form.input_7_1_3.value == "") {
        alert("Please enter your Name");
        Form.input_7_1_3.focus();
        return false;
    }

    if (Form.input_7_2.value == "") {
        alert("Please enter your Phone Number");
        Form.input_7_2.focus();
        return false;
    }

    if (Form.input_7_4.value == "") {
        alert("Please enter your Email Address.");
        Form.input_7_4.focus();
        return false;
    }

    return true; // every field is filled in, let the form submit
}
</script>

Backdoor WordPress Login Script

I created this script to allow me to quickly log in to clients' WordPress installs after they have royally messed things up. For example, some clients have changed their admin password and don't know which email account they used, so this script lets me quickly create a new user, log in and reset their details without having to muck about with MySQL etc.

NOTE: to use this script you do actually need to have access to the web server to upload the file to their site and then execute it through the browser.

Instructions
================================
1. Create a new file called some_file_name.php
2. Copy the code below into it
3. Change the settings if you need to
4. Execute the script via your browser at www.some_domain.com/some_file_name.php
5. Delete the file after the admin user has been created <— probably a good idea.


Hiding Part of a WordPress Template Based on the Type of Template Being Used

Here is a nifty piece of code you can use when you need to hide or show something on a WordPress template that you have assigned to your page.

So if you needed to hide the navigation menu on a certain type of page within your site, you would literally add a few lines of code, as the WordPress Codex already provides a function for determining whether the page is using a certain template (see: is_page_template).

Let's assume the following.

  1. You have made a WordPress template called "template-no-nav.php" inside the theme root
  2. You have assigned your page the custom template
  3. You want to hide the navigation menu from the template

Just add the following code to the header.php file where your navigation menu would normally appear.


[solved] .htaccess not working in wordpress sub directory

Today, one of my clients mentioned that his REST API was not working and was returning 404 errors, and the iPhone app was broken because of them.

As he is running WordPress, the immediate thought was that WordPress was overriding something and showing 404 errors inside his API directory (usually a 404 error indicates that the folder or file does not exist, but we checked and the folder was there).

Here is a visual example of the issue.

When I opened up his .htaccess file in his /api/ directory I could see the following, which is pretty standard .htaccess format.


I noticed that the rewrite base was not being defined, which usually occurs when you have an Apache server configured for "AllowOverride None", so I added another line to his .htaccess file to get it working again (see line 4 below, RewriteBase /api/).
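As an added example (not the client's actual file), here is a typical front-controller .htaccess for the /api/ directory with the RewriteBase line added; an index.php front controller inside /api/ is assumed.

```apache
# /api/.htaccess (constructed example)

# RewriteEngine On here starts a fresh rule set for this directory, so the
# WordPress rules in the site root's .htaccess no longer apply under /api/.
RewriteEngine On

# In per-directory (.htaccess) context mod_rewrite strips the directory prefix
# before matching and re-adds it to relative substitutions afterwards. When the
# server cannot derive that prefix from the filesystem path, the rewritten URL
# points at a location that does not exist, which is what surfaces as a 404.
# RewriteBase pins the prefix to the URL path of this directory.
RewriteBase /api/

# Send everything that is not a real file or directory to the API front controller.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [QSA,L]
```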


I hope this helps those who also had this issue.

How to Secure WordPress

WordPress IS NOT SAFE "out of the box", and if you are willing and daring enough to DIY it, then the checklist below is what you need to do in order to make your WordPress install more secure.

Server security will never be 100% bulletproof, but the methods below will provide a heightened level of security for WordPress and will deter casual hackers and their automated robots, without causing too much inconvenience to the web site owners.

    1. Give WordPress its own directory
      Quite often, hackers will use automated robots to attack the default admin folders for WordPress, so giving WordPress its own directory makes it a little harder for them to find. It is very simple to do and WordPress provides very specific instructions here.

      1. Create a folder in the root of your site called /mywordpress (or another familiar name).
      2. Upload the latest WordPress version to that folder.
      3. Make a copy of the /mywordpress/index.php file and move it to the root at /.
      4. Change this line from: require('./wp-blog-header.php'); to require('./mywordpress/wp-blog-header.php');
      5. Run the WordPress install and tell WordPress that the site URL is mysite.com and the WordPress URL is mysite.com/mywordpress.
    2. Install and update to the latest version of WordPress
      It is very important to upgrade to the very latest version of WordPress in order to take advantage of any security updates integrated since the last version.
    3. Install the Login Lockdown plugin
      This plugin will trap hackers who try to brute force the login page by allowing only 3 failed login attempts before locking the user's IP out and preventing them from accessing WordPress.
      Plugin URL: http://wordpress.org/extend/plugins/login-lockdown/
    4. Install Wordfence
      Wordfence provides an amazing array of security features. A little long-winded to configure, but it provides ample protection for the standard WordPress user.
      Plugin URL: https://wordpress.org/plugins/wordfence/
    5. Delete the Akismet plugin as it's not needed (if you don't accept comments)
      Unless you will be allowing users to comment and wish to use the spam filtering from wordpress.org, delete this plugin. It is easy to reinstall if you need it later.
    6. Delete the Hello Dolly plugin as it's not needed
      Although this plugin is totally harmless, there is no point in having plugins which are of no use to WordPress.
    7. Delete any themes you are not using
      Don't think that just because a theme is not activated it can't be hacked. You should remove all theme files except for the theme you are currently using and the latest WordPress default theme. Any older WordPress themes or themes you are not using, uninstall them. It is easy to do through the WordPress admin.
    8. Delete any plugins you are not using
      Like themes, plugins which are not activated should not be sitting on your server. Having code.
    9. Change the WordPress database table prefix to avoid SQL injection
      Using the WP Security Scan plugin installed earlier on, we just add a random prefix to the WordPress tables, so in case a hacker tries to inject data into a table, it is harder for them to guess the table names. The default WordPress table prefix is wp_, so you will make it something like wp_xff_.
    10. Delete the /wp-content/uploads folder and change the upload folder to /images
      Hackers will always try to target the /wp-content/uploads folder, so moving it will bypass any robot attempts to hack it.
      a. Open the wp-config.php file.
      b. Add this line to make WordPress store images in the root like /yourdomain.com/images:
    11. Remove the admin username
      Removing the admin username eliminates a known username for hackers to target. If the admin username is used, this gives the hacker an extra 50% chance of getting access, as they already know the username.
    12. Add directives to robots.txt to not index WordPress files and folders
      Hackers will use search engines to find login pages for WordPress as well as core folders, so preventing them from being indexed in the first place will make it a little harder for your WordPress install to be discovered. However, there is also the argument that if someone reads your robots.txt file it will reveal any files and folders that you don't want to show; for me, I would rather take my chances by excluding them from search engines and adding extra protection using different security layers.
    13. Add .htaccess protection to the /.htaccess file
      This code will prevent hackers from checking whether there is a .htaccess file on your web site or accessing it directly.
    14. Add "no directory browsing" to the /.htaccess file
      Some hosts prevent web site visitors from browsing directories, and WordPress to an extent provides an empty index.php file in most directories, but adding this code to your .htaccess file will disable directory browsing across all folders on your web site.
    15. Add additional wp-config.php protection to the /.htaccess file
      Although an earlier step already provides some protection for the wp-config.php file, this step, like the .htaccess protection, prevents hackers from directly accessing wp-config.php.
    16. Add some extra SQL injection protection inside the root .htaccess file
      This code will prevent various SQL injection methods being passed through query strings to your WordPress files.
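An added example (not the original post's code) of the /.htaccess additions for steps 13 to 16 in one place; it assumes Apache 2.4 syntax and a host whose AllowOverride setting permits these directives.

```apache
# Root /.htaccess additions for steps 13-16 (constructed example, Apache 2.4 syntax;
# on Apache 2.2 replace "Require all denied" with "Order deny,allow" / "Deny from all").
# Keep them outside the "# BEGIN WordPress" ... "# END WordPress" block, which
# WordPress rewrites when permalinks change.

# Step 13: never serve .htaccess, .htpasswd or any other .ht* file, so a request
# for /.htaccess returns 403 instead of confirming the file exists.
<Files ".ht*">
    Require all denied
</Files>

# Step 14: no directory listings in any folder under the document root.
# Needs AllowOverride Options (or All); if the host forbids it Apache answers
# 500 for the whole site, so drop just this line rather than the whole file.
Options -Indexes

# Step 15: wp-config.php holds the database credentials; refuse direct requests
# so that even a broken PHP handler cannot hand the file out as plain text.
<Files "wp-config.php">
    Require all denied
</Files>

# Step 16: reject query strings carrying obvious script or SQL injection fragments.
# This is a nuisance filter only: it is easy to evade, so the real defence stays
# patched WordPress core and plugins that use prepared queries.
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} union.*select.*\( [NC]
RewriteRule ^ - [F,L]
```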

Additional Advanced Options

  1. Change the following files so they are read only (chmod 444) to prevent malicious users writing to them.
    Usually hackers will use robots to log in with FTP and rewrite or append to your WordPress files. The 3 files below are the main ones you need to protect, so allowing only read access to them means they cannot be written to in the event that your FTP is compromised.
    /wp-config.php
    /.htaccess
    /index.php
  2. Add wp-login.php protection to the /.htaccess file
    Automated scripts can attack the default WordPress login page, but by closing off the wp-login.php page and locking it down to one IP or a set of fixed IPs, you are in effect displaying a 404 error to attackers that are not in the list of authorised IPs. In the RewriteCond %{REMOTE_ADDR} part of the code below, just enter your IP address parts, replacing each instance of 255.

    IMPORTANT NOTE: you need to have a fixed IP for this to work; if not, try the htpasswd method below, which is more common.
  3. Add /wp-admin protection using the htpasswd method
    It's not fun for server admins when your WordPress is getting attacked. Automated attacks can cause a kind of DDoS effect and can really give a server a workout. Now, if you only use WordPress yourself or with a handful of users, this method puts a layer of security on top of the /wp-admin folder, so when someone tries to access it they will be prompted for a username and password regardless of what IP address they are using.

    Step 1: Create the Password File
    Create an empty file named .wpadmin and place it in your home directory, where visitors can't access it. Usually this is ABOVE the public_html directory in your account (please note there is a period preceding "wpadmin" in that file name). EXAMPLE: /home/username/.wpadmin (where "username" is the cPanel username for the account).

    Step 2: Create the Encrypted Username and Password
    1. Visit: http://www.htaccesstools.com/htpasswd-generator/
    2. Use the form to create the username and password. E.g. if you put the username as john and used the password johndoe, then the page would give you a funny-looking string like this: john:$apr1$NFzCXrln$LK4N5.FkrMmqYgFWn8l5E1

    Step 3: Copy that string, as you will now need to enter it into the .wpadmin file you created in step 1.


    Step 4: Update/Create the root .htaccess file
    The last step is to place the following code in the /home/username/.htaccess file. Some servers create the .htaccess file automatically, so if it exists already just add the code below to it. If not, just create a new one.
    1. Open /home/username/.htaccess (if there is not one already, just create a new one)
    2. Paste the following code into the .htaccess file
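An added example (not the original post's code) that covers advanced steps 2 and 3 together: a 404 for wp-login.php from any address other than a fixed IP, then HTTP Basic authentication on wp-login.php using the .wpadmin file from step 1. The address 203.0.113.10 and the path /home/username are placeholders; Apache 2.4 syntax is assumed.

```apache
# Root .htaccess additions (constructed example; Apache 2.4 assumed)
RewriteEngine On

# Advanced step 2: wp-login.php exists only for the listed fixed IP(s).
# Everyone else receives a 404, as if the page were not there at all.
# The conditions are ANDed, so add one "RewriteCond %{REMOTE_ADDR} !^a\.b\.c\.d$"
# line per allowed address; each extra line widens the allowlist.
# List your IPv6 address too if you can reach the site over IPv6, or you lock yourself out.
RewriteCond %{REQUEST_URI} ^/wp-login\.php
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^ - [R=404,L]

# Advanced step 3: ask for a username and password before wp-login.php loads.
# AuthUserFile points at the file created in step 1, outside the web root, holding
# the "john:$apr1$..." line produced by the htpasswd generator in step 2.
# Needs AllowOverride AuthConfig; serve the site over HTTPS, since Basic
# credentials are only base64-encoded on the wire.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /home/username/.wpadmin
    Require valid-user
</Files>

# Let Apache serve its own 401 page; otherwise WordPress tries to handle the
# 401 and the browser's password prompt does not appear reliably.
ErrorDocument 401 default
```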

    Your WordPress login page should now prompt you for a username and password.

    Happy Days!