goawayxmlrpc.php

Found a plugin that might be useful for people needing to block xmlrpc.php pingbacks. It disables the methods in the XML-RPC API that allow attackers to send pingback data to your WordPress site. I am currently seeing a flood of pingback spam, which is being written into wpdb. I really don’t care for pingbacks, especially when this vulnerability is being used as a denial of service.

Bash Script TimThumb Update [cPanel/WHM]

If you’re dealing with a large WordPress instance, I hope you have shell. Using plugins like Timthumb Vulnerability Scanner on small installations is great; on large installations, however, the server might 503.

I had previously used bash scripts to detect outdated TimThumb with a simple grep command, writing the findings to a .txt file that I could cross-reference during the update process. That has become cumbersome; I wanted to grab the updated timthumb version from the Google Code repository and update the files directly. With a quick Google search, I found this simple script for cPanel users that can be modified for your distro. Props to DropDeadDick.com for sharing his script. <3

[bash]
#! /bin/bash
# Detects and updates timthumb.php to latest version for all cPanel users.
# dropdeaddick.com
# Note: the reference copy is fetched over plain HTTP, so run this from a host and network you trust.

# Pull the current VERSION define out of the upstream copy (field 4 when split on single quotes).
latest=`lynx -source http://timthumb.googlecode.com/svn/trunk/timthumb.php | grep "define ('VERSION'" | cut -f4 -d"'"`
if [ -z "$latest" ]; then
    echo "could not get latest timthumb release, aborting!"
    exit 1
fi

# Every cPanel account: UID above 499 with a home directory.
for user in `awk -F':' '{ if ($3 > 499) print $0 }' /etc/passwd | grep home | cut -d':' -f1`; do
    # Spaces in paths are swapped for % so the for loop does not split on them.
    for file in `find /home*/$user/public_html/ -type f \( -name 'thumb.php' -o -name 'timthumb.php' \) 2>/dev/null | tr ' ' '%'`; do
        file=`echo $file | tr '%' ' '`
        # Only files that actually carry the TimThumb project marker are touched.
        check=`grep -c "code.google.com/p/timthumb" "$file"`
        if [ -z "$check" ]; then
            break
        fi
        if [ "$check" -gt "0" ]; then
            version=`grep "define ('VERSION'" "$file" | cut -f4 -d"'"`
            if [ "$version" != "$latest" ]; then
                echo -e "\e[1;31mWARNING version $version\e[0m updating $file!"
                # rm -f $file #delete current file before replacing.
                wget -nv -t3 -T3 http://timthumb.googlecode.com/svn/trunk/timthumb.php -O "$file"
                chown $user: "$file"
            else
                echo -e "\e[1;32mOK version $version\e[0m skipping $file"
            fi
        fi
    done
done
[/bash]

I'd recommend creating an alias so that you can use it periodically. :]

WP Multisite: Images not displaying?

Last night I began investigating this strange issue. Images on the network either worked, or they were borked. I looked at APC and Varnish behavior and configuration and found no evidence of a caching problem. With that ruled out, I began looking at other causes. WordPress 3.2.4 was released this month, so I was thinking it could be related to core changes in how uploads and the media library handle blogs.dir. After ruling out server-side and client-side cache, I began to tinker around to see what was working and what wasn’t.

The first symptom is that images at /wp-content/blogs.dir/[id]/files/image.jpg are not displaying properly.

On mapped domains most images have a src attribute of http://domain.com/wp-content/blogs.dir/3/files/2012/03/image.jpg, which returns a 404 (for whatever reason these images are now not showing up).

However, if I change the URL to:
http://domain.com/files/2012/03/image.jpg
The image will appear. Is this something recent in 3.4.2? Am I going to have to go through and fix all these img src attributes?

I double checked the .htaccess; below is the standard WP .htaccess I have. Note that the mod_expires block is excluded.

--------------
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]

# uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule . index.php [L]
# END WordPress
--------------

Nothing out of the ordinary in here, however I did find an interesting .htaccess file in the blogs.dir directory, which contained the following code:

-----------------
Order deny,allow
Deny from all
<Files ~ "^[0-9A-Za-z]+.(jpeg|gif|png)$">
Allow from all
</Files>
-----------------

The issue is the regex. It only allows 0-9, A-Z and a-z in the file name and does not include dashes and underscores (it also lacks the plain jpg extension). The appropriate .htaccess file should read as:

-----------------
Order deny,allow
Deny from all
<Files ~ "^[0-9a-zA-Z._-]+\.(jpg|jpeg|gif|png)$">
Allow from all
</Files>
-----------------

For example, with the first .htaccess logo-300x300.jpg would be denied, whereas with the second .htaccess example logo.jpg works fine.

The new .htaccess file in /blogs.dir/ may have been written by core for security purposes. This piece of code restricts direct access to any file type not listed in the regular expression. It’s a good way to thwart a hacker who has obtained a user login and is attempting to upload and execute malicious code via the Media Library.
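To see concretely what the two patterns accept, here is an added shell check (not from the original post) that runs each `<Files ~>` regex against a constructed list of upload names, with grep -E standing in for Apache's matcher; the corrected pattern puts the dash last in the class so it is a literal dash and escapes the dot before the extension:

```shell
#!/bin/sh
# Added example (not from the original post): run the two <Files ~ "..."> patterns
# from the blogs.dir .htaccess against sample upload names. Apache matches the
# pattern against the bare filename; grep -E stands in for its matcher here,
# which is fine for patterns this simple.
ORIGINAL='^[0-9A-Za-z]+.(jpeg|gif|png)$'
# Corrected pattern: dash placed last in the class so it is a literal dash
# (".-_" would be a character range), and the dot before the extension escaped.
FIXED='^[0-9a-zA-Z._-]+\.(jpg|jpeg|gif|png)$'

# verdict PATTERN FILENAME  -> prints "allow" or "deny"
verdict() {
    if printf '%s\n' "$2" | grep -Eq -e "$1"; then
        echo allow
    else
        echo deny
    fi
}

# Constructed sample names: typical Media Library output plus a non-image
# that the allowlist is there to keep from being served directly.
compare() {
    for name in logo.jpeg logo-300x300.jpeg logo.jpg photo_2012-03.png upload.php; do
        printf '%-22s original=%-5s fixed=%s\n' "$name" \
            "$(verdict "$ORIGINAL" "$name")" "$(verdict "$FIXED" "$name")"
    done
}

compare
```

Only logo.jpeg passes the original pattern; the dashed, underscored and .jpg names pass the corrected one, and upload.php is denied by both.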

[my original thread on wordpress.org as I scratched my head]

WordCamp Seattle 2012 – May 19th @ Seattle Art Museum

Seattle, the city of coffee and technology.

This year’s WordCamp Seattle will be held at the Seattle Art Museum in downtown Seattle. I am looking forward to this year’s WordCamp Seattle since last year we didn’t have one. 🙁 In 2011, I went down to San Francisco to get my fix! I plan on attending a few WordCamps on the west coast in 2012!

If you’re looking to jump in on the WordPress action, get your tickets today! We’re almost sold out! SOLD OUT!

Who: WordPress Nerdballers
What: WordCamp Seattle 2012
Where:
Seattle Art Museum
1300 1st Avenue, Seattle, WA
(206) 654-3100
How: [Get your tickets here! SOLD OUT!] – If you missed out on a ticket, WordCamp Seattle still needs volunteers! Help out, sign up here: http://2012.seattle.wordcamp.org/volunteer/
Why: Because, CMS.

The WordCamp Seattle 2012 Widget

Spread the word! I just quickly made this widget since WC Seattle hasn’t made one yet!

I am attending WordCamp Seattle 2012

[html]<a href="http://2012.seattle.wordcamp.org" target="_blank"><img title="I am attending WordCamp Seattle 2012" src="http://codesleepshred.com/wp-content/blogs.dir/1/2012/03/wordcamp-seattle-2012.gif" alt="I am attending WordCamp Seattle 2012" /></a>[/html]

Photo credit goes to Doug Mahugh

Inspiration: WordPress Multisite Running On Amazon Web Services

I honestly don’t know why, but I have always feared the day that I would dive head first into Amazon Web Services. In the last two weeks, I have been researching the ins and outs of AWS: how people are using it to deploy applications, security, its architecture, and AWS terminology. It is very overwhelming, but I think it’s time I embarked on this adventure.

A few inspirations: Earmilk.com’s Blake Shoji. Although I have never met him IRL, nor interacted with him online, the Earmilk network boggles my mind. They definitely sparked my curiosity! If you’re a music lover, I’d recommend checking them out!

While I was reading up on AWS, I happened to find David Jensen’s blog post on how to install WordPress on Amazon AWS EC2. I am going to use this documentation as a basis for my study, although I do want to branch off to NGINX. We’ll see where the path takes me!

If you need further inspiration that will help motivate you to jump into the cloud, I highly recommend watching “The Known Universe” with The XX Intro Extended dubbed over it. Seriously, the possibilities are endless!

Stepping Into eCommerce With WordPress

It’s time that I take a step into the eCommerce world with a platform that I am most familiar with… WordPress! In the past I’ve helped with and tinkered with shopping carts like Magento and have scared away a few small-time clients with its complexity.

Now, I will be helping clients with the simplicity of WordPress coupled with WooCommerce + WooThemes. I intend to build custom themes based on WooTheme frameworks. Today, I have 2 clients needing website solutions. It’s time to dive into the code!

If you’d like to know more about WooThemes and want a demonstration of WooCommerce, feel free to reach out to me!

How To Add Options To User Profiles Using personal_options

I wanted to add additional fields / options to the WordPress User Profiles so that users could add their Twitter, Facebook, and Phone Number. Below is a snippet of code you can either add to functions.php or integrate into your WordPress plugin!

[php]<?php // Personal Options
add_action( 'personal_options_update', 'save_custom_profile_fields' );
add_action( 'edit_user_profile_update', 'save_custom_profile_fields' );
function save_custom_profile_fields( $user_id ) {
	// profile.php / user-edit.php already check the nonce; still confirm the caller may edit this user.
	if ( ! current_user_can( 'edit_user', $user_id ) ) {
		return;
	}
	// Sanitize before storing; never write raw $_POST values into user meta.
	$phone    = isset( $_POST['phone_number'] ) ? sanitize_text_field( $_POST['phone_number'] ) : '';
	$greeting = isset( $_POST['greeting'] ) ? sanitize_text_field( $_POST['greeting'] ) : '';
	update_user_meta( $user_id, 'phone_number', $phone );
	update_user_meta( $user_id, 'greeting', $greeting );
}

add_filter( 'user_contactmethods', 'add_contact_option', 10, 2 );
function add_contact_option( $user_contactmethods, $user ) {
	// Registers an extra contact field; WordPress renders it alongside the built-in ones.
	$user_contactmethods['phone_number'] = 'Phone Number';
	return $user_contactmethods;
}

add_action( 'personal_options', 'add_profile_options' );
function add_profile_options( $profileuser ) {
	$greeting = get_user_meta( $profileuser->ID, 'greeting', true );
	// Escape on output so a stored value cannot inject markup into the profile page.
	?><tr>
	<th scope="row">Greeting</th>
	<td><input type="text" name="greeting" value="<?php echo esc_attr( $greeting ); ?>" /></td>
	</tr><?php
}[/php]

Adding A Drop Down Menu To personal_options

If you’re curious how to add a select drop-down menu, below is an example of how to do this. I hope you find this useful!

[php]<?php // Personal Options

add_action( 'personal_options_update', 'save_custom_profile_fields' );
add_action( 'edit_user_profile_update', 'save_custom_profile_fields' );
function save_custom_profile_fields( $user_id ) {
	if ( ! current_user_can( 'edit_user', $user_id ) ) {
		return;
	}
	// Only the two values the <select> offers are accepted; anything else is ignored.
	$teampage = isset( $_POST['teampage'] ) ? $_POST['teampage'] : '';
	if ( in_array( $teampage, array( 'Yes', 'No' ), true ) ) {
		update_user_meta( $user_id, 'teampage', $teampage );
	}
}

add_action( 'personal_options', 'add_profile_options' );
function add_profile_options( $profileuser ) {
	$teampage = get_user_meta( $profileuser->ID, 'teampage', true );
	?><tr>
	<th scope="row">Include On Meet The Team Page?</th>
	<td>
	<select name="teampage" id="teampage">
	<option value="Yes"<?php selected( $teampage, 'Yes' ); ?>>Yes</option>
	<option value="No"<?php selected( $teampage, 'No' ); ?>>No</option>
	</select>
	</td>
	</tr><?php
}[/php]

How To Remove Default personal_options in User Profiles

Below is a snippet of code that allows you to remove personal_options in the WordPress User Profile.

[php] // Remove Default personal_options
add_filter( 'user_contactmethods', 'hide_profile_fields', 10, 1 );

function hide_profile_fields( $contactmethods ) {
	// Drop the legacy IM fields from the profile form.
	unset( $contactmethods['aim'] );
	unset( $contactmethods['jabber'] );
	unset( $contactmethods['yim'] );
	return $contactmethods;
}[/php]

Now How Do I Echo This Onto A Page!?

I am assuming you know a little bit about PHP, WordPress Theme development and the API. Below is a function you can use. If you need more info on the_author_meta() and get_the_author_meta() functions please visit the codex. Please feel free to ask a question in comments.

[php]
// $authorID is the author's user ID, e.g. get_the_author_meta( 'ID' ) inside the loop.
the_author_meta( 'jobtitle', $authorID );                 // echoes the value
$teampage = get_the_author_meta( 'teampage', $authorID ); // returns it for use in your own logic
[/php]

How To Setup LAMP on Ubuntu 11.04 – Also, WordPress

In this article, we will work on setting up a LAMP environment on Ubuntu 11.04. As an added bonus, I will set up WordPress 3.2 in the environment for you nerds. As you may have noticed in previous posts, I have a nice little lappy which allows me to dev on the run.

Installing LAMP onto Ubuntu 11.04

First things first: we need to install tasksel and then run it from the terminal.

[code lang="bash"]
sudo apt-get install tasksel
sudo tasksel
[/code]

Select LAMP Server and proceed to install it!

While you are installing LAMP, you will be prompted to set a password for MySQL root.

First of all, the /var/www/ directory is owned by root only. We want to allow our IDEs, such as Netbeans, or editors like Vi/Vim/Nano, to have permission to write to this directory. So let’s sudo su and chown /var/www/:

[code lang="bash"]
sudo su
chown yourusername:yourusername /var/www/
exit
[/code]

At this point, let’s test to see if LAMP is running.

[code lang="bash"]sudo vi /var/www/index.php[/code]

Within index.php just enter phpinfo(); to check if the PHP core fires an output!

[code lang="php"]<?php phpinfo(); ?>[/code]

Save index.php and exit.

When you visit http://localhost/index.php you should get an output. If you do not, you can try restarting apache2 with the following command:

[code lang="bash"]sudo /etc/init.d/apache2 restart[/code]

Installing phpMyAdmin To Manage Your MySQL Databases on Ubuntu 11.04

[code lang="bash"]sudo apt-get install phpmyadmin[/code]

WordPress: World Famous 5 Minute Installation

Head over to WordPress.org and grab the latest version of WordPress. Extract the zip file to /var/www/wordpress

Visit http://localhost/phpmyadmin and create a database.

Under the Privileges tab, go to Add New User. Under Global Privileges, click Check All and hit Go. (For anything beyond a local dev box, grant the user privileges on the WordPress database only rather than globally.)

Visit http://localhost/wordpress and set up your WordPress install! Bam! You’re done!

MySQL Find And Replace In WordPress Database

If you’re migrating domains, changing your alias, or simply learned the hard lessons between your, you’re, you are, here’s a simple mysql query to run on your database.

[box type="note"]Be sure to backup your database![/box]

You will need phpMyAdmin or SQL Executioner. A basic knowledge of SQL is a must, so run down to Barnes & Noble and get your nerd on!

[code lang="sql"]
update wp_posts set post_content = replace(post_content,'myoldsite.com','mynewsite.com')
[/code]

In this example, we are targeting the post_content column of wp_posts: replace() rewrites every occurrence of “myoldsite.com” in post_content to “mynewsite.com”.

The basic logic can be applied anywhere in the database, but it is especially useful if, for example, all your posts pointed to a site that no longer exists. One caveat: a plain replace() is fine on text columns like post_content, but not on serialized PHP data (widgets and many plugin settings in wp_options and wp_postmeta), because the stored string lengths no longer match after the replacement. I’ve also used this to remove authors’ contact information from the content. For some reason they thought it was a good idea to include their phone number and e-mail on every post, which later became outdated! I eventually created a useful author signature and a way they could update this information in /wp-admin/profile.php.