How to Hide the Administrator on the WordPress Users Screen

By michael  |  August 18th, 2009  |  Published in Blogging, WordPress  |  18 Comments

[update: you can now download this as a plugin. file at bottom of post]

WordPress has a great admin interface for managing just about every aspect of the software. One integral part of this interface is the “Authors & Users” screen:

WordPress Admin: Authors & Users

This is a great utility and it gives us, as the developers, the freedom to let our clients have control over their own authors and users.

If you develop like we do though, you’ve probably learned that it’s better for everyone when we limit the client’s ability to access areas of the site that they don’t need on a day to day basis. The Plugins and Appearance utilities are a great example.

This usually isn’t a problem because WordPress integrated role management into their software. A common solution – and one that we use at FullThrottle – is to simply retain the “Administrator” role for yourself and split up the remaining roles for your client as needed. No problem!

What if we don’t want our clients to be distracted by the default “Administrator” account that we leave intact though? Is there a simple way to remove this from the client’s screen? Well… if simple means foolproof and strictly using PHP and WordPress hooks, then no (though we may submit some patches to make this possible). Regardless, what you can’t do with PHP, you can always do with jQuery. Below is our ‘smoke and mirrors’ way to remove all administrator level roles from the Users screen when it is viewed by anyone not in that role.

Removing Administrators from WordPress Users & Authors

All of the code below will be placed in your theme’s functions.php file:

Step one: Queue the jQuery. Technically, jQuery should already be enqueued, but better safe than sorry:

// Enqueue jQuery
add_action('admin_enqueue_scripts' , 'ft_hide_administrator_jquery' );
function ft_hide_administrator_jquery(){
	global $pagenow;
	if ( 'users.php' == $pagenow ){
		wp_enqueue_script('jquery');
	}
}

Step Two: Remove ‘Administrator’ from the dropdown boxes

// Remove Administrator from "Editable Roles"
// editable_roles is a filter (it must return the roles array), so use add_filter
add_filter( 'editable_roles' , 'ft_hide_administrator_editable_roles' );
function ft_hide_administrator_editable_roles( $roles ){
	// Only administrators (level_10) keep the Administrator option in the role dropdowns
	if ( isset( $roles['administrator'] ) && !current_user_can('level_10') ){
		unset( $roles['administrator'] );
	}
	return $roles;
}

Step Three: Use some jQuery magic to remove the administrator

// Hide Administrator from list of users
add_action('admin_head' , 'ft_hide_administrator_user');
function ft_hide_administrator_user(){
	global $pagenow;
	// Only print the script on the Users screen (where jQuery was enqueued above)
	// and only for people who are not administrators themselves
	if ( 'users.php' == $pagenow && !current_user_can('level_10') ){
		?>
		<script type='text/javascript'>
			jQuery(document).ready(function(){
				var admin_count = 0; // stays 0 if no Administrator filter link is present
				var total_count;

				// Read the "(n)" count next to the Administrator filter link, then remove the link
				jQuery("#list-filter > .subsubsub > li > a:contains(Administrator)").each(function(){
					admin_count = parseInt(jQuery(this).children('.count').text().replace(/[()]/g, ''), 10) || 0;
				});
				jQuery("#list-filter > .subsubsub > li > a:contains(Administrator)").parent().remove();

				// Subtract the hidden administrators from the "All (n)" count
				jQuery("#list-filter > .subsubsub > li > a:contains(All)").each(function(){
					total_count = parseInt(jQuery(this).children('.count').text().replace(/[()]/g, ''), 10) || 0;
					jQuery(this).children('.count').text('(' + (total_count - admin_count) + ')');
				});

				// Remove the table rows that belong to administrators
				jQuery("#users > tr .administrator").parent().parent().remove();
			});
		</script>
		<?php
	}
}

That’s it! As always, if you find any bugs or have any suggestions, just leave a comment. Below is a link to download the whole chunk of code. Just paste the contents into functions.php and you should be good to go!

Download Code:

Final Result:

PHP NONCE Library

By michael  |  August 12th, 2009  |  Published in Blogging, Uncategorized  |  23 Comments

[Download our nonce library]

We’ve recently developed our own PHP NONCE library for use with custom programming. Our version is loosely based on the implementation found inside the core WordPress software.

What is a NONCE?

Literally, the term refers to a number used once. In software development, it is often used as a security measure to ensure that certain links or forms are only available once, thereby preventing malicious attacks against the system.

Where would I use a NONCE?

A NONCE offers an additional level of security where sensitive actions may take place within your application. Take the following line of code as an example:

<a href="delete_post.php?post=003">Delete Post</a>

This link was poorly thought out if the application has no other security measures in place. Anyone could begin deleting posts by simply pointing their browser at the above link and changing the post number.

Well designed applications would only make that link available if the user was logged into the system with appropriate permissions. Furthermore, the delete_post.php script would ideally check to see if the user was logged into the system and if the user had appropriate permissions to delete that post. Is this enough security though?

Here are just two scenarios that could circumvent the above security measures:

  1. Depending on how the application’s user authentication works, it is certainly possible for a malicious user to spoof an authenticated user or to otherwise crack the authentication.
  2. Additionally, if you are a legitimate admin of the above-mentioned application, it would be possible for me to trick you by sending you a link to this script. Once you clicked it, the post would be deleted.

How a NONCE prevents the above attacks

A NONCE is successful as an additional layer of security because it prevents actions initiated by links or requests from being used more than once. Every time a link or a form is printed on the screen, your NONCE functionality embeds a key / value pair to be sent to the receiving script. Every time that script is called, it checks for the key / value pair and then authenticates it on a pass / fail basis. If it passes, the action is performed; if it fails, the action is not performed.

The above link with a NONCE applied to it would resemble something like the following:

<a href="delete_post.php?post=003&_nonce=9c5fbfabb1">Delete Post</a>

The receiving script would then do the following:

  1. Check to see if the user is logged in with appropriate permissions (standard security)
  2. Check to make sure the NONCE key / value is set
  3. Authenticate the received NONCE using a library of functions.

How does a NONCE create and authenticate its key / value pairs?

While there are no hard and fast rules for creating a NONCE, most libraries will include the following components when generating one:

  • A secret key or ‘salt’ stored only on the server
  • A user ID (optional – makes the NONCE only work with a specific user)
  • An action name: ie: ‘delete-post’
  • A timestamp (allowing the NONCE to expire if never used)
  • A database of used NONCEs (optional and not used in our library)

Using all of the above components, a NONCE may be generated like this: secret-salt + user ID + action-name + timestamp. All of this is thrown into a hash that the receiving script can unpack and authenticate (most of the time, the timestamp will be modified before being included and hashed).

The receiving script doesn’t actually ‘unpack’ the received key; rather, it recreates it and compares. For instance, the delete_post script would combine the secret salt (which it knows), the current user’s ID, the delete-post action name, and a timestamp (modified appropriately). If any one of those components is off, the NONCE value generated by the receiving script will not match the one sent by the initial script and the NONCE will fail to authenticate.
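Putting the components above together, here is an added example (not the ft-nonce.php library’s own code) of a create / verify pair in PHP. The ft_example_* names, the placeholder secret and the 12-hour lifetime are assumptions, and hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example, not the ft-nonce.php library. Components: server-side secret,
// user ID, action name and a coarsened timestamp, combined into one hash.
// FT_EXAMPLE_* names and the placeholder secret are assumptions.

define('FT_EXAMPLE_NONCE_SECRET', 'placeholder-replace-with-a-long-random-secret');
define('FT_EXAMPLE_NONCE_LIFE', 12 * 3600); // seconds a nonce stays valid

// The "modified" timestamp: the current time reduced to a tick that changes
// every half-lifetime, so the receiving script can recreate it without
// knowing the exact second the link was printed.
function ft_example_nonce_tick($now = null) {
	$now = ($now === null) ? time() : $now;
	return (int) ceil($now / (FT_EXAMPLE_NONCE_LIFE / 2));
}

// secret + user ID + action + tick -> short hash. The secret is the HMAC key,
// so it never appears in the hashed string itself.
function ft_example_nonce_hash($action, $user_id, $tick) {
	$data = $tick . '|' . $action . '|' . (int) $user_id;
	return substr(hash_hmac('sha256', $data, FT_EXAMPLE_NONCE_SECRET), -12, 10);
}

// Embed the result in the link or form for the logged-in user. Including the
// object ID in the action ("delete-post-003") binds the nonce to one post.
function ft_example_create_nonce($action, $user_id) {
	return ft_example_nonce_hash($action, $user_id, ft_example_nonce_tick());
}

// Receiving script: recreate the value and compare. Accepts the current tick
// and the previous one, so a nonce is good for at most FT_EXAMPLE_NONCE_LIFE.
function ft_example_verify_nonce($nonce, $action, $user_id) {
	if (!is_string($nonce) || $nonce === '') {
		return false;
	}
	$tick = ft_example_nonce_tick();
	foreach (array($tick, $tick - 1) as $t) {
		$expected = ft_example_nonce_hash($action, $user_id, $t);
		if (hash_equals($expected, $nonce)) { // constant-time comparison
			return true;
		}
	}
	return false;
}

// --- Sender side: printing the "Delete Post" link for user 42 (constructed) ---
$user_id = 42;
$nonce   = ft_example_create_nonce('delete-post-003', $user_id);
echo '<a href="delete_post.php?post=003&amp;_nonce=' . htmlspecialchars($nonce) . '">Delete Post</a>', "\n";

// --- Receiver side (delete_post.php), after the login and permission checks ---
$received = isset($_GET['_nonce']) ? $_GET['_nonce'] : $nonce; // falls back to $nonce only for this demo
$post_id  = isset($_GET['post']) ? (int) $_GET['post'] : 3;
$action   = sprintf('delete-post-%03d', $post_id);

var_dump(ft_example_verify_nonce($received, $action, $user_id));           // same user, action and window
var_dump(ft_example_verify_nonce($received, $action, 7));                  // a different user
var_dump(ft_example_verify_nonce($received, 'delete-post-004', $user_id)); // a different post
var_dump(ft_example_verify_nonce('deadbeef00', $action, $user_id));        // a tampered value
```

Only the first call passes; the other three show that changing the user, the action or the value itself makes the recreated hash differ.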

How to use our NONCE library

  1. Download the zip file and unpack
  2. Include ft-nonce.php inside all your application’s pages
  3. Embed one of our two generating functions in your links or forms
  4. Call the validating function at the top of your receiving scripts and do as you wish based on the validity of the NONCE.

If you need a further example, you can check out the example here. The PHP source file is included in the zip.

Feedback

We’ve only deployed this once and value your feedback. We will be more than happy to modify, enhance, and correct bugs as reported.

WPMU – Add ALL New Users to Main Site

By michael  |  August 12th, 2009  |  Published in Blogging, Development, WordPress  |  Comments Off

In WordPress MU there are two levels of users. There are users who have a blog and users who do not have a blog. This option is usually chosen when the user creates their account. If they choose to have just a username only (no blog), then the user is added as a subscriber to the main site (default setting). If they chose to have a blog, WPMU adds a subsite for them with an administrator user for that subsite. However, it does not give them subscriber permissions to the main site.

This became an issue with a site I was working on recently. The main site had a calendar that any logged in user needed to be able to add an event to. To do this I had to create a custom group that allowed users to post in a specific category only, which worked great, except for blog users. Since blog users are not given any rights on the main blog, I needed to find a way to automatically create the same functionality that normal users have on the main site.

This is what I came up with:

// Give the owner of every newly created blog the "calendar" role on the main site (blog ID 1)
function ft_new_user_meta($blog_id, $user_id) {
	add_user_to_blog( 1, $user_id, 'calendar' );
}
add_action( 'wpmu_new_blog', 'ft_new_user_meta', 10, 2 );

Basically, I hook onto the wpmu_new_blog action, so whenever it fires, it calls my ft_new_user_meta function, which is passed the two variables $blog_id and $user_id. Then I run the function add_user_to_blog with 1 as the blog_id for the main site, the $user_id that I’m adding, and the role that I want to give. In this case it is my custom “calendar” role.

I added that into a file named new_user.php which I placed in the mu-plugins directory. Now, whenever a user goes to the site and creates their own blog, it gives them access to the main site with rights to add events to the calendar.

Auto Updating WordPress with 1and1 Hosting

By michael  |  August 10th, 2009  |  Published in Blogging, WordPress  |  2 Comments

If you have any WordPress blogs on 1and1 then you’ve probably run into some problems with updating certain plugins, updating the blog, or even importing into your blog. The reason is that 1and1 has some issues with PHP4, but there is an easy fix. You need to hand edit your .htaccess file (located in the root of your WordPress directory) and add the following line:

AddType x-mapp-php5 .php

It doesn’t matter too much where you put it, so it’s best just to put it at the end of the file.

Let us know if this helps you out or not.

Good PHP Coding Techniques

By michael  |  August 1st, 2009  |  Published in Blogging, News  |  Comments Off

Sebastian Bergmann has put together a slideshow highlighting several tips for good PHP coding techniques. The slideshow is called “Quality Assurance in PHP Projects”.

The slideshow includes several examples of coding and testing techniques.

Hide “Back to Top” Links

By michael  |  July 23rd, 2009  |  Published in Development  |  Comments Off

Often, web pages will include links at the top of the page which reference paragraphs or sections lower on the page. A recent client’s web page had a list of links at the top of the page. Each link would cause the page to scroll down to that particular section of the web page. The client wanted the user to be able to quickly return to the top of the page, but he did not want “Back to Top” links at the end of each section.

Usually, this type of web page does have “Back to Top” links at the end of each section. For example, click here to jump to the next section of this post.

Next Section
This is the next section. If you clicked on the link above, then you scrolled to this section. This section could have been anywhere on this page.

This is the HTML code used to create the link “click here to jump to the next section of this post”:

<a href="#nextsection">click here to jump to the next section of this post</a>

This code creates a link to a named section called “nextsection”.

The code to create the named section for “Next Section” would look like this:

<a name="nextsection"></a>

Typically, you would create a link at the end of “Next Section” to allow the user to jump back to the top of the web page, like this: Back to Top.

This is the code for creating the “Back to Top” link:

<a href="#">Back to Top</a>

Hiding “Back to Top” Links
However, it is not always aesthetically pleasing to have “Back to Top” links appear throughout your web page at the end of each paragraph or section. This is especially true if your users want to print your web page. The process below “hides” the “Back to Top” links until a user clicks a link to that section.

For example, this link will take you to a section called “New Section”. However, before you click that link, scroll down to “New Section”, and you will see that there is no “Back to Top” link.

New Section
This is the new section. If you clicked on the link to “New Section” above, you should have jumped to this section. You will also see a “Back to Top” link here:

However, if you scrolled down the page without clicking the “New Section” link above, then you should not see a link for “Back to Top”.

This is the new HTML code used for the “New Section” link:

<a onclick="document.getElementById('newsection_back2top').style.visibility = 'visible';return true"
href="#newsection">New Section</a>

This code sets element “newsection_back2top” (defined below) to be visible when the link “New Section” is clicked.

This is the new HTML code for the “Back to Top” link:

<span id="newsection_back2top" style="visibility: hidden;">
<a onclick="document.getElementById('newsection_back2top').style.visibility = 'hidden';
return true" href="#">Back to Top</a></span>

Floating “Back to Top” Links
There is another option that works well for a web page that has several sections with multiple “Back to Top” links. Instead of coding a “Back to Top” link after each section, or even coding a hiding “Back to Top” link after each section, you can create a “Back to Top” link that floats at a particular place on the web page.

For example, click this link for the “Final Section”. This link will cause the page to scroll down to the section labeled “Final Section”, and it will also make a new “Back to Top” element visible.

Final Section
If you clicked the “Final Section” link above, you should now see a floating “Back to Top” link on the left side of the page. Even if you scroll up or down on the web page, the “Back to Top” link will remain in the same position. Click the “Back to Top” link to scroll to the top of the page and to remove that floating “Back to Top” link.

The code for the “Final Section” does not change. However, this is the new code for the “Back to Top” link:

<div id="finalsection_back2top" style="position: fixed; left: 5px; top: 40px; background: #EEE; 
visibility: hidden;"><a onclick="document.getElementById('finalsection_back2top').style.visibility = 'hidden';
return true" href="#">Back to Top</a></div>

The addition of fixed positioning along with a location (left, top), causes the “Back to Top” link to “float” in the specified position on the web page.

Using a blog to attract customers to your business

By michael  |  July 22nd, 2009  |  Published in Blogging, Video  |  Comments Off

Adding a blog to your business web site is a great way to attract customers and clients to your business. Even in this age of Web 2.0, most web content remains static, meaning the message delivered to search engines like Google does not change. However, by adding a blog to their website, businesses can create dynamic content which will be indexed by search engines.

The Complete Website has published a short (1 minute) video that demonstrates the effectiveness of adding a blog (and blog content) to your business website. Watch their video here: “Business blog = Google magnet .”

Setting up a single login across WordPress and WordPress MU

By michael  |  July 20th, 2009  |  Published in Development, WordPress  |  7 Comments

We recently ran into a client who needed help getting his WordPress installation and his WordPress MU installation communicating together. They had WordPress installed in the root directory of their website, and WPMU installed in a sub-directory of the same website. Both WP installations were on the same DB.

Unfortunately I was unable to get a good copy of their MySQL tables, so I had to recreate this setup on my own. I did a little research and found out that many people have similar setups and many people have different solutions. I felt like it might be beneficial to share my experience with this.

First, I downloaded the latest WP and WPMU (2.8.1 at the time). I setup a new MySQL DB and extracted WP and WPMU into their respective directories (remember WordPress was in the root and WPMU in a sub-folder).

Something like this:

/wordpress/
/wordpress/wpmu/

After messing around for a while I determined it was easiest to install WPMU first. There were two reasons for my thinking, one of which was not necessary. First, if you were to install WordPress first, when you tried to install WPMU it would get confused because it would see the wp-config.php file below. Don’t ask me why this is, it just is. Second, I was thinking about changing the WP DB prefix (default: wp_) to something else. In WordPress you can do this during the install; in WPMU you have to edit the files to get this accomplished. This was the part that wasn’t really important, because I actually kept both using wp_ as the prefix.

Ok, WPMU is installed and working, now I installed WP. At the end of the install, it sees that there is already a wp_users table, with an Admin user in it. This caused me a little problem because I think it actually reset the password without telling me the new password. So I had to go into phpMySQL to reset the password to something I knew. Hardly a huge problem, but still it might make you think that everything is broken when you cannot log into either WP or WPMU!

Now, the goal is to be able to log into either WP or WPMU and then not have to log in again when you switch to the other. So, I needed to be able to log into WP and then go to WPMU without it asking me to log in again (and vice-versa). This is all about COOKIES! There are a bunch of people who have different solutions, but the easiest solution for me was to make sure that both the WP auth cookie and the WPMU auth cookie were identical. This is not as easy as it sounds, because MU handles cookies slightly differently than WP. But ultimately, I just needed to edit wp-config.php in both WP and WPMU to get it to work perfectly.

Here are my setting changes:
define('COOKIE_DOMAIN', false);
define('ADMIN_COOKIE_PATH', '/');
define('COOKIEPATH', false);
define('SITECOOKIEPATH', false);
define('COOKIEHASH', 'vy48u9w38868t7t99jh8g137x221r5h1h8');
define('AUTH_KEY', '49uld4y46i3432ugvi346uv86uci53v5529jj5z265i987u43snbxwj3ps92u2lr');
define('SECURE_AUTH_KEY', 'f2et8b6xck64m4j2vmqcuqxb57s3rk5edh5d19pq114ef7y67g35i6m682lr288z');
define('LOGGED_IN_KEY', 'mywu969v3tcf2uer82vxisx8k6sq2neib5qs1qt4sx383slslb5t1xep12hbtcxs');
define('NONCE_KEY', 'bde6j26r93lvwmgwydw7x3kp74r5299q8vxe832y7r616lf215142e5t4vc55j36');
define('AUTH_SALT', '3856m559klvidrx34fi574ct32r94x77bepr7638jmuw22d29883i82k76un2tm4');
define('LOGGED_IN_SALT', 'jq4p67bv772nd73w4zm6286552x755v6293qpj5fbe34fxy894trdu77h38586n2');
define('SECURE_AUTH_SALT', 'i9hlmd67n21j2u485645in9vu6v92itgfmja6bjfbc36gqc673svlis9u789316p');
define('TEST_COOKIE', 'TEST_COOKIE' . COOKIEHASH);

I actually copied the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, LOGGED_IN_SALT, and SECURE_AUTH_SALT from the WPMU wp-config.php file. I just copied it over the normal WP wp-config.php settings. Then I added the other lines and everything worked. It didn’t require any additional plugins or work.

I sent the instructions to the client, he followed exactly what I did here and it worked fine for him. So, if you have a similar need, I’m pretty confident this will work for you.

WordPress 2.8.1 as a Wordle

By michael  |  July 15th, 2009  |  Published in WordPress  |  Comments Off

WordPress 2.8.1 as a Wordle

I thought it would be cool to see what the WordPress 2.8.1 source code would look like as a Wordle. To make this, I had to merge all the .php files from WordPress into one file and copy the text into the Wordle engine. On Linux, I unzipped a fresh copy of WordPress and ran this command in the wordpress directory:

find . -name "*.php" -print | xargs cat >> ../wordpress.txt

Then I copied the text from the file (approx. 4.2MB worth) and pasted it into Wordle. I played around with the Wordle settings a bit and thought this was a pretty good representation of WordPress. What do you think?

SysAdmin, Web Developer PC Setup

By michael  |  July 15th, 2009  |  Published in Development, SysAdmin  |  1 Comment

I just got a new Desktop PC, it’s a DELL 760, with two Dell 2208 WFP monitors. I thought this might be a good opportunity for me to list all the software and packages I install on my machines. I am a Systems Administrator and a Web Developer, so I use a lot of different tools.

Development Tools:

  • XAMPP – An easy to install Apache distribution containing MySQL, PHP and Perl.
  • Notepad++ – A free (as in “free speech” and also as in “free beer”) source code editor and Notepad replacement that supports several languages.
  • Tortoise SVN – Subversion client for Windows.
  • Adobe Web Premium Suite – mostly for Dreamweaver and Photoshop
    • SubWeaver - Tortoise SVN Plugin for Dreamweaver.
  • GIMP – Free GNU image manipulation program (similar to Photoshop).

Browsers:

  • Firefox – 90% of my browsing is done with Firefox.
    • Adblock Plus – Block annoying Ads.
    • Download Statusbar – I like this for my download management.
    • Firebug – Necessary tool for any web developer.
    • Firesizer – Also pretty nice tool to see how your site looks in specific resolutions.
    • Forecastfox – Nice little forecast plugin for FF.
    • Gmail Manager – Best Gmail plugin out there, reports on my 16+ gmail and gmail hosted accounts.
    • IE Tab – Two uses: 1) for sites that only work in IE – but you don’t want to open IE and 2) to test a site in IE.
    • oldbar – I don’t like the big fat URL bar with firefox, this makes it one size with all the benefits of the new bar.
    • SecurePassword Generator – Great tool for generating secure passwords.
    • TwitterFox – Twitter plugin.
    • Ubiquity – Don’t really use this much, but it’s there just in case.
    • User Agent Switcher – Testing iPhone-enabled sites and hacking airport wireless.
    • Xmarks – Bookmark syncing.
    • YammerFox – Yammer plugin.
  • IE – Comes with Windows, barely ever use it for anything except testing.
    • Xmarks – Bookmark syncing.
    • IE7Pro – Use for Ad Blocking.
  • Google Chrome – Browser compatibility and some productivity uses.
  • Safari – Mostly to test browser compatibility.
  • IETester – For testing browser compatibility in IE6 – IE8

Utilities:

Productivity:

  • VMWare Player – Using for virtual Kubuntu and Mac OS X desktops.
  • VMware Infrastructure Client – Using for Linux and Windows Servers.
  • PuTTY – SSH client for Windows.
  • WinSCP – Easy to use SCP client for Windows; also does SFTP and FTP.
  • Microsoft Office Professional

Unproductivity:

That’s pretty much everything that I install and use on a regular basis. There are some other small utilities, and such, that I have installed for non-business related tasks, so I didn’t include them here.

If you have any questions or comments about what I use, please ask. I’d love to know what you use on a regular basis. So if you have a blog I encourage you to do a similar write-up and let me know about it.