Easily Extended Contact Info in WordPress

I’m working on a project where I need the ability to add “Phone”, “Building”, and “Room” as information a user could add in their profile. I also wanted to remove “AIM”, “Yahoo”, and “Jabber” — none of the users are going to need to fill in that info.

You can easily add this code into your functions.php. I was writing it for a WordPress MU site with multiple themes and needed to make sure it was enforced, so I stuck it in the mu-plugins directory, in a file named “extended-contact-info.php”.

This is the simple code block you need:

function extended_contact_info($user_contactmethods) {
	//Use this if you want to append to the default 
	//contact methods (AIM, Yahoo, Jabber)
	//$user_contactmethods += array(
	//	'building' => __('Building'),
	//	'room' => __('Room'),
	//	'phone' => __('Phone')
	//);

	//Use this if you want to ignore the default 
	//contact methods (AIM, Yahoo, Jabber)
	$user_contactmethods = array(
		'building' => __('Building'),
		'room' => __('Room'),
		'phone' => __('Phone')
	);
	
	return $user_contactmethods;
}

add_filter('user_contactmethods', 'extended_contact_info');

WordPress Ultimate CMS Plugin

Description

FullThrottle Development is thrilled to announce our latest and greatest WordPress plugin! This ground breaking piece of craftsmanship will instantly turn your WordPress blogging software into a full fledged CMS. Just install, activate, and partake. Sreenshots below.

Download:

Features include but are not limited to the following:

  • Full standards compliance — We have gone to great lengths to make sure every bit of WordPress generated code is in full compliance with the standards of the W3C. This is important not only for interoperability with today’s browser but also for forward compatibility with the tools of the next generation. Your web site is a beautiful thing, and you should demand nothing less.
  • No rebuilding — Changes you make to your templates or entries are reflected immediately on your site, with no need for regenerating static pages.
  • WordPress Pages — Pages allow you to manage non-blog content easily, so for example you could have a static “About” page that you manage through WordPress. For an idea of how powerful this is, the entire WordPress.org site could be run off WordPress alone. (We don’t for technical mirroring reasons.)
  • WordPress Links — Links allows you to create, maintain, and update any number of blogrolls through your administration interface. This is much faster than calling an external blogroll manager.
  • WordPress Themes — WordPress comes with a full theme system which makes designing everything from the simplest blog to the most complicated webzine a piece of cake, and you can even have multiple themes with totally different looks that you switch with a single click. Have a new design every day.
  • Cross-blog communication tools— WordPress fully supports both the Trackback and Pingback standards, and we are committed to supporting future standards as they develop.
  • Comments — Visitors to your site can leave comments on individual entries, and through Trackback or Pingback can comment on their own site. You can enable or disable comments on a per-post basis.
  • Spam protection — Out of the box WordPress comes with very robust tools such as an integrated blacklist and open proxy checker to manage and eliminate comment spam on your blog, and there is also a rich array of plugins that can take this functionality a step further.
  • Full user registration — WordPress has a built-in user registration system that (if you choose) can allow people to register and maintain profiles and leave authenticated comments on your blog. You can optionally close comments for non-registered users. There are also plugins that hide posts from lower level users.

Screenshot

Screen shot 2010-03-08 at 11.25.19 AM

Colophon

PHP NONCE Library

[Download our nonce library]

We’ve recently developed our own PHP NONCE library for use with custom programming. Our version is loosely based on the implementation found inside the core WordPress software.

What is an NONCE?

Literally, the term refers to a number used once. In software development, it is often used as a security measure to ensure that certain links or forms are only available once, thereby preventing malicious attacks against the system. Read More

Where would I use an NONCE

An NONCE offers an additional level of security where sensitive actions may take place within your application. Take the following line of code as an example:

<a href="delete_post.php?post=003">Delete Post</a>

This link was poorly thought out if the application has no other security measures in place. Anyone could begin deleting posts by simply pointing their browser at the above link and changing the post number.

Well designed applications would only make that link available if the user was logged into the system with appropriate permissions. Furthermore, the delete_post.php script would ideally check to see if the user was logged into the system and if the user had appropriate permissions to delete that post. Is this enough security though?

Here are just two scenarios that could circumvent the above security measures:

  1. Depending on how the application’s user authentication works, it is certainly possible for a malicious user to spoof an authenticated user or to otherwise crack the authentication.
  2. Additionally, if you are a legitimate admin of the above mentioned application it would be possible for me to trick you by sending you a link or to this script. Once you clicked it, the post would be deleted.

How an NONCE prevents the above attacks

An NONCE is successful as an additional layer of security because it prevents actions initiated by links or REQUESTS from being used more than once. Every time a link or a form is printed on the screen, your NONCE functionality embeds a key / value pair to be sent to the receiving script. Every time that script is called, it checks for the key / value pair and then authenticates it on a pass / fail basis. If it passes, the action is performed, if it fails, the action is not performed.

The above link with an NONCE applied to it would resemble something like the following:

<a href="delete_post.php?post=003&_nonce=9c5fbfabb1">Delete Post</a>

The receiving script would then do the following:

  1. Check to see if the user is logged in with appropriate permissions (standard security)
  2. Check to make sure the NONCE key / value is set
  3. Authenticate the received NONCE using a library of functions.

How does an NONCE create and authenticate its key / value pairs?

While there are no hard and fast rules for creating an NONCE, most libraries will include the following components when generating an NONCE:

  • A secret key or ‘salt’ stored only on the server
  • A user ID (optional – makes the NONCE only work with a specific user)
  • An action name: ie: ‘delete-post’
  • A timestamp (allowing the NONCE to expire if never used)
  • A database of used NONCEs (optional and not used in our library)

Using all of the above components, an NONCE may be generated like this: secret-salt + user ID + action-name + timestamp. All of this is thrown into a hash that the receiving script can unpack and authenticate (Most of the time, the timestamp will be modified before being included and hashed).

The receiving script doesn’t actually ‘unpack’ the received key, rather it recreates it and compares. For instance, the delete_post script would combine the secret salt (which it knows) , the current users’s ID , use the delete-post action name, and a timestamp (modified appropriately). If any one of those components are off, the NONCE value generated by the receiving script will not match the one sent by the initial script and the NONCE will fail to authenticate.

How to use our NONCE library

  1. Download the zip file and unpack
  2. Include ft-nonce.php inside all your applications pages
  3. Embed one of our two generating functions in your links or forms
  4. Call the validating function at the top of your receiving scripts and do as you wish based on the validity of the NONCE.

If you need further example, you can check out the example here. The PHP file source file is included in the zip .

Feedback

We’ve only deployed this once and value your feedback. We will be more than happy to modify, enhance, and correct bugs as reported.