Blogging

How to Upgrade WordPress to 2.9

By michael  |  December 9th, 2009  |  Published in Blogging, News, WordPress  |  Comments Off

WordPress is a great piece of software driving millions of sites across the internet. One of the main reasons WordPress does so well is that the community gives back freely and often. Those community contributions mean that WordPress is continually enhancing its feature set, but they also mean that a web site powered by WordPress is continually in need of upgrades, and every release you skip leaves its bug fixes (security fixes included) unapplied on your site.

Being the excellent software that it is, WordPress gives you the ability to ‘Auto Upgrade’ to the latest version. If you’re running an unmodified installation and you don’t have too many plugins, this is an excellent option and I would highly suggest you give it a try.

If you’re going to upgrade WordPress to 2.9 on your own, we want to provide you with the following suggestions and resources.

  1. Always back up your database and your file structure (especially the wp-content folder) before upgrading, and make sure the backup actually restores before you rely on it. You can never be too safe. This goes for auto upgrades as well as manual ones!
  2. Always deactivate plugins prior to upgrading. If you have a lot of plugins and your site gets a lot of traffic, this may be tricky. It isn’t strictly necessary, but it is safe practice: if one of your plugins doesn’t work with the new version of WordPress it may render your site inaccessible.
  3. Check with your plugins’ authors to see whether each plugin is compatible with the latest release of WordPress prior to upgrading.
  4. Most hosts are configured to serve index.html ahead of index.php when both exist. We often use this to put up a nice “Site down for scheduled maintenance” page during the upgrade. This is optional; just remember to remove the file when you are done.
  5. You can find detailed step-by-step instructions for manually upgrading WordPress on the Codex: http://codex.wordpress.org/Upgrading_WordPress_Extended

Finally, and let’s be honest, this is the real reason we wrote this post: if you have had trouble with WordPress upgrades in the past or are a little bit hesitant to do it yourself, check out http://wpupgrade.com. It’s a site that FullThrottle just launched with the sole purpose of helping others upgrade their WordPress installations.

How to Hide the Administrator on the WordPress Users Screen

By michael  |  August 18th, 2009  |  Published in Blogging, WordPress  |  18 Comments

[update: you can now download this as a plugin. file at bottom of post]

WordPress has a great admin interface for managing just about every aspect of the software. One integral part of this interface is the “Authors & Users” screen:

WordPress Admin: Authors & Users

This is a great utility, and it gives us, as the developers, the freedom to let our clients have control over their own authors and users.

If you develop like we do, though, you’ve probably learned that it’s better for everyone when we limit the client’s access to areas of the site that they don’t need on a day to day basis. The Plugins and Appearance screens are a great example.

This usually isn’t a problem because WordPress has role management built in. A common solution, and the one we use at FullThrottle, is to simply keep the “Administrator” role for yourself and split up the remaining roles for your client as needed. No problem!

What if we don’t want our clients to be distracted by the default “Administrator” account that we leave intact, though? Is there a simple way to remove it from the client’s screen? Well… if simple means foolproof and using only PHP and WordPress hooks, then no (though we may submit some patches to make this possible). What you can’t do with PHP, you can always do with jQuery. Below is our ‘smoke and mirrors’ way to remove all administrator-level accounts from the Users screen when it is viewed by anyone not in that role. Be clear about what this is: it changes what the browser displays, not what the server sends. The administrator rows are still in the page source and still appear with JavaScript turned off, so treat it as tidiness rather than access control; what the client can actually do to other users is decided by the capabilities of the role you gave them, not by what the screen shows.

Removing Administrators from WordPress Users & Authors

All of the code below goes in your theme’s functions.php file:

Step one: Enqueue jQuery. Technically, jQuery is already loaded on admin screens, but better safe than sorry:

// Enqueue jQuery
add_action('admin_enqueue_scripts' , 'ft_hide_administrator_jquery' );
function ft_hide_administrator_jquery(){
	global $pagenow;
	if ( 'users.php' == $pagenow ){
		wp_enqueue_script('jquery');
	}
}

Step Two: Remove ‘Administrator’ from the role dropdown boxes

// Remove Administrator from "Editable Roles"
// (editable_roles is a filter, so hook it with add_filter and return the modified array)
add_filter( 'editable_roles' , 'ft_hide_administrator_editable_roles' );
function ft_hide_administrator_editable_roles( $roles ){
	// level_10 is the legacy user level that only administrators hold
	if ( isset( $roles['administrator'] ) && !current_user_can('level_10') ){
		unset( $roles['administrator'] );
	}
	return $roles;
}

Step Three: Use some jQuery to remove the administrator rows and fix the role counts

// Hide Administrator from list of users
// (display only: the rows are still in the HTML the server sent, this removes them client-side)
add_action('admin_head' , 'ft_hide_administrator_user');
function ft_hide_administrator_user(){
	global $pagenow;
	// only on the Users screen, and only for non-administrators
	if ( 'users.php' != $pagenow || current_user_can('level_10') ){
		return;
	}
	?>
	<script type='text/javascript' >
		jQuery(document).ready(function(){
			var admin_count = 0;   // stays 0 if there is no Administrator filter link
			var total_count;

			// read the "(n)" count from the Administrator filter link, then drop the link
			jQuery("#list-filter > .subsubsub > li > a:contains(Administrator)").each(function(){
				admin_count = jQuery(this).children('.count').text();
				admin_count = admin_count.substring(1, admin_count.length - 1);
			});
			jQuery("#list-filter > .subsubsub > li > a:contains(Administrator)").parent().remove();

			// subtract the administrators from the "All (n)" count
			jQuery("#list-filter > .subsubsub > li > a:contains(All)").each(function(){
				total_count = jQuery(this).children('.count').text();
				total_count = total_count.substring(1, total_count.length - 1) - admin_count;
				jQuery(this).children('.count').text('(' + total_count + ')');
			});

			// remove the table rows for administrator accounts
			// (closest() needs jQuery 1.3+, which WordPress 2.8 ships)
			jQuery("#users > tr .administrator").closest('tr').remove();
		});
	</script>
	<?php
}

That’s it! As always, if you find any bugs or have any suggestions, just leave a comment. Below is a link to download the whole chunk of code. Just paste its contents into functions.php and you should be good to go!

Download Code:

Final Result:

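Hiding rows with jQuery only changes what the browser paints; the administrator is still in the page source. The following is an added example, not code from this post or its downloadable plugin, that does the same job on the server so the rows never reach the client. It assumes WordPress 3.1 or later (the pre_user_query action, the views_users filter and count_users() did not exist when this post was written) and the standard “<prefix>capabilities” usermeta row that stores each user’s roles as a serialized array; the ft_example_ function names are mine.

```php
<?php
// Added example, not code from this post or its downloadable plugin: hide
// administrator accounts from the Users screen on the server, so they are
// absent from the HTML rather than removed by jQuery after the fact.
// Assumes WordPress 3.1 or later (pre_user_query, views_users, count_users)
// and the standard "<prefix>capabilities" usermeta row that holds each
// user's roles as a serialized array.

function ft_example_viewer_is_admin() {
    $user = wp_get_current_user();
    return in_array('administrator', (array) $user->roles, true);
}

// Exclude administrator rows from every WP_User_Query a non-admin runs,
// which covers the Users table and its "n items" pagination count.
add_action('pre_user_query', 'ft_example_exclude_admins');
function ft_example_exclude_admins($query) {
    if (ft_example_viewer_is_admin()) {
        return;
    }
    global $wpdb;
    $query->query_where .= $wpdb->prepare(
        " AND {$wpdb->users}.ID NOT IN (
            SELECT user_id FROM {$wpdb->usermeta}
            WHERE meta_key = %s AND meta_value LIKE %s )",
        $wpdb->prefix . 'capabilities',
        '%"administrator"%'   // the quotes make it match the serialized role key only
    );
}

// Drop the "Administrator (n)" filter link and fix the "All (n)" total,
// which count_users() computes separately from the query above.
add_filter('views_users', 'ft_example_views');
function ft_example_views($views) {
    if (ft_example_viewer_is_admin()) {
        return $views;
    }
    unset($views['administrator']);
    $counts = count_users();
    $admins = isset($counts['avail_roles']['administrator']) ? $counts['avail_roles']['administrator'] : 0;
    $class  = empty($_GET['role']) ? ' class="current"' : '';
    $views['all'] = sprintf(
        '<a href="%s"%s>All <span class="count">(%d)</span></a>',
        esc_url(admin_url('users.php')), $class, $counts['total_users'] - $admins
    );
    return $views;
}

// Keep Administrator out of the role dropdowns as well (editable_roles is a
// filter, so it is hooked with add_filter and the array is returned).
add_filter('editable_roles', 'ft_example_editable_roles');
function ft_example_editable_roles($roles) {
    if (!ft_example_viewer_is_admin()) {
        unset($roles['administrator']);
    }
    return $roles;
}
```

This removes the rows before the page is built, so they are not in the source either. It is still not a security boundary: whether the client can open user-edit.php for the administrator account is decided by the edit_users and edit_user capability checks, not by what the list shows, and that is where the real restriction belongs.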

PHP NONCE Library

By michael  |  August 12th, 2009  |  Published in Blogging, Uncategorized  |  23 Comments

[Download our nonce library]

We’ve recently developed our own PHP nonce library for use in custom programming. Our version is loosely based on the implementation found inside the core WordPress software.

What is a nonce?

Literally, the term refers to a number used once. In web development it usually means a token embedded in a link or form so that the receiving script can tell the request was generated by your own application, for this user, for this action, and recently. Its main job is to stop a third-party page from driving a logged-in user’s browser into performing an action (cross-site request forgery); in most implementations, including ours, the token is valid for a short time window rather than literally once.

Where would I use a nonce?

A nonce offers an additional layer of protection wherever a sensitive action is triggered in your application. Take the following line of code as an example:

<a href="delete_post.php?post=003">Delete Post</a>

This link is poorly thought out if the application has no other security measures in place: anyone could begin deleting posts simply by pointing their browser at the above link and changing the post number.

A well-designed application would only show that link to a user who is logged into the system with the appropriate permissions. Furthermore, the delete_post.php script itself would check that the user is logged in and that the user is allowed to delete that particular post. Is this enough security, though?

Here are two scenarios that get past those checks:

  1. Depending on how the application’s user authentication works, it may be possible for a malicious user to hijack or forge an authenticated session. A nonce does not fix this on its own, since whoever holds a valid session can also fetch a fresh nonce; the authentication layer itself has to be fixed.
  2. If you are a legitimate admin of the application, I could trick you into clicking a link to that script (or embed the request in a page or e-mail you open). Your browser sends your session cookie along with it, and the post is deleted. This is cross-site request forgery (CSRF), and it is the attack a nonce is built to stop.

How a nonce helps against the above attacks

A nonce works as an additional layer of security because it binds each link or request to a secret the attacker cannot know, to a user, to an action and to a time window. Every time a link or a form is printed on the screen, your nonce code embeds a key / value pair to be sent to the receiving script. Every time that script is called, it checks for the key / value pair and validates it on a pass / fail basis: if it passes, the action is performed; if it fails, the action is refused. A page on another site cannot produce a valid value, which defeats the second scenario outright, and a leaked or guessed value is useless for another user, another action, or after the window closes. It does not protect a session that has itself been hijacked.

The above link with a nonce applied to it would resemble something like the following:

<a href="delete_post.php?post=003&_nonce=9c5fbfabb1">Delete Post</a>

The receiving script would then do the following:

  1. Check that the user is logged in with appropriate permissions (standard security)
  2. Check that the nonce key / value is present in the request
  3. Verify the received nonce with the library’s validating function, and refuse the action if any of the three checks fails

How does a nonce create and verify its key / value pairs?

While there are no hard and fast rules for creating a nonce, most libraries combine the following components when generating one:

  • A secret key or ‘salt’ stored only on the server and never sent to the client
  • A user ID (optional; binds the nonce to a specific user)
  • An action name, e.g. ‘delete-post’ (ideally including the object it applies to, such as ‘delete-post-003’, so a nonce minted for one post cannot be reused on another)
  • A timestamp (so a nonce that is never used eventually expires)
  • A database of used nonces (optional, and not used in our library; without it a nonce can be replayed by the same user until it expires, so it is not literally ‘used once’)

Using all of the above components, a nonce is built from secret-salt + user ID + action-name + timestamp and run through a keyed hash (an HMAC) whose output the receiving script can verify. Use an HMAC rather than a plain hash of the concatenated string: a plain hash can leak or extend in ways that let an attacker forge values after seeing a few valid ones. The timestamp is usually not hashed raw but rounded to a ‘tick’; WordPress, for example, uses a tick of half the nonce lifetime (12 hours by default).

The receiving script doesn’t actually ‘unpack’ the received key; rather, it recreates it and compares. For instance, the delete_post script would combine the secret salt (which it knows), the current user’s ID, the delete-post action name and the current tick, and check the result against what was sent (most implementations also try the previous tick, so a nonce issued just before the window rolled over is still accepted). If any one of those components is off, the value generated by the receiving script will not match the one sent by the initial script and the nonce will fail to validate. Do the comparison in constant time (PHP’s hash_equals()) rather than with ==, so the check does not leak which characters matched.
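As an added example (not the FullThrottle ft-nonce.php library, whose function names this post does not list), here is a complete nonce built from exactly the components above: a server-side secret, the user ID, the action name and a time tick, combined with an HMAC and verified by recomputation for the current and previous tick. It assumes PHP 5.6 or later for hash_equals(), a placeholder NONCE_SECRET that you replace with a long random value, and a hypothetical delete_post_request() standing in for the top of delete_post.php.

```php
<?php
// Added example, not the FullThrottle ft-nonce.php library: a minimal nonce
// built from a server secret, user id, action name and time tick, verified
// by recomputation. Assumes PHP 5.6+ for hash_equals(). NONCE_SECRET is a
// placeholder; use a long random value kept out of version control.

const NONCE_SECRET   = 'replace-me-with-32-random-bytes-kept-only-on-the-server';
const NONCE_LIFESPAN = 86400;   // seconds a nonce is accepted: two ticks of 12h

// The timestamp is not hashed raw: it is rounded to a "tick" of half the
// lifespan, so a nonce minted late in one tick is still valid early in the next.
function nonce_tick($now = null) {
    $now = ($now === null) ? time() : $now;
    return (int) ceil($now / (NONCE_LIFESPAN / 2));
}

// Keyed hash (HMAC) over tick|action|user. The secret never leaves the server
// and, unlike a bare md5($secret . $data), cannot be extended or recovered by
// someone who collects valid nonces. Ten hex chars keeps URLs short.
function nonce_hash($action, $user_id, $tick) {
    $data = $tick . '|' . $action . '|' . (int) $user_id;
    return substr(hash_hmac('sha256', $data, NONCE_SECRET), 0, 10);
}

// Value to embed in a link or hidden form field.
function nonce_create($action, $user_id, $now = null) {
    return nonce_hash($action, $user_id, nonce_tick($now));
}

// Recompute for the current and the previous tick and compare in constant
// time. Returns 1 (current tick), 2 (previous tick) or false.
function nonce_verify($nonce, $action, $user_id, $now = null) {
    if (!is_string($nonce) || $nonce === '') {
        return false;
    }
    $tick = nonce_tick($now);
    if (hash_equals(nonce_hash($action, $user_id, $tick), $nonce)) {
        return 1;
    }
    if (hash_equals(nonce_hash($action, $user_id, $tick - 1), $nonce)) {
        return 2;
    }
    return false;
}

// The action name carries the post id, so a nonce minted for deleting post 3
// does not authorise deleting post 4.
function delete_post_link($post_id, $user_id) {
    $post_id = (int) $post_id;
    $nonce   = nonce_create('delete-post-' . $post_id, $user_id);
    return '<a href="delete_post.php?post=' . $post_id . '&amp;_nonce=' . $nonce . '">Delete Post</a>';
}

// Hypothetical stand-in for the top of delete_post.php. $user_id is the id of
// the already-authenticated, already-authorised user (step 1 in the post).
function delete_post_request(array $get, $user_id) {
    $post_id = isset($get['post']) ? (int) $get['post'] : 0;
    $nonce   = isset($get['_nonce']) ? $get['_nonce'] : '';    // step 2: present?
    if ($post_id < 1 || !nonce_verify($nonce, 'delete-post-' . $post_id, $user_id)) {
        http_response_code(403);                               // step 3 failed
        return false;
    }
    // ... delete the post here ...
    return true;
}

// Constructed self-check: the minted nonce is accepted only for the same
// user, the same post, and inside its lifespan (each entry is true when the
// checks hold).
function nonce_selfcheck() {
    $link = delete_post_link(3, 42);
    preg_match('/_nonce=([0-9a-f]+)/', $link, $m);
    $nonce = $m[1];
    return [
        'same user and post'     => delete_post_request(['post' => 3, '_nonce' => $nonce], 42),
        'other post, same nonce' => !delete_post_request(['post' => 4, '_nonce' => $nonce], 42),
        'other user, same nonce' => !delete_post_request(['post' => 3, '_nonce' => $nonce], 7),
        'after lifespan'         => !nonce_verify($nonce, 'delete-post-3', 42, time() + NONCE_LIFESPAN + 1),
    ];
}
print_r(nonce_selfcheck());
```

Two things the example makes concrete: the action name carries the post id, so a nonce minted for one post is useless on another, and without a store of spent nonces the same user can replay a token until its window closes, which is why the database component above is optional rather than unnecessary. Nothing here helps if the session itself is stolen; the nonce rides on top of authentication and does not replace it.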

How to use our NONCE library

  1. Download the zip file and unpack it
  2. Include ft-nonce.php in all of your application’s pages
  3. Embed one of our two generating functions in your links or forms
  4. Call the validating function at the top of your receiving scripts, before anything else happens, and act on whether the nonce is valid or not.

If you need a further example, you can check out the example page; its PHP source file is included in the zip.

Feedback

We’ve only deployed this once and would value your feedback. We will be more than happy to modify, enhance, and fix bugs as they are reported.

WPMU – Add ALL New Users to Main Site

By michael  |  August 12th, 2009  |  Published in Blogging, Development, WordPress  |  Comments Off

In WordPress MU there are two kinds of users: users who have a blog and users who do not. The choice is usually made when the user creates their account. If they choose to have just a username (no blog), the user is added as a subscriber to the main site (the default setting). If they choose to have a blog, WPMU creates a sub-site for them with an administrator user for that sub-site. However, it does not give them subscriber permissions on the main site.

This became an issue with a site I was working on recently. The main site had a calendar that any logged-in user needed to be able to add an event to. To do this I created a custom role that allowed users to post in a specific category only, which worked great, except for blog users. Since blog users are given no rights on the main blog, I needed a way to automatically give them the same access that username-only users have on the main site.

This is what I came up with:

// Runs whenever WPMU creates a new blog; $blog_id and $user_id are the first
// two arguments the wpmu_new_blog action passes.
function ft_new_user_meta( $blog_id, $user_id ) {
	// 1 is the main site; 'calendar' is the custom role defined on it.
	add_user_to_blog( 1, $user_id, 'calendar' );
}
add_action( 'wpmu_new_blog', 'ft_new_user_meta', 10, 2 );

Basically, I hook onto the wpmu_new_blog action, so whenever it fires it calls my ft_new_user_meta function with the two arguments $blog_id and $user_id. Then I call add_user_to_blog() with 1 as the blog_id of the main site, the $user_id I’m adding, and the role I want to give. In this case it is my custom “calendar” role, which only allows posting to the calendar category, so new users get no more of the main site than that.

I put that in a file named new_user.php in the mu-plugins directory, where it is loaded on every request. Now, whenever a user comes to the site and creates their own blog, they get access to the main site with rights to add events to the calendar.
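The post mentions the custom “calendar” role but does not show how it is created, and add_user_to_blog() can fail silently as written above. Here is an added example, not the post’s new_user.php, that registers the role on the main site with only the capabilities needed to write and publish events, then hooks wpmu_new_blog and checks the result. It assumes the main site is blog id 1, PHP 5.4 or later for the short array syntax, and that edit_posts and publish_posts are what the calendar actually checks; the category restriction the post describes is not covered here, and the ft_example_ names are mine.

```php
<?php
// Added example, not the post's new_user.php: register the "calendar" role
// on the main site with least capabilities, then give every new blog owner
// that role on the main site and check the add_user_to_blog() result.
// Assumes the main site is blog id 1 and PHP 5.4+ (short array syntax).

// Roles are stored per site, so the registration must run while blog 1 is
// the current site. add_role() persists the role, so this is a one-time write.
function ft_example_register_calendar_role() {
    switch_to_blog(1);
    if (!get_role('calendar')) {
        add_role('calendar', 'Calendar Contributor', [
            'read'          => true,
            'edit_posts'    => true,
            'publish_posts' => true,
        ]);
    }
    restore_current_blog();
}
add_action('init', 'ft_example_register_calendar_role');

// Give the owner of every new blog the calendar role on the main site.
// Returns true on success, or the WP_Error from add_user_to_blog() after
// logging it, so a failure is visible instead of silently leaving the user
// without main-site access.
function ft_example_add_owner_to_main_site($blog_id, $user_id) {
    if ((int) $blog_id === 1) {
        return true;   // the main site itself: nothing to do
    }
    $result = add_user_to_blog(1, $user_id, 'calendar');
    if (is_wp_error($result)) {
        error_log('calendar role for user ' . (int) $user_id . ': ' . $result->get_error_message());
    }
    return $result;
}
add_action('wpmu_new_blog', 'ft_example_add_owner_to_main_site', 10, 2);
```

Placed in mu-plugins this runs on every request like the post’s file; the role gets only read, edit_posts and publish_posts, so a blog owner who is tricked or compromised cannot touch settings, plugins or other users on the main site.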

Auto Updating WordPress with 1and1 Hosting

By michael  |  August 10th, 2009  |  Published in Blogging, WordPress  |  2 Comments

If you have any WordPress blogs on 1and1 then you’ve probably run into problems updating certain plugins, updating the blog, or even importing into your blog. The reason is that 1and1 still serves .php files with PHP 4 unless told otherwise, and parts of that setup break these operations (PHP 4 also reached end of life in August 2008 and no longer receives security fixes). There is an easy fix. Hand-edit the .htaccess file located in the root of your WordPress directory and add the line AddType x-mapp-php5 .php to the end of the file. It doesn’t matter much where you put it, so it’s simplest to put it at the end.

Let us know if this helps you out or not.

Good PHP Coding Techniques

By michael  |  August 1st, 2009  |  Published in Blogging, News  |  Comments Off

Sebastian Bergmann has put together a slideshow highlighting several tips for good PHP coding techniques. The slideshow is called “Quality Assurance in PHP Projects”.

The slideshow includes several examples of coding and testing techniques.

Using a blog to attract customers to your business

By michael  |  July 22nd, 2009  |  Published in Blogging, Video  |  Comments Off

Adding a blog to your business web site is a great way to attract customers and clients to your business. Even in this age of Web 2.0, most web content remains static, meaning the message delivered to search engines like Google does not change. However, by adding a blog to their website, businesses can create dynamic content which will be indexed by search engines.

The Complete Website has published a short (1 minute) video that demonstrates the effectiveness of adding a blog (and blog content) to your business website. Watch their video here: “Business blog = Google magnet .”

Matt Mullenweg – Keynote – WordCamp RDU

By michael  |  June 24th, 2009  |  Published in Blogging, Conferences  |  Comments Off

This is the video of Matt Mullenweg’s Keynote at WordCamp RDU. Unfortunately Matt forgot to wear the lapel mic that I gave him, so I had to rip the audio from Wayne Sutton’s (@WayneSutton) UStream video (http://www.ustream.tv/recorded/1651759) – thanks Wayne! It is pretty well synced up, and there are a couple of minutes at the front and near the end where the audio is muted for some reason. But otherwise, it’s all good. Enjoy.

Alan Knox – WordPress in Corporate and Educational Environments – WordCamp RDU

By michael  |  June 23rd, 2009  |  Published in Blogging, Conferences  |  Comments Off

Download Alan’s Slideshow in PDF format: Implementing WordPress in Corporate and Educational Environments

Alan can be reached on Twitter via @alan_knox

Also watch: WordPress as a Factory (plugin development)

FullThrottle Development at WordCampRDU 2009

By michael  |  June 12th, 2009  |  Published in Blogging, Conferences, News  |  Comments Off

FullThrottle Development is excited to take part in WordCampRDU 2009 on Saturday, June 13, 2009. WordCampRDU will be held at the School of Education at North Carolina Central University in Durham, NC from 9:00 a.m. until 6:00 p.m. (For a complete schedule, click here.)

FullThrottle Development is participating in WordCampRDU 2009 in several ways. First, we are one of the Gold Sponsors of the event. Second, three of our developers are speaking during the event (see below for more information). Finally, we will be taking part in the “Q&A” in the “genius lounge”.

The following representatives of FullThrottle Development will be speaking during WordCampRDU 2009:

  • Glenn Ansley will speak on the topic “WordPress as a Factory: The Fundamentals of Plug-in Development” at 10:15 a.m.
  • Lew Ayotte will speak on the topic “WordPress Mu: Installation, Plug-in Management, and Features” at 3:00 p.m.
  • Alan Knox will speak on the topic “Implementing WordPress in Corporate & Educational Environments” at 5:00 p.m.

(We plan to record our sessions and post the videos and slide shows here.)

Other representatives of FullThrottle Development will be attending WordCampRDU sessions, meeting people, volunteering, and answering questions.

Also, we will live blog as much of WordCampRDU as possible.

Finally, don’t miss our BIG ANNOUNCEMENT at 11:45 a.m.

We hope to see you at WordCampRDU!