How to Upgrade WordPress to 2.9

By Glenn Ansley  |  December 9th, 2009  |  Published in Blogging, News, Projects, WordPress  |  0 Comments

WordPress is a great piece of software driving millions of sites across the internet. One of the main reasons WordPress does so well is that the community gives back freely and often. While these community contributions mean that WordPress is continually enhancing its feature set, they also mean that a web site powered by WordPress is continually in need of upgrades, and an un-upgraded install is the most common way a WordPress site gets compromised.

Being the excellent software that it is, WordPress gives you the ability to ‘Auto Upgrade’ to the latest version. If you’re running an unmodified installation and you don’t have too many plugins, this is an excellent option and I would highly suggest you give it a try.

If you’re going to upgrade WordPress to 2.9 on your own, we want to provide you with the following suggestions and resources.

  1. Always back up your database and your file structure (especially the wp-content folder, which holds your themes, plugins and uploads) before upgrading. You can never be too safe. This goes for manual upgrades as well as auto upgrades!
  2. Always deactivate plugins prior to upgrading. If you have a lot of plugins and your site gets a lot of traffic this may be tricky. It’s not strictly necessary, but it is safe practice: if one of your plugins doesn’t work with the new version of WordPress it may render your site inaccessible.
  3. We would suggest checking with all your plugins’ authors to see if their plugin is compatible with the latest release of WordPress prior to upgrading.
  4. Many hosts’ Apache DirectoryIndex lists index.html ahead of index.php, so dropping an index.html into the site root shows a “Site down for scheduled maintenance” page instead of the blog while you upgrade. This is obviously optional. Note that it only covers the front page: requests for individual posts and pages are sent to index.php by the WordPress rewrite rules regardless, and remember to delete the file when you are done.
  5. You can find detailed step-by-step instructions for manually upgrading WordPress on their website: http://codex.wordpress.org/Upgrading_WordPress_Extended

Finally – and let’s be honest, the real reason we wrote this post – if you have had trouble with WordPress upgrades in the past or are a little hesitant to do it yourself, check out http://wpupgrade.com. It’s a site that FullThrottle just launched with the sole purpose of helping others upgrade their WordPress installations.

Create a WordPress Archive for posts in Multiple Categories

By Glenn Ansley  |  November 11th, 2009  |  Published in Projects, WordPress, WordPress Plugins  |  1 Comment

One of my first experiences with the social web was Del.icio.us. I stopped using it shortly after Yahoo! acquired it, but that’s a different story. The reason I bring it up is because I loved the way that you could search for multiple tags by including a + sign in between each tag in the URL. Can you even do that anymore?

So, I’ve been wanting to do this with WordPress categories for a while now and recently had the motivation to make it happen (aka: a client needed it).
Below is my first draft. It only works with permalink structures for now. I’m looking for some feedback and ‘beta testing’ before I put it into the WordPress plugin repository. Would anyone like to help?

How it currently works:

  1. Download, unzip, FTP to your site’s plugins folder.
  2. Activate the plugin.
  3. Visit http://yourdomain.com/categories/cat1-slug+cat2-slug+cat3-slug+etc/
  4. You should get a listing of all your current posts that are in all of the above categories.

Templates, Titles, etc

I am currently using the following logic for determining what theme file is used to display your posts:

  1. If there is a file called categories.php, use that.
  2. If there is a file called archive.php, use that.
  3. If there is a file called index.php, use that.
  4. If there is a file called 404.php, use that.

I currently have the following functions available to help you build a title for your archive page:

  1. is_categories() returns true if you are on a categories page ie: /categories/ is in the URL
  2. ft_mca_titles() returns an array of titles for each of the categories in your URL
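To make the steps above concrete, here is an added example of how such a plugin can be put together from core WordPress APIs. It is not the ft-multiple-category-archives code, whose source is not on this page; the query var name mca_slugs and the example_ function names are assumptions, and the theme-file lookup relies on the template_include filter, which only exists in WordPress versions newer than the one this post targets.

```php
<?php
/*
Plugin Name: Multiple Category Archive (added example)
*/
// Added example, not the ft-multiple-category-archives plugin's own code.
// Assumes pretty permalinks are enabled and that the query var 'mca_slugs'
// and the example_ function names are free.

// Map /categories/<slug>+<slug>+.../ onto a private query var. "+" is a
// literal in a URL path (it only means a space inside a query string), so
// the rule captures it as-is.
add_action( 'init', 'example_mca_add_rewrite' );
function example_mca_add_rewrite() {
	add_rewrite_rule( '^categories/([^/]+)/?$', 'index.php?mca_slugs=$matches[1]', 'top' );
}

add_filter( 'query_vars', 'example_mca_query_vars' );
function example_mca_query_vars( $vars ) {
	$vars[] = 'mca_slugs';
	return $vars;
}

// Turn the raw slug list into category IDs. Each piece goes through
// sanitize_title() first, so only slug characters ever reach the term
// lookup; unknown slugs are dropped and duplicates collapsed.
function example_mca_category_ids( $raw ) {
	$ids = array();
	foreach ( explode( '+', (string) $raw ) as $slug ) {
		$slug = sanitize_title( $slug );
		if ( '' === $slug ) {
			continue;
		}
		$cat = get_category_by_slug( $slug );
		if ( $cat ) {
			$ids[ (int) $cat->term_id ] = (int) $cat->term_id;
		}
	}
	return array_values( $ids );
}

// On the main query only, require posts to be in ALL of the listed
// categories (category__and), and 404 when no slug resolved.
add_action( 'pre_get_posts', 'example_mca_pre_get_posts' );
function example_mca_pre_get_posts( $query ) {
	global $wp_the_query;
	if ( $query !== $wp_the_query ) {
		return;
	}
	$raw = $query->get( 'mca_slugs' );
	if ( '' === $raw || null === $raw ) {
		return;
	}
	$ids = example_mca_category_ids( $raw );
	if ( empty( $ids ) ) {
		$query->set_404();
		return;
	}
	$query->set( 'category__and', $ids );
	$query->is_archive = true;
}

// Theme file lookup in the order the post lists:
// categories.php, archive.php, index.php, 404.php.
add_filter( 'template_include', 'example_mca_template' );
function example_mca_template( $template ) {
	if ( ! example_is_categories() ) {
		return $template;
	}
	$found = locate_template( array( 'categories.php', 'archive.php', 'index.php', '404.php' ) );
	return $found ? $found : $template;
}

// Helpers for theme authors, mirroring the two functions described above.
function example_is_categories() {
	return '' !== get_query_var( 'mca_slugs' );
}
function example_mca_titles() {
	$titles = array();
	foreach ( example_mca_category_ids( get_query_var( 'mca_slugs' ) ) as $id ) {
		$titles[] = get_cat_name( $id );
	}
	return $titles;
}
```

A rewrite rule added this way only takes effect after the rules are flushed, so visit Settings -> Permalinks and save once after activating (or flush the rules from an activation hook). The point worth copying is that the URL segment is never used as-is: each slug is normalised with sanitize_title() and turned into an integer term ID before it reaches the query, so the only thing a crafted URL can produce is an empty result.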

Download the zip file here: ft-multiple-category-archives.php.

Leave comments below. Thanks!

WordPress Plugin to Stop Trackback DOS attacks

By Glenn Ansley  |  October 20th, 2009  |  Published in Projects, WordPress, WordPress Plugins  |  12 Comments

[Update] WordPress 2.8.5 just dropped. It addresses the DoS attack among other issues. Get it here.

There have been several reports this morning of a DoS attack affecting the WordPress wp-trackback.php file.

All the solutions published so far have been the same and require editing your .htaccess file or the wp-trackback.php file itself.

FullThrottle has composed this quick plugin that accomplishes the same thing as the edit to the wp-trackback.php file. You may download the plugin below or paste the following code into your theme’s functions.php file.

We will update this post and our code if further insight into the attack deems it necessary.

function ft_stop_trackback_dos_attacks(){
	global $pagenow;
	// $pagenow is set by WordPress from the name of the script being run,
	// so this only fires for requests to wp-trackback.php.
	if ( 'wp-trackback.php' == $pagenow ){
		// DoS attack fix. wp-trackback.php hands the submitted charset to
		// mb_convert_encoding(); an oversized charset list is what makes the
		// request expensive, so refuse it on init, before the core file runs.
		// This is the same length limit WordPress 2.8.5 added to the file.
		if ( isset($_POST['charset']) ){
			$charset = $_POST['charset'];
			// is_string() so an array value cannot slip past strlen().
			if ( !is_string($charset) || strlen($charset) > 50 ) { die; }
		}
	}
}
add_action('init','ft_stop_trackback_dos_attacks');

Download the plugin here: ft-stop-trackback-dos-attacks.php

New WordPress Plugin: Auto Moderate Comments By Category

By Glenn Ansley  |  September 18th, 2009  |  Published in Projects, WordPress, WordPress Plugins  |  0 Comments

One reason that WordPress is such a great tool for blogging is due to its excellent commenting features. As a blog owner, you can choose whether you want to allow comments on your posts, whether you want to moderate the comments, or whether you want to let each of those comments automatically post without moderation.

WordPress allows you to specify a couple options for comment moderation out of the box:

  • An administrator must always approve the comment
  • Comment author must have a previously approved comment
  • Hold comments for moderation if more than a set number of links appear in the comment
  • A black list of terms that always send a comment to moderation

This plugin provides you with one more option: Always moderate comments for the following categories.

So, if you have a blog where you allow people to comment freely, but you always want to moderate comments for one specific category, follow the directions below to implement our solution:

  1. Download the plugin here until it’s listed in the WP repository
  2. Unzip the file
  3. Place the ‘ft-auto-moderate-comments-by-category.php’ file in your plugins folder
  4. Activate FT Auto Moderate Comments By Category in the WordPress plugin admin page
  5. Go to Settings -> Discussion and look for the ‘Auto Unapprove Comments by Category’ setting.
  6. Enter a comma-separated list of the IDs of the categories whose comments should always be held for moderation, ie: 1,3,4,6
  7. Save and test.
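As an added example (not the ft-auto-moderate-comments-by-category plugin’s own code, which is not shown here), this is how the same rule can be enforced with core hooks. The option name, the example_ function names and the field label are assumptions, and it relies on the pre_comment_approved filter receiving the comment data as its second argument, which current WordPress does.

```php
<?php
// Added example, not the plugin's own code. Assumes 'pre_comment_approved'
// passes $commentdata as its second argument (true in current WordPress).
// The option name below is an assumption; the plugin's real one is not shown.
define( 'EXAMPLE_MOD_CATS_OPTION', 'example_moderate_categories' );

// Parse "1,3,4,6" into a clean list of positive integers; anything that is
// not a positive integer is dropped rather than passed on to the query.
function example_parse_category_ids( $raw ) {
	$ids = array();
	foreach ( explode( ',', (string) $raw ) as $piece ) {
		$id = absint( trim( $piece ) );
		if ( $id > 0 ) {
			$ids[ $id ] = $id;
		}
	}
	return array_values( $ids );
}

// Pure decision: hold a comment whose post is in any moderated category.
function example_should_hold( array $post_cats, array $moderated ) {
	return count( array_intersect( $post_cats, $moderated ) ) > 0;
}

// Deciding before the comment is inserted (rather than un-approving it
// afterwards) means it is never briefly live and the usual moderator
// notification still goes out.
add_filter( 'pre_comment_approved', 'example_hold_by_category', 10, 2 );
function example_hold_by_category( $approved, $commentdata ) {
	// Never downgrade spam, and leave already-held comments alone.
	if ( 'spam' === $approved || 0 === $approved || '0' === $approved ) {
		return $approved;
	}
	$post_id = isset( $commentdata['comment_post_ID'] ) ? (int) $commentdata['comment_post_ID'] : 0;
	if ( ! $post_id ) {
		return $approved;
	}
	$moderated = example_parse_category_ids( get_option( EXAMPLE_MOD_CATS_OPTION, '' ) );
	$post_cats = array_map( 'intval', wp_get_post_categories( $post_id ) );
	return example_should_hold( $post_cats, $moderated ) ? 0 : $approved;
}

// Settings -> Discussion field, registered through the settings API so the
// sanitize callback runs on every save and only clean IDs are ever stored.
add_action( 'admin_init', 'example_register_setting' );
function example_register_setting() {
	register_setting( 'discussion', EXAMPLE_MOD_CATS_OPTION, 'example_sanitize_option' );
	add_settings_field( EXAMPLE_MOD_CATS_OPTION, 'Always moderate comments in categories',
		'example_render_field', 'discussion', 'default' );
}
function example_sanitize_option( $raw ) {
	return implode( ',', example_parse_category_ids( $raw ) );
}
function example_render_field() {
	printf( '<input type="text" name="%1$s" value="%2$s" /> <span class="description">Comma-separated category IDs, e.g. 1,3,4,6</span>',
		esc_attr( EXAMPLE_MOD_CATS_OPTION ),
		esc_attr( get_option( EXAMPLE_MOD_CATS_OPTION, '' ) ) );
}
```

Two things to keep from this: the setting is sanitized on write and again on read, so a stray value in the database cannot reach the category lookup, and the filter only ever lowers a comment’s status, never raises it.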

Please let us know if you have any questions or comments.

PHP NONCE Library

By Glenn Ansley  |  August 12th, 2009  |  Published in Blogging, Projects, Uncategorized  |  2 Comments

[Download our nonce library]

We’ve recently developed our own PHP NONCE library for use with custom programming. Our version is loosely based on the implementation found inside the core WordPress software.

What is a NONCE?

Literally, the term refers to a number used once. In web development the word is used more loosely for a token that ties a link or form submission to a particular user, action and time window, so that a request assembled anywhere other than the page the application itself rendered is rejected.

Where would I use a NONCE?

A NONCE offers an additional layer of security wherever a sensitive action is triggered by a request. Take the following line of code as an example:

<a href="delete_post.php?post=003">Delete Post</a>

This link is poorly thought out if the application has no other security measures in place: anyone could begin deleting posts by pointing a browser at the above URL and changing the post number.

A well-designed application would only make that link available if the user was logged into the system with appropriate permissions. Furthermore, the delete_post.php script itself would check that the user is logged in and has permission to delete that post. Is this enough security though?

Here are two scenarios that could circumvent the above security measures:

  1. Depending on how the application’s user authentication works, it may be possible for a malicious user to spoof an authenticated user or to otherwise crack the authentication.
  2. If you are a legitimate admin of the above application, I could trick you into visiting the link: in an email, an image tag, or a hidden form on some other site. Your browser sends your session cookie along with the request, and the post is deleted. This is cross-site request forgery (CSRF).

How a NONCE helps against the above attacks

A NONCE works as an additional layer of security because the receiving script only acts on a request that carries a value the application itself issued for this user, this action and the current time window. Every time a link or a form is printed on the screen, your NONCE code embeds a key / value pair to be sent to the receiving script. Every time that script is called, it checks for the key / value pair and then authenticates it on a pass / fail basis: if it passes, the action is performed; if it fails, it is not. An attacker crafting the link on another site cannot produce the value, so scenario 2 is defeated outright. Scenario 1 is only made harder: someone who has genuinely taken over your session can load one of your pages and read a fresh value out of it. Note also that, without the optional store of used values discussed below, a value stays valid for the whole time window rather than for a single use, so in practice this is a CSRF token rather than a strict number-used-once.

The above link with a NONCE applied to it would resemble the following:

<a href="delete_post.php?post=003&_nonce=9c5fbfabb1">Delete Post</a>

The receiving script would then do the following, in this order:

  1. Check that the user is logged in with appropriate permissions (standard security)
  2. Check that the NONCE key / value is present
  3. Authenticate the received NONCE using the library’s validating function, and refuse the action if it fails

How does a NONCE create and authenticate its key / value pairs?

While there are no hard and fast rules for creating a NONCE, most libraries will include the following components when generating one:

  • A secret key or ‘salt’ stored only on the server
  • A user ID (optional – makes the NONCE only work for a specific user)
  • An action name, ie: ‘delete-post’ (ideally including the ID of the object being acted on, so a value issued for one post cannot be replayed against another)
  • A timestamp (allowing the NONCE to expire if never used)
  • A database of used NONCEs (optional and not used in our library)

Using the above components, a NONCE is generated from secret-salt + user ID + action-name + timestamp, all run through a keyed hash (an HMAC with the secret as the key is the usual choice) and truncated to a short hex value. The timestamp is not used raw: it is rounded to a fixed window, say twelve hours, so that the receiving script can recompute it on its own instead of trusting a timestamp sent by the client.

The receiving script doesn’t actually ‘unpack’ the received key; it recreates it and compares. The delete_post script combines the secret salt (which it knows), the current user’s ID, the delete-post action name and the current time window, hashes them the same way, and compares the result with what was sent. Most libraries also accept the previous window, so a form rendered just before the boundary still submits. If any one of those components is off, the value generated by the receiving script will not match the one sent and the NONCE fails to authenticate. The comparison should be done with a constant-time function such as hash_equals() so that timing differences do not leak how many leading characters matched.
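As an added example of the scheme just described (not FullThrottle’s ft-nonce.php, whose source is not shown on this page), here is generation and verification in PHP. The secret constant, the example_ function names and the twelve-hour window are assumptions; hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example of the scheme described above; not the ft-nonce.php library.
// Assumptions: a server-side secret loaded from configuration (the constant
// below stands in for it), a 12-hour window, and PHP 5.6+ for hash_equals().
define( 'EXAMPLE_NONCE_SECRET', 'replace-with-a-long-random-value-kept-out-of-version-control' );
define( 'EXAMPLE_NONCE_LIFE', 12 * 3600 );   // one tick = 6 h; two ticks accepted = 12 to 24 h

// Time is bucketed into ticks so the client never sends a timestamp:
// the verifier recomputes the current tick itself.
function example_nonce_tick( $now = null ) {
	$now = ( null === $now ) ? time() : $now;
	return (int) ceil( $now / ( EXAMPLE_NONCE_LIFE / 2 ) );
}

// secret + user ID + action + tick, through an HMAC keyed with the secret,
// truncated to 20 hex characters for a short token.
function example_nonce_value( $tick, $user_id, $action ) {
	$mac = hash_hmac( 'sha256', $tick . '|' . $user_id . '|' . $action, EXAMPLE_NONCE_SECRET );
	return substr( $mac, 0, 20 );
}

function example_create_nonce( $action, $user_id, $now = null ) {
	return example_nonce_value( example_nonce_tick( $now ), $user_id, $action );
}

// Accept the current tick and the previous one so a form rendered just
// before a tick boundary still submits. hash_equals() keeps the comparison
// constant-time.
function example_verify_nonce( $nonce, $action, $user_id, $now = null ) {
	$tick = example_nonce_tick( $now );
	foreach ( array( $tick, $tick - 1 ) as $t ) {
		$expected = example_nonce_value( $t, $user_id, $action );
		if ( hash_equals( $expected, (string) $nonce ) ) {
			return true;
		}
	}
	return false;
}

// Receiving script, in the order the post lists: permission check first,
// then presence of the token, then its validity. The action string carries
// the post ID so a token minted for deleting post 3 cannot delete post 4.
function example_handle_delete( array $request, $user_id, $can_delete ) {
	if ( ! $can_delete ) {
		return 'forbidden';
	}
	if ( ! isset( $request['post'], $request['_nonce'] ) ) {
		return 'missing-nonce';
	}
	$post_id = (int) $request['post'];
	if ( ! example_verify_nonce( $request['_nonce'], 'delete-post-' . $post_id, $user_id ) ) {
		return 'bad-nonce';
	}
	// ...delete the post here...
	return 'deleted-' . $post_id;
}

// Minting side: the value a page would embed in the delete link for post 3.
$link_nonce = example_create_nonce( 'delete-post-3', 42 );
// Receiving side: the same request as the user who was issued the token.
$outcome = example_handle_delete( array( 'post' => 3, '_nonce' => $link_nonce ), 42, true );
```

With the token above, changing post to 4, presenting it as user 43, or submitting it more than two ticks later all produce 'bad-nonce'; submitting it twice inside the window succeeds both times. That last point is the difference between this design and a true number-used-once: the optional store of used values from the list above is what would close it, at the cost of a database write per request.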

How to use our NONCE library

  1. Download the zip file and unpack it
  2. Include ft-nonce.php in all of your application’s pages
  3. Embed one of our two generating functions in your links or forms
  4. Call the validating function at the top of your receiving scripts and proceed or refuse based on the validity of the NONCE.

If you need a further example, check out the example here; its PHP source file is included in the zip.

Feedback

We’ve only deployed this once and value your feedback. We will be more than happy to modify, enhance, and correct bugs as reported.

Twitter Post

By Lew Ayotte  |  July 4th, 2009  |  Published in Projects  |  103 Comments

With Twitter Post every author of your blog can have their own Twitter information stored under the Users section. Whenever they post to your blog it will automatically tweet a message to the admin Twitter account as well as their own Twitter account. The admin can also choose to send a tweet to all authors’ Twitter accounts whenever anyone publishes a post.

With Twitter Post you can…

  • choose which categories are included or excluded
  • exclude individual posts from being tweeted before you publish them
  • retweet a published post*
  • choose to tweet to all authors
  • customize the tweet format, including the post title and post URL (using the custom tags %TITLE% and %URL%, respectively)**

Currently Twitter Post supports two URL shortening services. TinyURL is the default: Twitter Post will attempt to have your post’s permalink shortened by TinyURL and, if that fails, will fall back to the regular permalink. The other option is a WordPress plugin called Twitter Friendly Links; if Twitter Friendly Links is installed and activated on your website, Twitter Post will use it instead.

* Twitter no longer allows the ability to tweet the same exact message more than once. This is an attempt to reduce SPAM in their system. I am not trying to encourage SPAM with the ReTweet feature, but I felt like it was an important feature to include. Because of the limitation imposed by Twitter, I had to add a random element to each ReTweet. Currently a random digit between 10 and 99 will be appended to a ReTweet. Also, you will only see the ReTweet option for published posts.

** Twitter allows a maximum of 140 characters per tweet. If your custom format is too long to accommodate %TITLE% and/or %URL%, this plugin will cut your title down to fit and/or remove the URL. The URL is given preference, since it is all or nothing: if your title pushes the tweet over 140 characters, the plugin keeps a substring of your title (plus an ellipsis) rather than dropping the URL.
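The length rule in the second footnote, as an added example in PHP that is not Twitter Post’s own code. It assumes the 140-character limit the note states and takes the already-shortened URL as an argument; it counts bytes with strlen(), so for non-ASCII titles you would swap in mb_strlen() and mb_substr().

```php
<?php
// Added example of the truncation rule described above; not the plugin's code.
// Assumes a 140-character limit and receives the shortened URL ready-made.

// Substitute the URL first and the title second: a title that happens to
// contain "%URL%" is then left as literal text instead of being expanded.
function example_fill( $format, $title, $url ) {
	return str_ireplace( '%TITLE%', $title, str_ireplace( '%URL%', $url, $format ) );
}

function example_format_tweet( $format, $title, $url, $limit = 140 ) {
	$ellipsis = '...';
	$tweet    = example_fill( $format, $title, $url );
	if ( strlen( $tweet ) <= $limit ) {
		return $tweet;
	}
	// Too long. The URL is all-or-nothing, so keep it and shrink the title
	// to whatever room the format leaves beside the URL.
	$room = $limit - strlen( example_fill( $format, '', $url ) );
	if ( $room > strlen( $ellipsis ) ) {
		$short = substr( $title, 0, $room - strlen( $ellipsis ) ) . $ellipsis;
		return example_fill( $format, $short, $url );
	}
	// Not even a stub of the title fits next to the URL: drop the URL and
	// give the title the room the bare format leaves.
	$room  = $limit - strlen( example_fill( $format, '', '' ) );
	$short = ( $room > strlen( $ellipsis ) ) ? substr( $title, 0, $room - strlen( $ellipsis ) ) . $ellipsis : '';
	return substr( example_fill( $format, $short, '' ), 0, $limit );
}

// Constructed inputs for trying it out.
$short_title = example_format_tweet( 'Blogged %TITLE%: %URL%', 'Hello world', 'http://tinyurl.com/abc123' );
$long_title  = example_format_tweet( 'Blogged %TITLE%: %URL%', str_repeat( 'A very long title ', 12 ), 'http://tinyurl.com/abc123' );
```

The first call comes back unchanged; the second comes back at exactly 140 characters, with the URL intact and the title ending in an ellipsis.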

Download

Latest Version (Tested on WordPress 2.9.1 but should work on 2.6 and up)

ChangeLog
1.5.5

  • Fixed exclude post issue.

1.5.4

  • Removed link to survey.

v1.5.3

v1.5.2

  • Fixed bug introduced in WordPress 3.0 with publishing pages

v1.5.1

  • Fixed case sensitivity issue in tweet format
  • Added ability to ReTweet a published post
  • Removed and cleaned up some code
  • Cleaned up some validation techniques for test tweet feature

v1.5.0

  • Added ability to send a test tweet to Twitter (to verify everything is working); this bumps the support up to start at WP2.8 but will allow me to add a “re”-tweet feature in a later version.
  • Made some efficiency fixes
  • Made some styling changes to match current WordPress styling
  • Setup partial error reporting (as part of the test tweet) which I will extend into a debugging feature in a later version

v1.4.1

  • Fixed issue with not stripping slashes properly from default tweet format option
  • Removed unneeded option code for efficiency
  • Updated str_ireplace function for better PHP4 compatibility

v1.4.0

  • Discovered WP_Http class (since WP2.7) which makes life much easier for everyone, but this bumps the support up to start at WP2.7)
  • Removed cURL requirement, switched to WP_Http API
  • Removed Twitter API Classes, switched to WP_Http API
  • Changes in cURL requirement required modification of init() function

v1.3.5

  • Moved URL shortening functionality for improved efficiency

v1.3.4

  • Moved exclusion check for efficiency
  • Fixed bug in scheduled posts, if a secondary account schedules a post and logs out, it would not have tweeted the message

v1.3.3

  • Had a typo when checking the PHP Version for PHP5 functionality

v1.3.2

  • Fixed bug that prevented TwitterPost from tweeting when setting a custom tweet on a Post page

v1.3.1

  • Fixed bug with category exclusion logic… accidentally brought it back in with version 1.3.0

v1.3.0

  • Cleaned up and removed 139 lines of code
  • Fixed second bug with category exclusion logic

v1.2.2

v1.2.1

  • Fixed PHP cURL Requirement Error Message
  • Added PHP cURL Requirement skip if Twitter Friendly Links is already installed.
  • Added ability for WP Admin to set Twitter Post to tweet from all Author accounts whenever a post is published.

v1.2.0

  • Changed default tweet from “Blogged %TITLE%: – %URL%” to “Blogged %TITLE%: %URL%”.
  • Added check to make sure PHP Curl is installed.
  • Fixed bug that caused Twitter Post to tweet when adding new page.
  • Added ability to specify which categories to include/exclude in tweet.
  • Added ability to exclude a post before publishing it.
  • Added support for using Twitter Friendly Links instead of TinyURL links when TFL plugin is activated.
  • Added support for multiple author twitter accounts and default twitter account.

v1.1.1

  • Fixed support URLs

v1.1.0

  • Fixed Default Tweet typo (“blogged” instead of “bloggged”).
  • No longer publishes to twitter when you update/edit an old post.
  • Added feature to customize tweet per post using Custom Fields.
  • Changed project URL to http://fullthrottledevelopment.com/ – my new business venture.

v1.0.0 – Initial release

  • Allows custom tweet formatting with %TITLE% and %URL% tags.

Installation

  1. Upload `rf-twitterpost` directory to the `/wp-content/plugins/` directory
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. Update Twitter Post Options with your twitter username, password, and the tweet format.
  4. Next time you publish a new post it will update twitter.

Possible Future Features

  • Ability to add post excerpt to tweet.
  • Possibly switch to Twitter’s OAuth API.
  • And as always, we listen to your requests…

Page Related Posts

By Alan Knox  |  June 30th, 2009  |  Published in Projects, WordPress Plugins  |  0 Comments

This WordPress plugin adds a list of posts to the bottom of static pages based on the name of the page and the category of the post. The plugin examines the name of the page, then it finds the most recent posts in a category with the same name as the page.

For example, if the site includes a page called “Services” and a post category called “Services”, then a list of the most recent posts in the “Services” category will be included at the bottom of the “Services” page.

This plugin allows immediate cross-referencing between static pages and posts with similar content.

There are a few options associated with this plugin. The user can set the number of related posts to display and can format the related post title and list.

To use this plugin, unzip and upload to your plugins folder, then activate.

Download here until it gets approved by wordpress.org

Creating Dependent WordPress Plugins

By Glenn Ansley  |  June 11th, 2009  |  Published in Projects  |  8 Comments

This script was generated in response to a thread on the wp-hackers mailing list.

The question at hand is how to make one plugin dependent on another plugin’s installation and activation while still using the register_activation_hook() function.

The following code is a proof of concept. It can be improved and will be improved after I get through with WordCampRDU this weekend. I slapped it out while on a 2 1/2 hour phone call with a client and only had time to confirm it works and post it here.

How to use this proof of concept:

  1. Copy the code below and paste it into the top of “Hello Dolly”
  2. Try to activate “Hello Dolly” without “Akismet” activated.
  3. Activate “Akismet” and try to activate “Hello Dolly”
  4. Deactivate “Akismet” and confirm that “Hello Dolly” has been deactivated

Still To Do:

  1. Investigate the active plugins option to see if I can prevent hardcoding the plugin’s file location
  2. Enable a way to notify the admin that a dependent plugin has been deactivated at the same time the required plugin was deactivated.
  3. Copy the WordPress Core’s implementation of deactivating a plugin to allow for multiple dependencies and to take advantage of existing action hooks.

The Code: ( a modified hello.php )
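The proof-of-concept listing itself did not survive on this page. What follows is an added example, not the author’s code, that covers the four steps above from the same register_activation_hook() starting point. It assumes Akismet’s main file is akismet/akismet.php as in a stock install; the example_ function names and the notice text are its own.

```php
<?php
/*
Plugin Name: Hello Dolly (dependent-plugin example)
*/
// Added example following the four steps above; not the author's proof of
// concept. Assumes Akismet lives at akismet/akismet.php (stock install).
define( 'EXAMPLE_DEP_REQUIRED', 'akismet/akismet.php' );

// is_plugin_active() lives in wp-admin/includes/plugin.php, which WordPress
// only loads on admin screens; require it so the check works from any hook.
function example_dep_required_is_active() {
	if ( ! function_exists( 'is_plugin_active' ) ) {
		require_once ABSPATH . 'wp-admin/includes/plugin.php';
	}
	return is_plugin_active( EXAMPLE_DEP_REQUIRED );
}

// Steps 2 and 3: refuse activation while Akismet is inactive. The activation
// hook runs before WordPress adds this plugin to active_plugins, so wp_die()
// here leaves it inactive and shows the reason instead of failing silently.
register_activation_hook( __FILE__, 'example_dep_on_activate' );
function example_dep_on_activate() {
	if ( ! example_dep_required_is_active() ) {
		wp_die( 'Hello Dolly needs Akismet to be active first. Activate Akismet, then try again.',
			'Dependency missing', array( 'back_link' => true ) );
	}
}

// Step 4: on every admin request, if Akismet has gone away while we are
// still active, deactivate ourselves and queue a notice. This is done on
// admin_init rather than from inside Akismet's own deactivate_ hook because
// deactivate_plugins() writes the active_plugins option once, after its
// loop: a nested deactivate_plugins() call made from that hook is overwritten
// by the outer call's write and the dependent plugin stays active.
add_action( 'admin_init', 'example_dep_enforce' );
function example_dep_enforce() {
	if ( example_dep_required_is_active() ) {
		return;
	}
	$self = plugin_basename( __FILE__ );
	if ( is_plugin_active( $self ) ) {
		deactivate_plugins( $self );
		set_transient( 'example_dep_notice', 1, 300 );
	}
}

add_action( 'admin_notices', 'example_dep_notice' );
function example_dep_notice() {
	if ( get_transient( 'example_dep_notice' ) ) {
		delete_transient( 'example_dep_notice' );
		echo '<div class="error"><p>Hello Dolly was deactivated because Akismet is no longer active.</p></div>';
	}
}
```

Checking on admin_init also catches the cases a deactivation hook never sees, such as the required plugin’s files being deleted over FTP or the active_plugins option being edited directly. The required plugin’s path is still hard-coded, which is the first item on the to-do list above.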

Password Protect Children Pages

By Glenn Ansley  |  May 23rd, 2009  |  Published in Projects, WordPress Plugins  |  11 Comments

This plugin does one thing. If a page that is password protected has children pages, all children pages will be protected with the same password. If the correct password is entered on the parent page or any of its children pages, all related pages will be viewable to the user.

The following logic is invoked whenever the_content or the_excerpt is called from your theme.

  1. Is this a page?
  2. Does this page have an ancestor page?
  3. If it does, does the ancestor page require password protection?
  4. If it does, treat this page the same way you would treat the top-level ancestor page.

Version 0.2 uses the $post->ancestors property and allows protection of grandchildren pages as well
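An added example of the four-step logic above in PHP; it is not the plugin’s code. It leans on post_password_required() and get_the_password_form() from core, and on the fact that WordPress keeps a single post-password cookie rather than one per page, which is what lets a password entered on the parent unlock the children. The example_ function names are assumptions.

```php
<?php
// Added example of the logic described above; not the plugin's own code.
// Assumes post_password_required() and get_the_password_form() from core.

// Return the nearest ancestor page that carries a password, or null.
// get_post_ancestors() lists the immediate parent first, so the first hit
// is the closest protected ancestor.
function example_protected_ancestor( $post ) {
	if ( ! $post || 'page' !== $post->post_type ) {
		return null;
	}
	foreach ( get_post_ancestors( $post ) as $ancestor_id ) {
		$ancestor = get_post( $ancestor_id );
		if ( $ancestor && '' !== $ancestor->post_password ) {
			return $ancestor;
		}
	}
	return null;
}

// Runs on the_content and the_excerpt. If a protected ancestor exists and
// its password has not been entered yet, show the password form in place
// of the content. post_password_required() checks the shared cookie against
// the ancestor's password, so unlocking any page in the tree unlocks all.
function example_protect_children( $content ) {
	global $post;
	$guard = example_protected_ancestor( $post );
	if ( $guard && post_password_required( $guard ) ) {
		return get_the_password_form( $guard );
	}
	return $content;
}
// Priority 1 so this runs before wpautop and other content filters.
add_filter( 'the_content', 'example_protect_children', 1 );
add_filter( 'the_excerpt', 'example_protect_children', 1 );
```

Be clear about the boundary this draws: only output that passes through the_content or the_excerpt is covered. The child page’s title, its place in menus and navigation, and anything that reads post_content directly (a custom query in a theme, for instance) are not, exactly as with WordPress’s own password protection on the parent.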

Download here

Remove “Private: ” From Post Titles

By Glenn Ansley  |  May 10th, 2009  |  Published in Projects, WordPress Plugins  |  1 Comment

Once activated, private posts will no longer have the word “Private: ” prepended to their title.

Just activate and go. No options. Let me know if you need some.

Download at the WordPress plugin repository:

http://wordpress.org/extend/plugins/ft-remove-private-from-post-titles/