PHP Interfaces

I’ve found as I progress in my career that many of the people I’ve spoken with aren’t as familiar with the OOP side of PHP. Procedural coding in PHP is pretty easy for most to grasp, but true architects build with structure, and procedural code quickly turns into mushy spaghetti. I plan to write a series of posts outlining some of the cool pieces of Object Oriented Programming found in PHP.

In this first post we’ll talk about interfaces. Sure, we could talk all about design patterns, but what I find most interesting are the less talked about pieces. While this isn’t really something new to PHP, in my line of work I don’t find many others using it. Let’s talk about what an Interface is and see what it can do to strengthen our OOP skills.


Build A Hollow Box with CSS3

Quick post on just some fun with CSS. I talk too much about WordPress, not that it is a bad thing… I just thought it would be good to do something different.

In this quick little post, we’re going to build a box with a hollowed out center. Nothing really special, but something fun and fairly simple. Maybe we’ll come back and build on it in a longer post.


Professional WordPress Development Environments

If you haven’t guessed, I do a lot of development on WordPress. Over the past 7 years of building on WordPress, I’ve come to find the perfect setup to help me really focus on my projects and build fast and efficiently. Of course, this is what I’ve found really works for me and my workflow/skills. I only work from a Mac, so this list is based on that, and I try to cover Windows alternatives when possible. Unfortunately I don’t personally know good alternatives to some of these tools, so I encourage others to share their tried and true alternatives and I’ll update this list! With that said, this is nothing more than my tools/workflow that I felt would be beneficial for other WordPress developers.


Where Art Thou?

For any of you that have noticed, I’ve been quiet on my site and the podcast seems to have halted?

Well, long story short, I’ve been in the hospital since Easter (March 31st) and haven’t been able to produce anything. I’m 100% fine, I just had a series of unfortunate events that led to one thing after another, but we are on the final stretch in getting me back in the wild! So far I’m estimated to be discharged on Tuesday, April 16th.


Custom Message in WP Admin Area

A quick little tutorial.

Recently, I had to leave a warning message on the Reading area of the Settings section on a client’s website. Why? Well, the theme only worked as expected as long as a static page was set. Of course, that probably means there’s some reworking to be done on the theme, but it was considerable reworking the client didn’t have a budget for, so we decided the best option was to place a warning message on that page saying, “Don’t Touch!”.


Modify Breadcrumbs in Canvas from WooThemes

Recently, the marketing company I do a lot of custom development for signed up for the Theme Club over at WooThemes, and I was faced with creating my first child theme based on the Canvas theme. I have always hand-built my themes and my experience with premium themes is minimal, but man, WooThemes has some rock star developers on the team there. Anyways, one thing I had to do was modify the output of the breadcrumbs found within the theme. Off to Google we go for a fast answer, right? Lo and behold, I found nothing. Surely I’m not the only one that has required this customization? All I wanted to do was remove the default “You are here” text and change the separator, which was displaying as >.


CSS3 Box Shadow with SASS and Compass

Today, I’m gonna focus on something else besides WordPress, although the techniques here can easily be brought into any WordPress theme as long as you have it configured to use SASS.

I made the switch to SASS around October 2012, and I haven’t looked back. If you haven’t used it yet, you should at least try it out. I followed the tutorials from Web Design Tuts+ and began experimenting with it from there. I cringe now when I’m faced with dealing with plain CSS.

Let’s sit down together and have some fun!

http://youtu.be/50czRXFpX4U

Resources:

Get BuddyPress Notifications Count

BuddyPress!

I have made the dive. I have gone 7 years now developing with WordPress and finally a project has approached me that requires BuddyPress. I’ve heard good and I’ve heard bad… overall, I’m pumped to work on BuddyPress and become best friends ;P

Today’s tutorial is a quickie. Let me share with you a workaround I created to fix an issue I was faced with. Earlier today I spent about 15 minutes scouring the interwebs looking for that magical function that will return the total number of notifications the current BuddyPress user has, and I was defeated. Surprisingly, there is no core function that returns this, but I know for a fact this functionality exists! Digging deep into the core of BuddyPress I was able to locate a function that has a snippet of just what I was looking for.

We’ll extract some code found in the bp_members_admin_bar_notifications_menu() function in bp-members > bp-members-adminbar.php. This function has only been tested with version 1.6.1, so beware! If things update in the future, I’ll be sure to back track and update this post ^_^

Create the custom function

First we need to open the functions.php file in the root of our theme and paste in this code.

// Echo the number of pending notifications for the currently logged-in user.
function cg_current_user_notification_count() {
    // Returns one array per notification for the given user (BuddyPress 1.6.x).
    $notifications = bp_core_get_notifications_for_user(bp_loggedin_user_id(), 'object');
    // An empty result means no notifications, so the count is 0.
    $count = !empty($notifications) ? count($notifications) : 0;

    echo $count;
}

Explanations

We first use the BuddyPress core function bp_core_get_notifications_for_user(). At first glance this function would seem to do just what we need; unfortunately it returns too much. All we are looking for is the total number of notifications. This function actually returns a multidimensional array, separating each notification for the currently logged in user into its own array. We’ll store this in a variable called $notifications for use in the next part.

With our array of notifications, we then count the entries in our $notifications variable and store the result in a new variable called $count.

Lastly we echo the results of our counted array!

Usage

Now we can just add in our function where we want! I’ll end this quick tip with a bonus too. The code below will use our new function and wrap it in a link to our user profile so we can view the notifications that are pending ;)

<p><a href="<?php echo esc_url(bp_core_get_user_domain(bp_loggedin_user_id())); ?>"><?php cg_current_user_notification_count(); ?> - Notifications</a></p>

Securing WordPress with a Bulletproof Vest

WordPress out of the box is pretty easy to get up and running: install some plugins to extend its functionality and focus on writing your next big time blog post. With what WordPress provides out of the box, an area overlooked by a lot of users running a self hosted WordPress is security.

Now don’t get me wrong, this doesn’t mean WordPress isn’t secure! As with any system, security issues always arise, even at some of the biggest software manufacturers in the world. The excellent team behind this powerful system has a lot of security baked in. There is form sanitization available to developers, with some amazing documentation on how to harness this power in your custom themes and plugins, and they update the core code on a regular basis, notifying all users when there are major security updates required to keep your site secure. These are just some of the basics as far as security goes when applied to WordPress out of the box.

The type of security WordPress doesn’t provide out of the box is the security of your computer and the server your WordPress site is installed on. Over the last few years I have been doing some research on security and have compiled a crash course tutorial here on how I go about securing all of my websites, new or existing, which I feel are required good practices for anyone running a WordPress site. In reality, WordPress is secure; it’s the thousands of 3rd party themes and plugins that introduce these issues. Installing any third party theme or plugin can pose security threats if the proper precautions aren’t taken.

Now, why should you care? You run a small business that markets to local customers? In my experience, hackers don’t care. I have worked on projects from small mom & pop shops to large networked WordPress Multisite installs geared for community involvement world wide that see daily traffic of 100,000 unique visitors a day. Both of these types of websites get attacked by hackers or bots all the time, trying to get in to either market something to your users without your knowledge, use your site as a testing ground for fresh hackers, spread a message (religiously motivated hackers), or, lastly, steal sensitive data (the malicious hacker). The motivation to hack any website goes beyond the usual thought of “They want money”. Some hacking is influenced by black hat SEO and creating unauthorized back-linking. The reality is, if your website is up and available for anyone in the world to view, it’s worth any hacker’s time to try and make some use of your site as they wish.

Ok, let’s dig in and get working on securing our WordPress sites! Of course, all of these steps are best implemented from the beginning, but a lot of this is a great place to start for an existing site or after dealing with a hacked install.

Harden the Configuration file

The first place I start when creating a new WordPress site is the wp-config.php file. If you haven’t guessed it, this is the configuration file for our WordPress site. There are three major spots in this file.

MySQL Settings

This may seem like a given, but I don’t know how many times I’ve acquired a site and found the proper levels of security were not applied to the MySQL Settings section. This section of our configuration file holds the connection details for our database, which is essentially the brain of our WordPress site. If anything were to happen to our database, we would lose everything in our WordPress site without a proper backup.

Security is not to be taken lightly here. I try to use descriptive, yet cryptic, naming schemes for the database name, the username and the password. You’ll want to use something descriptive but not too obvious for hackers to figure out for the database name and username. Some hosts limit the number of characters when creating these, so we’ll want to make sure ours are long enough while still fitting your host’s requirements.

Set Your SALTs!

The SALTs are a very important part of security and are very easy to set.

If you look in the comment code at the top, you can see they provide a URL that will auto generate the SALTs for you! <3 WordPress. All you have to do is paste that URL into your browser and copy the code they generate for you back into your wp-config.php.

Now, this is all fine and dandy, but what does this really do? These are used for user authentication and form nonces. Let’s say for instance you had a compromise and someone has logged into one of your accounts: you can reset these and that will invalidate all cookies set from user login, which will then force everyone to log back in. That gives you a window of time to temporarily disable user login while you correct the issue. Pretty neat and easy ^_^

Database Table Prefix

The final important setting is the Database Table Prefix. By default, WordPress uses wp_, which is set at the beginning of every table in your database. Hackers love this, as it opens a doorway for them to use SQL Injection to corrupt your database or return sensitive data through malicious scripts. Changing the default to something unique will harden your install. If you have an existing website that needs this to be updated, sadly you can’t just change the prefix in here. You will have to manually update the table names yourself. A discussion on that is a talk of its own and is (slightly) beyond the scope of this post. Maybe I’ll revisit that at a later time.
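A read-only check for the two wp-config.php settings above (SALT placeholders and the default table prefix), added here as an example; it is not code from the original post or from WordPress. The function name cg_audit_wp_config, the constructed sample config and the 32-character length threshold are my own assumptions.

```php
<?php
// Added example, not part of the original post: audit a wp-config.php source
// string for the settings discussed above. Function name, sample config and
// the 32-character threshold are assumptions made for this example.

function cg_audit_wp_config(string $source): array {
    $findings = [];
    // The eight keys that wp-config-sample.php ships with a placeholder value.
    $keys = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
             'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];
    foreach ($keys as $key) {
        // Matches define('KEY', 'value'); with either quote style.
        $re = '/define\(\s*[\'"]' . $key . '[\'"]\s*,\s*[\'"](.*?)[\'"]\s*\)/';
        if (!preg_match($re, $source, $m)) {
            $findings[] = "$key is not defined";
        } elseif ($m[1] === 'put your unique phrase here') {
            $findings[] = "$key still has the default placeholder";
        } elseif (strlen($m[1]) < 32) {
            $findings[] = "$key is short (" . strlen($m[1]) . " chars)";
        }
    }
    // Automated attacks assume the default wp_ prefix in their table names.
    if (!preg_match('/\$table_prefix\s*=\s*[\'"]([^\'"]*)[\'"]\s*;/', $source, $m)) {
        $findings[] = '$table_prefix is not set';
    } elseif ($m[1] === 'wp_') {
        $findings[] = 'table prefix is still the default wp_';
    }
    return $findings;
}

// Constructed sample: one key set to a made-up value, one left at the
// placeholder, the other six missing, and the default prefix.
$sample = <<<'CFG'
define('AUTH_KEY',        'made-up-value-standing-in-for-a-generated-64-char-key!!!!!!!!!!');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
CFG;

// Expect: SECURE_AUTH_KEY placeholder, six "not defined" keys, default prefix.
foreach (cg_audit_wp_config($sample) as $finding) {
    echo "- $finding\n";
}
```

To audit a real site, pass file_get_contents('/path/to/wp-config.php') instead of $sample; the function only reads the text and never loads the config.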

“Cripple” the Admin Account

Back in the day, WordPress always created an admin account and you couldn’t rename it. That created huge issues for stopping brute force attackers, as they already had the user name figured out. Since WordPress 3.0, users have been allowed to install with an account of their choosing. Now I say, still install with an admin account with a secure password, but “cripple” that account. What does this mean exactly? Well, I like to keep the hackers at bay and make them work for it. What I like to do is install WordPress with an admin account with a secure password. Then I’ll go in and create a new account with administration privileges, log in with that account, take the original admin account we created in the install and set its privileges to subscriber. This will keep the hackers busy for quite some time, plus if they get in, awesome, now they can update their user profile and all that hard work of brute forcing into the account is wasted ^_^ Send them on a wild goose chase. Just because the account username is admin doesn’t mean they have admin privileges… lol

Plugins

As I said, WordPress out of the box is pretty secure already, but we will need plugins to extend the security of our install and make things more bulletproof. I’ll list out the plugins that I use in all of my websites and that have proven to prevent security holes and attacks.

Wordfence Security

http://wordpress.org/extend/plugins/wordfence/

Wordfence is a required plugin. There are security plugins similar to it, but they don’t pack the punch or offer the easy to use interface that Wordfence Security provides. Several years back, I was brought into a company to analyze some strange JavaScript that was being displayed in their WordPress websites. They had a handful of single installs on a shared server, and after digging around in their account, I realized they had been hacked through a vulnerability in “TimThumb”. Without going into much detail, TimThumb is a PHP image resizing script, and many themes or plugins never updated the script, thus opening the door to hackers. My client was hit and hit hard. Every website in their account was infected due to one out of date theme. Using Wordfence Security on all of their websites I was able to narrow down every instance of malicious code and locate the back door that was injecting the malicious scripts. All of that through Wordfence Security without the need to FTP in.

On top of all of that, it provides login security by blocking the IP addresses of brute force attackers, theme and plugin checking, and hiding whether a username was correct when a login fails (why WordPress reveals this.. I don’t understand that..). It will also email you about any security vulnerabilities found in your WordPress core files, themes and plugins. One thing that is fun to experiment with is to tell Wordfence to email you when a user is blocked from logging in. That’s how I learned about the kind of hacker traffic that I get on my different websites and found just how many hackers are still trying to brute force the admin account. Reference the “Cripple” the Admin Account section above to make things really interesting.

WordPress Firewall 2

http://wordpress.org/extend/plugins/wordpress-firewall-2/

Sadly, this plugin recently hit its two year mark of no updates… I’m actually in the process of finding a comparable plugin, but so far I have found no issues with this plugin regardless of its developer’s inactivity. To this day I’ll get notifications about people trying to run SQL Injections or exploit malicious code on some of my websites.

This plugin will listen for known hacker techniques, block anything that matches them and email you the URL it happened at and what the plugin thinks the attack was. Using this plugin also helped teach me about known security vulnerabilities, such as the fb_connect vulnerability that will return your username and encoded password.

I’ll be sure to update this section when I have located something just as good or even better.

TimThumb Vulnerability Scanner

http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

As mentioned in the blurb about Wordfence Security, TimThumb is still lingering in some themes and plugins. If you are unsure whether your website is vulnerable to this horrible zero-day hack, you can install the TimThumb Vulnerability Scanner. The name says it all really: it scans your WordPress site for out of date versions of TimThumb. The usage is pretty straightforward; you push a button to search and it will report back the version of TimThumb you are running (if it finds it) and will let you know if you are out of date or up to date. This was a huge help during my TimThumb vulnerability to stop any more back doors from being created.

VaultPress

http://vaultpress.com/

What good is an install without any backups? VaultPress will handle that for you and is maintained by the company behind WordPress, Automattic. Now, admittedly, I have not used VaultPress yet because I haven’t had the need or a client willing to pay for the service. I do have it planned for my personal site, but that will be in a little while. At the moment, I have my host running backups for me which I can access at any time and restore if I need to.

VaultPress also runs security checks similar to Wordfence Security. If you are paying for the package that offers security checks, you can run them both, I’m sure, but that may just be a bit paranoid. I would suggest you choose between the two and stick with it. In reality you can also go with the basic plan that just offers the backup and restore features and use Wordfence Security to deal with the server checks.

.htaccess tricks

If your WordPress site is running on Apache (which most do), you can take advantage of some great tricks in the .htaccess file, which acts as a per-directory server configuration file. This is normally found in the root of your website; if it doesn’t exist, you can just create one. Another thing to note is that this is natively a hidden file, so make sure you have your computer or your FTP software set to display hidden files.

Secure sensitive files

The snippets below will make the following files inaccessible in a browser. By default, technically you can load these files, but for security’s sake we’ll stop the server from serving our .htaccess and wp-config.php. Just copy and paste these anywhere in your .htaccess file.

# PREVENT ACCESS TO WP-CONFIG.PHP
# Apache 2.2 syntax (no space after the comma in Order). On Apache 2.4 without
# mod_access_compat, replace the Order/Deny pair with: Require all denied
<Files wp-config.php>
    Order Allow,Deny
    Deny from All
</Files>
# PREVENT ACCESS TO OUR .HTACCESS
<Files .htaccess>
    Order Allow,Deny
    Deny from All
</Files>

Hide Directory Indexes

Most good hosting companies will set up your server to disallow users from navigating to a directory in your site that then lists every folder and file inside of it. This can be a bad thing, as malicious users can get in there and cause some havoc. Let’s prevent that just in case.

# STOP USERS FROM VIEWING OUR FILE DIRECTORIES
# Only turn off directory listings; "All -Indexes" would also enable every
# other option (Includes, ExecCGI, ...) which we don't want.
Options -Indexes

Wrapping It Up

In reality, there’s not much to securing your WordPress site. All that I spoke about above is what all of my websites use, and since I started implementing these I have prevented security issues and have been worry free about the security of my sites. Of course there are many other things one can do to boost security even further. A good list is .Net Magazine’s 10 simple tricks to secure your WordPress site.

If you have a great security trick that I didn’t list out here, please leave a comment below and share with us!