WordPress Tips Part 1

This post is guest blogged by Milo of 3OneSeven.com. For all codes, type them out. Do not copy and paste.

Tip #1

DO NOT use this search code in the search.php:

<?php echo $_SERVER['PHP_SELF']; ?>

Nobody should be allowed to search your entire server, or?

Use this one instead:

<?php bloginfo('home'); ?>

Tip #2

Another bad piece of code used in title tags or search templates:

<?php echo $s; ?>

as it allows malicious code injection.

Use this one:

<?php echo wp_specialchars($s, 1); ?>
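As an added example (not part of the original post), the stand-alone PHP script below renders the same search-template fragment twice from one constructed query: once echoing the term raw, as in the bad snippet above, and once through htmlspecialchars(), which is the same idea as wp_specialchars($s, 1) in WordPress. It reads the term from $_GET['s'] instead of the global $s, and the function names and sample query are assumptions of this example.

```php
<?php
// Added example, not code from the original post. Run from the CLI:
//   php search_escape.php
// or serve it and request ?s=<your query> to see the same two renderings.

// Encodes <, >, &, " and ' so the browser treats the term as text,
// never as markup. This is what Tip #2 relies on (wp_specialchars with
// the quotes flag behaves the same way for these characters).
function escape_search_term(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Renders the parts of a search template that reflect the query:
// the <title>, a heading and the value of the search box.
// $raw is the unescaped term; $escape selects the safe rendering.
function render_search_fragment(string $raw, bool $escape): string {
    $s = $escape ? escape_search_term($raw) : $raw;
    return "<title>Search results for: {$s}</title>\n"
         . "<h2>You searched for {$s}</h2>\n"
         . "<input type=\"text\" name=\"s\" value=\"{$s}\" />\n";
}

// Constructed sample query containing markup. In the unescaped rendering
// the quote closes the value="" attribute and the tag becomes live HTML;
// in the escaped rendering it stays inside the attribute as plain text.
$sample = '"><script>alert(1)</script>';

// Read the term from the request, as a template should, rather than
// from the global $s; fall back to the constructed sample on the CLI.
$query = $_GET['s'] ?? $sample;

echo "--- unescaped (the bad snippet: echo \$s) ---\n";
echo render_search_fragment($query, false);
echo "--- escaped (wp_specialchars equivalent) ---\n";
echo render_search_fragment($query, true);
```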

Tip #3

  • DO NOT use the default Kubrick theme, as it contains a security bug. Affected script: /themes.php?page=functions.php, the “Header Image and Color” section of the Default Theme Kubrick.

  • Further info here.
  • Also, some themes are based on the Kubrick header functions, examine those themes carefully as they can have the same vulnerability.

Before doing any of the following customization, BACK UP your existing files. Or better, test it on your local or server test site.

Tip #4: Style Switcher The Easy Way

  1. Download this Javascript file
  2. Upload the style switcher file to your theme’s “js” folder
  3. Copy your basic theme stylesheet and rename it to style2
  4. Insert the Javascript in your header:
    <script src="<?php bloginfo('template_directory'); ?>/js/style-switch.js" type="text/javascript"></script>
  5. Insert the two stylesheets in your header:

    <link rel="stylesheet" href="<?php bloginfo('stylesheet_url'); ?>" type="text/css" title="default" media="screen" />
    <link rel="alternate stylesheet" type="text/css" media="screen" title="style2" href="<?php bloginfo('template_directory'); ?>/style2.css" />

    Note the difference between the title “default” for your basic stylesheet and the second title “style2”. Vary your basic stylesheet by applying new rules to the ids and classes.

  6. Upload new images to your theme’s image folder (if needed)
  7. Insert the script call at an appropriate place:
    Styles:
    <a rel="nofollow" title="Toggle stylesheets" href="javascript:chooseStyle('none', 60)">#000</a>

    |

    <a rel="nofollow" title="Toggle stylesheets" href="javascript:chooseStyle('style2', 60)">#fff</a>

    Bulletproof for IE6 and IE7.

Tip #5

Block search robots from your archive page by preventing the indexing:

<?php if(is_archive()) { ?><meta name="robots" content="noindex"><?php } ?>

Paste it anywhere in the header of your current theme BEFORE the closing of the head tag.

From Small Potato

Milo is a graphic and web designer based in Munich, Germany. Read more about this author.

Part 2 of Milo’s tips will show you how to add Gravatar, add a side blog, customize the read-more link, customize the comment link, and customize the WordPress login.


Great tips! Take a look at tip number 5 though. The “if” statement needs a “(” before the “is”. Works great other than that.

Nouman Saleem:

Can’t wait for the next part! Awesome post.

Thanks Brad - I corrected it.

Awesome! I can’t wait to learn how to add a sideblog!

Thanks for the tips :)

GREAT tips! I’ll be rushing some of them over to my theme as soon as I get to it. Just yesterday I actually posted some other great tips for WordPress sites:
http://www.developdaly.com/blog/…

Never knew Kubrick theme had such an issue.. thanks for the info :)

Alex Null:

Thanks for the tips! Hope WordPress are aware of them and fix them.

thanks a loooot for the Tips :)

By this sentence I could tell you were german: Nobody should be allowed to search your entire server, or? :-) Don’t get me wrong, I just think it is funny, not in a malicious fashion.

thanks a lot

Great tips indeed, I will be implementing them in the future!

Icyone:

I know I am a noobie, but does copy and pasting code change it “write it out, do not copy and paste” or is there another reason?

Basically… the quotation marks in the codes posted aren’t what they should be. If you copy and paste them, they will not work as codes.

Icyone:

Thank you for the explanation SP. I wonder how many times I have made that mistake…

[…] Wordpress Tips Part 1 […]

[…] pertaining to WordPress development over the last year, so be sure to check out WordPress Tips Part 1 and Part 2 and browse around for some other great information. No Comments, Comment or […]

[…] WordPress Tips Part 1 (tags: wordpress) […]

[…] Restrict the search to the whole site and not the whole server: DO NOT use this search code in the search.php […]

[…] DO NOT use this search code in the search.php […]

jem:

Your first point is based on a terrible misunderstanding - using $_SERVER won’t allow anyone to search your entire server! It’s a superglobal used by PHP to allow access to information set by the $_SERVER. In fact, $_SERVER[’PHP_SELF’] simply returns the page that the person is on - so, “search.php”.

Nonetheless, it’s better to sanitise the $_SERVER array before use (source: Essential PHP Security by Chris Shiflett) and I’m surprised the WordPress guys use it on its own! (Unless it’s sanitised elsewhere? A WP user would have to confirm that.)

Just wanted to point out that the “jem” in the above comment is not the real Jem, as stated on http://www.jemjabella.co.uk/post/20080218_what_the_hell The comment was posted here by someone else, copying her words and attributing her name.

Basically… the quotation marks in the codes posted aren’t what they should be. If you copy and paste them, they will not work as codes.

I’d have thought a WordPress expert such as yourself would be able to sort out this, Small Potato. Surely you could install a plugin to make sure that the apostrophes aren’t magically fiddled with when located in code tags?

WP fix any security issues they find; they would never use $_SERVER without some protection. Still, as Jem says (from another site), it won’t allow anyone to search the entire server.

Secondly, how does changing echo $s change anything, since echoing something won’t do damage? Any code injection will be in the form, submitted via the DB. Changing what is echoed will not change what is submitted.

[…] WordPress is a very extensive system that lets users add plugins or easily change entire themes. It is precisely those that become the biggest weakness of the whole system. For those who program, I don’t need to say that every programmer has their own code and every designer their own design. That is why it is very important to be careful about the theme you choose. I myself got burned on the design you can see on my blog. It is not my creation; it is an adopted design that I later modified. Its creators, however, did not care much about security (or about code quality), and so I am still struggling with it today. I removed the bugs gradually, as they were reported to me, and there were plenty. So I want to warn you: choose a design that is popular and has passed through many people’s hands, as it is then less likely that the design is vulnerable. For those who create their own design, do not use <?php echo $_SERVER['PHP_SELF']; ?>; instead use the bloginfo() function (or get_bloginfo() if you do not want the output printed immediately): <?php bloginfo('home'); ?>. More tips for designers who build their own WordPress design can be found at WPDesigner. […]

[…] will help make your WordPress installation more secure. Some you may already know from elsewhere; others will certainly be new. If you cannot be bothered with these things […]

@Nick
Could you not echo some javascript?

[…] WPdesigner advises NOT using this code in the search.php file […]


[…] WPdesigner advises us to NOT use this search code in the search.php […]

First point is outright wrong. Amusingly so.

Wordpress uses a bootstrap index.php file as a controller to interpret all GET requests (amongst other things). The $_SERVER[’PHP_SELF’] variable is simply telling the form to submit the search query to the script that the user is currently on, which because of the bootstrap setup is ALWAYS index.php

Your tip to use bloginfo('home') does absolutely nothing different - the same destination will be echoed out, although index.php will be masked (but ultimately still executed by the end user).

Building pretty themes in Wordpress does not make you a security expert, it would seem. Stick to what you’re best at, eh?

YongFook - Please look again. This was a guest blog article. I didn’t write it.

Naom:

Hi,
I would like to know if tip #1 is wrong or right? Can someone confirm this.
Thanks,
Naom

[…] WPdesigner advises NOT using this code in the search.php file […]



[…] about instead of laying the blame on someone else (however wrong they may be) you correct the post and approve the comment that made you realise […]

Tip 2 is a good one security-wise; however, it will only work if you have register_globals turned on in your PHP setup, something which is inadvisable in itself for security reasons. The following code example will work on all servers, irrespective of the register_globals setting.
Do not use:
<?php echo $_GET['s']; ?>
as it allows malicious code injection.
Use this one:
<?php echo wp_specialchars($_GET['s'], 1); ?>




@Naom: Totally wrong… but it doesn’t hurt anyway.

