WP Smith

Creating WordPress & Genesis Websites Since 2010


Aug 03 2011

How to Force a Specific Layout for a Page Template in Genesis

The other day, I was creating a page template using the standard approach for forcing a specific layout. However, with page templates, this works only if the user has not selected a specific layout for the page in the Genesis Layouts metabox. So you could either hide the Genesis metabox, or have the page template ignore any changes made in the layout metabox (less coding!).

The normal procedure is as follows:

[php]
add_filter('genesis_pre_get_option_site_layout', '__genesis_return_full_width_content');
[/php]

However, this ignores any custom fields that may upset it. Because the filter is pre_get_option_*, the user can accidentally override the "forced" layout. If you don't want the user to override it, you need to go a step further: add one more line of code to ensure that a page can never have a different layout. One way is to set the post meta to always be whatever you want.

[php]
global $post;
// Force Page Layout for Page Template
update_post_meta( $post->ID, '_genesis_layout', 'full-width-content' );
[/php]

However, the Genesis approach would be to set it via the pre site layout Filter.

Written by Travis Smith · Categorized: Genesis, Tutorials

Jul 16 2011

Conditionally Remove Post Info from Posts Using Custom Fields

So recently, someone asked me how to remove post info only from specific posts using custom fields. Here is what I came up with:

First, set your custom field name to whatever you'd like it to be. I used no_post_info. And then set its value. I used true, but it really can be anything (other than false or null).

Then add to your functions.php:
[php]<?php
add_filter('genesis_post_info', 'wps_post_info_filter');
function wps_post_info_filter($post_info) {
    // again, no_post_info can be whatever you name your custom field
    if ( genesis_get_custom_field('no_post_info') ) {
        $post_info = '';
    }
    return $post_info;
}
[/php]

Written by Travis Smith · Categorized: Genesis, Tutorials

Jun 17 2011

Security for Your WordPress Site: Processes, Passwords, & Plugins

One of the most important things to consider when developing a site for a client is client education and training on site security. It is true that once we develop a site for someone, information security belongs to them. We could have implemented all the best WordPress security plugins and processes, but if the user has a poor password, then it will only be a matter of time before they are exploited.

So, first and foremost, information security (site security) belongs to both the developer and the client. As far as the client is concerned, if their site gets hacked or there is a problem with the site due to security vulnerabilities, the first person they will blame is the developer. However, if we educate our clients on the importance of information security, while it may be their tendency to blame the developer, it may not be their first recourse. Simply speaking, information security is everyone's responsibility.

Most of this information was obtained from the WordCamp Phoenix Security Presentation by WPVibe.com co-founder Dre Armeda along with CEO and founder of Webdev Studios, Brad Williams.

So what are some security tips around passwords, plugins, and processes?

Processes

  • Browser Processes
    1. Use a secure connection whenever possible, e.g., https://.
    2. Use the NoScript Firefox extension if you use Firefox.
  • FTP Processes
    1. Use sFTP or SSH instead of normal FTP. FTP passes passwords unencrypted.
    2. Don't store credentials in your FTP client. As tempting as it is to have browsers and FTP clients remember your credentials, avoid doing this.
  • Hosting
    1. Use hosts that talk about security. Free hosting is nice, but the cost of recovering a site may not be worth it.
    2. Purchase an SSL certificate from your hosting company.
  • WordPress
    1. Update WordPress! Minor WordPress versions (3.0.x, 3.1.x, 3.2.x) don't necessarily need development testing. Major releases (3.0, 3.1, 3.2) should be tested in a development/staging environment before implementation. WordPress is open source, and once a vulnerability is found, it is publicly known. If your site has not been updated, then all the hackers in the world know how to hack your site.
    2. Update Plugins! Read the changelog and change details to determine whether the update adds new features, patches issues or known problems, or is a security upgrade.
    3. Change database table prefix. The default is wp_ and everyone knows this, so change it to something unique. The famous five-minute install has a place for you to do this upon installation. There are also plugins that will help you change it, and if you know phpMyAdmin and MySQL, the prefixes can be changed rather easily. See also my pictorial guide: Pictorial Tutorial on WordPress Security: Change the WP_ Prefix
    4. Use Secret Keys with your wp-config.php. To get your secret keys, visit the WordPress Secret Keys API. It's a hashing salt for your cookies on your computer. Newer installations have this in them already; however, older installations may not have it. So if you started with an older WordPress installation and have upgraded, you may want to check to make sure these are in place. Changing these on a live site will only render current cookies invalid and will have no adverse effects on the site.
    5. Lockdown WP Login and WP Admin. Add the following code in wp-config.php to force SSL on login and on all Admin pages. Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping.
      On login only
      [php]define( 'FORCE_SSL_LOGIN', true );[/php]
      On admin pages
      [php]define( 'FORCE_SSL_ADMIN', true );[/php]
    6. Create .htaccess file in your wp-admin to lockdown IP addresses. Add the following lines of code to your .htaccess:
      [html]
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
      order deny,allow
      deny from all
      #IP address to Whitelist
      allow from 67.123.83.59
      allow from 123.123.123.123
      [/html]
      This example will only allow a user with the IP 67.123.83.59 or 123.123.123.123 to access wp-admin. However, note that IP addresses do change. If you are locked out, you can edit the file to include your new IP address, or you can simply delete the file. Also, this file will not be deleted on WordPress upgrades since it does not belong to WordPress core.
    7. Move wp-config.php. WordPress features the ability to move the wp-config.php one directory above your WordPress root. So if your WordPress wp-config.php file is located at public_html/wordpress/wp-config.php, you can move it to public_html/wp-config.php.
    8. Disable WordPress Generator Tag. Viewing the source on most WordPress sites will reveal the version they are running. This helps hackers find vulnerable installations or older versions. To remove the code, find the following code in your header.php and remove it.
      [html]<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />[/html]
      The wp_head() function also includes the WP version in your header. To remove it, add the following to your functions.php file:
      [php]remove_action( 'wp_head' , 'wp_generator' );[/php]
      Themes and plugins may also output their versions, but some may have an option to remove it, such as the Genesis Framework.
    9. Use Trusted Sources for Themes and Plugins. Use WordPress.org. Themes found elsewhere may have some base64() code that can break your site or just add some black hat SEO. Instead of solely relying on Google or your favorite search engine, use these trusted sources:
      1. WordPress.org Theme Directory
      2. WooThemes
      3. Themelab
      4. Theme Hybrid
      5. ThemeShaper (Thematic)
    10. Don't use admin for your username. All WordPress installs before WordPress 3.0 had an admin account. Change the admin username in MySQL: UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin'; Or:
      1. Create a new account with a unique username
      2. Assign account to Administrator role
      3. Log out and log back in with new account
      4. Delete admin account (WordPress will allow you to reassign all content written by admin to an account of your choice.)
    11. File/Folder Permissions. Good rule of thumb:
      • files should be set to 644
      • folders to 755
      • If your host requires 777, switch hosts.
      • This can be easily checked/set via FileZilla by right-clicking on the file/folder and clicking on File Permissions. Or via SSH:

        • find [your path here] -type d -exec chmod 755 {} \;
        • find [your path here] -type f -exec chmod 644 {} \;
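
A read-only check for items 3, 4, 5 and 11 of the checklist above, as an added example that is not part of the original post: it lists files and folders that deviate from 644/755 and reports a default table prefix, missing or placeholder secret keys, and a missing FORCE_SSL_ADMIN in wp-config.php. The function names and the sample install it builds when run without arguments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: read-only audit for checklist
# items 3, 4, 5 and 11. Function names and the sample install are constructed.

# Item 11: list files that are not 644 and directories that are not 755.
audit_perms() {
    find "$1" \( -type f ! -perm 644 -o -type d ! -perm 755 \) -print | sort
}

# Items 3-5: print one line per weak setting in the wp-config.php at $1.
audit_wp_config() {
    q="['\"]" s='[[:space:]]*'
    # Item 3: default table prefix still in use
    grep -Eq "^$s\\\$table_prefix$s=$s${q}wp_$q" "$1" && echo "table_prefix: default wp_"
    # Item 4: every key and salt defined, and not the sample placeholder
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        line=$(grep -E "^${s}define\($s$q$k$q" "$1" || true)
        if [ -z "$line" ]; then
            echo "$k: missing"
        elif printf '%s\n' "$line" | grep -q 'put your unique phrase here'; then
            echo "$k: placeholder"
        fi
    done
    # Item 5: FORCE_SSL_ADMIN defined as true
    grep -Eiq "^${s}define\($s${q}FORCE_SSL_ADMIN$q$s,$s$q?true$q?$s\)" "$1" ||
        echo "FORCE_SSL_ADMIN: not enabled"
    return 0
}

# Constructed sample install: default prefix, one placeholder key, 777 directory.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/wp-content" && chmod 755 "$d" && chmod 777 "$d/wp-content"
    printf '%s\n' '<?php' "\$table_prefix = 'wp_';" \
        "define('AUTH_KEY', 'put your unique phrase here');" \
        "define( 'FORCE_SSL_ADMIN', true );" > "$d/wp-config.php"
    chmod 644 "$d/wp-config.php"
    echo "$d"
}

# Audit the directory given as $1, or the constructed sample when none is given.
main() {
    root=${1:-$(make_sample)}
    audit_perms "$root"
    audit_wp_config "$root/wp-config.php"
}
main "$@"
```

If wp-config.php has been moved one directory above the WordPress root (item 7), call audit_wp_config with that path directly.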

Passwords

  • Use different passwords for your different sites.
  • Use a password management tool
  • Change passwords often
  • Don't ever share your passwords with anyone

Plugins

Security Plugins:

  1. WordPress Exploit Scanner
  2. WordPress File Monitor
  3. Login Lockdown
  4. AskApache Password Protect
  5. BulletProof Security
  6. Secure WordPress
  7. BackupBuddy: Contains a Malware scanner module
  8. See also WP Smith: The Best Security Plugins for WordPress 3.0+

Backup Plugins:

  1. WP Time Machine
  2. WP-DB Backup
  3. BackupBuddy
  4. VaultPress

Website Scanning Tools

  1. Sucuri.net
  2. Unmask Parasites

Malware Removal

  1. Sucuri.net
  2. VaultPress

Security Related Codex Articles

  • Hardening WordPress
  • Changing File Permissions
  • Editing wp-config.php
  • htaccess for subdirectories

Blog Security Articles (beware of the date published!)

  • WP Beginner's Vital Tips and Hacks to Protect your WordPress Admin Area
  • Sucuri.net
  • GrowMap: WordPress Exploits
  • WP Candy: Clever WordPress Security Tips
  • SemLabs
  • 18 WordPress Security Plugins & Tips To Secure Your Blog
  • Cats Who Code: 10 Easy Ways to Secure your WordPress Blog
  • WP Smith: The Best Security Plugins for WordPress 3.0+

Info graphic by WPBeginner:

Written by Travis Smith · Categorized: Tutorials, WordPress

Jun 13 2011

How to Add a Log In/Log Out Link to a Specific Custom Menu

If you are like me, you may use a framework or theme that supports multiple menu locations. In a previous post, I discussed how to add a login or logout menu item based on menu location. However, if you use the custom menu widget, this tutorial won't help you.

Also, if you are like me, you may want to be able to customize the Log In or Log Out to Sign In or Sign Out. So to add a customized log in or log out menu item at the end of the menu, add this to your functions.php:

[php]
add_filter('wp_nav_menu_items', 'wps_add_login_logout_link', 10, 2);
function wps_add_login_logout_link($items, $args) {
    $login  = __('Sign in');
    $logout = __('Sign out');

    // URL to redirect to after logging in or out; empty uses the WordPress default
    $redirect = '';

    // use one of the following methods of identification
    $menu_id   = '34';
    $menu_name = ''; // name you gave to the menu
    $menu_slug = ''; // slug of the menu, generally menu_name reduced to lowercase

    if ( ! is_user_logged_in() ) {
        $link = '<a href="' . esc_url( wp_login_url( $redirect ) ) . '">' . $login . '</a>';
    } else {
        $link = '<a href="' . esc_url( wp_logout_url( $redirect ) ) . '">' . $logout . '</a>';
    }

    // append the link only to the menu identified above
    if ( ($menu_id) && ($args->menu->term_id == $menu_id) ) {
        $items .= '<li>' . $link . '</li>';
    } elseif ( ($menu_name) && ($args->menu->name == $menu_name) ) {
        $items .= '<li>' . $link . '</li>';
    } elseif ( ($menu_slug) && ($args->menu->slug == $menu_slug) ) {
        $items .= '<li>' . $link . '</li>';
    }

    return $items;
}
[/php]

Written by Travis Smith · Categorized: Tutorials

Jun 11 2011

Filter Hidden Metaboxes

So I don't lose this, I wanted to post this. To filter the default hidden meta boxes, use this code in functions.php:

[php]// priority 10, 2 accepted arguments so the callback also receives $screen
add_filter('default_hidden_meta_boxes', 'be_hidden_meta_boxes', 10, 2);
function be_hidden_meta_boxes($hidden, $screen) {
    if ( 'post' == $screen->base || 'page' == $screen->base ) {
        // removed 'postcustom',
        $hidden = array('slugdiv', 'trackbacksdiv', 'postexcerpt', 'commentstatusdiv', 'commentsdiv', 'authordiv', 'revisionsdiv');
    }
    return $hidden;
}[/php]

Written by Travis Smith · Categorized: Tutorials, WordPress
