WP Smith

Creating WordPress & Genesis Websites Since 2010

Web Accessibility: Making Genesis Accessible

Recently, in the StudioPress forums, there was a conversation regarding Web Accessibility. Spiking my interest, I wondered how accessible Genesis was. If you were to run Genesis through the WAVE Web Accessibility Evaluation Tool as I did to StudioPress's Demo of Genesis (report here). There are three accessibility errors, and all three have to do with a missing label: search form (Genesis), enews and updates form (Genesis), and categories form (dropdown) (WordPress Core). While I am not sure if StudioPress will incorporate these label fixes into their core, they can be easily fixed.

Search Form

To fix the search form label, open search.php in your genesis > lib > structure folder. At line 18, change $form from
[php]$form = '
<form method="get" class="searchform" action="' . get_option('home') . '/" >
<input type="text" value="'. $search_text .'" name="s" class="s"'. $onfocus . $onblur .' />
<input type="submit" class="searchsubmit" value="'. $button_text .'" />
</form>
'; [/php]
to the following:
[php]$form = '
<form method="get" class="searchform" action="' . get_option('home') . '/" >
<label for="s" style="display:none;">Search</label>
<input type="text" value="'. $search_text .'" name="s" id="s" class="s"'. $onfocus . $onblur .' />
<input type="submit" class="searchsubmit" value="'. $button_text .'" />
</form>
'; //added <label for="s" style="display:none;">Search</label> to $form & id="s" [/php]

eNews and Updates Form

To fix the enews and updates form label, open enews-widget.php in your genesis > lib > widgets folder. At line 36, change the <form> from:
[php]<form id="subscribe" action="http://feedburner.google.com/fb/a/mailverify" method="post" target="popupwindow" onsubmit="window.open('http://feedburner.google.com/fb/a/mailverify?uri=<?php echo esc_js( $instance['id'] ); ?>', 'popupwindow', 'scrollbars=yes,width=550,height=520');return true"><input type="text" value="<?php echo esc_attr( $instance['input_text'] ); ?>" id="subbox" onfocus="if (this.value == '<?php echo esc_js( $instance['input_text'] ); ?>') {this.value = '';}" onblur="if (this.value == '') {this.value = '<?php echo esc_js( $instance['input_text'] ); ?>';}" name="email"/><input type="hidden" value="<?php echo esc_attr( $instance['id'] ); ?>" name="uri"/><input type="hidden" name="loc" value="en_US"/><input type="submit" value="<?php echo esc_attr( $instance['button_text'] ); ?>" id="subbutton" /></form>
<?php } [/php]
to the following:
[php]<form id="subscribe" action="http://feedburner.google.com/fb/a/mailverify" method="post" target="popupwindow" onsubmit="window.open('http://feedburner.google.com/fb/a/mailverify?uri=<?php echo esc_js( $instance['id'] ); ?>', 'popupwindow', 'scrollbars=yes,width=550,height=520');return true"><label for="subbox" style="display:none;">enews</label><input type="text" value="<?php echo esc_attr( $instance['input_text'] ); ?>" id="subbox" onfocus="if (this.value == '<?php echo esc_js( $instance['input_text'] ); ?>') {this.value = '';}" onblur="if (this.value == '') {this.value = '<?php echo esc_js( $instance['input_text'] ); ?>';}" name="email"/><input type="hidden" value="<?php echo esc_attr( $instance['id'] ); ?>" name="uri"/><input type="hidden" name="loc" value="en_US"/><input type="submit" value="<?php echo esc_attr( $instance['button_text'] ); ?>" id="subbutton" /></form>
<?php } //added <label for="subbox" style="display:none;">enews</label>[/php]

Dropdown Categories

The last error is actually a WordPress core accessibility "error" and has nothing to do with Genesis. First, this is a WordPress core file and edit this at your own risk and as always backup everything before you edit. If you open category-template.php in your wp-includes folder. So you want to edit line 334 as follows:
ORIGINAL:
[php]$output = "<label for='$id' style='display:none;'>$name</label><select name='$name' id='$id' class='$class' $tab_index_attribute>n"; //added <label for='$id' style='display:none;'>$name</label>[/php]
MODIFIED for Accessibility:
[php]$output = "<label for='$id' style='display:none;'>$name</label><select name='$name' id='$id' class='$class' $tab_index_attribute>n"; //added <label for='$id' style='display:none;'>$name</label>[/php]

Now, I need to suggest this at WordPress trac. Oh dear! DONE: Trac Ticket: http://core.trac.wordpress.org/ticket/16527

Enhanced Latest Tweets Widget Plugin

With the encouragement Enhanced Latest Tweets Widget Plugin Screenshotof Nathan Rice from StudioPress and the huge help from Nick the Geek, I have developed my first plugin.

Enhanced Latest Tweets Widget extends the twitter widget which will now allow you to display a certain number of tweets by a specified user with a specified hashtag in a widget. On the admin side, given the twitter username, you can tell:

  1. how many of the last tweets that you want to display,
  2. whether to hide replies, and
  3. then whether you want to limit the output to contain a certain hashtag (with or without the #).

This widget also enhances the Genesis Theme Framework Twitter Widget. This allows it to take full advantage of the styling already present in the Child Themes while providing the advanced hashtag feature.

This plugin works with the [Genesis Theme Framework] and [Thesis 1.7 Framework].

Here's the Plugin Page to Download

Posting on Two Different Pages When Using a Static Front Page

On one of my sites using Thesis, I wanted to create the WordPress blog so that I can "blog" on two different pages (in my case I wanted a blog blog and a podcast blog) based on categories with a static home page. So I first go to /wp-admin/options-reading.php and select static page and select my front page (Create New Page called Home) and my posts page (Create New Page called Blog). If you want two different blogs then your post page could be something like Blog1.

Since WordPress defaults to one certain page (the posts page) to be able to have it default to two different pages, we will be using Categories to control which posts go where. For example, blog posts (with multiple categories) to one page and my podcast posts (via podpress, with only 2 categories) to another page (called Podcasts).

I use categories for my blog and have two categories (podcast and something else) that I exclude from my blog (or posts page) and create a custom category page (Thesis Tutorial – Creating Custom Categories - Sugarrae) for podcasts (or you can use custom_functions.php to create a custom page with its own CSS, etc). You can use the Front Page Excluded Categories or Simply Exclude or Front Page Category (inclusion method) plugin if your blog is your front page (which here we are using a static page) or you can refer to the WordPress Functions Reference (Function Reference/query posts WordPress Codex) which tell you how to Exclude Posts Belonging to Only One Category (Show all posts except those from a category by prefixing its ID with a '-' (minus) sign) by using the php code query_posts('cat=-3'); manually.

To remove the Podcasts & Podcasts ShowNotes (categories) posts, I added this code to my custom_functions.php

[php]//exclude category from the posts page
function exclude_category($query) {
if ( $query->is_posts_page) {
$query->set('cat', '-324, -20');
}
return $query;
}

add_filter('pre_get_posts', 'exclude_category'); [/php]

is_posts_page (Function Reference/WP Query WordPress Codex says it is available for wp-query) works! The category IDs (-324, -20) can be found when you go to /wp-admin/categories.php and hover over the category, you will see /wp-admin/categories.php?action=edit&cat_ID=XXX at the bottom (in Firefox), or if you click on the category, you will see this in the URL. You want the cat_ID number. The (-) tells the query to exclude the category. So you would replace my numbers 324 and 20 with your category number(s). If you have only one category, it will look like this: $query->set('cat', '-XXX'); but if you have two it will look like this:$query->set('cat', '-XXX, -XXX'); and if you have three it will look like this: $query->set('cat', '-XXX, -XXX, -XXX');.

This creates the Blog posts correctly. Now to create the second one, there are two methods: (1) Custom Category Page (see Sugarrae's Creating Custom Categories) or (2) Custom Page (see DIY's Custom Page tutorial). The easier option is to use the custom categories (usually renders a url of domain.com/category/podcasts/), but the sweeter way is the Custom Page.

I hope this helps!

The Best Security Plugins for WordPress

Security should be everyone's number one priority. This needs to be determined from the outset, and with WordPress's growing popularity you can expect more and more hacks/hackers. If you have not heard already there are a few hacks already spreading through the WordPress community. However, there are plugins that can help patch up the WordPress CMS to help.

My favorites have been (not all are WordPress 3.0 compatible) and are:

  1. Admin Log (Download, Directory): Displays a list of all the admin pages accessed in the Blog admin area. This is updated every time a page in the admin area is accessed. Information displayed includes: admin page accessed, user, and time of access. However, this should be filtered better because it’s keeping some access pages that are unnecessary at all.
  2. Admin SSL (Download, Directoy): This administrator security plugin is very helpful to protect the admin pages, posts, secured logins, supports all SSL setups and encrypted cookie content. This plugin is compatible on wordpress 2.3-2.7 versions only.
  3. Akismet: This is a standard spam application that comes with WordPress by default. Be sure to set this up and have this running almost immediately.
  4. Angsuman's WordPress Guard Plugin (Download): This plugin adds Double Security For WordPress Administrator Panel, Protection over wp-admin directory, and Protection Against Future Vulnerabilities. Adding password protection to /wp-admin/ adds a 2nd layer of protection around your blog's admin area, login, and files. This forces an attacker or bot to attack this 2nd layer of protection instead of your actual admin files. This dramatically increases your security
  5. Authenticated WordPress (Download): The free Authenticated WordPress Plugin (compatible with all versions of WordPress) makes your blog content (posts, pages, categories etc.) accessible to registered users only. This allows you to display content to your users in a controlled fashion. It also allows private blogging i.e. makes your blog accessible to selected people only (like family and/or friends and/or business associates).
  6. Anonymous WordPress Plugin (Download, Directory): All the WordPress versions 2.3 and above have the feature to get automatic updates for plugins. During this process it will send some of your information like your blog’s URL, version number, list of installed plugins and activated plugins to WordPress.org. This information could be of potential use for hackers. So to avoid this, installing Anonymous WordPress plug-in is a feasible option. It will strip off your blog’s URL and version number and empty the activated plugins list. This plug-in is compatible with WordPress 2.3 and above.
  7. AskApache Password Protect (Download, Directory): It will block the bots and creates a safe wall for any vulnerability your WordPress blog may have. It will protect your password as well as your WordPress directories like the wp admin-directory, wp-includes, wp-content, including plugins. This protects your Admin-panel with a powerful htaccess protection, preventing all spambots and unwanted users to access you site. It provides you complete control over your site from both sides.
  8. Blogsecurify (Download): Forces users to login over a secure communication channel (SSL). This is similar in functionality to Force SSL plugin. As with Force SSL, it requires your server to have SSL enabled which also means it needs a SSL server certificate which doesn't come cheap and is a recurring expense.
  9. Chap Secure Login (Download): If you are not having a secure connection like SSL to protect your password, then you can use this plug-in for encrypting passwords. It will use the Chap protocol to hide the passwords and transmit it encrypted. The only information that is transmitted unencrypted is your username. Protecting password will give full security because password leaks will enable the hacker the gain full control of your WordPress blog.
  10. Database Backups: There are two that I use with this and I don't know which I prefer quite yet. WP-DB-Backup (Download, Directory) is a WordPress specific plugin that creates backups of your core WordPress tables as well as other tables of your choice in the same database. The content can be backedup at your HDD, email, domain space. You can restore the entire database with the same greatness if it is accidentally deleted or deleted by other hackers. This is the must have Plugin for your wordpress. Backupify is a social/web 2.0 backup system that can backup Facebook, Twitter, Flickr, Picasa, PhotoBucket, Delicious, Hotmail, Friendfeed, Basecamp, Zoho, Blogger, WordPress, and Google Apps.
  11. Force SSL (Download, Directory): For those will an SSL certificate, this plugin forces an HTTPS connection for security purposes. Force SSL simply redirects requests made via regular old http to requests for trusty new https, the SSL connection (secure connection).
  12. Invisible Defender (Download, Directory): This anti-sypbot plugin protects the registration, login and comment forms from spambots by adding the 2 extra fields that were hidden by CSS (cascading style sheet). This shows the number of blocked spammers in your Dashboard.
  13. Login Encrypt (Download, Directory): This will help encrypt the login information using the complex DES and RSA combination. It uses the JavaScript appended and encrypted the password of the user and generates a unique DES key. And by using this key, user can have secure login each time they login to your blog.
  14. Login Lockdown (Download, Directory): This records the IP address and time-stamp of every failed login. If certain login failure attempts were made from same IP range in certain period of time, it will disable all the requests from that range, which may also include yourself.
  15. Replace WP-Version (Download, Directory, German Homepage): Secure your WordPress installation and eliminate or replace your wp-version and database-version on easy way with a small plugin.
  16. Secure Files (Download): This plugin allows you to upload and download files from outside of your web document root for security purposes. It can be used to can restrict file downloads to users that are logged in, or have a certain user level.
  17. Secure WP (Download, Directory, German Homepage): It will help secure WordPress installation by removing miscellaneous items after the installation process which may aid hackers, such as your login pages, forums, adds index.html to plugin directory, removes wp-version except in admin-panel. Secure WordPress will add a blank index.html to the plug-in directory such that if anyone is trying to view the contents of the directory they will be viewing a blank page instead of the contents.
  18. Semisecure Login (Download, Directory): This increases the security of your WordPress login. This uses client-side MD5 encryption on password when the user log-ins. But many of the users neglect it, if they are using ForceSSL or AdminSSL.
  19. Theme Authenticity Checker (Directory): Scan all of your theme files for potentially malicious or unwanted code. This is a helpful plugin for you to check any theme you download somewhere to make sure the theme is safe for using.
  20. WordPress File Monitor (Download, Directory): Monitors your WordPress installation for editing/adding/deleting files. When a change is detected an email alert can be sent to a specified address. It also has ability to record the time-stamp of one of the above 3 modifications.
  21. WP-Ban (Directory): Wp-Ban bans users by IP, IP Range, host name, user agent and referer url from visiting your WordPress’s blog. It will display a custom ban message when the banned IP, IP range, host name, user agent or referer url tries to visit you blog. You can also exclude certain IPs from being banned. There will be statistics recordered on how many times they attemp to visit your blog. It allows wildcard matching too.
  22. wp-dephorm (Download, Directory): wp-dephorm protects your users from the prying eyes of phorm. This is achieved by setting a cookie to opt out of the phorm information mining. Your blog viewers will not have there information stored and used in marketing campaigns whilst viewing your site
  23. WP-Security Scan (Download, Directory): Semper Fi Web Design probably has one of the best security plugins available. Scans your WordPress installation for security vulnerabilities and suggests corrective actions regarding: passwords, file permissions, database security, version hiding, and WordPress admin protection/security.
  24. WP-SpamFree (Download): An extremely powerful anti-spam plugin for WordPress that eliminates comment spam, including trackback and pingback spam. It works invisibly without CAPTCHA’s, or other inconvenience to site visitors. The plugin includes spam-free contact form feature as well.

Now I do not use all of these plugins, or even half of these. However, there are some essential security items that must be addressed. The plugins that I use on every site are: Akismet, WP-DB-Backup (and/or Backupify), Login Lockdown, Secure WordPress (or Secure WP), and CHAP Secure Login or Semisecure Login or Login Encrypt.

There is one more that is in beta and is only by invitation, and that is WP-Security. More information forthcoming.