Tag Archives: WordPress

Disabling the WordPress File Editor

The problem with the WordPress file editor is that it allows users to run PHP code on your site.  Anytime a user is able to run their own code, this presents a security risk.  If an insecure admin account is hacked, the WordPress file editor is the gateway through which a full-fledged attack can be carried out.

Finding the WordPress File Editor

WordPress File Editor

The WordPress file editor can be a great tool because it allows you to make changes to theme and plugin files on your site directly from the WordPress administration area.  Most of the time, people who utilize this tool will edit their theme’s style.css file in order to make tweaks to their site.  This can be a blessing in disguise.  We will go into the issues with the file editor in the next section, but right now I want to point out where it is so you can know if it is enabled on your site.

Finding the file editor is pretty simple.  Log in to the administration area of your site and expand the ‘Appearance’ and ‘Plugins’ menu items by clicking on the arrow that appears on the right-hand side when you hover over the menu items.  If the word ‘Editor’ appears in either of these menus, then you know that the WordPress file editor is active on your site.

Concerns and Security Risks

As I mentioned earlier, the WordPress file editor is a great tool, but there are a few big reasons why you may want to disable it on your site.

WordPress users can mess things up. You do have to have administrative permissions to be able to view and use the file editor, but just because you are an administrator doesn’t mean you know what you are doing.  WordPress web designers and developers will likely want to disable the theme and plugin editor for their clients in order to prevent them from messing with things that they don’t understand.  Web designers may not want the client making those CSS changes to the theme because their client doesn’t understand the importance of cross-browser compatibility.  Web developers may want to block this feature because inserting a single character in the wrong place in a PHP file can crash the site.

It is a gateway for hackers. WordPress is a secure platform, but users are often the weak link.  Most people don’t think about it, but your WordPress admin account is only as secure as you make it.  Let’s say a hacker knows your username and is able to crack your password.  Now they have full admin access to your WordPress site.  Where would they go to gain more access?  Yep… the WordPress file editor.  The file editor will allow them to run scripts to upload destructive files, email all your users, access your database, you name it.

Is disabling the file editor the answer?  If you don’t use it anyway, definitely.  If you do use it, just make sure you take enough precautions with site security so that you are the only one who ever sees it.

Disabling the File Editor

So if you agree with me that disabling the file editor is a good idea, you will be pleased to know that it is extremely simple to do.  Just add this line of code to your wp-config.php file:

define('DISALLOW_FILE_EDIT', TRUE);

Yep, that’s it!  Just one measly line of code can stand in the way of you and trouble… go ahead and add it right now.  It only takes 5 minutes. 🙂

http://codex.wordpress.org/Editing_wp-config.php#Disable_the_Plugin_and_Theme_Editor
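As an added example (not code from the original post), here is a small must-use plugin that tells administrators whether the define above actually took effect. It relies on the fact that WordPress core strips the edit_themes and edit_plugins capabilities when DISALLOW_FILE_EDIT is true, so a capability check confirms the constant is set in the right place. The plugin name and the fea_ function names are hypothetical.

```php
<?php
/**
 * Plugin Name: File Editor Audit Notice (hypothetical, added example)
 * Description: Warns administrators when the theme/plugin editor is still reachable.
 * Drop this file into wp-content/mu-plugins/ so it loads without activation.
 */

/**
 * Returns true when the file editor is effectively disabled.
 *
 * Two signals are combined: the DISALLOW_FILE_EDIT constant from wp-config.php,
 * and whether the current user has lost the edit_themes / edit_plugins
 * capabilities. Core removes those capabilities when the constant is true, so
 * if the constant is set but the capabilities remain, the define() was most
 * likely placed below the "That's all, stop editing!" line in wp-config.php.
 */
function fea_file_editor_is_disabled() {
    $constant_set = defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT;
    $caps_removed = ! current_user_can( 'edit_themes' ) && ! current_user_can( 'edit_plugins' );
    return $constant_set && $caps_removed;
}

function fea_admin_notice() {
    // Only administrators can reach the editor, so only they need the warning.
    if ( ! current_user_can( 'manage_options' ) || fea_file_editor_is_disabled() ) {
        return;
    }
    $constant_set = defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT;
    $hint = $constant_set
        ? 'DISALLOW_FILE_EDIT is set but the editor capabilities are still granted; move the define() above the "stop editing" line in wp-config.php.'
        : "Add define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php.";
    printf(
        '<div class="notice notice-warning"><p>%s %s</p></div>',
        esc_html( 'The theme and plugin file editor is enabled on this site.' ),
        esc_html( $hint )
    );
}
add_action( 'admin_notices', 'fea_admin_notice' );
```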


Securing your WordPress Admin Accounts

On its own, WordPress is a very secure platform.  However, when you start introducing third party software and people into the system, this can change.  Today we are going to go over some good policies that every site administrator should put into place.

Don’t Give Away Your Username

Obviously if someone knows your username that you use to log in to your site, all they have left is to guess your password.  It used to be that WordPress automatically assigned the ‘admin’ username to the administrator when a site was created.  If for any reason your username is set to ‘admin’ you will want to change it.

WordPress won’t allow you to change your username after the fact, so you will have to follow these steps to fix it:

  1. Log into your administrator account.
  2. Create a new administrator account with a secure username.
  3. Log in using the new administrator account.
  4. Delete your old administrator account.
  5. When asked what to do with the content created by the old user, assign everything to the new user.

Changing your display name in WordPress profile settings

Beyond just avoiding using ‘admin’ as your username, you will need to prevent WordPress from displaying your username on the front of the site.  By default, your username is displayed on the front end of the site for all the posts that you have authored.  This is done because the username is required during user creation and not all users have assigned another name to appear on the site.  Thankfully, WordPress allows you to display the name of your choice on the front end of the site.  The image above illustrates the last step in this process:

  1. Log in to your administrator account.
  2. In the menu on the left, go to ‘Users’ -> ‘Your Profile’.
  3. Enter in a nickname that is different from your username.
  4. In the ‘Display name publicly as’ dropdown, select your nickname.

If you don’t mind displaying your real name on the site, you can always display that as well.  Keep in mind that if your username was being displayed on the site before, you will want to follow the aforementioned steps for changing the username for your admin account.

Use Secure Passwords

All too often people use insecure passwords because they are easy to type or easy to remember.  Here are a few pointers on secure passwords:

  1. Never use obvious or easy to guess passwords.  ‘Password’ or your pet’s name should definitely be marked off the list.  Also, don’t use the name of your spouse, parts of your address or other personal information like your birthdate.
  2. Don’t use a password across multiple accounts.  If someone were to gain access to your password for one account it would compromise all of your other accounts.  When I use the word ‘accounts’ here, I mean any website where you might have a username and password.
  3. Make your password long enough. The shorter your password is, the more likely a hacker will be able to crack it.  As a password gets longer, it becomes exponentially more difficult to crack.  Eight characters should be the minimum here.
  4. Mix up your characters. Don’t just use all letters or numbers, or even all upper or lowercase for that matter.
  5. Actually change your password occasionally.

Title Template Tags in WordPress

WordPress themers should be aware of all the different title template tags out there for properly calling page titles.  Not every function will work in all situations, so you have to think carefully about what to use and where.

Below is my synopsis of all the title template tags that WordPress has to offer:

Template Tag – Proper Usage
wp_title() – Used to display the page title within the HTML <title> tag.  This is typically altered for SEO purposes and should not be used to display page titles in the content area of a page.
the_title() – Used within the loop to display the title of a post or page.  This function outputs the title immediately and is a wrapper function for get_the_title().
get_the_title() – Used to fetch the title of a post or page.  Can be used outside the loop if is_singular() is true.  This is the only function on our list that doesn’t automatically print out the title to the page.  You can optionally provide an ID and get the page title for another page as well.
single_post_title() – Used outside the loop to display the title for a single post or page.  This function also works when trying to display the title for the posts page when a user’s settings have designated a static page to display their blog.
single_cat_title() – Used outside the loop on category pages to display the title for WordPress’s built-in categories.  It is now just a wrapper function for single_term_title() and will probably be deprecated in the future.
single_tag_title() – Used outside the loop on tag pages to display the title for WordPress’s built-in tags.  It is now just a wrapper function for single_term_title() and will probably be deprecated in the future.
single_term_title() – Used outside the loop on taxonomy pages to display the title for any taxonomy.  This means that this function can be used instead of single_cat_title() and single_tag_title() and will also work for any custom taxonomies that have been defined.
single_month_title() – Used outside the loop to display the title for date based archives.  The title will display the month and year and will require you to assign a prefix in order for it to appear correctly.  If a user is on a year based archive page, only the year will appear in the title.
post_type_archive_title() – Used outside the loop to display the title on the main archives page (aka posts page) for custom post types ONLY.
the_search_query() – Used outside the loop to display the search query.  Great to use in your search.php theme file, if you have one.

I would love to hear if and how you have been using these in your themes.

Get the title for the posts page in WordPress

This little tidbit is for all you WordPress themers out there.  It is important that your theme displays the proper title on the page no matter what settings a user has on their site.  As you probably are already aware, a user can go to ‘Settings’ -> ‘Reading’ in the WordPress admin menu and change what pages are used for the front page and the posts page (aka blog page).

Set Blog Page in WordPress

So in the example above, I want to set a static page as my homepage and delegate another page to host my blog (aka posts page).  So now that my posts page is no longer the front page, I want to display the page title that the user assigned to that page in my theme.  This helps add clarity for users and makes all of my pages have a more consistent appearance.  As an example, it could be that I am using the posts page for displaying news items and want to label my posts page ‘News’.

Rather than leaving it up to the user to go in and try to hack your theme to get the page title to appear, you decide you want to display this page title for them automatically.

WordPress provides you with the the_title() function, which works great inside the loop.  The problem is that you are using it inside the loop to display the title for all of your blog entries on the page, and that won’t do you any good when trying to fetch the page title outside the loop.  If you try to use this function for the page title outside the loop, all you get is the title of the first post on the page.

So how do we fetch the page title for our posts page?

There are two ways to do it.  First is the easy way:

single_post_title();

The only problem you might encounter with this method is that the function echoes our title immediately.  If you want to get the title as a variable for any reason, you would have to use output buffering to do it.

You can use the get_the_title() function to get the title of a page as a variable just by providing the ID.  If you don’t provide an ID, then the function will try to fetch the ID for the current page.  Unfortunately, this function doesn’t detect the current page ID properly in our use case, which is why using the_title() function didn’t work for us earlier:  the_title() is just a wrapper function for get_the_title().

Luckily for us, WordPress does store the ID of the page you want to use for the posts page in the database.  So we can fetch the title as a variable, like this:

$our_title = get_the_title( get_option( 'page_for_posts' ) );

This may be more than you ever needed to know about fetching the title for an assigned posts page, but now you know! 😉
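Pulling the template-tag table and the posts-page trick together, here is an added example (not code from the original post) of one theme helper that returns the right title as a string outside the loop for whichever view is being rendered. The function name my_theme_archive_title() is hypothetical; every conditional tag and template tag it calls is WordPress core, and the display=false arguments make the echoing tags return instead.

```php
<?php
/**
 * Returns the title for the current view as a plain string, so the theme can
 * print it outside the loop with esc_html(). Hypothetical helper for a theme.
 */
function my_theme_archive_title() {
    // Posts page assigned under Settings -> Reading while a static front page
    // is in use. The page ID is stored in the 'page_for_posts' option; the
    // second argument of get_option() is a default, so it is left out here.
    if ( is_home() && ! is_front_page() ) {
        $posts_page_id = (int) get_option( 'page_for_posts' );
        return $posts_page_id ? get_the_title( $posts_page_id ) : get_bloginfo( 'name' );
    }
    if ( is_singular() ) {
        // get_the_title() is safe outside the loop when is_singular() is true.
        return get_the_title();
    }
    if ( is_category() || is_tag() || is_tax() ) {
        // One call covers categories, tags and custom taxonomies.
        return single_term_title( '', false );
    }
    if ( is_post_type_archive() ) {
        return post_type_archive_title( '', false );
    }
    if ( is_search() ) {
        // get_search_query( false ) returns the raw query; escape at output time.
        return sprintf( 'Search results for "%s"', get_search_query( false ) );
    }
    if ( is_date() ) {
        // Month + year on monthly archives, year only on yearly archives.
        return single_month_title( '', false );
    }
    return get_bloginfo( 'name' );
}
```

In a template, print it as `<h1><?php echo esc_html( my_theme_archive_title() ); ?></h1>` so the title is escaped once regardless of which branch produced it.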

Creating a Photo Gallery in WordPress

Many people get confused when trying to create a photo gallery in WordPress. It isn’t obvious at first glance how to utilize this built-in feature. Let me walk you step-by-step through how to create a photo gallery by uploading images from your computer or by using images already in your media library.  Just in case you need a little more help, you can follow along with the video!


Adding Pages to a WordPress Site

WordPress is a popular solution for managing websites nowadays.  The reason it is so popular is the simplicity with which you can add or manage the content on your site.

Using WordPress for the first time can be a bit confusing, but once you get the hang of things, I guarantee you will love it!  One of the first tasks you will need to learn to perform is how to add a page to your site.  Here is a great video from WordPress.tv on how to add pages:

Adding Pages to Your WordPress Website

  • Log in to administrative back-end of your WordPress site.  Typically, you can reach the login by typing in your normal website address and adding /wp-admin on the end.
  • Next, click on ‘Pages’ in the navigation menu on the left-hand side.  If you have pages already, they will appear on this page.
  • To add a page, click on the ‘Add New’ button in the ‘Pages’ sub-menu or at the top of the page that just loaded.
  • Now, you should be on the ‘Add New Page’ screen.   The first box you will need to fill in is the title.  Below the title field is a text editor where you can put the content you want to appear on your page.

Add New Page Screen in WordPress

  • On the right-hand side, you will see some options.  If you want to add this as a sub-page of another page, you can do so in the ‘Page Attributes’ box.
  • Once you are ready to publish your page, just click on the blue ‘Publish’ button in the ‘Publish’ box at the top right of the page.
  • Once the page has been published, you will see a notification at the top of the page with a link to view your page on the main site.

So that is it in a nutshell.  It is pretty simple, but feel free to ask any questions in the comments.

Choosing a WordPress Theme

Choosing a WordPress theme can be a confusing task for a lot of people.  Everyone can choose a theme that looks nice, but being able to head off potential problems before you launch a theme on a live site is extremely important.  As a WordPress developer, I am often asked to review WordPress themes for clients.  In order to avoid major issues, I recommend doing the following checks on any theme that you are seriously considering.  These checks are listed in the order that they should be done:

  1. Date Last Updated – If you are looking at free themes in the WordPress theme repository, you can easily check this by clicking on the theme you are interested in and checking the ‘Last Updated’ date in the right-hand column.  You really want to find a theme that has been updated relatively recently.  The idea here is that you don’t want to have to hire someone to make a lot of changes to be sure it is compatible with the most recent version of WordPress.  If you are buying a premium theme, you will want to be sure that you will have access to support and upgrades.

  2. Test Thoroughly – You can demo most themes before you download them, whether they are free themes or paid.  If you can’t demo a paid theme before you download it, I would recommend looking elsewhere.  Make sure you don’t just look at the homepage on the demo; visit all the possible links and watch out for issues.  Once you decide to download the theme, perform the same checks you did in the demo and make sure that all the functionality that you are expecting is available in the admin area.  This will require that you have some content on the site.  If the theme doesn’t take advantage of features like the new customized menus, or doesn’t support widgets, this would be a deal-breaker for most people.  If you really like the theme, you can have a WordPress developer fix these things for you.  You may also want to consider how easily you can insert your logo.

  3. Code Quality – Run your theme through a markup validation service to see how it checks out.  If you don’t mind touching code, disable any WordPress plugins and make sure the theme you want to check is active.  In your wp-config.php file, found in the root directory that you installed WordPress in, drop in this line of code: define('WP_DEBUG', true);.  You will now be able to see any errors with the PHP code in the theme.  Hopefully, there won’t be any.  Poor code simply means more issues that will have to be fixed.  Watch out for themes that try to obfuscate the code so you can’t change it.  It is important that you are able to make changes as needed.

  4. Cross-Browser Compatibility – Your visitors may be viewing your site using Internet Explorer, Firefox, Safari, Google Chrome, Opera or another web browser.  Regardless of the browser or version being used, you still want them to be able to see and use the site.  Adobe BrowserLab is currently a free service that will allow you to see how your site will look in different browsers.

This list applies to any type of theme, not just WordPress.  Even if you are having a web developer create a custom theme for you, be sure to personally do checks 2-4!

MailChimp Setup

Automating your E-mail Newsletter with MailChimp

As you may already know, WordPress and other content management systems automatically generate an RSS feed with the content you create. MailChimp is an online e-mail distribution software that can take an RSS feed and use it to fuel an e-mail newsletter. Find out how…

WordPress and BuddyPress – SEO meets Social Media

Third party social media tools are great for bringing in new visitors and keeping your brand in front of loyal followers.  What if you could create your own social media sphere where your visitors can connect with each other?  Do you think you would have more people stick around?