WordPress Emergency Support – Here We Are!

If you need WordPress tech support in an emergency, if a crisis arises and you need your WordPress fixed as soon as you can snap your fingers — here we are!

Well, slightly longer than “snapping your fingers” — but not much.

We pride ourselves not only on our high quality (plus reasonable cost) but, above all, on our speed. We’re obsessed. Middle of the night? There. The wee hours before sunrise? We’re there. In some crazy timezone on the other side of the world? We’re doubly there.

Of course, we can’t promise 24/7 solutions because we’re brutally honest: sometimes, we just can’t solve the problem that quickly. Sometimes, uninstalling this, re-installing that, changing this whole other thing around, just takes time.

Time, and a lot of coffee!

Here’s one tip. Call us any time — but if we don’t answer, it doesn’t mean we’re sleeping. We’re likely focused and it’s 3am here and Miina’s trying to solve this problem, Jesmin another problem, Kristi a third problem — and so we don’t even have the virtual phone turned on! Just leave a message or send us an email. When we come up to breathe soon, we’ll call you back or send you a note.

There’s an obvious question: “don’t you ever sleep?”.

Well, glad you asked! A few things. First, we drink a lot of coffee. Secondly, we do sneak in naps. Third — more seriously (although the coffee point was indeed serious!) — this is an advantage we have of being partially distributed. Although our home base is in Palo Alto, in Silicon Valley, a few of us are based in Tallinn, Estonia — which positions us perfectly so that, at most times, someone is likely focusing.

Conclusion: you need a WordPress fix in a pinch. Well, here we are. Just call. Or email.

-morgan

How Come WordPress Isn’t More Secure?

A question we get a lot is, Why Isn’t WordPress more secure?

Excellent question. We used to wonder this ourselves, when we got started!

A few reasons:

First, due to historical legacy reasons. WordPress was built the way it was built, using great technology of the time. PHP was the coolest thing ever! Perhaps today, it is easier to build a safer system from scratch, but it wasn’t when it was first developed. Technologies change, but software remains in the language it was written.

Secondly, there is a trade-off between “flexibility / ease of development” and “security.” Said differently: What makes WordPress so amazing is that it is sooooo easy to work with: you can quickly, trivially, change the source, change a design, add a widget — do almost anything. We love it because it lets us make any changes we want without much effort. But with great power comes great responsibility: the ease of development has its cost, and that cost is in security (and performance – but that’s a topic for another day). To implement so many ideal security measures would slow down the core dev… and no one wants that. Well, “no one” except for us!

Third, shockingly, many of the security measures are controversial. Incredible to believe, I know! Take, for example, banning IP addresses that hit too many 404s. Let me explain. A common tactic to break into a site is to just try lots and lots of URLs that contain plugins with known vulnerabilities, to see if the user happens to have one or not. If they do — hack! If they don’t — a “file not found” (404) error. But there’s a downside to this: logging every 404 could bloat the database to be huge — thus slowing down the site. Plus, during stages like developing the site, the developers often go to URLs that may not exist — thus accidentally locking themselves out. (No, that’s never happened to me, no, never, and especially not two days ago, which served as the inspiration for this blog post — no, of course not, this is merely hypothetical.) As a result, the core WordPress development team has made a trade-off on purpose: let’s leave WordPress with the minimum configurations possible, and then let each site administrator decide for himself which trade-offs he/she’s willing to make. As a man who loves flexibility, I support this philosophy.
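The 404 counting described above, as an added example (not WPSOS's or WordPress's own code): it keeps only a short sliding window per IP in memory instead of logging every 404 to the database, and takes an allowlist so developers do not lock themselves out. The log lines, threshold, window and function names are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the start of an Apache/nginx "combined" access-log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def find_404_offenders(lines, threshold=5, window=timedelta(seconds=60), allowlist=()):
    """Return {ip: time the limit was reached} for IPs with too many 404s."""
    recent = defaultdict(deque)  # ip -> 404 timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "404":
            continue
        ip = m.group(1)
        if ip in allowlist or ip in offenders:
            continue  # developers are exempt; flagged IPs need no more state
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:  # forget 404s older than the window
            hits.popleft()
        if len(hits) >= threshold:
            offenders[ip] = when
            del recent[ip]
    return offenders

def sample_log():
    """Constructed access-log lines (documentation IPs, made-up paths)."""
    fmt = '{ip} - - [12/May/2015:03:10:{s:02d} +0000] "GET {path} HTTP/1.1" {code} 0'
    lines = [fmt.format(ip="203.0.113.9", s=s, code=404,
                        path=f"/wp-content/plugins/p{s}/readme.txt")
             for s in range(6)]   # probing: six 404s in six seconds
    lines += [fmt.format(ip="198.51.100.7", s=s * 10, code=404, path=f"/draft-{s}")
              for s in range(6)]  # developer: six 404s spread over a minute
    lines.append(fmt.format(ip="192.0.2.44", s=30, code=404, path="/old-post"))
    lines.append(fmt.format(ip="192.0.2.44", s=31, code=200, path="/"))
    return lines

if __name__ == "__main__":
    for ip, when in find_404_offenders(sample_log(), allowlist={"198.51.100.7"}).items():
        print(ip, "reached the 404 limit at", when.isoformat())
```

Without the allowlist the developer's address is flagged as well, which is exactly the lock-out the paragraph describes.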

These are the three core reasons. Perhaps there are more, but it’s too early in the morning for me to think of now!

Any questions? Bueller, Bueller? Just ask!

-Morgan

Client Questions: Where Are Your Developers?

A common question clients and potential clients ask us is, where are your developers?

Excellent question: many people prefer working with people in a similar time-zone, or who speak the same language — or who are next door, so they can go knock on the door and have a coffee (or beat them over the head!).

Answer: the co-founders split between two offices, in Palo Alto and in Tallinn, Estonia. We’re a small team, so when we say “office”, think about 6 people sitting around a table — not the Googleplex. (Yet!). Most of our supporting development team is in Estonia.

Estonia is an interesting and unique place. The birthplace of Skype, it’s also a core European country — but it’s always been a bit on the outskirts. Their language just isn’t related to any other known language (except Finnish and Hungarian, oddly enough) — and the culture is one of Nordic, northern European professionalism, seriousness, and problem-solving.

But the best part of working with Estonians is this: their almost-native command of the English language. The education and entire culture there is, effectively, bilingual in Estonian and English. As a result, the communication is as smooth as our team is professional.

But with the other part of our team in Palo Alto, we have a strong American face as well. Half the team is American, and we understand deeply both the American culture, and the unique dynamics of the tech space and Silicon Valley.

Have any questions? Just ask — we love to talk!

WordPress Plugin: Square Bracket Hack Prevention

The Square Bracket Hack Prevention plugin prevents a simple but very common exploit of WordPress, by adding in a .htaccess rule preventing hackers from adding a “[” to the URL.

A common attempt at a WordPress exploit is to add a “[” to a URL, which can often break a site and expose an ability to inject code. This plugin stops it by banning all attempts at adding a “[” to the URL. It does so by adding a rule to the .htaccess file.

Additionally, upon the uninstallation of the plugin, the line is removed. And if the .htaccess file is not editable, then the admin user is warned.

The installation and use is very straightforward. You should:

1. Upload the folder `square-bracket-hack-prevention` to the `/wp-content/plugins/` directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress

If you have any suggestions, please let us know! You can contact us via http://wpsos.io/.

WordPress Plugin: Unblock CSS & JS for Googlebot

The Unblock CSS & JS for Googlebot plugin allows Googlebot to access the JavaScript and CSS files.

Google periodically sends webmasters warnings that their JavaScript .js files and their CSS stylesheets are blocked – even when the webmasters have never explicitly done so. In fact, it is estimated that 85% of all users of Google webmaster tools have received such a warning.

Unblock CSS & JS for Googlebot solves this problem for you — and no configuration is needed. Just install and activate the plugin.

How does it work? It just adds in three lines to your robots.txt file to ensure the Google spider can get through.

You don’t want it anymore? Just uninstall and the added lines will be removed.

The installation and use is very straightforward. You should:

1. Upload the folder `allow-googlebot` to the `/wp-content/plugins/` directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress

If you have any suggestions, please let us know! You can contact us via http://wpsos.io/.

WordPress Plugin: Automatic Copyright Year

Automatic Copyright Year seeks to solve a common problem: keeping your copyright year up-to-date.

It’s a problem all of us had: on January 1st every year, we need to go through every one of our websites and update all the footers. And when we see other people’s sites that, in the footer, say, “(c) 1998” then suddenly it’s revealed how out-of-date the site is.

With Automatic Copyright Year, this problem will never happen to you!

Instead of going through every site you have each year on the 1st of January and changing the year manually, now it will all be done seamlessly for you. Just install the Automatic Copyright Year plugin and voila: your sites will always have an up-to-date copyright.

The installation and use is very straightforward. You should:

1. Upload the folder `automatic-copyright-year` to the `/wp-content/plugins/` directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress
3. Add ‘<span>[wpsos_year]</span>’ to a widget or to anywhere inside the html footer element

As of version 1.0, there is no need to modify any options. The plugin will go through the content of your widgets and the html footer tag and replace <span>[wpsos_year]</span> with the current year number.

If you have any suggestions, please let us know! You can contact us via http://wpsos.io/.

Password Protecting WordPress wp-admin Folder

Protecting the wp-admin folder with HTTP authentication adds an additional protection layer for your server. Password protecting the admin area makes it harder to brute-force access (it’s also possible to password protect only wp-login.php).

To harden the wp-admin folder, create a .htpasswd file to store the password for the additional authentication (to create the file manually, you can use this htpasswd generator, for example).

Create a .htaccess file in the wp-admin folder. Note that password protecting the whole wp-admin folder breaks any code that uses AJAX on the front-end, so make sure to allow /wp-admin/admin-ajax.php.

The content of the .htaccess file:

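# Keep the password file outside the web root so it cannot be downloaded
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Restricted"
Require valid-user

# Leave admin-ajax.php reachable without the extra password, since
# front-end AJAX calls go through it (Apache 2.2-style directives;
# Apache 2.4 needs mod_access_compat for them)
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>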

Hiding the WordPress Version

If a weakness is found in WordPress version 4.2 and it’s patched in version 4.2.2, the sites determined to be running the older version can be targets for attacks.

There are a few places from where the WordPress version can be detected:

– generator meta tag in the header (`<meta name="generator" content="WordPress 4.2.2" />`)
– RSS feed
– Stylesheets and scripts without specified version will add the WP version as default (stylesheet.css?ver=4.2.2)
– default readme file

1. To hide the WordPress version from the header and from the RSS feed, all you need to do is add the following code to your functions.php:

// Return an empty string in place of the generator tag
function wpsos_remove_wp_version() {
    return '';
}
add_filter( 'the_generator', 'wpsos_remove_wp_version' );

2. To hide the WordPress version from the stylesheet and script links, you can modify the links and remove the version before they are displayed in the browser, by adding the following lines to functions.php:

function wpsos_remove_wp_version_links( $src ) {
    global $wp_version;
    // If the version is set in the link and equals the current WP version
    // (strict comparison: strpos() returns false when there is no match)
    if ( strpos( $src, 'ver=' . $wp_version ) !== false ) {
        // Remove the version arg from the link
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'wpsos_remove_wp_version_links' );
add_filter( 'style_loader_src', 'wpsos_remove_wp_version_links' );

3. The default readme.html with information about the WordPress version can be found at http://yoursitename.com/readme.html. If the file is there, remove it.

Note: it’s still highly recommended to always update to the latest version of WordPress!
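To check that the changes above took effect, here is an added example (not part of the original post or of any WPSOS plugin) that scans a page's HTML or an RSS feed for the places listed earlier where a known core version still shows. The sample markup is constructed, and `find_version_leaks` is a hypothetical helper name.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

class _LeakFinder(HTMLParser):
    """Collects the places where a known WordPress core version is exposed."""
    def __init__(self, wp_version):
        super().__init__()
        self.wp_version, self.leaks, self._in_generator = wp_version, [], False

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            m = re.search(r"WordPress\s+([\d.]+)", a.get("content", ""))
            if m and m.group(1) == self.wp_version:
                self.leaks.append("generator meta tag")
        elif tag in ("script", "link"):
            url = urlsplit(a.get("src") or a.get("href") or "")
            # Only ver= equal to the core version is a leak; library versions
            # such as jQuery's are left alone, as in the PHP filter.
            if self.wp_version in parse_qs(url.query).get("ver", []):
                self.leaks.append("asset " + url.path)
        elif tag == "generator":  # RSS <generator> element
            self._in_generator = True

    def handle_endtag(self, tag):
        if tag == "generator":
            self._in_generator = False

    def handle_data(self, data):
        m = re.search(r"[?&]v=([\d.]+)", data) if self._in_generator else None
        if m and m.group(1) == self.wp_version:
            self.leaks.append("feed generator element")

def find_version_leaks(document, wp_version):
    """Return the places in an HTML page or RSS feed that expose wp_version."""
    finder = _LeakFinder(wp_version)
    finder.feed(document)
    finder.close()
    return finder.leaks

# Constructed samples: a page before and after the functions.php changes, and a feed.
BEFORE_HTML = '''<head><meta name="generator" content="WordPress 4.2.2" />
<link rel="stylesheet" href="/wp-content/themes/t/style.css?ver=4.2.2" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.11.2"></script></head>'''
AFTER_HTML = '''<head><link rel="stylesheet" href="/wp-content/themes/t/style.css" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.11.2"></script></head>'''
FEED = "<rss><channel><generator>http://wordpress.org/?v=4.2.2</generator></channel></rss>"

if __name__ == "__main__":
    for name, doc in (("before", BEFORE_HTML), ("after", AFTER_HTML), ("feed", FEED)):
        print(name, find_version_leaks(doc, "4.2.2"))
```

The readme.html file is not covered here, since checking it requires a request to the site itself.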

WordPress Plugin: Add or Remove Www

The WordPress plugin Add or Remove Www seeks to solve a common problem: preventing redirects from a www- version to a non-www version of a site — or vice-versa.

Add or Remove Www lets you easily configure your WordPress site to always (or never) use the www. subdomain in all links of the posts and pages.

It’s common that you’ll create a content link or include an image, linking to http://YourSiteNameHereForExample.com/imageExample.jpg — but your server then redirects that to http://www.YourSiteNameHereForExample.com/imageExample.jpg . That adds in an extra server request and delay to the user.

Instead of going through every image and link, one by one, making sure they’re all consistent, Add or Remove Www changes the links.

Note: version 1.0 does NOT change all the previously existing URLs; it affects all the content and image URLs that are saved/modified after activating the plugin and choosing the suitable option.

We plan on adding more options to be edited — if you have any other suggestions, please let us know! You can contact us via http://wpsos.io.

The installation and use is very straightforward. You should:

1. Upload the folder `add-or-remove-www` to the `/wp-content/plugins/` directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress
3. From the ‘Settings’ menu, there should be a new option, called ‘Add Or Remove Www’

As of version 1.0, you can choose between two options: using the URLs with or without www. The option affects all the post and page URLs, including image URLs.
Note: the version 1.0 does NOT change all the previously existing URLs, it affects all the content and image URLs that are saved/modified after saving the option.

WordPress Plugin: Tweak Hidden Options

Tweak Hidden Options is a safe and easy-to-use way to modify various WordPress options that WordPress doesn’t link to from the standard WordPress interface.

All options are provided as safe drop-down selections, without any user-input data, so that it is perfectly safe for any user to use.

We plan on adding many more options to be edited — if you have any other suggestions, please let us know! You can contact us via http://wpsos.io/

The installation and use is very straightforward. You should:

1. Upload the folder `tweak-hidden-options` to the `/wp-content/plugins/` directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress
3. From the ‘Settings’ menu, there should be a new option, called ‘Tweak Hidden Options’

Version 1.0 supports the following options:

* comment_order,
* gzipcompression,
* image_default_align,
* image_default_size,
* image_default_link_type.

Note: changing the image options has effect only on images uploaded afterwards.