WordPress Emergency Support — Here We Are!

If you need WordPress tech support in an emergency, if a crisis arises and you need your WordPress fixed as soon as you can snap your fingers — here we are!

Well, slightly longer than “snapping your fingers” — but not much.

We pride ourselves not only on our high quality (plus reasonable cost) but, above all, our speed. We’re obsessed. Middle of the night? There. The wee hours before sunrise? We’re there. Some crazy timezone on the other side of the world you’re in? We’re doubly there.

Of course, we can’t promise 24/7 solutions because we’re brutally honest: sometimes, we just can’t solve the problem that quickly. Sometimes, uninstalling this, re-installing that, changing this whole other thing around, just takes time.

Time, and a lot of coffee!

Here’s one tip. Call us any time — but if we don’t answer, it doesn’t mean we’re sleeping. We’re likely focused and it’s 3am here and Miina’s trying to solve this problem, Jesmin another problem, Kristi a third problem — and so we don’t even have the virtual phone turned on! Just leave a message or send us an email. When we come up to breathe soon, we’ll call you back or send you a note.

There’s an obvious question: “don’t you ever sleep?”

Well, glad you asked! A few things. First, we drink a lot of coffee. Secondly, we do sneak in naps. Third — more seriously (although the coffee point was indeed serious!) — this is an advantage we have to being partially distributed. Although our home base is in Palo Alto, in Silicon Valley, a few of us are based in Tallinn, Estonia — which positions us perfectly so that, at most times, someone is likely focusing.

Conclusion: you need a WordPress fix in a pinch. Well, here we are. Just call. Or email.

-morgan

How Come WordPress Isn’t More Secure?

A question we get a lot is, why isn’t WordPress more secure?

Excellent question. We used to wonder this ourselves, when we got started!

A few reasons:

First, historical legacy reasons. WordPress was built the way it was built, using great technology of the time. PHP was the coolest thing ever! Perhaps today it is easier to build a safer system from scratch, but it wasn’t when WordPress was first developed. Technologies change, but software remains in the language it was written in.

Secondly, there is a trade-off between “flexibility / ease of development” and “security.” Said differently: what makes WordPress so amazing is that it is sooooo easy to work with: you can quickly, trivially, change the source, change a design, add a widget — do almost anything. We love it because it lets us make any changes we want without much effort. But with great power comes great responsibility: the ease of development has its cost, and that cost is in security (and performance — but that’s a topic for another day). To implement so many ideal security measures would slow down the core development… and no one wants that. Well, “no one” except for us!

Third, shockingly, many of the security measures are controversial. Incredible to believe, I know! Take, for example, banning IP addresses that hit too many 404s. Let me explain. A common tactic to break into a site is to just try lots and lots of URLs that contain plugins with known vulnerabilities, to see if the user happens to have them or not. If they do — hack! If they don’t — a “file not found” (404) error. But there’s a downside to this: logging every 404 could bloat the database to be huge — thus slowing down the site. Plus, during stages like developing the site, the developers often go to URLs that may not exist — thus accidentally locking themselves out. (No, that’s never happened to me, no, never, and especially not two days ago, which served as the inspiration for this blog post — no, of course not, this is merely hypothetical.) As a result, the core WordPress development team has made a trade-off on purpose: let’s leave WordPress with the minimum configurations possible, and then let each site administrator decide for himself which trade-offs he/she’s willing to make. As a man who loves flexibility, I support this philosophy.
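To make the trade-off concrete, here is an added example (not from the post, and not a WPSOS plugin) of the “ban IPs that hit too many 404s” measure implemented inside WordPress, with the two downsides the paragraph names handled: per-IP counters live in expiring transients rather than a log table that bloats the database, and an allowlist keeps developers from locking themselves out while they poke at URLs that do not exist yet. The threshold, window and allowlist addresses are assumptions.

```php
<?php
// Added example, not from the post: a small 404 rate limiter for WordPress.
// Drop into a plugin file or functions.php. Limits below are assumptions.
define( 'WPSOS_EXAMPLE_404_LIMIT', 20 );                       // 404s allowed per IP ...
define( 'WPSOS_EXAMPLE_404_WINDOW', 10 * MINUTE_IN_SECONDS );  // ... inside this sliding window

// Addresses that are never counted or blocked (developers, office, VPN).
function wpsos_example_allowlist() {
    return array( '127.0.0.1', '::1' );
}

function wpsos_example_client_ip() {
    // REMOTE_ADDR is the only address the web server vouches for; X-Forwarded-For
    // is client-controlled unless a trusted reverse proxy overwrites it.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Runs once the main query is resolved, so is_404() is reliable.
function wpsos_example_track_404() {
    if ( ! is_404() ) {
        return;
    }
    $ip = wpsos_example_client_ip();
    if ( in_array( $ip, wpsos_example_allowlist(), true ) ) {
        return;
    }
    $key   = 'wpsos_404_' . md5( $ip );
    $count = (int) get_transient( $key ) + 1;
    // Transients expire on their own: no rows accumulate for every 404 ever seen.
    set_transient( $key, $count, WPSOS_EXAMPLE_404_WINDOW );
    if ( $count > WPSOS_EXAMPLE_404_LIMIT ) {
        set_transient( 'wpsos_block_' . md5( $ip ), 1, WPSOS_EXAMPLE_404_WINDOW );
    }
}
add_action( 'template_redirect', 'wpsos_example_track_404' );

// Runs early on every request: a blocked address gets a 403 before WordPress
// does any further work, and the block lifts by itself when the transient expires.
function wpsos_example_enforce_block() {
    $ip = wpsos_example_client_ip();
    if ( get_transient( 'wpsos_block_' . md5( $ip ) ) ) {
        status_header( 403 );
        exit( 'Too many requests for missing pages.' );
    }
}
add_action( 'init', 'wpsos_example_enforce_block' );
```

Because the block is keyed on the IP address, anything behind a shared NAT or a CDN that does not pass the real client address through will be counted as one visitor, which is exactly the kind of site-specific trade-off the paragraph describes leaving to the administrator.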

These are the three core reasons. Perhaps there are more, but it’s too early in the morning for me to think of them now!

Any questions? Bueller, Bueller? Just ask!

-Morgan

Client Questions: Where Are Your Developers?

A common question clients and potential clients ask us is, where are your developers?

Excellent question: many people prefer working with people in a similar time-zone, or who speak the same language — or who are next door, so they can go knock on the door and have a coffee (or beat them over the head!).

Answer: the co-founders split between two offices, in Palo Alto and in Tallinn, Estonia. We’re a small team, so when we say “office”, think about 6 people sitting around a table — not the Googleplex. (Yet!) Most of our supporting development team is in Estonia.

Estonia is an interesting and unique place. The birthplace of Skype, it’s also a core European country — but it’s always been a bit on the outskirts. Their language just isn’t related to any other known language (except Finnish and Hungarian, oddly enough) — and the culture is one of Nordic, northern European professionalism, seriousness, and problem-solving.

But the best part of working with Estonians is this: their almost-native command of the English language. The education and entire culture there is, effectively, bilingual in Estonian and English. As a result, the communication is as smooth as our team is professional.

But with the other part of our team in Palo Alto, we have a strong American face as well. Half the team is American, and we understand deeply both the American culture, and the unique dynamics of the tech space and Silicon Valley.

Have any questions? Just ask — we love to talk!

WordPress Plugin: Square Bracket Hack Prevention

The Square Bracket Hack Prevention plugin prevents a simple but very common exploit of WordPress, by adding a .htaccess rule preventing hackers from adding a “[” to the URL.

A common attempt at a WPSOS exploit is to add a “[” to a URL, which can often break a site and expose an ability to inject code. This plugin stops it by banning all attempts at adding a “[” to the URL. It does so by adding code to the .htaccess file.

Additionally, upon uninstallation of the plugin, the line is removed. And if the .htaccess file is not editable, the admin user is warned.
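The mechanism described above, as an added example that is not the plugin’s own code (the post does not publish it): activation writes a marker block into .htaccess with WordPress’s insert_with_markers(), uninstall strips that block again, and a failed write is surfaced as an admin notice. The rewrite rule itself is an assumption; it rejects any request whose raw request line contains a literal “[”. One caveat before deploying such a rule: it also rejects legitimate PHP-style array query strings such as ?ids[]=1, so check that nothing on the site relies on them.

```php
<?php
/*
Plugin Name: Square Bracket Request Blocker (added example)
Description: Illustrates the .htaccess mechanism the post describes; not the WPSOS plugin's code.
*/

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Marker text used in the "# BEGIN ..." / "# END ..." comment lines in .htaccess.
define( 'SBHP_MARKER', 'Square Bracket Hack Prevention (example)' );

// The rule is an assumption: the post does not print its own rule.
// THE_REQUEST is the raw request line, so a "[" in the path or the query string matches.
function sbhp_rules() {
    return array(
        '<IfModule mod_rewrite.c>',
        'RewriteEngine On',
        'RewriteCond %{THE_REQUEST} \[',
        'RewriteRule .* - [F,L]',
        '</IfModule>',
    );
}

function sbhp_htaccess_path() {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    return get_home_path() . '.htaccess';
}

// Writes the rules between the markers (creating .htaccess if it does not exist).
// Returns false when the file exists but is not writable.
function sbhp_write_rules() {
    require_once ABSPATH . 'wp-admin/includes/misc.php';
    $file = sbhp_htaccess_path();
    if ( file_exists( $file ) && ! wp_is_writable( $file ) ) {
        return false;
    }
    return (bool) insert_with_markers( $file, SBHP_MARKER, sbhp_rules() );
}

// Removes the whole marker block, markers included, so uninstall leaves no trace.
function sbhp_remove_rules() {
    $file = sbhp_htaccess_path();
    if ( ! file_exists( $file ) || ! wp_is_writable( $file ) ) {
        return false;
    }
    $marker  = preg_quote( SBHP_MARKER, '/' );
    $pattern = '/\n?# BEGIN ' . $marker . '\n.*?# END ' . $marker . '\n?/s';
    $data    = preg_replace( $pattern, "\n", file_get_contents( $file ) );
    return false !== file_put_contents( $file, $data );
}

function sbhp_activate() {
    if ( ! sbhp_write_rules() ) {
        update_option( 'sbhp_htaccess_error', 1 ); // remembered until an admin sees the notice
    } else {
        delete_option( 'sbhp_htaccess_error' );
    }
}
register_activation_hook( __FILE__, 'sbhp_activate' );

function sbhp_uninstall() {
    sbhp_remove_rules();
    delete_option( 'sbhp_htaccess_error' );
}
register_uninstall_hook( __FILE__, 'sbhp_uninstall' );

// Warn administrators when the rule could not be written.
function sbhp_admin_notice() {
    if ( get_option( 'sbhp_htaccess_error' ) && current_user_can( 'manage_options' ) ) {
        echo '<div class="notice notice-error"><p>'
            . esc_html( '.htaccess is not writable, so the square bracket rule was not added. Add it by hand or fix the file permissions.' )
            . '</p></div>';
    }
}
add_action( 'admin_notices', 'sbhp_admin_notice' );
```

The block is wrapped in IfModule so a host without mod_rewrite does not return a 500 for every request; in that case the rule silently does nothing, which is worth checking for after activation.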

The installation and use is very straightforward. You should:

1. Upload the folder ‘square-bracket-hack-prevention’ to the ‘/wp-content/plugins/’ directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress

If you have any suggestions, please let us know! You can contact us via http://wpsos.io/.

WordPress Plugin: Unblock CSS & JS for Googlebot

The Unblock CSS & JS for Googlebot plugin allows Googlebot to access the JavaScript and CSS files.

Google periodically sends webmasters warnings that their JavaScript .js files and their CSS stylesheets are blocked — even when the webmasters have never explicitly done so. In fact, it is estimated that 85% of all users of Google webmaster tools have received such a warning.

Unblock CSS & JS for Googlebot solves this problem for you — and no configuration is needed. Just install and activate the plugin.

How does it work? It just adds three lines to your robots.txt file to ensure the Google spider can get through.

You don’t want it anymore? Just uninstall and the added lines will be removed.
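One way to get the same effect through WordPress’s own hooks rather than editing the file on disk, as an added example that is not the plugin’s code: the robots_txt filter rewrites the virtual robots.txt WordPress serves when no physical robots.txt exists (if a real file is present, the web server serves it and this filter never runs). The example appends two Allow lines to the existing “User-agent: *” group instead of opening a new Googlebot group, because a crawler that finds a group for its own name ignores the generic group, including its Disallow rules.

```php
<?php
// Added example, not the Unblock CSS & JS for Googlebot plugin's code.
// Appends Allow rules for stylesheets and scripts to WordPress's virtual robots.txt.
function wpsos_example_allow_assets( $output, $public ) {
    // Sites set to "discourage search engines" get "Disallow: /" and are left alone.
    if ( ! $public ) {
        return $output;
    }
    // Guard against appending twice if the filter is applied more than once.
    if ( false !== strpos( $output, 'Allow: /*.css$' ) ) {
        return $output;
    }
    // No new "User-agent:" line: these rules join the default "User-agent: *" group,
    // so the existing "Disallow: /wp-admin/" line keeps applying to every crawler.
    return rtrim( $output ) . "\nAllow: /*.css$\nAllow: /*.js$\n";
}
add_filter( 'robots_txt', 'wpsos_example_allow_assets', 10, 2 );
```

Removing the filter restores the original output on the next request, which is the hook-based equivalent of the plugin deleting its added lines on uninstall.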

The installation and use is very straightforward. You should:

1. Upload the folder ‘allow-googlebot’ to the ‘/wp-content/plugins/’ directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress

If you have any suggestions, please let us know! You can contact us via http://wpsos.io/.

WordPress Plugin: Automatic Copyright Year

Automatic Copyright Year seeks to solve a common problem: keeping your copyright year up-to-date.

It’s a problem all of us have had: on January 1st every year, we need to go through every one of our websites and update all the footers. And when we see other people’s sites that, in the footer, say “© 1998”, then suddenly it’s revealed how out-of-date the site is.

With Automatic Copyright Year, this problem will never happen to you!

Instead of going through every site you have each year on the 1st of January and changing the year manually, now it will all be done seamlessly for you. Just install the Automatic Copyright Year plugin and voilà: your sites will always have an up-to-date copyright.

The installation and use is very straightforward. You should:

1. Upload the folder ‘automatic-copyright-year’ to the ‘/wp-content/plugins/’ directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress
3. Add ‘<span>2020</span>’ to a widget or anywhere inside the HTML footer element

As of version 1.0, there is no need to modify any options. The plugin will go through the content of your widgets and the HTML footer tag and replace <span>2020</span> with the current year.
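A compact version of what the plugin does, as an added example and not the plugin’s code: one replacement function is applied to widget text through the widget_text filter, and to the rest of the page (the theme’s footer included) through an output buffer started at template_redirect. The marker string is the same <span>2020</span> the instructions above use.

```php
<?php
// Added example, not the Automatic Copyright Year plugin's code.
// Replaces the literal marker <span>2020</span> with the current year.
function wpsos_example_year_marker( $html ) {
    // date_i18n() uses the site's timezone setting, so the year changes at local midnight.
    $year = date_i18n( 'Y' );
    return str_replace( '<span>2020</span>', '<span>' . $year . '</span>', $html );
}

// Text widgets pass their content through this filter before display.
add_filter( 'widget_text', 'wpsos_example_year_marker' );

// Everything the theme prints (header, content, footer) goes through an output
// buffer whose callback runs once when the page is complete; admin and AJAX
// requests are excluded so the replacement never touches editor screens.
function wpsos_example_buffer_page() {
    if ( ! is_admin() && ! wp_doing_ajax() ) {
        ob_start( 'wpsos_example_year_marker' );
    }
}
add_action( 'template_redirect', 'wpsos_example_buffer_page' );
```

If the site is behind a full-page cache, the replacement happens when the page is generated, so the cached copy still needs to expire at least once after New Year for the new year to show.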

If you have any suggestions, please let us know! You can contact us via http://wpsos.io/.

Password Protecting WordPress wp-admin Folder

Protecting the wp-admin folder with HTTP authentication adds an additional protection layer for your server. Password protecting the admin area makes it harder to brute-force access (it’s also possible to password protect only wp-login.php).

For hardening the wp-admin folder, create a .htpasswd file for storing the password of the additional authentication (for creating the file manually, you can use an htpasswd generator, for example).

Create a .htaccess file in the wp-admin folder. Note that password protecting the whole wp-admin folder breaks any code that uses AJAX on the front end, therefore make sure to allow /wp-admin/admin-ajax.php.

The content of the .htaccess file:

```apacheconf
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Restricted"
require valid-user

<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
```
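The same protection written for Apache 2.4, as an added example that is not from the post. Order, Allow from and Satisfy are Apache 2.2 directives; on a 2.4 server they only work while mod_access_compat is loaded, and otherwise every request under wp-admin fails with a 500 error, so the 2.4 form uses Require instead. The .htpasswd path is a placeholder; it should be an absolute path outside the web root.

```apacheconf
# Added example (Apache 2.4 syntax); not part of the original post.
# Needs mod_auth_basic, mod_authn_file and mod_authz_core, all standard in 2.4.
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/to/.htpasswd
Require valid-user

# admin-ajax.php stays reachable without credentials so front-end AJAX keeps working.
# With the default AuthMerging Off, this Require replaces the one above for this file only.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

After saving the file, confirm the behaviour from a browser: /wp-admin/ must prompt for credentials, and a direct request to /wp-admin/admin-ajax.php must not.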

Hiding the WordPress Version

If a weakness is found in WordPress version 4.2 and it’s patched in version 4.2.2, the sites determined to be running on the older version can be targets for attacks.

There are a few places from where the WordPress version can be detected:

- generator meta tag in the header (<meta name="generator" content="WordPress 4.2.2" />)
- RSS feed
- Stylesheets and scripts without a specified version will add the WP version as default (stylesheet.css?ver=4.2.2)
- default readme file

For hiding the WordPress version from the header and from the RSS feed, all you need to do is add the following code to your functions.php:

```php
// Return an empty string for the generator tag in both the HTML head and the feeds.
function wpsos_remove_wp_version() {
    return '';
}
add_filter( 'the_generator', 'wpsos_remove_wp_version' );
```

For hiding the WordPress version from the stylesheet and script links, you can modify the links and remove the version before they are sent to the browser by adding the following lines to functions.php:

```php
function wpsos_remove_wp_version_links( $src ) {
    global $wp_version;
    // If the version is set in the link and equals the current WP version
    if ( strpos( $src, 'ver=' . $wp_version ) !== false ) {
        // Remove the version arg from the link
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'wpsos_remove_wp_version_links' );
add_filter( 'style_loader_src', 'wpsos_remove_wp_version_links' );
```

The default readme.html with information about the WordPress version can be found at http://yoursitename.com/readme.html. In case the file is there, remove it.

Note: it’s still highly recommended to always update to the latest version of WordPress!
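After applying the two functions.php snippets it is worth verifying that the version is actually gone. The following is an added self-check, not from the post, that scans a page’s HTML for the leak locations listed above and checks whether readme.html still answers on your own site; the sample HTML is constructed for the example. Only ?ver= values equal to the running core version are reported, since a plugin’s own version parameter is not a core version leak.

```php
<?php
// Added example, not from the post: find WordPress version leaks in a page's HTML.
// Returns a list of human-readable findings; an empty list means nothing was found.
function wpsos_example_find_version_leaks( $html, $wp_version ) {
    $leaks = array();
    $ver   = preg_quote( $wp_version, '/' );

    // 1. The generator meta tag in the HTML head.
    if ( preg_match( '/<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+' . $ver . '["\']/i', $html ) ) {
        $leaks[] = 'generator meta tag reveals WordPress ' . $wp_version;
    }
    // 2. The <generator> element WordPress writes into RSS feeds.
    if ( preg_match( '/<generator>[^<]*\?v=' . $ver . '<\/generator>/i', $html ) ) {
        $leaks[] = 'feed generator element reveals WordPress ' . $wp_version;
    }
    // 3. Stylesheet and script URLs whose ?ver= equals the core version exactly.
    $pattern = '/(?:href|src)=["\']([^"\']*[?&]ver=' . $ver . ')(?:&[^"\']*)?["\']/i';
    if ( preg_match_all( $pattern, $html, $m ) ) {
        foreach ( $m[1] as $url ) {
            $leaks[] = 'asset URL carries the core version: ' . $url;
        }
    }
    return $leaks;
}

// 4. readme.html: a HEAD request to your own site; true means the file is still served.
function wpsos_example_readme_exposed() {
    $response = wp_remote_head( home_url( '/readme.html' ) );
    return ! is_wp_error( $response ) && 200 === wp_remote_retrieve_response_code( $response );
}

// Constructed sample: a head section as WordPress 4.2.2 emits it without the filters.
$sample_html = '<head>'
    . '<meta name="generator" content="WordPress 4.2.2" />'
    . '<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=4.2.2" />'
    . '<script src="/wp-includes/js/jquery/jquery.js?ver=1.11.3"></script>'
    . '</head>';

// Reports the meta tag and style.css; jquery.js is skipped because 1.11.3 is not the core version.
print_r( wpsos_example_find_version_leaks( $sample_html, '4.2.2' ) );
```

Run the first function against the HTML of the home page and of /feed/ once the filters are active; both should come back empty, and wpsos_example_readme_exposed() should return false once the readme has been deleted.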

WordPress Plugin: Add or Remove Www

The WordPress plugin Add or Remove Www seeks to solve a common problem: preventing redirects from a www version to a non-www version of a site — or vice versa.

Add or Remove Www lets you easily configure your WordPress site to always (or never) use the www. subdomain in all links of the posts and pages.

It’s common that you’ll create a content link or include an image, linking to http://YourSiteNameHereForExample.com/imageExample.jpg — but your server then redirects that to http://www.YourSiteNameHereForExample.com/imageExample.jpg. That adds an extra server request and delay for the user.

Instead of going through every image and link, one by one, making sure they’re all consistent, Add or Remove Www changes the links.

Note: version 1.0 does NOT change previously existing URLs; it affects all the content and image URLs that are saved/modified after activating the plugin and choosing the suitable option.

We plan on adding more options to be edited — if you have any other suggestions, please let us know! You can contact us via http://wpsos.io.

The installation and use is very straightforward. You should:

1. Upload the folder ‘add-or-remove-www’ to the ‘/wp-content/plugins/’ directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress
3. From the ‘Settings’ menu, there should be a new option, called ‘Add Or Remove Www’

As of version 1.0, you can choose between two options: using the URLs with or without www. The option affects all the post and page URLs, including image URLs.
Note: version 1.0 does NOT change previously existing URLs; it affects all the content and image URLs that are saved/modified after saving the option.
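How such save-time rewriting can be done, as an added example rather than the plugin’s own code: the content_save_pre filter runs on post content just before it is stored, and this rewrites every http(s) URL pointing at the site’s own host to the chosen www or non-www form. The option name and its default are assumptions, and, as the note above says for version 1.0, content saved earlier stays untouched until it is re-saved.

```php
<?php
// Added example, not the Add or Remove Www plugin's code.
// Normalises links and image URLs to this site so they all use (or all omit) "www.".
function wpsos_example_normalise_www( $content ) {
    $use_www = (bool) get_option( 'wpsos_example_use_www', false ); // assumed option name
    $host    = wp_parse_url( home_url(), PHP_URL_HOST );
    $bare    = preg_replace( '/^www\./i', '', $host );
    $target  = $use_www ? 'www.' . $bare : $bare;

    // Match the site's host, with or without "www.", only when a path, query, quote,
    // whitespace or tag follows, so a longer foreign host that merely starts with the
    // same letters is not touched. Post content is still slash-escaped at this stage,
    // which is why a backslash is also accepted after the host.
    $pattern = '#(https?://)(?:www\.)?' . preg_quote( $bare, '#' ) . '(?=[/\\\\"\'\s?\#<]|$)#i';
    return preg_replace( $pattern, '${1}' . $target, $content );
}
// Applied to post_content on every save, so existing posts change only when re-saved.
add_filter( 'content_save_pre', 'wpsos_example_normalise_www' );
```

Whichever form is chosen here should match the Site Address (URL) setting, otherwise WordPress’s own canonical redirect will keep bouncing visitors to the other host.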

WordPress Plugin: Tweak Hidden Options

Tweak Hidden Options is a safe and easy-to-use way to modify various WordPress options that WordPress doesn’t link to from the standard WordPress interface.

All options are provided as safe drop-down selects, without any free-form user input, so that it is perfectly safe for any user to use.

We plan on adding many more options to be edited — if you have any other suggestions, please let us know! You can contact us via http://wpsos.io/

The installation and use is very straightforward. You should:

1. Upload the folder ‘tweak-hidden-options’ to the ‘/wp-content/plugins/’ directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress
3. From the ‘Settings’ menu, there should be a new option, called ‘Tweak Hidden Options’

Version 1.0 supports the following options:

* comment_order,
* gzipcompression,
* image_default_align,
* image_default_size,
* image_default_link_type.

Note: changing the image options has effect only on images uploaded afterwards.
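What “select-only, no free-form input” looks like in code, as an added example rather than the plugin’s own: each option is registered through the Settings API with a sanitize callback that accepts only values from a fixed list, so a tampered POST cannot store anything else, and options.php supplies the nonce and capability checks. The option names are the five listed above; the allowed value lists are assumptions.

```php
<?php
// Added example, not the Tweak Hidden Options plugin's code.
// Every option maps to a fixed list of allowed values (lists are assumptions).
function wpsos_example_allowed_values() {
    return array(
        'comment_order'           => array( 'asc', 'desc' ),
        'gzipcompression'         => array( '0', '1' ),
        'image_default_align'     => array( '', 'left', 'center', 'right', 'none' ),
        'image_default_size'      => array( '', 'thumbnail', 'medium', 'large', 'full' ),
        'image_default_link_type' => array( '', 'none', 'file', 'post' ),
    );
}

// Sanitiser for one option: the submitted value is stored only if it is on the list;
// otherwise the current stored value is returned, so an invalid POST changes nothing.
function wpsos_example_sanitise( $option, $value ) {
    $allowed = wpsos_example_allowed_values();
    if ( isset( $allowed[ $option ] ) && in_array( (string) $value, $allowed[ $option ], true ) ) {
        return (string) $value;
    }
    return get_option( $option );
}

function wpsos_example_register_settings() {
    foreach ( wpsos_example_allowed_values() as $option => $values ) {
        register_setting( 'wpsos_example_group', $option, array(
            'sanitize_callback' => function ( $value ) use ( $option ) {
                return wpsos_example_sanitise( $option, $value );
            },
        ) );
    }
}
add_action( 'admin_init', 'wpsos_example_register_settings' );

// Settings page: the form posts to options.php, which verifies the nonce emitted by
// settings_fields() and requires the manage_options capability before saving.
function wpsos_example_render_page() {
    echo '<div class="wrap"><h1>Tweak Hidden Options (example)</h1><form method="post" action="options.php">';
    settings_fields( 'wpsos_example_group' );
    foreach ( wpsos_example_allowed_values() as $option => $values ) {
        $current = (string) get_option( $option );
        echo '<p><label>' . esc_html( $option ) . ' <select name="' . esc_attr( $option ) . '">';
        foreach ( $values as $value ) {
            echo '<option value="' . esc_attr( $value ) . '"' . selected( $current, $value, false ) . '>'
                . esc_html( '' === $value ? '(default)' : $value ) . '</option>';
        }
        echo '</select></label></p>';
    }
    submit_button();
    echo '</form></div>';
}
add_action( 'admin_menu', function () {
    add_options_page( 'Tweak Hidden Options (example)', 'Tweak Hidden Options', 'manage_options', 'wpsos-example', 'wpsos_example_render_page' );
} );
```

The sanitize callback, not the drop-down, is what makes this safe: the HTML select only guides honest users, while the server-side allowlist is what stops a crafted request from writing an arbitrary value into wp_options.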