Category: Content Management Systems

WordCamp Nijmegen – a small review of #WCNMGN

On the 1st and 2nd of September, I attended the very first WordCamp in the lovely city of Nijmegen. Although this conference was the first edition, it was entirely sold out. No wonder though, since Nijmegen has a thriving WordPress meetup and community.

A small impression of my two days of WordCamping in Nijmegen:

Day 1 – Contributor Day

The first day was the traditional contributor day. For those of you who haven’t attended a WordCamp yet, this is basically a day where all attendees unite and work on WordPress. In Nijmegen, there were about 70 people contributing to WordPress. Impressively, a very big “support” team manifested itself (usually, this is one of the smaller teams on a contributor day). Led by Remkus De Vries, we cleaned out the Dutch WordPress forums by removing spam posts and replying to open questions.

After a very tasty lunch in “De Refter” (where I had a lovely “Lekkerbek”), we continued our contributions to WordPress.

Day 2 – Conference Day

The second day was, of course, the day I was looking forward to the most, since I was selected as a speaker and I just LOVE speaking at Dutch WordPress events.

The conference kicked off with an inspirational keynote by Joost De Valk (Yoast), who talked about “5% for the future”. After the break, I went to see a very informative talk by Alain Schlesser on the basics of OOP for plugin development. After that, I went to a hallway track session.

After a delicious lunch, I went to see a talk by Hristo Pandjarov on using WordPress for really big projects, which was (in my opinion) one of the most interesting talks of the day. The next talk in track 2 was my own presentation on Speeding Up WordPress, which was very complementary to Hristo’s talk.

Up next was the afternoon break, followed by more talks I attended in track 2. The standout ones for me were “Pagebuilder Galore” by Wendie Huis in ‘t Veld (websiteclub.nl) and “How to avoid common SEO mistakes” by Michelle Foolen from Yoast.

After the last session, we gathered in track 1 for the closing of the conference, followed by a couple of drinks.

To the organizing team:
Thank you for an awesome conference. Hopefully we’ll see a second edition in 2018. If so, count me in!

Instant Cookie Expire – my first WordPress plugin

Recently, I published my first WordPress plugin: https://wordpress.org/plugins/instant-cookie-expire/. It’s a very basic and simple plugin that does just one thing: it sets the expiry time of the cookie used for password-protected posts to “instant” instead of “10 days”.

This solves the problem that, once the password has been entered, you can access a password-protected post for the next 10 days without having to enter the password again. In some cases, this isn’t the desired behaviour, and so I crafted this one-line plugin.

Primarily, this was a test case though. I wanted to learn the workflow of building WordPress plugins and publishing them to the repository. Currently I’m building my very own WordPress Security plugin (over 1500 lines of code already and still counting), which I hope to release by the end of 2016.

Of course I’ll keep you all posted!
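For readers who want to see how a plugin like this is wired up, here is an added example (not the Instant Cookie Expire plugin’s own code) that uses the core post_password_expires filter, which receives the timestamp WordPress computes for the wp-postpass cookie:

```php
<?php
/**
 * Plugin Name: Session-only post password cookie (example)
 * Description: Added example, not the Instant Cookie Expire plugin itself.
 *              Makes the wp-postpass_* cookie expire with the browser session
 *              instead of after the core default of 10 days.
 */

// Core computes time() + 10 * DAY_IN_SECONDS and passes it through this filter
// right before calling setcookie() in the "postpass" handler of wp-login.php.
add_filter( 'post_password_expires', function ( $expires ) {
    // 0 tells setcookie() to create a session cookie (deleted when the browser
    // closes), which is the shortest useful lifetime: the cookie must still
    // survive the redirect back to the post after the password form is sent.
    // Returning a timestamp in the past would therefore lock visitors out.
    return 0;
} );
```

Drop the file into wp-content/plugins/ (or wp-content/mu-plugins/ to make it non-deactivatable) and re-enter a post password; the cookie will now carry no Expires attribute.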

WordPress and user enumeration through Author Pages rant

Yes. This will be a bit of a rant about WordPress.

Don’t get me wrong. I love and adore WordPress. Hell, I live WordPress. But there are just some things I really don’t like about it (at least from a security perspective).

Most of my major issues are with the default settings of a clean install of WordPress. I’m talking about features such as the XML-RPC protocol, author pages, file editing in the backend (on themes, plugins and core files).

Let’s take “author pages” as an example. I know from experience that this feature of WordPress is used by only a fairly limited number of sites running WordPress.
However, when author pages are active, it’s easy to derive the usernames. That leaves an attacker only the password to find before they’re inside your backend.

If you’d like to know the impact, just add “/?author=1” behind your domain name in the address bar. If author pages are active, it’ll redirect to a URL that contains something like “/author/username”. And this “username” is actually the one you use to log into your wp-admin backend.

And yes, I know there are plugins that can block this for you (such as https://nl-be.wordpress.org/plugins/disable-author-pages/ and several security plugins that offer it as an option), but that’s not my point.

The thing is that these settings are active by default, without an option in the WordPress backend to easily disable them.

My proposition:
Let’s make these functions an “opt-in” functionality. Let them be disabled by default and let’s make it possible to enable them if this is really needed for a specific website. This would make a huge number of WordPress sites that little bit more secure.

I’ve decided I won’t sit back, and I’ve already started working on a security plugin that will disable all of these features and create an “opt-in” menu under “Settings” in the WordPress backend. More on that soon!
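The opt-out that the rant asks for can be implemented with three core hooks. The snippet below is an added example (not the author’s upcoming plugin and not WordPress core); it assumes the site uses a theme that respects the standard template loader:

```php
<?php
/**
 * Plugin Name: Disable author archives (example)
 * Description: Added example, not the author's plugin. Stops /?author=N from
 *              redirecting to /author/<login> and serves author archives as 404,
 *              so the login name is neither in a Location header nor in a page.
 */

// 1. Suppress the canonical redirect that rewrites /?author=1 to the pretty
//    /author/<username> permalink. Returning false keeps the requested URL.
add_filter( 'redirect_canonical', function ( $redirect_url, $requested_url ) {
    if ( isset( $_GET['author'] ) ) {
        return false;
    }
    return $redirect_url;
}, 10, 2 );

// 2. Turn any author archive request (pretty or ?author= form) into a 404 so
//    the archive page itself does not render the display name or slug.
add_action( 'template_redirect', function () {
    if ( is_author() || isset( $_GET['author'] ) ) {
        global $wp_query;
        $wp_query->set_404();   // template loader now picks 404.php
        status_header( 404 );
        nocache_headers();
    }
} );

// 3. Keep themes from emitting /author/<username> links in post bylines.
add_filter( 'author_link', function ( $link ) {
    return home_url( '/' );
}, 10, 1 );
```

After activating it, repeat the check from the post (request /?author=1 and look at the response): a 404 with no Location header means the redirect no longer discloses the login name.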


8 great resources for stock photos

When producing content for your site or blog, you’d usually want to add a great picture to your page or article. However, most stock photos are quite expensive. But thankfully, there are several sites that provide high quality stock photos that are free, even for commercial use. Here’s a list of 8 sites I use the most:

Have fun creating/publishing!

Block xmlrpc attacks via .htaccess

XML-RPC is a protocol that is enabled by default in WordPress. However, since version 3.5 the option to disable this function was removed from the WordPress backend. Since this protocol is prone to abuse, in particular brute-force attacks that try several hundred username and password combinations in one single request, it’s paramount to disable it.

You could do this through a plugin, but a more efficient way would be to add the following RewriteRule to your .htaccess (the dot is escaped so the rule matches the file name literally; the RewriteEngine line is already present in a standard WordPress .htaccess):

RewriteEngine On
RewriteRule ^xmlrpc\.php$ "http://0.0.0.0/" [R=301,L]
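For hosts where editing .htaccess is not possible (nginx, managed hosting), the same hardening can be done from PHP. This is an added example, not the page’s .htaccess approach and not core code; it relies on the core filters xmlrpc_enabled, xmlrpc_methods and wp_headers:

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (example)
 * Description: Added example. Refuses authenticated XML-RPC calls, removes the
 *              methods that allow bundling many login attempts into one request
 *              and that enable pingback abuse, and stops advertising the endpoint.
 */

// Core checks this filter before authenticating any XML-RPC method; false makes
// every credentialed call fail with "XML-RPC services are disabled".
add_filter( 'xmlrpc_enabled', '__return_false' );

// The filter above does not cover unauthenticated methods. system.multicall is
// what lets one HTTP request carry hundreds of login attempts; pingback.ping is
// the reflection vector. Remove them from the method table entirely.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Don't announce the endpoint via the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

To verify, POST a system.listMethods request to /xmlrpc.php on your own site: the response should no longer list system.multicall or pingback.ping, and a wp.getUsersBlogs call should return the "services are disabled" fault instead of a login result.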