
Post Status: New Year’s resolutions for WordPress developers

Editor’s Note: This is a guest post by Jack Lenox. Jack is a developer at Automattic and hails from the United Kingdom.

For just over a year now, I have been working on the WordPress.com VIP team at Automattic. I had been working at Automattic for the two years prior to this – and had been developing sites with PHP and WordPress for almost ten years prior to that. So you might imagine that I had a pretty good handle on developing stuff with WordPress.

And you would be wrong. Getting started with the VIP team was an eye-opening and occasionally terrifying learning experience, occasionally resulting in me thinking: “please excuse me for a moment while I go and fix some horrible vulnerability in all of my WordPress sites.”

Recently, I have cautiously found myself feeling slightly more comfortable with my position on the team. For some time, I have been wanting to document the most interesting and impactful things that I have learned in the past year.

As some readers may know, a significant part of a developer’s job on the VIP team is reviewing code. Thus, with us being at the start of a new year, I have compiled some of the most interesting best practices I have discovered as a list of New Year’s Resolutions:

1. Use strict comparison operators

One of the many quirks of PHP is that it enjoys juggling. In particular, it enjoys juggling types. This means that without explicit instruction, PHP doesn’t see a difference between a string of “string”, an integer of 0, and a boolean value of true.

So for example this:

$var = 0;
if ( $var == 'safe_string' ) {
    return true;
}

Will return true. I know, what?! The easy solution here is to simply use strict comparison operators.

So that’s === instead of ==, and !== instead of !=. This pops up in a few other places too. By default the in_array() function has its strict parameter set to false.

So:

in_array( 0, ['safe_value', 'another string'] );

Will return true. To fix this, simply pass a third parameter of true.

While we’re here, there’s one other form of comparison we should be aware of, and that’s hash_equals(). This provides a string comparison that prevents timing attacks.

Timing attacks are a relatively uncommon form of attack on the web, but they are worth being aware of. What is one? Well, when PHP compares two strings, it compares them one character at a time.

So in the case of something like this:

$submitted_password = $_POST['password']; // For argument's sake, let's say it's "pa45word"
$password = "pa55word";

if ( $submitted_password === $password ) {
    go_forth();
}

PHP’s thought process in human terms is: Is the first character of each string p? Yes it is. Is the second character of each string a? Yes it is. And so on.

It will do this until it realizes that the third characters differ and at that point it will bail. Thus, with sophisticated timing software, a password can gradually be worked out by calculating how long the process is taking. If the process takes slightly longer with one character than it does with every other character, an attacker will know that they have worked out the first character.

Automated processes can keep doing this until the entire password is worked out. hash_equals() will compare two values, but will not bail early if it detects a difference.

In conclusion, if you’re comparing sensitive values, use hash_equals()!
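As an added example, not code from the original post, the following puts the loose and strict forms side by side and shows hash_equals() guarding a token comparison; the allow-list, the function names and the sample values are invented for illustration.

```php
<?php
// Added example, not code from the original post; function names and the
// allow-list are invented for illustration. Behaviour notes refer to PHP 7.
// PHP 8 changed number/string comparison so that 0 == 'view' is false there,
// but the strict forms and hash_equals() behave the same on both.

// An allow-list of actions a request may ask for.
$allowed_actions = array( 'view', 'edit' );

// Loose check: in_array() defaults its third parameter to false, so it
// compares with ==. On PHP 7 an integer 0 (what intval() returns for any
// non-numeric input) is juggled to match 'view' and the check passes.
function is_allowed_loose( $action, array $allowed ) {
	return in_array( $action, $allowed );
}

// Strict check: with the third parameter true the comparison is ===, so the
// type has to match as well and an integer never equals a string.
function is_allowed_strict( $action, array $allowed ) {
	return in_array( $action, $allowed, true );
}

// Comparing a secret with === stops at the first differing byte, so the time
// it takes depends on how many leading characters of the guess were right.
function token_matches_naive( $expected, $submitted ) {
	return $expected === $submitted;
}

// hash_equals() always walks the whole string, so its run time does not
// depend on where the two strings differ. It needs two strings: a non-string
// input (e.g. an array smuggled in as token[]=x) fails closed here instead
// of producing a warning or a TypeError inside hash_equals().
function token_matches_safe( $expected, $submitted ) {
	if ( ! is_string( $expected ) || ! is_string( $submitted ) ) {
		return false;
	}
	return hash_equals( $expected, $submitted );
}

// Simulated request: the client sent "abc" as the action and a wrong token.
// intval() turns "abc" into 0, which is exactly the value that fools ==.
$action    = intval( 'abc' );
$submitted = 'pa45word';
$stored    = 'pa55word';

// Yoda order (resolution 2): a mistyped '=' here would be a parse error,
// not a silent assignment.
if ( true === is_allowed_loose( $action, $allowed_actions ) ) {
	echo "loose in_array() accepted the integer 0 as an allowed action\n";
}
if ( false === is_allowed_strict( $action, $allowed_actions ) ) {
	echo "strict in_array() rejected it\n";
}
if ( false === token_matches_safe( $stored, $submitted ) ) {
	echo "token rejected, in time independent of where the strings differ\n";
}
```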

2. Use Yoda condition checks, you must

The WordPress PHP Coding Standards suggest that you should: “always put the variable on the right side and put constants, literals or function calls on the left side.” Initially, this might just sound like a bit of pedantry, but it actually has a very practical application.

Consider how catastrophic the following typo could be:

if ( $session_authorized = true ) {
    unleash_the_secrets();
}

Oh dear, instead of checking that $session_authorized is true, I am instead assigning the value of true to that variable.

Now the secrets are being unleashed to whoever wants them. This could easily be missed when checking the code for bugs, even by a reviewer.

Now imagine if the first line was expressed as:

if ( true = $session_authorized ) {

Well, it doesn’t work. We can’t assign anything to the literal value true, so PHP rejects the line with a parse error.

Hopefully it won’t take us too long to work out why our code is still broken, but the secrets remain safe. So we’re good! 😀

3. ABE. A Always, B Be, E Escaping. Always Be Escaping. ALWAYS Be Escaping.

Not having a firm grasp of the concepts of validation, sanitization and escaping can make you a very dangerous developer indeed.

This matters so much that libraries like React escape all output by default; to bypass that behaviour, you have to use an attribute that is literally named dangerouslySetInnerHTML.

Validation is checking that what your code is being passed is even vaguely what it’s expecting. So for instance, if we’re expecting an integer, we can use something like: $zipcode = intval( $_POST['my-zipcode'] )

The intval() function returns its input as an integer and defaults to zero if the input was a non-numeric value. So while this won’t prevent our code from being passed zipcodes that aren’t valid, it does protect our code from being passed anything that isn’t a number.

Naturally, we could go a step further to see if the zipcode actually appears to be valid. For example, 1111111111111 is not a valid zip code, but intval() doesn’t know that.

Fortunately, beyond integers, WordPress has a bunch of handy helper functions for almost every data type including my favourite: is_email().

Sanitization is cleaning input to make sure that it’s safe in the context where we want to use it. This prevents one of the most common forms of security vulnerability, an SQL injection attack.

We also sanitize to fix practical things, like checking for invalid UTF-8 characters. WordPress has a family of sanitize_*() helper functions; here’s an example of how one looks in the wild:

$title = sanitize_text_field( $_POST['title'] );
update_post_meta( $post->ID, 'title', $title );

Therefore no matter what garbage we might have been passed in $_POST['title'], it won’t cause any real problems.

Escaping is similar to sanitization, but instead it is cleaning what we’re sending out, rather than what we’re taking in. A major reason for doing this is to prevent another of the most common forms of security vulnerability, a Cross-site Scripting (or XSS) attack.

We want to clean our output to ensure we aren’t accidentally echoing out something very dangerous that we didn’t realize we were inadvertently storing in our database (or perhaps fetched from an API).

WordPress has a bunch of very useful helper functions here. Some common examples of these in the wild are:

<h4><?php echo esc_html( $title ); ?></h4>
<img alt="" src="<?php echo esc_url( $great_user_picture_url ); ?>" />
<ul class="<?php echo esc_attr( $stored_class ); ?>">

There is also wp_kses() which can be used on everything that is expected to contain HTML, and will filter out elements that are not explicitly allowed.

As a general rule, the the_*() and get_the_*() theme functions are already escaped. However, the get_bloginfo() function, for example, is not escaped.

For further information here, I highly recommend checking out the VIP team’s documentation on Validating, Sanitizing, and Escaping.

4. Stop trusting everything

Don’t trust user input. Don’t trust what’s in your database. Don’t trust any variables.

Treat every variable with contempt.

This way, even if, for example, someone sneaks some dodgy XSS code into your database, it’ll still get escaped on output and your site will be better protected.
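Resolutions 3 and 4 together, as an added example that is neither the post’s nor WordPress’s own code: a form handler that validates and sanitizes on the way in and escapes on the way out, and re-escapes what comes back from the database. It assumes WordPress is loaded; the form field names, meta keys and the nonce action are invented.

```php
<?php
// Added example, not code from the original post or from WordPress. It assumes
// WordPress is loaded: sanitize_text_field(), is_email(), wp_kses_post(),
// wp_verify_nonce(), the esc_*() functions and the post meta API are core.
// The form field names, meta keys and the 'my_plugin_save' nonce action are
// invented for illustration.

// Validate: is the input even the right shape? Returns the cleaned value, or
// null when the field is missing or malformed, so callers fail closed.
function my_plugin_validate_zip( $raw ) {
	// intval() gives 0 for garbage, but 1111111111111 also passes intval(),
	// so a range check is still needed. (A real form would keep the zip as a
	// string to preserve leading zeros; the integer form follows the post.)
	$zip = intval( $raw );
	if ( $zip < 1 || $zip > 99999 ) {
		return null;
	}
	return $zip;
}

function my_plugin_validate_email( $raw ) {
	// is_email() returns the address when it looks valid and false otherwise.
	$email = is_email( (string) $raw );
	return ( false === $email ) ? null : $email;
}

// Sanitize on the way in, then store. Nothing in $_POST is trusted, and the
// request must carry a valid nonce from a user allowed to edit this post.
function my_plugin_save_profile( $post_id ) {
	$nonce = isset( $_POST['my_plugin_nonce'] )
		? sanitize_text_field( wp_unslash( $_POST['my_plugin_nonce'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'my_plugin_save' )
		|| ! current_user_can( 'edit_post', $post_id ) ) {
		return false;
	}

	$zip   = my_plugin_validate_zip( $_POST['my-zipcode'] ?? '' );
	$email = my_plugin_validate_email( wp_unslash( $_POST['my-email'] ?? '' ) );
	if ( null === $zip || null === $email ) {
		return false;
	}

	// sanitize_text_field() strips tags, invalid UTF-8 and line breaks.
	$title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
	// A field that legitimately holds markup is reduced to the tags allowed
	// in post content rather than stripped entirely.
	$bio = wp_kses_post( wp_unslash( $_POST['bio'] ?? '' ) );

	update_post_meta( $post_id, 'my_plugin_zip', $zip );
	update_post_meta( $post_id, 'my_plugin_email', $email );
	update_post_meta( $post_id, 'my_plugin_title', $title );
	update_post_meta( $post_id, 'my_plugin_bio', $bio );
	return true;
}

// Escape on the way out, for the context each value lands in. The database
// is not trusted either (resolution 4): whatever was stored, it is escaped
// again here, so a value that slipped past sanitization still cannot run.
function my_plugin_render_profile( $post_id ) {
	$title = get_post_meta( $post_id, 'my_plugin_title', true );
	$email = get_post_meta( $post_id, 'my_plugin_email', true );
	$bio   = get_post_meta( $post_id, 'my_plugin_bio', true );
	?>
	<h4><?php echo esc_html( $title ); ?></h4>
	<a href="<?php echo esc_url( 'mailto:' . $email ); ?>"><?php echo esc_html( $email ); ?></a>
	<div class="<?php echo esc_attr( 'profile-' . intval( $post_id ) ); ?>">
		<?php echo wp_kses_post( $bio ); ?>
	</div>
	<?php
}
```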

5. Avoid inserting HTML directly into the document (when using JavaScript)

Doing something like this is dangerous because the data that we’re using could include many more DOM elements that dramatically alter the anticipated behavior of this code, and make it vulnerable to XSS attacks:

jQuery.ajax({
    url: 'http://any-site.com/endpoint.json'
}).done( function( data ) {
    var link = '<a href="' + data.url + '">' + data.title + '</a>';

    jQuery( '#my-div' ).html( link );
});

Instead, we should programmatically create DOM nodes and append them to the DOM. So the above instead becomes this:

jQuery.ajax({
    url: 'http://any-site.com/endpoint.json'
}).done( function( data ) {
    var a = jQuery( '<a />' );
    a.attr( 'href', data.url );
    a.text( data.title );

    jQuery( '#my-div' ).append( a );
});

This is how a library like React does things behind the scenes. You can read more about this in a wonderful post about preventing XSS attacks in JavaScript by my colleague, Nick Daugherty.

6. Review code

Have you ever reviewed a plugin before using it? I know, who’s got time for that right? I’ll tell you who: you.

I have come to realize that reviewing code is possibly one of the best exercises for improving as a developer. Even if you’re quite new to programming or development, and you still feel pretty green, you really should give it a go.

A great way to start is to review the next plugin you decide to use on your website. Before activating it, pop it open in your text editor of choice, and just spend some time scanning through it to understand what it does.

A method I like to use here is to interpret each line of the code in simple English. You can even say it out loud if you like – assuming you’re not sitting in a café or co-working space where people might become worried about you.

You might be surprised at how often you find bugs and quirks in the code, or that the code isn’t conforming to the best practices outlined above. And if you discover issues, why not create a patch? Or if the plugin is on GitHub, create a pull request.

You can also review your own code. A great method for doing this is to never deploy code straight into production. Instead, leave it on the day you finish it, and review it line by line in the morning. This method is easiest to adopt if you’re using something like GitHub where you can create a pull request with the changes, then review the pull request yourself the next day before merging it.

In this vein, I highly recommend watching my colleague, Ryan Markel’s, fantastic talk on this topic from WordCamp US 2016.

7. Upgrade your tools (or at least use PHP_CodeSniffer)

There are lots of tools that help make web development easier, but if you’re doing a lot of WordPress development, the most valuable is probably PHP_CodeSniffer. It reads your code and automatically reviews it for bugs and coding standards inconsistencies while you type.

It’s kind of like a spell checker, but for code. No matter how good your English is, you still use spell check right? So why wouldn’t you spell check your code?

Here’s a bonus for you: the WordPress VIP Coding Standards are available by default with the WordPress Coding Standards for PHP_CodeSniffer. So with that, it’ll check if you’re following most of the above resolutions.

As you might imagine, using PHP_CodeSniffer also really helps highlight potential problems when you’re reviewing plugins and other people’s code.

8. Be curious

Far too often, I’m guilty of searching to try to find out what a particular WordPress function does, or scanning Stack Overflow to see if someone’s having the same problem as me.

I have historically had a bad habit of seeing much of what WordPress does as magic, and avoiding getting too deep in the inner workings. But actually, it can be very beneficial to find out answers for yourself, instead of trying to find others who have already done the work.

In essence, WordPress is quite simple. The code largely consists of functions taking arguments, and doing things with those arguments, and passing the results onto other functions taking arguments, and so on.

It doesn’t take much to start unpicking something, and working out exactly what’s happening behind the scenes. So next time you’re struggling with a function, try going straight to looking at what the function actually does.

Personally I find the WordPress GitHub repo that mirrors the core SVN repo to be a very useful way of doing this.

The WordPress strapline is that “code is poetry”, and for its flaws I find that on the most part, the WordPress codebase is very readable, if nothing else! 😉

I’ll conclude by taking this opportunity to wish you a very happy and prosperous new year!

Note: Some of the above has been gleefully plagiarized from WordPress.com VIP’s Code Review documentation. It’s an Aladdin’s cave of useful advice, and I highly recommend working your way through it as and when you can.


Source: WordPress.org Feed


WPTavern: Tom McFarlin to Launch Marketplace for Blogging Plugins, Finds New Maintainer for WordPress.org Plugins

Daily blogger and plugin author Tom McFarlin has found a new maintainer for five of his WordPress.org plugins. Within two days of putting the plugins up for adoption, McFarlin announced that Philip Arthur Moore will be taking over Category Sticky Post, Comment Tweets, Single Post Message, Tag Sticky Post, and Tipsy Social Icons. Moore, who is currently working as CTO at Professional Themes, has inherited roughly 10,000 users overnight in the transfer of maintainership.

WordPress.org plugin adoption stories are few and far between. The most common scenario for an orphaned plugin is to languish in the directory until it disappears from search results (with the exception of exact matches) after two years of no updates. In McFarlin’s case, he was looking to tie up some loose ends before shifting Pressware’s focus to launching Blogging Plugins, a marketplace for extensions that streamline WordPress for regular bloggers.

“Last year, I had a few false starts when trying to launch what was originally called Pressware Plugins,” McFarlin said. “Fast-forward a few months and we’re going to focus on something called Blogging Plugins. We already have two free plugins available, though there’s an entire set of plugins, marketplace, and more coming.”

Moore’s adoption of the plugins, which includes the first plugin McFarlin ever wrote, allows Pressware to move forward with its 2017 objectives. McFarlin said he selected Moore based on the quality of his open source projects and reputation in the WordPress community.

“For those of you who aren’t familiar with Philip’s side projects, you may be familiar with Subtitles,” McFarlin said. “It’s a plugin that falls right in line with my personal ethos of how things should work with WordPress: You activate it, it’s ready to go, and it feels native within the application.”

The adopt-me tag is used on WordPress.org to indicate plugins where the author is looking for a new maintainer. With just two pages of listings, it’s not yet widely used. Most developers find it easier to fork an open source plugin and WordPress.org has recently made it easier than ever for authors to close a plugin by simply emailing the plugin team.

However, not all orphaned plugins are ready for end of life measures. Circumstances change in plugin authors’ lives, but the strength of the user base is one of the primary indicators of a project that could thrive in new hands. The built-in user base is also one of the main advantages of adopting a plugin as opposed to forking it.

Developer and ZDNet columnist David Gewirtz discovered the full weight of adopting a plugin’s users when he took on 10 plugins from the adopt-me section of the directory. Gewirtz, who inherited approximately 50,000 users, said the experience helped him reconnect with real users.

“The value I’ve gained as a columnist, advisor, and educator that has come from interacting with users from so many nations with so many different skill sets and missions has been off the charts,” Gewirtz said. “I thought I’d keep my programming chops up, and I’ve certainly done that. But I never expected I’d gain a much broader perspective that I’d be able to apply to all of the areas of my professional life and meet so many cool people.”

Adoption is arguably the healthiest outcome for any orphaned project – not just for the sake of reducing plugin abandonment but also for continuing support for users. Many of them blindly depend on plugins with no understanding of how they work.

Once a plugin is downloaded and installed on users’ sites, it gains a life of its own. Adoption strengthens a project’s history by proving it can weather storms that might otherwise cause the plugin to become obsolete and wipe out the user base.


Matt: Thirty-Three

I’m taking it easy this week, nothing too crazy — just sharing good meals and wine with friends. Which is probably a good example of my goals for the year: putting family and loved ones first, slowing down (to go further), and deliciousness. (Single Thread Farms blew me away.)

2016 was a year of incredible contrasts: it was the saddest and most challenged I’ve ever been with the passing of my father, and while that overshadowed everything there were also bright moments of coming closer to family, deepening friendships, and growing professionally with incredible progress from both WordPress and Automattic. That momentum on the professional side is carrying through and right now I’m the most optimistic I can recall, and thrilled to wake up and get to work every day with the people I do.

I talked about trying to spend longer stretches of time in fewer places, and that definitely happened. I flew 162k fewer miles than the year before, and visited 35 fewer cities. My blogging decreased a lot too — from 252 posts in 2015 to 76 posts in 2016, but the posts I did write were at least 50% longer. I made it to 9 more of the Top 50 restaurants and stand currently at 50% of the list. I finished 22 books, including a lot more fiction including my first few graphic novels like Ex Machina, Y: The Last Man, and Watchmen. I watched 35 movies, 9 of which were from the Marvel universe on a single flight from Cape Town to Dubai.

Last year I said, “it’s exciting to make the most of the opportunity that the volatility, love, loss, glory, failure, inspirations, and setbacks that 2016 will bring.” I didn’t know how right I would be, and wish I hadn’t been.

This year doesn’t start with new plans, but rather three intentions continued from a few months ago. I revealed one yesterday, and promised I would expand today on the others, so here they are:

  1. Symmetry — Balance in all things, including my body which is stronger on my right side and much tighter on my left side. We also need symmetry in WordPress between the .org and .com products which differ too much.
  2. Stillness — In echoes of Pico Iyer, so much of my life in my 20s was about movement, and “going places to be moved.” In my 30s I’m looking inward. As Saint Augustine said in Book X, chapter 8 of Confessions: “Men go forth to wonder at the heights of mountains, the huge waves of the sea, the broad flow of the rivers, the vast compass of the ocean, the courses of the stars, and they pass by themselves without wondering.”
  3. Yellow Arrows — The idea that there are clear indications of where to go next at every fork in the road, and if not you should paint them. I wrote more on this yesterday.

Previously: 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, and 32.


Source: WordPress.org Feed


WPTavern: WordPress 4.7.1 Fixes Eight Security Issues

WordPress 4.7.1 is available for download and fixes eight security issues that affect WordPress 4.7 and below. The PHPMailer library was updated to patch a remote code execution (RCE) vulnerability. WordFence reported the vulnerability last month as critical and that it affects WordPress core.

However, in the announcement post for 4.7.1, Aaron Campbell, WordPress’ new Security Czar says that, “No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.” Dawid Golunski and Paul Buonopane are credited with responsibly disclosing the vulnerability.

WordPress 4.7.1 also fixes an issue where the REST API exposed user data for all users who authored a post of a public post type. This release limits this ability to only post types which have specified that they should be shown within the API. Brian Krogsgard and Chris Jean are credited with responsibly disclosing the vulnerability.

In addition to patching eight security issues, this release fixes 62 bugs. To see a full list of changes, visit the release notes page or you can view them on Trac. Sites should update automatically but if you’d like to update sooner, visit your site’s Dashboard, select Updates, and click the Update Now button.


Power Guide to Twitter Automation: Tools, Strategies, Ethics

Power Guide to Twitter Automation: Tools, Strategies, Ethics http://bloggerjet.com/twitter-automation/ via @timsoulo

Any kind of automation in online marketing has always been a subject of a great controversy. And Twitter is no exception. Where’s that line between being authentic and being spammy? What’s the moment your white hat starts turning grey? All this matters for many… but not to me. In this 4800-words-long guide to “Twitter Automation” …


Happy New Year 2017 – Uncategorised Webhosting 4 Business – WordPress Hosting

https://webhostingforbusiness.co.uk/uncategorised/happy-new-year-2017/



WordPress Hosting for your Business. Fast, Secure & 100% UpTime

WordPress Hosting for your Business.
Specialised WordPress Hosting that takes care of your WordPress site as if it was our own.
https://webhostingforbusiness.co.uk @wordpresswebhosting
#WordPressHosting #WordPress #Hosting #WordPressWebHosting

WordPress Hosting for your Business, Webhosting 4 Business is Dedicated to Supplying the Fastest, Secure & 100% Available Hosting Solution for your Business


We Wish you all A Very Merry Christmas

Wishing you all a Very Merry Christmas.

The most famous story about St. Nicholas tells how the custom of hanging up stockings to get presents in first started! It goes like this:

There was a poor man who had three daughters. He was so poor, he did not have enough money for a dowry, so his daughters couldn’t get married. (A dowry is a sum of money paid to the bridegroom by the bride’s parents on the wedding day. This still happens in some countries, even today.) One night, Nicholas secretly dropped a bag of gold down the chimney and into the house (this meant that the oldest daughter was then able to be married). The bag fell into a stocking that had been hung by the fire to dry!

This was repeated later with the second daughter. Finally, determined to discover the person who had given him the money, the father secretly hid by the fire every evening until he caught Nicholas dropping in a bag of gold. Nicholas begged the man to not tell anyone what he had done, because he did not want to bring attention to himself. But soon the news got out and when anyone received a secret gift, it was thought that maybe it was from Nicholas.

How St. Nicholas Became Santa Claus

In the 16th Century in northern Europe, after the reformation, the stories and traditions about St. Nicholas became unpopular.
But someone had to deliver presents to children at Christmas, so in the UK, particularly in England, he became ‘Father Christmas’ or ‘Old Man Christmas’, an old character from stories and plays during the middle ages in the UK and parts of northern Europe. In France, he was then known as ‘Père Noël’.

In some countries, including parts of Austria and Germany, the present giver became the ‘Christkind’, a golden-haired baby with wings who symbolizes the newborn baby Jesus.

During the early years of the USA his name was ‘Kris Kringle’ (from the Christkind). Later, Dutch settlers in the USA took the old stories of St. Nicholas with them and Kris Kringle and St Nicholas became ‘Sinterklaas’ or as we now say ‘Santa Claus’.

@wordpresswebhosting #WordPressHosting #WordPress #Hosting #WordPressWebHosting #MerryChristmas

