How to Restrict Access to WordPress Uploads Folder to Logged-in Users only

Posted by on Apr 6, 2017 in WordPress | 0 comments

Edit: I've received some valuable feedback from Reddit users: cabalos & zware. It seems the following approach may be bypassed by an experienced developer. Will come up with an alternative solution and update this post again. !!Edit2:!! For a far more effective protection check the free plugin below. It uses the technique mentioned in this post and also combines it with a system WordPress plugin to do more thorough checks. Below is the 2nd video which demonstrates the more effective approach in protecting WP Media Uploads folder. Orbisius WP Media Protector When you upload files in WordPress by default they go to wp-content/uploads folder. Those files are normally accessible from the browser and it is supposed to be that way because the transfer is faster. Serving files from php, perl etc would take additional resources. What if you have project that requires all files to be accessible to the logged in users only? For example this could be an internal site that allows employees, vendors can upload documents. The admin creates the accounts on demand and it’s tightly controlled who gets access to the site. Here is a video demo how to do it.   Here some snippets for Apache web server that need to be added to the .htaccess file which resides in the folder where WordPress is installed. Option 1: Full Restriction: How to restrict access to all files from residing in the WordPress uploads folder. # Protect all files within the uploads folder <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_COOKIE} !.*wordpress_logged_in.*$ [NC] RewriteCond %{REQUEST_URI} ^(.*?/?)wp-content/uploads/.* [NC] RewriteRule . http://%{HTTP_HOST}%1/wp-login.php?redirect_to=%{REQUEST_URI} [L,QSA] </IfModule> Option 2: Partial Restriction: How to restrict access to only to some files (based on their extension) in the uploads folder. # Protect only some files within the uploads folder <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_COOKIE} !.*wordpress_logged_in.*$ [NC] RewriteCond %{REQUEST_URI} ^(.*?/?)wp-content/uploads/.*\.(?:gif|png|jpe?g|pdf|txt|rtf|html|htm|xlsx?|docx?|mp3|mp4|mov)$ [NC] RewriteRule . http://%{HTTP_HOST}%1/wp-login.php?redirect_to=%{REQUEST_URI} [L,QSA] </IfModule>   Note: This works for Apache web server and can be tweaked to work with nginx as well.   How it works? Apache mod_rewrite module checks to see if there’s a cookie whose name contains  “wordpress_logged_in”. If it doesn’t exist that means that the user is not logged in. Next rule checks if the user is trying to access a file in the uploads folder. Based on the which option you’ve picked the rules check if it’s any file is accessed from within uploads OR a file with a known extension. The last line redirects the user to the login page and if they successfully login then they’ll be redirected to the file they have tried to access. Other solutions just redirect to random locations or output an access denied error message. Note: WordPress’ uses a php constant called...

Read More

How to Conditionally Display Discount Code Box in Restrict Content Pro WordPress Plugin

Posted by on Feb 28, 2017 in WordPress | 0 comments

I have decided to use the Restrict Content Pro WordPress plugin for one of my SaaS products. It supports several payment gateways & it’s pretty easy to set up & configure. Pippin made it super easy for people to try it before they buy it by publicly hosting the plugin’s code on github at https://github.com/restrictcontentpro/restrict-content-pro He made it that way to facilitate developer contributions. Test driving is a side effect. If you need support you need to buy a license which makes total sense. The support is super helpful (hey Ashley, I am talking about you). Ok. Back to what I was trying to accomplish. I wanted to use coupon codes but also wanted to show the discount code box conditionally. When visitors see a discount box they will stop at checkout and start searching for a code. I have done it and it’s tempting to save a few bucks. While they are searching they might get interrupted and totally forget to come back to my site. I wanted to enable the discount box for people who are on my email list or if I have directed people from a campaign. I can send them a special link that will allow the discount code box to show up normally. Add this to your current theme's functions.php. Create it if necessary or just an mu-plugin in wp-content/mu-plugins/my_site_custom_rcp.php if ( ! isset( $_REQUEST['my_site_show_rcp_discount_box'] ) ) { add_action( 'wp_print_scripts', 'my_site_hide_discount_code' ); } /** * We want to show the discount code only when send a specific parameter exists. */ function my_site_hide_discount_code() { ?> <style> #rcp_discount_code_wrap { display: none !important; } </style> <?php } Test WordPress site deployed in seconds? Yes, it's possible. Visit qSandbox for more...

Read More

How to Get Rid of the TGM Plugin's Install Required Plugins Shown to Non-Admins

Posted by on Feb 21, 2017 in WordPress | 0 comments

Many themes use TGM Plugin Activation plugin (tgmpluginactivation.com) to manage the plugins that their theme requires. Yes, this plugin provides some cool functionality but in my case it was pretty annoying for my non-admin users to see a warning that some plugins had to be installed. As admin, I didn't want to install the suggested plugins because whatever I had set up works just fine in the current context. For example why install some form plugin or an e-commerce plugin if I am using a form builder already  or if I won't be selling anything? To disable the annoying notice you need to add this to your functions.php file or create a php file in the wp-content/mu-plugins/ with the following content. add_action( 'init', 'my_site_disable_install_plugins' ); function my_site_disable_install_plugins() { if ( ! current_user_can( 'manage_options' ) ) { add_filter( 'tgmpa_load', '__return_false' ); }...

Read More

What to Consider Before Moving your WordPress Site to a New Provider

Posted by on Feb 2, 2017 in WordPress | 0 comments

So you want to move your WordPress site to a new web hosting provider? Great! Change is always a good thing. Before you take any action, take some time to do some proper planning. Planning helps things go smoother and you will see problems before they show up which is always a good thing. The first questions to ask yourself is what are you moving/migrating exactly? Is it the WordPress (files + database) website only? What about your emails accounts? Are they (currently/going to be) handled by your current web hosting provider or an external one such as gmail, rackspace? What about domain registration? Is the current provider your domain registrar as well? What about DNS? Are you relying on the current webhosting provider for DNS as well? What about SSL certificates (if any)? What other services are you using with the current provider – SVN, git, FTP storage?   The next thing is to be clear why you are migrating the site. You're not happy with the current hosting provider The current web hosting bill keeps increasing Your site needs more resources You want to move your site out of /blog to the root location / or vice versa Your site needs to be moved to a better dedicated server (with VPS you can increase the resources from the control panel) You're changing your business name and domain and need to change from CoolCompany.com to AwesomeCompany.com Setting up your site on a staging environment You want to hire a developer / designer to work on your site but you want to clean up some customer data before that. It’s import to think about everything now because nothing will get set up on the new server automagically. Your business will be impacted so the planning is not a waste of time. Can you do it yourself? Well, that depends. There are lots to plan for but there’s also free and paid tools available. If you have time you can read and watch videos and learn how to do it. Depending how computer savvy you are it will take you between 1 - 20 hours to finish the migration process. I highly recommend that you keep the old hosting account active for some time just in case if things don’t work out with the new one. I have used Duplicator plugin in the past and it does a great job for 90% of the sites. I’ve had issues with files that contained non-english characters and large sites due to hosting limitations. Each hosting provider makes sure that their clients get enough resources. So the hosting company monitors the resource usage and may/will block the a long running programs such as...

Read More

How to better use WordPress filters and actions

Posted by on Feb 1, 2017 in WordPress | 0 comments

WordPress uses calls filters and actions internally. They are called hooks and they make WordPress super flexible because it doesn't have to be a piece software that tries to do or be everything. It only needs to offer the foundation and the rest can be done via plugins.   WordPress Hooks Filters => modify a piece of content and return it Actions => are events that happen at a given time. An action can output something or nothing at all.   Naming convention Here's how I name my filters and actions. I start with my company name and then add the plugin name. If it's going to be an extension/addon of an existing plugin I add that name as well e.g. "_woocommerce_ext_" Depending on the hook it will also have _filter_ or _action_ after the name and last comes the action/filter name. Result: action: orbisius_woocommerce_ext_quick_order_action_before_order_container filter: orbisius_woocommerce_ext_quick_order_filter_header_cols Yes, they are long but so are descriptive. You won't accidentally use filter where an action is supposed to be used or vice versa. How I use them When triggering actions I pass an array which I call context ($ctx)  that contains relevant info. In the beginning it's either empty or has just one element. When triggering filters I pass the data that needs to be modified and then as a second parameter an array which I call again context ($ctx)  that contains relevant info.   Examples This is how your code should trigger the action. // action triggering $ctx = array( 'product_id' => 123, ); do_action( 'orbisius_woocommerce_ext_quick_order_action_before_order_container', $ctx ); This is how an addon can use your custom action. add_action( 'orbisius_woocommerce_ext_quick_order_action_before_order_container', 'company_custom_action_handler' ); function company_custom_action_handler( $ctx ) { // Do something awesome! echo 42; } Actions can output something. If you need the capture the content from an action, you can use php's output buffering functions. I've seen this approach in Pippin's plugins and is a very cool idea. $ctx = array( 'css_class' => 'my_app_wrapper', 'product_id' => 123, ); ob_start(); do_action( 'orbisius_woocommerce_ext_quick_order_action_before_order_container', $ctx ); $action_buff = ob_get_clean(); Filters There's a little extra effort to add 2 additional parameters to that add_filter call. We need to explicitly specify the priority of the filter and the number of arguments it accepts. We specify 10, 2; 10 - priority, 2 - 2 arguments. The first value is the data that's being modified and 2nd one is the context parameter. For actions we didn't have to do that because by default the priority is 10 and the number of arguments is 1. This is how your code should trigger the filter. // Your plugin/theme triggers the filter. $columns = [ 'id' => 'ID', 'product_name' => 'Product Name', ]; $ctx = array( 'user_id' => 777, 'product_id' => 123,...

Read More

How to Find Missing Featured Images for WordPress Posts

Posted by on Jan 30, 2017 in WordPress | 0 comments

From time to time you may need to check if featured images actually exist in the local file system. The files may not have been successfully transferred during a recent WordPress migration to a new webhost. The tool below looks for posts who have a featured image set and check if the file exists locally. If it doesn’t, it will report it and will give you an edit link to the post. This free tool requires php 5.3+ and wp-cli to be installed on the server. It checks for wp-cli in several locations and if it can’t find it then it gives up. You can start the script from your browser or from the command line. Some servers will make the browser wait before they show any output. That depends on the server set up. When you run the script from the command line it will show you the progress.     Download Links (same): https://cdn.rawgit.com/orbisius/server-tools/e3cd5763/orbisius_fmf.php With the one below you will have to do "Save As" https://raw.githubusercontent.com/orbisius/server-tools/master/orbisius_fmf.php   Usage: 1) download the file on your computer 2) upload the file where your WordPress installation is. You should be seeing wp-config.php a) browser usage: upload to wp dir and visit site.com/orbisius_fmf.php b)  command line usage php orbisius_fmf.php -doutput_buffering=off > posts.html then open posts.html by going site.com/posts.html   Do you use test/staging sites? Visit qSandbox for more...

Read More