How to Properly Set up an SSL Certificate for a News Site Based on WordPress

Posted by on Dec 19, 2016 in WordPress | 0 comments

Last month I had to set up an SSL certificate for a news site based on WordPress. The owner writes some of the content but there's also content that's pulled from various external sources. The last part posed some challenges. The external content contained a mix of secure and non-secure links to pages and images. Different browsers *complained* about different issues differently. The Solution All instructions are listed here: https://gist.github.com/lordspace/db99e4982839f16e9637de4af7ba099b In order to keep the browsers happy and see a nice green padlock in the address bar I had to make sure all of the resources are loaded from an https location. This applies to both internal and external links. To do that I had to capture the output very early on, do some magic with it and return it. Initially, I have tried with a system WordPress (mu-plugin) that hooked into a content filter but not all of the content was captured. I've also tried to capture the content using ob_start() in the mu-plugin but that didn't work either so I had to use ob_start() in the wp-config.php Correcting links The sites that supported secure links non-secure links were corrected to the secure links. Those links were from sites such as facebook, google, youtube, blogger, feedblitz, linkedin etc. All other links were passed through a redirect script hosted on the https version of the current site (e.g. https://example.com/r.php?r=http://some-external-site.com/test The images were also passed through that redirect script. Firefox was *ok* with that but Chrome still complained about mixed content in the Developer Console (F12). Chrome's warnings made me update the redirect script so it pulled the external images locally. The remote pulling was done once per month and images were stored in deep folder structure (wp-content/remote_images/a/b/c/site_com_image_some_hashasfasfasf) so they are quickly retrieved. It seems the site was also outputting some binary content so the output correcting script had to check if the content contained binary data the first 120 bytes contained one of these strings: ZIP, PDF, PNG, JPG etc.   SSL Provider I have kept an eye on the Let's Encrypt service for quite some time now so I have decided to give it a try. Let's encrypt gives you a free SSL certificate which is valid for 90 days. The client's site was on a VPS server (from linode) which I fully controlled so I wasn't going to be restricted in any way. Let's encrypt doesn't support Wildcard SSL and probably won't in near future so you have to list all of the domains and subdomains that need to be supported. I have seen examples that allow one SSL certificate to work for multiple domains but I prefer to keep each domain's certificates separate. Of course, if...

Read More

How to Prevent Search Engines from Indexing the Entire WordPress Multisite Network

Posted by on Nov 28, 2016 in WordPress | 0 comments

From time to time you will need to block search engines from accessing to the entire WordPress Multisite network. Scanario 1: Staging site that is an exact replica of the live site. It's a great idea to have it because that way you can safely experiment with new functionality and/or design. Scenario 2: An agency has set up a staging site for their client so the client can see the progress during the development. Scenario 3: An agency is about to hire a developer/designer to work on the site. Before access is given the site is cleaned up from any client orders & data.   Password Protection Password protecting a site (basic authentication) is a valid option to protect a site. If the site is an ecommerce site which uses PayPal the password may/will cause problems. Because after each transaction Paypal calls your server to notify it about the recent transaction. If PayPal can't access the site (because of the password) then the orders would stay as pending/waiting for payment. You can search how to protect a folder based on the control panel (cPanel or Plesk). Telling search engines not to index the site The following examples assume that you're using Apache webserver. This example tells bots not to index the site (using .htacces). <IfModule mod_headers.c> # https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag Header set X-App-Env "Staging" Header set X-Robots-Tag "noindex, nofollow" </IfModule> Blocking all Bots <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_USER_AGENT} ^.*(bot|googlebot|bingbot|Baiduspider|Yandex|HTTrack|crawl|index|download|extract|stripper|sucker|ninja|clshttp|spider|leacher|collector|grabber|webpictures).*$ [NC] RewriteRule .* - [R=403,L] </IfModule>   Telling bots not to index the site (using a system / MU WordPress plugin). You will need to create a file in wp-content/mu-plugins/staging-noindex.php If wp-content/mu-plugins doesn't exist, create it. The php solution works a little bit differently. If checks if the WordPress site's domain contains one of the following keywords. If it does the system plugin will assume that's it's a staging environment. Only then the noindex is sent to the browser. That way when the site is finally moved to a production server the noindex will not be sent. Pretty smart :) staging, test, development, dev, sandbox, new, example, sample, testing, clients Examples: staging.example.com, dev.example.com, client-staging.com <?php ///////////////////////////////////////////////////////////////////////////////////////////////////// // Example 1 /** * Appends some code to the HTML head php to stop search engines from indexing the (staging) site. * @author Svetoslav (Slavi) Marinov | http://orbisius.com */ function qsandbox_staging_noindex() { $output_no_index = php_sapi_name() != 'cli' // the following below [w\.] is to skip any www\. stuff && ( ! empty( $_SERVER['SERVER_NAME'] ) && preg_match( '#(staging|test|development|dev|sandbox|new|example|sample|testing|clients)\d*\.#si', $_SERVER['SERVER_NAME'] ) ); if ( $output_no_index ) { echo "\n<!-- Staging -->\n<meta name='robots' content='noindex,nofollow' />\n<!-- /Staging -->\n"; } } add_action( 'wp_head', 'qsandbox_staging_noindex', 0 ); ///////////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////////// // Example 2 /** * Outputs the http headers using php...

Read More

How to Troubleshoot a WordPress Redirect Loop

Posted by on Nov 21, 2016 in WordPress | 0 comments

Redirects are one of the trickiest things to troubleshoot and can cause lots of coffee drinking and possibly sleepless nights :) Here's a video explanation for the whole process. I had to troubleshoot redirect loop issue with one of my recently semi-launched products: EasyWPHost.   The Issue The issue was when the user tried to register WordPress would redirect to default WordPress registration page and then do another redirect to the registration page that was provided by the Membership plugin. It was weird & frustrating. I've even installed xdebug extension to find out what's causing this but setting the debugger & IDE would have been time consuming . I have used Membership2 plugin from WPMUDEV. The funny thing is that I was 99% sure that it was the membership plugin that was causing the issue as all the leads were pointing to it. When I disable the content protection from its settings page the site would work normally. Adam and Predrag from WPMUDEV team tried very hard to troubleshoot the issue but since I am an advanced developer I also make advanced and hard to find bugs :)   Cause It turned out that I had my own redirect rules for links that contain the text: signup, join, register to redirect to the registration page. In hindsight it would have been better for me to hook into a 404 action/filter and then do my own processing. The logic should have been if a page doesn't exist process it... but we can only connect the dots looking backward, right?   The solution I find this part the most important/interesting part. I just couldn't let the issue go. I even dreamt about it. I hate leaving issues unresolved because they consume mental energy.  I was also curious was causing this. I remembered that WordPress has lots of hooks (filters and actions) and php has a great function called debug_backtrace(). debug_backtrace is a super awesome function because it shows function calls that were executed before the current function is executed, the exact lines the function was called from, originating file, function arguments etc. The debug output looks like this. Mon, 21 Nov 2016 07:42:42 +0000 IP: 127.0.0.1 location: [http://easywphost.com/app/manage/], status [301] Backtrace array ( 0 => array ( 'file' => 'C:\\Copy\\Dropbox\\cloud\\projects\\clients\\easywphost.com\\htdocs\\wp-includes\\plugin.php', 'line' => 235, 'function' => 'orb_dbg_redirect_trbl', 'args' => array ( 0 => 'http://easywphost.com/app/manage/', 1 => 301, ), ), 1 => array ( 'file' => 'C:\\Copy\\Dropbox\\cloud\\projects\\clients\\easywphost.com\\htdocs\\wp-includes\\pluggable.php', 'line' => 1154, 'function' => 'apply_filters', 'args' => array ( 0 => 'wp_redirect', 1 => 'http://easywphost.com/app/manage/', 2 => 301, ), ), 2 => array ( 'file' => 'C:\\Copy\\Dropbox\\cloud\\projects\\clients\\easywphost.com\\htdocs\\wp-includes\\canonical.php', 'line' => 516, 'function' => 'wp_redirect', 'args' => array ( 0 => 'http://easywphost.com/app/manage/', 1 => 301, ), ),...

Read More

How to Delete a WordPress User Using PHP

Posted by on Oct 4, 2014 in WordPress | 0 comments

From time to time when you're developing plugins/themes you may need to delete some test user accounts. Here is a way to do it. You can either create an MU Plugin (by creating a file in mu-plugins/some-code.php) or adding it in functions.php in your current (child) theme. Then go to the admin area. I was receiving errors (function doesn't exist) when I wasn't in the admin area. You have to be careful with this code. add_action('admin_init', 'abc_quick_del', 10); // !!! function abc_quick_del() { $user = get_user_by( 'login', 'some_username'); if (!empty($user-&gt;ID)) { echo "Deleting user ID: " . $user-&gt;ID . "&lt;br/&gt;\n"; wp_delete_user( $user-&gt;ID ); } else { echo "Account not found."; } }     Can you set up a test/staging WordPress sites in seconds? Yes, with qSandbox you...

Read More

How to Change Your WordPress.org Email and Password

Posted by on May 29, 2014 in WordPress | 0 comments

In may be hard to find on WordPress.org the link to edit your email and password. Normally, you'd expect the edit link on http://profiles.wordpress.org/YOURUSERNAME/ to do that but you have to go to a different location. Make sure you are logged in. Then visit link: https://wordpress.org/support/profile/YOURUSERNAME/edit Video tutorial Related http://wordpress.org/support/topic/how-to-change-email-address-for-wordpressorg-user-profile?replies=3 Can you set up a test/staging WordPress sites in seconds? Yes, with qSandbox you...

Read More

4 Things to Consider Before Creating a WordPress Plugin

Posted by on May 12, 2014 in WordPress | 2 comments

So you were thinking of writing a WordPress plugin? Awesome!I am assuming that you've read how to create plugins and looked at the source code of some simple plugins. Great! Here are a several things to consider before starting What are you going to build & is there really a need for this kind of product? (tough one) How should you name the plugin? Support: Are you going to be maintaining the plugin in the future? Business: What is the business model? The questions above are very important to ask yourself before doing the work.We can create many products but if no one wants them that means that we haven't used our time well. The good thing with programming is that whatever you create it's not a total loss. The code can be recycled and reused in a different product. What are you going to build & is there a need? This is a very tough one because when we are about to create something we try to convince ourselves that this would be a cool product.In some cases that's true but we have to be honest with ourselves and answer this question:Are we building this product because:We like the idea and the implementation excites us? OR We've done (some) research which proved that there is a need for that product?There's (almost) no right or wrong answer but the results will be different in each scenario.From my experience I can tell you that the products for which I've done some research have gotten a lot more downloads/sales. At the time of this writing I've created about 60 plugins (some are free, premium and the rest are done for clients). Are there any other plugins that do similar things? If yes, it might be a better option to become a contributor to another plugin rather than releasing it yourself. Yes, won't be *driving the bus* but you can learn a lot by contributing to another project. That also helps creating nice professional contacts. How should you name the plugin? If you've used WordPress for sometime you'll be tempted to start the plugin name with WP or WordPress.I've done it. I admit it. As far as I know now using WordPress in the plugin name will most likely result in a rejection.Plugins are tested before they appear in the WordPress Plugin Directory. After my 6th or 8th plugin I decided to put my company name in front of each plugin name. There's huge benefit. People will start recognizing the name (eventually). Another huge benefit is that you can setup an alert at WordPress.org forums to be notified when somebody mentions your plugin. All I had to do is to set an...

Read More