Vetting form input using PHP

Forms are one of the easiest ways for an attacker to reach into the internal 'gubbins' of your PHP code, both in ordinary PHP development and when customising WordPress with PHP: every field is a string that an attacker, not you, gets to choose.

The following built-in functions let a PHP developer tidy up a form's data before processing it with their own PHP code:

  • trim – removes whitespace from the start and end of the value
  • stripslashes – removes backslashes added by escaping
  • htmlspecialchars – converts characters with meaning in HTML into HTML entities

Typically you cascade the piece of data from the form through these functions:

$formvalue = trim($formvalue);
$formvalue = stripslashes($formvalue);
$formvalue = htmlspecialchars($formvalue);

They can obviously be nested into one line for brevity:

$formvalue = htmlspecialchars(stripslashes(trim($formvalue)));

What each step actually does: trim removes whitespace (space, tab, newline, carriage return, NUL and vertical tab) from the two ends of the value only; spaces inside the value are left alone. stripslashes removes backslashes. That was needed when PHP's magic_quotes feature escaped every quote on the way in, but magic_quotes was removed in PHP 5.4, and on a current server stripslashes simply destroys any legitimate backslash in the data. htmlspecialchars converts the characters that have meaning in HTML (&, <, >, " and, with the ENT_QUOTES flag, ') into HTML entities, so > becomes &gt; (note the trailing semicolon); a pasted <script> tag is then displayed as text instead of being run by the browser.

Two caveats a practitioner should keep in mind. First, this cascade is output encoding for HTML, not validation: you still need to check that an e-mail field holds an e-mail address, that a number is a number and that lengths are sensible (filter_var does most of this) and reject anything that fails. Second, htmlspecialchars does nothing for a database query; SQL injection is prevented by prepared statements with bound parameters, not by encoding. Encode at the point of output, for the context you are outputting into. In WordPress the equivalents are sanitize_text_field(), esc_html()/esc_attr() and $wpdb->prepare().
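The following is an added example, not code from the original page: a small comment-form handler that applies the cascade above where it belongs, validates before storing, and uses a prepared statement for the database. The submitted data is a constructed array standing in for $_POST, and the database is an in-memory SQLite table (assumes the pdo_sqlite extension) so the script runs offline; a real site would use its own PDO DSN.

```php
<?php
// Added example (not the page's own code): form input handled with
// validation on the way in and context-specific encoding on the way out.

// Constructed sample standing in for $_POST: an XSS attempt and a
// SQL-injection attempt in the same comment.
$post = [
    'email'   => "  alice@example.com\n",
    'comment' => "Nice post <script>alert(1)</script> -- it's 'great' OR 1=1",
];

// 1. Normalise. trim only strips whitespace at the two ends of the value.
$email   = trim($post['email']);
$comment = trim($post['comment']);
// stripslashes is deliberately NOT applied: it only undoes magic_quotes
// (removed in PHP 5.4) and would otherwise eat legitimate backslashes.

// 2. Validate. Reject data that is the wrong shape instead of "cleaning" it.
$errors = [];
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'invalid email';
}
if ($comment === '' || strlen($comment) > 2000) {
    $errors[] = 'comment empty or too long';
}

// 3. Encode for each output context, at output time.

// HTML context: ENT_QUOTES also encodes the single quote, which matters
// when a value is echoed inside value='...'; ENT_SUBSTITUTE avoids an
// empty string being returned for invalid UTF-8.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Database context: bound parameters, never string concatenation. The raw,
// unencoded value is stored; encoding is the output side's job.
$db = new PDO('sqlite::memory:');   // assumption: pdo_sqlite is available
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (email TEXT, body TEXT)');

if ($errors === []) {
    $stmt = $db->prepare('INSERT INTO comments (email, body) VALUES (:email, :body)');
    $stmt->execute([':email' => $email, ':body' => $comment]);
    echo "stored 1 comment\n";
} else {
    echo 'rejected: ' . implode(', ', $errors) . "\n";
}

// Rendering: the <script> tag and the quotes come out as inert text.
foreach ($db->query('SELECT email, body FROM comments') as $row) {
    echo '<p><b>' . html($row['email']) . '</b>: ' . html($row['body']) . "</p>\n";
}
```

Run it with php from the command line and the stored comment is printed as `&lt;script&gt;alert(1)&lt;/script&gt;` with the quotes encoded, while the `OR 1=1` never had a chance to change the query because it travelled as a bound parameter rather than as SQL.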


Adding a WordPress PHP file to a theme without FTP

Looking to add a PHP file to your theme but have no FTP access? Then try this. Some hosts will not let you do it, for security reasons: the Dashboard's theme editor lets anyone holding an administrator login write and run arbitrary PHP on the server, so hosts (and careful site owners, via the DISALLOW_FILE_EDIT constant in wp-config.php) often switch it off. If the editor is disabled, this trick will not work and you will need FTP or the hosting file manager.

In WordPress' Dashboard menu:

  • Choose Appearance/Editor, then select your theme's functions.php or header.php file.
  • At the top add
    <?php touch('wp-content/themes/yourthemefolder/whatever.php'); ?>
    Obviously yourthemefolder and whatever.php should be changed to your theme's folder name and the new file name respectively. The path is relative to the web server's working directory, which is normally the WordPress root; get_stylesheet_directory() returns the active theme's folder as an absolute path if you would rather not depend on that.
  • Click Update, then view one of your web pages; loading the page executes the PHP line you just added.
  • Go back to Appearance/Editor. You should now see your new file in the list.
  • Re-select the functions.php or header.php file you used, remove the line you added above and press Update. Left in place, the line runs on every page load.
  • Select your whatever.php file and start adding your content as normal.

This is useful to create different page layouts for the content area, i.e. page templates.
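As an added example, not the page's own snippet, the same step done slightly more defensively: the file name is checked, an existing file is never clobbered, and a failed write (for instance a host that has made the theme folder read-only) is reported instead of silently ignored. The file name whatever.php follows the page; if run outside WordPress from the command line, get_stylesheet_directory() is assumed absent and the current directory is used so the script runs stand-alone.

```php
<?php
// Added example (not the page's own code): create a new, empty template
// file in the active (child) theme from functions.php without FTP.
// Paste it temporarily into functions.php, load one page, then remove it.

// Outside WordPress (e.g. run from the CLI to try it out) fall back to the
// current directory; inside WordPress the real function is used.
if (!function_exists('get_stylesheet_directory')) {
    function get_stylesheet_directory(): string
    {
        return getcwd();
    }
}

function create_theme_file(string $name): string
{
    // Accept a plain .php file name only: no slashes, no "..", no spaces.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $name)) {
        return "refused: bad file name '$name'";
    }
    $path = get_stylesheet_directory() . '/' . $name;

    if (file_exists($path)) {
        return "exists: $path";          // never overwrite a live template
    }
    // A valid stub rather than a zero-byte file: the editor shows it and
    // a stray request straight to the file does nothing.
    $stub = "<?php\n// new template, edit me in Appearance/Editor\n";
    if (@file_put_contents($path, $stub) === false) {
        return "failed: $path (folder not writable?)";
    }
    return "created: $path";
}

$result = create_theme_file('whatever.php');
if (PHP_SAPI === 'cli') {
    echo $result, "\n";       // visible when tried from the command line
} else {
    error_log($result);       // in WordPress: goes to the PHP error log, not the page
}
```

When pasted into functions.php the result goes to the PHP error log rather than being echoed, so it cannot break the page's HTTP headers; remember to take the snippet out again once the file shows up in the editor.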


WordPress Health Warning

Plugins can degrade the performance of your site and some have security implications. Delete any plugin you no longer use; a deactivated plugin's code is still on disk and still reachable. Keep plugins to a minimum and update them as soon as an update is released. Remember that little red circle next to the word Plugins in the Dashboard menu you sometimes see? It means some plugins need updating. See it! Do it!

How do I set up a theme 'preview image' for my child theme?

When choosing a WordPress theme in the Appearance sub-menu, each theme usually has an image you can see to identify it and check it out. The image is set up by uploading a PNG image into the theme's own folder, e.g. for a twentysixteen child theme this would be:

/yourdomain.com/wp-content/themes/twentysixteen-child

The image should be 1200 W x 900 H pixels in size.

The image should be called screenshot.png.

It's as simple as that...

Changing the header colour on WordPress Parallax theme

You need to edit the theme's style.css file. Simply search for the selector #navigation_menu.container-full-width and change background-color to the hex colour value you want:

#navigation_menu.container-full-width {
border-bottom: 4px solid #b2b3b2;
background-color: #2E3233;
/*    background-image: url(images/bg.jpg); */
}

In this example the background image has been neutralised by commenting it out (rather than deleting it) and the background colour changed to #2E3233. Make the change in a child theme's style.css if you can: the next update of the Parallax theme overwrites the parent theme's style.css, and your edit with it.

Gasp… Chinese characters on my WordPress Website!

You’ve been hacked my friend…

[Image: example of a hacked WordPress site]
This page was the home page of an actual "professional" WordPress developer.

The above, Gwent-based, WordPress site was probably compromised because the developer did not have the latest version of WordPress. The HTML of the site reported version 4.2.6 at a time when the current release of WordPress was 4.4.1:

<meta name="generator" content="WordPress 4.2.6" />

See "How do I check my version of WordPress without logging in?" below for how to check whether your own WordPress is up to date.

If your site has been compromised in this way, expect it to be tagged with safety warnings by reputation services such as www.siteadvisor.com and www.mywot.com, and by browsers and search engines that consume their data. The hacker's payload can include porn, gambling and violent content, usually injected so that it is visible to search engines but not to the logged-in owner, which is why the first sign is often a visitor's complaint.

How do I reduce the chances of being hacked like this?

How do I get out of this mess?

Give me a ring or email me and we can take it from there. Your site can often be repaired remotely.

Michael Fabbro specialises in providing WordPress webdesign and consultancy for Newport, Gwent based businesses

What is the best way to avoid my WordPress website being hacked?

Number one has to be...

Make sure you have the latest version of WordPress installed.

  • You must also use a good password: long, with upper and lower case letters, numbers and punctuation characters, and not reused on any other site. Do not use any dictionary words unless they are Klingon (The 1st Dynasty Dialect).
  • Avoid plugins if possible; they slow your site down and some have security issues.
  • Make sure plugins and themes are kept up to date.

See also

http://www.fabbro.uk/how-do-i-stop-so-many-hits-for-wp-login-php/

http://www.fabbro.uk/wordpress-xmlrpc-php-high-number-of-hits-in-the-log/

How do I stop so many hits for wp-login.php?

Why are there so many hits for the WordPress file wp-login.php when I rarely log in? Because bots are trying to guess your password.

Simply use FTP or your hosting file manager to rename this file to something you can remember later. When you need to log in to your website, change it back. Be aware that this is a stop-gap: a WordPress core update restores the original wp-login.php, and every "Log in" link WordPress generates (wp_login_url()) still points at the original name, so you will be doing this again after each update.

You can of course add a security plugin that renames the login page to something of your choice, e.g. "iThemes Security".


How do I check my version of WordPress without logging in?

Simply load your home page into a browser and select "view source". Most browsers can display the web page source; on a PC it is usually an option on the right-click menu. Once displayed, use the search option (Ctrl+F) and look for the text meta name="generator".

The line will look something like this for version 4.4.1:

<meta name="generator" content="WordPress 4.4.1" />

If the tag is missing it does not mean the site is up to date: some themes and security plugins remove it, so the version then has to be checked from the Dashboard.

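The same check done by script, as an added example that is not part of the original page: the function pulls the version out of a page's HTML the way the manual "view source" search does and compares it with a known current version. The sample HTML is constructed to match the hacked site above, and the current-version value 4.4.1 is the one quoted on the page; when a URL is given on the command line the script fetches that page instead and asks the api.wordpress.org version-check endpoint for the current release (assumed to answer with JSON containing offers[0].current).

```php
<?php
// Added example (not the page's own code): read the WordPress version from
// the generator meta tag and decide whether the site is behind.

function extract_wp_version(string $html): ?string
{
    // Matches <meta name="generator" content="WordPress 4.4.1" /> with either
    // quote style and with the attributes in either order.
    $re = '/<meta\b[^>]*\bcontent=["\']WordPress\s+([0-9][0-9.]*)["\'][^>]*>/i';
    return preg_match($re, $html, $m) ? $m[1] : null;
}

function needs_update(string $installed, string $latest): bool
{
    // version_compare understands "4.2.6" < "4.4.1" correctly, unlike a
    // plain string comparison.
    return version_compare($installed, $latest, '<');
}

// Constructed sample standing in for the hacked site's home page.
$sample = '<html><head><meta name="generator" content="WordPress 4.2.6" />'
        . '<title>x</title></head><body></body></html>';
$latest = '4.4.1';   // the current release quoted on the page

if (isset($argv[1])) {
    // Live mode: php wpversion.php https://example.com/
    $html = (string) @file_get_contents($argv[1]);
    $json = @file_get_contents('https://api.wordpress.org/core/version-check/1.7/');
    $data = $json ? json_decode($json, true) : null;
    $latest = $data['offers'][0]['current'] ?? $latest;   // assumption: endpoint shape
} else {
    $html = $sample;
}

$installed = extract_wp_version($html);
if ($installed === null) {
    echo "no generator tag found (removed by theme/plugin, or not WordPress)\n";
} elseif (needs_update($installed, $latest)) {
    echo "WordPress $installed is out of date (current release $latest)\n";
} else {
    echo "WordPress $installed is current\n";
}
```

Against the constructed sample it reports 4.2.6 as out of date. As with the manual check, a missing tag proves nothing either way; treat it as "unknown", not as "fine".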

WordPress' xmlrpc.php high number of hits in the log

This file allows remote posting to your blog using an XML-RPC client, and it also accepts login attempts, which is why bots hammer it. If you only ever post from the WordPress Dashboard then the chances are you do not need it active. Rather than delete it, rename it to something you can find again. Two things to know first: the Jetpack plugin and the WordPress mobile apps talk to the site through xmlrpc.php and will stop working without it, and a core update puts the original file back. A rename survives neither, whereas the xmlrpc_enabled filter in a theme's functions.php (returning false) switches the interface off and stays switched off across updates.

If a large number of hits are recorded in the website log for this file, you can see at first hand how often your site is under attack.
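Rather than eyeballing the raw log, the hits that the wp-login.php and xmlrpc.php sections above describe can be counted per client address. The following is an added example, not the page's own code: it parses Apache/nginx "combined" format lines, tallies POST requests to the two files per IP, and flags addresses over a threshold. The log lines are constructed for the example (documentation addresses only), and the threshold of 2 is deliberately low so the tiny sample triggers; on a real log use a time window and a higher number.

```php
<?php
// Added example (not the page's own code): measure bot traffic against
// wp-login.php and xmlrpc.php from a combined-format access log.

// Constructed sample log: one password-guessing bot, one XML-RPC bot and
// one human who loads the login form once and logs in once.
const LOG_LINES = <<<'LOG'
203.0.113.7 - - [10/Jan/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2016:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Jan/2016:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/4.0"
192.0.2.20 - - [10/Jan/2016:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Jan/2016:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.20 - - [10/Jan/2016:10:01:10 +0000] "GET /about/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line into its fields; null if it does not match.
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => parse_url($m[4], PHP_URL_PATH) ?? $m[4],   // drop ?query
        'status' => (int) $m[5],
    ];
}

// Count POSTs to the two endpoints per IP. GETs of wp-login.php are ignored:
// a human fetches the form once, a bot submits it many times.
function tally(string $log): array
{
    $counts = [];
    foreach (explode("\n", trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null || $r['method'] !== 'POST') {
            continue;
        }
        if (in_array($r['path'], ['/wp-login.php', '/xmlrpc.php'], true)) {
            $counts[$r['ip']][$r['path']] = ($counts[$r['ip']][$r['path']] ?? 0) + 1;
        }
    }
    return $counts;
}

// Report every IP/path pair at or above the threshold.
function suspects(array $counts, int $threshold = 2): array
{
    $out = [];
    foreach ($counts as $ip => $paths) {
        foreach ($paths as $path => $n) {
            if ($n >= $threshold) {
                $out[] = "$ip: $n POSTs to $path";
            }
        }
    }
    return $out;
}

foreach (suspects(tally(LOG_LINES)) as $s) {
    echo $s, "\n";
}
```

On the sample it lists 203.0.113.7 (3 POSTs to /wp-login.php) and 198.51.100.9 (2 POSTs to /xmlrpc.php); the human at 192.0.2.20 made a single POST and is not reported. Pointing the script at a real access log instead of the constant gives a quick view of which addresses are worth blocking at the web server or firewall.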