fixing wordpress

Friday, 23 June 2006

I kid. I love WordPress. But I always have to mess with it, and I figured it was worth documenting how I always mess with it. If you’re not me, you may or may not find this useful, but if you are me, it should save you some time and help you make sure you (I) hit everything the first time through.

Basic Hardening

  • Get rid of xmlrpc.php and wp-trackback.php.
    (disallows trackbacks, but should protect against attacks that come in through the XML-RPC remote procedure call interface)
  • Rename wp-register.php and wp-login.php to something else.
    Change every occurrence of wp-login.php in the renamed file to the new name (so that the forms post to the right action). This may seem pretty paranoid, but otherwise the login form is vulnerable to brute-force attacks.
  • Protect wp-admin with .htaccess
  • Install Spam Karma
    “Kinda mean” setting seems to work well
  • Remove meta links in sidebar.php
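The hardening steps above, scripted, as an added example that is not code from the original post or from WordPress. It assumes a stock WordPress 2.x layout (xmlrpc.php, wp-trackback.php, wp-login.php and wp-register.php at the root, wp-admin/ as a directory); the function names, argument order and the constructed fixture are this example's own. It goes slightly beyond the list in that it rewrites both renamed files for both old names, and it ships a check that confirms every step took effect. References to wp-login.php elsewhere in the tree (admin redirects, for instance) are left alone, as the post does; grep for them separately.

```shell
#!/bin/sh
# Added example (not from the original post): apply the "Basic Hardening"
# steps to a WordPress tree and verify the end state. Assumes a stock
# WordPress 2.x layout; harden_wp/check_hardened/make_fixture are this
# example's own names.
set -eu

# Replace every match of sed pattern $2 in file $1 with $3.
# POSIX sed has no -i, so write through a temp file. $3 must not contain '|' or '&'.
rewrite_name() {
    sed "s|$2|$3|g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# harden_wp ROOT LOGIN_NAME REGISTER_NAME HTPASSWD_PATH
harden_wp() {
    root="$1"; login="$2"; register="$3"; htpasswd="$4"

    # 1. Remove the XML-RPC and trackback entry points entirely.
    rm -f "$root/xmlrpc.php" "$root/wp-trackback.php"

    # 2. Move the login and registration scripts to non-default names and
    #    rewrite their self-references so the forms post to the new names.
    #    Links to wp-login.php elsewhere in the tree are deliberately untouched.
    mv "$root/wp-login.php" "$root/$login"
    mv "$root/wp-register.php" "$root/$register"
    for f in "$root/$login" "$root/$register"; do
        rewrite_name "$f" 'wp-login\.php' "$login"
        rewrite_name "$f" 'wp-register\.php' "$register"
    done

    # 3. Put HTTP basic auth in front of wp-admin. The password file should
    #    live outside the document root; create it with "htpasswd -c".
    cat > "$root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $htpasswd
Require valid-user
EOF
}

# check_hardened ROOT LOGIN_NAME: exit status 0 only when every step has taken effect.
check_hardened() {
    root="$1"; login="$2"
    [ ! -e "$root/xmlrpc.php" ] || return 1
    [ ! -e "$root/wp-trackback.php" ] || return 1
    [ ! -e "$root/wp-login.php" ] || return 1
    [ -f "$root/$login" ] || return 1
    if grep -q 'wp-login\.php' "$root/$login"; then return 1; fi
    grep -q '^Require valid-user$' "$root/wp-admin/.htaccess" || return 1
}

# make_fixture DIR: a constructed, minimal stand-in for a WordPress tree so the
# script can be exercised offline (the real files are far larger).
make_fixture() {
    mkdir -p "$1/wp-admin"
    : > "$1/xmlrpc.php"
    : > "$1/wp-trackback.php"
    printf '<form name="loginform" action="wp-login.php" method="post">\n' > "$1/wp-login.php"
    printf '<a href="wp-login.php">Log in</a> <a href="wp-register.php">Register</a>\n' > "$1/wp-register.php"
}

# Usage on the constructed fixture:
#   d=$(mktemp -d); make_fixture "$d"
#   harden_wp "$d" dmw-login.php dmw-register.php /etc/apache2/wp.htpasswd
#   check_hardened "$d" dmw-login.php && echo hardened
```

Run check_hardened again after every WordPress upgrade: an upgrade restores xmlrpc.php and wp-login.php, and the check fails loudly instead of the site silently going back to the defaults.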

basic functional customization

  • options:permalink
    touch .htaccess in the main blog directory and make it world-writable, set a reasonable permalink structure, then remove world-write from .htaccess again
  • options:writing
    make sure visual editor and emoticons are both unchecked
  • links
    delete all the bogus default links

style tyranny

  • grep the template directory for jS and change all "F jS, Y" to "j F Y", because I prefer day/month/year order.
  • grep the template directory, add to templates (and change all occurrences of class="narrowcolumn" to class="widecolumn"), because I want nav on all pages.
  • Change most occurrences of "center" in style.css to left
    (headings, mostly)
  • Change all occurrences of "justify" to left
  • Get rid of the huge header image. Need to adjust
    #headerimg .description (left margin)
    h1, h1 a, etc. — link, left-margin, alignment and padding
  • get rid of the horrible bullet characters, don’t forget to set:
  • If you want to allow lists within comments (and why not?):

    .commentlist ol li,
    .commentlist ul li {
        font-weight: normal;
        /* the rest of the original rule body did not survive on the page */
    }

  • Distinguish external links:

    a.external:hover, a.ext:hover {
        color: #147;
        text-decoration: none;
        border-bottom: 1px dashed #147;
    }

In post-editing mode, I don’t like the fact that the category selection controls are collapsed by default when the editing page loads. Currently, I’ve got the “more meta” group of editing controls (Discussion, Password-Protect Post, Post Slug, Categories, Post Status) set to display opened. This is suboptimal: I rarely want to password-protect posts or customize the slug, and I’d be happy to have those hidden. But having the categories hidden is a pain that leads to posts published with incorrect tags.

I also don’t like my fix, which will be overwritten whenever WP is upgraded. In wp-includes/js, the file dbx-key.js initializes two dbxGroup control sets, one called “meta” and one called “advanced”. If the default state (the 7th parameter) for “meta” is set to “open” instead of the default “closed”, the “more meta” control set is initialized in the expanded state.

I suppose I could write a javascript library that inserts itself into the onload stack and opens just the categories box, but that also seems likely to be fragile against software upgrades.

I have a very hacky little “plugin” that overrides some of WP’s defaults for marking up text and comments. It should stop text strings like from being marked up as links automatically, it should add class=”external” to links in comments, and it should format ellipses (. . .) the way my editor tells me they should be formatted.
Here’s what’s in it right now:

<?php
function dmw_texturize($data) {
    # leave my ellipses alone!
    # As rendered on the page the two strings are identical, so this call is a
    # no-op; the intended replacement text did not survive the page's HTML.
    $data = str_replace(". . .", ". . .", $data);
    return $data;
}

function dmw_rel_nofollow($text) {
    // dmw hack: class "external" applied to links that get rel="nofollow".
    $text = preg_replace('|<a (.+?)>|i', '<a class="external" $1 rel="nofollow">', $text);
    return $text;
}

# do the regular wptexturize, then undo some particular things
add_filter('the_content', 'dmw_texturize');
# makes www.something into a link. just don't do this at all.
remove_filter('comment_text', 'make_clickable');
# get rid of the standard wp_rel_nofollow, replace with my version.
remove_filter('pre_comment_content', 'wp_rel_nofollow');
add_filter('pre_comment_content', 'dmw_rel_nofollow');


Code in comments has proliferating slashes all over the place. I need to figure out how to stop this without compromising the extra security applied to content text, and without writing improperly escaped strings into the db.