Blog

Anyone know their way around the WordPress 3.5+ media upload API?

Version 1.0 of the Developer’s Custom Fields plugin is in development. I’d hoped that the core Metadata UI API would have made progress enough for me to revamp DCF in light of the new core functionality, but that’s not looking likely. DCF 1.0 won’t be a major update, but I’m hoping to get some significant things sorted out.

The most important, I think, is getting the file field type working with the new (well, introduced in WordPress 3.5) media upload API. It’s pretty much there, but I’m looking for some help with it. Does anyone know the media upload API well?

Read more »

Multiply WordPress posts in testing

Very often while building a WordPress site, I need to see how a layout works with a load of posts. Maybe 4, maybe 40. In any case, it’s tedious creating dummy content.

There’s a number of dummy content dumps out there to use, but often we’re working with custom post types and we need particular custom fields working right.

This bit of code will allow you to add a particular argument to the query (WP_Query, get_posts, etc.) to artificially multiply or repeat the posts returned.

Read more »

Google Analytics Measurement Protocol plugin for WordPress

Recently I had a request from a client to trigger some Google Analytics events for things that were happening on the server. This sort of thing can be tracked indirectly through client-side JavaScript analytics code, with, for example, “success” pages where a user is redirected after the server-side event. However, it seemed to make more sense to look into proper server-side analytics for WordPress sites.

Read more »

Always test for existence of plugin functions

Like every developer, I’ve got a particular configuration for most sites I deploy. My WordPress sites are mostly all based on my Pilau parent/child themes, and I’ve a set of “usual suspect” plugins I include in most projects. Some plugins—in particular Developer’s Custom Fields—are pretty much indispensable to my work. So much so, that for a while I assumed, in my custom theme code, that the plugin would be installed.

More recently I’ve forced myself to follow best practices better. So, even if I know a certain plugin will be installed and active, because I manage the site, I still surround a call to a function from that plugin with a function_exists() test. I just found out why that’s a good idea.

Read more »

Wordfence’s false positive issue with Developer’s Custom Fields

I use the Wordfence plugin on my WordPress sites for extra security. Generally it’s great, but it can be a bit over-sensitive (granted, it’s best to err in this direction with security!).

Just now I did a scan on a site and it came up with a “critical” “suspected malware URL” issue with a file from my Developer’s Custom Fields plugin. Now, whenever I use a bit of code from somewhere on the web, I always include a link in a comment, both in order to credit the person it’s from, and for future reference. I grabbed a bit of code for this plugin, to read URL parameters in JavaScript, from papermashup.com. It seems that Google has recently flagged this domain as being susipicious, citing unpromted malware downloads while also saying “this site has not hosted malicious software over the past 90 days”.

Anyway, however dangerous (or not) this site is, the URL in the JS file is utterly harmless – it’s in a comment. Furthermore, the URL is only in the dev version of the script. Only the minified version – stripped of comments – actually gets used on live sites.

I’ve removed this URL from the latest version of the plugin on GitHub, but it might be a little while before it gets rolled out on wordpress.org. Until then, please ignore this issue if Wordfence flags it up for you.

Force Strong Passwords for WordPress 3.7

The upcoming 3.7 release of WordPress is getting a new password strength meter, using the zxcvbn library from Dropbox.

It’s a great improvement. However, my Force Strong Passwords plugin is based on replicating the JavaScript password strength check in PHP. And zxcvbn.js is 683 KB (minified). I’m simply not going to be able to convert this to PHP, and I can’t see anyone else taking the challenge on.

So what I’m doing is adding some JavaScript for 3.7+ which simply passes the results of the client-side strength meter through to the server for the enforcement check. This should be fine. Of course, a tech-savvy user could manually bypass the check. But without a PHP port of zxcvbn, I think this’ll have to do.

The new version isn’t up on the wordpress.org repository yet, but you can download it from GitHub. If anyone’s using the beta of 3.7, do please give it a whirl and let me know if there’s any issues. Any other feedback regarding this development is also most welcome.

Developer’s Custom Fields 0.8.4

Developer’s Custom Fields 0.8.4 is now available. There’s a couple of new features:

  • The abbreviate_option_labels parameter, which is true by default. This is partly a stop-gap measure for this issue, which involves posts with duplicate titles getting missed out of options populated with options_query. Being able to switch off the abbreviation of titles for the options reduces the chance of this happening.
  • The sortable parameter is now availabel for multiple checkbox fields. This makes use of jQuery UI Sortable to make the checkboxes drag-and-droppable. An extra hidden field is automatically created to store the order. When a sortable field’s values are returned using any of this plugin’s functions, they are returned in the right order. The ordering can be obtained independently with the slt_cf_field_values_order() function.

Blog archive