gmane.comp.web.wordpress.devel

Re: GSoC - Is it obvious?

Suhas Sharma — 2013-05-20T12:18:42

Hi,

I'm pretty sure they have seen it. I found out the hard way that every time
you post or edit your proposal, mentors are emailed of the changes.

Your project maybe clearly explained that they don't have anything to
comment on. There may be, at times, prioritisation of projects due to the
dearth of slots given but that's not in our control.

Either way, there is no point in worrying. IIRC, the result are on 27th
this month. I'd suggest you wait for the official confirmation.

PS: I haven't received any comments either.

Regards,
Suhas


On Mon, May 20, 2013 at 5:30 PM, <wp-hackers-request< at >lists.automattic.com>wrote:

Re: Admin Login Brute Force Attacks (Revisited)

Marko Heijnen — 2013-05-19T23:54:04

It is but not a lot. Also I can do IP based checks depending on the user role. Meaning you can't do everything webserver side.


Op 20 mei 2013, om 01:46 heeft Daniel <danielx386< at >gmail.com> het volgende geschreven:

Re: Admin Login Brute Force Attacks (Revisited)

Daniel — 2013-05-19T23:46:47

Why would you do an IP based check on PHP? Isn't that a waste of CPU?


On Mon, May 20, 2013 at 9:43 AM, Marko Heijnen <mailing< at >markoheijnen.nl>wrote:

Re: Admin Login Brute Force Attacks (Revisited)

Marko Heijnen — 2013-05-19T23:43:56

I use for my site an PHP based ip check and do block some IP addresses for wp-login.php and xmlrpc.php with Nginx rules
A lot of people always forget that XML-RPC is also a way to retrieve passwords. Do say not used a lot but I would personally use that one.


Op 20 mei 2013, om 01:35 heeft Daniel <danielx386< at >gmail.com> het volgende geschreven:

Re: Admin Login Brute Force Attacks (Revisited)

Daniel — 2013-05-19T23:35:59

Or you could just set it (as long as you are the only person who needs to
log in and you got a static IP address) so that only 1 IP address can get
to that file.



On Mon, May 20, 2013 at 9:32 AM, Andrew Ozz <admin< at >laptoptips.ca> wrote:

Re: Admin Login Brute Force Attacks (Revisited)

Andrew Ozz — 2013-05-19T23:32:31

Another good prevention measure is to set a simple htaccess password (or 
equivalent) only for wp-login.php. Yeah, the users will have to enter 
two passwords when logging in (heh, pseudo 2-step authorization?), but 
the bots only hit Apache not getting to PHP at all. Works on most shared 
hosting and reduces server load.

AuthType Basic
AuthName "[whatever]"
AuthUserFile "/path/to/.htpwd"
<Files "wp-login.php">
require valid-user
</Files>

GSoC - Is it obvious?

Hard Patel — 2013-05-19T13:28:21

Hello hackers

I wanted to ask a question about GSoC 2013.
Is it obvious for selected students to receive mail or IRC or comment on
their proposal(on melange) ?? Asking about more information related to
their ideas.
Is there any way i can know if my proposal has been viewed or not ? [1]

Thank you
Happy selecting. !!

[1] Link to my proposal<https://www.google-melange.com/gsoc/proposal/review/google/gsoc2013/hardyy/1>

Best
Hard Patel

Enhanced Emails - GSoC '13

Pranjal Prabhash — 2013-05-18T21:44:07

Hi,

I have updated my Wordpress blog regarding GSoC (
http://gsoc13.wordpress.com/) . Update is regarding a plugin, which I have
added to the wordpress repository. My plugin is now public.

Its been quite some time since someone has commented on my proposal(on
melange). I have replied to the comments put, and have also regularly
updated my proposal on melange through my comments.

I hope that the developers community has been through my proposal on
melange and also though my blog. What should I be doing now?

Regards,
Pranjal Prabhash

Re: Missing safety check in WP3.6

Otto — 2013-05-17T21:09:08

Might want to bring it up in the ticket where the change happened:

http://core.trac.wordpress.org/ticket/24062

-Otto


On Fri, May 17, 2013 at 1:56 PM, Luke Bryan <lukebryan< at >sharefaith.com> wrote:

Missing safety check in WP3.6

Luke Bryan — 2013-05-17T18:56:32

Greetings,

I have been testing WP3.6 and have run into a problem. It seems a
safety check has been removed since wp3.5. In
wp-includes/js/media-editor.js, the add function used to simply return
the wp.media object of the object, if it existed already:

WP3.5:
add: function( id, options ) {
var workflow = this.get( id );

if ( workflow )
return workflow;

workflow = workflows[ id ] = wp.media( _.defaults( options || {}, {
frame:    'post',
state:    'insert',
title:    wp.media.view.l10n.addMedia,
multiple: true
} ) );

workflow.on( 'insert', function( selection ) { ...

WP3.6:
add: function( id, options ) {
var workflow = this.get( id );

workflow = workflows[ id ] = wp.media( _.defaults( options || {}, {
frame:    'post',
state:    'insert',
title:    wp.media.view.l10n.addMedia,
multiple: true
} ) );

workflow.on( 'insert', function( selection ) { ...

You used to be able to create the editor's add-media window and make
modifications to it, using
var dialog = wp.media.editor.add('content');
dialog.on('open', dosomething...
dialog.on(event, dosomethingelse...

This would work in 3.5, since all code calling "add" would get the
same object, creating it if it did not yet exist.
In 3.6, the same method seems to cause double-creation of the object,
which makes plupload fail when user tries to upload a file.
When that happens, it causes exception where $index is undefined, in
this section of media-views.js:
info: function() {
var queue = this.queue,
index = 0, active;

if ( ! queue.length )
return;

active = this.queue.find( function( attachment, i ) {
index = i;
return attachment.get('uploading');
});

this.$index.text( index + 1 );

Is this a bug in 3.6, or does code that interacts with the uploader
need to be rewritten, to check existence with get() before calling
add(), and wait for the initial add() call on admin pages, somehow? I
couldn't find any documentation on this issue.

Other than that, wp3.6 seems pretty stable, looking forward to release
day Monday.

Best regards,
Luke

WordPress.org Stats API

Ken (WraithKenny — 2013-05-17T17:18:01

Is there a way to get a filter on http://api.wordpress.org/stats/php/1.0/ (like
`?wp=3.5`) to reduce the result to a particular version of WordPress? If
not, can that be added please?
(I'm requesting the API handle this; It'd also be nice, but not necessary,
to add it to http://wordpress.org/about/stats/ )

I think it'd be useful for plugin authors to see the PHP version breakdown
for a particular version (mainly, the latest WP version) rather then having
older versions (3.0-3.4) mixed in.
(Just for fun, it'd also be interesting to see which PHP versions beta
testers are using to test!)

Example Case: I'm making a plugin that will require at least WP 3.6 (It'll
be in the plugin header, and have a check), and would like to use PHP 5.4
(or at least 5.3). Since the plugin won't run on lower versions, the PHP
versions reported for those lower WP versions aren't useful for my inquiry.

Currently http://wordpress.org/about/stats/ shows 62.5% on PHP 5.2. I would
assume a correlation of older WP to older PHP. Only 33% of WP up to date on
3.5. I'd further assume that the percent of PHP 5.2 for WP 3.5 would be
lower then 62.5%. I just don't have the access to that data yet to confirm.
Please liberate the data for the sake of us poor curious developers! :-)

P.S I originally sent this yesterday, but evidently was having
email/internet issues. I've seen on twitter that Nacin talked about this
yesterday (coincidence). He said that the data isn't yet broken down that
way even internally, but also that the difference in PHP version by WP
version is negligible. Still, it'd be nice to see the data anyway (removing
doubt would help). Also note, this isn't an argument to get WP to abandon
5.2, it's to get more info to plugin/theme devs.

Re: Admin Login Brute Force Attacks (Revisited)

Harry Metcalfe — 2013-05-17T15:42:04

I'd recommend using something like Varnish or nginx to do this - so that 
the requests never even get to Apache.

Harry


On 17/05/13 16:08, Bryan Spahr wrote:

Re: Admin Login Brute Force Attacks (Revisited)

Dion Hulse (dd32 — 2013-05-17T15:17:28

I've done similar stuff in wp-config.php before, a specific bot was hitting
my site rather heavily, so I added a if ( user_agent ) die(); check to the
top of wp-config.php..

I'd just add the same here:
if ( isset( $_POST['log'] ) && 'admin' == substr( $_POST['log'], 0, 5 ) )
die();
(Assuming the username field is 'log')



On 17 May 2013 10:08, Bryan Spahr <bryanspahr< at >gmail.com> wrote:

Admin Login Brute Force Attacks (Revisited)

Bryan Spahr — 2013-05-17T15:08:53

For performance[*], I would like to be able to reject any login attempt
where _POST['log'} begins with 'admin', and to do it at the earliest possible
moment, to minimize the load on my server.

Is login_form_login a reasonable place for this kind of check?  Or is there
an earlier hook that would cause less load on the server?

And what is the best way to "die" in this case - exit? die? redirect?


Thanks,
Bryan

[*] This is NOT intended as a security measure.  I have taken all necessary and
reasonable precautions to prevent someone from breaking in to any of the sites
I host.  I'm looking to mitigate the resource usage caused by bots trying to
log in as admin, or adminadmin, or administrator which is what I'm seeing and
have been seeing for the past few months.

Re: Two wordpress sites but one wordpress DB

Simon Vart — 2013-05-17T11:18:04

I do that sometimes for having différents langages.

I just use wp-config.php to use a different prefix database according to
domail url.

I can send details if you're interested.

With some little more adjustements, I also share users table so the
WordPress installs use the same logins.
Le 16 mai 2013 22:31, "Haluk Karamete" <halukkaramete< at >gmail.com> a écrit :

Two wordpress sites but one wordpress DB

Haluk Karamete — 2013-05-16T20:31:33

I would like to explore the possibilities of a installing a new wordpress
installation which will be tapping into the same database as the first one.

The new site will obviously be identical in terms of content but I may
choose to install different plugins, use different themes on the second
one.

Of course, wp_options table will be my deal breaker here. but I'm sure
there are work arounds this matter.

So I searched the matter and found this post, but before I explore the
suggested route I wanted to check with you guys to see if this is the way
to go or not?

Thank you

Here is the suggestion.

<quote>

I've done this before, having 6 websites shoot out content from the same
database.

It's easy enough to do. Upload WP into both directories. Make sure they
have the identical wp-config.php file.

In the second sites directory do the following:
In the wp-settings.php file change the options database value to something
like this:

// Table names
$wpdb->posts = $table_prefix . 'posts';
$wpdb->users = $table_prefix . 'users';
$wpdb->categories = $table_prefix . 'categories';
$wpdb->post2cat = $table_prefix . 'post2cat';
$wpdb->comments = $table_prefix . 'comments';
$wpdb->links = $table_prefix . 'links';
$wpdb->linkcategories = $table_prefix . 'linkcategories';
$wpdb->options = 'YOURNEWPREFIX_options';
$wpdb->postmeta = $table_prefix . 'postmeta';
$wpdb->usermeta = $table_prefix . 'usermeta';

$wpdb->prefix = $table_prefix;

See how I've removed $table_prefix . in the options line?
Instead of YOURNEWPREFIX put something like 'site2' or whatever you want.

Then, in PHPmyAdmin duplicate the wp_options table, and rename one of the
them to be YOURNEWPREFIX_options, so if you chose 'site2', it would be
'site2_options'.

Bingo. Edit the information in the 'site2_options' table to refelct the
correct information for your second site and you will be on your way.
<quote>

Re: Must Use plugin example?

Micky Hulse — 2013-05-15T23:18:12

Thanks to everyone who replied. Thanks to your help, this is my first
WP plugin (shameless plug):

<https://github.com/mhulse/wp-deck>

It's a really stupid plugin, and could use a lot of improvements
(please be kind if you have feedback), but it's been a great learning
experience for me (I'm slowly getting my wrapped around the
ins/outs/idiosyncrasies of WP and its API).

I have to admit, I'm not used to using static methods all over the
place ... Doesn't feel completely optimal.

Once I have some more free time, I'm going to circle back around and
re-work the code to use some of the patterns/code mentioned here:

http://wordpress.stackexchange.com/questions/26186/should-all-plugins-be-encapsulated-in-a-class

... and here:

http://stackoverflow.com/questions/8688738/wordpress-plugin-how-do-i-avoid-tight-coupling

... and the link Christian sent, which linked to:

http://bbpress.trac.wordpress.org/browser/trunk/bbpress.php

... which looks very nice in terms of the pattern used.

Anyway, thanks again ya'll! Much appreciated.

Cheers,
Micky

Re: Must Use plugin example?

Micky Hulse — 2013-05-15T18:36:08

Thanks Christian! Checking out the link now. I really appreciate it. :)

Re: Must Use plugin example?

Christian Wach — 2013-05-15T17:54:31

You could look at:

<http://jaco.by/2012/12/12/slash-architecture-my-approach-to-building-wordpress-plugins/>

Cheers,

Christian


On 15 May 2013, at 17:44, Micky Hulse <mickyhulse.lists< at >gmail.com> wrote:

Re: Must Use plugin example?

Micky Hulse — 2013-05-15T16:44:06

On Tue, May 14, 2013 at 8:00 PM, Abdussamad Abdurrazzaq
<abdussamad< at >abdussamad.com> wrote:

Awesome! Thanks for pointing me towards an example, that's very helpful.

Much appreciated.

Honestly, the reason why I ask is because I've never written a WP
plugin before. I've got a decent PHP background, and have written
plugins for other CMS/blog platforms ... With that said, I'm curious
if anyone knows of a repo of WP plugin patterns, similar to:

<https://github.com/shichuan/javascript-patterns>

... I know I could just start downloading plugins from the net and
dissect; I guess I'm kinda curious if there's someone out there
collecting WP plugin templates/patterns (from simple to complex)?

Thanks to everyone for the time and help.

Cheers,
M

Regenerating re-writes upon migration

David Anderson — 2013-05-15T12:13:43

Hi,

To answer my own question from yesterday...

If you're doing an online replacement (i.e. from within WordPress 
itself) of your own database from another webserver, and want to do a 
best-effort job of regenerating your (possibly non-existent) .htaccess 
file to take account of the possibly different permalink structure in 
the database being imported, then...

This is sufficient:
         global $wp_rewrite;
         $wp_rewrite->init();
         flush_rewrite_rules(true);

Only other thing is that you'll need to hook the the pre_option_ filter 
for the options permalink_structure, rewrite_rules and page_on_front 
options in order to make sure that WordPress gets the data from your 
newly-migrated database instead of from cached settings.

David