WordPress plugin to remotely manage and automate multiple WordPress sites

Hello! Being a Toronto based web design and development agency means that we interact with a significant number of WordPress sites. This tends to happen when a project starts (obviously), but often continues after a site is launched. This is something that we offer along the lines of “post launch maintenance”. By no means is our job done once a site is launched, and I’m sure a lot of other people in the industry can relate. If you follow the WP Vulnerability database notifications (if you don’t, you should), then you will see many notifications per day with various plugin or core vulnerability announcements. For this reason, among many others, we found ourselves struggling to automate and streamline the management of many client websites. We’re fans of automation and have published articles on our efforts to integrate WordPress with Jenkins. With that particular plugin, we were able to automate […]

How to use Jenkins and Git to automate code pushes for your Laravel project

Hello! Recently we published guides on how to push WordPress sites with Jenkins or how to push WordPress sites with a simple shell script. We thought it might be useful to give an overview of how to streamline your code integration process with Jenkins, GitHub and Bash shell scripting. The script I will outline below is definitely a starting point. There are, of course, efficiencies that could be made within this script, or perhaps gained by porting its logic to Python. The idea behind this process is to automate and streamline code integration across your local development environment and potentially to a “staging” server where unit and other tests can be performed. Lastly, a “production” push is included in this script. The strategy is to create a separate git branch for staging and production and to either push code directly or create a pull […]

How to craft an XSS payload to create an admin user in WordPress

Hello! XSS (or cross-site scripting) attacks are a common method to maliciously execute actions against a website installation. In particular, this type of attack vector is useful when dealing with a CMS like WordPress where you have administrative user accounts to target. This means that if you are able to craft an XSS payload that will ultimately be executed by the administrator of that site, you can essentially do whatever you want. In JavaScript, of course. What I’ll go through in this post is exactly how to capitalize on a particular (old) WordPress plugin vulnerability to deliver a persistent XSS injection (not logged into WordPress) that will later be executed by someone logged into WordPress with higher privileges, such as an administrator.
Persistent versus Reflected XSS
This is debatable, but to simplify things it would be easiest to describe XSS attacks as being two high-level methods: persistent […]

WordPress Woocommerce plugin to disable payment methods based on zip or postal codes

Hello! Woocommerce is a great easy-to-implement and versatile e-commerce platform. With the robust development community, expanding the core functionality can be relatively straightforward with the availability of a wide assortment of 3rd party plugins for Woocommerce. One of the things that we felt was missing, but a simple requirement, was the ability to manipulate the payment methods available based on the zip or postal code of the customer. This means that under certain conditions, the end user will have a catered list of payment methods available to them. The system would need to have the ability to “remember” the user, and subsequently the available payment methods, even if they came back later to purchase with a different postal or zip code. Why is this necessary? There could be many different justifications for this type of behavior with Woocommerce. If you are offering products and services to customers on a national […]

WordPress plugin to integrate Jenkins to streamline your build process

Hello! We love integrating Jenkins into our development workflow. Typically Jenkins would be used for custom development projects to streamline the development “push” process in order to seamlessly integrate code changes from a testing / staging environment over to the live environment. For frameworks like Laravel or Django, this works very nicely. Until recently, we hadn’t considered integrating Jenkins into our development workflow for WordPress projects simply because it seemed like overkill. It wasn’t until a few larger WordPress projects came along that required a standalone staging site to push changes that we considered actually integrating the Jenkins push process into the WordPress administrative interface. What this means is that our clients wanted a staging environment to make content and other front facing changes, approve them internally and then initiate a content push from the staging site to the production / live site. From a development perspective we would be […]

IP Address Reputation and intelligence plugin for WordPress

Hello! With WordPress security, there are many methods for hardening and tightening controls, and methods for preventing common attack vectors, including best practices from a development, systems administration and even 3rd party plugin perspective. Since the rising popularity of “IP Reputation Intelligence” with corporate networks and streaming services like Netflix, I thought it would be a great opportunity to integrate one of the more powerful machine learning IP Intelligence services into WordPress: Shift8 IP Intel. IP Intelligence is a free service among many paid / commercial alternatives. Though the free tier is limited by a request threshold, the opportunity to significantly reduce malicious traffic from visiting your site is obvious. The service uses machine learning techniques developed by the service developer to identify the reputation of an IP address and assign it a score. The higher the score, the more likely your IP address is part […]

How to integrate Chart.js into WordPress Woocommerce to show charts and graphs of your products

Hello! One of the nice things about Woocommerce is that it is very easily customized. Actions can be removed and re-added in order to adjust the default behavior. Additionally, you can override many of the default templates that come with Woocommerce and its many extensions to fine tune and adjust the way you want your e-commerce site to behave. Whether you are selling t-shirts or auto parts, sometimes it’s nice to have a clean visual representation of the statistics of each of your products. This will allow the customer to easily attain the pertinent information that they may be looking for, perhaps even assisting in leading them into an online sale. One of the best JavaScript libraries out there for “charting” is Chart.js. It is very simple yet extremely flexible for plotting and drawing visual representations of data. Things like chart colors, borders and a responsive layout are all things that […]

How to encrypt and execute your PHP code with MCRYPT or OPENSSL

Hello! While the scenario in which you would want to encrypt your PHP code and execute it may not necessarily be common, it is something that I would consider an interesting discussion nonetheless. I fully support free and open source software; however, if you are developing an application that manages or monitors systems or services, or an application that needs to reside in a “hostile” environment, it might be pertinent to consider encrypting the code before executing it. This protects your code from even being read (and ultimately executed) unless the proper key is passed in order to decrypt it. In the following example and breakdown, we will be (separately) using both Mcrypt and OpenSSL to encrypt a block of code with a specified key. We will then use that same key to decrypt the encrypted code in order to run it. The reason why I am giving both […]

How to use PHP as a web service to backup MySQL over HTTPS to a remote destination

Hello! Following the theme of our last post, we thought it might be useful to demonstrate how to create a pure PHP based web service to back up your MySQL database to a remote destination (also with PHP) over a secure HTTPS connection. At a high level, all we will be doing is iterating over all the tables of the database, generating the database data as JSON, and transmitting it to the receiving end over an AJAX HTTPS POST. We’ll save it for a separate post, but in this scenario you would also likely want to iterate over the JSON data on the receiving end in order to process and create the database backup on the receiving end’s MySQL instance.
Trigger the backup
In our scenario we would be implementing this solution as a WordPress plugin. There’s no point in going into it specifically in that context because it is most likely […]

How to use PHP to recursively transfer files in parallel over HTTP

Hello! There may be some scenarios where you might want to clone your site or push files to a remote location entirely using PHP as a web service, without touching the command line. There are many console or command line utilities to help complete this type of job such as rsync, scp, ncftp, ftp or any of the wide assortment of network file copy utilities that are available today. But what if you want to have a system in place that migrates your site files on a web host where the console or command line is not available? For example, someone on a shared hosting plan with GoDaddy or a similar service will not be allowed command line access to Linux utilities like rsync without paying for a VPS or similar plan that affords such access. Rest easy, there are ways to synchronize your files even on a […]