Category: Web Dev Log

Building a Starter Theme

I love using Hybrid Core Framework, I use it in all my themes, I don’t even know how to build a theme without it. Currently Justin is working on the Version 3 of the Framework and it’s offer a lot of improvement and features.

I want to create my own.
nokonokoHybrid Core is modular and extendable so I can use only the features I need and bend it as I see fit, but I want to create my own framework so I can have full control of the features and code. For my themes I created “Tamatebako“, a Hybrid Core sidekick to build theme faster by setting the defaults. Now I want to experiment and make Tamatebako as a standalone framework.

The focus is a little different than Hybrid Core. Instead of building new awesome features, the focus is for faster theme development. I might failed and switch back to Hybrid Core, but I think it’s going to be a good opportunity to dive in and re-learn about theme development.

I haven’t even done porting main framework features (still a mess), but you can follow the development here.

48 Hours Theme Challenge

Explorer WordPress Theme

Explorer
A beautiful WordPress theme inspired by file explorer. I create this theme in 48 hours (well, actually 12.5 hours).

So, a few days ago Sami Keijonen create a challenge to build a WordPress Theme in 48 hours. He mention that he need several months to build a WordPress Theme.

Well, for myself, the challenge is not really hard. I usually build a theme in 2-4 days for simple custom theme. As long as the client already have a design (PSD/design inspiration/example) I can build it in less than a week.

I only charge $300 – $500 for a very simple theme. So, I need to work fast 🙂

Read More 48 Hours Theme Challenge

How to Test Your Code in Multiple PHP Version (only $10/year)

cpanel-select-php-verWordPress is a Global CMS, with very minimum requirement to install:
PHP: version 5.2.4
MySQL: version 5.0

I’m sure most of us have better server configuration than the minimum. I think most hosting have at least PHP 5.4 installed. but as a freelancer, sometimes we get a client with older version of PHP in their server. And for whatever reason they cannot/do not want to upgrade to better hosting.

If you don’t have multiple PHP version in your server, you can always install multiple PHP version in your server and pollute your server with outdated script.

Or you can spent $10 and have a separate server where you can test your code for whole year.

$10 / year, that’s only $ 0.83 / month Read More How to Test Your Code in Multiple PHP Version (only $10/year)

How to Sanitize Image Upload?

Today I updated my plugin f(x) Favicon (no longer available, WordPress now have “Site Icon” feature), and I would like to share in how I sanitize image URL in the plugin uploader.

favicon-settingsWhy sanitize image upload?
Basically what we need is to make sure that the input is an image URL. So, we don’t want user to input other file such as document file, video file, mp3 file, etc.

And this is to make sure our plugin/theme working correctly. We also need to do this check before loading the file.

Wanted result:

<link rel="shortcut icon" href="http://siteurl.com/path/favicon.png"/>

Unwanted Result:

<link rel="shortcut icon" href="http://siteurl.com/path/some-random-file.doc"/>

Read More How to Sanitize Image Upload?

How to use $this in Anonymous Function in PHP 5.3

Yesterday I wrote a WordPress Login Notification Plugin. And I use Anonymous Function (introduced in PHP 5.3) in the settings. It work well in my server but when I install it in my client site, the settings page is truncated even though my client use PHP 5.3.

settings-page-truncatedAfter some googling, I found that we cannot use $this in anonymous function in PHP 5.3, we can use that only in PHP 5.4 +. Thank god I didn’t get fatal error 🙂 Read More How to use $this in Anonymous Function in PHP 5.3

How To Add Background Color (Highlight) Option in WordPress Editor TinyMCE

WP Editor TinyMCE Text Highlight Backgrond Color
WP Editor Background Color Option

WordPress Visual Editor only have text color option. But sometimes we need to highlight the text by changing the text background color. TinyMCE (the editor script) actually have this feature, but WordPress hide it to make the visual editor simpler. But if you need this feature, you can activate this feature using very simple code.

Read More How To Add Background Color (Highlight) Option in WordPress Editor TinyMCE

How to Fix Google Apps “Send mail as” : “Functionality not Enabled”

  1. Login to Google Apps for Work Admin Panel.
  2. Go to “Apps” settings: Manage Apps and their settings.
  3. Select “Google Apps“: Gmail, Calendar, Drive, & more.
  4. Select “Gmail“.
  5. Scroll to the bottom and click “Advanced Settings“.
  6. Uncheck option “Allow per-user outbound gateways” and Save.
  7. Wait for 1 hour.
  8. Check (reactivate) “Allow per-user outbound gateways” option and Save.
  9. Wait for 1 hour.
  10. Try to set “Send Mail As” feature in your Google Apps Gmail Settings again.

If it’s a success you will see SMPT outgoing setting after you submit the “Send mail as” email address and no longer see “Functionality not Enabled” message.

#source

Create WordPress Settings Page With Meta Boxes

In this tutorial I want to explain Step by Step How To Create WordPress Settings/Options Page With Meta Box, like what you see in this screenshot:

WordPress Settings With Meta Box
WordPress Settings With Meta Box

WordPress have a decent Settings API and it offer a lot flexibility in design. Several plugins do “wild” things in their Settings Page, However for better user experience it’s best to use seamless design (blended) with other admin UI design.

One of my favorite admin UI element is Meta Box. Not only because meta box have an easy to use Meta Box API (so we can easily create meta boxes), but it also have user preference options where user can reorder (drag-and-drop) the position, toggle open/close meta boxes. and even changing Screen Layout to 1 or 2 column using “Screen Options”.

Benefit in using Meta Box in Settings Page:

  1. Nice UI : Neatly Group Complex Settings.
  2. Minimum Design Time : WordPress already have the design.
  3. Easy to use : because user already familiar with how the panel works.
  4. Extend-Ability : Other developer can easily extend our plugins and add options with familiar API.

So Let’s Start ! Read More Create WordPress Settings Page With Meta Boxes

Fighting Brute Force Attack in WordPress

wordpress--brute-force-protection

Brute Force Attack is a daily problem for WordPress sites. What’s interesting is that you cannot prevent it from happening. It’s unavoidable. You can only make harder for the attacker to attack your sites.

If we use CMS with login feature to manage our content, we cannot remove/disable the login functionality because we need it to get access to manage the site.

You can use the strongest password, two factor authentication, etc. But it will not stop the attack to your site.

Every single login attempt will cost you server resource. You cannot cache this page to reduce the impact because WordPress need to validate each login attempt.

They can try to get access to your site, and fail. But they still can make your server collapse.
( or make you pay a lot of money if you use hosting that calculate price by pageviews )

But, we can try to discourage attacker by blocking IP addresses they use. If you use relatively good hosting, you probably have firewall system installed in your server to log and block attacker. But you can also install security plugin to add another layer of security. Several plugin for WordPress brute force protection:

  • Limit Login Attempts : un-maintained plugin, if I’m not mistaken WP Engine auto-activate this plugin for sites hosted there.
  • BruteProtect : Use their server to log IP addresses, kinda like Akismet for brute force attack. You need to register to their site to get API key for each of your site. Currently owned by Automattic.
  • Login Security Solution : similar with limit login attempt, maintained. And have multi-site support. This is the plugin I’m using.
  • And a lot more alternative…

It will reduce their attack, but because they seem to have unlimited number of IP Address, it’s actually (kinda) useless method to try to discourage them.

never give up

Quoting from Matt Mullenweg:

Supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).

You can also read other sources to understand the scale of the attack:

Every single day in each sites I got hundreds of failed login attempt. Probably tens of thousands if it’s not protected by firewall and security plugins. It happen in every single site. Not even one site is free from brute force attack.

Several days ago, I ask for advice at Theme Hyrid Forum (private forum replies). I got several response. And from their response I create a custom solution for my sites and my clients sites.

I tested it in 10 different sites for 24 hours, the result is amazing. I got almost zero login attempt.

Even though it’s still premature to say that this solution is working. In this post I would like to share the custom solution I build to solve this problem. Read More Fighting Brute Force Attack in WordPress