Luke Bryan | 27 Aug 09:10 2014

Extensibility and shortcodes

Greetings all,

I was looking at the wp media shortcode and wp-views, and noticed a few
things that seem not-too-portable in the view ajax and rendering:

In ajax-actions.php of WordPress 4.0 we see this render-and-return routine
requiring a post_id of a post the user can edit:

function wp_ajax_parse_media_shortcode() {
    global $post, $wp_scripts;

    if ( ! $post = get_post( (int) $_REQUEST['post_ID'] ) ) {
        wp_send_json_error();
    }

    if ( empty( $_POST['shortcode'] ) || ! current_user_can( 'edit_post', $post->ID ) ) {
        wp_send_json_error();
    }

    setup_postdata( $post );
    $shortcode = do_shortcode( wp_unslash( $_REQUEST['shortcode'] ) );

    if ( empty( $shortcode ) ) {
        wp_send_json_error( array(
            'type' => 'no-items',
            'message' => __( 'No items found.' ),
        ) );
    }

(Continue reading)

Dino Termini | 21 Aug 05:24 2014

Language Packs for plugins

Hi,

does anyone know what's the status of this feature?

http://ottopress.com/2013/language-packs-101-prepwork/

Otto had announced this feature in version 3.7: is there a page where we 
can learn more on how to implement it in our plugins?

Thanks,
Dino.
Dino Termini | 20 Aug 14:01 2014

Work on draft while page is published

Hi all, 

Say I've already published a page or post. I now want to make changes, but I want a colleague to check them over
before they go live. Is there any way of doing this? 

Thank you, 
Dino 
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
dxw Security | 20 Aug 12:32 2014

Information disclosure vulnerability in WordPress Mobile Pack allows anybody to read password protected posts (WordPress plugin)

Details
================
Software: WordPress Mobile Pack
Version: 2.0.1
Homepage: http://wordpress.org/plugins/wordpress-mobile-pack/
Advisory report: https://security.dxw.com/advisories/information-disclosure-vulnerability-in-wordpress-mobile-pack-allows-anybody-to-read-password-protected-posts/
CVE: Awaiting assignment
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description
================
Information disclosure vulnerability in WordPress Mobile Pack allows anybody to read password
protected posts

Vulnerability
================
WordPress Mobile Pack contains a PHP file which allows anybody – authenticated or otherwise – to
read all public and password protected posts (draft and private posts appear not to be affected).

Proof of concept
================

Create a password-protected post
Enable WordPress Mobile Pack
Visit http://localhost/wp-content/plugins/wordpress-mobile-pack/export/content.php?content=exportarticles&callback=x
Your password-protected post is now visible to everybody in the form of JSON wrapped in “x()”

Example output:
x (
    {
(Continue reading)

Sinan | 20 Aug 00:49 2014

Does anyone here have experience with the wpmu membership plugin

Does anyone here have experience with the wpmu membership plugin?

https://premium.wpmudev.org/project/membership/

-- 
Sinan İŞLER
sinanisler.com <http://www.sinanisler.com/>
_______________________________________________
wp-hackers mailing list
wp-hackers <at> lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers
Nikola Nikolov | 8 Aug 13:36 2014

Discontinuing a plugin on WordPress.org

Hi everyone,

I was working with a client that was using the Fundify WordPress theme,
which was powered by a combination of Fundify Crowdfunding
( https://wordpress.org/plugins/appthemer-crowdfunding/ ) and EDD.

I wanted to download the source of the plugin to my computer to easily
navigate through the codebase. On the plugin page they've added "(Moved)"
to the name of the plugin.
Once I extracted the archive, there was nothing but an empty .php file and
a readme.txt file.

My question in this case is - is this allowed and isn't that a terrible way
of discontinuing a plugin? What if someone updates the plugin and their
site stops working? Or someone installs the plugin and nothing happens...

Is there anything the WordPress.org plugins team can do about it?

Best regards,
Nikola
David Anderson | 7 Aug 10:20 2014

Re: Blocking SEO robots

Jeremy Clarke wrote:
>
> The best answer is the htaccess-based blacklists from PerishablePress. I
> think this is the latest one:
>
> http://perishablepress.com/5g-blacklist-2013/
This looks like an interesting list, but doesn't fit the use case. The 
proprietor says "the 5G Blacklist helps reduce the number of malicious 
URL requests that hit your website" - and reading the list confirms 
that's what he's aiming for. I'm aiming to block non-malicious actors 
who are running their own private search engines - i.e. those who want 
to spider the web as part of creating their own non-public products 
(e.g. databases of SEO back-links). It's not about site security; it's 
about not being spidered each day by search engines that Joe Public will 
never use. If you have a shared server used to host many sites for your 
managed clients, then this quickly adds up.

At the moment the best solution I have is adding a robots.txt to every 
site with "Crawl-delay: 15" in it, to slow down the rate of compliant 
bots and spread the load around a bit.

Best wishes,
David

-- 
UpdraftPlus - best WordPress backups - http://updraftplus.com
WordShell - WordPress fast from the CLI - http://wordshell.net
David Anderson | 6 Aug 14:08 2014

Re: Blocking SEO robots

Haluk Karamete wrote:
> Could this list help you? http://www.robotstxt.org/db/all.txt
At first this looks potentially useful - since it is in a 
machine-readable format, and can be parsed to find a list of bots that 
match specified criteria.... but on a second glance, it looks not so 
useful. I searched for 3 of the recent bots I've seen most regularly in 
my logs: SEOKicks, AHrefs, Majestic12 - and it doesn't have any of them.

Blue Chives wrote:
> Depending on the web server software you are using you can look at using the htaccess file and block
> users/bot based on their user agent.
>
> This article should help:
>
> http://www.javascriptkit.com/howto/htaccess13.shtml
The issue's not about how to write blocklist rules; it's about having a 
reliable, maintained, categorised list of bots such that it's easy to 
automate the blocklist. Turning the list into .htaccess rules is the 
easy bit; what I want to avoid is having to spend long churning through 
log files to obtain the source data, because it feels very much like 
something there 'ought' to be pre-existing data out there for, given how 
many watts the world's servers must be wasting on such bots.

Best wishes,
David

-- 
UpdraftPlus - best WordPress backups - http://updraftplus.com
WordShell - WordPress fast from the CLI - http://wordshell.net

pushpendu mondal | 6 Aug 12:46 2014

Adding Date-picker to Widget.

Hi ,

I want to add a Datepicker field to my custom widget. So that I can select
a date from backend. I have tried a lot but no proper solution. Can anyone
help me out how can I complete the task.

Regards
Pushpendu
David Anderson | 6 Aug 11:50 2014

Blocking SEO robots

This isn't specifically a WP issue, but I think it will be relevant to 
lots of us, trying to maximise our resources...

Issue: I find that a disproportionate amount of server resources are 
consumed by a certain subset of crawlers/robots which contribute nothing. 
I'd like to just block them. I have in mind the various semi-private 
search engines run by SEO companies/backlink-checkers, e.g. 
http://en.seokicks.de/, https://ahrefs.com/. These things happily spider 
a few thousand pages, every author, tag, category, etc., archive. Some 
of them refuse to obey robots.txt (the one that specifically annoys is 
when they ignore the Crawl-Delay directive. I even came across one that 
proudly had a section on its website explaining that robots.txt was a 
stupid idea, so they always ignored it!).

I'd like to just block such crawlers. So: does anyone know of where a 
reliable list of the IP addresses used by these services is kept? 
Specifically, I want to block the semi-private or obscure crawlers that 
do nothing useful for my sites. I don't want to block mainstream search 
engines, of course. I've done some Googling, and haven't managed to find 
something that makes this distinction.

Or alternatively - anyone think this is a bad idea?

Best wishes,
David

-- 
UpdraftPlus - best WordPress backups - http://updraftplus.com
WordShell - WordPress fast from the CLI - http://wordshell.net

David Anderson | 5 Aug 10:54 2014

At last... (PHP versions)


Rejoice: PHP 5.3 is, at last, on the threshold of overtaking PHP 5.2 as 
the most common version that WordPress is being run on...

http://wordpress.org/about/stats/

... just in time for the PHP 5.3 end-of-life! 
http://marc.info/?l=php-internals&m=140605526629324&w=2 (though for 
many, there will continue to be security patches for several more years, 
since PHP 5.3 was part of RHEL 5 and hence CentOS 5).

From the end of this month, around 21.5% of WordPress installations 
will be running on non-EOL-ed PHP versions.

Best wishes,
David

-- 
UpdraftPlus - best WordPress backups - http://updraftplus.com
WordShell - WordPress fast from the CLI - http://wordshell.net
