Bart Schouten | 2 Sep 03:38 2014

is_single() includes attachments

(I wrote this two weeks ago).

Hi all,

There seems to be a bit of a confusion all around about the "is_single()" 
template function.

From the Codex:

"This conditional tag checks if a single post of any post type except 
attachment and page post types is being displayed. (...). To check for all 
the post types, use the is_singular() function."

However when you check the code it is clear attachments are included, not 

(Talking about 3.9.2 now)..

query.php: WP_Query::init_query_flags() initializes $this->is_single to

query.php: WP_Query::parse_query() then does:

if ( ('' != $qv['attachment']) || !empty($qv['attachment_id']) ) {
      $this->is_single = true;
      $this->is_attachment = true;

Also, further down:

(Continue reading)

Bart Schouten | 2 Sep 03:20 2014

Blocking SEO robots

On Wed, Aug 6, 2014 at 9:26 PM, Daniel <malkir at> wrote:

> Set up a trap. A link hidden by CSS on each page that if hit, the IP 
> gets blacklisted for a period of time. No human will ever come across 
> the link unless they're digging. No bot actually renders the entire page 
> out before deciding what to use.

This is awesome stuff.

Personally I am annoyed by the pollution of page hit (visitor) statistics. 
So the same trigger cq. trap could be used to filter out those. At this 
point I am probably not allowed by my host in any way to start blocking 
IPs at the Apache level (even that) but it is easy enough to implement it 
in PHP at least for my purposes.

I guess it should then just be the first link on every page, which is 
currently a "home" link. It could be something ridiculously funny like 
geteatenalive.php but that might also tempt some human diggers :P.

Alright let's see what it does. I have this table:

CREATE TABLE wordpr_trap_victims (
   ip_address VARCHAR(15) NOT NULL,
   host_name VARCHAR(255),
   user_agent VARCHAR(255),
   referer VARCHAR(2000),
(Continue reading)

Luke Bryan | 27 Aug 09:10 2014

Extensibility and shortcodes

Greetings all,

I was looking at the wp media shortcode and wp-views, and noticed a few
things that seem not-too-portable in the view ajax and rendering:

In ajax-actions.php of Wordpress 4.0 we see this render-and-return routine
requiring a post_id of post the user can edit:

function wp_ajax_parse_media_shortcode() {
    global $post, $wp_scripts;

    if ( ! $post = get_post( (int) $_REQUEST['post_ID'] ) ) {

    if ( empty( $_POST['shortcode'] ) || ! current_user_can( 'edit_post',
$post->ID ) ) {

    setup_postdata( $post );
    $shortcode = do_shortcode( wp_unslash( $_REQUEST['shortcode'] ) );

    if ( empty( $shortcode ) ) {
        wp_send_json_error( array(
            'type' => 'no-items',
            'message' => __( 'No items found.' ),
        ) );

(Continue reading)

Dino Termini | 21 Aug 05:24 2014

Language Packs for plugins


does anyone know what's the status of this feature?

Otto had announced this feature in version 3.7: is there a page where we 
can learn more on how to implement it in our plugins?

Dino Termini | 20 Aug 14:01 2014

Work on draft while page is published

Hi all, 

Say I've already published a page or post. I now want to make changes, but I want a colleague to check them over
before they go live. Is there any way of doing this? 

Thank you, 

Sent from my Android device with K-9 Mail. Please excuse my brevity.
dxw Security | 20 Aug 12:32 2014

Information disclosure vulnerability in WordPress Mobile Pack allows anybody to read password protected posts (WordPress plugin)

Software: WordPress Mobile Pack
Version: 2.0.1
Advisory report:
CVE: Awaiting assignment
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)

Information disclosure vulnerability in WordPress Mobile Pack allows anybody to read password
protected posts

WordPress Mobile Pack contains a PHP file which allows anybody – authenticated or otherwise – to
read all public and password protected posts (draft and private posts appear not to be affected).

Proof of concept

Create a password-protected post
Enable WordPress Mobile Pack
Visit http://localhost/wp-content/plugins/wordpress-mobile-pack/export/content.php?content=exportarticles&callback=x
Your password-protected post is now visible to everybody in the form of JSON wrapped in “x()”

Example output:
x (
(Continue reading)

Sinan | 20 Aug 00:49 2014

Is anyone here has experience with wpmu membership plugin

Is anyone here has experience with wpmu membership plugin?


Sinan İŞLER <>
wp-hackers mailing list
wp-hackers <at>
Nikola Nikolov | 8 Aug 13:36 2014

Discontinuing a plugin on

Hi everyone,

I was working with a client that was using the Fundify WordPress theme,
which was powered by a combination of Fundify Crowdfunding( ) and EDD.

I wanted to download the source of the plugin to my computer to easily
navigate through the codebase. On the plugin page they've added "(Moved)"
to the name of the plugin.
Once I extracted the archive, there was nothing but an empty .php file and
a readme.txt file.

My question in this case is - is this allowed and isn't that a terrible way
of discontinuing a plugin? What if someone updates the plugin and their
site stops working? Or someone installs the plugin and nothing happens...

Is there anything the plugins team can do about it?

Best regards,
David Anderson | 7 Aug 10:20 2014

Re: Blocking SEO robots

Jeremy Clarke wrote:
> The best answer is the htaccess-based blacklists from PerishablePress. I
> think this is the latest one:
This looks like an interesting list, but doesn't fit the use case. The 
proprietor says "the 5G Blacklist helps reduce the number of malicious 
URL requests that hit your website" - and reading the list confirms 
that's what he's aiming for. I'm aiming to block non-malicious actors 
who are running their own private search engines - i.e. those who want 
to spider the web as part of creating their own non-public products 
(e.g. databases of SEO back-links). It's not about site security; it's 
about not being spidered each day by search engines that Joe Public will 
never use. If you have a shared server used to host many sites for your 
managed clients, then this quickly adds up.

At the moment the best solution I have is adding a robots.txt to every 
site with "Crawl-delay: 15" in it, to slow down the rate of compliant 
bots and spread the load around a bit.

Best wishes,


UpdraftPlus - best WordPress backups -
WordShell - WordPress fast from the CLI -
David Anderson | 6 Aug 14:08 2014

Re: Blocking SEO robots

Haluk Karamete wrote:
> Could this list help you?
At first this looks potentially useful - since it is in a 
machine-readable format, and can be parsed to find a list of bots that 
match specified criteria.... but on a second glance, it looks not so 
useful. I searched for 3 of the recent bots I've seen most regularly in 
my logs: SEOKicks, AHrefs, Majestic12 - and it doesn't have any of them.

Blue Chives wrote:
> Depending on the web server software you are using you can look at using the htaccess file and block
users/bot based on their user agent.
> This article should help:
The issue's not about how to write blocklist rules; it's about having a 
reliable, maintained, categorised list of bots such that it's easy to 
automate the blocklist. Turning the list into .htaccess rules is the 
easy bit; what I want to avoid is having to spend long churning through 
log files to obtain the source data, because it feels very much like 
something there 'ought' to be pre-existing data out there for, given how 
many watts the world's servers must be wasting on such bots.

Best wishes,


UpdraftPlus - best WordPress backups -
WordShell - WordPress fast from the CLI -
(Continue reading)

pushpendu mondal | 6 Aug 12:46 2014

Adding Date-picker to Widget.

Hi ,

I want to add a Datepicker field to my custom widget. So that I can select
a date from backend. I have tried a lot but no proper solution. Can anyone
help me out how can I complete the task.