Tag Archives: tips

WordPress, WordPress development agency

Three Most Wanted Tricks For WordPress Developers

WordPress is a specially crafted platform to publish content on the web. Many of the big giant content publishers are using WordPress like CNN, NYTimes, etc. You, as a content writer, find WordPress deadly easy and super cool to work on because WordPress provides many customizations to make your content looks good, and also many of us are spending time to add some spice to WordPress. Here I want you to add even more to your content writing experience.

Following are the three most wanted WordPress tricks to make your writing experience easy and even better.

How to restrict the authors to view only the comments which belong to their own posts in the admin area?

Just open up functions.php of your current theme and put this code in it, but keep in mind if you put this code in your functions.php will only be limited to your current theme. So better to make a plugin.

require( ABSPATH . WPINC . '/pluggable.php' );

function myplugin_get_comment_list_by_user($clauses) {
    if (is_admin()) {
        global $user_ID, $wpdb;
        $clauses['join'] = ",". $wpdb->base_prefix."posts";
        $clauses['where'] .= " AND ".$wpdb->base_prefix."posts.post_author = ".$user_ID." AND ".$wpdb->base_prefix."comments.comment_post_ID = ".$wpdb->base_prefix."posts.ID";
    };
    return $clauses;
};
// ensure that editors and admins can moderate everything
if(!current_user_can('edit_others_posts')) {
    add_filter('comments_clauses', 'myplugin_get_comment_list_by_user');
}

As you know the comments are stored in a separate table and are identified by post_id. So, I have just modified the query which is run by WordPress whenever the comments page opened in the admin.

How to set the first image of the post as a featured image?
Sometimes, we need to set our post’s first image as a featured image and WordPress doesn’t give any support for this thing. You can use the following code snippet to get this functionality.

add_filter('the_content', 'set_post_featured_image');
function set_post_featured_image($content) {
global $post;
if (!has_post_thumbnail()) {

$all_attached_images = get_children(array(
'post_parent' => $post->ID, 
'post_status' => 'inherit', 
'post_type' => 'attachment', 
'post_mime_type' => 'image', 
'order' => 'ASC', 
'orderby' => 'menu_order'
));
if ($all_attached_images) {
foreach ($all_attached_images as $attached_image) {
set_post_thumbnail($post->ID, $attached_image->ID);
break;
}
$content = the_post_thumbnail() . $content;
}
}
return $content;
}

I am applying a filter to the contents of the post and the job done.

How to retrieve your Gravatar image?

Having a profile picture on your profile means great credibility and recognition on social networks and other websites, which is usually known as “avatar image”.

WordPress provides its own service know as Gravatar. We will walk you through that how to retrieve your profile image from Gravatar.

WordPress has a built-in function to retrieve an image from Gravatar, this function required two parameters: ID or usre_email of the user and the size of an image.

$user_id = get_the_author_meta('ID');
echo get_avatar($user_id, 80);

If you want to use user email, use get_the_author_meta() function with user_email

$user_id = get_the_author_meta('user_email');
echo get_avatar($user_id, 80);

This will give us an image of 80px.

If you know any other way of doing these tricks for WordPress, let us know in the comments below.

WordPress nonce, What is WordPress nonce and how it works

What is WordPress nonce and how it works?

Today, I am going to share with you a tip that how we can make our WordPress plugins are themes more secure. I have seen in my plugins and themes where WordPress developers are not using WordPress nonces even though it is VERY important. If you are working as a WordPress freelancer developer and g custom plugins or themes, I am sure this article is going to be very helpful for you.

What actually WordPress nonce means?

WordPress Nonce basically in short is the term used for number used once. It’s a string value, a temporary unique key that is generated by WordPress automatically and acts as a special security token to check whether you are the same person who’s performing an action or someone else while submitting a form, adding a post, deleting a post, etc.

Why we should use WordPress nonce?

The main purpose of the nonce is to protect your site from malicious hacking attacks such as Cross-Site Request Forgery (CSRF) or sometimes pronounced sea-surf or XSRF, which is used to trick someone to submit a form or click on a link that will cause harm to your site.

How nonce works in WordPress?

It is very simple. As I mentioned earlier that it is generated by WordPress itself and when a form is submitted or a link is clicked, WordPress checks the nonce value and if it matches, you are free to proceed.

A thing to remember, you don’t need to do anything about nonce in those forms or links which are generated by WordPress, like “add post”, “edit post”, but you have to use nonce in your custom build plugins or themes you will create later.

How to use nonce in WordPress?

Before we walk you through a complete example of how to implement a nonce in a form or in a URL, lets us understand how the nonce works in WordPress.

There are three steps that we must follow to implement a nonce in WordPress plugin or a theme:

1. How to create a nonce.
2. How to pass a nonce through a Form or URL.
3. How to verify a nonce before doing a specific action.

1. How to create a nonce?

To create a nonce, there is a function name “wp_create_nonce ($action)”, which generates and returns a unique value based on the current time and the $action.
The “$action” parameter is optional but recommended, $action parameter refers to what will happen.

$nonce= wp_create_nonce('delete-post');

2. How to pass a nonce through a Form or URL?

How to pass a nonce in URLs.

<a href="myplugin.php?_wpnonce=<?php echo $nonce; ?>">

How to pass a nonce in Forms.

<form method="post"><?php wp_nonce_field( 'name_of_my_action', 'name_of_nonce_field' );?>
<!-- some inputs here ... -->   
</form>

We use “wp_nonce_field($action,$name)” to pass a nonce through forms. wp_nonce_field() function will generate a hidden input field which stores a nonce value and can be retrieved later on.

The parameter “name_of_my_action” is the context in which you are using the nonce field and “name_of_nonce_field” is any name you want to specify. Default is “_wpnonce”. It’s better to use $action and $name parameter for better security.

3. How to verify a nonce?

After putting it into the form you can get it like this:

if ( isset( $_POST['name_of_nonce_field'] ) &&
wp_verify_nonce( $_POST[‘name_of_nonce_field’], ‘name_of_my_action’ ) ) {

// process form data

} else {
print ‘Sorry, your nonce did not verify. It is a secure WordPress site. go get a coffee !!';
exit;
}

Example:

In this example, we are creating a form and an embedded nonce field in it. This form can be used for your contact page or anything you like for your site where you are taking inputs from users.

The HTML code for the form is (notice the wp_nonce_field function):

<form id="form">
<?php wp_nonce_field( 'contact_form_submit', 'cform_generate_nonce' );?>
            <label>Name</label> <input type="text" name="name" class="text" id="name"><br>
            <label>Email</label> <input type="email" name="email" class="text" id="email"><br>

            <label>Subject</label> <input type="text" name="subject" class="text" id="subject"><br>
            <label>Message</label><textarea id="message" class="textarea" name="message"></textarea>
            <input name="action" type="hidden" value="simple_contact_form_process" />
            <input type="submit" name="submit_form" class="button" value="send Message" id="sendmessage">
            <div class="formmessage"><p></p></div>
        </form>

So, you have your contact form ready and now want to take the data from form inputs and process it. Form Inputs are the doors where mostly malicious attacks happen and hackers run anything they like. So, you should properly sanitize your inputs which are very important for your website security.

Here is how you will verify nonce in your contact form.

<?php

if(isset($_POST['submit_form'])) {
  if(!wp_verify_nonce('cform_generate_nonce','contact_form_submit')){
      wp_die('Our Site is protected!!');
   }else{
      // process here your contact form with proper sanitize inputs.
  }
}

?>

Conclusion

WordPress nonce is playing a very important role in WordPress security and I recommend it should be implemented in every WordPress plugin and theme, but I see many plugins and themes are not using it. If this article was helpful for you in any way I would love to hear your feedback.