Category Archives: WordPress

WordPress Nonces Vulnerabilities

Quick Page/Post Redirect Plugin: A Case Study

Quick Page/Post Redirect Plugin has 200,000+ active installs, with version 5.1.5 and older vulnerable to an attacker setting redirects to any URLs in bulk.


And why? All because the developer thinks a 5-byte WordPress Nonce will stop the bulk redirect import functionality from running. Newsflash: it won’t.
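As an added illustration of the point above (not the plugin's own code), here is a bulk-redirect import handler that treats the nonce as a CSRF token only and gates the action on a capability check as well; the action name, nonce field, option name and form field are hypothetical:

```php
<?php
// Added example, not the plugin's code. Names prefixed "example_" are hypothetical.
add_action( 'admin_post_example_bulk_redirect_import', 'example_handle_bulk_redirect_import' );

function example_handle_bulk_redirect_import() {
    // 1. Authorization: a nonce proves the request came from a form WordPress
    //    rendered for this user; it says nothing about whether that user may
    //    change redirects. Without this check any logged-in user could import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: verify the nonce bound to this specific action (dies on failure).
    check_admin_referer( 'example_bulk_redirect_import', '_example_nonce' );

    // 3. Validate every "source,target" line before anything is persisted.
    $raw   = isset( $_POST['redirects'] ) ? wp_unslash( $_POST['redirects'] ) : '';
    $rules = array();
    foreach ( explode( "\n", $raw ) as $line ) {
        $parts = array_map( 'trim', explode( ',', $line, 2 ) );
        if ( count( $parts ) !== 2 ) {
            continue;
        }
        list( $from, $to ) = $parts;
        // Sources must be site-relative paths; targets must survive WordPress'
        // own URL validation (http/https only, well-formed host).
        $to = wp_http_validate_url( esc_url_raw( $to ) );
        if ( '' === $from || '/' !== $from[0] || false === $to ) {
            continue;
        }
        $rules[ sanitize_text_field( $from ) ] = $to;
    }

    update_option( 'example_bulk_redirects', $rules );
    wp_safe_redirect( add_query_arg( 'imported', count( $rules ), wp_get_referer() ) );
    exit;
}
```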


Lighthouse – WordPress Performance Plugin Review

Like many rants, this one starts with a promise. One made by the developers of Lighthouse on their marketing page:

…optimize MySQL tables by removing all unused table space (both MyISAM and InnoDB)…


All unused table space for InnoDB via a PHP plugin? Suspicious, I got my hands on a copy of the plugin to see how it accomplishes this claimed feat. Well, obviously it didn’t reclaim all InnoDB tablespace, just some of it using the OPTIMIZE TABLE method (only effective when innodb_file_per_table is set to “on” which is enabled by default in MySQL 5.6.6 and higher). The ibdata file remained untouched.

Okay, no problem, not unexpected. But then I read into some of the other code and a second, much more substantial promise:

A zero-footprint tuning plugin…

…I became pretty angry. I’ve always been a skeptic of magic optimization plugins, and Lighthouse was unfortunate enough to get my review.


Remove Duplicate WordPress Category Pages

A rather peculiar problem came to my attention yesterday. WordPress has an infinite number of category pages that are absolutely identical. For example:

This happens for all hierarchical taxonomies, and here is why. Basically, WordPress only queries the last term in the path.


WordPress Dashboard Autobookmarks

Here’s something I put together as a conceptual idea. WordPress Dashboard Autobookmarks keeps track of how popular a dashboard page is by counting how many times it’s been visited by an administrator and provides an Admin Bar menu with the most often used dashboard screens. This allows administrators to keep returning to their most-used dashboard screens at the click of a button.


The plugin can be found on GitHub and is at a highly experimental stage for now.

The FancyBox for WordPress Vulnerability

…and how the exploit really worked

Last week a very popular plugin called FancyBox for WordPress was hit with a zero-day vulnerability which I happened to experience first-hand and dig into. If you’ve not heard about this, here are a couple of links to get you up to speed:

The plugin was force-updated (where possible) on WordPress sites out there. This is the full disclosure of how the exploit worked.


rwasa + HHVM + WordPress

Yes, as exotic as it ever gets.


Profiling PHP Code in WordPress

I was honored to give a talk at the second WordCamp Russia event. Like last year, I decided to speak about a general development topic and how it can be applied to WordPress. This time my talk was on profiling.

Here’s a video. English subtitles are available by selecting “Subtitles” in the player.

And here’s wptop on GitHub, an XHProf-based WordPress plugin that gives you an overview of your WordPress website performance. Feel free to give it a spin and let me know what you think.

Building WordPress for Android

WordPress clients are available for many devices, but since I’m an Android fan I get to use WordPress for Android.
Yesterday, I came across a bug report outside of the developer ecosystem, managed to reproduce the bug using the release version, and decided to write and submit a patch to fix the bug.

The main WordPress for Android repository is over at GitHub. But as it turns out…


…one does not simply build WordPress for Android.


WordPress Mail Routed via Postfix SMTP Relays

By default, the WordPress wp_mail function will not set the actual sender for the sendmail and mail backends. This means that the Postfix relay will set the sender to the default $domain instead of the actual sender. Which, in turn, means that when using relay maps (sender_dependent_relayhost_maps) to map senders to the correct SMTP relays, none of them is matched because the sender is not set correctly…

Fortunately, the mailer class used by WordPress, PHPMailer, knows how to correctly specify the sender via the chosen backend (which in WordPress is the mail backend). By setting the Sender property of the mailer we’re able to have Postfix identify the sender correctly.
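One way to apply this from a plugin or theme, as an added example rather than code from the post: hook phpmailer_init and set the envelope sender so that Postfix's relay map has something to match. The function name and the fallback address are placeholders.

```php
<?php
// Added example, not code from the post. The constant and function names are
// hypothetical; the fallback address is a placeholder.
define( 'EXAMPLE_ENVELOPE_SENDER', 'wordpress@example.com' );

add_action( 'phpmailer_init', 'example_set_envelope_sender' );

/**
 * WordPress passes the PHPMailer instance by reference just before send().
 *
 * @param PHPMailer $phpmailer The mailer wp_mail() is about to use.
 */
function example_set_envelope_sender( $phpmailer ) {
    // Sender is the envelope sender (SMTP MAIL FROM / Return-Path), which is
    // what Postfix consults for sender_dependent_relayhost_maps. With the mail
    // backend PHPMailer hands it to PHP's mail() as the "-f<address>" parameter.
    // Mirror the From: header so the relay map keys on the real sending address.
    $from = $phpmailer->From;
    $phpmailer->Sender = is_email( $from ) ? $from : EXAMPLE_ENVELOPE_SENDER;
}

// Constructed illustration of the Postfix map this is meant to satisfy, e.g. in
// /etc/postfix/sender_relay (values are placeholders):
//   wordpress@example.com    [smtp.relay.example.net]:587
```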


WordCamp Russia 2013

I took part in WordCamp Russia 2013 this year, which was organized by my brother (with huge help from a handful of volunteers and the WordPress Foundation). This was the first ever WordCamp in Russia.

My talk was on testing automation in custom WordPress code, which covered some basics of unit tests using PHPUnit and system tests using CasperJS.

The talk is in Russian, but English subtitles are available. Also slides and code. To view all other talks visit

Konstantin wrote about the event in much detail.