Secure Your WordPress Development

If you develop WordPress plugins professionally or as a side hustle, it is important to recognize security issues. With WordPress powering large swaths of the internet, code security should be a vital part of your development.

In this light, I wanted to share several key areas of security that every WordPress developer should be mindful of during their development of code projects.

Don't Let Direct Access Occur

While many web hosts are built around allowing access to files that reside on the server, we shouldn't allow our plugin files to be accessed directly.  We need to make sure that its only "WordPress itself" that is accessing the plugin files.

The best way to handle this is to perform a conditional check at the top of the plugin files that makes sure the file isn't being accessed from outside WordPress.

Page Template Bug in WordPress 4.9

When the latest version of WordPress (4.9) was released, it also contained a strange little bug that was introduced with some of the modifications to the internal "file editor" in WordPress. This bug caused page templates to either not display properly in the Page Edit screen or to not update until the default WordPress cache was cleared (60 minutes).  But there is a quick fix you can place into your theme's functions.php file that will automatically clear the cache of the theme so you don't have to wait for the cache to clear or raise your theme's version number.

Here is an example code snippet:

Or you can use a code snippet/plugin provided by the greater WordPress community:

Thanks to the WordPress community for sharing variations of this fix.  Note: This bug will be fixed in an upcoming version of WordPress, so once that is fixed, you'll be able to remove this code from your active theme's functions.php file.

Danger Zone Weekend Coming October 20-21, 2017

I'm excited to announce a special (and free) event here at taking place on October 20-21, 2017. The inaugural WordPress Danger Zone event will take place over the course of five live webinar sessions. You can signup for the event below.

What do you do when something goes horribly wrong with your WordPress site? Can you prevent disasters from striking WordPress? How do you recover when everything goes wrong on your client's WordPress websites? All of these questions and more will be answered during the WordPress Danger Zone weekend starting on October 20th. It can be frustrating and be aggravating when you start seeing your WordPress sites swerving into the danger zone. Join the WPStudio community for this free WordPress training weekend.

Booking Benjamin is a Thing

For years I have been asked if I offered the opportunity to hire/book me for projects, personal one-on-one training, and more. I'm happy to say that today begins this opportunity.

I have now provided several ways to reserve a dedicated time slot for you and/or your business.

  • Book Benjamin for one-on-one training that deals with a WordPress theme, plugin, code solution, or some other technology you are interested in learning more deeply.
  • Book Benjamin for a consulting session to process through your business ideas or to help refine your closing ability with clients.
  • Book Benjamin for an honest evaluation when choosing between two plugin solutions or what direction you should pursue with your client project.
  • Book Benjamin to help you solve a bug with a website or to find a custom solution to enhance a client's website.

Require a specific password length

Many of the leading WordPress security plugins have the ability to force/require strong passwords for users. But one of the requests I've received from people is if there is a way to require passwords to be of a certain length. It seems that some users who work with clients are finding that some clients will reset a password to something "easier to remember" but not entirely secure, or the developer is trying to enforce a specific "password policy" and one of the aspects of a policy specifies a certain number of characters.

How to Set a Password Length Requirement

Setting a password length requirement is fairly easy since WordPress already provides a hook that occurs before a password is actually reset.  The hook is validate_password_reset, and it allows developers to verify aspects of the user entered password before passing it through the password reset function.

Using Dashicons in WordPress Theme

Many WordPress users learn about using Dashicons when they go to create their first Custom Post Type and assign a Dashicon to represent that Custom Post Type in the Admin menu.  But then the frustration begins as soon as you attempt to use a Dashicon on the frontend of the site.

The developer resources at make it extremely easy to copy/paste either the Glyph, HTML, or CSS version of a Dashicon.  But if you have ever tried to copy/paste a Dashicon into a widget area or a post you would have experienced the frustration of nothing showing up.


WordPress 4.7.5 has been released

Like with any WordPress update that gets released, it is always a good idea to make sure you have a solid backup before you update.  But I'm sure the actual question many of you have is what's in this latest maintenance release?

  • This is mainly a security release that patches 3 bugs as well.
  • 4.7.5 patches the following security issues
    • Insufficient redirect validation in the HTTP class.
    • Improper handling of post meta data values in the XML-RPC API.
    • Lack of capability checks for post meta data in the XML-RPC API.
    • A cross-site request forgery (CRSF) vulnerability in the filesystem credentials dialog.
    • A cross-site scripting (XSS) vulnerability when uploading large files.
    • A cross-site scripting (XSS) vulnerability in the Customizer.