Monthly Archives

July 2015

WordPress

cPanel hacking of WordPress

Several months ago, I noticed that of the many websites I had on one server, one of them was not updating properly. In fact, it never updated WordPress, and it actually acted like there was no such thing as an update.

I forced an upgrade by uploading the new core via FTP, but as this was a live site, I didn’t want to do anything crazy to the database, or even take the site offline at all. Upgrading via FTP worked, but it still never flagged or showed that updates were needed, as time went on.

Usually, and this is seen on one old demo site, the dashboard will say the current version number, along with the button to update if one is available.

Also, navigating to the Upgrades page on the dashboard,

This was something that I did not have time to deal with. It was a minor issue, as it was only affecting a couple of sites. However, I stumbled across this blog today dealing with how cPanel had been changing Core to prevent upgrades. Suddenly, I realized what was happening.

It turned out the culprit in this case wasn’t even cPanel – it was a GoDaddy plugin. What’s weird is that the site had never been on GoDaddy. It was once on MediaTemple, early on, and I’m thinking that’s a possible culprit since they’re related. It has been on multiple hosts, and I can’t verify how it happened at all, but there was a plugin placed in the mu-plugins folder – which was why the manual FTP updates hadn’t fixed a thing! Due to the above blog post I was able to search on various terms, and I located the mu-plugins GoDaddy plugin by searching for “core_upgrade”.

Header information from the plugin:


/*
Plugin Name: System Plugin
Description:
Author:
Plugin URI:
Author URI:
Version:
Text Domain: gd_system
Domain Path: /gd-system-plugin/lang
*/

Offending item snippet:


// Don't auto upgrade core
add_filter( 'auto_update_core', '__return_false' );
add_filter( 'pre_site_transient_update_core', create_function( '', 'global $wp_version; $x = new stdClass(); $x->version_checked = $wp_version; return $x;' ) );
add_filter( 'user_has_cap', array( $this, 'block_core_upgrades' ), 10, 3 );

// Use default WP settings for these three
// add_filter( 'auto_update_plugin', '__return_false' );
// add_filter( 'auto_update_theme', '__return_false' );

// Disable e-mails 3.7 Beta -> RC
add_filter( 'automatic_updates_send_email', '__return_false' );

// Disable e-mails 3.7 RC -> Final
add_filter( 'enable_auto_upgrade_email', '__return_false' );

// No debug e-mails
add_filter( 'automatic_updates_send_debug_email', '__return_false' );

// 3.7 Final filter
add_filter( 'auto_core_update_send_email', '__return_false' );
}

As it was the only mu-plugin, I deleted the whole mu-plugins directory from the installation to remove all the offending code. Magically… we have an update button now, and are happily running the very latest version of WordPress.

WordPress

WordPress 4.3 and the little joys in life

As someone who deploys a lot of WordPress sites over time, rather than just maintaining a couple large sites, there are two major (major to me!) changes coming in WordPress 4.3 that I am very happy about.

1) Comments are now turned off by default.

As anyone who launches many non-blog websites with WordPress knows, one big step in a site launch is deactivating comments everywhere. We suggest every user have a blog, because blog posts increase total website word count which can increase SEO and make a site more popular. However, most companies that might be convinced to post a blog once a week are not ready for the headache of regulating comments. Many don’t want to deal with comments at all – and certainly not on “Pages” of the site. One big step in every site staging or launch has been removing comments. It’s so exciting that this step gets to leave my workflow. No more headaches when someone goes in and adds hundreds of pages/posts before turning off comments, causing the need to mass edit in the database.

2) Favicon support.

As someone who has attempted to provide favicon support over time with customizer options for users, this new favicon option will be much better, and I don’t have to worry about it! Integrating Favicon support is awesome, and just one more thing to be really, really excited about.