Run PHP code in a WordPress widget

I had an advertiser who wanted his link to appear in the right sidebar of the site, but only on the home page of site. Sidebar widgets usually appear throughout the site, so I had to figure out how to make it work.

I knew WordPress supported an is_home() conditional statement, but PHP code can only be executed in themes and plugins, not in free text/HTML. I tried inserting the code into the functions.php code, but never got it to work exactly right.

It turns out there’s a WordPress plugin called PHP Code Widget that lets you execute PHP code inside a widget. Just type it in along with your text and HTML and it works. Here’s the code:

<?php if( is_home() ) : ?>
Text and HTML go here and will appear only on the home page.
<?php endif;?>

Turn Your WordPress/Blogger/LiveJournal Blog Into a Book or PDF

Someone asked me about exporting their entire blog into something readable and printable. Here ya go.

90,000 Strong Botnet Trying to Break in to WordPress Sites

wordpress-logo-notext-rgbArs TechnicaHuge attack on WordPress sites could spawn never-before-seen super botnet:

Security analysts have detected an ongoing attack that uses a huge number of computers from across the Internet to commandeer servers that run the WordPress blogging application.

The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported. At least one company warned that the attackers may be in the process of building a “botnet” of infected computers that’s vastly stronger and more destructive than those available today. That’s because the servers have bandwidth connections that are typically tens, hundreds, or even thousands of times faster than botnets made of infected machines in homes and small businesses.

The attacks currently target the “admin” username and 1,000 common passwords. If you’ve got a simple or obvious password, now’s the time to change it.

If your WordPress admin account is admin you need to change that, too, and not just because of this bot network. I monitor failed login attempts, and 99% are using “admin” for the username.

I recommend the Better WP Security WordPress plugin for changing the admin username, monitoring failed logins and excessive 404s, and a whole lot more:

  • Change the database prefix from the default of “wp_”.
  • Disable admin logins during times when you never login.
  • Hide WordPress information in source code and files such as readme.html. That makes it less likely that Google searches and script tools can discover WordPress installations or WordPress versions with specific vulnerabilities.
  • Monitor file changes. I exclude directories that are supposed to have frequent file changes, like cache and backup directories:
    • wp-content/backup-db
    • wp-content/cache
    • wp-content/updraft
  • Temporarily or permanently ban access from IP addresses with excessive failed logins or 404s. Be careful with this setting. A search engine might hit the 404 limit when trying to access old URLs.
  • Optionally enable SSL for logins, admin area, or even the front end.

Backup WordPress First

Before making the security changes, backup your WordPress install. You should be doing automated backups anyway in case of successful hacks, server problems, or human error. Better WP Security has a backup feature, but I’ve tried it on two separate WordPress installations and couldn’t get the scheduled backup feature to work.

Instead I’m using the UpdraftPlus WordPress plugin for backups. It can backup the database and files separately. You should backup the database more often than the files. The database changes every time you create or modify a page or blog post, or receive a comment. The database is relatively tiny – even with thousands of blog posts and comments mine is only 437 MB – so backing it up doesn’t take much processor time or disk space.

Updraft Plus can email you the files, FTP or SSH them to another server, or upload them to cloud storage. Amazon S3, Dropbox, and Google Drive cloud storage are currently supported. You can choose to receive an email report every time the backup runs.

Using WordPress? Install Better WP Security to See How Many People are Trying to Break Into Your Site

I’m writing an article for work about WordPress security. Part of the process is trying different WordPress security plugins. One of the plugins I tried it Better WP Security, a Swiss army knife of security tools. One of its features is to log failed attempts to log into the WordPress backend.

Better WP Security Failed Logins Log

50 failed logins to the administrator account in 6 hours – Click to Enlarge

It turns out I’m getting hundreds of login attempts every day from people trying to guess the administrator password. That’s a bad thing.

A couple of things you can do if people are trying to log into your site:

  • Make sure you’re using a strong password.
  • Change the administrator account to something other than the default of “admin.” It’s under the User tab in Better WP Security. All of the failed logins for my site are for the “admin” username.
  • Turn off verbose login error messages (Remove WordPress Login Error Messages under Tweaks tab). By default, WordPress tells people whether their login failed because the username was bad or the password was bad. With this option off they won’t know which part of the login was incorrect. Let them think they should keep trying to get in with “admin.”
  • Enable login limits (Log tab). Users who give bad login credentials x number of times in y time period will be locked out of the site for z minutes. Optionally you can block IP addresses after a certain number of lockouts. You can opt to be notified by email when lockouts occur. The emails include the person’s IP address, which the log screen doesn’t. On my site about 50% of bad logins are from China, 30% are from Russia, and 20% are scattered all over the world.

Use Google XML Sitemaps for WordPress? Check your sitemap.xml.gz for corruption.

Recent versions of the Google XML Sitemaps plugin for WordPress create bad versions of the gzipped sitemap.xml file. Here’s how to check if yours does and fix the problem.

First, find out which sitemap your site is telling search engines to use by checking your robots.txt file. It should be at the document root. For my site it’s at


If it’s the .gz version, load that URL in your browser. Here’s a screenshot of what happened when I tried to load sitemap.xml.gz in Firefox:

Internet Explorer gave a similar error: “An invalid character was found in text content. Error processing resource ‘’. Line 1…”

That was happening on my personal blog and work blog, both running Google XML Sitemaps. According to Google WebMaster Tools Google was still reading the sitemap and indexing the site, but to me that’s still bad juju and not what I want to see.

I went into Google XML Sitemap setting and unchecked the .gz option:

Robots.txt now shows the .xml version only. I manually deleted the .gz version.

Update those Web server clocks for Daylight Savings Time

In WordPress it’s under Settings -> General.

For UNIX on a bash shell and a date of March 12 and a time of 8:35 AM you’ll need to be root and run the command:

date -s “3/12/2012 08:35:00”

New versions of WordPress are pretty smart about strikethroughs

In this post I used megabytes when I should have used gigabytes. Sean noticed the error and mentioned it in comments.

Different bloggers handle that in different ways. Some people would just change it. Since it came up in comments I decided to leave the MB, but strike it out, like this: MB, and type in GB. That way the original mistake is there alongside the correct information. Anyone reading the comments can follow what happened without getting bumfuzzled.

When I struck out the MB in the WordPress blogging software I noticed something. The latest WordPress puts a note in the del tag showing the date and time of the strikethrough.

SanDisk 32 <del datetime=”2012-01-31T19:05:24+00:00″>MB</del> GB SanDisk thumbdrive

Pretty cool.

P.S. Playing around with it, though, I noticed that in WordPress 3.3.1 that only works in HTML view, not Visual view. Buggy.

WordPress RSS Feed Errors Fixed, Feedburner-powered Twitter Feed Working Again

Everything works now. You can skip the rest of this post unless you’re having the same problem and need a fix.
Read more of this post

Strange Character Problem Fixed

Since moving the blog in December I’ve had a long-standing problem with special characters – things like curly quotes and em dashes – displaying incorrectly. I’ve tried fixing it on and off, but other things this year kept me from giving it my full attention.

After more study I realized what had happened. My older WordPress data was encoded in ISO-8859-1. Newer WordPress installs like the one on the new host default to UTF-8. I updated the MySQL database to UTF-8, but the ISO-8859-1-encoded data was still there.

The easy fix was to tell WordPress to use ISO-8859-1 (under Settings -> Reading). At some point I may convert the data. There’s a plugin that’s supposed to do convert ISO-8859-1 to UTF-8, but it’s a 1.0 plugin that’s pretty old. I’ll be backing up the data for sure before trying that.

WordPress Smart Quote Insanity

Since moving the blog I got quotation mark problems. Smart quotes are showing up as unknown characters. Example here:

Efforts to fix that problem introduced other problems. Anyone know a bulletproof fix?

YouTube’s iframe embedding option causes problems with WordPress

Just a heads up. YouTube has switched their default embedding option from an object to an iframe.

YouTube iframe embed option causes problems for WordPress

If you snag the embed code from the video’s popup panel you’ll still get the the Object code. It’s only when you’re on YouTube’s site and click YouTube’s Embed button that you’ll get the iframe code.

The iframe option is supposed to improve compatibility with mobile devices. Unfortunately, if you paste that code into WordPress, WordPress will strip it out when the page renders and you won’t get any video. (Tested with WordPress 2.9.2 and 3.04.) You’ll need to check the box next to “Use old embed code” to get the object code:

The "old embed code" option uses an Object tag, which works fine with WordPress

WordPress Embed ButtonYou can also put the video’s YouTube URL on a line by itself and WordPress will automatically embed it. You can set some options by adding them to the URL. Instructions here. Or just use the Embed button (it looks like a green piece of film) which has a user interface for setting the size, autoplay, and other options.

Movin’ movin’ movin’

Some time Thursday this blog is moving to a new Web host and WordPress 3. I don’t expect any problems, but if you see anything quirky it’s probably because of the move.

Moving WordPress Sites to a New Server or Domain

A subject near and dear to my heart. I’m bookmarking some information for reference and hoping it can help someone else. First up, some useful links:

Pro Tip – Use a Temporary Domain

My favorite way to move a site to a new server or Web host is to set it up on a temporary domain (like A domain is 10 bucks a year at Godaddy. That 10 bucks buys you the convenience of thoroughly staging and testing the new site at its temporary domain without fooling around with IP addresses and such.

When the new site on the temporary domain is ready, just switch that server to the regular domain:

  • Point the DNS for the domain to the new server.
  • Change the domain in under WordPress General Settings.
  • Under WordPress Privacy Setting make sure your blog is visible to search engines.
  • Use the SQL queries below to change all of the URLs in the database from the temporary domain to the regular domain.
  • Run a link check with a tool like Xenu to make sure all of the links work.
  • If you’re changing domains set up 301 redirects and tell Google you’ve moved using Google Webmaster Tools. If your URL scheme has changed set up 301 redirects for individual pages. It’s a small hassle, but worth it to preserve your Google link juice and to avoid 404 errors if people find an old URL via a link or search engine.

SQL Code for Replacing Domain Name in WordPress

update wp_options set option_value=replace(option_value,’’,’’);

update wp_postmeta set meta_value=replace(meta_value,’’,’’);

update wp_posts set post_content=replace(post_content,’’,’’);

update wp_posts set guid=replace(guid,’’,’’);

WordPress Links

I’m bookmarking all of these from Joost de Valk’s awesome WordPress newsletter. Highly recommended if you administer WordPress sites.

Common WordPress Multisite Problems and Solutions. WordPress 3.0 is multi-user out of the box, so every WordPress blog can now host multiple blogs. I’ve got an idea for using that at work if I can find the time.

Lessons Learned From Maintaining a WordPress Plug-In

Add a Facebook “Like” button to your WordPress blog

16 Vital Checks Before Releasing a WordPress Theme. Here’s the easiest one.

11: Enable Custom Backgrounds

This is a new feature in WordPress 3.0, and it’s also the easiest to implement. It’s literally one line:

1. add_custom_background();


That’s it! Users can now choose any custom background they want.

Tired: Sitemaps; Wired: Video Sitemaps

I had never heard of them. Joost de Valk has more info and plans for a WordPress plugin to generate video sitemaps.