Category Archives: WordPress

WP Super Cache 1.4

WP Super Cache version 1.4 is out now. This release finally removes the mfunc, mclude and dynamic-cached-content tags as I warned about three months ago.

If your site uses that dynamic cached content functionality do not upgrade yet. There is a replacement dynamic cached content system but it’s not compatible so you’ll need to update your themes and helper plugins. It’s not difficult but there’s a lot to take in. I hope the example plugin and explanation in that post gets you most of the way there.

If you don’t use mfunc and it’s friends then you should upgrade immediately and it should be painless.

This release also has a few bug fixes and other features. It will now try to repair broken installs after a site migrates. It will update the wp-config.php and rebuild wp-content/advanced-cache.php. It will also delete tags and category cache files when a post publish status changes.

The shiny new dynamic content in WP Super Cache

With the next release of WP Super Cache in a day or two the long awaited move away from mfunc, mclude and friends will be complete.

This means that if you have been using mfunc, mclude or dynamic-cached-content the dynamic portions of your sites will go blank if you upgrade WP Super Cache without updating that dynamic code. This may seem complicated but there’s an example script included and detailed explanations below. A lot of effort was made to make this backwards compatible but unfortunately it wasn’t possible.

In their place is a new cacheaction filter called wpsc_cachedata and it’s sidekick wpsc_cachedata_safety. In the future when a site owner using WP Super Cache wants to make part of their website dynamic they will use those filters to modify pre-defined text strings and replace them with the data they want displayed to the end user. There’s an example script ready to be ripped apart to help you figure all this out.

There are two ways of using this:

  1. The dynamic content is the return value of a simple process, be it date() or any of the numerous get_*() functions in WordPress. That data can simply be slotted in place of the pre-defined text mentioned above.
  2. The more difficult bit comes when you need to use an output buffer to collect the data for display. Due to a limitation in PHP it’s impossible to run an output buffer in the callback function of another output buffer, which is when the wpsc_cachedata filter runs. We need to collect that data before the callback function executes.

The first way above is easy. Simply add a text string of random characters to your theme where you want the dynamic content to appear, then hook a function on to the wpsc_cachedata filter to str_replace() it with your dynamic content. These functions in this script do that:

  • dynamic_cache_test_filter()
  • dynamic_cache_test_template_tag()
  • dynamic_cache_test_init()

You’ll have to hook on to the wpsc_cachedata_safety action and return the numeral 1 to actually run the wpsc_cachedata filter. This is a fail safe used by the plugin to make sure things are ok when the filter runs.

Unfortunately if you want to use an output buffer it’s a lot harder. As stated above an output buffer can’t run in the callback function of another output buffer. This means you have to generate your dynamic content earlier in the PHP process.
This could be as easy as calling your dynamic content function (dynamic_output_buffer_test() in the example script) from the wp_footer action, or calling it from any action before shutdown, whichever is appropriate. You’ll also need to add a template tag of your own choosing to your theme.
Your dynamic content function will run just fine for cached pages, so after the new page has run it store the output in a constant or global variable that the same function can look for when the wpsc_cacheaction runs it. If it finds that information, it can do the search and replace of your template tag without running the output buffer again.
Some pages won’t run the dynamic content function however. This includes feeds and sitemaps. Those pages will generate a PHP error because the output buffer will try to run in the callback!

“PHP Fatal error: ob_start(): Cannot use output buffering in output buffering display handlers in…”

To stop that happening you must check that there’s text to shove in the cached page. That’s what happens in the function dynamic_output_buffer_test_safety() in the example script. It fires on the wpsc_cachedata_safety filter and returns the numeral 1 if successful.

Anatomy of an Output Buffer

I’m going to try and explain the output buffer functions in more detail here. They’re only example functions and if you spot a bug or can suggest improvements please do!

define( 'DYNAMIC_OUTPUT_BUFFER_TAG', '' ); // CHANGE THIS!

This is the string you add to your theme where your dynamic content will appear. The plugin will replace this string with the code generated by your dynamic content function.

function dynamic_output_buffer_test( &$cachedata = 0 ) {
	if ( defined( 'DYNAMIC_OB_TEXT' ) )
		return str_replace( DYNAMIC_OUTPUT_BUFFER_TAG, DYNAMIC_OB_TEXT, $cachedata );
	ob_start();
	// call the sidebar function, do something dynamic
	echo "<p>This is a test. The current time on the server is: " . date( 'H:i:s' ) . "</p>";
	$text = ob_get_contents();
	ob_end_clean();

	if ( $cachedata === 0 ) // called directly from the theme so store the output
		define( 'DYNAMIC_OB_TEXT', $text );
	else // called via the wpsc_cachedata filter. We only get here in cached pages in wp-cache-phase1.php
		return str_replace( DYNAMIC_OUTPUT_BUFFER_TAG, $text, $cachedata );

}
add_cacheaction( 'wpsc_cachedata', 'dynamic_output_buffer_test' );
  • 1. dynamic_output_buffer_test() is the function that will generate the dynamic content inserted into the cached page.
  • 2-3. DYNAMIC_OB_TEXT stores the previous output of this function. If it’s set that means we’re in the wpsc_cachedata filter and should insert it into the cached page and return it.
  • 4-8. This creates the output buffer, echoes a string with the current time and copies the buffer into a variable called $text before closing the output buffer.
  • 10-13. This is how we decide to return data. If $cachedata is 0 that means this function was called from the theme so we should define the constant DYNAMIC_OB_TEXT for later use. Otherwise, we must be dealing with an already cached page so insert the dynamic content into the page and return it.
  • 16. Add the dynamic_output_buffer_test() function to the wpsc_cachedata action. “add_cacheaction” is used as it loads before the regular WordPress action code loads.
function dynamic_output_buffer_test_safety( $safety ) {
	if ( defined( 'DYNAMIC_OB_TEXT' ) )
		return 1; // ready to replace tag with dynamic content.
	else
		return 0; // tag cannot be replaced.
}
add_cacheaction( 'wpsc_cachedata_safety', 'dynamic_output_buffer_test_safety' );
  • 1-6. dynamic_output_buffer_test_safety() is a function that checks if dynamic content was generated correctly. If that constant is not defined the output buffer will run within the callback function of the main WP Super Cache output buffer and generate a PHP error.
  • 7. Add the wpsc_cachedata_safety() function to the dynamic_output_buffer_test_safety action.

sidebar.php

As an example, if I wanted to display my dynamic content in the sidebar of my blog I would load sidebar.php in my theme’s directory and add the following code.

if ( function_exists( 'dynamic_output_buffer_test' ) )
    dynamic_output_buffer_test();
?>WORDPRESS ROCKS THE WORLD<?php

I had previously edited the example script, uncommented it and changed the appropriate tag:

define( 'DYNAMIC_OUTPUT_BUFFER_TAG', 'WORDPRESS ROCKS THE WORLD' ); // CHANGE THIS!

Final Note and Download Link

Please grab the development version of the plugin and try it on a staging server before you put it live. Feedback would be appreciated!

Warning! Keep the tags you use secret. You don’t want someone leaving a comment on your blog with that string! Do not use the same function names or constant names as in this post or example script. They’re in this very public post. Someone is bound to use them and cause you problems when you install their plugin.

Finally, barring any last minute major bugs this version of WP Super Cache will be released on Wednesday. Be careful upgrading. Pass the word around if you know someone is using mfunc as their site will stop working!

Like a dog and his ball

Like a dog and his ball

That there is Oscar, my shih tzu. He loves chasing tennis balls but his activity these days is limited as he suffers from joint pains and has a heart complaint. I did however notice a spring in his step this morning and I think it may have to do with the newly released WordPress 3.6 or “Oscar” as it has been named. Matt says the release was named after the famous jazz pianist Oscar Peterson but we all know the cute little dog that really inspired the naming of the release, now don’t we?

Regardless of naming inspiration, the new version has fixed a ton of bugs, added new features and has the amazing Twenty Thirteen theme I’m really looking forward to trying out. Make sure you upgrade ASAP!

Integrate Google+ and Facebook Comments in your WordPress blog

screenshot-1

If posts are the life blood of a successful blog, then comments are probably the heart as they encourage the author and provide a discussion mechanism around a story*. The problem is that blogs can be seen as an island in the ocean surrounded by social media continents such as Google Plus and Facebook. The islands may not get much attention.

That’s where the plugin Google+ Comments for WordPress comes in. It’s simple to install and adds a tabbed comment interface at the end of each post where visitors can comment using their identities on their favourite social media site.

I left a Google Plus comment on a previous post and allowed it to be shared on Google Plus. I got a few replies on that post which also appeared on my blogh. I wouldn’t go sharing every comment you make from your blog. Spamming is spamming, whatever way you do it.

* On Youtube of course it’s usually the reverse. Never read the comments on a popular Youtube video. It’ll hurt your brain.

mfunc in WP Super Cache 1.4 and beyond

WP Super Cache is a full page caching plugin for WordPress. It creates static pages that are served quickly by the web server. Sometimes however, users still want parts of their pages to remain dynamic and be non static. That’s where mfunc, mclude and dynamic-cached-content came in.

Security

Unfortunately it was reported recently that remote visitors to sites using the plugin could execute any code they like by simply leaving a comment containing the right mfunc code. These functions are now disabled by default, and a filter removes harmful code from comments but if enabled they pose a security risk. I considered adding a security code to the mfunc tag but unfortunately the best way of dealing with this problem is to replace it completely with something different. The next release of the plugin will do away with mfunc, mclude and dynamic-cached-content entirely.

The new dynamic cache system

The development version of WP Super Cache has already been updated with a new filter based system. It uses a cacheaction filter called “wpsc_cachedata”. This filter runs when a page is first cached and also when a cached page is subsequently served. It also runs when caching is disabled for known users, something that has always been broken when using mfunc.

Almost all the data that is displayed on your website will run through the cacheaction filter “wpsc_cachedata”. When a page is first cached, the data that is shown to the first visitor of that page goes through that filter. The second visitor gets a cached page and that page too goes through the filter. What this allows us to do is define a template tag (or more than one) that a function hooked on that filter can search for in the filtered data. It can replace that tag with some other text, usually derived from code that has to run on each request. The visitor is then shown the page with the replaced tag.

Example code

The readme.txt hasn’t been updated yet but an example plugin, dynamic-cache-test.php is included in WP Super Cache. It’s fairly simple but it’s documented so it should be easy enough to follow. A template tag is inserted at the bottom of the page using the wp_footer action, and a filter then replaces that tag with text and the current server time. That test plugin replaces mfunc code that would look like this, excluding the necessary code to hook on to wp_footer and print it.

<!--mfunc echo "<!-- Hello world at " . date( 'H:i:s' ) . " -->"; -->
<?php echo "<!-- Hello world at " . date( 'H:i:s' ) . " -->" ?>
<!--/mfunc-->

WP Super Cache has it’s own action hooks using add_cacheaction() and do_cacheaction(), and work like WordPress actions or filters. The reason the plugin needs those is because they are available before WordPress is loaded. They allow developers to hook into the plugin from the very start of the PHP process and modify how it works using plugins. Those plugins are usually copied into wp-super-cache/plugins/ but I encourage you to move that directory elsewhere because when WordPress updates the plugin it will delete any custom changes you make. The next time a new version of WP Super Cache comes out WordPress will delete the wp-super-cache folder, replacing it with the new update. In your wp-config.php set $wp_cache_plugins_dir to the location of the new plugins directory.

If you use this filter system in your own plugin for distribution do not ever define the template tag for the user. Let the user decide what it is or generate a random tag and save it somewhere. It’s important to keep the tag secret so visitors cannot trigger your function maliciously. It is however better than the remote user running any code they like as was the case with mfunc!

I hope to release a new version with this code late next week. If your plugin or site uses mfunc please download the development version on a test server and start the process of updating your code.
On the other hand, if you don’t want to update your mfunc tags you could try W3 Total Cache instead. It uses the mfunc tag with a secret code.

WP Super Cache 1.3.2

WP Super Cache is a full page caching plugin for WordPress that will speed up your website.

This is a security release and any users of the plugin should update as soon as possible. This release and the last 2 (1.3 and 1.3.1) address the following issues:

  • A visitor to a website using WP Super Cache can remotely execute code by way of a specially crafted comment left on the blog. The comment may even be moderated and it will still cause a problem. If you allow untrusted user content on your site through other means it should also be filtered in a similar way. See the function no_mfunc_in_comments for the existing filter. This will be mitigated in the next release by using a security keyword in the mfunc/mclude/dynamic-cached-content tag.
  • An XSS vulnerability was found in the plugins settings page of the plugin. This has been fixed as well.

The dynamic cached content features are now disabled by default as they should really have been a long time ago. This was announced in the Upgrade Notice of the previous release so hopefully site owners will be prepared for it. If you depend on this feature you can enable it again on the Advanced Settings page. I would encourage you to use Javascript instead for any dynamic features or use a short cache expiration time.

Support for the mobile theme in Jetpack has been added in this release by way of a helper plugin. If you enable this feature in Jetpack you should visit the Plugins tab of WP Super Cache and enable the Jetpack plugin there. Caching will be changed to PHP mode, and mobile device support enabled but you may have to manually remove the WP Super Cache mod_rewrite rules in the .htaccess at the root of your site.

I would like to thank WordPress.org user kisscsaby for finding the mfunc problem in WP Super Cache and W3 Total Cache and Frank Goossens for his help fixing it.

Edit: I should have stated this above. I did not know about the issue with mfunc until 3 weeks after kisscsaby posted it to a public forum. I don’t read every post on the support forum unfortunately and the user did not email me. I released version 1.3 within a day of hearing about the problem. Unfortunately the XSS vulnerability became known 24 hours after that requiring another release within 36 hours of the previous one. When it became clear that mfunc could be exploited still I released version 1.3.2

I’m leaning towards removing the mfunc/mclude/dynamic-cached-content feature completely. It’s only used by a tiny minority of users (who will be inconvenienced, sorry) but it’s dangerous code to have in the plugin.

WP Super Cache 1.2

UPDATE! I have just updated the plugin version number to 1.2. Thanks to everyone who tested it!

A new version of WP Super Cache is almost out and here are the changes in this full page caching plugin for WordPress.

OH! Hang on. Almost out? Yeah. I’m going to release it tomorrow but I would love a couple of hardy folks to try it first. People on the forums have been using the development version for several weeks without incident but I would really appreciate it if a few more tried it before the general public gets it. You know what to do, I don’t need to explain. Here’s wp-super-cache.zip. This is the version running on this very site right now and it’s very stable. Go at it! I’ll update this post in the morning, UTC. Thanks.

So, those changes eh?

  • Garbage collection of old cache files is significantly improved. I added a scheduled job that keeps an eye on things and restarts the job if necessary. Also, if you enable caching from the Easy page garbage collection will be enabled too.
  • Editors can delete single cached files from the admin bar now. (thread)
  • Fixed the cached page counter on the settings page (thread)
  • Some sites that updated to 1.0 experienced too much garbage collection. There are still stragglers out there who haven’t upgraded but that’s fixed now! (thread)
  • Supercached mobile files are now used as there was a tiny little typo that needed fixing. (thread)
  • If your site is in a directory and you saw problems updating a page then that should be fixed now. (thread)
  • The deactivate hook has been changed so your configuration isn’t hosed when you upgrade. Unfortunately this will only happen after you do this upgrade.
  • Some sites use custom cookies with the LOGGED_IN_COOKIE constant. Added support for that.
  • Added support for WPTouch Pro, but it appears to be flaky still. Anyone have time to work on that? I don’t.
  • Some sites had problems with scheduled posts. For some reason the plugin thought the post was in draft mode and then because it only checked the same post once, when the post magically became published the cache wasn’t cleared. That’s fixed, thanks to the debug logging of several patient users.
  • And more bug fixes and translation updates.

If you have problems the first place to look should be the forums (or try here too where things lived for a long time). Chances are someone else had the same issue before you and maybe they fixed it.

C64 fans will like this theme

If you’re a fan of that strikingly handsome and powerful computer, the Commodore 64, you will no doubt be itching to try this Commodore theme for WordPress. It turns your blog into what every C64 owner saw when they powered on the computer. I’m disappointed it doesn’t retain the 40 character line but I guess some exceptions had to be made “in the name of progress”. We didn’t have Youtube back then either but if we did you can be sure it would be full of dodgy VHS copies of Glenroe and Cheers.

Of much more interest to a certain demographic would be a WordPress theme that embeds blog posts in an Amiga intro or C64 intro using HTML5? Someone will read a DYCP version of this post, right?

(Thanks Ian for the link!)

Search more Twitter with Tweet Tweet

My Tweet Tweet plugin hasn’t been updated in a while. It stores Twitter conversations in your local database. Not just your own tweets but also the tweets of those you follow.

Storage can be a problem once the plugin has been running for a few months however. The log table gets quite big so last year I added code to the plugin that broke up those tables once they reached a predetermined size. In my case I go with 100,000 rows. I have over 20 of those tables now (some in an old database I haven’t copied over yet) and until today the search function in the plugin only searched the most recently created table.

All that’s changed now. It’ll search back through the other tables and compile a list of up to 10,000 tweets. It’s still a little rough but if you’ve been running the plugin for some time give the development version on the developers page a go. Here’s a search for Aurora. The original image was 21793 pixels high, so this is the latest and earlier tweets in that search:

aurora search on twitter

aurora search on twitter

WP Super cache 1.1

This is a bugfix release of the full page caching plugin WP Super Cache for WordPress.

Not much has changed in the week or so since I asked for testers but in case you missed that post here are the changes since 1.0:

  • Use $_SERVER[ 'SERVER_NAME' ] to create cache directories. No more non existant blogs appearing in your cache supercache and blogs folders.
  • Only create blogs cached directories if valid requests and blogs exist.
  • Only clear current blog’s cache files if navigation menu is modified
  • Added clean_post_cache action to clear cache on post actions
  • Removed garbage collection details on Contents tab
  • Added wp_cache_check_mobile cacheaction filter to shortcircuit mobile device check.
  • Don’t delete cache files for draft posts
  • Added action on wp_trash_post to clear the cache when trashed posts are deleted
  • Show a warning when 304 browser caching is disabled (because mod_rewrite caching is on)
  • New check for safe mode if using less that PHP 5.3.0
  • Added wp_supercache_remove_cookies filter to disable anonymous browsing mode.
  • Fixed garbage collection schedule dropdown
  • Fixed preload problem clearing site’s cache on “page on front” sites.
  • Fix for PHP variable not defined warnings
  • Fixed problem refreshing cache when comments made as siteurl() sometimes didn’t work
  • Preloading of taxonomies is now optional
  • Domain mapping fixes.
  • Better support for https sites. Remove https:// to get cache paths.
  • Added AddDefaultCharset .htaccess rule back in and added an option to remove it if required.
  • Added multisite plugin that adds a “Cached” column to Network->Sites to disable caching on a per site basis.
  • Added WPTouch plugin to modify browser and prefix list in mobile detection code. Added support for that plugin’s exclude list.
  • Fixed cache tester
  • Filter the tags that are used to detect end-of-page using the wp_cache_eof_tags filter.
  • Removed debug level from logging as it wasn’t helpful.
  • Removed mention of wp-minify.

As ever, the support forum is the best place to go for help as I monitor it all the time. Before you post there use Google to search for any error strings and use the debug system in the plugin as it will probably tell you what’s going on.