Check Point Blog:
Finding Vulnerabilities in Core WordPress: A Bug Hunter’s Trilogy, Part I
Aug 06, 2015 @ 11:44:14

The Check Point blog has posted the first part of a series from one of their vulnerability researchers about finding security vulnerabilities in the core WordPress code (and some of the results along with CVE numbers).

In this series of blog posts, Check Point vulnerability researcher Netanel Rubin tells a story in three acts – describing his long path of discovered flaws and vulnerabilities in core WordPress, leading him from a read-only ‘Subscriber’ user, through creating, editing and deleting posts, and all the way to performing SQL injection and persistent XSS attacks on 20% of the popular web.

In this first part he focuses on the concept of "identity" in a WordPress application. He focused on the "roles and capabilities" functionality to find bypass methods in operations like editing and adding new posts. As he works through his process, code is included from the WordPress core showing where the issue(s) lie and what would be needed to exploit the issue.

tagged: bug hunt wordpress vulnerability core code part1 series checkpoint

Link: http://blog.checkpoint.com/2015/08/04/wordpress-vulnerabilities-1/

Zend:
Debugging WordPress with Zend Server and Z-Ray on AWS
Aug 05, 2015 @ 11:57:02

The Zend.com blog has a post showing you how to debug WordPress running on Zend Server with the help of the Z-Ray plugin. In their example they're hosting it on an AWS instance, but the same technique can apply on any other hosted version as well.

More and more PHP development is being done in the cloud and on virtual platforms nowadays. The workflow detailed in this brief tutorial is just one way to develop PHP in these environments, but it illustrates just how easy and productive this type of development can be. More specifically, it demonstrates how to launch the newly available Zend Server 8.5 instance on AWS with a WordPress application already deployed, and then use Z-Ray to introspect and debug the code.

The tutorial walks you through the setup and configuration of a new AWS instance with Zend Server and WordPress installed (you can skip to the end if you already have this). They show you how to:

  • Launch the Zend Server AWS instance
  • Configure the instance to install WordPress as a part of the setup process
  • Access the Zend Server control panel
  • Access the WordPress application deployed on the instance

Once the WordPress application is accessed, the Z-Ray inspection bar will appear at the bottom giving you insight into various configuration options, performance metrics and server information. They also link to a video with more information about the WordPress plugin.

tagged: zendserver wordpress aws amazon instance zray debug tutorial install configure

Link: http://blog.zend.com/2015/08/04/debugging-wordpress-with-zend-server-and-z-ray-on-aws

SitePoint PHP Blog:
WP API and OAuth – Using WordPress without WordPress
Jul 16, 2015 @ 13:08:54

The SitePoint PHP blog has posted a tutorial showing you how to "use WordPress without WordPress" via a basic RESTish API installed via plugin. The article focuses on using the OAuth authentication method to connect a client to the WP instance, linked to a system user via generated tokens.

In this tutorial, we’ll learn how to install and use WP-API with OAuth – a WordPress plugin which uses REST-like API endpoints to allow reading of WP content to unauthenticated users, and writing of WP content to users who authenticate via OAuth (or via Cookies for themes and plugins). Using the plugin isn’t very straightforward, and the prerequisite list is quite long, so this post was written to make it simple and relatively approachable (as long as you’re in control of your own server).

The tutorial walks you through the steps to get a WordPress instance installed (via a git clone) and set it up to work with Homestead Improved. He then installs the "wp-cli" tool to get the OAuth1 plugin needed to make things work correctly and shows how to use it to generate the key and secret for the OAuth connection. He then writes a simple script that uses the Guzzle HTTP client and its OAuth handling to request a token, call the callback page and return the bearer token used for the remainder of the requests. Finally, he creates a simple page that uses this token to submit a new article via the API and views it in the WordPress interface.

tagged: wordpress api tutorial oauth guzzle oauth1 wpcli rest

Link: http://www.sitepoint.com/wp-api-and-oauth-using-wordpress-without-wordpress/

Sameer Borate:
Accessing WordPress data using the new REST api
Jul 16, 2015 @ 09:53:57

Sameer Borate has posted an article showing you how to use the WordPress REST API (set up by this plugin) to access the data housed inside your WP installation.

WordPress is without doubt the most used CMS system around. Various sources peg the usage around 20-30% of all web sites. Whatever the correct figure, there is no doubt that the collective content of WordPress sites is enormously large. However almost all content is virtually held in independent WordPress sites with no way to easily access a site's content programmatically. [...] As WordPress is moving towards becoming a fully-fledged application framework, we need new APIs. At present a REST api plugin is available to access your site’s data in simple JSON format, including users, posts, taxonomies and more.

He walks you through the installation of the plugin and how to make a request to the REST API's test endpoint to ensure everything is functioning correctly. He also includes an example request that fetches the contents of a post by its ID. The tutorial wraps up with a look at authentication and the two kinds of handling the plugin provides: basic authentication (HTTP Auth) and OAuth. You can find out more about the structure and functionality of the API on the project's website.

tagged: wordpress rest api tutorial installation setup plugin

Link: http://www.codediesel.com/wordpress/accessing-wordpress-data-using-the-new-rest-api/

SitePoint WordPress Blog:
The WordPress Plugin Boilerplate Part 2: Developing a Plugin
Jun 30, 2015 @ 10:07:50

The SitePoint WordPress blog has posted the second part of their series covering the creation of a WordPress plugin with the help of the WordPress Plugin Boilerplate. In this latest article they build on the first part of the series and start in on the actual plugin development.

In the first part of my series, an introduction to the WordPress Plugin Boilerplate, we looked at how the code is organised within the Boilerplate. To continue with this series, we’ll apply what we’ve learnt previously to build a real working plugin. We are going to take a look at how quickly we can get our plugin up and running using the Boilerplate code, with as little work as possible. This article will focus on creating and activating the plugin, as well as developing the admin facing functionality of the plugin.

They show you how to create a simple "time since posted" plugin with a few customizations available. They show how to use the Boilerplate generator to set up the basic plugin file structure and install it on your WordPress application. From there they show you how to create a simple "Settings" page for the plugin and make it work via the functionality the Boilerplate offers. The post then shows how to register the plugin, populate the options page and save the changes the user makes.

tagged: wordpress boilerplate plugin generator tutorial development lastposted

Link: http://www.sitepoint.com/wordpress-plugin-boilerplate-part-2-developing-a-plugin/

HHVM Blog:
Lockdown Results and HHVM Performance
Jun 10, 2015 @ 09:02:59

The HHVM blog has a new post today sharing the results of their first open source lockdown. During this time they worked to improve not only HHVM itself but how well it supports other open source projects using it as a platform.

The HHVM team has concluded its first ever open source performance lockdown, and we’re very excited to share the results with you. During our two week lockdown, we’ve made strides optimizing builtin functions, dynamic properties, string concatenation, and the file cache. In addition to improving HHVM, we also looked for places in the open source frameworks where we could contribute patches that would benefit all engines. Our efforts centered around maximizing requests per second (RPS) with WordPress, Drupal 7, and MediaWiki, using our oss-performance benchmarking tool.

They share some of the benchmark improvements made by the updates during the session including performance boosts for WordPress & MediaWiki. They also talk about the community involvement during the event and updates made to their own tooling too. The post then spends some time talking about their methodology on development and testing during the lockdown and how the results compare pre- and post-lockdown. The remainder of the post looks at some more specific issues and covers a few technical notes about software used and how the results were reported.

tagged: hhvm lockdown opensource benchmark improvement wordpress drupal mediawiki results

Link: http://hhvm.com/blog/9293/lockdown-results-and-hhvm-performance

Kinsta Blog:
HHVM vs PHP 7 – The Competition Gets Closer!
May 26, 2015 @ 10:19:02

In this new post to their blog Kinsta shares benchmark results comparing PHP 7 to HHVM, both from their own experience and some shared by other companies too.

A few years ago, engineers at Facebook went on a swashbuckling mission to rebuild the foundation of the world’s most populated social network struggling to sustain acceptable performance levels. PHP was all the rage a decade ago when Facebook was gaining steam and pursuing a global target audience.

As they put it, the "competition is getting closer" and the performance gap between the two is growing smaller and smaller. They talk some about the performance improvements and new features that are being worked into PHP 7 and some speculation around a Just-In-Time engine and asynchronous programming features. Then come the benchmarks. They provide the specifications of the machine they tested on and the results of test runs of WordPress and Drupal (measured in requests per second). The rest of the article covers two stories from other companies using HHVM, Etsy and WikiMedia, and some of the lessons that have been learned along the way.

tagged: hhvm php7 performance benchmarks mediawiki etsy wordpress drupal

Link: https://kinsta.com/blog/hhvm-vs-php-7/

Sameer Borate:
Adding WordPress like shortcodes to your web applications
Apr 24, 2015 @ 09:14:50

Sameer Borate has posted a new tutorial showing you how to add shortcode-like handling to your application. Shortcodes are a feature that's common in tools like WordPress to make adding custom markup easier (like "[tag][/tag]").

One of the cool features of WordPress is its shortcode feature. There may be times one wished to add this capability to your PHP web applications. Recently I found one such library which allows you to add shortcode features to your web apps. The library discussed here implements WordPress style shortcode syntax as a standalone package. It's a small package and so can be easily integrated into your existing applications. Content from editors, databases, etc. can be scanned by the Shortcode Manager and the contents replaced by a custom callback.

He makes use of the maiorano84/shortcodes library (installable through Composer) that makes it simple to add the functionality to your existing application. He includes a few examples of tag formats that the library can parse and the code needed to parse and handle them. The custom tags are processed via callbacks and can modify the incoming value easily. He also shows how to access any attributes that may be set on the codes and how to group all of his functionality into one self-contained class.

tagged: shortcode wordpress tag custom library maiorano84 tutorial

Link: http://www.codediesel.com/php/adding-wordpress-like-shortcodes-to-your-web-applications/

NetTuts.com:
Using HHVM With WordPress
Mar 31, 2015 @ 12:11:03

On the NetTuts.com site today they've posted a new tutorial showing you how you can use WordPress with HHVM now that they're 100% compatible.

Over the past few months HHVM has taken the PHP community by storm. Since WordPress 3.9 was released, HHVM is now 100% compatible with WordPress.

Unfortunately, HHVM is not quite ready for use in production in self-hosted environments. In my experience, HHVM crashes about once per day, which makes it not viable for a site where high availability is important. Recently, WP Engine has released project Mercury which seamlessly allows HHVM to gracefully fail by falling back to PHP 5.5 when it fails. In this article, we're going to install HHVM on an Ubuntu server running the latest LTS release, 14.04.

They walk you through the full process including:

  • Installing MySQL
  • Installing Nginx
  • Installing HHVM
  • Setting up and configuring them all to play nicely with WordPress

It's a pretty short article and doesn't get into the specifics of the WordPress setup steps beyond ensuring it's working with HHVM, but it does give a good starting place.

tagged: hhvm wordpress setup tutorial configure install ubuntu

Link: http://code.tutsplus.com/articles/using-hhvm-with-wordpress--cms-21596

Coen Jacobs:
Updating PHP is everyone’s responsibility
Mar 11, 2015 @ 10:06:46

In his latest post Coen Jacobs suggests that updating PHP is everyone's responsibility - that keeping the PHP installation on your systems up to date is important for everyone, not just the system administrators.

The number one remark I heard when I launched WPupdatePHP, is that users shouldn’t be bothered with this. In an ideal world, this is true, but in reality this isn’t going to stand for long. [...] I know the WordPress core team is working really hard to get webhosting companies to update their PHP versions and I agree up to a certain level that this is the best way. It’s not the only way though. [...] This will help lower the percentage of PHP 5.2 and 5.3 users out there. There still will be people on older PHP versions who are caught out and without them knowing what is going on, nothing will change for them.

He talks about the efforts the WordPress core team is making to convince hosting providers to update, but points out that while WordPress aims to run on those old versions, staying on them is a mistake. He also mentions that an effort like this is a constant thing, always changing as new PHP versions are released. He ends the post with a "call to arms" for users out there, encouraging them to talk to their hosting provider and get those PHP versions updated.

Don’t understand me wrong, I like what WordPress is doing to get these requirements bumped, but I think it’s not enough. I disagree on the fact that users shouldn’t be involved in this. It’s easy enough for users to request their hosting platform to be upgraded. If their request isn’t heard, they should find a better webhosting company. [...] It’s been long enough, I choose to act now.

tagged: update version responsibility opinion hosting company wordpress

Link: http://coenjacobs.me/updating-php-everyones-responsibility/