joaovpmamede/WP_Bag_of_Tricks.txt

## WP_Bag_of_Tricks.txt
WP Bag of Tricks

1. Helpful Scripts/Plugins:

Hacks:

	http://wordpress.org/extend/plugins/tac/
	http://wordpress.org/extend/plugins/exploit-scanner/ (Can be extremely resource intensive.)
	http://wordpress.org/extend/plugins/wp-malwatch/

Troubleshooting:

	http://yoast.com/wordpress-debug-theme/
	http://yoast.com/emergency-wordpress-access/
	http://wordpress.org/extend/plugins/wpdb-profiling/ (I love this plugin!)
	http://wordpress.org/extend/plugins/tpc-memory-usage/
	http://wordpress.org/extend/plugins/debug-bar/ (Adds a "debug" menu to the WP menu bar. Like Firebug for WP.)
	http://wordpress.org/extend/plugins/debug-bar-extender/ (Adds a lot of helpful tools to the plugin above.)

Full Site Backups:

	http://wordpress.org/extend/plugins/wp-time-machine/ (Can be easily hacked to work with Ceph beta.)

DB Backups:

	http://wordpress.org/extend/plugins/dbc-backup/
	http://wordpress.org/extend/plugins/wp-dbmanager/

Caching:

	http://wordpress.org/extend/plugins/wp-super-cache/
	http://wordpress.org/extend/plugins/db-cache-reloaded/

Spam:

	http://wordpress.org/extend/plugins/akismet/
	http://wordpress.org/extend/plugins/wp-hashcash/

2. On the Site:

Hard coding the site URL via wp-config.php:

	define('WP_HOME','http://domain.com'); // These two settings will remove the ability to change the site URL in wp-admin.
	define('WP_SITEURL','http://domain.com'); // Use at your own peril!

Changing the URL values in the database via wp-config.php:

	define('RELOCATE',true); // Visit wp-login.php. Log in. Remove this line!

Tell WordPress to use whatever URL you visit it from:

	define('WP_HOME', 'http://'.$_SERVER['HTTP_HOST']);
	define('WP_SITEURL', 'http://'.$_SERVER['HTTP_HOST']);

Change the URLs post site move before you have the chance to do a find/replace on the DB:

	// Add this to wp-config.php - but then actually change the URLs in the database.
	// Don't be lazy!
	ob_start( 'nacin_dev_urls' );
	function nacin_dev_urls( $buffer ) {
	$live = 'http://olddomain.com';
	$dev = 'http://newdomain.com'; return str_replace( $live, $dev, $buffer );
	}

Repair & Optimize DB:

	http://example.com/wp-admin/maint/repair.php

Clean debugging:

	// Add this to wp-config.php to cleanly debug a site.
	// Just make sure to turn it off when you're done!
	define('WP_DEBUG',         true);  // Turn debugging ON
	define('WP_DEBUG_DISPLAY', false); // Turn forced display OFF
	define('WP_DEBUG_LOG',     true);  // Turn logging to wp-content/debug.log ON

	# Drop this in a .htaccess file in wp-content to keep the log safe.
	<files debug.log>
	order allow,deny
	deny from all
	</files>

	# tail -f wp-content/debug.log

White Screen of Death:

	- Add "define('WP_DEBUG', true);" to "wp-config.php".
	- Comment out "define('WP_CACHE', true);" line in "wp-config.php".
	- Edit "wp-content/advanced-cache.php" and make sure the path matches up to the actual paths.
	- Disable plugins by moving/renaming plugins directory.
	- Change "template" and "stylesheet" in wp_options to another theme.

500 Errors:

	- Disable plugins by moving/renaming plugins directory.
	- Change "template" and "stylesheet" in wp_options to another theme.

When wp-login.php directs back to itself:

	- Disable plugins by moving/renaming plugins directory.
	- Check to make sure that the "siteurl" and "home" values match. Sometimes one is missing a www when the other has it - or is just wrong.

Seeing "Briefly unavailable for scheduled maintenance. Check back in a minute." error:

	- Remove .maintenance file from user's home directory.

Change wp-admin to a language you can read:

	- Comment out "define ('WPLANG', 'pt_BR');" or whatever value is set in "wp-config.php".
	- Insert "define ('WPLANG', '');" into "wp-config.php". Now the dashboard is in English!
	- Do what you need to do.
	- Remove the inserted value and uncomment the old value.
	- Make sure you can't read the dashboard anymore. ;)

Let yourself into wp-admin without password info:

	- Open database in phpMyAdmin.
	- Browse to "wp_users" or whatever it might be called with an alternate prefix.
	- Click the little pencil icon next to the "admin" account.
	- In "user_pass" field, copy out the hashed info in "Value" to a safe place.
	- Select "MD5" from the Function dropdown for "user_pass".
	- Insert plain text password in "Value" field where hashed value was.
	- Click "Go".
	- Use the password you set to log in to site's wp-admin and do what you need to.
	- Change the password back by editing the user, pasting in the old (saved) value and pressing "Go". Do not select "MD5" from the dropdown!

Revisions & Auto Save:

Place these values in wp-config.php to limit and slow down auto saves:

	define('AUTOSAVE_INTERVAL', 120 ); // Default value is 60 seconds.
	define(’WP_POST_REVISIONS’, 3); // Number of revisions to save.

Place these values in wp-config.php to kill auto saves completely:

	define(’WP_POST_REVISIONS’, false); // Turns off post revisions.

MySQL command to clear out revisions:

	DELETE FROM wp_posts WHERE post_type = "revision";

MySQL command to clear out posts in the trash:

	DELETE FROM wp_posts WHERE post_type = "trash";

MySQL command to clear out spam:

	DELETE FROM wp_comments WHERE comment_approved = "spam";

MySQL command to clear out comments in the trash:

	DELETE FROM wp_comments WHERE comment_approved = "trash";

MySQL command to clear out a large run of unapproved comments:

	DELETE FROM wp_comments WHERE comment_approved = "0";

Re-running approved comments thru Akismet:

	http://jasoncosper.com/archives/rekismet/ (Note: Very load intensive on sites with LOTS of comments.)

Secret Key (for wp-config.php) Generator:

	https://api.wordpress.org/secret-key/1.0/ (For 2.5.x users. One key. Not recommended!)
	https://api.wordpress.org/secret-key/1.1/ (For 2.6.x to 2.9.x users. Four keys.)
	https://api.wordpress.org/secret-key/1.1/salt/ (For 3.0.x and up. Eight keys. This is the way to go!)

If the user has an SSL cert for their domain:

	define('FORCE_SSL_ADMIN', true); // Force visits to wp-admin to go thru SSL.

Extra security - it's a good thing. ;)

3. Known Issues:

	http://wordpress.org/support/
	http://core.trac.wordpress.org/
	https://irclogs.wordpress.org/
	http://www.wpsecure.net/ (Current exploits)

Note: Paste errors into "Search" on first 3 links.

4. Developer News:

	http://wpdevel.wordpress.com/
	http://lists.automattic.com/mailman/listinfo/wp-hackers

5. URLs of Interest:

	http://www.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/
	http://ottopress.com/2011/how-to-cope-with-a-hacked-site/
	http://www.exploit-db.com/search/?action=search&filter_description=wordpress&filter_type=6
	http://www.w3-edge.com/weblog/2011/02/optimize-social-media-button-performance/

6. WP on nginx:

This goes in "/home/user/nginx/example.com/wordpress.conf" at DreamHost.

#######################
# FeedBurner
# This always goes on top of any permalink rules.
# Swap "your-feed" and "your-comment-feed" for the appropriate feeds at FeedBurner.

if ($http_user_agent !~ FeedBurner) {
  rewrite ^/comment/feed/ http://feeds.feedburner.com/your-comment-feed last;
  rewrite ^/feed/ http://feeds.feedburner.com/your-feed last;
}

#######################
# Classic Permalinks
# You should be caching. But if you're not, here's what you need.

if (!-e $request_filename) {
  rewrite ^.*$ /index.php last;
}

#######################
# WP Super Cache
# Use these in place of the standard permalink rules if WP Super Cache is on.
# Not needed if "Use PHP to serve cache files." is checked in WP Super Cache.

# if the requested file exists, return it immediately
if (-f $request_filename) {
  break;
}

set $supercache_file '';
set $supercache_uri $request_uri;

if ($request_method = POST) {
  set $supercache_uri '';
}

# Using pretty permalinks, so bypass the cache for any query string
if ($query_string) {
  set $supercache_uri '';
}

if ($http_cookie ~* "comment_author_|wordpress|wp-postpass_" ) {
  set $supercache_uri '';
}

# if we haven't bypassed the cache, specify our supercache file
if ($supercache_uri ~ ^(.+)$) {
  set $supercache_file /wp-content/cache/supercache/$http_host/$1index.html;
}

# only rewrite to the supercache file if it actually exists
if (-f $document_root$supercache_file) {
  rewrite ^(.*)$ $supercache_file break;
}

# all other requests go to Wordpress
if (!-e $request_filename) {
  rewrite ^.*$ /index.php last;
}
	WP Bag of Tricks

	1. Helpful Scripts/Plugins:

	Hacks:

	http://wordpress.org/extend/plugins/tac/
	http://wordpress.org/extend/plugins/exploit-scanner/ (Can be extremely resource intensive.)
	http://wordpress.org/extend/plugins/wp-malwatch/

	Troubleshooting:

	http://yoast.com/wordpress-debug-theme/
	http://yoast.com/emergency-wordpress-access/
	http://wordpress.org/extend/plugins/wpdb-profiling/ (I love this plugin!)
	http://wordpress.org/extend/plugins/tpc-memory-usage/
	http://wordpress.org/extend/plugins/debug-bar/ (Adds a "debug" menu to the WP menu bar. Like Firebug for WP.)
	http://wordpress.org/extend/plugins/debug-bar-extender/ (Adds a lot of helpful tools to the plugin above.)

	Full Site Backups:

	http://wordpress.org/extend/plugins/wp-time-machine/ (Can be easily hacked to work with Ceph beta.)

	DB Backups:

	http://wordpress.org/extend/plugins/dbc-backup/
	http://wordpress.org/extend/plugins/wp-dbmanager/

	Caching:

	http://wordpress.org/extend/plugins/wp-super-cache/
	http://wordpress.org/extend/plugins/db-cache-reloaded/

	Spam:

	http://wordpress.org/extend/plugins/akismet/
	http://wordpress.org/extend/plugins/wp-hashcash/

	2. On the Site:

	Hard coding the site URL via wp-config.php:

	define('WP_HOME','http://domain.com'); // These two settings will remove the ability to change the site URL in wp-admin.
	define('WP_SITEURL','http://domain.com'); // Use at your own peril!

	Changing the URL values in the database via wp-config.php:

	define('RELOCATE',true); // Visit wp-login.php. Log in. Remove this line!

	Tell WordPress to use whatever URL you visit it from:

	define('WP_HOME', 'http://'.$_SERVER['HTTP_HOST']);
	define('WP_SITEURL', 'http://'.$_SERVER['HTTP_HOST']);

	Change the URLs post site move before you have the chance to do a find/replace on the DB:

	// Add this to wp-config.php - but then actually change the URLs in the database.
	// Don't be lazy!
	ob_start( 'nacin_dev_urls' );
	function nacin_dev_urls( $buffer ) {
	$live = 'http://olddomain.com';
	$dev = 'http://newdomain.com'; return str_replace( $live, $dev, $buffer );
	}

	Repair & Optimize DB:

	http://example.com/wp-admin/maint/repair.php

	Clean debugging:

	// Add this to wp-config.php to cleanly debug a site.
	// Just make sure to turn it off when you're done!
	define('WP_DEBUG', true); // Turn debugging ON
	define('WP_DEBUG_DISPLAY', false); // Turn forced display OFF
	define('WP_DEBUG_LOG', true); // Turn logging to wp-content/debug.log ON

	# Drop this in a .htaccess file in wp-content to keep the log safe.
	<files debug.log>
	order allow,deny
	deny from all
	</files>

	# tail -f wp-content/debug.log

	White Screen of Death:

	- Add "define('WP_DEBUG', true);" to "wp-config.php".
	- Comment out "define('WP_CACHE', true);" line in "wp-config.php".
	- Edit "wp-content/advanced-cache.php" and make sure the path matches up to the actual paths.
	- Disable plugins by moving/renaming plugins directory.
	- Change "template" and "stylesheet" in wp_options to another theme.

	500 Errors:

	- Disable plugins by moving/renaming plugins directory.
	- Change "template" and "stylesheet" in wp_options to another theme.

	When wp-login.php directs back to itself:

	- Disable plugins by moving/renaming plugins directory.
	- Check to make sure that the "siteurl" and "home" values match. Sometimes one is missing a www when the other has it - or is just wrong.

	Seeing "Briefly unavailable for scheduled maintenance. Check back in a minute." error:

	- Remove .maintenance file from user's home directory.

	Change wp-admin to a language you can read:

	- Comment out "define ('WPLANG', 'pt_BR');" or whatever value is set in "wp-config.php".
	- Insert "define ('WPLANG', '');" into "wp-config.php". Now the dashboard is in English!
	- Do what you need to do.
	- Remove the inserted value and uncomment the old value.
	- Make sure you can't read the dashboard anymore. ;)

	Let yourself into wp-admin without password info:

	- Open database in phpMyAdmin.
	- Browse to "wp_users" or whatever it might be called with an alternate prefix.
	- Click the little pencil icon next to the "admin" account.
	- In "user_pass" field, copy out the hashed info in "Value" to a safe place.
	- Select "MD5" from the Function dropdown for "user_pass".
	- Insert plain text password in "Value" field where hashed value was.
	- Click "Go".
	- Use the password you set to log in to site's wp-admin and do what you need to.
	- Change the password back by editing the user, pasting in the old (saved) value and pressing "Go". Do not select "MD5" from the dropdown!

	Revisions & Auto Save:

	Place these values in wp-config.php to limit and slow down auto saves:

	define('AUTOSAVE_INTERVAL', 120 ); // Default value is 60 seconds.
	define(’WP_POST_REVISIONS’, 3); // Number of revisions to save.

	Place these values in wp-config.php to kill auto saves completely:

	define(’WP_POST_REVISIONS’, false); // Turns off post revisions.

	MySQL command to clear out revisions:

	DELETE FROM wp_posts WHERE post_type = "revision";

	MySQL command to clear out posts in the trash:

	DELETE FROM wp_posts WHERE post_type = "trash";

	MySQL command to clear out spam:

	DELETE FROM wp_comments WHERE comment_approved = "spam";

	MySQL command to clear out comments in the trash:

	DELETE FROM wp_comments WHERE comment_approved = "trash";

	MySQL command to clear out a large run of unapproved comments:

	DELETE FROM wp_comments WHERE comment_approved = "0";

	Re-running approved comments thru Akismet:

	http://jasoncosper.com/archives/rekismet/ (Note: Very load intensive on sites with LOTS of comments.)

	Secret Key (for wp-config.php) Generator:

	https://api.wordpress.org/secret-key/1.0/ (For 2.5.x users. One key. Not recommended!)
	https://api.wordpress.org/secret-key/1.1/ (For 2.6.x to 2.9.x users. Four keys.)
	https://api.wordpress.org/secret-key/1.1/salt/ (For 3.0.x and up. Eight keys. This is the way to go!)

	If the user has an SSL cert for their domain:

	define('FORCE_SSL_ADMIN', true); // Force visits to wp-admin to go thru SSL.

	Extra security - it's a good thing. ;)

	3. Known Issues:

	http://wordpress.org/support/
	http://core.trac.wordpress.org/
	https://irclogs.wordpress.org/
	http://www.wpsecure.net/ (Current exploits)

	Note: Paste errors into "Search" on first 3 links.

	4. Developer News:

	http://wpdevel.wordpress.com/
	http://lists.automattic.com/mailman/listinfo/wp-hackers

	5. URLs of Interest:

	http://www.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/
	http://ottopress.com/2011/how-to-cope-with-a-hacked-site/
	http://www.exploit-db.com/search/?action=search&filter_description=wordpress&filter_type=6
	http://www.w3-edge.com/weblog/2011/02/optimize-social-media-button-performance/

	6. WP on nginx:

	This goes in "/home/user/nginx/example.com/wordpress.conf" at DreamHost.

	#######################
	# FeedBurner
	# This always goes on top of any permalink rules.
	# Swap "your-feed" and "your-comment-feed" for the appropriate feeds at FeedBurner.

	if ($http_user_agent !~ FeedBurner) {
	rewrite ^/comment/feed/ http://feeds.feedburner.com/your-comment-feed last;
	rewrite ^/feed/ http://feeds.feedburner.com/your-feed last;
	}

	#######################
	# Classic Permalinks
	# You should be caching. But if you're not, here's what you need.

	if (!-e $request_filename) {
	rewrite ^.*$ /index.php last;
	}

	#######################
	# WP Super Cache
	# Use these in place of the standard permalink rules if WP Super Cache is on.
	# Not needed if "Use PHP to serve cache files." is checked in WP Super Cache.

	# if the requested file exists, return it immediately
	if (-f $request_filename) {
	break;
	}

	set $supercache_file '';
	set $supercache_uri $request_uri;

	if ($request_method = POST) {
	set $supercache_uri '';
	}

	# Using pretty permalinks, so bypass the cache for any query string
	if ($query_string) {
	set $supercache_uri '';
	}

	if ($http_cookie ~* "comment_author_\|wordpress\|wp-postpass_" ) {
	set $supercache_uri '';
	}

	# if we haven't bypassed the cache, specify our supercache file
	if ($supercache_uri ~ ^(.+)$) {
	set $supercache_file /wp-content/cache/supercache/$http_host/$1index.html;
	}

	# only rewrite to the supercache file if it actually exists
	if (-f $document_root$supercache_file) {
	rewrite ^(.*)$ $supercache_file break;
	}

	# all other requests go to Wordpress
	if (!-e $request_filename) {
	rewrite ^.*$ /index.php last;
	}