Category: WordPress

WordPress Plugin Security Alert

Earlier this week, a friend (who, for the purposes of this post is named Stephen) relayed a story to me of an email that one of his friends had received recently.

This friend – let’s call him John – runs a local business that requires advance bookings from customers. He runs his entire booking calendar through his website, and as well as customers being able to register an account and book through the website, he can also create bookings on behalf of customers from the administration panel.

It’s this latter scenario that gave rise to the situation I’m about to delve into. John had booked this customer in to his calendar through the admin panel of his WordPress-powered website, and the customer received a confirmation email containing a “Manage Account” link.

The customer clicked this link to view his booking details, and was surprised to find that he could see a lot more bookings than just his own! He, very responsibly, emailed John to let him know, who then in turn got in touch with Stephen (who had built the website) and Stephen then relayed this whole story to me.

Immediately my ears pricked up – that’s not a great situation for a customer to find, as it suggests deep-seated problems with the website’s security, so I volunteered to take a look. The following is what I found…

WooCommerce: getAddress.io Postcode Lookup

Update: Version 2.2 released on 10th February 2022, on the WordPress plugin repository.

This, my third WordPress plugin (and also my third WooCommerce plugin, apparently I really like doing stuff with WooCommerce!) adds a postcode lookup tool to the checkout in WooCommerce 3.x that lets your UK-based customers quickly fill in their billing/shipping addresses based on their postcode.

It utilises the great getAddress.io API for the postcode lookup, and as such requires an API key for their service. I’d always recommend the £10 per month pricing plan, simply because it offers the best value, but they have a number of others available.

WooCommerce: Purchase Order Payment Gateway

Update: Version 1.1.5 released on 4th May 2021, on the plugin repository.

A recent project required the ability for customers on a client’s WooCommerce website to be able to request an invoice for their order (and thus pay offline) – but with the added twist that it required a Purchase Order number. This twist meant that simply changing the name of WooCommerce’s built-in “Offline” gateway was not enough.

I had a quick look around and found an existing plugin for WooCommerce that added this functionality, but as seems to be common when I do this, the functionality left a little bit to be desired.

First of all, the plugin required the customer to enter a postal address for the invoice (and curiously, didn’t automatically pull through the customer’s billing address) – I only needed a Purchase Order number field.

Additionally, it wasn’t very well internationalised – some strings were set as translated, but others – particularly in the HTML output that the plugin generated on the front-end and the admin back-end, were not.

So, I’ve taken it upon myself to learn a bit more about WooCommerce’s Payment Gateway API, and have written my own – which you can download below.

How to enable checkbox lists for non-hierarchical taxonomies in WordPress

WordPress’ taxonomy features are one of the most powerful aspects of the platform, giving you the capabilities to group posts (including custom post types) in pretty much as many ways as you can think of.

There are two types of WordPress taxonomy – hierarchical and non-hierarchical. In case it’s not obvious from the name, a hierarchical taxonomy has a hierarchy – that is, you can create terms that are children of a parent term (and even children of those children) – standard post categories in WordPress are an “out of the box” example of a hierarchical taxonomy.

A non-hierarchical taxonomy has no parent/child structure, and is basically just a “flat” list of terms. Post tags are the “out of the box” example here.

When you’re developing a plugin for WordPress (or maybe even a theme) you may find that you have a need to create custom taxonomies – for example, if creating a plugin for a property/real estate website, you may have a custom taxonomy for “Property Type”, that contains terms like “House”, “Apartment” etc.

It’s at this point that you may run into a bit of an annoyance with the default WordPress user interface…

WooCommerce: Use Product Images as Category Images

Update: Version 1.3.1 released on the 25th August 2020.

So, earlier this morning I found myself wishing that WooCommerce had the capability to use a product thumbnail when displaying a category link in situations where the category doesn’t have its own thumbnail defined.

I went on a bit of a hunt and found a couple of small plugins. One didn’t work at all, which I attribute mainly to it having not been updated for two years and much changing in both WordPress and WooCommerce since then, and another one that I found didn’t work until I made a couple of code changes – and had a couple of noteworthy problems;

  • it would only fetch product thumbnails from that immediate category – not delving deeper down into the category tree and fetch product thumbnails from child categories, and
  • it did no filtering for products that had no thumbnails set, so would in some cases return products that had no thumbnail

So, I’ve made my own. A zip download can be found below, you just need to drop the folder inside it into your wp-content/plugins folder and then activate the “WooCommerce Category Product Thumbnails” plugin.

I’m using WordPress 4.9.4 and WooCommerce 3.3.0 – please let me know in the comments if it doesn’t work on other versions.

Update version 1.1 –  23rd March 2018: Add option (found under WooCommerce -> Settings -> Products -> Auto Category Thumbnails) to change the image size used for the automatic thumbnails. By default it remains as “shop_thumbnail”, but you may find that “shop_catalog” is a better choice.

Download

Download the plugin from the WordPress Plugin Repository

Source

This plugin is open-source – view the source code on the GitHub repository.

Security isn’t a dirty word, Blackadder

I’m often surprised at just how some websites treat their users when it comes to security.

As any decent website developer knows, one of the basic tenets of application security is that you should never store a user’s password in an unencrypted format – and you shouldn’t really be storing a password in an encrypted format, either. The correct way to deal with storing a password is to use a password hashing algorithm (note: “password hashing”, not just “hashing”)

I’m not going to pretend that I’m perfect at this. It took me an embarrassingly long time to stop using MD5 for hashing passwords in my code (although, in my defence, it was at least salted and not just a straight hash) but I caught up with the zeitgeist and all’s well again. Of course, it seems these days I do most of my work with existing frameworks and applications, so don’t really have to worry too much about that kind of thing any more.

The fact that there are so many frameworks and other tools out there to help devs with this kind of thing just makes it all the more upsetting when I see someone doing it so drastically wrong. Someone like whoever it was that developed KidsPass.co.uk

For those unfamiliar, Kids Pass is a website aimed at parents that offers many discounts and other offers on things to do with their little’uns. It’s not a website aimed at children, which is just as well because with password security as poor as theirs that would be absolutely terrifying.

Privacy Policy & Powered by WordPress & Theme by Anders Norén