While doing routine troubleshooting I noticed an error appearing multiple times in the server log (a truncated version is replicated below).
WordPress database error Unknown column 'actioned_text' in 'field list' for query SELECT ... FROM wc_admin_note_actions WHERE ...
Messages in the server log are not necessarily problematic but when the same one is logged multiple times that’s probably a sign to start investigating.Read more »
I consider myself a craftsman in that I dedicate myself to my work. I’m probably a few steps short of a perfectionist (though that terms has been applied to me in the past) and while I may not know best any newfangled idea or technique must convince me of its value before I’ll give it a second look. I pride myself in creating the best work I am capable of.
But reality does not always give me the luxury of doing so. While a craftsman would prefer having ample time and resources to work on their projects, the real world cannot always accommodate this. In most cases it’s “now or preferably yesterday!”
Did you know you can disable Jetpack’s Downtime Monitoring module using the ever-so-useful WP-CLI? Perhaps you’re doing some routine Website Maintenance and don’t want to be barraged by emails alerting you to the planned website downtime (and if you’re the type to never do maintenance on your website, you really should think about starting).
As divisive as the Jetpack WordPress plugin is, the Downtime Monitoring module is an easy, free way to be alerted when your WordPress website goes down. The problem is that Jetpack has been very indecisive about how to allow users to disable the Downtime Monitoring module.
Currently you can toggle it from your WordPress Admin but previous versions redirected you to the linked WordPress.com account where, in my experience anyway, it failed more often than not. So if you’ve been having trouble disabling the Downtime Monitor and if you happen to have WP-CLI installed (why wouldn’t you?), you can use this nifty command:
wp jetpack module deactivate monitor
Simple, isn’t it? Just don’t forget to turn it back on when you’re done!
Sometimes all you need is a simple plugin to add custom CSS to WordPress websites. Heaven knows there’s no lack of them in the WordPress repository.
I prefer to keep all CSS in the theme’s folder but sometimes I need to add some custom CSS on-the-fly without having to go through the trouble of updating the actual theme code. Maybe the client has reported a visual anomaly or I spotted something off while browsing their website. Either way, it’s much easier to log into the WordPress admin and add the CSS code. Migrating it to the theme can be done at a properly scheduled time.
We were doing routine maintenance on a client’s WordPress website when we noticed that they’d installed a plugin. Installing plugins is something we don’t normally encourage (or even allow) our clients to do but there are of course exceptions to the rule. We wanted to learn more about the plugin so we could determine if it could safely be removed and to cut a long story short we ended up going through the code itself only to find the plugin displays, without permission, a hyperlink to an external website. This was ad injection.
The Adminimize WordPress Plugin is one of those things I wish I had found sooner. To protect our clients from themselves, we remove and block access to certain WordPress Admin pages that we feel could accidentally allow them to mess up their website. We use to do this through a combination of WordPress Roles and custom code that had to be painstakingly collected and tested. Most, if not all, that code is now redundant thanks to Adminimize.
There are lots of things in the WordPress admin area that your users don’t need to see or use. [The Adminimize WordPress] plugin help [sic] you to hide unnecessary items from WordPress admin area.
Read more »
This article was updated on 26th September 2022.
When you’re still developing your WordPress website you usually want to keep things under wraps. Here is a list of WordPress plugins that will help support your websites while they are still in development.
Prevent development websites from updating WordPress: Advanced Automatic Updates
Advanced Automatic Updates gives you the option of preventing your WordPress core from updating in your development website. This will help minimize the risk of functionality breaking when things update. You have the option of completely disabling all updates, enabling major version updates or enabling security updates.
(Update 26th September 2022) Automatic Updates are a bit more complex than they used to be but not by much. To disable all Automatic Updates (core, plugins & themes) add the following line to your
define( 'AUTOMATIC_UPDATER_DISABLED', true );
Check out Configuring Automatic Background Updates to learn how you can customize the automatic update behaviour.
Protect development websites from being seen: WP Maintenance Mode
There are a lot of “Under Construction” plugins available but I keep going back to WP Maintenance Mode. This plugin will display a customizable “Under Maintenance” message to all non-Admin users who have are not logged in. You can also select which WordPress users you want to grant access to.
An additional benefit of the plugin is that it keeps search engine crawl bots at bay too. You can allow them to crawl the development website or block them with a 503 HTTP response.
Fun fact: This is the plugin I use when doing routine website maintenance.
Get (some) Jetpack functionality without connecting to WordPress.com: Unplug Jetpack
Without getting into an argument about Jetpack’s bloat-factor, Unplug Jetpack gives you access to some Jetpack functionality without connecting to WordPress.com. Just install the plugin, activate it and… that’s all really.
(Update 26th September 2022) Unplug Jetpack hasn’t been updated in 3 years. While it still works (as of writing) it uses deprecated code which may one day cease to function. Fortunately Jetpack has an Offline Mode which you can enable by adding the following line to your
define( 'JETPACK_DEV_DEBUG', true );
When enabled there will be a notification on the Jetpack Dashboard.
There’s also a filter hook if you prefer using that. Check out the previous link to Jetpack’s Offline Mode to learn more.
Stop emails from sending: Stop Emails
I’ve only recently discovered Stop Emails and haven’t put it through it’s paces yet but this plugin will (you guessed it) stop emails from sending. Note that the plugin only stops emails sent using WordPress’s
wp_mail() function. Any emails sent through PHP’s
mail() function will still go through.
True story: I was once testing a custom function which just so happened to send emails to a couple accounts I have with Yahoo! Mail and Mail.com. I must have sent well over 3 dozen emails within the span of an hour to test things out causing Yahoo! to think I was trying to spam the account. To this day all, emails sent from that development website domain is blocked by Yahoo.
Now this was a head-scratcher: the BackupBuddy settings on 5 of my client websites simply reset for no apparent reason. And that means the websites were not being automatically backed up. Not good.
After chatting with iThemes Support (the people who make BackupBuddy), I learned that connectivity issues between the website and database can fool BackupBuddy into thinking there are no settings causing the plugin to revert to defaults. Connectivity issues could be due to DDoS attacks or a problem with the hardware. iThemes said they are aware of this issue and have built in more checks but as is life they can’t account for every single scenario.
Fortunately I caught the problem during a routine maintenance check on a client’s website. BackupBuddy now comes with a way to export the plugin settings so it’s a good idea to save a copy just in case.
You’ve probably heard the news already that WordPress websites are facing an XML-RPC Brute Force Amplification Attacks. But did you also know that Sucuri, iThemes and Wordfence already have you protected?
If you use Sucuri’s Website Application Firewall (WAF), the company has you covered:
Note that users of our WAF are already protected against this attack, so if you are on CloudProxy you are safe.
Similarly, the Wordfence Security Plugin has login protection that takes into account XML-RPC. Just remember to enable Login Security in the Wordfence Options.
Yes we do protect against brute force via XML-RPC and we have for some time now. We also protect against multiple attempts via a single XML-RPC call
Finally, the iThemes Security Plugin protects against XML-RPC Brute Force attacks (even the free version):
Brute Force Protection in iThemes Security just got more robust. Now when you enable Brute Force Protection this feature includes protection from XML-RPC attacks
Make sure your websites are protected!
Edit (16th October 2015): iThemes Security v5.1.0 and iThemes Security Pro v2.0.0 protect against the XML-RPC Brute Force Amplification Attacks.
New Feature: Added “Multiple Authentication Attempts per XML-RPC Request” setting to the WordPress Tweaks section. When this setting is set to “Block”, iThemes Security will block brute force login attacks against XML-RPC
Edit (15th October 2015): If you have Jetpack installed, the Protect Module also stops XML-RPC attacks.