
Important WordPress security update 3.0.4

Looks like the Christmas spirit of goodwill to all men lasted a couple of days before the nasty hackers got back to work.

An important security update to WordPress, v3.0.4, has just been released. Anyone running a WordPress 3 blog should update immediately. Anyone who has comments enabled on their WordPress site should be particularly concerned. Why? Because it concerns a flaw in WordPress’ sanitization filter.

One of the biggest problems with websites that accept user generated content from untrusted users (for example people leaving comments on a blog, or posting an update on Twitter or Facebook) is the possibility that they can embed code in that content, typically JavaScript (or other executable code such as PHP), which is then displayed “raw” on the site. Typically they will insert JavaScript that steals cookies, redirects users to other sites, or performs a whole myriad of other exploits.

Sanitization filters parse the content they are fed and attempt to strip out any code that looks suspicious. This update specifically patches the WordPress KSES Sanitization filter, so I expect that someone’s found a way of getting round the filtering and is inserting malicious code into comments.

Of all the filters I’ve used, HTML Purifier seems to be the most comprehensive – so if you’re developing your own bespoke web application that will accept user generated content, I’d recommend you give it a once over…
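To show what an allow-list filter of the kind described above actually does, here is a small added Python example (not the post’s code, and not WordPress’ KSES or HTML Purifier): it re-serialises a comment from parsed tokens, keeps only the listed tags and attributes, drops script/style bodies, and rejects href values whose scheme is not http, https or mailto. The tag and attribute allow-list is a constructed example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: tags a blog comment may use, and which attributes each may carry.
ALLOWED_TAGS = {
    "a": {"href", "title"}, "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(), "code": set(), "blockquote": set(),
}
VOID_TAGS = {"br"}                               # never emit a closing tag for these
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
RAW_TEXT_TAGS = {"script", "style"}              # their bodies are code, not text: drop entirely


class CommentSanitizer(HTMLParser):
    """Rebuilds a comment from parsed tokens, so nothing that was not explicitly
    allowed (event handlers, javascript: links, unknown tags) survives."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.raw_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.raw_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "href" and urlparse(value.strip()).scheme not in SAFE_SCHEMES:
                continue  # e.g. javascript:, data:, vbscript: (urlparse lower-cases the scheme)
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.raw_depth = max(0, self.raw_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.raw_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped, never passed raw


def sanitize_comment(html):
    p = CommentSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

The point of the allow-list design is that a bypass has to get past the parser and the list, rather than merely around a pattern the filter happens to look for; a maintained library such as HTML Purifier encodes far more of these rules than this sketch.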


Stop iPhones overriding small font sizes in email marketing campaigns…

Because of the multitude of different email clients your customers might use, web designers and developers have to adopt some regressive and sometimes bizarre hacks to ensure HTML marketing emails look the same in every email client. The main culprit is Outlook 2007 – it’s taken email marketing back 10 years; but the iPhone and iPad also have their own quirks.

Chief amongst these is that they will insist on setting a minimum font size on text, which can cause your layouts to break. However, you can force them to render text at the size specified in your inline css styles by adding the snippet below into the <head /> tag.

<style type="text/css">
    div, p, a, li, td { -webkit-text-size-adjust:none; }
</style> 

Need some help designing, developing and deploying email marketing campaigns? We’re based near Bath and have years of experience creating cost effective, profitable campaigns that look pixel perfect in every desktop and webmail client. Give us a call on 01380 830224 to find out more…


Customising Magento PDF Invoices to show personalised terms of sale

Magento is, as everyone knows, an ecommerce platform for the web. But it can also be used as a tool to tie your offline sales to your online sales. I’ve recently been working with a traditional “offline” retailer based near Bath who have mainly sold to business customers – the standard business-to-business (B2B) model. Typically in this environment, individual customers may have different payment terms that would be shown on invoices.

This presents a problem for Magento, as it’s not really geared up for this sort of situation. So I needed to make a few modifications so my client could service both sales to the general public (B2C) and to their business customers through Magento.

The first step was modifying the Customer model to add a new field to each customer record. I added a Customer Terms textarea field to the Customer admin panel, so the client could enter the specific terms of sale for each customer.

Then we needed to modify the Invoice PDFs to pull this data out of the Customer object and into the PDF. It’s easiest to do this by duplicating the Mage_Sales_Model_Order_Pdf_Invoice class into the /app/code/local folder and adding a simple method call:

$page = $this->insertCustomerTerms($page, $order);

Duplicating the Mage_Sales_Model_Order_Pdf_Abstract class into /app/code/local and adding this utility method seemed to make the most sense. Essentially all it needs to do is find the customer, get the contents of my Customer Terms field, and add it to the PDF. The only issue I came up against was that the string was typically longer than a single line, and Zend_Pdf sadly doesn’t support automatic line wrapping (yet). Some pseudo-ish code is shown below…

protected function insertCustomerTerms(&$page, $order, $store = null)
{
    /* @var $customer Mage_Customer_Model_Customer */
    $customer = Mage::getModel('customer/customer')->load($order->getCustomerId());
    $terms = trim((string) $customer->getCustomerterms());

    // Nothing worth printing: hand the page back unchanged, because the caller
    // does $page = $this->insertCustomerTerms($page, $order) and must not get null
    if (strlen($terms) < 10) {
        return $page;
    }

    // Convert terms to an array - each element is one line. Utility method not shown...
    $terms = $this->_formatTerms($terms);

    // Write each line of terms to $page, moving the cursor ($this->y, the Abstract
    // class's vertical position) down one line each time
    $this->_setFontRegular($page, 8);
    foreach ($terms as $term) {
        $page->drawText($term, 35, $this->y, 'UTF-8');
        $this->y -= 10;
    }

    return $page;
}

Looking for a Freelance Magento ecommerce developer to help you with your website? We’re experienced web developers based in Bradford on Avon. Within easy commuting distance of Bath and Bristol, we can work onsite in your offices, or remotely. We’d love to help you, so please get in contact or give us a call on 01380 830224…


Fixing problems with DirectoryPress and other Premium templates.

I got a call a few days ago from a Search Engine Optimisation agency in Salisbury, who were having a problem with their WordPress website. They had bought a custom theme, DirectoryPress, which enables you to quickly develop a “Listing” website. Unfortunately, somewhere along the line something had gone wrong and the Home page was showing content in the wrong theme, even though all the inner pages seemed to work ok and used the DirectoryPress theme. Proper weird.

Now it’s impossible to be familiar with the quirks of every custom theme, but when things go wrong my first thought is always to take a look at the Plugins and see if there are any I’m unfamiliar with. And boy were there! Over 50 plugins had been installed. We also had the TwentyTen theme that was partially installed, and there was evidence that the W3 Total Cache plugin had been used at some point. Trashing the caches seemed a good place to start…

We grabbed a copy of the database and all the files from the live server and started to build a test environment on our local development servers. Firstly we reinstalled the default WordPress files, then grabbed the latest version of the theme. The Home page now displayed in the correct theme, but had no content in the main content area. Disabling all the plugins did not resolve the issue, so we ended up reinstalling a default installation and configuration of DirectoryPress, then copying across the tables that store the Pages, Posts and Category data. Lastly we had to recreate all the precise settings for the blog and the theme.

Not exactly delicate surgery, more like butchery – but it worked and the client is now able to continue to work on the site. The lesson in all this is when using any WordPress theme, be cautious about the plugins you install. Take a database backup before you install any new plugins, and be prepared to rollback to a previous version if things go wrong.

Need help safely upgrading your WordPress website? We can quickly and efficiently manage your website for you, installing all patches, plugins and themes whilst at all times making sure you have a fallback position to minimise disruption and downtime to your business.


New WordPress website build completed for Bath Direct Marketing Consultant

We’ve just wrapped up work on another WordPress website! We were hired by a web design agency, based in Bradford on Avon, to develop the website for a Direct Marketing Consultant who’s based in Bath. They gave us PSDs and we rapidly prototyped the site and placed it onto our development servers, so the customer could create the necessary content at their leisure, away from Google’s prying eyes.

Once all the inevitable minor glitches had been ironed out and the necessary content had been generated, we backed up the WordPress database and FTP content, switched it over to the live server, and hey presto, the site was up and running with less than 5 minutes downtime.

Unfortunately, whilst we’d love to provide more information about the site and the project, it’s being done on the hush-hush, so I can’t say any more…

Looking for a talented web developer to help turn your ideas into reality? We’d be more than happy to help! Please call us on 01380 830224 for friendly, professional and sensibly priced web development expertise.
