WordPress 4.4 brought more bad news
This topic has 19 replies, 2 voices, and was last updated 8 years, 10 months ago by Krzysztof.

Krzysztof (Participant):
Howdy!
Yet again I woke up with a headache. The last major update brought us emoji scripts being injected into our site, which is supposed to work without JS. This could be solved… with a plug-in. Now the story repeats – a footer script was added and again a plug-in had to be installed – Disable Embeds. The thing is that we wanted to keep the plugin number as low as possible, and here we have – 2 more…
Now for the hard part – there is also a third script thing – https://wordpress.org/support/topic/wp-44-remove-json-api-and-x-pingback-from-http-headers
Some thing is added into the head section. This is not easily removed. There is plug-in but we do not have a testing environment to check if it works:
https://wordpress.org/support/topic/does-this-work-with-the-latest-wordpress-version-44
In the first link there is a code snippet which we have tried to add into htaccess, but without luck.
Any hints how to strike back this nonsense?
With each and every release we get surprised, and this whole pushing users to things starts to be more and more annoying. Moving 13.000 posts to something different will not be easy and cheap, but this starts to show up in my head: at some point I will have 10 plug-ins just to disable WordPress crap.
This whole JSON API contacts https://api.w.org which allows one to track the use of WordPress. The same goes for Google fonts inside the WordPress admin. Each time we log in, Google knows it, as their fonts are loaded. Not nice. Not nice at all.
I have decided to run a self-hosted instance of WordPress to be the master of the situation and to get rid of Google and co, but now they just don't want to stop. The end of my little rant 😉
AITpro Admin (Keymaster):
WordPress normally provides a way to disable or turn off things you do not want that is usually easy to implement, or you can always add code to your Theme functions.php file instead of installing a plugin for that. You do have a valid point though. It seems to me that WP should have a master option settings page where you can choose your own personal option setting preferences. In BPS we create Turn On and Off option settings and/or additional setting preferences because typically folks want different things/settings or do or do not want to use something.
Example: To disable emojis you can add this code in your Theme functions.php file
function disable_wp_emojicons() {
    // all actions related to emojis
    remove_action( 'admin_print_styles', 'print_emoji_styles' );
    remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
    remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
    remove_action( 'wp_print_styles', 'print_emoji_styles' );
    remove_filter( 'wp_mail', 'wp_staticize_emoji_for_email' );
    remove_filter( 'the_content_feed', 'wp_staticize_emoji' );
    remove_filter( 'comment_text_rss', 'wp_staticize_emoji' );

    // filter to remove TinyMCE emojis
    add_filter( 'tiny_mce_plugins', 'disable_emojicons_tinymce' );
}
add_action( 'init', 'disable_wp_emojicons' );

function disable_emojicons_tinymce( $plugins ) {
    if ( is_array( $plugins ) ) {
        return array_diff( $plugins, array( 'wpemoji' ) );
    } else {
        return array();
    }
}
Example: To disable oEmbed you can add this code in your Theme functions.php file.
Note: This code below is copied directly from the Disable Embeds plugin and the functions have been renamed to avoid a function name conflict/collision.

function disable_wp_oembeds_init() {
    global $wp;

    // Remove the embed query var.
    $wp->public_query_vars = array_diff( $wp->public_query_vars, array(
        'embed',
    ) );

    // Remove the REST API endpoint.
    remove_action( 'rest_api_init', 'wp_oembed_register_route' );

    // Turn off oEmbed auto discovery.
    add_filter( 'embed_oembed_discover', '__return_false' );

    // Don't filter oEmbed results.
    remove_filter( 'oembed_dataparse', 'wp_filter_oembed_result', 10 );

    // Remove oEmbed discovery links.
    remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );

    // Remove oEmbed-specific JavaScript from the front-end and back-end.
    remove_action( 'wp_head', 'wp_oembed_add_host_js' );
    add_filter( 'tiny_mce_plugins', 'disable_wp_oembeds_tiny_mce_plugin' );

    // Remove all embeds rewrite rules.
    add_filter( 'rewrite_rules_array', 'disable_wp_oembeds_rewrites' );
}
add_action( 'init', 'disable_wp_oembeds_init', 9999 );

// Removes the 'wpembed' TinyMCE plugin.
function disable_wp_oembeds_tiny_mce_plugin( $plugins ) {
    return array_diff( $plugins, array( 'wpembed' ) );
}

// Remove all rewrite rules related to embeds.
function disable_wp_oembeds_rewrites( $rules ) {
    foreach ( $rules as $rule => $rewrite ) {
        if ( false !== strpos( $rewrite, 'embed=true' ) ) {
            unset( $rules[ $rule ] );
        }
    }
    return $rules;
}
Example: To Remove the REST API link tag in page header you can add this code in your Theme functions.php file.
// Remove the REST API link tag in page header.
// <link rel='https://api.w.org/' href='http://example.com/wp-json/' />
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
remove_action( 'wp_head', 'wp_oembed_add_discovery_links', 10 );
Example htaccess Method: To Remove the Link header for the WP REST API from your Headers add this code to BPS Root Custom Code (If this htaccess code/method does not work then use the PHP method below):
1. Copy the code below to this BPS Root Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# Remove the Link header for the WP REST API
# [link] => <http://www.example.com/wp-json/>; rel="https://api.w.org/"
<IfModule mod_headers.c>
Header unset Link
</IfModule>
Example PHP Method: Remove the Link header for the WP REST API from your Headers by adding this code in your Theme functions.php file.
// Remove the Link header for the WP REST API
// [link] => <http://www.example.com/wp-json/>; rel="https://api.w.org/"
remove_action( 'template_redirect', 'rest_output_link_header', 11, 0 );
Example: To disable the WP REST API entirely instead of just removing the Link Header field you can add this code in your Theme functions.php file.
Note: This code below is copied directly from the Disable JSON API plugin.

// Filters for WP-API version 1.x
add_filter('json_enabled', '__return_false');
add_filter('json_jsonp_enabled', '__return_false');

// Filters for WP-API version 2.x
add_filter('rest_enabled', '__return_false');
add_filter('rest_jsonp_enabled', '__return_false');
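Added example (not code from the thread or from BulletProof Security): a small Python check for the three WordPress 4.4 additions the admin lists above, the emoji script, the oEmbed script and discovery links, and the REST API Link header and link tag. Feed it the response headers (for example as captured with curl -sI) and the page source, and it reports which exposures are still present, so you can tell whether the htaccess fix, the functions.php fix, or both took effect. The Link header rel value and the <link rel='https://api.w.org/'> tag are taken from the thread; the wp-emoji-release.min.js and wp-embed.min.js file names, the _wpemojiSettings inline variable and the application/json+oembed discovery type are assumed WordPress 4.4 defaults, and the sample responses are constructed.

```python
"""Added check: does a captured WordPress 4.4 response still carry the emoji,
oEmbed and REST API exposures discussed in the thread? Runs offline on
constructed sample responses; no network access."""
from html.parser import HTMLParser
import re

# Markers. REST_REL and the <link rel='https://api.w.org/'> tag come from the
# thread; the remaining markers are assumed WordPress 4.4 defaults.
REST_REL = "https://api.w.org/"
OEMBED_TYPE = "application/json+oembed"        # assumed oEmbed discovery type
EMOJI_SCRIPT = "wp-emoji-release.min.js"       # assumed emoji script file name
EMOJI_INLINE = "_wpemojiSettings"              # assumed inline emoji settings var
EMBED_SCRIPT = "wp-embed.min.js"               # assumed embed host script name


class _HeadCollector(HTMLParser):
    """Collect <link> attributes, <script src> values and inline script text."""

    def __init__(self):
        super().__init__()
        self.links = []           # attribute dicts of every <link> tag
        self.script_srcs = []     # src of every external <script>
        self.inline_scripts = []  # body text of every inline <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link":
            self.links.append(attrs)
        elif tag == "script":
            self._in_script = True
            if attrs.get("src"):
                self.script_srcs.append(attrs["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)


def link_header_rels(headers):
    """Return the set of rel values carried by Link response headers.

    headers: iterable of (name, value) pairs. Header names compare
    case-insensitively and one Link header may hold several comma-separated links."""
    rels = set()
    for name, value in headers:
        if name.lower() != "link":
            continue
        for link in value.split(","):
            match = re.search(r'rel\s*=\s*"?([^";]+)"?', link)
            if match:
                rels.add(match.group(1).strip())
    return rels


def wp44_exposure_report(headers, html):
    """Map each exposure name to True if it is still present in the response."""
    page = _HeadCollector()
    page.feed(html)
    page.close()
    return {
        "rest_link_header": REST_REL in link_header_rels(headers),
        "rest_link_tag": any(l.get("rel", "").strip() == REST_REL for l in page.links),
        "oembed_discovery_links": any(
            l.get("type", "").lower() == OEMBED_TYPE for l in page.links),
        "embed_script": any(EMBED_SCRIPT in s for s in page.script_srcs),
        "emoji_script": any(EMOJI_SCRIPT in s for s in page.script_srcs)
        or any(EMOJI_INLINE in s for s in page.inline_scripts),
    }


def still_exposed(headers, html):
    """Sorted names of the exposures the hardening did not remove."""
    return sorted(k for k, v in wp44_exposure_report(headers, html).items() if v)


# Constructed sample: a stock WP 4.4 front page before any of the fixes.
BEFORE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Link", '<http://www.example.com/wp-json/>; rel="https://api.w.org/"'),
]
BEFORE_HTML = """<html><head>
<link rel='https://api.w.org/' href='http://www.example.com/wp-json/' />
<link rel="alternate" type="application/json+oembed" href="http://www.example.com/wp-json/oembed/1.0/embed?url=http%3A%2F%2Fwww.example.com%2F" />
<script type="text/javascript">window._wpemojiSettings = {"baseUrl":"https://s.w.org/images/core/emoji/72x72/"};</script>
<script type='text/javascript' src='http://www.example.com/wp-includes/js/wp-embed.min.js?ver=4.4'></script>
<script type='text/javascript' src='http://www.example.com/wp-includes/js/wp-emoji-release.min.js?ver=4.4'></script>
</head><body></body></html>"""

# Constructed sample: only the htaccess "Header unset Link" fix applied, so the
# header is gone while the page head still carries the tags and scripts.
HTACCESS_ONLY_HEADERS = [("Content-Type", "text/html; charset=UTF-8")]

# Constructed sample: header and functions.php fixes both in place.
AFTER_HTML = "<html><head><title>quiet</title></head><body></body></html>"

if __name__ == "__main__":
    print("stock 4.4:      ", still_exposed(BEFORE_HEADERS, BEFORE_HTML))
    print("htaccess only:  ", still_exposed(HTACCESS_ONLY_HEADERS, BEFORE_HTML))
    print("fully hardened: ", still_exposed(HTACCESS_ONLY_HEADERS, AFTER_HTML))
```

The second sample is the situation the thread circles around: when the htaccess code works, the Link header disappears but the page head is unchanged, so "rest_link_header" drops out of the list while "rest_link_tag" stays until the functions.php code is in place. Run it against a live capture by replacing the constructed headers and HTML with the output of curl -sI and curl -s for the page.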
Krzysztof (Participant):
WOW!
Thanks!
Is there a specific place in which I should put that code, or can I just dump it at the end of the file?

AITpro Admin (Keymaster):
Yep, just add the code after any other code that already exists in your Theme functions.php file.
Krzysztof (Participant):
I will test it!
The htaccess snippet doesn't work for some reason. I have checked with the admins and mod_headers is up and running.

AITpro Admin (Keymaster):
There are other possible ways to do this with PHP code, but all of those other methods have problems and do not work consistently depending on whatever else you have installed on your website (caching plugins, etc), so the optimum best way to handle headers is with htaccess code, since htaccess code/files are processed first, before any PHP code. So instead of posting PHP code that will not work consistently for everyone and you personally, you need to figure out why the htaccess Header unset code is not working on your server.
Do/check things like clearing your Browser and plugin cache, double check that you have added Header unset code above any htaccess caching code, double check that you have done all the Custom Code steps correctly, if you are using a caching plugin then deactivate it and remove any caching code for testing, etc.
Krzysztof (Participant):
Here is my CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE:
Everything is checked via private mode in the browser. I have also used two different browsers. For caching I use Bat Cache, but it only kicks in when there are a lot of requests to one page; when we have light usage it does not work.

<IfModule mod_headers.c>
Header always unset Link
</IfModule>

# Protects against Drive-by Download attacks
# Protects against MIME/Content/Data sniffing
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
</IfModule>

# Block other sites from displaying your website in iFrames
# Protects against Clickjacking
<IfModule mod_headers.c>
# Using DENY will block all iFrames including iFrames on your own website
# Header set X-Frame-Options DENY
# Recommended: iFrames from the same site are allowed - other sites are blocked
Header always append X-Frame-Options SAMEORIGIN
</IfModule>

# Expire images header
ExpiresActive On
ExpiresDefault A0
ExpiresByType image/gif A2592000
ExpiresByType image/png A2592000
ExpiresByType image/jpg A2592000
ExpiresByType image/jpeg A2592000
ExpiresByType image/ico A2592000
ExpiresByType text/css A2592000
ExpiresByType text/javascript A2592000
Header unset Pragma
FileETag None
Header unset ETag

<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>

<FilesMatch "\.ico$">
Header set Expires "Mon, 20 Apr 2016 23:30:00 GMT"
</FilesMatch>
AITpro Admin (Keymaster):
Change your Header unset code and remove "always" from your code as shown below:
<IfModule mod_headers.c>
Header unset Link
</IfModule>
Also if you want to combine the code into your existing cache code you can do this:
FileETag None
Header unset Pragma
Header unset ETag
Header unset Link
Krzysztof (Participant):
Hmmm, still no luck:

# Protects against Drive-by Download attacks
# Protects against MIME/Content/Data sniffing
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
</IfModule>

# Block other sites from displaying your website in iFrames
# Protects against Clickjacking
<IfModule mod_headers.c>
# Using DENY will block all iFrames including iFrames on your own website
# Header set X-Frame-Options DENY
# Recommended: iFrames from the same site are allowed - other sites are blocked
Header always append X-Frame-Options SAMEORIGIN
</IfModule>

FileETag None
Header unset Pragma
Header unset ETag
Header unset Link

# Expire images header
ExpiresActive On
ExpiresDefault A0
ExpiresByType image/gif A2592000
ExpiresByType image/png A2592000
ExpiresByType image/jpg A2592000
ExpiresByType image/jpeg A2592000
ExpiresByType image/ico A2592000
ExpiresByType text/css A2592000
ExpiresByType text/javascript A2592000

<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>

<FilesMatch "\.ico$">
Header set Expires "Mon, 20 Apr 2017 23:30:00 GMT"
</FilesMatch>
AITpro Admin (Keymaster):
I assume you did all of the Custom Code steps after changing the code? I will post some PHP code in a while to remove the Link Header. It may or may not work on your server. The best way to remove Headers is with htaccess code, so you may want to find out why that htaccess code is not working on your server.
Krzysztof (Participant):
Yes sir! I did all the steps, double checked, and then went to the htaccess editor and clicked the tab with the current htaccess, and the code was as posted above.
AITpro Admin (Keymaster):
Ok, I'll create some PHP code that will remove the Link Header in a little while. Note: The code may or may not work on your particular server/website. Headers are tricky using PHP code in WP.
AITpro Admin (Keymaster):
I found a WordPress Action that can be used to remove the Link Header:
Remove the Link header for the WP REST API from your Headers by adding this code in your Theme functions.php file.

// Remove the Link header for the WP REST API
// [link] => <http://www.example.com/wp-json/>; rel="https://api.w.org/"
remove_action( 'template_redirect', 'rest_output_link_header', 11, 0 );
Krzysztof (Participant):
Ugh 😉 I ended up with a blank page 😉
Maybe I put it in the wrong place or something? Here are two chunks of code for the same thing – which should I use?
http://forum.ait-pro.com/forums/topic/wordpress-4-4-brought-more-bad-news/#post-27279

[15-Dec-2015 08:50:51 UTC] PHP Parse error: syntax error, unexpected 'disable_wp_emojicons' (T_STRING) in /home/admin/domains/infolotnicze.pl/public_html/wp-content/themes/InfoLotnicze_3/functions.php on line 14
AITpro Admin (Keymaster):
Post your entire theme functions.php code so I can look at it to see where the coding mistake is, and then I will delete the functions.php code after looking at it.