WordPress 4.4 brought more bad news

Home Forums BulletProof Security Pro WordPress 4.4 brought more bad news

This topic contains 19 replies, has 2 voices, and was last updated by  Krzysztof 2 years, 5 months ago.

Viewing 15 posts - 1 through 15 (of 20 total)
  • Author
    Posts
  • #27275

    Krzysztof
    Participant

    Howdy!
    Yet again I woke up with a head ache. The last major update brought us emoji scripts injecting into our site which is supposed to be working without js. This could be solved… with a plug-in. Now the story repeats – a footer script was added and again, a plug-in had to be installed – Disable Embeds. The thing is that we wanted to keep the plugin number as low as possible, and here we have – 2 more…
    Now for the hard part – there is also a third script thing – https://wordpress.org/support/topic/wp-44-remove-json-api-and-x-pingback-from-http-headers
    Some thing is added into the head section. This is not easily removed. There is plug-in but we do not have a testing environment to check if it works:
    https://wordpress.org/support/topic/does-this-work-with-the-latest-wordpress-version-44
    In the first link there is a code snipet which we have tried to add int htaccess but without luck.
    Any hints how to strike back this nonsense?
    With each and every release we get surprised and this whole pushing users to things starts to be more and more annoying. Moving 13.000 posts to something different will not be easy and cheap but this starts to show up in my head as at some point I will have 10 plug-ins just to disable wordpress crap.
    This whole json api contacts https://api.w.org which allows one to track the process of using of wordpress. The same goes for google fonts inside wordpress admin. Each time we log in google knows it as their fonts are loaded. Not nice. Not nice at all.
    I have decided to run a self hosted instance of wordpress to be the master of situation and to get rid of google and co but now they just don’t want to stop.

    The end of my little rant 😉

    #27279

    AITpro Admin
    Keymaster

    WordPress normally provides a way to disable or turn off things you do not want that is usually easy to implement or you can always add code to your Theme functions.php file instead of installing a plugin for that.  You do have a valid point though.  It seems to me that WP should have a master option settings page where you can choose your own personal option setting preferences.  In BPS we create Turn On and Off option settings and/or additional setting preferences because typically folks want different things/settings or do or do not want to use something.

    Example:  To disable emojis you can add this code in your Theme functions.php file

    function disable_wp_emojicons() {
      // all actions related to emojis
      remove_action( 'admin_print_styles', 'print_emoji_styles' );
      remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
      remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
      remove_action( 'wp_print_styles', 'print_emoji_styles' );
      remove_filter( 'wp_mail', 'wp_staticize_emoji_for_email' );
      remove_filter( 'the_content_feed', 'wp_staticize_emoji' );
      remove_filter( 'comment_text_rss', 'wp_staticize_emoji' );
    
      // filter to remove TinyMCE emojis
      add_filter( 'tiny_mce_plugins', 'disable_emojicons_tinymce' );
    }
    add_action( 'init', 'disable_wp_emojicons' );
    
    function disable_emojicons_tinymce( $plugins ) {
      if ( is_array( $plugins ) ) {
        return array_diff( $plugins, array( 'wpemoji' ) );
      } else {
        return array();
      }
    }

    Example: To disable oEmbed you can add this code in your Theme functions.php file.
    Note: This code below is copied directly from the Disable Embeds plugin and the functions have been renamed to avoid a function name conflict/collision.

    function disable_wp_oembeds_init() {
    	global $wp;
    
    	// Remove the embed query var.
    	$wp->public_query_vars = array_diff( $wp->public_query_vars, array(
    		'embed',
    	) );
    
    	// Remove the REST API endpoint.
    	remove_action( 'rest_api_init', 'wp_oembed_register_route' );
    
    	// Turn off oEmbed auto discovery.
    	add_filter( 'embed_oembed_discover', '__return_false' );
    
    	// Don't filter oEmbed results.
    	remove_filter( 'oembed_dataparse', 'wp_filter_oembed_result', 10 );
    
    	// Remove oEmbed discovery links.
    	remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );
    
    	// Remove oEmbed-specific JavaScript from the front-end and back-end.
    	remove_action( 'wp_head', 'wp_oembed_add_host_js' );
    	add_filter( 'tiny_mce_plugins', 'disable_wp_oembeds_tiny_mce_plugin' );
    
    	// Remove all embeds rewrite rules.
    	add_filter( 'rewrite_rules_array', 'disable_wp_oembeds_rewrites' );
    }
    
    add_action( 'init', 'disable_wp_oembeds_init', 9999 );
    
    // Removes the 'wpembed' TinyMCE plugin.
    function disable_wp_oembeds_tiny_mce_plugin( $plugins ) {
    	return array_diff( $plugins, array( 'wpembed' ) );
    }
    
    // Remove all rewrite rules related to embeds.
    function disable_wp_oembeds_rewrites( $rules ) {
    	foreach ( $rules as $rule => $rewrite ) {
    		if ( false !== strpos( $rewrite, 'embed=true' ) ) {
    			unset( $rules[ $rule ] );
    		}
    	}
    
    	return $rules;
    }

    Example: To Remove the REST API link tag in page header you can add this code in your Theme functions.php file.

    // Remove the REST API link tag in page header.
    // <link rel='https://api.w.org/' href='http://example.com/wp-json/' />
    remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
    remove_action( 'wp_head', 'wp_oembed_add_discovery_links', 10 );

    Example htaccess Method: To Remove the Link header for the WP REST API from your Headers add this code to BPS Root Custom Code (If this htaccess code/method does not work then use the PHP method below):
    1. Copy the code below to this BPS Root Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # Remove the Link header for the WP REST API
    # [link] => <http://www.example.com/wp-json/>; rel="https://api.w.org/"
    <IfModule mod_headers.c>
    Header unset Link
    </IfModule>
    

    Example PHP Method: Remove the Link header for the WP REST API from your Headers by adding this code in your Theme functions.php file.

    // Remove the Link header for the WP REST API
    // [link] => <http://www.example.com/wp-json/>; rel="https://api.w.org/"
    remove_action( 'template_redirect', 'rest_output_link_header', 11, 0 );

    Example: To disable the WP REST API entirely instead of just removing the Link Header field you can add this code in your Theme functions.php file.
    Note: This code below is copied directly from the Disable JSON API plugin.

    // Filters for WP-API version 1.x
    add_filter('json_enabled', '__return_false');
    add_filter('json_jsonp_enabled', '__return_false');
    
    // Filters for WP-API version 2.x
    add_filter('rest_enabled', '__return_false');
    add_filter('rest_jsonp_enabled', '__return_false');
    #27315

    Krzysztof
    Participant

    WOW!
    Thanks!
    Is there a specific place in which I should put tha code or I can just dump it on the end of te file?

    #27317

    AITpro Admin
    Keymaster

    Yep, just add the code after any other code that already exists in your Theme functions.php file.

    #27318

    Krzysztof
    Participant

    I will test it!
    The htaccess snipet  doesn’t work for some reasons. I have checked with the admins and mod_headers is up and running.

    #27319

    AITpro Admin
    Keymaster

    There are other possible ways to do this with PHP code, but all of those other methods have problems and do not work consistently depending on whatever else you have installed on your website (caching plugins, etc) so the optimum best way to handle headers is with htaccess code since htaccess code/files are processed first before any PHP code.  So instead of posting PHP code that will not work consistently for everyone and you personally, you need to figure out why the htaccess Header unset code is not working on your server.

    Do/check things like clearing your Browser and plugin cache, double check that you have added Header unset code above any htaccess caching code, double check that you have done all the Custom Code steps correctly, if you are using a caching plugin then deactivate it and remove any caching code for testing, etc.

    #27325

    Krzysztof
    Participant

    Here is my CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE:
    Everything is checked via private mode in browser. I have also used two different browsers. For caching I use Bat Cache but it only kicks in when there is a lot of requests to one page, when we have light usage it does not work.

    <IfModule mod_headers.c>
    Header always unset Link
    </IfModule>
    
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    <IfModule mod_headers.c>
    Header set X-Content-Type-Options nosniff
    </IfModule>
    
    # Block other sites from displaying your website in iFrames
    # Protects against Clickjacking
    <IfModule mod_headers.c>
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: iFrames from the same site are allowed - other sites are blocked
    Header always append X-Frame-Options SAMEORIGIN
    </IfModule>
    
    # Expire images header
    ExpiresActive On
    ExpiresDefault A0
    ExpiresByType image/gif A2592000
    ExpiresByType image/png A2592000
    ExpiresByType image/jpg A2592000
    ExpiresByType image/jpeg A2592000
    ExpiresByType image/ico A2592000
    ExpiresByType text/css A2592000
    ExpiresByType text/javascript A2592000
    
    Header unset Pragma
    FileETag None
    Header unset ETag
    
    <ifModule mod_gzip.c>
    mod_gzip_on Yes
    mod_gzip_dechunk Yes
    mod_gzip_item_include file \.(html?|txt|css|js|php)$
    mod_gzip_item_include handler ^cgi-script$
    mod_gzip_item_include mime ^text/.*
    mod_gzip_item_include mime ^application/x-javascript.*
    mod_gzip_item_exclude mime ^image/.*
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
    </ifModule>
    
    <FilesMatch "\.ico$">
    Header set Expires "Mon, 20 Apr 2016 23:30:00 GMT"
    </FilesMatch>
    #27327

    AITpro Admin
    Keymaster

    Change your Header unset code and remove “always” from your code as shown below:

    <IfModule mod_headers.c>
    Header unset Link
    </IfModule>

    Also if you want to combine the code into your existing cache code you can do this:

    FileETag None
    Header unset Pragma
    Header unset ETag
    Header unset Link
    #27332

    Krzysztof
    Participant

    Hmmm still no luck:

    
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    <IfModule mod_headers.c>
    Header set X-Content-Type-Options nosniff
    </IfModule>
    
    # Block other sites from displaying your website in iFrames
    # Protects against Clickjacking
    <IfModule mod_headers.c>
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: iFrames from the same site are allowed - other sites are blocked
    Header always append X-Frame-Options SAMEORIGIN
    </IfModule>
    FileETag None
    Header unset Pragma
    Header unset ETag
    Header unset Link
    
    # Expire images header
    ExpiresActive On
    ExpiresDefault A0
    ExpiresByType image/gif A2592000
    ExpiresByType image/png A2592000
    ExpiresByType image/jpg A2592000
    ExpiresByType image/jpeg A2592000
    ExpiresByType image/ico A2592000
    ExpiresByType text/css A2592000
    ExpiresByType text/javascript A2592000
    <ifModule mod_gzip.c>
    mod_gzip_on Yes
    mod_gzip_dechunk Yes
    mod_gzip_item_include file \.(html?|txt|css|js|php)$
    mod_gzip_item_include handler ^cgi-script$
    mod_gzip_item_include mime ^text/.*
    mod_gzip_item_include mime ^application/x-javascript.*
    mod_gzip_item_exclude mime ^image/.*
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
    </ifModule>
    
    <FilesMatch "\.ico$">
    Header set Expires "Mon, 20 Apr 2017 23:30:00 GMT"
    </FilesMatch>
    
    
    #27333

    AITpro Admin
    Keymaster

    I assume you did all of the Custom Code steps after changing the code?  I will post some PHP code in a while to remove the Link Header.  It may or may not work on your server.  The best way to remove Headers is with htaccess code so you may want to find out why that htaccess code is not working on your server.

    #27341

    Krzysztof
    Participant

    Yes sir! I did all the steps, double checked, and then went to htaccess editor and clicked the tab with the current htaccess and the code was as posted above.

    #27343

    AITpro Admin
    Keymaster

    Ok I’ll create some PHP code that will remove the Link Header in a little while.  Note:  The code may or may not work on your particular server/website.  Headers are tricky using PHP code in WP.

    #27352

    AITpro Admin
    Keymaster

    I found a WordPress Action that can be used to remove the Link Header:
    Remove the Link header for the WP REST API from your Headers by adding this code in your Theme functions.php file.

    // Remove the Link header for the WP REST API
    // [link] => <http://www.example.com/wp-json/>; rel="https://api.w.org/"
    remove_action( 'template_redirect', 'rest_output_link_header', 11, 0 );
    #27366

    Krzysztof
    Participant

    Ugh 😉 I ended up wit a blank page 😉
    Maybe I did put it in a wrong place or something? Here are two chunk of codes for the same thing – which should I use?
    http://forum.ait-pro.com/forums/topic/wordpress-4-4-brought-more-bad-news/#post-27279

    [15-Dec-2015 08:50:51 UTC] PHP Parse error: syntax error, unexpected 'disable_wp_emojicons' (T_STRING) in /home/admin/domains/infolotnicze.pl/public_html/wp-content/themes/InfoLotnicze_3/functions.php on line 14
    #27371

    AITpro Admin
    Keymaster

    Post your entire theme functions.php code so I can look at it to see where the coding mistake is and then I will delete the functions.php code after looking at it.

Viewing 15 posts - 1 through 15 (of 20 total)

You must be logged in to reply to this topic.