Category: WordPress

How To Display & Modify Allowed HTML Tags in WordPress Comments


In this tutorial I will show you how to display the WordPress default allowed HTML Tags list for the comment form on your WordPress blog, as shown in the image below:

Also, I will show you how to modify the allowed HTML tags and attributes list to fit your needs. I will show you how to remove tags from the default list and how to add HTML tags to the list for the Comment textarea in WordPress.

Readers can use a limited set of HTML tags in the comment textarea. To make things easier for them, tell them which tags are accepted right next to the form.

Display/Show Allowed (X)HTML Tags in WordPress Comments

Here is a simple way to show readers which (X)HTML tags the comment form accepts.

Open the comments.php file in your theme's folder and add CODE-1 directly below the comment textarea. Save the file and upload it to the server.

CODE-1 :: comments.php File

<!-- Displays all of the WordPress default allowed HTML tags with attributes.-->
<p><strong>XHTML:</strong> You can use: <code><?php echo allowed_tags(); ?></code></p>

CODE-1 Reference:

allowed_tags()

The allowed_tags() function is defined in wp-includes/general-template.php. It reads the $allowedtags global defined in wp-includes/kses.php, builds a string that lists every allowed tag with its permitted attributes as empty placeholders (for example <a href="" title="">), and returns that string already passed through htmlentities(), so it is safe to echo straight into the page. Unless a plugin alters the list through the wp_kses_allowed_html filter, the same $allowedtags list is what wp_kses() enforces on comment content, so what this function prints is what the filter keeps.

Use CSS to style the label rather than the <strong> tag.

In some themes the allowed_tags() call is already present but commented out. In that case you only need to uncomment it to show which HTML tags the comment textarea accepts.

If the line below (or something similar) already exists in your theme's comments.php file, remove the <!-- from the beginning of the line and the --> from the end. That's all.

<!--<p><small><strong>XHTML:</strong> You can use these tags: 
<code><?php echo allowed_tags(); ?></code></small></p>-->

Note: allowed_tags() only tells the reader which HTML tags the comment textarea accepts. Commenting it out or removing it from comments.php does not stop a knowledgeable user from using the default allowed tags. The enforcement happens elsewhere: when a comment is saved, WordPress runs its content through wp_filter_kses() (hooked on pre_comment_content for users without the unfiltered_html capability), which strips any tag or attribute not in $allowedtags. Hiding the list changes nothing about that filter, and users who hold unfiltered_html (administrators and editors on a single-site install) bypass it entirely. Hidden tags are not unusable tags.

Real Example | Diary Theme

To give you an example: one of the themes I am using for this blog is the Diary theme. Below is where I added CODE-1 in its comments.php file. Some sections of the file are removed for brevity.

comments.php File :: Diary Theme


<?php
// Diary theme. Do not delete these lines.
     
    /* CODE REMOVED FOR BREVITY. */
?>
 
<!-- You can start editing here. -->
 
<?php if ( have_comments() ) : ?>
    <!-- CODE REMOVED FOR BREVITY. -->
 
<?php if ('open' == $post->comment_status) : ?>
 
<div id="respond">
 
<h2 id="commentsForm" class="clear"><?php comment_form_title( 'Anything to say? Leave a comment!', 'Leave a comment to %s' ); ?></h2>
 
<div class="cancel-comment-reply">
    <small><?php cancel_comment_reply_link(); ?></small>
</div>
 
<!-- CODE REMOVED FOR BREVITY. -->
 
<form action="<?php echo get_option('siteurl'); ?>/wp-comments-post.php" method="post" id="commentform">
<fieldset>
 
<!-- CODE REMOVED FOR BREVITY. -->
 
<?php else : ?>
 
<p><label for="author">Name <?php if ($req) echo "(real name, or name@keywords)(required)"; ?></label>
<input type="text" name="author" id="author" value="<?php echo $comment_author; ?>" size="22" tabindex="1" <?php if ($req) echo "aria-required='true'"; ?> />
</p>
 
<p><label for="email">Mail (will not be published) <?php if ($req) echo "(required)"; ?></label>
<input type="text" name="email" id="email" value="<?php echo $comment_author_email; ?>" size="22" tabindex="2" <?php if ($req) echo "aria-required='true'"; ?> />
</p>
 
<p><label for="url">Website</label>
<input type="text" name="url" id="url" value="<?php echo $comment_author_url; ?>" size="22" tabindex="3" />
</p>
 
<?php endif; ?>
 
<p><label for="comment">Comment</label>
<textarea name="comment" id="comment" rows="10" tabindex="4"></textarea></p>
 
<!--****This is where I added CODE-1, immediately after the Comment textarea. -->
<!--Displays all of the WordPress default allowed HTML tags with attributes.-->
<p><strong>XHTML:</strong> You can use: <code><?php echo allowed_tags(); ?></code></p>
 
<p><input name="submit" type="submit" id="submit" tabindex="5" value="POST COMMENT" />
<?php comment_id_fields(); ?>
</p>
 
<?php do_action('comment_form', $post->ID); ?>
</fieldset>
</form>
<!-- CODE REMOVED FOR BREVITY. -->

How To: Remove HTML Tags from the Allowed Default List

As mentioned above, the default set of allowed HTML tags and attributes for comments is stored in the $allowedtags global variable.

To remove some of the allowed tags or attributes from the default list, either add the corresponding code (CODE-2) to your theme's functions.php, or edit wp-includes/kses.php directly. Editing kses.php is not advisable: it is a core file, so your changes are overwritten by the next WordPress upgrade, and a mistake there breaks filtering for every context that uses the list, not just comments.
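As an added example (not the original post's CODE-2, which is not reproduced on this page), here is a functions.php snippet that does both halves of the job: it removes tags and attributes from the default list and adds one tag with its own attribute whitelist. It edits the $allowedtags global directly so that allowed_tags() keeps displaying an accurate list. The function and hook names are this example's own, and it assumes a current WordPress where $allowedtags is defined in wp-includes/kses.php and comment content is passed through wp_filter_kses() on save.

```php
<?php
// Added example for the theme's functions.php, not the original post's CODE-2.
// Assumes: $allowedtags is defined in wp-includes/kses.php (loaded before the
// theme), and comments from users without the 'unfiltered_html' capability are
// run through wp_filter_kses() when saved. No closing ?> tag on purpose
// (see the General Warning below about whitespace after it).

function example_customize_comment_tags() {
    global $allowedtags;

    // 1. Remove whole tags. Dropping the key drops the tag and all of its attributes.
    foreach ( array( 'strike', 'del', 'acronym' ) as $tag ) {
        unset( $allowedtags[ $tag ] );
    }

    // 2. Remove one attribute but keep the tag: <a href=""> stays, title="" goes.
    unset( $allowedtags['a']['title'] );

    // 3. Add a tag with an explicit attribute whitelist. Only the listed attributes
    //    survive kses; style="", onerror="" and anything else is stripped. src is a
    //    URL attribute, so kses also drops disallowed schemes such as javascript:.
    //    Allowing <img> lets commenters embed remote images (tracking pixels
    //    included), so only add it if you really want that.
    $allowedtags['img'] = array(
        'src'    => true,
        'alt'    => true,
        'width'  => true,
        'height' => true,
    );

    // Never add script, iframe, object, embed, style, form or any on* attribute:
    // kses blocks them only because they are absent from this list.
}
// 'init' fires before any comment is saved or any template is rendered, so the
// edited list is in place for both wp_filter_kses() and allowed_tags().
add_action( 'init', 'example_customize_comment_tags' );
```

To verify, post a comment as a non-administrator containing a <del> tag and an <img src="..." onerror="..."> and confirm the saved comment keeps only the <img> with src and alt. Two things to keep in mind: the wp_kses_allowed_html filter is the other way to change what kses enforces, but it does not change what allowed_tags() prints, because that function reads the global directly; and $allowedtags is also the base list for other "data" contexts such as user profile descriptions, so edits here apply there too.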

General Warning

When you add several PHP code blocks to your theme's functions.php file, make sure there is no whitespace (spaces, newlines) before an opening PHP tag or after a closing PHP tag. Like so (the correct way):

<?php 
//Some Code here between the opening PHP tag (above) 
//and the closing PHP tag (below)...
?>
<?php 
//Some other Code here ...
?>

Any whitespace or blank line between the closing ?> of one block and the opening <?php of the next is sent to the browser as output before WordPress has emitted its HTTP headers, and you get the error "Warning: Cannot modify header information – headers already sent by (…" on the login screen and after you log in to the dashboard. The simplest way to avoid this is to leave out the closing ?> tag at the end of functions.php altogether, which PHP allows in a file that contains only code.

Your Turn to Talk

In this tutorial, I showed you how to display the allowed (X)HTML Tags in WordPress Comment section, to make it easier for your users. Also I showed how to unobtrusively modify the WordPress default Allowed Tags list for the Comment textarea by either removing tags from the default list or adding tags to the list.

12 Practical Tips to Improve WordPress Security


Securing your WordPress Website is critical to growing your online presence. As your site becomes more popular it becomes a more attractive target, and keeping a WordPress site secure is not something many administrators take seriously.

WordPress security starts with a reputable hosting company. If the server itself is set up insecurely, no added measure at the application level is going to keep crackers, spammers, black-hat hackers and script kiddies out.

Why should I care about WordPress security? Many administrators think the chance of their site being cracked is slim, but it happens more often than you think. A compromised site can damage your online reputation, cost you revenue, and may even get your site dropped from search engines.

How can you make WordPress more secure? If you implement the practical tips outlined below, you will harden your WordPress site and keep most of the bad guys out. Here are the tips.

Tip1. Keep WordPress Up to Date

You should always have the latest stable version of WordPress as soon as time permits. Upgrading to the latest version is necessary because upgrades usually include security enhancements. Go and upgrade to the latest version. This is the easiest step you can take to harden the security of your WordPress Website. This is a first good step but it is not the only step, you need to take.

Tip2. Become a Plugin Minimalist & Upgrade Current Ones

Plugins add a lot of functionality to your site. However, be aware that the quality of plugin code varies enormously and is not consistently reviewed. Each plugin you add enlarges your attack surface, and a badly coded plugin can be the door a cracker walks in through.

Reducing the number of plugins reduces the risk. Ask yourself whether a plugin adds value to your site. If it does, keep it; otherwise delete it, not just deactivate it: a deactivated plugin's PHP files are still on disk and still reachable over HTTP, so a bug in them can still be hit. When evaluating a plugin, check its ratings, download statistics, popularity, and how often it is updated. For the plugins you decide to keep, make sure they are updated to the latest version.

Did you know! You can just replace the functionality of many plugins by directly adding the code to your theme.
How to do that? Just Google what you are trying to do. The result will often lie in a few lines of code. Your Website will be faster and more secure with fewer plugins.

Same thing applies to your WordPress themes. Do you have any unused themes installed but not activated? Delete them.

Tip3: Complete Backup of Your Website and Database

In the event your site is compromised, you want to recover fast. Be prepared for the worst case by creating database and file backups on a regular basis. There are 2 essential parts to a full backup of a WordPress site: backup content and backup structure.

  1. Backup Content: back up the database through a plugin, phpMyAdmin, or your web host's control panel. This captures the full content of the database (posts, comments, users, options) but not the files: themes, plugins, and the media in wp-content/uploads.
  2. Backup Structure: copy the whole WordPress tree from the server to your local drive with an FTP client (see Tip11: use SFTP for this). The point is a duplicate of every file on the remote server, including wp-content/uploads and wp-config.php.

References:

WordPress has the built-in Export function that you can use from your WordPress dashboard (Tools -> Export). While this method is built into WordPress, it is not a complete backup. It will ONLY export your posts, pages, comments, categories, and tags. This method is not a substitute to the database backup mentioned above. But it does not hurt to add this to your backup strategy as an additional step.

In my next tutorial, I will go into more details how to perform this tip.

There are also plugins that do backups, especially of your database. But I will not recommend any because I don't use any.

Tip4. Pick a Strong Password

The most basic step is a strong, hard-to-guess password for the WordPress login screen. Treat eight characters with a mix of lower and upper case letters, numbers and other characters as the minimum; longer passphrases are better. Also do not reuse the same password for the WordPress admin panel, the FTP/SFTP account, and the phpMyAdmin (database) account, so that a compromise of one does not hand over the others.

By default WordPress allows unlimited login attempts to the admin panel, so an attacker can guess passwords at network speed. The Limit Login Attempts plugin, listed in Tip12, locks an address out after a number of failed attempts, which makes online password guessing impractical (not impossible: the lockout does nothing against a password leaked elsewhere or cracked offline from a stolen hash).

References:

  • Password Cracking
  • Password Strength Checker

Tip5. Set Unique Keys and Salts

These are eight random secret strings set in your wp-config.php file. They do not encrypt anything, and they play no part in hashing the passwords stored in the database (wp_hash_password() does that with its own salts). What they do is feed wp_salt(), which wp_hash() uses as the HMAC key for the authentication cookies and for nonces. If the keys are the sample placeholders, or are short and guessable, that key is effectively public and the integrity protection on login cookies and nonces is worth much less, so make sure your wp-config.php has unique values for all eight.

A wp-config.php created by hand from wp-config-sample.php still contains the placeholders; you need to replace them yourself. Changing the keys invalidates every existing login cookie and all users have to log in again, nothing more. Here is what this section of wp-config-sample.php looks like:

/**#@+
 * Authentication Unique Keys and Salts.
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 * @since version 2.6.0
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
 
/**#@-*/

Now, if this is what you still have in your wp-config.php file, you need to get your own secret keys. WordPress has a tool that randomly generates secret keys.

Here is what this section will look like after replacing the default text above with unique keys and salts obtained from WordPress Random Secret Key Generator.

define('AUTH_KEY',         '6r@06GVf[1x-X*Ic|XCqX|Me(y_~X*bF`w5z)kS6tEk_|(9SC/w~-}G|{QS6h');
define('SECURE_AUTH_KEY',  'HwhIV-R}^:j)^+ie4h++e-)?vuecgRas~|*fsn=e0e`_Hw}*8j@P14Bs#Y.M:');
define('LOGGED_IN_KEY',    'rL=~VmbTg?X%]:kp du(cX$VEFTxX8vCn|$0-2|O@bN-wWn-0Q6NY.Q_W1-E#');
define('NONCE_KEY',        '*`r+{|/IFWEp0tC7xN ?$OGTPzgG%3pb-I^lJ9+iaviy)W__BC?VUU~}}s?iz');
define('AUTH_SALT',        ':XoDSEUSl3w^~0`C%pWpk{^WbNr|Jp xZ*Bk+Q2piQyH=Q*|_r_{e=mM7oK0%');
define('SECURE_AUTH_SALT', 'sm35O.Gp*|teE4kn%5$,Qos@iWO!:xk0-nL7?oO2`|7Jg3-Ya-;Gt6uBa)I`l');
define('LOGGED_IN_SALT',   '|F#N(wqV@oRRdjZI~T3LY!Uh/fiW3 3U|z`X:}gt_9KmkI=^o8]ji:55(+Q|v');
define('NONCE_SALT',       '3icDRQEY^d[Mh,Ien|-+ K[V|{Wzg{q*JilbmYBaRC@]ebu(=CwJ0-ee%{1n5');
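The online generator is convenient, but the keys are just random strings, and you may prefer to create them on your own machine and to check an existing wp-config.php for leftover placeholders. The following PHP CLI script is an added example, not part of the original post or of WordPress itself. The names WP_SECRET_KEY_NAMES and example_* are its own, and it assumes the same 64-character printable-ASCII keys (no single quote or backslash) that the online generator issues.

```php
<?php
// Added example, not part of the original post or of WordPress: generate
// wp-config.php keys and salts locally and audit an existing wp-config.php.
// Usage:  php salts.php                -> prints eight define() lines
//         php salts.php wp-config.php  -> lists problems with the keys in that file
// All names below (WP_SECRET_KEY_NAMES, example_*) are this example's own.

const WP_SECRET_KEY_NAMES = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);

// Letters, digits and punctuation, but no single quote or backslash, which
// would break the PHP string literal inside define(). random_int() is a CSPRNG;
// never use rand()/mt_rand() for secrets.
function example_random_secret( int $length = 64 ): string {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
           . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
    $last  = strlen( $chars ) - 1;
    $out   = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $out .= $chars[ random_int( 0, $last ) ];
    }
    return $out;
}

// The eight define() lines, ready to paste over the placeholders in wp-config.php.
function example_generate_salts_block(): string {
    $block = '';
    foreach ( WP_SECRET_KEY_NAMES as $name ) {
        $block .= sprintf( "define('%s', '%s');\n", $name, example_random_secret() );
    }
    return $block;
}

// Audit wp-config.php source: every key must be defined, must no longer be the
// sample placeholder, must be reasonably long, and must not repeat another key.
function example_audit_salts( string $config_source ): array {
    $problems = array();
    $seen     = array();
    foreach ( WP_SECRET_KEY_NAMES as $name ) {
        // Matches define('NAME', '...') with optional whitespace. Generated keys
        // never contain a single quote, so [^']* is enough for the value.
        $pattern = '/define\(\s*[\'"]' . $name . '[\'"]\s*,\s*\'([^\']*)\'\s*\)/';
        if ( ! preg_match( $pattern, $config_source, $m ) ) {
            $problems[] = "$name is not defined (or not in define('NAME', '...') form)";
            continue;
        }
        $value = $m[1];
        if ( 'put your unique phrase here' === $value ) {
            $problems[] = "$name still holds the sample placeholder";
        } elseif ( strlen( $value ) < 32 ) {
            $problems[] = "$name is shorter than 32 characters";
        } elseif ( isset( $seen[ $value ] ) ) {
            $problems[] = "$name reuses the value of " . $seen[ $value ];
        }
        $seen[ $value ] = $name;
    }
    return $problems;
}

if ( PHP_SAPI === 'cli' ) {
    if ( isset( $argv[1] ) ) {
        $problems = example_audit_salts( (string) file_get_contents( $argv[1] ) );
        echo $problems ? implode( "\n", $problems ) . "\n" : "all eight keys look fine\n";
    } else {
        echo example_generate_salts_block();
    }
}
```

Run it against the sample file and it reports all eight placeholders; run it against a finished wp-config.php and it should print nothing but the "look fine" line. The audit only understands the define('NAME', '...') form shown above; a config that builds the keys some other way (for example from environment variables) will be reported as undefined and has to be checked by hand.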

References:

  • Editing wp-config.php
  • wp_salt() Function

Tip6. Move Your wp-config.php File

This is a “security through obscurity” tip. Since WordPress 2.6 you can move wp-config.php ONE level above the directory it lives in by default. WordPress (wp-load.php) checks the parent directory when the file is not found in its default place, on the condition that the parent directory does not itself contain a wp-settings.php (so a nested install is not picked up by mistake). If WordPress is installed in the document root of your domain, moving wp-config.php one level up puts it outside the web root, where a misconfigured server cannot serve it as a text file.

On Apache you can additionally block HTTP access to the file with the following directive in your .htaccess file. It uses the Apache 2.2 access-control syntax; on Apache 2.4 the equivalent is a Require all denied line inside the same <files> block. I am not sure what needs to be done for Windows Web servers.

<files wp-config.php>
order allow,deny
deny from all
</files>

References:

  • Apache HTTP Server – Core Features
  • Almost Perfect htaccess File for WordPress

Tip7. Remove WordPress Version

This is another “security through obscurity” tip. Your site is a little less exposed if you do not advertise which version of WordPress you run: known vulnerabilities are tied to specific versions, so hiding the number makes it slightly harder for a cracker to pick the right exploit without probing further. It is only a speed bump: a scanner can still fingerprint the version from the hashes of public files such as those under wp-includes/js/, and the readme.html in the site root states it in plain text (delete or block that file). By default the version shows up in these places:

In the header of your page, something like:

<meta name="generator" content="WordPress 6.6.1" />

In your feed, something like:

<generator>http://wordpress.org/?v=6.6.1</generator>

It is also appended as a ?ver= query string to the URLs of the scripts and styles that core enqueues without an explicit version of their own.

To remove the generator tag from the header and from the feed, add the following code to the functions.php file in your theme's directory:

<?php
// Remove the WordPress version from the theme header and from the feed.
// the_generator is the filter behind both the <meta name="generator"> tag
// printed by wp_head() and the <generator> element in the feeds.
function remove_wp_version() {
    return ''; // return an empty string, so nothing is printed
}
add_filter('the_generator', 'remove_wp_version');
?>
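The snippet above covers the header and the feed but not the ?ver= query string on core assets. As an added example (not code from the original post), the following functions.php snippet handles both: it blanks the generator as above and replaces the core version in ?ver= with a short salted token, so browser caches are still busted on every upgrade but the version is no longer spelled out. It uses the real WordPress filters the_generator, script_loader_src and style_loader_src; the function names are this example's own.

```php
<?php
// Added example for the theme's functions.php, not code from the original post.
// Hides the WordPress version in the generator tag and in the ?ver= query
// string that wp_enqueue_script()/wp_enqueue_style() append to core assets by
// default. Function names are this example's own; no closing ?> tag on purpose.

// 1. Generator tag in <head> and in the feeds: the_generator feeds both.
function example_blank_generator() {
    return '';
}
add_filter( 'the_generator', 'example_blank_generator' );

// 2. Core scripts and styles registered without an explicit version get
//    ?ver=<WordPress version>. Replace that value with a short salted token:
//    it still changes on every upgrade (so caches are still busted) but it no
//    longer reveals the version. Assets from plugins and themes carry their
//    own version strings and are left untouched.
function example_mask_core_version( $src ) {
    if ( ! is_string( $src ) || false === strpos( $src, 'ver=' ) ) {
        return $src;
    }
    parse_str( (string) wp_parse_url( $src, PHP_URL_QUERY ), $args );
    if ( empty( $args['ver'] ) || $args['ver'] !== get_bloginfo( 'version' ) ) {
        return $src;
    }
    // wp_hash() is keyed with the AUTH_KEY/AUTH_SALT pair from wp-config.php
    // (see Tip5), so the token cannot be mapped back to a version without them.
    $token = substr( wp_hash( 'asset-version-' . $args['ver'] ), 0, 8 );
    return add_query_arg( 'ver', $token, $src );
}
add_filter( 'script_loader_src', 'example_mask_core_version', 15 );
add_filter( 'style_loader_src', 'example_mask_core_version', 15 );
```

After adding it, view the page source and confirm that no <meta name="generator"> is present and that wp-includes/js/ URLs end in ?ver= followed by eight hex characters instead of the version. This does nothing about readme.html or about fingerprinting by file hash, which is why the tip is filed under obscurity.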

Tip8. Change WordPress Default Table Prefix

This is yet another “security by obscurity” measure. By default the WordPress table prefix is wp_, the starting point of every WordPress table name in the MySQL database. When installing WordPress you can easily change it by editing the $table_prefix value in your wp-config.php file.

Many published WordPress-specific SQL injection payloads assume the prefix is still wp_. Changing it breaks those canned scripts, but it does not fix the injection itself: an attacker who can run arbitrary queries reads the real table names from information_schema, and an injection that cannot is still a bug to patch. Treat the prefix as a nuisance for automated tools, not as a control. If you want to change the prefix after WordPress is installed, you can use a plugin or do it manually. Note that renaming the tables is not enough on its own, because the prefix is also embedded in data: the wp_options row named wp_user_roles and the usermeta keys wp_capabilities and wp_user_level must be renamed as well, or every user loses their role.

This is what this section, taken from wp-config-sample.php file, looks like:

/**
 * WordPress Database Table prefix.
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

Reference:

  • Change Table Prefix « WordPress Codex

Notes:

  1. In my next tutorial I show you in more detail how to do this when your WordPress Website is already online.
  2. There are also plugins that change the table prefix, like WP Security Scan. But I haven't tried it myself.
  3. Make sure that you back up your database before doing this, just in case.

Tip9. Change WordPress Default admin Username

By default the WordPress installer names the administrator account “admin”. Anyone trying to break into your site starts with that username, and if it is right, half of their guessing is done. When installing WordPress, pick a different username if the installer gives you the option. If WordPress is already installed, the fix is quite simple. Keep in mind that a username is never really secret on WordPress: the author archive (reached via /?author=1) is built from the user_nicename column, which defaults to the login name, so change that column too and do not rely on the name alone to keep attackers out.

There are 2 ways to change the Username: in WordPress dashboard or in phpMyAdmin. To change the admin Username After WordPress is already installed, you can manually edit the value using phpMyAdmin Web interface. Here is what you need to do:

  1. Log into your phpMyAdmin, select your WordPress database.
  2. From your WordPress database, select the wp_users table.
  3. At the top left of the table, click “Browse” select the admin user row, then select “Edit”.
  4. Under the user_login column, modify the username to any other name you like and then click “Go” to save.

See the picture below:

One more important step that you need to take: By default, WordPress displays the author name in your posts as your Username. To change that, login to your WordPress Admin panel, under Users -> Your Profile, in the Name section, and for the field “Display name publicly as” select the option that is NOT your Username (Make sure your Nickname is different than your Username).

ALWAYS backup your database before executing any SQL commands. You can create a backup copy of your database from phpMyAdmin with the Export function.

For completeness, I mentioned above that you can also change the admin Username in WordPress Dashboard. This is how it is done:

  1. Go to Users -> Add New, fill out the information needed and make sure to set the Role as Administrator.
  2. Log out and then log back into WordPress with the new user you just created.
  3. Go to Users -> Users, select and delete the admin user account and click Apply.
  4. When asked what to do with the admin user posts, make sure you assign them to the new user you just created.
  5. Click on “Confirm Deletion” and that´s it.

Tip10. Prevent Directory Browsing

Depending on how it is configured, a Web server may allow directory listings, which means a Web browser can be used as a file browser to reveal the content of any directory that contains no index.html (or index.php); wp-content/uploads and wp-content/plugins are the usual targets. On Apache, switch listings off by adding the following to the .htaccess file in the root directory (this needs AllowOverride Options for that directory; otherwise put the line in the virtual host configuration). I am not sure how it is done for Windows Web servers.

#prevent folder browsing
Options All -Indexes

Tip11. Use SFTP Instead of FTP

The problem with FTP is that it is an old, unencrypted protocol: your username, password and every file you transfer go over the wire in plain text, so anyone who can see the traffic (on a shared network or a compromised router) can capture the credentials and then change your files or add spam. SFTP runs over SSH, so both the login and the transfers are encrypted.

If your Web host offers SFTP (or SSH access) as part of your plan, start using it. If not, consider changing plans.

References:

  • SSH File Transfer Protocol
  • Secured SFTP using FileZilla

Tip12. Check Regularly For Exploits

Here are some WordPress security plugins that monitor your site for known exploits and unexpected file changes. Choose and use the one that fits your needs from the list below.

References:

  • Exploit Scanner
  • WordPress File Monitor Plugin
  • Limit Login Attempts
  • WP Security Scan

Conclusion

If you implement even a few of the tips discussed above, your WordPress Website will be better protected from exploits than the vast majority of WordPress Websites. However, new exploits are discovered often, and when a fix is not yet available, everyone is at risk.