Tag: hooks

Quick Tip: Script Debugging in WordPress
If you’re debugging core WordPress scripts, one thing you might run into is dealing with cached copies of the script. Due to how script-loader.php enqueues the core files, their versions are “hard coded” and short of editing script-loader.php as well, there’s a way to fix this via a filter:
```
add_filter( 'script_loader_src', function( $src, $handle ) {
     if ( false !== strpos( $src, 'ver=' ) ) {
         $src = remove_query_arg( 'ver', $src );
         $src = add_query_arg( array( 'ver', rawurlencode( uniqid( $handle ) . '-' ) ), $src );
     }
     
     <span style="background-color: inherit; color: rgb(248, 248, 242); font-size: inherit; letter-spacing: -0.015em;">return $src;</span>
 }, -1, 2 );Code language: PHP (php)
```
This will apply a unique ver argument to the core scripts on each refresh, so no matter what you’re editing you should get the most recent version from both any page cache you may have and also the browser cache (🤞).

Also, don’t forget to enable SCRIPT_DEBUG if you’re hacking away at core scripts to debug issues.

I couldn’t find a good related image, so enjoy this delicious toilet paper.
April 30, 2021

Debugging WordPress Hooks: Speed

If you google debugging WordPress hooks you’ll find a lot of information.

About 1,180,000 results

Let’s add another one.

WordPress hooks are powerful, but also complex under the hood. There’s plenty of topics I could talk about here, but right now I’m only going to talk about speed. How long does it take for a hook to fire and return?

Some cool work in this area has already been done thanks to Debug Bar Slow Actions and Query Monitor, but outside of something like Xdebug or New Relic, you’ll have a hard time figuring out how long each individual hook callback takes without modifying either WordPress core or each hook call.

… or maybe not …

While doing some client debugging for my job at WordPress VIP (did I mention we’re hiring?) I came across the need to do this exact thing. I’ve just finished the code that will make this happen, and I’m releasing it into the wild for everyone to benefit.

What’s the problem we’re trying to solve? Well, this client has a sporadic issue where posts saving in the admin time out and sometimes fail. We’ve ruled out some potential issues, and are looking at a save_post hook going haywire.

Now I can capture every single save_post action, what the callback was, and how long it took. Here’s an example for this exact post:

START: 10:save_post, (Callback: `delete_get_calendar_cache`)
STOP: 10:save_post, Taken 132.084μs (Callback: `delete_get_calendar_cache`)
START: 10:save_post, (Callback: `sharing_meta_box_save`)
STOP: 10:save_post, Taken 15.974μs (Callback: `sharing_meta_box_save`)
START: 10:save_post, (Callback: `Jetpack_Likes_Settings::meta_box_save`)
STOP: 10:save_post, Taken 19.073μs (Callback: `Jetpack_Likes_Settings::meta_box_save`)
START: 10:save_post, (Callback: `SyntaxHighlighter::mark_as_encoded`)
STOP: 10:save_post, Taken 19.073μs (Callback: `SyntaxHighlighter::mark_as_encoded`)
START: 10:save_post, (Callback: `AMP_Post_Meta_Box::save_amp_status`)
STOP: 10:save_post, Taken 16.928μs (Callback: `AMP_Post_Meta_Box::save_amp_status`)
START: 20:save_post, (Callback: `Publicize::save_meta`)
STOP: 20:save_post, Taken 428.915μs (Callback: `Publicize::save_meta`)
START: 9000:save_post, (Callback: `Debug_Bar_Slow_Actions::time_stop`)
STOP: 9000:save_post, Taken 11.921μs (Callback: `Debug_Bar_Slow_Actions::time_stop`)
START: 1:save_post, (Callback: `The_SEO_Framework\Load::_update_post_meta`)
STOP: 1:save_post, Taken 6.016ms (Callback: `The_SEO_Framework\Load::_update_post_meta`)
START: 1:save_post, (Callback: `The_SEO_Framework\Load::_save_inpost_primary_term`)
STOP: 1:save_post, Taken 1.535ms (Callback: `The_SEO_Framework\Load::_save_inpost_primary_term`)
START: 10:save_post, (Callback: `delete_get_calendar_cache`)
STOP: 10:save_post, Taken 179.052μs (Callback: `delete_get_calendar_cache`)
START: 10:save_post, (Callback: `sharing_meta_box_save`)
STOP: 10:save_post, Taken 247.002μs (Callback: `sharing_meta_box_save`)
START: 10:save_post, (Callback: `Jetpack_Likes_Settings::meta_box_save`)
STOP: 10:save_post, Taken 25.988μs (Callback: `Jetpack_Likes_Settings::meta_box_save`)
START: 10:save_post, (Callback: `The_SEO_Framework\Load::delete_excluded_ids_cache`)
STOP: 10:save_post, Taken 185.966μs (Callback: `The_SEO_Framework\Load::delete_excluded_ids_cache`)
START: 10:save_post, (Callback: `SyntaxHighlighter::mark_as_encoded`)
STOP: 10:save_post, Taken 15.020μs (Callback: `SyntaxHighlighter::mark_as_encoded`)
START: 10:save_post, (Callback: `AMP_Post_Meta_Box::save_amp_status`)
STOP: 10:save_post, Taken 12.875μs (Callback: `AMP_Post_Meta_Box::save_amp_status`)
START: 20:save_post, (Callback: `Publicize::save_meta`)
STOP: 20:save_post, Taken 377.893μs (Callback: `Publicize::save_meta`)
START: 9000:save_post, (Callback: `Debug_Bar_Slow_Actions::time_stop`)
STOP: 9000:save_post, Taken 14.067μs (Callback: `Debug_Bar_Slow_Actions::time_stop`)Code language: CSS (css)

So how does it work?

We add an all action that will fire for every other action.
In the all callback, we make sure we’re looking for the correct hook.
We then build an array to store some data, use the $wp_filter global to fill out information such as the priority and the callback, and store the start time.
Next we have to add a new action to run for our hook right before the callback we want to time. We use the fact that, even though add_action() is supposed to use an int for the priority, it will also accept a string. We add new hooks, and re-prioritze all of the existing hooks with floats that are stringified.
This allows us to capture the start time and end time of each individual callback, instead of the priority group as a whole.

Of course, this does add a tiny bit of overhead, and could cause some problems if any other plugins use stringified hook priorities, or other odd issues–so be careful 🙂

Finally, here’s the code:

class VIP_Hook_Timeline {
	public $hook;
	public $callbacks     = [];
	public $callback_mod  = 0.0001;
	public $callback_mods = [];

	public function __construct( $hook ) {
		$this->hook = $hook;
		add_action( 'all', array( $this, 'start' ) );
	}

	public function start() {
		// We only want to get a timeline for one hook.
		if ( $this->hook !== current_filter() ) {
			return;
		}

		global $wp_filter;

		// Iterate over each priority level and set up array.
		foreach( $wp_filter[ $this->hook ] as $priority => $callback ) {
			// Make the mod counter if not exists.
			if ( ! isset( $this->callback_mods[ $priority ] ) ) {
				$this->callback_mods[ $priority ] = $priority - $this->callback_mod;
			}

			// Make the array if not exists.
			if ( ! is_array( $this->callbacks[ $priority ] ) ) {
				$this->callbacks[ $priority ] = [];
			}

			// Iterate over each callback and set up array.
			foreach( array_keys( $callback ) as $callback_func ) {
				if ( ! is_array( $this->callbacks[ $priority ][ $callback_func ] ) ) {
					$this->callbacks[ $priority ][ $callback_func ] = [ 'start' => 0, 'stop' => 0 ];
				}
			}
		}

		foreach( $this->callbacks as $priority => $callback ) {
			foreach ( array_keys( $callback ) as $callback_func ) {

				// Get data befmore we move things around.
				$human_callback = $this->get_human_callback( $wp_filter[ $this->hook ][ $priority ][$callback_func] );

				// Modify the priorities.
				$pre_callback_priority = $this->callback_mods[ $priority ];
				$this->callback_mods[ $priority ] = $this->callback_mods[ $priority ] + $this->callback_mod;

				$new_callback_priority = $this->callback_mods[ $priority ];
				$this->callback_mods[ $priority ] = $this->callback_mods[ $priority ] + $this->callback_mod;

				$post_callback_priority = $this->callback_mods[ $priority ];
				$this->callback_mods[ $priority ] = $this->callback_mods[ $priority ] + $this->callback_mod;

				// Move the callback to our "new" priority.
				if ( $new_callback_priority != $priority ) {
					$wp_filter[ $this->hook ]->callbacks[ strval( $new_callback_priority ) ][ $callback_func ] = $wp_filter[ $this->hook ]->callbacks[ $priority ][ $callback_func ];
					unset( $wp_filter[ $this->hook ]->callbacks[ $priority ][ $callback_func ] );
					if ( empty( $wp_filter[ $this->hook ]->callbacks[ $priority ] ) ) {
						unset( $wp_filter[ $this->hook ]->callbacks[ $priority ] );
					}
				}

				// Add a new action right before the one we want to debug to capture start time.
				add_action( $this->hook, function( $value = null ) use ( $callback_func, $priority, $human_callback ) {
					$this->callbacks[ $priority ][ $callback_func ]['start'] = microtime( true );

					// Uncomment this if you just want to dump data to the PHP error log, otherwise add your own logic.
					//$message = 'START: %d:%s, (Callback: `%s`)';
					// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
					//error_log( sprintf( $message,
					//	$priority,
					//	$this->hook,
					//	$human_callback,
					//) );

					// Just in case it's a filter, return.
					return $value;
				}, strval( $pre_callback_priority ) );

				// Add a new action right after the one we want to debug to capture end time.
				add_action( $this->hook, function( $value = null ) use ( $callback_func, $priority, $human_callback ) {
					$this->callbacks[ $priority ][ $callback_func ]['stop'] = microtime( true );

					// Uncomment this if you just want to dump data to the PHP error log, otherwise add your own logic.
					//$message = 'STOP: %d:%s, Taken %s (Callback: `%s`)';
					// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
					//error_log( sprintf( $message,
					//	$priority,
					//	$this->hook,
					//	$this->get_human_diff( $priority, $callback_func ),
					//	$human_callback,
					//) );

					// Just in case it's a filter, return.
					return $value;
				}, strval( $post_callback_priority ) );
				
			}
		}
	}

	public function get_human_callback( $callback ) {
		$human_callback = '[UNKNOWN HOOK]';
		if ( is_array( $callback['function'] ) && count( $callback['function'] ) == 2 ) {
			list( $object_or_class, $method ) = $callback['function'];
			if ( is_object( $object_or_class ) ) {
				$object_or_class = get_class( $object_or_class );
			}
			$human_callback =  sprintf( '%s::%s', $object_or_class, $method );
		} elseif ( is_object( $callback['function'] ) ) {
			// Probably an anonymous function.
			$human_callback =  get_class( $callback['function'] );
		} else {
			$human_callback =  $callback['function'];
		}
		return $human_callback;
	}

	public function get_start( $priority, $callback_func ) {
		return (float) $this->callbacks[ $priority ][ $callback_func ]['start'];
	}

	public function get_stop( $priority, $callback_func ) {
		return (float) $this->callbacks[ $priority ][ $callback_func ]['stop'];
	}

	public function get_diff( $priority, $callback_func ) {
		return (float) ( $this->get_stop( $priority, $callback_func ) - $this->get_start( $priority, $callback_func ) );
	}

	public function get_human_diff( $priority, $callback_func ) {
		$seconds = $this->get_diff( $priority, $callback_func );

		// Seconds.
		if ( $seconds >= 1 || $seconds == 0 ) {
			return number_format( $seconds, 3 ) . 's';
		}

		// Milliseconds.
		if ( $seconds >= .001 ) {
			return number_format( $seconds * 1000, 3 ) . 'ms';
		}

		// Microseconds.
		if ( $seconds >= .000001 ) {
			return number_format( $seconds * 1000000, 3 ) . 'μs';
		}

		// Nanoseconds.
		if ( $seconds >= .000000001 ) {
			// WOW THAT'S FAST!
			return number_format( $seconds * 1000000000, 3 ) . 'ns';
		}

		return $seconds . 's?';
	}
}
new VIP_Hook_Timeline( 'save_post' );Code language: PHP (php)

January 15, 2020

Securing WordPress Plugins with more Plugins

I’ve written before about disabling plugin deactivation in WordPress, but I’ve finally used that knowledge in practice–on this site.

The Problem

Let’s say you’re going along your day, developing things, and fixing things, and making the world a better place when all of a sudden you get a call from a client that their website is broken!! After a bit of panicking and digging around, it turns out that they’ve been “optimizing” things by disabling random, but critical, plugins on the site.

The Solution

One way that you might fix this is to not install the plugins via the WordPress UI and require() them either in the theme directory, or as an mu-plugin. The downside with this is that you lose the ability to easily and auto-update the plugins (if you’re okay with that). You also the ability to easily see what plugins are active and installed in the admin UI.

The way I’ve got around this is to create this helper function inside an mu-plugin that allows the plugins to be installed and managed in the UI, but not disabled:

<?php
/**
 * Secures a plugin from accidental disabling in the UI.
 *
 * If a plugin is necessary for a site to function, it should not be disabled.
 * This functionc can also optionally "force" activate a plugin without having to
 * activate it in the plugin UI.  Forcing activation will cause it to skip all
 * core plugin activation hooks.
 *
 * @param string  $plugin              Plugin file to secure.
 * @param boolean $force_activation    Optional. Whether to force load the plugin. Default false.
 */
function emrikol_secure_plugin( $plugin, $force_activation = false ) {
	$proper_plugin_name = false;

	// Match if properly named: wp-plugin (wp-plugin/wp-plugin.php).
	if ( file_exists( WP_PLUGIN_DIR . '/' . $plugin . '/' . $plugin . '.php' ) && is_file( WP_PLUGIN_DIR . '/' . $plugin . '/' . $plugin . '.php' ) ) {
		$proper_plugin_name = $plugin . '/' . $plugin . '.php';
	} else {
		// Match if improperly named: wp-plugin/cool-plugin.php.
		if ( file_exists( WP_PLUGIN_DIR . '/' . $plugin ) && is_file( WP_PLUGIN_DIR . '/' . $plugin ) ) {
			$proper_plugin_name = $plugin;
		}
	}

	if ( false !== $proper_plugin_name ) {
		if ( true === $force_activation ) {
			// Always list the plugin as active.
			add_filter( 'option_active_plugins', function( $active_plugins ) use ( $proper_plugin_name ) {
				// Crappy hack to prevent infinite loops.  Surely there's a better way.
				global $emrikol_is_updating_active_plugins;

				if ( true === $emrikol_is_updating_active_plugins ) {
					unset( $emrikol_is_updating_active_plugins );
					return array_unique( $active_plugins );
				}

				if ( ! in_array( $proper_plugin_name, $active_plugins, true ) ) {
					$active_plugins[]                   = $proper_plugin_name;
					$emrikol_is_updating_active_plugins = true;

					update_option( 'active_plugins', array_unique( $active_plugins ) );
				}
				return array_unique( $active_plugins );
			}, 1000, 1 );
		}

		// Ensure the plugin doesn't get disabled somehow.
		// TODO: Diff arrays.  Only run if the plugin is being removed.
		add_filter( 'pre_update_option_active_plugins', function ( $active_plugins ) use ( $proper_plugin_name ) {
			if ( ! in_array( $proper_plugin_name, $active_plugins, true ) ) {
				$active_plugins[] = $proper_plugin_name;
			}
			return array_unique( $active_plugins );
		}, 1000, 1 );

		// Remove the disable button.
		$plugin_basename = plugin_basename( $proper_plugin_name );
		add_filter( "plugin_action_links_$plugin_basename", function( $links ) use ( $proper_plugin_name, $force_activation ) {
			if ( isset( $links['deactivate'] ) ) {
				$links['deactivate'] = sprintf(
					'<span class="emrikol-secure-plugin wp-ui-text-primary">%s</span>',
					$force_activation ? 'Plugin Activated via Theme Code' : 'Plugin Secured via Theme Code'
				);
			}
			return $links;
		}, 1000, 1 );
	}
}
Code language: HTML, XML (xml)

It’s not perfect, but it’s working for me right now. Like, right now on this site as you’re reading this. I’ve added it as an mu-plugin like so:

<?php
require_once( plugin_dir_path( __FILE__ ) . 'emrikol-defaults/secure-plugins.php' );

emrikol_secure_plugin( 'akismet' );
emrikol_secure_plugin( 'amp' );
emrikol_secure_plugin( 'jetpack' );
emrikol_secure_plugin( 'wp-super-cache/wp-cache.php' );Code language: HTML, XML (xml)

As you can see, this completely removes the “Deactivate” link in the UI:

The emrikol_secure_plugin() function takes two arguments:

The plugin to secure. This can either be the plugin slug (ex. jetpack) or the full plugin path if the plugin doesn’t follow standard naming conventions (wp-super-cache/wp-cache.php)
A boolean, defaults to false. If it is true the plugin will be forced to activate without user intervention. This can be used to activate a plugin on a new install without having to manually enable it in the UI or via WP-CLI

June 21, 2018

Auto-Upgrading users in WordPress

I made a small site recently where I wanted all newly registered users from a specific email domain to automatically be administrators (this is a terrible idea, don’t do it). The user registration was restricted by Single-Sign-On and 2-Factor Authentication, so I felt relatively safe doing this, especially since it was only a “for fun” project.

The interesting bit of code that upgraded users to admins is as follows:

add_action( 'user_register', 'upgrade_email_to_admin', 10, 1 );
function upgrade_email_to_admin( $user_id ) {
$user = get_user_by( 'ID', $user_id );
if ( false !== $user ) {
$email = $user-&gt;data-&gt;user_email;

   // Only example.com please.
    if ( false === strpos( $email, '@example.com' ) ) {
        return;
    }

    $roles = $user-&amp;gt;roles;

    if ( ! in_array( 'administrator', $roles, true ) ) {
        $user_update = array();
        $user_update['ID'] = $user_id;
        $user_update['role'] = 'administrator';
        wp_update_user( $user_update );
    }
}
Code language: PHP (php)

This is 100% insecure, please do not do this 🙂

September 28, 2017

Logging Post Status Transitions in WordPress

Last week an interesting issue came up for a client. Somehow a few posts were moved from Published to Draft. Unfortunately, post status isn’t stored in revisions so it’s unlikely we’ll ever know who or how it happened. Luckily there’s a simple solution I found to log all post status transitions in post meta:

add_action( 'transition_post_status', 'log_post_transition', 10, 3 );
function log_post_transition( $new_status, $old_status, $post ) {
if ( 'post' === $post-&gt;post_type ) {
$current_user = wp_get_current_user();
add_post_meta( $post-&gt;ID, '_post_status_log', sprintf( '%s %d, %s-&gt;%s', current_time( 'mysql' ), $current_user-&gt;ID, $old_status, $new_status ), false );
}
}Code language: PHP (php)

September 20, 2017