I learned an important lesson about WP-Cron, the easy way. A plugin developer I was working with said an update was released and I should see it any minute now. I waited, and waited, and waited…
After a few days of not seeing the update (it wasn’t my top priority) I downloaded the WP Crontrol plugin to see what’s up. WP Crontrol is a plugin that allows you to see all the scheduled jobs WordPress will run. One of those jobs is to check for plugin updates every 12 hours. To my surprise I saw about 300 various jobs waiting to run. At first I thought, oh no, one of the plugins on the site has a bug. But then I noticed an error at the top:
There was a problem spawning a call to the WP-Cron system on your site. This means WP-Cron events on your site may not work. The problem was: Unexpected HTTP response code: 403
I contacted WPEngine (the website host) and they did their thing, set up an Alternate Cron and all was well. They couldn’t tell me what went wrong or why WP-Cron stopped working. At the same time, the staging site and all other websites on WPEngine still work fine.
Luckily, that site only depended on WP-Cron for plugin updates and WordPress update notices. As a matter of fact, I even logged into the site when it wasn’t working and didn’t notice the lack of plugin update notices! If this had been a site depending on payment subscriptions like from WooCommerce this would have been a disaster.
I developed WP-Cron Status Checker the very next day. The plugin ensures WP-Cron is running so emails can go out, subscriptions can renew, and plugins receive update notices. If for any reason it stops working I get an email on what went wrong. Best of all, the plugin runs in the background without much configuration needed.
View the plugin in the WordPress repository:
Some screenshots below:
UPDATE: This post on SPF records puts my post to shame. I’ve included some answers below.
If your website sends email to you and it ends up in the spam folder, or in Gmail you can see “via notmydomain.com”, you’ll need to at least add an SPF record for the domain and set the Return-Path in your emails.
First, make sure the From address is from a domain you own (for example: “[email protected]”). You will need access to your DNS records.
Next, you’ll need to set your SPF record on your domain. The SPF record is a record on your domain that lets mail exchangers know that mail from a specified domain is OK and allowed to send mail. I’m not an expert at this, so I’ll let Google explain this better here: https://support.google.com/a/answer/33786?hl=en
For hosting companies you’ll need to find out where the actual emails are sent from. For WPEngine WordPress installs, use include:mailgun.org. An excerpt from openspf.org:
The other problem is more subtle:
include:networksolutions.com would include mail servers authorized to send mail from the domain networksolutions.com. This may or may not be the same list of mail servers Network Solutions uses to send mail out using customer domains! Sometimes an ISP will create a special SPF record that customers can include with their record, such as _spf.example.com. If you want to use an ISP’s mail server(s) you should ask them if they maintain an SPF record for their customers to include, or else you will need to change your record every time your ISP adds, removes, or changes a mail server’s name and/or address.
The Return-Path is another thing you need to set. The Return-Path of each email should match the email’s From address. WordPress (and the popular Contact Form 7 plugin) do not do this for you so I made a plugin to set the Return-Path along with other helpful tweaks.
In some cases, you may need to set your DKIM key on your domain. This further prevents spoofing and helps keep your email out of the spam filter. DKIM adds a digital signature to outgoing messages. More on this here: https://support.google.com/a/answer/174124
You can check the spamminess of your email at https://www.mail-tester.com/
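The SPF and Return-Path steps above can be checked offline against a saved message and the domain's SPF TXT value. This is an added example, not code from the plugin or from WordPress; the sample message, the addresses and the function names are constructed for illustration, and the include value is the one named above for WPEngine.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a site email whose Return-Path was left to the mail host.
SAMPLE_MESSAGE = (
    "Return-Path: <bounce@mailhost.example.net>\n"
    "From: Site Contact <contact@example.com>\n"
    "To: owner@example.com\n"
    "Subject: New form submission\n"
    "\n"
    "Hello\n"
)
# Constructed SPF TXT value for example.com, using the include named above.
SAMPLE_SPF = "v=spf1 include:mailgun.org ~all"


def address_of(header_value):
    """Return the bare, lower-cased address from a header, or '' if absent."""
    return parseaddr(header_value or "")[1].lower()


def spf_includes(txt):
    """Return the domains named by include: mechanisms in an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    # A mechanism may carry a qualifier (+, -, ~, ?) in front of its name.
    mechanisms = (t.lstrip("+-~?").lower() for t in terms[1:])
    return [m[len("include:"):] for m in mechanisms if m.startswith("include:")]


def audit(raw_message, spf_txt, sender_include):
    """List which of the steps above this message and SPF record still fail."""
    msg = message_from_string(raw_message)
    from_addr = address_of(msg["From"])
    return_path = address_of(msg["Return-Path"])
    findings = []
    if not return_path:
        findings.append("Return-Path is not set")
    elif return_path != from_addr:
        findings.append(f"Return-Path {return_path} does not match From {from_addr}")
    if sender_include.lower() not in spf_includes(spf_txt):
        findings.append(f"SPF record has no include:{sender_include.lower()}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MESSAGE, SAMPLE_SPF, "mailgun.org"):
        print(finding)
```

An empty list means the From address, the Return-Path and the SPF include agree; it says nothing about DKIM.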
Oftentimes, ideas from WordPress Ideas or bugs from WordPress Trac take years to make it into WordPress Core. Sometimes even if everyone agrees on the fix it still doesn’t get in. This plugin is the temporary patch you’ve been waiting for. Activate any feature you want and disable any you don’t want. Additional features will be occasionally added as I find them missing.
This plugin can be downloaded in the WordPress repository:
Below is a description of the features found in this plugin:
Scramble the WordPress version on public side.
Obscure the login errors on the Login and Lost Password forms.
If a bad username or password is entered when logging in, WordPress will say exactly which one is wrong. While user-friendly, an attacker could find out what usernames are used on the site. The Lost Password form is also vulnerable to this, so only the user’s email will be allowed.
Before Login Error:
ERROR: Invalid username
After Login Error:
ERROR: Invalid username or incorrect password.
Before Lost Password form action:
Entering a correct username will send a password.
After Lost Password form action:
Only entering a correct email will send a password
Automatically set the Return-Path to the From Address if it’s not already set.
If you get email from your website and in Gmail it says something like “via notmydomain.com”, you will likely need this option checked. If your email’s From address is “[email protected]”, this plugin will set your Return-Path. More on getting rid of “via” here. This has been in WordPress Trac (#22837) since 2012 with a severity of “Major” set for a “future release”.
Add shortcodes to output the current [ year ] and [ date ]
A lot of times a footer has a copyright date and it is a year or two old. Using the year shortcode will always show the current year. Same goes for the date shortcode.
Make child categories show with a light gray background.
Sometimes when category names extend more than one line it is hard to tell the parent from the child. This highlights the children categories with a light gray background.
Let excerpts show links.
HTML in the excerpts is a pretty highly requested feature to have in WordPress. However, a lot of formatting problems could come up if HTML were allowed. For example if you have a small area for your excerpts, but have a huge image or text, this would not look good in that small area. On the opposite end of the argument, having content like “click here to see something” without a link is really annoying. Activating this option allows the link to show in the excerpt so “click here to see something” will show properly. A good compromise.
Show private pages in parent dropdowns
A page, whether public or private, should be able to be a parent to another page. Currently WordPress Core does not allow private pages to be chosen as a parent to another page. This problem is listed in WordPress Trac (#8592) as a “critical” issue set for a “future release” since 2008 and is also in WordPress Ideas since 2011. With this option activated, a private page can be selected as a parent in both the Quick Edit and single page editing page.
Allow commas in Category terms
Currently commas are used as delimiters to separate one taxonomy term from another. By adding double quotes around a term, you would think the comma would not be seen as a delimiter and would be added as part of the term. In WordPress Core this is not so and has been an issue in WordPress Trac (#14691) as a “normal” issue set for a “future release” since 2010. With this option activated, category terms can have commas in them as long as it is surrounded by a double quote. Currently this does not work for Tags. More investigation is needed to see if this can be done with Tags in this plugin.
Currently embedded videos are set to a specific width unless the theme does something about this. Enabling this option puts a container around the embed and adds some styling to make the video expand to the full width of the content while keeping its aspect ratio.
Don’t send the admin email notifications when a new user signs up or a user changes their password.
A lot of times when you are the admin who sets up WordPress for a client or someone else who uses the site, you don’t care if users sign up. This option will prevent emails from being sent to the email address in the General Settings.
Before:
Email will be sent anytime a user is added or a user changes their password.
After:
No email will be sent when a user is added or a user changes their password.
Disable the default WordPress REST API endpoints
New in WordPress 4.7 is the REST API. This allows any website and application to access public data on your site programmatically. If you don’t know what the REST API is, you can think of it as something similar to RSS Feeds. It’s just another way for other people to access your data, but with much more flexibility. If you have private data the same security protocols are in place to keep your data private. But sometimes you just don’t want something and this lets you disable that feature you don’t want.
Remove the author pages
Any author who has a published post or page will have their own “author” page. But many times, you don’t want to let the world know the usernames of your users. This is especially true if your user’s usernames are actually their email addresses. If you aren’t using the author page, it’s best to remove them. Activating this option redirects visitors to a 404 page.
Before:
http://example.com/author/admin shows the author page.
After:
http://example.com/author/admin shows a 404 Page not found page.
Prevent author enumeration
User ids are incremental, so by starting off with 1 and going all the way up, hackers or anyone can query your website and find out all the usernames on your website. If you’ve removed author pages by activating the previous option, hackers can’t find out the usernames, but they will still try. If your web host offers protection from this, allow them to handle it, as it doesn’t involve WordPress running and taking up valuable server resources. If your web host does not offer protection from this and you do not want to manually configure your server, the next best thing is to have this plugin detect it and redirect the visitor to a 403 Forbidden page as quickly as possible.
Before:
http://example.com/?author=1 redirects to http://example.com/author/admin.
After:
http://example.com/?author=1 shows a 403 Forbidden page.
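To see whether this kind of probing is already happening, the web server's access log can be searched for clients walking through author ids. This is an added example, not part of the plugin; the log lines are constructed, the function names and the threshold of three distinct ids are assumptions, and a redirect status is treated as a disclosed username because of the "Before" behaviour shown above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (common log format); addresses are documentation ranges.
LOG_LINES = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0',
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /author/admin/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0',
    '203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Jan/2024:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 403 0',
    '198.51.100.9 - - [10/Jan/2024:10:06:00 +0000] "GET /?p=12 HTTP/1.1" 200 900',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')


def author_probes(lines):
    """Per client: author ids requested, and ids whose request was redirected."""
    seen = defaultdict(lambda: {"ids": set(), "redirected": set()})
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # not a GET/HEAD line in the expected format
        client, target, status = match.group(1), match.group(2), int(match.group(3))
        for value in parse_qs(urlsplit(target).query).get("author", []):
            if value.isdecimal():
                seen[client]["ids"].add(int(value))
                # A redirect sends the client to /author/<username>.
                if status in (301, 302):
                    seen[client]["redirected"].add(int(value))
    return seen


def flag_enumeration(lines, min_ids=3):
    """Report clients that asked for at least min_ids distinct author ids."""
    report = {}
    for client, info in author_probes(lines).items():
        if len(info["ids"]) >= min_ids:
            report[client] = {
                "ids": sorted(info["ids"]),
                "redirected": sorted(info["redirected"]),
            }
    return report


if __name__ == "__main__":
    for client, info in flag_enumeration(LOG_LINES).items():
        print(client, info)
```

Ids listed under "redirected" are the ones whose usernames were exposed before the protection was in place.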
Don’t load emojis styles and scripts
Did you know WordPress developers only added emojis to cover up a humongous fix? Checking this won’t undo that fix so if you don’t need emojis, you don’t need to load them.
Show the main site’s static sidebar on all sites by default.
This feature is a workaround for WordPress Trac #22370. On Multisite only, this feature will show the main site’s sidebar on any of its sites when the sidebar is empty. For example if you want the same footer widgets on all sites in your Multisite installation, this will show the footer from the main site as long as the other sites don’t have their own widgets. Each site can enable or disable this feature. Just be aware that the sidebar that is shown is the sidebar of the main site at the time you save. So if you have a shopping cart widget, weather widget or anything that changes without you saving a widget, it will not work correctly.
Before:
Sites without any widgets in their sidebar will not show anything.
After:
Sites without any widgets in their sidebar will show whatever is set in the main site’s sidebars.
Link logo on login page to your home page.
The WordPress logo normally links to http://wordpress.org. Checking this option will make the logo link to your home page.
Before:
Clicking on the logo takes you to wordpress.org.
After:
Clicking on the logo takes you to your home page.
The rest of the logo settings
The rest of the logo settings are pretty self explanatory. The logo for retina screens should be 2 times larger than the normal logo. If you have a logo that is wider or taller than 320×84 pixels, you can adjust the Logo Width and Logo Height values.
View the plugin in the WordPress repository: