WH Tweaks

Common fixes WordPress core should have but maybe shouldn’t

Ideas from WordPress Ideas or bugs from WordPress Trac often take years to make it into WordPress Core.  Sometimes, even if everyone agrees on the fix, it still doesn’t get in.  This plugin is the temporary patch you’ve been waiting for.  Activate any feature you want and disable any you don’t want.  Additional features will occasionally be added as I find them missing.

This plugin can be downloaded in the WordPress repository:
https://wordpress.org/plugins/wh-tweaks/

Below is a description of the features found in this plugin:

Security

  • Scramble the WordPress version on public side.

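    To force browsers to get a fresh copy of JavaScript and stylesheets, WordPress appends its version number to their URLs, which also shows every visitor which version the site runs.  This option scrambles that value on the public side.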

    Before:
    wp-includes/js/comment-reply.min.js?ver=4.5.3.
    After:
    wp-includes/js/comment-reply.min.js?ver=994.5.01.3.
  • Obscure the login errors on the Login and Lost Password forms.

    If a bad username or password is entered when logging in, WordPress will say exactly which one is wrong.  While user-friendly, an attacker could find out what usernames are used on the site.  The Lost Password form is also vulnerable to this, so only the user’s email will be allowed.

    Before Login Error:
    ERROR: Invalid username
    After Login Error:
    ERROR: Invalid username or incorrect password.

    Before Lost Password form action:
    Entering a correct username will send a password.
    After Lost Password form action:
    Only entering a correct email will send a password.
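
One way to get the login and Lost Password behaviour described above, as an added example that is not WH Tweaks' own code. The hooks (authenticate, lostpassword_post) and error codes are WordPress core; the email_required code and its message text are made up for the example, and it assumes a WordPress version that passes the WP_Error object to lostpassword_post (4.4 or later).

```php
<?php
/**
 * Added example, not the plugin's code: one generic login error and an
 * email-only Lost Password form.
 */

// Core's own authenticate handlers run at priority 20 and return a WP_Error
// whose code says which field was wrong. Running afterwards (priority 100)
// lets us swap those codes for a single message.
add_filter( 'authenticate', function ( $user ) {
    $revealing = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

    if ( is_wp_error( $user ) && in_array( $user->get_error_code(), $revealing, true ) ) {
        return new WP_Error(
            'authentication_failed',
            '<strong>ERROR</strong>: Invalid username or incorrect password.'
        );
    }

    return $user; // successful logins and unrelated errors pass through unchanged
}, 100 );

// retrieve_password() fires lostpassword_post with its WP_Error object and
// stops before sending mail if that object holds an error. Adding one for
// any non-email input means an existing username and a made-up one produce
// the same response.
add_action( 'lostpassword_post', function ( $errors ) {
    $login = isset( $_POST['user_login'] ) ? trim( wp_unslash( $_POST['user_login'] ) ) : '';

    if ( '' !== $login && ! is_email( $login ) && is_wp_error( $errors ) ) {
        // 'email_required' is a hypothetical error code chosen for this example.
        $errors->add(
            'email_required',
            '<strong>ERROR</strong>: Enter the email address of your account.'
        );
    }
} );
```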

Additions

  • Automatically set the Return-Path to the From Address if it’s not already set.

    If you get email from your website and in Gmail it says something like “via notmydomain.com”, you will likely need this option checked.  If your email’s From address is “website@mydomain.com”, this plugin will set your Return-Path to it.  More on getting rid of “via” here.  This has been in WordPress Trac (#22837) since 2012 with a severity of “Major” set for a “future release”.

  • Add shortcodes to output the current [ year ] and [ date ]

    A lot of times a footer has a copyright date and it is a year or two old.  Using the year shortcode will always show the current year.  Same goes for the date shortcode.

  • Make child categories show with a light gray background.

    Sometimes when category names extend more than one line it is hard to tell the parent from the child.  This highlights the children categories with a light gray background.

    Before:
    categories-before

    After:
    categories-after

  • Let excerpts show links.

    HTML in the excerpts is a pretty highly requested feature to have in WordPress.  However, a lot of formatting problems could come up if HTML were allowed.  For example if you have a small area for your excerpts, but have a huge image or text, this would not look good in that small area.   On the opposite end of the argument, having content like “click here to see something” without a link is really annoying.  Activating this option allows the link to show in the excerpt so “click here to see something” will show properly.  A good compromise.

  • Show private pages in parent dropdowns

    A page, whether public or private, should be able to be a parent to another page.  Currently WordPress Core does not allow private pages to be chosen as a parent to another page.  This problem is listed in WordPress Trac (#8592) as a “critical” issue set for a “future release” since 2008 and is also in WordPress Ideas since 2011.  With this option activated, a private page can be selected as a parent in both the Quick Edit and single page editing page.

  • Allow commas in Category terms

    Currently commas are used as delimiters to separate one taxonomy term from another.  By adding double quotes around a term, you would think the comma would not be seen as a delimiter and would be added as part of the term.  In WordPress Core this is not so and has been an issue in WordPress Trac (#14691) as a “normal” issue set for a “future release” since 2010.  With this option activated, category terms can have commas in them as long as it is surrounded by a double quote.  Currently this does not work for Tags.  More investigation is needed to see if this can be done with Tags in this plugin.

    Before:
    Adding “a,b,c”:

    After:
    Adding “a,b,c”:

  • Responsive Videos

    Currently embedded videos are set to a specific width unless the theme does something about this. Enabling this option puts a container around the embed and adds some styling to make the video expand to the full width of the content while keeping its aspect ratio.

 

Subtractions

  • Don’t send the admin email notifications when a new user signs up or a user changes their password.

    A lot of times when you are the admin who sets up WordPress for a client or someone else who uses the site, you don’t care if users sign up.  This option will prevent emails from being sent to the email address in the General Settings.

    Before:
    Email will be sent anytime a user is added or a user changes their password.
    After:
    No email will be sent when a user is added or a user changes their password.
  • Disable the default WordPress REST API endpoints

    New in WordPress 4.7 is the REST API.  This allows any website and application to access public data on your site programmatically.  If you don’t know what the REST API is, you can think of it as something similar to RSS Feeds.  It’s just another way for other people to access your data, but with much more flexibility.  If you have private data, the same security protocols are in place to keep it private.  But if you don’t want the feature at all, this option lets you disable it.

  • Remove the author pages

    Any author who has a published post or page will have their own “author” page.  But many times, you don’t want to let the world know the usernames of your users.  This is especially true if your users’ usernames are actually their email addresses.  If you aren’t using the author pages, it’s best to remove them.  Activating this option redirects visitors to a 404 page.

    Before:
    http://example.com/author/admin shows the author page.
    After:
    http://example.com/author/admin shows a 404 Page not found page.
  • Prevent author enumeration

    User IDs are incremental, so by starting at 1 and counting up, hackers or anyone else can query your website and find out all of its usernames.  If you’ve removed author pages by activating the previous option, hackers can’t find out the usernames, but they will still try.  If your web host offers protection from this, let them handle it, since that doesn’t involve WordPress running and taking up valuable server resources.  If your web host does not offer protection from this and you do not want to manually configure your server, the next best thing is to have this plugin detect it and redirect the visitor to a 403 Forbidden page as quickly as possible.

    Before:
    http://example.com/?author=1 redirects to http://example.com/author/admin .
    After:
    http://example.com/?author=1 shows a 403 Forbidden page.
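
The two author-related options above (removing author pages and blocking ?author= lookups), sketched with WordPress core hooks as an added example; this is not WH Tweaks' own code, and choosing the init and template_redirect hooks is an assumption about where such checks can sit.

```php
<?php
/**
 * Added example, not the plugin's code: 403 for ?author= lookups and
 * 404 for author archive pages.
 */

// 1. Answer ?author=<id> with 403 Forbidden on init, before WordPress runs
//    the main query and before the canonical redirect can turn the ID into
//    /author/<username>.
add_action( 'init', function () {
    // wp-admin uses ?author= to filter post lists, so leave the dashboard alone.
    if ( is_admin() || ! isset( $_GET['author'] ) ) {
        return;
    }

    // wp_die() sends the status code and no-cache headers, then exits.
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}, 1 );

// 2. Turn every author archive (/author/<username>) into a normal 404.
//    Flagging the main query as 404 here makes the template loader, which
//    runs right after template_redirect, render the theme's 404 template.
add_action( 'template_redirect', function () {
    if ( ! is_author() ) {
        return;
    }

    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();
} );
```

To confirm the result, request http://example.com/?author=1 and http://example.com/author/admin on your own site and check that the responses are 403 and 404, with no Location header pointing at an author URL.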

Optimize

  • Don’t load emojis styles and scripts

    Did you know WordPress developers only added emojis to cover up a humongous fix?  Checking this won’t undo that fix, so if you don’t need emojis, you don’t need to load them.

    Before:
    emoji-before
    After:
    emoji-after

 

Multisite

  • Show the main site’s static sidebar on all sites by default.

    This feature is a workaround for WordPress Trac #22370.  On Multisite only, this feature will show the main site’s sidebar on any of its sites when the sidebar is empty.  For example, if you want the same footer widgets on all sites in your Multisite installation, this will show the footer from the main site as long as the other sites don’t have their own widgets.  Each site can enable or disable this feature.  Just be aware that the sidebar that is shown is the sidebar of the main site at the time you save.  So if you have a shopping cart widget, weather widget or anything that changes without you saving a widget, it will not work correctly.

    Before:
    Sites without any widgets in their sidebar will not show anything.
    After:
    Sites without any widgets in their sidebar will show whatever is set in the main site’s sidebars.

Personalize Login Form

  • Link logo on login page to your home page.

    The WordPress logo normally links to http://wordpress.org.  Checking this option will make the logo link to your home page.

    Before:
    Clicking on the logo takes you to wordpress.org.
    After:
    Clicking on the logo takes you to your home page.
  • The rest of the logo settings

    The rest of the logo settings are pretty self-explanatory.  The logo for retina screens should be 2 times larger than the normal logo.  If you have a logo that is wider or taller than 320×84 pixels, you can adjust the Logo Width and Logo Height values.

 

View the plugin in the WordPress repository:
https://wordpress.org/plugins/wh-tweaks/