How to stop people using a weak password in WordPress

I was once with a client who changed their password for a government website to “password2016” and the website let them do it too! Thankfully,
WordPress gives you a message to warn a user that a password is weak, but it allows users to check a box to override the warning. Noooooo!

I don’t want to allow users to create weak passwords, so what I want is for that “Confirm Password” line, which lets a user go ahead with a weak password, to be disabled. Like so…

Turns out it is pretty simple to do with some CSS and javascript.


stops the line appearing, and this JavaScript snippet

document.getElementById("pw-checkbox").disabled = true;

ensures the checkbox is disabled.

Add them to your theme, or use this simple and lightweight plugin I created to block the creation of weak passwords on WordPress. Right click to download, upload it to your website’s plugins directory and activate.

You may want to force all current users to have strong passwords at the same time, by using my emergency password reset plugin.
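The CSS and JavaScript above only change what the browser shows; a request that skips the form (or a browser with scripts off) can still hand WordPress a weak password, because core does not check strength on the server. The plugin below is an added example, not the plugin from this post: it rejects weak passwords inside the two server-side hooks WordPress runs when a password is set, `user_profile_update_errors` (profile edit and new user screens) and `validate_password_reset` (the lost-password form). The minimum length, the small deny-list and the `rwp_` names are my assumptions.

```php
<?php
/*
Plugin Name: Reject Weak Passwords (added example)
Description: Server-side password policy so the weak-password checkbox cannot be bypassed.
*/

// Policy values are assumptions; adjust to taste.
const RWP_MIN_LENGTH = 12;
const RWP_DENY_LIST  = array( 'password', 'password2016', 'letmein', 'qwerty123', 'welcome1' );

/**
 * Return a list of problems with $password; an empty list means it is acceptable.
 */
function rwp_password_problems( $password, $username = '' ) {
    $problems = array();
    if ( strlen( $password ) < RWP_MIN_LENGTH ) {
        $problems[] = sprintf( 'Password must be at least %d characters long.', RWP_MIN_LENGTH );
    }
    if ( in_array( strtolower( $password ), RWP_DENY_LIST, true ) ) {
        $problems[] = 'That password is on the list of commonly guessed passwords.';
    }
    if ( $username !== '' && stripos( $password, $username ) !== false ) {
        $problems[] = 'Password must not contain the username.';
    }
    // Require three of the four character classes.
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 ) {
        $problems[] = 'Use at least three of: lower case, upper case, digits, symbols.';
    }
    return $problems;
}

/**
 * Profile edit / add user: $errors is a WP_Error, $user the object edit_user() builds.
 * user_pass is only present when a new password was typed.
 */
function rwp_check_profile( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // no password change in this submission
    }
    $login = isset( $user->user_login ) ? $user->user_login : '';
    foreach ( rwp_password_problems( $user->user_pass, $login ) as $msg ) {
        $errors->add( 'weak_password', $msg );
    }
}

/**
 * Lost-password form: the new password arrives in $_POST['pass1'], $user is a WP_User.
 */
function rwp_check_reset( $errors, $user ) {
    if ( ! isset( $_POST['pass1'] ) || $_POST['pass1'] === '' ) {
        return;
    }
    foreach ( rwp_password_problems( wp_unslash( $_POST['pass1'] ), $user->user_login ) as $msg ) {
        $errors->add( 'weak_password', $msg );
    }
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: register the hooks.
    add_action( 'user_profile_update_errors', 'rwp_check_profile', 10, 3 );
    add_action( 'validate_password_reset', 'rwp_check_reset', 10, 2 );
} else {
    // Run from the command line: show the policy in action on the post's example.
    print_r( rwp_password_problems( 'password2016', 'client' ) );
}
```

Adding an error to `$errors` is enough: WordPress refuses to save the profile or complete the reset while the WP_Error has entries, and shows each message to the user.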

Restricting WordPress search

I needed to stop certain content appearing in any search on a WordPress site, so here’s how…

function my_no_restricted( $search, $wp_query ) {
    global $wpdb;
    if ( empty( $search ) ) {
        return $search;
    }
    $q = $wp_query->query_vars;
    // Only add the restriction when this really is a keyword search.
    if ( empty( $q['search_terms'] ) ) {
        return $search;
    }
    // Exclude every post whose content contains the marker phrase.
    $search .= " AND ({$wpdb->posts}.post_content NOT LIKE '%DONT SEARCH ME%')";
    return $search;
}
add_filter( 'posts_search', 'my_no_restricted', 500, 2 );

Replace DONT SEARCH ME with whatever phrase you want to prevent being searchable (if it contains % or _, escape it with $wpdb->esc_like() first)!
Just pop it in a theme/plugin functions.php file. Note this only hides the post from search results; anyone who has the link can still open it, so use a password-protected or private post for anything that actually needs protecting.

JQuery real world form clone script

I wanted to be able to clone form elements easily, including checkboxes and radio buttons, which are themselves an array. My offering below appends an incremented number to the name of each field, along with how many to expect on submission for easy processing.
How to use it
1) Enclose the elements you want to be able to clone in <div class="clonearea" id="input1"></div>
2) Give each form element an id that is the field name without the appended number…
3) Append 1 to each field name

and here’s the jQuery magic

Bible Books Array in PHP

Here’s an array of all the Bible books in common abbreviations…

// Keyed by book number; only the entries present in the post are shown here.
$bible_books = array(
9=>array('1 Samuel','1 Sam','1 Sa','1Samuel','1S','I Sa','1 Sm','1Sa','I Sam','1Sam','I Samuel','1st Samuel','First Samuel'),
10=>array('2 Samuel','2 Sam','2 Sa','2S','II Sa','2 Sm','2Sa','II Sam','2Sam','II Samuel','2Samuel','2nd Samuel','Second Samuel'),
11=>array('1 Kings','1 Kgs','1 Ki','1K','I Kgs','1Kgs','I Ki','1Ki','I Kings','1Kings','1st Kgs','1st Kings','First Kings','First Kgs','1Kin'),
12=>array('2 Kings','2 Kgs','2 Ki','2K','II Kgs','2Kgs','II Ki','2Ki','II Kings','2Kings','2nd Kgs','2nd Kings','Second Kings','Second Kgs','2Kin'),
13=>array('1 Chronicles','1 Chron','1 Ch','I Ch','1Ch','1 Chr','I Chr','1Chr','I Chron','1Chron','I Chronicles','1Chronicles','1st Chronicles','First Chronicles'),
14=>array('2 Chronicles','2 Chron','2 Ch','II Ch','2Ch','II Chr','2Chr','II Chron','2Chron','II Chronicles','2Chronicles','2nd Chronicles','Second Chronicles'),
22=>array('Song of Solomon','Song','So','Canticle of Canticles','Canticles','Song of Songs','SOS'),
46=>array('1 Corinthians','1 Cor','1 Co','I Co','1Co','I Cor','1Cor','I Corinthians','1Corinthians','1st Corinthians','First Corinthians'),
47=>array('2 Corinthians','2 Cor','2 Co','II Co','2Co','II Cor','2Cor','II Corinthians','2Corinthians','2nd Corinthians','Second Corinthians'),
52=>array('1 Thessalonians','1 Thess','1 Th','I Th','1Th','I Thes','1Thes','I Thess','1Thess','I Thessalonians','1Thessalonians','1st Thessalonians','First Thessalonians'),
53=>array('2 Thessalonians','2 Thess','2 Th','II Th','2Th','II Thes','2Thes','II Thess','2Thess','II Thessalonians','2Thessalonians','2nd Thessalonians','Second Thessalonians'),
54=>array('1 Timothy','1 Tim','1 Ti','I Ti','1Ti','I Tim','1Tim','I Timothy','1Timothy','1st Timothy','First Timothy'),
55=>array('2 Timothy','2 Tim','2 Ti','II Ti','2Ti','II Tim','2Tim','II Timothy','2Timothy','2nd Timothy','Second Timothy'),
60=>array('1 Peter','1 Pet','1 Pe','I Pe','1Pe','I Pet','1Pet','I Pt','1 Pt','1Pt','I Peter','1Peter','1st Peter','First Peter'),
61=>array('2 Peter','2 Pet','2 Pe','II Pe','2Pe','II Pet','2Pet','II Pt','2 Pt','2Pt','II Peter','2Peter','2nd Peter','Second Peter'),
62=>array('1 John','1 John','1 Jn','I Jn','1Jn','I Jo','1Jo','I Joh','1Joh','I Jhn','1 Jhn','1Jhn','I John','1John','1st John','First John'),
63=>array('2 John','2 John','2 Jn','II Jn','2Jn','II Jo','2Jo','II Joh','2Joh','II Jhn','2 Jhn','2Jhn','II John','2John','2nd John','Second John'),
64=>array('3 John','3 John','3 Jn','III Jn','3Jn','III Jo','3Jo','III Joh','3Joh','III Jhn','3 Jhn','3Jhn','III John','3John','3rd John','Third John'),
66=>array('Revelation','Rev','Re','The Revelation')
);

Setting up mail on MAMP on El Capitan

I’ve only recently switched over to Macs and have found setting up mail sending on the Mac’s MAMP as hard as Windows! So here’s how.

Firstly, it all needs to be done in the “Terminal” – so click on Finder, then Applications, then Utilities to open a terminal (it looks pretty similar to Windows CMD!)

Check a program called Postfix exists by typing


That should give you the following errors – which for once is good news!
postfix: error: to submit mail, use the Postfix sendmail command
postfix: fatal: the postfix command is reserved for the superuser

Next we can start configuring for Gmail – but first head over to your Gmail account and turn on access for less secure apps. (Google has since retired that setting; the current equivalent is to turn on 2-step verification and generate an app password, which you then use in place of your normal password below.)

In the terminal type or copy and paste
sudo vi /etc/postfix/

Then type your password and press enter.
Scroll down and check the following lines exist…

mail_owner = _postfix
setgid_group = _postdrop

Editing took some googling for me as it is not intuitive! Here’s a cheatsheet
i) To delete – put the cursor over the character and press x
ii) To start inserting – place your cursor and press i, then start typing or use copy (CTRL C) and paste (CTRL V).
To exit without saving, press Esc and then type :q
To save and exit, press Esc and then type :wq

At the bottom of the file add the following

# Use Gmail SMTP
relayhost =
smtp_sasl_mechanism_filter = plain
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
tls_random_source = dev:/dev/urandom

You can change the relayhost to whatever server you like; I’m using Gmail.
We need to create a Gmail username/password file. So save and exit the file: press Esc, followed by :wq

sudo vim /etc/postfix/smtp_sasl_passwd

and press i to start inserting again and add the following line

Save the file using :wq. This file holds your Gmail password in plain text, so make sure it is readable by root only (file mode 600).
Now we need to turn it into the lookup table Postfix wants by typing

sudo postmap /etc/postfix/smtp_sasl_passwd

Next we need to set it up for TLS

sudo vim /etc/postfix/smtp_tls_sites
Press i to start editing and add


Save :wq

And then type

sudo postmap /etc/postfix/smtp_tls_sites

And then sudo postfix start

Now we just need to test it all!
echo "Test sending email from Postfix" | mail -s "Test Postfix"

A quick php script to test from your MAMP server
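As a stand-in for that quick script (an added example, not the author’s own), the file below sends one message through PHP’s mail(), which on MAMP hands it to the Postfix sendmail command configured above. The recipient comes from the query string and the sender address is an assumption; both are validated first, because a newline smuggled into a header is how a test script like this gets abused as an open relay.

```php
<?php
// Added example: drop into your MAMP document root and open it in the browser
// as test-mail.php?to=you@example.com (file name and address are assumptions).

/** Send one test message; returns true if PHP handed it to sendmail/postfix. */
function send_test_mail( $to, $from ) {
    // FILTER_VALIDATE_EMAIL rejects anything that is not a single plain address,
    // including values containing CR/LF, so no extra headers or recipients can
    // be injected through the form parameter.
    if ( filter_var( $to, FILTER_VALIDATE_EMAIL ) === false ||
         filter_var( $from, FILTER_VALIDATE_EMAIL ) === false ) {
        return false;
    }
    $subject = 'Test Postfix from MAMP';
    $body    = "If you can read this, Postfix on MAMP is relaying mail.\n";
    $headers = "From: $from\r\nX-Mailer: PHP/" . PHP_VERSION;
    return mail( $to, $subject, $body, $headers );
}

$to   = isset( $_GET['to'] ) ? $_GET['to'] : '';
$from = 'mamp-test@localhost.localdomain'; // assumption: use a sender your relay accepts

echo send_test_mail( $to, $from )
    ? 'mail() accepted the message; check the inbox (and spam folder).'
    : 'Invalid address, or mail() could not hand the message to sendmail.';
```

A true return only means PHP handed the message to the local sendmail command; if nothing arrives, the Postfix log (mail.log) shows what the Gmail relay answered.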

Lastly, to make these changes survive a restart of your Mac we need to do some more work, changing a file called /System/Library/LaunchDaemons/org.postfix.master.plist
which is read only because it is being used!

sudo launchctl unload /System/Library/LaunchDaemons/org.postfix.master.plist stops it!
Add the following before

And then restart the daemon thingie…
sudo launchctl load /System/Library/LaunchDaemons/org.postfix.master.plist

Hope that helps you!

WordPress 4.5.2 produced database errors

I just updated a client’s WordPress website to 4.5.2 this evening and immediately experienced database errors around the category listing.

The wp-termmeta table was missing.

Thankfully if you can get into phpmyadmin, the fix is simple. Select the database, click on “SQL” and run this

CREATE TABLE wp_termmeta (
  meta_id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  term_id bigint(20) unsigned NOT NULL DEFAULT '0',
  meta_key varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
  meta_value longtext COLLATE utf8_unicode_ci,
  PRIMARY KEY (meta_id),
  KEY term_id (term_id),
  KEY meta_key (meta_key(191))
) DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

Change the wp_ as necessary!

Urgent Update

If you are using a version of the church admin plugin older than 0.810, please update immediately!
Two security vulnerabilities in older versions have been discovered – one of which has a “proof of concept” YouTube video public.
Essentially, people with more time and less godliness than they would have in Christ could insert some JavaScript code into the address field of the [church_admin_register] shortcode when they fill the form in, or into the “new sermon series” input field in the sermon podcast admin area.

Potentially that could be used to steal cookies and fake your login. It’s called a “Stored XSS vulnerability”

v0.810 stops that and renders any previous attempts harmless.

There’s no evidence that anyone has used the exploit yet, but now it’s public, they may on your site if you don’t update now! Please update even if you don’t use those features, as v0.810 has been thoroughly checked for that vulnerability in all its features.
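For anyone maintaining their own plugin, the fix for a stored XSS like this is always the same two steps: sanitise what the form submits before it is stored, and escape every stored value at the point it is printed, in the right form for where it lands (text between tags versus inside an attribute). The script below is an added example and not code from the church admin plugin; it re-implements the two WordPress helpers in plain PHP so it runs on its own, whereas inside a plugin you would call sanitize_text_field() and esc_html()/esc_attr() directly. The submitted values are constructed probes, not real data.

```php
<?php
// Added example, not code from the church admin plugin.

/** Input side: strip tags and control characters before the value is stored. */
function example_sanitize_text( $raw ) {
    $clean = strip_tags( (string) $raw );
    $clean = preg_replace( '/[\x00-\x1F\x7F]/', '', $clean );
    return trim( $clean );
}

/** Output side: encode <, >, &, " and ' so the browser treats the value as text. */
function example_esc( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

/** An address printed inside a table cell (HTML text context). */
function render_address_cell( $stored_address ) {
    return '<td>' . example_esc( $stored_address ) . '</td>';
}

/** A sermon series name echoed back into a form field (attribute context). */
function render_series_input( $stored_series ) {
    return '<input type="text" name="series" value="' . example_esc( $stored_series ) . '">';
}

// Constructed submissions: the standard probe for each of the two contexts.
$address_submitted = '12 High St<script>alert(1)</script>';
$series_submitted  = 'Acts" onfocus="alert(1)';

// New submissions are sanitised before they reach the database ...
echo render_address_cell( example_sanitize_text( $address_submitted ) ), "\n";
// ... and values already stored by an earlier attempt are neutralised at output,
// which is what "renders any previous attempts harmless" means in practice.
echo render_address_cell( $address_submitted ), "\n";
echo render_series_input( $series_submitted ), "\n";
```

The second and third lines of output are the ones that matter: the script tag comes out as `&lt;script&gt;`, and the stray quote in the series name becomes `&quot;`, so the value can no longer close the attribute and start an event handler. Escaping at output is what protects a site from data that was stored before the plugin was patched.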

Gazzas Clothing Store

A client wanted a simple PayPal based ecommerce site, so I built him one. He had been using eBay and had some WordPress experience, so wanted a simple interface.

It features

  • a  responsive theme that looks great on all devices
  • Simple product entry, image upload and stock control.
  • Product categories
  • Paypal instant payment notification back end.

Why not take a look?

How to rescue a WordPress Hack

This evening, I rescued a client’s WordPress website from a hack that was so bad their host shut it down. I have a checklist that I use now to recover WordPress sites, which I’d like to share with you. Or you can hire me to do it for you as it requires some technical confidence!

You’d save a lot of heartache, if you backed up your database regularly!
The following steps are for when you haven’t and your site is trashed. These should get you back up and running. Take them at your own risk and don’t blame me or sue me – hey, your site was trashed anyway!

Gather your account passwords

You’ll need to be able to access PHPMyAdmin and FTP.
PHPMyAdmin is a script on most webhosts control panel that allows you to work on the MySQL database that drives WordPress.
FTP means File Transfer Protocol – it’s the way that you can make changes to the files on your server using a program like Filezilla.
You’ll need usernames and passwords to get into both.
I’m going to assume you know how to use them – if not hire me!

1) Put WordPress in maintenance mode

If your host hasn’t taken the site offline, you’ll want to prevent anyone from doing anything within a WordPress login by putting the site into maintenance mode.
Create a one line PHP file with the filename .maintenance (just like .htaccess it’ll be a “hidden” file).
The one line you need is

<?php $upgrading = time(); ?>

Upload the file to the root directory of the install – usually the same directory as wp-config.php.
That forces WordPress into maintenance mode with the message “Briefly unavailable for scheduled maintenance. Try again in a minute.” (WordPress ignores the file once its timestamp is more than ten minutes old, so re-save it if the cleanup takes longer.)

2) Change the database passwords

Delete the database user in your webhost control panel and create a new one with a completely different password.
Download the wp-config.php file and edit it. Most WordPress hacks are through a compromised login, where the hacker then uploads a plugin; anything that runs inside WordPress can read wp-config.php, so assume they now know your db password.
Adjust the wp-config.php lines

Replacing the hashes with the new username and password combination.

Next scroll down to the Authentication Unique Keys and Salts section.
It will look something like this…

Changing these will force logout of anyone logged in.
The WordPress boys and girls have provided a useful tool to regenerate these. Don’t be lazy and copy the above 😉

Go ahead and change these in wp-config.php.
Have a quick scan through the rest of the file to check nothing weird is in there. You can compare it to wp-config-sample.php to be sure!
Your wp-config.php is now ready – but don’t upload yet.

3) Delete the current WordPress Install

I think it’s safest to upload a complete fresh install, rather than update.
So delete the following directories – wp-admin, wp-includes and all the files in the root except .htaccess (do read through .htaccess though, as hacks often hide redirect rules in there; anything you didn’t add should go). Do not delete wp-content!

4) Note what plugins and theme were active

If your site is down and you can’t remember which plugins and theme were active then follow this step
Log in to PHPMyAdmin, find your WordPress database, click the wp_options table (you may have a different prefix than wp_) and then the SQL tab.

Use the statement SELECT * FROM wp_options WHERE option_name = 'active_plugins'
Click on edit to see what the value is.
It will look something like this

Yikes! That is a serialized array – but I can see PostLikes, akismet, church-admin-csv, church-admin, emergency-password-reset, never-loose-contact-form and signup-before-leaving are the plugin directories of active plugins.

Simpler is finding which theme was active.
The SQL statement
SELECT * FROM wp_options WHERE option_name = 'current_theme'
will show which theme was active!
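Rather than reading the serialized array by eye, you can let PHP decode it and tell you which entries you don’t recognise, which is the question that matters here: an unfamiliar plugin in that list is the uploaded backdoor the post describes. This is an added example, not part of the original checklist; the option value and the list of known plugin directories are constructed for the demo, so paste in the value from phpMyAdmin and your own list to use it.

```php
<?php
// Added example, not part of the post.

/** Turn the serialized active_plugins option into a plain list of "dir/file.php" strings. */
function decode_active_plugins( $serialized ) {
    // allowed_classes => false: the option should only hold strings, so never
    // let a tampered value instantiate an object while we are cleaning up.
    $value = @unserialize( $serialized, array( 'allowed_classes' => false ) );
    if ( ! is_array( $value ) ) {
        return array();
    }
    return array_values( array_map( 'strval', $value ) );
}

/** "church-admin/church-admin.php" -> "church-admin"; single-file plugins stay as-is. */
function plugin_dir_of( $entry ) {
    return strpos( $entry, '/' ) === false ? $entry : strstr( $entry, '/', true );
}

/** Entries whose directory is not on your list of plugins you actually installed. */
function unknown_plugins( array $active, array $known_dirs ) {
    $unknown = array();
    foreach ( $active as $entry ) {
        if ( ! in_array( plugin_dir_of( $entry ), $known_dirs, true ) ) {
            $unknown[] = $entry;
        }
    }
    return $unknown;
}

// Constructed sample: two plugins named in the post plus one made-up entry
// ("zz-helper") of the kind a compromised login tends to leave behind.
$option_value = 'a:3:{i:0;s:19:"akismet/akismet.php";'
              . 'i:1;s:29:"church-admin/church-admin.php";'
              . 'i:2;s:23:"zz-helper/zz-helper.php";}';
$known_dirs   = array( 'akismet', 'church-admin', 'emergency-password-reset' );

$active = decode_active_plugins( $option_value );
echo 'Active:  ', implode( ', ', $active ), "\n";
echo 'Unknown: ', implode( ', ', unknown_plugins( $active, $known_dirs ) ), "\n";
```

Anything listed as unknown should not be re-uploaded in step 8, and its directory name is worth searching for in the web server’s access log to see when it was first requested.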

5) Clean up the users

Go to the wp_users table and delete any unknown users – especially with date stamps around when your site was hacked.
If you still have an “admin” user – change the username away from admin right NOW! That is likely how the hackers got in!

6) Check the Database for hacked posts and comments…

In phpmyadmin, click your database name at the top, so that all tables are showing and then click “search” – search for “iframe” in all tables


You can then check the entries that show for anything untoward.

7) Clean the wp-content directory

This is where the hacker will have most likely done damage. You should have the directories plugins, themes, uploads and upgrade there. Some plugins may have added other directories or even files too.
The index.php file in wp-content should just have

<?php
// Silence is golden.
Goto the plugin directory – delete everything! You will upload fresh copies later.
Next the themes directory – again delete everything (careful you have copies of bespoke/child themes stored elsewhere!)
Then go through the uploads directory, by year and month. Delete any .php files – should just be images, pdfs and other user uploaded files.
Delete anything in the wp-content directory that looks suspicious and especially any files ending in .php that don’t look like above.
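Going through uploads by year and month is tedious on a site with a few years of images, and a .php file is not the only thing to look for: a file named photo.jpg that begins with `<?php` is just as bad if the web server can be persuaded to run it. The script below, an added example rather than part of the checklist, walks a directory and lists both kinds. It builds a small throwaway sample tree first so it runs anywhere; to use it for real, call scan_uploads() on your wp-content/uploads directory (or a copy downloaded over FTP) instead.

```php
<?php
// Added example, not part of the post.

const SUSPECT_EXTENSIONS = array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar' );

/** Return [relative path => reason] for every suspicious file under $root. */
function scan_uploads( $root ) {
    $root     = rtrim( $root, '/' );
    $findings = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        $ext = strtolower( $file->getExtension() );
        if ( in_array( $ext, SUSPECT_EXTENSIONS, true ) ) {
            $findings[ $rel ] = 'php extension in uploads';
            continue;
        }
        // Peek at the first bytes: an "image" that begins with <?php is not a picture.
        $head = file_get_contents( $file->getPathname(), false, null, 0, 64 );
        if ( $head !== false && preg_match( '/^\s*<\?(php|=)/i', $head ) ) {
            $findings[ $rel ] = 'php code inside a non-php file';
        }
    }
    ksort( $findings );
    return $findings;
}

/** Constructed sample tree in the temp directory: two legitimate uploads, two planted files. */
function make_sample_tree() {
    $root = sys_get_temp_dir() . '/uploads_demo_' . uniqid();
    mkdir( $root . '/2016/05', 0700, true );
    file_put_contents( $root . '/2016/05/photo.jpg', "\xFF\xD8\xFF\xE0 (not really a jpeg)" );
    file_put_contents( $root . '/2016/05/newsletter.pdf', '%PDF-1.4 (dummy)' );
    file_put_contents( $root . '/2016/05/helper.php', '<?php echo "planted"; ' );
    file_put_contents( $root . '/2016/05/logo.png', '<?php /* disguised */ ' );
    return $root;
}

$root = make_sample_tree();
foreach ( scan_uploads( $root ) as $path => $why ) {
    echo "$path: $why\n";
}
```

On the sample tree it reports helper.php and logo.png and stays quiet about the real image and PDF. Treat the report as a list to inspect rather than a list to delete blindly, and whatever you remove, keep a copy somewhere off the server so you can work out later how it got there.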

8) Download fresh copies of plugins and themes

The quickest approach is to download them all as zips, unzip and upload back to wp-content/plugins, so that when you get WordPress going again, they are already in their activated state.

9) Download a fresh copy of wordpress from

Unzip all files and upload

10) Upload your prepared wp-config.php file

11) Finally delete the .maintenance file

Delete the .maintenance file from the root directory and you should be live again

I’m happy to help – get in touch for a quote

Does anyone have any other steps they take to clean hacked wordpress sites?