Category Archives: WordPress

How to cache the wp_oembed_get() function

The wp_oembed_get() function is not cached by default. Unfortunately, many themes (like Elegant Themes Divi) still use it which leads to your page making many background requests to YouTube and similar video embedding sites. This slows down your pageloads since WordPress has to wait for YouTube to response before showing your page.

If you’re not able to fix your theme, you can add the code below into an mu-plugin or into your themes functions.php file. It will cache embeds that are using wp_oembed_get(). Please note that embeds that fail to resolve (for example: deleted youtube video) will still not be cached. This is due to the way wp_oembed_get() works internally and is not trivial to fix.

<?php
/**
 * Cache wp_oembed_get()
 * Version: 1.0
 */

define('CUSTOM_OEMBED_CACHE_KEY', 'coc_');

function _wp_custom_oembed_cache_key($url, $args) {
  $args_serialized = serialize($args);
  return CUSTOM_OEMBED_CACHE_KEY . md5("{$url}-{$args_serialized}");
}

/**
 * This function caches the result
 */
add_filter('oembed_result', function($data, $url, $args) {
  // Cache result
  set_transient(_wp_custom_oembed_cache_key($url, $args), $data, DAY_IN_SECONDS);
  return $data;
}, 999, 3);

/**
 * This function serves the cached result
 */
add_filter('pre_oembed_result', function($result, $url, $args) {

  // Clean out empty oembed calls caused by Divi
  if(trim($url) === '') {
    return '';
  }

  // Return cached result if available
  if($cached_result = get_transient(_wp_custom_oembed_cache_key($url, $args))) {
    return $cached_result;
  }

  return $result;
}, 2, 3);

Configure how often WordPress sends recovery mode emails about errors

By default, WordPress sends a maximum of one email per day to the site administrator if a fatal error is discovered. (Since WordPress 5.2)

To configure this, use the following snippet:

add_filter('recovery_mode_email_rate_limit', function($rate) {
  return HOUR_IN_SECONDS;
});

Instead of using one of the predefined constants like HOUR_IN_SECONDS, you can use any integer value, like 600, which would correspond to every 10 minutes.

Sending emails to multiple users when WordPress goes into recovery mode

WordPress 5.2 pioneered a new “Recovery mode” feature that can notify site administrators by email if their site experiences a fatal error.

By default, the email is sent to either an email configured under the RECOVERY_MODE_EMAIL constant or the user that created the website (admin_email option).

If you want this email to multiple addresses, you can use the snippet below in your themes functions.php or in a plugin. Configure the extra address on line 6.

add_filter('recovery_mode_email', function($email, $url) {
  $email_array = [];
  $email_array[] = $email['to'];

  // Adds another email
  $email_array[] = 'your-email@gmail.com';

  $email['to'] = $email_array;

  return $email;
}, 10, 2);

Configuring WordPress to work behind an Application Load Balancer (ALB) in AWS

When putting WordPress behind an ALB that has SSL configured it might result in a configuration where the ALB uses SSL but WordPress communicates with the ALB over regular HTTP.

This can cause WordPress to server HTTP (non-ssl) CSS and JavaScript resources and/or fail in other ways.

The solution is to check the X-Forwarded-Proto header that ALB sets and let WordPress know whether it should treat the incoming request as an SSL request or not.

Put this code at the top of wp-config.php to do exactly that:

// Get true SSL status from AWS load balancer
if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
  $_SERVER['HTTPS'] = '1';
}

Cache warming on low-traffic WordPress sites

If you have a WordPress site that relies on time-based static page caching (like W3 Total Cache), you may notice that the low default cache timeouts (1-5 minutes) aren’t really working well for sites that receive a low amount of traffic.

In these cases, cache warming provides a great option to make sure every visitor gets a fast TTFB response.

I recently wrote a PHP script to enable cache warming based on a sitemap. (Which both Yoast WordPress SEO and Google XML Sitemaps provide.)

You can find the script and setup instructions by clicking on this link.

Caching strategy for low-traffic WordPress deployments

Let’s talk about caching strategy! Sites fall into one of two categories:

Low amount of content (~20-30 unique posts or pages)

Use a long cache expiration time (24 hours or more), but make sure that the cache is flushed when any content changes. (This is usually configurable in the cache plugin.)

Schedule crawls generously, as crawling will be fast as long as cache hasn’t expired. Crawling every 15 minutes or so is no problem.

Large amounts of content (> 100 posts or pages)

If you have a lot of infrequently accessed pages, the problem gets harder to manage. Crawling hundreds of pages will take a toll on your server, racking up high CPU usage. The only option here is to cache indefinitely, to only flush parts of the cache that are affected by a change, or cache for even longer periods of time (over 1 week).

For caching, I recommend the free Cache Enabler.

Schedule crawles less frequently, once per 1-4 hours. Keep track of the time it takes to run a crawl. If your web host enforces low PHP timeout the crawler might get killed before crawling all the pages.

Restrict viewing of uploaded attachments to logged-in users using WordPress and Nginx

Even if you lock down your WordPress site so outside visitors can’t see it, all uploaded attachment such as media, images and PDFs are available to anyone as long as they know the direct link to those files, or can find it by other means such as search engines. Sometimes that’s not acceptable and you want to make sure only logged in users can see uploaded media files.

This approach works by proxying all files in /wp-content/uploads through a script (dl-file.php) which should be placed in the root of your WordPress installation. The script checks whether the user is logged in before serving the file. If the user is not logged in a redirect is performed so that the user can log in before viewing the file.

Because this approach uses the same check as WordPress itself, it should be considered a very safe way of protecting attachments. You could also extend the proxy script to check for different access levels (for example if you have a membership site) and much more!

The Nginx config

# Hotlink protection
location ~ ^/wp-content/uploads/(.*) {
    try_files /dl-file.php =403;
    include fastcgi_params;
    fastcgi_pass php7;
}

This config should be placed in a server block and the example is for servers running EasyEngine, but it should work with minor modification on any php-fpm server.

The proxy script

<?php
/*
 * dl-file.php
 *
 * Protect uploaded files with login.
 *
 * Based on http://wordpress.stackexchange.com/questions/37144/protect-wordpress-uploads-if-user-is-not-logged-in
 * 
 * @author hakre <http://hakre.wordpress.com/> / khromov
 * @license GPL-3.0+
 * @registry SPDX
 */

require_once('wp-load.php');

//Check if we are logged in before attempting to serve the file
is_user_logged_in() || auth_redirect();

//FIXME ... simplify this
list($basedir) = array_values(array_intersect_key(wp_upload_dir(), array('basedir' => 1)))+array(NULL);

//Check if file exists
$getFile = isset($_GET[ 'file' ]) ? $_GET[ 'file' ] : $_SERVER['REQUEST_URI'];

//Normalize file path
$getFile = str_replace('..', '', $getFile);
$getFile = str_replace('wp-content/uploads/', '', $getFile);

//This provides a notice in the log
trigger_error('Loading protected file ' . $getFile);

$file =  trailingslashit($basedir) . $getFile;

//If file is missing, 404 it
if (!$basedir || !is_file($file)) {
    status_header(404);
    die('404 &#8212; File not found.');
}

$mime = wp_check_filetype($file);
if( false === $mime[ 'type' ] && function_exists( 'mime_content_type' ) )
    $mime[ 'type' ] = mime_content_type( $file );

if( $mime[ 'type' ] )
    $mimetype = $mime[ 'type' ];
else
    $mimetype = 'image/' . substr( $file, strrpos( $file, '.' ) + 1 );

header( 'Content-Type: ' . $mimetype ); // always send this

// If we made it this far, just serve the file
readfile( $file );

Similar StackOverflow question

Photo by Micah Williams on Unsplash

Fix broken / overlapping Instagram embed for WordPress

At some point recently (February 2018), Instagram broke their oEmbed implementation which causes JavaScript errors and embeds that overlap each other. Use the snippet below to mitigate this issue and hopefully Instagram will fix it in the future. The snippet makes sure only one

/**
 * Remove Instagram embed.js script on each embed
 */
add_filter('embed_oembed_html', function($html, $url, $attr, $post_id) {
  $regex =    '/<script.*instagram\.com\/embed.js.*\s?script>/U';
  $regex_2 =  '/<script.*platform\.instagram\.com\/.*\/embeds\.js.*script>/U';

  if(preg_match($regex, $html) || preg_match($regex_2, $html)) {
    add_filter('kh_has_instagram_embed', '__return_true');

    $html = preg_replace($regex, '', $html);
    $html = preg_replace($regex_2, '', $html);

    return $html;
  }

  return $html;
}, 100, 4);

/**
 * Enqueue the embed.js script once at the bottom of the page, if at least one Instagram embed is enqueued
 */
add_filter('wp_footer', function() {
  if(apply_filters('kh_has_instagram_embed', false)) :
    ?>
      <script async defer src="//www.instagram.com/embed.js"></script>
    <?php
  endif;
}, 999);

List authors by post count in WordPress using MySQL

A query to list authors / users by post count:

SELECT wp_users.ID, wp_users.user_nicename, COUNT(*) as count FROM wp_posts, wp_users WHERE wp_posts.post_type='post' AND wp_posts.post_status='publish' AND wp_posts.post_author = wp_users.ID GROUP BY post_author ORDER BY count DESC LIMIT 5 ;

Resulting table:

ID,user_nicename,count
29,"user-a",18
66,"user-b",16
26,"user-c",10
24,"user-f",9
48,"user-z",6