Tag: wordpress

Human Avatar for Robohash WordPress plugin

I was tired of the similar looking avatars offered for comments. When changing them in Settings>Discussion>Default Avatar I noticed there was a new one, Robohash.

Robohash has further customisation options but unfortunately they were not available to select in the avatar configuration options of WordPress.

Specifically I liked their “human” set which I think Robohash keep pretty low key as it was only referenced briefly in a single paragraph at the very end.

No point it customising the WordPress core directly because of updates, so instead I created a plugin for others to enjoy:

Human Avatar for Robohash

Tuesday, 11 March 2025
Erroneous redirect to login page after commenting as guest
This one had me bewildered for a while. Every single WordPress page is made up of many parts (core, themes, plugins, customisations, etc.). This powerful and flexible architecture also derives into complexity, especially when debugging, making bug hunting a tedious process.

After resolving the previous comments issue, I needed to finish off this matter where a guest commenter was wrongfully redirected to the login page after leaving a comment. The default behaviour is to redirect the commenter to its new comment on the post page. Despite WordPress asking for authentication the comment was actually published immediately.

Working backwards, the HTTP headers revealed that after posting the comment, the commenter was first redirected to the WordPress Dashboard, but being a guest, there was a second redirect to the login page. Now that this was determined, I just had to figure out why the commenter was redirected to the Dashboard.

After disabling all plugins and a lot of code inspection in the active theme and WordPress core, I came across the wp_safe_redirect function in pluggable.php. This function has the following lines which include the fall-back redirect to the Dashboard (admin_url):
```
/**
	 * Filters the redirect fallback URL for when the provided redirect is not safe (local).
	 *
	 * @since 4.3.0
	 *
	 * @param string $fallback_url The fallback URL to use by default.
	 * @param int    $status       The HTTP response status code to use.
	 */
	$fallback_url = apply_filters( 'wp_safe_redirect_fallback', admin_url(), $status );

	$location = wp_validate_redirect( $location, $fallback_url );
```
Then it was time to determine what triggers the fallback_url to the Dashboard to be applied instead of the default post’s location. This leads to the next function wp_validate_redirect which tries to validate the URL being correct and if not, it returns the aforementioned admin_url fall-back. One of the checks is done by wp_sanitize_redirect and its sub-function _wp_sanitize_utf8_in_redirect:
```
/**
	 * Sanitizes a URL for use in a redirect.
	 *
	 * @since 2.3.0
	 *
	 * @param string $location The path to redirect to.
	 * @return string Redirect-sanitized URL.
	 */
	function wp_sanitize_redirect( $location ) {
		// Encode spaces.
		$location = str_replace( ' ', '%20', $location );

		$regex    = '/
		(
			(?: [\xC2-\xDF][\x80-\xBF]        # double-byte sequences   110xxxxx 10xxxxxx
			|   \xE0[\xA0-\xBF][\x80-\xBF]    # triple-byte sequences   1110xxxx 10xxxxxx * 2
			|   [\xE1-\xEC][\x80-\xBF]{2}
			|   \xED[\x80-\x9F][\x80-\xBF]
			|   [\xEE-\xEF][\x80-\xBF]{2}
			|   \xF0[\x90-\xBF][\x80-\xBF]{2} # four-byte sequences   11110xxx 10xxxxxx * 3
			|   [\xF1-\xF3][\x80-\xBF]{3}
			|   \xF4[\x80-\x8F][\x80-\xBF]{2}
		){1,40}                              # ...one or more times
		)/x';
		$location = preg_replace_callback( $regex, '_wp_sanitize_utf8_in_redirect', $location );
		$location = preg_replace( '|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()@]|i', '', $location );
		$location = wp_kses_no_null( $location );

		// Remove %0D and %0A from location.
		$strip = array( '%0d', '%0a', '%0D', '%0A' );
		return _deep_replace( $strip, $location );
	}

	/**
	 * URL encodes UTF-8 characters in a URL.
	 *
	 * @ignore
	 * @since 4.2.0
	 * @access private
	 *
	 * @see wp_sanitize_redirect()
	 *
	 * @param array $matches RegEx matches against the redirect location.
	 * @return string URL-encoded version of the first RegEx match.
	 */
	function _wp_sanitize_utf8_in_redirect( $matches ) {
		return urlencode( $matches[0] );
	}
```
The important part to notice is that UTF-8 characters in the URL are being URL encoded. For the common ASCII domain names this would never be an issue, however this particular site is using the letter “ö” (Latin small letter o with diaeresis, U+00F6) in its IDN schönbeck.dk. When replacing the UTF-8 letter with the URL encoded equivalent (%C3%B6), then we suddenly have an invalid URL that cannot be validated by WordPress, and therefore the fall-back redirect to admin_url is being triggered.

The Settings>General page actually permits IDNs in both the Site Address and WordPress Address fields, so why is the rest of the code not taking this into account? Obviously a bug. The solution is to leave out the domain part of the location redirect and only apply the UTF-8 URL encoding on the remainder of the URL.

Until this WordPress IDN bug is fixed the work around is to input the IDN in the Site Address and WordPress Address fields in Punycode, avoiding UTF-8 altogether.
Saturday, 08 March 2025
Post comment notification email woes

After having done an upgrade of a very old WordPress install, notification emails were not arriving properly.

Since this installation was originally set up almost two decades ago, back when emails were sent directly from the same hosting server to the MTA. Due to the level of spam this caused, emails nowadays have to be submitted through a proper mail system, not forgetting the fact that port 25 is now blocked at nearly all providers.

I do run some mail servers myself, however I wanted something quick to move on so I decided to use Mailgun which I had an account with already. They actually provide their own Mailgun WordPress plugin so I was up and running as soon as the new DNS records had propagated. Emails started arriving immediately when I updated the Administration Email Address under Settings>General with the new email address. Great stuff!

However I realised that a new comment would no longer trigger the comment notification email. Nothing in the logs of nginx revealed what could be happening. I needed to figure out if the emails were even generated, and if so, where did they get stuck.

Luckily there is another plugin which logs each email sent by WordPress. Once I tested another comment and checked the plugin’s log page in WordPress, I immediately realised what the issue was. It was still being sent to the old administrator email address!

Later I did spot that Mailgun’s own logs actually revealed the same data, but at the time in question I was under the impression that the emails never left WordPress.

Now the mystery… why the heck was WordPress still using the previous email address from Administration Email Address? This field was updated and other admin notification emails were being received just fine.

The issue when dealing with a self-hosted WordPress for oneself is that in the vast majority of cases, one is both the site administrator as well as the only user posting. Apparently the new comment notifications emails are only sent to the post author and not the site administrator. I had simply forgotten about the old email address under the posting user’s profile (Users>Profile)!

Comment moderation emails on the contrary do go to both site administrator and post author.

Do not forget to add or update your Gravatar profile with the new email address.

Friday, 07 March 2025
Failing to update a very old WordPress version

Download failed.: cURL error 60: SSL certificate problem: unable to get local issuer certificate

Installation Failed

If you receive the above error when updating a stale installation of WordPress read on.

Every installation of WordPress comes with its own Certificate Authority (CA) file which gets refreshed automatically upon each version update. If you have not updated your installation of WordPress for a few years the certificates within have expired and therefore cURL will not be able to verify the integrity of the server you are connecting to and fail the download and update process.

Verifying the chain of trust is important to avoid pulling WordPress from the wrong source in the event that you may be exposed e.g. to a man in the middle (MITM), DNS hijacking, etc. scenario.

To resolve the issue we need to break out of this catch 22 situation where we need the latest version of WordPress to update to the latest version of WordPress… d’oh!

Some would simply download a fresh WordPress installation directly on the server, however it can be error prone risking your old installation’s data, plus the fact that the included updater runs its checks and updates both core files and database. So the quickest way is to simply overwrite the old certificates file at wp-includes/certificates/ca-bundle.crt with the latest one from WordPress’ development repository:

https://raw.githubusercontent.com/WordPress/WordPress/refs/heads/master/wp-includes/certificates/ca-bundle.crt

Once replaced cURL will no longer have any issues connecting to WordPress, retrieving the latest version and completing the update.

Wednesday, 12 February 2025
Google+ integration

I wanted a tighter integration with my blog and my Google+ stream to avoid having to visit two places.

I have added a little widget which will display the latest posts.

Friday, 21 October 2011

Tag: wordpress

Human Avatar for Robohash WordPress plugin

Erroneous redirect to login page after commenting as guest

Post comment notification email woes

Failing to update a very old WordPress version

Google+ integration