GNUCITIZEN Wordpress Plugins
Over the last couple of days we realized that hey, we have a bunch of cool in-house Wordpress plugins that we can give back to the community. So there you go! Here you will be able to find some of the many custom-built plugins for Wordpress that we have developed because of basic needs. There is no guarantee that we will support them in the future. Drop us a nice word if you find them useful.

Wordpress IPS (Intrusion Prevention System)
The Wordpress IPS is probably one of the lightest plugins you will ever encounter but its power is immense and incomparable to anything else seen. The plugin is designed to simply block malicious requests before they are processed by the Wordpress engine and therefore secure it against common and well-known attack vectors. But wait, there is a lot more to it.
The GNUCITIZEN Wordpress IPS works with PHP5 only and it is based heavily on the all-mighty PHP-IDS project. This plugin is an essential part of your Web threat survival kit.
App Gateway
This plugin allows you to define a secure storage for your online credentials and then use it to automatically log in to your online profiles. The Application gateway plugin can be used in situations where you trust your Wordpress blog installation so much that you can use it as a primary authentication gateway to all other resources associated with your online persona, like Google, Yahoo, Microsoft Live, etc.
In case your Wordpress instance is compromised, attackers won’t be able to get to your secret information. The data which resides within the database is encrypted with the Blowfish cryptographic algorithm on the client-side before being stored on the server. In order to get the data out, you have to decrypt it with the passphrase provided when encrypting the data. The stronger your passphrase is, the harder it will be for attackers to break your secure storage.
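The storage model described above, as an added example that is not the plugin's own code: the client seals the credentials under a passphrase-derived key and the server only ever holds the sealed record. AES-256-GCM with PBKDF2 (Node.js `crypto`) stands in for the plugin's Blowfish routine, whose key handling is not shown on this page; the function names, iteration count and sample values are assumptions.

```javascript
// Added example: AES-256-GCM + PBKDF2 stand in for the plugin's Blowfish routine.
const nodeCrypto = require("node:crypto");

const KDF_ITERATIONS = 200000; // assumed work factor, tune for your hardware

// Stretch the passphrase into a 256-bit key; the salt is stored beside the ciphertext.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, KDF_ITERATIONS, 32, "sha256");
}

// Runs on the client: returns the only record the server ever stores.
function sealCredentials(passphrase, credentials) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(credentials), "utf8"), cipher.final()]);
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    body: body.toString("base64"),
  };
}

// Runs on the client: returns the credentials, or null if the passphrase is wrong
// or the stored record was modified.
function openCredentials(passphrase, record) {
  const key = deriveKey(passphrase, Buffer.from(record.salt, "base64"));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(record.iv, "base64"));
  decipher.setAuthTag(Buffer.from(record.tag, "base64"));
  try {
    const plain = Buffer.concat([decipher.update(Buffer.from(record.body, "base64")), decipher.final()]);
    return JSON.parse(plain.toString("utf8"));
  } catch (err) {
    return null;
  }
}

// Constructed sample values, not real credentials.
const SAMPLE = { service: "gmail", user: "alice@example.test", password: "not-a-real-password" };
```

The key-stretching step is what makes passphrase strength the deciding factor: anyone who copies the stored record can only test guesses at the cost of one full derivation each.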
There are some funny implications that emerged while coding this plugin. It can also be used as a client-side application launch pad. For example, blog administrators can write their own homemade client-side applications and provide them to the blog users. Check gc-app-gateway-catalog.jsn for more information.
Content Tags
This plugin is nothing special really. At the moment, all it does is provide users with a mechanism to import feeds within their posts. Here is a simple usage:
<!-- feed http://www.gnucitizen.org/feed -->
<!-- feed 5 http://www.gnucitizen.org/feed -->
The first comment tag will import and render the entire feed (all items), while the second comment tag will render only the first 5 items. More tags will come in the future as the need arises.
Custom Categories
Again, this is another not-that-special plugin for Wordpress, but it does an excellent job at what it does. The plugin will allow you to specify the name of the custom field which you use for additional tags and keywords. While building your feeds, the plugin will look up this field and add extra categories for each entry. So, you can keep your categories list nice and clean and still define all the tags that you need. I think that Wordpress 2.3 has built-in support for this feature, though I need to verify. If this is the case, then we will simply make it redundant.
Custom Templates
The plugin makes it possible to create per-post/page/comments customizations. You can define custom templates for each without much trouble. Simply create a file called single-{post id here}.php within your template folder in order to customize the template of a single post. You can do the same with page-{post id here}.php and comments-{post id here}.php. This plugin is suitable in situations where you need to customize the blog to a greater degree. We use this plugin for all our database frontend interfaces.
Google Analytics
Well, what do you know? The plugin does nothing but provide a nice and clean interface for enabling and using Google Analytics. The reason we had to write this plugin was because all other Google Analytics plugins out there are vulnerable to simple and persistent XSS, no CSRF trickery required, just post your comments on the vulnerable site. Shame! It is absolutely possible to write an AJAX Wordpress comment worm.
Nicer
Wordpress can be a bit bulky and very dirty in some places. This plugin makes sure that the output is simply nice! Nice one! For example, the plugin will remove the unneeded default HTML autofix feature Wordpress currently implements and leave you to code your HTML straight from your management window. Keep in mind that the security of the blog is not compromised when the feature is eliminated. So, if you are still struggling with posting code and weird tags on your site and you have editor and up access, this plugin is the right solution for you. It will also make your excerpts look nice and even change the code output to look… what… you’ve got it: nice!
SSL Normalizer
Are you using Wordpress via HTTP? You must be mad! Quickly log in to your blog and change the transport protocol of your Wordpress instance (i.e. from http://www.gnucitizen.org/wordpress to https://www.gnucitizen.org/wordpress). As a side effect, you will notice that not only your admin is served over SSL but also parts of your blog. Nc nc nc! Wordpress cannot tell the difference. The following plugin will resolve this issue and will make sure that only content served up from the admin console goes through SSL and everything else goes as normal. The plugin also provides some perks for attachment links. It normalizes them as well, so that your blog is nice, secure and kind of clean.
These plugins were brought to you by GNUCITIZEN and Hakiri (GNUCITIZEN’s subsidiary). We use Wordpress all the time for all kinds of projects. Along the way of learning how Wordpress works, we have come up with various plugins to enable better utilization of our infrastructure. These plugins are now freely available for the benefit of the Open Source community. Pay us a tribute by subscribing to our feeds (here and here) or by linking to us through your Blogroll. Thank you!
That said, I have nothing else to add! :)


comments
Thanks for sharing these PDP… Rios and I may take a look at using some for our blog.
cool, let me know how they are coming. I have a few more to share but I need to get them to some sort of stable stage first.
Thanks for sharing.
“Well, what do you know? The plugin does nothing but to provide nice and clean interface for enabling and using Google Analytics. The reason we had to write this plugin was because all other Google Analytics plugins out there are vulnerable to simple and persistent XSS, no CSRF trickery required, just post your comments on the vulnerable site. Shame! It is absolutely possible to write an AJAX Wordpress comment worm”
Interesting. Could you go deeper in the topic?
José.
Joe,
I think that we’ve tested a few Analytics plugins and they all seemed to have at least one security problem. The one that we used to use, forgot the name but it should be the most popular plugin that does the job, has problems with quotes. Because the plugin automatically adds some JavaScript trickery for each anchor tag and because the author failed to sanitize single quotes, and because all Wordpress tags use single quotes for the tag attributes, it is possible to jail-break out of the XSS protection mechanisms and persistently store JavaScript within the comment. This was in particular quite nasty but I failed to report the problem due to the fact that I didn’t have much time back then. That was like 2-3 months ago. The plugin might be still very vulnerable.
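The bug class described in the reply above, as an added example that is not part of the original comments and not code from any real plugin: a hypothetical link-tagging helper that writes single-quoted attributes, first without and then with quote encoding. `tagLinkUnsafe`, `tagLinkSafe`, `trackOutbound` and the sample URL are all assumptions, and the constructed input carries only an inert marker attribute.

```javascript
// Added example: hypothetical link-tagging code, not taken from any real plugin.

// Vulnerable: the URL is pasted into a single-quoted attribute as-is.
function tagLinkUnsafe(url) {
  return "<a href='" + url + "' onclick='trackOutbound(this.href)'>link</a>";
}

// Encode every character that can end an attribute value or start markup.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Hardened: same markup, but the URL can no longer close the attribute.
function tagLinkSafe(url) {
  return "<a href='" + escapeAttr(url) + "' onclick='trackOutbound(this.href)'>link</a>";
}

// Minimal tokenizer for the opening tag: lists the attribute names a parser would see.
function attributeNames(html) {
  const openTag = html.slice(0, html.indexOf(">"));
  const names = [];
  const re = /([a-zA-Z-]+)\s*=\s*(?:'[^']*'|"[^"]*")/g;
  let m;
  while ((m = re.exec(openTag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed input: a comment URL containing a single quote and an inert marker.
const SAMPLE_URL = "http://example.test/' data-injected='1";

console.log(attributeNames(tagLinkUnsafe(SAMPLE_URL))); // marker shows up as its own attribute
console.log(attributeNames(tagLinkSafe(SAMPLE_URL)));   // only the attributes the helper wrote
```

In WordPress PHP code the same encoding is what `esc_attr()` provides.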
This is a nice collection of plugins. I just installed App Gateway in a Wordpress MU installation (v. 1.25) that I’ve got set up at work. When I use the Designer on the App Gateway options page, the only option available in the type pull down is gmail. I want to use this plugin for google apps under my own domain. So I want to be able to configure accordingly. Can you give me any pointers?
Many thanks!
Ben, thanks. We have dozens more plugins to release to the public and we will do that as soon as possible. Let me answer your question here:
The App gateway currently supports GMail only. But it is very easy to make it support whatever else you want. Within the folder of the plugin, you will find a file called gc-app-gateway-catalog.jsn. This file is responsible for defining what applications the plugin supports. Here is the content of the file:
Notice the gmail branch. In order to add a new application, you have to add a new branch. For example you can call it facebook. For the template parameter you have to specify the code that will be rendered within a new frame which will perform a CSRF request against the login form.
Just follow the syntax in this file and you will quickly get the grip of it. There is a security reason why we choose this model instead of storing that kind of things in the database. I might add some more applications soon but if you can do that and help us expand on this wonderful plugin, it will be even better. Credits apply where due, you know that :)
Thanks for your reply! This looks quite doable. I’m looking forward to experimenting with this. My scheme here is to have an internal work blog that I’ve set up be the gateway to other information like a communications planning calendar. Might be a week or two before I’m able to work on this further. I’ll let you know how it goes.
cool plugin for Wordpress. I’ve been waiting for more plugin. Useful and it’s great. Good job
Thanks for sharing. I’m a newbie in wordpress. Before I migrate to WP, I’m using free Blogspot blog. Once again thanks.
I am glad that you find them useful. Newer versions of the plugs will be released soon.
I’m kinda new to this whole gateway concept? I am primarily looking for a way for my users to be able to use Google Apps directly if they are logged in to my Wordpress site. Can this plugin help me do this?
all this plugin will do is to allow you to use your wordpress to authenticate with your google mail account, so you don’t have to login twice. your gmail credentials are locked with a master key which means that if somebody manages to crack into your wordpress account they still need to guess the master key in order to login into your other accounts. so, if you are planning to use it make sure that you choose significantly complicated key of at least 12 characters.
So that is, if I’m logged in to Wordpress and if I use the same login details for gmail, I’ll be taken to Gmail without asking for the login details is it?
you have to configure the plugin first but yes.
I’ve added the details and it works. But in my settings section it always shows -
pdp,
I’m looking for a way to secure my wordpress site using the same credentials my users are using in Google apps for domains.
Will this plugin allow people logged into Google apps for domains to seamlessly access my wordpress site?
hello Cameron, I might end up writing such a plugin. thanks for the idea.
If you could do this, it would open a whole world of possibilities for Google Apps for domains users.
I would love to use Word Press as a gateway to host a number of online applications I wish to integrate with our Google Apps for domains system. It’s simple enough to embed a Wordpress site into the new Google Sites -but securing the site and integrating it with existing Google Apps (for domains) user’s logins is the barrier to doing this.
Such a plugin would allow admins to integrate Quickbooks, Zoho Creator, or a number of other applications right inside google sites.
Hi there,
Know anyone which plugin to use if I want only the first part (first paragraph) of the article to be displayed? If someone want to read more there will be a “read more” link… On my blog right now is displayed all of article content and I don’t want this… I’m talking about the latest 10 articles displayed on the first page of my blog. I’m using Wordpress. Can anyone help?
Thanks guys, just downloaded and will use on our site shortly.
Great Work Keep it up :-)