• Hello again,

    when reading your support forum I stumbled upon a topic (closed already 3 years ago) under the motto “Oh my God, after the recent change my super-snippet brought my website down and now I cannot even log in as an administrator to fix it!”.

    What you propose is to temporarily set a constant CODE_SNIPPETS_SAFE_MODE=true in the wp-config.php file. Personally, I don’t think it’s a good solution. Firstly, fiddling with wp-config is generally not the best idea ever. Secondly, if someone already has FTP access to his/her website, there is no need to edit the master configuration file: it’s enough to rename the wp-content/plugins/code-snippets directory to anything else, and the plugin will be immediately switched off by WordPress. This works for any plugin, and code-snippets is not an exception.

    Instead, I have implemented a cookie-based temporary switching off mechanism on my own website. It requires just a few lines of code.

    Firstly, I have stored the following file into the WP root directory:


    <?php // file code-snippets-off.php
    $seconds = 180;
    setcookie( "code-snippets-off", "true", time()+$seconds, "/", $_SERVER['HTTP_HOST'] );
    echo "Code snippets inactive for {$seconds} seconds";
    ?>

    Next, I have changed just one line of code in your snippet-ops.php file (first line of the execute_active_snippets function): instead of


    if ( defined( 'CODE_SNIPPETS_SAFE_MODE' ) && CODE_SNIPPETS_SAFE_MODE ) {return false;}

    I put


    if ( isset($_COOKIE['code-snippets-off']) ) {return false;}

    I think it’s pretty obvious how it works: it’s enough to type e.g. “https://my-website/code-snippets-off.php” in the address box of a web browser to get a 180-second cookie named “code-snippets-off” in the current browser session. This in turn suspends snippets execution.

    I think 3 minutes should be perfectly enough to log in to a website and deactivate either the whole Code Snippets plugin or just the troubled snippet. Also, the solution requires no FTP access (to be precise, one needs FTP access to set up the whole mechanism, but not to disable the snippets). This can be done even from a smartphone: everybody has a web browser on a smartphone, but few people have an FTP client installed (I don’t!).

    This is also safe: the cookie disables the snippets just for your browser session, so the villains cannot paralyse the website e.g. by constantly calling code-snippets-off.php from the outside. Well, if someone needs an additional security measure, the cookie-setting file can be renamed to anything crazy-and-hard-to-guess. But then you’d better bookmark it in your browser, because you can also forget this crazy name when in panic…

    Cheers — Jarek

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Shea Bunge

    (@bungeshea)

    Hi Jarek,

    You are correct that changing constants in wp-config.php is not an ideal solution. I do think that it’s nicer than simply renaming the plugin folder, as it allows the plugin to remain active but disables the snippets, meaning that it is safe to log in and manually disable the snippet which caused the error.

    I do really like your solution – I hadn’t considered using a cookie method before, and it seems like it would work rather well.

    I’m not sure that keeping the cookie disabling functionality in a file which can be accessed by anyone is a super fantastic idea – I realise renaming it would make it slightly more difficult to be exploited, but security through obscurity is not really at all reliable. Having said that, I am sure that a more robust method could be worked out which works in a similar manner, but through the WordPress authentication system.

    I think the file method is quite nice for a site-by-site basis, but it might be a bit specialised for general use as part of the plugin. I will definitely keep the idea of using cookies in mind when thinking about enhancing this system in the plugin itself in the future.

    Thanks for posting your idea here for other plugin users to find and adapt themselves. Just a quick note: instead of editing the plugin files, you can add code like this to wp-config.php, or a must-use or regular plugin:

    if ( ! defined( 'CODE_SNIPPETS_SAFE_MODE' ) ) {
    	define( 'CODE_SNIPPETS_SAFE_MODE', isset( $_COOKIE['code-snippets-off'] ) );
    }

  • Thread Starter JarekM

    (@jmilewski)

    Wow! Perfect! I did not realise that a PHP constant can be defined in that way.

    This really adds another dimension to Code Snippets flexibility and I will keep on using the cookie-based solution for my own, but I fully agree it does not necessarily suit everyone.

    Thanks for the tip!
    — Jarek
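
The plugin author's reply above asks for a more robust variant than a cookie that is trusted on mere presence. The following is an added example, not part of the original thread and not Code Snippets' own code: the cookie carries an HMAC-signed expiry time, and safe mode is enabled only when that signature verifies. `SNIPPETS_OFF_SECRET`, `SNIPPETS_OFF_PASS_HASH` and the `snippets_off_*` function names are hypothetical; the sketch assumes PHP 7.3+ and an HTTPS site.

```php
<?php
// Added example. SNIPPETS_OFF_SECRET (random key) and SNIPPETS_OFF_PASS_HASH
// (output of password_hash()) are hypothetical constants set in wp-config.php.

const SNIPPETS_OFF_COOKIE = 'code-snippets-off';

/** Build "expiry.hmac" so the server can later prove it issued the value. */
function snippets_off_make_token( string $secret, int $ttl, ?int $now = null ): string {
	$expires = ( $now ?? time() ) + $ttl;
	return $expires . '.' . hash_hmac( 'sha256', (string) $expires, $secret );
}

/** True only for a well-formed, unexpired token whose signature matches. */
function snippets_off_token_valid( $token, string $secret, ?int $now = null ): bool {
	// $_COOKIE values can be arrays or arbitrary strings; reject both early.
	if ( ! is_string( $token ) || ! preg_match( '/^(\d{1,12})\.([0-9a-f]{64})$/', $token, $m ) ) {
		return false;
	}
	$expected = hash_hmac( 'sha256', $m[1], $secret );
	// hash_equals() compares in constant time.
	return hash_equals( $expected, $m[2] ) && (int) $m[1] >= ( $now ?? time() );
}

/** Issuer for the switch-off script: sets the cookie only after a passphrase check. */
function snippets_off_issue( string $passphrase, string $pass_hash, string $secret, int $ttl = 180 ): bool {
	if ( ! password_verify( $passphrase, $pass_hash ) ) {
		return false;
	}
	return setcookie( SNIPPETS_OFF_COOKIE, snippets_off_make_token( $secret, $ttl ), [
		'expires'  => time() + $ttl,
		'path'     => '/',
		'secure'   => true,     // assumes the site is served over HTTPS
		'httponly' => true,
		'samesite' => 'Strict',
	] );
}

// In wp-config.php or a must-use plugin, in place of the isset() check:
if ( ! defined( 'CODE_SNIPPETS_SAFE_MODE' ) && defined( 'SNIPPETS_OFF_SECRET' ) ) {
	define( 'CODE_SNIPPETS_SAFE_MODE', snippets_off_token_valid(
		$_COOKIE[ SNIPPETS_OFF_COOKIE ] ?? null, SNIPPETS_OFF_SECRET
	) );
}
```

The switch-off script would call `snippets_off_issue()` with a passphrase submitted by POST, so the passphrase does not end up in URLs or access logs.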

  • The topic ‘Cookie-based snippets temporary switch-off’ is closed to new replies.