WordPress Hooks, filters and actions

WordPress Hooks, filters and actions


What are wordpress Hooks

WordPress Hooks provide the ability to enhance, modify or customise a wordpress functionality by writing your own code without modifying the wordpress core code.

A WordPress Hook code can either be written directly in your themes (preferably child theme’s) functions.php or by creating your own plugin (recommended way)

Types of hooks

There are 2 types of wordpress hooks

  1. action hooks: These hooks can also be called as trigger hooks as they gets triggered based on a certain action/event. e.g. when a user registers on your site an action hook can be set up to geocode the user address and add the latitude longitude to the user_meta table.
  2. filter hooks: This hook allows to enhance or modify wordpress functionality or data e.g. it allows to use a custom template for certain post types, allows to use your custom page for lost password functionality, filter user data before displaying on browser or storing in the database.

Examples of hooks

user_register action hook: This action hook allows you to access data for a new user immediately after they are added to the database. The user id is passed to hook as an argument.

template_include filter hook: Allows to select custom template for your custom post types



List of action hooks

List of filter hooks


Creating Custom hooks for your own plugin

Creating your own custom hooks is also possible so that other developers can extend and modify it, without having to fork it.

Read more on how to create custom hooks



WordPress Custom Login page

Creating a WordPress custom login page has 2 benefits

  1. Login page can be created based on your own theme
  2. The URL for the login page would be different to the WordPress login URL. This is a good security practice provided you block the Wordpress default login page or redirect it to your custom login page.

This does not mean that you need to create your own methods to store and retreive cookies by creating your own login function. WordPress provides easy to use functions using which you can create own own plugin to create a wordpress custom login page.

So here is the sample login form

WordPress custom login page – form

Here the form action submits to a page which does the authentication part. If you have created your own plugin the page would most likely be in your plugin folder.

Here is the page which does the authentication and sets the cookie

WordPress custom login page – authentication

wp_authenticate authenticates the user. If ok wp_set_auth_cookie sets the cookie for the user


Automatic Database backups using free Sypex Dumper tool

Photo credit – williamhook2631871046

Automatic database backups can be set up very easily using a simple shell script and a cron job. However it may not be a practical solution for huge databases and the restoration process can also be difficult. There are various tools available to make this process simple. Sypex Dumper is just one of them.

What is Sypex Dumper

Sypex Dumper is a software product (PHP-script), which can help you create a backup copy (dump, export) of a MySQL database, and also restore the database from the backup file if needed. Read more and download

With this tool huge databases can be backed up and restored with very high speed using least server resources and greatly reducing the size of the database dumps.

Free version of the tool is enough to create the automatic backups. The Paid version allows to selectively restore a particular table from the entire database.

Steps to set up automatic Database Backups

Let’s assume you want to create backup of your database every day and keep the recent 30 backups on your server

Create the required job in SXD

1. Login to Sypex Dumper with your database user credentials

Setup automatic database backups using Sypex Dumper

2. Click on the Export option

3. Select the database from the Database drop down

4. Since we want to keep only the last 30 database backups add 30 in the Autodelete If number of files more than box.

5. Add some comments e.g. Last 30 backups

6. Clicking the Save button will create the backup job with the name specified

Create the shell script to execute the job

Now that the job is created we want to execute it using a shell script. Here is a sample script

Automate the script

Finally just add the above script to a cron job so that it runs once daily



MySQL archive records based on date column

Photo credit: 27892629@N04 - cc
Photo credit: 27892629@N04cc

Let’s assume you have a logs table and you want to delete the logs which are more than 1 year old.

Ideally you would like to automate this using a cron job.

MySQL Between query

Using the above query we can delete all the logs for the year 2014. However we cannot automate this query since we are providing the dates manually.


Above query deletes all the records which are older than a year. Here we do not need to provide dates. It automatically finds the records which are older than a year using NOW and INTERVAL parameters.

So let’s say you want to delete all the records which are 6 months old then the query would be

Now lets automate the process of archiving our logs table

This can be done through a number of ways.

Shell Script

A shell script can be created with above code. The script can then be added to a cron job.

MySQL event scheduler

Read more

PHP Script

Create a PHP page to run the query and then create a cron job for the PHP page

A php script is the most recommeded system in this case because deleting records does not need lot of memory and it is easier to manage the PHP Script.

WordPress XMLRPC attacks – How to prevent

Wordpress XMLRPC

What is wordpress XMLRPC

RPC stands for Remote Procedure Call. WordPress XMLRPC is a protocol which allows remote systems to communicate with WordPress. The language to communicate is XML.

With WordPress XMLRPC support, you can post to your WordPress blog using many popular Weblog Clients.

XML-RPC functionality is turned on by default since WordPress 3.5.

Brute Force Attack through wordpress XMLRPC

Attackers user system.multicall method in XML-RPC to create hundreds of request combined in a single request to attack a system i.e. mostly to guess the username and password to the system. This is called as Brute Force Amplification Attacks  via WordPress XML-RPC

How to prevent XMLRPC attack

  1. The most recommended way is to disable XML-RPC completely. To disable XML-RPC completely add following to your APACHE configuration file.
  1. Some plugins in wordpress e.g. Jetpack is based on XML-RPC. In that case it is not possible to disable XML-RPC entirely. In that case you can disable system.multicall requests through your firewall
  2. Check server logs regularly and find IPs trying to access XML-RPC. Any suspicious IP can be blocked through your Firewall or iptables. Here are some sample logs