
WordPress Hard Coded Options


In my recent “Must Use” plugins post, I mentioned that one of the plugins I use allows you to hard code options as PHP constants, rather than getting them from the wp_options database table.

In the article I said:

This small plugin takes a list of predefined config options, and then makes use of pre_option_optionname function to return the declared config option rather than looking at the database wp_options table. This is useful both from a security point of view, as we can make a set of read only options that even if they are overwritten in DB will be read from the config file, and also provides a performance boost assuming reading a static file is quicker than executing an SQL query, though the gain is minimal. It is also really handy for deployments and working on multiple servers allowing you to override certain options at a server level while sharing the same database.

A couple of people asked for more information, so I cleaned it up a bit and it’s available on GitHub.

Installation

Simply upload it to your MU-Plugins folder and it will install automatically.

Usage

If you want to set an option use:

 
define( 'WP_OPTIONS_TESTVALUE', 'test123' );

Then if you want to call an option:

 
get_option( 'testvalue' );

Notice the case change! You can also override existing options, for example:

define( 'WP_OPTIONS_ADMIN_EMAIL', 'tim@example.com' );

This will override the admin_email option.

Things to bear in mind

You are not overriding the default behaviour, simply hijacking the output. If WordPress modifies an option in the database while you have a constant defined for it, the option WILL change in the database, but the change WON’T be reflected until you remove the constant.

You may also wish to make sure you store option constants in a sensible location. If you are adding just a couple, then wp-config.php or a local config file is probably a good place. For large scale usage you might wish to store them in a separate config file and load that file into wp-config.

So how does it work?

So How does it work?

It grabs all the constants with the prefix WP_OPTIONS_ (this can be overridden by changing the content of WP_OPTIONS_PREFIX), then loops through them and adds each one to the matching pre_option_xxx filter. The class makes use of the __call function to dynamically create a method which grabs the constant and returns it. If something goes wrong it returns false, and WordPress continues on to query the DB for the option. If, however, it returns a value, it short circuits get_option and the specified value is returned. In terms of performance it doesn’t impact non-defined options, as the filter never exists for them, and for those that are defined it may, depending on setup, provide a small speed increase over reading from the database.
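The mechanism described above, as an added sketch that is not the plugin's own code: it uses closures instead of __call, and demo_hardcode_options, demo_filters and demo_db are hypothetical names. Outside WordPress it defines small stand-ins for add_filter and get_option, with a constructed "database" row, so it runs under plain PHP CLI.

```php
<?php
// Added example, not the plugin's code. Under WordPress the real filter API is
// used; under PHP CLI the stand-ins below mimic get_option()'s short circuit.
if ( ! function_exists( 'add_filter' ) ) {
    $GLOBALS['demo_filters'] = array();
    // Constructed sample "database" row: admin_email changed behind your back.
    $GLOBALS['demo_db'] = array( 'admin_email' => 'changed@example.net' );
    function add_filter( $tag, $callback ) {
        $GLOBALS['demo_filters'][ $tag ][] = $callback;
    }
    function get_option( $name, $default = false ) {
        $pre = false;
        foreach ( $GLOBALS['demo_filters'][ 'pre_option_' . $name ] ?? array() as $cb ) {
            $pre = $cb( $pre );
        }
        if ( false !== $pre ) {
            return $pre; // short circuit: the stored value is never read
        }
        return $GLOBALS['demo_db'][ $name ] ?? $default;
    }
}

// Hypothetical helper: hook every user-defined constant starting with $prefix.
function demo_hardcode_options( $prefix = 'WP_OPTIONS_' ) {
    $constants = get_defined_constants( true );
    $hooked    = array();
    foreach ( $constants['user'] ?? array() as $name => $value ) {
        // Skip other constants, the prefix setting itself, and boolean false,
        // which pre_option_* treats as "no override" (define 0 or '' instead).
        if ( 0 !== strpos( $name, $prefix ) || 'WP_OPTIONS_PREFIX' === $name || false === $value ) {
            continue;
        }
        $option = strtolower( substr( $name, strlen( $prefix ) ) );
        add_filter( 'pre_option_' . $option, function () use ( $value ) {
            return $value;
        } );
        $hooked[] = $option;
    }
    return $hooked;
}

define( 'WP_OPTIONS_ADMIN_EMAIL', 'tim@example.com' );
demo_hardcode_options();
echo get_option( 'admin_email' ), "\n";       // constant wins over the stored row
echo get_option( 'blogname', 'unset' ), "\n"; // no constant: falls through
```

The skipped boolean false case matters when you pin a setting for security reasons: a constant defined as false silently falls back to whatever is stored in the database.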

Feel free to grab and use it; any questions, give me a shout. By the way, did you know I’m running an “Advanced” WordPress workshop in Scaling and Managing WordPress? If you find this sort of plugin useful or interesting and you can get to Leeds UK on the 23rd September 2014, you should come along. For details see Scaling & Managing WordPress Workshop.
