WordPress Search Tips and Security Flaws


WordPress Search Tips

Tags: search, security, WordPress

If you want to customize WordPress’s search functionality you’ll have to scour the internet for bits of WordPress code in a post-apocalyptic wasteland of seemingly irrelevant information. Not anymore! I’ve put these chunks of code and tips below to help you customize your users’ search experience without banging your head against the wall to get things working. In some situations you may have to strangle your WordPress search for security/survival reasons, but don’t worry, we’ll cover that too.

Custom search functions

I create complex WordPress builds for small and large companies. Many web designers and developers tell you to ditch WordPress’s search capabilities for an off-site engine like Google’s, while others suggest using bloated plugins that play with your WordPress code. I personally suggest using WordPress’s search with some simple tips. Here I’ll show you how to alter your WordPress theme to make it much more powerful.

Exclude custom post types

With the introduction of custom post types in WordPress 3.0 you might need to exclude your new items from the built-in search engine. There are some extremely complicated methods we could use to do this, but the simplest method is to use the exclude_from_search property when you create the custom post type. For more information check out the WordPress Codex on creating custom post types.

This is a quick, simple, and problem free WordPress tip that will make your life much easier. Although this is the simplest way to exclude custom post types, I’ve listed an alternative method below.

    // Here we create our custom post type for feeds
    add_action('init', 'my_custom_init');

    // This is where we set our variables
    function my_custom_init() {
        $labels = array(
            'name'               => _x('Feeds', 'post type general name'),
            'singular_name'      => _x('Feed', 'post type singular name'),
            'add_new'            => _x('Add Feed', 'Feed Item'),
            'add_new_item'       => __('Add New Feed'),
            'edit_item'          => __('Edit Feed'),
            'edit'               => _x('Edit', 'feed'),
            'new_item'           => __('New Feed'),
            'view_item'          => __('View Feed Information'),
            'search_items'       => __('Search Feeds'),
            'not_found'          => __('No feeds were found with that criteria'),
            'not_found_in_trash' => __('No feed found in Trash'),
            'view'               => __('View Feed')
        );

        // Additional arguments (where we place our search exclusion)
        $args = array(
            'labels' => $labels,
            // This is where we set whether the new post type gets included in a search or not.
            // Defaults to the opposite of 'public' (so false here); set it to true to exclude the item
            'exclude_from_search' => true,
            'public'              => true,
            'publicly_queryable'  => true,
            'show_ui'             => true,
            'query_var'           => true,
            'rewrite'             => true,
            'capability_type'     => 'post',
            'hierarchical'        => true,
            'menu_position'       => null,
            'supports'            => array('title', 'editor', 'author', 'custom-fields', 'revisions', 'page-attributes')
        );

        register_post_type('feeds', $args);
    }

Search a specific post type

WordPress gives you the ability to target specific post types. Place this at the bottom of your functions.php file and you’re good to go! This is a slightly modified version of the ingenious category search exclude script that has been floating around web design blogs for a while. I’d love to give credit for this, but so many designers are claiming it that I don’t know who the original author is.

    function SearchFilter($query) {
        // Only touch the main front-end search, not admin list searches or secondary queries
        if (!is_admin() && $query->is_main_query() && $query->is_search) {
            // Insert the specific post type you want to search
            $query->set('post_type', 'feeds');
        }
        return $query;
    }
    // This hook runs before the query is executed, so only the results we asked for are fetched
    add_filter('pre_get_posts', 'SearchFilter');

We can modify this a bit to search two or more custom post types, such as podcasts along with our feeds. This is done by inserting our items into an array so WordPress can swallow the data without choking on our awesome request.

    function SearchFilter($query) {
        if (!is_admin() && $query->is_main_query() && $query->is_search) {
            // Insert the specific post types you want to search
            $query->set('post_type', array('feeds', 'podcasts'));
        }
        return $query;
    }
    add_filter('pre_get_posts', 'SearchFilter');

Search posts only

On occasion I need to shut all of my pages out of the search and search posts only. Since WordPress can take any post_type query information we throw at it, why not just tell it to search posts only?

    function SearchFilter($query) {
        if (!is_admin() && $query->is_main_query() && $query->is_search) {
            $query->set('post_type', 'post');
        }
        return $query;
    }
    add_filter('pre_get_posts', 'SearchFilter');

Search specific categories only

You can search specific categories using the same logic for the custom post type search used above. Just plug in your categories and WordPress will take care of everything you need. To get your category IDs, you’ll need to go to “Your Post’s Name” -> Categories (or chosen taxonomy name) and look for the id in the link such as http://www.ashbluewebdesign.com/wp-admin/categories.php?action=edit&cat_ID=125. If you need a more detailed explanation check out this simple post on WordPress IDs. Once again just shove this into the bottom of your functions.php file.

    function SearchFilter($query) {
        if (!is_admin() && $query->is_main_query() && $query->is_search) {
            // Insert the specific categories you want to search
            $query->set('cat', '8,9,12');
        }
        return $query;
    }
    add_filter('pre_get_posts', 'SearchFilter');

Search pages only

Sometimes what you really need is to search pages only. This can be easily done by setting your post type to page.

    function SearchFilter($query) {
        if (!is_admin() && $query->is_main_query() && $query->is_search) {
            $query->set('post_type', 'page');
        }
        return $query;
    }
    add_filter('pre_get_posts', 'SearchFilter');

Putting it all together

Taking what we’ve done with these functions, you can shove them into an array and force out some really unique search results. For instance, why not search only pages and feeds, while excluding posts?

    function SearchFilter($query) {
        if (!is_admin() && $query->is_main_query() && $query->is_search) {
            $query->set('post_type', array('page', 'feeds'));
        }
        return $query;
    }
    add_filter('pre_get_posts', 'SearchFilter');

Shutting off WordPress’s search

A really good tip I can give you is to completely shut off the search when you don’t need it. Removing the search form from your theme is not enough, because the ?s= query still works: I’ve personally used the search on websites against their will by simply plugging in http://www.yoursite.com/?s=yoursearchtermshere. Instead, feed the user a 404 error page with no results by hooking into the query from your functions.php file. This code originally comes from WPEngineer. Check out the article for a more thorough explanation.

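    function fb_filter_query( $query, $error = true ) {
        // Leave searches inside the admin area alone
        if ( is_search() && ! is_admin() ) {
            $query->is_search = false;
            $query->query_vars['s'] = false;
            $query->query['s'] = false;
            // Send the visitor to the 404 template
            if ( $error == true ) {
                $query->is_404 = true;
            }
        }
    }
    add_action( 'parse_query', 'fb_filter_query' );
    // Output nothing wherever the theme calls get_search_form().
    // create_function() no longer exists in PHP 8, and current WordPress falls back
    // to the default form when this filter returns null, so return an empty string.
    add_filter( 'get_search_form', '__return_empty_string' );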

Security Flaw – Private Page Excerpt Tip

If you set a page in WordPress to password protected you’ll notice that it won’t display an excerpt for people searching. The problem is that private pages still display an excerpt, leaving sensitive data open to potential hackers. The best thing you can do here is set the pages to password protected if the information is extremely important. The alternative would be to delete the excerpt in your WordPress search loop, so that no excerpt whatsoever appears when somebody searches. Neither method is necessarily ideal. Currently I’m searching for a method to strip private pages from the search, but I’m having trouble finding out how to do so. Please let me know if you have any leads that don’t involve a plugin.
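One way to keep private and password-protected content out of front-end search without a plugin, as an added example that is not code from the original post. It assumes WordPress 3.9 or later for the has_password query argument, and the function names mytheme_search_public_only and mytheme_hide_protected_excerpt are hypothetical.

```php
// Added example for functions.php; function names are hypothetical.

// Limit the main front-end search to published posts that have no password.
// This applies to every visitor, including logged-in users whose
// capabilities would otherwise let private items appear in their results.
function mytheme_search_public_only( $query ) {
    if ( is_admin() || ! $query->is_main_query() || ! $query->is_search() ) {
        return;
    }
    $query->set( 'post_status', 'publish' ); // drops private, draft, pending
    $query->set( 'has_password', false );    // drops password-protected (WP 3.9+)
}
add_action( 'pre_get_posts', 'mytheme_search_public_only' );

// Second layer: if a theme or plugin runs its own search query that bypasses
// the hook above, blank the excerpt of anything that is not plainly public.
function mytheme_hide_protected_excerpt( $excerpt ) {
    if ( is_admin() || ! is_search() ) {
        return $excerpt;
    }
    $post = get_post(); // current post in the search loop
    if ( ! $post ) {
        return $excerpt;
    }
    if ( 'publish' !== get_post_status( $post ) || '' !== $post->post_password ) {
        return '';
    }
    return $excerpt;
}
// Priority 99 so this runs after WordPress has generated the trimmed excerpt.
add_filter( 'get_the_excerpt', 'mytheme_hide_protected_excerpt', 99 );
```

If your search template prints the_content() instead of the excerpt, the same status check is needed on the 'the_content' filter.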
