WordPress Popular Posts 7.2: Security Enhancements, wpp.min.js Hook (Sort of)

This version patches a security vulnerability, and also introduces a new feature to grant you the ability to control when a visit is saved to the database.

Version 7.2 includes a security patch and so it’s highly recommended to update as soon as you can. Also, a new “hook” system has been implemented so users can better control when the plugin tracks a visit.

This is a small release to address a couple of issues, including a security vulnerability, and also to introduce a new feature that some of you out there have been requesting for some time now.

Arbitrary Shortcode Execution Bug

Researcher @mikemyers and the Wordfence team reached out to report a vulnerability that makes it possible for attackers to execute arbitrary shortcodes on any site running WordPress Popular Posts up to version 7.1.0 (CVE-2024-11733).

Version 7.2 fixes this issue so please update as soon as possible.

Views Tracking “Hook”

Version 7.2 also introduces a new way to control when WordPress Popular Posts should track a page view.

In the past, many users have asked questions like “how do I stop users from inflating the views count of a post?” or “is it possible to have WordPress Popular Posts ignore views from bots / web crawlers?” I really didn’t have a good answer for these, until now.

This release implements a JavaScript based “hook” that provides a way to implement some custom logic to help the plugin decide whether a view should be stored in the database. WPP’s script (wpp(.min).js) will now check for the presence of a global variable called wpp_do_request and inspect its value: if it’s equal to the boolean true then WordPress Popular Posts will proceed to track this visit, otherwise it won’t.

To see how this works in practice let’s see a couple of examples:

Preventing Users from Inflating the Views Count

Imagine for a moment that you’re holding a popularity contest on your site where the most viewed articles will be given an award / prize. Now, where there’s a contest there will also be people who will do anything to win – even cheating. And how do you win an online “most viewed” competition, you ask? You could just hit the F5 button repeatedly to artificially increase the views count. Easy as that.

Naturally this isn’t ideal for the people organizing the event. Participants who genuinely put actual effort into writing a good piece will rightfully be upset, and that’s not good for the longevity and reputation of the contest.

The script below (which you can find in full here) will keep track of the articles that someone has viewed today, and only increase the views count of an article the first time it loads for this visitor.

Note that this is a proof-of-concept, there’s no guarantee that sufficiently motivated people won’t find a way to work around it. Feel free to build upon it to make it better / harder to circumvent.

Preventing Bots from Inflating the Views Count

Another popular request is to have WordPress Popular Posts avoid tracking page views generated by bots.

The vast majority of bots out there don’t bother executing JavaScript code, since this increases the time needed to crawl a page, so their visits won’t increase the views count of your posts & pages because WPP’s script never runs. However, more advanced bots, Googlebot for example, can and will execute JavaScript code while crawling a page, which may impact the general accuracy of your views data.

The script below (which you can find here) will perform some checks to determine whether the current visitor is a bot and, if so, it’ll signal WordPress Popular Posts to not track its page view.

Keep in mind that this script is merely a proof-of-concept. Feel free to change it how you see fit.
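Since the two scripts linked above aren’t reproduced here, the following is an added example (my own code, not the plugin’s) that combines both ideas into a single wpp_do_request decision: skip visitors that look automated, and count a given post only once per visitor per day. It assumes the snippet is loaded before wpp(.min).js, that your theme exposes the post ID in a data-wpp-post-id attribute on <body> (falling back to the URL path), and it injects navigator/storage/date as parameters so the logic can be tested outside a browser.

```javascript
// Added example, not the plugin's own script: decides whether WordPress Popular Posts
// should record this page view by setting the global `wpp_do_request` to true/false.

// Constructed, deliberately small list of crawler / automation markers; not exhaustive.
const BOT_UA = /bot|crawl|spider|slurp|headless|lighthouse/i;

// Returns true when the visitor looks automated. `nav` is navigator-like (injected for testing).
function looksLikeBot(nav) {
  if (!nav) return true;
  if (nav.webdriver === true) return true;        // set by WebDriver-controlled browsers
  if (BOT_UA.test(nav.userAgent || '')) return true;
  return false;
}

// Returns true the first time `postId` is seen on `today` (YYYY-MM-DD); later calls that
// day return false. `storage` is any object with getItem/setItem, e.g. window.localStorage.
function firstViewToday(storage, postId, today, key = 'wpp_viewed_today') {
  let record = { date: today, ids: [] };
  try {
    const raw = storage.getItem(key);
    if (raw) {
      const parsed = JSON.parse(raw);
      // Only reuse the stored record if it is for today; a new day starts a fresh list.
      if (parsed && parsed.date === today && Array.isArray(parsed.ids)) record = parsed;
    }
  } catch (e) { /* corrupt or unavailable storage: treat as a first view */ }
  const id = String(postId);
  if (record.ids.includes(id)) return false;
  record.ids.push(id);
  try { storage.setItem(key, JSON.stringify(record)); } catch (e) { /* quota / private mode */ }
  return true;
}

// Combines both checks into the boolean that wpp(.min).js reads from `wpp_do_request`.
function shouldTrackView(nav, storage, postId, today) {
  return !looksLikeBot(nav) && firstViewToday(storage, postId, today);
}

// In the browser: set the global before wpp(.min).js runs (assumed load order).
if (typeof window !== 'undefined') {
  const postId = document.body.dataset.wppPostId || window.location.pathname; // assumed attribute
  const today = new Date().toISOString().slice(0, 10);
  window.wpp_do_request = shouldTrackView(window.navigator, window.localStorage, postId, today);
}
```

Both checks run client-side, so, as the post notes, they raise the bar rather than make inflation impossible.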

You may be wondering “why doesn’t WordPress Popular Posts include this bot detection script in the first place?”, and the answer to that is: it’s a losing battle. Bots are becoming smarter / more sophisticated as time goes by, even more so with technologies like machine learning / AI, and no script will catch them all. Also, keeping a bot detection script up-to-date is a whole project on its own, and I just don’t have the resources (including time) to dedicate to it.

Thoughts? Leave a comment below!