Redirecting attachment pages in WordPress

Spammers are a crafty bunch, using a variety of techniques to spread their unwanted junk. One way they do this is by submitting comments to the special pages WordPress creates for each image that has been uploaded. Spammers find these pages and submit spam. But there are ways to thwart their misdeeds!

7 Ways to Redirect WordPress Attachment Pages

Lately we’ve been using the Redirect Attachment Pages plugin, if the client does not have it available through an SEO plugin.

Adding stuff after the body tag in WordPress

Today I had to add some retargeting code to a site, and my research revealed that I needed to add it to the functions.php of the theme. No problem.


function jr_add_floodlight_retargeting() {
// Added 4/14/21 by EKB to put code on landing page for Floodlight campaign 
   if ( isset( $_GET['utm_source'] ) ) {
      if($_GET['utm_source'] == "ww") {
        ?>
         ... javascript code here ...
        <?php
      }
   }
} // end function jr_add_floodlight_retargeting
add_action( 'wp_body_open', 'jr_add_floodlight_retargeting' );

But then, my code wasn’t firing properly, and I discovered that the child theme was old enough that it didn’t have the necessary code in header.php. I found out from this article:

WordPress 5.2 action that every theme should use

Added that code to the theme’s header file, and away I went! Yay.

Spam comments on media attachment pages

One of our clients was getting spam comments on her media attachment pages, so I found this handy little plugin to make it so the attachment pages are no longer available for those kinds of shenanigans. It solves the problem nicely by redirecting each page to the media file itself.

Disable Media Pages

A similar feature is available in Yoast SEO, so if you have that plugin, you can go to SEO -> Search Appearance -> Media tab and turn on the option to Redirect attachment URLs. Sweet!

 

XML RPC in WordPress

Attackers quite frequently try to exploit xml-rpc.php, a built-in file for WordPress which provides access to external services, such as JetPack, marketing services, etc. Most sites don’t need this functionality, so it can be blocked. I found this article listing a couple of ways to do it, and it’s one of the services we’ll add to our site this year, as part of the security checkup.

Two Ways to Fully Disable WordPress XML-RPC

You have to be careful, sure that nothing is using it. I wonder if there’s a plugin already out there which helps determine if it’s being used on a site. Will check and update if I find something.

Note to self: Check out new plugin, Google Site Kit

Site Kit by Google – Analytics, Search Console, AdSense, Speed