.htaccess is a configuration file used by Apache Web Server. It is used to provide settings and extensions to the web server, such as URL rewrite and security rules.


WordPress Limits The Number of Items on a Menu

I just ran into a problem on a client site: I went to add two new items to their primary navigation. The first was was successful.  And even though clicking save said it was successful, when the Menu tool refreshed and I refreshed the live page, the second item was missing.

WordPress doesn’t actually set a limit on the number of menu items you can have. It seems like it does though, since an never never actually occurs when it stops adding them.

Some Googling turned up this issue in the WordPress Bug Tracker. Apparently when you click Save WordPress returns every menu item as a separate request variable.  When you get to 89 menu items, the number of variables being sent passes the default limit set by PHP, and menu items 90 and beyond get ignored. While the fix suggested by the bugtracker didn’t help me, the solution was easy. I just added the following line to my site’s .htaccess:

php_value max_input_vars 2000

Adding that PHP configuration variable will override the default max_input_vars limit, which causes WordPress not to receive and therefore save menu items beyond 89.

.htaccess rewrite rules that impacted the search feature on my WordPress site.

IThemes Security Plugin and Dangerous Search Queries

I’m a huge fan of iThemes Security (formerly Better WP Security).  I’m such a fan, in fact, that I use it on many of my own sites as well as the WordPress sites that I manage for my current employer.  But anyone that’s used iThemes Security knows that sometimes it’s does a little too good a job and you eventually run into false positives and unintended consequences.

Today I ran into such a situation.  I manage 4 separate WordPress sites for distributor of industrial plumbing and HVAC components.  A client who was looking for a very specific part let them know that their site was crashing when he entered it into the search bar.

That part they needed was an insert.

What do we know about the word “insert” that might explain why only that search term was causing a problem?

We know that WordPress uses a MySQL database, and we know that an insert is a type of SQL query that writes to the database.

Could it be that iThemes is being helpful, and blocking requests to the site that look like they might be trying to write to our database?

The fact that I was seeing an Apache generated error page and WordPress wasn’t even trying to handle the request suggested that the problem happened before the request was ever passed off to the CMS. So I opened the .htaccess file for one of their sites, searched for the word insert, and found the offending lines.

Update: I’ve moved the code over to GitHub.

Basically these rules cause Apache to drop requests with suspicious data in the query string. If you look closely, one of those rules includes words like request, contact, union, declare, and insert. Deleting the offending line from the .htaccess solved the problem.  I like the added protection these rules provide, so I only recommend removing them if they cause a problem.  These rules try to prevent hackers from sending malicious code to your website in the first place, so if some code in your WordPress install forgets to sanitize user data, you’re still somewhat protected.

I had to remove this rule because insert is actually the name of a product the client was selling through their site and blocking this search term could affect sales.  Before you remove these rules, weigh the pros and cons of your own situation.