This post is to quickly get a zip file online for the Free Display Widgets Plugin v4.0.0.
Display Widgets Plugin v4.0.0 Download
See “Plugin Installation” section below for how to upgrade etc…
The Display Widgets Plugin v2.6.3.1 was recently removed from the WordPress Plugin Repository for adding malicious hacking code (I was the person who reported it multiple times to the WP Plugin team). In September 2017 the WP Plugin Team decided to close the plugin permanently and downgraded the plugin to v2.05 (renamed v2.7).
If your site is running any 2.6.* version your site is compromised: see the Display Widgets Plugin Includes Malicious Code to Publish Spam on WP Sites article: I’m the David Law mentioned in the article.
The Display Widgets Plugin Repository page is closed (only the support forum remains open) and only users who already have the plugin installed can easily find the relevant v2.7 update: when the plugin is installed there’s an update to v2.7 under the WP Dashboards Upgrade page.
This means there are 200,000+ active Display Widgets users (many running malicious code!!!) with no support and no possibility of future development: no new features and no bug fixes (the 2.05/2.7 code has bugs).
The Display Widgets Plugin v4.0.0 is Born
I created a fork of the original plugin in November 2016 called the Display Widgets SEO Plus Plugin. It fixed all the bugs I found, including the broken WPML Language Plugin support, and added a lot of new widget logic features.
While I was trying to help protect Display Widgets plugin users from the low life which added hacking code to v2.6.* of the plugin I was unfairly moderated on the support forum!!!!
Being moderated is an insult and a negative mark on my reputation (my reputation is very important to me) and so I removed ALL my plugins from the WordPress Repository including the Display Widgets SEO Plus Plugin.
I plan to release an updated premium version of the Display Widgets SEO Plus Plugin (on this page, renamed to the Display Widgets Plus Plugin) AND an accompanying free version, the Display Widgets Plugin v4.0.0.
The first release is the free Display Widgets Plugin v4.0.0.
Display Widgets Plugin v4.0.0 Download
Display Widgets Plugin v4.0.0
The Display Widgets Plugin v4.0.0 is a direct upgrade to the now closed Display Widgets Plugin v2.7 from the WordPress Plugin Repository: in September 2017 version 2.6 of the plugin was closed because the current ‘owner’ (user: ‘@displaywidget’) had been caught (by yours truly) adding malicious hacking code to the plugin!
The WordPress plugin team closed the plugin, rolled the download back to v2.05 with a new version number (v2.7) and have said the plugin will never be reopened, which means it will never be updated/supported.
As it stands current users of the Display Widgets plugin can upgrade (technically downgrade) to v2.7 under their WordPress Dashboard, but the WordPress Plugin team do not want new sites installing the v2.7 plugin, they want the plugin to die off: doesn’t make sense to me, but it’s their call.
The Display Widgets plugin is a good plugin used on over 200,000 WordPress sites without major problems (had small bugs: fixed in v4.0.0) prior to the v2.6 updates and it feels wrong to end it this way, so I’ve taken the v2.05 plugin code, added bug fixes and new widget logic features.
If a significant number of people upgrade to v4.0.0 I’ll develop the code further.
To distance my new version from the hacked version I’ve jumped direct to version 4.0.0 skipping v3.0.0.
Display Widgets Plugin v4.0.0 Features
Note: when the plugin is first installed/activated by default, ‘Hide on checked pages’ is selected with no boxes checked, so all current widgets will continue to display on all pages. After activation go to ‘Appearance’ > ‘Widgets’ to set widget logic options.
By default WordPress widgets include no widget logic: when a widget is added to a widget area it loads sitewide, unless the widget area itself has widget logic (some themes include widget areas for specific sections of a site).
For example if you want a widget only to load on a specific Static Page or only on Categories the Display Widgets plugin can achieve this.
Site Section – WordPress Conditional Function
* Static Front Page – is_front_page()
* Home Page Archives – is_home()
* Category Archives – is_category()
* Specific Categories : New v4 Feature
* Posts Within Specific Categories : New v4 Feature
* Tag Archives – is_tag()
* Dated Archives – is_date() : New v4 Feature
* Author Archives – is_author() : New v4 Feature
* Search Results – is_search()
* Archives – is_archive()
* Posts – is_single()
* Static Pages – is_page() : New v4 Feature
* Specific Static Pages
* Attachment Pages – is_attachment() : New v4 Feature
* Singular Pages (Posts, Pages, Attachments) – is_singular() : New v4 Feature
* 404 Error Page – is_404()
* Custom Taxonomy Archives – is_tax()
* Custom Post Type Archives – is_post_type_archive()
* Specific Custom Post Type – via get_post_type()
* Full WPML Language Plugin support : New v4 Feature
* Basic BuddyPress Plugin support – is_buddypress() : New v4 Feature
* Basic bbPress Plugin support – is_bbpress() : New v4 Feature
The above conditional options are further extended with these conditional functions in the Premium Display Widgets Plus plugin:
* Paged Archives/Paged Comments – via is_paged() : Premium Feature
* Specific bbPress sections : Premium Feature
* Specific BuddyPress sections : Premium Feature
BuddyPress Plugin and bbPress Plugin Support : Premium Feature
Display Widgets Plus v4.0.0 (Premium version) includes support for the BuddyPress plugin and the bbPress plugin.
BuddyPress Plugin Conditional Widget Logic Functions
* ALL BuddyPress Pages – is_buddypress() : New v4 Feature
* BuddyPress Members Directory – bp_is_members_directory() : Premium Feature
* BuddyPress User Pages – bp_is_user() : Premium Feature
* BuddyPress Activity Streams Directory – bp_is_activity_directory() : Premium Feature
* BuddyPress Activity Streams Item – bp_is_single_activity() : Premium Feature
* BuddyPress Groups Directory – bp_is_groups_directory() : Premium Feature
* BuddyPress Group – bp_is_group() : Premium Feature
* BuddyPress Group Forum – bp_is_current_action( ‘forum’ ) : Premium Feature
* BuddyPress Group Forum Topic – bp_is_group_forum_topic() : Premium Feature
* BuddyPress Registration Page – bp_is_register_page() : Premium Feature
bbPress Plugin Conditional Widget Logic Functions
* ALL bbPress Pages – is_bbpress() : New v4 Feature
* bbPress User Pages – bbp_is_single_user() : Premium Feature
* bbPress Forum Archive – bbp_is_forum_archive() : Premium Feature
* bbPress Category Forum – bbp_is_forum_category() : Premium Feature
* bbPress Forum – bbp_is_single_forum() : Premium Feature
* bbPress Forum Topic – bbp_is_single_topic() : Premium Feature
* bbPress Topic Tag – bbp_is_topic_tag() : Premium Feature
Plugin Installation
You can use the built in WordPress plugin installer:
1. Go to the Display Widgets Plugin Page and download the latest Display Widgets zip file (filename display-widgets.zip).
2. Under your Dashboard go to ‘Plugins’ > ‘Add New’ : ‘Upload’ and click the ‘Browse’ button to find the zip file you just downloaded on your computer and install it.
3. Activate the Display Widgets plugin through the ‘Plugins’ menu in WordPress.
4. Under ‘Appearance’ > ‘Widgets’ each widget includes a new Display Widgets Options section.
Or you can use an FTP program like Filezilla:
1. Go to the Display Widgets Plugin Page and download the latest Display Widgets zip file (filename display-widgets.zip).
2. Extract the ‘display-widgets.zip’ file on your computer.
3. Inside the ‘/display-widgets/’ folder there’s another folder ‘/display-widgets/’.
4. Upload the second ‘/display-widgets/’ folder to the ‘/wp-content/plugins/’ directory using FTP so it reads as ‘/wp-content/plugins/display-widgets/’.
5. Activate the Display Widgets plugin through the ‘Plugins’ menu in WordPress.
6. Under ‘Appearance’ > ‘Widgets’ each widget includes a new Display Widgets Options section.
See FAQ section for upgrading from v2.05/v2.7.
Frequently Asked Questions
How to upgrade the Display Widgets Plugin v2.05/v2.7 to the new Display Widgets Plugin.
To upgrade from Display Widgets v2.05/v2.7 to Display Widgets v4.0.0.
1. Go to the Display Widgets Plugin Page and download the latest Display Widgets zip file (filename display-widgets.zip).
2. Under ‘Plugins’ > ‘Installed Plugins’ deactivate the Display Widgets Plugin v2.05/v2.7.
3. Still under ‘Plugins’ > ‘Installed Plugins’ DELETE the Display Widgets Plugin v2.05/v2.7. This won’t delete your widget settings.
4. Follow the standard Installation instructions listed earlier.
Note: You have to delete Display Widgets plugin v2.05/v2.7 before installing via the built in WordPress plugin installer, because WordPress can’t install a plugin via a zip file if the plugin already exists. It also makes sense to delete the plugin first if you plan to install via FTP because the old v2.6 plugin has malicious code, so best to start with a fresh install. If there are any problems deleting the plugin, use FTP to go to ‘/wp-content/plugins/’ and manually delete the ‘/display-widgets/’ folder.
Deactivating the Display Widgets v2.05/v2.7 (any version) won’t delete your current widget options, you can turn this plugin on/off as many times as you like and the options will remain intact. The same is true for deleting the plugin folder, in both cases your widget logic options are safely stored in the WordPress database and when you install the new plugin it will use those options.
Some widgets lack the Display Widgets options?
Old widgets created for WordPress versions pre 2.8 are quite basic in format and lack the WordPress hooks to add additional widget logic options.
This tends to be widgets which lack a multi-widget option (can’t add the same widget multiple times).
There’s no work around.
Widgets are no longer available when the Display Widget Plugin is active!
Some WordPress plugins and themes alter when widget checking starts.
Try adding this to your WordPress theme’s functions.php file or within a plugin:
add_filter( 'dwplus_callback_trigger', 'dwplus_callback_trigger' );
function dwplus_callback_trigger() {
    return 'wp_head'; // change to: plugins_loaded, after_setup_theme, wp_loaded, wp_head, or a hook of your choice
}
The above code is also commented out near the top (between lines 32 and 37) of the ‘display-widgets.php’ file under ‘/wp-content/plugins/display-widgets/’.
Edit the file and activate this code by deleting the `/*` on line 32 and the `*/` on line 37.
I’d like to hide some widget titles, is this possible?
Yes it is.
Maybe you have a WordPress site with dozens of widgets with different widget logic settings and some of them lack widget titles on the front-end: no obvious way to distinguish one widget from another on the Widget options page.
For example if you have 10 Text Widgets with empty widget titles all 10 will be listed under ‘Appearance’ > ‘Widgets’ with the Widget Title ‘Text’. This can be difficult to manage, to edit a specific widget you might have to open up all 10 Text Widgets to find the right one!
As of Display Widgets v4.0.0 you can add a ‘Hidden Widget Title’ simply by adding an exclamation mark (!) before the widget title like so.
!Hidden Widget Title
This would result in the Widget Title (!Hidden Widget Title) NOT showing on the front-end (your visitors won’t see it), but under ‘Appearance’ > ‘Widgets’ you can see the widget title.
Plugin Changelog
= 4.0.0 =
* Rolled code back to the 2.05/2.7 code base to remove 2.6 hacking code added by the `@displaywidget` user. Note, ALL 2.6 versions are problematic.
* Multiple bug fixes including fixing transients and WPML plugin support.
* Add lots of new widget logic options including BuddyPress/bbPress support.
* Added ability to hide widget titles.
* Added a custom update process using the [Plugin Update Checker library](https://github.com/YahnisElsts/plugin-update-checker).
* All updates above are by the new developer [David Law](https://profiles.wordpress.org/seo-dave/)
= 2.7 =
* The WordPress Plugin Team has permanently closed the plugin on the WordPress Plugin Repository.
* The WordPress Plugin Team made a copy of the 2.05 plugin, renamed it to 2.7 and released it as an upgrade to replace 2.6 code.
* There won’t be any more updates from the WordPress Plugin Repository, if you want updates move to v4.
= 2.6 =
* The original developer sold the plugin to [displaywidget](https://profiles.wordpress.org/displaywidget/) in May 2017.
* The new developer added malicious code to the 2.6 updates!
* Do NOT use the v2.6 updates.
= 2.05 =
* All updates below and including v2.05 were by the original developer [strategy11](https://profiles.wordpress.org/strategy11/) and are safe: v2.03 had an XSS vulnerability, so don’t use that version.
* Add “Text Domain” to the plugin header to enable translations
* Add Brazilian Portuguese translation
David Law
I would like to use your version of Display widgets on sites currently running the 2.05 v (and they may have been updated and then reupdated to 2.05)
You make it sound as if I can just delete Display widgets 2.05 & install your version 4 and WP will remember all the data in DW?
Also nowhere I have read today (this is all new news to me) is anyone talking about sites who were compromised, how do we tell? I have run my sites through the web interface at Sucuri, and they come back clean, but I wonder?
thanks for any help and insight
The Display Widgets plugin v4.0.0 is a drop in replacement for all earlier versions and will use your current settings with a few caveats (see the main article for details).
For most sites it will be install the v4.0.0 plugin and everything runs like it did before.
I would however go check each widget to be sure, there are new widget logic options so there might be better options to set and the WPML language plugin support in the old plugin didn’t work correctly, fixed in v4.0.0.
Regarding WordPress security.
If you’ve never run v2.6.* of the Display Widgets Plugin (so only ran v2.05 or earlier or the 2.7 update) your site isn’t at risk, just update to v4.0.0 and you’re good to go. I estimate 3/4s of the 200,000 active installs fall into this category (so 150,000 sites could just update). The remaining sites (estimated at 50,000 sites) COULD have other vulnerabilities AFTER updating.
Before deleting anything make a backup of your site and database and also edit the entries you plan to delete and make a copy of its contents in a text file.
By making a copy in a text file you can look through it to see what it does, if it’s just a spammy dynamic Post with links to payday loan companies etc… you might be OK, but there could be links to scripts to add more vulnerabilities to your site and those would need checking out.
If you’ve installed any of the 2.6.* versions there’s going to be at least one entry in your database that to be safe should be deleted.
It’s in the “wp_options” table: the “wp_” might be something else in your database.
You have to look through the “wp_options” table and find an entry called “displaywidgets_ids” the contents of which will be something like this:
a:1:{s:26:"__3371_last_checked_3771__";s:10:"1499359495";}
Note the 3371, that’s the ID of the dynamic Post the malicious code creates.
This doesn’t make your site vulnerable per se, but was added by the Display Widgets plugin v2.6.* and is used by the malicious code to create another database entry which includes data for a dynamic Post (presumably with ID 3371).
So rather than the hacker creating a WordPress Post or Page you could find by going to your Dashboard and looking for Posts/Pages, it’s hidden in the database.
The first warning this has occurred will probably be Google sending you a warning under Webmastertools.
I’ve not seen an example of what the database entry looks like, but apparently it mentions display widgets or displaywidgets. If I get more information I’ll post about it.
I’d look through the “wp_options” table for entries mentioning display widgets or displaywidgets and check out any you find and then delete them.
A hacker with access to your database might be able to get access to your username and password, so to be safe after cleaning the site change all usernames (if possible) and passwords including FTP, MySQL and the WordPress login password (you can’t be too paranoid).
David Law
Thank you so much for this option to get away from the original Display Widgets plugin.
I’m sad to hear that you were unfairly moderated on the WordPress support forum when you were the person trying to help protect Display Widgets plugin users “from the low life which added hacking code to v2.6.* of the plugin”.
I can well understand you would find that offensive.
Is there anywhere on the support forum where your users can complain about the unfair moderation?
Would that help a little?
Thanks for your kind words.
As far as I’m aware there isn’t a feedback process for the forum moderators etc…, but I appreciate the offer.
I took it up with the plugin team (via email) and both Mika Epstein and Samuel Wood (AKA: Otto) both agreed with the moderation which was more annoying than being moderated!
To some degree I can understand the moderator WARNING from Jan Dembowski, the moderators presumably weren’t aware of the dozen or so emails exchanged between me and the plugin team regarding the developer and a brief look at my forum posts out of context (not taking into account the Display Widgets plugin downtime and the developer going quiet for over a week) could be construed as trying to promote my plugin by bad mouthing another plugin and its developer.
Jan Dembowski then made a mistake moderating me for one comment that I still don’t understand the moderation reason for. Though since then I’ve got moderation notes about adding my name (David/David Law) at the end of comments, so maybe anything is a reason to be moderated on the forums!
I can’t give the plugin team the same benefit of the doubt, they knew how shitty the new developer was, one of them agreed the privacy issue was a problem, but didn’t care as long as the people installing the plugin had the option to read the terms and it was optin. Basically if the terms said by using this plugin you agree to become a satanist and will sacrifice your first born to the devil, that’s OK as long as it’s in the terms and optin :-)
You know what it’s like when people get a little power with no oversight, they take advantage :-(
They’ve made themselves look incompetent and petty.
David Law
This is an interesting issue where the WordPress plugin team have a policy of allowing breaches of privacy as long as the people installing the plugin had the option to read the terms and it was an optin.
I experienced this kind of problem myself in the past when I asked for help from my anti-virus software provider to clean up some horrible PUP malware that was persistently clinging to my browsers and couldn’t be deleted by normal means.
Their answer was that it was not their responsibility because I had opted in by accepting the default checkmark to download the PUP along with another piece of software.
In other words, it’s OK for software providers to do unethical things as long as the user opts in, even through ignorance and trickery. Taken to the extreme, if I agree to allow someone to murder me, does that exonerate that person of murder?
If that were true in a court of law, then there would be no issue over euthanasia.
It’s odd that an issue that wouldn’t stand up in a court of law is somehow acceptable when it comes to software downloads.
Back to your unfair moderation, it would seem that the moderators are blindly following rules, and failing to see the forest for the trees.
You have my sympathy and vote of confidence.
Hi,
I have installed version 4.0.
But after deleting or updating the hacked version I have problems with login (cookie problem) and other actions like a white site after saving a site and many more.
Is there anything else that the hacked version changed?
Sorry to hear of the problems.
In principle yes the hack could have compromised your site in other ways.
I never installed the Display Widgets Plugin v2.6.* on a live site, only tested it in Localhost, so have no examples to look at beyond the “displaywidgets_ids” example I’ve pasted below (that was from my localhost test install).
The Display Widgets plugin v2.6.* adds a database option in the “wp_options” table that looks like this:
displaywidgets_ids
a:1:{s:26:"__3371_last_checked_3771__";s:10:"1499359495";}
This in itself doesn’t cause any harm per se, but the entry and the plugin code allowed the developer to add a dynamic post into your database.
I don’t have an example of what this looks like, but understand it includes the name of the plugin “Display Widgets” and would assume it’s also in the “wp_options” table.
I’m afraid it’s a case of going through the database to see if anything stands out, for most WordPress sites the wp_options table tends to be below a few hundred entries so doesn’t take too long to look through. You are looking for anything that mentions Display Widgets or displaywidgets.
If the hacker went as far as to add one of these dynamic posts into your database there’s no reason why the entry couldn’t include other malicious code.
So basically they add a database entry which the malicious plugin (v2.6.*) uses to make a dynamic post database entry, but it could also be used to do other malicious things to your site. They could add all sorts of vulnerabilities to add backdoors.
The best advice would be to use a backup from before you installed the v2.6.* code, but that could be a backup from over 3 months ago!!!
Even though I have regular backups, if I had installed the malicious code I couldn’t go back three months (would lose important articles/comments), so would have to go with a manual security clean. I wrote a comment about what I’d do with the site’s files; now I know a little more about what the backdoor hack does I’d also go through the database looking for options related to displaywidgets (did this in my localhost test installs, found nothing).
The person/people behind the malicious code has been doing this for years, they own loads of sites related to payday loans, finance, gambling… and have been hacking sites for years (found one mentioned on the WP forums from ~4 years ago) to add SEO link SPAM (they have a very well thought out SEO link SPAM program: I’m impressed). To put things into perspective the main suspect is in his early twenties and lives in a property that was bought in December 2016 for over £750,000 and they say black hat SEO techniques don’t work anymore :-)
BTW Before doing anything I’d look through your site’s log files for errors, white screen suggests a 500 error. The logs can point you in the right direction.
If you find it difficult to access your log files you can also get WordPress to output a “debug.log” file by adding this to your “wp-config.php” file:
Download the “wp-config.php” file via FTP to your computer, edit it with a text editor.
Find this line:
$table_prefix = 'wp_';
Might not be ‘wp_’, doesn’t matter.
Below it add
define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);
when there’s errors it creates a file under:
“example.com/wp-content/debug.log” this file is publicly available (anyone can read it).
Browse through your site and check the file (can load it in a browser).
After finding and fixing the errors modify the code to:
#define('WP_DEBUG', true);
#define('WP_DEBUG_LOG', true);
#define('WP_DEBUG_DISPLAY', false);
Adding # comments out the code so it won’t run, but it’s in the file for next time (just remove the #s to check for other issues).
Also go to “/wp-content/” and delete the “debug.log” file, error notifications can be used by hackers to test for vulnerabilities, so you don’t want an easy to find log file left behind.
If you want to harden WordPress a little also add this to the “wp-config.php” file:
# Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);
This turns file editing under your Dashboard off: this assumes you don’t edit plugin and theme files under your Dashboard (which you shouldn’t do as there’s no backup).
David Law
In my DB I have the database option
external_updates-display-widgets
O:8:”stdClass”:5:{s:9:”lastCheck”;i:1506066928;s:14:”checkedVersion”;s:5: ….
When I delete this entry it will open a new one. Does Display Widgets 4.0 also use this entry? Is it now a normal entry?
Got my last reply wrong so deleted it and posted this, DOH!
The database entry “external_updates-display-widgets” is added by my own Display Widgets v4.0.0 plugin code, it’s the custom update database entry and NOT related to the hacked code from v2.6.*.
The “external_updates-display-widgets” database entry when edited will have code like this:
O:8:"stdClass":5:{s:9:"lastCheck";i:1505614069;s:14:"checkedVersion";s:5:"4.0.0";s:6:"update";O:8:"stdClass":9:{s:4:"slug";s:15:"display-widgets";s:7:"version";s:5:"4.0.0";s:12:"download_url";s:66:"https://seo-gold.com/updates/?action=download&slug=display-widgets";s:12:"translations";a:0:{}s:2:"id";i:0;s:8:"homepage";s:49:"https://seo-gold.com/display-widgets-plus-plugin/";s:6:"tested";s:15:"4.9-alpha-41379";s:14:"upgrade_notice";N;s:8:"filename";s:35:"display-widgets/display-widgets.php";}s:11:"updateClass";s:22:"Puc_v4p2_Plugin_Update";s:15:"updateBaseClass";s:13:"Plugin_Update";}
From the above (from one of my sites) it tells us my site is running
Latest Version : v4.0.0
Plugin Slug: display-widgets
Download URL: https://seo-gold.com/updates/?action=download&slug=display-widgets (latest v4.* display-widgets.zip file)
and other stuff like the plugin’s homepage (https://seo-gold.com/display-widgets-plus-plugin/) and which version of WordPress it was last tested on (4.9-alpha-41379).
The above is only used by the custom update process: mimics the WordPress plugin repository update, but checks this site for an update rather than wordpress.org.
If you delete this database entry the Display Widgets Plugin v4.0.0 will recheck for an update and add the entry back into the database: won’t cause damage doing this over and over again, so when doing a security clean it’s OK to delete this.
If that’s the only entry related to the Display Widgets plugin after an update and a check through the “wp_options” table it sounds like your “wp_options” table is clean.
When cleaning a Display Widgets hacked site look for
displaywidgets_ids
a:1:{s:26:"__3371_last_checked_3771__";s:10:"1499359495";}
Delete this entry
displaywidgets_options
a:1:{s:18:"enable_geolocation";b:1;}
Delete this entry
The “displaywidgets_ids” entry is part of the hacking process, alone it won’t cause harm, but it’s not needed.
The “displaywidgets_options” entry is the on/off option from the main Plugins page the developer added to get over the privacy issues. This isn’t part of the hacking code, but again it’s not needed so can be deleted.
If anyone has examples of what the database entries are for the dynamic Post, LMK. The only info I have on this (these) entries (I don’t know if it’s one or several) is they include a reference to display widgets (mentioned in a WordPress Trac ticket), but no one has posted an example.
Consider I’ve not secured a site that’s been hacked by the Display Widgets v2.6.* code, so I’m having to make assumptions, I don’t know how sophisticated the hacker(s) is/are.
This is what I’d do:
Delete the Display Widgets Plugin v2.6.*
Install Display Widgets Plugin v4.0.0 (no rush to do this part, this will replace the bad version with a good one).
Look through the “wp_options” table for entries mentioning “Display Widgets”, “displaywidgets”, “display-widgets” or similar (the “external_updates-display-widgets” is safe, but edit it and check it against what I posted earlier to be 100% safe and it’s OK to delete it during a security clean).
If you haven’t been fully hacked you’ll find two entries “displaywidgets_ids” and “displaywidgets_options”, delete them.
If you’ve been fully hacked you’ll find at least one more entry (I don’t know its name), edit this, make a copy of its contents inside a text file for later analysis, delete this entry. IMO it’s important to make a copy of what’s in this entry, it could lead you to other vulnerabilities added by the hacker, if you skip this step you are cleaning a site blind. If you find references to scripts in the database entry a little research could indicate what they do and save a lot of hassle cleaning future hacks.
The hacker naming the database entries “displaywidgets_ids” and “displaywidgets_options” has made finding them easy, a little on the lazy/sloppy side, could have gone with something obscure or similar to legitimate entries making them harder to find. If they’ve been as sloppy on the actual dynamic Post entry it will be easy to find.
If you do find an entry with link SPAM (payday loan links for example) I would do a full security audit and follow the instructions in a comment I made at How to Clean a Hacked WordPress Site.
Sorry about the confusion in the previous (deleted) comment, only recently started working with the update code and didn’t realise it had the name “external_updates-display-widgets”.
David Law
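The “wp_options” check described in the two replies above (looking for “displaywidgets_ids”, “displaywidgets_options” and anything else that mentions Display Widgets), as an added example that is not part of the original post or the plugin's code: a Python triage over exported (option_name, option_value) rows that decodes PHP-serialized values offline instead of passing them to unserialize(). The sample rows are constructed; the verdict labels, the `UPDATE_HOST` check and the `zz_constructed_placeholder` row are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

MENTION = re.compile(r"display[\s_-]?widgets", re.I)
UPDATE_HOST = "seo-gold.com"  # assumption: host of the download_url quoted on this page

def php_parse(buf, pos=0):
    """Parse one PHP-serialized value at pos and return (value, next_pos).
    Objects become plain dicts, so nothing is instantiated (unlike unserialize())."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                               # N;
        return None, pos + 2
    if tag in (b"b", b"i", b"d"):                 # b:1;  i:42;  d:0.5;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode()
        if tag == b"b":
            return raw == "1", end + 1
        return (int(raw) if tag == b"i" else float(raw)), end + 1
    if tag == b"s":                               # s:LEN:"bytes";
        colon = buf.index(b":", pos + 2)
        start = colon + 2
        end = start + int(buf[pos + 2:colon])
        if buf[end:end + 2] != b'";':
            raise ValueError("string length does not match its data")
        return buf[start:end].decode("utf-8", "replace"), end + 2
    if tag in (b"a", b"O"):                       # a:N:{..}  O:LEN:"Class":N:{..}
        out, cpos = {}, pos + 1                   # cpos: the ':' before the count
        if tag == b"O":
            colon = buf.index(b":", pos + 2)
            name_end = colon + 2 + int(buf[pos + 2:colon])
            out["__class__"] = buf[colon + 2:name_end].decode()
            cpos = name_end + 1
        brace = buf.index(b"{", cpos)
        pos = brace + 1
        for _ in range(int(buf[cpos + 1:brace - 1])):
            key, pos = php_parse(buf, pos)
            out[key], pos = php_parse(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise ValueError("unterminated array or object")
        return out, pos + 1
    raise ValueError(f"unknown type tag at offset {pos}")

def parse_option(value):
    """Decode an option_value, or return None when it is not PHP-serialized."""
    buf = value.encode("utf-8")
    try:
        parsed, end = php_parse(buf)
    except (ValueError, TypeError, RecursionError):
        return None
    return parsed if end == len(buf) else None

def triage(rows):
    """rows: (option_name, option_value) pairs -> list of (name, verdict, detail)."""
    findings = []
    for name, value in rows:
        if not (MENTION.search(name) or MENTION.search(value)):
            continue
        data = parse_option(value)
        if name == "displaywidgets_ids":
            hits = []
            for key, ts in (data.items() if isinstance(data, dict) else []):
                m = re.match(r"__(\d+)_last_checked_", str(key))
                ts, when = str(ts), "?"
                if re.fullmatch(r"[0-9]{1,10}", ts):   # Unix time -> UTC date
                    when = datetime.fromtimestamp(int(ts), tz=timezone.utc).date().isoformat()
                hits.append(f"post {m.group(1) if m else '?'} checked {when}")
            findings.append((name, "v2.6-indicator", "; ".join(hits) or "unparsed"))
        elif name == "displaywidgets_options":
            findings.append((name, "v2.6-indicator", "2.6 on/off toggle, not needed"))
        elif name == "external_updates-display-widgets":
            update = data.get("update") if isinstance(data, dict) else None
            url = update.get("download_url", "") if isinstance(update, dict) else ""
            ok = str(url).startswith(f"https://{UPDATE_HOST}/")
            findings.append((name, "expected-v4-updater" if ok else "review", str(url)))
        else:
            # Unknown entry: keep a copy of the value for analysis before deleting.
            findings.append((name, "copy-then-review", "save the value before deleting"))
    return findings

# Constructed sample export of wp_options. The two displaywidgets_* values are
# the ones quoted on this page; the updater value is trimmed from the quoted
# one; the last row is a placeholder, not a known indicator.
SAMPLE_ROWS = [
    ("siteurl", "https://example.com"),
    ("displaywidgets_ids",
     'a:1:{s:26:"__3371_last_checked_3771__";s:10:"1499359495";}'),
    ("displaywidgets_options", 'a:1:{s:18:"enable_geolocation";b:1;}'),
    ("external_updates-display-widgets",
     'O:8:"stdClass":2:{s:14:"checkedVersion";s:5:"4.0.0";s:6:"update";'
     'O:8:"stdClass":2:{s:4:"slug";s:15:"display-widgets";s:12:"download_url";'
     's:66:"https://seo-gold.com/updates/?action=download&slug=display-widgets";}}'),
    ("zz_constructed_placeholder", "text that mentions Display Widgets"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(" | ".join(finding))
```

The date decoded from the “displaywidgets_ids” value gives a rough marker for when the 2.6 code was last active on the site, which helps when choosing a backup to compare against.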
David,
Thank you very much for your hard work on this. I am currently helping a friend out who did update to the 2.6x version of the plug in. I do have a complete site back up from before the malicious code was installed, through Back Up Buddy. If I restore this back up, will there be any more concern of backdoors/vulnerabilities? Sorry if this seems like an ignorant question.
Also, I will be testing out your fork of the plugin, thank you so much for all the hard work put into this.
Best,
Esteban
Is there another place for support on your new Display Widgets v4?
I removed the 2.05 Display Widgets and replaced with Display Widgets v4, everything that was in there migrated fine.
But in trying to add new OIO ads, they are not showing up as they would with the original version. We are perplexed and need assistance.
I would like to continue this in an email exchange if possible, and I am willing to pay for support. Thank you.
~bobbi
I’m not familiar with the OIO Publisher Plugin and it’s a premium plugin so not easy to access the code (for free) to check what it does, time for some guess work :-)
Did a little research and on one of the tutorial pages regarding theme support found:
That suggests the plugin hooks into ‘wp_head()’ and ‘wp_footer()’.
The original Display Widgets Plugin author (Steph Wells) added some work around code for when themes/plugins interact with the widgets and stop the Display Widgets plugin from working normally.
See the FAQ: Widgets are no longer available when the Display Widget Plugin is active!
add_filter( 'dwplus_callback_trigger', 'dwplus_callback_trigger' );
function dwplus_callback_trigger() {
return 'wp_head'; // change to: plugins_loaded, after_setup_theme, wp_loaded, wp_head, or a hook of your choice
}
Since you’ve been running Display Widgets v2.05 (I assume for a while) you might have already implemented this fix previously, but in my Display Widgets Plus code I changed some function names to avoid conflicts with the Display Widgets plugin and in hindsight, I probably shouldn’t have changed the function above from ‘dw_callback_trigger’ to ‘dwplus_callback_trigger’.
If you’ve implemented this fix (probably in your theme’s functions.php file or you might have modified the Display Widgets v2.05 code) your code will have three instances of ‘dw_callback_trigger’ which need changing to ‘dwplus_callback_trigger’.
Consider the above is guess work, your issue might have nothing to do with the above.
You could also do a quick test and edit the v4.0.0 ‘display-widgets.php’ file to activate the code above, remove /* on line 32 and */ on line 37.
This will change when the Display Widget plugin activates, with the code above it will activate with ‘wp_head’, if that doesn’t work try modifying line 35 as well:
return 'wp_head'; //plugins_loaded, after_setup_theme, wp_loaded, wp_head
Test the list of hooks one by one by changing line 35 to the code below.
#Triggers with wp_head
return 'wp_head';
#Triggers with plugins_loaded
return 'plugins_loaded';
#Triggers with after_setup_theme
return 'after_setup_theme';
#Triggers with wp_loaded
return 'wp_loaded';
These basically change when the plugin activates, if another feature (theme/plugin) is changing the widgets before the Display Widgets plugin activates this should fix it.
If this doesn’t fix it the next step would be to downgrade to a fresh copy of the v2.05 code from https://downloads.wordpress.org/plugin/display-widgets.2.05.zip to see if the original plugin works or not with the OIO Publisher Plugin.
If a fresh copy (it’s important to test with the zip file above, that’s the original 2.05 code from 3 years ago) of the old plugin works it means something I’ve changed has resulted in an incompatibility: could be the OIO Publisher plugin’s developers are aware of an issue (they’ve been developing the code for over 5 years), added a fix, but my changes have resulted in the fix not working.
If the fresh zip file doesn’t work (same result as the 4.0.0 code) that strongly suggests you’ve implemented a code fix in the old plugin code: easy to forget fixes from years ago, I do it all the time :-)
Regarding premium support, wasn’t planning on offering paid support per se, I’ll be releasing a premium version of the plugin soon (Display Widgets Plus) for $20.
I activated the “Subscribe to Comments Reloaded Plugin” last night, if you subscribe to comments the notifications will have my email address within. I prefer to keep support in the comments, the answers help other users and I use a couple of custom plugins (will be releasing as premium plugins in the future) which output long comments like this one that Google can index and rank: this comment will generate Google traffic related to “OIO Publisher Plugin Compatibility with Display Widgets Plugin v4.0.0”.
David Law
DW v 2.05 worked flawlessly, no theme issues or any changes to make it so were necessary – we have been using the original DW and same theme since day one.
So I am assuming something in your code changes to v4 is what is causing the OIO to not work now.
I found a GitHub version DW 2.05 from Steph and may just add that back in.
We are also working on some things in OIO to see if that can address this issue.
Thank you for your support,
but a lot is a bit over my head at the moment, I will try the first suggestion sometime tomorrow.
thank you very much for your time
Thank you so much for this!
Especially the easy-to-follow instructions and taking care of the whole thing. You’re awesome!
Hi David,
Thanks for cleaning up this plugin, you’re a legend!
I’m just doing a migration test on my dev server and I’m having a strange issue.
Hide On Ticked and Show On Ticked are reversing.
So basically anything that says Hide On Ticked shows on the selected pages, cats etc.
And vice versa.
Do you have any idea why this would be happening?
Thanks in advance
Nik
Hi David,
First of all, let me congratulate you for the fantastic plugin you took over (and continue to maintain); It’s completely part of my website, and I probably wouldn’t be able to run it without this plugin.
I was using Display Widgets SEO Plus (v 3.0.0) until today, when I realized that Display Widgets (v 4.0.0) was the new thing. So I updated to Display Widgets (v 4.0.0) and everything’s still working smoothly! I just wanted to know whether it is safe to delete Display Widgets SEO Plus (v 3.0.0), since Display Widgets (v 4.0.0) replaces it, and is the reference for displaying/hiding widgets.
Thanks for your answer!
Hey everyone!
I wanted to share an issue I came across while using the “Display Posts” plugin. It seems like I’ve encountered a critical bug related to using get_option() to fetch widget settings.
Here’s the error message I spotted on my site:
A PHP fatal error occurred while validating the URL. This may indicate either a bug in theme/plugin code or it may be due to an issue in the AMP plugin itself. The error details appear below. If you are stuck, please search the support forum for possible related topics, or otherwise start a new support topic including the error message, the URL to your site, and your active theme/plugins. Please include your Site Health Info.
Uncaught Error: Object of class AMP_Validation_Callback_Wrapper could not be converted to string in /home//domains/domain.com/public_html/wp-content/plugins/display-widgets/display-widgets.php:348
Stack trace:
#0 /home//domains/domain.com/public_html/wp-content/plugins/amp/includes/validation/class-amp-validation-callback-wrapper.php(144): DWPlugin->sidebars_widgets(Array)
#1 /home//domains/domain.com/public_html/wp-includes/class-wp-hook.php(324): AMP_Validation_Callback_Wrapper->__invoke(Array)
#2 /home//domains/domain.com/public_html/wp-includes/plugin.php(205): WP_Hook->apply_filters(Array, Array)
#3 /home//domains/domain.com/public_html/wp-includes/widgets.php(1043): apply_filters(‘sidebars_widget…’, Array)
#4 /home///domains/domain.com/public_html/wp-content/plug
Location: /home//domains/domain.com/public_html/wp-content/plugins/display-widgets/display-widgets.php:348
Based on my analysis, it appears that the problem is originating from this line of code:
$instance = get_option( 'widget_' . $id_base );
The issue is that this error might be causing compatibility problems with other plugins or the latest WordPress version. I’ve already tried a few troubleshooting steps like updating plugins and themes, but the error persists.
I wanted to share this problem with fellow users in the hope that someone might have an idea to resolve it. Perhaps you could assist me?
Huge thanks in advance for any help or insights you can provide! Your guidance would be greatly appreciated.
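The error class reported in the comment above, reproduced as an added example (not the plugin's own code and not part of the original comment): concatenating an object that has no __toString() into an option name throws on PHP 7.4+, and a type check before building the name avoids it. The classes and helper functions below are hypothetical stand-ins, and the assumption is that $id_base is derived from the registered widget callback.

```php
<?php
// Constructed stand-in for a third-party wrapper that replaces a registered
// callback with an invokable object that has no __toString().
final class Example_Callback_Wrapper {
    private $inner;
    public function __construct( callable $inner ) { $this->inner = $inner; }
    public function __invoke( ...$args ) { return call_user_func_array( $this->inner, $args ); }
}

// Constructed stand-in for a WP_Widget instance.
final class Example_Widget {
    public $id_base = 'text';
    public function display_callback() {}
}

// Hypothetical helper: return a string id_base for a callback, or null when none can be derived.
function example_resolve_id_base( $callback ) {
    // Classic widget callback: array( $widget_object, 'display_callback' ).
    if ( is_array( $callback ) && isset( $callback[0] ) && is_object( $callback[0] )
        && isset( $callback[0]->id_base ) && is_string( $callback[0]->id_base ) ) {
        return $callback[0]->id_base;
    }
    // Closures and wrapper objects cannot be concatenated into an option name.
    return null;
}

function example_option_name( $callback ) {
    $id_base = example_resolve_id_base( $callback );
    return null === $id_base ? null : 'widget_' . $id_base;
}

$callbacks = array(
    'classic' => array( new Example_Widget(), 'display_callback' ),
    'closure' => function () {},
    'wrapped' => new Example_Callback_Wrapper( array( new Example_Widget(), 'display_callback' ) ),
);

foreach ( $callbacks as $label => $callback ) {
    $name = example_option_name( $callback );
    echo $label, ': ', null === $name ? 'skipped (no string id_base)' : $name, PHP_EOL;
}

// Unguarded concatenation raises the same kind of Error as in the stack trace (PHP 7.4+).
try {
    $name = 'widget_' . $callbacks['wrapped'];
} catch ( Error $e ) {
    echo get_class( $e ), ': ', $e->getMessage(), PHP_EOL;
}
```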