semwired

Restrict access to users on WordPress

Have you ever thought of make some content of your WordPress blog available only to certain users? Do you need to restrict access only to a certain type of users to selected blog pages or post? Ever thought of create a reserved area for registered users on your WordPress blog?

Some time ago, while working on a client’s project with a*dult content, I came up with the idea of restricting access only to a certain type of users. This would have avoided any problem with underage visitors. The thing was that he only wanted to use WordPress, because it was the only content management system it was familiar with.

So I started thinking how this could be sorted out. Actually WordPress does not come out of the box with such a feature. What we needed was some sort of plugin able to distinguish between users according to some extra information.

The issue was promtly solved with two different plugins:

• Disclose Secret allows to restrict access to certain pages or posts only to users complying with certain criteria.
• Cimy Extra Fields for WordPress makes some more data available for any users. This extra fields can be used to distinguish in between differents types of users therefore setting up specific access to content

With these two plugins we can manage access to any type of content for any type of users, even feeds, archieves, homepages and search results.

WordPress is indeed versatile and fully customizable. However, if you really want to create reserved areas for users with a secured login procedure, there’s plenty of CMS out there which can do this job pretty well, even through a SSH connection.

Still, if you just want to make sure that you blog is read only by the right people, this might be the best option: simple, easy to deploy and safe enough.

Have you ever wondered of being able to see visitor’s IP addresses with Google Analytics?

It’s actually posssible. It’s an old trick but it works pretty well…

Actually I can think of enough scenarios in which to apply this one:

• we want to track competitors visitors
• we want to exclude our own ip address from reports
• we have to exclude several different ip address on an internal network
• we want to find out who’s posting spam on our blog’s comments
• many more…

1. Getting to know custom filters

The weirdest thing though is that we can easily filter ip with custom filters. While creating a custom filter we can set up the IP address as a parameter… even if Google hides it from us.

When creating a custom filter (click on Filter Manager, then Add Filter and from the drop-down menu select Custom Filter) we have to choos the first parameter (Field A -> Extract A) to which makes our filter work. The IP address option is hidden.

2. Hide & Seek

If we’re clever enough to take a peak into the source coude on line we’ll find this on line 76:

<option value="30">Visitor Flash version</option>
<option value="31">Visitor IP Address</option>
<option value="32">Visitor Geographical Domain</option>

The chance to track IP address it’s right there, but to use it we have to write the line down in the drop-down menu… Anyway. It does not work, but we can sort it out anyway.

Back in 2006 someone found this out, then Google quickly patched it.

Still there’s some way to get what we’re looking for.

3. Gotcha!

Giving the right variable to track to the _trackPageview() call we can store all the visitors IPs.

The PHP code would look like this:

pageTracker._setVar("<?php echo $_SERVER['REMOTE_ADDR'];?>");

…it works!

There’s only a problem: it is not legal. According to Google Analytics Terms of Service:

7. PRIVACY . You will not (and will not allow any third party to) use
the Service to track or collect personally identifiable information of
Internet users, nor will You (or will You allow any third party to)
associate any data gathered from Your website(s) (or such third
parties' website(s)) with any personally identifying information from
any source as part of Your use (or such third parties' use) of the
Service. You will have and abide by an appropriate privacy policy and
will comply with all applicable laws relating to the collection of
information from visitors to Your websites. You must post a privacy
policy and that policy must provide notice of your use of a cookie that
collects anonymous traffic data.

It’s a silly restriction honestly. Everyone is still able to parse is own server logs and find out who is who. On the other hand it shows Google’s care for privacy of his users and all internet users. It definetely makes a point for them.

Anyway, it’s a neat trick and still it’s worth to talk about it for the sole purpose of spreading some “hacking” mentality to people working in analytics and marketing.

Disclaimer

This technique is a violation of Google Analytics Terms of Service. This technique might result in Google suspending your account or even worse. I reject any responsability for any consequence of this. This post is intended only for educational purpose.

I don’t mean to break any rules (neither want anybody to do that because of this post) but playing around with code can lead us to interesting discoveries, making us more aware of the tools we use everyday rather than being just simple users… it’s just up to you.

This is a good example on how versatile Analytics is. If someone though putting out Analytics would have been only to get on a massive amount of date (even if users are allowed to keep their statistics out of Google’s sight), I guess it just a great added value to Google’s brand as it’s getting closer to other big analytics names like Webtrends or Nedstat.

Anyway, this article explains in depth how to start tracking article campaigns on Analytics. Since sending press releases around has become a standard practice in web promotion strategy, this one will help you out in case you need to get exact figures about that traffic.