[Event] Berlin Hack & Tell #61 – “Revolutionary May Hacks” – 30 May 2018

On my first visit of c-base Raumstation I had the pleasure to participate at Berlin Hack and Tell and present a 5 min demo of the project dyke.tech with the code hacks. The event itself was great, there were lots of interesting projects, each with totally different purpose and technology used, but nevertheless innovative and well thought out. Soon the list of all presented projects will be available at berlinhackandtell.rocks.

Here are some of the hacks I have presented in those 5 minutes that included the presentation of the project itself.


Each level in the challenge is implemented as password protected WordPress page with custom form


add_filter('the_password_form', 'custom_password_form');

function custom_password_form()
    global $post;
    $label = 'pwbox-'.(empty($post->ID) ? rand() : $post->ID);

    $custom_form = '';

    // level 1
    if (is_page(999)) {
        $custom_form .= '<!-- EDITED -->';
        $custom_form .= '<h2>Password is hidden</h2><div class="row justify-content-center"><p class="tip col-8">Find it on this website.</p></div>';
    /* ... */   
    return $custom_form;

When a password is submitted, by default a cookie is set and it expires in 10 days

This is defined in wp-login.php and it does not work well with next levels as it would show the error on the next page as the value of the cookie would not be correct. Therefore a filter was added in functions.php file of the theme to override the default setting.

function dyke_post_password_expires() {
    return time() + 1; // Expire in a second

add_filter( 'post_password_expires', 'dyke_post_password_expires' );

WordPress automatically completes the slugs

For example level01 gets resolved in level01-9975280837471640. To disable the autocomplete I needed to remove the filter in functions.php.

remove_filter('template_redirect', 'redirect_canonical');

Disable access via Post ID

As WordPress pages can not be accessed only thorugh permalink, but also with post ID e.g. /?p=<NUM> a redirect in .htaccess needed to be added:

RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} ^p=(\d+)
RewriteRule .* - [F]

These were the most interesting and surprising hacks I needed to implement on this project. There were a couple more, but I ran out of the time to present them at the event. So if you like web technologies go to dyke.tech and try to solve all nine tasks!