Incapsula is a very nice service. I use it on many sites. And they like WordPress enough to make an official plugin so you can just install and activate it to still being able to retain your visitor’s real IP instead of Incapsula’s proxy when you’re using their service.
But after latest update to the Incapsula WordPress plugin I get curious about the changes on the new version (because they don’t put any information about updates on changelog :( ). And then I found that only very few changes was made and some of them are only for debugging purposes…
And while watching that, I also found that the method used to place Incapsula plugin at the top of execution cycle to allow all other plugins to obtain real user IP is a very unfriendly one, and not following WordPress’s standards in any way!
Let’s take a look to that code:
/**
* Makes the pluging run first in order.
*/
function this_plugin_first() {
// ensure path to this file is via main wp plugin path
$wp_path_to_this_file = preg_replace('/(.*)plugins\/(.*)$/', WP_PLUGIN_DIR."/$2", __FILE__);
echo('this_plugin_first');
$this_plugin = plugin_basename(trim($wp_path_to_this_file));
$active_plugins = get_option('active_plugins');
$this_plugin_key = array_search($this_plugin, $active_plugins);
if ($this_plugin_key) { // if it's 0 it's the first plugin already, no need to continue
array_splice($active_plugins, $this_plugin_key, 1);
array_unshift($active_plugins, $this_plugin);
update_option('active_plugins', $active_plugins);
}
}
add_action("activated_plugin", "this_plugin_first");WTF! So it seems that people at Incapsula thinks that the best way to ensure their plugin is running before any other is to “poke” the active_plugins record on the database when the plugin is activated… I’m sorry but, no thanks, I dont want you to poke my database for this.
I think there is a much friendly way and complies with WordPress standards, above code can be replaced by this line:
add_action("init", "Incapsula_IP",-1000000);This way we simply hooked the responsible code for getting the real IP from HTTP headers (I put it in a new function called ‘Incapsula_IP’) to the ‘init’ hook with a priority high enough (insanely high maybe it’s more accurate) to run before any other (normal) plugin.
The only downside for this method would be to have another plugin in your WordPress with an even higher priority. But I bet that it’s pretty difficult you to have another plugin managing IP data in a higher priority… And for me at least is a minor risk that I can accept better that poking the database for something like this.
I have tested my modified Incapsula plugin for two weeks and all goes ok. So If you want to try this custom version of WordPress Incapsula plugin, simply download it and overwrite the one you have installed.
And by the way, if someone at Incapsula read this, feel free to apply this change to your plugin if you like :)
Updated! 24-09-2013: I’m very happy to see that Incapsula’s team have adopted my fix to their WordPress plugin and even added the changelog to the plugin! Thank you guys! ;)