Bug #9340


change the web preview?

Added by Marilyn Weber over 4 years ago. Updated over 4 years ago.

Priority name:
Category name:
WordPress Plugins
Target version:
Start date:
Due date:
% Done:


Estimated time:


user Michelle Zimmer asks
"Any idea how I can change the web preview (like on FB)? When I paste the link to my site (, it says, "THE BRONX WAS BREWING" and the pic is there, but underneath it reads

/* Prevent direct access to this file */ if (!defined('ABSPATH')) { exit( __('Sorry, you are not allowed to access this file directly.', DFCG_DOMAIN) ); } ?>"


Actions #1

Updated by Boone Gorges over 4 years ago

  • Assignee set to Raymond Hoh

Ray, could you have a look at this? I think there are two issues here:

1. Why is an unrendered PHP template showing up here? This seems like a fairly serious problem, maybe a security issue.
2. Is it possible/easy for us to allow users to customize these previews? I think it'd mean using a plugin like

Actions #2

Updated by Raymond Hoh over 4 years ago

1. It's because the site is using a custom frontpage in the WP admin dashboard's "Settings > Reading" page. When this occurs and you visit the homepage, WordPress adds some meta to the <head> element, allowing for it to be discovered via oEmbed:

<link rel="alternate" type="application/json+oembed" href="JSON OEMBED URL HERE" />
<link rel="alternate" type="text/xml+oembed" href="JSON OEMBED URL HERE" />

When copying and pasting the website's link into the TinyMCE editor and how WordPress oEmbed discoverability is always enabled, it will render the contents of that oEmbed response.

I'm not getting an unrendered PHP template on my end. I'm actually getting the rendered <iframe>. Tested in a forum post and on a WordPress post on the Commons. I might be getting the iframe because I'm an admin though. Haven't tested on a regular user account yet Tested on a regular user account on a forum post and I'm not seeing the iframe as expected.

Does anyone have any steps to duplicate the Prevent direct access to this file response?

2. We can't easily allow the oEmbed response to be customized on a per-site basis.

I think the easiest thing would be to disable the oEmbed <head> additions when using a static frontpage as this would avoid confusion like this ticket has shown.

Actions #3

Updated by Raymond Hoh over 4 years ago

Marilyn, can you ask Michelle where she is pasting the link into?

Is she pasting the link somewhere on the Commons or into another site such as Facebook. If it is the latter, then using something like a Facebook Open Graph plugin could be a way to address this.

Some steps to duplicate would be great.


Actions #4

Updated by Boone Gorges over 4 years ago

Thanks for looking into this, Ray!

Actions #5

Updated by Marilyn Weber over 4 years ago

She replies "It was FB for sure and I think Twitter."

Actions #6

Updated by Raymond Hoh over 4 years ago

  • Category name set to WordPress Plugins
  • Target version set to 1.12.10

Okay, so Boone was correct that we'll have to install some form of Open Graph plugin.

The one that Boone linked to is highly-rated, so we'll probably add that one to the Commons for our next maintenance release, scheduled for mid-March.

Actions #7

Updated by Boone Gorges over 4 years ago

  • Status changed from New to Resolved

Plugin installed in

Marilyn, could you please let the user know that they'll be able to activate this plugin and use it to modify the appearance of these cards. See, step 3. If there are issues, please report them back.


Also available in: Atom PDF