Solved: WordPress wp_insert_post problem with post_status and tax_input keys

wp_insert_post is the WordPress functions used to create new post. I used the function to create a plugin with a front end to allow anyone (anonymous users) to create posts. The function appeared to ignore several documented parameters. wp_insert_post would create the post but would not set the Category and Tags fields when anonymous users ran the code. The offending code:

$post = array(
	'post_title'    => $title,
	'post_name'     => $slug,
	'post_author'   => $poster_id,
	'post_content'  => $content,
	'post_type'     => 'music',
	'post_status'   => 'publish',
	'tags_input'    => $tags,
	'tax_input'     => array('genre' => $term)
);
$new_post_id = wp_insert_post($post);

It turns out that the post_type and tax_input keys only works if you user running the code is an administrator. If the user is not an administrator then all subsequent keys after the offending key will be ignored. To solve this problem, use wp_publish_post and wp_set_object_terms functions instead of using post_status and tax_input keys, respectively. These functions will work properly regardless of users’ permissions.

This code will allow anonymous users to create and publish posts:

$post = array(
	'post_title'    => $title,
	'post_name'     => $slug,
	'post_author'   => $poster_id,
	'post_content'  => $content,
	'post_type'     => 'music',
	'tags_input'    => $tags
);
$new_post_id = wp_insert_post($post);
wp_set_object_terms( $new_post_id, array($term), 'genre' );
wp_publish_post( $new_post_id );

If you omit the wp_publish_post then the post’s status is subject to the current user’s permissions (Reference). Anonymous users will create pending posts.

This behavior is not undocumented in the codex. Additionally, the behavior seems to be unintended. The function fails ungracefully by simply breaking when a permissions error is encountered rather than processing the remaining keys.

ARP Cache Poisoning Defense

Last summer I attended the US Cyber Challenge Conference in Virginia. I was in the hotel room getting ready for a week of exciting security courses. The WiFi was unbearably slow but I attributed that to the masses of other conference goers downloading OS images needed for the morning classes.

The morning class was Packet Crafting with Scapy, a powerful packet manipulation tool for Python. I was refreshing my Wireshark skills for the morning class and noticed something odd — there was a flood of constant ARP traffic. Someone was poisoning my ARP cache and intercepting all of my web traffic. This was my first up-close and personal introduction to ARP Poisoning.

That experience inspired me to write a personal ARP Defense script. The script monitors a computer’s ARP table and notifies the user when an Attack is detected. The script can be found here. Additional information on ARP Poisoning can be found at arppoisoning.com.