Posts Tagged ‘wordpress blog’

How to Secure Your WordPress Website

Running a WordPress website is one of the easiest ways to run a high-quality, free content management engine, but since millions of other websites run the same software, there are lots of bad guys out there who would like nothing more than to break into yours. So how do you stop them? In this article I’ll examine some processes your blog should implement to ensure it’s more secure than the ‘out of the box’ version of WordPress.

Basic Security

Plugin Directory

Step One of any WordPress security installation is to hide the contents of the plugin directory. By default, WordPress ships with the directory exposed (it can be found by typing http://[yourwebsite]/wp-content/plugins/), and this allows the bad guys to see what plugins you’re running and possibly take advantage of them. To solve this, simply upload an empty file named index.html or index.php into the base plugin directory. Another very easy way to do this for your entire WordPress site is to add Options -Indexes to your .htaccess file. This tells your web server never to list directory contents.

Quick Note: .htaccess files are funny things, they don’t have a filename in the traditional sense so when you download them, all you download is the extension (filename.extension). This can make working with them tough. What I like to do is rename the file -.htaccess or something similar before downloading it, which allows Windows computers to properly interact with the file.

Limit Access to the Admin

Step Two of the basic plan of attack is to limit access to your administration tool. An .htaccess file is a server-level control file, meaning that the web server reads it before it ever answers a web browser. What we want to do is limit which IP addresses can reach your wp-admin directory. Need a more basic explanation? Each computer on the internet has a unique Internet Protocol (IP) address made up of four numbers ranging from 0 to 256, for example 123.456.123.456; this number reflects your unique signature on the Internet. What we want to do is control which computers can access your account.

To do this, first we need to know what your IP address is. Luckily there’s a website for that at http://whatismyipaddress.com/ which will tell you what your current IP address is. After you have that, create a new file called .htaccess on your desktop and add the following code to it:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
allow from [paste your IP address here]

Once you upload that file to your wp-admin directory, only computers from the IP address you specified will be able to access your WordPress admin directory. You can add multiple allow from lines to ensure you can access your site from work or home. If you ever need to access your admin panel from outside the IP range, simply comment out the deny from all line (place a # symbol in front of it) and you’ll be able to access it normally.

One final note here: since many people have dynamic IP addresses (they change whenever you reboot your internet connection) you might want to check with your Internet Service Provider to determine their IP range. For example, once you know that your IP address is always 142.167.66.[0-255] you can use a partial address, allow from 142.167.66, so anybody in your local subnet (the last octet) can access your admin directory. Note that Apache matches a partial address (the first one to three octets) or a CIDR range such as 142.167.66.0/24; it does not understand a * wildcard. A little less secure but still better than allowing the whole world to access it.
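The behaviour of the wp-admin .htaccess above is easy to get backwards, so here is an added example (not code from the original post) that parses those directives and applies Apache 2.2’s Order/Deny/Allow semantics to a client address. The .htaccess text, the allowed addresses (203.0.113.42 and the partial address 142.167.66) and the client addresses are all constructed for the example; it also shows what happens if Order is written the other way round, and what commenting out deny from all does.

```python
import ipaddress

# Constructed wp-admin/.htaccess in the shape the post suggests: deny everyone,
# then allow one address plus a partial (three-octet) address for a /24.
WP_ADMIN_HTACCESS = """\
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
allow from 203.0.113.42
allow from 142.167.66
"""


def parse_access_rules(htaccess_text: str) -> dict:
    """Collect Order, Deny from and Allow from arguments; '#' lines are ignored."""
    rules = {"order": "deny,allow", "deny": [], "allow": []}
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            rules["order"] = parts[1].lower()
        elif key in ("deny", "allow") and len(parts) >= 3 and parts[1].lower() == "from":
            rules[key].extend(p.lower() for p in parts[2:])  # several hosts per line are allowed
    return rules


def _rule_matches(rule: str, client_ip: str) -> bool:
    """True if one Deny/Allow argument covers client_ip (all, CIDR, partial or full address)."""
    if rule == "all":
        return True
    if "/" in rule:  # CIDR such as 142.167.66.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)
    octets = rule.split(".")
    if 1 <= len(octets) <= 3:  # partial address: compare the leading octets only
        return client_ip.split(".")[: len(octets)] == octets
    return ipaddress.ip_address(client_ip) == ipaddress.ip_address(rule)


def is_allowed(rules: dict, client_ip: str) -> bool:
    """Apply Apache 2.2 semantics: with Order deny,allow a matching Allow overrides
    a matching Deny and unmatched clients are allowed; with Order allow,deny a
    matching Deny overrides a matching Allow and unmatched clients are denied."""
    denied = any(_rule_matches(r, client_ip) for r in rules["deny"])
    allowed = any(_rule_matches(r, client_ip) for r in rules["allow"])
    order = rules["order"].replace(" ", "")
    if order == "deny,allow":
        return (not denied) or allowed
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unsupported Order: {rules['order']}")


if __name__ == "__main__":
    rules = parse_access_rules(WP_ADMIN_HTACCESS)
    for ip in ("203.0.113.42", "142.167.66.200", "198.51.100.7"):
        print(ip, "allowed" if is_allowed(rules, ip) else "denied")
```

The important case is the one where Order is written as allow,deny with the same lines: then deny from all wins and nobody, including you, can reach wp-admin, which is the usual cause of a sudden 403 on the admin panel after editing this file.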

An Extra Level of Password Control

Just like the .htaccess file can be used to limit access from specific IP addresses, it can also be used to force a server-level username and password check before you are prompted for your WordPress username and password. You can do this fairly easily if you’re hosting with BlueHost; if you’re using another hosting company you can create a secure login using an .htaccess file and .htpasswd file, or the AskApache Password Protect plugin. This process is a little more complex but a great extra layer of security.

Change Your Admin Account

By default the most powerful account on your WordPress website is called admin. Since everybody in the world knows this, they only need to guess your password; if you change the admin account name, you make guessing both your username and password infinitely harder. One other point here: since your password is case sensitive (A and a are different letters), you should always use long, complex passwords that mix uppercase and lowercase letters, at least one number and, if possible, a symbol such as an ampersand (&) or dollar sign. The more complex you make your password, the less chance somebody will guess it.

WordPress Version

Some WordPress themes include a line such as <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> in the header.php file. While this is great for WordPress, it’s a security blunder since you’re announcing to the world which version of WordPress you’re using and, if it’s not the most recent … which security holes your website is vulnerable to. Simply remove this line from your header and you’ll be more secure.
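A quick way to check your own pages for this after editing the theme is to parse the HTML and report every place the version shows up. The following is an added example, not code from the original post: it looks for the generator meta tag and, going one step beyond the paragraph, for the ?ver= query string that WordPress appends to the scripts and stylesheets it enqueues, which carries the core version even when the meta tag is gone. The sample HTML, with its version numbers and asset paths, is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed page header: a generator tag plus two enqueued assets with ?ver= tags.
SAMPLE_HTML = """\
<html><head>
<meta name="generator" content="WordPress 2.7" />
<script type="text/javascript" src="/wp-includes/js/jquery/jquery.js?ver=1.2.6"></script>
<link rel="stylesheet" href="/wp-content/plugins/example-plugin/style.css?ver=2.7" />
</head><body></body></html>
"""


class _VersionLeakParser(HTMLParser):
    """Record the generator meta content and every ?ver= value on script/link URLs."""

    def __init__(self) -> None:
        super().__init__()
        self.generator = None
        self.asset_versions = set()

    def handle_starttag(self, tag, attrs):  # also called for self-closing tags
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        if tag in ("script", "link"):
            url = a.get("src") or a.get("href")
            if url:
                for version in parse_qs(urlparse(url).query).get("ver", []):
                    self.asset_versions.add(version)


def find_version_leaks(html: str) -> dict:
    """Return the generator string (or None) and the sorted list of ?ver= values seen."""
    parser = _VersionLeakParser()
    parser.feed(html)
    parser.close()
    return {"generator": parser.generator, "asset_versions": sorted(parser.asset_versions)}


if __name__ == "__main__":
    print(find_version_leaks(SAMPLE_HTML))
```

Run it against the saved HTML of your own front page; an empty result for both keys means neither the meta tag nor the asset query strings are giving the version away.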

 

WordPress displaying security issues

WordPress displaying security issues

The next step when it comes to security with regards to versions is to always upgrade to the most recent version promptly. I recommend upgrading your website (and your plugins) as quickly as possible after a new release has come out. You’ll see from the graphic to the right that my hotel web design company Getaway Graphics hasn’t had some of its plugins or base code upgraded in weeks; this is a major security flaw which could lead to hackers gaining access to my files. Luckily, I did this to demonstrate the potential flaws and the site is actually perfectly safe.

Always upgrade your website and your plugins to the most recent version after you have done a backup of your site files and data. As a bit of shameless self promotion, let me pipe in here that for a fairly reasonable fee, I can do this for you on a monthly schedule or train you how to maintain and monitor your website.

Secure Your .htaccess file

I think we’re now all aware of how powerful the .htaccess file is, correct? Great, so let’s secure it simply by adding the following code to the very bottom of the file:

<Files wp-config.php>
Order Deny,Allow
Deny from All
</Files>

This simple piece of code makes it impossible for people to see all the security customizations you’ve done to your blog.

Report Issues

WordPress is, at its heart, a community project. If there’s something wrong and you discover it, send a bug report immediately so the team can fix security holes. This will make the software more secure both for you and for the rest of the WordPress users.

Security Plugins for WordPress

Beyond the common sense security steps outlined above, there are several plugins related to security which every WordPress website should be running:

  • Login Lockdown – records failed attempts to access your WordPress admin panel. Frankly, if you don’t know people are knocking on your door … how do you know to protect it?
  • WP Security Scan – tests your website for common security holes.
  • WP Database Backup – backs up the content of your database regularly. Not really a security tool but it will allow you to restore to a previous version if you ever need to.
  • AskApache Password Protect – add a password to your wp-admin directory.
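Login Lockdown’s job, spotting repeated failed logins, can also be done from the web server’s access log, which is useful when you want to see the attempts the plugin was not installed to record. The following is an added example, not part of the original post or of any of the plugins listed: it parses Apache combined-format log lines and counts POSTs to wp-login.php that came back with status 200 (WordPress re-displays the login form with a 200 on a failed login and answers a successful one with a 302 redirect to wp-admin). The log lines and addresses are constructed for the example; the threshold of five attempts is an arbitrary choice.

```python
import re
from collections import Counter

# Apache combined format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed access log: one address hammers the login form, another logs in
# after a single typo.
SAMPLE_LOG = """\
198.51.100.9 - - [10/Jan/2009:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1843
198.51.100.9 - - [10/Jan/2009:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3211
198.51.100.9 - - [10/Jan/2009:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3211
198.51.100.9 - - [10/Jan/2009:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3211
198.51.100.9 - - [10/Jan/2009:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3211
198.51.100.9 - - [10/Jan/2009:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3211
198.51.100.9 - - [10/Jan/2009:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3211
203.0.113.5 - - [10/Jan/2009:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3211
203.0.113.5 - - [10/Jan/2009:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [10/Jan/2009:10:05:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120
"""


def failed_login_counts(lines) -> Counter:
    """Count, per client address, POSTs to wp-login.php that returned 200 (form re-shown)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            counts[m["ip"]] += 1
    return counts


def flag_sources(lines, threshold: int = 5) -> dict:
    """Return {ip: failures} for addresses at or above the threshold."""
    return {ip: n for ip, n in failed_login_counts(lines).items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins")
```

The 200-versus-302 distinction is the same one the server sees for any form login, so the same parser works for a custom login URL once the path check is changed.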

Other Great Sources

While I was putting together this article, I had help from some other sources on the net including:

One Final Note …

The steps I’ve outlined in the above article are all fairly straightforward and necessary to ensure a strong, safe WordPress blog, but I appreciate some people simply lack the technical confidence to perform the steps effectively. I’m available as a WordPress consultant and can generally perform all the necessary upgrades to your WordPress website quickly, effectively and easily, so why not give me a call?

What Plugins are the best WordPress websites running?

So a while back I wrote an entry called Ten Awesome WordPress Web Sites, that featured some really amazing website designs all running WordPress. Today I decided to play a little game with the ten sites and see which of those ten amazing WordPress websites took the time to protect their own security.

You’d be amazed how many websites don’t protect the /wp-content/plugins/ directory. It’s generally open to the public, which allows anybody to see what plugins your website is using. Why’s this important? Well, for starters it destroys any competitive advantage your website might have, but it also allows potential hackers to determine which plugins (if any) have weaknesses that can be exploited.

The good news? Nine of the ten websites in my earlier article took the time to block access to their /wp-content/plugins/ directory. Here’s a fun game to play … next time you’re looking at a WordPress blog and you’d like to know more about how they do it, change the URL in the address bar to http://[theiraddress]/wp-content/plugins and you’ll get to see all their plugins.

How do you install WordPress Plugins?

So the other day I was talking to a friend online, he’s pretty tech savvy but he’s never run a website so I set him up with WordPress. As soon as the site’s live, I’ll be sure to post a link to it but the funny thing was that after a few days of him doing tweaks to the content I showed him the plug-in directory and he was shocked. He’d always used Joomla before, so the idea of true ‘drag and drop’ plug-ins blew him away.

This got me thinking however, maybe there’s a lot of people out there who want to run their own website, maybe they even want to do it for only a $100 (or less) but are terrified of the technology so I’ve decided over the next few weeks to post some fairly entry level tutorials for WordPress, my more regular readers might roll their eyes but bear with us while we delve into some of the less technical aspects of WordPress and help new users learn the system.

Today, I’d like to look at installing a plug-in. I think this is one of the most terrifying endeavors for a new WordPress blog owner but honestly, it’s one of the easiest especially with the new WordPress 2.7 installer.

  • First, log into your administration area and click the Plugins link on the left hand side.
  • Next, follow the link Plugin Browser/Installer at the bottom of your page.
  • Honestly, you’re almost done.
  • Find a plugin that you like. I recommend searching for the WordPress.com Stats plugin, it’s amazingly cool, easy to use and free.
  • Once you search, you can read about the plugin and click the Install button to the right.
  • Yep, that’s all there is to it.

With the new version 2.7 of WordPress, things are getting so easy that just about anybody can set up and operate a WordPress website without needing a web developer at all. :(

Simple tricks to speed up your WordPress website.

WordPress is a great tool but for those of us on shared hosting it’s important that as our web traffic increases we look at ways to decrease the amount of stress our sites put on the web server. I found a couple of wonderful suggestions on Lorelle’s website and I’ve added a few of my own.

There are a couple of reasons for this: first, we want to make sure our web pages load as quickly as possible, but just as importantly we want to ensure our website stays online. There are countless stories on the internet about websites that suddenly found themselves very popular and struggled to keep up with the traffic, only to have their account temporarily shut down by the hosting company.

WordPress is written in PHP and uses a MySQL database to serve up content. This is great except the content on your website doesn’t change all that often so why are you dynamically generating it for each visitor? Instead of rebuilding the xHTML for each visit, why not serve them a previously saved version? We call this caching a website and it can be done with the wp-cache plugin from Ricardo Galli Granada.

So the first step to increased speed of your WordPress website is to download and install the WP-Cache plugin. It allows you to set how many seconds between page caching as well as if any specific files should never be cached. Very handy. You should also make sure you’re on a reliable web host who can handle the traffic.

Diggproof & Speed up Your Wordpress Blog has a great and often overlooked suggestion. Upgrade your WordPress blog. This might sound silly but generally speaking the latest code releases for WordPress are stable and optimized, so taking a little bit of time to upgrade your site during each release is a solid idea.

Unused plugins can kill performance so before you go installing and forgetting about your plugins, make a habit of deleting unused plugins. Some people might assume deactivating them is good enough but personally I prefer to delete them.

Using a tool such as phpMyAdmin take time once a week to optimize your MySQL tables. If you don’t have access to phpMyAdmin, execute the following SQL statement from your command line to make sure your tables are in the best shape possible:

OPTIMIZE TABLE `wp_comments`, `wp_links`, `wp_options`, `wp_postmeta`, `wp_posts`, `wp_ratings`, `wp_terms`, `wp_term_relationships`, `wp_term_taxonomy`, `wp_usermeta`, `wp_users`, `wp_wpsb_users`;

Arne has some great suggestions for MySQL Query Cache and PHP Compiler Cache options; they’re pretty technical but well worth it if you’re running into significant server speed issues. If you’re technical, give this article on how to configure Apache a read as well; it will help you optimize your whole site.

Paul Stamatiou makes a great point by writing “Every HTTP request, or loading each item on your website, has an average round-trip latency of 0.2 seconds. So if your site is loading 20 items, regardless of whether they are stylesheets, images or scripts, that equates to 4 seconds in latency alone”. So, take a good long look at your theme and determine what you really need in there. I saved a ton of time per page load by stripping out over 20 JavaScript calls and replacing them with PHP scripts which are cached once every five minutes. I also combined all my CSS files into a single file, which decreased the number of HTTP requests my server had to take. Paul also has a great article on Compressing CSS with PHP that you should read if you still need to speed up your site more.

There’s another great suggestion from WPCandy that I’m extremely reluctant to do, but I know they’re right. First, use shorthand CSS so:

#commentarea li {
margin-top: 10px;
margin-bottom: 10px;
}

should become:

#commentarea li {
margin: 10px 0px 10px 0px;
}

You should also decrease whitespace (that’s the empty space between tags); sure, it makes the source look better, but it also takes up bandwidth.

Finally, decrease your overall database calls. WordPress gives us all sorts of great functions in our templates, but really, do you need to call the website name from your database? The simple answer is no, so let’s decrease the overall number of MySQL queries by optimizing our templates. Replacing with your title, for example, will help decrease the server load.

I hope this helps, if you have any other suggestions for how to optimize WordPress and speed up the site please let me know.

How can you make $500 a month part time from the web?

So maybe $500 a month isn’t going to let you retire this year but with the economy going down the tubes and our fearless political leaders still assuming that Wall Street will fix itself, it’s time to share a little secret with you … the web really does work.

Using the method below, I easily make $500 each month from my own web blogs and it’s really pretty easy. I spend about 10 hours a month working on my sites, you can do the math.

First, you need to cover a few basics in order to get your website up and running.

1) Select a blogging package

This is pretty simple really, there are a few out there but WordPress is my personal favorite, it’s super easy to use and even comes with some great looking themes. You can also use something like

3) Hosting

A web host is a dedicated place on the web that you can put your website. Personally I love hosting at BlueHost. They’re wonderful, friendly, helpful and have WordPress preinstalled. They can also take care of your domain name registration.

4) Analytics

You’ll want to signup for Google Analytics and insert the code into the footer of your website. Analytics are web statistics, it will tell you who’s reading your blog and where they’re coming from. Remember, without data your decisions are nothing more than guesses … Google takes the guessing away.

Now that you have the basic pieces of the puzzle, we need to put it all together.

5) Building your first blog

First, we need to activate our BlueHost account and log into our account manager. Towards the bottom of the control panel you’ll find a link called Fantastico, which we’ll need to click to install WordPress.

Fantastico will ask you some questions about what you want to call your blog etc. and when you’re done, it will redirect you to your WordPress blog. It’s really that simple.

6) Inserting your Google Analytics code

Now that your blog is running, you’ll need to do some technical stuff for a few minutes. Log into Your Google Analytics account and add your new website. Once done, select Get Code and copy the JavaScript.

Return to BlueHost and select Design > Edit Theme from your WordPress installation. On the right hand side you’ll see an option for your site Footer. This is the file that appears on the bottom of all your pages, you’ll want to open that file and paste the JavaScript just before the tag in your footer.

This installs the tracking script on every page your site generates. Remember how to do it, because later when we change your theme you’ll have to do it again.

7) Sign up for ad programs

There are a few great ad programs out there; the most popular of course is Google AdSense, but there are plenty to choose from. Once you’ve signed up for some ad programs it’s time to start thinking about where (and how) to place ads on your website. There are also some great sites like Commission Junction and wonderful affiliate programs for you to use.

8) Designing a better website

There are plenty of great themes out there for WordPress, even the default one is pretty great but if you’re looking to make money from your sites you’ll want to find a good WordPress theme, ideally free. Once you’ve done that simply upload it to your website using an FTP program and activate it.

Remember, you’ll need to update your Google Analytics code (step 6) in the new template and you should take the Google Adsense code from the previous step and place it in your template.

9) Start blogging

Everything before this is pretty simple really, if you can’t do it yourself send me an email and I’ll take care of it for you but the hard part about making money on a blog is … writing the blog.

There’s a few things to keep in mind when you’re writing.

First, make sure that you’re writing about something people care about. It doesn’t have to be popular, and niche blogging is great but it has to be something that people really want to read otherwise you’re wasting your time.

Second, try to make it original. Search engines (and readers) are not looking for copy-and-paste posts from other sites, so write something original if you’re looking to get traffic.

Finally, write often. Try to write as often as you can but ensure it’s good, clean and useful writing. If you can do that, you’ll build a reputation as a reliable source quickly.

10) Promotion

The best way to get people to read your website is to post reliable comments in forums, on other blogs and sites with links back to your own online blog. Before you know it, if you’re a good net citizen other blog owners and readers will start visiting your site to see what else you have to say. Remember to always have a hyperlink to your blogs in your signatures to increase traffic to your site.

BlueHost also gives you $75 worth of advertising on Google and Yahoo, use it to build an online marketing campaign to draw even more traffic to your website.

I hope my suggestions helped, feel free to comment and share your own thoughts with me.