Step 1 – Setting up a secure database

Because the database is associated with virtually everything you do on your site, it is best to perform any modifications before configuring your options, installing plugins, and adding options. During the installation process, there are some effective ways of increasing the overall security of your WordPress site.

One of the first things that you can do to bolster security is to setup a proper database, user, and password. First, create the table that will be used for your WordPress installation:

CREATE DATABASE `wordpress`;

Now we need a user to go with that database. The key here is to create a user with only the required permissions. Enter the following SQL query to create a user that will have access only to the wordpress from the local server:

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON wordpress.* TO 'wpuser'@'localhost'
IDENTIFIED BY 'password';

By requiring that the user access the database from the local server only, we mitigate the possibility of remote database attacks. Further, by granting the user access to only the wordpress database, we ensure that other databases will remain safe should an attacker gain access.

Once the database and user have been setup, install WordPress as normal and continue with the next step.

Step 2 – Setting up a secure configuration file

There are two things we want to do with the wp-config.php file: implement Authentication Unique Keys and change the default database prefix. Let’s do it..

Implement Authentication Unique Keys

Directly after your MySQL database credentials in the wp-config.php file, you have the option of specifying a set of Authentication Unique Keys. These keys improve WordPress’ authentication system, providing strong security to your site. It is highly recommended that you take advantage of this feature.

/**#@+
 * Authentication Unique Keys.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
/**#@-*/

To do so, visit the official secret-key generation service and paste the results into your config.php file (replace the four lines beginning with “define”).

While you are you setting up the WordPress configuration file, you also may want to go ahead and optimize performance and implement some other choice configuration tricks.

Change the default database table prefix

While in your wp-config.php file, take a few moments to change your default database table prefix. By default, it’s “wp_”, but this is a well-known fact of which attackers and automated scripts take full advantage. By changing the table prefix to something unknown/random, you are using security through obscurity to help mitigate SQL-injection threats.

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

In your wp-config.php file, locate the above lines and change the table prefix to something random or difficult to guess. I like to include the letters “wp” within the new prefix to help me identify tables specific to WordPress. For example, I might change it to something like, “wp_i337”.

Step 3 – Setting up a secure administration

Once you have finished with your database and configuration file, it’s time to setup a secure WordPress Admin area. We can do this by changing the default Admin username and protecting the wp-admin directory.

changing the default Admin username

By default, all WordPress installations have a default Admin username of, creatively enough, “admin”. As with the default database prefix, this fact is well-known to attackers, who target the admin account with password brute-force attacks. Thus, changing the username of your Admin account will help mitigate this potential vulnerability. To do so, execute the following SQL query on your WordPress database via phpMyAdmin:

UPDATE wp_users SET user_login = 'admin', user_login = 'digwp';

Your default Admin username is now changed to whatever you specified in the query. In this example, your new username will be “digwp”, so you will probably want to change it to something that is more difficult to guess.

Additionally, make sure that the password for the Admin account is as strong as possible. Use a random mix of uppercase and lowercase letters, and throw in a few underscores and numbers for good measure.
 

Protecting the wp-admin directory

All of the administrative files for your WordPress site are contained in the wp-admin directory. By protecting this directory against unauthorized access, we greatly strengthen the security of our site. Depending on your particular needs, there are at least two ways to go about doing this. Let’s look at each of them.

Allow open access only to specific addresses

This method uses a few choice HTAccess directives placed in your site’s root .htaccess file:

# SECURE WP-ADMIN
<FilesMatch "*.*">
 Order Deny,Allow
 Deny from all
 Allow from 123.456.789
</FilesMatch>

Once in place, this code will deny access to all visits from any IP address that is not listed. Simply edit the “Allow from” line with your actual address, and create additional lines for multiple IPs. You can then check that it’s working by visiting your Admin area via proxy service. This is an effective way of protecting your wp-admin directory, but you may prefer using a password-based method instead..

Password-protect

Another option for securing your Admin area involves implementing secondary password protection via basic HTTP authentication. This is an excellent way to lock things down while still enabling access by anyone with the password from anywhere on the Web. To set it up, we need to create a text file with your desired username/password, and then require the username and password via .htaccess file.

For the username/password text file, use a password-generation service and paste the results into a file named “.htpasswd” (without the quotes!) and place it in a secure location on your server, preferably above your “public_html” or root-web directory.

Once the password file is in place, create an .htaccess file for your wp-admin directory and add the following code:

# SECURE LOGIN PAGE
<IfModule mod_auth.c>
 AuthUserFile /full/path/.htpasswd
 AuthType Basic
 AuthName "Password Required!"
 Require username
</IfModule>

After editing the username and full server path to your password file, you’re good to go. Make sure to test that everything is working before cracking a beer.

Important note about protecting wp-admin

As you implement this method, keep in mind that the wp-admin directory is used by a number of plugins, scripts, and even users. For example, if you allow open registration to your visitors, they will be unable to access the registration pages if your admin directory is blocked. Another good example is the Subscribe to Comments plugin, which provides an admin page through which users may unsubscribe to comments. This ain’t gonna work if they can’t access the admin area.

Just the beginning..

Of course, when it comes to the security of your WordPress site, these techniques are merely the beginning. As you continue in your WordPress travels, you will discover many, many more ways to increase the security of your site. By implementing the methods presented in this article during the setup process, you will be strengthening the security of your site’s foundation, providing yourself a solid platform on which to build.

Like the article? Get the book!
Learn how to take your web design skills to the next level by building sites with WordPress.
Sign up now for a special discount - Coming This Fall!

© 2009 Digging into WordPress | Permalink | 10 comments | Add to Delicious
Categorized: Security | Tagged: database, Security

Not even Akismet..

“Sure,” you are thinking, “you don’t need any plugins except for Akismet.” I mean, you definitely need that plugin, right? After all, it’s included with WordPress, so it’s got to be important. Umm, not so much. Yes, there are certain blogs that would probably be wise to take advantage of the additional spam-protection that Akismet might provide, but for 99% of the sites out there, it really isn’t necessary.

WordPress is strong enough..

I think one of the most underrated strengths of WordPress is its built-in anti-spam functionality. With an ounce of knowledge and a pound of forethought, you can configure your WordPress Discussion settings to act as a powerful and effective defense against the evil forces of spam. No plugins required! Let’s look at WordPress’ anti-spam tools and see why they’re all you need for a spam-free site..

Default article settings

First up, consider your default article settings. If comments aren’t enabled, of course you know that you don’t need Akismet or any other anti-spam plugin for that matter. If comments are enabled, you can cut out a significant portion of spam by simply disallowing pingbacks and trackbacks. By clicking a single checkbox, all of that crap that comes rolling in as trackback spam will stop. That’s a huge step right there, and it will eliminate every plugin that has anything to do with displaying or controlling ping/trackbacks.

Comment author must fill out name and e-mail

Another smart move, although I think most sites do this one already. By requiring your commentators to at least fill out these two fields (even if it is just dummy data most of the time), you brush off all of those lazy spammers who are picking up the easy ground fruit. Most legitimate commentators don’t mind filling in this info because they usually have something they want to say. Lazy spammers, not so much.

Users must be registered and logged in to comment

If possible given the specific goals of your site, requiring users to log in before commenting is an extremely effective way of preventing comment spam. Although requiring registration will stop a lot of legit comments as well, it is a powerful deterrent to lazy spammers and completely stops automated scripts. Sure, you may still get some trolls stinking up the place, but you would be getting those anyway. Plus, if they’re registered, it makes it easier to deal with them.

Automatically close comments on articles older than XX days

This is my favorite WordPress anti-spam feature. For a long time, we needed a plugin to get this done, but now that it is built into WordPress, everyone should be using it. Here at Digging into WordPress, we close comments on old posts after 90 days, which seems to be just about the right amount of time. Anything longer than that, and your posts begin to get targeted by spammers and automated spam scripts. Especially if your posts tend to do well and build up a lot of page rank, they will be prime targets for spam as time rolls on.

Break comments into pages with XX comments per page

This one’s not as obvious, but it is also a great way to reduce the incentive to spam your site. Spammers target strong pages for their junk, so by breaking your comments into pages of, say, 20 comments each, you get the best comments on the first page (the same page as the article), and then the typically declining-quality comments on subsequent non-ranking pages. Just make sure you are using meta canonical tags to keep the juice where it should be.

E-mail me whenever..

Unless your site is literally flooded with comments on every post, getting email alerts for new comments is an excellent way to kill any spam nonsense that gets through. I have done this at Perishable Press for four years now, and you would be hard-pressed to find even one spam comment anywhere on the site.

Before a comment appears an administrator must always approve the comment

This could get kind of labor-intensive, but it is a 100%-guaranteed way of completely eliminating spam without using any plugins whatsoever. Zero. Nada. Nil. If you are one of the many millions whose blog receives fairly few comments, this method will keep your comments squeaky clean.

Comment author must have a previously approved comment

A super-effective strategy that is not as labor-intensive as moderating all comments and not as restrictive as requiring registration. The idea here is that you get a chance to “meet” each one of your commentators and leave the door open only for the good guys. This technique drastically cuts back on human spam, and virtually eliminates automated spam (unless you don’t catch it the first time).

Hold a comment in the queue if it contains XX or more links

Lots of comment spam is just crawling with links. A few mindless words and then BAM — they drop in a few hundred links. Some of the more subtle spammers are less obvious, but still have to unload their payload somehow, so they usually integrate a couple of links within some not-so-carefully crafted text. You know what I’m talking about. You definitely want to moderate anything with more than like two or three links. This trick is great for catching some of the craftier spam maggots.

Comment Moderation Blacklist and Spam Blacklist

A finely tuned WordPress Blacklist list eliminates the need for many types of plugins, scripts, and third-party blacklists. Any words, characters, or IP addresses included in either the Moderation or Spam Blacklist will be used to innoculate your site against any matching comments. Granted, it takes a bit of persistence to build up a good list, but once you do, it is very difficult for spammers to get around it. Note that, unless you are absolutely sure, you should probably stick with the Moderation Blacklist (regular expressions are powerful things!).

All of these great anti-spam features are like having fifty plugins already built-in to WordPress. With them, you can configure a powerful anti-spam strategy for just about any type of site without any plugins — not even Akismet.

Why not just use a bunch of plugins instead?

Because you don’t have to. Plugins require maintenance, frequent updating, etc. Every upgrade of WordPress and/or your plugins opens the door to possible issues and conflicts. Further, plugins consume valuable server resources, affecting the performance and consistency of your site. In general, the fewer plugins you have, the easier and more efficient things are going to be. I guess my feeling is, try to take the “zen” approach as much as possible — if something isn’t absolutely necessary, don’t bother with it. More and more, I am realizing that anti-spam plugins simply aren’t needed to run an effective and spam-free site.

Like the article? Get the book!
Learn how to take your web design skills to the next level by building sites with WordPress.
Sign up now for a special discount - Coming This Fall!

© 2009 Digging into WordPress | Permalink | 39 comments | Add to Delicious
Categorized: Plugins, Security | Tagged: comments, spam

Direct Link to Article — Permalink on DiW

Like the article? Get the book!
Learn how to take your web design skills to the next level by building sites with WordPress.
Sign up now for a special discount - Coming This Fall!

© 2009 Digging into WordPress | Permalink | Comments | Add to Delicious
Categorized: Links | Tagged:

There has been a few other things people have done for WP Typo, so I thought now would be a good opportunity to share them.

• Grib has added i18n support (.mo files) and a Russian translation here.
• Jussi Linkola has released a Finish version here.
• Mijk has released a patch for the theme that includes widgetization and the use of Cufon to show the font jGaramond. (Regular Garamond isn’t really one of the “web safe” fonts). That patch is available here.
• Hassan Derakhshandeh has released an RTL (right to left text) version here.

Like the article? Get the book!
Learn how to take your web design skills to the next level by building sites with WordPress.
Sign up now for a special discount - Coming This Fall!

© 2009 Digging into WordPress | Permalink | Comments | Add to Delicious
Categorized: Theme | Tagged: layout, Links, Theme

1. Enter title without HTML

2. Create a custom field for the title with HTML

3. Output custom field on pages you want the HTML

For example, on the single.php page where you would have used

<h1><php the_title(); ?></h1>

Now you use

<?php

   $html_title = get_post_meta($post->ID, "HTML_title", true);

   if ($html_title) { ?>
                
      <h1><?php echo $html_title; ?></h1>
                
   <?php } else { ?>
                
      <h1><?php the_title(); ?></h1>
                    
<?php } ?>

This checks and sees if that custom field is set. If it is, it outputs that. If not, it uses the regular function.

Because the RSS templates use the regular the_title() function, your titles are same from being weirdified in feed readers.

Example

The example used here was from my new blog layout, where I’m trying to have as much control as possible for doing interesting post layouts.

Like the article? Get the book!
Learn how to take your web design skills to the next level by building sites with WordPress.
Sign up now for a special discount - Coming This Fall!

© 2009 Digging into WordPress | Permalink | 14 comments | Add to Delicious
Categorized: Theme | Tagged: custom-fields, title, tricks

In this one we cover the GPL and how it benefits WordPress, why WP is under the GPL, commercial themes, how the GPL fosters innovation, creates value, and affects themes and plugins.

I certainly learned some stuff about the GPL. Like 1) You can sell/profit from themes that are GPL and 2) Anything built around an existing GPL product must also be GPL.

Direct Link to Article — Permalink on DiW

Like the article? Get the book!
Learn how to take your web design skills to the next level by building sites with WordPress.
Sign up now for a special discount - Coming This Fall!

© 2009 Digging into WordPress | Permalink | Comments | Add to Delicious
Categorized: Links | Tagged:

<?php
if(is_single()) {

	// do something

} else {

	// do something else

}
?>

This is a great way to conditionally apply styles, scripts, and markup to single-view pages.

But did you know about the conditional tag, is_singular()? The is_singular() tag enables you to target single-view pages, regular page pages, and attachment pages all in one fell swoop.

So, instead of writing something like this:

<?php
if(is_single() || is_page() || is_attachment()) {

	// do something

} else {

	// do something else

}
?>

We can write this instead:

<?php
if(is_singular()) {

	// do something

} else {

	// do something else

}
?>

The is_singular() tag is what’s known as a “boolean” function, meaning that it returns one of two values, either TRUE or FALSE. No parameters are associated with this tag.

Now you know :)

Like the article? Get the book!
Learn how to take your web design skills to the next level by building sites with WordPress.
Sign up now for a special discount - Coming This Fall!

© 2009 Digging into WordPress | Permalink | 3 comments | Add to Delicious
Categorized: PHP | Tagged: tags, template, tips

In any case, the Feed Count plugin is too awesome to let disappear into the ether, so it will be hosted here at Digging into WordPress until Francesco’s site checks into a rehab center and cleans itself up. Hopefully that will be sometime soon. In the meantime, to download a squeaky-clean copy of the Feed Count plugin, simply click on the title of this post.

Direct Link to Article — Permalink on DiW

Like the article? Get the book!
Learn how to take your web design skills to the next level by building sites with WordPress.
Sign up now for a special discount - Coming This Fall!

© 2009 Digging into WordPress | Permalink | Comments | Add to Delicious
Categorized: Links | Tagged: plugin

Direct Link to Article — Permalink on DiW

Like the article? Get the book!
Learn how to take your web design skills to the next level by building sites with WordPress.
Sign up now for a special discount - Coming This Fall!

© 2009 Digging into WordPress | Permalink | Comments | Add to Delicious
Categorized: Links | Tagged:

To fix this, use the_time() instead. There is quirk though, as the_time() ouputs, by default, literally a time like “6:02 pm”. You can pass date parameters into it though, and make it output a date instead like the_time(m/d/Y). This means that the date formatting is controlled by your theme though, instead of the Admin area. To get the control back, use this instead:

the_time(get_option('date_format'));

Like the article? Get the book!
Learn how to take your web design skills to the next level by building sites with WordPress.
Sign up now for a special discount - Coming This Fall!

© 2009 Digging into WordPress | Permalink | 5 comments | Add to Delicious
Categorized: PHP | Tagged: date, echo, tips