Scripted websites/ blogs using WordPress are becoming more and more common. And as such they are becoming ever more tempting targets for hackers and trashers. It might be something as simple as putting a picture on your site that goes “phhpttttt!!! I was here!” Or it might go so far as to taking over your site, denying you access to it and then holding your site for ransom. Malicious code can be placed on your site that might infect visitors’ computers and not the least of your worries, get you banned by the search engines.

Wordpress.org does a great job of eliminating potential entryways into the WordPress code with frequent updates. However, it is open-source code and is developed by hundreds if not thousands of people. (especially when you consider the myriad of themes and plugins available) Unfortunately, hackers work just as hard to find ways to exploit WordPress any way they can.

What can you do?

I have compiled a number of things that you can do proactively to help keep your WordpPress secure. Note: I said “help” keep your site secure. When it comes to websites and hackers, there is no guarantee that your site can’t be successfully attacked. But you can make your site unpalatable to attack and more secure.

Warning! The security measures below range from quick and easy to those demanding some “chops” in coding. It is possible to incorrectly implement some these steps and lock yourself out from your site with no way to correct your mistake. You could even damage your site yourself. I can take no responsibility for any problems you might have from applying these security measures.

That being said… we’ll start with the basic ones and get more complicated as we go on.

1. Always use the latest version of WordPress. As I mentioned, software security is an ongoing struggle and WordPress.org does a great job of addressing the latest threats. If you have concerns about being a “first adopter” of new versions, wait a few days or a week before updating. Be aware that updating may cause problems with your plugins or themes. You should back-up your WordPress before updating. See wordpress.org for details.




2. Don’t use a simple, easy password. Did you know that the most commonly used passwords are “password” and “1234567″? Is that you? As reported by PCmag.com here are the 10 Most Common Passwords. You should use a strong password that incorporates numbers, upper and lower case letters and “special” characters like ! ” ? $ % ^ & ) I know, I know, it’s going to be hard to remember. Write it down, have your browser memorize it… It’s better than giving carte blanche to your site! WordPress can generate a random strong password for you. In your Dashboard go to “Users” and select your account name (for most people it’s probably “admin”) and make sure that your email address is correct. Log out from WordPress and then instead of logging in again, click on “Lost Your Password?” Your WordPress will email a new, strong randomly generated password.




3. Now that we have talked about your “admin” user account… Get rid of it!  Well, not totally. Add a new user with full administrator privileges.  Use a not totally obvious username and a strong password. Log out of WordPress and then login with your new username and password. Now you can go to the “Users” area and edit the “admin” user account. Most people leave the main username as “admin” … attackers know this!  Edit your “admin” user by changing its role from “administrator” to “subscriber”. Save the change. Now if a hacker tries to take over the standard “admin” account, they will have no privileges to change anything.
   Note! If you installed your WordPress site using Fantastico, you were probably already prompted to enter your own username and password during setup. Change your password to a strong one if you did not do so originally.




4. In the Dashboard navigate to  Settings-General. Make sure that the “Membership-Anyone can register” checkbox is unchecked. Be sure that the “New User Default Role” is set to subscriber.




5. This is a good time to add some login protection. Hackers will often try a brute force means of accessing your site by trying thousands of passwords in hopes of discovering the right one. The “Login Lockdown” plugin will, upon activation, deny login access for 60 minutes to anyone who tries 3 wrong passwords in 5 minutes. If you want to adjust these settings, you can modify them on the Login Lockdown configuration page.




6. Here’s another plugin that can help keep the wolves at bay. It’s the WordPress Firewall plugin. This plugin does a lot! It monitors your WordPress site for attacks, protects your plugins, and is a Swiss Army Knife of protection… You can read about its features at the plugin homepage.




7. Now this is where we start getting more geeky. In the root of your WordPress installation is a file called .htaccess. It can control a lot of things on your website. More than I can go into in this post. Anyway, you can add this following line into the .htaccess file using a text editor.

   # prevent directory browsing  
   Options All -Indexes

   Normally browsers can see into folders and report on and even access the files within. To prevent this random viewing website designers put an empty index.html file into each folder. WordPress has many, many folders – too many to make this practical. Making this addition to the .htaccess file denies folder will keep browsers (and people) out of folders where they have no need of access.

   
   

8. In the WordPress root there is a file named wp-config.php, it’s quite an important file and you don’t want someone to “accidentally” gain access to it as it contains the username and password for your mySQL database connection. We can deny access to it by adding a few more lines to the same .htaccess file that we mentioned in #7.

   # protect wpconfig.php
   <files wp-config.php>
   Order deny,allow
   deny from all
   </files>




9. This next tip I found is from Jeff Starr at the Perishable Press website.  Many recent attacks on WordPress have used very long request strings… Much longer than legitimate ones would be. The code below can be copied to make a php file that can be placed in your WP plugin folder. Further explanation may be found at his blog post “Protect WordPress Against Malicious URL Requests”

   <?php /* Plugin Name: Block Bad Queries */
   
   if (strlen($_SERVER['REQUEST_URI']) > 255 || 
        strpos($_SERVER['REQUEST_URI'], "eval(") || 
   	strpos($_SERVER['REQUEST_URI'], "base64")) {
             @header("HTTP/1.1 414 Request-URI Too Long");
             @header("Status: 414 Request-URI Too Long");
             @header("Connection: Close");
             @exit;
   } ?>




10. WordPress.org suggests replacing the “Secret Keys” in your wp-config.php file with your own secret ones. If you go to the WordPress Secret Key Generator a randomly set will be generated similar to these below (don’t use these.. they wouldn’t be very secret!)
    

    define('AUTH_KEY',        'N!3MZ9+>l-5)=K&+_j7mM+}ZK5UFvZQ E{=*Vzp0Eae+i^oXY]!)B@vFj?x;&y=c');
    define('SECURE_AUTH_KEY', 'OeX>dl;tuRc$w+ehD{2]k%k{3uhH|L|8DNQu[/Np8_&qz_ rp7v+z6YODdjz9%~s');
    define('LOGGED_IN_KEY',   'oOO1smvP?<4fSU0Sv,5yeT`z#ns5_I?tEEL9Y[|CW!YO@fkjw@

    Just copy and then paste the secret keys over the ones in your wp-config.php file. Don’t worry about having to remember them, they are used by WordPress to encrypt information.

Have you forgotten your WordPress Admin password? Did you lose access to your WordPress because you fell prey to the WP password vulnerability and your p/w got hacked? (Problem now corrected with WordPress 2.8.4). Take heart, your password can be reset outside of WordPress by using phpMyAdmin.

CAUTION!

phpMyAdmin allows you to directly edit your WordPress database! You can totally and permanently ruin your WordPress installation and have to start it all over again. While I have attempted to make this tutorial easy-to-follow and and accomplish, I take no responsibility for any problems that may occur from your modification of your WordPress database.  If you are not comfortable with attempting to work on your WP database yourself, find someone technically competent to assist you in restoring your password.

When you set up your webhosting, your host likely gave you a login and password to your account. This would be the place where you set up your email addresses and the like. Most webhosting companies use CPanel as an interface. CPanel makes life much easier!

Anyway, you want to log onto your hosting account and find phpMyAdmin and click it.

Here’s what it looks like in my CPanel…

Click on phpMyAdmin to open the program in your browser. If your phpMyAdmin is the current version (as of this writing), you should see this…

Click on your WordPress database.  You should see the following…

Scroll down to find the row named “wp_users” and click on the “Browse” icon. This will take you to the next screen…

Find the row for the “admin” user and click on the pencil icon to edit the admin password…

Locate the “user_pass” row in the field column. In the “Function” column of that row, click on the dropdown list and select “MD5″. Continue to the “Value” column. What you will see there is an encrypted version of the current password. Click on it and remove it so that there is nothing in that box. Now, enter the password that you want to use for the “admin” account. Don’t worry that it isn’t encrypted, that will be taken care of automatically. Lastly, at the bottom of this last screen, be sure to clock on “Go” to save your change of password.

Congratulations! You should now be able to log into your WordPress with your new password!

With the issuing of WordPress 2.8.3 and 2.8.4 a lot of people have run into the dreaded “Allowed memory size error” when you try to run the automatic upgrade for your WordPress. (you did backup everything, just in case, yes?)

Did you get an error something like “Allowed memory size of 33554432 bytes exhausted (tried to allocate …yadda yadda)”?  This is likely caused by “too much stuff” in your WordPress, like lots of plugins.

There are a few things to do to try to get past this.

1.) Deactivate most or all of your plugins and then try the automatic upgrade again. That should help most people.

If you are more technically inclined or have someone who can do this for you (like me! )…

2.) In your WordPress root find the “wp-settings.php” file and find this line (around line 13)  “define(’WP_MEMORY_LIMIT’, ‘32M’);”  and increase the memory size to something larger, like  “define(’WP_MEMORY_LIMIT’, ‘64M’);” . Now try upgrading again.

And if that doesn’t fix it so that you can upgrade… Try this!

3.) Find the “php.ini” for your site (this is not a wordpress file, but one from your webhost – you may need to ask them how to make the change, if it’s not readily available to you) and change it to something larger like this  “memory_limit = 128M”

You should now be able to successfully upgrade your WordPress!

Yes, it can even happen to The Web Mechanic!

Recently I thought my website (this website) was running a little slow… but it wasn’t anything that I was concerning myself about very much. Then yesterday, it slowed to a stop! I would try to access a page and my browser would just sit there trying to load the page. I didn’t think it was me, so I contacted my webhost service folks. They could see that there were a bunch of process’ running that were gumming up the works. We both thought it was something spurious but also something to keep an eye on.

The next day I received a couple of “Tweets” telling me that my site was acting odd… The front page was fine, but everything else threw up and error page. Not good!

Well, being the Chief Wrench at the The Web Mechanic, it was time to get under the hood! To make a long story short, I discovered that a WordPress plug in was causing the error. The plugin, called “Tweet This” had, I thought, been running fine, but it had been throwing errors for some time I found out. It just hadn’t gotten to the point of taking my site down …until today. I deactivated “Tweet This” and presto! The Web Mechanic is back up and running!

I have used “Tweet This” in a number of my client’s websites without a problem. (I have now gone back to check) It may be a conflict with a plugin that is on my site and not theirs. Hopefully, the plugin author will soon be able to correct the problem!

My problem with a plugin highlights a strength and a weakness of WordPress. Because WordPress is both “open source” and modular in nature, plugins can and are made by many, many people. They don’t always get the rigorous testing that a commercial product might. If you add a new plugin to your WordPress, keep track of when you added it and note it anything seems “different” about your site. That information could prevent hours of troubleshooting down the line, should a problem arise. The WordPress strength? Because it is robust and modular, once I removed the problem “Tweet This” plugin…

The Web Mechanic was back and working fine…immediately!

Do you have a question about WordPress? Is there something that you want to do with your site that you can’t figure out how to do? A problem?

Ask The Web Mechanic!

On Wednesdays I will take questions and provide answers to your WordPress questions. You can fix many of the problems you might have with WordPress yourself, given a point in the right direction. Some problems may need “professional help”… I’ll let you know that as well.

Ask away!

Recently someone I know had a problem with her new blog. She was happy with it and then a friend told her that the blog wasn’t working and that nothing could be seen.  The problem? Her WordPress blog worked fine… in her Firefox browser. But in Internet Explorer, it was broken… Text was missing, funny code-like stuff like "<!--[endif]-->" is displayed, etc.

What happened? Well, she had written her blog entries in Microsoft Word and then copied and pasted the text into the WordPress editor. Unfortunately, Word can put code into what you type (it’s hidden) that when pasted into WordPress can fowl up in IE. WordPress has a Support entry explaining this and how to fix your posts. Please visit http://wordpress.org/support/topic/205637 to learn the specifics. (If it’s too “geeky” for you, drop me a line and I’ll translate )

When you write an entry in your blog there are a couple of ways to do it. You can just type it into the WordPress editor and format it there… You will avoid these kinds of problems.

If you write your post in another program, like Word, you can copy and paste, but don’t just paste it into the WordPress editor. Look at the WordPress editor and you will see two buttons, (for paste from text) and (for paste from Word). If you press “W” and paste your text into the window that pops up, WordPress will apply the formatting from Word so that your post will look like what you have written in in Word… Although there may still be problems as noted in the WordPress Support link above.

If the above still causes you problems, try typing your blog entry in Word and save it as a text document. Then open that file in a text editor like the Windows’ Notepad and copy and paste into WordPress from Notepad.

It’s always good to look at your blog or website in both Firefox and Internet Explorer as well as other browsers, like Opera and Google’s new Chrome – They don’t always present your site in  the same way!