Scripted websites/ blogs using WordPress are becoming more and more common. And as such they are becoming ever more tempting targets for hackers and trashers. It might be something as simple as putting a picture on your site that goes “phhpttttt!!! I was here!” Or it might go so far as to taking over your site, denying you access to it and then holding your site for ransom. Malicious code can be placed on your site that might infect visitors’ computers and not the least of your worries, get you banned by the search engines.

Wordpress.org does a great job of eliminating potential entryways into the WordPress code with frequent updates. However, it is open-source code and is developed by hundreds if not thousands of people. (especially when you consider the myriad of themes and plugins available) Unfortunately, hackers work just as hard to find ways to exploit WordPress any way they can.

What can you do?

I have compiled a number of things that you can do proactively to help keep your WordpPress secure. Note: I said “help” keep your site secure. When it comes to websites and hackers, there is no guarantee that your site can’t be successfully attacked. But you can make your site unpalatable to attack and more secure.

Warning! The security measures below range from quick and easy to those demanding some “chops” in coding. It is possible to incorrectly implement some these steps and lock yourself out from your site with no way to correct your mistake. You could even damage your site yourself. I can take no responsibility for any problems you might have from applying these security measures.

That being said… we’ll start with the basic ones and get more complicated as we go on. Or you can have me install my Web Mechanic’s WordPress Security Package.

1. Always use the latest version of WordPress. As I mentioned, software security is an ongoing struggle and WordPress.org does a great job of addressing the latest threats. If you have concerns about being a “first adopter” of new versions, wait a few days or a week before updating. Be aware that updating may cause problems with your plugins or themes. You should back-up your WordPress before updating. See wordpress.org for details.

 

2. Don’t use a simple, easy password. Did you know that the most commonly used passwords are “password” and “1234567″? Is that you? As reported by PCmag.com here are the 10 Most Common Passwords. You should use a strong password that incorporates numbers, upper and lower case letters and “special” characters like ! ” ? $ % ^ & ) I know, I know, it’s going to be hard to remember. Write it down, have your browser memorize it… It’s better than giving carte blanche to your site! WordPress can generate a random strong password for you. In your Dashboard go to “Users” and select your account name (for most people it’s probably “admin”) and make sure that your email address is correct. Log out from WordPress and then instead of logging in again, click on “Lost Your Password?” Your WordPress will email a new, strong randomly generated password.

 

3. Now that we have talked about your “admin” user account… Get rid of it!  Well, not totally. Add a new user with full administrator privileges.  Use a not totally obvious username and a strong password. Log out of WordPress and then login with your new username and password. Now you can go to the “Users” area and edit the “admin” user account. Most people leave the main username as “admin” … attackers know this!  Edit your “admin” user by changing its role from “administrator” to “subscriber”. Save the change. Now if a hacker tries to take over the standard “admin” account, they will have no privileges to change anything.
   Note! If you installed your WordPress site using Fantastico, you were probably already prompted to enter your own username and password during setup. Change your password to a strong one if you did not do so originally.

 

4. In the Dashboard navigate to  Settings-General. Make sure that the “Membership-Anyone can register” checkbox is unchecked. Be sure that the “New User Default Role” is set to subscriber.

 

5. This is a good time to add some login protection. Hackers will often try a brute force means of accessing your site by trying thousands of passwords in hopes of discovering the right one. The “Login Lockdown” plugin will, upon activation, deny login access for 60 minutes to anyone who tries 3 wrong passwords in 5 minutes. If you want to adjust these settings, you can modify them on the Login Lockdown configuration page.

 

6. Here’s another plugin that can help keep the wolves at bay. It’s the WordPress Firewall 2 plugin. This plugin does a lot! It monitors your WordPress site for attacks, protects your plugins, and is a Swiss Army Knife of protection…  It is an updated version of the original Firewall plugin by SEOEgghead. You can read about its features at the original plugin homepage.

 

7. Now this is where we start getting more geeky. In the root of your WordPress installation is a file called .htaccess. It can control a lot of things on your website. More than I can go into in this post. Anyway, you can add this following line into the .htaccess file using a text editor.

   # prevent directory browsing
   Options All -Indexes

   Normally browsers can see into folders and report on and even access the files within. To prevent this random viewing website designers put an empty index.html file into each folder. WordPress has many, many folders – too many to make this practical. Making this addition to the .htaccess file denies folder will keep browsers (and people) out of folders where they have no need of access.

    

8. In the WordPress root there is a file named wp-config.php, it’s quite an important file and you don’t want someone to “accidentally” gain access to it as it contains the username and password for your mySQL database connection. We can deny access to it by adding a few more lines to the same .htaccess file that we mentioned in #7.

   # protect wpconfig.php
   <files wp-config.php>
   Order deny,allow
   deny from all
   </files>

 

9. This next tip I found is from Jeff Starr at the Perishable Press website.  Many recent attacks on WordPress have used very long request strings… Much longer than legitimate ones would be. The code below can be copied to make a php file that can be placed in your WP plugin folder. Further explanation may be found at his blog post “Protect WordPress Against Malicious URL Requests”

   <?php /* Plugin Name: Block Bad Queries */
   if (strlen($_SERVER['REQUEST_URI']) > 255 ||
        strpos($_SERVER['REQUEST_URI'], "eval(") ||
   	strpos($_SERVER['REQUEST_URI'], "base64")) {
             @header("HTTP/1.1 414 Request-URI Too Long");
             @header("Status: 414 Request-URI Too Long");
             @header("Connection: Close");
             @exit;
   } ?>

   UPDATE: Instead of copying and pasting the above to make your own plugin, Jeff has uploaded it as a downloadable plugin on WordPress.org – Block Bad Queries (BBQ) Plugin

 

10. WordPress.org suggests replacing the “Secret Keys” in your wp-config.php file with your own secret ones. If you go to the WordPress Secret Key Generator a randomly set will be generated similar to these below (don’t use these.. they wouldn’t be very secret!)
    

    define('AUTH_KEY',        'N!3MZ9+>l-5)=K&+_j7mM+}ZK5UFvZQ E{=*Vzp0Eae+i^oXY]!)B@vFj?x;&y=c');
    define('SECURE_AUTH_KEY', 'OeX>dl;tuRc$w+ehD{2]k%k{3uhH|L|8DNQu[/Np8_&qz_ rp7v+z6YODdjz9%~s');
    define('LOGGED_IN_KEY',   'oOO1smvP?

    Just copy and then paste the secret keys over the ones in your wp-config.php file. Don’t worry about having to remember them, they are used by WordPress to encrypt information.

    UPDATE: I have found an easier way to do this with a downloadable plugin called the WordPress.org – Update Unique Keys Plugin. With this plugin you can periodically change and update your “Unique Keys” from within your WordPress Dashboard… Easy!

Have you forgotten your WordPress Admin password? Did you lose access to your WordPress because you fell prey to the WP password vulnerability and your p/w got hacked? (Problem now corrected with WordPress 2.8.4). Take heart, your password can be reset outside of WordPress by using phpMyAdmin.

CAUTION!

phpMyAdmin allows you to directly edit your WordPress database! You can totally and permanently ruin your WordPress installation and have to start it all over again. While I have attempted to make this tutorial easy-to-follow and and accomplish, I take no responsibility for any problems that may occur from your modification of your WordPress database.  If you are not comfortable with attempting to work on your WP database yourself, find someone technically competent to assist you in restoring your password.

When you set up your webhosting, your host likely gave you a login and password to your account. This would be the place where you set up your email addresses and the like. Most webhosting companies use CPanel as an interface. CPanel makes life much easier!

Anyway, you want to log onto your hosting account and find phpMyAdmin and click it.

Here’s what it looks like in my CPanel…

Click on phpMyAdmin to open the program in your browser. If your phpMyAdmin is the current version (as of this writing), you should see this…

Click on your WordPress database.  You should see the following…

Scroll down to find the row named “wp_users” and click on the “Browse” icon. This will take you to the next screen…

Find the row for the “admin” user and click on the pencil icon to edit the admin password…

Locate the “user_pass” row in the field column. In the “Function” column of that row, click on the dropdown list and select “MD5″. Continue to the “Value” column. What you will see there is an encrypted version of the current password. Click on it and remove it so that there is nothing in that box. Now, enter the password that you want to use for the “admin” account. Don’t worry that it isn’t encrypted, that will be taken care of automatically. Lastly, at the bottom of this last screen, be sure to clock on “Go” to save your change of password.

Congratulations! You should now be able to log into your WordPress with your new password!

So what the heck is a Permalink and why do I care?

Until fairly recently, when you looked at the top of your browser, where you can type in the URLs of sites you want to visit, what you saw up there likely made sense. If you were on the site’s “About” page, at the end of the URL you probably saw … /about.html. If you were on the “Contact” page it said /contact.html. Made sense, didn’t it?

Nowadays what do you see? If its a WordPress site or blog, the end of the URL may say something like   …/post.php?post=447.  What did that mean? Websites all used to be what are called “static” websites. Once a page was up coded and on the web,  its name was there until it needed to change or was taken down. These days many websites and blogs are “dynamic” sites. This means that the content is not fixed and the page is generated on-the-fly as you click around to that page. From a website construction point of view, this makes life a lot easier. For instance – if a website has ten pages and has the same footer information on each page, you don’t have to make those entries on each of the ten pages, you can just write one “footer” file and then just have each page grab that information when it is accessed. (and then with something like WordPress just about everything is actively generated)

Permalink Page

Anyway, those letters, numbers,?’s, etc. mean something to computers… but its mostly gibberish to you and me. The good news is that when WordPress was developed, they put in the capability to change that gobbeldy gook into something decipherable by humans. Unfortunately, WordPress doesn’t come out of the box set to make use of this. Over on the left side of your Administrator panel, click on “Settings” and then “Permalinks”. At the top of the Permalink page, you’ll see a number of choices, including the one that has been pre-chosen for you. At the bottom of that list you’ll see “Custom”. In the space provided enter the following (without the quotes) “%postname%“. Now, when you write a post, the URL for it will show the name of the post as part of the URL. This makes it easier for people to remember and it will help the search engine robots navigate your site more readily.  (look up at the top of this site ↑) Those robots like English as much as we do!

What about those other options? They might be revalent to your site, especially if it is big.  Check out the WordPress Codex for more extensive Permalink information.

Now, one thing to keep in mind! If you have already made pages or posts in your WordPress, don’t go changing the Permalink setting willy-nilly! You can break your site! WordPress will have already cataloged your pages and posts, and if you change the Permalink setting, WordPress will lose track of the names it has already given them. Don’t worry, there are ways around it and I will have a post about how to change things in the middle of the stream.  If you need assistance on that before I get around to writing that post, drop me a line and I’ll fill you in)

Back: I have WordPress Installed-Now What?

Yes, it can even happen to The Web Mechanic!

Recently I thought my website (this website) was running a little slow… but it wasn’t anything that I was concerning myself about very much. Then yesterday, it slowed to a stop! I would try to access a page and my browser would just sit there trying to load the page. I didn’t think it was me, so I contacted my webhost service folks. They could see that there were a bunch of process’ running that were gumming up the works. We both thought it was something spurious but also something to keep an eye on.

The next day I received a couple of “Tweets” telling me that my site was acting odd… The front page was fine, but everything else threw up and error page. Not good!

Well, being the Chief Wrench at the The Web Mechanic, it was time to get under the hood! To make a long story short, I discovered that a WordPress plug in was causing the error. The plugin, called “Tweet This” had, I thought, been running fine, but it had been throwing errors for some time I found out. It just hadn’t gotten to the point of taking my site down …until today. I deactivated “Tweet This” and presto! The Web Mechanic is back up and running!

I have used “Tweet This” in a number of my client’s websites without a problem. (I have now gone back to check) It may be a conflict with a plugin that is on my site and not theirs. Hopefully, the plugin author will soon be able to correct the problem!

My problem with a plugin highlights a strength and a weakness of WordPress. Because WordPress is both “open source” and modular in nature, plugins can and are made by many, many people. They don’t always get the rigorous testing that a commercial product might. If you add a new plugin to your WordPress, keep track of when you added it and note it anything seems “different” about your site. That information could prevent hours of troubleshooting down the line, should a problem arise. The WordPress strength? Because it is robust and modular, once I removed the problem “Tweet This” plugin…

The Web Mechanic was back and working fine…immediately!

When WordPress is installed, it has a number of items that are set up generically. In this lesson I’ll go through some of the items you should take care of. Basic Housekeeping, as it were.

When your WordPress was installed you may or may not (depends on your webhost) have been prompted to supply a user name and password. WP will automatically give you a username of “admin” and a complex password if you are not asked to supply them. You should enter your own easy to remember username and password if requested.

Log onto your WordPress. The basic entry into the WP Dashboard will be wp-login.php i.e. www.xyz.com/wp-login.php

Users

On the left side of your WordPress Dashboard, click on the Users button. You will see a drop-down list and the Authors & Users will automatically be shown.  On this page, at the top, click on admin, this will take you to the Edit User page to edit your information for the user, admin.. Fill in the information requested. The admin account  cannot be deleted. At the bottom of the page you’ll see a place to change the WordPress login password.

Edit User

You can now change the admin password that WordPress assigned to you when it was set up. Change it to something that you can remember easily… but remember to make it a strong password for security reasons!

After you have made the changes to this page, be sure to click on the Save Changes button at the bottom of the page.

You may have seen another user listed when you clicked the Users button. You may want to Add a User. Just click the appropriate button and go through the same procedure as you did with the admin account. The only additional thing to look for is on the Edit User page look for the Roll setting. At this point you will likely want to grant administrator rights. The other settings are relevant if other people will be granted various, lesser, privileges. I’ll cover this in a later lesson.

Settings

Now, look over on the left of your WP-Dashboard (WP ver. 2.7 or greater), look for the Settings tab and click it.

You will see a drop-down menu with a number of items (the items will vary – plugins may add their controls here). Select General.

General

At the top of the General page you will see a few places where you can enter the Name of your blog and the Tagline for your blog. These are important to fill in as they will help the search engines know your blog exists!  The next two spaces are for the URL of your website and blog, respectively. They will probably already be filled in correctly. Follow the onscreen instructions to change them, if necessary. Finally, be sure to enter your e-mail address! There are a few other items on this page, but it is unlikely that you’ll need to change them from their defaults.

After you have made the changes to this page, be sure to click on the Save Changes button at the bottom of the page.

Back: WordPress IntroNext: Permalinks

Do you have a question about WordPress? Is there something that you want to do with your site that you can’t figure out how to do? A problem?

Ask The Web Mechanic!

On Wednesdays I will take questions and provide answers to your WordPress questions. You can fix many of the problems you might have with WordPress yourself, given a point in the right direction. Some problems may need “professional help”… I’ll let you know that as well.

Ask away!

Recently someone I know had a problem with her new blog. She was happy with it and then a friend told her that the blog wasn’t working and that nothing could be seen.  The problem? Her WordPress blog worked fine… in her Firefox browser. But in Internet Explorer, it was broken… Text was missing, funny code-like stuff like "<!--[endif]-->" is displayed, etc.

What happened? Well, she had written her blog entries in Microsoft Word and then copied and pasted the text into the WordPress editor. Unfortunately, Word can put code into what you type (it’s hidden) that when pasted into WordPress can fowl up in IE. WordPress has a Support entry explaining this and how to fix your posts. Please visit http://wordpress.org/support/topic/205637 to learn the specifics. (If it’s too “geeky” for you, drop me a line and I’ll translate )

When you write an entry in your blog there are a couple of ways to do it. You can just type it into the WordPress editor and format it there… You will avoid these kinds of problems.

If you write your post in another program, like Word, you can copy and paste, but don’t just paste it into the WordPress editor. Look at the WordPress editor and you will see two buttons, (for paste from text) and (for paste from Word). If you press “W” and paste your text into the window that pops up, WordPress will apply the formatting from Word so that your post will look like what you have written in in Word… Although there may still be problems as noted in the WordPress Support link above.

If the above still causes you problems, try typing your blog entry in Word and save it as a text document. Then open that file in a text editor like the Windows’ Notepad and copy and paste into WordPress from Notepad.

It’s always good to look at your blog or website in both Firefox and Internet Explorer as well as other browsers, like Opera and Google’s new Chrome – They don’t always present your site in  the same way!