How to make WordPress secure

Want to make WordPress secure? Then let’s harden it now! OK this is going to be a long article that I’ll add to as “best practice” changes with new releases.  For starters, let’s clear up what I’m trying to teach.  What we are doing here is limiting access by people who are trying to compromise your WordPress installation. And they are out there, believe me.

So first off, the easy stuff….

  1. Keep WordPress and your plugins updated. You can lock down WP all you want, but one outdated plugin can leave you wide open to the world.
  2. Keep your server up to date. Vulnerabilities in older versions of PHP and other server software mean an attacker can get in without touching the WordPress installation at all.
  3. Shared hosting. I personally don’t use this as it can severely compromise security: even if you do all the locking down possible, another customer on the same server may leave gaps wide open. If you want reliable VPS hosting I recommend taking a look at Servint dedicated and VPS hosting.
  4. Use decent antivirus and antimalware on your own PC. Most compromised sites are taken over through stolen or guessed passwords, and if malware on your PC captures your FTP password then it’s ‘Game Over’. Use Kaspersky and MalwareBytes for a great solution.
  5. Choose strong passwords. Never underestimate how quickly a computer can guess most passwords: “Password”, “abc123” and “Letmein” fall in minutes, and pets’ names, people’s names and car names are easily guessed too. Go for length first, mix in digits and symbols such as $ or !, and never reuse the WordPress password anywhere else.


WordPress file permissions

Now let’s move on to WordPress file permissions.  These are most people’s nightmare but it doesn’t have to be difficult.  All files should be owned by your account and writable only by you. For directories, if you use SuPHP on your server (and I recommend you do) they should all be 755. If not using SuPHP then follow these rules:

  • /wp-content/plugins/ These are the plugin files. All files should be writable only by your user account.
  • /wp-includes/ WordPress’s ‘logic’ files.  All files should be writable only by your user account.
  • /wp-content/themes/ Your theme files. If you want to use the built-in theme editor, all files need to be group writable. If not, all files can be writable just by your user account
  • /wp-admin/ This is the WordPress admin area. All files should be writable only by your user account.
  • /wp-content/ This is for your user-supplied content (uploads, cache files). Your user account and the web server process both need to write here. Give the web server write access through the group it runs as rather than making the directory world-writable (777): a world-writable directory lets any other process on the server drop files into your site.

For other directories under /wp-content/ you should read the relevant plugin or theme documentation.  Err on the side of caution here though, locking down first and working backwards to release permissions where required.

For novices looking for a quick guide, if you are not using SuPHP then do this:

Set all directories to 755 and all files to 644. On a shared server, also restrict wp-config.php, which holds your database username and password, so that no other user can read it. Where PHP runs as your own user (SuPHP) 440 or 400 is enough; where PHP runs as a separate web server user, that user must still be able to read the file, so use a mode such as 640 with the file in the web server’s group. 750 also keeps “other” out, but the execute bit does nothing useful for a PHP file. Whatever you pick, reload the site afterwards to confirm it still connects to the database.
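As an added example (my own script, not code from the original post), here is a small POSIX shell helper that applies the baseline above to a whole install and then reports anything still writable by group or other, which is the check worth running after every upgrade. The wp-config.php mode is a parameter because, as discussed above, the right value depends on which user PHP runs as: the default 440 assumes PHP runs as your own account, and 640 is the assumed value for a separate web server user in your group.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the baseline
# described above (directories 755, files 644, wp-config.php locked down)
# to a WordPress install and reports anything left writable by group or other.
# Assumption: the default wp-config.php mode of 440 suits hosts where PHP runs
# as your own user (SuPHP/suEXEC); pass 640 where PHP runs as a separate web
# server user that belongs to your group, so that user can still read it.
# Usage: harden_wp_perms /path/to/wordpress [wp-config mode]

harden_wp_perms() {
    root="$1"
    cfg_mode="${2:-440}"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # Directories: owner may write, everyone else may only list/traverse.
    find "$root" -type d -exec chmod 755 {} +
    # Files: owner may write, everyone else (including the web server) may read.
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php carries the database credentials: no access for "other".
    if [ -f "$root/wp-config.php" ]; then
        chmod "$cfg_mode" "$root/wp-config.php"
    fi
    # If the web server must write to wp-content/uploads, re-add group write
    # there afterwards instead of making it world-writable.
}

# List files and directories that are still group- or world-writable.
# Run after every core or plugin upgrade; an empty result is the goal.
# Uses the POSIX "-perm -mode" form (all listed bits set) so it works on
# both GNU and BSD find.
find_loose_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}
```

Source the file and call harden_wp_perms on the document root; run find_loose_perms afterwards and investigate any path it prints, since a plugin that quietly chmods its own directory to 777 is exactly what this catches.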


Since WordPress 2.7 you have been able to update the core installation with one click from the dashboard (fully automatic background updates for minor releases came later, in 3.7). It is remarkably stable and well tested so I recommend you use it. The great thing is that after the update, the files it writes are 644 and the directories 755, writable only by the owning user. They are still readable by everyone else, including the web server.

This now leads us on to ‘security by obscurity’. In other words, making the default stuff different so attackers spend more time at the first hurdle. Here are my top tips for quick and easy fixes.

  1. Stop showing the WP version you are currently running. Why? Well, if you are running an older WordPress version with a known vulnerability then you effectively display this to the world. There are numerous plugins to do this for you but you can simply add remove_action('wp_head', 'wp_generator'); to your theme’s functions.php file (inside its existing <?php block). Note that there are other ways of finding out the version a WP site runs, the readme.html shipped in the web root being the obvious one, so consider deleting that file too; this tip just hides the obvious.
  2. Rename the admin account, so that password-guessing scripts can’t assume the username. I do this on a new install from within Fantastico but you can also create a new administrator account from WordPress’s back end and delete the default admin account. You will be prompted to pass ownership of all the deleted user’s posts to the new admin, which is recommended.
  3. Change the WordPress database table prefix. A lot of the WordPress-specific SQL injection scripts assume the table prefix is “wp_”, so changing it stops those automated attacks from working as written. It does not fix an injection flaw itself (a hands-on attacker can still look up the real table names), so treat this as a speed bump rather than a patch.

Finally, 3 words I can’t stress the importance of……Backup, Backup and Backup.  Don’t hesitate to make this a priority. For a complete backup AND a brilliant way to clone your entire site check out the excellent WP-Twin WordPress Clone Software. This not only creates a FULL backup of WordPress’s database, but it backs up all other files and folders for you. It will enable you to move your installation across servers too, something most backup software won’t do. Most blogs can be completely cloned and backed up in a few minutes without any technical knowledge.

Good luck and hope this helps you to make WordPress secure.



Stop the annoying FTP username and password prompt in WordPress

When upgrading plugins, or even WordPress itself, you can get the FTP prompt asking for your server username and password. Here’s what I use to stop it:

Navigate to your wp-config.php file on the server. Download it to your computer and add the following lines (use straight quotes; curly quotes pasted from a word processor will break PHP):

// From https://www.pcrepairmansblog.com
// Stop the username and password prompt when upgrading plugins
define('FTP_HOST', 'ftp.yoursite.com');
define('FTP_USER', 'Your_FTP_Username');
define('FTP_PASS', 'Your_FTP_password');
// If your host supports FTP over SSL set this to true, otherwise leave it false
define('FTP_SSL', false);

Upload it back to the server. That’s it, you’re set to go!

Two caveats. The prompt only appears because the PHP process cannot write to the WordPress files as their owner; on a server where PHP runs as your own user (SuPHP, as recommended above) WordPress writes the files directly and never asks, and setting FS_METHOD to 'direct' in wp-config.php tells it to do so without storing any credentials at all. If you do store them, your FTP password is now sitting in plain text in wp-config.php, so the permission advice for that file matters even more, and unless FTP_SSL is true it travels over plain FTP every time WordPress uses it.


Cheap freelance work on Friskk

If you are looking for cheap freelance work then one site stands out above all others. Friskk has high quality services by freelancers from around the world. Starting from a ridiculously low $5 (about £3.17 at today’s exchange rates!) Friskk users offer services in many different sectors.

Want a WordPress site cloning then moving to another server? $10

Want a new logo for your website, designed and built to a high standard? $15

See the PCRepairMan up top? He was designed and built using services found on Friskk.com.

Other cheap freelance work includes video intros, cheap website backlinks, zombie transformations to photos of your friends, singing birthday videos….sky’s the limit really.  Some of the imagination is incredible and for gift ideas this site is really top notch.  Each service offered is for a fixed price and these are called ‘gigs’. On completion of the gig you pay the service provider an agreed fee. You pay nothing to register, and no fees to the website. How cool is that?  If you want to sell a service then you would pay a small commission on the final sale price.  If you don’t see the service you need, then you can request a service using the instant suggestion box.

Cheap freelance work by professionals

Many of the users on Friskk are professionals in their field, looking to earn extra money with small projects. This means that they often finish the project in very good time and can deliver excellent results.

So have a look around, see what’s on offer and get something unique for less than the price of a Starbucks!    www.friskk.com



Website waits for lite.piclens.com

The problem is caused by the NextGen Gallery and its default settings with PicLens

The usually fantastic NextGEN Gallery plug-in can cause this issue.  It shows in the status bar of the browser as waiting for lite.piclens.com

The simplest solution!

Disable PicLens by logging into the back end of the site then choosing “Gallery”, “Options” and unticking “Activate PicLens/CoolIris support”

You will now notice that website load speeds are faster as there is no external request to PicLens.


Tim Thumb exploit – vulnerability found in popular script

The popular image resizing library TimThumb, used in many a good WordPress theme, has had a serious vulnerability exploited in the wild. TimThumb could fetch images from a list of “allowed” remote sites, but the check only looked for the allowed name somewhere in the hostname, so an attacker could serve a file from a domain they controlled, have TimThumb save it into its cache directory and then request it there, running their own PHP code on your server. As many people are aware, running malicious PHP code can easily compromise a website or an entire server.

We recommended deleting timthumb.php or thumb.php, or indeed the complete theme or plugin, when this zero-day exploit was announced. A later version of TimThumb is available that patches this vulnerability.

If the file exists in a theme or plugin that you’re no longer using you may want to remove the entire theme or just the relevant plugin directory. After you remove the TimThumb library, check your site is still working as it should.

If using the later version, check that ALLOW_EXTERNAL is set to false, like this:

define( 'ALLOW_EXTERNAL', false );

then find the $allowedSites array inside the file and empty it, so that no remote domain is trusted for downloads at all:

$allowedSites = array();
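As an added example (my own script, not from the original post or the TimThumb project), here is a POSIX shell audit that finds every timthumb.php or thumb.php under a WordPress tree and reports its VERSION constant, its ALLOW_EXTERNAL setting and whether $allowedSites is empty, flagging any copy that still permits remote fetching. The file names and the define ('NAME', value) layout are the ones the post and the script use; the regular expressions assume that layout and report “unknown” or “unset” for copies written differently, which is itself a prompt to open the file. The two sample copies it can build are constructed demo data.

```shell
#!/bin/sh
# Added example, not code from the original post or from TimThumb itself.
# Audits copies of TimThumb under a WordPress tree for the remote-fetch
# settings discussed above. Assumptions: the files are named timthumb.php
# or thumb.php and use the "define ('NAME', value);" layout.

# Print one report line for a single TimThumb file.
# Returns 0 when remote fetching is off (ALLOW_EXTERNAL false and
# $allowedSites empty), 1 when the copy should be updated or removed.
timthumb_status() {
    f="$1"
    ver=$(sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
    ext=$(sed -n "s/.*define *( *'ALLOW_EXTERNAL' *, *\([A-Za-z]*\).*/\1/p" "$f" \
          | head -n 1 | tr 'A-Z' 'a-z')
    # An empty array written as "array()" on one line is the hardened form
    # shown in the post; anything else is treated as a populated whitelist.
    if grep -Eq '^\$allowedSites[[:space:]]*=[[:space:]]*array[[:space:]]*\([[:space:]]*\)' "$f"; then
        sites=empty
    else
        sites=populated
    fi
    if [ "$ext" = "false" ] && [ "$sites" = "empty" ]; then
        verdict=ok
        rc=0
    else
        # A missing ALLOW_EXTERNAL define means an old copy that predates the setting.
        verdict=REMOTE-FETCH-POSSIBLE
        rc=1
    fi
    echo "$f version=${ver:-unknown} allow_external=${ext:-unset} allowedSites=$sites $verdict"
    return $rc
}

# Walk a WordPress tree and report every TimThumb copy found.
audit_timthumb() {
    find "$1" -type f \( -name timthumb.php -o -name thumb.php \) | sort |
    while IFS= read -r f; do
        timthumb_status "$f" || true
    done
}

# Build a throwaway tree with two constructed sample copies (demo data only):
# an old, wide-open copy and a hardened one. Prints the tree's root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/old-theme/scripts" "$root/wp-content/themes/new-theme"
    cat > "$root/wp-content/themes/old-theme/scripts/timthumb.php" <<'EOF'
<?php
// constructed sample: no ALLOW_EXTERNAL define, populated whitelist
define ('VERSION', 'sample-old');
$allowedSites = array (
    'flickr.com',
    'picasa.com',
);
EOF
    cat > "$root/wp-content/themes/new-theme/thumb.php" <<'EOF'
<?php
// constructed sample: hardened as the post recommends
define ('VERSION', 'sample-new');
define ('ALLOW_EXTERNAL', false);
$allowedSites = array();
EOF
    echo "$root"
}
```

Source the file and run audit_timthumb against your document root; audit_timthumb "$(make_sample_tree)" shows the two report lines on the constructed samples. The script does not decide which VERSION is current, it only surfaces the value so you can compare it with the latest release before deleting or replacing the file.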

Fatal error cannot redeclare class TextStatistics Easy WP Seo

Problem: You try to save a draft, publish or update a post in WordPress and you get:

Fatal error: Cannot redeclare class TextStatistics in /home/nasalcon/public_html/wp-content/plugins/easywpseo/onpageseo-readability.php on line 35

This is caused by a conflict between Yoast’s excellent WP SEO plugin and the (equally excellent) Easy WP SEO plugin. It was triggered on the v1.2 update of the Yoast plugin that happened on 12th June 2012. Now I’ll make it clear that the problem does not appear to be with Yoast’s plugin, it seems to be the fact that both are using the php Text Statistics code released here:

https://code.google.com/p/php-text-statistics/

I have contacted the developer of EasyWP SEO but, to date, have had no reply. Since it renders a website unable to create posts, I thought I’d better write a fix for my clients and for those of you who use both plugins. I have added a small text link to this article in case the developer updates the plugin, I’ll let you know here if he does.

Many people use Yoast’s plugin for its useful sitemap and meta description functionality and have no need for the SEO scoring tools that were introduced in the last update as they use alternative plugins.

The TextStatistics fix

What I have done is modified the code to temporarily disable the calls to the readability class within Easy WP SEO.  Most, if not all of my clients do not use the Flesch-Kincaid Reading Ease tests in the ‘Readability’ section so this has no adverse effect.

To apply my fix, you’ll need to update just 2 files on your server. I presume that you are familiar with FTP and unzipping, let me know if not. I’ll also presume you are running the latest version of Easy WP SEO (v1.6 or 1.6.2), I am unable to check any backwards compatibility. My method does create backups of both files though so should be very safe.

Download the zip file here (UPDATE – THIS IS NO LONGER NECESSARY, THE AUTHOR HAS NOW FIXED THE PROGRAM) and follow this method:

  • Extract the files onto your desktop, they’ll be in a folder called PCRMB-EWPSEO-fix-v1.
  • Using an FTP client, navigate to wp-content/plugins/easywpseo/ and rename the file “onpageseo-admin.php” to “onpageseo-adminBAK.php”
  • Copy the extracted file “onpageseo-admin.php” from your new desktop folder to wp-content/plugins/easywpseo/
  • Now navigate to wp-content/plugins/easywpseo/templates/ and rename the file “admin-score-metabox.php” to “admin-score-metaboxBAK.php”
  • Copy the extracted file “admin-score-metabox.php” to wp-content/plugins/easywpseo/templates/

Create a test post and fill in some keywords in the Easy WP SEO box. You should now have no conflict between Yoast’s WP SEO and Easy WP SEO.

Please note that you should not fill in the WP SEO ‘Focus Keyword’ as you are choosing to keep the more graphical Easy WP SEO tool as the primary SEO scoring indicator.

Please drop me a comment below or click one of the social buttons if this helped you. Also please let me know if you get any other errors.



Yoast WordPress SEO double title fix

If you are getting a double title appear in the tab of your browser as you hover over it, there is a good chance that it’s because you have WordPress SEO by Yoast installed. Often just ticking the box ‘Force overwrite titles’ (from the Titles and Metas section on the General tab) will suffice, but I have seen this on many customer themes where it doesn’t work and usually gives the address as a simple URL. Not great for SEO!

Here’s the fix. Look in your WordPress theme files for header.php and then open it in Notepad or ideally Notepad++. Now look for this line or similar (it differs from theme to theme):

<?php wp_title('|',true,'right'); ?>
<?php bloginfo('name'); ?>

Now replace it with:

<?php wp_title(''); ?>

Upload this file to your WordPress theme, overwriting the existing header.php.

Make sure ‘Force overwrite titles’ is still unticked. Save your changes and empty any caches you have, e.g. W3 Total Cache. Check your category titles and post/page titles; they should be fixed!



Manage multiple WordPress sites with WPRemote

Looking for an easy way to manage updates on multiple WordPress websites? Well there’s a new tool in town and it’s called WP Remote. Here’s a brief review.

This nifty tool installs on WP sites via a small plugin and gives you a single console from which to monitor your sites for plugin updates, theme updates and WordPress updates. You can apply the updates from the console so no need to login to any site after the initial plugin install. Not only that but it allows manual backups of files and MySQL databases in one click. Fiddly and incomplete WordPress backups are a thing of the past, you can expect to add the site to the console, update all plugins and themes and do a complete backup within a few minutes. Stunning.

It’s free, easy to setup, minimalist, stable and incredibly useful. And no, I don’t own the company, just thought you might like it as much as I do. Look out for this company over the next few months as I think this is going to be very popular!

https://wpremote.com


How to force a line break in WordPress

Many bloggers complain that they can’t see how to force a line break in WordPress. It has been a problem right from its inception to the current iteration (3.4.1 as I write). The problem stems from the way that WordPress’s built-in editor, TinyMCE, handles spaces and returns. Adding break and paragraph tags (for example <br> and <p>) in the HTML editor doesn’t work as they are stripped out on publishing. And as for combining this with images, they float in some pretty bizarre places, making the formatting of some pages look simply dreadful.

So we could try to update TinyMCE.  There is a fix we can do, but for the sake of brevity I won’t post it because every time WordPress gets updated this will be overwritten. This makes the TinyMCE fix not suitable for most people who want a permanent solution.

So here is the best solution I have found, simple and effective. It involves going into the HTML tab of the visual editor (at the top of where you type your post content). Select this and position your cursor where you want the line break to occur.

Add <br class="blank"> anywhere you want your line break to appear, usually after some plain text.

Update your post and view it, you should see the elusive WordPress line break has appeared. If you have the time, please drop me a comment below if it works for you.



How to display all posts in a category in WordPress sidebar

Had a few requests by clients to do this and the code is pretty simple (it goes in your theme’s sidebar template):

<li id="recent-posts">
<h2>Our services</h2>
<ul>
<?php
// Fetch the ten newest posts in the category with slug "abc123".
// WP_Query is used rather than query_posts(), which clobbers the main query
// and can break pagination elsewhere on the page.
$services = new WP_Query( array( 'category_name' => 'abc123', 'posts_per_page' => 10 ) );
if ( $services->have_posts() ) :
    while ( $services->have_posts() ) : $services->the_post(); ?>
<li><a href="<?php the_permalink(); ?>"><?php the_title(); ?></a></li>
<?php
    endwhile;
    wp_reset_postdata(); // restore the global $post for the rest of the sidebar
endif;
?>
</ul>
</li>

Replace abc123 in the example above with your actual category slug and change the number after posts_per_page to the quantity you wish to display (showposts is the old, deprecated name for the same setting).