The document provides tips and best practices for securing and optimizing a WordPress site beyond the basic installation. It discusses .htaccess configuration for redirects, file protection, and permalinks. It also covers hardening wp-config.php by changing passwords and salts, prefixing tables, and configuring database settings for different environments. Additional topics include plugins, revisions, debugging, and discussion settings. The presentation aims to advise beginners and developers on security, performance, and maintenance of WordPress sites.

1. Beyond the 5-minute Install
Steve Taylor
http://sltaylor.co.uk
steve@sltaylor.co.uk
@sltayloresque
WordCamp Portsmouth UK 2011

2. Security & best practices
● .htaccess
● wp-config.php
● robots.txt
● functions.php / “functionality plugin”
● Plugins
● Other issues?

3. A bit about me
● Custom theme developer
● No themes released
● A few plugins
This talk
● Advice for beginners 
● Tips for developers 

4. .htaccess
● “hypertext access”
●Controls requests to server before any PHP /
WordPress processing
● Apache only (IIS?)
● Root of website (sub-directories?)
● Sometimes simple, sometimes complex!
http://httpd.apache.org/docs/
http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/

5. www or not www?
● Personal choice / aesthetics
●Both should be accessible; one should redirect (301)
to the other
● Tell Google Webmaster Tools!

6. www or not www?
● Personal choice / aesthetics
●Both should be accessible; one should redirect (301)
to the other
● Tell Google Webmaster Tools!
# Force no “www”
RewriteCond %{HTTP_HOST} ^www.example.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

7. www or not www?
● Personal choice / aesthetics
●Both should be accessible; one should redirect (301)
to the other
● Tell Google Webmaster Tools!
# Force no “www”
RewriteCond %{HTTP_HOST} ^www.example.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]
# Force “www”
RewriteCond %{HTTP_HOST} ^example.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

8. Protect important files
●# Protect .htaccess files
<Files .htaccess>
order allow,deny
deny from all
</Files>
●# Protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</FilesMatch>

9. WordPress pretty permalinks

10. WordPress pretty permalinks
Include at end of .htaccess:
●# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

11. WordPress pretty permalinks
Really bad idea for big sites:

12. WordPress pretty permalinks
Really bad idea for big sites:
Better:
http://ottopress.com/2010/category-in-permalinks-considered-harmful/
http://codex.wordpress.org/Using_Permalinks

13. wp-config.php
● Create your own wp-config-sample.php
●Check the file for new stuff in new versions of
WordPress
● Edit and initialize BEFORE installing WordPress!
http://codex.wordpress.org/Editing_wp-config.php
http://digwp.com/2010/08/pimp-your-wp-config-php/

14. Server-dependent settings
●// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');
●/** MySQL database username */
define('DB_USER', 'username_here');
●/** MySQL database password */
define('DB_PASSWORD', 'password_here');
●/** MySQL hostname */
define('DB_HOST', 'localhost');

15. Server-dependent settings
●switch ( $_SERVER['HTTP_HOST'] ) {
case 'dev.example.com': {
// Dev server
define( 'DB_NAME', 'aef4RgX_mysitedev' );
define( 'DB_USER', 'aef4RgX_mysitedev' );
define( 'DB_PASSWORD', 'Jyt6v48jS9frkGgZyS5iIjif6LnosuYr' );
define( 'DB_HOST', 'localhost' );
break;
}
default: {
// Live server
define( 'DB_NAME', 'sd6FE2xc_mysitelive' );
define( 'DB_USER', 'sd6FE2xc_mysitelive' );
define( 'DB_PASSWORD', 'as3d56JvDlPisYwU7c1nfZ3Yct0NEiZR' );
define( 'DB_HOST', 'localhost' );
break;
}
}
https://www.grc.com/passwords.htm

16. Authentication Keys and Salts
Change them for every installation!
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
https://api.wordpress.org/secret-key/1.1/salt/

17. Database table prefix
The default:
$table_prefix = 'wp_';

18. Database table prefix
The default:
$table_prefix = 'wp_';
Much better:
$table_prefix = 'a3rfGtQ1_';

19. Database table prefix
When coding database queries, don’t use hard-coded
table names!

20. Database table prefix
When coding database queries, don’t use hard-coded
table names!
A standard WP table:
global $wpdb;
$custom_query = $wpdb->get_results( “SELECT ID, post_title FROM
$wpdb->posts” );

21. Database table prefix
When coding database queries, don’t use hard-coded
table names!
A standard WP table:
global $wpdb;
$custom_query = $wpdb->get_results( “SELECT ID, post_title FROM
$wpdb->posts” );
A custom table:
global $wpdb;
$custom_query = $wpdb->get_results( “SELECT field FROM ” .
$wpdb->prefix . “table” );
http://codex.wordpress.org/Class_Reference/wpdb

22. Server needs FTP for upgrades?
define( "FTP_HOST", "ftp.example.com" );
define( "FTP_USER", "myftpuser" );
define( "FTP_PASS", "hQfsSITtKteo1Ln2FEhHlPkXZ" );

23. Debugging
define( 'WP_DEBUG', true );

24. Debugging
define( 'WP_DEBUG', true );
http://dev.example.com/?debug=1
●switch ( $_SERVER['HTTP_HOST'] ) {
case 'dev.example.com': {
// Dev server
define( 'WP_DEBUG', isset( $_GET['debug'] ) );
break;
}
default: {
// Live server
define( 'WP_DEBUG', false );
break;
}
}

25. Control revisions and autosave
// Only keep 3 revisions of each post
define( 'WP_POST_REVISIONS', 3 );

26. Control revisions and autosave
// Only keep 3 revisions of each post
define( 'WP_POST_REVISIONS', 3 );
// Don’t keep revisions of posts
define( 'WP_POST_REVISIONS', false );

27. Control revisions and autosave
// Only keep 3 revisions of each post
define( 'WP_POST_REVISIONS', 3 );
// Don’t keep revisions of posts
define( 'WP_POST_REVISIONS', false );
// Autosave posts interval in seconds
define( 'AUTOSAVE_INTERVAL', 60 );

28. Disable plugin and theme editing
define( 'DISALLOW_FILE_EDIT', true );

29. robots.txt
User-agent: *
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /trackback
Disallow: /feed
Disallow: /comments
Disallow: /category/*/*
Disallow: */trackback
Disallow: */feed
Disallow: */comments
Disallow: /*?*
Disallow: /*?
Allow: /wp-content/uploads
Sitemap: http://example.com/sitemap.xml
http://codex.wordpress.org/Search_Engine_Optimization_for_WordPress#Robots.txt_Optimization

30. Custom theme functions.php /
“functionality” plugin
● Snippets not worth making into a plugin
● Plugin is more portable
● Check out /mu-plugins/
http://justintadlock.com/archives/2011/02/02/creating-a-custom-functions-plugin-for-end-users
http://wpcandy.com/teaches/how-to-create-a-functionality-plugin
http://codex.wordpress.org/Must_Use_Plugins

31. Disable upgrade notifications for
people who can't do upgrades
if ( ! current_user_can( 'update_core' ) ) {
add_action( 'init', create_function( '$a', "remove_action( 'init',
'wp_version_check' );" ), 2 );
add_filter( 'pre_option_update_core', create_function( '$a', "return
null;" ) );
}

32. Remove nofollow from
comments
remove_filter( 'pre_comment_content', 'wp_rel_nofollow' );
add_filter( 'get_comment_author_link', 'slt_dofollow' );
add_filter( 'post_comments_link', 'slt_dofollow' );
add_filter( 'comment_reply_link', 'slt_dofollow' );
add_filter( 'comment_text', 'slt_dofollow' );
function slt_dofollow( $str ) {
$str = preg_replace(
'~<a ([^>]*)s*(["|']{1}w*)s*nofollow([^>]*)>~U',
'<a ${1}${2}${3}>', $str );
return str_replace( array( ' rel=""', " rel=''" ), '', $str );
}
}
http://digwp.com/2010/04/wordpress-custom-functions-php-template-part-2/

33. Better default display names
add_action( 'user_register', 'slt_default_user_display_name' );
function slt_default_user_display_name( $user_id ) {
$first = get_usermeta( $user_id, 'first_name' );
$last = get_usermeta( $user_id, 'last_name' );
$display = $first . " " . $last;
wp_update_user( array( "ID" => $user_id, "display_name" => $display )
);
}

34. Plugins
Force Strong Passwords. Copies WordPress's JavaScript
password strength meter into PHP and forces “executive” users
to have a strong password when updating their profile.
http://wordpress.org/extend/plugins/force-strong-passwords/
Google XML Sitemaps (or equivalent).
http://wordpress.org/extend/plugins/google-sitemap-generator/
Use Google Libraries.
http://wordpress.org/extend/plugins/use-google-libraries/
WordPress Database Backup.
http://wordpress.org/extend/plugins/wp-db-backup/

35. Other issues
● File permissions
http://codex.wordpress.org/Hardening_WordPress#File_permissions
● .htpasswd for /wp-admin/
● Settings > Discussion

36. Cheers!
http://sltaylor.co.uk
@sltayloresque