
Beyond the WordPress 5 minute Install

The slides for the talk I gave at WordCamp Portsmouth UK 2011, 16/7/11. It basically covers some security and best practices hints and tips that aren't part of the standard WordPress installation.

Comments:
  • An update on the permalink issue... /%postname%/ permalinks should no longer be a problem as of WP 3.3. See http://core.trac.wordpress.org/ticket/16687

  1. Beyond the 5-minute Install
     Steve Taylor
     http://sltaylor.co.uk
     steve@sltaylor.co.uk
     @sltayloresque
     WordCamp Portsmouth UK 2011
  2. Security & best practices
     ● .htaccess
     ● wp-config.php
     ● robots.txt
     ● functions.php / “functionality plugin”
     ● Plugins
     ● Other issues?
  3. A bit about me
     ● Custom theme developer
     ● No themes released
     ● A few plugins
     This talk
     ● Advice for beginners
     ● Tips for developers
  4. .htaccess
     ● “hypertext access”
     ● Controls requests to the server before any PHP / WordPress processing
     ● Apache only (IIS?)
     ● Root of website (sub-directories?)
     ● Sometimes simple, sometimes complex!
     http://httpd.apache.org/docs/
     http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
  5-7. www or not www?
     ● Personal choice / aesthetics
     ● Both should be accessible; one should redirect (301) to the other
     ● Tell Google Webmaster Tools!

       RewriteEngine On

       # Use ONE of the two blocks below, not both.

       # Force no “www” (dots in the host pattern are escaped so they match literally)
       RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
       RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

       # Force “www”
       RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
       RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
  8. Protect important files

       # Protect .htaccess files
       <Files .htaccess>
         order allow,deny
         deny from all
       </Files>

       # Protect wp-config.php
       <Files wp-config.php>
         order allow,deny
         deny from all
       </Files>

       # (On Apache 2.4+ the two lines inside each block become: Require all denied)
  9-10. WordPress pretty permalinks
     Include at end of .htaccess:

       # BEGIN WordPress
       <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteBase /
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule . /index.php [L]
       </IfModule>
       # END WordPress
  11-12. WordPress pretty permalinks
     Really bad idea for big sites: (permalink structure shown as a screenshot on the slide)
     Better: (screenshot)
     http://ottopress.com/2010/category-in-permalinks-considered-harmful/
     http://codex.wordpress.org/Using_Permalinks
  13. wp-config.php
     ● Create your own wp-config-sample.php
     ● Check the file for new stuff in new versions of WordPress
     ● Edit and initialize BEFORE installing WordPress!
     http://codex.wordpress.org/Editing_wp-config.php
     http://digwp.com/2010/08/pimp-your-wp-config-php/
  14. Server-dependent settings

       // ** MySQL settings - You can get this info from your web host ** //
       /** The name of the database for WordPress */
       define( 'DB_NAME', 'database_name_here' );

       /** MySQL database username */
       define( 'DB_USER', 'username_here' );

       /** MySQL database password */
       define( 'DB_PASSWORD', 'password_here' );

       /** MySQL hostname */
       define( 'DB_HOST', 'localhost' );
  15. Server-dependent settings

       switch ( $_SERVER['HTTP_HOST'] ) {
           case 'dev.example.com': {
               // Dev server
               define( 'DB_NAME', 'aef4RgX_mysitedev' );
               define( 'DB_USER', 'aef4RgX_mysitedev' );
               define( 'DB_PASSWORD', 'Jyt6v48jS9frkGgZyS5iIjif6LnosuYr' );
               define( 'DB_HOST', 'localhost' );
               break;
           }
           default: {
               // Live server
               define( 'DB_NAME', 'sd6FE2xc_mysitelive' );
               define( 'DB_USER', 'sd6FE2xc_mysitelive' );
               define( 'DB_PASSWORD', 'as3d56JvDlPisYwU7c1nfZ3Yct0NEiZR' );
               define( 'DB_HOST', 'localhost' );
               break;
           }
       }
     https://www.grc.com/passwords.htm
  16. Authentication Keys and Salts
     Change them for every installation!

       define( 'AUTH_KEY',         'put your unique phrase here' );
       define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
       define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
       define( 'NONCE_KEY',        'put your unique phrase here' );
       define( 'AUTH_SALT',        'put your unique phrase here' );
       define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
       define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
       define( 'NONCE_SALT',       'put your unique phrase here' );
     https://api.wordpress.org/secret-key/1.1/salt/
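The slide says to change the keys and salts for every installation. The script below is an added example, not code from the talk: it generates the eight values locally with PHP's CSPRNG (so no network request is needed) and checks an existing wp-config.php for values still left at the placeholder. The constant names are the real WordPress ones; the script name, the 32-character "too short" threshold and the file path argument are assumptions.

```php
<?php
// Added example (not from the slides): generate and audit wp-config.php keys/salts.
// Run from the command line:  php wp-salts.php [/path/to/wp-config.php]   (path is an assumption)

const WP_SALT_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

/** One 64-character value (the length api.wordpress.org returns) from a cryptographic RNG. */
function wp_random_salt( int $length = 64 ): string {
    // Printable ASCII without quotes or backslash, so the value drops into a single-quoted PHP string.
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{}<>?,.;:~|';
    $max      = strlen( $alphabet ) - 1;
    $out      = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $out .= $alphabet[ random_int( 0, $max ) ]; // random_int() is cryptographically secure
    }
    return $out;
}

/** The define() block to paste into wp-config.php, one fresh value per constant. */
function wp_salt_block(): string {
    $lines = [];
    foreach ( WP_SALT_NAMES as $name ) {
        $lines[] = sprintf( "define( '%s', '%s' );", $name, wp_random_salt() );
    }
    return implode( "\n", $lines ) . "\n";
}

/** Names of keys/salts in $config that are missing, still the placeholder, or shorter than 32 chars. */
function wp_find_default_salts( string $config ): array {
    $weak = [];
    foreach ( WP_SALT_NAMES as $name ) {
        $pattern = '/define\(\s*[\'"]' . preg_quote( $name, '/' ) . '[\'"]\s*,\s*[\'"](.*?)[\'"]\s*\)/';
        if ( ! preg_match( $pattern, $config, $m )
            || $m[1] === 'put your unique phrase here'
            || strlen( $m[1] ) < 32 ) {
            $weak[] = $name;
        }
    }
    return $weak;
}

if ( PHP_SAPI === 'cli' ) {
    // With a file argument, audit it; without one, treat all eight as needing values.
    $weak = isset( $argv[1] ) ? wp_find_default_salts( file_get_contents( $argv[1] ) ) : WP_SALT_NAMES;
    if ( $weak ) {
        echo "Set or replace these keys/salts in wp-config.php:\n  " . implode( "\n  ", $weak ) . "\n\n" . wp_salt_block();
    } else {
        echo "All keys and salts are set.\n";
    }
}
```

Changing any of these values invalidates every existing login cookie and nonce for that site, which is exactly what you want after an installation is cloned or a config file has leaked.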
  17-18. Database table prefix
     The default:
       $table_prefix = 'wp_';
     Much better:
       $table_prefix = 'a3rfGtQ1_';
  19-21. Database table prefix
     When coding database queries, don’t use hard-coded table names!
     A standard WP table:
       global $wpdb;
       $custom_query = $wpdb->get_results( "SELECT ID, post_title FROM $wpdb->posts" );
     A custom table:
       global $wpdb;
       $custom_query = $wpdb->get_results( "SELECT field FROM " . $wpdb->prefix . "table" );
     http://codex.wordpress.org/Class_Reference/wpdb
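The slide's queries take the table name from $wpdb, which is the portable part; the added example below (not from the talk) extends the same two cases to queries that carry user-supplied values, using $wpdb->prepare() so those values are escaped rather than interpolated. It assumes a running WordPress (the real $wpdb object and its prepare(), get_var(), get_results() and esc_like() methods); the function names and the custom table "{$wpdb->prefix}events" are assumptions.

```php
<?php
// Added example (not from the slides): prefix-aware queries with $wpdb->prepare().
// Lives in functions.php or a functionality plugin; needs WordPress loaded.

/** Title of a published post by ID, from the core posts table; null when there is no such row. */
function slt_example_post_title( int $post_id ): ?string {
    global $wpdb;
    // %d for the integer ID, %s for the status; prepare() quotes and escapes the values.
    $sql = $wpdb->prepare(
        "SELECT post_title FROM {$wpdb->posts} WHERE ID = %d AND post_status = %s",
        $post_id,
        'publish'
    );
    return $wpdb->get_var( $sql );
}

/** Rows from an assumed custom table matching a search term, as associative arrays. */
function slt_example_search_events( string $term, int $limit = 20 ): array {
    global $wpdb;
    // The table name is built from the prefix, never from request data, so it is
    // safe to interpolate; the LIKE value goes through esc_like() and then %s.
    $table = $wpdb->prefix . 'events'; // assumed custom table created with the same prefix
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE title LIKE %s ORDER BY title LIMIT %d",
        $like,
        $limit
    );
    return $wpdb->get_results( $sql, ARRAY_A ) ?: [];
}
```

Identifiers (table and column names) cannot be passed through prepare() placeholders, so the rule of thumb is: names come from $wpdb or from constants in your code, values come through placeholders.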
  22. Server needs FTP for upgrades?
       define( "FTP_HOST", "ftp.example.com" );
       define( "FTP_USER", "myftpuser" );
       define( "FTP_PASS", "hQfsSITtKteo1Ln2FEhHlPkXZ" );
  23-24. Debugging
       define( 'WP_DEBUG', true );

     http://dev.example.com/?debug=1

       switch ( $_SERVER['HTTP_HOST'] ) {
           case 'dev.example.com': {
               // Dev server: debug output only when ?debug=1 is in the URL
               define( 'WP_DEBUG', isset( $_GET['debug'] ) );
               break;
           }
           default: {
               // Live server
               define( 'WP_DEBUG', false );
               break;
           }
       }
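Slides 15 and 24 both pick the dev or live branch by switching on $_SERVER['HTTP_HOST']. That value is the Host header the client sent, so the branch is chosen from untrusted input; the added example below (not code from the talk) reaches the same result, dev credentials plus optional ?debug=1 on the dev box and fixed live settings elsewhere, by keying the choice on a file that exists only on the dev server. wp-config-local.php and WP_DEBUG_LOCAL are assumed names; DB_NAME, DB_USER, DB_PASSWORD, DB_HOST and WP_DEBUG are the real WordPress constants.

```php
<?php
// Added example (not from the slides): server-dependent settings from a local file
// instead of the Host header. Goes in wp-config.php in place of the DB_* and
// WP_DEBUG defines. Deny web access to the local file exactly as slide 8 does
// for wp-config.php, and keep it out of version control.

$slt_local_config = __DIR__ . '/wp-config-local.php'; // assumed filename

if ( is_readable( $slt_local_config ) ) {
    // Dev / staging server. The local file defines the four DB_* constants for
    // that machine and may opt in to debugging. Constructed example content:
    //   define( 'DB_NAME',     'mysitedev' );
    //   define( 'DB_USER',     'mysitedev' );
    //   define( 'DB_PASSWORD', 'dev-password-here' );
    //   define( 'DB_HOST',     'localhost' );
    //   define( 'WP_DEBUG_LOCAL', true );   // assumed constant: allow ?debug=1 here
    require $slt_local_config;
} else {
    // Live server: production credentials only (placeholder values).
    define( 'DB_NAME',     'live_database_name_here' );
    define( 'DB_USER',     'live_username_here' );
    define( 'DB_PASSWORD', 'live_password_here' );
    define( 'DB_HOST',     'localhost' );
}

// ?debug=1 is honoured only where the local file opted in; on live the
// expression is always false, so PHP notices and file paths are never shown
// to visitors, whatever Host header a request carries.
$slt_debug_allowed = defined( 'WP_DEBUG_LOCAL' ) && WP_DEBUG_LOCAL;
define( 'WP_DEBUG', $slt_debug_allowed && isset( $_GET['debug'] ) );
```

With this layout the same wp-config.php can be committed and deployed everywhere; only wp-config-local.php differs per server.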
  25-27. Control revisions and autosave
       // Only keep 3 revisions of each post
       define( 'WP_POST_REVISIONS', 3 );

       // Don’t keep revisions of posts
       define( 'WP_POST_REVISIONS', false );

       // Autosave posts interval in seconds
       define( 'AUTOSAVE_INTERVAL', 60 );
  28. Disable plugin and theme editing
       define( 'DISALLOW_FILE_EDIT', true );
  29. robots.txt
       User-agent: *
       Disallow: /wp-admin
       Disallow: /wp-includes
       Disallow: /wp-content/plugins
       Disallow: /wp-content/cache
       Disallow: /wp-content/themes
       Disallow: /trackback
       Disallow: /feed
       Disallow: /comments
       Disallow: /category/*/*
       Disallow: */trackback
       Disallow: */feed
       Disallow: */comments
       Disallow: /*?*
       Disallow: /*?
       Allow: /wp-content/uploads
       Sitemap: http://example.com/sitemap.xml
     http://codex.wordpress.org/Search_Engine_Optimization_for_WordPress#Robots.txt_Optimization
  30. Custom theme functions.php / “functionality” plugin
     ● Snippets not worth making into a plugin
     ● Plugin is more portable
     ● Check out /mu-plugins/
     http://justintadlock.com/archives/2011/02/02/creating-a-custom-functions-plugin-for-end-users
     http://wpcandy.com/teaches/how-to-create-a-functionality-plugin
     http://codex.wordpress.org/Must_Use_Plugins
  31. Disable upgrade notifications for people who can’t do upgrades

       // Closures replace the create_function() calls on the original slide
       // (create_function() was removed in PHP 8); the behaviour is the same.
       if ( ! current_user_can( 'update_core' ) ) {
           // Stop the version check that fetches update data
           add_action( 'init', function () {
               remove_action( 'init', 'wp_version_check' );
           }, 2 );
           // Make the stored update data look empty so no notice is rendered
           add_filter( 'pre_option_update_core', function () {
               return null;
           } );
       }
  32. Remove nofollow from comments

       remove_filter( 'pre_comment_content', 'wp_rel_nofollow' );
       add_filter( 'get_comment_author_link', 'slt_dofollow' );
       add_filter( 'post_comments_link', 'slt_dofollow' );
       add_filter( 'comment_reply_link', 'slt_dofollow' );
       add_filter( 'comment_text', 'slt_dofollow' );

       function slt_dofollow( $str ) {
           // Strip "nofollow" from the rel attribute of anchor tags
           $str = preg_replace( '~<a ([^>]*)\s*(["|\']{1}\w*)\s*nofollow([^>]*)>~U', '<a ${1}${2}${3}>', $str );
           // Drop any rel attribute left empty by the replacement
           return str_replace( array( ' rel=""', " rel=''" ), '', $str );
       }
     http://digwp.com/2010/04/wordpress-custom-functions-php-template-part-2/
  33. Better default display names

       add_action( 'user_register', 'slt_default_user_display_name' );

       function slt_default_user_display_name( $user_id ) {
           // get_user_meta() replaces the deprecated get_usermeta(); the third
           // argument returns a single value instead of an array
           $first   = get_user_meta( $user_id, 'first_name', true );
           $last    = get_user_meta( $user_id, 'last_name', true );
           $display = trim( $first . ' ' . $last );
           // Leave the default display name alone when no name was supplied
           if ( $display !== '' ) {
               wp_update_user( array( 'ID' => $user_id, 'display_name' => $display ) );
           }
       }
  34. Plugins
     Force Strong Passwords. Copies WordPress’s JavaScript password strength meter into PHP and forces “executive” users to have a strong password when updating their profile.
     http://wordpress.org/extend/plugins/force-strong-passwords/

     Google XML Sitemaps (or equivalent).
     http://wordpress.org/extend/plugins/google-sitemap-generator/

     Use Google Libraries.
     http://wordpress.org/extend/plugins/use-google-libraries/

     WordPress Database Backup.
     http://wordpress.org/extend/plugins/wp-db-backup/
  35. Other issues
     ● File permissions
       http://codex.wordpress.org/Hardening_WordPress#File_permissions
     ● .htpasswd for /wp-admin/
     ● Settings > Discussion
  36. Cheers!
     http://sltaylor.co.uk
     @sltayloresque
