Beyond the WordPress 5 minute Install

The slides for the talk I gave at WordCamp Portsmouth UK 2011, 16/7/11. It basically covers some security and best practices hints and tips that aren't part of the standard WordPress installation.

  • An update on the permalink issue... /%postname%/ permalinks should no longer be a problem as of WP 3.3. See http://core.trac.wordpress.org/ticket/16687

Transcript

  • 1. Beyond the 5-minute Install
    Steve Taylor
    http://sltaylor.co.uk
    steve@sltaylor.co.uk
    @sltayloresque
    WordCamp Portsmouth UK 2011
  • 2. Security & best practices
    ● .htaccess
    ● wp-config.php
    ● robots.txt
    ● functions.php / “functionality plugin”
    ● Plugins
    ● Other issues?
  • 3. A bit about me
    ● Custom theme developer
    ● No themes released
    ● A few plugins
    This talk
    ● Advice for beginners
    ● Tips for developers
  • 4. .htaccess
    ● “hypertext access”
    ● Controls requests to the server before any PHP / WordPress processing
    ● Apache only (IIS?)
    ● Root of website (sub-directories?)
    ● Sometimes simple, sometimes complex!
    http://httpd.apache.org/docs/
    http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
  • 5-7. www or not www?
    ● Personal choice / aesthetics
    ● Both should be accessible; one should redirect (301) to the other
    ● Tell Google Webmaster Tools!

    # mod_rewrite must be switched on before any RewriteCond/RewriteRule is used
    RewriteEngine On

    # Force no “www” (the dots are escaped: an unescaped . would match any character)
    RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
    RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

    # Force “www”
    RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
    RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

    Use one block or the other, not both, or the two rules will redirect each other in a loop.
  • 8. Protect important files
    # Protect .htaccess files
    <Files .htaccess>
      order allow,deny
      deny from all
    </Files>

    # Protect wp-config.php
    <Files wp-config.php>
      order allow,deny
      deny from all
    </Files>

    (The original slide closed the second block with </FilesMatch>, which does not match <Files> and makes Apache reject the file. This is Apache 2.2 syntax; on Apache 2.4 replace the order/deny lines with “Require all denied”. Check the result with a browser or curl: both files should return 403, not their contents.)
  • 9-10. WordPress pretty permalinks
    Include at end of .htaccess:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
  • 11-12. WordPress pretty permalinks
    Really bad idea for big sites: (permalink structure shown as an image on the slide; not in the transcript)
    Better: (shown as an image on the slide; not in the transcript)
    http://ottopress.com/2010/category-in-permalinks-considered-harmful/
    http://codex.wordpress.org/Using_Permalinks
  • 13. wp-config.php
    ● Create your own wp-config-sample.php
    ● Check the file for new stuff in new versions of WordPress
    ● Edit and initialize BEFORE installing WordPress!
    http://codex.wordpress.org/Editing_wp-config.php
    http://digwp.com/2010/08/pimp-your-wp-config-php/
  • 14. Server-dependent settings
    // ** MySQL settings - You can get this info from your web host ** //
    /** The name of the database for WordPress */
    define( 'DB_NAME', 'database_name_here' );

    /** MySQL database username */
    define( 'DB_USER', 'username_here' );

    /** MySQL database password */
    define( 'DB_PASSWORD', 'password_here' );

    /** MySQL hostname */
    define( 'DB_HOST', 'localhost' );
  • 15. Server-dependent settings
    // Pick the database by the hostname the request came in on
    switch ( $_SERVER['HTTP_HOST'] ) {
        case 'dev.example.com': {
            // Dev server
            define( 'DB_NAME', 'aef4RgX_mysitedev' );
            define( 'DB_USER', 'aef4RgX_mysitedev' );
            define( 'DB_PASSWORD', 'Jyt6v48jS9frkGgZyS5iIjif6LnosuYr' );
            define( 'DB_HOST', 'localhost' );
            break;
        }
        default: {
            // Live server
            define( 'DB_NAME', 'sd6FE2xc_mysitelive' );
            define( 'DB_USER', 'sd6FE2xc_mysitelive' );
            define( 'DB_PASSWORD', 'as3d56JvDlPisYwU7c1nfZ3Yct0NEiZR' );
            define( 'DB_HOST', 'localhost' );
            break;
        }
    }
    https://www.grc.com/passwords.htm

    Caveat: $_SERVER['HTTP_HOST'] is simply the Host header the client sent. If the live site is the default (catch-all) virtual host, a request carrying “Host: dev.example.com” reaches it and takes the dev branch, so keep the dev database unreachable from the live server and do not let this switch turn on anything sensitive. Putting the dev branch in the default case would be worse: then any unknown Host name would get the dev settings.
  • 16. Authentication Keys and Salts
    Change them for every installation!
    define( 'AUTH_KEY',         'put your unique phrase here' );
    define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
    define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
    define( 'NONCE_KEY',        'put your unique phrase here' );
    define( 'AUTH_SALT',        'put your unique phrase here' );
    define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
    define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
    define( 'NONCE_SALT',       'put your unique phrase here' );
    https://api.wordpress.org/secret-key/1.1/salt/
    These values key the login cookies and nonces; anyone who reads them (for example from a leaked wp-config.php or a copied site) can forge authentication cookies, so rotate them if you ever suspect exposure. Rotating them logs every user out, which is harmless.
  • 17-18. Database table prefix
    The default:
    $table_prefix = 'wp_';
    Much better:
    $table_prefix = 'a3rfGtQ1_';
    WordPress only accepts letters, digits and underscores in the prefix (wp-settings.php refuses to start otherwise). A non-default prefix only defeats automated injection scripts that assume wp_; an attacker who can run arbitrary SQL can still read the table names from information_schema, so treat it as defence in depth, not as a fix for injectable code.
  • 19-21. Database table prefix
    When coding database queries, don’t use hard-coded table names!
    A standard WP table:
    global $wpdb;
    $custom_query = $wpdb->get_results( "SELECT ID, post_title FROM $wpdb->posts" );
    A custom table:
    global $wpdb;
    $custom_query = $wpdb->get_results( "SELECT field FROM " . $wpdb->prefix . "table" );
    http://codex.wordpress.org/Class_Reference/wpdb
    Neither query above takes user input. As soon as one does, build it with $wpdb->prepare() rather than concatenating the value into the SQL string, or the query is injectable no matter what the prefix is.
  • 22. Server needs FTP for upgrades?
    define( "FTP_HOST", "ftp.example.com" );
    define( "FTP_USER", "myftpuser" );
    define( "FTP_PASS", "hQfsSITtKteo1Ln2FEhHlPkXZ" );
    This puts an FTP password in wp-config.php in plain text, and plain FTP sends it unencrypted on every upgrade. If the web server user owns the WordPress files, define( "FS_METHOD", "direct" ); lets WordPress write them directly and no FTP account is needed at all; otherwise prefer the "ssh2" method if the host supports it.
  • 23-24. Debugging
    define( 'WP_DEBUG', true );
    Turn it on per request on the dev server only, e.g. http://dev.example.com/?debug=1
    switch ( $_SERVER['HTTP_HOST'] ) {
        case 'dev.example.com': {
            // Dev server: debug output only when ?debug is in the URL
            define( 'WP_DEBUG', isset( $_GET['debug'] ) );
            break;
        }
        default: {
            // Live server: never show debug output
            define( 'WP_DEBUG', false );
            break;
        }
    }
    Because HTTP_HOST is client-controlled, the live vhost must not also answer for dev.example.com, or a crafted Host header plus ?debug=1 would switch debug output (paths, SQL, notices) on in production.
  • 25-27. Control revisions and autosave
    // Only keep 3 revisions of each post
    define( 'WP_POST_REVISIONS', 3 );
    // Don’t keep revisions of posts
    define( 'WP_POST_REVISIONS', false );
    // Autosave posts interval in seconds
    define( 'AUTOSAVE_INTERVAL', 60 );
  • 28. Disable plugin and theme editing
    define( 'DISALLOW_FILE_EDIT', true );
    This removes the Theme/Plugin Editor from the admin area, so a stolen administrator session cannot be turned into arbitrary PHP on the server through the editor. It does not stop plugin uploads; DISALLOW_FILE_MODS does that as well, at the cost of blocking updates through the dashboard.
  • 29. robots.txt
    User-agent: *
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins
    Disallow: /wp-content/cache
    Disallow: /wp-content/themes
    Disallow: /trackback
    Disallow: /feed
    Disallow: /comments
    Disallow: /category/*/*
    Disallow: */trackback
    Disallow: */feed
    Disallow: */comments
    Disallow: /*?*
    Disallow: /*?
    Allow: /wp-content/uploads
    Sitemap: http://example.com/sitemap.xml
    http://codex.wordpress.org/Search_Engine_Optimization_for_WordPress#Robots.txt_Optimization
    robots.txt is advice to well-behaved crawlers, not access control, and it is public: a Disallow line for /wp-admin or /wp-content/plugins advertises those paths rather than hiding them. Use .htaccess and file permissions for anything that actually needs protecting.
  • 30. Custom theme functions.php / “functionality” plugin
    ● Snippets not worth making into a plugin
    ● Plugin is more portable
    ● Check out /mu-plugins/
    http://justintadlock.com/archives/2011/02/02/creating-a-custom-functions-plugin-for-end-users
    http://wpcandy.com/teaches/how-to-create-a-functionality-plugin
    http://codex.wordpress.org/Must_Use_Plugins
  • 31. Disable upgrade notifications for people who can’t do upgrades
    // Hide the core update nag from users who could not run the upgrade anyway.
    // The slide used create_function(); closures (PHP 5.3+) do the same job and
    // keep working on PHP 8, where create_function() no longer exists.
    if ( ! current_user_can( 'update_core' ) ) {
        add_action( 'init', function () {
            remove_action( 'init', 'wp_version_check' );
        }, 2 );
        add_filter( 'pre_option_update_core', function () {
            return null;
        } );
    }
  • 32. Remove nofollow from comments
    remove_filter( 'pre_comment_content', 'wp_rel_nofollow' );
    add_filter( 'get_comment_author_link', 'slt_dofollow' );
    add_filter( 'post_comments_link', 'slt_dofollow' );
    add_filter( 'comment_reply_link', 'slt_dofollow' );
    add_filter( 'comment_text', 'slt_dofollow' );

    function slt_dofollow( $str ) {
        // Drop "nofollow" from the rel attribute of every <a> tag ...
        $str = preg_replace( '~<a ([^>]*)\s*(["|\']{1}\w*)\s*nofollow([^>]*)>~U', '<a ${1}${2}${3}>', $str );
        // ... then remove any rel attribute that is now empty
        return str_replace( array( ' rel=""', " rel=''" ), '', $str );
    }
    http://digwp.com/2010/04/wordpress-custom-functions-php-template-part-2/
    WordPress adds nofollow to comment links precisely so that comment spam earns no search ranking; removing it makes the site a more attractive spam target, so only do this with comment moderation that you trust.
  • 33. Better default display names
    add_action( 'user_register', 'slt_default_user_display_name' );
    function slt_default_user_display_name( $user_id ) {
        // get_usermeta() was deprecated in WP 3.0; get_user_meta() with $single = true replaces it
        $first   = get_user_meta( $user_id, 'first_name', true );
        $last    = get_user_meta( $user_id, 'last_name', true );
        // trim() so a user with no name set falls back to the login name rather than " "
        $display = trim( $first . ' ' . $last );
        wp_update_user( array( "ID" => $user_id, "display_name" => $display ) );
    }
  • 34. Plugins
    Force Strong Passwords. Copies WordPress’s JavaScript password strength meter into PHP and forces “executive” users to have a strong password when updating their profile.
    http://wordpress.org/extend/plugins/force-strong-passwords/
    Google XML Sitemaps (or equivalent).
    http://wordpress.org/extend/plugins/google-sitemap-generator/
    Use Google Libraries.
    http://wordpress.org/extend/plugins/use-google-libraries/
    WordPress Database Backup.
    http://wordpress.org/extend/plugins/wp-db-backup/
  • 35. Other issues
    ● File permissions
      http://codex.wordpress.org/Hardening_WordPress#File_permissions
    ● .htpasswd for /wp-admin/ (exempt wp-admin/admin-ajax.php if the theme or plugins make front-end AJAX calls, otherwise visitors get the password prompt)
    ● Settings > Discussion
  • 36. Cheers!
    http://sltaylor.co.uk
    @sltayloresque