Beyond the 5-minute Install: Tips for Security, Performance and Best Practices
Steve Taylor

http://sltaylor.co.uk
steve@sltaylor.co.uk
@sltayloresque




WordCamp Portsmouth UK 2011
Security & best practices
●   .htaccess
●   wp-config.php
●   robots.txt
●   functions.php / “functionality plugin”
●   Plugins
●   Other issues?
A bit about me
●   Custom theme developer
●   No themes released
●   A few plugins

This talk
●   Advice for beginners 
●   Tips for developers 
.htaccess
●   “hypertext access”
●   Controls requests to server before any PHP / WordPress processing
●   Apache only (IIS?)
●   Root of website (sub-directories?)
●   Sometimes simple, sometimes complex!



http://httpd.apache.org/docs/
http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
www or not www?
●   Personal choice / aesthetics
●   Both should be accessible; one should redirect (301) to the other
●   Tell Google Webmaster Tools!

# Force no “www”
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

# Force “www”
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
Protect important files

# Protect .htaccess files
<Files .htaccess>
    order allow,deny
    deny from all
</Files>

# Protect wp-config.php
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>
WordPress pretty permalinks
Include at end of .htaccess:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
WordPress pretty permalinks
Really bad idea for big sites:



Better:




http://ottopress.com/2010/category-in-permalinks-considered-harmful/
http://codex.wordpress.org/Using_Permalinks
wp-config.php
●   Create your own wp-config-sample.php
●   Check the file for new stuff in new versions of WordPress
●   Edit and initialize BEFORE installing WordPress!




http://codex.wordpress.org/Editing_wp-config.php
http://digwp.com/2010/08/pimp-your-wp-config-php/
Server-dependent settings
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');
/** MySQL database username */
define('DB_USER', 'username_here');
/** MySQL database password */
define('DB_PASSWORD', 'password_here');
/** MySQL hostname */
define('DB_HOST', 'localhost');
Server-dependent settings
switch ( $_SERVER['HTTP_HOST'] ) {
    case 'dev.example.com': {
            // Dev server
            define( 'DB_NAME', 'aef4RgX_mysitedev' );
            define( 'DB_USER', 'aef4RgX_mysitedev' );
            define( 'DB_PASSWORD', 'Jyt6v48jS9frkGgZyS5iIjif6LnosuYr' );
            define( 'DB_HOST', 'localhost' );
            break;
    }
    default: {
            // Live server
            define( 'DB_NAME', 'sd6FE2xc_mysitelive' );
            define( 'DB_USER', 'sd6FE2xc_mysitelive' );
            define( 'DB_PASSWORD', 'as3d56JvDlPisYwU7c1nfZ3Yct0NEiZR' );
            define( 'DB_HOST', 'localhost' );
            break;
    }
}



https://www.grc.com/passwords.htm
Authentication Keys and Salts
Change them for every installation!
define('AUTH_KEY',           'put   your   unique   phrase   here');
define('SECURE_AUTH_KEY',    'put   your   unique   phrase   here');
define('LOGGED_IN_KEY',      'put   your   unique   phrase   here');
define('NONCE_KEY',          'put   your   unique   phrase   here');
define('AUTH_SALT',          'put   your   unique   phrase   here');
define('SECURE_AUTH_SALT',   'put   your   unique   phrase   here');
define('LOGGED_IN_SALT',     'put   your   unique   phrase   here');
define('NONCE_SALT',         'put   your   unique   phrase   here');




https://api.wordpress.org/secret-key/1.1/salt/
Database table prefix
The default:

$table_prefix   = 'wp_';

Much better:

$table_prefix   = 'a3rfGtQ1_';
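The three wp-config.php points above (initialize the file before installing, unique keys and salts for every installation, a non-default table prefix) can be done in one step. This command-line script is an added example, not from the talk: it reads your wp-config-sample.php, swaps each placeholder define() for a fresh 64-character key and the 'wp_' prefix for a random one, and refuses to write anything if a placeholder is missing. The cfg_ function names and the script filename are this example's own.

```php
<?php
// make-wp-config.php (added example): build wp-config.php from
// wp-config-sample.php with fresh keys/salts and a random table prefix.
// Usage: php make-wp-config.php wp-config-sample.php > wp-config.php

const CFG_KEY_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// 32 bytes from the CSPRNG -> 64 hex characters. Hex needs no escaping
// inside a single-quoted PHP string, so the define() stays well-formed.
function cfg_random_key(): string {
    return bin2hex( random_bytes( 32 ) );
}

// WordPress accepts only letters, digits and underscores in $table_prefix.
function cfg_random_table_prefix( int $length = 8 ): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $prefix   = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $prefix .= $alphabet[ random_int( 0, strlen( $alphabet ) - 1 ) ];
    }
    return $prefix . '_';
}

// Rewrite the eight placeholder defines and the default 'wp_' prefix.
// Throws if a placeholder is missing or left over, so a typo in the sample
// cannot silently ship an install with default keys.
function cfg_fill( string $sample ): string {
    foreach ( CFG_KEY_NAMES as $name ) {
        // Matches define('AUTH_KEY', 'put your unique phrase here'); with any spacing.
        $pattern = '/define\(\s*[\'"]' . $name . '[\'"]\s*,\s*[\'"]put\s+your\s+unique\s+phrase\s+here[\'"]\s*\);/';
        $count   = 0;
        $sample  = preg_replace( $pattern, "define('{$name}', '" . cfg_random_key() . "');", $sample, 1, $count );
        if ( 1 !== $count ) {
            throw new RuntimeException( "No placeholder found for {$name}" );
        }
    }
    $sample = preg_replace_callback(
        '/^\$table_prefix\s*=\s*[\'"]wp_[\'"]\s*;/m',
        function () { return '$table_prefix = \'' . cfg_random_table_prefix() . '\';'; },
        $sample, 1, $count
    );
    if ( 1 !== $count || false !== stripos( $sample, 'unique phrase here' ) ) {
        throw new RuntimeException( 'Sample file still contains default values' );
    }
    return $sample;
}

if ( PHP_SAPI === 'cli' && isset( $argv[0] ) && realpath( $argv[0] ) === __FILE__ ) {
    $path   = $argv[1] ?? 'wp-config-sample.php';
    $sample = file_get_contents( $path );
    if ( false === $sample ) {
        fwrite( STDERR, "Cannot read {$path}\n" );
        exit( 1 );
    }
    echo cfg_fill( $sample );
}
```

Run it once per site; the output is a ready-to-upload wp-config.php, so the installer never sees the sample's default values.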
Database table prefix
When coding database queries, don’t use hard-coded table names!

A standard WP table:
global $wpdb;
$custom_query = $wpdb->get_results( "SELECT ID, post_title FROM $wpdb->posts" );

A custom table:
global $wpdb;
$custom_query = $wpdb->get_results( "SELECT field FROM " . $wpdb->prefix . "table" );



http://codex.wordpress.org/Class_Reference/wpdb
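The same rule carried into a small plugin, as an added example (not the talk's code): a custom table named via $wpdb->prefix, and every query built with $wpdb->prepare() so request values never land in the SQL string unescaped. The ex_ function names and the event_log table are constructed for the example; the code runs inside WordPress.

```php
<?php
/*
Plugin Name: Event log lookup (added example)
Description: Prefix-aware custom table with prepared queries. Example code
written for this page, not part of the talk; ex_ names and the event_log
table are constructed for the example.
*/

// Build the table name from $wpdb->prefix so it follows $table_prefix in wp-config.php.
function ex_event_log_table(): string {
    global $wpdb;
    return $wpdb->prefix . 'event_log';
}

// Create the table on activation. dbDelta() is WordPress's schema helper;
// it needs two spaces after PRIMARY KEY.
function ex_event_log_install(): void {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    $table   = ex_event_log_table();
    $collate = $wpdb->get_charset_collate();
    dbDelta( "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        user_id bigint(20) unsigned NOT NULL,
        event varchar(64) NOT NULL,
        created datetime NOT NULL,
        PRIMARY KEY  (id),
        KEY user_id (user_id)
    ) {$collate};" );
}
register_activation_hook( __FILE__, 'ex_event_log_install' );

// Record an event. insert() quotes values for you; the %d/%s formats tell
// wpdb how to treat each column.
function ex_log_event( int $user_id, string $event ): bool {
    global $wpdb;
    $ok = $wpdb->insert(
        ex_event_log_table(),
        [ 'user_id' => $user_id, 'event' => $event, 'created' => current_time( 'mysql' ) ],
        [ '%d', '%s', '%s' ]
    );
    return false !== $ok;
}

// Read events for one user. The table name comes from $wpdb, and every value
// goes through prepare(): request data never touches the SQL string directly.
function ex_events_for_user( int $user_id, int $limit = 20 ): array {
    global $wpdb;
    $table = ex_event_log_table();
    $sql   = $wpdb->prepare(
        "SELECT id, event, created FROM {$table} WHERE user_id = %d ORDER BY id DESC LIMIT %d",
        $user_id,
        $limit
    );
    $rows = $wpdb->get_results( $sql, ARRAY_A );
    return is_array( $rows ) ? $rows : [];
}

// Same rule for standard tables: use $wpdb->posts, never a literal 'wp_posts'.
function ex_recent_published_titles( int $limit = 5 ): array {
    global $wpdb;
    return $wpdb->get_col( $wpdb->prepare(
        "SELECT post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_type = 'post'
         ORDER BY post_date DESC LIMIT %d",
        $limit
    ) );
}
```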
Server needs FTP for upgrades?
define( "FTP_HOST", "ftp.example.com" );
define( "FTP_USER", "myftpuser" );
define( "FTP_PASS", "hQfsSITtKteo1Ln2FEhHlPkXZ" );
Debugging
define( 'WP_DEBUG', true );




http://dev.example.com/?debug=1
switch ( $_SERVER['HTTP_HOST'] ) {
    case 'dev.example.com': {
            // Dev server
            define( 'WP_DEBUG', isset( $_GET['debug'] ) );
            break;
    }
    default: {
            // Live server
            define( 'WP_DEBUG', false );
            break;
    }
}
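A variant of the two switch() blocks above (database settings and WP_DEBUG), added here and not from the talk: it picks dev or live settings from a server-side variable or a file above the web root instead of $_SERVER['HTTP_HOST'], because the Host header is supplied by the client, and it treats anything unrecognised as live. The ex_ names, the WP_ENV variable and the .wp-env file are this example's conventions; the REPLACE_WITH_ values are placeholders.

```php
<?php
// wp-config.php fragment (added example): choose dev or live settings from
// something the deployer controls rather than from the request.

function ex_wp_environment(): string {
    // 1. A server-side variable, e.g. "SetEnv WP_ENV dev" in the Apache
    //    vhost. Client request headers arrive as HTTP_*, so a request
    //    cannot set a plain WP_ENV variable.
    $env = getenv( 'WP_ENV' );
    // 2. Otherwise a one-word file one level above the web root, where the
    //    web server does not serve files.
    if ( false === $env ) {
        $file = dirname( __DIR__ ) . '/.wp-env';
        $env  = is_readable( $file ) ? trim( (string) file_get_contents( $file ) ) : '';
    }
    // Anything unexpected is treated as live, never as dev: fail safe.
    return 'dev' === $env ? 'dev' : 'live';
}

switch ( ex_wp_environment() ) {
    case 'dev':
        define( 'DB_NAME',     'REPLACE_WITH_dev_db_name' );
        define( 'DB_USER',     'REPLACE_WITH_dev_db_user' );
        define( 'DB_PASSWORD', 'REPLACE_WITH_dev_db_password' );
        define( 'DB_HOST',     'localhost' );
        // Debug on for dev, written to wp-content/debug.log rather than into
        // pages: you still see the notices, visitors do not see file paths.
        define( 'WP_DEBUG',         true );
        define( 'WP_DEBUG_LOG',     true );
        define( 'WP_DEBUG_DISPLAY', false );
        break;

    default: // live
        define( 'DB_NAME',     'REPLACE_WITH_live_db_name' );
        define( 'DB_USER',     'REPLACE_WITH_live_db_user' );
        define( 'DB_PASSWORD', 'REPLACE_WITH_live_db_password' );
        define( 'DB_HOST',     'localhost' );
        define( 'WP_DEBUG',         false );
        define( 'WP_DEBUG_DISPLAY', false );
        break;
}
```

With php-fpm the variable is set in the pool configuration instead of with SetEnv; the file fallback covers hosts where neither is available.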
Control revisions and autosave
// Only keep 3 revisions of each post
define( 'WP_POST_REVISIONS', 3 );

// Don’t keep revisions of posts
define( 'WP_POST_REVISIONS', false );

// Autosave posts interval in seconds
define( 'AUTOSAVE_INTERVAL', 60 );
Disable plugin and theme editing
define( 'DISALLOW_FILE_EDIT', true );
robots.txt
 User-agent: *
 Disallow: /wp-admin
 Disallow: /wp-includes
 Disallow: /wp-content/plugins
 Disallow: /wp-content/cache
 Disallow: /wp-content/themes
 Disallow: /trackback
 Disallow: /feed
 Disallow: /comments
 Disallow: /category/*/*
 Disallow: */trackback
 Disallow: */feed
 Disallow: */comments
 Disallow: /*?*
 Disallow: /*?
 Allow: /wp-content/uploads

 Sitemap: http://example.com/sitemap.xml



http://codex.wordpress.org/Search_Engine_Optimization_for_WordPress#Robots.txt_Optimization
Custom theme functions.php / “functionality” plugin
●   Snippets not worth making into a plugin
●   Plugin is more portable
●   Check out /mu-plugins/




http://justintadlock.com/archives/2011/02/02/creating-a-custom-functions-plugin-for-end-users

http://wpcandy.com/teaches/how-to-create-a-functionality-plugin

http://codex.wordpress.org/Must_Use_Plugins
Disable upgrade notifications for people who can't do upgrades
if ( ! current_user_can( 'update_core' ) ) {
    // Stop the version check from running for this user...
    add_action( 'init', function () {
        remove_action( 'init', 'wp_version_check' );
    }, 2 );
    // ...and short-circuit the stored update data so no nag is shown
    add_filter( 'pre_option_update_core', function ( $a ) {
        return null;
    } );
}
Remove nofollow from comments
remove_filter( 'pre_comment_content', 'wp_rel_nofollow' );
add_filter( 'get_comment_author_link', 'slt_dofollow' );
add_filter( 'post_comments_link', 'slt_dofollow' );
add_filter( 'comment_reply_link', 'slt_dofollow' );
add_filter( 'comment_text', 'slt_dofollow' );
function slt_dofollow( $str ) {
    // Strip "nofollow" from rel attributes in anchor tags, then drop any
    // empty rel attribute left behind
    $str = preg_replace(
        '~<a ([^>]*)\s*(["|\']{1}\w*)\s*nofollow([^>]*)>~U',
        '<a ${1}${2}${3}>', $str );
    return str_replace( array( ' rel=""', " rel=''" ), '', $str );
}




http://digwp.com/2010/04/wordpress-custom-functions-php-template-part-2/
Better default display names

add_action( 'user_register', 'slt_default_user_display_name' );
function slt_default_user_display_name( $user_id ) {
    // get_user_meta() with $single = true replaces the deprecated get_usermeta()
    $first   = get_user_meta( $user_id, 'first_name', true );
    $last    = get_user_meta( $user_id, 'last_name', true );
    $display = trim( $first . ' ' . $last );
    if ( '' === $display ) {
        return; // no names supplied yet; keep WordPress's default display name
    }
    wp_update_user( array( 'ID' => $user_id, 'display_name' => $display ) );
}
Plugins
Force Strong Passwords. Copies WordPress's JavaScript
password strength meter into PHP and forces “executive” users
to have a strong password when updating their profile.
http://wordpress.org/extend/plugins/force-strong-passwords/

Google XML Sitemaps (or equivalent).
http://wordpress.org/extend/plugins/google-sitemap-generator/

Use Google Libraries.
http://wordpress.org/extend/plugins/use-google-libraries/

WordPress Database Backup.
http://wordpress.org/extend/plugins/wp-db-backup/
Other issues
●   File permissions
http://codex.wordpress.org/Hardening_WordPress#File_permissions

●   .htpasswd for /wp-admin/
●   Settings > Discussion
Cheers!
http://sltaylor.co.uk
@sltayloresque

More Related Content

What's hot

Head First Zend Framework - Part 1 Project & Application
Head First Zend Framework - Part 1 Project & ApplicationHead First Zend Framework - Part 1 Project & Application
Head First Zend Framework - Part 1 Project & ApplicationJace Ju
 
What happens in laravel 4 bootstraping
What happens in laravel 4 bootstrapingWhat happens in laravel 4 bootstraping
What happens in laravel 4 bootstrapingJace Ju
 
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.Graham Dumpleton
 
Mojolicious - A new hope
Mojolicious - A new hopeMojolicious - A new hope
Mojolicious - A new hopeMarcus Ramberg
 
Deploying
DeployingDeploying
Deployingsoon
 
Best Practices in Plugin Development (WordCamp Seattle)
Best Practices in Plugin Development (WordCamp Seattle)Best Practices in Plugin Development (WordCamp Seattle)
Best Practices in Plugin Development (WordCamp Seattle)andrewnacin
 
Cool like a Frontend Developer: Grunt, RequireJS, Bower and other Tools
Cool like a Frontend Developer: Grunt, RequireJS, Bower and other ToolsCool like a Frontend Developer: Grunt, RequireJS, Bower and other Tools
Cool like a Frontend Developer: Grunt, RequireJS, Bower and other ToolsRyan Weaver
 
Front end performance optimization
Front end performance optimizationFront end performance optimization
Front end performance optimizationStevie T
 
Puppet at janrain
Puppet at janrainPuppet at janrain
Puppet at janrainPuppet
 
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...andrewnacin
 
Front end performance tip
Front end performance tipFront end performance tip
Front end performance tipSteve Yu
 
Mehr Performance für WordPress - WordCamp Köln
Mehr Performance für WordPress - WordCamp KölnMehr Performance für WordPress - WordCamp Köln
Mehr Performance für WordPress - WordCamp KölnWalter Ebert
 
Extending the WordPress REST API - Josh Pollock
Extending the WordPress REST API - Josh PollockExtending the WordPress REST API - Josh Pollock
Extending the WordPress REST API - Josh PollockCaldera Labs
 
You Don't Know Query - WordCamp Portland 2011
You Don't Know Query - WordCamp Portland 2011You Don't Know Query - WordCamp Portland 2011
You Don't Know Query - WordCamp Portland 2011andrewnacin
 
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)DK Lee
 
BP-6 Repository Customization Best Practices
BP-6 Repository Customization Best PracticesBP-6 Repository Customization Best Practices
BP-6 Repository Customization Best PracticesAlfresco Software
 
jQuery Plugin Creation
jQuery Plugin CreationjQuery Plugin Creation
jQuery Plugin Creationbenalman
 

What's hot (20)

Head First Zend Framework - Part 1 Project & Application
Head First Zend Framework - Part 1 Project & ApplicationHead First Zend Framework - Part 1 Project & Application
Head First Zend Framework - Part 1 Project & Application
 
What happens in laravel 4 bootstraping
What happens in laravel 4 bootstrapingWhat happens in laravel 4 bootstraping
What happens in laravel 4 bootstraping
 
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
 
Mojolicious - A new hope
Mojolicious - A new hopeMojolicious - A new hope
Mojolicious - A new hope
 
Deploying
DeployingDeploying
Deploying
 
Best Practices in Plugin Development (WordCamp Seattle)
Best Practices in Plugin Development (WordCamp Seattle)Best Practices in Plugin Development (WordCamp Seattle)
Best Practices in Plugin Development (WordCamp Seattle)
 
SocketStream
SocketStreamSocketStream
SocketStream
 
Cool like a Frontend Developer: Grunt, RequireJS, Bower and other Tools
Cool like a Frontend Developer: Grunt, RequireJS, Bower and other ToolsCool like a Frontend Developer: Grunt, RequireJS, Bower and other Tools
Cool like a Frontend Developer: Grunt, RequireJS, Bower and other Tools
 
Front End Performance
Front End PerformanceFront End Performance
Front End Performance
 
Front end performance optimization
Front end performance optimizationFront end performance optimization
Front end performance optimization
 
Puppet at janrain
Puppet at janrainPuppet at janrain
Puppet at janrain
 
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
 
Front end performance tip
Front end performance tipFront end performance tip
Front end performance tip
 
Mehr Performance für WordPress - WordCamp Köln
Mehr Performance für WordPress - WordCamp KölnMehr Performance für WordPress - WordCamp Köln
Mehr Performance für WordPress - WordCamp Köln
 
Extending the WordPress REST API - Josh Pollock
Extending the WordPress REST API - Josh PollockExtending the WordPress REST API - Josh Pollock
Extending the WordPress REST API - Josh Pollock
 
You Don't Know Query - WordCamp Portland 2011
You Don't Know Query - WordCamp Portland 2011You Don't Know Query - WordCamp Portland 2011
You Don't Know Query - WordCamp Portland 2011
 
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)
 
BP-6 Repository Customization Best Practices
BP-6 Repository Customization Best PracticesBP-6 Repository Customization Best Practices
BP-6 Repository Customization Best Practices
 
jQuery Plugin Creation
jQuery Plugin CreationjQuery Plugin Creation
jQuery Plugin Creation
 
Powershell: Tu nuevo mejor amigo
Powershell: Tu nuevo mejor amigoPowershell: Tu nuevo mejor amigo
Powershell: Tu nuevo mejor amigo
 

Similar to Beyond the 5-minute Install: Tips for Security, Performance and Best Practices

A WordPress workshop at Cefalo
A WordPress workshop at Cefalo A WordPress workshop at Cefalo
A WordPress workshop at Cefalo Beroza Paul
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIWP Engine
 
Making WordPress Your CMS and Automatically Updating a Self Hosted WordPress ...
Making WordPress Your CMS and Automatically Updating a Self Hosted WordPress ...Making WordPress Your CMS and Automatically Updating a Self Hosted WordPress ...
Making WordPress Your CMS and Automatically Updating a Self Hosted WordPress ...cehwitham
 
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)arcware
 
Manage WordPress with Awesome using wp cli
Manage WordPress with Awesome using wp cliManage WordPress with Awesome using wp cli
Manage WordPress with Awesome using wp cliGetSource
 
WordCamp Vancouver 2012 - Manage WordPress with Awesome using wp-cli
WordCamp Vancouver 2012 - Manage WordPress with Awesome using wp-cliWordCamp Vancouver 2012 - Manage WordPress with Awesome using wp-cli
WordCamp Vancouver 2012 - Manage WordPress with Awesome using wp-cliGetSource
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentBrad Williams
 
Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!Jeff Jones
 
Laying the proper foundation for plugin and theme development
Laying the proper foundation for plugin and theme developmentLaying the proper foundation for plugin and theme development
Laying the proper foundation for plugin and theme developmentTammy Hart
 
WordPress Plugin development
WordPress Plugin developmentWordPress Plugin development
WordPress Plugin developmentMostafa Soufi
 
Creating Your First WordPress Plugin
Creating Your First WordPress PluginCreating Your First WordPress Plugin
Creating Your First WordPress PluginBrad Williams
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009Brad Williams
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009Brad Williams
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Think Media Inc.
 
Using Geeklog as a Web Application Framework
Using Geeklog as a Web Application FrameworkUsing Geeklog as a Web Application Framework
Using Geeklog as a Web Application FrameworkDirk Haun
 
Childthemes ottawa-word camp-1919
Childthemes ottawa-word camp-1919Childthemes ottawa-word camp-1919
Childthemes ottawa-word camp-1919Paul Bearne
 
Hardcore URL Routing for WordPress - WordCamp Atlanta 2014 (PPT)
Hardcore URL Routing for WordPress - WordCamp Atlanta 2014 (PPT)Hardcore URL Routing for WordPress - WordCamp Atlanta 2014 (PPT)
Hardcore URL Routing for WordPress - WordCamp Atlanta 2014 (PPT)Mike Schinkel
 
Getting to The Loop - London Wordpress Meetup July 28th
Getting to The Loop - London Wordpress Meetup  July 28thGetting to The Loop - London Wordpress Meetup  July 28th
Getting to The Loop - London Wordpress Meetup July 28thChris Adams
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Bastian Grimm
 
WordPress Configuration tips
WordPress Configuration tipsWordPress Configuration tips
WordPress Configuration tipsMasharul Pamir
 

Similar to Beyond the 5-minute Install: Tips for Security, Performance and Best Practices (20)

A WordPress workshop at Cefalo
A WordPress workshop at Cefalo A WordPress workshop at Cefalo
A WordPress workshop at Cefalo
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLI
 
Making WordPress Your CMS and Automatically Updating a Self Hosted WordPress ...
Making WordPress Your CMS and Automatically Updating a Self Hosted WordPress ...Making WordPress Your CMS and Automatically Updating a Self Hosted WordPress ...
Making WordPress Your CMS and Automatically Updating a Self Hosted WordPress ...
 
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
 
Manage WordPress with Awesome using wp cli
Manage WordPress with Awesome using wp cliManage WordPress with Awesome using wp cli
Manage WordPress with Awesome using wp cli
 
WordCamp Vancouver 2012 - Manage WordPress with Awesome using wp-cli
WordCamp Vancouver 2012 - Manage WordPress with Awesome using wp-cliWordCamp Vancouver 2012 - Manage WordPress with Awesome using wp-cli
WordCamp Vancouver 2012 - Manage WordPress with Awesome using wp-cli
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin Development
 
Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!
 
Laying the proper foundation for plugin and theme development
Laying the proper foundation for plugin and theme developmentLaying the proper foundation for plugin and theme development
Laying the proper foundation for plugin and theme development
 
WordPress Plugin development
WordPress Plugin developmentWordPress Plugin development
WordPress Plugin development
 
Creating Your First WordPress Plugin
Creating Your First WordPress PluginCreating Your First WordPress Plugin
Creating Your First WordPress Plugin
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
 
Using Geeklog as a Web Application Framework
Using Geeklog as a Web Application FrameworkUsing Geeklog as a Web Application Framework
Using Geeklog as a Web Application Framework
 
Childthemes ottawa-word camp-1919
Childthemes ottawa-word camp-1919Childthemes ottawa-word camp-1919
Childthemes ottawa-word camp-1919
 
Hardcore URL Routing for WordPress - WordCamp Atlanta 2014 (PPT)
Hardcore URL Routing for WordPress - WordCamp Atlanta 2014 (PPT)Hardcore URL Routing for WordPress - WordCamp Atlanta 2014 (PPT)
Hardcore URL Routing for WordPress - WordCamp Atlanta 2014 (PPT)
 
Getting to The Loop - London Wordpress Meetup July 28th
Getting to The Loop - London Wordpress Meetup  July 28thGetting to The Loop - London Wordpress Meetup  July 28th
Getting to The Loop - London Wordpress Meetup July 28th
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
 
WordPress Configuration tips
WordPress Configuration tipsWordPress Configuration tips
WordPress Configuration tips
 

Recently uploaded

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Recently uploaded (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

Beyond the 5-minute Install: Tips for Security, Performance and Best Practices

  • 1. Beyond the 5-minute Install
    Steve Taylor
    http://sltaylor.co.uk
    steve@sltaylor.co.uk
    @sltayloresque
    WordCamp Portsmouth UK 2011
  • 2. Security & best practices
    ● .htaccess
    ● wp-config.php
    ● robots.txt
    ● functions.php / "functionality plugin"
    ● Plugins
    ● Other issues?
  • 3. A bit about me
    ● Custom theme developer
    ● No themes released
    ● A few plugins
    This talk
    ● Advice for beginners
    ● Tips for developers
  • 4. .htaccess
    ● "hypertext access"
    ● Controls requests to the server before any PHP / WordPress processing
    ● Apache only (IIS uses web.config instead; the host must also allow overrides with AllowOverride, or the file is silently ignored)
    ● Lives in the root of the website; a copy in a sub-directory applies to that directory and everything below it
    ● Sometimes simple, sometimes complex!
    http://httpd.apache.org/docs/
    http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
  • 5-7. www or not www?
    ● Personal choice / aesthetics
    ● Both should be accessible; one should redirect (301) to the other
    ● Tell Google Webmaster Tools!

    # Force no "www"
    RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
    RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

    # Force "www"
    RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
    RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

    Use only one of the two pairs. The dots in the hostname are escaped because an unescaped "." matches any character, so "wwwXexampleYcom" would also match. RewriteEngine On must be set in the file for either rule to run (the WordPress block on slide 10 sets it).
  • 8. Protect important files
    # Protect .htaccess files
    <Files .htaccess>
        order allow,deny
        deny from all
    </Files>

    # Protect wp-config.php
    <Files wp-config.php>
        order allow,deny
        deny from all
    </Files>

    A mismatched closing tag (for example </FilesMatch> closing a <Files> section) is a syntax error that takes the whole directory down with a 500, so check the site after every edit. order/deny is Apache 2.2 syntax (mod_access_compat on 2.4); on Apache 2.4 use "Require all denied" inside the same <Files> block. Verify from outside: requests for /wp-config.php and /.htaccess must both return 403, never the file contents.
  • 10. WordPress pretty permalinks
    Include at end of .htaccess:
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
  • 11-12. WordPress pretty permalinks
    Really bad idea for big sites: (permalink structure shown as a screenshot on the original slide; not in this transcript)
    Better: (screenshot on the original slide)
    http://ottopress.com/2010/category-in-permalinks-considered-harmful/
    http://codex.wordpress.org/Using_Permalinks
  • 13. wp-config.php
    ● Create your own wp-config-sample.php
    ● Check the file for new constants in each new version of WordPress
    ● Edit and initialise it BEFORE installing WordPress!
    http://codex.wordpress.org/Editing_wp-config.php
    http://digwp.com/2010/08/pimp-your-wp-config-php/
  • 14. Server-dependent settings
    // ** MySQL settings - You can get this info from your web host ** //
    /** The name of the database for WordPress */
    define('DB_NAME', 'database_name_here');

    /** MySQL database username */
    define('DB_USER', 'username_here');

    /** MySQL database password */
    define('DB_PASSWORD', 'password_here');

    /** MySQL hostname */
    define('DB_HOST', 'localhost');
  • 15. Server-dependent settings
    switch ( $_SERVER['HTTP_HOST'] ) {
        case 'dev.example.com': {
            // Dev server
            define( 'DB_NAME', 'aef4RgX_mysitedev' );
            define( 'DB_USER', 'aef4RgX_mysitedev' );
            define( 'DB_PASSWORD', 'Jyt6v48jS9frkGgZyS5iIjif6LnosuYr' );
            define( 'DB_HOST', 'localhost' );
            break;
        }
        default: {
            // Live server
            define( 'DB_NAME', 'sd6FE2xc_mysitelive' );
            define( 'DB_USER', 'sd6FE2xc_mysitelive' );
            define( 'DB_PASSWORD', 'as3d56JvDlPisYwU7c1nfZ3Yct0NEiZR' );
            define( 'DB_HOST', 'localhost' );
            break;
        }
    }
    Caveat: $_SERVER['HTTP_HOST'] is the client's Host header, so it is attacker-controlled. If the same document root answers for both names (dev as a ServerAlias of the live vhost, or a catch-all vhost), anyone can send "Host: dev.example.com" and have the live code run against the dev database and dev settings. Keep the default branch on the live settings as shown, make sure the dev hostname only reaches a separate, access-controlled server, or key the switch on something the server sets (an environment variable from the vhost configuration) rather than on the request.
    https://www.grc.com/passwords.htm
  • 16. Authentication Keys and Salts
    Change them for every installation!
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
    define('AUTH_SALT', 'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT', 'put your unique phrase here');
    define('NONCE_SALT', 'put your unique phrase here');
    https://api.wordpress.org/secret-key/1.1/salt/
    These secrets sign the login cookies and nonces; with the sample values left in place, a cookie forged on any other installation is valid on yours. Changing them later is harmless to stored data but invalidates every existing login cookie and nonce, which is exactly what you want when you suspect sessions have been stolen.
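The following is an added example, not code from the slides: it generates the eight keys and salts locally with PHP's CSPRNG rather than pasting them from api.wordpress.org (handy on a box without outbound HTTP, or when rotating them after an incident), and checks an existing wp-config.php for the sample placeholders. The function names, the alphabet and the CLI wrapper are this example's own choices; it needs PHP 7 for random_int().

```php
<?php
// Added example (not from the slides): generate the eight keys and salts locally
// instead of fetching them from api.wordpress.org, and check an existing
// wp-config.php for the sample placeholders. Requires PHP 7 (random_int()).

// Alphabet for the secrets: printable ASCII minus ' and \, which would need
// escaping inside the single-quoted strings written to wp-config.php.
const SLT_SALT_ALPHABET =
    'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' .
    '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';

// One secret of $length characters; random_int() is CSPRNG-backed and unbiased,
// so every position is an independent uniform pick from the alphabet.
function slt_random_secret( $length = 64 ) {
    $alphabet = SLT_SALT_ALPHABET;
    $max      = strlen( $alphabet ) - 1;
    $secret   = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $secret .= $alphabet[ random_int( 0, $max ) ];
    }
    return $secret;
}

// The define() lines to paste into wp-config.php, one fresh secret each.
function slt_salt_block() {
    $names = array(
        'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
        'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
    );
    $lines = '';
    foreach ( $names as $name ) {
        $lines .= sprintf( "define( '%s', '%s' );\n", $name, slt_random_secret() );
    }
    return $lines;
}

// True if a wp-config.php still contains the sample file's placeholder text.
function slt_has_placeholder_salts( $wp_config_source ) {
    return false !== strpos( $wp_config_source, 'put your unique phrase here' );
}

// CLI use: php generate-salts.php [path/to/wp-config.php]
// Paste the output over the old block; appending it would duplicate the define()s.
if ( PHP_SAPI === 'cli' ) {
    if ( isset( $argv[1] ) && is_readable( $argv[1] ) ) {
        $existing = file_get_contents( $argv[1] );
        if ( false !== $existing && ! slt_has_placeholder_salts( $existing ) ) {
            fwrite( STDERR, "Note: {$argv[1]} already has non-default salts; replacing them logs every user out.\n" );
        }
    }
    echo slt_salt_block();
}
```

Sixty-four characters from a 92-symbol alphabet is far more entropy than the HMAC keys derived from them can use, which is why the strings are long rather than clever. The placeholder check is worth wiring into a deployment script: a wp-config.php that still says "put your unique phrase here" should fail the deploy.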
  • 17-18. Database table prefix
    The default:
    $table_prefix = 'wp_';
    Much better:
    $table_prefix = 'a3rfGtQ1_';
    This only trips up scripted attacks that hard-code the wp_ table names. Anyone with a working SQL injection can read the real prefix from information_schema, and some error messages leak it, so treat the prefix as hygiene rather than a control and keep the real defences (updates, prepared queries, least privilege on the database user) in place.
  • 19-21. Database table prefix
    When coding database queries, don't use hard-coded table names!
    A standard WP table:
    global $wpdb;
    $custom_query = $wpdb->get_results( "SELECT ID, post_title FROM $wpdb->posts" );
    A custom table:
    global $wpdb;
    $custom_query = $wpdb->get_results( "SELECT field FROM " . $wpdb->prefix . "table" );
    Both queries above are constant strings. The moment any value comes from the request (a query-string parameter, a form field, a cookie), build the SQL with $wpdb->prepare() and its %s / %d placeholders instead of concatenating; $wpdb->get_results() does no escaping of its own.
    http://codex.wordpress.org/Class_Reference/wpdb
  • 22. Server needs FTP for upgrades?
    define( "FTP_HOST", "ftp.example.com" );
    define( "FTP_USER", "myftpuser" );
    define( "FTP_PASS", "hQfsSITtKteo1Ln2FEhHlPkXZ" );
    Storing FTP credentials here means anyone who can read wp-config.php (a local file-read bug, a neighbour on a shared host, a stray backup) also gets write access to the whole site, over a protocol that sends the password in clear text. Prefer fixing file ownership so WordPress can write directly without credentials, or use the SSH2 method (FS_METHOD 'ssh2' with FTP_PUBKEY / FTP_PRIKEY) with a key that is limited to this site.
  • 24. Debugging
    define( 'WP_DEBUG', true );
    http://dev.example.com/?debug=1
    switch ( $_SERVER['HTTP_HOST'] ) {
        case 'dev.example.com': {
            // Dev server
            define( 'WP_DEBUG', isset( $_GET['debug'] ) );
            break;
        }
        default: {
            // Live server
            define( 'WP_DEBUG', false );
            break;
        }
    }
    WP_DEBUG prints PHP notices, complete with file system paths, into the page. Never leave it on for live, and remember that ?debug=1 works for every visitor of the dev host, so the dev site itself should be access-controlled. If notices must be collected on a reachable site, set WP_DEBUG_DISPLAY to false and WP_DEBUG_LOG to true so they go to wp-content/debug.log instead of the browser (and keep that file out of the web root or denied in .htaccess).
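Slides 15 and 24 both switch wp-config.php behaviour on $_SERVER['HTTP_HOST'], which the client controls. The block below is an added example, not the speaker's code: it makes the same dev/live split, including the ?debug=1 toggle, but keys it on a variable the server sets. It assumes the dev vhost exports WP_ENV (with "SetEnv WP_ENV dev" under mod_php, or "env[WP_ENV] = dev" in a php-fpm pool); the function names, the $slt_environments array and the credentials are placeholders chosen for this example.

```php
<?php
// Added example (not from the slides): select per-environment settings from a
// variable the server sets rather than from $_SERVER['HTTP_HOST'], which any
// client can fill in with "Host: dev.example.com". Assumptions: the dev vhost
// sets the variable with `SetEnv WP_ENV dev` (mod_php) or `env[WP_ENV] = dev`
// in the php-fpm pool; the credentials below are placeholders.

$slt_environments = array(
    'dev'  => array(
        'DB_NAME'          => 'aef4RgX_mysitedev',
        'DB_USER'          => 'aef4RgX_mysitedev',
        'DB_PASSWORD'      => 'placeholder-dev-password',
        'DB_HOST'          => 'localhost',
        'WP_DEBUG'         => isset( $_GET['debug'] ), // the ?debug=1 toggle from slide 24
        'WP_DEBUG_DISPLAY' => false, // keep notices out of the HTML ...
        'WP_DEBUG_LOG'     => true,  // ... and write them to wp-content/debug.log
    ),
    'live' => array(
        'DB_NAME'          => 'sd6FE2xc_mysitelive',
        'DB_USER'          => 'sd6FE2xc_mysitelive',
        'DB_PASSWORD'      => 'placeholder-live-password',
        'DB_HOST'          => 'localhost',
        'WP_DEBUG'         => false,
        'WP_DEBUG_DISPLAY' => false,
        'WP_DEBUG_LOG'     => false,
    ),
);

// Resolve the environment name. Anything unknown, including an unset variable
// (getenv() returns false), falls back to 'live' so a mis-set server fails
// closed: live database, no debug output.
function slt_select_environment( $requested, array $environments ) {
    if ( is_string( $requested ) && isset( $environments[ $requested ] ) ) {
        return $requested;
    }
    return 'live';
}

// define() each setting once; a constant defined earlier in the file wins.
function slt_define_environment( array $settings ) {
    foreach ( $settings as $name => $value ) {
        if ( ! defined( $name ) ) {
            define( $name, $value );
        }
    }
}

$slt_env = slt_select_environment( getenv( 'WP_ENV' ), $slt_environments );
slt_define_environment( $slt_environments[ $slt_env ] );

// The rest of a normal wp-config.php follows here (keys and salts, $table_prefix,
// require_once ABSPATH . 'wp-settings.php'). To check which branch a server picks,
// run it from the CLI with and without WP_ENV=dev and uncomment the next line:
// echo $slt_env, ': ', DB_NAME, ', WP_DEBUG=', var_export( WP_DEBUG, true ), PHP_EOL;
```

The fail-closed default matters more than the mechanism: whatever the selector is, a missing or unexpected value must land on the live settings with debugging off, never on the branch that prints notices and talks to a throwaway database.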
  • 25-27. Control revisions and autosave
    // Only keep 3 revisions of each post
    define( 'WP_POST_REVISIONS', 3 );

    // Don't keep revisions of posts
    define( 'WP_POST_REVISIONS', false );

    // Autosave posts interval in seconds
    define( 'AUTOSAVE_INTERVAL', 60 );
  • 28. Disable plugin and theme editing
    define( 'DISALLOW_FILE_EDIT', true );
    This removes the theme and plugin editors from the admin, so a stolen administrator login cannot drop PHP into a theme file with one click. DISALLOW_FILE_MODS set to true goes further and also blocks plugin and theme installs and updates from the dashboard, which suits sites deployed from version control.
  • 29. robots.txt
    User-agent: *
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins
    Disallow: /wp-content/cache
    Disallow: /wp-content/themes
    Disallow: /trackback
    Disallow: /feed
    Disallow: /comments
    Disallow: /category/*/*
    Disallow: */trackback
    Disallow: */feed
    Disallow: */comments
    Disallow: /*?*
    Disallow: /*?
    Allow: /wp-content/uploads
    Sitemap: http://example.com/sitemap.xml
    http://codex.wordpress.org/Search_Engine_Optimization_for_WordPress#Robots.txt_Optimization
    robots.txt is an SEO tool, not a security control: it is public, it lists exactly the paths you would rather not advertise, and scanners ignore it. Protect /wp-admin and friends with authentication and file permissions, not with Disallow lines. Note also that "Disallow: /wp-admin" covers /wp-admin/admin-ajax.php, which front-end AJAX features rely on; add "Allow: /wp-admin/admin-ajax.php" if you use them.
  • 30. Custom theme functions.php / "functionality" plugin
    ● Snippets not worth making into a plugin
    ● Plugin is more portable (survives a theme switch)
    ● Check out /mu-plugins/
    http://justintadlock.com/archives/2011/02/02/creating-a-custom-functions-plugin-for-end-users
    http://wpcandy.com/teaches/how-to-create-a-functionality-plugin
    http://codex.wordpress.org/Must_Use_Plugins
  • 31. Disable upgrade notifications for people who can't do upgrades
    // Hide the update nag from users who can't run upgrades anyway. Hooked on init
    // (priority 2, ahead of wp_version_check at 10) because current_user_can() is not
    // available until pluggable.php has loaded; create_function() is removed in PHP 8.
    add_action( 'init', 'slt_hide_update_nag', 2 );
    function slt_hide_update_nag() {
        if ( current_user_can( 'update_core' ) ) {
            return;
        }
        remove_action( 'init', 'wp_version_check' );
        add_filter( 'pre_option_update_core', function () { return null; } );
    }
    This only hides the notice; it does not change who is allowed to upgrade, and somebody with update_core must still apply updates promptly.
  • 32. Remove nofollow from comments
    // WordPress adds rel="nofollow" to comment links to deter link spam; only remove it
    // with Akismet or moderation in place. The regex below needs its backslashes intact.
    remove_filter( 'pre_comment_content', 'wp_rel_nofollow' );
    add_filter( 'get_comment_author_link', 'slt_dofollow' );
    add_filter( 'post_comments_link', 'slt_dofollow' );
    add_filter( 'comment_reply_link', 'slt_dofollow' );
    add_filter( 'comment_text', 'slt_dofollow' );
    function slt_dofollow( $str ) {
        $str = preg_replace( '~<a ([^>]*)\s*(["|\']{1}\w*)\s*nofollow([^>]*)>~U', '<a ${1}${2}${3}>', $str );
        return str_replace( array( ' rel=""', " rel=''" ), '', $str );
    }
    http://digwp.com/2010/04/wordpress-custom-functions-php-template-part-2/
  • 33. Better default display names
    add_action( 'user_register', 'slt_default_user_display_name' );
    function slt_default_user_display_name( $user_id ) {
        // get_usermeta() is deprecated since WP 3.0; get_user_meta() with $single = true replaces it
        $first   = get_user_meta( $user_id, 'first_name', true );
        $last    = get_user_meta( $user_id, 'last_name', true );
        $display = trim( $first . ' ' . $last );
        if ( '' === $display ) {
            return; // no name supplied at registration: keep WordPress's default
        }
        wp_update_user( array( 'ID' => $user_id, 'display_name' => $display ) );
    }
    The display name is public (author archives, comment bylines), so this publishes users' real names wherever they entered them; make sure that is what your users expect.
  • 34. Plugins
    Force Strong Passwords. Copies WordPress's JavaScript password strength meter into PHP and forces "executive" users to have a strong password when updating their profile.
    http://wordpress.org/extend/plugins/force-strong-passwords/
    Google XML Sitemaps (or equivalent).
    http://wordpress.org/extend/plugins/google-sitemap-generator/
    Use Google Libraries. Loads jQuery and friends from Google's CDN instead of your own copy: you are trusting a third-party host with script that runs on every page, so weigh that against the caching benefit.
    http://wordpress.org/extend/plugins/use-google-libraries/
    WordPress Database Backup. Keep the dumps outside the web root; a backup left under wp-content is a complete copy of your users table for anyone who can guess or find its filename.
    http://wordpress.org/extend/plugins/wp-db-backup/
  • 35. Other issues
    ● File permissions
      http://codex.wordpress.org/Hardening_WordPress#File_permissions
    ● .htpasswd for /wp-admin/ (exempt /wp-admin/admin-ajax.php if anything on the front end uses AJAX, otherwise anonymous visitors get the authentication prompt)
    ● Settings > Discussion (comment moderation and anti-spam settings)