Beyond the WordPress 5 minute Install
The slides for the talk I gave at WordCamp Portsmouth UK 2011, 16/7/11. It basically covers some security and best practices hints and tips that aren't part of the standard WordPress installation.

  • Comment: An update on the permalink issue... /%postname%/ permalinks should no longer be a problem as of WP 3.3. See http://core.trac.wordpress.org/ticket/16687

Presentation Transcript

  • Beyond the 5-minute Install
    Steve Taylor
    http://sltaylor.co.uk
    steve@sltaylor.co.uk
    @sltayloresque
    WordCamp Portsmouth UK 2011
  • Security & best practices
    ● .htaccess
    ● wp-config.php
    ● robots.txt
    ● functions.php / “functionality plugin”
    ● Plugins
    ● Other issues?
  • A bit about me
    ● Custom theme developer
    ● No themes released
    ● A few plugins
    This talk
    ● Advice for beginners
    ● Tips for developers
  • .htaccess
    ● “hypertext access”
    ● Controls requests to the server before any PHP / WordPress processing
    ● Apache only (IIS?)
    ● Root of website (sub-directories?)
    ● Sometimes simple, sometimes complex!
    http://httpd.apache.org/docs/
    http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
  • www or not www?
    ● Personal choice / aesthetics
    ● Both should be accessible; one should redirect (301) to the other
    ● Tell Google Webmaster Tools!

        # mod_rewrite must be switched on before any RewriteCond/RewriteRule
        RewriteEngine On

        # Force no "www" (dots escaped so they match literally)
        RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
        RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

        # Force "www"
        RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
        RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
  • Protect important files

        # Protect .htaccess files
        # (Apache 2.2 syntax; on Apache 2.4 the two lines become "Require all denied")
        <Files .htaccess>
            order allow,deny
            deny from all
        </Files>

        # Protect wp-config.php
        <Files wp-config.php>
            order allow,deny
            deny from all
        </Files>
  • WordPress pretty permalinks
    Include at end of .htaccess:

        # BEGIN WordPress
        <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.php [L]
        </IfModule>
        # END WordPress

    Really bad idea for big sites:
    Better:
    http://ottopress.com/2010/category-in-permalinks-considered-harmful/
    http://codex.wordpress.org/Using_Permalinks
  • wp-config.php
    ● Create your own wp-config-sample.php
    ● Check the file for new stuff in new versions of WordPress
    ● Edit and initialize BEFORE installing WordPress!
    http://codex.wordpress.org/Editing_wp-config.php
    http://digwp.com/2010/08/pimp-your-wp-config-php/
  • Server-dependent settings

        // ** MySQL settings - You can get this info from your web host ** //
        /** The name of the database for WordPress */
        define( 'DB_NAME', 'database_name_here' );

        /** MySQL database username */
        define( 'DB_USER', 'username_here' );

        /** MySQL database password */
        define( 'DB_PASSWORD', 'password_here' );

        /** MySQL hostname */
        define( 'DB_HOST', 'localhost' );
  • Server-dependent settings

        // Pick the database settings for the host the request came in on
        switch ( $_SERVER['HTTP_HOST'] ) {
            case 'dev.example.com': {
                // Dev server
                define( 'DB_NAME', 'aef4RgX_mysitedev' );
                define( 'DB_USER', 'aef4RgX_mysitedev' );
                define( 'DB_PASSWORD', 'Jyt6v48jS9frkGgZyS5iIjif6LnosuYr' );
                define( 'DB_HOST', 'localhost' );
                break;
            }
            default: {
                // Live server
                define( 'DB_NAME', 'sd6FE2xc_mysitelive' );
                define( 'DB_USER', 'sd6FE2xc_mysitelive' );
                define( 'DB_PASSWORD', 'as3d56JvDlPisYwU7c1nfZ3Yct0NEiZR' );
                define( 'DB_HOST', 'localhost' );
                break;
            }
        }

    https://www.grc.com/passwords.htm
  • Authentication Keys and Salts
    Change them for every installation!

        define( 'AUTH_KEY',         'put your unique phrase here' );
        define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
        define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
        define( 'NONCE_KEY',        'put your unique phrase here' );
        define( 'AUTH_SALT',        'put your unique phrase here' );
        define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
        define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
        define( 'NONCE_SALT',       'put your unique phrase here' );

    https://api.wordpress.org/secret-key/1.1/salt/
  • Database table prefix
    The default:

        $table_prefix = 'wp_';

    Much better:

        $table_prefix = 'a3rfGtQ1_';
  • Database table prefix
    When coding database queries, don’t use hard-coded table names!
    A standard WP table:

        global $wpdb;
        $custom_query = $wpdb->get_results( "SELECT ID, post_title FROM $wpdb->posts" );

    A custom table:

        global $wpdb;
        $custom_query = $wpdb->get_results( "SELECT field FROM " . $wpdb->prefix . "table" );

    http://codex.wordpress.org/Class_Reference/wpdb
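Prefix-safe table names take care of the prefix; values that come from users still belong in $wpdb->prepare() placeholders. The following is an added example, not code from the slides; the slt_example_ function names and the custom table name are assumptions.

```php
<?php
// Added example, not from the slides: prefix-safe table names combined with
// $wpdb->prepare(), so user-supplied values are escaped before they reach MySQL.

// Published posts by one author; %d casts to an integer, %s quotes and escapes a string.
function slt_example_author_posts( $author_id, $limit = 10 ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM $wpdb->posts
         WHERE post_author = %d AND post_status = %s
         ORDER BY post_date DESC LIMIT %d",
        $author_id, 'publish', $limit
    );
    return $wpdb->get_results( $sql );
}

// Lookup in a custom table (assumed name: {prefix}slt_example).
// Unsafe form this replaces: "... WHERE lookup_key = '$key'", where the raw
// value is spliced into the SQL and a quote in $key changes the query.
function slt_example_custom_lookup( $key ) {
    global $wpdb;
    $table = $wpdb->prefix . 'slt_example';
    $sql   = $wpdb->prepare( "SELECT field FROM $table WHERE lookup_key = %s", $key );
    return $wpdb->get_var( $sql );
}

// Table names cannot be placeholders, so a table chosen at run time must be
// picked from a known list rather than taken from input.
function slt_example_count_rows( $which ) {
    global $wpdb;
    $allowed = array( 'posts' => $wpdb->posts, 'comments' => $wpdb->comments );
    if ( ! isset( $allowed[ $which ] ) ) {
        return false;
    }
    return (int) $wpdb->get_var( "SELECT COUNT(*) FROM {$allowed[ $which ]}" );
}
```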
  • Server needs FTP for upgrades?

        define( "FTP_HOST", "ftp.example.com" );
        define( "FTP_USER", "myftpuser" );
        define( "FTP_PASS", "hQfsSITtKteo1Ln2FEhHlPkXZ" );
  • Debugging

        define( 'WP_DEBUG', true );

    http://dev.example.com/?debug=1

        switch ( $_SERVER['HTTP_HOST'] ) {
            case 'dev.example.com': {
                // Dev server: debug output only when ?debug is in the URL
                define( 'WP_DEBUG', isset( $_GET['debug'] ) );
                break;
            }
            default: {
                // Live server
                define( 'WP_DEBUG', false );
                break;
            }
        }
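The dev/live switches on the two slides above key on $_SERVER['HTTP_HOST'], which PHP fills from the client's Host header. The following is an added example, not code from the slides, that makes the same split on a value the server sets; the WP_ENV variable name, the SetEnv line it assumes, and the credential placeholders are mine.

```php
<?php
// Added example, not from the slides. The environment is chosen from WP_ENV,
// which the server sets (assumption: "SetEnv WP_ENV dev" in the dev vhost),
// rather than from $_SERVER['HTTP_HOST'], which any client can set to any value
// in its Host header. Unknown or missing values fall back to the live settings.
$slt_environments = array(
    'dev' => array(
        'DB_NAME'          => 'dev_db_name_here',      // placeholders, not real credentials
        'DB_USER'          => 'dev_db_user_here',
        'DB_PASSWORD'      => 'dev_db_password_here',
        'DB_HOST'          => 'localhost',
        'WP_DEBUG'         => isset( $_GET['debug'] ), // ?debug=1 toggles debug output
        'WP_DEBUG_DISPLAY' => true,
    ),
    'live' => array(
        'DB_NAME'          => 'live_db_name_here',
        'DB_USER'          => 'live_db_user_here',
        'DB_PASSWORD'      => 'live_db_password_here',
        'DB_HOST'          => 'localhost',
        'WP_DEBUG'         => false,                   // never hard-code true on the live site
        'WP_DEBUG_DISPLAY' => false,
    ),
);

$slt_env = getenv( 'WP_ENV' );
if ( $slt_env === false || ! isset( $slt_environments[ $slt_env ] ) ) {
    $slt_env = 'live'; // fail closed: anything unexpected is treated as live
}

foreach ( $slt_environments[ $slt_env ] as $slt_name => $slt_value ) {
    if ( ! defined( $slt_name ) ) {
        define( $slt_name, $slt_value );
    }
}
unset( $slt_environments, $slt_env, $slt_name, $slt_value );
// The usual wp-config.php lines (charset, keys and salts, $table_prefix, ABSPATH) follow.
```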
  • Control revisions and autosave

        // Only keep 3 revisions of each post
        define( 'WP_POST_REVISIONS', 3 );

        // Don't keep revisions of posts
        define( 'WP_POST_REVISIONS', false );

        // Autosave posts interval in seconds
        define( 'AUTOSAVE_INTERVAL', 60 );
  • Disable plugin and theme editing

        define( 'DISALLOW_FILE_EDIT', true );
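Because wp-config.php is edited by hand, it is worth checking afterwards that the keys and salts, table prefix, file-edit and debug settings from the preceding slides are not still at their defaults. The following is an added example, not from the slides: a small command-line script that reads a wp-config.php and lists what is still at a default; the function name and the constructed sample file are mine.

```php
<?php
// Added example, not from the slides: audit a wp-config.php for the settings
// covered in this talk. Usage: php wp-config-audit.php /path/to/wp-config.php
function slt_audit_wp_config( $source ) {
    $findings = array();
    $keys = array( 'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
                   'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT' );
    foreach ( $keys as $key ) {
        // Matches define( 'KEY', 'value' ) with single or double quotes
        $re = '/define\(\s*[\'"]' . $key . '[\'"]\s*,\s*[\'"](.*?)[\'"]\s*\)/';
        if ( ! preg_match( $re, $source, $m ) ) {
            $findings[] = "$key is not defined";
        } elseif ( $m[1] === 'put your unique phrase here' || strlen( $m[1] ) < 32 ) {
            $findings[] = "$key is the placeholder or shorter than 32 characters";
        }
    }
    if ( preg_match( '/\$table_prefix\s*=\s*[\'"]wp_[\'"]/', $source ) ) {
        $findings[] = 'table prefix is the default wp_';
    }
    if ( ! preg_match( '/define\(\s*[\'"]DISALLOW_FILE_EDIT[\'"]\s*,\s*true\s*\)/', $source ) ) {
        $findings[] = 'DISALLOW_FILE_EDIT is not set to true';
    }
    if ( preg_match( '/define\(\s*[\'"]WP_DEBUG[\'"]\s*,\s*true\s*\)/', $source ) ) {
        $findings[] = 'WP_DEBUG is hard-coded to true';
    }
    return $findings;
}

$path   = isset( $argv[1] ) ? $argv[1] : 'wp-config.php';
$source = is_readable( $path ) ? file_get_contents( $path ) : '';
if ( $source === '' ) {
    // Constructed sample so the script runs offline; it trips every check.
    $source = "<?php\n\$table_prefix = 'wp_';\n"
            . "define( 'AUTH_KEY', 'put your unique phrase here' );\n"
            . "define( 'WP_DEBUG', true );\n";
}
foreach ( slt_audit_wp_config( $source ) as $finding ) {
    echo "[!] $finding\n";
}
```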
  • robots.txt

        User-agent: *
        Disallow: /wp-admin
        Disallow: /wp-includes
        Disallow: /wp-content/plugins
        Disallow: /wp-content/cache
        Disallow: /wp-content/themes
        Disallow: /trackback
        Disallow: /feed
        Disallow: /comments
        Disallow: /category/*/*
        Disallow: */trackback
        Disallow: */feed
        Disallow: */comments
        Disallow: /*?*
        Disallow: /*?
        Allow: /wp-content/uploads
        Sitemap: http://example.com/sitemap.xml

    http://codex.wordpress.org/Search_Engine_Optimization_for_WordPress#Robots.txt_Optimization
  • Custom theme functions.php / “functionality” plugin
    ● Snippets not worth making into a plugin
    ● Plugin is more portable
    ● Check out /mu-plugins/
    http://justintadlock.com/archives/2011/02/02/creating-a-custom-functions-plugin-for-end-users
    http://wpcandy.com/teaches/how-to-create-a-functionality-plugin
    http://codex.wordpress.org/Must_Use_Plugins
  • Disable upgrade notifications for people who can't do upgrades

        if ( ! current_user_can( 'update_core' ) ) {
            // Stop the core version check running, and report no core update as available.
            // The slide used create_function(); closures do the same job and still work
            // on PHP 7.2+, where create_function() is deprecated.
            add_action( 'init', function () {
                remove_action( 'init', 'wp_version_check' );
            }, 2 );
            add_filter( 'pre_option_update_core', function () {
                return null;
            } );
        }
  • Remove nofollow from comments

        remove_filter( 'pre_comment_content', 'wp_rel_nofollow' );
        add_filter( 'get_comment_author_link', 'slt_dofollow' );
        add_filter( 'post_comments_link', 'slt_dofollow' );
        add_filter( 'comment_reply_link', 'slt_dofollow' );
        add_filter( 'comment_text', 'slt_dofollow' );

        function slt_dofollow( $str ) {
            // Strip "nofollow" out of any rel attribute on a link, then drop rel attributes left empty
            $str = preg_replace( '~<a ([^>]*)\s*(["|\']{1}\w*)\s*nofollow([^>]*)>~U', '<a ${1}${2}${3}>', $str );
            return str_replace( array( 'rel=""', " rel=''" ), '', $str );
        }

    http://digwp.com/2010/04/wordpress-custom-functions-php-template-part-2/
  • Better default display names

        add_action( 'user_register', 'slt_default_user_display_name' );

        function slt_default_user_display_name( $user_id ) {
            // get_user_meta() replaces get_usermeta(), deprecated since WP 3.0
            $first   = get_user_meta( $user_id, 'first_name', true );
            $last    = get_user_meta( $user_id, 'last_name', true );
            $display = trim( $first . ' ' . $last ); // trim() avoids a lone space when both are empty
            wp_update_user( array( 'ID' => $user_id, 'display_name' => $display ) );
        }
  • Plugins
    Force Strong Passwords. Copies WordPress's JavaScript password strength meter into PHP and forces “executive” users to have a strong password when updating their profile.
    http://wordpress.org/extend/plugins/force-strong-passwords/
    Google XML Sitemaps (or equivalent).
    http://wordpress.org/extend/plugins/google-sitemap-generator/
    Use Google Libraries.
    http://wordpress.org/extend/plugins/use-google-libraries/
    WordPress Database Backup.
    http://wordpress.org/extend/plugins/wp-db-backup/
  • Other issues
    ● File permissions
      http://codex.wordpress.org/Hardening_WordPress#File_permissions
    ● .htpasswd for /wp-admin/
    ● Settings > Discussion
  • Cheers!
    http://sltaylor.co.uk
    @sltayloresque