Beyond the WordPress 5 minute Install

The slides for the talk I gave at WordCamp Portsmouth UK 2011, 16/7/11. It basically covers some security and best practices hints and tips that aren't part of the standard WordPress installation.

Published in: Technology, Business

Slide 1. Beyond the 5-minute Install
Steve Taylor
http://sltaylor.co.uk
steve@sltaylor.co.uk
@sltayloresque
WordCamp Portsmouth UK 2011

Slide 2. Security & best practices
● .htaccess
● wp-config.php
● robots.txt
● functions.php / “functionality plugin”
● Plugins
● Other issues?

Slide 3. A bit about me
● Custom theme developer
● No themes released
● A few plugins
This talk
● Advice for beginners
● Tips for developers

Slide 4. .htaccess
● “hypertext access”
● Controls requests to the server before any PHP / WordPress processing
● Apache only (IIS?)
● Root of website (sub-directories?)
● Sometimes simple, sometimes complex!
http://httpd.apache.org/docs/
http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/

Slides 5-7. www or not www?
● Personal choice / aesthetics
● Both should be accessible; one should redirect (301) to the other
● Tell Google Webmaster Tools!

    RewriteEngine On

    # Force no "www" (dots escaped so they match literally)
    RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
    RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

    # Force "www" (use one of the two blocks, not both)
    RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
    RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
Slide 8. Protect important files

    # Protect .htaccess files
    <Files .htaccess>
        order allow,deny
        deny from all
    </Files>

    # Protect wp-config.php
    <Files wp-config.php>
        order allow,deny
        deny from all
    </Files>

Slides 9-10. WordPress pretty permalinks
Include at end of .htaccess:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

Slides 11-12. WordPress pretty permalinks
Really bad idea for big sites:
Better:
(The two permalink structures were shown as images on the slides and are not in this transcript.)
http://ottopress.com/2010/category-in-permalinks-considered-harmful/
http://codex.wordpress.org/Using_Permalinks
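Apache serves nothing from a directory whose .htaccess has a syntax error, so a slip such as closing a `<Files>` section with `</FilesMatch>` takes the whole site down with a 500 instead of protecting wp-config.php. The checker below is an added example, not code from the talk: it parses the one-tag-per-line sections used on slides 8 and 10, reports unbalanced or mismatched tags with their line numbers, and confirms that .htaccess and wp-config.php each sit inside a deny-all `<Files>` section. The parsing rules, the `MUST_PROTECT` list and the constructed sample are assumptions of the example.

```python
"""Check an .htaccess for mismatched section tags and missing file protections.

Added example, not code from the talk. Assumptions: section tags are written
one per line, and "protected" means a <Files> section containing "deny from all"
(Apache 2.2 syntax, as on the slides) or "Require all denied" (Apache 2.4).
"""
import re

OPEN_RE = re.compile(r"^\s*<(\w+)\b[^>]*>\s*$")
CLOSE_RE = re.compile(r"^\s*</(\w+)>\s*$")
FILES_RE = re.compile(r'^\s*<Files\s+"?([^\s">]+)"?\s*>\s*$', re.I)
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)

# Files WordPress never needs to serve and that leak secrets if readable.
MUST_PROTECT = {".htaccess", "wp-config.php"}


def check_sections(text):
    """Return (line_no, problem) pairs for section tags that do not pair up."""
    problems, stack = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1), n))
            continue
        m = CLOSE_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        if not stack:
            problems.append((n, f"</{name}> without an open section"))
        elif stack[-1][0].lower() != name.lower():
            open_name, open_line = stack.pop()
            problems.append((n, f"</{name}> closes <{open_name}> from line {open_line}"))
        else:
            stack.pop()
    for name, n in stack:
        problems.append((n, f"<{name}> is never closed"))
    return problems


def protected_files(text):
    """Names from <Files> sections that deny every request."""
    protected, current = set(), None
    for line in text.splitlines():
        m = FILES_RE.match(line)
        if m:
            current = m.group(1)
        elif CLOSE_RE.match(line):
            current = None
        elif current and DENY_RE.match(line):
            protected.add(current)
    return protected


def missing_protections(text):
    """Which of MUST_PROTECT has no deny-all <Files> section."""
    return MUST_PROTECT - protected_files(text)


# Constructed sample with the classic mistake: <Files> closed by </FilesMatch>.
BROKEN = """# Protect .htaccess files
<Files .htaccess>
    order allow,deny
    deny from all
</Files>
# Protect wp-config.php
<Files wp-config.php>
    order allow,deny
    deny from all
</FilesMatch>
"""
FIXED = BROKEN.replace("</FilesMatch>", "</Files>")

if __name__ == "__main__":
    for n, problem in check_sections(BROKEN):
        print(f"line {n}: {problem}")
    print("unprotected:", missing_protections(FIXED) or "none")
```

Run it against the file before uploading; an empty list from `check_sections` and an empty set from `missing_protections` is the result you want. The checker deliberately ignores everything that is not a section tag or a deny directive, so RewriteCond and RewriteRule lines pass through untouched.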
Slide 13. wp-config.php
● Create your own wp-config-sample.php
● Check the file for new stuff in new versions of WordPress
● Edit and initialize BEFORE installing WordPress!
http://codex.wordpress.org/Editing_wp-config.php
http://digwp.com/2010/08/pimp-your-wp-config-php/

Slide 14. Server-dependent settings

    // ** MySQL settings - You can get this info from your web host ** //
    /** The name of the database for WordPress */
    define( 'DB_NAME', 'database_name_here' );

    /** MySQL database username */
    define( 'DB_USER', 'username_here' );

    /** MySQL database password */
    define( 'DB_PASSWORD', 'password_here' );

    /** MySQL hostname */
    define( 'DB_HOST', 'localhost' );

Slide 15. Server-dependent settings

    switch ( $_SERVER['HTTP_HOST'] ) {
        case 'dev.example.com': {
            // Dev server
            define( 'DB_NAME', 'aef4RgX_mysitedev' );
            define( 'DB_USER', 'aef4RgX_mysitedev' );
            define( 'DB_PASSWORD', 'Jyt6v48jS9frkGgZyS5iIjif6LnosuYr' );
            define( 'DB_HOST', 'localhost' );
            break;
        }
        default: {
            // Live server
            define( 'DB_NAME', 'sd6FE2xc_mysitelive' );
            define( 'DB_USER', 'sd6FE2xc_mysitelive' );
            define( 'DB_PASSWORD', 'as3d56JvDlPisYwU7c1nfZ3Yct0NEiZR' );
            define( 'DB_HOST', 'localhost' );
            break;
        }
    }

https://www.grc.com/passwords.htm

Slide 16. Authentication Keys and Salts
Change them for every installation!

    define( 'AUTH_KEY',         'put your unique phrase here' );
    define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
    define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
    define( 'NONCE_KEY',        'put your unique phrase here' );
    define( 'AUTH_SALT',        'put your unique phrase here' );
    define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
    define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
    define( 'NONCE_SALT',       'put your unique phrase here' );

https://api.wordpress.org/secret-key/1.1/salt/

Slides 17-18. Database table prefix
The default:

    $table_prefix = 'wp_';

Much better:

    $table_prefix = 'a3rfGtQ1_';

Slides 19-21. Database table prefix
When coding database queries, don't use hard-coded table names!
A standard WP table:

    global $wpdb;
    $custom_query = $wpdb->get_results( "SELECT ID, post_title FROM $wpdb->posts" );

A custom table:

    global $wpdb;
    $custom_query = $wpdb->get_results( "SELECT field FROM " . $wpdb->prefix . "table" );

http://codex.wordpress.org/Class_Reference/wpdb

Slide 22. Server needs FTP for upgrades?

    define( 'FTP_HOST', 'ftp.example.com' );
    define( 'FTP_USER', 'myftpuser' );
    define( 'FTP_PASS', 'hQfsSITtKteo1Ln2FEhHlPkXZ' );

Slides 23-24. Debugging

    define( 'WP_DEBUG', true );

http://dev.example.com/?debug=1

    switch ( $_SERVER['HTTP_HOST'] ) {
        case 'dev.example.com': {
            // Dev server: debug output only when ?debug=1 is in the URL
            define( 'WP_DEBUG', isset( $_GET['debug'] ) );
            break;
        }
        default: {
            // Live server
            define( 'WP_DEBUG', false );
            break;
        }
    }

Slides 25-27. Control revisions and autosave

    // Only keep 3 revisions of each post
    define( 'WP_POST_REVISIONS', 3 );

    // Don't keep revisions of posts
    define( 'WP_POST_REVISIONS', false );

    // Autosave posts interval in seconds
    define( 'AUTOSAVE_INTERVAL', 60 );

Slide 28. Disable plugin and theme editing

    define( 'DISALLOW_FILE_EDIT', true );
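Slides 14 to 28 amount to a checklist for wp-config.php: no stock database credentials, all eight keys and salts replaced, a non-default table prefix, WP_DEBUG off on the live site and DISALLOW_FILE_EDIT on. The script below is an added example, not code from the talk, that audits a wp-config.php for those points before it is deployed. Its regular-expression parsing, the 32-character minimum for secrets, the duplicate-value check and the two constructed sample configs are assumptions of the example.

```python
"""Audit a wp-config.php for the settings the slides say to change.

Added example, not the speaker's code. It scans the file as text and only
understands one-line define( 'NAME', value ) statements; the 32-character
minimum for keys and salts is an assumption (the salt API issues 64 chars).
"""
import re

KEYS_AND_SALTS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                  "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
STOCK_DB = {"DB_NAME": "database_name_here", "DB_USER": "username_here",
            "DB_PASSWORD": "password_here"}
MIN_SECRET_LEN = 32  # assumption, see module docstring
DEFINE_RE = re.compile(r"""define\(\s*(['"])(\w+)\1\s*,\s*(.*?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""")


def parse_defines(src):
    """Map constant name -> raw value expression for every define() in src."""
    return {m.group(2): m.group(3) for m in DEFINE_RE.finditer(src)}


def unquote(raw):
    """Strip one pair of matching quotes from a PHP string literal."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw


def audit_wp_config(src):
    """Return (setting, problem) pairs for a live-site config; [] means clean."""
    findings, defines = [], parse_defines(src)
    # Slides 14-15: the sample credentials must not survive into production.
    for name, stock in STOCK_DB.items():
        if unquote(defines.get(name, "")) == stock:
            findings.append((name, "still the stock sample value"))
    # Slide 16: every key and salt present, non-placeholder, long and distinct.
    seen = {}
    for name in KEYS_AND_SALTS:
        if name not in defines:
            findings.append((name, "not defined"))
            continue
        value = unquote(defines[name])
        if value == PLACEHOLDER or len(value) < MIN_SECRET_LEN:
            findings.append((name, "placeholder or too short"))
        elif value in seen:
            findings.append((name, f"same value as {seen[value]}"))
        seen.setdefault(value, name)
    # Slides 17-18: a non-default table prefix.
    m = PREFIX_RE.search(src)
    if m is None:
        findings.append(("table_prefix", "not set"))
    elif m.group(2) == "wp_":
        findings.append(("table_prefix", "default 'wp_'"))
    # Slides 23-24: no debug output on the live site.
    if defines.get("WP_DEBUG", "false").lower() != "false":
        findings.append(("WP_DEBUG", "not false; must be false on a live site"))
    # Slide 28: no editing of plugin/theme code from the dashboard.
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append(("DISALLOW_FILE_EDIT", "not set to true"))
    return findings


# Constructed fixture: a config that still carries several stock values.
UNTOUCHED = """<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'sd6FE2xc_mysitelive' );
define( 'DB_PASSWORD', 'password_here' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'Kq8#Wz2m!vR7bT^yL0pH4sD9eF3gJ1nX6cV5aB8uM2tY7rEqWs' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'Kq8#Wz2m!vR7bT^yL0pH4sD9eF3gJ1nX6cV5aB8uM2tY7rEqWs' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
"""


def hardened_sample():
    """Constructed fixture that passes every check (values are illustrative)."""
    base = "Kq8#Wz2m!vR7bT^yL0pH4sD9eF3gJ1nX6cV5aB8uM2tY7rEqWs"
    lines = ["<?php", "define( 'DB_NAME', 'sd6FE2xc_mysitelive' );",
             "define( 'DB_USER', 'sd6FE2xc_mysitelive' );",
             "define( 'DB_PASSWORD', 'as3d56JvDlPisYwU7c1nfZ3Yct0NEiZR' );"]
    # One distinct value per key; a real config pastes these from the salt API.
    lines += [f"define( '{n}', '{base}{i:02d}' );" for i, n in enumerate(KEYS_AND_SALTS)]
    lines += ["$table_prefix = 'a3rfGtQ1_';", "define( 'WP_DEBUG', false );",
              "define( 'DISALLOW_FILE_EDIT', true );"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for setting, problem in audit_wp_config(UNTOUCHED):
        print(f"{setting}: {problem}")
```

The audit is written for the live configuration: a dev-only file that defines WP_DEBUG from `isset( $_GET['debug'] )`, as on slide 24, is reported because the value is not literally `false`, which is the right answer for anything about to go to production.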
Slide 29. robots.txt

    User-agent: *
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins
    Disallow: /wp-content/cache
    Disallow: /wp-content/themes
    Disallow: /trackback
    Disallow: /feed
    Disallow: /comments
    Disallow: /category/*/*
    Disallow: */trackback
    Disallow: */feed
    Disallow: */comments
    Disallow: /*?*
    Disallow: /*?
    Allow: /wp-content/uploads
    Sitemap: http://example.com/sitemap.xml

http://codex.wordpress.org/Search_Engine_Optimization_for_WordPress#Robots.txt_Optimization

Slide 30. Custom theme functions.php / “functionality” plugin
● Snippets not worth making into a plugin
● Plugin is more portable
● Check out /mu-plugins/
http://justintadlock.com/archives/2011/02/02/creating-a-custom-functions-plugin-for-end-users
http://wpcandy.com/teaches/how-to-create-a-functionality-plugin
http://codex.wordpress.org/Must_Use_Plugins

Slide 31. Disable upgrade notifications for people who can't do upgrades

    if ( ! current_user_can( 'update_core' ) ) {
        // Anonymous functions replace the slide's create_function() calls,
        // which PHP 7.2 deprecated and PHP 8 removed; the behaviour is the same.
        add_action( 'init', function () {
            remove_action( 'init', 'wp_version_check' );
        }, 2 );
        add_filter( 'pre_option_update_core', function () {
            return null;
        } );
    }

Slide 32. Remove nofollow from comments

    remove_filter( 'pre_comment_content', 'wp_rel_nofollow' );
    add_filter( 'get_comment_author_link', 'slt_dofollow' );
    add_filter( 'post_comments_link', 'slt_dofollow' );
    add_filter( 'comment_reply_link', 'slt_dofollow' );
    add_filter( 'comment_text', 'slt_dofollow' );

    function slt_dofollow( $str ) {
        // Drop "nofollow" from the rel attribute of every <a> in $str ...
        $str = preg_replace( '~<a ([^>]*)\s*(["|\']{1}\w*)\s*nofollow([^>]*)>~U', '<a ${1}${2}${3}>', $str );
        // ... then remove any rel attribute that has been left empty
        return str_replace( array( ' rel=""', " rel=''" ), '', $str );
    }

http://digwp.com/2010/04/wordpress-custom-functions-php-template-part-2/

Slide 33. Better default display names

    add_action( 'user_register', 'slt_default_user_display_name' );

    function slt_default_user_display_name( $user_id ) {
        // get_user_meta() replaces the deprecated get_usermeta() used on the slide;
        // the third argument returns a single value instead of an array
        $first   = get_user_meta( $user_id, 'first_name', true );
        $last    = get_user_meta( $user_id, 'last_name', true );
        $display = $first . ' ' . $last;
        wp_update_user( array( 'ID' => $user_id, 'display_name' => $display ) );
    }

Slide 34. Plugins
Force Strong Passwords. Copies WordPress's JavaScript password strength meter into PHP and forces “executive” users to have a strong password when updating their profile.
http://wordpress.org/extend/plugins/force-strong-passwords/
Google XML Sitemaps (or equivalent).
http://wordpress.org/extend/plugins/google-sitemap-generator/
Use Google Libraries.
http://wordpress.org/extend/plugins/use-google-libraries/
WordPress Database Backup.
http://wordpress.org/extend/plugins/wp-db-backup/

Slide 35. Other issues
● File permissions
http://codex.wordpress.org/Hardening_WordPress#File_permissions
● .htpasswd for /wp-admin/
● Settings > Discussion

Slide 36. Cheers!
http://sltaylor.co.uk
@sltayloresque