If you’re responsible for a WordPress site then you need to know how to keep it secure. You cannot afford to leave your product and investment unprotected. Most of these strategies will take you under two minutes to implement but can save you many hours of agonizing over how to clean up a mess created by the ravenous robots that roam the internet. You’ve heard the nightmarish stories of friends who have been hacked, but you will never be among them if you take the time to implement a WordPress security strategy. Here are a few quick strategies that will help you make your WordPress installation less vulnerable.
Add a New User With Admin Permissions and Delete the Admin User
You may have heard this before but may not have taken the time to do it. This is the easiest and perhaps one of the most important adjustments you can make to boost your security. Don’t ever use “admin” for a username. All the robots that target WordPress know that it automatically generates the admin user and that most people are unlikely to change it. Create a new user first and make it an administrator. Select a username that is not easy to guess. Then use it to delete the admin user.
Allow Only Your IP Address to Access the wp-admin Directory
If you are the only person who needs access to your blog and you don’t have any editors or contributors, consider denying access to every IP address except your own. The wp-admin directory is a frequent target, but this quick .htaccess trick will help you protect it. Add the following snippet to the .htaccess file in your wp-admin directory. Replace xx.xx.xx.xx with your static IP address. You can allow access from other places by listing additional IP addresses, one per line.
# Place this in wp-admin/.htaccess and replace xx.xx.xx.xx with your static IP.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
# Keep the rules below outside any <Limit GET> section: <Limit GET> scopes them
# to GET requests only and leaves POST (which the admin forms use) unrestricted.
order deny,allow
deny from all
allow from xx.xx.xx.xx
If you really want to cover your tracks and keep sniffers off your trail, use SSH to access your WordPress files instead of FTP. PuTTY is a free SSH client that you can use to transfer files between your machine and your server. SSH uses cryptographic technology to secure your session and will help keep you safe from traffic sniffers.
Get Regular Security Scans
This is essentially like a dental checkup for your WordPress blog to ensure that you don’t have any cavities. There are plugins that will take care of this for you. One is WP Security Scan. This plugin will scan your blog, notify you of any vulnerabilities and suggest things for you to do to make your blog more secure. It checks passwords, file permissions, database security, version hiding and WP admin protection/security, and removes the WP generator meta tag from the core code of your blog.
Keep Your WordPress Version Updated
Chances are that your blog has not attracted the attention of a malicious hacker intent on destroying you. However, there are wicked armies of robots out there using any number of automated methods to try to exploit security holes in your installation. I know that upgrading can cause some tangles with plugins and is from time to time a huge pain, but it is necessary for your blog’s security, even if you’re not desiring new and updated features. Robots are very familiar with WordPress and know how to hack it, but if you keep your blog on the cutting edge you will generally be one step ahead of them.
Password Protect Your Most Important Directories
Enlist the help of AskApache Password Protection For WordPress. It adds multiple layers of security to your blog. The plugin is simple to use. Simply choose a username and password and you are done. The plugin writes the .htaccess file without messing it up, encrypts your password and creates the .htpasswd file, as well as setting the correct security-enhanced file permissions on both. Beyond keeping you safe from malicious attacks, it may even assist you in decreasing spam received on your blog.
Change Your WordPress Database Tables Prefix
This will help to protect you from SQL injections that can make your blog into a link farm. If this has ever happened to you, then you know it’s basically like getting heartworms. If you want to add an extra boost of protection when you install WordPress, make your table prefixes unique by editing wp-config.php file:
$table_prefix = 'wp_';
Change the ‘wp’ to something that is meaningful to you and this will automatically make your database more difficult to inject than 99% of all WordPress blogs.
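As an added audit example (not code from the original post), the Python below checks the file-level items above: the table prefix in wp-config.php, whether the stock “admin” username is still present, and a wp-admin .htaccess allow-list, including whether the rules are wrapped in a <Limit GET> section, which scopes them to GET only. All sample inputs are constructed.

```python
import re

# Constructed sample inputs (not taken from any real site).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'wp_';
"""

# Allow-list wrapped in <LIMIT GET>, the shape many copied snippets use.
SAMPLE_HTACCESS_LIMIT_GET = """AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from 203.0.113.10
</LIMIT>
"""

# The same rules applied to every request method.
SAMPLE_HTACCESS_ALL_METHODS = """order deny,allow
deny from all
allow from 203.0.113.10
allow from 198.51.100.7
"""


def table_prefix(config_text):
    """Return the $table_prefix value from wp-config.php text, or None."""
    m = re.search(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""",
                  config_text, re.MULTILINE)
    return m.group(1) if m else None


def prefix_is_default(config_text):
    """True when the prefix is missing or still the stock 'wp_'."""
    return table_prefix(config_text) in (None, "wp_")


def has_admin_user(usernames):
    """True if the stock 'admin' account is still present (case-insensitive)."""
    return "admin" in {u.strip().lower() for u in usernames}


def htaccess_findings(htaccess_text):
    """Check an IP allow-list .htaccess for the weaknesses discussed above."""
    findings = []
    lines = [ln.strip() for ln in htaccess_text.splitlines() if ln.strip()]
    lowered = [ln.lower() for ln in lines]

    if "deny from all" not in lowered:
        findings.append("missing 'deny from all' default")

    allowed = []
    for ln in lines:
        if ln.lower().startswith("allow from"):
            allowed.extend(ln.split()[2:])
    if not allowed:
        findings.append("no 'allow from' entries")
    for addr in allowed:
        if addr.lower() == "all" or addr.startswith("xx."):
            findings.append("placeholder or 'all' in allow list: %s" % addr)

    # <Limit GET> scopes the enclosed rules to GET only, so POST (which the
    # admin's own forms use) would bypass the allow-list entirely.
    limit = re.search(r"<limit\s+([^>]+)>", htaccess_text, re.IGNORECASE)
    if limit:
        methods = limit.group(1).upper().split()
        if "POST" not in methods:
            findings.append("<Limit %s> leaves other methods such as POST "
                            "unrestricted" % " ".join(methods))
    return findings


if __name__ == "__main__":
    print("table prefix:", table_prefix(SAMPLE_WP_CONFIG),
          "(default)" if prefix_is_default(SAMPLE_WP_CONFIG) else "(custom)")
    print("admin user present:", has_admin_user(["admin", "editor"]))
    for name, text in (("limit-get", SAMPLE_HTACCESS_LIMIT_GET),
                       ("all-methods", SAMPLE_HTACCESS_ALL_METHODS)):
        print(name, "->", htaccess_findings(text) or ["ok"])
```

Note that wp-admin/admin-ajax.php sits behind the same allow-list, so themes and plugins that call it from the public site will stop working for visitors outside the listed addresses.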
One of the most exciting features coming in WordPress 3.0 is custom post types, which will vastly expand WordPress’ CMS capabilities. You can be one of the first users to pounce on this functionality by setting up a WordPress 3.0 test site and installing the new Custom Post Type UI plugin. Prior to WordPress 3.0 if you wanted to utilize custom post types you’d need to write the new post types into the database as well as an interface to let you easily handle them from within WordPress. WP 3.0 has this functionality built in and the Custom Post Type UI plugin will help you to start taking advantage of it.
What Are Custom Post Types?
If you think of WordPress as a site-building framework, custom post types are the different kinds of content blocks that make up your website. For example, you can have a unique post type for portfolio items, houses for sale, podcasts, journal entries, or anything that might warrant its own formatting. If a site is set up specifically for a client who is not so familiar with WordPress, a custom post type can be easier to understand than sorting out posts and pages, which have more of a generic meaning. Adding custom post types is a helpful way to tailor a WordPress site specifically for the content that it will be delivering.
How To Use Custom Post Types
The first thing you need to do is set up a test install of WordPress 3.0. The WordPress Beta Tester plugin makes this easy. Simply set up a WordPress installation the same way you normally would with the Famous 5 Minute Install. Then upload and activate the beta tester plugin. Navigate to “Tools” and select “Upgrade and update to the latest Beta Release.” This will automatically switch your blog onto the point release development track. It also offers the option to select the bleeding edge nightly, but this is not for the faint of heart.
Now you can try out the magical world of custom post types. Install the Custom Post Type UI plugin. Navigate to Settings > Custom Post Type UI. You should see a fancy new menu where you can set up your new custom post types. The clear advantage here is that you can limit whether or not this post type includes custom fields, excerpts, comments, post thumbnails, etc., so that the editing screen is not cluttered by superfluous content boxes that you or your user may not require.
Once you create a custom post type, it is automatically added to the dashboard menu, as pictured left. You can create as many as you need, so that future content updates can be quickly cranked out according to the unique specifications of each post type.
Many thanks to Brad Williams, the developer for this plugin. He also created CollabPress, a project management and task tracking tool for WordPress and WPMU, which is another giant leap in establishing WordPress as a leader in open source CMS. Managing content with WordPress has never been easier! Set up your own test site and make sure you’re ready to deliver all the exciting new features that 3.0 has to offer.
Have you ever wished for multiple content blocks, in addition to pages and posts, that can be edited within the WordPress dashboard and placed in custom regions of your template? The MultiEdit plugin is your key to breaking open new possibilities for a more modular approach to WordPress. This is very similar to Drupal blocks and content types and allows you to add a greater level of flexibility in theming WordPress as a CMS. Whether you are editing the content and updating the site or passing it off to a client to manage for themselves, an organized content structure with easily updated blocks will ultimately save a great deal of time. It will also be more enjoyable for non-techies to use. We can sometimes forget how foreign the backend of WordPress can be to someone who is not using it every day. Do your users a little favor and simplify the way WordPress manages content.
This tutorial makes use of the Page.ly MultiEdit Plugin working in concert with custom page templates.
You can assign IDs or classes to the divs and style them however you like to fit your theme.
Step 4: Create a New Page Using Your Custom Template
Simply select the template from the drop down on the page edit screen.
Step 5: Refresh the Page to See the New Tabs MultiEdit Created
The tabs will appear above the visual editor like so:
Add your content and click save and you should see it displayed on the page. Here are the example regions:
How Does it Work?
All of the content associated with the regions you created is stored in the custom_fields table associated with that page or post. Therefore, even if you deactivate the plugin, your data will not be lost since it is stored as a meta item.
We’ve recently had several inquiries on Twitter concerning the viability of using WordPress and BuddyPress as a full-blown CMS. The MultiEdit plugin brings custom content blocks to WordPress without having to widgetize areas. Even with widgetized areas the visual editor is not available to the user when creating the content for that region. This plugin provides an all-around flexible solution for expanding the limited areas available for editing content. In future posts we’ll be looking into more tools that will make WordPress your CMS of choice.
This week on Friday Focus: excellent websites that happen to have fixed elements in them.
Designs of the Week
Not only do we have a light on dark design here, but a glowing light on dark design. It’s colorful too, because of the thick demarcations color-coded by content type. My only wish is for the search bar to be part of the fixed area; I think that’s just as important a navigation element as pagination.
Interesting choice of content in the fixed area: name and contact info (very important), quick links to portfolio items grouped by year, and quick links to additional info about the designer. Overall, neat and nicely organized.
Another split, one page site. Cool hover effect on the brain graphic, and interesting combination of background patterns (one ornate, one techie).
Brilliant effect on the blue markers, telling you exactly where you are on the page and keeping things dynamic.
A custom font makes a big difference. Big, bold, boxy, but not overwhelming.
Not so exciting fixed area (they’re more for utility anyway) but does well in presenting the portfolio.
More than half of the page is fixed—narrow content areas aren’t quite dead yet!
I like how you start with a practically blank screen when you load the site. Then you get a simple yet dramatic transition animation to load each section’s content.
Another thing that isn’t dead: left-aligned layouts. No skimping on the amount of whitespace either.
The thing about changing backgrounds is the foreground has to match, and amazingly enough, this site pulls it off. Other than that, graceful details everywhere.
I like the three different shades of blue in three different columns. Not too thrilled about the use of the drop shadows and inner shadows here though.
I love endless scrolling. I’m on the fence about the stark black icons, although they give a quirky feel to a text-filled site.
What really sets this design apart is the carefully chosen and crafted custom photos for each post, everything blends well. Not to mention custom type everywhere.
This simple plugin is designed for sites that are using WordPress as a CMS. If you are using a more complex WordPress install and theme, you are likely to end up with a long list of dialog boxes on the edit pages to manage the different elements of your site.
This can be a usability problem for two reasons. First, a client may not know they have control over an element because it is hidden far down the page. Second, you can reach a point where you have to scroll a long way down and back up to make changes and then publish the site.
I have been trying to figure out how to best describe the awesomeness that is content management systems to an audience whose technological knowledge will range from using email/Word to a little more advanced. By the way, I have less than an hour to do so.
Instead of bemoaning my fate I am looking at this as an opportunity. I get to think about the “elevator speech” for content management systems.
After much thought I identified the two most important aspects, content types and permission levels. These two aspects of CMSs are counter intuitive to organizations and individuals used to traditional websites.
Content Types
Separate the content from the presentation and let the content creators create the content. Content can be a blog entry, an image, a page, an advertisement for an event, a description of a database, a video, a link to a helpful website, anything really. The type of content doesn’t matter. What does matter is that the content is easy to put on the website for the content creator.
For example, I want my youth librarians to be able to add upcoming programs. The “youth program” content type will need to display the title of the program, a description, an image to draw the eye, the date, time, the age group the program is intended for, and how to sign up.
For the sake of uniformity, I want:
the title to be in the Arial font, grey, and to be defined as a header
the image to float to the right of the description and be sized to 75px by 75px
the description to also be in Arial, colored black, and the font to be sized to .9em, and be below the title
the date to be formatted to short hand (01/30/10) and be bold as will be the time
the age group to be in bold
the youth program to automatically be placed in the youth programs list (sorted by date), be put on a calendar of events, and move to a place of high contact as the program’s date comes closer
An example of a content type, input form on the left, output on the right.
To ask a non web designer to try to figure out the necessary HTML/CSS or follow lengthy step-by-step instructions to keep this uniform format is crazy and a complete waste of time on many levels. To have a single person format and position all the content is also wasteful. Any CMS designer will be able to make what I described happen fairly easily.
Permission Levels
The idea of permission levels takes some time to understand for those used to one or two people being the funnel for getting content onto a website, but it should never be overlooked or underestimated. Permission levels allow you to assign particular users differing abilities.
For example, a youth librarian may be assigned the permission level/role “youth” and be able to add content such as youth programs, blog entries to the Youth Services Blog, databases to the youth research area and images to the youth photo gallery, and administer comments on the youth blog. An anonymous user could be allowed to add certain types of content (pending approval or not), comment without permission, or anything else. The admin role would be able to do everything. The best CMSs allow the creation of roles to suit any organization’s needs.
The ability to think in terms of permission levels is hugely important. It also completely revolutionizes websites which are meant to have community generated content, be that community: library employees, patrons in a town, or interested parties all over the world.
How are you selling content management systems? If you are not using a CMS, why not?
Back in July we posted about the remarkable project that WNET (PBS of NYC) put together with Tierra to launch 50 sites in ten months using one CMS, WordPress.
Dan Goldman and Jamie Trowbridge, who headed up that project, were kind enough to present a case study of how it was all done at the recent WordCamp NYC:
WPMU.org recently had the pleasure of looking in on the PURE project with Yves Hiernaux, who agreed to answer a few questions about its use of WPMU. We were particularly interested in the launch of PURE because it successfully leverages the WPMU platform as a project documentation site. If you have a similar use for WPMU, check out their process and recommendations.
1. Can you tell us a little bit about BeeBole and its involvement in the PURE project?
BeeBole is a web app that helps small and medium businesses to manage their timesheets, expenses and invoices. It is multi-lingual (English, French, Spanish and Dutch) and multi-currency.
PURE, which stands for Pure Unobtrusive Rendering Engine, is a piece of our technical infrastructure.
We wanted an engine to render HTML from JSON data that was really fast and unobtrusive.
As our search for one was unsuccessful, we created PURE, which rapidly became an open source project shared by many.
2. Why did you select WPMU as a platform for the PURE project?
We didn’t choose WPMU for PURE but for BeeBole (http://beebole.com/).
Our web app is currently delivered in four languages and probably more soon.
We needed an easy way to publish content in different languages. Still we didn’t want to create fully separated websites for each language and we didn’t want to create a monster of maintenance as our CMS system.
Thanks to WPMU, each language website is a WPMU blog used as a CMS.
Wordpress core files, plugins and themes are shared (which means less maintenance for us), while we still have a lot of flexibility in terms of content for each website.
Until recently, the PURE website was still a mix of HTML pages, a wiki (GitHub), a discussion group, etc. A reduced time for maintenance and the SEO facilities featured in WordPress triggered the move to our WPMU install.
3. How do you think WPMU measures up to other open source wiki platforms that are used for project documentation?
Wikis are great tools but they’re too complex for the use we currently have for our documentation.
With WPMU, we can easily manage the content of our websites and the documentation in one single place.
We don’t currently allow everybody to edit documentation, which is one of the main goals of a wiki, but the fact that it could easily be turned on thanks to the roles/capabilities introduced in WP 2.0 was also a major point.
4. How many regular contributors do you have using the site?
We have 3 frequent contributors.
5. I noticed that the “Discuss” tab goes to Google Groups. Why is that your preference over using WPMU or BuddyPress’ capabilities for discussing the project?
It is mainly for maintenance and participation reasons.
We tried bbpress but were not impressed by the community developed around the product until now.
Buddypress is very tempting.
We will not use it for BeeBole (we use Zendesk) but might consider it for PURE.
Still, we don’t have the resources we would like today to really create a participative community around PURE, which remains a side project compared to BeeBole.
6. How is the PURE project site structured and through which avenues do your users contribute?
You have one WPMU instance on beebole.com.
From there you have 5 blogs used as CMS:
http://beebole.com/en/
http://beebole.com/fr/
http://beebole.com/es/
http://beebole.com/nl/
http://beebole.com/pure/
Contributions for PURE are currently done directly via the PURE admin panel.
7. What plugins and/or customizations do you believe are essential for a wiki-style/ documentation website?
· All In One SEO Pack (for SEO obviously)
· Exec-PHP (to make sure you can use absolute URLs in the pages)
· Google Analytics (to measure the way your documentation is read)
· Google XML sitemap (for Google indexation)
· Less Filters (to be able to easily add code in the posts/pages)
· Yoast Breadcrumbs
8. What was your greatest challenge in using WPMU as a platform for the PURE project?
The use of WPMU for the PURE project has been smooth and easy.
The challenging part was to make sure that 1 single instance of WPMU could deliver a multi-lingual, multi-sites solution for BeeBole and PURE.
9. How much day-to-day maintenance does a project documentation website require and what kind of hosting would you recommend?
We have considerably reduced the time for maintenance. It is now less than a day per month for the technical tasks.
No preferred hosting. WPMU is very portable. Choose something with a good service.
10. Now that PURE is up and running, what are BeeBole’s current projects and plans for the future?
We will launch our web app BeeBole for a public beta very soon.
If you need an online tool to manage your timesheets, expenses and invoices in your language or the language of your customers, stay tuned on http://beebole.com/en/.
Yves Hiernaux
It’s been a while since we’ve had something to vote on, but I’ve finally found a topic where you can weigh in on one side or the other. Recently, there was a discussion on the WordPress Hackers mailing list about the idea of changing the blogging nomenclature found within the administration panel of WordPress. The line of thought is that WordPress is constantly being used for more than just blogging, but it will never be taken seriously as a powerful CMS until the blog nomenclature is removed in favor of something more generic. As for myself, I’m fine with both sides, but I lean slightly more in favor of switching the words to something more generic, because having the word “blog” splattered everywhere in the backend gives the sense that WordPress is only meant for blogging and nothing else. That may have been the case when the project was lifting off the ground, but these days WordPress is powering some pretty hefty sites that blow blogging out of the water. It’s a simple change that I think would have a big impact on the software, especially as it relates to perception. What do you think?
One of the great tricks to keep traffic on your site and lower the bounce rate on CMS and blog platforms is a list of related posts/articles at the end of the content. Here are some great WordPress plugins that will do that job.
LinkWithin is a blog widget that appears under each post, linking to related stories from your blog archive. It looks very neat and professional and works smoothly as well. You can see it in action at the bottom of every post here on our website, and also here: http://blogs.nationalgeographic.com/intelligenttravel/.
This plugin gives you a list of posts and/or pages related to the current entry, introducing the reader to other relevant content on your site. Features: templating (you can customize the way it displays the results), disallowing certain tags or categories, and much more. Very recommended!
Here are some great links and news from the WordPress sphere this week.
A very clever way to use widgets for text areas or text blocks in WordPress: let’s say you want to display some text in your sidebar, footer or CMS website homepage; you can do it like this: look-ma-editable-text-regions. Until I read it, I used to create a category called, let’s say, “textareas”, add posts to that category, and then pull the data with a single-post plugin like this one, the Get A Post plugin.
A new movie called “Phobidilia” is going to show at the Toronto International Film Festival. As many films do, it promotes itself with a trailer and downloads website, and this one used WordPress to do that. Very nice work.
One of our favorite themes marketplace is WPNOW, it really has the nicest themes.
Now there are two great reasons to check them out. First, there is a summer sale there: a 50 percent off discount coupon that applies to all themes. 50% Off Coupon code: WELOVESUMMER
The coupon is only available for the next 30 days and will expire on the 26th of Sept 2009.
And the second reason is a new theme called GameNow, one of the nicest looking gaming themes currently on the market, packed full of features, including two color schemes and a review system.
I learned about this through WP Engineer where the CMS Awards for 2009 are now open for nominations. The total prize purse is $24,000 with each winner of their respective category taking a share of that money. The categories are as follows:
Best Overall Open Source CMS
Most Promising Open Source CMS
Best PHP Open Source CMS
Best Other Open Source CMS
Open Source MVPs
During the nomination stage, they are giving away three 8GB iPod Nanos to three individuals, and three 8GB iPod Touches to three individuals at the voting stage, all selected at random. The entire contest is being put on by Packt Publishing, which is home to quite a few WordPress-centric books. The last time WordPress appeared in the winners’ circle was back in 2007, when WordPress took the crown for Best Open Source Social Networking Content Management System. Drupal, however, seems to be near the top each year, and took the crown in 2008.
I’ve nominated WordPress in the categories I see fit. Visit the nomination page here.
I’ve been chatting with the folks at Tierra Innovation and WNET.ORG (Channel Thirteen in New York) on their impressive collaboration utilizing WordPress MU as a CMS for WNET.ORG’s network of high-traffic websites:
Using WordPress MU’s built-in features along with custom themes and plugins such as WPDB Profiling, they made it easier and much cheaper for WNET.ORG to roll out multiple sites that provide a great user experience as well as editorial and creative flexibility. Before the new CMS, WNET.ORG could only launch 1-2 sites per month. Now, they have the capability of rolling out 5-10 sites per month for a fraction of the cost.
This episode of WordPress Weekly was centered around one topic, using WordPress as a CMS. Thanks to my special guests Randy Hoyt of Amesburyweb.com and Scott Clark co-author of the PODS plugin, we were able to dive deep into the topic of the PODS plugin and its capabilities while also discussing what it means to use WordPress as a CMS. This is a topic many listeners have wanted us to cover for a long time and so, here you go.
Ad Copy:
This episode of WordPress Weekly is sponsored by, WebDevStudios.com. WebDevStudios is a website development company specializing in WordPress support and development services. Contact them today for help with your WordPress powered website.
Jeff – PODS – Pods is a CMS framework that lets you create, manage, and display your own content types. Don’t bother hacking blog posts into becoming something they’re not. With Pods, create entirely new data structures with only the fields you need. Like Drupal CCK, you can set up relationships, allowing for a whole new level of interconnectedness.
David – Minimum Comment Length – Check the comment for a set minimum length and disapprove it if it’s too short. by Joost de Valk
Last Week’s WordPress Trivia Question:
Matt was recently interviewed for a blog post which I won’t name but one of the questions he was asked was: What can we expect from Matt in the near future besides WordPress advancements, of course? Your job is to provide the answer
What are the names of the 5 people who have core commit access to WordPress?
Announcements:
Next week I have scheduled Sam Bauers, lead developer of bbPress, to come on the show. If he is unable to make it, we’ll just catch up on all the happenings within the WordPress community.