I’ll be also listing various resources that can be used to further strengthen the security however, firstly I would like to put forth my views on the topic of why web-masters should use Mac or Linux. I would only list those points that are logical and none of them are influenced by any sorts. So here’s why I suggest so and how its easy to switch too -

1. To keep yourself safe from viruses :  I’ve used all three OSes and I’ve personally experienced that Mac & Linux aren’t prone to viruses as Windows is and the simple fact is that the market share of Windows is more than 90% and thats why almost every virus is targeted towards Windows Users. So, if you are using any of those two OSes you’d be safe from viruses and thus you reduce the chances of getting your website hacked.

2. For keeping others safe : As I’ve said that majority of cases that I’ve dealt are those where the webmaster’s computer was compromised. Moreover, once the sites are infected, they infect those computer who visit that site and that’s how they spread so quickly! Now, if at the first place the webmaster would have been using linux or mac, it would have ensured that at least they are not making the situation worse.

3. Switching is pretty easy – Most of the users give a reason that they won’t be able to switch because of the incompatibility issue and that they think that it would be pain to switch the platforms because of unavailability of ssoftware. I agree at one time it would have been difficult for most of the people, however web-masters specifically won’t find any issues in choosing these two platforms as most of their tasks are done online, else most of the software required have either a worthy alternative or if you are an open-source fan then you’d surely find most of them available for all three platforms. Here are some of the resources -

• A wonderful guide you can follow to make the easy switch.
• Various Windows Software alternatives for linux.
• Various Open-source software for Mac.

Try a gradual switch and start using these OSes and if you really want to run a windows software then you can try WineHQ or CrossOver (commercial) and most likely the software will work fine for you. If the software still doesn’t work and you don’t find any alternative then you can simply use VirtualBox or Parallels to run Windows inside Linux or Mac.

So when we know that for web-masters it can be easy to switch to Mac or Linux then why not use either of those two operating systems and keep yourself and the world safe from those malware? Anyway, enough of ranting – as I said that during my research, I did read quite a bit about security websites, so I would like to share that with you :

How to strengthen the security of your WordPress blog?

1. Don’t forget to read my articles that I wrote a while back on the topic of securing wordpress.
2. If possible switch your OS as soon as possible – Don’t think it as a stupid suggestion. Consider this one for sure!
3. Restrict WordPress admin use by IP Address.
4. Learn to restrict the FTP server access for specific IPs using VSFTPD – I know that not everyone gets a static IP address from their internet service providers, however use of VPN can certainly [I use StrongVPN] help you get over that problem.
5. More security steps that can be done through htaccess file, here are some 11 more steps that you can use.
6. Jeff Starr has created wonderful instructions for securing servers via htaccess and blocking the know malware techniques.
7. Blocking spam is equally important – Chances are that some spam comment will have the URL to a site that is infected, so its important to ensure that no spam comment passes through.

What else can be done other than IP address, Htaccess tricks?

Some of WordPress’ cool features come from allowing some files to be writable by web server. However, letting an application have write access to your files is a dangerous thing, particularly in a public environment. It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images. In short we are talking about CHMOD settings of the server.

All files should be owned by your user account, and should be writable by you and any file that needs write access from WordPress should be group-owned by the user account used by the webserver. Of course, learning this can surely take some time, but if you really want to secure your server, then this is one thing you should focus on!

• / — the root WordPress directory: all files should be writable only by your user account.
  • EXCEPT .htaccess if you want WordPress to automatically generate rewrite rules for you
• /wp-admin/ — the WordPress administration area: all files should be writable only by your user account.
• /wp-includes/ — the bulk of WordPress application logic: all files should be writable only by your user account.
• /wp-images/ — image files used by WordPress: all files should be writable only by your user account.
• /wp-content/ — variable user-supplied content: intended by Developers to be completely writable by all (owner/user, group, and public).
  • /wp-content/themes/ — theme files. If you want to use the built-in theme editor, all files need to be group writable. If you do not want to use the built-in theme editor, all files can be writable only by your user account
  • /wp-content/plugins/ — plugin files: all files should be writable only by your user account.
  • other directories under /wp-content/ should be documented by whatever plugin / theme requires them. Permissions may vary.

Plugins that I prefer for securing WordPress

1. WordPress File Monitor - Think of it as a watch dog! It monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address. So even if you add files using FTP, it will let you know. This is a fantastic way to ensure that no compromised file will go on server without going through its nose.

2. WordPress Firewall – I personally love this plugin. Of course, using this plugin means that you’d lose out on WordPress theme/plugin editing capabilities and few things here and there, however this plugin will ensure that everything will be super secure.

3. Block Bad Queries – Another gem from Jeff Starr. This plugin will ensure that your WordPress site will be safe from known vulnerabilities.

Well there have been countless number of posts on the topic of security and the worst part is that things aren’t improving a little bit. Its important to choose the right web-hosts as well. If this post of mine was a request towards web-masters, Mark Jaquith has asked web hosts to become more secure and to help web-masters in understanding the security of blogs/websites. It is one interesting read, so even if you are not a web host,  I would suggest you to read it.

What are your thoughts about changing the OS for ensuring safe and secure website? Do you think that one should go ahead and change their OS to ensure that their site will remain secure from malware to a large extent? Please share your thoughts in comments.

© mayank for Blog Design Studio, 2010. | Permalink

Related posts

• Is Dynamic CMS good or Static CMS? (5)
• Why I ditched WordPress for Blogger! (0)
• Google Fonts, WordPress 3.0 & 7 yrs of Powerful blogging! (1)
• How I find bloggers who want custom blog designs through Twitter? (1)
• Thanks to all the developers – You rock! (8)

WordPress has been considered as a memory hog and I can agree to that as I’ve faced the issues in the past as well. If you don’t use plug-ins like WP Super Cache or W3 Total Cache, you’d get an email from your shared hosting provider to upgrade the hosting plan pretty soon. As traffic increases you’d have to change the hosting plan and then the question will arise, to go for managed hosting or unmanaged hosting?

Personally I like things under my control where I can change just about anything as that way I don’t have to depend on anyone and things get done much faster as compared to a situation, where I’d have to call the tech support hoping that the support guy will help me in finishing the task and I’d get less than satisfactory answer. Anyway, to cut the story short, I got an email from my fantastic web hosting company i.e. WPWebHost, however as I was looking for cloud based hosting [I definitely like buzz words], I thought that I would rather go for Rackspace Cloud Servers as I get more control over things. Here are few things that you’d have to keep in mind, if you are interested in going for Cloud Servers -

You do get the complete control of the server but that also means that you have to setup everything from the scratch! You just get a server with a vanilla linux installation and that you’d have to install and configure – web server, database server, take care of the security issues and just about everything that you can imagine! So if you are weak heart then you should not read this guide and instead you should carry on your research for other hosting plans that offer managed servers.

However, More control over server means that you’d be able to have to have a much faster running site and that also means that you will get better rankings in Google!

One of the main purpose for getting the cloud server was that I wanted to run WordPress on Nginx, a much better and light alternative to Apache web server and wanted to play around with HipHop for PHP, pure innovation from Facebook! Here’s what HipHop for PHP is all about [I'm still working on this part and will be sharing my experiences in upcoming posts]-

HipHop transforms your PHP source code into highly optimized C++ and then compiles it with g++ to build binary files. You keep coding in simpler PHP, then HipHop executes your source code in a semantically equivalent manner and sacrifices some rarely used features – such as eval() – in exchange for improved performance.

And now lets find out that how can we setup an optimized web server that would handle lots of traffic with minimum amount of resources that would make your blog load faster as well.

Setting up Linux server from scratch!

Note 1- In this case we are using CentOS 5.3 and all the commands will be mentioned step wise, so you can simply copy and paste them one by one and you should be good to go, I will give explanation of all the steps as we go along -

Note 2 - If you are new to these things, then make sure that you should go through this guide properly and should not skip anything.

1. Setting up basic security

When you get a fresh installed Linux box that you want to use as a web server, it can be vulnerable to various attacks and in order to avoid them we will setup basic security settings that a linux web server should have and for that you should connect to your linux server through SSH [ssh root@YOUR SERVER IP ADDRESS] and then run the following commands -

• passwd [First time you login as Root and we must change the password of the root. Here's a guide for keeping secure password.]
• adduser wordpress
• passwd wordpress
• usermod -a -G wheel wordpress
• visudo [for newbies - vi is a text editor and here are the commands that will help you operate it.]
• Find # %wheel  ALL=(ALL)   ALL and remove # from it.

These commands will basically setup a new user called “wordpress” in the Wheel group and will ensure that the user will be able to gain the root privileges at required times. If you want to use a different username then simply replace “wordpress” with your desired name.

Now we’d configure SSH to disable the root access and change the port to ensure that no hacker will be able to easily access the server. For that fun the following commands -

• nano /etc/ssh/sshd_config

And you need to ensure that the following settings should be in the whole file. Nano is also a text editor and it displays the most basic and useful commands at the bottom so you won’t need to go through a guide. I definitely like it more than vi. Anyhow, here are the settings that you need to keep in SSH’s configuration file -

Once we are done with the SSH configuration, we’d make changes in the IP Tables which is like the firewall settings to only allow certain ports that would be open. Run the following commands to ensure that IP Table settings are as per the way we desire -

• iptables -L  <—- this will show the current IP Table configuration. Just copy and paste it in a text file.
• iptables -F  <– this flushes the existing IP table rules. The following commands set desired new rules.
• iptables -A INPUT -i lo -j ACCEPT
• iptables -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
• iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
• iptables -A OUTPUT -j ACCEPT
• iptables -A INPUT -p tcp –dport 80 -j ACCEPT
• iptables -A INPUT -p tcp –dport 443 -j ACCEPT
• iptables -A INPUT -p tcp -m state –state NEW –dport 30000 -j ACCEPT  <— this should be the port that you selected in last settings.
• iptables -A INPUT -p icmp -m icmp –icmp-type 8 -j ACCEPT
• iptables -A INPUT -j REJECT
• iptables -A FORWARD -j REJECT
• service iptables save
• /etc/init.d/sshd reload    <— this will reload the new settings.

Now open a new tab of Terminal (Mac Users)/Putty (Windows Users) and try to connect to the server using the new settings that we’ve put all this while. If it connects then everything is fine, else go back to the previous tab, flush the settings again and try the above commands again.

• ssh -p 30000 wordpress@Your Server’s IP Address

2. More CentOS configuration and setting development tools

In this section we’d configure CentOS to use external repositories, so that installation of various tools becomes easier and that in case you want to install any software then it should be able to find the dependencies without much issues. One of the most known repository other than default one is RPMFORGE and we need to configure our server for that. Please follow this article to install RPMFORGE. Once we are done with that, we will run the following commands -

• sudo yum update
• sudo yum groupinstall ‘Development Tools’ ‘Development Libraries’

This will update the YUM and will install most of the development tools and its libraries that you’d need in future. I hope that most of you would not find problems till this point of time as these are some simple steps, however things will start getting a little complicated when we’ll start installing Nginx, WordPress, MySQL, caching systems configuring them for optimum results. So gear up for the fun and awesome challenge that we’ll experience in forthcoming posts.

© mayank for Blog Design Studio, 2010. | Permalink

Related posts

• Task Series – Task # 1 : Update your twitter profiles! (1)
• Will you carry a laptop for blogging, if you get iPhone with 3G connection? (5)
• Coding the WordPress Loop explained (1)
• What you need to learn from Valleywag’s blogger! (1)
• Improve seo and integrate sitemap in 404! (4)

As we all know that WordPress is powered through PHP & MySql and by far phpMyAdmin is considered to be most adopted way of managing the MySQL databases. Most of the web hosting companies have it installed for their users and most of the users find it pretty intuitive. Same goes with WordPress these days. At times, it looks like a perfect marriage between the two!

When it comes to WordPress, there are various obnoxious situations that we can avoid with the help of phpMyAdmin and its neat little tricks. Thankfully, Many tech savvy and generous bloggers have shared those neat tricks with the world and in this post, I would like to accentuate them.

Tricks related to WordPress Users

1. Reset WordPress user password using phpMyAdmin – by WPBeginner.
2. Change WordPress admin username – by Mahesh Kukreja
3. Disable New User Registration – by Rajesh Patel [I don't see any reason for taking this step as it can be easily done through options under settings, but still you never know when these things can come handy].
4. Change post attribution from one author to another – WpRecepies.

Tricks related to WordPress Posts & Comments

1. Delete all spam comments using phpMyAdmin – by Technofriends
2. Batch delete posts revisions – by WPRecepies
3. Restore commenting back using repair feature of WordPress – by Speed of Creativity [of course, this is more of a troubleshooting trick, but one handy trick that may help you at certain time]

Troubleshooting WordPress using phpMyAdmin when nothing works

There are times, when you might be playing with some broken plugin/theme or not an updated plugin/theme that can cause WordPress to break then it gets little hard to Troubleshoot things if you don’t have the database backup already. However, you can save yourself by ensuring that you can create the database backup or restoring it with the help of phpMyAdmin -

1. Create WordPress database backup using phpMyAdmin.
2. Restore WordPress database backup using phpMyadmin.

Various other useful tricks

1. Move WordPress blog from one domain to another.
2. 12 quick and easy MySql tricks. [This is not through phpMyAdmin, however can come in handy through SSH]
3. Running multiple WordPress blog on single database. [not recommended, however if you are running out of number of database then this is the only solution - else change your hosting provider - Here's the guide to do so]

If you know more tricks, feel free to share it with us as we’ll keep this page up to date with all those wonderful tricks!

© mayank for Blog Design Studio, 2010. | Permalink

Related posts

• What should one do if the WordPress automatic upgrade fails? (3)
• Part 1 : How to setup Cloud Servers for blog optimisation (1)

In a previous post I wrote about a simple and easy way to convert your html into WordPress theme. Starting from today I will post a small series of articles that will explain the sweet little details when building a new WP theme. So first things first, we will start by explaining how to install WordPress on a local computer (Learn how to install wordpress locally on mac). By doing so, it will save you time from updating and previewing files, also we will mention some problems that you may encounter during the installation and after it.

1. First get XAMPP lite, open the exe file, and install it at the root of some of your drives, usually C, but I prefer to install it on D to keep it separate.

2. Than go to C:\xampplite (or D:\xampplite in my case) and double click on setup_xampp.bat file. Than open xampp-control.exe and start the Apache and Mysql services, the upper two boxes.

3. Now Open your browser and go to http://localhost/ and click on phpMyAdmin on the left column. Now you should create a new database by entering wordpress in the field and than select utf8_unicode_ci in the drop down box in the next field. That’s it. Xampp setup is done.

4. Now you need WordPress. Go to their site and download the latest version of WordPress, than go to the c:\xampplite\htdocs folder in which you installed the Xampp and unzip it there.

5. Than find the file named wp-config-sample.php in that folder, open it in your favourite text editor and update the database details (db_name, user, password, host).

6. Finally open your browser and go to http://localhost/wordpress/wp-admin/install.php , follow the instructions and install WordPress.

There is just one little thing left: If you already have Skype installed it will occupy port 80 which is the port that XAMPP needs to communicate with your Internet connection, so open Skype and go to Tools and than select Options. From the list select Advanced and then Connection. There is a checkmark inside where it says “Use port 80 and 443 as alternatives for incoming connections” uncheck that box and save your changes. Don’t worry, Skype will still function as usual but now XAMPP will be able to use port 80 to run.

© Igor for Blog Design Studio, 2010. | Permalink

Related posts

• MakeTheDaysCount.com design (0)
• Can blogging help me in marketing or improving my business ? (0)
• How to build multi-author blog with WordPress? (0)
• Widgetizing Your Non-Widget WordPress Theme (0)
• NewBlue theme – contest entery and a free theme! (29)

Parts of the loop

The loop has three parts:

<?php if (have_posts()) : ?>
<?php while (have_posts()) : the_post(); ?>

Part 1) Here stands the content that you want to be displayed in the Loop

<?php endwhile;?>

Part 2) Here stands what is displayed when the Loop is over

<?php else : ?>

Part 3) If there’s nothing to display

<?php endif; ?>

Template Tags in the Loop

Basic tags:

if (have_posts()) – checks to see if you have any post.

while (have_posts()) – if you do have it, while you have any post, execute the_post().

the_post() – call for the posts to be displayed.

endwhile; – this is used to close while()

else – is what to do when you don’t have any post at all

endif; – close if()

Than there are more template tags within the Loop that will output things such as the post title, the permalink, the content, etc:

<?php the_permalink() ?>

– This tag echos the permalink of the post

<?php the_title(); ?>

– This one echos the post title

<?php the_time(’F jS, Y’) ?>

– This will echo the date, for example July 4th, 1776.

<?php the_author() ?>

– This will display the author’s name

<?php the_tags(’Tags: ‘, ‘, ‘, ‘<br />’); ?>

– This will display the tags assigned to the post, separated by commas, and followed by a line break

<?php the_category(’, ‘) ?>

– This will display the categories

<?php edit_post_link(’Edit’, ”, ‘ | ‘); ?>

– This will display the  edit post link which will be visible only to those with permission.

<?php comments_popup_link(’No Comments »’, ‘1 Comment »’, ‘% Comments »’); ?>

– Will display the link to the comments. This will not be displayed on single posts or pages.

The rest of the tags are available at WordPress Codex.

Posts Nav Link

After the loop you should make the pagination that you see on the homepage, archives, and search results (but not on the single posts or pages):

<div>

<?php posts_nav_link(); ?>

</div>

where

posts_nav_link() – call for the Next and Previous links

If there are no posts to display then the following will be displayed after the <?php else : ?>:

<h2>Not Found</h2>
<p>Sorry, but you are looking for something that isn't here.</p>

Insert ads after the first post

OK, now let’s hack it just a little bit. The ads usually are displayed on the blog sidebar, footer or header, but if you think that’s not the best solution then you can insert them after the first post. You can do this by replacing your current loop with the following one:

<?php if (have_posts()) : ?>

<?php $count = 0; ?>

<?php while (have_posts()) : the_post(); ?>

<?php $count++; ?>

<?php if ($count == 2) : ?>

//Paste your ad code here

<h2><a href="<?php the_permalink(); ?>"><?php the_title(); ?></a></h2>

<?php the_excerpt(); ?>

<?php else : ?>

<h2><a href="<?php the_permalink(); ?>"><?php the_title(); ?></a></h2>

<?php the_excerpt(); ?>

<?php endif; ?>

<?php endwhile; ?>

<?php endif; ?>

That’s more or less what the loop in WordPress is about, its parts, template tags, necessary “navigation” after it and maybe the “ads” too.

© Igor for Blog Design Studio, 2009. | Permalink

Related posts

• What you need to try before upgrading to WordPress 2.7 (1)
• 11 Must install plugins for multi-authored WordPress blogs (6)
• MakeTheDaysCount.com design (0)
• WordPress 3.0 – The Ultimate One! (5)
• Improve seo and integrate sitemap in 404! (4)

WordPress is a blog publishing application and content management system. It has a templating system, which includes widgets that can be rearranged without editing PHP or HTML code, as well as themes that can be installed and switched between.

Theme or WP theme are all the files you’re using: texts, images, codes, etc, etc. Every theme has at least two files: index.php and style.css. You tell your theme where everything goes within index.php same as you do in index.htm and you tell your theme how everything will look like within style.css. Apart from these two files the theme can contain:  home.php, single.php, page.php, category.php, archive.php, search.php, 404.php, comments.php, comments-popup.php, author.php etc.

Probably you already know how to install WordPress by now. Make sure that your WordPress engine is running, then go ahead and drop your folder that contains all the HTML in it into the wp-content/themes folder. Wp-content contains all the content, uploads, themes, plugins, upgrade files, etc, etc.

OK, let’s go.

Step 1 – The basic template files

First of all change the style.css by pasting this into it:

/*
Theme Name: WordPressify your XHTML in 5 simple steps
Theme URI:
Version: 1
Author: Blog Design Studio
Author URI: http://blogdesignstudio.com/
*/

After that change index.htm to index.php and that’s it, now you have the two basic template files.

Step 2 – The breakup

Now open the index.php file, than simply cut and paste the content this way: the header of the code in new file named header.php, the right column in a new file called sidebar.php, the footer in footer.php than just save the rest of it like it is.

Step 3 – header.php

After all that done, now let’s take care of the separate files one by one. Open header.php and replace the <head> with this code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
<title><?php wp_title('&laquo;', true, 'right'); ?> <?php bloginfo('name'); ?></title>
<link rel="stylesheet" href="<?php bloginfo('stylesheet_url'); ?>" media="screen" />
<script type="text/javascript" src="<?php echo bloginfo(stylesheet_directory) .'/js/domtab.js'; ?>"></script>
<?php if ( is_singular() ) wp_enqueue_script( 'comment-reply' ); ?>
<?php wp_head(); ?>

Done? Than go to the menu, get rid of the li’s, but keep the wrapping ul and the current page item. Type this in:

<?php wp_list_pages('title_li='); ?>

Than put these into the current page item:
Into <li class=”

page_item page_item_1 <?php if ( is_home() ) { ?>current_page_item<?php } ?>

than into <a href=”

<?php echo get_settings('home'); ?>

Save, refresh, and that’s it. Your menu is dynamic now.

Step 4 – index.php

Now let’s take care of the posts. Here you got “the Loop”. “The Loop” is a code that has information passed through it. Then it ‘loops’ or goes through the Database number of times to get the data required.

OK, now take the beginning of the loop:

<?php if(have_posts()) : while(have_posts()) : the_post(); ?>

And place it before your content i.e. the post, than close the loop with this:

<?php endwhile; endif; ?>

Now fill in the content tags, the tags that pull the information from the database within the loop.

<?php the_permalink() ?>"><?php the_title() ?>

gets the title of the post

<?php the_time('j M, Y'); ?>

gets the time (day, month, year)

<?php the_author_posts_link() ?>

gets the author

<?php the_category(', '); ?>

the category

<?php the_content('read more'); ?>

displays the contents of the current post.

<?php comments_popup_link('No Comments', '1 Comment', '% Comments'); ?>

displays a link to the comments

Here is an example with the content tags in bold:

<div id="leftcolumn">

 <?php if (have_posts()) : while (have_posts()) : the_post(); ?>
<div class="post">
<div class="title">
<h2><a href=" <?php the_permalink() ?> "> <?php the_title() ?></a></h2>
<div class="postdata">
<?php the_time('j M, Y'); ?> written by <?php the_author_posts_link() ?> in <?php the_category(', '); ?>
</div>
</div>
<?php the_content('read more'); ?>
<div class="postcom"> <?php comments_popup_link('No Comments', '1 Comment', '% Comments'); ?></div>
</div>
<?php endwhile; ?>
<?php else : ?>
<h2 class="center">Not Found</h2>
<p class="center">Sorry, but you are looking for something that isn't here.</p>
<?php get_search_form(); ?>
 
 <?php endif; ?>
</div>

Just don’t forget to put these include tags in the code:

At the beginning of the index.php:

<?php get_header(); ?>

This tag includes the file header.php from your current theme’s directory.

At the end of the index.php:

<?php get_sidebar(); ?>

includes the file sidebar.php from your current theme’s directory.

<?php get_footer(); ?>

includes the file footer.php

Step 5 – sidebar.php

The Sidebar may look difficult, but it isn’t at all. Simply put this into the ul:

<?php if ( function_exists('dynamic_sidebar') && dynamic_sidebar('Sidebar') ) : else : ?>

<?php endif; ?>

Than create a new file called functions.php, and paste this into it:

<?php
if ( function_exists('register_sidebar') )
register_sidebar(array(
'name' => 'Sidebar',
'before_widget' => '<li id="%1$s">',
'after_widget' => '</li>',
'before_title' => '<h2>',
'after_title' => '</h2>',
));
?>

Now you can go to Appearance >Widgets in your wp-admin and add the some widgets like categories, archives etc.

Well, that’s it, now you have a fully functioning homepage. The only small thing left is to take care of the single.php, page.php, archive.php and 404.php. Now again create four new php files: single, archive, page and 404.

Copy the contents of index.php. Paste that in archive.php, than replace

the_content()

to

the_excerpt()

than paste it into single.php. Delete the comments_popup_link, navigation links and the read more link. Paste that in page.php. Copy everything from page.php now, and paste it into 404.php. Than post this in the post area:

<div class="post">
<div>
<h2>Error 404 - Not Found</h2>
</div>
</div>

© Igor for Blog Design Studio, 2009. | Permalink

Related posts

• Is Dynamic CMS good or Static CMS? (5)
• Coding the WordPress Loop explained (1)
• RIP my-hacks.php in WordPress 2.8 (0)
• WordPress 2.6.2 released – Update it ASAP! (0)
• We have the winner of business card design contest (3)

Recently, there have been reports that older versions of WordPress self-hosted blogs are under attack by an online creature named “eval/base64_decode” that changes the Permalinks (URL-Structure) of your blog posts such as : example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/.

Why I say that it’s our own fault?

WordPress team has been working hard all the time to give us new features in the new versions. They have been quick enough to supply the security updates, in case there is any in the new versions. It’s only the bloggers who don’t really give importance to these new updates by not updating the engines and we tend to raise the question about WordPress Security or play the blame game after our blog’s get attacked by these nasty tricks played by “some jerk”.

Will it be not your fault, if you don’t lock the doors of your house and go out on a holiday. Will it not be like, giving an open invitation to thieves? It’s exactly the same here as well, by not upgrading your WordPress installations, you are inviting hackers to exploit your blog.

What all can I do to keep my blog safe?

I’ve already written a series on how to secure your WordPress installations and I’m sure that those safety measures will surely keep your blog safe from prying eyes. However, that are the safety measures that you can take. However, if your blog is already hit by “eval/base64_decode” then you should go ahead and follow these FAQ on how you can save yourself from this nasty attack.

Suggestions for the Automattic team

Considering that how WordPress has grown in the internet world and how other engines are secure enough that they don’t get attacked by these exploits (It’s pretty much same as why Microsoft Windows gets viruses and other operating systems don’t), there are certain suggestions for the Automattic team that they should implement to keep things more secure than ever -

1. Certify the plugins – This wonderful suggestion came from Allen Stern and I think he’s right on the money. If there will be a system in WordPress or someone who’d look in the code of every WordPress plugin that’s uploaded on WordPress Extend, then it’ll give more assurance to the bloggers about the authenticity of the plugin.

2. Put Some WatchDog – Corsin Camichel suggests that it’ll be nice if the bloggers get an automated report every day by WordPress installation that tells them about the activity of the blog. I’m sure that a person will get alerted if he sees that 30 new posts were added on his/her blog when he was busy somewhere else.

3. Educated users through WordPress.TV – WordPress.TV is an excellent resource that has lots of videos that educate users about various sections of WordPress. I’m sure bloggers will certainly appreciate if they can get more videos (other than this video) on the topic of security and what all they can do to keep their blogs safe from prying eyes.

If you have any more suggestions for the Automattic team, then why not take part in the conversation and let them know that what all we are expecting from them! <sarcasm>After all, it was their fault that they built such a wonderful app; people will automatically have lot more expectations from them.</sarcasm>

Is your blog doesn’t look as cool as other blogs? Feel free to contact us (Free quote) and we’d love to help you in building a beautiful blog for you!

© mayank for Blog Design Studio, 2009. | Permalink

Related posts

• Can blogging help me in marketing or improving my business ? (0)
• One should definitely install IntenseDebate Comments plugin! (3)
• IndiBloggies – Do you think we can make it? (3)
• Want to use WordPress as an E-commerce site? (3)
• Two files required to update to wordpress 2.6.3! (1)

While you ponder over the question (are you still thinking about it? if the answer is yes, go ahead and take these mind exercises or play these games), I would remind you to ensure that you subscribe to our blog for regular tips like these.

WordPress by default has “admin” as the username and thus it becomes easier for the hackers to run the bruteforce attack on your blog. If you use default username (i.e. “admin”), they just have to work on the password, however if you don’t use this username and have something different or personal, then it’ll be equally difficult for the hackers to crack the username and password (this explanation is for those who are still thinking about the question). Anyway, here are some of the steps that you should perform to ensure that you are safe from the “username” point of view as well -

1. Rename the admin username -

a. Using your webhost’s MySQL admin tool (e.g. phpmyadmin), locate and select your WordPress database.
b. Then – locate and select the wp_users table (wp prefix may differ) and then click the browse icon.
c. Locate “admin” and click the edit icon.
d. Under the user_login section, change “admin” to your preferred name and click go.

2. Mention your public name in profile – WordPress allows you to change your display name and gives the option of displaying the username, nickname, first name or full name as the author name in the post. It becomes an important step because by default, it displays your username as the author name.

So, you should specify the first name, last name and if you want you may specify the nickname too and then change the display name accordingly.

3. Create another username – I’ve been an avid supporter of not using the admin username for day to day stuff. It’s always sensible to have an extra and limited account. I will suggest you to add another username for your blog and give it the role of “editor” instead of admin rights and use it for everyday task.

I hope that you’ll be finding this series a little bit useful and that you’ll be able to keep your blog safe from the prying eyes!

© mayank for Blog Design Studio, 2009. | Permalink

Related posts

• How to change Admin Username (2)
• Find out if your WordPress theme is worth your love? (0)
• WordPress Security Service for free! (3)
• Security Check – How about a stronger password for WordPress blogs? (0)
• Security Check – Do upgrades regularly and be secure! (0)

While installation of WordPress, we come across a value called Table Prefix, in Wp-config.php file. By default, this value is “wp_” and most of the bloggers tend to leave the default value over there. This is where, automated bots can easily start attacking as they already know the major structure of the whole database.

There can be two approach for this particular problem -

1. Changing the table prefix before installation – This is a no brainer! If you are doing manual installation, you just need to change the table prefix from “wp_” to anything else (e.g. wp12_ , wp_1_ – in short just about anything), in wp-config.php file.

2. Changing the table prefix after installations – There are many bloggers who tend to install WordPress through automated scripts like Fantastico or through one-click installers. Those scripts don’t allow you to change the table prefix and thus the only resort in that case is to play around with phpMyAdmin and by running sql queries. There is an automated way as well.

a. Manual way of changing – Sherif has posted a wonderful and detailed tutorial that allows you to change the table prefix in 6 simple steps.

b. Automatic way of changing – Fortunately, there are plugins available to automate this 6 step process and you may use them to make your life even simpler. Blog Security has already released a plugin that automates the things for you. WP-Security scan plugin also allows you to do the same work.

***Words of Caution*** – Don’t forget to make backup of your database.

I told you! It only sounds scary, however it isn’t that difficult to play around with WordPress and little advanced tools. Now you know that why I advocate for WordPress!

© mayank for Blog Design Studio, 2009. | Permalink

Related posts

• Find out if your WordPress theme is worth your love? (0)
• Webmasters! For heaven’s sake start using Mac or Linux! (5)
• How to have VaultPress like protection for your WordPress blog (4)
• WordPress Security Service for free! (3)
• Secure your blog using USB key! (2)

What is CHMOD?

The chmod command (abbreviated from change mode) is a shell command and C language function in Unix and Unix-like environments. When executed, it can change file system modes of files and directories. The modes include permissions and special modes.

The values that we are playing with are -

755 – 755 means read and execute access for everyone and also write access for the owner of the file.
644 – 644 means that it can be written by you, however can only be read by rest of the world.

1. Root directory – This is the directory where your WordPress is installed. This directory needs CHMOD value as 755.
2. wp-includes – This is the sub-directory and has various important files that perform various important functions for the blog. This directory needs CHMOD value as 755.
3. wp-admin/index.php – This is the file that displays you the WordPress Dashboard. It requires 644 as the CHMOD value.
4. wp-admin, wp-admin/js/ – Both these folders have the files that are again useful in various WordPress admin section. They requires 755 as the CHMOD value.
5. wp-content/, wp-content/themes/, wp-content/plugins/ – These three folders require the CHMOD value as 755 and these are the folders where you store the theme [ you can't beat us on that ;) ] and plugins.

How can I change these values?

You’ll need an FTP software for the same. FileZilla is an excellent, free and open-source software that should take care of all your needs. In most of the FTP software, you just need to right click on it and you’ll see something like Properties or Get Info or Permissions as the option where you’ll be able to change the CHMOD value.

If you really want to ensure that your WordPress blog should be safe and secure then you should change the CHMOD value of all these directories and files. This should keep things slightly tight for the notorious fellows.

© mayank for Blog Design Studio, 2009. | Permalink

Related posts

• No related posts.