WordPress Security


I love WordPress. Of all the blogging and web content management systems I have tried, WordPress wins hands down. I've moved several of my clients' sites and my personal sites to the WordPress platform over the last few months.

As a web developer with a checkered past, security is always a concern of mine when using an out-of-the-box solution that I didn't write. I think that anyone who takes the time to develop a nice website would want to protect it from those who would vandalize it.

WordPress is very stable and fairly secure (one of the benefits of open source software), but I have found a few places in the software that I beef up through a few simple steps that I believe everyone should take.

Security point 1: wp-config.php
wp-config.php is the key to the WordPress operation. This file holds the username and password for your database. Scary stuff if it fell into the wrong hands. By default this file is protected from direct web access because it has a .php extension and doesn't output anything. This is common practice and is fairly secure. But suppose there is a problem with the PHP install on your web server and, instead of the .php file being processed, it simply gets served out as text: anyone who wanted to could download the passwords to your database. Scary stuff! An easy way to guard against this is through your .htaccess file.

Open the .htaccess file in the root of your WordPress install and add the following lines:

<FilesMatch "^wp-config\.php$">
    Deny from all
</FilesMatch>

This tells the web server to NEVER serve out the wp-config.php file (the dot in the pattern is escaped so it matches exactly this file name). Sure, it's a long shot that your server would serve this file out, but an ounce of prevention is better than a pound of trouble!

Security point 2: browsable plugins directory by default
Try this on your server: go to http://www.your-domain.com/wp-content/plugins/
Did you see the plugins that you have installed? What if one of those plugins has a security hole in it? A hacker could lurk around for sites with an exploitable version of a plugin installed and then have their way with your site. The solution to this is SO SIMPLE, I don't know why WordPress doesn't do this by default.

Create a blank file named "index.html" and place it in the /plugins directory. Now try to navigate to http://www.your-domain.com/wp-content/plugins/
The plugins list should no longer show up, and would-be hackers can no longer read off a list of every plugin you have installed. A simple and elegant solution.

Conclusion:
WordPress is a great piece of software, and with age it will get more secure and more stable. The community of WordPress users is what makes WordPress truly powerful. As I find things that I believe need to be changed, I will continue to blog about them and submit changes to the WordPress project.

Let cURL do your heavy lifting


In a previous post I talked about using cron to do your bidding. If you do a lot of web development like I do, you may have some web-based tasks that you need to automate. Good examples are clearing a file cache or tipping off a script to rebuild your XML sitemap.

One of the best ways to do that is to use cURL and cron together. cURL is a command-line application for transferring the contents of a URL. Incidentally, to transfer the contents of a URL, curl has to connect to that URL, and the server has to process that URL/script... do you see where I am going with this? cURL can be used to trigger anything you would normally trigger by entering a URL in your browser.

This is the usage of cURL:

curl [options] [URL…]

Let's say you have the following URL that you want to connect to on a regular schedule:
http://SomeDomain.com/SomeFile.php?var1=abc&var2=zyz

You would use the following cURL command:
/usr/bin/curl -G -d var1=abc -d var2=zyz http://SomeDomain.com/SomeFile.php

We are using the "-G" argument to send a "GET" request, and each "-d" is a variable/value pair that curl appends to the URL as the query string.

Note: "/usr/bin/curl" is the location where cURL is installed on my computer.

Running cURL from the command line will show you the results returned from the processing of the script.

To fully automate this process, add the curl command to a cron entry. Now you are one step closer to world domination!
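A cron-friendly wrapper around the curl call above, added here as an example and not part of the original post. It makes failures visible (curl otherwise exits 0 on an HTTP error and waits indefinitely) and logs each run, since cron discards output unless mail is configured; fetch_url and LOG_FILE are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: a cron-friendly wrapper around the
# curl call from the post. fetch_url and LOG_FILE are names chosen here.
# By default curl exits 0 on an HTTP 500 and has no overall timeout, so a broken
# job would look fine in cron; --fail and --max-time make failures visible.
set -u

LOG_FILE=${LOG_FILE:-/tmp/curl-cron.log}

# fetch_url URL [name=value ...]
# Sends a GET with each pair as a query parameter (--data-urlencode, unlike
# -d, escapes spaces and '&' in the value) and returns curl's exit status.
fetch_url() {
    url=$1
    shift
    # POSIX sh has no arrays: rebuild the positional parameters as curl flags.
    n=$#
    while [ "$n" -gt 0 ]; do
        kv=$1
        shift
        set -- "$@" --data-urlencode "$kv"
        n=$((n - 1))
    done
    out=$(curl --silent --show-error --fail --max-time 30 -G "$@" "$url" 2>&1)
    status=$?
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$status" -eq 0 ]; then
        printf '%s OK %s\n' "$stamp" "$url" >> "$LOG_FILE"
    else
        printf '%s FAILED(%s) %s %s\n' "$stamp" "$status" "$url" "$out" >> "$LOG_FILE"
    fi
    return "$status"
}

# Crontab entry that runs the URL from the post every hour (edit the path):
#   0 * * * * /usr/local/bin/fetch.sh run
if [ "${1:-}" = "run" ]; then
    fetch_url 'http://SomeDomain.com/SomeFile.php' var1=abc var2=zyz
fi
```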

Modifying MimboPro to Add Paged Navigation To Category Pages

Recently I have been doing a lot of work with WordPress. I love WordPress. One of the things I like most about WordPress is the plugins and themes.

I recently bought a copy of the MimboPro theme. Mimbo is clean and very professional. It is more of a CMS theme than a blogging theme, perfect for what I want to use it for.

As I dug into MimboPro and WordPress, I realized something strange: the MimboPro theme doesn't support paging in a category view. What this means is that EVERY SINGLE post you make is shown on one page. If you have a very active site, like the one I'm working on, this quickly gets out of hand. Look at this image and you will see what I mean (click for full version).

One of the reasons I like MimboPro was the support that the authors of the theme offer. I headed over to their message forums and found other people like me asking for the addition of paged navigation to category pages. The original post was 8 months ago, and no one had resolved anything. I made a post to the MimboPro authors only to be told that there is going to be a new theme that will handle this and that it will be available at a deep discount to MimboPro owners. This upset me a bit, so, taking matters into my own hands, I fixed what Mimbo won't, and I am handing out my own patch to solve this issue. Below are the instructions to hack your own files, or you can just download my zip file with the pre-hacked files.

Pre-Hacked Files:
Download with pre-hacked files: JoshHighlands_MimboPro_CategoryPagingHack.zip

DIY INSTRUCTIONS (click images for full sizes):

  1. Save a copy of your current category.php and style.css files from the MimboPro theme directory to a safe location
  2. Open up category.php inside of the MimboPro theme directory and find line 17
  3. Comment out line 17 with a double slash (//)
  4. Go to line 87 of category.php and add the following code
  5. Save and close category.php
  6. Open up style.css inside of the MimboPro theme directory
  7. Add the following CSS code to the bottom of the file (should be close to line 852)
  8. Save style.css
  9. Upload category.php and style.css to the MimboPro theme directory on your server
  10. Everything should be working. Here is what my WordPress running MimboPro looks like

That's it! MimboPro will now have paging in all of the categories. The next and previous links only show up when you have enough posts; the WordPress default is 10 posts per page. To change the number of posts shown on a category page, go into the admin and under "Settings" > "Reading" you will find the option, as highlighted here.

If you had any problem reading the code in the image files, download the zip file with the pre-hacked files in it.

Download with pre-hacked files: JoshHighlands_MimboPro_CategoryPagingHack.zip

If you have any further questions, please post them in the comments.

How I do layouts and views in CodeIgniter

I have been a loyal fan of the kick-ass PHP framework CodeIgniter for some time now. A while back I made a post on how to improve the view handling of CodeIgniter. I would like to retract that post. Through the comments on that post I found out about an undocumented parameter (as of version 1.7 it has been documented) that allows a view to be rendered into a variable instead of being sent to the browser. This changes everything and totally negates the complaints I had about how CI handles layouts and views.

Below is an example of live code I have running at loudsongs.com. It shows how I have been able to take advantage of this powerful third parameter, which stops CI from rendering a view to the screen when loading it.


Inside of my controller

function index()
{
    $base_url = base_url();

    // what the nav needs
    $navigation_data['navTab'] = "home";

    // basic info for the header
    $layout_data['pageTitle'] = "LoudSon.gs";
    $layout_data['meta_description'] = "Under Ground Lyrics, hardcore, metal, emo, rock";
    $layout_data['meta_keywords'] = "lyrics,song,songs,words,hardore,metal,emo,rock";
    $layout_data['meta_url'] = $base_url;
    $layout_data['meta_classification'] = "home";
    $layout_data['searchInput'] = "";
    $layout_data['searchOptions'] = "";

    $this->load->model('search');
    $latest_albums = $this->search->last_n_albumsAdded(10);
    $popular_songs = $this->search->popular_n_songs(10);

    // get the featured albums
    $featuredAlbums = $this->search->getFeaturedAlbums();

    $body_data['featured'] = $featuredAlbums;
    $body_data['newest'] = $latest_albums;
    $body_data['popular'] = $popular_songs;

    // load the content variables: the third argument (true) makes load->view()
    // return the rendered view as a string instead of sending it to the browser
    $layout_data['content_navigation'] = $this->load->view('navigation', $navigation_data, true);
    $layout_data['content_body'] = $this->load->view('home/homePage', $body_data, true);

    // the layout view receives the rendered fragments as plain variables
    $this->load->view('layouts/main', $layout_data);
}

/views/navigation.php

<div id="header">
    <h1 title="Loud Songs Logo">LoudSongs search - hard to find obscure lyrics</h1>

    <ul title="navigation">
        <li<?php if ($navTab == "about") { echo ' id="active"'; } ?>><a href="<?= base_url(); ?>about" title="About Page">About</a></li>
        <li<?php if ($navTab == "add") { echo ' id="active"'; } ?>><a href="<?= base_url(); ?>add" title="Add Lyrics">Add Lyrics</a></li>
        <li<?php if ($navTab == "home") { echo ' id="active"'; } ?>><a href="<?= base_url(); ?>" title="Home Page">Home</a></li>
    </ul>
</div>

/views/home/homePage.php

<div>
    Thanks for visiting LoudSongs
    <br/>
    We are trying to build and maintain a collection of punk rock, hardcore, emo, metal and other lyrics.
    This website is free and open to all.
    Please help us by <a href="http://www.LoudSon.gs/add">contributing to the collection</a>.
</div>

<div>
    <?php $this->load->view('home/featuredAlbums'); ?>
</div>

<div class="middle_col_split">
    <?php $this->load->view('home/recentlyAdded'); ?>
</div>

<div class="middle_col_split">
    <?php $this->load->view('home/mostPopularSongs'); ?>
</div>

/views/layouts/main.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
    <?php // these values are set in the controller; wrap them in htmlspecialchars() if they ever come from user input ?>
    <meta http-equiv="Content-Type" content="text/html;charset=us-ascii">
    <meta name="description" content="<?= $meta_description ?>">
    <meta name="keywords" content="<?= $meta_keywords ?>">
    <meta http-equiv="expires" content="0" />
    <meta name="classification" content="<?= $meta_classification ?>" />
    <meta name="Robots" content="index,follow">
    <meta name="revisit-after" content="2 Days">
    <meta name="language" content="en-us">

    <link href="<?= base_url() ?>includes/styles/lyrics.css" rel="stylesheet" type="text/css" media="screen" title="default">

    <script type="text/javascript" src="<?= base_url() ?>includes/scripts/jquery-1.2.6.min.js"></script>

    <title><?= $pageTitle ?></title>
</head>

<body id="home">
    <div id="nav">
        <?= $content_navigation; ?>
    </div>

    <div id="middle_column">
        <?= $content_body ?>
    </div>
</body>
</html>


Wow, ok, so that might be a lot to digest. The bottom line is this: CI doesn't have "layouts" like other frameworks, so you have to get creative and use a view AS a layout by using the mythical third parameter when loading a view. We load data into the navigation view and store the rendered result in the $layout_data array, then we load a view named homePage, pass data into it, and store its output in the $layout_data array too. When we are done loading all of the views into the array, we pass that array into another view. This view acts as our layout. Easy as that! Check it out below:

// load the content variables
$layout_data['content_navigation'] = $this->load->view('navigation', $navigation_data, true);
$layout_data['content_body'] = $this->load->view('home/homePage', $body_data, true);

$this->load->view('layouts/main', $layout_data);

I hope this helps someone understand that CodeIgniter does have layout and view functionality; you just have to structure your code that way.

Post some comments if you need more clarification.

iPhone screen shots made easy

If you have the new 2.0 software, follow the diagram below to take a screen shot of the current screen on your iPhone.

Press and hold the Home button and the screen on/off button together. The screen will flash, and the image will be added to your camera roll, so you can download it or email it off. Great for remembering your settings!