WordPress Security


I love WordPress. Of all the blogging and web content management systems I have tried WordPress wins hands down. I’ve moved several of my clients sites and my personal sites to the WordPress platform over the last few months.

As a web developer with a checkered past, security is always a concern of mine when using an out of the box solution that I didn’t write.  I think that anyone who takes the time to develop a nice website would want to help protect it from those who would want to vandalize it.

WordPress is very stable and fairly secure (one of the benefits of open source software), but I have found a few places in the software that I beef up through a few simple steps that I believe everyone should take.

Security point 1: wp-config.php
wp-config.php is the key to the WordPress operation. This file holds the usernames and passwords for your databases: scary stuff if it fell into the wrong hands. By default this file is protected from direct web access because it has a .php extension and doesn't output anything. This is common practice and is fairly secure. But suppose there is a problem with the PHP install on your web server, and instead of the .php file getting processed, it just gets served out as plain text; then anyone who wanted to could download the passwords to your database. Scary stuff! An easy way to fix this is through your .htaccess file.

Open the .htaccess file in the root of your WordPress install, and add the following lines:

<FilesMatch "^wp-config\.php$">
    # Apache 2.2 syntax; on Apache 2.4 (mod_authz_core) use: Require all denied
    deny from all
</FilesMatch>

This tells the web server to NEVER serve out the wp-config.php file. Sure, it's a long shot that your server would serve this file out, but an ounce of prevention is better than a pound of trouble!

Security point 2: browsable plugins directory by default
Try this on your server: go to http://www.your-domain.com/wp-content/plugins/
Did you see the plugins that you have installed? What if one of those plugins has a security hole in it? A hacker could lurk around for sites with an exploitable version of a plugin installed, and then have their way with your site. The solution to this is SO SIMPLE, I don't know why WordPress doesn't do this by default.

Create a blank file named "index.html" and place it in the /plugins directory. Now try to navigate to http://www.your-domain.com/wp-content/plugins/
The plugins list should no longer show up, and would-be hackers have no way of knowing all the plugins you have installed. A simple and elegant solution.
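To check whether an install already has both of these protections in place, here is an added Python audit script (written for this post, not part of WordPress): it parses the root .htaccess for a FilesMatch block whose regex matches wp-config.php and denies access (Apache 2.2 or 2.4 syntax), and checks that wp-content/plugins/ has an index file, also accepting an "Options -Indexes" directive as the other common way to switch listings off. The make_sample_docroot() helper builds a constructed throwaway install so the script runs offline.

```python
import os
import re
import tempfile

# Added example, not WordPress code: audit a document root for the two hardening
# steps above. The sample install built by make_sample_docroot() is constructed.
FILESMATCH = re.compile(r'<FilesMatch\s+(?P<pat>[^>\s]+)\s*>(?P<body>.*?)</FilesMatch>',
                        re.IGNORECASE | re.DOTALL)
DENY = re.compile(r'\b(deny\s+from\s+all|require\s+all\s+denied)\b', re.IGNORECASE)

def read_htaccess(docroot):
    path = os.path.join(docroot, ".htaccess")
    if not os.path.isfile(path):
        return ""
    with open(path) as fh:
        return fh.read()

def wpconfig_denied(docroot):
    """True if a <FilesMatch> block whose regex matches wp-config.php denies access."""
    for m in FILESMATCH.finditer(read_htaccess(docroot)):
        pat = m.group("pat").strip('"')  # FilesMatch takes a regex, quoted or not
        if re.search(pat, "wp-config.php") and DENY.search(m.group("body")):
            return True
    return False

def plugins_listing_blocked(docroot):
    """True if an index file hides the plugin list, or 'Options -Indexes' disables listings."""
    plugins = os.path.join(docroot, "wp-content", "plugins")
    if any(os.path.isfile(os.path.join(plugins, n)) for n in ("index.html", "index.php")):
        return True
    return re.search(r'^\s*Options\b.*-Indexes', read_htaccess(docroot),
                     re.IGNORECASE | re.MULTILINE) is not None

def audit(docroot):
    return {"wp-config.php denied": wpconfig_denied(docroot),
            "plugins listing blocked": plugins_listing_blocked(docroot)}

def make_sample_docroot(hardened):
    """Constructed WordPress-like tree in a temp dir; hardened=True applies both fixes."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-content", "plugins", "sample-plugin"))
    open(os.path.join(root, "wp-config.php"), "w").close()
    htaccess = "# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n"
    if hardened:
        htaccess += '<FilesMatch "^wp-config\\.php$">\ndeny from all\n</FilesMatch>\n'
        open(os.path.join(root, "wp-content", "plugins", "index.html"), "w").close()
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write(htaccess)
    return root
```

Run audit() against your real document root to see which of the two steps is still missing; the index file only hides the listing, so keeping plugins updated still matters.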

Conclusion:
WordPress is a great piece of software, and with age it will get more secure and more stable. The community of WordPress users is what makes WordPress truly powerful. As I find things that I believe need changing, I will continue to blog about them and submit changes to the WordPress project.

WordPress 2.7 is almost here!

OMG OMG OMG! WordPress 2.7 is almost here. Here is a long list of the changes that are going to be in the latest release. I have been a huge WordPress fan for some years now. It's always treated me well. It's treated me so well that I have decided to move my main website, notPopular.com, to the WordPress platform for content management. I'm really nervous though; I have done a lot of custom work on the notpop install of WordPress, and it isn't released yet. I hope that my plugins and custom code don't break too badly. I will have a full review of WordPress 2.7 once it is released later this week.

WordPress iPhone app

I love WordPress as a blogging platform and I love the iPhone as a mobile computing solution. Yesterday I saw that there was a WordPress app available for the iPhone, so I had to try it out.

This is a post from the WordPress app, and so far it's easy to use. I don't know how much mileage I will get out of this app; I tend to blog from home and use Twitter on the run. Who knows, this app might change that!

Let’s see how the image attachment feature works. This is me, right now in my office.


WordPress 2.5 image upload problem : SOLVED

This afternoon I upgraded my blog to the latest version of WordPress, 2.5. The install went great and it was simple to do. I didn't realize that I had any problems until I went to make a blog post and upload an image. When I tried to upload, I was greeted with the following:

Something was for sure messed up. I tried it in several browsers, but had the same results. No luck. I started to do some searching online, but since WordPress 2.5 is so new, there was little info to be found. After about an hour of stumbling around I came across a post on a forum where someone said they got the image upload to work by adjusting the .htaccess file on their site with the following code.

<IfModule mod_security.c>
    <Files async-upload.php>
        # ModSecurity 1.x directives (ModSecurity 2.x uses "SecRuleEngine Off").
        # This switches the web application firewall off for uploads through this
        # one file only, so the rest of the site stays protected.
        SecFilterEngine Off
        SecFilterScanPOST Off
    </Files>
</IfModule>

I made the change to my .htaccess file, and like magic the image upload feature started to work again!

I am making this post in the hope that other people with similar problems will stumble across it and be able to fix their problem without having to wade through all the pages of people trying to diagnose what the problem is, when the solution is super easy.

2011 Year In Review


For the last few years I have listed the goals that I would like to achieve for the year (2011, 2010, 2009). With this post I'd like to take some time and see how many of my 2011 goals I managed to achieve.

  • Speak at more tech conferences and user groups

I only managed to speak at 1 tech conference this year, OC WordCamp. I tried to get on the speaking list for BlogWorld Expo, but my topic, "Optimizing the performance of WordPress", was too awesome for them, so it was rejected. Their loss. I love public speaking, so I imagine this will continue to be one of my goals in the future. Since I only spoke once this year, I'm going to give myself a #FAIL

  • Travel more, possibly out of the country

Well, I managed to spend a week in Kentucky camping with my friends. It was an amazing time. I had plans to visit @JasonXKeller in Prague, in the Czech Republic, but he moved back to America before I made my trip. At least I have my passport now, and I’m glad I get to hang out with him on the reg. #FAIL

  • Rehab my leg back to 100% strength
  • Work out more, get into awesome shape

I grouped these two goals together because they are very closely related. A bit of a back story in case you are new to following me: in January 2008 I destroyed my left knee and had to have major surgery. The doctor and physical therapist told me that the only way to get back to 100% strength was to hit the gym really hard for the next 2 years, due to the massive damage and muscle atrophy that happened to my leg.

One thing I can say is that 2011 has been the year of #getBig. I hit the gym 2 hours a day, 5 days a week. I've also gotten really into sport nutrition and bodybuilding. My brother is my lifting partner and we push each other. Having a vegan diet has made weight lifting an extra challenge, but I love it. My leg still has a ways to go, but I have been able to stack on an insane amount of muscle. I'm finally starting to develop a bodybuilder physique. 17 inch arms... #EpicWIN

  • Develop more iPhone apps

This is a simple answer: I was able to release 4 iPhone apps this year. That's a #WIN

  • Get an android phone to test / develop with

Nope, didn't happen, but I'm OK with that. #noCareEver

  • Do more community service

This year I hooked up with a great group of guys from South Orange County called WSB (We Still Believe). I helped out a few times cooking and distributing food to the homeless. WSB also organized a few food drives and concerts that raised money for homeless shelters in the Inland Empire. It’s super rewarding and something I want to continue with. #WIN

  • Pay off more of my debt

Well, I'm not 100% debt free, but I'm closer than I ever have been before, so yeah, that's a #WIN. It's a good goal for us all to have.

  • Automate more of my income

This year, I was able to increase my automated income through iPhone app sales, Google AdSense, and Shopify referrals. It's a far cry from being able to live off it, but it's a start and it's inspiring to see what I was able to accomplish. I'm giving myself the #WIN for this, but I'm going to keep working on it moving forward.

  • Get more tattoos

I got two new tattoos this year, both from my buddy Marc Jackson at Tattoo Revolution in Redlands, CA. Bonus points for you if you understand why I got the first tattoo on St. Patrick's Day. If you don't know, watch this video. Marc Jackson and I actually got matching "Leprechaun" tattoos. The second tattoo is my 5th Straight Edge tattoo, and reads "Cradle To The Grave"; it is based on lyrics from "Path of Resistance". It was featured in a tattoo book, "With the Light of Truth". So yeah, an internet meme tattoo and a straight edge tattoo, total #WIN