Check your web host file permissions first!

November 23, 2010

WordPress security issues come and go. Some linger because the malicious code is hard to clean out, but often they persist because site owners overlook an important part of keeping their hosts protected: file permissions.

A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.

Matt Mullenweg warns against web hosts and other security announcements that place the blame on the WordPress software without first checking if proper file permissions are in place.

Devlounge has an old but still applicable article on protecting your wp-config.php files, for starters. This article on WP Tavern also tackles the issue above and shares more file permission advice especially on shared hosting accounts.
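As an added example (not part of this post or of any tool it links to), here is a small POSIX shell audit for the two permission mistakes discussed above: files that other accounts can write, and a wp-config.php that other accounts can read. It assumes a suexec-style host where PHP runs as the site owner, so 644/755 for files/directories and 600 for wp-config.php are sufficient.

```shell
#!/bin/sh
# Added example, not from the post. Audits a WordPress tree for loose
# permissions. Assumes a suexec-style host where PHP runs as the site
# owner, so only the owner's own bits are needed (644/755, wp-config.php 600).

# Print the 10-character mode string ("-rw-r--r--") of a path. Parses ls
# instead of calling stat so it works on both GNU and BSD systems.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# wp_perm_audit ROOT
# Prints one "WRITABLE <mode> <path>" line per file or directory that group
# or others may write, and one "READABLE <mode> <path>" line if wp-config.php
# is readable beyond its owner. Returns 0 when clean, 1 when anything is found.
# (Word-splits find's output; for paths containing spaces use find -exec.)
wp_perm_audit() {
    root=$1
    count=0

    # A group- or world-writable file lets any other account on the host,
    # or any compromised process, replace your code.
    for path in $(find "$root" \( -perm -g+w -o -perm -o+w \) -print); do
        printf 'WRITABLE %s %s\n' "$(mode_of "$path")" "$path"
        count=$((count + 1))
    done

    # wp-config.php carries the database credentials and the auth salts.
    cfg=$root/wp-config.php
    if [ -f "$cfg" ]; then
        mode=$(mode_of "$cfg")
        case $mode in
            ????r*|???????r*)   # position 5 = group read, position 8 = other read
                printf 'READABLE %s %s\n' "$mode" "$cfg"
                count=$((count + 1)) ;;
        esac
    fi

    [ "$count" -eq 0 ]
}
```

Run it as `wp_perm_audit /path/to/wordpress` and fix anything it lists with chmod before blaming the software.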


wp-config.php code snippets for autosave, post revisions, trash settings

April 28, 2010

These lines change the default settings for autosave intervals, post revisions and the Trash. Insert them in the wp-config.php file at the root folder of your WordPress site.

define('AUTOSAVE_INTERVAL', 160 );

Explanation: Set the length between autosaves to 160 seconds.

define('WP_POST_REVISIONS', false );

Explanation: Disable post revisions completely.

define('WP_POST_REVISIONS', 3);

Explanation: Limit the number of post revisions to 3. (Tip: install Revision Diet so you don’t need to do this manually, and you can also delete excess revisions created beforehand.)

define('EMPTY_TRASH_DAYS', 0 );

Explanation: Disable the Trash functionality completely.

define('EMPTY_TRASH_DAYS', 30 );

Explanation: Set the number of days after which the contents of the WordPress Trash bin (posts, pages, comments, etc.) are permanently deleted. This happens automatically and without confirmation.

Even more snippets can be found at the Codex, though I hope that in the future WordPress can integrate these as configurable settings in the admin interface.


Instant Install WordPress

May 19, 2009

Instant Install WordPress is a small PHP script that downloads and extracts the latest WordPress version on your web server. Once uploaded, all you have to do is call it (e.g. http://www.yoursite.com/easywp.php); it asks for the details needed to fill out the configuration file, then installs WordPress. This cuts installation time from the famous 5 minutes down to a few seconds.

(Note: This tool was first called EasyWP but the creator discovered it had the same name as an existing plugin.)

Download Instant Install WordPress


10 ways to secure your WordPress administration panel

January 27, 2009

Sergej Müller and Alex Frison on Smashing Magazine have written a 10-step guide to protecting and ensuring your WordPress admin area is as safe as can be. Here’s the list:

  1. Rename and upload the wordpress Folder
  2. Extend the file wp-config.php
  3. Move the wp-config.php file
  4. Protect the wp-config.php file
  5. Delete the admin User Account
  6. Choose strong passwords
  7. Protect the wp-admin Directory
  8. Suppress Error Feedback on the Log-In Page
  9. Restrict Erroneous Log-In Attempts
  10. Keep Software Up to Date

Read the whole thing here.

It’s best to perform these safety measures right after installing WordPress, and to make them part of your routine if you run a slew of WP-powered sites.
