WordPress Archives

The Global WordPress Brute Force Flood attack that we experienced recently affected literally thousands of WordPress sites. Many were recovered, but many were lost.

In March, on HostGator's blog, one customer reported having three hundred and fifty sites affected. All this, not to mention the hours lost by WordPress blog owners attempting to regain access to their sites.

So, what can you do to help protect your WordPress sites from a similar attack? Let's talk about some steps you can take to add layers of protection to your installations, as well as ongoing actions you can take to secure your sites and information.

Your Initial WordPress Installation

I'm sure that you have heard of the one-click installations for WordPress. Your web host likely provides Fantastico, Fantastico Deluxe or a similar application to quickly get your sites up and running. I do all my installations manually. We are not going to cover a complete installation here; we are just going to close some security holes.

When you begin your installation, it is a good idea to open a text editor, like Notepad, and copy and paste all of your settings into it: the database name, database user name and password. You will need them to complete the installation.

Once you have your WordPress files either placed in a folder in your home directory by Fantastico or uploaded yourself, open the wp-config-sample.php file in Notepad or your favorite text editor for a little editing. Do not use Word or WordPad.

It will look like this, once opened:

Now, copy and paste your DB_NAME, DB_USER, and DB_PASSWORD values into the highlighted areas. Then scroll down to the section under 'Authentication Unique Keys and Salts'.

Copy and paste the URL https://api.wordpress.org/secret-key/1.1/salt/ into your browser. This will display a set of unique key phrases generated for this installation only. Copy and paste these keys into the highlighted area shown. Be sure to paste these into your Notepad file as well and save it.


That done, scroll down just a bit to the 'WordPress Database Table prefix' area. This section is simple. Your table prefix is a series of numbers or letters, or a combination of both, of up to six or so characters. What you put here is really up to you. Just type yours in after the underscore, like this: 'wp_XXXXXXXX'.

The table prefix basically allows you to run multiple WordPress installations from a single database by assigning each its own individual table prefix. Whether or not you intend to have multiple instances in a single database, it's still a good idea to fill this in.

Remember to add your table prefix to your settings file!

When you have completed these steps, you will want to save your updated wp-config-sample.php file. But you want to save the updated file as 'wp-config.php'. To do this, in Notepad, click 'File > Save As' and, when prompted, type wp-config.php and save it to your desktop.

Then, just upload the wp-config.php file to the WordPress installation files and delete the wp-config-sample.php file.

Now you are ready to complete the final steps to installing your new site. When you have completed those steps, go back to your WordPress directory, open the 'wp-admin' folder and delete the 'install.php' file. You no longer need it and it can allow someone access to your site.

If you have already installed your site and did not complete these steps, don't worry. Just follow the steps above and you're good to go!
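If you want to check an existing site against the steps above rather than re-reading the file by eye, the following Python script is an added example (not part of this post, and not a WordPress or plugin tool). It parses wp-config.php, flags the placeholder database settings and the 'put your unique phrase here' salts that wp-config-sample.php ships with, flags the default 'wp_' table prefix, and reports whether wp-admin/install.php is still present. The sample configuration texts are constructed for the example, and the 32-character minimum salt length is an assumption of this script, not a WordPress rule.

```python
import os
import re

# Constants that wp-config-sample.php ships with placeholder values.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD")
SALT_PLACEHOLDER = "put your unique phrase here"
MIN_SALT_LENGTH = 32  # assumption of this script: shorter salts are treated as weak

# Matches define('NAME', 'value'); the value may hold any of the symbols the
# salt generator emits, so escaped characters are allowed inside the quotes.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")

# Constructed sample: a wp-config.php that still carries the sample defaults.
UNHARDENED_CONFIG = """<?php
define('DB_NAME', 'database_name_here');
define('DB_USER', 'username_here');
define('DB_PASSWORD', 'password_here');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix  = 'wp_';
"""

# Constructed sample with obviously fake salts; real ones come from the
# api.wordpress.org secret-key URL mentioned above.
HARDENED_CONFIG = """<?php
define('DB_NAME', 'wp_example_db');
define('DB_USER', 'wp_example_user');
define('DB_PASSWORD', 'correct-horse-battery-staple');
define('AUTH_KEY',         'Qm7!vR#2xP9@kL4$wZ8^nT3&yB6*hJ1(cF5)dG0');
define('SECURE_AUTH_KEY',  'xP9@kL4$wZ8^nT3&yB6*hJ1(cF5)dG0Qm7!vR#2');
define('LOGGED_IN_KEY',    'kL4$wZ8^nT3&yB6*hJ1(cF5)dG0Qm7!vR#2xP9@');
define('NONCE_KEY',        'wZ8^nT3&yB6*hJ1(cF5)dG0Qm7!vR#2xP9@kL4$');
define('AUTH_SALT',        'nT3&yB6*hJ1(cF5)dG0Qm7!vR#2xP9@kL4$wZ8^');
define('SECURE_AUTH_SALT', 'yB6*hJ1(cF5)dG0Qm7!vR#2xP9@kL4$wZ8^nT3&');
define('LOGGED_IN_SALT',   'hJ1(cF5)dG0Qm7!vR#2xP9@kL4$wZ8^nT3&yB6*');
define('NONCE_SALT',       'cF5)dG0Qm7!vR#2xP9@kL4$wZ8^nT3&yB6*hJ1(');
$table_prefix  = 'wp_k7x2q9';
"""


def parse_config(text):
    """Return ({constant: value}, table_prefix) parsed from wp-config.php source."""
    defines = {name: value for name, value in DEFINE_RE.findall(text)}
    match = PREFIX_RE.search(text)
    prefix = match.group(1) if match else None
    return defines, prefix


def audit_config(text):
    """Return a list of finding codes; an empty list means every check passed."""
    defines, prefix = parse_config(text)
    findings = []
    for key in DB_KEYS:
        value = defines.get(key, "")
        if not value or value.endswith("_here"):
            findings.append(f"placeholder-db-setting:{key}")
    for key in SALT_KEYS:
        value = defines.get(key, "")
        if not value or value == SALT_PLACEHOLDER:
            findings.append(f"placeholder-salt:{key}")
        elif len(value) < MIN_SALT_LENGTH:
            findings.append(f"short-salt:{key}")
    # Salts that were filled in but reused across constants defeat their purpose.
    real_salts = [defines[k] for k in SALT_KEYS
                  if defines.get(k) and defines[k] != SALT_PLACEHOLDER]
    if len(set(real_salts)) != len(real_salts):
        findings.append("duplicate-salts")
    if prefix is None:
        findings.append("missing-table-prefix")
    elif prefix == "wp_":
        findings.append("default-table-prefix")
    return findings


def leftover_install_script(wp_root):
    """True if wp-admin/install.php is still present under the given WordPress root."""
    return os.path.isfile(os.path.join(wp_root, "wp-admin", "install.php"))


if __name__ == "__main__":
    import sys
    # Usage: python wp_config_audit.py /path/to/wp-config.php (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else UNHARDENED_CONFIG
    for finding in audit_config(text) or ["no findings"]:
        print(finding)
```

Run it against a copy of your own wp-config.php; every line of output is one of the steps above that still needs doing.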

Useful Plugins for Your Site Security

One of the things that makes WordPress such a popular site platform is its versatility. There are literally hundreds of themes, plug-ins and add-ons to extend the capabilities of the basic platform.

There are five primary plug-ins that I suggest. Until recently, I used the Simple-Login-Lockdown plug-in, but this plug-in has not been updated for quite some time.

Bad Behavior - Michael Hampton
Deny automated spambots access to your PHP-based Web site.

BulletProof Security - AITPro, Edward Alexander
BulletProof Security protects your website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts

BruteProtect - Sam Hotchkiss, Rocco Tripaldi
If any single IP has too many failed attempts in a short period of time, they are blocked from logging in to any site with this plugin installed.

TimThumb Vulnerability Scanner - Peter Butler
Keep your instances of Timthumb up to date and free from vulnerabilities simply. Bonus - checks for obvious signs of compromised sites.

WordPress Hashcash Extended - Elliot Back
Client-side javascript blocks all spam bots. XHTML 1.1 compliant.
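To make the BruteProtect idea concrete, here is an added Python example (not the plugin's own code, and not part of this post) that applies the same rule to a web server access log: count failed logins per IP inside a sliding window, and lock that IP out once the count reaches the limit. The log lines are constructed for the example using RFC 5737 documentation addresses. It assumes the usual wp-login.php behaviour of answering a bad password with a 200 page and a successful login with a 302 redirect, which is a heuristic, and the limits (5 failures in 5 minutes, 15-minute lockout) are chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-format access log lines, constructed for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:18 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def is_login_attempt(event):
    return event["method"] == "POST" and event["path"].endswith("/wp-login.php")


def login_failed(event):
    # Heuristic assumption: wp-login.php re-renders the form with 200 on a bad
    # password and answers a successful login with a 302 redirect into wp-admin.
    return event["status"] == 200


class FailedLoginTracker:
    """Sliding-window failure counter with a temporary lockout per IP."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> when its lockout expires

    def decide(self, event):
        """Return 'blocked', 'allowed', 'locked' or 'failed' for one login attempt."""
        ip, now = event["ip"], event["ts"]
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return "blocked"
            del self.blocked_until[ip]  # lockout has expired; start counting again
        if not login_failed(event):
            self.failures.pop(ip, None)  # a real user who got in resets the count
            return "allowed"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop failures that fell outside the window
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"


def analyse(log_text, tracker=None):
    """Feed every login POST in the log to the tracker; return decisions and tracker."""
    tracker = tracker or FailedLoginTracker()
    decisions = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and is_login_attempt(event):
            decisions.append((event["ip"], tracker.decide(event)))
    return decisions, tracker


if __name__ == "__main__":
    for ip, decision in analyse(SAMPLE_LOG)[0]:
        print(ip, decision)
```

In the sample, 203.0.113.7 reaches five failures inside a minute and is locked out on the fifth attempt; its sixth attempt is refused, while 198.51.100.4 logs in normally. A plugin does the same bookkeeping inside WordPress itself, where it can also refuse the login outright instead of only reporting it.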

As I said earlier, there are many plug-ins available, and there are just as many opinions as to which are the best.

A one hundred percent secure site is a dream. If someone wants in bad enough, they will get in. Bottom line!

But, as site owners, it is up to us to make our sites as safe and secure as possible for our visitors and clients.

Until next time!

Technorati Tags: Global WordPress Brute Force Flood, WordPress, WordPress Security

Our guest expert speaker for today's segment was Mike Paetzold, 'The WordPress Guy'.

Mike Paetzold got started blogging in 2003 and has become an expert on using WordPress. He has become known as 'The WordPress Guy'.

After being an underground niche marketer using his blogs, he has surfaced to share some of the ways he uses PLR to enter various niches profitably.

As for some of the reasons for the WordPress platform's popularity among bloggers and marketers, Mike cites the ease of installation, the availability of a huge assortment of themes, and, of course, the ability to install various plugins that enable you to create a fully customized and unique blog site.

However, Mike suggests that you should learn to install WordPress manually as opposed to the simple 'one click install' route normally taken. One reason for this is that, by default, the simple install creates duplicated settings for each installation that you do. And who has just one blog, right?

One of the most important plugins to add to your installation is the 'All in One SEO Pack'. This plugin provides not only some basic optimization settings, but more importantly, the ability to set your own custom 'Title Tag' for each post.

As Mike explains it, by default, WordPress assigns the same 'General Description' tag to every post. Since the 'Title Tag' accounts for about seventy percent of your on-page SEO, your title tag should be set with your main keywords for the post at the beginning of your 'Title Tag'.

We also discussed the importance of tags for each of your posts, and another plugin called 'Simple Tags'. One advantage of 'Simple Tags' is that, at the end of a post, it adds a list of other posts on your blog that are related to that post. This provides your reader with direct access to additional relevant information inside your blog.

Of course, these are just a few of the highlights from the show. To get all of the content, download the mp3 and have a listen. As always, I encourage you to do so with a pen and paper nearby to take notes.

Mike provides a program that trains you to correctly set up WordPress, and it even includes a process map to guide you through setting up your blogs. It's called 'WordPress Made Easy'.

Once you've listened to the call and picked up Mike's program, you will have no trouble understanding why Mike is known as 'The WordPress Guy'.

Thanks for your time! I hope that you have found this useful.



Technorati Tags: Affiliate, Blogging, Blogs, internet marketing, Mike Paetzold, PLR, The WordPress Guy, WordPress Made Easy