Introduction

Welcome

[00:04] Hello, I am Jeff Starr.
[00:06] Welcome to WordPress 3: Developing Secure Sites.
[00:09] It was recently reported that WordPress sites make up 12% of the entire Internet.
[00:15] That's pretty incredible if you think about it.
[00:17] One of the downsides to this popularity is that WordPress is a huge target for malicious attacks.
[00:23] In this course, I'll show you how to diminish the threat of these attacks and make your site more secure.
[00:29] First, we'll take a look at some basics, like backing up and restoring, setting up strong passwords, and choosing trusted plug-ins and themes.
[00:39] We'll also explore how to increase security by monitoring users and files, scanning for exploits, and using a firewall to defend against attacks.
[00:50] Then we'll move on to more advanced topics, such as protecting RSS feeds, stopping hotlinking, and blocking proxy servers.
[00:59] Join me in WordPress 3: Developing Secure Sites, and I'll show you how to keep your WordPress site safe and secure.
Using the exercise files

[00:00] This video tutorial series provides everything you need to follow along and complete the course in the exercise files.
[00:09] If you have access and are a Premium member, just grab a copy of the exercise files and place them on the Desktop as you follow along.
[00:17] If you don't have access to the exercise files, that's okay.
[00:21] You can still follow along. Just pause the movie when some code is presented and type it out manually.
[00:27] This course is not code intensive, so you should have no problems doing so.
[00:31] Also in this video tutorial series, we're working with several key pieces of software.
[00:37] First and foremost, for our demo site, we're using a default installation of WordPress, which is easy for you to replicate by going to wordpress.org, downloading the latest version, and performing the Famous 5-minute Install process.
[00:52] A good idea for following along with the series is to set up your own demo site, as I have done.
[00:57] Note that at the time of this screencast, the current version of WordPress is 3.1.3.
[01:02] Next, we're using the Chrome browser, which is also free and ready for download at google.com/chrome.
[01:14] And for various parts of the tutorial, we're also using the Firefox browser, which is available at mozilla.com.
[01:23] On the other side of the browser, we are using a software program called CODA for our FTP/file editing needs.
[01:31] When you hear me mention the FTP editor or FTP/file editor, I'm referring to CODA, which is available at panic.com/coda.
[01:41] Of course, any FTP/file editor will work just fine.
[01:47] Also, all of the plug-ins, themes, and code are open source and GPL licensed.
[01:54] All of the plug-ins and themes used in this tutorial are freely available at the wordpress.org web site, and all of the code snippets are from my personal/design site perishablepress.com.

1. Getting Started

Backing up your site

[00:00] Keeping current backups is the most important thing you can do to protect your site.
[00:04] It's like your site's life insurance policy.
[00:07] In a worst-case situation, having current backup files enables you to get everything back up and running.
[00:12] Of course the easiest way to back up everything with WordPress is to do it automatically with a plug-in.
[00:18] There are several good backup plug-ins available, but the most powerful and flexible is one called BackWPup.
[00:26] Let's check it out from the Install New Plugins screen in the admin, where we do a quick search and see it listed right here.
[00:37] So we click on Details to read more about it, and we see that it's got a great rating.
[00:42] Daniel Husken is a reputable author.
[00:45] It's been downloaded 54,000 times.
[00:47] It says it has not been tested, but it is compatible with WordPress 3.1, so they are referring to the .3 current version of WordPress.
[00:58] We use it on several sites and it works great.
[01:01] Here is a list of the things that we're going to be doing: backing up our database, optimizing the database, and it also checks and repairs the database.
[01:09] You can also do file backups, and as you can see here, we get a host of options for where it should store the backup files.
[01:18] The plug-in is already installed on this demo site and, as you can see here, the installation is as usual.
[01:25] So let's go to the Plugin page and configure the plug-in.
[01:30] It's under the Tools menu, BackWPup.
[01:34] The first thing we want to do is configure the plug-in's main settings, so we click on the Settings link.
[01:40] Here on the Settings page, most of the fields should be pre-filled with the correct information, so let's take a look.
[01:47] First is the entire Send Mail panel, which looks just fine using default values.
[01:52] Then scrolling down, the Logs panel. The Log file folder is going to be the location on your server where the backup log files are stored.
[02:01] It should be fine using the default values, and then for Max. Log Files in Folder, pick a reasonable number to keep on your server to avoid file build-up, because they will just keep adding files.
[02:16] And then these two options we can leave at the default, the Gzip Log files! and Log a detailed file list. And these last two panels, Disable Cron and Temp Folder, those will be fine; you don't need to mess with those.
[02:29] When everything looks good, click Save Changes and then go to the Jobs panel to create our first backup job.
[02:38] To do so, we click the Add New button and give it a useful name.
[02:42] We are going to back up everything, so we'll call it that.
[02:48] In our first panel here, Database Jobs, we leave everything unchecked to back up everything, and these two options we can leave set at the default as well.
[03:00] Scrolling down to File Backup, let's check root, Content, Plugins, Themes, and uncheck the Uploads.
[03:08] You'll want to back up your uploads according to your own schedule, especially if you have lots of files.
[03:13] Then we fine-tune which files to back up by excluding directories and folders that aren't needed.
[03:22] So we can always obtain these folders and files from a default installation, and we don't need to back up our temporary files or our old or existing backups.
[03:34] We do not need to include our plug-ins, so let's exclude these.
[03:40] You should keep a list of your plug-ins in case you do need to restore them.
[03:48] And for Themes, let's just back up the one that we are using, 2010.
[03:53] Here are two more fields for including and excluding other items as you wish.
[04:00] In this panel, Backup to Directory, we're going to specify the location on the server where the backup files will go.
[04:07] Here we don't want to have a bunch of files accumulate on the server, so let's give it a reasonable number, like 10.
[04:14] And then everything beneath this point is alternate locations, other places to store your backups.
[04:23] If we scroll down, we see Backup to E-Mail, and we want to include our email address here, so we are backing up everything to the server and to your email.
[04:37] In the right column, let's check everything and make a complete backup, and then we are almost done.
[04:44] We want to activate automatic backups, and to do this--let's say we want to do this every day. To do that, we set 0, 0, Any, Any, Any, which is the magic recipe for every day.
[05:00] Then for your backup file, you can customize the prefix and the compression method.
[05:06] The default values should work just fine. And if you'd like to receive email notification when there are errors, then go ahead and include your email address here and check the option to send only if there are errors.
[05:22] Once everything is configured, that's pretty much it.
[05:25] All we need to do is save our changes, and we've created our job, and we can return now to the Jobs overview, and we see we have Backup Everything ready to go.
[05:37] The type of backup: we're backing up the database, files, and everything else.
[05:43] The file size: the database size is a little over a megabyte and the files, less than a megabyte.
[05:50] So, total backup file size is good at about 2 MB, roughly.
[05:55] It's set to run tomorrow, and it hasn't been run yet, so let's go ahead and do that by clicking the Run Now button, which you can click at any time to make an instant backup of everything.
[06:05] So we click Run Now and it shows the progress, and here it says the job was done in one second, which is great.
[06:15] Let's scroll through and see if there are any errors or warnings, which will be highlighted in red or yellow.
[06:22] And there are not, but if there are, you can use this information to help troubleshoot.
[06:28] At this point, the BackWPup plug-in is set up and ready to go.
[06:33] You should begin receiving your backup files via email and also see the backup files on your server the next time you're there.
[06:39] In this screencast, we've set up an automatic backup strategy using the versatile BackWPup plug-in.
[06:46] Your site's life insurance policy is now in full effect, with current site backups available to you at a moment's notice.
Restoring your site

[00:00] In this screencast, we're going to restore a WordPress site that, for whatever reason, has crashed and lost a bunch of data.
[00:07] The only solution is performing a full site restoration, which includes both the database and the physical files.
[00:15] The restoration process takes some time, but conceptually is very straightforward.
[00:20] Here are the basic steps.
[00:23] First, obtain the most current version of your backup files.
[00:26] Second, set up a temporary maintenance page telling visitors that you'll be back soon.
[00:31] Third, upload the new files.
[00:33] Fourth, restore the database, and lastly, remove the temporary maintenance page.
[00:39] To do this, we will need an FTP connection for the file upload and an app to work with the database.
[00:45] A very popular, well-documented, and open-source app is phpMyAdmin.
[00:52] If it's not, ask your host for help finding an alternative.
[00:55] In any case, here is what our WordPress database looks like using phpMyAdmin.
[01:01] All of our tables are listed here on the left, and we have options to do just about anything we need to do with the database.
[01:08] So with this open and ready to go, let's return to our FTP editor and set up the temporary maintenance page.
[01:16] First, grab a copy of the maintenance.html file that's included with the exercise files and upload it to your server.
[01:25] If you don't have the exercise files, copy this code the best you can, and that should work just fine.
[01:31] You want to save the file and upload it to the server, like so.
[01:36] Next, place a copy of the blank htaccess file--also included in the exercise files--in the root directory of your site, open it, and then paste in the htaccess code that's also included with the exercise files.
[01:54] Save the file and upload it to the server.
[01:59] We do need to make sure that the IP address matches your own.
[02:03] Return to the browser and type in 'what is my IP?' in Google.
[02:08] That will take you to a page such as this, where it lists your IP address right up front.
[02:13] Grab a copy, return to the editor, and replace the IP address with your own, and save the file and upload it to the server.
[02:26] This will ensure that you have access to your site while everyone else is redirected to the maintenance page.
[02:33] To see this in action, let's go to a proxy server, such as the one at proxy.org, and we'll try visiting our site using a different IP address other than our own.
[02:43] We enter the URL, click on the Go button, and we see our maintenance file in effect.
[02:49] The redirect is working, and everyone except for us will see this message.
[02:55] This means that we can work on the server in a relaxed fashion, without worry that visits might be interrupted.
[03:02] So with the maintenance page in place, we're now ready to begin the site restoration process.
[03:07] Because file uploading takes the most time, we'll get that started first.
[03:12] Return to the FTP file editor, and we are connected to the server.
[03:18] As you can see, besides the maintenance.html file and htaccess files, all files have been removed, leaving us a clean slate to work with.
[03:29] Note that if you have large collections of non-WordPress files on the server, such as image files or video uploads, you'll save time by not deleting them; however, part of the restoration process is to start completely fresh and eliminate any hacked files. So it's your call.
[03:46] If you do decide to leave the files on the server, just make sure to check them thoroughly for anything unexpected or unusual.
[03:53] That said, let's begin the restoration process by uploading our backup files to the server.
[03:59] We select all of our files and click the Upload button to go.
[04:05] It is totally okay to replace the existing htaccess and maintenance.html files.
[04:11] Let's click Replace, and while that's happening, let's go back to phpMyAdmin to restore the database.
[04:22] Here in the phpMyAdmin app, we are looking at the WordPress database, and the first thing we want to do is delete all traces of the previous database by clicking Check All and then selecting Drop from the dropdown menu.
[04:37] It will ask you if you really want to do this.
[04:41] It's a big move, and you do.
[04:43] We have a backup of the database, so we want to delete everything in this database.
[04:48] Here we see that the tables have been dropped.
[04:50] Everything is ready to go for a fresh import of your backup database.
[04:54] So to do this, click on the Import tab at the top of the page. Then browse to the location of your most current backup and leave everything else set at the default settings.
[05:11] Finally, select Go to upload the database.
[05:14] It can take some time for large files, but a default WordPress database should go pretty quickly.
[05:19] And as seen here, our database is now restored to the most recent backup.
[05:24] Let's return to the FTP/file editor and check on those files. And we're all set.
[05:31] At this point, all files have been uploaded to the server, as you can see here, and the database has been completely restored as well.
[05:41] So let's return now to the site and see if it works.
[05:46] Refreshing the page. Yes, it's working great.
[05:49] From here, it's just a matter of going through and making sure that everything is working.
[05:54] Check as much as you need to be convinced that the site has been fully restored.
[06:00] Maybe you want to log in to the admin area and take a look around, check posts and pages, and so on.
[06:07] Once everything is running smoothly, let's go ahead and delete the maintenance.html file and remove the htaccess code that we added to redirect site visitors.
[06:20] We now want them to enjoy full access to our restored site, so we can just delete this and upload the file, and for the maintenance page we need to go to the server and just delete that from the server, like so. And with that, normal traffic should be flowing once again through our site.
[06:46] We can hit Refresh and then visit the proxy site one more time to see what happens when someone from a different IP address tries to request the site.
[06:58] There it is, and I have the WordPress directory right here, and it looks like it's just fine.
[07:09] In this screencast, we've completely restored our WordPress site using our most current set of backup files.
[07:16] We covered an excellent method of keeping good backups in the previous screencast, so be sure to check that out too.
Keeping your site up to date

[00:00] An important step in securing your WordPress site is keeping things current and up to date.
[00:05] Running the most up-to-date version of WordPress ensures that you have all the latest bug fixes, security patches, and new features.
[00:13] This screencast demonstrates how to stay current with everything, right from the comfort of the WordPress admin area.
[00:20] With WordPress there are three things that should be kept current: core files, plug-ins, and themes.
[00:28] The good news is that by default WordPress will let you know when it's time to update any of these three items.
[00:35] When it's time to update WordPress itself, you'll see the famous 'update nag', as it's called, appearing at the top of every page in the WordPress admin area.
[00:44] Let's click on the Posts menu, and we will see the menu there. Or if we're in the Comments area, we will see the menu as well.
[00:52] When you see this message, a new version of WordPress is available, and so it's time to upgrade.
[00:56] To begin the process, click on the Please update now link and review your options.
[01:03] It's important to make a good backup before you perform the upgrade, and then you have the option of updating automatically or downloading the current version and doing a manual upgrade.
[01:15] Likewise, when a plug-in update is available, the Plugins menu panel will look like this.
[01:21] First you will notice a circle with the number of available updates.
[01:26] Then, scrolling down through the Plugins page, you can see which plug-ins are available.
[01:32] You should see a link next to each available update to update automatically, but you always have the option of upgrading manually as well.
[01:42] And likewise, when a theme update is available, a similar update reminder will appear in the Admin area, in the Dashboard Update screen. Click on Dashboard and then Updates, and we see the plug-ins and themes listed here.
[02:01] Here we can see that a new version of the Skulls theme is available, and we also see our plug-in update available as well. If there are multiple themes and/or plug-ins available, they will be listed here on the Updates page, ready for an easy bulk update at your command.
[02:19] So for those of us who log in to the WordPress Admin area on a regular basis, these reminders definitely help to stay current, but not so much if you rarely visit the admin area. Without seeing these messages, you may never know that a new version of a plug-in or theme is available, and your site may be unnecessarily left at risk for attacks and exploits.
[02:41] Fortunately, there's a handy little plug-in called Update Notifier.
[02:46] If we click on the Plugins page, we see Update Notifier installed, and this plug-in is great because it sends an email whenever an update is available, it's easy to install, and it provides a simple settings page in the Settings menu.
[03:03] Click on Update Notifier, and as you can see here, everything is very straightforward and basic.
[03:11] If we need to add a second email for notifications, we can do so here, and we can even limit our notifications to that email only.
[03:22] There are also options for update notifications for plug-ins and themes.
[03:27] Once you have your settings in place, click Save Changes, and you're good to go.
[03:32] This is a perfect way to keep track of any site that you don't visit on a regular basis.
[03:38] Lastly, a great way to keep an eye on things is to check the Dashboard feeds.
[03:43] If they aren't showing, you can enable them by going to Screen Options and selecting WordPress Blog and Other WordPress News. Close the Screen Options and you will see the news feeds appearing here.
[03:58] This information is a great way to stay current with breaking news, and it's only a click away from within the WordPress admin.
[04:06] Remember, staying current with themes, plug-ins, and WordPress itself helps keep your site secure against potential threats and vulnerabilities. By displaying visual reminders in the Admin area, WordPress makes it easy to stay current as new updates become available.

2. Security Essentials

Implementing strong passwords

[00:00] This screencast is all about using strong passwords to improve the security of your WordPress-powered web site.
[00:07] Choosing strong passwords for your users helps to keep the bad guys out.
[00:12] Weak passwords are things like 'password1234' and other easy-to-guess phrases.
[00:18] Conversely, strong passwords contain numbers, upper- and lowercase letters, and in WordPress they can also contain special characters like these.
[00:28] Using a good random mix of upper- and lowercase letters, numbers, and symbols is a great way to create strong passwords.
[00:35] And doing so is an important part of good security.
[00:39] With WordPress there are three key things to remember:
[00:42] You create your admin password during installation.
[00:46] A password must be created for each new user, and passwords should be changed frequently.
[00:52] During installation, you'll see the setup screen, and right here it asks for your password, twice.
[00:59] There are many ways to pick a strong password, but the easiest is to use an online password generator, like this one at onlinepasswordgenerator.com.
[01:11] Just click the button, grab a password, copy it, and paste it into the password fields.
[01:21] Of course you can, and should, change the admin password regularly after installation, but setting a strong password from the get-go is an excellent way to begin your new site.
[01:33] In addition to the primary admin account, you may also need to set up accounts for other users, which is done here in the User Settings page.
[01:41] Click the Users menu to see a list of your users.
[01:45] For existing users, just click on the User Name and scroll down a bit.
[01:50] There you will see fields for resetting your password, here and here.
[01:55] This should be done on a periodic basis according to your own security policy, and for new users we click Add New and fill out the details, with the username, email, and then choose a strong password, and repeat it.
[02:20] Notice here on the strength meter that this user's password is strong, which is always the desired setting, and with that, click the Add New User button and you're done.
[02:32] Strong passwords are going to help keep your site secure, and it's a good practice to change them on a regular basis.
[02:39] I like to change my passwords every few months for most sites. Admittedly, it's not always the first thing on the mind, but when I see the opportunity to change a password, I will just go ahead and do it.
[02:50] To help with things like changing passwords and choosing strong passwords, here are some plug-ins worth checking out.
[02:56] WordPress Password Cracker is a useful tool for auditing your users' choice of passwords.
[03:02] The WordPress Password Generator is an easy-to-use plug-in that autocompletes the password field that is required for new users.
[03:11] And lastly, Bulk Password Reset makes it easy to update the passwords of all users all at once, and there are way more plug-ins available in the WordPress Plugin directory.
[03:23] We return to the WordPress admin area, click on the Plugins menu, and then click on Add New, type 'password' in the search field, and there you will see many plug-ins available to you, for free, for better password management.
[03:43] In this screencast, we've seen how to create strong passwords and change them for different users.
[03:48] WordPress provides tools for doing this, and there are some great plug-ins to make things even easier.
Understanding users and roles

[00:00] In this screencast we will explore how WordPress uses roles and capabilities to handle its registered users.
[00:07] A good understanding of this helps keep users where they're supposed to be and away from things they shouldn't be messing with.
[00:13] Here at our demo site, let's click on the Users link in the Users menu to see a list of all of our users for this site.
[00:21] Here we see the admin and four others.
[00:24] WordPress gives us an overview of their names, emails, and roles.
[00:30] To better understand what we're looking at here, let's check out a visual showing the default roles used by WordPress.
[00:37] In WordPress there are five different roles: administrator, editor, author, contributor, and subscriber.
[00:45] Each of these different roles is granted a default set of privileges called capabilities.
[00:50] If needed, a role's capabilities may be changed using a plug-in or theme function.
[00:56] As expected, the user who installs WordPress is the administrator.
[01:01] Administrators can do it all.
[01:03] They can install plug-ins and themes, create and manage users, manage options and settings, and import and export content--plus they can do everything that all of the other roles can do.
[01:17] Editor capabilities include moderating comments, managing categories, publishing and editing posts, and uploading files--plus they can also do everything that authors and contributors can do.
[01:30] Author capabilities include editing and publishing, deleting posts, and uploading files--plus everything that the other two roles can do.
[01:40] Contributor capabilities are simply edit and delete posts.
[01:44] Plus they can read, which is the only thing that subscribers can really do.
[01:50] Subscribers can read, similar to regular visitors, but subscribers are actually registered with your site.
[01:56] When WordPress multisite is enabled, the administrator becomes super admin.
[02:02] Super admin can manage the network of sites, manage users, and manage all network themes and options.
[02:08] Plus super admins have all the same capabilities as regular administrators.
[02:13] Let's check out the super admin and see what it looks like when multisite is enabled. First returning to our Users page in the Admin area, we see the various roles listed here.
[02:28] Notice that there are two administrators at this point: Admin and Roger.
[02:34] The Admin user is the one that installed WordPress, and then later somehow Roger was added also as another administrator.
[02:43] Once multisite is enabled, both of these administrators will become super admins.
[02:47] To see this, let's pause to enable multisite mode.
[02:51] Now with multisite enabled, we click the Network Admin link in the upper right-hand corner and then go to the Users page by clicking on the Users link in the Users menu.
[03:02] As seen here, the two administrators have assumed super admin capabilities now that multisite is enabled.
[03:09] But let's say we want Roger to be a regular non-super admin.
[03:14] To do this, we click on his username and then uncheck the option to grant this user super admin privileges, and then we click the Update User button to save our changes.
[03:28] After saving our changes, let's click Back to Authors and Users to verify on the User Settings page.
[03:35] And yes, we now have only one super admin user, as seen here.
[03:41] Returning now to single site mode, we click on the Users menu link and we see that there are still two administrators listed in the Role column, so we see that the super admin stuff only happens when working in multisite mode.
[03:57] Finally, let's change the role of a user. To do this, we click on the user's Edit link and go to the Role dropdown menu to change the user's role to whatever we wish. Then we scroll down and click Update User to save our changes.
[04:15] Returning to the Users page, we can verify that the user's role was changed to author.
[04:22] Remember, a good user management strategy is to give out only as many capabilities as are needed for each user.
[04:29] And the take-home message here is that WordPress provides a powerful, flexible user role system that will help you effectively and securely manage your users.
[04:38] Understanding how this system works will help you better manage your users and keep everyone exactly where they're supposed to be.
Choosing trusted plug-ins and themes

[00:00] Did you know that installing insecure plug-ins and themes puts your site at risk?
[00:05] If the plug-in or theme contains any sort of vulnerability, your entire site may be targeted and attacked.
[00:11] Choosing trusted plug-ins and themes only takes a few minutes, and you can do most of it from the comfort of the WordPress Admin.
[00:18] In this screencast we will demonstrate some practical guidelines and helpful tips for choosing safe and secure plug-ins and themes.
[00:26] The goal is simple: review as much information as it takes to make the best choice.
[00:31] There are no hard-and-fast rules, but applying some practical guidelines will help you find a safe and reliable plug-in.
[00:39] Whenever possible, choose plug-ins from the WordPress Plugin Directory.
[00:43] Look for intelligent, informative descriptions, look at the version number of the plug-in, look for an active changelog, and look at the plug-in rating.
[00:52] Let's see an example of this by going to the Install Plugins screen in the WordPress Admin area.
[00:59] We click on the Add New button and do a quick search for Google XML Sitemaps.
[01:06] Let's click on the Details link to see an example of a safe and reliable plug-in.
[01:12] Notice the description is well written and intelligent.
[01:15] It suits our purposes and explains everything that we need, provides related links, some fine print, and everything else we need to know about this plug-in.
[01:25] Clicking on the Installation page, we also see--very informative, well written, thorough.
[01:30] That's good. We are going to need that, especially if it's anything other than typical.
[01:34] Screenshots, here are screenshots of the plug-in, and what we are looking for here is quality.
[01:40] We are looking for functionality and things that may be useful for us if we decide to install the plug-in.
[01:46] The changelog is very important because it shows whether or not the plug-in is actively developed and maintained.
[01:53] The changelog for this plug-in is actually listed on this web page here, outside of the Admin area, but that's okay. We just scroll down and we begin to see the amount of work that has been put into this plug-in, and we begin to understand why it is the best XML sitemap plug-in. According to many people, it is just amazing.
[02:16] So let's return to the Admin and look at more clues for this great plug-in.
[02:20] It has a good frequently asked questions, FAQ, section, and includes some other notes about the license, translations, and so forth.
[02:29] But perhaps the most valuable piece
of information is in the sidebar here.
| | 02:34 | This summary provides clues that
will help you decide whether or not this
| | 02:38 | plug-in is right for you.
| | 02:40 | First look at the version number. 3.2.4
suggests that this plug-in has been around a while.
| | 02:46 | Look at the author. Is it a
reputable author, one that you recognize?
| | 02:50 | When was it last updated?
| | 02:51 | 374 days ago. That's roughly a year, and
so we may be hesitant by seeing that.
| | 02:59 | It says it is compatible with the
latest version of WordPress, and here is an
| | 03:04 | amazing tidbit of information: it has
been downloaded over 5 million times, which
| | 03:09 | is an incredibly large number for a plug-in.
| | 03:13 | Another important clue is here in the
average rating, and 4 1/2 stars based on
| | 03:18 | that many, 2,000--over 2000--votes.
Definitely this would make up my mind right here.
| | 03:24 | I would probably go with this plug-in
maybe after looking at a couple more.
| | 03:28 | But if you still can't decide after
all that, look for an external plug-in page
| | 03:32 | that you can visit. If one is
available, the link will be listed right here in
| | 03:36 | the sidebar beneath the WordPress org link.
| | 03:39 | We can click on that and go to the web site for
the plug-in and learn more about the plug-in.
| | 03:46 | Now, applying this strategy, let's find
a good plug-in for say formatting our
| | 03:50 | theme for mobile devices.
| | 03:54 | So we click on the Add New link and
type in a keyword to get us started,
| | 03:59 | something like 'mobile' and then click on
Search Plugins to bring up the results.
| | 04:05 | As you can see, there's quite a bit
to choose from, as is the case with
| | 04:08 | most WordPress plug-ins.
| | 04:10 | So first, let's scan the list to get
a general idea of what's available.
| | 04:14 | There's some good ratings, looks like some new
plug-ins here, and then let's begin our
| | 04:20 | search by clicking on the
Details link for the first result.
| | 04:24 | This looks good, but it says it hasn't
been tested with our current version of
| | 04:28 | WordPress. Something to keep in mind is
that WordPress releases what are called
| | 04:33 | point updates, where the plug-in will
go from version 3.0.5 to 3.1, or 3.0.6.
| | 04:42 | In many cases, plug-ins will
work just fine for point updates.
| | 04:46 | WordPress's current version is 3, so
chances are this plug-in will work just fine,
| | 04:52 | and the reason that it says this
message is because somebody has not taken the
| | 04:56 | time to log in to WordPress.org and let
the software know that it is compatible.
| | 05:02 | You see a nice thorough description
here, version number 1.2.4. It's been
| | 05:08 | downloaded 192,000 times. Some great
ratings here, four stars, based on a good
| | 05:15 | number of ratings. The installation looks doable.
| | 05:19 | It includes some screenshots
here of what the plug-in looks like.
| | 05:24 | That's nice to know.
| | 05:26 | So everything looks good, and we
would continue flipping through tabs and
| | 05:30 | seeing things like this right here, the
changelog. Good, good changelog. Active development.
| | 05:37 | We would continue shopping through the
plug-ins to narrow it down and find the best of
| | 05:41 | the best of the best.
| | 05:42 | Once you get that far, it becomes a matter of
personal preferences, features, and so forth.
| | 05:48 | For WordPress themes the
same sort of strategy applies.
| | 05:52 | Look for themes that point toward
active development, trusted authors,
| | 05:56 | compatibility, and popularity.
| | 06:00 | To see an example of this, let's
return to the demo site admin area and go to
| | 06:05 | the Appearance menu and click on Themes.
| | 06:09 | Click on the Install Themes tab and enter
your keyword or keywords. For us, it is mobile.
| | 06:15 | So we click Search, and we
see we have some great results.
| | 06:19 | As you can see, there's not as much
information available as for plug-ins, but we
| | 06:23 | can get a good idea by clicking the
Details link and looking at the version
| | 06:28 | number, author, and ratings.
| | 06:31 | Once you decide on a theme and have
it installed, a great way to check it
| | 06:35 | out under the hood is to use the
handy Theme Check plug-in, as seen here in
| | 06:41 | the Appearance menu.
| | 06:42 | Let's run a quick check
on the default 2010 Theme.
| | 06:47 | Let's suppress the extraneous
information and click Check it!
| | 06:52 | Here we see that the results are very
good: Twenty Ten has passed the tests and
| | 06:57 | is squeaky clean, safe to use.
| | 07:00 | To see an example of a theme with
less-than-stellar results, we rerun the Theme
| | 07:05 | Check on a randomly chosen theme
named Skulls. We click Check it!
| | 07:12 | And as we see, the Skulls theme is
missing a number of required items, as well as
| | 07:18 | a number of recommended items.
| | 07:20 | Does this mean that you shouldn't use the theme?
| | 07:23 | Well, that's up to you.
| | 07:25 | But if you see anything serious, you
should either investigate further or just
| | 07:29 | move on to the next theme.
| | 07:30 | In this screencast, we've seen some
smart ways to stay savvy when adding
| | 07:35 | new themes and plug-ins.
| | 07:36 | From the comfort of the Admin area,
WordPress makes it easy to find, install, and
| | 07:41 | update safe and secure
plug-ins and themes for your site.
| Removing unused plug-ins, themes, and files| 00:00 | In this screencast we go through the
different parts of a WordPress installation
| | 00:04 | and look at how to clean things up,
| | 00:06 | which files and plug-ins are safe to remove
from the server, where to look, and so on.
| | 00:10 | Running a tight ship is a key part of
good security, and removing unused files
| | 00:15 | and plug-ins eliminates potential
attack vectors and helps keep your site
| | 00:19 | clean and organized.
| | 00:20 | There are three main areas where we
want to clean things up: files and folders,
| | 00:25 | unused or outdated plug-ins,
and unused or outdated themes.
| | 00:30 | The first place to check is the Plugins page.
| | 00:32 | Here in the WordPress Admin, click
on the Plugins link to go there.
| | 00:36 | We want to take a good look through our
installed plug-ins and see if there are
| | 00:42 | any that we don't need, are no longer
supported, or have become obsolete.
| | 00:47 | For example, here is the ubiquitous
Hello Dolly plug-in, which is fun but
| | 00:53 | not needed, so we could remove it to
keep things clean and focused. To do
| | 00:58 | so, we would simply click on the Delete button,
or we could do it manually from the server.
| | 01:03 | We also want to check our installed
themes and see if there is anything that
| | 01:08 | doesn't need to be there.
| | 01:10 | It's okay to keep inactive
themes, such as these three.
| | 01:14 | It doesn't hurt anything to do so,
but whenever possible go ahead and eliminate
| | 01:18 | anything that you don't need.
| | 01:20 | For example, the Skulls theme was
used for a demonstration in a previous
| | 01:24 | screencast, and it is no longer needed.
| | 01:27 | So to keep things clean and tidy, we
would go ahead and click the Delete button
| | 01:32 | to remove it as well.
| | 01:34 | After cleaning up the Admin area of
unused plug-ins and themes, we take a look at
| | 01:40 | the core files by visiting our FTP/file editor.
| | 01:44 | Here is a view of the root directory of
our WordPress installation where we see
| | 01:49 | several files that are included
with WordPress but not needed.
| | 01:54 | These files may be safely removed.
| | 01:56 | The wp-config-sample.php file is
not needed after installing WordPress,
| | 02:03 | readme.html contains the WordPress
version number and should be deleted, and of
| | 02:09 | course there's license.txt--it's your call.
| | 02:12 | I usually delete it.
| | 02:14 | In addition to these files, check for
any non-WordPress directories, files,
| | 02:18 | scripts, images, and so
forth, that are not needed.
| | 02:22 | As you go through your files, you may
want to archive any removed content.
| | 02:29 | For each of my sites I like to keep
an offline folder where I keep notes,
| | 02:33 | unused code, and development files.
| | 02:36 | That keeps the junk off the
server but still available if needed.
| | 02:39 | In this screencast, we've cleaned up
our plug-ins, themes, and core files for
| | 02:44 | better organization and
easier-to-manage site security.
| | 02:47 | Of course good housekeeping is an
important part of any comprehensive
| | 02:50 | WordPress security strategy.
| Changing and recovering passwords| 00:00 | If you lose your password,
that's okay. Don't panic.
| | 00:04 | There are plenty of ways to
retrieve and reset lost passwords.
| | 00:08 | In this screencast, we'll show you
three quick methods for recovering and/or
| | 00:13 | changing forgotten passwords with WordPress.
| | 00:17 | In general, there are three
good ways to reset your password.
| | 00:21 | Method one, change your password
when you are logged in to the Admin area.
| | 00:25 | Method two, change your password when you
are locked out and don't have your password.
| | 00:31 | And method three, which is a failsafe
and works under any situation, is just to
| | 00:36 | change the password directly via the database.
| | 00:39 | So let's go through each of these
methods, beginning with the simplest.
| | 00:43 | Method one, change your password
when logged in to the Admin area.
| | 00:47 | The first and easiest way to change
your password is to simply log in to the
| | 00:51 | Admin area and update any user's
password via the user profile page.
| | 00:58 | Simply click on the Edit link for
that user, scroll down, and enter the new
| | 01:04 | password here, and repeat it here.
Click Update Profile and you're done.
| | 01:09 | This works great, and is the intended
way of changing your WordPress password,
| | 01:13 | but what if you can't log in to the Admin area?
| | 01:16 | If you forget your password, it's going to
be impossible to change it from the Admin.
| | 01:21 | So let's try method two,
change password when locked out.
| | 01:28 | The second method of changing your
WordPress password takes this scenario into account.
| | 01:32 | If you forget your password and are
unable to log in to change it, simply
| | 01:36 | navigate to the Reset your password
page by clicking Lost your password.
| | 01:42 | From this screen, a new
password is just a few clicks away.
| | 01:45 | Just simply enter your username or
email and click Get New Password.
| | 01:50 | In WordPress the Recover your
Password page is by default located at the
| | 01:55 | following URL, where example.com is
the domain name for your web site.
| | 02:01 | Simply enter your username or email and
click Get New Password. Then check your
| | 02:06 | email for the confirmation link.
| | 02:09 | The process takes a few clicks
but seems to work perfectly well.
| | 02:13 | Of course without access to your email
account, it's impossible to change your
| | 02:17 | password using this method, so we
bring out the big guns with method three.
| | 02:22 | With method three, we change the
password directly via the database.
| | 02:26 | This bypasses all requirements by
modifying the database directly.
| | 02:31 | All that's needed is a way of
interfacing with your database.
| | 02:34 | Here we're using the incredibly
awesome phpMyAdmin, which is readily
| | 02:39 | available on most servers.
| | 02:41 | To change your password, click on
your database name in the sidebar and
| | 02:46 | then click on the users table and then on
the Browse tab, to see a list of your users.
| | 02:55 | Here's the only user for this site,
and so to change the password, we click on
| | 03:00 | the Pencil icon to edit.
| | 03:03 | Looking at the user_pass field here,
you see our MD5 encrypted password.
| | 03:10 | This is the current password--you know,
the one we forgot. The new password also
| | 03:16 | needs to be encrypted, and this is
easily done from within the software.
| | 03:23 | Delete the old value and enter the
plain text version of your new password. Then
| | 03:29 | in the dropdown menu,
select MD5 and then click Go.
| | 03:38 | You'll see that our new password has also
been encrypted with the MD5 encryption method.
| | 03:43 | At this point, our new password is ready to use.
| | 03:47 | Just return to the login page
for our web site and click Log In.
| | 03:59 | In this screencast, we've seen three
quick and efficient methods for recovering
| | 04:03 | forgotten passwords.
| | 04:04 | These techniques will help you regain
control in the event that someone hijacks
| | 04:09 | your site and changes your passwords, or
for changing passwords on any occasion.
3. Hardening WordPress
| Protecting the configuration file| 00:00 | In this screencast, we improve
site security by protecting the
| | 00:04 | WordPress configuration file.
| | 00:06 | As seen here, the configuration file
is located in the root directory of our
| | 00:11 | WordPress installation.
| | 00:13 | It contains the username and database
name and password for our database,
| | 00:18 | as well as other super-sensitive information.
| | 00:21 | This file is essentially the key to
WordPress, and so it's mission-critical to
| | 00:25 | keep it safe and secure.
| | 00:27 | Here are two good ways of
protecting the configuration file:
| | 00:30 | restricting access via htaccess and
restricting access via file permissions.
| | 00:36 | So let's return to the FTP editor and
close the wp-config file and protect it
| | 00:42 | with the htaccess code
provided in this screencast.
| | 00:46 | Just copy and paste beneath any
existing rules in your htaccess file, as seen
| | 00:52 | here, and then save and
upload the file to your server.
| | 00:56 | Returning to the Browser, let's check to
make sure that our site is still working,
| | 01:00 | that everything looks good still.
| | 01:02 | We have the homepage, loads fine,
single post works great, and we click around
| | 01:08 | and see that everything is working great.
| | 01:10 | Now, let's check the actual
configuration file and see what happens if somebody
| | 01:14 | tries to access it directly.
| | 01:16 | In the address bar of your browser, enter
the installation directory of WordPress,
| | 01:22 | followed by /wp-config.php, and hit Enter.
| | 01:29 | We see a 403 Forbidden error, as expected.
| | 01:33 | This means that the configuration
file is now protected at the server level
| | 01:37 | using our slice of htaccess code.
| | 01:40 | Once the htaccess file is in place, we
also want to ensure that file permissions
| | 01:44 | are set to 640 or 644 for both
wp-config and htaccess files.
| | 01:51 | These numbers correspond to the types of
things that users can do with their files.
| | 01:56 | In general, the lower the number, the
less users may actually do with the file.
| | 02:01 | For WordPress the recommended
permission setting for folders is 755, and for
| | 02:06 | files, it's 644 or less.
| | 02:08 | So a setting of 644 for wp-config and
htaccess allows WordPress to access the
| | 02:15 | files, while returning the 403
Forbidden error to all external requests.
| | 02:19 | So with our htaccess code in place,
let's return to the browser and go look at
| | 02:24 | the files on the server.
| | 02:26 | Here in the browser we're looking at
the list of files and directories in the
| | 02:31 | root directory of our WordPress
installation, and here is the htaccess file.
| | 02:37 | So if we look over in the Permissions
column, we see rw-r--r--, so we click
| | 02:44 | that. What does this mean? It means
that the owner, group, and others can read
| | 02:48 | the file, and the owner can write to the file,
but nobody can execute or search the file.
| | 02:55 | What do these permissions mean?
| | 02:56 | So we go to an online conversion tool,
like the one here, and we convert the RW
| | 03:04 | values to what's called a CHMOD number, by
replicating the pattern here. Everyone
| | 03:11 | can read, and the owner can write, which
gives us the desired CHMOD value of 644,
| | 03:18 | which is WordPress's
recommended permission setting for files.
| | 03:22 | So now let's return and take a
look at the configuration file.
| | 03:27 | We scroll down a bit, and here is our
configuration file, and we see that it has
| | 03:32 | the same 644 settings, as
shown here in our online tool.
| | 03:37 | So, our wp-config file is now
protected, and we are good to go.
| | 03:42 | Normally, good hosts will set the
best default permissions for files and
| | 03:45 | directories, so there's really nothing
to worry about, but even so, it's a good
| | 03:49 | idea to double-check the
settings for these key files.
| | 03:52 | Technically, either of these methods,
htaccess or proper file permissions, is
| | 03:57 | going to protect your
configuration file just fine.
| | 03:59 | So if you can't get into your server
control panel right away, just adding the
| | 04:03 | htaccess code is going to work
perfectly well to keep it safe.
| | 04:06 | In this screencast, we've seen how to
protect the WordPress configuration file
| | 04:10 | against malicious attacks.
| | 04:12 | Two techniques are combined for maximum
paranoid protection, but either one will
| | 04:16 | do the job just fine.
| | 04:18 | Just remember, the goal is to restrict
access to the WordPress configuration file to
| | 04:23 | help keep it and your site safe and sound.
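Added example (not part of the course or its exercise files): a shell script that appends a deny-all rule for wp-config.php to the site's .htaccess, as the screencast does by hand, and verifies that the rule is present. It assumes an Apache host that honours .htaccess files; the <Files> block carries both the Apache 2.4 (Require) and 2.2 (Order/Deny) access-control syntax.

```shell
#!/bin/sh
# Append a deny-all rule for wp-config.php to a site's .htaccess (idempotently)
# and verify it is there. Added example, not the course's own snippet: it
# assumes an Apache host that honours .htaccess, and uses the <Files>
# directive with both the 2.4 (Require) and 2.2 (Order/Deny) access syntax.

WPCONFIG_RULES='# BEGIN protect wp-config.php
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
# END protect wp-config.php'

# protect_wp_config <path-to-.htaccess>
# Adds the rules beneath any existing ones (creating the file if needed).
# Prints "added" or "present"; returns 1 if the file cannot be written.
protect_wp_config() {
    htaccess=$1
    if [ -f "$htaccess" ] && grep -q '^# BEGIN protect wp-config.php' "$htaccess"; then
        echo present
        return 0
    fi
    # a blank line keeps the new block separate from the existing rules
    { [ -s "$htaccess" ] && printf '\n'; printf '%s\n' "$WPCONFIG_RULES"; } >> "$htaccess" || return 1
    echo added
}

# wp_config_is_protected <path-to-.htaccess>
# Returns 0 when a <Files wp-config.php> section denies all access.
wp_config_is_protected() {
    [ -f "$1" ] || return 1
    sed -n '/<Files wp-config.php>/,/<\/Files>/p' "$1" |
        grep -qiE 'Require all denied|Deny from all'
}

# Demo on a constructed .htaccess holding only the standard WordPress
# rewrite block (a temporary file, not a real site).
demo=$(mktemp -d)
cat > "$demo/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
protect_wp_config "$demo/.htaccess"     # prints "added"
protect_wp_config "$demo/.htaccess"     # prints "present" (second run changes nothing)
wp_config_is_protected "$demo/.htaccess" && echo "wp-config.php is denied at the server level"
rm -rf "$demo"
```

After uploading the edited .htaccess, the browser check from the screencast (requesting /wp-config.php and expecting 403 Forbidden) confirms the server is actually applying the rule.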
| Configuring authentication keys| 00:00 | In this screencast, we improve the
security of the WordPress user login process
| | 00:05 | by adding a set of secret keys
to the site's configuration file.
| | 00:09 | This is an important step designed by the
WordPress team to better secure your site.
| | 00:14 | Here we are in our FTP/file editor,
looking at the WordPress configuration file.
| | 00:19 | Scroll down to just beneath the
database credentials, to where it says,
| | 00:23 | "Authentication Unique Keys and Salts."
| | 00:27 | As you can see, freshly installed
WordPress doesn't provide any of the
| | 00:31 | secret keys, so we'll need to add our own,
and the more random and complicated, the better.
| | 00:37 | The quickest and easiest way to
generate strong key values is to visit
| | 00:41 | WordPress's own secret key service in
the browser at secret-key/1.1/salt, and
| | 00:51 | then copy and paste the entire
block of code, and then return to your
| | 00:56 | configuration file and just
paste it into place, like so.
| | 01:02 | Once the keys are in place, save and
upload the file, like so, and that's
| | 01:07 | all there is to it. Of course you don't want to
use the example keys shown here; the whole idea is
| | 01:13 | to specify your own unique phrases to
improve login security, and it's totally
| | 01:18 | fine to replace these keys
at any time, for any reason.
| | 01:21 | The worst that will happen is the currently
logged in users will need to log in again.
| | 01:27 | Trust me, the extra security is
worth the minor inconvenience.
| | 01:30 | In this screencast, we enabled WordPress to
more securely manage the user login process.
| | 01:36 | This functionality is built into
WordPress by default, but you need to enable it
| | 01:40 | by adding your own set of unique secret keys.
| | 01:43 | In the next screencast, we further
improve security by specifying a
| | 01:47 | unique database prefix.
| Customizing the database prefix| 00:00 | As the world's most popular blogging
software, WordPress is a huge target for
| | 00:05 | malicious scripts, hacks, and spam.
| | 00:07 | One of the best ways to secure your
WordPress database is to change the
| | 00:12 | default table prefix.
| | 00:14 | In this screencast, we see how to
do this quickly and easily during the
| | 00:18 | WordPress installation process.
| | 00:21 | Let's go to the WordPress database,
as seen through phpMyAdmin. WordPress
| | 00:27 | prefixes each of its tables with wp_.
WordPress tables that use this default
| | 00:34 | value are heavily targeted by
bad bots and malicious scripts.
| | 00:38 | So by changing the default prefix to
something unique, you'll effectively
| | 00:42 | immunize your database
against such automated attacks.
| | 00:46 | The easiest and recommended method of
changing the default prefix happens before
| | 00:50 | the installation process.
| | 00:52 | Before submitting this setup page, go
to your FTP/file editor and open the
WordPress configuration file. Scroll
down to right here, where it says WordPress
| | 01:03 | Database Table prefix.
Here is the default prefix wp_.
| | 01:08 | Changing this prefix to anything
different is going to work just fine, and it's
| | 01:13 | perfectly safe to include wp_, as
long as that's not the entire prefix.
| | 01:19 | But even so, here are three helpful tips
for customizing your own database prefix.
| | 01:26 | First, begin the prefix with wp_ so the
tables appear in order among other tables
| | 01:33 | that are added by plug-ins and themes.
| | 01:36 | In the middle here, pick any sequence of
random alphanumeric characters, and then
| | 01:40 | finally, end the prefix with an
underscore so that the actual table names--for
| | 01:45 | example, posts, users, meta, and so
forth--stand out and are easily recognizable.
| | 01:52 | Let's return to the FTP/file editor
and put this strategy into practice.
| | 01:59 | Following these tips, we will
use wp_s3CUr3_ as the new prefix.
| | 02:10 | So we now simply save the file and
upload it to the server, and at this point
| | 02:16 | WordPress is ready to install as usual.
| | 02:18 | So let's return to the browser and
complete the installation so that we can go
| | 02:22 | to the database and look at
our custom prefix in place.
| | 02:27 | And we add our email, and we do not want
our demo site to appear in the search engines.
| | 02:35 | So we click Install
WordPress and it says, "Success!
| | 02:38 | WordPress has been successfully installed."
| | 02:41 | So let's return to phpMyAdmin and
refresh the database to take a look.
| | 02:46 | As we can see, everything looks great.
All of our tables are now prefixed with
| | 02:51 | the default wp_s3CUr3_ for
each table. We're all set.
| | 02:58 | Note that if you've already set up
WordPress and want to change the default
| | 03:01 | prefix, it's still possible,
but beyond the scope of this tutorial.
| | 03:05 | For an excellent step-by-step guide,
check out my post at Digging Into WordPress.
| | 03:12 | Either way of changing the database
prefix is fine, but setting up custom
| | 03:16 | prefixes during the
installation process is much easier.
| | 03:19 | The point is that by using something
other than the default prefix, you'll
| | 03:23 | protect your database from a
majority of automated attacks.
| | 03:26 | In this screencast, we've seen how
trivial it is to do this for new sites, a
| | 03:30 | prime example of how a few seconds
upfront can save you countless hours of
| | 03:34 | stress and frustration down the road.
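Added example, not the course's own code, covering the two wp-config.php edits from this and the previous screencast: filling in the eight authentication keys and salts, and setting a custom table prefix. It generates the keys locally from /dev/urandom instead of pasting them from the api.wordpress.org secret-key service, and works on a constructed stand-in for wp-config-sample.php.

```shell
#!/bin/sh
# Fill in the eight authentication keys/salts and a custom table prefix in
# wp-config.php before running the installer. Added example, not the
# course's own code: keys are generated locally from /dev/urandom instead
# of being pasted from the api.wordpress.org secret-key service the course
# uses, but the resulting define() lines have the same shape.

KEY_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# random_key: 32 random bytes as 64 hex characters (256 bits of entropy);
# hex is safe inside a single-quoted PHP string and in a sed replacement.
random_key() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# make_sample_config <path>: a constructed stand-in for the stock
# wp-config-sample.php, containing only the lines this script edits.
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'demo_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix  = 'wp_';
EOF
}

# configure_wp_config <path> <prefix>
# Replaces every placeholder with a fresh key and sets $table_prefix.
# Returns 1 if any placeholder is still present afterwards.
configure_wp_config() {
    cfg=$1 prefix=$2
    for name in $KEY_NAMES; do
        key=$(random_key)
        sed -i.bak "s|define( *'$name', *'put your unique phrase here' *);|define('$name', '$key');|" "$cfg"
    done
    sed -i.bak "s|^[$]table_prefix *= *'wp_';|\$table_prefix = '$prefix';|" "$cfg"
    rm -f "$cfg.bak"
    ! grep -q 'put your unique phrase here' "$cfg"
}

# key_for <path> <NAME>: print the value currently defined for NAME.
key_for() {
    sed -n "s|^define( *'$2', *'\([^']*\)' *);.*|\1|p" "$1"
}

# Demo on a temporary copy (not a real site), using the prefix from the course.
demo=$(mktemp -d)
make_sample_config "$demo/wp-config.php"
if configure_wp_config "$demo/wp-config.php" 'wp_s3CUr3_'; then
    grep -E 'AUTH_KEY|NONCE_SALT|table_prefix' "$demo/wp-config.php"
fi
rm -rf "$demo"
```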
| Changing the admin username| 00:00 | The default username created by
WordPress is, and always has been, admin.
| | 00:06 | Scripts that target your site at the
login page typically assume that you're
| | 00:11 | using admin as the username,
| | 00:14 | so changing it to something, anything
else, is going to block a lot of automated
| | 00:20 | attacks looking for access
via the default admin username.
| | 00:25 | Fortunately, it is possible to change
the default admin username rather easily.
| | 00:30 | If you're setting up a new WordPress
site, you specify a unique username during
| | 00:36 | the installation process, as seen here.
| | 00:38 | Simply change admin to
anything else and you're all set.
| | 00:44 | Let's proceed with the installation.
| | 00:50 | Add our email address and click
Install WordPress, and once installation is
| | 00:55 | complete, you're all set.
| | 00:57 | No more admin as the username.
| | 00:59 | You are now MyAdmin or whatever you
decided to use for your custom admin username.
| | 01:06 | Now, if you already have a username
admin, as is the case here, you may notice,
| | 01:13 | trying to change it, that
usernames cannot be changed.
| | 01:18 | But there is an easy enough workaround.
| | 01:21 | Go to the Users page by clicking the
Users link in the Users menu and then
| | 01:25 | click on Add New, create your new user
using a unique username, such as MyAdmin,
| | 01:34 | and fill out the other details as required.
| | 01:39 | Choose a strong password,
and click Add New User.
| | 01:44 | Now we see a new user with a non-admin
username listed in the Users screen.
| | 01:51 | Next, we click Edit to change the
role of this user from Subscriber to
| | 01:56 | Administrator and then click Update User.
| | 02:01 | We now need to log out of the current admin
account and then log back in as our new user.
| | 02:09 | We type in our new username and our
chosen password to log back in as MyAdmin.
| | 02:22 | Once back in the Admin area,
return to the Users page and delete the
| | 02:27 | default admin user.
| | 02:30 | And then on this screen, we want to
attribute all posts and links to our new
| | 02:36 | admin user, so we don't lose any data.
| | 02:39 | Once we've done this, we click Confirm
Deletion, and that's all there is to it.
| | 02:44 | Let's refresh the user page, and we see
that we have MyAdmin instead of admin
| | 02:52 | as the administrator.
| | 02:54 | This simple change is an excellent
way to improve security and protect
| | 02:57 | against automated attacks.
| | 02:59 | In this screencast, we've increased site
security by replacing the default admin
| | 03:03 | name with something
unique and difficult to guess.
| | 03:07 | This makes it harder for the bad
guys to access and exploit your site.
| Setting proper file permissions| 00:00 | Most web hosts do a good job at
setting up default permissions for files
| | 00:05 | and directories, but it's a good
idea to check that everything is
| | 00:08 | configured for optimal security.
| | 00:10 | In this screencast, we'll see how to
check for proper file permissions for your
| | 00:14 | WordPress-powered site.
| | 00:16 | Let's look at files included with a
default installation of WordPress.
| | 00:21 | Here we are in our demo site's server
control panel looking at a list of files
| | 00:25 | in the WordPress installation directory.
| | 00:28 | For directories, the permissions are
here, and then they change for files.
| | 00:33 | Everything beneath here is a
permission for a corresponding file.
| | 00:37 | We want to translate this rwx r-
whatever into an actual chmod value, like 644
| | 00:46 | and 755, which we can do using this tool.
| | 00:50 | Let's check the directories
first, which look like this.
| | 00:55 | We have read and execute privileges
for everyone, owner, group, and others.
| | 01:03 | And we have write privileges for the owner.
| | 01:06 | So let's return to the Online
Conversion tool and replicate that pattern.
| | 01:11 | Read, Write and Execute for the owner,
Read for everyone and Execute for everyone.
| | 01:19 | This gives us a chmod value of
755, which is ideal for directories.
| | 01:25 | Now let's return to the file listing by
clicking Cancel and scrolling down a bit,
| | 01:32 | we look at the permissions for our
files and pick one, click it, and we see that
| | 01:38 | we have Read privileges for everyone
and Write privileges for the owner.
| | 01:44 | Nobody has Execute privileges for our files.
| | 01:46 | So returning to our Online Conversion
tool, we enter those values into the form
| | 01:54 | and we get a chmod value
of 644, which is also ideal.
| | 01:59 | According to the WordPress Codex, all
core WordPress files should be writable
| | 02:04 | only by the server's user account,
which is indeed the case for our demo site,
| | 02:09 | as we've seen here.
| | 02:10 | Just remember that the default setting
for all WordPress files is 644, and the
| | 02:16 | default setting for all
WordPress directories is 755.
| | 02:20 | These settings ensure that WordPress
has proper access to everything it needs
| | 02:24 | for proper functionality.
| | 02:26 | Now, if you don't have access to your
server control panel, which looks something
| | 02:31 | like this, you may also check your
file permissions by using a handy plug-in
| | 02:35 | called WordPress Security Scan.
| | 02:39 | We have the plug-in installed here
at our demo site, and it's activated,
| | 02:44 | so let's navigate to the
Scanner menu and take a look.
| | 02:48 | This takes you to a page where key
files and directories are scanned by the
| | 02:52 | plug-in for proper file permissions.
| | 02:55 | Here we see that everything
is in green and good to go.
| | 02:59 | Any items with insufficient
permissions will be shown in red and should be
| | 03:04 | dealt with accordingly.
| | 03:05 | We cover the WP Security Scan plug-in in more
depth in a later screencast in this series.
| | 03:11 | Chances are high that if you're using
a decent host, you are already set with
| | 03:15 | the optimal permissions settings for
your site. But if that's not the case and
| | 03:19 | you need to change something, consult
with your host for the best way forward.
| | 03:23 | The default permissions settings are
normally just fine, but you should not
| | 03:27 | take this for granted.
| | 03:28 | Verifying them is an easy process, and it
could save you a lot of grief later on.
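Added example, not the course's own code, serving this screencast and the permission check in the "Protecting the configuration file" screencast: a shell script that converts rw-r--r-- strings into chmod numbers (the job the online conversion tool does there) and checks files and directories against the recommended 644 and 755 values.

```shell
#!/bin/sh
# Turn the rw-r--r-- style strings shown by a file manager or ls -l into
# chmod numbers, then check WordPress files and directories against the
# values the course recommends (644 for files, 755 for directories).
# Added example, not the course's own code; it replaces the online
# conversion tool used in the screencasts.

# perm_to_octal <mode>  e.g. "rw-r--r--" or "-rwxr-xr-x"  ->  644 / 755
# Each owner/group/others triplet is read as read=4, write=2, execute=1.
# An s or t in the execute slot counts as execute; the setuid/setgid/sticky
# bits themselves are not carried into the three-digit result.
perm_to_octal() {
    p=$1
    [ ${#p} -eq 10 ] && p=${p#?}   # drop the type character from ls -l output
    [ ${#p} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    out=""
    pos=1
    while [ "$pos" -le 7 ]; do
        r=$(printf '%s' "$p" | cut -c "$pos")
        w=$(printf '%s' "$p" | cut -c "$((pos + 1))")
        x=$(printf '%s' "$p" | cut -c "$((pos + 2))")
        n=0
        [ "$r" = r ] && n=$((n + 4))
        [ "$w" = w ] && n=$((n + 2))
        case $x in x|s|t) n=$((n + 1)) ;; esac
        out="$out$n"
        pos=$((pos + 3))
    done
    printf '%s\n' "$out"
}

# check_mode <path> <allowed-octal>...
# Prints a verdict; returns 0 if the path's mode is one of the allowed values.
check_mode() {
    path=$1; shift
    mode=$(perm_to_octal "$(ls -ld "$path" | cut -c 1-10)") || return 1
    for ok in "$@"; do
        if [ "$mode" = "$ok" ]; then
            echo "OK   $path ($mode)"
            return 0
        fi
    done
    echo "WARN $path is $mode, expected one of: $*"
    return 1
}

# Demo on a constructed mini WordPress tree in a temp dir (not a real site).
demo=$(mktemp -d)
mkdir "$demo/wp-content" && chmod 755 "$demo/wp-content"
: > "$demo/wp-config.php" && chmod 644 "$demo/wp-config.php"
: > "$demo/.htaccess"     && chmod 666 "$demo/.htaccess"    # deliberately too open
check_mode "$demo/wp-content" 755
check_mode "$demo/wp-config.php" 644 640
check_mode "$demo/.htaccess" 644 640 || echo "fix with: chmod 644 $demo/.htaccess"
rm -rf "$demo"
```

Run it against a real installation by pointing check_mode at wp-config.php, .htaccess and the wp-content directory; a WARN line for a file that is group- or world-writable is what the screencast's red items in WP Security Scan correspond to.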
| Preventing directory listings| 00:00 | In this screencast, we increase the
security of your WordPress installation by
| | 00:05 | disabling directory views.
| | 00:07 | Many hosts disable directory views
on their servers by default, but it's
| | 00:12 | important to know for sure.
| | 00:14 | If your files are visible, there are a
couple of easy, effective ways to lock things down.
| | 00:20 | An open listing of your files such as
this one may be the first thing a hacker
| | 00:24 | sees before ultimately destroying your web site.
| | 00:27 | When directory views are enabled, any
directory that does not include some sort
| | 00:31 | of an index file, such as an index.html
file, will openly display a list of all
| | 00:37 | files in the directory, as seen here.
| | 00:40 | Obviously, this is a huge security risk.
| | 00:43 | If malicious individuals were to gain
access to your WordPress configuration
| | 00:48 | file, for example, they could easily
access your database and steal sensitive
| | 00:52 | data, destroy your entire site, and
make your life miserable in general.
| | 00:56 | Fortunately, disabling
directory views is drop-dead easy.
| | 01:00 | Simply open the root htaccess file for
your site and add the following line,
| | 01:08 | "Options -Indexes" with the correct
casing--that is important--and put it preferably
| | 01:14 | near the top of the file.
It will work anywhere though.
| | 01:16 | We save the file and upload to the server.
| | 01:19 | Now let's return to that open directory
listing on the web. Let's hit Refresh.
| | 01:24 | Excellent! We see the files no longer listed.
| | 01:27 | This greatly improves the security of our site.
| | 01:30 | If htaccess is not an option, you may
prevent directory listings by simply
| | 01:34 | adding a blank index.html file to any
directory that doesn't already include one.
| | 01:41 | Before doing so, let's reset our example
directory by re-enabling file listings.
| | 01:47 | Once again file listings are enabled.
| | 01:49 | So let's return to the FTP/file
editor and upload our index.html file, which
| | 01:57 | contains some simple code.
| | 01:59 | Once that file has been uploaded,
return to the browser, and reload the page,
| | 02:05 | to see that our index file is in
place and working and preventing open
| | 02:10 | directory listings.
| | 02:12 | The index.html file can be completely blank,
but it may also contain any sort of markup desired.
| | 02:19 | In this example HTML file, I've
included some basic markup to help
| | 02:23 | demonstrate the technique.
| | 02:25 | While most versions of WordPress
include such faux index files by default
| | 02:30 | for certain directories, there are still
many subdirectories that should be protected.
| | 02:35 | This is where the htaccess
method is going to save time.
| | 02:39 | But in the event that htaccess is not
available to you, simply adding an index
| | 02:44 | file to any open
directory will work just as well.
| | 02:47 | In this screencast, we've improved
security by disabling directory listings.
| | 02:52 | Without this protection,
you're taking an unnecessary risk.
| | 02:55 | Using either htaccess or the blank
file method, it's best to play it safe
| | 03:00 | and lock things down.
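The two previous screencasts check file permissions (644 for files, 755 for directories) and hunt for directories that would be listed without an index file. The following is an added example, not code from the course or its exercise files: a small PHP audit script that walks a WordPress install and reports both kinds of finding in one pass. The install path, the `wp_audit` name and the default skip list are assumptions for illustration.

```php
<?php
// Added example (not from the course or its exercise files).
// Walks a WordPress tree and reports:
//   (a) files whose mode is not 0644 and directories whose mode is not 0755,
//   (b) directories with no index.php/index.html, which an Apache host
//       would list unless "Options -Indexes" is in effect.
// Run as the server user, e.g.:  php wp-audit.php /var/www/html
// (the path is a placeholder; use your own document root).

function wp_audit($root, array $skip = ['.git', 'cache'])
{
    $root = rtrim(realpath($root), '/');
    $findings = ['mode' => [], 'no_index' => []];

    // SELF_FIRST yields each directory before its children, so directories
    // are checked as well as files. The root itself is added by hand.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    $paths = [$root];
    foreach ($it as $entry) {
        $paths[] = $entry->getPathname();
    }

    foreach ($paths as $path) {
        $rel   = ltrim(substr($path, strlen($root)), '/');
        $label = ($rel === '') ? '.' : $rel;

        // Skip any path that contains one of the ignored directory names
        // (for example a plug-in cache that rewrites its own files).
        if (array_intersect(explode('/', $rel), $skip)) {
            continue;
        }

        $mode = fileperms($path) & 0777;   // permission bits only
        if (is_dir($path)) {
            if ($mode !== 0755) {
                $findings['mode'][] = sprintf('%s (directory %04o, expected 0755)', $label, $mode);
            }
            // A directory without an index file is what the second
            // screencast's "Options -Indexes" or blank index.html guards.
            if (!file_exists("$path/index.php") && !file_exists("$path/index.html")) {
                $findings['no_index'][] = $label;
            }
        } elseif ($mode !== 0644) {
            $findings['mode'][] = sprintf('%s (file %04o, expected 0644)', $label, $mode);
        }
    }
    return $findings;
}

// Command-line entry point: print the findings, one per line.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $f = wp_audit($argv[1]);
    foreach ($f['mode'] as $line) {
        echo "PERMISSION: $line\n";
    }
    foreach ($f['no_index'] as $line) {
        echo "NO INDEX:   $line\n";
    }
    if (!$f['mode'] && !$f['no_index']) {
        echo "All files 0644, all directories 0755, every directory has an index file.\n";
    }
}
```

A reported mode is something to confirm rather than blindly change: a file that is stricter than 0644 (a host that sets wp-config.php to 0640, say) is not the problem the screencast is warning about, whereas anything looser, especially 0777, is. Run the audit from the shell on the server, not from the web, so its output is never exposed to visitors.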
| Protecting the admin directory| 00:00 | In this screencast, we improve
security by preventing unwanted access to the
| | 00:05 | WordPress Admin directory.
| | 00:07 | We do this using a small slice of
htaccess code, which provides strong, flexible
| | 00:12 | protection against malicious behavior.
| | 00:15 | Here we are in our FTP/file editor,
looking at the files in our default
| | 00:19 | WordPress installation.
| | 00:21 | Here is the directory that we want
to protect, wp-admin, mostly because it
| | 00:27 | contains a plethora of sensitive functionality.
| | 00:31 | To secure this directory, grab a copy
of the blank htaccess file included in
| | 00:36 | the resource files with this
screencast and paste it into this wp-admin
| | 00:42 | directory, as seen here.
| | 00:44 | Next, open the file and then copy and
paste the following code, which is also
| | 00:50 | included with this screencast.
| | 00:54 | Before uploading the htaccess file, we
want to edit the IP address in the Allow
| | 00:59 | from line to match our own.
| | 01:02 | Your IP information is readily available online,
| | 01:05 | so just do a quick search for 'what's my IP?' and
then click on one of the results. Go ahead and copy,
| | 01:13 | return to the htaccess file, and paste
that IP address into place, like so.
| | 01:18 | Then save and upload the file to your server.
| | 01:22 | And now, with that, all requests that are
not from my IP address are going to be
| | 01:28 | denied access to anything in the Admin area.
| | 01:32 | To see this, let's visit
the site from a proxy server.
| | 01:36 | There are many available online. Just do a
quick search for proxy and pick your favorite.
| | 01:41 | Here is a random 'proxy' that seems to be working.
| | 01:44 | So let's try accessing our wp-admin directory
by entering our URL in the Web Address field.
| | 01:53 | Click on the Go button to see the results.
| | 01:56 | Here at the top, we see that the
remote server has returned a (403) Forbidden
| | 02:00 | error, which is just what we want.
| | 02:03 | That means that we were
denied access to the Admin area,
| | 02:08 | so the htaccess protection that
we uploaded here is working great.
| | 02:15 | But do we still have
access from our own address?
| | 02:18 | Let's check by requesting the same page
from our whitelisted IP address and
| | 02:23 | sure enough, here is the Login page
for our Admin area. We do have access.
| | 02:28 | We're all set now, but there are a
couple of things to keep in mind.
| | 02:33 | First, if you aren't able to work
with htaccess files, you may want to
| | 02:37 | check with your web host.
| | 02:38 | On most setups these days, it's pretty
easy to password-protect directories from
| | 02:44 | your server control panel.
| | 02:46 | And lastly, you can always add other
IP addresses and allow access, like so.
| | 02:52 | Simply copy and replicate the line
and replace the IP address with any IP
| | 02:58 | address, such as a mobile device or a
different computer from which you would
| | 03:04 | like to access the Admin area.
| | 03:05 | Whatever it is, enter the IP address
there and then upload to your server.
| | 03:10 | You may replicate this pattern as many
times as necessary to account for as many
| | 03:15 | IP addresses as you would like.
| | 03:17 | In this screencast, we better secured
the WordPress Admin area by protecting
| | 03:22 | the files in the WordPress Admin
directory, which is a very critical part of any
| | 03:27 | WordPress site.
| Removing version numbers| 00:00 | A big part of good security is keeping
sensitive information away from the bad guys.
| | 00:06 | WordPress has one particular
weakness in this department:
| | 00:09 | it likes to display its version number in
the source code of your web pages and feeds.
| | 00:14 | The WordPress version number is
displayed in the source code of your web pages,
| | 00:19 | and it looks like this here.
| | 00:21 | The version number is also displayed in
your RSS feeds, and the version number is
| | 00:25 | also displayed elsewhere and in other feeds.
| | 00:29 | This information seems harmless
| | 00:31 | but may enable attackers to target
security holes in specific versions of WordPress.
| | 00:38 | In this screencast, we'll see how to
better protect your site by preventing
| | 00:41 | WordPress from announcing its version number.
| | 00:44 | Let's peek behind the scenes at the
HTML markup for the homepage of this
| | 00:49 | WordPress demo site.
| | 00:51 | Notice here in the head section that
WordPress is providing the version number
| | 00:56 | of this installation right here.
| | 00:59 | This information is used by hackers
and automated scripts to attack specific
| | 01:03 | versions of the software.
| | 01:05 | We can also see it in the
source code of the various feeds that
| | 01:09 | WordPress generates.
| | 01:11 | Returning to the homepage, click on
the RSS link, and we see right here the
| | 01:17 | version number of WordPress,
displayed in the source code.
| | 01:21 | Of course, if you're always running
the latest, most up-to-date version of
| | 01:25 | WordPress, there is no reason not to
show this information, but people can't
| | 01:30 | always upgrade the minute a new
version of WordPress is available.
| | 01:34 | So it's smart to play it safe and
just prevent the information from being
| | 01:37 | displayed on any occasion.
| | 01:39 | Let's return to the FTP editor.
| | 01:41 | So to stop WordPress from displaying
its version number, let's navigate to our
| | 01:46 | active theme, which for the demo
site is the default TwentyTen theme.
| | 01:51 | Then we open our theme's
functions.php file, as we have done here.
| | 01:57 | We want to add the following lines
of code to the bottom of this file.
| | 02:03 | Included with the screencast is this code
here, which you may copy and then paste
| | 02:09 | after all other code in the functions.php file.
| | 02:13 | Now let's save the file and
upload it to the server.
| | 02:17 | Here in the source code, we can see
that the version number is no longer
| | 02:21 | available, not being displayed, and
that's a good thing, but that's not the only
| | 02:25 | place, as we have seen.
| | 02:26 | So let's check the RSS feed.
| | 02:30 | As we can see, our code snippet in
the functions.php file has prevented
| | 02:35 | WordPress from displaying its
version number in the RSS feed as well.
| | 02:39 | In fact, with that code in place, WordPress
will not display the version number anywhere
| | 02:44 | that is easily accessible by hackers
and people who want to exploit your site.
| | 02:49 | In this screencast, a simple code
snippet in the functions.php file stops
| | 02:54 | WordPress from displaying sensitive
information in feeds, posts, pages,
| | 02:59 | and everywhere else.
| | 03:00 | By simply disabling the version
generator, we add yet another layer of security
| | 03:05 | to our WordPress-powered site.
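The snippet the screencast pastes into functions.php ships with the course's resource files and is not reproduced on this page. The following is an added example of one way to do what the screencast describes, written for this page rather than taken from the course: it unhooks the generator tag from the page head and empties the generator string that WordPress builds for its feeds. The `dss_` prefix on the function name is an assumption; choose any prefix that will not collide with your theme or plug-ins.

```php
<?php
// Added example (not the course's resource file). Paste after the existing
// code in your active theme's functions.php, or place it in a small
// plug-in so it keeps working after a theme switch.

// 1. The <meta name="generator"> tag in the page <head> is printed by the
//    wp_generator() action that WordPress attaches to wp_head; unhook it.
remove_action( 'wp_head', 'wp_generator' );

// 2. The <generator> element in RSS, Atom and RDF feeds (and the head tag,
//    which goes through the same function) is produced by the_generator(),
//    which passes its text through the 'the_generator' filter together with
//    the output type ('rss2', 'atom', 'xhtml', ...). Returning an empty
//    string for every type removes the version from all of them.
function dss_hide_generator( $generator, $type ) {
	return '';
}
add_filter( 'the_generator', 'dss_hide_generator', 10, 2 );
```

After uploading, reload the home page and the feed URL with "view source" as the screencast does and confirm that neither `<meta name="generator"` nor `<generator>` appears. The `ver` query string that WordPress appends to enqueued script and style URLs is a separate mechanism and is not touched by these two hooks.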
4. Improving Security with Plug-Ins
| Fighting comment spam| 00:00 | Here we are at the Akismet web site
to make a point. Check out this number.
| | 00:05 | Akismet has blocked over
27 billion spam comments.
| | 00:10 | That's incredible, and there's a reason why.
| | 00:13 | Akismet is the easiest, safest way to
protect your site against comment spam.
| | 00:18 | It just works, and it's all you need for a
spam-free site, so we definitely want to use it.
| | 00:23 | This screencast will show you how.
| | 00:28 | Here in the WordPress Admin area we
go to the Plugins page by clicking the
| | 00:33 | Plugins link in the Plugins menu.
| | 00:35 | Awesomely, Akismet is included with
WordPress by default, so it's ready to go.
| | 00:41 | Simply click on the Activate link like
so to go ahead and activate the plug-in,
| | 00:47 | and notice now that there's a
message that asks for your Akismet API key.
| | 00:52 | If you already have one of these for
another site, it may be used here as well,
| | 00:57 | so go ahead and enter it.
| | 00:59 | Otherwise, let's go back to the
Akismet web site and get one of our own.
| | 01:03 | We click on Sign up for Akismet and
we are presented with a screen that
| | 01:11 | provides us several options.
| | 01:13 | If you're running a personal site,
there's a free option here that will work
| | 01:17 | just fine; otherwise, you may want
to look at some of the other deals.
| | 01:21 | So let's go it's free, give it
a click, and fill out the form.
| | 01:28 | They do a great job at asking for money.
| | 01:30 | We get a sad face for $0 and a big
smile for the max amount, but really, Akismet
| | 01:37 | is totally free for personal sites.
| | 01:41 | So if you have a personal site, slide
it to 0, fill out the form, and then click
| | 01:47 | the Continue button to get your API
key, which will be emailed to you.
| | 01:51 | Once you have it, return to your web site.
Click on the 'enter your Akismet API key' link.
| | 02:00 | Here at the Akismet Configuration page,
simply enter your API key here in this
| | 02:06 | field, and selecting both of these
options is also recommended. Auto-deletion of
| | 02:12 | spam makes Akismet even more
hands-free and here, displaying approved comment
| | 02:19 | count is going to make
managing comments much easier.
| | 02:23 | Finally, click Update options to
save your info, and you're ready to go.
| | 02:27 | Akismet is now configured and working
properly to protect your site against spam.
| | 02:33 | Note also that you can check the
Akismet network status at any time to make
| | 02:38 | sure everything is working great,
but honestly, I've never needed this
| | 02:41 | information. Akismet just always
works, but it is there if you need it.
| | 02:47 | Now that Akismet is activated and
configured, let's see how to keep an eye on it.
| | 02:51 | We go to the Comments menu, and here on
the Comments page we click on the Spam link.
| | 03:00 | These are all the comments that Akismet
has caught and marked, or labeled, as spam.
| | 03:06 | Periodically you may want to visit
this area and scroll through to see if
| | 03:10 | there's anything that doesn't belong here.
| | 03:13 | See, right here is a comment from Mr.
| | 03:15 | WordPress. That shouldn't be there, so let's
restore it by clicking Not Spam, and that's done.
| | 03:23 | The other cool feature that we enabled
during the configuration of the plug-in
| | 03:28 | was to display the number of approved
comments next to each comment author.
| | 03:32 | That information is displayed right here.
| | 03:36 | These spammers have no approved comments.
| | 03:39 | This provides a convenient way to sort
of scan down the column and check for
| | 03:43 | false positives, cleverly referred to as
'ham'. To see your site's ham, plus a ton of
| | 03:48 | other awesome data, visit the
Akismet Stats link in the Dashboard menu.
| | 03:53 | There is really nothing to see yet for
this demo site, but I can show you the
| | 03:59 | Akismet stats for our WordPress site, digwp.com.
| | 04:05 | Here we get a variety of useful
statistics, such as accuracy rate, total ham, and
| | 04:11 | even something called yummy pie.
| | 04:13 | Lots of historical data is
available here and below, too,
| | 04:17 | so dig deep and learn
more about your spam and ham.
| | 04:28 | And that's about it. Akismet is what's
referred to as a 'set it and forget it' type plug-in.
| | 04:33 | It does an excellent job of keeping
your site spam free and should be the only
| | 04:38 | anti-spam plug-in you need
for your WordPress-powered site.
| Securing your login page| 00:00 | In this screencast, we prevent unwanted
access to the WordPress admin by locking
| | 00:05 | down the login page,
| | 00:07 | which essentially is the doorway to your site.
| | 00:09 | It's important to keep it as secure as possible.
| | 00:13 | As you can see, the login page is
readily available on any WordPress site, at a
| | 00:19 | predictable URL, and by default, there is
no limit to how many times someone can
| | 00:24 | try to guess your password
and gain access to everything.
| | 00:30 | To fix this, we want to
secure the login page itself.
| | 00:34 | The easiest way to do this is with a
plug-in, and one of the best is called Login
| | 00:38 | Lock, which is newly listed here in
the plug-in directory. Just do a quick
| | 00:43 | search from the Admin for Login Lock and
click on the Details link for the first result.
| | 00:50 | Let's view some of the
highlights for this plug-in.
| | 00:53 | Version 2.2.3, reputable author,
recently updated, compatible with the latest
| | 00:59 | version of WordPress.
| | 01:00 | It's relatively new and has only been
downloaded about a thousand times. It's got some
| | 01:06 | great ratings, but only based on four votes.
| | 01:10 | Still, this plug-in enforces strong
password policies, monitors logins, blocks IP
| | 01:17 | addresses, and much more.
| | 01:20 | As we see here, the plug-in is already
installed on this site, and as you can see
| | 01:25 | here, installation is typical, as usual.
| | 01:29 | So let's close out of here and go to the
Plugin Configuration page to set up the
| | 01:34 | plug-in and get it working for our site.
| | 01:37 | First, if you're short on time, know that
the default options for this plug-in are
| | 01:42 | going to work just fine.
| | 01:43 | Now let's go through and fine-tune
things and see how to use Login Lock to
| | 01:47 | protect your site and improve security.
| | 01:49 | Here is the main part of the plug-in here.
| | 01:52 | Login Protection Settings.
I like to set this at five attempts within 30
| | 01:59 | minutes and then block for 60 minutes.
| | 02:04 | To email all admins, we
select Yes or No. That's up to you.
| | 02:09 | Password Policy Settings, the plug-in can
also enforce a solid password policy to
| | 02:15 | improve site security.
| | 02:17 | This is a great way to improve the
overall security of your site, so go ahead
| | 02:21 | and set Require password changes to
something that will suit your users.
| | 02:27 | Here, require passwords to be at
least 12 characters in length, and here,
| | 02:32 | setting password strength to at least
Medium makes it a little easier for
| | 02:36 | users, but High is recommended.
| | 02:40 | For password recycling, selecting Yes is
the best option. Then the final setting
| | 02:45 | is an option to log out idle
users after a certain amount of time.
| | 02:49 | Let's say 15 minutes is a
reasonable amount of time.
| | 02:52 | You may need more if you're prone to multitasking.
| | 02:55 | Once the settings are configured, click the
Update Settings button to save your changes.
| | 03:02 | The plug-in is now installed and fully
configured and will now help protect and
| | 03:06 | improve the security of your site.
| | 03:09 | Let's scroll down again. Just to be
aware, beneath the main settings is an
| | 03:15 | option to force password changes now.
This is a serious move that should only
| | 03:20 | be used in the case of an emergency and after
you've read and understood the implications.
| | 03:26 | Lastly, we see a list of currently blocked users
and the option to unblock any that we prefer.
| | 03:31 | So when you get that urgent email or
tweet from a locked-out customer, you can
| | 03:36 | be sure to respond
swiftly with just a few clicks.
| | 03:39 | Once you get everything
configured, you're all set.
| | 03:42 | As seen in the screencast, protecting
the login page with better security is
| | 03:46 | easily done with the Login Lock plug-in.
| | 03:49 | It only takes a few minutes to
implement and doing so helps keep your login
| | 03:53 | page very secure.
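The lockout rule configured above (five failed attempts within 30 minutes, then a 60-minute block) and the 12-character minimum are easy to reason about once written down as code. The following is an added example, not the Login Lock plug-in's code: a self-contained PHP class with in-memory state, plus a constructed walk-through at the bottom so it can be run offline with `php lockout.php`. The class and function names and the sample address are assumptions for illustration.

```php
<?php
// Added example (not the Login Lock plug-in's own code).
// Tracks failed logins per source address and enforces:
//   maxAttempts failures inside windowMinutes -> block for blockMinutes.

class LoginLockout
{
    private $maxAttempts;
    private $windowSeconds;
    private $blockSeconds;
    private $failures     = [];  // ip => list of failure timestamps
    private $blockedUntil = [];  // ip => unix time at which the block expires

    public function __construct($maxAttempts = 5, $windowMinutes = 30, $blockMinutes = 60)
    {
        $this->maxAttempts   = $maxAttempts;
        $this->windowSeconds = $windowMinutes * 60;
        $this->blockSeconds  = $blockMinutes * 60;
    }

    // True while a block on $ip is still in force at time $now.
    public function isBlocked($ip, $now)
    {
        return isset($this->blockedUntil[$ip]) && $now < $this->blockedUntil[$ip];
    }

    // Record one failed attempt; returns true when this failure starts a block.
    public function recordFailure($ip, $now)
    {
        // Keep only failures that fall inside the sliding window.
        $recent = array_filter(
            isset($this->failures[$ip]) ? $this->failures[$ip] : [],
            function ($t) use ($now) { return $t > $now - $this->windowSeconds; }
        );
        $recent[] = $now;
        $this->failures[$ip] = array_values($recent);

        if (count($recent) >= $this->maxAttempts) {
            $this->blockedUntil[$ip] = $now + $this->blockSeconds;
            $this->failures[$ip]     = [];   // counter restarts once the block lifts
            return true;
        }
        return false;
    }

    // A successful login clears the counter for that address.
    public function recordSuccess($ip)
    {
        unset($this->failures[$ip]);
    }
}

// Minimum-length rule from the screencast (12 characters). strlen counts
// bytes, which matches ASCII passwords; use mb_strlen for multibyte input.
function password_meets_policy($password, $minLength = 12)
{
    return strlen($password) >= $minLength;
}

// Constructed walk-through (203.0.113.0/24 is a documentation range):
// four failures a minute apart are tolerated, the fifth triggers the block,
// and the block has expired an hour after it was set.
$lock = new LoginLockout();
$ip   = '203.0.113.7';
$t0   = 1000000;
foreach ([0, 60, 120, 180] as $d) {
    $lock->recordFailure($ip, $t0 + $d);
}
var_dump($lock->isBlocked($ip, $t0 + 200));          // bool(false): only 4 failures
var_dump($lock->recordFailure($ip, $t0 + 240));      // bool(true):  5th failure, blocked
var_dump($lock->isBlocked($ip, $t0 + 3000));         // bool(true):  still inside 60 min
var_dump($lock->isBlocked($ip, $t0 + 240 + 3600));   // bool(false): block expired
var_dump(password_meets_policy('correct horse battery')); // bool(true): 21 characters
```

Inside WordPress the same logic would hang off the `wp_login_failed` and `wp_login` actions, and the two arrays would have to be persisted (an option or transient) rather than kept in memory, because each request starts a fresh PHP process. Note that the sliding window is what makes the rule resistant to slow guessing: an attempt every ten minutes still accumulates within 30 minutes, whereas a fixed reset at the top of each half hour would not catch it.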
| Monitoring file changes | 00:00 | The bad guys are clever when it
comes to covering their tracks.
| | 00:04 | Often they will gain access to your site
and leave only a small file, or slice of
| | 00:09 | code on the server, without
messing with anything else.
| | 00:13 | The small file or code is referred to
as a back door and enables the bad guys
| | 00:17 | to come and go as they please.
| | 00:20 | In this screencast, we'll see how to
keep a close eye on any changes, so you can
| | 00:24 | take swift action should this occur.
| | 00:26 | Here in our FTP/file editor we're
looking at the root directory of our demo
| | 00:32 | site and as we can see here, a typical
WordPress installation provides many
| | 00:37 | places, many files and places for bad
guys to get in and hide code snippets,
| | 00:47 | other files, evil scripts, and so on,
| | 00:52 | either tucked deep within one of
these files or inserted into a directory
| | 00:58 | somewhere. Unless you know
exactly what to look for,
| | 01:01 | finding these hacked files in your
WordPress installation is virtually
| | 01:05 | impossible, but there is an easy way to keep
track of what's being changed on your server.
| | 01:10 | Using a plug-in called WordPress File
Monitor helps us to keep track of any and
| | 01:17 | all changes made to anything on the
server, and it's all done automatically.
| | 01:21 | Let's go to the Add New Plugins screen
and type in WordPress File Monitor to take
a look at the plug-in.
| | 01:33 | Click on the Details link for WordPress
File Monitor, and it says here that it
| | 01:38 | has not been tested with a current
version of WordPress, but in fact it is
| | 01:42 | compatible with WordPress 3.0.
| | 01:45 | I can say from personal experience that
this plug-in works great at the current
| | 01:50 | 3.1.3 version of WordPress.
| | 01:53 | This plug-in has been downloaded many
times, enjoys excellent ratings, was
| | 01:58 | updated not too long ago, and as you can
see, installation is typical. And since we
| | 02:05 | already have this plug-in installed on
our demo site, let's go ahead and click on
| | 02:10 | the WordPress File Monitor link in the
Settings menu to configure the plug-in.
| | 02:17 | Here we are at the Plugin Settings page.
| | 02:19 | Let's for now display a message on the
Dashboard whenever there's an active
| | 02:25 | alert. When this plug-in
notices a change on the server,
| | 02:29 | we can go to our dashboard and see
a notification of what's going on.
| | 02:33 | The Scan Interval, don't go too crazy
here. This is something that should be set.
| | 02:39 | 30--actually the default value is
fine. Leave it at 30. If anything, change
| | 02:44 | it to 60. I wouldn't go anything less
than 15 minutes, especially if you have a
| | 02:49 | lot of traffic on your site.
| | 02:51 | So let's just leave it at the default and let
the plug-in scan your files every 30 minutes.
| | 02:59 | For the Detection Method, let's just
leave this at the default setting. We don't
| | 03:03 | want to invoke any potential
performance issues, but feel free to experiment if
| | 03:08 | you have time. And here, enter your
email address and then replicate it here.
| | 03:15 | For the Notification Format, leave it at
detailed so you can see what a detailed
| | 03:19 | alert looks like, and then if it's too
much information, maybe change it later.
| | 03:25 | And here the site root will be pre-filled
by the plug-in, but if it doesn't look
| | 03:29 | right or if the plug-in
doesn't work, feel free to change it.
| | 03:33 | And here, exclude paths are helpful if
you're running specific plug-ins that
| | 03:39 | are changing files constantly or
continuously and should be excluded from these alerts.
| | 03:44 | For example, here we have w3 total cache
and we've added its directory here, so
| | 03:51 | that the plug-in knows not to worry
about changes made in this directory.
| | 03:56 | Once we have all of our settings in
place, click on the Submit button to save
| | 03:59 | our changes, and that's it.
| | 04:01 | Now that we've configured the
plug-in, let's see it in action.
| | 04:04 | We go to the FTP/file editor and we
open a random file, which we've done, and
| | 04:12 | let's make a change.
| | 04:13 | A good way of modifying a file without
actually changing anything is to simply
| | 04:18 | tab down, add some text, and then remove
your changes, and click Save, and put the
| | 04:25 | file back up on the server.
| | 04:28 | Then we return to the File
Monitor settings page and run a test by
| | 04:32 | clicking Performs Scan Now.
| | 04:34 | It may take a moment, especially
if you have a lot of files, and aha!
| | 04:38 | The plug-in has noticed the change.
| | 04:41 | We can click this link here to view
changes and clear this alert, which is also
| | 04:46 | available from the WordPress dashboard.
| | 04:51 | Click on View changes and clear this
alert and you will see the changes we've
| | 04:55 | made, both for this
tutorial and previous tutorials.
| | 04:59 | When we're done we click Remove Alert
after we've inspected the changes.
| | 05:03 | If there's anything that you see that
you did not change, you're in a better
| | 05:07 | position to take immediate action.
| | 05:09 | We've been using WordPress File Monitor
at our Digging into WordPress site for
| | 05:13 | over a year, and with much success. It's a
great way to keep an eye on changes in
| | 05:18 | an easy automated way.
| | 05:20 | If our site is ever hacked, we'll
know exactly which files have been
| | 05:23 | added, deleted, or edited.
| | 05:26 | In this screencast, we've seen how to
improve the security of our site by keeping
| | 05:31 | a close eye on changes made to the server.
| | 05:34 | We do this with a plug-in called
WordPress File Monitor, which is free and easy to
| | 05:38 | install--highly recommended to
increase the security of your WordPress site.
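The plug-in above works by remembering what the files looked like and comparing against that on every scan. The following is an added example, not the WordPress File Monitor plug-in's code: a PHP script that records a baseline of per-file SHA-256 hashes, honours an exclude list like the one used for the caching plug-in's directory, and on later runs reports added, deleted and modified files. The install path, the baseline file location and the function names are assumptions for illustration.

```php
<?php
// Added example (not the WordPress File Monitor plug-in's own code).
// First run:   php wp-monitor.php /var/www/html   -> stores a baseline
// Later runs:  php wp-monitor.php /var/www/html   -> prints the differences
// The paths are placeholders; keep the baseline OUTSIDE the document root
// so that it is neither downloadable nor editable through the web server.

// Hash every file under $root, skipping anything below an excluded prefix.
function wp_snapshot($root, array $exclude = [])
{
    $root = rtrim(realpath($root), '/');
    $snap = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $rel = ltrim(substr($file->getPathname(), strlen($root)), '/');
        foreach ($exclude as $ex) {
            $ex = rtrim($ex, '/');
            if ($rel === $ex || strpos($rel, $ex . '/') === 0) {
                continue 2;   // inside an excluded directory
            }
        }
        // The content hash is what catches an edit that keeps size and
        // timestamp unchanged; size and mtime are kept for the report.
        $snap[$rel] = [
            'sha256' => hash_file('sha256', $file->getPathname()),
            'size'   => $file->getSize(),
            'mtime'  => $file->getMTime(),
        ];
    }
    ksort($snap);
    return $snap;
}

// Compare two snapshots; returns relative paths grouped by kind of change.
function wp_diff_snapshots(array $old, array $new)
{
    $added    = array_keys(array_diff_key($new, $old));
    $deleted  = array_keys(array_diff_key($old, $new));
    $modified = [];
    foreach (array_intersect_key($new, $old) as $path => $info) {
        if ($info['sha256'] !== $old[$path]['sha256']) {
            $modified[] = $path;
        }
    }
    return ['added' => $added, 'deleted' => $deleted, 'modified' => $modified];
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $baselineFile = '/var/lib/wp-monitor/baseline.json';   // placeholder path
    $exclude      = ['wp-content/cache'];                    // e.g. a caching plug-in's files

    $current = wp_snapshot($argv[1], $exclude);

    if (!file_exists($baselineFile)) {
        file_put_contents($baselineFile, json_encode($current));
        echo 'Baseline stored: ' . count($current) . " files\n";
        exit;
    }

    $baseline = json_decode(file_get_contents($baselineFile), true);
    $diff     = wp_diff_snapshots($baseline, $current);

    foreach ($diff as $kind => $paths) {
        foreach ($paths as $p) {
            echo strtoupper($kind) . ": $p\n";
        }
    }
    if (!array_filter($diff)) {
        echo "No changes since baseline.\n";
    }
    // Deliberately do not overwrite the baseline here: like the plug-in's
    // "Remove Alert", accepting the new state should be a human decision
    // taken after the listed changes have been inspected.
}
```

Schedule it from cron at an interval like the 30 minutes chosen above and mail the output; hashing every file on each run is the same cost trade-off the screencast warns about when it advises against a very short scan interval on a busy site. Once the modified files have been reviewed and judged legitimate (a WordPress or plug-in update, say), delete the baseline file and run the script once to record the new state.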
| Monitoring admin users| 00:00 | For sites with multiple users, it can
be helpful to have a detailed record of
| | 00:05 | what they're doing while
working in the Admin area.
| | 00:09 | Being able to look at a history log of
user activity makes it easier to correct
| | 00:14 | errors and resolve issues.
| | 00:17 | In this screencast, we'll see how to
keep an eye on user activity with the
| | 00:21 | ThreeWP Activity Monitor plug-in, which
does a great job of logging user actions
| | 00:27 | with a simple, easy-to-use interface.
| | 00:31 | Let's look at the plug-in by going to
Add New and typing in ThreeWP Activity
| | 00:38 | Monitor and doing a search. Click on
the Details link for the first result.
| | 00:46 | We can see that it is compatible with
the latest version of WordPress, it's been
| | 00:50 | downloaded a fair number of
times, and it was recently updated.
| | 00:53 | It also enjoys stellar
ratings based on seven votes.
| | 00:58 | The description of the plug-in tells us
that this plug-in records login attempts,
| | 01:05 | anytime someone tries to reset or
retrieve their password. It records creation
| | 01:10 | of posts, pages, editing
of comments, and much more.
| | 01:15 | Basically anything that someone is
doing in the admin area this plug-in is going
| | 01:18 | to keep a record of. And as we
see here, installation is as usual,
| | 01:24 | and since the plug-in is already
installed on the site, let's go ahead and close
| | 01:28 | out of this screen, scroll up, and
click on the Dashboard menu, and then on
| | 01:33 | Activity Monitor to go to the
Activity Monitor overview page.
| | 01:39 | Here is the ThreeWP Overview screen
where user activity is displayed with a nice
| | 01:44 | graphic user interface.
No settings to configure here.
| | 01:49 | Next we have the Settings screen where the
default settings are pre-filled and work great.
| | 01:55 | If you have some reason for changing
any of these values, go right ahead.
| | 01:59 | You can limit the size of the database
here and if you want other lesser roles
| | 02:04 | to manage the activity of the logs
that are created by this plug-in, you can
| | 02:08 | fine-tune that information here.
| | 02:11 | Click Apply to save any changes and
then lastly, hop over to the Uninstall
| | 02:16 | screen, where you'll find convenient
options for uninstalling and removing the
| | 02:20 | plug-in, if/when necessary.
| | 02:22 | And that's all there is to it.
| | 02:24 | It's very straightforward. The plug-in should now
be monitoring user activity in the Admin area.
| | 02:30 | So with everything configured, let's see
it in action. Here is what we want to do.
| | 02:34 | We want to log out, log in, create a page,
create a post, and then delete the page.
| | 02:40 | So let's do that.
| | 02:42 | Let's log out and then log in and then
create a page and a post, and this is
| | 03:12 | totally random, just to see the plug-in work.
And finally, let's go back and delete the page.
| | 03:24 | After all of that activity, the plug-in
should have recorded everything for us and
| | 03:29 | displayed it here in the log screen.
| | 03:32 | Returning to the Activity Monitor
screen, we see the sheer awesomeness of this
| | 03:36 | plug-in, with convenient links for each
logged activity and a nice-looking icon
| | 03:40 | for easy recognition of various actions.
It's really a great way to keep an eye
| | 03:45 | on what's going on in the Admin area.
| | 03:49 | In this screencast, we've seen how to
use the ThreeWP Activity Monitor plug-in
| | 03:53 | to keep an eye on user
activity in the Admin area.
| | 03:57 | This provides valuable information
that will help if and when something goes
| | 04:01 | wrong, making it easier to backtrack
steps and return everything to normal.
| Implementing a firewall| 00:00 | The more popular your site gets,
the more of a target it becomes for
| | 00:04 | automated malicious attacks.
| | 00:07 | Scripted attacks occur frequently and
involve automated requests for known and/
| | 00:12 | or potential security vulnerabilities.
| | 00:15 | In this screencast, we protect against
these relentless automated attacks by
| | 00:20 | implementing a strong firewall.
| | 00:22 | As seen here in an excerpt from one
of my personal error logs, malicious
| | 00:27 | requests such as these are a
constant threat to your site.
| | 00:34 | In addition to the ongoing risk that
these unwanted requests bring, they also
| | 00:39 | chew up your server's precious
resources, like bandwidth and memory.
| | 00:44 | This slows things down for your
legitimate users and reduces the overall
| | 00:51 | performance of your web site.
| | 00:55 | Fortunately, there's a 'set it and forget
it' solution to stopping a great deal of
| | 00:59 | this malicious nonsense.
| | 01:01 | It's a plug-in called WordPress
Firewall 2, and it's one of the best ways to protect
| | 01:06 | against evil requests.
| | 01:09 | Let's go to the Add New Plugins page
and search for the plug-in to take a look.
| | 01:13 | You just type 'WordPress
Firewall 2' and click Search Plugins.
| | 01:19 | It should be the first result, so just
go ahead and click Details to learn a
| | 01:23 | little bit more about the plug-in.
| | 01:25 | It says here that the plug-in has not
been tested with our current version of
| | 01:29 | WordPress, but indeed it has.
| | 01:31 | We've run this plug-in on our site
Digging into WordPress, and it works great.
| | 01:34 | It also says that it's compatible
with WordPress 3, which is the current
| | 01:40 | version of WordPress.
| | 01:41 | It's been downloaded over 12,000
times, enjoys excellent ratings based on 11
| | 01:47 | votes, and it was updated not too
long ago. As it describes in the
| | 01:53 | description here, this plug-in is a
powerful way of stopping automated
| | 01:58 | attacks and known exploits.
| | 02:00 | In the Installation screen we see that
the installation is typical, and as it
| | 02:06 | shows here, the plug-in is
already installed on this demo site.
| | 02:10 | So let's close out of the screen and
go to the Plugin Configuration page to
| | 02:16 | configure the plug-in and
get it working for our site.
| | 02:18 | Here at the Plugin Settings page, first
we have the Security Filters options where
| | 02:25 | the default settings are indeed optimal.
| | 02:28 | We want to block everything, except
for the last option, which is useful but
| | 02:33 | may also cause problems with various plug-ins
and scripts, so we leave this one unchecked.
| | 02:38 | Then next, we have Upon Detecting Attack.
| | 02:43 | This is your choice. I wish there were
an option for a simple 403 Forbidden
| | 02:48 | error, but there's not, so we choose to
display the 404 error page, just in case
| | 02:54 | a legitimate visitor is making the request.
| | 02:58 | Next, in the Email panel set your email
preferences, enter your email address here, and
| | 03:04 | for Email type, choose either plain text
or html format. And here for Suppress
| | 03:11 | similar attack warning emails, go ahead
and leave that set to off for now and
| | 03:16 | then change it later if needed.
| | 03:19 | Finally, we have two boxes, one for
whitelisting IPs and one for whitelisting pages.
| | 03:26 | For whitelisting IPs, we will leave this
blank for now, but you should definitely
| | 03:30 | add your own IP when configuring your own site.
| | 03:33 | And here for Whitelisted Pages, if you
have any issues with the plug-in blocking
| | 03:39 | specific pages, files, or variables,
just enter them here and the plug-in will
| | 03:44 | ignore them, and that's
really all there is to it.
| | 03:47 | WordPress Firewall 2 is now working
silently behind the scenes, blocking tons of
| | 03:53 | ill requests and other malicious
nonsense from getting into your site.
| | 03:57 | With WordPress Firewall 2 in effect,
you can sit back, relax, and enjoy better
| | 04:01 | protection against malicious requests.
| | 04:04 | Whenever the plug-in blocks something,
you will get an email notification
| | 04:07 | alerting you of the event.
| | 04:09 | As you'll see, this is an
excellent way to keep an eye on your site
| | 04:12 | anytime, anywhere.
| Blocking access| 00:00 | In this screencast, we equip ourselves
with a powerful way to protect our site
| | 00:04 | against the bad guys.
| | 00:05 | Keeping an eye on our server log files,
we employ the excellent WP-Ban plug-in
| | 00:11 | to block specific threats
and other malicious behavior.
| | 00:14 | To really take your security to the next
level, it's important to keep an eye on
| | 00:18 | your server access and error logs.
| | 00:21 | Such logs are readily available from
your server control panel and elsewhere, so
| | 00:26 | ask your host if you don't see them.
| | 00:27 | Here we have an excerpt from a
hypothetical error log where various details are
| | 00:33 | recorded for each 404 Not Found error.
| | 00:38 | Each of these is a malicious request,
as evidenced by the nasty-looking URLs.
| | 00:47 | Timewise, these requests
happened about a minute apart.
| | 00:52 | Usually they're more frequent, but
it also depends on your server and what
| | 00:56 | your server is capable of.
| | 00:57 | They all have the same recorded IP address,
and they all also have the same user agent.
| | 01:06 | The sort of malicious activity recorded
here happens constantly, and it does a
| | 01:10 | good job of wasting server
resources and slowing things down for your
| | 01:15 | legitimate visitors.
| | 01:16 | There are many solutions for
defending against malicious requests, but for
| | 01:20 | WordPress-powered sites the easiest way
is to simply block them with a plug-in.
| | 01:26 | Going to the Plugins menu, let's
click on the Add New button and do a quick
| | 01:33 | search for the WP-Ban plug-in.
| | 01:37 | Enter the name and click Search, and
WP-Ban should be listed among one of
| | 01:42 | the first few results.
| | 01:44 | So we see it here, and we click on
the Details link to learn a little bit
| | 01:48 | more about this plug-in.
| | 01:50 | As we see here in the description,
the plug-in provides a way for WordPress
| | 01:55 | users to block malicious requests and
other malicious activity using the IP
| | 02:01 | address, user agent, and
other aspects of the request.
| | 02:06 | It's been a while since this plug-in
was updated, but it has been downloaded
| | 02:10 | many times and enjoys good ratings.
| | 02:14 | The installation, if we go to the web
site, we see that the installation is
| | 02:21 | typical, and as we see here, the plug-in
is already installed on the site, so we
| | 02:27 | are ready to jump into the Plugin
Configuration page to configure the plug-in.
| | 02:33 | We click on the Ban link in
the Settings menu to go there.
| | 02:37 | Here at the WP-Ban Settings page, first
and foremost, the plug-in tells us our
| | 02:43 | own IP address, hostname, user agent, and so on.
| | 02:48 | Next, we have the banned fields
themselves, where we will be listing and
| | 02:52 | blocking the bad guys.
| | 02:54 | We can ban by IP, IP range, host
name, referrer, user agent, and we can
| | 03:03 | even exclude IPs, and customize the banned
message that blocked requests will receive.
| | 03:09 | Really, at this point, there's nothing
to configure, but just beneath the Banned
| | 03:14 | fields, there are two more
sections worth mentioning.
| | 03:17 | First, the Ban Stats panel, where we
can see the statistics about what's being
| | 03:23 | blocked, and then beneath that an
Uninstall option, should you decide to
| | 03:27 | remove the plug-in later.
| | 03:29 | So there is nothing to configure
upfront, but let's return now to our
| | 03:33 | hypothetical error log and see how to
immunize our site against future attacks.
| | 03:38 | There are lots of choices for blocking.
| | 03:40 | We can block by the IP address,
referrer, user agent, and request string.
| | 03:46 | If we determine that the user agent
EmailSiphon is a bad bot, we can block it with WP-Ban.
| | 03:53 | We can also block the IP address specifically.
| | 03:56 | So let's start with the IP address.
| | 03:58 | We copy that and return to the plug-in
page and in the Banned IPs field, we just
| | 04:07 | paste the IP address.
| | 04:09 | Then let's return to the error log
and grab that user agent, copy, and then
| | 04:17 | return to the plug-in page,
scroll down, and paste it into place.
| | 04:22 | Once we have these two items in
place, we click Save Changes, and done.
| | 04:29 | Any requests meeting our new criteria
will now be blocked and presented with the
| | 04:33 | official 'you've been banned' message.
| | 04:36 | Now, let's see it in action.
| | 04:38 | We can't spoof an IP here, but we can spoof a
user agent by going to Bots versus Browsers.
| | 04:44 | We need two things to see
this demonstration work.
| | 04:49 | We need the user agent, which we had
EmailSiphon, and we need the URL for our
| | 04:55 | web site, so we can try to access it.
| | 05:02 | Once these two items are in place, we
click the Go button and see the ban message.
| | 05:07 | We have been banned.
| | 05:08 | Anyone requesting our web site using
this user agent, EmailSiphon, will be banned.
| | 05:15 | Likewise for the IP and likewise for
any other item, host name, IP range,
| | 05:21 | referrers and so on.
| | 05:23 | This plug-in will ban malicious
requests and specific threats.
| | 05:28 | Finally, back at the Banned Options
page, let's scroll down and verify that
| | 05:32 | that request was actually recorded in the Ban
Stats section of the plug-in, and here it is.
| | 05:39 | Here is our IP address, here is the attempt,
and if we would like, we can reset this.
| | 05:44 | This is a great way to keep an eye on
the different requests that are being made
| | 05:48 | by the things that you are blocking.
| | 05:50 | So in this screencast, we've seen
how to get more fine-grained control over
| | 05:55 | your site's security.
| | 05:57 | The powerful WP-Ban plug-in makes it
easy to block specific threats and keep
| | 06:02 | your site safe, secure, and performing great.
| Detecting hacks| 00:00 | Once you're up and running with
WordPress, it's a good idea to periodically
| | 00:04 | search your files and
database for possible malicious code.
| | 00:08 | Exploit code happens when an attacker
finds a way into your site and plants the
| | 00:13 | payload somewhere in your files or database.
| | 00:16 | In this screencast, we look at an easy way
to scan your site for any signs of foul play.
| | 00:21 | For example, here at the Digging into WordPress site,
we explain a rather nefarious hack that
| | 00:28 | plagued the WordPress
community back in July of 2010.
| | 00:32 | This is a great article to familiarize
yourself with the type of stuff that we
| | 00:36 | are talking about when referring
to malicious code or exploit code.
| | 00:41 | As seen following the link here,
malicious code often looks like long strings
| | 00:46 | of encoded gibberish.
| | 00:49 | Make no mistake, exploit code like this
is malicious and used for evil purposes,
| | 00:53 | but there is a plug-in called Exploit
Scanner that does an incredible job of
| | 00:58 | actually finding this stuff.
| | 01:00 | It doesn't remove anything or make
any changes to your files, which is good,
| | 01:04 | but it does provide a detailed report, along
with some options to fine-tune the results.
| | 01:09 | It's a powerful tool, so let's set it
up and use it to keep an eye on things.
| | 01:16 | To install the plug-in, go to the Add New
Plugins page in the Admin area and type
| | 01:21 | in 'Exploit Scanner' in the Search field.
| | 01:25 | Click on the Search button to view the
results and you should see it listed
| | 01:28 | first in the list. Click on the Details link
to learn a little bit more about the plug-in.
| | 01:34 | As we see here in the description, this
plug-in does one thing, and it does it well.
| | 01:39 | It scans your database and
files for anything suspicious.
| | 01:43 | The author is a reputable author,
and the plug-in was updated recently.
| | 01:47 | It's compatible with the latest version of
WordPress, has been downloaded many times,
| | 01:52 | and enjoys an excellent rating.
| | 01:55 | Going to the Installation tab, we see
that the installation is typical and since
| | 02:00 | we have the latest version already
installed, let's close out of this screen and
| | 02:07 | configure the plug-in by clicking the
Exploit Scanner link in the Tools menu.
| | 02:12 | Here at the Exploit Scanner
settings page, we have several options.
| | 02:15 | First, Search for suspicious styles.
| | 02:18 | You can try this both ways, but keep in
mind there are way more false positives
| | 02:22 | with this checked. For Upper file size
limit, the default value is fine, but you
| | 02:28 | can change it if needed.
| | 02:29 | Number of files per batch, again, leave
it at the default value unless you have
| | 02:33 | reason to do otherwise.
| | 02:35 | And finally, click Run the
Scan to run a scan on your site.
| | 02:41 | The scan is now complete. Before
digging in, let's look at the three
| | 02:45 | different levels of results. Level Severe,
| | 02:48 | usually a strong indicator
of a hack or exploit code.
| | 02:52 | Warnings are not as bad as severe,
but you should treat them with caution.
| | 02:56 | And then there are notes which are
lowest-priority results that are commonly
| | 03:00 | used and probably safe.
| | 03:02 | So now let's return to the admin area
and scan through our results. Because of
| | 03:09 | all the Security plug-ins that I have
installed on this demo site, this is a
| | 03:14 | pretty horrendous results set of data
here, and we're not going to have time in
| | 03:20 | the screencast to analyze everything.
| | 03:22 | So let's look at a more typical case
with only a few plug-ins installed at a
| | 03:29 | different demo site, here.
| | 03:32 | In the results, we see the
three different levels represented.
| | 03:36 | We have Level Severe with two matches, Level
Warning with six matches, and Level Note with one match.
| | 03:46 | These results are typical, and you may
have more or less depending on the plug-ins
| | 03:50 | and themes and other files
that you have in your site.
| | 03:53 | Let's begin with Level Severe, and we
see in wp-commentsrss2.php, they matched
| | 04:05 | eval and base64_decode, which are often
good indicators of a potential attack.
| | 04:15 | Level Warning, the license file and
these other files, things have been modified,
| | 04:20 | and you should look into those.
| | 04:24 | And Level Note, this is for your
information. If you feel this is something worth
| | 04:28 | looking at, then go ahead.
| | 04:30 | But let's focus now on Level Severe.
| | 04:32 | What we want to do is find this
file in our WordPress installation.
| | 04:37 | So we go to our FTP/file editor and we
look in our local files, and we open the
| | 04:43 | file and see that there's nothing here.
| | 04:46 | Well, that makes sense because if somebody
did hack our site, they did it on the server.
| | 04:51 | So let's look at the same file
as it exists on the server. Aha!
| | 05:01 | Notice the difference between these two
files, our local file and the one on the server.
| | 05:06 | Here, someone or something has injected
this malicious code into the file using
| | 05:14 | eval(base64_decode). This encoded
gibberish could do anything--we don't know, but
| | 05:20 | we want to get rid of it.
| | 05:22 | So we can either delete this or
simply upload our local file to the server.
| | 05:30 | Now, let's look at the file and make
sure that we have cleaned things up.
| | 05:39 | It looks good. Opening the local file,
the two files are identical, so we've
| | 05:47 | eliminated this threat.
| | 05:49 | Returning to the browser, let's
rerun the scan and see what happens.
| | 05:56 | Great, no Level Severe matches.
| | 05:59 | We do have Level Warnings, but we will
leave this up to you to research and find
| | 06:07 | out what's going on there.
| | 06:08 | It can be time consuming interpreting
the results, especially if you have lots
| | 06:13 | of plug-ins and themes installed.
| | 06:15 | So if you're at all unsure about a
particular result, it's best to err on
| | 06:18 | the side of caution.
| | 06:20 | For more help, ask around in the
WordPress support forum and/or other online
| | 06:25 | forums, or maybe search the Internet
for similar situations, code, and so on.
| | 06:30 | You'll inevitably see a lot of false
positives, but the chance to locate and
| | 06:35 | eliminate actual malicious code is worth it.
| | 06:38 | There are a few big things to watch out
for: Matches around unknown or external
| | 06:43 | links, if you see a hyperlink in your
code and you see some sort of base64
| | 06:49 | decoding or eval or anything weird, take
a good close look. Base64-encoded text
| | 06:56 | in modified core files is also
a known no-no. Keep a close eye on that.
| | 07:01 | Listing extra admin accounts in the
lower panel of the Plugins Settings page is
| | 07:06 | also something you should keep an eye on.
| | 07:08 | And then finally, just keep an eye out
for any bad code in posts, pages, and so on.
| | 07:14 | In this screencast, we've seen how to
configure Exploit Scanner to scan our files
| | 07:18 | and database for malicious content.
| | 07:21 | It usually takes some time interpreting
the results, but even finding just one
| | 07:25 | injected exploit makes the
effort completely worth it.
5. Advanced Tips and Tricks
| Stopping file hotlinking| 00:00 | You see this image here?
It's hotlinked from another web site.
| | 00:05 | That means that this site,
bluefeed.net, is linking directly to the image on
| | 00:11 | another server, essentially stealing
the file and benefitting at our expense.
| | 00:17 | This happens all the time on the web,
but there is a well-known htaccess
| | 00:21 | technique for stopping it.
| | 00:24 | In this screencast, we'll show you how to
stop other sites from stealing your images.
| | 00:31 | Here in our FTP/file editor, let's
open the root htaccess file for this
| | 00:37 | WordPress installation.
| | 00:39 | What we want to do is add a slice of
htaccess code beneath these existing rules.
| | 00:46 | The code is located in the
exercise files for this screencast.
| | 00:53 | Select everything for Method 1 from
here to here and copy it, return to your
| | 01:02 | htaccess file, and paste it into place.
| | 01:06 | This code looks more complicated than it is.
In plain language, the code does the following.
| | 01:12 | If there's a referrer and the requested
file exists, if the requested file ends
| | 01:18 | with any of these extensions and--this is
important--if the referring site is not
| | 01:25 | our own, then return a 403 Forbidden
error instead of the requested image.
| | 01:33 | It takes a bit of customization to work properly,
| | 01:36 | so before uploading the modified file
to our server, we need to change example
| | 01:43 | to match our own domain name. For example,
| | 01:45 | here the domain I am working with is
perishablepress.com, so I edit 'example'
| | 01:52 | to say 'perishablepress'.
| | 01:54 | We leave off the .com, .net
or .whatever you may have.
| | 01:58 | Next, look at the files that
we're blocking with this code.
| | 02:03 | We're blocking GIF files, any type
of JPEG files, and PNG files, but we
| | 02:10 | don't have to stop there.
| | 02:12 | We can actually protect any file
type: videos, music, Flash files, Word
| | 02:18 | documents, whatever.
| | 02:21 | You just need to add the appropriate
file extension to the list. For example,
| | 02:26 | let's say we also want to protect zip files.
| | 02:29 | We simply add another vertical bar
after PNG and then type 'zip' and this may be
| | 02:38 | repeated for as many file types as needed.
| | 02:41 | Let's add one for Word document, or docx.
| | 02:46 | Once everything is customized, we are
ready to upload the file and check the
| | 02:51 | results. We click Save and
upload the file to our server.
| | 02:59 | Returning to our online demo page,
which is the one that is stealing, or
| | 03:03 | hotlinking the image from our demo
site, we refresh the page. Voila!
| | 03:10 | No more hotlinked image.
| | 03:12 | This htaccess technique is very
effective at protecting your files from thieves,
| | 03:17 | and it only takes a minute
to set up, as we've just seen.
| | 03:20 | But now let's return to the FTP/file
editor and look at how to do a little bit more.
| | 03:28 | Instead of merely blocking the image,
we can send a message to the hotlinking
| | 03:33 | site. All we need is a simple image file
containing whatever special message we
| | 03:39 | want to send, and then we replace our
previous block of code here with the
| | 03:48 | second block of code included in the
exercise files, method 2. Copy that, return
| | 03:56 | to the htaccess file, and paste it into
place. Before uploading to the server, we
| | 04:02 | need to make a few changes. In this line,
we change 'example' to whatever our domain
| | 04:08 | name is, leaving off the .net, .com or whatever.
| | 04:14 | Then we want to replace this path with
the path to our special message image
| | 04:20 | that we want to send to the hotlinkers.
| | 04:26 | I have placed my special file at this location.
| | 04:33 | Finally, save and upload
the file to your server.
| | 04:38 | Now let's return to the browser and
refresh the page, to see what the hotlinking
| | 04:43 | site will now receive when
trying to hotlink our images.
| | 04:48 | There we go, problem solved.
| | 04:51 | We could send any message we
want here, with any size file.
| | 04:54 | So be creative and have some fun.
| | 04:57 | The simple htaccess technique used here
will protect your site's images and other
| | 05:02 | files from leechers and bandwidth thieves.
| | 05:04 | Let's take another look
at another special message.
| | 05:13 | Using a different image, we
change the path and refresh the page.
| | 05:19 | It couldn't be more fun.
| | 05:20 | There is at least one plug-in that will
do the same functionality for WordPress,
| | 05:25 | but it too also uses htaccess to make it happen.
| | 05:29 | There's no need to add the extra complexity
and maintenance of a plug-in to stop hotlinking.
| | 05:34 | It's faster and more elegant to
simply add the code directly, as described
| | 05:40 | in this screencast.
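Added example, not the course's exercise-file code (which is not reproduced on this page): an htaccess block in my own wording that implements the two hotlink-protection methods described in the screencast above. As in the screencast, `example` is the placeholder you replace with your own domain name (without the .com/.net suffix); the message-image path used by Method 2 is a hypothetical one.

```apache
# Added example: referrer-based hotlink protection for the WordPress root .htaccess.
# Assumptions: your domain begins with "example" (edit it, leaving off the TLD as the
# course explains) and the Method 2 message image lives at the hypothetical path
# /wp-content/uploads/hotlink-message.png.
<IfModule mod_rewrite.c>
RewriteEngine On

# --- Method 1: answer hotlinked requests with 403 Forbidden ---
# Only act when a Referer header is present; requests without one
# (direct visits, privacy-minded browsers, feed readers) pass through.
RewriteCond %{HTTP_REFERER} !^$
# Only act on files that actually exist, so normal 404 handling is untouched.
RewriteCond %{REQUEST_FILENAME} -f
# Only act on these extensions; extend the list with another "|", e.g. zip|docx.
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g|png|zip|docx)$ [NC]
# Do not act when the referrer is our own site (any subdomain, any TLD).
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\. [NC]
RewriteRule .* - [F,L]

# --- Method 2: serve a message image instead (use one method, not both) ---
# RewriteCond %{HTTP_REFERER} !^$
# RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\. [NC]
# The message image itself must be excluded, otherwise the redirect loops,
# because the browser re-sends the same foreign Referer with the redirected request.
# RewriteCond %{REQUEST_URI} !/wp-content/uploads/hotlink-message\.png$ [NC]
# RewriteRule \.(gif|jpe?g|png)$ /wp-content/uploads/hotlink-message.png [R=302,L]
</IfModule>
```

Two caveats worth knowing before relying on this. First, the rule deliberately lets requests with an empty Referer through, so visitors whose browser or extension strips the header still see your images; the flip side is that a hotlinker who strips the header is not blocked either. Second, because the course's pattern leaves off the TLD, `example\.` also matches a referrer such as `example.anything`, so the check is a bandwidth-saving measure rather than a strong access control. You can confirm the rule works from the command line with `curl -e 'http://other-site.example/' -I https://yoursite/path/to/image.png` (the `-e` flag sets the Referer) and expect a 403 for Method 1 or a 302 for Method 2.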
| Protecting the installation page| 00:00 | In this screencast, you'll see how to
protect the WordPress installation file
| | 00:04 | using a variety of different methods.
| | 00:07 | Protecting the installation file is
important because if things go wrong, it
| | 00:11 | could be used to gain
illicit access to your web site.
| | 00:15 | Here in our FTP/file editor we want to
open and take a look at the install file.
| | 00:21 | It's located in the
wp-admin directory, right here.
| | 00:27 | Here we are looking at the
install.php file as it is located in the
| | 00:31 | wp-admin directory.
| | 00:33 | This file is used when installing
WordPress and should be removed or protected
| | 00:37 | after the installation process is complete.
| | 00:41 | There are three different ways to do this:
| | 00:44 | Method one, delete the file
after installing WordPress.
| | 00:48 | Method two, add a slice of code to
your htaccess file. Or method three, replace
| | 00:54 | the file with something more useful.
| | 00:57 | Any of these methods only
takes a minute and works just fine,
| | 01:00 | so let's run through each of them.
| | 01:02 | Method one, just delete the file.
| | 01:05 | There is no reason to
keep it after installation.
| | 01:08 | The downside with this approach is that
WordPress will return the missing file
| | 01:12 | the next time you update.
| | 01:13 | This is certainly easy, but the file
will return the next time you upgrade, so
| | 01:18 | here is a more 'fix it and
forget it' type solution.
| | 01:21 | Open the htaccess file in
your root installation directory.
| | 01:26 | To protect the file at the server
level, grab a copy of the blank htaccess
| | 01:31 | file included with this screencast and paste
it into the wp-admin directory, as seen here.
| | 01:39 | Next, copy and paste the following code,
also included with the exercise files
| | 01:45 | of this screencast.
| | 01:48 | Copy this code and paste it beneath
any existing rules in your htaccess file.
| | 01:55 | Save the file and upload to the server.
| | 01:59 | No modifications are necessary.
| | 02:02 | Let's check to see if it works.
| | 02:03 | We return to the browser, and here is the
path to the installation file on the server.
| | 02:10 | Let's refresh the page now that we've made
changes to the htaccess file. Forbidden.
| | 02:15 | We see that the page is now safe and secure.
| | 02:18 | Any requests for your
installation file will be blocked.
| | 02:21 | But we can do even better
with our third and final method.
| | 02:25 | Instead of just deleting or blocking,
let's replace the insecure version of the
| | 02:30 | file with something more useful,
something that's more secure and informative.
| | 02:34 | Just follow these quick steps.
| | 02:37 | Rename the original install.php file
to something like install_disabled.
| | 02:44 | Create a new file in the WordPress
admin directory and call it install.php.
| | 02:49 | We are going to need to move
this ourselves. There we go.
| | 03:06 | We now have the install_disabled
file and the install.php file in our
| | 03:13 | wp-admin directory.
| | 03:17 | We now want to open our blank install.php
file and add the following slice of
| | 03:22 | code, which is also
available with this screencast.
| | 03:27 | Grab the entire chunk of
code and paste it into place.
| | 03:31 | The only required edit for this
code is right here, your email address.
| | 03:39 | After entering your email
address, everything is ready to go,
| | 03:43 | so save the changes and
upload the file to your server.
| | 03:46 | This new install.php file will prevent
any malicious behavior by serving up a
| | 03:51 | simple static web page that looks like this.
| | 03:55 | This looks simple enough, but behind the
scenes this install replacement page is
| | 03:59 | doing quite a bit more.
| | 04:01 | First, it communicates the proper 503
status code to anything that's making a
| | 04:07 | request for your file.
| | 04:08 | It also instructs clients and search
engines to return after 60 minutes, and
| | 04:13 | finally, it sends an email to your email
address informing you of the situation,
| | 04:19 | so that you may take action.
| | 04:21 | Plus, this is written in regular
PHP and good old-fashioned HTML,
| | 04:26 | so everything is completely customizable.
| | 04:28 | Feel free to modify this
template to suit your needs.
| | 04:32 | For further information on this technique,
check out my article at Perishable Press.
| | 04:37 | In this screencast, we've seen three
effective ways to prevent access to the
| | 04:40 | WordPress install.php file, which isn't
needed after installation is complete.
| | 04:46 | Any of these techniques will improve
security by preventing unwanted site access
| | 04:51 | via the default installation file.
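Added example for Method two of the screencast above, written by me rather than taken from the course's exercise files: an htaccess rule that blocks direct requests for wp-admin/install.php at the server level. The blank htaccess file the course places in wp-admin is the natural home for the first form; the commented alternative goes in the root htaccess instead. The file names are the ones the screencast uses; nothing else is assumed.

```apache
# Added example: deny all requests for install.php at the web-server level.
# Put this in wp-admin/.htaccess. Because the rule lives in htaccess rather
# than in the file, it keeps working after a WordPress upgrade restores install.php.
<Files install.php>
  # Apache 2.4 and later use mod_authz_core and the Require syntax.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 (current when this course was recorded) uses Order/Deny.
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</Files>

# Alternative for the root .htaccess, if you would rather not add a file under
# wp-admin: a rewrite rule that answers the same request with 403 Forbidden.
# <IfModule mod_rewrite.c>
# RewriteEngine On
# RewriteRule ^wp-admin/install\.php$ - [F,L]
# </IfModule>
```

The `<IfModule>` pair matters in practice: pasting the 2.2 directives into an Apache 2.4 server that has not loaded mod_access_compat yields a 500 error for the whole directory, which is worse than the problem you set out to fix. After uploading, request the file in a browser as the screencast does and confirm you get Forbidden, not a 500.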
| Stopping automated spam| 00:00 | In this screencast, we use the
htaccess file to prevent a type of spam known
| | 00:05 | as no-referrer spam.
| | 00:07 | No-referrer spam happens when
spammers target the WordPress comment script
| | 00:12 | directly without actually visiting
your web site like a regular human being.
| | 00:17 | Preventing this type of spam helps
to save bandwidth and other valuable
| | 00:21 | server resources and also helps keep your site
looking clean and respectable to your visitors.
| | 00:28 | Here in our FTP/file editor, we see the
files and directories that are located in
| | 00:34 | the WordPress installation directory.
| | 00:37 | To protect against no-referrer spam, we
open our site's root htaccess file, which
| | 00:43 | is open here already.
| | 00:45 | Next, we open the htaccess code that is
included with the exercise files for this
| | 00:52 | screencast, and we copy
the first block, Method 1.
| | 00:56 | Copy that entire block and paste
it beneath any existing rules in the
| | 01:01 | root htaccess file.
| | 01:03 | The only thing we need to edit
is the fifth line, right here.
| | 01:06 | We want to change example.com
to match our own domain name.
| | 01:11 | Mine is perishablepress.com, so I just
make that quick change and I'm all set.
| | 01:19 | Next is to save the file
and upload to the server.
| | 01:25 | And once that's done, we return to
our web site and check that everything
| | 01:28 | is working properly.
| | 01:32 | Pages are still loading, so everything is great.
| | 01:35 | Now, let's check that the code is actually
working and doing what it's supposed to
| | 01:39 | do, to block no-referrer spam.
| | 01:42 | Open a browser tab and go to this
extremely useful user agent simulation tool
| | 01:48 | at botsvsbrowsers.com.
| | 01:51 | Scroll down the page a bit and enter
the URL of your WordPress installation.
| | 01:57 | Next, we want to add the name of the file
that spammers are trying to hit directly.
| | 02:02 | To do that, return quickly to the
FTP/file editor and in the root WordPress
| | 02:08 | directory, you should see a
file named wp-comments-post.php.
| | 02:16 | By quickly renaming the file, you can
copy the name and return to the browser to
| | 02:23 | simply paste it into place.
| | 02:25 | Then, off to the right here, there
is a dropdown menu that will set the
| | 02:30 | request method, which should be set to post,
because that's what the spammers will be doing.
| | 02:37 | And with that, we click the Go
button to make it so. Excellent!
| | 02:43 | As expected, the post request returns a
403 Forbidden response, which is perfect
| | 02:49 | for spammers that are trying to directly
spam us using our comments post script.
| | 02:58 | Returning to our FTP/file
editor, we can do a little bit more.
| | 03:03 | If we would rather send our blocked
request to a particular location, just
| | 03:08 | replace the entire block of code with this
one, also included with our exercise files.
| | 03:16 | Copy Method 2 and paste into place,
| | 03:21 | replacing the previous block of code.
| | 03:24 | Next, with this code in
place, we need to make two edits.
| | 03:28 | We need to edit both instances of example.com.
| | 03:32 | The first one should be your domain name,
and the second should be the URL of the
| | 03:39 | location to which you want
to send the blocked spammers.
| | 03:42 | example.com is a reserved domain,
so it's ok to use for this demo.
| | 03:47 | But you should use caution
when sending spammers elsewhere.
| | 03:51 | Once we have our edits completed, we
save the file and upload it to the server.
| | 04:02 | Now, let's wrap things up by returning
to botsvsbrowsers and trying to request
| | 04:07 | our page again, now that the
redirect method is in place.
| | 04:11 | Clicking the GO button using the same values,
we see the redirect happening as expected.
| | 04:18 | Here is example.com.
| | 04:20 | If this were a spammer trying to spam
our web site directly with no-referrer
| | 04:25 | spam, this is where they'll end up.
| | 04:28 | At this point, our htaccess
code is in place and working great.
| | 04:33 | Spammers trying to hit our comments
script directly will now either be blocked
| | 04:37 | using method 1, or redirected to the URL of
your choice using method 2, and that's a wrap.
| | 04:44 | In this screencast, we learned how to use the
htaccess file to protect our site against spam.
| | 04:50 | This helps from a security
perspective and from a performance perspective.
| | 04:55 | No more leeching of resources means
a better experience for our valued
| | 04:59 | site visitors.
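Added example for the two methods in the screencast above; this is my own htaccess wording, not the course's exercise-file code. It blocks POST requests to wp-comments-post.php whose Referer is missing or does not come from your own site. `example.com` is the placeholder the course tells you to replace with your domain, and the redirect target in Method 2 is likewise a placeholder.

```apache
# Added example: stop no-referrer comment spam in the WordPress root .htaccess.
# Assumption: "example.com" stands for your own domain; Method 2's target URL is a placeholder.
<IfModule mod_rewrite.c>
RewriteEngine On

# --- Method 1: respond 403 Forbidden ---
# Only comment submissions are affected: POST to the comment script ...
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
# ... whose Referer is empty or points anywhere other than our own site.
# (A missing header fails this "not our domain" test, so it is covered too.)
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com(/|$) [NC]
RewriteRule .* - [F,L]

# --- Method 2: send the blocked request elsewhere instead (alternative) ---
# RewriteCond %{REQUEST_METHOD} POST
# RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
# RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com(/|$) [NC]
# RewriteRule .* http://example.com/ [R=302,L]
</IfModule>
```

The trade-off to keep in mind is the same one the hotlinking rule has in reverse: a real commenter whose browser sends no Referer (a strict referrer policy or a privacy extension) is blocked along with the spam bots, so watch your error log and support inbox after enabling it. To verify the rule without a third-party tool, `curl -X POST -I https://yoursite/wp-comments-post.php` (no Referer) should return 403, while adding `-e https://yoursite/some-post/` should get past this rule and reach WordPress.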
| Detecting and blocking bad bots| 00:00 | In this screencast, we are going to
protect our web site against bad bots.
| | 00:04 | We've seen how to do this with a plug-in
in the previous screencast, but there is
| | 00:08 | a better, more efficient, way to protect
your site directly, using the htaccess file.
| | 00:13 | Here, in our FTP/file editor, we're
looking at our site's web-accessible
root htaccess file.
| | 00:21 | To implement this method, grab a copy
of the htaccess code that's included in
| | 00:26 | the exercise files of this screencast.
| | 00:29 | Copy everything and then return to
your file editor and paste the code
| | 00:34 | beneath any existing rules.
| | 00:36 | This chunk of code is like a virtual control
panel for blocking bad bots and user agents.
| | 00:42 | First, we're blocking blank user agents.
| | 00:46 | Then these lines here collectively block
some of the worst known bad bots. Then this
| | 00:53 | last section here is the part that
actually does the blocking, based on what you
| | 00:58 | have listed in these previous directives.
| | 01:01 | And best of all, no upfront editing
is required for this code to work.
| | 01:06 | Just save and upload the file to your server.
| | 01:11 | To see it in action, let's return to
the browser and visit this ridiculously
| | 01:17 | handy user agent bot-simulation tool.
| | 01:21 | First, let's just see it work by adding the
URL of our web site and clicking the Go button.
| | 01:25 | Here is our demo site that we're working with.
| | 01:30 | So we copy the URL from the address bar
and return to Bots versus Browsers and
| | 01:37 | paste that URL here.
| | 01:39 | Then we click the Go button.
| | 01:42 | As expected, our site is accessible when
using the legit user agent, specified here.
| | 01:49 | So now let's check that the code is
working by spoofing a request from one of
| | 01:53 | our blocked user agents, or blocked bots.
| | 01:58 | Returning to our FTP editor,
let's grab a random user agent, skygrid, copy, and
| | 02:05 | return to our Bots versus Browsers page.
| | 02:09 | Paste it into the user agent field
like so and then click Go with your site's
| | 02:15 | URL still in the URL field. A 403:
| | 02:18 | Forbidden means that the
request has been blocked.
| | 02:22 | This is exactly the response
we want to send to bad bots.
| | 02:25 | It's a simple response
that's easy on the server.
| | 02:29 | Using a plug-in would have required
significantly more resources to deliver the
| | 02:34 | same response, requiring WordPress, plug-in
files, and the database just to block a bad bot.
| | 02:42 | Using htaccess lets Apache just make
the block directly at the server level,
| | 02:47 | which is the optimal way of doing it.
| | 02:50 | To add new bad bots to the list,
return to your file editor, and we can either
| | 02:55 | create a new line or just add the
name to an existing line, like so.
| | 03:01 | Casing shouldn't matter,
because of this directive here, NoCase.
| | 03:06 | So you can use any combination of
upper- and lowercase letters and the result
| | 03:11 | will be the same. Or we can instead
just start a new line like so, sort of
| | 03:25 | emulate the previous lines, and then put
our new blocked bots on their own line.
| | 03:34 | And this is a good way to help keep
things nice and organized, as you use this
| | 03:38 | method to protect your site.
| | 03:40 | That's all there is to it, so let's
save and upload the file and return to our
| | 03:46 | handy Bots versus Browser page to see it work.
| | 03:52 | We type in the name of the user agent
that we just added and click the Go button.
| | 04:00 | That's it right there.
| | 04:02 | Our request using this
user agent has been blocked.
| | 04:06 | In this screencast, we've seen how
to block bad bots and user agents from
| | 04:10 | accessing our web site.
| | 04:12 | Using htaccess instead of a plug-in,
we're able to block bad bots directly, with
| | 04:17 | greater efficiency and better site performance.
| Firewalling your site| 00:00 | In this screencast, we're going to protect
our site with a powerful htaccess firewall.
| | 00:05 | The 5G firewall by Perishable Press is
designed especially for WordPress-powered
| | 00:10 | sites, and is very effective at blocking
a plethora of bad bots, requests, user
| | 00:16 | agents, and IP addresses.
| | 00:19 | Here in our FTP/file editor, we want to
open the htaccess file in the root directory.
| | 00:26 | Notice the existing PERMALINK
rules at the top of the file.
| | 00:29 | To add the firewall, grab the
code from the provided file,
| | 00:34 | copy everything, and then paste
into your htaccess file, like so.
| | 00:39 | No modifications are required.
| | 00:42 | The 5G firewall is ready to
protect your site, right out of the box.
| | 00:46 | Just save and upload the file to your
server and return to the browser to make
| | 00:52 | sure that everything is still working.
| | 00:55 | The pages are loading just fine.
| | 00:58 | Let's jump into the Admin
and click around a little bit.
| | 01:02 | This is always a good idea to check
your site for proper functionality after
| | 01:07 | working with your htaccess file.
| | 01:09 | Everything is working great, and our
site is now protected by a strong firewall.
| | 01:14 | Although the technique is simple,
there's actually a lot going on in the code.
| | 01:20 | Let's continue with a quick
walkthrough of the 5G firewall.
| | 01:25 | The first section of the code checks
the query string, part of the requested URL,
| | 01:30 | and blocks lots of the bad stuff.
| | 01:33 | This is a key part of the firewall.
| | 01:36 | The next section checks the user agent
making the request and blocks some of the
| | 01:41 | worst known user agents.
| | 01:43 | Note that this is the same block of
code used in our previous screencast.
| | 01:48 | There's no need to include it twice.
| | 01:50 | Next, the code looks at the main part of the
URL, which is everything but the query string.
| | 01:56 | If you include only one part of this
firewall, this would be it, and maybe the
| | 02:00 | query string section.
| | 02:02 | It blocks a ton of garbage from getting through.
| | 02:05 | Lastly, the firewall blocks a short
list of known terrible IP addresses.
| | 02:11 | It's included as more of an
example of how to block them.
| | 02:14 | If you find a bad IP address that
you would like to block, you simply add
| | 02:19 | another line, like so.
| | 02:22 | For default installations of WordPress,
the 5G firewall is a safe and powerful
| | 02:27 | way to protect your site.
| | 02:29 | It plays nice with many plug-ins and is
easily adjusted if and when issues arise.
| | 02:34 | For more information and help with the
5G firewall, visit perishablepress.com.
| | 02:40 | Using the techniques in this screencast,
we've protected our site with a strong
| | 02:44 | firewall that blocks tons of ill
requests, spammers, leechers, bandwidth
| | 02:49 | thieves, and other nonsense.
| | 02:52 | As expected, filtering out the garbage
saves system resources and helps keep
| | 02:57 | your site safe and secure for valued visitors.
| Protecting your RSS feeds| 00:00 | There are many ways to prevent content
scrapers from stealing your feed content,
| | 00:05 | but the Copyright Feed
plug-in is one of the best.
| | 00:08 | It protects your feed content by adding
copyright information, a unique digital
| | 00:13 | fingerprint, and more.
| | 00:15 | In this screencast, we'll
set it up and see it in action.
| | 00:18 | Before installing the Copyright Feed
plug-in, let's go to the Add New Plugins
| | 00:23 | page and check it out.
| | 00:24 | We click on Add New in the Plugins menu
and then type 'copyright feed' in
| | 00:31 | the search field. Click Search to
view the results, and here we see (c)Feed
| | 00:40 | listed as the second result.
| | 00:41 | Click on Details to learn more.
| | 00:45 | It says it has not been tested with the
current version of WordPress, but the
| | 00:48 | current version of WordPress is 3.1.3,
which is very close to what we have here.
| | 00:55 | I run this plug-in on one of my own
sites and can assure you it works just fine.
| | 01:00 | The plug-in has been downloaded
almost 30,000 times, and the author is
| | 01:04 | reputable and well known.
| | 01:06 | It also has an excellent rating
based on a fair number of votes.
| | 01:10 | So let's click on the Installation tab
to see what installation looks like.
| | 01:16 | As we can see, this is typical, and
since we already have the latest version
| | 01:20 | installed, let's go ahead and close out
of the Information panel and click the
| | 01:25 | Copyright Feed link in the Settings
menu to configure the plug-in.
| | 01:30 | Here we are at the Copyright Feed Settings page.
| | 01:33 | Here, we have the main menu, which gives
a good overview of what the plug-in can
| | 01:38 | do, but let's jump right in with
the setting up of the main options.
| | 01:43 | This is the copyright notice that
will be displayed in your feeds.
| | 01:46 | Feel free to customize this to suit your needs.
| | 01:50 | Next, grab a copy of the randomly
generated authentication key and paste it
| | 01:56 | into this field here.
| | 01:58 | This will be your unique digital fingerprint.
| | 02:01 | If you'd rather use your own
authentication key then you may do so by
| | 02:05 | simply entering it here.
| | 02:08 | And the second part of the copyright
notice, this part will appear after the
| | 02:12 | digital fingerprint.
| | 02:14 | Scrolling down a little bit further, we
check this box to show alerts on the dashboard.
| | 02:21 | Here, we check to auto-scan for stolen
content, then set a reasonable amount of
| | 02:28 | time for each of the auto-scans and
here, check this box to exclude your site
| | 02:34 | from the scan results.
| | 02:36 | For Feedreader IP, we check this box
to include our IP with the results.
| | 02:43 | For Short Feed, let's just
leave that at the default settings.
| | 02:48 | These next three sections here are for
blocking the sites that are stealing our
| | 02:52 | feed, and there's also a place to leave
a custom message for people who try to
| | 02:57 | access your site after they've been blocked.
| | 03:02 | Scrolling through the other options,
we see that we can include comments and
| | 03:07 | related posts in our feeds.
| | 03:10 | These are two great features that
unfortunately are beyond the scope of this tutorial.
| | 03:16 | Getting near the end here, this
preview shows you what the plug-in will
| | 03:21 | actually add to your feed.
| | 03:22 | It will change once we update our settings.
| | 03:28 | And here and here, the plug-in provides some
quick search links for finding stolen
| | 03:34 | content, and finally, the button to Update
Options, which we now click to save our changes.
| | 03:40 | With everything configured, we return
to the public side of the demo site and
| | 03:46 | scroll down a bit to click on the
Entries RSS link, where we can check that
| | 03:51 | everything is working by
viewing the source code of this page.
| | 03:54 | Right-clicking on the page in Firefox,
we select View Page Source and scroll
| | 04:01 | down to the end of the first post.
| | 04:04 | Here is the copyright information, as
specified in the Plugin Settings page.
| | 04:09 | This information will now be
included with every post in your feed.
| | 04:13 | Here is the next post, and here is
the copyright message, and so on.
| | 04:20 | This information will now be included
with every post in your feed, enabling you
| | 04:25 | to periodically search the
web to find any stolen content.
| | 04:29 | Let's see a quick example of this process.
| | 04:33 | We return to the Plugin Settings page
and copy our unique digital fingerprint.
| | 04:39 | Then we go to our favorite search
engine and paste that into place.
| | 04:45 | After clicking the Search button, we
see that Google has found a result.
| | 04:49 | Clicking on the result, we see that
this site has stolen the Hello world!
| | 04:54 | post from our demo site's RSS feed.
| | 04:59 | We can now use this site's IP address to
stop this site from stealing future content.
| | 05:05 | To do so, first obtain the IP address
of the site that's stealing our content.
| | 05:10 | There are several ways to get the IP
information, but the easiest is to use one
| | 05:15 | of these handy add-ons for Firefox.
| | 05:18 | Here is the Show IP add-on that
we have installed in this browser.
| | 05:24 | To obtain the IP address of the
site that's stealing our feed content,
| | 05:28 | right-click in the lower-right corner of
the browser and select Copy to Clipboard.
| | 05:34 | Next, return to the Copyright Feed Settings
page in the Admin and scroll down to
| | 05:41 | the BlackList field.
| | 05:43 | There, paste the IP information into
place and then scroll down to click Update
| | 05:50 | Options to save our changes.
| | 05:53 | This IP is now blocked
from even accessing our site,
| | 05:57 | so it's an excellent way to stop them
from stealing future content from our feeds.
| | 06:02 | Once your content has been posted on
another site, you'll need to file a DMCA
| | 06:07 | notice to have it removed from the
search engines, but you can stop the same
| | 06:12 | site from stealing future
posted content using this method.
| | 06:16 | By no means does this strategy win the
war on content theft, but it does give
| | 06:20 | you the upper hand when responding
to known scrapers and content thieves.
| Controlling proxy access| 00:00 | It may be impossible to block 100%
of proxy visits to your site, but you
| | 00:06 | can block most of them.
| | 00:08 | In this screencast, we'll see how to
control proxy access with PHP and htaccess.
| | 00:15 | Keep in mind that not all proxies are evil.
| | 00:18 | So only use this technique if
you're sure that you don't want anyone
| | 00:21 | visiting via proxy.
| | 00:24 | Here in our FTP/file editor we're
looking at the root htaccess file for our
| | 00:29 | WordPress installation.
| | 00:32 | Currently, it contains only our
WordPress PERMALINK rules, as seen here.
| | 00:38 | After our existing rules, let's add this
htaccess snippet, graciously provided by
| | 00:46 | perishablepress.com.
| | 00:48 | We copy the code and return to our
htaccess file and paste into place.
| | 00:54 | There is a lot going on in this slice of code,
| | 00:57 | so for more information visit
the short URL provided here.
| | 01:02 | There are no edits to make, so we save and
upload the file to the server, and we're done.
| | 01:08 | Now let's jump back over to our demo site
and check that everything is working okay.
| | 01:15 | The pages seem to be loading quickly,
and everything is working great.
| | 01:20 | If for some reason, the pages aren't
loading or if something isn't working
| | 01:23 | right, just remove the code and try again.
| | 01:27 | By itself, this code should reduce
the amount of proxy traffic hitting your
| | 01:32 | site, but there are many types of
proxies and blocking them happens in layers.
| | 01:38 | This htaccess code is like the first
layer, and so now let's add another strong
| | 01:44 | layer of protection, using PHP.
| | 01:47 | Here in the demo site, we go to
wp-content and then to the themes folder.
| | 01:53 | We want to find our header.php
file in the theme that we are using.
| | 01:59 | We're using the default TwentyTen
theme, and here's the header.php file
| | 02:05 | that we're looking for.
| | 02:06 | So we click to open it and then
grab the second slice of code included
| | 02:13 | with this screencast.
| | 02:15 | Copy this snippet, return to the FTP/file
editor, and paste this at the top of the page.
| | 02:25 | Next, save and upload the file and then
return to the browser and refresh the page.
| | 02:32 | As expected, everything is still working fine.
| | 02:35 | This second layer of code does an
excellent job of transparently blocking even
| | 02:40 | some of the most clandestine of proxy sites.
| | 02:44 | So let's wrap up this screencast by
visiting some currently available proxies and
| | 02:48 | seeing if we can access
our now protected demo site.
| | 02:53 | So let's head on over to proxy.org
for a list of active proxy services.
| | 03:00 | Try any of the ones listed in green.
| | 03:02 | We want to enter the URL for
our site and then click Go.
| | 03:13 | With some of them it may be a little difficult
to determine what's actually happened,
| | 03:20 | but up in the corner here, we
see that access is not allowed.
| | 03:23 | We have been denied access to our
site using this particular proxy.
| | 03:28 | Let's quickly try another one.
| | 03:31 | Proxify is a reputable proxy. So we
enter our URL and click Proxify. Excellent.
| | 03:38 | Proxy access not allowed.
| | 03:40 | This is due to our script that we have in place.
| | 03:43 | Everything is all set at this point.
| | 03:46 | These two layers of protection, htaccess
and PHP, are going to block out most of
| | 03:52 | the proxy visits to your site.
| | 03:56 | Again, it's virtually
impossible to block all proxies.
| | 04:00 | There are many types of proxies
available: HTTP, SOCKS, VPNs, TOR, and so on.
| | 04:08 | Further filtering of proxies is possible,
but quickly goes beyond the scope of this tutorial.
| | 04:15 | Even so, in this screencast, we've seen
how combining a little PHP and htaccess
| | 04:20 | proves an effective way to block
many proxy visits to your site.
6. Applying Best Practices
| Finding and reporting vulnerabilities| 00:00 | In this screencast, we look at how to find and
report vulnerabilities, bugs, and other issues.
| | 00:06 | If you happen to discover a bug while
working with WordPress, you may report it
| | 00:10 | at the designated page via the WordPress Codex.
| | 00:14 | If you think you've discovered a
security vulnerability, email the support team
| | 00:18 | as soon as possible at
security@wordpress.org, and include as much accurate and
| | 00:25 | descriptive information as possible.
| | 00:27 | For security issues, please do not post
anywhere on the web before hearing back
| | 00:31 | from the WordPress team.
| | 00:33 | There are several plug-ins that will
help you keep a close eye on the overall
| | 00:36 | security and integrity of
your WordPress-powered site.
| | 00:40 | They are WordPress File Monitor, which
monitors for changes made to your site;
| | 00:45 | Exploit Scanner, which scans your site
for signs of hacking; WordPress Security
| | 00:50 | Scan which scans your site
for potential vulnerabilities.
| | 00:54 | We covered WordPress File Monitor and
Exploit Scanner in previous screencasts,
| | 00:59 | so let's look at that third
one, WordPress Security Scan.
| | 01:03 | Here in the Admin area of our WordPress
demo site, we click on the Add New link
| | 01:08 | in the Plugins menu.
| | 01:09 | Then in the Search field we type in
'WordPress Security Scan' or 'WP Security Scan'
| | 01:17 | and click Search Plugins.
| | 01:19 | It's the first result, so go ahead and
click on the Details link to bring up
| | 01:23 | the information panel.
| | 01:24 | The description is complete and
explains that this plug-in scans for security
| | 01:30 | vulnerabilities and suggests corrective actions.
| | 01:35 | The author is well known and reputable.
| | 01:37 | The plug-in is compatible with WordPress
3.1.3, which is the latest, and this plug-in
| | 01:43 | has been downloaded many times.
| | 01:46 | Let's take a look at the
Installation tab by clicking on Installation.
| | 01:50 | This is a typical installation, and
you should have no problems doing so.
| | 01:54 | We have the latest version
installed here on this demo site,
| | 01:57 | so let's go ahead and close out of this
Information panel and scroll down to the
| | 02:03 | new Security menu, which
the plug-in creates for us.
| | 02:07 | Here at the plug-in's main Settings page,
here is sort of the Plugins dashboard,
| | 02:11 | giving you an overview of your site security.
| | 02:14 | If you see anything in red, the
plug-in will provide tips for fixing it, and
| | 02:19 | here's an overview of our server
configuration, PHP info, and so on--again,
| | 02:25 | purely informational.
| | 02:26 | Then you also get a scanner, which
makes it easy to check your files and
| | 02:32 | directories for proper file permissions.
| | 02:35 | We cover this in an earlier video
tutorial in the series. And there's also a
| | 02:40 | password tool for auto generating and
checking for strong passwords, and finally,
| | 02:45 | a database prefix manager that I would
recommend for newer installations, but
| | 02:51 | maybe not when you've got a lot of
plug-ins and/or customizations going on.
| | 02:55 | Granted, this plug-in doesn't actually
do a whole lot, but it does provide you
| | 02:59 | with valuable information about your
site, server details, and WordPress
| | 03:03 | installation in general.
| | 03:05 | However, when used alongside other
plug-ins, such as WordPress File Monitor and
| | 03:10 | Exploit Scanner, the WP Security Scan
plug-in fills in the gaps and lets you see
| | 03:15 | the big picture of what's
going on with your site.
| | 03:18 | In this screencast, we've seen how
to respond properly to bugs and other
| | 03:21 | issues, as well as how to use a variety
of plug-ins to keep a close eye on your
| | 03:25 | site's security.
| Auditing your site| 00:00 | In the screencast, we're going to do sort
of a live security audit on our demo site.
| | 00:06 | This walkthrough will hit the most
important points and provide a good
| | 00:10 | overview that should help bring
together a lot of what we've been talking about
| | 00:14 | in this screencast series.
| | 00:16 | So let's start in the Admin area and go to
the Settings menu and click on the General link.
| | 00:24 | The thing to look at on this page
is right here, Anyone can register.
| | 00:30 | We don't want to enable this right now.
| | 00:32 | If it's ever required later and we
know what we're doing, then yes, we can
| | 00:36 | allow anyone to register.
| | 00:37 | But for now, it's important to
understand that this enables people to register
| | 00:42 | for your site and gain access to the Admin area.
| | 00:47 | Also take a look at New User Default
Role, and leave this set to Subscriber,
| | 00:52 | unless you have a good
reason to do otherwise.
| | 00:55 | After looking at this area, then go to
the Discussion screen by clicking the
| | 01:00 | Discussion link and look at this area
right here, Before a comment appears.
| | 01:06 | An administrator must always
approve the comment is a good idea.
| | 01:10 | Likewise, Comment author must
have previously approved comment.
| | 01:15 | Either that or having them both
checked is a good idea, especially when
| | 01:21 | you're first starting out.
| | 01:23 | As you begin to fine-tune your
discussion settings and know what you want to do
| | 01:28 | then come back in and take a look, and
you can change that to whatever you want.
| | 01:33 | It's important to be aware that this setting
exists, and you want to take a look at that.
| | 01:37 | Next, click on the Privacy link, and
take a look at your site's visibility.
| | 01:43 | Would you like to block search
engines or allow search engines?
| | 01:47 | For this demo site, I am blocking the
search engines because I do not want to
| | 01:51 | diminish my page rank.
| | 01:52 | However, if you have a public site
that you're trying to promote and bring
| | 01:57 | traffic to, make sure that this
setting is set at allow search engines.
| | 02:02 | Once you have that taken care of,
then click on over to the Users menu and
| | 02:07 | click on the Users link.
| | 02:10 | Take a look at the users that are
registered for your site and keep an eye on
| | 02:14 | the number of administrators that you have.
| | 02:17 | When possible, keep your
administrators down to one, or as few as possible.
| | 02:21 | If you see an administrator that
should not be an administrator, check their
| | 02:25 | name and then change the
role using this dropdown menu.
| | 02:31 | Once we've looked at the Users page,
let's go to the Plugins menu, and take a
| | 02:36 | look at the plug-ins that we have installed.
| | 02:38 | Here we should see no inactive or
obsolete plug-ins, plug-ins that are no longer
| | 02:44 | used. Just clear them out, deactivate
them, uninstall them, and remove them.
| | 02:48 | You should only keep plug-ins
around if you're going to be using them.
| | 02:52 | So take a look at your plug-ins and make
sure to keep that area nice and clean.
| | 02:56 | Once we are done in the Admin area,
let's go to our FTP/file editor and take a
| | 03:02 | look at the wp-config.php file.
| | 03:06 | The two things that we want to look
for are the configuration keys right here,
| | 03:11 | your Authentication
Unique Keys as they're called.
| | 03:15 | Make sure you have got those in place,
and also make sure that you have a custom
| | 03:20 | table prefix for your database.
| | 03:22 | We discussed all of this in previous
screencasts in this tutorial series.
| | 03:27 | We also want to make sure that our
wp-config file is protected with htaccess.
| | 03:33 | So let's open the root htaccess file
for our site, and we see right here, one of
| | 03:38 | the first things that we do is
we protect the wp-config file.
| | 03:42 | Once we've finished with the FTP/
file editor, the next step is to look at
| | 03:46 | the database and make sure that we have our
custom prefix in place and working properly.
| | 03:52 | We do. All of our WordPress tables are
prefixed with our custom prefix.
| | 03:57 | Next, let's return to the htaccess
file and look at some of the other
| | 04:02 | things that we have incorporated
into the security strategy for this
| | 04:06 | particular web site.
| | 04:07 | We've disabled directory listings.
| | 04:10 | We are preventing hotlinking,
or stealing of our content.
| | 04:15 | We are blocking what's called
no-referrer spam, and we have implemented a strong
| | 04:22 | firewall with the 5G firewall
with these last five sections here.
| | 04:27 | And lastly, we block unwanted proxy
visits using this slice of htaccess code and
| | 04:36 | a small slice of PHP included in
our header.php file for our theme.
| | 04:44 | Again, all of this is
discussed in previous screencasts.
| | 04:48 | Lastly, let's open our functions.php
file and scroll down to make sure that
| | 04:54 | we're removing the version numbers
and preventing WordPress from telling
| | 04:58 | people what version it is.
| | 05:00 | At the end of our functions.php
file, we have our code in place here.
| | 05:07 | So, everything is set, but remember,
there is no such thing as perfect security.
| | 05:12 | Always assume that someone or
something can get past your best defenses.
| | 05:17 | Even so, this screencast demonstrates
some of the key things to look for in a
| | 05:21 | well-secured WordPress site.
| Choosing a good host| 00:00 | Choosing a good host is 99% of the battle.
| | 00:03 | The old saying 'you get what you
pay for' has never been more true.
| | 00:07 | In this screencast, we'll look at the
different types of hosting and what to
| | 00:11 | look for when choosing a good web host,
and then we'll wrap things up with my
| | 00:15 | personal collection of
reputable and reliable hosts.
| | 00:19 | In general, there are four
different types of hosting:
| | 00:21 | shared, virtual, dedicated and cloud hosting.
| | 00:25 | Shared hosting is good for multiple web
sites on the same server. Generally, it's
| | 00:29 | lower cost than the other types of
hosting, and you can get most of the common
| | 00:33 | features that you need,
such as software, and so on.
| | 00:36 | You also have limited flexibility
and control as one of the downsides.
| | 00:41 | I would say that shared hosting is
probably best for blogs and small sites
| | 00:46 | running standard software.
| | 00:48 | Next is virtual private hosting which is
similar to dedicated hosting, but at a lower price.
| | 00:54 | With virtual private hosting, multiple
sites are stored on the same server in
| | 00:58 | what are called virtual containers.
| | 01:00 | Most virtual private servers provide
root access and full control over features,
| | 01:05 | software, and tools.
| | 01:06 | I would say virtual private servers are
probably best for sites that need more
| | 01:11 | control, but at a lower cost.
| | 01:13 | Next we have dedicated servers which
provide maximum control over the web server.
| | 01:18 | The entire server is dedicated to
your web site, and of course with this kind
| | 01:23 | of service, dedicated servers are
going to be more expensive than other types
| | 01:28 | of hosting options.
| | 01:30 | I would say that dedicated servers
are best for sites needing full control,
| | 01:34 | strong flexibility, and great performance.
| | 01:38 | Next, we have cloud hosting which is
infinitely scalable and designed to handle
| | 01:42 | large traffic spikes.
| | 01:44 | With cloud hosting, sites are hosted
across multiple servers, which are referred
| | 01:49 | to collectively as a cloud.
| | 01:51 | Cloud hosting generally provides all
the features required by most sites and
| | 01:56 | is best for sites with lots of traffic or
lots of unpredictable traffic spikes and surges.
| | 02:02 | When looking for a good host, it's
important to determine your needs.
| | 02:06 | If you have a regular blog or a small
site with moderate traffic, shared hosting
| | 02:11 | is probably going to be fine.
| | 02:13 | For larger sites, needing more
control over software and features, virtual
| | 02:18 | private hosting is probably the best bet.
| | 02:20 | For total control over every aspect,
you want your own dedicated server.
| | 02:25 | And then lastly, if you have a site with
large traffic spikes or massive amounts
| | 02:32 | of traffic, cloud hosting is going
to provide you the scalability and
| | 02:35 | flexibility needed to keep up.
| | 02:39 | A great way to get the scoop on
potential web hosts is to hit the search engines.
| | 02:44 | Google around for stuff like
webhostname review, or webhostname downtime
| | 02:49 | where webhostname is the name of
your host that you are considering.
| | 02:54 | As you search, look for hosting
forums where people are sharing experiences
| | 02:58 | with potential hosts.
| | 03:00 | I've gleaned much insight from reading
about good and bad experiences of others.
| | 03:05 | Along the way, I've put together a
collection of hosts that I found to be pretty
| | 03:09 | great and worth checking out.
| | 03:12 | First there's Media Temple
where I am hosted currently.
| | 03:15 | Media Temple is great.
| | 03:17 | I would stay away from their Grid
Server and go with anything above Grid, dv or
| | 03:23 | ve or any of these other options here,
and you're going to have an excellent
| | 03:27 | experience with them.
| | 03:28 | There is also linode.com which is great
with virtual private hosting and cloud hosting.
| | 03:34 | Laughing Squid, this is an underground favorite.
| | 03:37 | They have excellent customer service, and
their servers are very reliable and consistent.
| | 03:44 | WiredTree has phenomenal service
and some great deals on managed virtual
| | 03:49 | private servers, and so on.
| | 03:52 | Rackspace, if you absolutely need
the best and can afford it, Rackspace
| | 03:57 | should be something that you
definitely look at. midPhase, another great host
| | 04:02 | with affordable prices.
| | 04:04 | Joyent is used by many people
and is another excellent host.
| | 04:10 | There's also squarespace, which
provides just about every kind of hosting you
| | 04:15 | could want and also has
excellent customer service.
| | 04:20 | CloudFlare is another one, and
ServInt.net is another host that you should check
| | 04:26 | out as you begin looking for the
best possible host for your site.
| | 04:31 | To see my entire
collection of collected hosts, visit
| | 04:35 | delicious.com/perishable/hosting.
| | 04:41 | In this screencast, we've explored the
different types of web hosting and what
| | 04:44 | to look for when choosing the
best possible host for your site.
| | 04:47 | I've also shared my private
collection of top hosts to help you get started
| | 04:52 | with your own search.
| | 04:53 | Once you know what you are looking for,
the tips presented here will help you
| | 04:57 | find the best host for your site.
Conclusion
| Next steps| 00:00 | This brings us to the end of our
tutorial series on securing WordPress sites.
| | 00:05 | As you continue your journey
with WordPress, there are many great
| | 00:08 | resources available.
| | 00:10 | Some of my favorites are WordPress Candy,
which is a great resource for
| | 00:15 | a variety of WordPress news, tips,
and tricks; and then WordPress Recipes,
| | 00:20 | which is an awesome resource
for handy WordPress code snippets, code,
| | 00:24 | and tips; and of course Digging into
WordPress, where you will find tons of great
| | 00:29 | WordPress content by myself
and co-author Chris Coyier.
| | 00:34 | I also write about WordPress, site
security, and web design in general at my
| | 00:38 | personal site, perishablepress.com.
And for the official scoop on everything
| | 00:43 | WordPress, make sure to bookmark the
WordPress Codex, which is the official
| | 00:48 | documentation for self-hosted WordPress sites.
| | 00:51 | There is also the WordPress Plugin
Directory, which is the place to go for
| | 00:55 | WordPress plug-ins and themes, and lastly,
the Free Themes Directory where you can
| | 01:01 | find free team-reviewed themes for your site.
| | 01:04 | Of course, as the world's leading
blogging platform, there are many more
| | 01:08 | incredible resources available online.
| | 01:11 | Just visit your favorite
search engine to discover it all.
| | 01:14 | This is Jeff Starr saying thanks for
tuning in and learning more about how to
| | 01:17 | secure your WordPress-powered site.