- Building a design in Photoshop
- Converting Photoshop design to HTML and CSS
- Setting up MAMP on Mac and WAMP on Windows
- Moving HTML and CSS into a WordPress theme
- Building navigation
- Using custom fields
- Creating a commenting system
Skill Level Intermediate
One thing that's going to be very important for us to talk about is WordPress security. We're working locally here, so WordPress security isn't a big deal yet, but ultimately we're going to be moving this site live, out to the web, out in public, and security is a very big deal there. Bad guys want into your site. They want to do nefarious things to it: insert their links to help them out with SEO in some terrible way, redirect your site to their site, all kinds of nasty things.
We're trying to fight against them and make sure they can't get access to do those things. WordPress, unfortunately, because it's basically the world's number one publishing platform, is a big target. Bad guys are always trying to break into WordPress and find exploits for it. It's a little bit akin to the Windows versus Mac thing: Windows is such a bigger target that bad guys are always working on viruses for Windows, because there are so many more Windows computers out there.
There are a lot of WordPress sites out there, so they have all the incentive they need to be working on hacks for it. Some of the simplest things you can do, and absolutely some of the most important as well, come down to picking strong passwords. Ultimately you're going to have FTP access to your site. Make sure that the FTP password is very strong, that your database password is very strong, and that your WordPress login password is very strong as well. That's the user we manage if we go into our Dashboard, into the Admin area, into the Users area.
Now, maybe a year ago or so, mid-2009, there was an exploit found in WordPress that was able to create a new admin user, and that user would have access to do everything to your account: change things in the database, of course, because they have access back here, which is where we do that, and change your theme as well, because you can literally edit your theme files from the Appearance Editor. So if somebody gets access to the backend of the site, they can really trash it.
So that's no good. Make sure your passwords are strong. Now, another important consideration: when we move this site live to the web through an FTP client, all those files have certain file permissions, which control who is allowed to read and edit them. If you're in an FTP client and you right-click on a file and choose Get Info, you'll see those permissions. The files I'm talking about here are the core WordPress files in our htdocs folder.
The numbers we're shooting for: files have a permission of 644 and folders have a permission of 755. Those are the numbers that keep things locked down. Now, there are a number of security precautions that we can take directly in this wp-config file. I'm going to double-click it to open it in our code editor. You remember that at the top of this file we had to edit it to add the database user, the database password and the database name. We didn't do anything else in here, and WordPress recommends that, for one thing, we set up these authentication keys. This is just an easy, quick step.
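The 644/755 targets above can be checked mechanically rather than file by file in an FTP client. The following shell script is an added example, not code from the course or from WordPress: it audits a directory tree for any file that is not 644 or folder that is not 755, can reset them, and builds a constructed miniature htdocs (the file names in it are made up) so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the course): audit a WordPress tree for the
# permissions the lesson recommends, 644 for files and 755 for folders.
# Assumes a POSIX shell with find/chmod; the sample tree below is constructed.

# Print every file that is not exactly 644 and every directory that is not
# exactly 755, one per line, prefixed with "file" or "dir".
wp_perm_audit() {
    root="$1"
    find "$root" -type f ! -perm 644 -print | sed 's/^/file /'
    find "$root" -type d ! -perm 755 -print | sed 's/^/dir  /'
}

# Number of offending paths; zero means the tree matches the targets.
wp_perm_count() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Reset the whole tree to 644/755. Run this after reviewing the audit output,
# since some hosts deliberately keep wp-config.php tighter than 644.
wp_perm_fix() {
    root="$1"
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type d -exec chmod 755 {} +
}

# Constructed sample: a miniature htdocs with two deliberately loose entries.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-content/uploads"
    printf '<?php\n' > "$d/index.php"
    printf '<?php\n' > "$d/wp-config.php"
    printf '<?php\n' > "$d/wp-admin/admin.php"
    chmod 755 "$d" "$d/wp-admin" "$d/wp-content"
    chmod 644 "$d/index.php" "$d/wp-admin/admin.php"
    chmod 666 "$d/wp-config.php"       # world-writable file: should be flagged
    chmod 777 "$d/wp-content/uploads"  # world-writable folder: should be flagged
    printf '%s\n' "$d"
}

# Usage: sh wp-perms.sh /path/to/htdocs        (audit only)
#        sh wp-perms.sh /path/to/htdocs fix    (repair, then audit)
if [ $# -gt 0 ]; then
    if [ "${2:-}" = fix ]; then
        wp_perm_fix "$1"
    fi
    wp_perm_audit "$1"
    printf 'offending paths: %s\n' "$(wp_perm_count "$1")"
fi
```

The audit lists a world-writable wp-config.php and a 777 uploads folder, and after the fix it lists nothing. Running the audit from cron on the live server catches permissions that drift after a plug-in install or a careless FTP upload.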
It gives you a URL that you can put into your browser, and it's going to give you code to replace this block with. I have that open here. We can just copy and paste that code in as an extra security measure. Below that is this thing called table_prefix. You can see its value is wp_. I'm going to go ahead and open up the database that we're using to run our WordPress site locally, using this free software, Sequel Pro. I have it open here. I'm going to connect to our local MySQL server and choose the WordPress database that we set up when we installed WordPress.
It's populated with the tables for all of our WordPress data, and you can see that each one of these tables starts with wp_. So we could literally come in here and change the prefix on each one of these tables. If we do that, it's going to break our WordPress site until we come back to wp-config and change table_prefix to match. Now, the reason you would do that is that a bad guy might try to get access to your site, and if they do get access, run a bunch of scripts to insert or delete stuff from your database, and those scripts probably depend on the default table_prefix.
So if you change yours, their scripts will break and you'll be safe, so it's a security measure that way. Now, one of the most important things in regards to security is not only prevention but being able to roll back to a non-hacked site in case your site is hacked. I'm talking about backups. When you're talking about backups in WordPress, we're talking about two different things: the files, your theme, all that stuff that we've been working on, basically our theme folder here and anything else that we've edited in WordPress-land, and the database as well.
So we need to back up both of those things. You can do it manually: log in through FTP, grab all these files, drag them to your Desktop, burn them to a CD and mail it to your mom, anything like that. You can also have it done for you. For the database, there's a great plug-in called WP-DBManager. So if you go to wordpress.org, into the Plugin Directory, and look for WP-DBManager (it's at this URL), go ahead and download it, install it to your site, and activate it from the Plugins menu.
There are a few steps that you have to take, but it allows you to do on-demand backups of your database, and you can even have it email you your database, say on a daily basis. So if all of a sudden you found out your site was hacked or there was a database problem, you would have a copy of your WordPress database from before the hack. That's a great plug-in for that. Now, another one that I really like is called WordPress File Monitor. It looks at all the different files from your installation, literally all of these files, and watches to see if they ever change.
If any file changes, you can have it notify you. Again, you just activate it as a plug-in and it adds a new setting. Go under Settings there and you can give it an email address to send those notifications to. If you have specific files that you don't want to be notified about, you can put their paths here, for example new uploads or cache folders. You wouldn't want to be notified of those changing, but anything else, yes. So if a bad guy gets into your site and changes a file, you get an email that says a file changed, and since you weren't in there doing anything, you'd know right away that something is happening.
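A file monitor of the kind described above can also run outside WordPress, which matters because a plug-in that lives inside the site can itself be edited by whoever got in. The following shell script is an added example (not the course's code and not the File Monitor plug-in): it hashes every file under the WordPress root, skips the uploads and cache folders the way the lesson suggests, and reports files that were added, modified or removed since a saved baseline. The sample site it builds and the changes it makes to it are constructed.

```shell
#!/bin/sh
# Added example (not from the course, and not the File Monitor plug-in's code):
# a minimal file-change monitor. It records a SHA-256 baseline of every file
# under the WordPress root, leaves out folders whose churn is expected, and
# reports added, modified and removed files against that baseline.
# Assumes find, awk and sha256sum (set WPFIM_HASH="shasum -a 256" on macOS)
# and file paths without spaces.

WPFIM_HASH=${WPFIM_HASH:-sha256sum}
# Folders, relative to the WordPress root, to leave out of the baseline.
WPFIM_EXCLUDE="./wp-content/uploads ./wp-content/cache"

# Write "hash path" for every tracked file, sorted by path.
wpfim_manifest() {
    ( cd "$1" && find . -type f -exec $WPFIM_HASH {} + ) |
    awk -v ex="$WPFIM_EXCLUDE" '
        BEGIN { n = split(ex, pre, " ") }
        {
            skip = 0
            for (i = 1; i <= n; i++) if (index($2, pre[i] "/") == 1) skip = 1
            if (!skip) print $1, $2
        }' | sort -k2
}

# Compare a baseline manifest with a current one; one line per change.
wpfim_compare() {
    awk '
        NR == FNR { base[$2] = $1; next }
        {
            cur[$2] = $1
            if (!($2 in base))        print "ADDED    " $2
            else if (base[$2] != $1)  print "MODIFIED " $2
        }
        END { for (p in base) if (!(p in cur)) print "REMOVED  " p }
    ' "$1" "$2" | sort
}

# Constructed sample site so the script runs stand-alone.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-content/themes/mytheme" "$d/wp-content/uploads"
    printf '<?php // index\n'  > "$d/index.php"
    printf '<?php // admin\n'  > "$d/wp-admin/admin.php"
    printf '<?php // header\n' > "$d/wp-content/themes/mytheme/header.php"
    printf 'image bytes\n'     > "$d/wp-content/uploads/photo.jpg"
    printf '%s\n' "$d"
}

# Constructed changes: one edited theme file, one new PHP file outside uploads,
# one removed core file, plus a routine upload that must not be reported.
simulate_changes() {
    printf '<?php // header\n// unexpected edit\n' > "$1/wp-content/themes/mytheme/header.php"
    printf '<?php // unexpected file\n'            > "$1/wp-content/unexpected.php"
    rm "$1/wp-admin/admin.php"
    printf 'another image\n'                       > "$1/wp-content/uploads/new.jpg"
}

# Usage: sh wpfim.sh baseline /path/to/wordpress > baseline.txt
#        sh wpfim.sh check    /path/to/wordpress baseline.txt
if [ $# -ge 2 ]; then
    case "$1" in
        baseline) wpfim_manifest "$2" ;;
        check)    tmp=$(mktemp); wpfim_manifest "$2" > "$tmp"
                  wpfim_compare "$3" "$tmp"; rm -f "$tmp" ;;
    esac
fi
```

Take the baseline once after a clean install or deploy, keep it somewhere other than the web server, and run the check from cron; piping a non-empty report to mail gives you the same email notification the plug-in sends. Rebuild the baseline after every legitimate WordPress, theme or plug-in update, otherwise the next report is all noise.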
Now, there's one more thing that deals with both database backups and file backups combined into one. The company behind WordPress is called Automattic, and they have another product called VaultPress. It's an online service. It's not free, but it's not too expensive either; I think it's $15 a month or $40 a month. It's a plug-in you install on your WordPress site, and it backs up your database and all the files from your site, combined, securely to their servers.
It does all of that, and then it looks through all those files for potential security problems and tells you about them. So it's an all-in-one, cloud-based backup solution, so your data is safe up there, and a security monitoring tool. If your site is important enough to need all this, definitely consider VaultPress as a tool, and definitely take security seriously on your site.