Archive for 'July, 2009'

**UPDATE** – View my WordPress Security Guide instead of the link below – it has more in depth information to secure your wordpress blog than the post below – and it’s free!

Last month I wrote the Ultimate Guide to Securing WordPress for NetTuts+. It is an all probability one of the longest articles that I’ve ever written (8,000 words). Through about 75 hours of research I wrote an exhaustive guide that is a must-read for every WordPress owner.

What you will learn:

• How to scan and look for exploits in your WordPress site
• How to monitor your WP site for theme file changes
• How to limit access to your WP site
• How to use Secure FTP
• What to look for in a good web host
• How to make your usernames and passwords more secure
• How to lockdown comments and lockout bots
• How to find and monitor errors
• How to use a more secure connection
• What you should change in your wp-config file

I wrote this guide for several reasons. In the last few months I’ve had a few clients that had their wordpress sites broken in to, and I had to fix them and teach them how to implement some wordpress security. A few forums I frequent had some posts where people panicked about cross site scripting (XSS) attacks and wordpress “viruses”. When I started to do some research I found bits and pieces of information all over online, but nothing “all in one place” – and that’s the way this guide was born!

Check out The Ultimate Guide to Securing WordPress, you’ll be glad you did!

If you’re not a NetTuts member, you might instead be interested in my WordPress Security Guide.

I’m going to show you how to export sections of a large wordpress site, since we’re talking about plugins this week. This blog is pretty large now with hundreds of posts and thousands of comments. I get 20-30 comments daily, even when I don’t post a thing. The database is getting pretty big, even though I routinely clean it out and trim it down – it continues to grow.

There are many reasons you may need to export your wordpress database – and one is backup. Maybe you’ve been writing for many years, and want to permanently archive everything more than 2 years old. You could even want to export only things by a certain author, in a certain category, or only all your old drafts. WordPress has an export function, but the only option it currently has is to restrict by “author”. You can’t limit the export by any other criteria.

Check out Advanced Export for WordPress and WPMU:

As you can see in the image, you can selectively export sections of your blog at a time, and then “import” them to another (or the same) blog. You could export an entire category and then delete all those posts from your blog, or you could move them to a completely new site. Maybe you run a multi-author blog and somebody wants a copy of everything they wrote over time. You could even archive all your posts for an entire year in one file.

This export plugin is great, just remember that it’s only for posts. If you want to learn how to export and import a very large wordpress database (including all settings, pages, posts, comments, etc), one of my earlier posts might be better suited for you: “How to Import and Export Very Large MySQL Databases“.

Want to know how to rid WordPress of all spam in one step? I mean ALL spam too, comment spam, pingback and trackback spam – EVERYTHING!

It’s not very often that I come across a plugin that I’ve never heard of, never used before, never read about – and it turns out to be one of the best ones that I’ve used in years! Probably the most famous plugin of all is “Askimet”, not only because it’s included with WordPress, but because it was created (and is constantly updated) by WordPress Founder Matt Mullenweg. It’s been the de-facto standard for so long, I never considered using anything else. What happenned here completely proves that no matter how good something is, there is ALWAYS room for something more outstanding to come along and dethrone it!

I would like to introduce you to the completely free WP-Spamfree Anti-Spam plugin for WordPress! I can honestly say I didn’t initially believe it’s ability to “replace Askimet”, but I was kind of intrigued when I read the description “finally there is an anti-spam plugin for WordPress that provides an effective solution, without CAPTCHA’s, challenge questions, or other inconvenience to site visitors”.

I mean, come on – who isn’t just sick to death of answering a question or those damn captcha’s? So like a wide-eyed housewife who just watched yet another informercial about the greatest way to keep the floors clean with the most revolutionary vacuum EVAR – I installed it just to see what would happen.

Sometimes I get so busy working I don’t get to post to this blog as often as I’d like, but regardless of how infrequent my posting seems to be – it sure doesn’t slow down the amount of incoming comments on a daily basis. With more comments means more spam. If you’re a regular blogger I’m sure you’ve noticed lately the amount of “automated comment spam” that’s been floating about. If you get a comment like “good post – keep up the good work!”, that’s not a real comment, it’s some idiot that is using a web site or automated software to spam blogs all over the world with automated comments. In fact, I’ve found that nearly ALL comments that don’t directly relate to the page they were posted are FAKE.

Some of them are REALLY clever too, let me give you some recent examples:

• “Whats the best free hosting and web site creator service on the net?”
• “Anyone had any luck with 7search.com?”
• “This is great and helpful. Thank you for posting “
• “This is very nice tips… Thanks.”
• “have good information on a good site would be useful to people thank you”
• “What an awesome theme – did you design it yourself?”
• “The idea is very interesting. Maybe someday I’ll do that.”

It’s funny, because I’ve seen many of these comments posted on other (very busy, and very reputable) blogs – but I know for a fact they’re automated SPAM! I might not have thought much about it if I got just one, but when I get a dozen per day with the same phrase and URL – I KNOW for a fact it’s spam!

WP-Spamfree Features:

• Ability to use two different methods to set cookies for regular commenters
• Ability to use an enhanced comment blacklist, which instead of sending comments for moderation – completely blocks them
• Block any commenter’s IP with one click
• Disable pingback’s or trackback’s with one click
• Turn on or off user’s ability to comment behind a proxy
• Turn on or off additional technical data in comment notification emails
• Setup a completely free “contact form” for your blog

Check out the last feature, this Anti-Spam plugin also allows you to setup a completely Spam Free Contact form! So, you might even be able to replace 2 other plugins with WP-SpamFree!

One last thing I’ll show you beore I go, and it’s what got me thinking about this first thing today for this post. WP-Spamfree has cut down my blog spam by 98%, but still once or twice per day one of these idiots that bought auto blog commenting software manage to get a comment through. Take a look at this image:

Every single comment email I get for my blog has these technical details added by WP-Spamfree. Now, I was pretty sure this comment was spam since all it had was 3 sentences completely copied from my post and pasted into the comment, but look at the details – the “Reverse DNS Authenticity” is “Possibly Forged”. That (combined with the comment content) tells me this is bonafide spam. You can’t see it in the image, but above these details is a links to “blacklist this IP address” with one click!

If I were to make a list of the greatest new plugins I’d found in the last year – so far WP-Spamfree would be at the top of my list. I’m proud to recommend it – click here to download WP-Spamfree.

Oh – in case you’re wondering if I’ve actually deactivated Askimet – I have!

One feature you might want to turn off is WordPress post revisions. You might not even know that it’s there. Did you know that every time you make an update to a post or a page in WordPress 2.6+ a “revision” is saved? If you’ve updated the page 100 times, WordPress actually has the last 100 versions stored in your database. Multiply that times all the posts and pages in your web site, and your database could be the morbidly obese! In addition the WordPress “autosave”feature saves a version of your posts while you work, and if you take an hour to write a post a half dozen versions could be “autosaved” during that time.

The table in your database that holds posts is “wp_posts”. If you log into phpMyAdmin to look at your database and click on the “wp_posts” table check how many records you have. For instance, the intial page that pops up when you click on wp_posts usually shows 30 posts. At bottom right it was “page number” – click the dropdown and and see how many pages you have, and times that by 30 (records per page). I had 690 records. My blog has only 201 posts and 26 pages, so I have more than 3 times as many records than I need because of the additional “revisions” that I’ve saved. If you make updates to your posts and pages – you could have many more than that.

Many people feel that “post revisions” should be an optional feature of WordPress – and in fact it is, but by default it’s turned on. If you don’t want to use that feature (and bloat up your database) it’s up to you to turn it off.

You’ll probably kick yourself when you find out how easy this is. I’m going to show you how to turn off post revisions AND change your autosave settings at the same time. Just add the following lines to your ‘wp-config.php’ file:

define(’WP_POST_REVISIONS’, false);
define(’AUTOSAVE_INTERVAL’, 300);

The first line of course turns post revisions off with the false statement, and the second line changes the autosave settings to 300 (seconds), or 5 minutes. I you don’t want to use autosave – then just set it to something really high like 7200 seconds (2 hours).

Oh – if you’re database savvy and know how to run a query in MySQL, you can easily delete all the revisions you’ve stacked up so far by running the following one line of code in phpMyAdmin:

DELETE FROM wp_posts WHERE post_type = “revision”;

If you don’t like mucking around with code, then just install the Delete Revision wordpress plugin, and you can delete your old revisions manually using that!