JTPRATT Wordpress Consultant

Archive for 'August, 2009'


WordPress Affiliate Niche Store Theme for Download

Posted in: Affiliate Store, Datafeedr, Themes, Wordpress
  |  by: admin
Tags: affiliate, affiliate store, affiliate theme download, BANS, bayrss download, build, cell phone wordpress themes, datafeedR, download build a niche store, jtpratt, jtpratt.com, niche store, sponsor theme, store theme wordpress, Themes, video game related wordpress themes, word press for niche stores, Wordpress, wordpress affiliate, wordpress affiliate shop theme, wordpress affiliate store, wordpress affiliate store theme, wordpress computer store theme, wordpress ebay store theme, wordpress header graphics for cell phones, wordpress niche, wordpress niche blog store plg in, wordpress store, wordpress store theme, wordpress store themes, wordpress themes with affiliate stores, wordpress-theme

If you’ve been looking for a WordPress Affiliate Store Theme or WordPress Niche Store theme for download – you came to the right place! Brian from TemplateLite.com WordPress Themes contacted me about sponsoring a theme, and I knew this would be a great way to build links. I’ve written so many posts on this blog about niche stores and WordPress affiliate stores – many of you will make great use of this theme!

I can’t tell you how many hours I’ve spent searching online for the perfect theme for a WordPress “store” because I wanted to either feature eBay auctions or set up a product store with datafeedr. Sometimes when you feature products, all you want is a simple theme with a single sidebar and a high level search box. So I present to you the “Mouse IT WordPress 7-in-1 Affiliate Store Theme”!

This is what the theme looks like:

Wordpress Mouse IT Theme

I like gadgets, computers, and electronics, and these are the types of sites I tend to set up most frequently. I decided it would be great to take this theme and set it up with the most common types of electronics in the header image. This way more of you will be able to take advantage of it!

Here’s a cell phone WordPress theme:

Wordpress Affiliate Niche Store Cellphone Theme


And this version is a computer WordPress Theme:

Wordpress Affiliate Niche Store Computer Theme


This is an iPod or MP3 Player WordPress Theme:

Wordpress Affiliate Niche Store iPod Theme


This is a laptop or mobile electronics WordPress Theme:

Wordpress Affiliate Niche Store Laptop Theme


This is an LCD TV or HD TV WordPress Theme:

Wordpress Affiliate Niche Store LCD TV Theme


This is a video game WordPress Theme:

Wordpress Affiliate Niche Store Video Game Theme


I call this a “7-in-1” WordPress theme because you get all 7 designs in one theme! Instructions are in the download for switching out the header graphic for any one of the 7 designs above! If you are planning on setting up any electronics related WordPress site, you should be covered by one of these. If you want to try your hand at creating your own WordPress theme, read my post on Artisteer. If you’re interested in sponsoring a WordPress theme and generating thousands of links back to your web site, read my post on sponsoring a theme.

Download this theme now below


31AUG

WordPress Security Guide: Part 5 – Blocking Spam and Hack Attempts

Posted in: Blog Setup, Blogging, Plugins, Wordpress
  |  by: admin
Tags: build, directory, jtpratt, jtpratt.com, missing wordpress firewall plugin options, plugin, security guide, Themes, Wordpress, Wordpress security, wordpress security guide, wordpress-hacks, wordpress-theme

This section of my WordPress Security Guide deals with how to block spam and hack attempts.  Do you have any idea how many times per day someone or something tries to break into your web site?  Server admins that review the log files know because they see them every day, but as a blogger you may have no clue how often it happens.

I want you to think about this for a second… if you were sitting in your living room watching TV and five times an hour you heard somebody wiggle all your door handles and windows to see if they were locked or unlocked – wouldn’t you think about beefing up security a bit? This is exactly what is already happening on your blog 24 hours a day!

Hackers and spammers want to hack or hijack your web site to install scripts, build links, hijack your traffic, and more.  Don’t believe me?  Not worried because you’ve never been hacked?  Talk to some of my clients on my testimonials page – they thought it would never happen to them either.

Here are some of the most common WordPress hacks I hear about every week:

  • Our WordPress blog has been hit by the Spam Link Injection Hack
  • WordPress exploit: wordpress_options
  • WordPress hack: sattan.org spam redirect in wp-blog-header.php files
  • WordPress QahTaN-SniPer Hack
  • WordPress google redirect hack

Those are just a very few out of dozens and dozens.  So now let’s get started figuring out how to block all these bad guys!


Do you get a lot of spammy comments on your web site? If you allow users to register on your blog, do you get some accounts that seem to be created by automated software or bots? If you’re not protected against these kinds of things, you are encouraging “bad behaviour” on your blog. WordPress comes with “Akismet” out of the box, a plugin that does a pretty decent job at cutting out spam comments – but some still manage to slip through, don’t they? Consider some additional protection such as WP Spamfree. I recommend Spamfree because it works silently, and unlike other plugins it requires no intervention from the user at all, such as challenge questions or CAPTCHAs. It gets rid of automated comments from bots, and trackback and pingback spam. In addition, it works with WP Cache and Super Cache, as well as WordPress MU. Oh – did I mention it’s updated (as of this writing) to work with even WordPress 2.9 (which isn’t even out yet)? This plugin can be used with Akismet activated, but says it’s not necessary. I actually got rid of Akismet when I installed this – and personally I think it works much better. I know that it gets out double the amount of spam comments that Akismet did.

wp-spamfree-options

Once you install WP Spamfree “it just works”. It says in the documentation that it will work just fine with Akismet activated, but it’s not necessary (because this plugin is more effective). If you allow users to register on your WordPress site, you are a target. Installing a WordPress plugin to Prevent Bot Registrations will save you a lot of headache. It will keep bots from registering on your site: it blocks any bot whose IP shows up more than twice, anyone listed in Spamhaus, or anyone that you’ve blacklisted.

bot-block

You’ve blocked the bots and the spam, but what if a live person gets through, intent on crafting a comment that does your site harm? Some of the latest attacks infecting blogs use “XSS” or cross-site scripting. To guard against that you could install HTML Purified. It replaces the default WordPress comment filter with a super HTML filtering library. It produces XHTML compliant code for your comments, but more importantly it’s “XSS Safe”. You have fine grained control over what tags are allowed, and whether or not to filter admin users as well.

html-purified

Another incredible plugin I’ve found recently is WordPress Firewall. I have to say – this thing is great! I’ve installed a lot of plugins to do individual things, but WP Firewall seems to kill a lot of birds with one stone. Here are some of the features:

  • WP Firewall configures itself as the first plugin to load for better security
  • It looks at suspicious incoming requests to protect your WordPress files and other plugin files as well
  • Attacker requests get a 404 error page or home page redirect
  • Turn on or off “directory indexing”
  • WP Firewall can detect SQL injection attacks
  • Can detect wordpress specific database attacks
  • it can block executable file uploads
  • email alerts for attack attempts

If you want to know how well it works, check out this email I got within 24 hours of installing it:

wp-firewall-email

Unbelievable, huh!? Out of all the free WordPress security plugins available, I think that WordPress Firewall is one of the best so far.

Tracking Errors and Hack Attempts

I think in addition to blocking spam and hackers, it’s also important to track your errors and hack attempts if you can, and review them on a regular basis.  Check out the following plugins to watch what’s going on in your WordPress blog:

Tripwire

Tripwire is a plugin that scans for changed files within your wordpress site. Once installed all you have to do is tell it how many days back to check, and it will list all the files that have been changed in that period. In the case of my example image, I had upgraded WordPress on June 11th, and all those files were listed. If you check your files for the last 30 days and lots of files have been changed (and you didn’t upgrade everything) – you may have an issue. It’s worth mentioning again that the WP Antivirus plugin will check your wordpress theme files and email you automatically if one of them has a suspected virus. Tripwire will check all the files in your WordPress site, but has no automatic notification.

tripwire-example

Login Lockdown

Login Lockdown is a plugin that monitors login attempts to your WordPress site. It records the IP address and timestamp of every attempt. If there are a certain number of attempts within a period of time, logins are disabled for that IP range. The default is 3 failed login attempts within 5 minutes, and the lockout time is 1 hour. You can of course change these in the plugin options to any amount you want. Without this plugin installed, you would never know if you have failed login attempts at all.
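The lockout rule described above, as an added example (not Login Lockdown's own code): three failures inside five minutes lock the whole IP range for an hour. Treating a "range" as the IPv4 /24 (IPv6 /64) and not resetting the failure count on a successful login are assumptions, and the events are constructed.

```python
import ipaddress
from collections import defaultdict, deque


class LoginLockdown:
    """Failed-login lockout keyed by IP range; defaults follow the text above."""

    def __init__(self, max_failures=3, window=300, lockout=3600,
                 v4_prefix=24, v6_prefix=64):
        self.max_failures = max_failures   # failures that trigger a lockout
        self.window = window               # seconds in which they must occur
        self.lockout = lockout             # seconds the range stays locked
        self.v4_prefix = v4_prefix         # assumption: "IP range" means a /24
        self.v6_prefix = v6_prefix         # assumption: /64 for IPv6 clients
        self.failures = defaultdict(deque) # range -> recent failure timestamps
        self.locked_until = {}             # range -> unlock timestamp

    def _range(self, ip):
        addr = ipaddress.ip_address(ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def attempt(self, ip, password_ok, now):
        """Return 'allowed', 'failed' or 'locked' for one login attempt."""
        key = self._range(ip)
        until = self.locked_until.get(key)
        if until is not None:
            if now < until:
                # Locked ranges are refused before the password is even checked.
                return "locked"
            del self.locked_until[key]
        if password_ok:
            return "allowed"
        recent = self.failures[key]
        # Forget failures that have aged out of the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"


# Constructed events: (seconds since start, client IP, password correct?)
SAMPLE_EVENTS = [
    (0,    "198.51.100.7",  False),
    (0,    "203.0.113.5",   False),
    (60,   "198.51.100.9",  False),  # different host, same /24
    (100,  "203.0.113.5",   False),
    (120,  "198.51.100.7",  False),  # third failure in the range within 5 min
    (200,  "198.51.100.50", True),   # right password, but the range is locked
    (400,  "203.0.113.5",   False),  # first failure has aged out: only 2 count
    (3719, "198.51.100.7",  True),   # one second before the lock expires
    (3720, "198.51.100.7",  True),   # lock expired
]


def replay(events):
    """Run the events through a fresh policy and return each outcome."""
    policy = LoginLockdown()
    return [policy.attempt(ip, ok, now) for now, ip, ok in events]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

Locking the whole range means one noisy neighbour on a shared network can lock out legitimate users in the same block, which is worth remembering when you tune the thresholds.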

Error Reporting

Error Reporting is a WordPress plugin that will save any errors your WordPress generates in a log file for you to view. In the configuration options you can choose what kinds of errors are saved, from what folders, and if you want repeat errors to be saved more than once. You can even choose to have the errors sent to you in email. I like this plugin because it also detects failed ping attempts as well. Every WordPress site has errors from time to time, and sometimes they only occur once or twice. It becomes problematic if you get constant errors from a theme, plugin, or WordPress itself. A plugin like this is the only way to check for those errors. Even if you can’t take care of the problem yourself, you will at least have an error message to ask about in WordPress Support, or to give a WordPress consultant. Here’s an image of the log file options for the “Error Reporting plugin”:

error-reporting

404 Notifier

Another handy plugin is “404 Notifier”. Once installed, it will email you each time your site generates a “404 Not Found” error. This is helpful in 2 regards. First, if you get errors for the same page all the time – you can fix them by creating that page. More importantly (and most likely) the errors you get will be ones you won’t expect, like missing CSS files or includes for plugins or themes – and you can fix those too. The second reason is probably one you don’t know about: many attackers will send your site a garbage request such as “http://mysite.com/crap/garbargeurl?=3o2349-admeknow.js” or something like that. It’s basically just a quick check to see what your server will do (generate a 404 error, or show a directory index), and also to check if you’re running WordPress (or something else), and what version. This by itself isn’t enough information, but it’s a good start. I once had a site that received hundreds of incoming garbage requests like this per day, and I found them in the logs about a month later. A 404 notification plugin like this would have clued me in right away. You can then block the incoming IP address they are coming from, and you can always contact support at your web host for assistance with something like this (or follow the directions earlier to limit access to your site using your .htaccess file). Here’s an image of the 404 Notifier setup options. You’ll see that not only can you get email notification, but the events are also saved via RSS feed as well.

404-notifier
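The two uses of 404 data described above can be separated straight from the web server log. This is an added example, not part of 404 Notifier: it assumes Apache's combined log format, the thresholds and function name are illustrative, and every log line is constructed (the first path is the garbage URL quoted above).

```python
import re
from collections import defaultdict

# Apache common/combined log line: client, ident, user, [time], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.23 - - [31/Aug/2009:10:00:01 +0000] "GET /crap/garbargeurl?=3o2349-admeknow.js HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.23 - - [31/Aug/2009:10:00:02 +0000] "GET /zzz/no-such-dir/ HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.23 - - [31/Aug/2009:10:00:03 +0000] "GET /qwerty123.php HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.10 - - [31/Aug/2009:10:05:00 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [31/Aug/2009:10:05:01 +0000] "GET /wp-content/themes/example/print.css HTTP/1.1" 404 512 "http://mysite.com/" "Mozilla/5.0"',
    '203.0.113.11 - - [31/Aug/2009:11:15:09 +0000] "GET /wp-content/themes/example/print.css HTTP/1.1" 404 512 "http://mysite.com/" "Mozilla/5.0"',
    '192.0.2.44 - - [31/Aug/2009:12:00:00 +0000] "GET /old-post HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    'this line is not a log entry and is skipped',
]


def triage_404s(lines, probe_paths=3, broken_clients=2):
    """Split 404s into probable broken links and probable probing clients.

    A client that hits `probe_paths` or more *different* missing URLs is
    treated as probing. A missing URL requested by `broken_clients` or more
    ordinary clients is treated as a broken link worth fixing.
    Returns (sorted list of broken paths, {probing ip: distinct 404 paths}).
    """
    paths_by_ip = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue
        paths_by_ip[m["ip"]].add(m["path"])

    probers = {ip: len(paths) for ip, paths in paths_by_ip.items()
               if len(paths) >= probe_paths}

    # Ignore the probers' noise when looking for genuinely broken links.
    clients_by_path = defaultdict(set)
    for ip, paths in paths_by_ip.items():
        if ip in probers:
            continue
        for path in paths:
            clients_by_path[path].add(ip)

    broken = sorted(path for path, ips in clients_by_path.items()
                    if len(ips) >= broken_clients)
    return broken, probers


if __name__ == "__main__":
    broken, probers = triage_404s(SAMPLE_LOG)
    print("fix these missing files:", broken)
    print("review or block these clients:", probers)
```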

With all of these tracking and notification plugins – your mileage may vary. I would recommend trying them all one by one, to see how they work for you. Also remember, you may not need to have them turned on all the time. You could run tripwire as needed, run login lockdown all the time, and turn on error reporting and 404 notifier as you feel necessary.

Stay tuned, the next installment of my WordPress Security Guide will go over how to use secure connections to make sure your usernames and passwords aren’t jacked each and every time you login!

Visit the WordPress Security Guide home to skip to other sections

Need Help Quick? Just Hire Me.
Wordpress security services

28AUG

7 Ways To Promote Yourself With Your Blog

Posted in: Blogging, Blogging Mistakes, Content, Promotion
  |  by: admin
Tags: build, jtpratt, jtpratt.com, most successful blogger, most successful bloggers, Promotion, Wordpress

Are you using your WordPress blog to promote yourself?

I’ve been very busy for the last month, and I’ve asked a select few people if they would like to submit a guest post. Rather than ask the “gurus” to post on my blog, I’d much rather have you hear from people just like yourself that have been working hard to build their site with some real elbow grease! Bobbi Linkemer writes for a living, she’s authored 14 books – and I felt she would have a pretty good perspective on promoting your own services through a blog. I hope you enjoy this post, and if you would like to share your real world experiences, frustrations, or just ask me questions that I can respond to in a future post – please fill out my contact form.

7 Ways to Promote Yourself With Your Blog
By Bobbi Linkemer

Times have changed since the earliest bloggers wrote what were little more than on-line journals. According to Technorati, 150,000 new blogs are launched every day, and many of them are intended for a far wider audience than their pioneering predecessors. One of the significant reasons for creating a blog is to promote an individual or a business. What follows are seven ways to promote yourself or your enterprise by blogging:

1. Define your purpose.

Before you start designing your blog on WordPress, Blogger, or Godaddy, take some time to think about why you want to do this. It may be that you just need to emote or rant, but as business objectives, those are unlikely to attract the kind of followers you want. Think of your blog as an equation: purpose + content + packaging = subscribers. It’s a foolproof formula for successful blogging.

2. Develop a following of loyal readers.

All writers crave readers. Bloggers certainly do. If you have what you think is a compelling message, naturally, you want others to read it and become captivated. But one visit to your blog is not enough. You want readers to return, again and again. In fact, you want them to subscribe and have your blog land in their e-mail inboxes every time you post. Your blog host does its part by providing RSS feeds and widgets to make subscribing easy. Learn about these tools, and take advantage of them.

3. Demonstrate your expertise.

There is a lot of competition for attention out there on the WWW. Why should people read what you have to say? You may be an expert on your subject matter, but don’t assume everyone knows it. In fact, you have to prove it with every blog post. It may be the first time someone has been to your blog, or he may be deciding whether to subscribe or move on. Give people a reason to read and return.

4. Provide something of value.

The first rule of having a presence on the Web is to create a benefit for anyone who lands on your site. Web surfers have short attention spans. There is so much to see and so little time. If they don’t find a reason to read past your first line, they are gone in a click. The old WIIFM (what’s in it for me?) applies. Most successful bloggers are generous. So, give away lots of free information.

5. Inform, teach, guide, or entertain.

The content of that information is important because it relates to the purpose of your blog. With every post, remind yourself of what you want to accomplish, and check to see if you are succeeding. If your goal is to teach, then provide facts, news, instruction, advice, or guidance readers can use. If it is to provoke, don’t abandon good taste. The word “provocative” means many things, including irritating, infuriating, insulting, and inflammatory. If self-promotion is your intent, those are hardly the ways to achieve it.

6. Create and reinforce your brand.

Branding products is not a new idea, but branding yourself may be. You are your brand; and everything you do, say, or write is a way to expose and expand awareness of your brand to a potentially huge audience. Remember, WWW stands for World Wide Web. That means your message and the way it is presented are being broadcast all around the world. Be consistent, be careful, be creative.

7. Sell your ideas, services, or products

There is a caveat here: You have products, even if they are concepts, ideas, or philosophies. If you’re in business, what you are selling may be more concrete. But, even though selling is part of your purpose, if your blog is one big, online commercial, people may not find that worth too many return visits.

Remember: Content is king.
You have to have something to say, something worth reading. But WIIFM applies to you, as well as your reader. What’s in it for you to be blogging? Well, if you are a writer, it won’t be difficult; you already have the skills. If you love to write, as I do, it will be rewarding and fun. But even if neither of those applies, you will be getting your name, your brand, and your message out to many people who will benefit from what you have to say. That’s called a win-win situation.

About the author:

Bobbi Linkemer is a ghostwriter, book coach, editor, and the author of 14 books. Her articles on all aspects of writing appear on more than 35 article sites on the Web, including top-ranked EzineArticles.com. Bobbi has been a professional writer for 40 years, a magazine editor and journalist, and a book-writing teacher. Her clients range from Fortune 100 companies to entrepreneurs and individuals who want to write nonfiction books in order to build their businesses or share their stories.

You can find Bobbi at the following:

Website: http://www.WriteANonfictionBook.com
E-mail: bobbi@writeanonfictionbook.com
The Writing Life: http://writeanonfictionbook.blogspot.com
PRISM: http://www.bobbi-linkemer.blogspot.com
Twitter: http://twitter.com/BobbiLinkemer
Phone: 314-968-8661
Cell: 314-495-8589

26AUG

Build Links: Sponsor a WordPress Theme

Posted in: Blogging, Google, Linkbuilding, Pagerank, Promotion, SEO, Wordpress
  |  by: admin
Tags: backlinks, build, jtpratt, jtpratt.com, linkbuilding, sponsor, Wordpress, wordpress-theme

If you want to build links, sponsoring a WordPress Theme is one of the most sure-fire ways I know of for quality backlinks!

I’ve taken on a lot of WordPress clients this year, and one of the most frequent things I’m asked to do for people is to build links, or get them ranked in the search engines higher so they’ll get more traffic (and make more money). Some people contact me just plain asking for better ways to build links. If you’ve been a reader of my blog for any period of time – you know that I don’t like “gurus”, and I don’t like “quick fixes”. The last thing I want is some crazy kind of link building strategy that works for about a month and then gets you knocked out of Google completely!

In analyzing my own competition for this blog I’ve found that the best way to get massive links back to your site for targeted keywords is to get your link added to the bottom of a WordPress theme. My main competitor has over one million backlinks for this very reason, and has only released a single WP theme to date.

You basically have three options:

  • Design and code your own WordPress theme and release it
  • Pay someone to design and code a WordPress theme and release it
  • Sponsor a WordPress theme design and have your link added to the footer

So many clients have asked me for this (or how to do this) I can now offer you the following options:

  1. If you’re not a coder or designer read my post How to Create a WordPress Theme in Minutes
  2. Hire Me to design and code a WordPress theme for you to release
  3. Contact Me to sponsor a WordPress Theme for as little as $200

By choosing one of those 3 options you can either figure out how to create your own custom WordPress theme (with no technical experience), you can hire me to create a custom one for you, or you can sponsor a WordPress theme on a popular WP Theme download site.

The third option only recently became available through a new partner of mine, and now I can offer you WordPress Theme Sponsorship for as little as $200 per 1,000 downloads. Imagine if a theme is downloaded 1,000 times and only half of those people use it on a live site. Let’s say each installed theme is worth about 20 links minimum the first month, that’s 1,000 backlinks! If only half of those people keep blogging beyond a month, that’s 500 new backlinks each and every month they continue blogging!

Considering most link building services charge nearly $200 for just 100 PR1 or PR2 links (more for higher PR) – I believe this is a steal for building links. So much so that I’m only prepared to offer it to the first 10 people that contact me through the form below. I’ve never offered a linkbuilding service like this directly to my readers before (and I may never again). Don’t hesitate if you’re interested, you may miss your chance.

25AUG

WordPress Security Guide: Part 4 – Webhosting and Login Security

Posted in: Blog Setup, Blogging, Blogging Mistakes
  |  by: admin
Tags: intern, jtpratt, jtpratt.com, security guide, Wordpress, wordpress blogs, wordpress login security, Wordpress security, wordpress security guide

It never ceases to amaze me how many people aren’t worried at all about WordPress security. They just go along every day thinking their blog can never be hacked into because it “never has”. That’s like thinking you’ll never get into an accident because you’ve always been careful, or you’ll never need health insurance because you’ve never been sick.

If you’re reading this post right now, chances are you’ve reached my web site because you are investing a lot of time online – your business might even be online. You are working hard, and if someone broke into your WordPress web site you could lose a lot of work, time, and money. Today we’re going to talk about webhosting and usernames and passwords. These are two areas you can easily tighten up your security.

This is Part 4 of my WordPress Security Guide, be sure to read the other parts in the series to be fully protected.

Things to Ask a Web Hosting Company


The cost of a web host has nothing to do with the security or competence of their support department. If you have a web host, or are looking for a new one, just try two simple google searches for your host: “webhostname sucks” and “webhostname hacked”. Replace ‘webhostname’ with the name of the host you want information on. Then, read the blog and forum posts of people that had problems with that host. This takes only a few minutes and it’s always good to get some “real world” opinions. It’s also good to see if a host has just a few complaints, or hundreds. Next, ask your current or potential host some very important questions.

  • How often are backups performed? If you ever are hacked, you need to know you can get your data restored ASAP!
    • How far back are backups kept for?
    • At what time of day are they performed?
    • Can I specify a specific date and time for a restore?
  • Do they offer “SFTP” or “secure” FTP? If not, you don’t want to host with them (explained later)
  • What “account” does the apache web server use to serve pages? It should use a “www-data” type user so your files in your hosting account run under your user, and other hosting accounts on the same (shared) server run under their own user – helping to prevent cross-account attacks.
  • Does MySQL run on the same server as the web server? Better web hosts typically have MySQL databases running on separate servers.
  • Does your web host allow “777” file permissions? Not only is this dangerous, but not necessary. Normally “755” permissions are all that’s necessary for any web site, and hosts that don’t allow “777” permissions (writeable by all groups) are normally more security conscious than those that do.
  • Could a virus from another user’s web site infect mine? If no, why not? Have your current or potential web hosting company explain to you exactly what precautions they’ve taken to ensure that one infected account can’t take down an entire server. Companies that can’t answer this question with an intelligent answer aren’t worth doing business with.

On top of all this, you want to make sure that if something bad happens you find out about it right away and there’s someone to talk to at all times in support. Ask if your current or potential web hosting company has 24/7 monitoring, and if they have toll free support via phone 24/7 as well. In addition, it never hurts to call a company at midnight to see if a live person actually picks up – or it goes to an answering or “call-back” service.

I get asked a LOT which web hosts I would recommend. Here are shared web hosting companies that I personally use and would recommend:

Hostgator: I’ve been using Hostgator a loooong time, and they are on top of security. You can use secure FTP to transfer files and you can login to your web control panel securely. They have helped me with hacked sites, and can tell you the exact date and time files were changed (and most times by whom). This is a North American company with a North American data center.

Servage: Servage has also been a hosting company I’ve been using for years. They have their own internal control panel with lots of features, and you can use secure FTP here as well. The control panel login is secure (https), and they take security very seriously. This is a European company with a European data center.

How to make BOTH usernames and passwords MORE secure


Choose strong usernames and passwords: By default every WordPress powered site starts with an “admin account”. Every hacker in the world knows that nearly all wordpress sites have this account. So the first thing you should do is create a new account, grant it “administrator” access, and delete the “admin” account.

Strong Usernames: Make your username unique by using both letters and numbers, and make it 8 characters or more. If you make it more than 8 characters you make it much, much stronger. The username you choose should be unique, don’t make it the same as other online logins you have, the same as your email, or the same as your web control panel or MySQL database login. Most people only put letters in their username, adding in some numbers and characters makes it much more secure.

Strong Passwords: Make your password unique by using letters, numbers, AND symbols – 8 characters or more. Don’t use the same password username combination as any other login, and definitely DO NOT make your passwords the same on your WordPress login, MySQL database login, or hosting web control panel login. Visit Strong Password Generator for examples of what really good random passwords are.

Choose unique usernames and passwords for different logins: This was already mentioned, but it’s worth mentioning again. You want to use different username/password combination for your WordPress login, MySQL WordPress database login, and web hosting control panel login. If someone breaks into one account, at least they won’t have access to every account you have.

Change password regularly: WordPress and (most) web hosting providers don’t require you to change your password on a regular basis, but most online banking does. Isn’t the time you spend on your web site or blog like putting money in the bank? If you lost it all would you be losing money? Changing your password every 30, 60, or 90 days just like online banking is a good idea.

Many people buy expensive alarm systems for their car, and purchase extra strength dead bolt locks for their house. Having piss-poor login names and passwords for your blog is like leaving the door to your house wide open!

Visit the WordPress Security Guide home to skip to other sections


22AUG

WordPress Security Guide: Part 3 – How to Limit Access to your site

Posted in: Blog Setup, Blogging, Wordpress
  |  by: admin
Tags: directory, guide to google adsense limiting and protection, how to limit the most viewed user in wordpress, jtpratt, jtpratt.com, plugin, security guide, Themes, Wordpress, wordpress .htaccess popup twice, wordpress folder access limit, wordpress limit access, Wordpress security, wordpress security guide


In Part 3 of this WordPress Security Guide we’re going to learn how to limit access to your web site. If you’re new, please visit the WordPress Security Guide home to view all the sections of the guide.

Now that you know why WordPress security is important, and you’ve found some exploits in your blog – we’re going to learn how to do probably the most important thing to prevent attackers from compromising your site – LIMIT ACCESS. Let’s face it, if those guys can’t get into your site then they can’t hack it. Most people don’t realize that the chances of getting hacked by a real live person are pretty minimal. Odds are much greater of being the victim of an automated attack.

Hackers write automated web bots and software to scan web sites night and day, scouring the web looking for old outdated versions of open source software they can attack. Staying up to date is important, making sure that you have the latest versions of WordPress and your plugins at all times. There are also ways to limit access to your WordPress site, so hackers know less about what you have installed.

Limiting Access with an .htaccess file

First – let me say that there are two wordpress plugins that say they can limit access for you – but presently both are outdated and don’t play nice with wordpress 2.8+. I’m going to list the URL’s only so that you know what they are and can look for a newer version (if you so choose):

WordPress Guard

htaccess Password Protect

As I said – those links were provided just in case you ran across them one day and thought “wow – I should try one of those”. Make sure they’ve been updated if you do, and know that your mileage may vary. Lots of comments and support posts indicated some people experienced major problems once they were installed (on the right wordpress versions) including being locked out of their own blogs. .htaccess files are a very tricky thing, since there are all kinds of things they can do – and some web hosts have different configurations and setups than others.

What you can do with .htaccess

  • Rewriting URL’s: you know that little thing in WordPress called “permalinks”? An .htaccess file rewrites pages from URL’s like “/?p=106″ to “/this-is-the-title-of-my-post”
  • 301 Redirects: You can setup permanent 301 redirects to redirect incoming request to a new page if the URL has changed. This is handy if you change your permalink structure
  • Limit access by IP Address: You can limit access by the IP address of your computer (or a ‘range’ of IP addresses)
  • Limit access by Password: You can limit access by a password you set.
  • Stop Directory Indexing: You can stop people from traversing directories without an index file
  • Show a Different index file: Although not pertinent to WordPress, you can use an .htaccess file to show a different index file than your web site default. In other words, you could use index.htm, index.html, index.php, etc.

My advice to you would be to limit access to your WordPress admin directory either by password, IP address, or both. Just remember, if you limit access by IP address – you won’t be able to access your admin when on the road, roaming wifi, or at another location (unless you add in that IP as well). By locking down your /wp-admin directory with a password – you will have “double lockdown” protection (in combination with the WordPress login).

Because of the different configurations of Apache and setup of web hosts, I can’t give you definitive instructions that will absolutely work in every situation for everyone. Even though you can add password protection to an .htaccess file, you still need to add users and passwords to an “.htpasswd” file. Users are easy to add, but passwords have to be encrypted in that file. This .htaccess password tutorial can help you with that, but my recommendation is to use your “web control panel” if you have one, and add your password protection there (because it’s automatic). You could also use the previously mentioned .htaccess file generator and upload the files manually. Here is the Official cPanel documentation for password protecting directories. If you’re unsure, submit a ticket to your web host for help password protecting your /wp-admin directory.

Another thing you could consider is limiting access to your /wp-admin directory by allowing access to specific (or a range of) IP addresses. This way you don’t have to remember a password, and you could limit access to multiple groups of people easily. Once again, if you have problems doing this, submit a support ticket to your web host for assistance.

Consider setting up a double login for WordPress by password protecting your /wp-admin directory (using an .htaccess file). Nearly all web hosts have a web control panel that allows you to password protect directories with no technical knowledge. Use that tool to password protect your /wp-admin folder, just be aware that to get to the WordPress dashboard you’ll need to login twice, once in a popup for the server, and then for wp-admin. Doing this is extra security against automated bots trying to access your admin files.
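For readers who end up writing the file by hand, here is an added example (not the author's code) of the "both" option described above: a valid login plus an allowed IP address. It assumes Apache 2.4 directive syntax (`Require`, `<RequireAll>`); the function names, paths and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Apache 2.4 "Require" syntax.
# PASSFILE is the .htpasswd file: create it with Apache's htpasswd utility or
# your control panel, and keep it outside the web root.

# is_ipv4_or_cidr ADDR: succeed only for a.b.c.d or a.b.c.d/0-32
is_ipv4_or_cidr() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac     # digits, dots, slash only
    addr=${1%%/*}
    case $1 in
        */*) bits=${1#*/}
             case $bits in ''|???*|*[!0-9]*) return 1 ;; esac
             [ "$bits" -le 32 ] || return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr                                   # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# write_wpadmin_htaccess DIR PASSFILE ADDR...
# Writes DIR/.htaccess so that a request needs a valid login AND a listed address.
write_wpadmin_htaccess() {
    [ $# -ge 3 ] || { echo "usage: write_wpadmin_htaccess DIR PASSFILE ADDR..." >&2; return 1; }
    dir=$1; passfile=$2
    shift 2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # Validate every address first, so a mistyped one is rejected
    # before the live file changes.
    for ip in "$@"; do
        is_ipv4_or_cidr "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    tmp=$dir/.htaccess.new.$$
    {
        echo 'AuthType Basic'
        echo 'AuthName "Restricted"'
        echo "AuthUserFile \"$passfile\""
        echo '<RequireAll>'
        echo '    Require valid-user'
        echo '    <RequireAny>'
        for ip in "$@"; do echo "        Require ip $ip"; done
        echo '    </RequireAny>'
        echo '</RequireAll>'
    } > "$tmp" || return 1
    # Keep a copy of any existing file so the change can be rolled back.
    if [ -f "$dir/.htaccess" ]; then
        cp -p "$dir/.htaccess" "$dir/.htaccess.bak" || return 1
    fi
    mv "$tmp" "$dir/.htaccess"
}
```

A call such as `write_wpadmin_htaccess /path/to/wp-admin /path/outside/webroot/.htpasswd 203.0.113.10 198.51.100.0/24` (placeholder values) produces the file; keep an FTP or control panel session open while testing so you can restore `.htaccess.bak` if you lock yourself out.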

Limiting Access through file permissions

The vast majority of web hosts for WordPress blog owners are Linux, and access to files within your site is controlled by UNIX-based file permissions. Basic permissions are assigned in 3 areas “read, write, and execute”. Permissions can be assigned to 3 groups “owner, group, and world”. The WordPress Codex has an entire page dedicated to Changing File Permissions. Essentially, it’s dangerous to assign “write” permissions to the world from a web browser when it’s not necessary. It’s a loophole hackers can potentially use to write files and gain access to your site. 755 (and below) file permissions are best whenever possible for directories because this removes “write” access from the group and the world. Ideally 644 permissions are best for files on most web hosts.

Often you can change file permissions in your FTP program, such as right clicking a file in “Filezilla” as in this image:

filezilla

You can also do it in “telnet” (command line, or shell) if you have that kind of access, and on some web hosts you can change file permissions from your web based control panel using a web based file editor or FTP program.
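If you do have shell access, the check and the fix described above can be scripted. This is an added example (not from the original guide); the function names are made up for illustration. It only removes group and world write, which turns 777 into 755 and 666 into 644, and leaves anything already stricter (such as a 600 file) untouched.

```shell
#!/bin/sh
# Added example, not from the original post.

# list_loose_permissions ROOT
# Print every file and directory under ROOT that the group or the world
# can write to. Symlinks are skipped (only -type f and -type d match).
list_loose_permissions() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# count_loose_permissions ROOT
# Number of entries the listing above would print.
count_loose_permissions() {
    list_loose_permissions "$1" | wc -l | tr -d ' '
}

# tighten_permissions ROOT
# Remove write access for group and world from the loose entries only.
# Owner permissions are not changed, so the owner can still write.
tighten_permissions() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}
```

Run `list_loose_permissions` on your WordPress directory first and review the output before running `tighten_permissions`, since some hosts need different permissions on upload or cache directories.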

Limit Access through robots.txt

There’s an old saying that “an ounce of prevention is worth a pound of cure”, and there’s a lot of truth to that. By limiting access to your site using a robots.txt file, you can prevent certain items from accidentally getting indexed in search engines – and the less hackers can find in your site, the less your chances of getting hacked are. You should limit access to your 3 wordpress install directories, and any additional directories you have (if you don’t want them indexed).

For example, these lines could be in your /robots.txt file:

User-agent: *
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /trackback
Disallow: /feed
Disallow: /comments
Disallow: /category/*/*
Disallow: */trackback
Disallow: */feed
Disallow: */comments
Disallow: /*?*
Disallow: /*?
Allow: /wp-content/uploads

That example from the WordPress Codex page on SEO limits access to your wp-admin, wp-includes, and wp-content directories, as well as your feed, trackbacks, comments, and category pages. Visit the web robots pages to learn more about robots.txt files and web robots and crawlers. By limiting access to certain sections of your site via robots.txt you ensure they don’t inadvertently get indexed in search engines, where hackers could easily search for things they can exploit! Keep in mind that robots.txt is only a request that well-behaved crawlers honor, and anyone can read the file, so it complements the .htaccess and file permission controls above rather than replacing them.

In part 4 of this guide we’ll talk about the security of your web host, and how to make usernames and passwords more secure.

Visit the WordPress Security Guide home to skip to other sections

16AUG

New WordPress Theme “Business Blues Skyscraper”

Posted in: Themes, Wordpress
  |  by: admin
Tags: Artisteer, blues wordpress themes, build, create your own wordpress theme, directory, jtpratt, jtpratt.com, skyscraper wordpress theme, Themes, Wordpress, wordpress theme generator, wordpress-theme

Here’s my new WordPress theme entitled “Business Blues Skyscraper”. I took a little more time and created this one in about an hour. I took one of the default layouts in Artisteer and changed the colors and menus to a color scheme I liked better. Then I spruced up the menus, chose some better icons and buttons, and last I found a great skyscraper pic to use as the background washout to make this a true “widescreen wordpress theme”! It looks GREAT on my new 22″ monitor, but it will look just as good in 1024×768 on a 15″ (they just won’t see all of the skyscraper). I love themes like that.

I also like the top navigation bar with the multi-level dropdowns. Click the pic below if you want to see a fullscreen pic, I really like this theme! Download the theme using the links after the image below. If you’ve not heard of Artisteer before you should check it out. It’s Windows software you can purchase and download to create your own WordPress theme! You can change every last option and create a completely original, completely unique WP theme with no coding or design experience at all! It’s just like using Word, and you export when done and upload to your theme directory and activate! Imagine creating all the themes you want (like I am) and releasing them for free to build links or get exposure for your blog! This is my third theme to date – I hope you like it. Use the download links below to get it.

New 2 Column Free WordPress Theme "Business Blues Skyscraper"

13AUG

WordPress Security Guide – Part 2

Posted in: Blog Setup, Blogging, Blogging Mistakes, Plugins, Wordpress
  |  by: admin
Tags: directory, jtpratt, jtpratt.com, plugin, security guide, Wordpress, Wordpress security, wordpress security guide, wordpress-theme

In Part 2 of my WordPress Security Guide I’m going to show you how to examine your site for exploits using available free WordPress plugins. I always say – you can’t fix a problem if you don’t know it exists! Even if you’re a WordPress newbie, you might be surprised how easy it is to look for common problems if you know what to look for and are armed with a few key tools.

In case you missed the first post, visit the WordPress Security Guide home.

Examine Your Site for Exploits

There are some really good plugins that can help you to find existing problems and potential exploits with your WordPress site. Here are some WordPress security plugins that perform scanning and alerting functions:

WP Security Scan

WP Security Scan will check your blog for some essential items. Once you download and install the plugin you’re presented with the initial results, which are conveniently displayed in either green or red depending on whether they need attention:

wp-security-scan

You can see in the image above there were only 2 things that needed attention in my test blog. Here’s a list of the initial checks it performs:

1. That you have the latest version of WordPress
2. The prefix of your wordpress tables, which by default is “wp_”. You can set the default prefix of wordpress database tables to something different, and leaving it as the default leaves you open to SQL injection attacks.
3. Your WordPress version is hidden
4. That WordPress database errors are turned off
5. That the WordPress ID metatag has been removed
6. The Admin user has been removed
7. There’s an .htaccess file protecting your /wp-admin directory

It also has a scanner function which will check the permissions of key files and folders within your WordPress installation, letting you know if you are open for attack. Green means the permissions are good, red behind any listing means they should be changed ASAP.

wp-security-scan-permissions

This plugin is a good way to automatically check some of the major items on our checklist, but while it reports the issues, it doesn’t give you the ability to make the necessary changes from your WordPress admin. It does have a section for attempting to change the prefix of your wordpress tables, but even though my test site had the proper database ALTER permissions, it still wouldn’t allow the plugin to make the changes for me. Just know that your mileage may vary on that part of the plugin. All the other items you’ll need to change on your own manually (which we will cover here shortly).

WordPress Exploit Scanner

Another way to check your blog for potential exploits is to install the WordPress plugin Exploit Scanner. The plugin author is Donncha O Caoimh, author of WP Super Cache. It has but one function, which is to search your wordpress files and database to see if you have wordpress plugins with known issues, or to see if you have suspicious posts or comments. This is very important because your plugins are checked against a database list of known “suspicious plugins”, and if you already have spam posts or comments your WordPress installation might be compromised already. I ran the scan on my test blog:

exploit-scanner-example

As you see in the image, I didn’t have any suspicious plugins installed, and I had only one post listed to check out (which turned out to be fine). This plugin is more for making sure you haven’t already somehow been hacked. If the results indicated your WordPress blog was compromised – you need to take action (which will also be covered shortly).

WP Antivirus

After that last plugin, you’re probably wondering if there is a plugin out there that could monitor your site and alert you if it was compromised. Another WordPress security scan plugin to consider is WP Antivirus. Once installed it will automatically scan your WordPress theme files to make sure they haven’t been hacked or compromised by a virus. It doesn’t do anything else, but it DOES send the admin an email if a “virus” is found in your theme files. You can also run a manual check to check your theme files if you don’t want to enable email notification:

wp-antivirus

All my files were fine in my test blog theme except for one, and there was no virus – but there was a potential problem with one section of my functions file. As you can see safe files are in green, potential problems are red. It would be nice if this plugin did the same type of database scan as WordPress Exploit Scanner as well, maybe it will in a future version.

Secure WordPress

Unlike some of the previous plugins that look for problems, Secure WordPress actually takes care of some of them by setting options in plugin admin in your dashboard.

secure-wordpress-plugin

As you can see in the images above, it’s as easy as clicking a checkbox to remove the version of WordPress in all areas, remove update links for non-admins, and it can even create an index file in your plugins directory to keep people from “directory browsing”. The last thing it can do is add a comment to your html code which enables you to use the next tool we’ll talk about, “WP Scanner”.

BlogSecurify WP Scanner

WordPress Exploit Scanner checks your blog via the web. Before they do that, they want to ensure that you’re actually the owner (and not scanning someone else’s blog!), so a simple comment has to be added to your html code. They offer a free plugin that adds it automatically if you don’t want to edit your theme files, or you can add the code by checking an option in the previously mentioned plugin “Secure WordPress”.

wp-scanner-results

Once you enable the plugin, you visit the WP Scanner web site to start a scan. The image above shows what the results look like from the WP Scanner web report. It assigns a risk factor to items it finds, but does not give much additional information. It did come up with results for me that the other plugins did not, like some readme files that could clue a hacker in to what version of WordPress or plugins I’m using.

I hope that you learned some valuable and free ways today to find exploits in your WordPress blog. Stay tuned, because in Part 3 of our WordPress Security Guide we’re going to learn how to limit access to your WP sites. In Part 5 we’re going to talk about how to stop spambots and hackers dead in their tracks from trying to break in through exploits.

Visit the WordPress Security Guide home to skip to other sections

13AUG

New WordPress Theme “My Online Office”

Posted in: Linkbuilding, Themes, Wordpress
  |  by: admin
Tags: Artisteer, build, jtpratt, jtpratt.com, Themes, Wordpress, wordpress theme generator, wordpress-theme

I’ve created a new WordPress Theme called “My Online Office”. I wrote a post earlier about How to Create a WordPress Theme in Minutes that’s been very popular – and it shows how I quickly create WordPress themes using the Artisteer Software as a visual editor. In about 15 minutes I created an original WP Theme design in both 2 and 3 column versions – and now I offer both versions of the theme to you for free download! Check them out:

Wordpress Theme My Online Office: 2 Column Version

Wordpress Theme: My Online Office – 3 Column Version

It’s so easy to quickly create WordPress Themes now, I’ll more than likely put out a lot more in the future! You could Purchase Artisteer and create some yourself, just as easily as I have! It’s a great way to create backlinks, build content on your site, and even create your own custom themes for your own WordPress powered sites if you can’t find exactly the WP themes you were looking for!

11AUG

WordPress Security Guide – Part 1

Posted in: Blog Setup, Blogging, Blogging Mistakes, Wordpress
  |  by: admin
Tags: affiliate, affiliate store, build, directory, intern, jtpratt, jtpratt.com, plugin, security guide, swat, Themes, Wordpress, Wordpress security, wordpress security guide

My WordPress Security Guide will help you to protect your WP blog from hackers. I have lots of clients that pay me to work on their WordPress powered sites and the work is usually SEO, setting up an affiliate store, or working on plugins or hacks. I’ve yet to come across a client site that had WordPress security plugins installed. I’ve yet to see a client with a “strong” password. Nobody I’ve worked for actually had a backup of their web site or database.

Do you Know What You’re Risking?

Maybe you feel safe because none of your sites has ever been hacked, but honestly – is it worth the risk of losing all or even part of your work? Spammers want to load up your blog with comments linked to online casino and male enhancement web sites. Malware hackers want to inject your blog with redirects to hijack your traffic to their domain. You are risking anything from thousands of spam comments to having every PHP file on your web site “injected” with a javascript redirect to a foreign address. A really nasty virus might even chew through your entire MySQL database and destroy all your content. If you lost your entire web site tomorrow, how old would your latest backup be? How much work would you lose? Do you even take regular backups of your web site? If your web site generates income you could actually lose money during your down time, and your search engine rankings could be compromised – costing you traffic and even more money.

Do You Know What Could Happen?

The world is filled with skeptics who believe this can’t happen to them. Let me explain why it’s more important than ever to secure your WordPress powered site, because there are literally armies of online villains ready to attack you!

There are specific things you need to protect yourself against:

  • Malware, Trojans, and Viruses – oh my! Believe it or not, your web site or blog can be hacked by a virus. Usually you think of a virus as something that attacks your personal computer. There are viruses and trojans that are designed to steal your FTP or login info and gain entry to web sites. Once inside they can chew through your PHP files like a mouse eating cheese. These types of attacks normally originate from a Windows based computer.
  • Hackers, Spam-bots, and automated software – When you’re sleeping your web site is being bombarded night and day by online attackers. Some of these are from real live people, but most of them are completely automated by hackers using bots and automated software. Software doesn’t sleep, and it’s designed to find web sites that have potential exploits. The most common targets are sites with older versions of WordPress or plugins that have known security holes. These types of attacks happen as often on your web site as real visitors, and you don’t even know they’re happening because more than likely you have no way of tracking them.
  • Bad Web Hosts – Would you purposely buy a home in a bad neighborhood you didn’t feel safe in? When you build a web site online it’s like building a real brick and mortar home, the safety of your new “web home” depends on your web neighborhood. What if the great $9.95 per month deal you got on web hosting means that your shiny new blog is now parked in an online ghetto? Your site is only as safe as the server you’re hosted on, and you might be more susceptible to attacks if their server security isn’t very good, and depending on their setup you could even be at risk from the other customers’ sites hosted next door to you! Maybe you never thought about your web site being attacked by neighboring accounts or lax web host security until now.
  • Your own computer – Believe it or not, you are your own worst enemy. You are 80% more likely to infect your own web site or give your FTP login info away unwittingly through a trojan than you are being attacked by other means. This is mainly because the majority of people have Windows based computers, and a great percentage of them are infected with some type of malware, virus, or trojan. Even if you are the most careful person on earth, other people using your computer (or children) may not be. Your virus program could be out of date, or you could have an older version of Windows without current updates.
  • Internet Security – Even if you’ve thought of everything to secure your own computer, what good does it do if you’re still connecting to your web site in regular FTP? Are you using a wireless router at home that’s not encrypted? Do you use public wifi connections and check your email and use the admin functions of your blog? Are you still logging into your WordPress blog unsecured? All or any of these could compromise your site.

Where Do You Begin?

If you want to secure and harden your WordPress powered site there are some very simple steps you can take to protect yourself:

  1. Upgrade WordPress and all plugins to the latest versions available
  2. Examine your site for potential exploits and security holes
  3. Limit access to your site through permissions, robots.txt, and .htaccess file
  4. Examine the security of your web host
  5. Make all usernames, passwords, and logins more secure
  6. Don’t encourage bad behaviour by allowing spammy accounts or comments
  7. Consider tracking attack attempts against your site to keep aware of potential problems
  8. Use secure connections at all times
  9. Keep your personal computer up to date and protected

This guide will explain in easy to understand steps how to do all those things and more. By the end of this tutorial you will be able to educate other bloggers about WordPress security and potential online attacks.

Backup Now!

Before you make any changes at all the first thing you need to do is backup your web site and database. If you’re not doing that already, now is the time to start! There are all kinds of plugins that will do this for you, but to be honest I’m not a very big fan of that technique. Mainly because at some point in time the database file will probably be too large to manipulate via WordPress plugin – especially if you have an active blog. The WordPress Backup plugin can help you with that if that’s the route you choose.

Manually downloading all your wordpress files to a directory on your computer is as easy as it was to upload a theme or plugin. Download everything, so you have a current working version of all wordpress files, themes, and plugins. Nearly all web hosts provide you with a web control panel to manage your web site. Login and find the section for managing your databases. You should have access to a web tool called “phpMyAdmin” which allows you to administer your database via web page. Find this tool, select your database from the drop down menu, and then export!

The WordPress Codex has a page about phpMyAdmin, as well as a page about Restoring Your Database from Backup if you need to.

Upgrade WordPress and Plugins

Now that you have backups of everything in your current version of WordPress, it’s safe to upgrade everything! Since version 2.8 of WordPress, it’s been possible to upgrade your WordPress installation from your admin dashboard, as well as updated versions of your plugins (as they become available). If you’re not up to version 2.7 of WordPress, you’ll need to update by downloading the latest version from wordpress.org first, and then uploading the files via FTP. Then you’ll be able to update your plugins via the admin dashboard plugin page. This may be the first step, but it’s one of the most important, because exploits in outdated versions of WordPress and plugins are exactly what hackers are looking for. Staying up to date is your best defense against issues like this.

The following images show how easy it is to update both WordPress and plugins in version 2.7x and above by simply clicking a link to do it live in your WordPress dashboard admin.

update-wordpress

upgrading-askimet

Releases of WordPress are pretty solid, but when new versions become available sometimes themes and plugins get broken until they are updated. It always pays to view the latest plugin compatibility list BEFORE UPGRADING, in case something you rely on might be immediately broken. It doesn’t mean to never upgrade in fear of breaking things, but rather be more aware of conflicts that might need fixing once you do. Just google wordpress x.x compatibility for the latest official list (replace x.x with the version number you’re searching for in google).

Stay tuned to the next part in this series to learn how to examine your WordPress powered site for exploits!

Visit the WordPress Security Guide home to skip to other sections

11AUG

Copyright © 2011 JTPratt Media. All rights reserved.  Privacy Policy | Disclosure Statement