If you’re not comfortable delving under the hood of WordPress then this post might not be of great interest to you, but I’d suggest reading it anyway. Who knows, you might just pick up something that will help later on.
I’ve been using WordPress as the Content Management System (CMS) for this blog since 2006 and have been pleased with it. However, during that extended “relationship” there have been a few bumps in the road: some things I’ve learned through reading, and some I’ve learned from outright attacks on this site.
Security
Rename the default WordPress “Admin” user. In September 2008, someone tried to take over administrative privileges of the Meandering Passage WordPress installation by exploiting a WordPress weakness of the time together with the default WP Admin user account. Luckily WordPress has since been patched, and I renamed the Admin user.
Protect the WordPress logon page. Doing this can prevent brute force attacks targeted specifically at wp-login.php. Not too long ago I received an email from my host provider telling me they had to disable my WordPress logon page because it was the target of a brute force bot attack. They recommended modifying my root .htaccess file so the Apache web server would require a user name and password before serving the logon page — meaning it would take a password to get to the logon page and then a password to sign on to WordPress. A brute force attack robot would hit the first password prompt and be rejected. You can also rename the logon (wp-login.php) page — there is even at least one Rename wp-login.php plugin which claims to make the process much simpler (Disclaimer: I don’t use this plugin and cannot testify to how well it works.)
There are also security plugins for WordPress. I’m currently trying one named “All In One WP Security,” which seems to work well and provide some nice capabilities for making a WordPress site more secure.
Host Resources
If your website host provides some type of site statistics package, spend a little time getting to understand the information it provides. In October 2012, my host contacted me saying they were going to have to restrict or remove the Meandering Passage site because it was using too much CPU time on the host server. I’d made no recent changes to the site and the visitor levels were about the same as always. Only after spending several hours carefully reviewing the detailed traffic statistics did I identify a rogue search bot (80legs) which was crawling my site daily at a high rate, causing this problem. You’re supposed to be able to designate which robots can index your site in a “robots.txt” file located in your root directory, but this bot was ignoring those instructions — bad bot! It also didn’t leave much trace of its presence, probably by design, making it hard to find. Once I had the source of the problem, my host’s support staff helped me deny access to this bot at the .htaccess file/Apache server level.
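Both of the problems above (a bot hammering wp-login.php, and a crawler that ignores robots.txt and crawls at a high rate) show up in the raw web server access log long before a host notices. The script below is an added example, not code from this post or from any plugin it mentions: it parses a few constructed lines in Apache “combined” log format (hypothetical addresses and user agents), counts POSTs to wp-login.php per client address, reads a constructed robots.txt to see which user agents are fully disallowed, and reports each agent’s request count, its peak requests in any 60-second window, and whether a disallowed agent fetched pages anyway. The thresholds and sample data are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines in Apache "combined" format (hypothetical
# addresses, paths and user agents; not taken from the blog's real logs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2014:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2014:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2014:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2014:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2014:08:05:00 +0000] "GET /2014/02/some-post/ HTTP/1.1" 200 8765 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.4 - - [10/Feb/2014:08:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.50 - - [10/Feb/2014:08:10:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "ExampleCrawler/1.0"
192.0.2.50 - - [10/Feb/2014:08:10:01 +0000] "GET /2014/01/post-a/ HTTP/1.1" 200 8000 "-" "ExampleCrawler/1.0"
192.0.2.50 - - [10/Feb/2014:08:10:02 +0000] "GET /2014/01/post-b/ HTTP/1.1" 200 8000 "-" "ExampleCrawler/1.0"
192.0.2.50 - - [10/Feb/2014:08:10:03 +0000] "GET /2014/01/post-c/ HTTP/1.1" 200 8000 "-" "ExampleCrawler/1.0"
192.0.2.50 - - [10/Feb/2014:08:10:04 +0000] "GET /2014/01/post-d/ HTTP/1.1" 200 8000 "-" "ExampleCrawler/1.0"
192.0.2.50 - - [10/Feb/2014:08:10:05 +0000] "GET /2014/01/post-e/ HTTP/1.1" 200 8000 "-" "ExampleCrawler/1.0"
"""

# Constructed robots.txt: the hypothetical crawler is told to stay out entirely.
ROBOTS_TXT = """\
User-agent: ExampleCrawler
Disallow: /

User-agent: *
Disallow: /wp-admin/
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(entry)
    return entries


def login_posts_by_ip(entries, threshold):
    """Client addresses that POSTed to wp-login.php at least `threshold` times."""
    counts = Counter(e["ip"] for e in entries
                     if e["method"] == "POST" and e["path"] == "/wp-login.php")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def robots_blocked_agents(robots_txt):
    """User-agent tokens that robots.txt disallows completely (Disallow: /)."""
    blocked, current, prev_was_ua = set(), [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if not prev_was_ua:          # a new record starts here
                current = []
            current.append(value.lower())
            prev_was_ua = True
        else:
            prev_was_ua = False
            if key == "disallow" and value == "/":
                blocked.update(tok for tok in current if tok != "*")
    return blocked


def crawler_report(entries, blocked_agents, max_per_minute):
    """Per user agent: total requests, peak requests in any 60 s window,
    whether that peak exceeds `max_per_minute`, and whether an agent that
    robots.txt fully disallows still fetched pages other than robots.txt."""
    by_agent = defaultdict(list)
    for e in entries:
        by_agent[e["agent"]].append(e)
    report = {}
    for agent, rows in by_agent.items():
        times = sorted(r["time"] for r in rows)
        peak, start = 0, 0
        for end in range(len(times)):          # sliding 60-second window
            while (times[end] - times[start]).total_seconds() >= 60:
                start += 1
            peak = max(peak, end - start + 1)
        fetched_pages = any(r["path"] != "/robots.txt" for r in rows)
        disallowed = any(tok in agent.lower() for tok in blocked_agents)
        report[agent] = {
            "requests": len(rows),
            "peak_per_minute": peak,
            "high_rate": peak > max_per_minute,
            "ignores_robots": disallowed and fetched_pages,
        }
    return report


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("login brute-force candidates:", login_posts_by_ip(log, threshold=3))
    for agent, info in crawler_report(log, robots_blocked_agents(ROBOTS_TXT), 4).items():
        print(agent, info)
```

Run against a real access log by reading the file into `parse_log` instead of `SAMPLE_LOG`; the thresholds (3 login POSTs, 4 requests per minute) are deliberately low for the tiny sample and should be tuned to the site’s normal traffic before acting on the output.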
Usability
For a couple of years now I’ve been running the current “Shaken Grid” theme for Meandering Passage. I like this theme but it’s older and no longer supported or being developed. That’s not a problem as long as it keeps working and at this point I’ve made enough modifications to make it more of a custom theme anyway.
The one issue I’ve been struggling with since early on is the presentation of photos/images on Meandering Passage. Single photos or images in a post were displayed using a JavaScript lightbox plugin, and a gallery of images could be displayed either using a WordPress gallery with the default WordPress display or via the built-in Shaken Grid theme gallery template using its adaptation of a “Fancybox” display. In each case, clicking an image produced a different display with a different user interface and controls. Not a good situation.
Well, I believe I’ve found a solution in the form of a plugin which easily enables the FancyBox jQuery extension on all image, SWF, PDF, YouTube, Dailymotion and Vimeo links; it also supports iFrame and inline content. No matter how I choose to insert photos into my posts, they all display via the same method and with the same look and feel.
Easy Fancybox comes in a free “lite” version with a premium Pro Extension which brings additional functions. Try the free version first and decide if you need the features of the Pro version — I did.
Note: I’m in no way affiliated or in a position to gain from anyone’s use of Easy Fancybox. I tried it and like it, period.
Utilities
When I originally set up Meandering Passage on WordPress in 2006 I for some reason went against the default settings and designated my upload folder at the root level rather than inside the wp-content folder. I’ve moved hosts twice since 2006 and each time I’ve left this non-standard structure as it was.
While I was having the CPU resource problems I discussed under Host Resources above, I implemented a WordPress cache to improve the performance of this site and lessen the load on my host. This cache allows the web server to serve static content for those parts of this site that have not recently changed instead of generating dynamic content on the fly each time. This has worked well, except it was having some issues with the image media being at root level rather than inside wp-content, where it normally is.
Moving this “upload/media” folder back into wp-content as a fix for the cache issues was potentially a very large problem. Every post (1900+) with an image or linked file had the link pointing to the image file at the root location. Luckily someone designed a WordPress Plugin to help fix all those links — Velvet Blue Update URLs.
I copied the upload folder into the “wp-content” folder and then using the Velvet Blue Update URLs plugin I specified the old location URL “http://mp.com/uploads” and the new location URL “http://mp.com/wp-content/uploads” and the plugin went through all posts and pages making the changes. I only had to make a couple of changes where a URL was hard coded in my theme.
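The search-and-replace the plugin performs is straightforward for post content, but WordPress also stores some data (attachment metadata, widget and theme options) as PHP-serialized strings that carry a byte length prefix; a plain text replacement of a URL with a longer one leaves the old length in place and the entry can no longer be read. The code below is an added example, not the Velvet Blue Update URLs plugin’s code or any WordPress API: it uses the old and new URLs from the post, shows the safe plain-text replacement, and shows a replacement inside serialized data that recalculates each `s:N:"..."` length, plus a checker that detects when a naive replacement has broken the lengths. The sample attachment metadata is constructed for illustration.

```python
import re

# Old and new upload locations, as given in the post.
OLD_URL = "http://mp.com/uploads"
NEW_URL = "http://mp.com/wp-content/uploads"

# Constructed sample of the kind of PHP-serialized value WordPress keeps in
# post meta (two image sizes keyed by name); not taken from a real site.
SAMPLE_META = (
    'a:2:{s:4:"full";s:29:"http://mp.com/uploads/a/b.jpg";'
    's:5:"thumb";s:33:"http://mp.com/uploads/a/b-150.jpg";}'
)

# Start of a serialized PHP string: s:<byte length>:"
SERIAL_HEAD = re.compile(rb's:(\d+):"')


def update_urls(text, old, new):
    """Plain text such as post_content or guid: a direct replacement is safe."""
    return text.replace(old, new)


def serialized_lengths_ok(data):
    """True when every s:N:"..." entry's N matches the byte length of its body."""
    raw, i = data.encode("utf-8"), 0
    while True:
        m = SERIAL_HEAD.search(raw, i)
        if not m:
            return True
        n, body_start = int(m.group(1)), m.end()
        if raw[body_start + n:body_start + n + 2] != b'";':
            return False                  # length no longer lands on the closing ";
        i = body_start + n + 2


def update_serialized(data, old, new):
    """Replace `old` with `new` inside serialized PHP strings and rewrite each
    length prefix so the structure stays readable. Works on bytes because the
    PHP length counts bytes, not characters."""
    raw, old_b, new_b = data.encode("utf-8"), old.encode("utf-8"), new.encode("utf-8")
    out, i = [], 0
    while True:
        m = SERIAL_HEAD.search(raw, i)
        if not m:
            out.append(raw[i:])
            break
        n, body_start = int(m.group(1)), m.end()
        body = raw[body_start:body_start + n]
        if raw[body_start + n:body_start + n + 2] != b'";':
            # Not a well-formed string entry; copy it through untouched.
            out.append(raw[i:m.end()])
            i = m.end()
            continue
        new_body = body.replace(old_b, new_b)
        out.append(raw[i:m.start()])
        out.append(b's:%d:"%s";' % (len(new_body), new_body))
        i = body_start + n + 2
    return b"".join(out).decode("utf-8")


if __name__ == "__main__":
    print(update_urls("<img src=\"http://mp.com/uploads/a/b.jpg\">", OLD_URL, NEW_URL))
    naive = SAMPLE_META.replace(OLD_URL, NEW_URL)
    print("naive replace keeps lengths consistent:", serialized_lengths_ok(naive))
    fixed = update_serialized(SAMPLE_META, OLD_URL, NEW_URL)
    print("length-aware replace keeps lengths consistent:", serialized_lengths_ok(fixed))
    print(fixed)
```

A plugin that handles this correctly does the equivalent of `update_serialized` on option and meta values; if you ever script the migration yourself (for example with a direct database query), run a check like `serialized_lengths_ok` on the affected rows afterwards and keep a database backup from before the change.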
This would also be a life-saver plugin if you were changing your directory structure during a domain or host move.
These are only a few of the things I can remember experiencing while using WordPress for the last eight years. Why have I and Meandering Passage been the target of a number of attacks when most WordPress blogs exist for years without being touched — I don’t know. Perhaps because I’ve published technical posts on this blog it’s been exposed to a different segment of the Internet, or perhaps at some point it was simply added to a list…not a good list. The point is, if you run any type of blog and feel it’s safe and secure because you’ve never had any problem, you might be living in a dream world on borrowed time. Just be aware.
Posts like this make me wish I knew more about what goes on under the hood/behind the scenes of all things web. Fortunately my website is pretty user friendly, and my annual fee includes a WordPress account, which I use for my blog. I had a password issue once but my hosting company handled it and I didn’t even know what they did.
That’s also what bothers me about the Hackintosh – I love the computer, it works great and gives me great satisfaction to use a machine that I “built.” I just end up feeling helpless/useless when something comes along that I can’t fix. I guess that’s why I like cameras – I don’t generally need to take them apart! ;)
Tom, I’ve always been one to enjoy tinkering around under the hood…be it a car, motorcycle or web site. Sometimes it’s gotten me in trouble but as I’ve grown older, and hopefully wiser, instead of lessening the desire to tinker I’ve learned to plan beforehand better and have a Plan B ready in case things go wrong. ;-)
We need to find a day when maybe we can do some photography in the morning and then take a look at your Hackintosh to see if we can address any issues you’re having. I’ll get with you soon to see about a date/photo location!
You have probably guessed that most of this was way over my head. Still I quite enjoyed the read. You write about technical matter so clearly that I almost start to believe that I “get it”. Usually, I don’t read articles like this, but yours are an exception.
Hi Anita, I appreciate just the fact that you waded through the technobabble! :-)
There’s been any number of times I’ve found myself struggling with a technical problem and after a search ended up being saved by someone’s simple blog post about the same problem and solution.
I posted this in the chance something in it may help someone someday.
Thanks for your visit and comment! I’ve been enjoying following you on Facebook recently.
First off Earl, love the photo. Not quite sure what it is in reality, and not sure I want to know, because I think the Other Worldly caption is perfect.
I turned on a security setting on my blog recently to block anyone that tries to login using the Admin ID. Seems to happen quite often as now I am getting so many emails about host lockouts. I have a few security items running, all of them seem to pick up stuff. I want to check out more of what you list here.
Mark, thanks on the photo. I’ll leave what it is to your imagination but the actuality is probably not as bad as you imagine. :-)
I think WordPress sites are getting attacked or at least probed more often than people realize. It was my hosting support staff that alerted me to two of the attacks mentioned above — there was no visible evidence from my end except for slow site performance.
Let me know if you find any good WordPress PlugIns/Solutions…
Well written and a good read, even though most of it was above my head. I also am one of those who needs to implement some of your suggestions. Not sure what the image is, either. Do I want to know?
Monte, thanks. Yeah, we all think we’re pretty secure until we’re not! There are many articles out there on improving security on a WordPress site as well as some capable plug-ins that don’t require a great deal of technical knowledge.
Thanks on the image. I’ll leave what it is same way I did for Mark — “the actuality is probably not as bad as you imagine.” :-)
Thanks for the writeup, Earl. Though I’ve not had any issues, it can’t hurt to be a bit proactive. I’ve downloaded and installed the WP Better Security plugin, now named, iThemes Security.
Paul, that’s the plugin that I use, too. And when I look through the logs of the various abuse attempts undertaken by hackers from all over the world, I admire WordPress’s stability even more.
I hope you continue to not have any issues, Paul!