Other Worldly
Other Worldly

If you’re not comfortable delving under the hood of WordPress then this post might not be of great interest to you, but I’d suggest reading it anyway. Who know you might just pick up something that will help later on. 

I’ve been using the WordPress as the Content Management System (CMS) for this blog since 2006 and have been pleased with it.  However, during that extended “relationship” there were a few bumps in the road, a few things I’ve learned through reading and some I’ve experienced from outright attacks on this site.

Security

Rename the default WordPress “Admin” user. In September 2008, someone tried to take over administrative privileges of the Meandering Passage WordPress installation by exploiting an at-that-time WordPress weakness and using the default WP Admin user account.  Luckily WordPress has since been patched and I renamed the Admin user.

Protect your the WordPress logon page. Doing this can prevent brute force attacks  targeted specifically to wp-login.php.  Not too long ago I received an email from my host provider telling me they had to disable my WordPress Logon page due to it being the target of a brute force bot attack.  They recommended modifying my root .htaccess file so Apache Web Server would require a user and password before serving the logon page up — meaning it would take a password to get to the logon page and then a password to sign on to WordPress.  A brute force attack robot would get the first password request and be rejected.  You can rename the logon (wp-login.php) page — there is even at least one Rename wp-long.php Plugin which claims to make the process much simpler (Disclaimer: I don’t use this plugin and cannot testify to how well it works.)

There are also security plugins for WordPress.  I’m currently trying one named “All In One WP Security,” which seems to work well and provide some nice capabilities for making a WordPress site more secure.

Host Resources

If your website host provides some type of site statistics package spend a little time getting to understand the information it provides.  In October 2012, my hosts contacted me saying they were going to have to restrict or remove the Meandering Passage site because it was using too much CPU time on the host server.  I’d made no recent changes to the site and the visitor levels were about the same as always. Only after spending several hours of carefully reviewing the detailed traffic statistics did I identify a rogue search bot (80legs) which was crawling my site daily at a high rate causing this problem.  You’re suppose to be able to designate which robots can index your site in a “robot.txt” file located in your root directory but this bot was ignoring those instructions — bad bot!  It also didn’t leave much trace of it being there, probably by design, making it hard to find.  Once I had the source of the problem my host support staff helped me deny access to this bot at the .htaccess file/Apache Server level.

Usability

For a couple of years now I’ve been running the current “Shaken Grid” theme for Meandering Passage.  I like this theme but it’s older and no longer supported or being developed.  That’s not a problem as long as it keeps working and at this point I’ve made enough  modifications to make it more of a custom theme anyway.

The one issue I’ve struggling with since early on is the presentation of photos/images on Meandering Passage — single photos or images in a post were displayed using a java-script lightbox plugin and a gallery of images could be displayed using either a WordPress gallery with the default WordPress display or via the built in Shaken Grid theme gallery template using it’s adaptation of a “Fancybox” display. In each case the images when clicked upon displayed differently with different user interface and controls.  Not a good situation.

Well, I believe I’ve found a solution in the form of a plugin which easily enables the FancyBox jQuery extension on all image, SWF, PDF, YouTube, Dailymotion and Vimeo links, it also supports iFrame and inline content. No matter my choice for how to insert photos into my posts they all display via the same method and with the same look and feel.

Easy Fancybox come in a free “lite” version with a premium Pro Extension which brings additional function.  Try the free version first and decide if you need the features of the Pro version — I did.

Note: I’m in no way affiliated or in a position to gain from anyone’s use of Easy Fancybox.  I tried it and like it, period. 

Utilities

When I originally set up Meandering Passage on WordPress in 2006 I for some reason went against the default settings and designated my upload folder at the root level rather then inside the wp-content folder.  I’ve moved hosts twice since 2006 and each time I’ve left this non-standard structure as it was.

While I was having the CPU resource problems I discussed under resources above. I implement a WordPress cache to improve the performance of this site and lessen the load on my host.  This cache allows the web server to provide static content for those parts of this site that have not recently changed instead of generating on the fly dynamic content each time. This has worked well except it was having some issues with the image media being at root level rather then inside wp-content, where it normally is.

Moving this “upload/media” folder back into wp-content as a fix for the cache issues was potentially a very large problem.  Every post (1900+) with an image or linked file had the link pointing to the image file at the root location. Luckily someone designed a WordPress Plugin to help fix all those links — Velvet Blue Update URLs.

I copied the upload folder into the “wp-content” folder and then using the Velvet Blue Update URLs plugin I specified the old location URL “http://mp.com/uploads” and the new location URL  “http://mp.com/wp-content/uploads” and the plugin went through all posts and pages making the changes.  I only had to make a couple of changes where a URL was hard coded in my theme.

This would also be a life saver plug-in if you were changing you directory structure during a domain or host move.

This is only a few of the things I can remember I’ve experienced while using WordPress for the last eight years. Why have I and Meandering Passage been the target of a number of attacks when most WordPress blogs exists for years without being touched — I don’t know. Perhaps because I’ve published technical posts on this blog it’s been exposed to a different segment of  the Internet or perhaps at some point it was simply added to a list…not a good list.  The point is if you run any type of blog and feel it’s safe and secure because you’ve never had any problem you might be living in a dream world on borrowed time.  Just be aware. 

11 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Tom Dills
10 years ago

Posts like this make me wish I knew more about what goes on under the hood/behind the scenes of all things web. Fortunately my website is pretty user friendly, and my annual fee includes a WordPress account, which I use for my blog. I had a password issue once but my hosting company handled it and I didn’t even know what they did.

That’s also what bothers me about the Hackintosh – I love the computer, it works great and gives me great satisfaction to use a machine that I “built.” I just end up feeling helpless/useless when something comes along that I can’t fix. I guess that’s why I like cameras – I don’t generally need to take them apart! ;)

Anita Jesse
10 years ago

You have probably guessed that most of this was way over my head. Still I quite enjoyed the read. You write about technical matter so clearly that I almost start to believe that I “get it”. Usually, I don’t read articles like this, but yours are an exception.

Mark
10 years ago

First off Earl, love the photo. Not quite sure what it is in reality, and not sure I want to know, because I think the Other Worldly caption is perfect.

I turned on a security setting on my blog recently to block anyone that tries to login using the Admin ID. Seems to happen quite often as now I am getting so many emails about host lockouts. I have a few security items running, all of them seem to pick up stuff. I want to check out more of what you list here.

Monte Stevens
10 years ago

Well written and a good read, even though most of it was above my head. I also am one of those who needs to implement some of your suggestions. Not sure what the image is, either. Do I want to know?

Paul
10 years ago

Thanks for the writeup, Earl. Though I’ve not had any issues, it can’t hurt to be a bit proactive. I’ve downloaded and installed the WP Better Security plugin, now named, iThemes Security.

Markus
10 years ago
Reply to  Paul

Paul, that’s the plugin that I use, too. And when I look through the logs of the various abuse attempts undertaken by hackers from all over the world, I admire wordpress’s stability even more.