SlideShare uma empresa Scribd logo

Beyond the WordPress 5 minute Install

Steve Taylor
Steve Taylor

The document provides tips and best practices for securing and optimizing a WordPress site beyond the basic installation. It discusses .htaccess configuration for redirects, file protection, and permalinks. It also covers hardening wp-config.php by changing passwords and salts, prefixing tables, and configuring database settings for different environments. Additional topics include plugins, revisions, debugging, and discussion settings. The presentation aims to advise beginners and developers on security, performance, and maintenance of WordPress sites.

TecnologiaNegócios
1 de 36
Baixar para ler offline
Beyond the 5-minute Install Steve Taylor http://sltaylor.co.uk steve@sltaylor.co.uk @sltayloresque WordCamp Portsmouth UK 2011
Security & best practices ● .htaccess ● wp-config.php ● robots.txt ● functions.php / “functionality plugin” ● Plugins ● Other issues?
A bit about me ● Custom theme developer ● No themes released ● A few plugins This talk ● Advice for beginners  ● Tips for developers 
.htaccess ● “hypertext access” ●Controls requests to server before any PHP / WordPress processing ● Apache only (IIS?) ● Root of website (sub-directories?) ● Sometimes simple, sometimes complex! http://httpd.apache.org/docs/ http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
www or not www? ● Personal choice / aesthetics ●Both should be accessible; one should redirect (301) to the other ● Tell Google Webmaster Tools!
www or not www? ● Personal choice / aesthetics ●Both should be accessible; one should redirect (301) to the other ● Tell Google Webmaster Tools! # Force no “www” RewriteCond %{HTTP_HOST} ^www.example.com$ [NC] RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]
www or not www? ● Personal choice / aesthetics ●Both should be accessible; one should redirect (301) to the other ● Tell Google Webmaster Tools! # Force no “www” RewriteCond %{HTTP_HOST} ^www.example.com$ [NC] RewriteRule ^(.*)$ http://example.com/$1 [R=301,L] # Force “www” RewriteCond %{HTTP_HOST} ^example.com$ [NC] RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
Protect important files ●# Protect .htaccess files <Files .htaccess> order allow,deny deny from all </Files> ●# Protect wp-config.php <Files wp-config.php> order allow,deny deny from all </FilesMatch>
WordPress pretty permalinks
WordPress pretty permalinks Include at end of .htaccess: ●# BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> # END WordPress
WordPress pretty permalinks Really bad idea for big sites:
WordPress pretty permalinks Really bad idea for big sites: Better: http://ottopress.com/2010/category-in-permalinks-considered-harmful/ http://codex.wordpress.org/Using_Permalinks
wp-config.php ● Create your own wp-config-sample.php ●Check the file for new stuff in new versions of WordPress ● Edit and initialize BEFORE installing WordPress! http://codex.wordpress.org/Editing_wp-config.php http://digwp.com/2010/08/pimp-your-wp-config-php/
Server-dependent settings ●// ** MySQL settings - You can get this info from your web host ** // /** The name of the database for WordPress */ define('DB_NAME', 'database_name_here'); ●/** MySQL database username */ define('DB_USER', 'username_here'); ●/** MySQL database password */ define('DB_PASSWORD', 'password_here'); ●/** MySQL hostname */ define('DB_HOST', 'localhost');
Server-dependent settings ●switch ( $_SERVER['HTTP_HOST'] ) { case 'dev.example.com': { // Dev server define( 'DB_NAME', 'aef4RgX_mysitedev' ); define( 'DB_USER', 'aef4RgX_mysitedev' ); define( 'DB_PASSWORD', 'Jyt6v48jS9frkGgZyS5iIjif6LnosuYr' ); define( 'DB_HOST', 'localhost' ); break; } default: { // Live server define( 'DB_NAME', 'sd6FE2xc_mysitelive' ); define( 'DB_USER', 'sd6FE2xc_mysitelive' ); define( 'DB_PASSWORD', 'as3d56JvDlPisYwU7c1nfZ3Yct0NEiZR' ); define( 'DB_HOST', 'localhost' ); break; } } https://www.grc.com/passwords.htm
Authentication Keys and Salts Change them for every installation! define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); https://api.wordpress.org/secret-key/1.1/salt/
Database table prefix The default: $table_prefix = 'wp_';
Database table prefix The default: $table_prefix = 'wp_'; Much better: $table_prefix = 'a3rfGtQ1_';
Database table prefix When coding database queries, don’t use hard-coded table names!
Database table prefix When coding database queries, don’t use hard-coded table names! A standard WP table: global $wpdb; $custom_query = $wpdb->get_results( “SELECT ID, post_title FROM $wpdb->posts” );
Database table prefix When coding database queries, don’t use hard-coded table names! A standard WP table: global $wpdb; $custom_query = $wpdb->get_results( “SELECT ID, post_title FROM $wpdb->posts” ); A custom table: global $wpdb; $custom_query = $wpdb->get_results( “SELECT field FROM ” . $wpdb->prefix . “table” ); http://codex.wordpress.org/Class_Reference/wpdb
Server needs FTP for upgrades? define( "FTP_HOST", "ftp.example.com" ); define( "FTP_USER", "myftpuser" ); define( "FTP_PASS", "hQfsSITtKteo1Ln2FEhHlPkXZ" );
Debugging define( 'WP_DEBUG', true );
Debugging define( 'WP_DEBUG', true ); http://dev.example.com/?debug=1 ●switch ( $_SERVER['HTTP_HOST'] ) { case 'dev.example.com': { // Dev server define( 'WP_DEBUG', isset( $_GET['debug'] ) ); break; } default: { // Live server define( 'WP_DEBUG', false ); break; } }
Control revisions and autosave // Only keep 3 revisions of each post define( 'WP_POST_REVISIONS', 3 );
Control revisions and autosave // Only keep 3 revisions of each post define( 'WP_POST_REVISIONS', 3 ); // Don’t keep revisions of posts define( 'WP_POST_REVISIONS', false );
Control revisions and autosave // Only keep 3 revisions of each post define( 'WP_POST_REVISIONS', 3 ); // Don’t keep revisions of posts define( 'WP_POST_REVISIONS', false ); // Autosave posts interval in seconds define( 'AUTOSAVE_INTERVAL', 60 );
Disable plugin and theme editing define( 'DISALLOW_FILE_EDIT', true );
robots.txt User-agent: * Disallow: /wp-admin Disallow: /wp-includes Disallow: /wp-content/plugins Disallow: /wp-content/cache Disallow: /wp-content/themes Disallow: /trackback Disallow: /feed Disallow: /comments Disallow: /category/*/* Disallow: */trackback Disallow: */feed Disallow: */comments Disallow: /*?* Disallow: /*? Allow: /wp-content/uploads Sitemap: http://example.com/sitemap.xml http://codex.wordpress.org/Search_Engine_Optimization_for_WordPress#Robots.txt_Optimization
Custom theme functions.php / “functionality” plugin ● Snippets not worth making into a plugin ● Plugin is more portable ● Check out /mu-plugins/ http://justintadlock.com/archives/2011/02/02/creating-a-custom-functions-plugin-for-end-users http://wpcandy.com/teaches/how-to-create-a-functionality-plugin http://codex.wordpress.org/Must_Use_Plugins
Disable upgrade notifications for people who can't do upgrades if ( ! current_user_can( 'update_core' ) ) { add_action( 'init', create_function( '$a', "remove_action( 'init', 'wp_version_check' );" ), 2 ); add_filter( 'pre_option_update_core', create_function( '$a', "return null;" ) ); }
Remove nofollow from comments remove_filter( 'pre_comment_content', 'wp_rel_nofollow' ); add_filter( 'get_comment_author_link', 'slt_dofollow' ); add_filter( 'post_comments_link', 'slt_dofollow' ); add_filter( 'comment_reply_link', 'slt_dofollow' ); add_filter( 'comment_text', 'slt_dofollow' ); function slt_dofollow( $str ) { $str = preg_replace( '~<a ([^>]*)s*(["|']{1}w*)s*nofollow([^>]*)>~U', '<a ${1}${2}${3}>', $str ); return str_replace( array( ' rel=""', " rel=''" ), '', $str ); } } http://digwp.com/2010/04/wordpress-custom-functions-php-template-part-2/
Better default display names add_action( 'user_register', 'slt_default_user_display_name' ); function slt_default_user_display_name( $user_id ) { $first = get_usermeta( $user_id, 'first_name' ); $last = get_usermeta( $user_id, 'last_name' ); $display = $first . " " . $last; wp_update_user( array( "ID" => $user_id, "display_name" => $display ) ); }
Plugins Force Strong Passwords. Copies WordPress's JavaScript password strength meter into PHP and forces “executive” users to have a strong password when updating their profile. http://wordpress.org/extend/plugins/force-strong-passwords/ Google XML Sitemaps (or equivalent). http://wordpress.org/extend/plugins/google-sitemap-generator/ Use Google Libraries. http://wordpress.org/extend/plugins/use-google-libraries/ WordPress Database Backup. http://wordpress.org/extend/plugins/wp-db-backup/
Other issues ● File permissions http://codex.wordpress.org/Hardening_WordPress#File_permissions ● .htpasswd for /wp-admin/ ● Settings > Discussion
Cheers! http://sltaylor.co.uk @sltayloresque

Recomendados

Vagrant WordCamp Hamilton
Vagrant WordCamp HamiltonVagrant WordCamp Hamilton
Vagrant WordCamp Hamilton
Paul Bearne
 
[Bristol WordPress] Supercharging WordPress Development
[Bristol WordPress] Supercharging WordPress Development[Bristol WordPress] Supercharging WordPress Development
[Bristol WordPress] Supercharging WordPress Development
Adam Tomat
 
Web-Performance
Web-PerformanceWeb-Performance
Web-Performance
Walter Ebert
 
Writing your Third Plugin
Writing your Third PluginWriting your Third Plugin
Writing your Third Plugin
Justin Ryan
 
Transients are good for you - WordCamp London 2016
Transients are good for you - WordCamp London 2016Transients are good for you - WordCamp London 2016
Transients are good for you - WordCamp London 2016
Boiteaweb
 
Optimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Optimising Your Front End Workflow With Symfony, Twig, Bower and GulpOptimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Optimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Matthew Davis
 
深入淺出 MVC
深入淺出 MVC深入淺出 MVC
深入淺出 MVC
Jace Ju
 
Vue 淺談前端建置工具
Vue 淺談前端建置工具Vue 淺談前端建置工具
Vue 淺談前端建置工具
andyyou
 

Recomendados

Vagrant WordCamp Hamilton
Vagrant WordCamp HamiltonVagrant WordCamp Hamilton
Vagrant WordCamp Hamilton
Paul Bearne
 
[Bristol WordPress] Supercharging WordPress Development
[Bristol WordPress] Supercharging WordPress Development[Bristol WordPress] Supercharging WordPress Development
[Bristol WordPress] Supercharging WordPress Development
Adam Tomat
 
Web-Performance
Web-PerformanceWeb-Performance
Web-Performance
Walter Ebert
 
Writing your Third Plugin
Writing your Third PluginWriting your Third Plugin
Writing your Third Plugin
Justin Ryan
 
Transients are good for you - WordCamp London 2016
Transients are good for you - WordCamp London 2016Transients are good for you - WordCamp London 2016
Transients are good for you - WordCamp London 2016
Boiteaweb
 
Optimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Optimising Your Front End Workflow With Symfony, Twig, Bower and GulpOptimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Optimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Matthew Davis
 
深入淺出 MVC
深入淺出 MVC深入淺出 MVC
深入淺出 MVC
Jace Ju
 
Vue 淺談前端建置工具
Vue 淺談前端建置工具Vue 淺談前端建置工具
Vue 淺談前端建置工具
andyyou
 
Head First Zend Framework - Part 1 Project & Application
Head First Zend Framework - Part 1 Project & ApplicationHead First Zend Framework - Part 1 Project & Application
Head First Zend Framework - Part 1 Project & Application
Jace Ju
 
What happens in laravel 4 bootstraping
What happens in laravel 4 bootstrapingWhat happens in laravel 4 bootstraping
What happens in laravel 4 bootstraping
Jace Ju
 
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
Graham Dumpleton
 
Mojolicious - A new hope
Mojolicious - A new hopeMojolicious - A new hope
Mojolicious - A new hope
Marcus Ramberg
 
Deploying
DeployingDeploying
Deploying
soon
 
Best Practices in Plugin Development (WordCamp Seattle)
Best Practices in Plugin Development (WordCamp Seattle)Best Practices in Plugin Development (WordCamp Seattle)
Best Practices in Plugin Development (WordCamp Seattle)
andrewnacin
 
SocketStream
SocketStreamSocketStream
SocketStream
Paul Jensen
 
Cool like a Frontend Developer: Grunt, RequireJS, Bower and other Tools
Cool like a Frontend Developer: Grunt, RequireJS, Bower and other ToolsCool like a Frontend Developer: Grunt, RequireJS, Bower and other Tools
Cool like a Frontend Developer: Grunt, RequireJS, Bower and other Tools
Ryan Weaver
 
Front End Performance
Front End PerformanceFront End Performance
Front End Performance
Konstantin Käfer
 
Front end performance optimization
Front end performance optimizationFront end performance optimization
Front end performance optimization
Stevie T
 
Puppet at janrain
Puppet at janrainPuppet at janrain
Puppet at janrain
Puppet
 
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
andrewnacin
 
Front end performance tip
Front end performance tipFront end performance tip
Front end performance tip
Steve Yu
 
Mehr Performance für WordPress - WordCamp Köln
Mehr Performance für WordPress - WordCamp KölnMehr Performance für WordPress - WordCamp Köln
Mehr Performance für WordPress - WordCamp Köln
Walter Ebert
 
Extending the WordPress REST API - Josh Pollock
Extending the WordPress REST API - Josh PollockExtending the WordPress REST API - Josh Pollock
Extending the WordPress REST API - Josh Pollock
Caldera Labs
 
You Don't Know Query - WordCamp Portland 2011
You Don't Know Query - WordCamp Portland 2011You Don't Know Query - WordCamp Portland 2011
You Don't Know Query - WordCamp Portland 2011
andrewnacin
 
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)
DK Lee
 
BP-6 Repository Customization Best Practices
BP-6 Repository Customization Best PracticesBP-6 Repository Customization Best Practices
BP-6 Repository Customization Best Practices
Alfresco Software
 
jQuery Plugin Creation
jQuery Plugin CreationjQuery Plugin Creation
jQuery Plugin Creation
benalman
 
Powershell: Tu nuevo mejor amigo
Powershell: Tu nuevo mejor amigoPowershell: Tu nuevo mejor amigo
Powershell: Tu nuevo mejor amigo
Gonzalo Balladares Rivera
 
A WordPress workshop at Cefalo
A WordPress workshop at Cefalo A WordPress workshop at Cefalo
A WordPress workshop at Cefalo
Beroza Paul
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLI
WP Engine
 

Mais conteúdo relacionado

Mais procurados

Head First Zend Framework - Part 1 Project & Application
Head First Zend Framework - Part 1 Project & ApplicationHead First Zend Framework - Part 1 Project & Application
Head First Zend Framework - Part 1 Project & Application
Jace Ju
 
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
Graham Dumpleton
 
Deploying
DeployingDeploying
Deploying
soon
 
jQuery Plugin Creation
jQuery Plugin CreationjQuery Plugin Creation
jQuery Plugin Creation
benalman
 

Mais procurados (20)

Head First Zend Framework - Part 1 Project & Application
Head First Zend Framework - Part 1 Project & ApplicationHead First Zend Framework - Part 1 Project & Application
Head First Zend Framework - Part 1 Project & Application
 
What happens in laravel 4 bootstraping
What happens in laravel 4 bootstrapingWhat happens in laravel 4 bootstraping
What happens in laravel 4 bootstraping
 
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
 
Mojolicious - A new hope
Mojolicious - A new hopeMojolicious - A new hope
Mojolicious - A new hope
 
Deploying
DeployingDeploying
Deploying
 
Best Practices in Plugin Development (WordCamp Seattle)
Best Practices in Plugin Development (WordCamp Seattle)Best Practices in Plugin Development (WordCamp Seattle)
Best Practices in Plugin Development (WordCamp Seattle)
 
SocketStream
SocketStreamSocketStream
SocketStream
 
Cool like a Frontend Developer: Grunt, RequireJS, Bower and other Tools
Cool like a Frontend Developer: Grunt, RequireJS, Bower and other ToolsCool like a Frontend Developer: Grunt, RequireJS, Bower and other Tools
Cool like a Frontend Developer: Grunt, RequireJS, Bower and other Tools
 
Front End Performance
Front End PerformanceFront End Performance
Front End Performance
 
Front end performance optimization
Front end performance optimizationFront end performance optimization
Front end performance optimization
 
Puppet at janrain
Puppet at janrainPuppet at janrain
Puppet at janrain
 
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
 
Front end performance tip
Front end performance tipFront end performance tip
Front end performance tip
 
Mehr Performance für WordPress - WordCamp Köln
Mehr Performance für WordPress - WordCamp KölnMehr Performance für WordPress - WordCamp Köln
Mehr Performance für WordPress - WordCamp Köln
 
Extending the WordPress REST API - Josh Pollock
Extending the WordPress REST API - Josh PollockExtending the WordPress REST API - Josh Pollock
Extending the WordPress REST API - Josh Pollock
 
You Don't Know Query - WordCamp Portland 2011
You Don't Know Query - WordCamp Portland 2011You Don't Know Query - WordCamp Portland 2011
You Don't Know Query - WordCamp Portland 2011
 
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)
 
BP-6 Repository Customization Best Practices
BP-6 Repository Customization Best PracticesBP-6 Repository Customization Best Practices
BP-6 Repository Customization Best Practices
 
jQuery Plugin Creation
jQuery Plugin CreationjQuery Plugin Creation
jQuery Plugin Creation
 
Powershell: Tu nuevo mejor amigo
Powershell: Tu nuevo mejor amigoPowershell: Tu nuevo mejor amigo
Powershell: Tu nuevo mejor amigo
 

Semelhante a Beyond the WordPress 5 minute Install

10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
arcware
 
Laying the proper foundation for plugin and theme development
Laying the proper foundation for plugin and theme developmentLaying the proper foundation for plugin and theme development
Laying the proper foundation for plugin and theme development
Tammy Hart
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
Think Media Inc.
 

Semelhante a Beyond the WordPress 5 minute Install (20)

A WordPress workshop at Cefalo
A WordPress workshop at Cefalo A WordPress workshop at Cefalo
A WordPress workshop at Cefalo
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLI
 
Making WordPress Your CMS and Automatically Updating a Self Hosted WordPress ...
Making WordPress Your CMS and Automatically Updating a Self Hosted WordPress ...Making WordPress Your CMS and Automatically Updating a Self Hosted WordPress ...
Making WordPress Your CMS and Automatically Updating a Self Hosted WordPress ...
 
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
 
Manage WordPress with Awesome using wp cli
Manage WordPress with Awesome using wp cliManage WordPress with Awesome using wp cli
Manage WordPress with Awesome using wp cli
 
WordCamp Vancouver 2012 - Manage WordPress with Awesome using wp-cli
WordCamp Vancouver 2012 - Manage WordPress with Awesome using wp-cliWordCamp Vancouver 2012 - Manage WordPress with Awesome using wp-cli
WordCamp Vancouver 2012 - Manage WordPress with Awesome using wp-cli
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin Development
 
Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!
 
Laying the proper foundation for plugin and theme development
Laying the proper foundation for plugin and theme developmentLaying the proper foundation for plugin and theme development
Laying the proper foundation for plugin and theme development
 
WordPress Plugin development
WordPress Plugin developmentWordPress Plugin development
WordPress Plugin development
 
Creating Your First WordPress Plugin
Creating Your First WordPress PluginCreating Your First WordPress Plugin
Creating Your First WordPress Plugin
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
 
Using Geeklog as a Web Application Framework
Using Geeklog as a Web Application FrameworkUsing Geeklog as a Web Application Framework
Using Geeklog as a Web Application Framework
 
Childthemes ottawa-word camp-1919
Childthemes ottawa-word camp-1919Childthemes ottawa-word camp-1919
Childthemes ottawa-word camp-1919
 
Hardcore URL Routing for WordPress - WordCamp Atlanta 2014 (PPT)
Hardcore URL Routing for WordPress - WordCamp Atlanta 2014 (PPT)Hardcore URL Routing for WordPress - WordCamp Atlanta 2014 (PPT)
Hardcore URL Routing for WordPress - WordCamp Atlanta 2014 (PPT)
 
Getting to The Loop - London Wordpress Meetup July 28th
Getting to The Loop - London Wordpress Meetup July 28thGetting to The Loop - London Wordpress Meetup July 28th
Getting to The Loop - London Wordpress Meetup July 28th
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
 
WordPress Configuration tips
WordPress Configuration tipsWordPress Configuration tips
WordPress Configuration tips
 

Último

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 

Último (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

Beyond the WordPress 5 minute Install

  • 1. Beyond the 5-minute Install Steve Taylor http://sltaylor.co.uk steve@sltaylor.co.uk @sltayloresque WordCamp Portsmouth UK 2011
  • 2. Security & best practices ● .htaccess ● wp-config.php ● robots.txt ● functions.php / “functionality plugin” ● Plugins ● Other issues?
  • 3. A bit about me ● Custom theme developer ● No themes released ● A few plugins This talk ● Advice for beginners  ● Tips for developers 
  • 4. .htaccess ● “hypertext access” ●Controls requests to server before any PHP / WordPress processing ● Apache only (IIS?) ● Root of website (sub-directories?) ● Sometimes simple, sometimes complex! http://httpd.apache.org/docs/ http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
  • 5. www or not www? ● Personal choice / aesthetics ●Both should be accessible; one should redirect (301) to the other ● Tell Google Webmaster Tools!
  • 6. www or not www? ● Personal choice / aesthetics ●Both should be accessible; one should redirect (301) to the other ● Tell Google Webmaster Tools! # Force no “www” RewriteCond %{HTTP_HOST} ^www.example.com$ [NC] RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]
  • 7. www or not www? ● Personal choice / aesthetics ●Both should be accessible; one should redirect (301) to the other ● Tell Google Webmaster Tools! # Force no “www” RewriteCond %{HTTP_HOST} ^www.example.com$ [NC] RewriteRule ^(.*)$ http://example.com/$1 [R=301,L] # Force “www” RewriteCond %{HTTP_HOST} ^example.com$ [NC] RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
  • 8. Protect important files ●# Protect .htaccess files <Files .htaccess> order allow,deny deny from all </Files> ●# Protect wp-config.php <Files wp-config.php> order allow,deny deny from all </FilesMatch>
  • 10. WordPress pretty permalinks Include at end of .htaccess: ●# BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> # END WordPress
  • 11. WordPress pretty permalinks Really bad idea for big sites:
  • 12. WordPress pretty permalinks Really bad idea for big sites: Better: http://ottopress.com/2010/category-in-permalinks-considered-harmful/ http://codex.wordpress.org/Using_Permalinks
  • 13. wp-config.php ● Create your own wp-config-sample.php ●Check the file for new stuff in new versions of WordPress ● Edit and initialize BEFORE installing WordPress! http://codex.wordpress.org/Editing_wp-config.php http://digwp.com/2010/08/pimp-your-wp-config-php/
  • 14. Server-dependent settings ●// ** MySQL settings - You can get this info from your web host ** // /** The name of the database for WordPress */ define('DB_NAME', 'database_name_here'); ●/** MySQL database username */ define('DB_USER', 'username_here'); ●/** MySQL database password */ define('DB_PASSWORD', 'password_here'); ●/** MySQL hostname */ define('DB_HOST', 'localhost');
  • 15. Server-dependent settings ●switch ( $_SERVER['HTTP_HOST'] ) { case 'dev.example.com': { // Dev server define( 'DB_NAME', 'aef4RgX_mysitedev' ); define( 'DB_USER', 'aef4RgX_mysitedev' ); define( 'DB_PASSWORD', 'Jyt6v48jS9frkGgZyS5iIjif6LnosuYr' ); define( 'DB_HOST', 'localhost' ); break; } default: { // Live server define( 'DB_NAME', 'sd6FE2xc_mysitelive' ); define( 'DB_USER', 'sd6FE2xc_mysitelive' ); define( 'DB_PASSWORD', 'as3d56JvDlPisYwU7c1nfZ3Yct0NEiZR' ); define( 'DB_HOST', 'localhost' ); break; } } https://www.grc.com/passwords.htm
  • 16. Authentication Keys and Salts Change them for every installation! define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); https://api.wordpress.org/secret-key/1.1/salt/
  • 17. Database table prefix The default: $table_prefix = 'wp_';
  • 18. Database table prefix The default: $table_prefix = 'wp_'; Much better: $table_prefix = 'a3rfGtQ1_';
  • 19. Database table prefix When coding database queries, don’t use hard-coded table names!
  • 20. Database table prefix When coding database queries, don’t use hard-coded table names! A standard WP table: global $wpdb; $custom_query = $wpdb->get_results( “SELECT ID, post_title FROM $wpdb->posts” );
  • 21. Database table prefix When coding database queries, don’t use hard-coded table names! A standard WP table: global $wpdb; $custom_query = $wpdb->get_results( “SELECT ID, post_title FROM $wpdb->posts” ); A custom table: global $wpdb; $custom_query = $wpdb->get_results( “SELECT field FROM ” . $wpdb->prefix . “table” ); http://codex.wordpress.org/Class_Reference/wpdb
  • 22. Server needs FTP for upgrades? define( "FTP_HOST", "ftp.example.com" ); define( "FTP_USER", "myftpuser" ); define( "FTP_PASS", "hQfsSITtKteo1Ln2FEhHlPkXZ" );
  • 24. Debugging define( 'WP_DEBUG', true ); http://dev.example.com/?debug=1 ●switch ( $_SERVER['HTTP_HOST'] ) { case 'dev.example.com': { // Dev server define( 'WP_DEBUG', isset( $_GET['debug'] ) ); break; } default: { // Live server define( 'WP_DEBUG', false ); break; } }
  • 25. Control revisions and autosave // Only keep 3 revisions of each post define( 'WP_POST_REVISIONS', 3 );
  • 26. Control revisions and autosave // Only keep 3 revisions of each post define( 'WP_POST_REVISIONS', 3 ); // Don’t keep revisions of posts define( 'WP_POST_REVISIONS', false );
  • 27. Control revisions and autosave // Only keep 3 revisions of each post define( 'WP_POST_REVISIONS', 3 ); // Don’t keep revisions of posts define( 'WP_POST_REVISIONS', false ); // Autosave posts interval in seconds define( 'AUTOSAVE_INTERVAL', 60 );
  • 28. Disable plugin and theme editing define( 'DISALLOW_FILE_EDIT', true );
  • 29. robots.txt User-agent: * Disallow: /wp-admin Disallow: /wp-includes Disallow: /wp-content/plugins Disallow: /wp-content/cache Disallow: /wp-content/themes Disallow: /trackback Disallow: /feed Disallow: /comments Disallow: /category/*/* Disallow: */trackback Disallow: */feed Disallow: */comments Disallow: /*?* Disallow: /*? Allow: /wp-content/uploads Sitemap: http://example.com/sitemap.xml http://codex.wordpress.org/Search_Engine_Optimization_for_WordPress#Robots.txt_Optimization
  • 30. Custom theme functions.php / “functionality” plugin ● Snippets not worth making into a plugin ● Plugin is more portable ● Check out /mu-plugins/ http://justintadlock.com/archives/2011/02/02/creating-a-custom-functions-plugin-for-end-users http://wpcandy.com/teaches/how-to-create-a-functionality-plugin http://codex.wordpress.org/Must_Use_Plugins
  • 31. Disable upgrade notifications for people who can't do upgrades if ( ! current_user_can( 'update_core' ) ) { add_action( 'init', create_function( '$a', "remove_action( 'init', 'wp_version_check' );" ), 2 ); add_filter( 'pre_option_update_core', create_function( '$a', "return null;" ) ); }
  • 32. Remove nofollow from comments remove_filter( 'pre_comment_content', 'wp_rel_nofollow' ); add_filter( 'get_comment_author_link', 'slt_dofollow' ); add_filter( 'post_comments_link', 'slt_dofollow' ); add_filter( 'comment_reply_link', 'slt_dofollow' ); add_filter( 'comment_text', 'slt_dofollow' ); function slt_dofollow( $str ) { $str = preg_replace( '~<a ([^>]*)s*(["|']{1}w*)s*nofollow([^>]*)>~U', '<a ${1}${2}${3}>', $str ); return str_replace( array( ' rel=""', " rel=''" ), '', $str ); } } http://digwp.com/2010/04/wordpress-custom-functions-php-template-part-2/
  • 33. Better default display names add_action( 'user_register', 'slt_default_user_display_name' ); function slt_default_user_display_name( $user_id ) { $first = get_usermeta( $user_id, 'first_name' ); $last = get_usermeta( $user_id, 'last_name' ); $display = $first . " " . $last; wp_update_user( array( "ID" => $user_id, "display_name" => $display ) ); }
  • 34. Plugins Force Strong Passwords. Copies WordPress's JavaScript password strength meter into PHP and forces “executive” users to have a strong password when updating their profile. http://wordpress.org/extend/plugins/force-strong-passwords/ Google XML Sitemaps (or equivalent). http://wordpress.org/extend/plugins/google-sitemap-generator/ Use Google Libraries. http://wordpress.org/extend/plugins/use-google-libraries/ WordPress Database Backup. http://wordpress.org/extend/plugins/wp-db-backup/
  • 35. Other issues ● File permissions http://codex.wordpress.org/Hardening_WordPress#File_permissions ● .htpasswd for /wp-admin/ ● Settings > Discussion