
Over the course of the last few weeks I’ve come to the conclusion that I am absolutely terrible at designing websites. Which is a problem, because it’s one of my great loves. I spend a great deal of time reading about great web design and think ‘Oh, that’s so obvious. What an easy way to do that’. I am full of ideas, but when it comes to mocking them up in PhotoShop I fall dead.

I’m not artistic. I’m creative, yes. But arty in any way? I failed S1 art and design, for goodness’ sake! I can see in my head exactly how I want a layout (I’m old skool, layout is better than theme) to end up, but I just can’t turn that thought into graphics.

What I can do, however, is code. I can code my heart out for hours on end and my limits are valid XHTML, CSS and basic template tags. I don’t do other languages, I’ve never learned. Which seems silly now, I’d love to be able to write and things for but I’ll admit that PHP goes over my head a bit.

So, in a roundabout way - I know this theme sucks. But I’m working on it.

WordPress Security

Last night I found out the hard way why security is so important. My blog got hacked/hijacked and the result was that every single internal link auto-forwarded to a porn site that tried to install toolbars, trojans... the lot.

I know that this has happened to at least one other blog that I visit, and probably lots more. The cause is probably insecure file permissions on the files on my server. (Possibly something to do with the fact that WordPress have released version 2.5.1 with ultra important security fixes?)

So after deleting everything from the server and installing afresh (which of course came with its own problems of trying to remember all the plugins that I had installed etc.) and importing a backup, I took control of my blog again.

But it got me thinking. I’ve been for half my . I’ve had a website of some description for a decade. I should know about and implement security features. I shouldn’t have had to find out the hard way how important it is to keep my files safe from attack.

I’ve compiled a list of all the steps that you should take to protect your installation from malicious hijacking; after all, I’ve been researching it for the past couple of hours to make sure that it never happens again.

File Permissions

Probably the biggest one on the list, and the one that can cause the most problems if you’re used to editing themes and plugins through the dashboard.

None of your files should be set to 777 (all users read, write and execute). By using the WP Security Scan plugin you can automatically see which folders do not have the correct permissions and fix them with a click. The plugin also points out any other security issues on your blog. It’s an essential plugin for your blog, and if you ask me it should be included with WordPress rather than Hello Dolly.
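The check the plugin automates can also be run by hand over SSH. The script below is an added example, not code from the original post or from the WP Security Scan plugin: it walks an install directory, reports every file or folder that anyone on the server may write to (the `o+w` bit that 777 and 666 grant), and resets directories to 755 and files to 644, which are the conventional WordPress defaults. The `make_demo_tree()` layout is constructed for the demonstration; point `find_world_writable()` at your real document root instead.

```python
"""Find and fix world-writable files in a WordPress tree (added example)."""
import os
import stat
import tempfile

DIR_MODE = 0o755   # rwxr-xr-x: owner may write, everyone else read-only
FILE_MODE = 0o644  # rw-r--r--


def find_world_writable(root):
    """Return sorted (relative_path, octal_mode) pairs for every entry under
    root whose permission bits let *anyone* write to it. Symlinks are
    skipped so the scan never follows a link out of the install."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                hits.append((os.path.relpath(path, root), oct(mode)))
    return sorted(hits)


def fix_permissions(root, dir_mode=DIR_MODE, file_mode=FILE_MODE):
    """Reset every directory to dir_mode and every regular file to file_mode.
    Returns the number of entries that actually changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name, wanted in [(d, dir_mode) for d in dirnames] + \
                            [(f, file_mode) for f in filenames]:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if stat.S_IMODE(st.st_mode) != wanted:
                os.chmod(path, wanted)
                changed += 1
    return changed


def make_demo_tree():
    """Build a throw-away mini WordPress layout (constructed data) with two
    entries left wide open, the way a careless FTP client might leave them."""
    root = tempfile.mkdtemp(prefix="wpdemo_")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for rel in ("index.php", "wp-config.php", "wp-content/uploads/photo.jpg"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)                              # the classic mistake
    os.chmod(os.path.join(uploads, "photo.jpg"), 0o666)   # world-writable file
    for rel in ("index.php", "wp-config.php"):
        os.chmod(os.path.join(root, rel), 0o644)
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    print("world-writable before:", find_world_writable(demo))
    print("entries changed:", fix_permissions(demo))
    print("world-writable after: ", find_world_writable(demo))
```

755/644 is the baseline, not the ceiling: wp-config.php holds your database password, so once the scan is clean it is reasonable to tighten that one file further (for example 640) if your web server still reads it.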

User - Admin

Your default user in WordPress is more than likely ‘Admin’. The same goes for the thousands of other blogs out there. So it’s not that difficult to guess, is it? So the obvious answer is to delete the user ‘Admin’. But WordPress won’t let you delete the default user, so what can you do about it?

This is where phpMyAdmin comes into play. Don’t worry too much if you’ve never used it before, it’s quite simple as long as you follow these steps.

  1. Log into your phpMyAdmin through your cPanel.
  2. On the left hand side of the window you’ll see a list of tables like wp_options, wp_users. (The wp_ prefix may be different if you set a different value when you installed WordPress.)
  3. Click on wp_users.
  4. A table will load in the right hand frame, select the checkbox shown next to user_login.
  5. Select ‘Browse’ from the tabs at the top of the page.
  6. This then shows the table with all of your registered users’ details. You want to select the little pencil next to the name Admin to change this to a name of your choice.
  7. Once you’ve changed the name to something else, press Go at the bottom of the screen.
  8. That’s it - you’re done. The user ‘Admin’ no longer exists.
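What the pencil icon in step 6 does underneath is a single UPDATE on the users table. The script below is an added example, not from the original post: it replays that update on an in-memory SQLite copy of the two WordPress tables that matter, and checks the point that makes the rename safe, namely that posts point at the user’s numeric ID, not the login, so nothing is orphaned. It also renames `user_nicename`, the slug WordPress puts in author archive URLs, which would otherwise still show the old login. The column subset and the rows are constructed; the default `wp_` prefix is a parameter.

```python
"""Replay the phpMyAdmin rename on a throw-away SQLite copy (added example)."""
import re
import sqlite3

PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")   # table prefixes are interpolated, so validate them


def _check_prefix(prefix):
    if not PREFIX_RE.match(prefix):
        raise ValueError(f"unsafe table prefix: {prefix!r}")
    return prefix


def make_demo_db(prefix="wp_"):
    """Constructed data: one 'admin' user who owns two posts."""
    prefix = _check_prefix(prefix)
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE {prefix}users (
            ID INTEGER PRIMARY KEY,
            user_login TEXT NOT NULL UNIQUE,
            user_nicename TEXT NOT NULL,    -- slug used in /author/<nicename>/ URLs
            display_name TEXT NOT NULL
        );
        CREATE TABLE {prefix}posts (
            ID INTEGER PRIMARY KEY,
            post_author INTEGER NOT NULL,   -- references users.ID, never the login
            post_title TEXT NOT NULL
        );
        INSERT INTO {prefix}users VALUES (1, 'admin', 'admin', 'admin');
        INSERT INTO {prefix}posts VALUES (10, 1, 'WordPress Security');
        INSERT INTO {prefix}posts VALUES (11, 1, 'Automatic Updates');
    """)
    return con


def rename_user(con, old_login, new_login, prefix="wp_"):
    """The edit the pencil icon performs, plus the nicename that would
    otherwise keep leaking the old login. Returns rows updated (0 = no such user)."""
    prefix = _check_prefix(prefix)
    cur = con.execute(
        f"UPDATE {prefix}users SET user_login = ?, user_nicename = ? WHERE user_login = ?",
        (new_login, new_login, old_login),
    )
    con.commit()
    return cur.rowcount


def posts_by_login(con, login, prefix="wp_"):
    """Titles owned by a login, resolved through the numeric ID as WordPress does."""
    prefix = _check_prefix(prefix)
    rows = con.execute(
        f"SELECT p.post_title FROM {prefix}posts p "
        f"JOIN {prefix}users u ON p.post_author = u.ID "
        f"WHERE u.user_login = ? ORDER BY p.ID",
        (login,),
    )
    return [title for (title,) in rows]


if __name__ == "__main__":
    db = make_demo_db()
    print("before:", posts_by_login(db, "admin"))
    print("updated rows:", rename_user(db, "admin", "blogkeeper"))
    print("after, as 'admin':", posts_by_login(db, "admin"))
    print("after, as 'blogkeeper':", posts_by_login(db, "blogkeeper"))
```

The one thing the rename cannot fix is a password that was already weak; change that at the same time, since the whole point is that an attacker now has to guess both halves of the login.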

robots.txt

The robots.txt file on your server gives instructions to search engine robots (like GoogleBot). Remember, however, that not all search engine robots are good ones that play by the book; some will completely ignore your robots.txt file. But you can still add the following line to yours to stop all of your wp- folders being indexed by search engines.
Disallow: /wp-*
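Two practical caveats on that line, shown with Python’s standard `urllib.robotparser` as an added example (not from the original post; both robots.txt bodies are constructed). First, a Disallow only counts under a `User-agent:` header, so a file containing the bare line is not valid. Second, the `*` wildcard is an extension that Google honours but the original robots.txt rules do not: a strictly spec-following robot reads `/wp-*` as the literal prefix `/wp-*`, matches nothing, and happily indexes wp-admin. Spelling the directories out works for both kinds of robot. And, as the post says, none of this keeps a hostile crawler out; it is about not advertising your paths, not about access control.

```python
"""How a spec-following robot reads the two forms of the rule (added example)."""
from urllib.robotparser import RobotFileParser

SITE = "http://www.yourblog.com"   # constructed hostname

# The post's one-liner, with the User-agent header a valid file needs.
WILDCARD_RULES = [
    "User-agent: *",
    "Disallow: /wp-*",
]

# The same intent as plain path prefixes, understood by every robot
# that follows the original rules (Google also honours the * form).
EXPLICIT_RULES = [
    "User-agent: *",
    "Disallow: /wp-admin/",
    "Disallow: /wp-includes/",
    "Disallow: /wp-content/plugins/",
]

PATHS = [
    "/wp-admin/",
    "/wp-content/plugins/",
    "/wp-content/uploads/photo.jpg",   # media you probably *do* want indexed
    "/2008/04/wordpress-security/",    # an ordinary post
]


def crawler_may_fetch(rules, path, agent="*"):
    """True if a robot implementing the original prefix rules would crawl path."""
    rp = RobotFileParser()
    rp.parse(rules)          # parse() takes the file as a list of lines
    return rp.can_fetch(agent, SITE + path)


def report(rules, paths=PATHS):
    """Map each path to whether it is crawlable under the given rules."""
    return {p: crawler_may_fetch(rules, p) for p in paths}


if __name__ == "__main__":
    print("Disallow: /wp-*        ->", report(WILDCARD_RULES))
    print("explicit directories   ->", report(EXPLICIT_RULES))
```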

Passwords

Ok, this one’s a given. We all know that passwords should be long and contain numbers, letters and symbols. But that’s hard to remember. Yet the number of people who use the word ‘password’ as their password is incredible, and again it’s not that hard to guess, is it? Remember the MySpace password exploit? It threw up some interesting data on how people pick passwords, including the word ‘password’.

The easiest thing to remember is that you should keep your FTP and login passwords completely different, and try to choose a password which is really hard to work out but means something to you - like an acronym of your and your partner’s names plus your anniversary date. You could use a random password generator to create a password, although you’ll probably have to get your browser to remember it for you!

WordPress version

Ok, so the geeks among us get excited when a new version of WordPress is in the pipeline and upgrade straight away, but some people wait a few weeks to ensure that any problems are ironed out, amongst other reasons. It may be personal choice, but upgrading to the newest version of WordPress straight away also protects your blog, as there are always security fixes included in the upgrade. Try installing the WordPress Automatic Update Plugin to make upgrading your installation easy as pie.

Similarly, publishing what version of WordPress you are running is a danger in itself. You won’t realise that you’re letting the whole world know which version of WordPress you are running until you check your own page source. If there’s a Meta tag showing which version of WordPress you’re running, remove it from your header.
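Checking the page source by eye is easy to forget after a theme change, so here is the check as a script: an added example, not from the original post, that parses a saved copy of your front page and lists every `<meta name="generator">` value it finds. The two HTML samples are constructed. In older themes the tag sits in header.php as `bloginfo('version')`; in themes that leave it to WordPress, the usual removal is `remove_action('wp_head', 'wp_generator');` in the theme’s functions.php.

```python
"""Find version-revealing generator meta tags in saved HTML (added example)."""
from html.parser import HTMLParser


class GeneratorTagFinder(HTMLParser):
    """Collects the content of every <meta name="generator" ...> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        # Self-closing <meta ... /> also arrives here via handle_startendtag.
        if tag != "meta":
            return
        attributes = {k.lower(): v for k, v in attrs if v is not None}
        if attributes.get("name", "").lower() == "generator" and attributes.get("content"):
            self.generators.append(attributes["content"])


def find_generator_tags(html):
    """Return the list of generator strings a page announces (empty = nothing leaked)."""
    finder = GeneratorTagFinder()
    finder.feed(html)
    finder.close()
    return finder.generators


# Constructed sample of a front page that still carries the tag.
SAMPLE_LEAKY = """<html><head><title>My blog</title>
<meta name="generator" content="WordPress 2.5" />
<link rel="stylesheet" href="/wp-content/themes/mytheme/style.css" />
</head><body><p>...</p></body></html>"""

# The same page with the tag removed from the header.
SAMPLE_CLEAN = SAMPLE_LEAKY.replace(
    '<meta name="generator" content="WordPress 2.5" />\n', "")


if __name__ == "__main__":
    for label, page in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(label, "->", find_generator_tags(page) or "no generator tag")
```

The HTML head is not the only place the version shows up: the RSS/Atom feeds WordPress serves carry a `generator` element too, so run the same kind of check against your feed URL as well.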

Login Lockout

Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
Login Lockdown plugin

That says it all really, doesn’t it?
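To see what the description means in practice, here is the policy it states (3 failures within 5 minutes from one range locks that range for 1 hour, releasable by an administrator) implemented over a handful of constructed log lines. This is an added example, not the plugin’s own code: the log format is mine, and the plugin’s description says “IP range” without defining it, so grouping by /24 is an assumption. Note the fifth line: while a range is locked even a correct password is refused, which is exactly the “disabled for all requests from that range” behaviour, and why a lockout is a tripwire worth watching in your own logs.

```python
"""Login LockDown-style lockout policy over sample log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

MAX_FAILURES = 3                  # failures ...
WINDOW = timedelta(minutes=5)     # ... within this window ...
LOCKOUT = timedelta(hours=1)      # ... lock the range for this long

# Constructed sample log: "<ISO timestamp> <client ip> <outcome> <username>"
SAMPLE_LOG = """\
2008-04-26T01:00:00 203.0.113.7 FAIL admin
2008-04-26T01:01:30 203.0.113.7 FAIL admin
2008-04-26T01:02:00 203.0.113.9 FAIL admin
2008-04-26T01:10:00 198.51.100.4 FAIL editor
2008-04-26T01:30:00 203.0.113.7 OK admin
2008-04-26T02:30:00 203.0.113.7 FAIL admin
2008-04-26T02:31:00 203.0.113.7 FAIL admin
"""


def ip_range(ip):
    """Assumption: a 'range' is the /24 block the address sits in."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(list)   # range -> timestamps of recent failures
        self.locked_until = {}              # range -> datetime the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip_range(ip))
        return until is not None and now < until

    def record(self, ip, outcome, now):
        """Feed one login event. Returns 'locked' (refused, lock in force),
        'lockout' (this failure tripped a new lock) or 'allowed'."""
        rng = ip_range(ip)
        if self.is_locked(ip, now):
            return "locked"
        if outcome == "OK":
            return "allowed"
        recent = [t for t in self.failures[rng] if now - t <= WINDOW]
        recent.append(now)
        self.failures[rng] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[rng] = now + LOCKOUT
            self.failures[rng] = []     # start clean once the lock expires
            return "lockout"
        return "allowed"

    def release(self, ip):
        """The administrator's manual release from the Options panel."""
        self.locked_until.pop(ip_range(ip), None)


def replay(log_text):
    """Run the policy over a log; returns (timestamp, ip, decision) per line."""
    guard = LoginGuard()
    decisions = []
    for line in log_text.splitlines():
        ts, ip, outcome, _user = line.split()
        decisions.append((ts, ip, guard.record(ip, outcome, datetime.fromisoformat(ts))))
    return decisions


if __name__ == "__main__":
    for ts, ip, decision in replay(SAMPLE_LOG):
        print(ts, ip.ljust(14), decision)
```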

Directory Listings

By default anybody can access your plugins folder by going to www.yourblog.com/wp-// and viewing every plugin that you currently have installed. By either including a blank html file in your // directory or switching off directory listings via your cPanel, users will not be able to view these folders and files, and possibly any security risks that they have.

Don’t use FTP

Use SSH/Shell Access instead. It’s possibly not the easiest thing to do in the world but it’s one of the best moves you can make. If you can, disable FTP completely.

If you’ve got anything else to add, please feel free to leave a comment.

Forgotten?

Nope, not forgotten about being I’ve just not had a minute to think for myself over the past week or so. It doesn’t look like much has been going on anyway!

In case you hadn’t noticed there’s a new theme up - it’s based on the previous theme since I loved that one so much and I’m still working on wee bits here and there but I love it so much I had to make it live. I’ve also had a bit of a clean up and am fixing pages and as I type.

A better post next time, just proving that I’m still alive.

redrum|murder

So, my favourite sporting event ever is coming soon - the Grand National is at the start of April and I can’t wait for it, because every single year since I was 5 years old I’ve won betting on it. Don’t get me wrong, I didn’t personally walk into Ladbrokes and put a bet on when I was 5 - my grandad did it for me. I had the best way of picking out a winner and it still works for me now, even if it’s maybe not the best way to do it.

What did I do? I picked the jockey with the best jumper! Green with red stripes, black with orange dots…whatever jumper jumped out at me from the back of the paper I chose that horse and my grandad would go and place a bet on that horse for me. If I couldn’t find a jumper that I liked I just picked out the horse with the coolest name - who remembers “Earth Summit” and “Monty’s Pass”?

This year however, I think I might try a better way of choosing a winner.

WordPress 2.3

I’m just about to upgrade to 2.3, even although I never upgrade on release days. I trust this time. Although I’m prepared for non working .

Just remember if you’re doing the same today backup your database. Just in case!

[edit] Done! With the use of the automatic-upgrade plugin I upgraded in a few minutes. Looking good so far, the only error I can see is the footer on my dashboard theme has shifted 100px right and 30px up the way. No biggie! Oh, and my category plugin has stopped working. I didn’t like that anyway.

Me? A sweetie wife?

Everybody loves a good gossip, whether it’s about the next-door neighbour’s nightly visits from a strange young man (ie.. my happily-married-mother-of-5 neighbour!!!) or the latest scandal about Britney’s custody battle. It’s human nature, really. Hell, I know that I’ve spread gossip on my blogs before… mostly about celebrities and their scandalous lives mind you, not about my neighbours. Don’t think that’d go down too well if they ever found my website. When I come to think about it, every single magazine that I read is full of celebrity gossip.

That’s why I can’t wait to see the new show from the creator of The OC, Gossip Girl on The CW. It premieres tonight in the USA so I’ll probably need to wait forever to see it over here in . Still, it looks awesome; it’s based on the books of the same name and is about extra-privileged teenagers who live in Manhattan’s Upper East Side. They find out that the local party girl is back in town via the blog of an unknown, going by the name of ‘Gossip Girl’. She relays all the town’s gossip via her blog, where everybody logs on to find out who’s fallen out with who and who’s asking who out!!

Sounds like an awesome idea for a blog, it’d be cool to find one based on my town…as long as I was never mentioned!

I got love for you

Since it’s the middle of the month, it’s time for my oh-so-awesome playlist suggestions. If you’ve missed this before on either of my other blogs (hell, you think I’m giving out the ? Go find them!) it’s simply me posting my top songs that I’ve been listening to this month with a short reason why I think you should check them out. They could be old songs, new songs, album songs, b-sides. Whatever. I love my and I love sharing.

Oh-So-Awesome Playlist August 2007

Calvin Harris - Acceptable in the 80’s
This song is wonderfully electro and..well, 80s. I have a liking for Calvin Harris just because he’s also Scottish but man that guy makes good . He’s been linked with Kylie Minogue, so that just shows how good he is in bed at making.
Acceptable In The 80’s is a feel good dancing song, guaranteed to get you up on the dance floor! Written and produced by Harris, before he slapped in to BMG Records to stick their name to it, it’s proof that there are still great musicians out there in the chaos of manufactured bands who all bring out the same sort of tracks. A definite Friday night song.

Mika - Big Girl (You Are Beautiful)
I don’t care what anybody says, when a Mika song comes on you sing along, even if you don’t like him. This has to be my favourite Mika song by miles. Don’t ask me why, it’s probably because it’s not old enough to be as overplayed as ‘Grace Kelly’ or ‘Love Today’. It’s a real feel-good song, and not just for ‘big girls’. At last, a famous person who embraces the non-size 0 world - even if he is as skinny as a lolly pop!

Rihanna - Umbrella (Sensation White version)
Again, I don’t like Sensation White (dance festival-thingy) but this version of Umbrella is the best one that I’ve heard. Somehow, making the ‘Ella, ella, ella’ bit last long works bloody well and gets your feet tapping. Dude, if you only listen to one other version of ‘Umbrella’, make it this one.

Reverend & the Makers - He Said He Loved Me
Classic Brit-Indie. I was convinced the first time that I heard this song that it was somehow related to Franz Ferdinand. Alas, no. Reverend is from Sheffield, England, and is actually boringly called Jon McClure. I can’t explain this song very well, you’ll just have to listen to it. Especially if you like Franz Ferdinand, Arctic Monkeys or any other Brit-Indie band.

Newton Faulkner - People Should Smile More
If you haven’t heard of Newton Faulkner, what rock have you been under? Granted, his music may be a bit folky, but it’s amazing. This is my favourite song off his album because it reminds me of an advert for ‘Orange’ mobile phones. Total chill-out music. Great for Sunday mornings.

Groove Armada ft Mutya Buena - Song for Mutya
Ex-Sugababes stunner, Mutya Buena, has teamed up with Groove Armada to come up with one of the best songs of the summer. Question is, is the song directed at the Sugababes or an ex-boyfriend? Great for the pop-lover you know you really are.

Have I missed a great song? What have you been listening to this month?

I’ve just swapped computers with my mother, since mine just doesn’t have enough hard drive space and she was sitting with a 400GB hard drive and all she does is check her emails and play Scrabble.

Once I’d swapped them over I realized that the computer that I’m now using was running slower than a donkey trekking along Blackpool Promenade. Not good. On my quest to fine-tune this lovely piece of Compaq crap hardware I found some really great tools and tips for decluttering and optimizing your PC. By doing all of these, I got a massive 7.9GB ‘extra’ on my hard drive and increased my computer’s performance by 11%. It took me less than an hour.

  1. Empty your Recycle Bin.
  2. Clear your internet history and cached pages. Remember to save any addresses you require to your bookmarks and/or del.icio.us first! When I did this I cleared nearly 1GB of data.
  3. Delete temporary files. This can be done via ‘C:\Documents and Settings\Default User\Local Settings\Temp’ or your computer’s ‘Disk Cleanup’ program. Again, when I did this I removed 1.79GB of data.
  4. Uninstall any programs you no longer use, any trial software which has run out of free time, for FireFox that you no longer use… any piece of software you’ve not used in the past month can probably be uninstalled to free up some hard drive space.
  5. Defragment your hard drives. I aim to do this at least once a month, as well as checking my disks for errors using Auslogics Disk Defrag, which I downloaded from download.com.
  6. Go through your My Documents with a fine tooth comb and delete anything you no longer require or use. I had hundreds of folders full of half-finished .psds and notepad files full of random bits of information which I couldn’t remember why I’d saved it… I also sorted my My Documents folder into an easier to manage hierarchy, with separate folders for Web Design, Open Office documents, Coursework and Random Stuff
  7. I can now see my desktop again, since I deleted all but the essentials (My Computer, My Documents, shortcuts to PhotoShop, FireFox and Opera) from the desktop. Takes seconds, makes you feel a whole lot better.
  8. If all else fails, look out your OS reinstall disk and start again!

Automatic Updates

Up until about half an hour ago I was running 2.0. *shock* I hear you gasp. Why hadn’t I updated to the newest version of WP? Two simple reasons, really.

  1. I wanted to wait until a more stable version of 2.2 was released, to save having to update again a week, month, whatever after release; and
  2. I’ve had bad experiences with upgrading various other CMSs in the past, and didn’t fancy either losing everything or spending ages backing up all my databases.

To be honest though, there’s only one reason that I’ve updated tonight: the WordPress Automatic Update Plugin. I found it via a quick Google search for another plugin I was looking for and liked the blurb:

Automatic Upgrade Plugin saves you all the headaches and efforts while upgrading your installation. Here is what the Automatic Upgrade does.

1. Backs up the files and makes available a link to download it.
2. Backs up the database and makes available a link to download it.
3. Downloads the latest files from http://.org/latest.zip and unzips it.
4. Puts the in maintenance mode.
5. De-activates all active and remembers it.
6. Upgrades files.
7. Gives you a link to run the database upgrade.
8. Re-activates the .
9. Gives you a link to clean up the installation after completion.
10. Shows you the upgrade log.

You can also run the Automatic version which will run all the processes automatically.

This plugin will let you upgrade from any version to the latest version provided by . I have tested the plugin with version 1.5+.

Within ten minutes I’d downloaded the plugin, uploaded it, backed up my entire database and upgraded to version 2.2.1. It really was that easy! I’ve not lost a single byte of data, with the only issue being that some of my didn’t re-activate themselves but that wasn’t much of a hassle to do myself.

A brilliant plugin, everybody should install it!
