Hello there!

Welcome to AshesFromStars.com, the personal blog and website of Melissa Gray, a 22 year old web designer from Glasgow, Scotland who has been blogging for around half her life. Along with web design, music makes her happy, as do Java Chip Frappes and chocolate cookies. She also makes and sells her own jewellery. Would you like to read more about Melissa?

Blog Entries



Themed

Finally I’ve settled on a theme for the site, which is exactly what I was aiming for but couldn’t get it right myself. All hail Tarski.

Insomniatic Tendencies

When it gets to this time on a work night (2.41am) and I’m still awake I know there is no point trying to get some sleep in before I need to get up for work. I’ll feel worse after just 3 hours sleep than if I just stay awake and drink some coffee before heading out the door.

So, what can I do for three hours instead of sleeping? I’ve re-tagged every single music file on my computer and hard drives, I’ve synced my iPod with the updates and now I’m at a loss. There’s not much happening on the message boards that I frequent and StumbleUpon is getting a bit repetitive.

How can I have the world at my fingertips and be so damn bored?

Wordpress Security

Last night I found out the hard way why WordPress security is so important. My site got hacked/hijacked and the result was that every single internal link auto-forwarded to a porn site that tried to install toolbars, trojans, the lot.

I know that this has happened to at least one other blog that I visit, and probably lots more. The reasoning is probably down to insecure file permissions within the WordPress files on my server. (Possibly something to do with the fact that WordPress have released version 2.5.1 with ultra important security fixes?)

So after deleting everything from the server and installing WordPress afresh (which of course came with its own problems of trying to remember all the plugins that I had installed etc.) and importing a backup, I took control of my blog again.

But it got me thinking. I’ve been online for half my life. I’ve had a website of some description for a decade. I should know about and implement security features. I shouldn’t have had to find out the hard way how important it is to keep my files safe from attack.

I’ve compiled a list of all the steps that you should take to protect your WordPress installation from malicious hijacking; after all, I’ve been researching it for the past couple of hours to make sure that it never happens again.

File Permissions

Probably the biggest one on the list, and the one that can cause the most problems if you’re used to editing themes and plugins through the WordPress dashboard, because the dashboard editor only works when the web server is allowed to write to your theme files.

None of your files or folders should be set to 777 (read, write and execute for everyone on the server, which on shared hosting means every other customer’s scripts too). The usual safe values are 755 for folders and 644 for files, with wp-config.php tighter still if your host lets you. By using the WP Security Scan plugin you can automatically see which folders do not have the correct permissions and fix them with a click. The plugin also points out any other security issues on your site. It’s an essential plugin for your site, and if you ask me it should be included with WordPress rather than Hello Dolly.
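If you’d rather do it from a shell than through a plugin, here is a small script (an added example, not from the original post or from the plugin) that lists everything world-writable under your WordPress folder and then resets folders to 755 and files to 644. The path and those two values are assumptions: 755/644 is what works on a typical shared host, and the demo function runs against a throwaway copy of a WordPress-like tree so you can try it anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): audit and repair WordPress
# file permissions. Folders -> 755, files -> 644 (assumed safe values for a
# typical shared host; adjust if your host needs something else).

# List every file or folder under $1 that is world-writable (the "777"
# problem), one path per line, sorted so the output is stable.
find_world_writable() {
    find "$1" -perm -0002 -print | sort
}

# Reset permissions: 755 on folders, 644 on files.
fix_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Demo against a throwaway copy of a WordPress-like tree (constructed here),
# so it is safe to run anywhere. Prints "<world-writable before> <after>".
demo_fix() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/plugins" "$tmp/wp-content/uploads"
    printf '<?php // stub\n' > "$tmp/wp-config.php"
    printf '<?php // stub\n' > "$tmp/wp-content/plugins/hello.php"
    # Simulate the damage: a plugin folder, a plugin file and uploads at 777.
    chmod 777 "$tmp/wp-content/plugins" "$tmp/wp-content/plugins/hello.php" \
              "$tmp/wp-content/uploads"
    before=$(find_world_writable "$tmp" | wc -l | tr -d ' ')
    fix_wp_perms "$tmp"
    after=$(find_world_writable "$tmp" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$before $after"
}

# Real use (path is an assumption):
#   find_world_writable /home/you/public_html   # look first
#   fix_wp_perms /home/you/public_html          # then fix
```

Look at the listing before you fix anything. If the dashboard theme editor stops working afterwards, that is exactly the trade-off described above; edit the files over SFTP instead. If your host runs PHP as your own user rather than as the web server, wp-config.php can go tighter still (600).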

User - Admin

Your default user in WordPress is more than likely ‘admin’. The same goes for the thousands of other WordPress blogs out there, so an attacker already has half of your login before they start guessing. The obvious answer is to delete the user ‘admin’, but WordPress won’t let you delete the account you are logged in with, so what can you do about it?

This is where phpMyAdmin comes in to play. Don’t worry too much if you’ve never used it before, it’s quite simple as long as you follow these steps.

  1. Log into phpMyAdmin through your cPanel and pick your WordPress database.
  2. On the left hand side of the window you’ll see a list of tables like wp_options and wp_users (the wp_ prefix may be different if you set it to a different value when you installed WordPress).
  3. Click on wp_users, then select ‘Browse’ from the tabs at the top of the page. This shows the table with all of your registered users’ details.
  4. Click the little pencil (Edit) next to the row whose user_login is admin.
  5. Change user_login to a name of your choice. Change user_nicename as well, because it is what appears in your author archive URL (/author/admin/) and would otherwise give the new login away, and check that display_name isn’t the login either.
  6. Press Go at the bottom of the screen. Your current WordPress login cookie is tied to the old name, so expect to be logged out; log back in with the new name and your existing password.
  7. That’s it - you’re done. The user ‘admin’ no longer exists.
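For anyone more comfortable with a terminal than with phpMyAdmin, the following script (added here, not part of the original post) writes the single UPDATE statement that the steps above perform by hand, fixing user_nicename and display_name at the same time so the old login does not survive in your author URL. The table prefix wp_, the new login name and the mysql command line are assumptions; read the printed statement before piping it anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): build the UPDATE that renames
# the 'admin' account, so it can be reviewed and then piped into the mysql
# client. Prefix "wp_" and the names passed in are assumptions.

# Approximate the lowercase, hyphenated slug WordPress stores in
# user_nicename (and shows in /author/<slug>/ URLs): underscores survive,
# anything else non-alphanumeric becomes a hyphen.
slugify() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -cs 'a-z0-9_' '-' | sed 's/^-//; s/-$//'
}

# Double any single quote so the value is safe inside an SQL string literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# rename_admin_sql NEW_LOGIN [DISPLAY_NAME] [TABLE_PREFIX]
# Prints the statement. Refuses 'admin' itself and any login outside a
# conservative subset of the characters WordPress accepts.
rename_admin_sql() {
    new_login=$1
    display=${2:-$1}
    prefix=${3:-wp_}
    case $new_login in
        ''|admin|*[!A-Za-z0-9_.@-]*)
            echo "rename_admin_sql: refusing login '$new_login'" >&2
            return 1 ;;
    esac
    printf "UPDATE %susers SET user_login = '%s', user_nicename = '%s', display_name = '%s' WHERE user_login = 'admin';\n" \
        "$prefix" "$(sql_quote "$new_login")" "$(slugify "$new_login")" "$(sql_quote "$display")"
}

# Usage (the mysql call is shown, not executed here; DBUSER/DBNAME are
# placeholders for your own):
#   rename_admin_sql mgray_editor 'Melissa' | mysql -u DBUSER -p DBNAME
```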

robots.txt

The robots.txt file on your server gives instructions to search engine robots (like Googlebot). Remember, however, that not all robots play by the book; some will completely ignore your robots.txt file, so this is not a security control, just a way of keeping your WordPress folders out of search results and out of the kind of search an attacker runs to find blogs to hit. Add the following to yours to stop all of your wp- folders being indexed. Disallow is a prefix match, so no wildcard is needed. Note that it also covers /wp-content/uploads/, so your images will drop out of image search; if you want those indexed, list /wp-admin/ and /wp-includes/ instead.
User-agent: *
Disallow: /wp-

Passwords

Ok, this one’s a given. We all know that passwords should be long and contain numbers, letters and symbols, but that’s hard to remember. Still, the number of people who use the word ‘password’ as their password is incredible, and again it’s not that hard to guess, is it? Remember the MySpace password exploit? It threw up some interesting data on how people pick passwords, including the word ‘password’.

The two rules worth remembering: keep your FTP and WordPress passwords completely different (if one is stolen, the other should still hold), and don’t build a password out of things people can look up about you. An acronym of your and your partner’s names plus your anniversary date is exactly the kind of thing your profile page gives away. Use a random password generator instead, and let your browser or a password manager remember it for you.

WordPress version

Ok, so the geeks among us get excited when a new version of WordPress is in the pipeline and upgrade straight away, while others wait a few weeks to make sure any problems have been ironed out. It may be personal choice, but upgrading promptly also protects your blog, because most releases include security fixes, and once a fix is public everyone knows what the old version was vulnerable to. Take a backup of your files and database first, then try the WordPress Automatic Upgrade plugin to make upgrading your installation easy as pie.

Similarly, publishing what version of WordPress you are running is a danger in itself: it tells an attacker which known holes to try. You probably won’t realise that you’re letting the whole world know until you check your page source. If there’s a meta tag showing which version of WordPress you’re running, remove it from your theme’s header.php (in 2.5 and later WordPress also adds it through the wp_generator action, which a line in your theme’s functions.php can unhook). Two other places give the version away: the generator element in your RSS feed, and the readme.html file in your WordPress root, which you can simply delete.
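To check whether you have actually stopped advertising your version, here is an added example (not from the original post) that extracts the WordPress version from two of the places it is printed: the generator meta tag in your page head and the generator element in your RSS feed. The page and feed snippets are constructed samples standing in for `curl -s http://yourblog/` and `curl -s http://yourblog/feed/`.

```shell
#!/bin/sh
# Added example (not from the original post): find the WordPress version a
# page or feed advertises. Samples below are constructed, not real output.

SAMPLE_PAGE='<html><head>
<meta name="generator" content="WordPress 2.5.1" />
<title>Ashes From Stars</title>
</head><body></body></html>'

SAMPLE_FEED='<?xml version="1.0"?>
<rss version="2.0"><channel>
<generator>http://wordpress.org/?v=2.5.1</generator>
</channel></rss>'

# wp_version_leak: reads HTML or RSS on stdin and prints each version it
# finds, one per line, or nothing if the page is clean. Handles both the
# <meta name="generator"> tag and the feed's <generator> element.
wp_version_leak() {
    sed -n \
        -e 's/.*<meta name="generator" content="WordPress \([0-9][0-9.]*\)".*/\1/p' \
        -e 's/.*<generator>http:\/\/wordpress\.org\/?v=\([0-9][0-9.]*\)<\/generator>.*/\1/p'
}

# Wrappers over the constructed samples; the third shows a page with the
# tag removed, which is what you want to see after editing your theme.
page_version()       { printf '%s\n' "$SAMPLE_PAGE" | wp_version_leak; }
feed_version()       { printf '%s\n' "$SAMPLE_FEED" | wp_version_leak; }
clean_page_version() { printf '%s\n' "$SAMPLE_PAGE" | grep -v generator | wp_version_leak; }

# Real use (URL is a placeholder):
#   curl -s http://yourblog/ | wp_version_leak
#   curl -s http://yourblog/feed/ | wp_version_leak
```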

Login Lockout

Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
Login Lockdown plugin

That says it all really, doesn’t it?
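Without the plugin, you can still spot the same pattern in your web server’s access log. Below is an added example (not from the original post or from the plugin) that counts failed logins per source. It relies on one WordPress behaviour: a failed login re-renders wp-login.php with HTTP 200, while a successful one redirects (302) to wp-admin. The log lines are constructed, the threshold of 3 is taken from the plugin’s default, and the optional per-/24 grouping mirrors the plugin’s ‘IP range’ lockout.

```shell
#!/bin/sh
# Added example (not from the original post): brute-force detection over an
# Apache combined-format access log. Heuristic: "POST /wp-login.php" that
# returns 200 is a failed login (success redirects with 302).

# Constructed log lines, not real traffic. 203.0.113.7 fails four times,
# 203.0.113.8 (same /24) twice, 198.51.100.20 logs in fine, 192.0.2.9 once.
SAMPLE_LOG='203.0.113.7 - - [12/May/2008:02:41:01 +0100] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
203.0.113.7 - - [12/May/2008:02:41:03 +0100] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
203.0.113.8 - - [12/May/2008:02:41:04 +0100] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
203.0.113.7 - - [12/May/2008:02:41:05 +0100] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
203.0.113.8 - - [12/May/2008:02:41:07 +0100] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
203.0.113.7 - - [12/May/2008:02:41:08 +0100] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
198.51.100.20 - - [12/May/2008:02:42:10 +0100] "GET /wp-login.php HTTP/1.1" 200 1490 "-" "Mozilla/5.0"
198.51.100.20 - - [12/May/2008:02:42:15 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/May/2008:02:43:00 +0100] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "curl/7.18"'

# failed_logins [THRESHOLD] [BYNET]: reads a log on stdin and prints
# "<failures> <source>" for every source at or above THRESHOLD (default 3),
# worst first. With BYNET=1 the source is the /24 block, like the plugin's
# "IP range" lockout, so an attacker hopping addresses still shows up.
failed_logins() {
    awk -v t="${1:-3}" -v bynet="${2:-0}" '
        $6 ~ /^"POST$/ && $7 ~ /^\/wp-login\.php/ && $9 == 200 {
            key = $1
            if (bynet) { split($1, o, "."); key = o[1] "." o[2] "." o[3] ".0/24" }
            fail[key]++
        }
        END { for (k in fail) if (fail[k] >= t) print fail[k], k }
    ' | sort -rn
}

# Run the detector over the constructed sample, per IP and per /24.
demo_failed_logins()     { printf '%s\n' "$SAMPLE_LOG" | failed_logins 3; }
demo_failed_logins_net() { printf '%s\n' "$SAMPLE_LOG" | failed_logins 3 1; }

# Real use (log path is an assumption):
#   failed_logins 3 < /var/log/apache2/access.log
```

The per-IP view flags 203.0.113.7 alone; the per-/24 view adds the two attempts from 203.0.113.8 and reports the block with six. The plugin also limits the window to five minutes; to do the same here, feed it only the tail of the log (for example the lines since the last run) rather than the whole file.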

Directory Listings

If your server has directory listings switched on and a folder has no index file, anybody can go to www.yourblog.com/wp-content/plugins/ and see every plugin you currently have installed, which tells an attacker exactly which plugins to look for known holes in. Either drop a blank index.html (or index.php) file into each folder, or switch directory listings off through your cPanel, and those folders and files will no longer be browsable.
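An added example (not from the original post) that does both of the fixes above from a shell: it appends Options -Indexes to the site’s .htaccess and drops a placeholder index.php into the wp-content folders, the same ‘Silence is golden’ trick WordPress itself uses for wp-content. The folder list and the path are assumptions, and the demo runs on a throwaway tree.

```shell
#!/bin/sh
# Added example (not from the original post): switch off directory listings
# for a WordPress install. Folder list and paths are assumptions.

harden_dir_listing() {
    root=$1
    # Apache: refuse to generate listings anywhere under this tree.
    # Idempotent, so re-running does not stack duplicate lines.
    if ! grep -qs '^Options -Indexes' "$root/.htaccess"; then
        printf 'Options -Indexes\n' >> "$root/.htaccess"
    fi
    # Belt and braces (works even if the host ignores Options in .htaccess):
    # with an index file present there is nothing to list.
    for d in "$root/wp-content" "$root/wp-content/plugins" \
             "$root/wp-content/themes" "$root/wp-content/uploads"; do
        if [ -d "$d" ] && [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
            printf '<?php\n// Silence is golden.\n' > "$d/index.php"
        fi
    done
}

# Demo on a constructed throwaway tree. Runs the hardening twice and prints
# "<Options lines in .htaccess> <index.php files>" to show it is safe to
# repeat: expect exactly one Options line and one index per existing folder.
demo_harden() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/plugins" "$tmp/wp-content/themes"
    harden_dir_listing "$tmp"
    harden_dir_listing "$tmp"
    opts=$(grep -c '^Options -Indexes' "$tmp/.htaccess")
    idx=$(find "$tmp" -name index.php | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$opts $idx"
}

# Real use (path is an assumption):
#   harden_dir_listing /home/you/public_html
```

If your site starts returning a 500 error after this, the host does not allow Options in .htaccess; remove that line and rely on the index files, which need no server configuration at all.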

Don’t use FTP

Use SSH/shell access (SFTP or SCP) instead. Plain FTP sends your username and password across the network unencrypted, so anyone on the path between you and your server can read them; SFTP does the same job inside an SSH connection. It’s possibly not the easiest thing in the world to set up, and not every shared host offers it, but it’s one of the best moves you can make, and most FTP clients already speak SFTP. If you can, disable FTP on the account completely.

If you’ve got anything else to add, please feel free to leave a comment.

Site updates

Since I’ve got the week off from work I’m trying to iron out every last little irk that I have with this site, including editing the theme to this darker version. I’ve always been drawn to dark themes but never usually put them on my site, but I quite like what I’ve done with this one.

I’ve also got some content to upload that’s been sitting about on my external hard drive for months. All I need to do is update it where needed and fix any mistakes before I add them to the site.

I keep getting distracted watching The Tudors though, so it might take me a while to finish.

[EDIT] Added a guestbook, how retro of me!

Automatic Updates

Up until about half an hour ago I was running WordPress 2.0. *shock* I hear you gasp. Why hadn’t I updated to the newest version of WP? Two simple reasons, really.

  1. I wanted to wait until a more stable version of 2.2 was released to save having to update again a week, month, whatever after release, and;
  2. I’ve had bad experiences with upgrading various other CMSs in the past, and didn’t fancy either losing everything or spending ages backing up all my databases.

To be honest though, there’s only one reason that I’ve updated tonight. WordPress Automatic Update Plugin. I found it via a quick Google search for another plugin I was looking for and liked the blurb:

Wordpress Automatic Upgrade Plugin saves you all the headaches and efforts while upgrading your wordpress installation. Here is what the Wordpress Automatic Upgrade does.

1. Backs up the files and makes available a link to download it.
2. Backs up the database and makes available a link to download it.
3. Downloads the latest files from http://wordpress.org/latest.zip and unzips it.
4. Puts the site in maintenance mode.
5. De-activates all active plugins and remembers it.
6. Upgrades wordpress files.
7. Gives you a link to run the database upgrade.
8. Re-activates the plugins.
9. Gives you a link to clean up the installation after completion.
10. Shows you the upgrade log.

You can also run the Automatic version which will run all the processes automatically.

This plugin will let you upgrade from any version to the latest version provided by Wordpress. I have tested the plugin with version 1.5+.

Within ten minutes I’d downloaded the plugin, uploaded it, backed up my entire database and upgraded to version 2.2.1. It really was that easy! I’ve not lost a single byte of data, with the only issue being that some of my plugins didn’t re-activate themselves but that wasn’t much of a hassle to do myself.

A brilliant plugin, everybody should install it!

Storage Problems?

For most of the weekend (when I’ve not been reading), I’ve been working on this site a lot, in case you hadn’t noticed. There’s a new layout, some new content and I’ve deleted some stuff too. Since I’ve been at the boyfriend’s all weekend (I work when he’s sleeping, I’ve gotten it down to surviving on about 4hrs sleep a night these days), everything that I’d done was saved to his computer which I obviously can’t access when I’m at home on the other side of town.

As I didn’t have my external HDD with me, there were only two ways that I could make sure I could use the files that I’d created over the course of the weekend - ZIP them like nobody’s business and email them to myself, thus taking time and effort on my part. Plus, I wasn’t too sure if I’d have enough room in my email inbox for this to work. The second way of getting the files was using an online storage facility, like IBackup. I’m currently trying them out on their free 15 day trial, but so far the service they offer has been great so I’ll probably go with their 5GB per month for $9.99 price plan. Since I have bad experience with laptops and drives dying on me, knowing that I have a backup online of all my important documents and files is worth the small price!

Within about 10 minutes I’d uploaded the files to their server via a really easy to use program, knowing that I could access my files from home and download them to my laptop here. Since I’ve gotten home I’ve uploaded a bunch of important files that I really cannot afford to lose if my laptop drives ever decide to die (ie my CV, a collective list of all the CDs I own (starting from 11 years ago - trust me I don’t want to lose this!), a list of business contacts I’ve made through web designing and a bunch of other stuff.) I love the fact that you can organize a backup of selected files to automatically happen - it means I can backup important files once a week without having to remember to do it, which is a must when I’m working on new projects!

So now I’m sitting here, instead of sleeping, working on more updates for the site - which I wouldn’t have been able to do without online storage solutions! I’d recommend this to anyone who wants to keep backups of important files.

So I opened up my dashboard

…and decided to work on the site. It’s amazing what only having access to the internet on the weekends does to me. I forget about this place and concentrate on my Bebo or something because it’s easier to keep in touch with people.

To be quite honest I haven’t been up to much recently, working mostly. I feel that it’s dragging me down because I take my job too seriously and I’m stressed to my eyeballs at the moment. So much going on which I can’t really talk about - but my mum’s not talking to me and I’d give anything to move out again.

I’m doing some updates around this place today while the boy’s watching Tank Overhaul on UKTV History. He’s such a WWII geek! I hope he realises that I’ll be changing the channel at 7pm when Who’s on. One more week and Cptn. Jack’s back….

Oh and best news ever - StarBucks is coming to East Kilbride! No more having to go into town for a frappe, yas!

Updates

So, I’ve been a bit busy between work and designing. God I forgot how much I adore coding. I’ve added a few things here and there, most noticeably the Get Reviewed section since I have such an obsession with reviewing websites.

I also realised that IE hates my themes. Uh, dude, how did that happen? I’m gonna sort it all out over the course of the next few hours, as well as reply to all the comments made here.

Oh, and am I the only one diggin’ Britney’s shaved head?? I think it looks sort of cool. Okay it was a cry for help (apparently) but she has proved time and time again that she doesn’t care what people say or think about her and to be honest it looks better than that scraggly trailer trash extension thing she had going on!
