WordPress Configuration for Security

WordPress security is important. Because of WordPress’ popularity, because it IS A GREAT PRODUCT, it is also targeted more than any other CMS on the web.

What to do? Let’s keep it simple and look at three easy things you can do in less than 5 minutes to increase your security.

  1. Install Jetpack from WordPress https://wordpress.org/plugins/jetpack/ and then remove all of the other individual plugins that overlap with the functionality of Jetpack.
  2. Make sure your wordpress site is set to automatically update to the latest version
  3. DELETE any non-active plug-in and any non-active theme from your site.
secure your wordpress site
3 easy things to secure your wordpress site

To up your game a bit I would add a few more items as “highly recommended”

  1. Test your site now with Securi’s free scanner https://sitecheck.sucuri.net/ and maybe consider purchasing one of their security plans https://sucuri.net/website-antivirus/signup
  2. Install an SSL certificate on your web site. These can be purchased from a number of sources like godaddy, free but short lived ones are available from letsencrypt. Or you can get really serious about it and work with a security professional like my friend Jason Palmer http://www.jasonpalmer.com/ .

Data on why you need to secure your site from the Securi blog at https://sucuri.net/website-security/website-hacked-report . Some graphical excerpts below:

securi-website-hack-report-q1-2016

not-patching-causes-most-infections

Security starts with the basics – use good passwords, use muti-factor authentication, keep your software up to date and have a plan in place to restore backups.

block wordpress page comment spammers

Over the last week the linkback spammers of the universe have started targeting pages on this blog as well as a few friends blogs. So, here is how to stop comment spam on wordpress blog pages.

The issue – many themes don’t have an option to turn off comments on the edit page for “pages” in wordpress. But, using “quick edit” you can turn off comments for a given page. Thus to disable comments on pages you need to:

  1. Log into the admin interface
  2. Select “Pages” from the left hand menu
  3. Hover over the pages shown and select “Quick Edit”
  4. Clear the checkbox on the right hand side the says “Allow Comments” for each page on your site.
  5. Click “Update” to save your changes.

I suppose this is a bigger issue for people using WordPress “Pages” as their CMS rather than as a traditional blog. As for this blog, it required editing just a few pages to turn comments off. Hassle gone.

#goodLuck! #fightTheCommentSpammers

Source: https://wordpress.org/support/topic/disable-comments-on-pages-1

Adding eBook epub and mobi downloads to WordPress

A few technical notes if you want to add ebooks (.epub and .mobi file formats) downloads to your wordpress site. We encountered three obstacles, file size, upload restrictions and file association. Here are the solutions.

WordPress File Size Limits are Too Low

WordPress by default only allows 2 meg uploads and only of particular file types. Unfortunately .epub and .mobi are not among the default file types that are allowed by WordPress.

First the bad news – if you want to increase the allowed file sizes for uploads you have to modify the php.ini file. Depending on your hosting provider this may or may not be easy. See Bill Erickson’s post on increasing allowed file uploads in WordPress.

File Types That can be uploaded in WordPress

Hopefully this will change, but currently .mobi and .epub are obscure. So you have to configure WordPress to allow them on most hosting providers.

We are running the WordPress Thesis theme on this particular site so the solution to add file types for upload was found here and is abbreviated below.

In the Thesis custom_functions.php file add this php code using the WordPress editor. But don’t make a typo as after that you would have to FTP in to fix it. Hypothetically speaking. Here is the function modified from the link above.

function addUploadMimes($mimes) {
    $mimes = array_merge($mimes, array(
        'epub|mobi' => 'application/octet-stream'
    ));
    return $mimes;
}
add_filter('upload_mimes', 'addUploadMimes');

The above example only includes the .epub and .mobi examples, but if you want more just pipe-filetype further where the code says ‘epub|mobi’.

Change the Content-Type for epub Files Served by Apache and WordPress

All fixed, right? Not so fast. WordPress serves unknown files with the content-type of “Content-Type text/plain” in the HTTP header. You can see this using the excellent long-lasting Rex Swain HTTP viewer.

The problem is that while Windows handles the misidentified .epub files fine, Macs freak out and show you the binary. You click it on a Mac and see garbage. Not cool. Must fix.

I found this post in the WebFaction support on adding epub to the .htaccess file to change content-type by file extension. A bit of modification and I found adding this to the application root .htaccess file did the trick

AddType application/epub+zip .epub
AddType application/x-mobipocket-ebook .mobi

A word of caution – BE CAREFUL WITH YOUR HTACCESS file! It probably already exists so be sure to download-backup-modify-upload-via-ssh for maximum security. Or really sFTP is plenty secure as well.

Other epub and mobi pit-falls to look out for

The ePub must be strictly validated. it is really a Zip compressed directory with it’s own MIME type specification. And XML that must be valid. Google “epub validation” if the above list did not solve your problem and go from there.