1. Keeping Up to Date
Like any software, WordPress is constantly being improved—more features, more efficient code, increased security, and so on—as are themes and plugins. Not having an up-to-date WordPress installation is a common cause of malfunctions and one of the key reasons sites get hacked. You must keep everything up to date. Fortunately, updating is a simple task. In addition to that, you can maintain your WordPress site to keep it running smoothly in other ways.
1.1. Updating WordPress
Following are two types of updates for WordPress:
- Automatic minor updates, for example, 4.0 to 4.0.1
- Major version manual updates, for example, 3.9 to 4.0
The minor updates are for security and minor functionality fixes, whereas the major version updates have key new features, along with some security fixes. As the name suggests, the automatic updates occur without any need for action on your part.
WordPress is clear about the availability of major updates or minor updates that for various reasons cannot be automatically applied. A warning message with a link to perform the update displays at the top of every admin screen until the update is completed, as shown in Figure 32-1.
FIGURE 32-1
If you’re logged in as any role other than Administrator, the message tells you to notify your administrator of the update. Also, an Update button appears on the Dashboard if there’s an update available—displayed next to the name of the version you’re running.
For automated updates, the administrative e-mail is sent a notification that the update has taken place.
1.1.1. Automated Updates
At one time, all updates for WordPress had to be done manually. To make life easier for users, and to ensure that minor updates were applied (they often involve security fixes), WordPress decided to automate non-major updates.
It was also possible to automate these updates between major new releases because they rarely involve changes that could affect plugins or themes. Nevertheless, you always need a regular backup routine in place just in case something negative happens because of any update.
Although WordPress has tried to make its automated updates work on as many server configurations as possible, there may be some situations in which they do not work. In that case, your admin screen can show a message saying an update is available and you need to do it manually.
You can also turn off automatic updates if you prefer to do them manually. Some plugins for that purpose are mentioned at the end of the lesson.
1.1.2. Major Version Updates
When WordPress undergoes significant changes, the update is not automatically applied, but the process is still extremely simple: You press a button.
The trick is to do a full backup of your files and your database prior to pressing the button, and WordPress reminds you of this. Unless your regular backup routine happens to have fallen on the day of the update, you should do a special backup so that you have a snapshot of your site at the moment before the update.
The reason for the caution is that there is a slight chance of something going wrong during a major update. Out of literally thousands of updates to hundreds of site clients over 7 years, I can count on one hand the number of times I’ve had to revert to a backup.
1.1.3. Completely Manual Update
There can be situations in which pressing the Update button does not work. You’ll probably know this already, because in the same situations you also can’t upload media files without having to enter your hosting account information.
If your hosting company won’t fix this problem with file ownership and you haven’t bothered to find a new hosting company that will, then you have to do a fully manual update of WordPress.
There isn’t enough room here to go into the details of a manual update because there are a lot of variables. WordPress.org has a handy three-step manual updating process (http://codex.wordpress.org/Upgrading_WordPress), but even with that, it warns you that you may need even more details on its extended upgrade instructions page (http://codex.wordpress.org/Upgrading_WordPress_Extended).
1.1.4. Troubleshooting WordPress Updates
As mentioned, it’s rare for there to be problems even during major updates, but if you do encounter them, they fall into three main groups:
- WordPress loads but has error messages; weird characters appear at the top of the screen; or certain functions aren’t working.
- Your screen is white except for an error message.
- Your screen is completely blank (white screen of death).
In most of these cases, a plugin is clashing with WordPress. What you should do depends on the state of your screen.
If you can access the WordPress admin screen, the first thing to do is deactivate all your plugins. If you don’t have a lot of them, you can try re-activating them one at a time until you find the culprit.
If you have a lot of plugins, first try activating one-half of them. If you’re still running fine, activate the other one-half. When you know which half caused the problem, you can start deactivating that half one at a time until the site works properly.
If you can’t access the admin screen, but you have an error message, there may be a clue in that message as to which plugin is causing the problem. In that case, you can use an FTP program to go into your plugins directory and change the name of the plugin’s folder. That will cause it to deactivate, and when you refresh the WordPress admin screen, it should be up and running.
However, often the error message relates only to a symptom and not the cause of the problem. In other words, the file mentioned in the error message is one that’s not working because of a problem somewhere else. Fortunately, if the error message doesn’t help or you have a completely blank screen, the process of checking plugins previously described can be done through your FTP program.
Through your FTP program, rename your plugin directory to something such as plugins-old, which has the effect of deactivating all the plugins. You should now have access to the backend of WordPress. Next, you create a new directory called plugins. Then, one at a time you drag a plugin’s folder from one directory to the other until you find the problem plugin.
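Here is the same halving procedure carried out by a short script instead of by hand in an FTP program. This is an added example for this lesson, not code from WordPress or from any plugin. It assumes a wp-content folder with the usual plugins directory, and a site_ok() callback that reloads the site and reports whether the admin screen works; in the demo that callback is simulated on a constructed set of plugin folders. It also assumes a single broken plugin: if two plugins only conflict with each other, both halves can pass on their own and you will have to check by hand.

```python
import os
import shutil
import tempfile


def list_plugins(plugins_dir):
    """Plugin folders currently in a directory, in a stable order."""
    return sorted(name for name in os.listdir(plugins_dir)
                  if os.path.isdir(os.path.join(plugins_dir, name)))


def move_plugins(names, src, dst):
    """Drag plugin folders from one directory to the other (the FTP drag, scripted)."""
    for name in names:
        shutil.move(os.path.join(src, name), os.path.join(dst, name))


def find_broken_plugin(wp_content, site_ok):
    """Return the name of the one plugin that breaks the site, or None.

    site_ok is an assumed callback: it reloads the site and returns True when the
    admin screen works with whatever is in the `plugins` folder right now.
    Assumes a single culprit; a conflict between two plugins needs a manual look.
    """
    active = os.path.join(wp_content, "plugins")
    parked = os.path.join(wp_content, "plugins-old")

    # Step 1: rename plugins -> plugins-old, which deactivates every plugin.
    os.rename(active, parked)
    # Step 2: create a fresh, empty plugins directory.
    os.mkdir(active)
    if not site_ok():
        # Still broken with no plugins at all: the problem is not a plugin.
        move_plugins(list_plugins(parked), parked, active)
        os.rmdir(parked)
        return None

    # Step 3: move plugins back in halves rather than one at a time.
    suspects = list_plugins(parked)
    while len(suspects) > 1:
        half, rest = suspects[:len(suspects) // 2], suspects[len(suspects) // 2:]
        move_plugins(half, parked, active)
        if site_ok():
            suspects = rest                      # culprit is in the other half
        else:
            move_plugins(half, active, parked)   # back this half out again
            move_plugins(rest, parked, active)   # the other half is cleared
            suspects = half
    # The culprit (if any) stays in plugins-old, i.e. deactivated, while you research it.
    return suspects[0] if suspects else None


def demo():
    """Constructed wp-content tree; 'bad-plugin' is the one that breaks the site."""
    wp_content = tempfile.mkdtemp()
    active = os.path.join(wp_content, "plugins")
    for name in ("akismet", "bad-plugin", "cache", "contact-form", "seo"):
        os.makedirs(os.path.join(active, name))

    def site_ok():  # stand-in for reloading the admin screen
        return "bad-plugin" not in os.listdir(active)

    culprit = find_broken_plugin(wp_content, site_ok)
    return culprit, list_plugins(active), list_plugins(os.path.join(wp_content, "plugins-old"))


if __name__ == "__main__":
    print(demo())
```

With five plugins the script needs three reloads instead of five; with forty it needs about six. Whatever it finds is left in plugins-old, which is exactly the "leave it deactivated while you research" state the next paragraph describes.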
Whenever you find a broken plugin, simply leave it deactivated while you research what’s happening. Check the plugin’s page on the WordPress Plugin Directory to see if others are having the same issue. It may be a matter of waiting for the author to come up with a fix, or it could be there’s a conflict with an update in another plugin.
If you purchased the plugin, e-mail the company and explain what happened, what version of WordPress you’re running, what version of PHP your server uses, and what other plugins you have.
If it’s vital to have that plugin working immediately, you could consider using a different plugin. Or if that’s not an option, it may be that the previous version will continue to work. You can get earlier versions from the Developer link on the plugins page in the WordPress directory, or if you have a paid plugin, you should have the earlier version on your hard drive. Try reinstalling and see if that works.
1.1.5. WordPress Cleanup
In addition to keeping WordPress up to date, some maintenance tasks can be useful to perform from time to time, depending on the size and activity of your site. Some of the key tasks are described here, and you can find lists of plugins at the end of the lesson, which can help you with each of them:
- Revision cleanup: By default, WordPress keeps all revisions you make to Posts or Pages. Many of these, particularly as time moves on, probably are not worth keeping. There are plugins that can help you clear out old revisions in bulk or change the revision function so that WordPress keeps only the last four, or whatever number of revisions you choose.
- Media cleanup: Between uploading different versions of files or uploading ones you never end up using, your media library (and hence your server) can become unnecessarily bloated. Coupled with the multiple images that WordPress creates for each one you upload (and this could be a dozen or more depending on the theme and plugins you use), you can see how stuffed your server can become. Deleting unneeded media files can be a huge help. There are plugins that can make the process easier by tracking down whether a file is used anywhere.
- Trash cleanup: By default, WordPress clears out files in the Trash area 30 days after they’ve been placed there. However, it can be good to go through it after you’ve done any major house cleaning and delete them right away.
- Database repair: Over time, databases can become filled with unnecessary data, or table information can become corrupted. This can slow down your site. There are plugins that can help without your having to know anything about databases.
Your website is like a big closet. Easy to stuff with lots of unneeded items—and just as easy to keep clean with a bit of effort.
1.2. Updating Plugins
When plugins require updating, the most visible notice from any screen in the admin area is a tiny graphic displayed next to the Plugins link on the main admin menu, as shown in Figure 32-2.
FIGURE 32-2
The number in the circle tells you how many plugins need updating. The admin toolbar also has an update indicator showing total Plugins and Themes needing an update.
Figure 32-2 also shows the Plugins page—plugins needing updating have a color-coded highlight and a notice about a new version. You can also view only the plugins that need updating by clicking the Update Available link on the text menu at the top of the Plugins screen.
Following are two ways to do the actual updating of plugins:
- From the Plugins page you can click the Update Now link for an individual plugin or use the Bulk Action function to update several at once.
- From the Dashboard Updates link on the main admin menu, choose one or more plugins, and click the Update Plugins button.
If you ever experience a problem after updating a plugin, see the section “Troubleshooting WordPress Updates,” earlier in this lesson.
Over time, you may accumulate plugins that have been deactivated and are no longer used. It’s important to delete these.
Even if plugins are not activated, WordPress has to process them to a certain extent for listing on the Plugins page. It may not be much for each plugin, but if you have 10, 20, or more plugins you’re not using, you might as well delete them.
There’s also a security issue involved here. As long as a plugin remains installed, its files are sitting on your server. If a security flaw is discovered by hackers, those files could be used by them to cause problems, despite the plugin not being active.
Remember, plugins are easily reinstalled at any time, whether from the WordPress Plugin Directory or a paid plugin, which you’ll have a copy of on your hard drive (right?).
1.3. Updating Themes
Like plugins, themes may need updating for various reasons. It could be that they have a special functionality that relied on something in WordPress that has now changed. Or the new version of the theme takes advantage of new features in WordPress. In either case, you need to perform an update.
Theme updates are included in the number that appears beside Dashboard Updates on the main admin menu. That’s why after having updated all your plugins, you may still see a number listed.
You can do theme updates from the Updates page, just as with Plugins, or from the theme library where you can see a clear notification on the theme’s thumbnail, as shown in Figure 32-3.
FIGURE 32-3
Some premium or commercial themes may have their own methods for updating. Following are some examples:
- Log in to the company website, download the new version as a zip file, install it through the WordPress theme upload function, and delete the old version.
- Log in to the company website, download the new version, manually upload the folder via FTP, and overwrite the old version.
- Load a special plugin that handles the updating.
In any case, you should receive some sort of notification, perhaps through the WordPress Updates area of the menu, with instructions on how to perform the update.
Just as with plugins, it’s not good to keep more than a few themes in your theme library at any one time. In particular, there can be security issues with outdated themes.
Some automated WordPress installers include dozens and dozens of themes from the WordPress.org site. There’s no good reason for this, when it’s so simple to preview and then install a theme at any time. Get rid of all these extra themes.
Or if you’re working on a site redesign and you’ve been loading several possible themes, make sure you delete them after you’ve made your choice.
2. Keeping Backups
Back up or die. It should already be your mantra for your home devices; now do the same for your website. Without a backup of your data, you face disaster if something happens; it rarely does, but the key word is “rarely.” Because it’s even remotely possible for your server to crash or a hacker to mess up your files, you must keep backups.
And for backing up WordPress, there is only one course of action: Automate your backups. I’ve tried many different ways over the years to educate clients and readers about how to back up WordPress, how often to do it, and how to get into a routine of doing backups. Almost without exception, it doesn’t happen. We get busy, we forget, we get intimidated by the process; whatever the cause, people do not take the time to back up their sites.
The good news is that it has become so easy to do automated backups with free and paid plugins, or third-party services, that there’s no point in even trying to develop a manual backup routine. Whatever method you use, make it an automated one that’s easy to restore.
2.1. The Elements Of Backing Up
After being blunt about the “why” of doing backups, I’ll now briefly consider the what, where, when, and who, followed by some details on the how.
2.1.1. What to Back Up
Following are two elements to a WordPress backup:
- Site files (WordPress, themes, plugins, and your media files)
- Site database (settings and all your text content)
You need to understand that these are completely separate on the server and require different methods of backing up. Check that a plugin is doing both, or understand which plugin is doing what, so that you’re covering the other backup by some other means.
2.1.2. Where to Keep Backups
The golden rule of backing up, whether for your home devices or website, is to store the backup somewhere else. Even better is to have two backups, each in a different location. I remember years ago storing a backup hard drive for my computer at my parent’s place. Luckily I never had to wake them in the middle of the night to access my data. These days there are better options.
When you’re looking into backup options for your WordPress site, you need to make sure the backup is not being stored on your server. The whole point of the backup is to restore it if something happens to your server.
One solution is to get a hosting account with a different host and store your backups on that account. An advantage of this method is that if your current site crashes and you decide it’s time to switch hosts, your files are already at the new location, speeding up the switchover.
The cloud is a popular choice for backups these days, because it’s somewhere other than your server, and services like Amazon S3, Google Drive, Dropbox and many others are usually very cost effective. If you have a large site, storing even just a few backup versions can add up, so you want a low-cost storage solution.
Another location for backup storage, depending on the size of your site, is an e-mail account such as Gmail with plenty of storage. If you’re backing up your database separately from your site files, this can be an ideal method for storing the database file, which is typically quite small when zipped up.
And, of course, storing a copy of your website on an external hard drive is another simple and cost-effective solution. Notice I didn’t say “stored on your computer’s hard drive,” because you won’t want to be worrying about computer crashes just when you need to restore a backup.
The ideal scenario: one backup in the cloud and another on an external hard drive. Whatever the plan, make sure you choose a plugin or service that can handle it.
2.1.3. When to Do Backups
How often should you do a backup? As often as necessary.
I don’t say that to be funny or cryptic. It simply means that the frequency of backups will vary for different sites or for the same site over time.
For example, say you spend 3 weeks getting ready to launch your site. You should set your backup for every day or even twice a day depending on how much you’re doing each day. A weekly backup would miss a lot of material. After the site is launched and you’re adding a new Post once a week, say, then a weekly backup would be reasonable.
2.1.4. Who Should Do Backups?
Everyone. Whether you run a personal blog, a site for your soccer team, or an online store, you need backups. Your content is valuable and you need to protect it. Besides, backup solutions cost nothing or very little, and when they’re automated they don’t require your time.
Following are some excuses I’ve heard for not backing up, all of which are just wrong:
- I have a very reliable host.
- I update my content only a couple of times a year (!).
- I have all my original Word docs and images on my hard drive.
These people are delusional: Accidents happen to any host. Even if your content isn’t changing, WordPress and plugins are, and the point of a backup is so that you don’t have to reconstruct your crashed site from scratch.
2.1.5. How to Do Backups
The two choices previously mentioned were: plugins or third-party services. Now we’ll consider the latter, and end with plugins in general. Then a list of some plugins is provided.
Third-Party Backup Services
Although you may store your backups with a third party, such as Amazon S3 or Dropbox, this section discusses third parties that actually handle the backup software as well as the storage.
Your hosting company is actually a backup service you should consider first because it already takes care of your website files. However, you need to keep the following in mind: Do not rely on your hosting company’s default backup system.
Most hosting companies regularly make backups of their servers, but those are rarely kept longer than the next backup, and these are typically images of the entire server. For them to extract your particular site’s data is not worth their time. And if you read the fine print of most hosting companies, they do not guarantee a backup of your files.
Currently, more and more hosting companies advertise individual site backups as part of certain hosting plans. So it’s definitely worth looking into what your hosting package includes.
Most hosting companies do offer a backup service for an additional fee, but here’s an important question to ask: Where do they store the backups? If it’s on your hosting account or even on the same server where your account is located, that’s a problem. If the entire server goes down, not only is your site inaccessible, but also are your backups.
In addition to your hosting company, you can also check with other hosting companies to see if they have accounts for backing up sites. That way your backups are stored on a completely different server system, and if you need to switch hosting companies, you’re already set up with one.
Another type of third-party backup service is one such as VaultPress, which is run by the folks who make WordPress. Many other backup services are available, such as blogVault, Codeguard, BackBlaze, and DropMySite; search for website backup services.
Free and Paid Plugins
With the advent of the cloud and inexpensive hard-drive storage, along with the development of sophisticated automated plugins, you don’t need a third-party service to get great backup protection.
Some plugins back up only the WordPress database. You do not want these plugins. If there were plugins that just automated the backing up of site files, then I might say, get both plugins, but there aren’t any files-only backup plugins that I know of. Even if there are, I know from experience that average site owners are not going to manually do FTP backups of site files every time they get an e-mail saying their database has been automatically backed up.
Don’t set yourself up to fail: Just get a plugin that backs up both your files and your database.
What about plugins for moving websites? Although these do create complete copies of your database and files, their primary purpose is to take a snapshot of a site and re-create it immediately on a subdomain or elsewhere. If the plugin has the capability to schedule automated copying, it might work for backups.
Some plugins do full automated backups but do not have the capability to tie into cloud or other storage services, such as Amazon S3 or Google Drive. For some people, this could work, but in my experience, the average website owner would benefit from the simplicity of a paid storage service.
For example, consider home data storage. For years there have been ways to link all your home devices to a central data storage location, whether on one of those devices or a stand-alone network drive. Yet how widespread has this practice actually become? Not very. But along comes cloud storage with a simple setup, and you hear grandmothers talking about backing up photos of the grandkids.
You should use an automated backup plugin that has the capability to tie into several different storage solutions.
Remember, if a plugin is saving only a full backup to your own hosting account, you’re responsible for downloading that backup so that it’s stored somewhere else (preferably two other places).
Restoring Backups
It’s one thing to have complete backups stored in safe locations, but if you can’t easily restore a backup, the value is lost to some extent. Yes, you can pay someone to do a restoration or maybe your hosting company can help, but for many people, the goal should be to have the same plugin do the restoration.
To sum up, following is the ideal backup plugin solution:
- Full backup of files and database
- Scheduled, automatic backups
- Storage to at least one location different from your server
- Simple restoration of backups
Although there are a couple of free plugins that meet these requirements, you’re more likely going to need a paid plugin, including paid versions of some free plugins mentioned next.
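The script below is an added example (not from the book, and not any plugin's code) of the four points in that list done together for the two elements described under "What to Back Up": it reads the database settings out of wp-config.php, archives the site files, dumps the database with mysqldump when that tool is available, copies both to a second location, keeps only the newest few runs, and can unpack a files archive again. The folder names, the offsite directory standing in for a second host, cloud bucket or external drive, and the DEMO_CONFIG contents are all constructed for the example.

```python
import glob
import os
import re
import shutil
import subprocess
import tarfile
import tempfile
import time

# Assumed layout: site_root holds wp-config.php and wp-content; offsite_dir stands
# in for a mount of another host, a cloud bucket or an external drive. All names
# and the DEMO_CONFIG contents are constructed for this example.
DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")

def read_db_settings(wp_config_path):
    """Pull the define('DB_*', '...') values out of wp-config.php."""
    with open(wp_config_path, encoding="utf-8") as f:
        text = f.read()
    pattern = r"define\(\s*['\"]%s['\"]\s*,\s*['\"]([^'\"]*)['\"]"
    return {key: m.group(1) for key in DB_KEYS
            for m in [re.search(pattern % key, text)] if m}

def backup_files(site_root, dest_dir, stamp):
    """Element 1: WordPress, themes, plugins and media files as one tar.gz."""
    archive = os.path.join(dest_dir, "files-%s.tar.gz" % stamp)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname=os.path.basename(site_root))
    return archive

def backup_database(settings, dest_dir, stamp):
    """Element 2: the database via mysqldump; None if the tool is missing or fails."""
    if shutil.which("mysqldump") is None:
        return None
    dump = os.path.join(dest_dir, "db-%s.sql" % stamp)
    env = dict(os.environ, MYSQL_PWD=settings["DB_PASSWORD"])  # keeps it off the command line
    try:
        with open(dump, "wb") as out:
            subprocess.run(["mysqldump", "-h", settings["DB_HOST"], "-u", settings["DB_USER"],
                            settings["DB_NAME"]], stdout=out, env=env, check=True)
    except (subprocess.CalledProcessError, OSError):
        os.remove(dump)  # never keep a half-written dump
        return None
    return dump

def prune_old(dest_dir, keep):
    """Keep only the newest `keep` (>= 1) archives of each kind; stamps sort by date."""
    for prefix in ("files-", "db-"):
        for path in sorted(glob.glob(os.path.join(dest_dir, prefix + "*")))[:-keep]:
            os.remove(path)

def run_backup(site_root, backup_dir, offsite_dir, keep=7, stamp=None):
    """One scheduled run: files + database, a second copy off the server, old runs pruned."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    os.makedirs(backup_dir, exist_ok=True)
    os.makedirs(offsite_dir, exist_ok=True)
    settings = read_db_settings(os.path.join(site_root, "wp-config.php"))
    artifacts = [backup_files(site_root, backup_dir, stamp)]
    dump = backup_database(settings, backup_dir, stamp)
    if dump:
        artifacts.append(dump)
    for path in artifacts:
        shutil.copy2(path, offsite_dir)  # the copy that survives a dead server
    prune_old(backup_dir, keep)
    prune_old(offsite_dir, keep)
    return {"settings": settings, "artifacts": artifacts}

def restore_files(archive, target_dir):
    """Simple restoration: unpack a files archive into target_dir."""
    os.makedirs(target_dir, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target_dir)
    return target_dir

DEMO_CONFIG = """<?php
define('DB_NAME', 'wp_demo');
define( 'DB_USER', 'demo_user' );
define('DB_PASSWORD', 'constructed-not-a-real-password');
define('DB_HOST', 'localhost');
"""

def demo():
    """Constructed site tree; three runs with keep=2 leave only the two newest archives."""
    work = tempfile.mkdtemp()
    site = os.path.join(work, "public_html")
    os.makedirs(os.path.join(site, "wp-content", "uploads"))
    with open(os.path.join(site, "wp-config.php"), "w", encoding="utf-8") as f:
        f.write(DEMO_CONFIG)
    backups, offsite = os.path.join(work, "backups"), os.path.join(work, "offsite")
    for stamp in ("20240101-020000", "20240102-020000", "20240103-020000"):
        result = run_backup(site, backups, offsite, keep=2, stamp=stamp)
    restored = restore_files(result["artifacts"][0], os.path.join(work, "restore"))
    return {
        "db_name": result["settings"]["DB_NAME"],
        "local": sorted(p for p in os.listdir(backups) if p.startswith("files-")),
        "offsite": sorted(p for p in os.listdir(offsite) if p.startswith("files-")),
        "restored_ok": os.path.isfile(os.path.join(restored, "public_html", "wp-config.php")),
    }
```

Run it from cron or your host's task scheduler at whatever frequency the "When to Do Backups" section suggests for your site. The point of the pruning on both locations is the one made about cloud costs: a few versions are enough, and a directory that only ever grows is a bill that only ever grows.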
3. Keeping Your Site Secure
Every piece of software on the Internet is threatened by hackers. Because of its tremendous popularity, WordPress is a regular target. The good news is that protecting yourself is not nearly as daunting as it might seem.
Two of the most important elements of WordPress security have previously been covered: staying up to date with all aspects of your site’s software, and having a backup if something happens.
This lesson shows you six additional steps you can take to increase the security of your WordPress installation. Although these are not exhaustive, if you do all or most of these steps, you’re much better off (sadly) than a great many users. Some other issues you need to be aware of in the constant effort to ward off hackers are also covered.
3.1. Six Steps To Greater WordPress Security
None of the following steps are difficult to do; the hard part is remembering to do them or getting in the habit of doing them.
3.1.1. Strong Passwords
Every security expert will tell you that weak passwords are the leading cause of software breaches. As you saw when first setting up WordPress, you need to pay attention to the password strength indicator and use only passwords that trigger a reading of Strong.
Following are the six criteria for a strong password:
- At least eight characters in length
- Some lowercase letters
- Some uppercase letters
- Some numbers
- Some characters such as #&!
- No actual words
And just so it’s driven home visually, following are some examples:
- Bad—Harp78
- Good—k7Te%w8Xq
I know, you’re thinking to yourself the good password is hard to memorize, but that’s part of what makes it good. Use a password manager program to store these hard-to-memorize passwords.
While random is best, it is possible to have a password you can memorize yet is still pretty strong. Take a random phrase, such as “The 4 cats drive a Lexus through Dallas each morning at 9” and use the first letter of each word to create this password: T4cdaLtDema9. This is the minimum length for creating a password this way; the longer the better.
Randomness is crucial; don’t use a phrase from books, movies, songs, and so on. The more visually memorable the random phrase is to you, the easier it will be to remember.
And do not rely on substitution methods like this: p@ssw0rd, r@nd0miz3, and so on. Hackers easily incorporate these substitutions into the dictionaries they use.
Another approach is to memorize a random set of at least 6 symbols and numbers, such as “7%$9#4.” Then take a word of at least 6 letters and add two numbers at the end, such as “debate24.” The first number tells you which letter to capitalize and the second tells you the point at which to inject your random symbols and numbers, so the resulting password would be: dEba7%$9#4te. One of the advantages here is that you only memorize one thing, yet you can generate any number of passwords.
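To make the six criteria and the advice that follows them concrete, here is an added checker (example code, not from the book or from WordPress's own strength meter) that tests a password against each criterion, sees through the p@ssw0rd-style substitutions the way a dictionary attack does, and reproduces the two memorable-password recipes above. The WORDLIST and the substitution table are small constructed stand-ins; a real check would load a full dictionary plus leaked-password lists. Note that the phrase example T4cdaLtDema9 contains no symbol, so the six-criteria check flags it, which matches the lesson calling it "pretty strong" rather than Strong.

```python
import string

MIN_LENGTH = 8

# Constructed stand-in for the dictionaries the lesson says hackers use.
WORDLIST = {"password", "randomize", "harp", "welcome", "debate", "dallas"}

# Common substitutions that dictionary attacks already account for (assumed table).
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "i",
                      "$": "s", "5": "s", "!": "i", "7": "t"})


def undo_substitutions(password):
    """'p@ssw0rd' -> 'password': see through the substitution trick."""
    return password.translate(LEET).lower()


def contains_word(password, wordlist=WORDLIST):
    """Criterion 6: no actual words, even after undoing @/0/3-style substitutions."""
    plain = undo_substitutions(password)
    return any(word in plain for word in wordlist)


def check_password(password):
    """Return the criteria a password fails; an empty list means Strong."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("fewer than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        failures.append("no lowercase letters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letters")
    if not any(c.isdigit() for c in password):
        failures.append("no numbers")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol characters such as #&!")
    if contains_word(password):
        failures.append("built around a dictionary word")
    return failures


def is_strong(password):
    return not check_password(password)


def phrase_initials(phrase):
    """Memorable-phrase method: first character of each word."""
    return "".join(word[0] for word in phrase.split())


def inject_password(word, memorized, capital_at, inject_at):
    """Memorized-string method: capitalize letter capital_at (1-based) of word and
    insert the memorized symbols/numbers after inject_at letters."""
    letters = list(word)
    letters[capital_at - 1] = letters[capital_at - 1].upper()
    return "".join(letters[:inject_at]) + memorized + "".join(letters[inject_at:])


def demo():
    """The lesson's own examples, good and bad, run through the checker."""
    return {p: check_password(p) for p in
            ("Harp78", "k7Te%w8Xq", "p@ssw0rd", "T4cdaLtDema9", "dEba7%$9#4te")}
```

The substitution table is the important part: "r@nd0miz3" satisfies four of the six criteria on paper, yet once the substitutions are undone it is just "randomize", which is why the lesson tells you not to rely on that trick.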
Two-Factor Authentication
The hot topic in security these days is two-factor authentication, which means requiring two components for logging in. Typically, the components consist of something the user knows (a PIN) and something the user carries with them (a bank card).
Obviously, a physical component is not practical for things such as logging into WordPress, so a second piece of knowledge makes sense, but it needs to be knowledge accessible only by the user at the moment of login. If a temporary second password generated for that transaction could be transmitted to the user, that would be equivalent to possessing a physical object. Enter the mobile phone. A temporary password is simply texted to the phone.
The way it works is you have a plugin on WordPress which, when you sign in with your username and password, immediately triggers a code to be sent to the phone you’ve already registered. You have to enter this code before you can get into WordPress. At the end of this lesson some plugins that enable this kind of stronger login process are mentioned.
3.1.2. Use Reputable Themes and Plugins
Corrupted or unsecure themes and plugins are one of the leading causes of hackers worming their way into websites. And these themes and plugins tend to come from unreliable sources.
Free themes and plugins should be downloaded from one of only two places:
- WordPress.org
- A well-known commercial theme or plugin maker’s site
Go anywhere else and you could be leaving yourself open to problems. Ask yourself this: If it’s free, why isn’t it in the WordPress.org directories? Anyone can submit their work, which is then given a thorough check, not just for viruses and malware, but also for coding compliance and other standards.
Some commercial theme or plugin makers put free items on their sites to give you a taste of their work. If they’re reliable, that’s fine. This is particularly true of themes. If you’re not sure of the theme maker’s reputation, you can always run the theme through the Theme Check plugin, mentioned in Lesson 27, “Overview of WordPress Themes.” There are also plugins that scan all your site files for possible malware, as mentioned at the end of this lesson.
3.1.3. Do Not Use “Admin” for a Username
WordPress no longer automatically gives the first user on the system the username “admin.” However, many people continue to enter that as their choice when first installing WordPress. Don’t do it.
If you set up a security plugin that monitors access to your site, you would not believe how many people will try to get into your WordPress by entering “admin” as the username. These hackers know that eventually they’ll strike a site that’s using it, and then they’re part way toward getting in.
If you have an account with the username “admin” you need to get rid of it right now!
All you have to do is create a new administrator account with a username unique to yourself. Then log out and log in as the new user. Delete the “admin” account, assigning all its Posts to you.
3.1.4. Change the Database Prefix
When you install WordPress, you’re given the option of choosing the prefix for the names of the database tables. The default is wp_ but you can use any prefix you want.
Although I’m not completely convinced that this offers much protection (all installations have the same table names following the prefix), it’s an easy step when you’re installing WordPress, so you might as well do it.
3.1.5. Vigilance
You can protect yourself in a number of ways by keeping an eye on certain elements of WordPress. Regularly check your list of users. Filter for administrators and editors. Make sure there are no unknown users suddenly appearing, which could mean that hackers have set themselves up with control over your site and access to your files through the theme and plugin editors.
Delete temporary administrators. If you hire someone to work on your site, create a temporary administrator for the task, and when they’re through, erase it.
Delete the accounts or change the passwords of any former administrators, editors, or authors. And there are plugins which will automatically force current users to reset their password after a certain amount of time; see the end of the lesson for some examples.
Make sure no backups of your wp-config file exist. Neglectful developers may make a temporary backup of this crucial file. If they leave it on the server, it won’t be protected, and depending on how they saved it, it may be a plain text file. Figure 34-1 shows a backup of a config file exposed on the Internet and how easily it can be opened as a text file, revealing all the database login information:
FIGURE 34-1
By the way, I found this file (and thousands more like it) with a simple search using Google. Don’t make things this easy for hackers. And just so you know, these kinds of vulnerabilities have been pointed out on the Internet for more than a decade, so there’s no excuse for leaving backed-up copies of config files on the server.
You can look for these files on your hosting account using an FTP program or the File Manager of your hosting Control Panel. Look for things such as wp-config.txt or wp-config.php.bak. Any variation other than wp-config.php is vulnerable. Simply delete them, but, of course, don’t delete wp-config.php.
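If you have shell or script access to the account, the search can be automated. The following is an added example (not from the book) that walks the web root, reports every file named after wp-config other than the live wp-config.php, notes whether it would be served as plain text and whether it still contains database credentials, and then deletes the copies. The exclusion of wp-config-sample.php (the placeholder file WordPress ships with), the assumption that only .php files are executed rather than displayed, and the constructed demo tree are mine, not the lesson's.

```python
import os
import re
import tempfile

# Anything named after wp-config other than the live file is a leftover copy.
# wp-config-sample.php ships with WordPress and holds only placeholders, so it is
# excluded here; that exclusion and the demo tree below are assumptions.
LIVE_CONFIG = "wp-config.php"
SHIPPED_SAMPLE = "wp-config-sample.php"
CREDENTIAL = re.compile(r"define\(\s*['\"]DB_(PASSWORD|USER|NAME)['\"]")


def find_config_leftovers(web_root):
    """Walk the web root and report every wp-config variant except the live file."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if "wp-config" not in name.lower() or name in (LIVE_CONFIG, SHIPPED_SAMPLE):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    has_credentials = bool(CREDENTIAL.search(f.read()))
            except OSError:
                has_credentials = None
            findings.append({
                "path": os.path.relpath(path, web_root),
                # Assumes the usual setup where only .php is executed; any other
                # extension is handed to the browser as text, as in Figure 34-1.
                "served_as_text": not name.lower().endswith(".php"),
                "has_credentials": has_credentials,
            })
    return sorted(findings, key=lambda f: f["path"])


def delete_leftovers(web_root, findings):
    """Remove the reported copies; the live wp-config.php is never touched."""
    removed = []
    for finding in findings:
        path = os.path.join(web_root, finding["path"])
        if os.path.basename(path) != LIVE_CONFIG and os.path.isfile(path):
            os.remove(path)
            removed.append(finding["path"])
    return removed


def demo():
    """Constructed web root with the kinds of leftovers the lesson warns about."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content"))
    secret = "<?php\ndefine('DB_PASSWORD', 'constructed-demo-secret');\n"
    files = {
        "wp-config.php": secret,                      # the live file: keep
        "wp-config-sample.php": "<?php // placeholders only",
        "wp-config.php.bak": secret,                  # developer's temporary copy
        "wp-config.txt": secret,                      # opens as plain text in a browser
        "index.php": "<?php // front controller",
        os.path.join("wp-content", "wp-config.old"): "<?php // no define() here",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(body)
    findings = find_config_leftovers(root)
    removed = delete_leftovers(root, findings)
    return findings, removed, os.path.isfile(os.path.join(root, LIVE_CONFIG))
```

Run find_config_leftovers on its own first and read the report; run delete_leftovers only once you are sure nothing in the list is a file you actually need.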
3.1.6. Limit Login Attempts
Hackers don’t actually have to break into WordPress to cause you problems. They could simply flood your login page with attempted logins. When I say flood, I mean hundreds or even thousands of attempts in a short period. On shared hosting, this can often get you shut down as the hosting company works to prevent the server from being overloaded, which would make all the other sites on it suffer.
There are plugins that limit how many times a single user can try to log in before being blocked; a few are mentioned at the end of the lesson.
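What such a plugin does underneath is a small amount of bookkeeping. The following added example (my code, not any plugin's) keeps a sliding window of failed logins per client address, locks the address out for a while once a threshold is crossed, and replays a constructed login log through it so you can see the flood being cut off after five attempts while an editor who mistypes once is unaffected. The thresholds are assumed defaults, the log format is invented for the example, and the addresses are documentation ranges; the per-address report also shows the "admin" guessing described under "Do Not Use 'Admin' for a Username".

```python
import re
from collections import defaultdict, deque


class LoginLimiter:
    """Lock a source out after too many failed logins inside a short window.

    Keyed by client IP here (the lesson's "single user" could equally be IP+username).
    Thresholds are assumed defaults, not values from any particular plugin.
    """

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}

    def is_locked(self, key, now):
        return now < self.locked_until.get(key, 0)

    def record_failure(self, key, now):
        """'blocked' (lockout active), 'locked' (this failure tripped it) or 'counted'."""
        if self.is_locked(key, now):
            return "blocked"
        recent = self.failures[key]
        recent.append(now)
        while recent and recent[0] < now - self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            recent.clear()
            return "locked"
        return "counted"

    def record_success(self, key):
        self.failures.pop(key, None)


# Constructed login events: "<epoch seconds> <FAIL|OK> user=<name> ip=<addr>".
LOG_LINE = re.compile(r"^(?P<ts>\d+) (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

SAMPLE_LOG = [
    "1000 FAIL user=admin ip=203.0.113.5",
    "1010 FAIL user=admin ip=203.0.113.5",
    "1020 FAIL user=administrator ip=203.0.113.5",
    "1030 FAIL user=admin ip=203.0.113.5",
    "1040 FAIL user=root ip=203.0.113.5",        # fifth failure: locked until 1940
    "1050 FAIL user=admin ip=203.0.113.5",       # rejected without a password check
    "1060 FAIL user=admin ip=203.0.113.5",
    "1070 OK user=admin ip=203.0.113.5",         # rejected even with the right password
    "1100 FAIL user=editor_jane ip=198.51.100.7",
    "1105 OK user=editor_jane ip=198.51.100.7",  # one typo, then a normal login
    "2000 FAIL user=admin ip=203.0.113.5",       # lockout over, counting starts again
]


def replay(lines, limiter):
    """Feed login events through the limiter and summarise what each IP did."""
    report = defaultdict(lambda: {"failures": 0, "blocked": 0, "usernames": set()})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, ip = int(m["ts"]), m["ip"]
        entry = report[ip]
        entry["usernames"].add(m["user"])  # which names the visitor tried
        if limiter.is_locked(ip, ts):
            entry["blocked"] += 1
        elif m["result"] == "FAIL":
            entry["failures"] += 1
            limiter.record_failure(ip, ts)
        else:
            limiter.record_success(ip)
    return {ip: dict(e, usernames=sorted(e["usernames"])) for ip, e in report.items()}


def demo():
    return replay(SAMPLE_LOG, LoginLimiter())
```

The lockout applies to the address regardless of whether the password happens to be right, which is what protects a shared server from the flood; the cost is that a legitimate user behind the same address waits out the lockout too, so the window and lockout lengths are worth tuning rather than maximizing.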
3.2. Dealing With Sensitive Data
Some hackers just want to break in for the fun of it or to use WordPress as a tool for larger acts, but others are after data, such as personal or credit card information.
Following are two security elements relating to sensitive data:
- Collection
- Storage
Common solutions exist for both, in addition to specific steps you should take.
3.2.1. Collecting Sensitive Data
Suppose you have a form on your WordPress site where you need to collect data such as a person’s address, insurance policy number, or Social Security number. Unless the page containing the form is protected by secure browsing (an HTTPS in the URL), the data can be stolen as users enter the information.
With an SSL certificate for your site, you can use a WordPress plugin to designate that form page as HTTPS. Actually, you can make your entire site secure that way, including your administrative area.
The other important element in all this is retrieving the sensitive data. The normal action for any form is to have it e-mailed to you; however, regular e-mail is also susceptible to hacking. You can use plugins to have WordPress send your e-mail through a secure mail server. (One is mentioned at the end of the lesson.)
3.2.2. Storing Sensitive Data
The short answer to the problem of storing sensitive data in WordPress is: Don’t do it!
For data from web forms, plugins exist that write the information to your WordPress database and e-mail it to you. Typically, the reason for doing this is to allow the exporting of gathered data all at one time to be imported into a spreadsheet or an offline database.
If that’s the case, you need to retrieve the data every day, or even more frequently if a lot of data exists, and then delete it from WordPress. Do not keep the data stored online.
Better still: find a plugin that offers an automated method for securely transferring the data to a safe location.
Remember: There are no good reasons for storing sensitive data in WordPress. It’s that simple.
3.3. Secure Hosting
One aspect of security that sometimes is overlooked is your choice of hosting companies. Although the services offered are almost identical, including the software used to provide those services, important differences can exist in how that software is set up.
3.3.1. Account Firewalls
Most individuals and small businesses have their sites hosted on a shared server. That is, their account is just one of hundreds or possibly even thousands of other accounts on the server. It’s an efficient and cost-effective way of providing inexpensive hosting, but it poses an important security problem: keeping those accounts separate.
You could take every security step discussed so far, but if your neighbors on the shared server aren’t vigilant and a hacker gets into one of their accounts, that can leave you vulnerable, unless the hosting company has properly insulated accounts from one another. There have been several well-publicized security breaches over the years in which literally thousands of websites were hacked or brought down because, after compromising one account, the hackers wormed their way into other accounts through the server itself.
The most you can do is research this before choosing a hosting company. Ask what steps they take to isolate accounts, check forum postings for signs it has happened before, search for the company name together with “security breach,” and so on.
The ultimate defense you have is a good backup routine. If a server breach occurs, just take your backup and move to a new hosting company. The switch is often faster than waiting for the problem to be fixed.
3.3.2. Visible Directories
Earlier in the lesson you saw a screen shot of someone’s file directory where there was a backup of the wp-config.php file (refer to Figure 34-1). Well, it wasn’t just the readable backup file that was a problem: You should not have been able to view a list of all the files in that directory!
When you browse to a domain name, you’re actually requesting the site’s home directory (the document root) on the server. When the request is for a directory, the server looks for a default document with a name such as default.html, index.html, or index.php. If it doesn’t find one, the server may, depending on the hosting company’s settings, simply display a list of the files in the directory, with a link to each file, as shown in Figure 34-2.
FIGURE 34-2
You can see how a simple search turns up visible directories, and from a directory listing you can download files. Note what a listing does and does not give you. If you click wp-config.php itself, the server runs it as PHP and returns a blank page, because PHP output is all a browser ever gets for a .php file. A copy saved as wp-config.txt or wp-config.php.bak is never handed to PHP, though: right-click it in the listing, save it to your computer, and you have the database credentials in plain text. Neither the listing nor that download is possible unless the directory is visible.
WordPress protects itself from hosts who leave directories visible by placing an index.php file that contains only a comment, and so produces no output, into every directory that shouldn’t be open. You can see this at work by adding the following to the end of your domain name: /wp-content/themes/.
If you try to view that URL, you should get a blank white screen; that’s the index.php file at work. If it weren’t there and your host allowed visible directories, you’d see a list of all your theme folders.
If for some reason a WordPress directory is visible, you can solve the problem in the same way, by uploading a plain text file called index.php, containing only <?php //Silence is golden ?>
Make sure you don’t have anything after the closing ?> tag, not even a space, because anything that follows the tag is sent to the browser as output.
You can do the same for any folder you create on the web that does not have an index.php file (or other type of default file).
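The following script is an added example, not code from the lesson, that automates the check and the fix: it lists every directory under a web root that has none of the usual default documents, and writes the same comment-only index.php WordPress uses into each one, with nothing after the closing tag. The web root path is an assumption, and the demo tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the lesson): find directories under a web root with
# no index file, then drop in the comment-only index.php WordPress ships, so a
# host that allows directory listings shows a blank page instead of your files.
# Usage: find_unguarded_dirs /path/to/wordpress ; guard_all /path/to/wordpress
# (the path is an assumption)

# Print every directory that has none of the usual default documents.
find_unguarded_dirs() {
    root=$1
    find "$root" -type d | sort | while IFS= read -r dir; do
        for idx in index.php index.html index.htm default.html; do
            if [ -f "$dir/$idx" ]; then continue 2; fi
        done
        printf '%s\n' "$dir"
    done
}

# Write the guard file with nothing after the closing tag, not even a newline:
# anything after ?> would be sent to the browser as output.
guard_dir() {
    printf '%s' '<?php //Silence is golden ?>' > "$1/index.php"
}

# Guard everything that is currently exposed.
guard_all() {
    find_unguarded_dirs "$1" | while IFS= read -r dir; do
        guard_dir "$dir"
    done
}

# Stand-alone demo on a constructed tree: wp-content and themes are already
# guarded, the uploads folders are not.
demo_directory_guard() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/themes" "$tmp/wp-content/uploads/2014/10"
    printf '<?php\n' > "$tmp/index.php"
    guard_dir "$tmp/wp-content"
    guard_dir "$tmp/wp-content/themes"
    echo "unguarded before:"; find_unguarded_dirs "$tmp" | sed "s|^$tmp||"
    guard_all "$tmp"
    echo "unguarded after:";  find_unguarded_dirs "$tmp" | sed "s|^$tmp||"
    rm -rf "$tmp"
}
```

The guard file only works because the server treats index.php as a default document. The host-side fix is to turn listings off altogether (Options -Indexes in an Apache .htaccess file, autoindex off in nginx); the index.php files are your safety net when you cannot control that setting.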
3.3.3. File Permissions
Sometimes, someone in a forum advises others to change the permissions on a folder or file to 777. That means anyone can read the file, edit the file, or delete the file. The advice is usually meant to solve some issue a person has with WordPress or a plugin.
Never change a permission level to 777.
Your problem might temporarily be solved, but you’re opening yourself up to much larger ones. No proper fix for a problem should involve changing permissions to that level of openness.
Although different hosting companies have different approaches to file permissions and ownership, at WordPress.org, you can find a good discussion about the recommended types of file permissions you should see in a WordPress installation—and none of them are 777, not even upload directories. Here’s the URL:
http://codex.wordpress.org/Changing_File_Permissions
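To find out whether a 777 has crept into your installation, and to undo it, the script below is an added example, not code from the lesson or the Codex page. It lists every file and directory with the world-writable bit set (777 is the usual culprit, but any mode with that bit counts) and resets the tree to the common baseline of 755 for directories and 644 for files. The WordPress path is an assumption, and the demo tree is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the lesson): audit a WordPress tree for world-writable
# files and directories (what "just chmod it to 777" leaves behind) and reset
# them to the usual baseline of 755 for directories and 644 for files.
# -perm -002 matches anything with the world-write bit set, whatever the rest.
# Usage: find_world_writable /path/to/wordpress ; fix_permissions /path/to/wordpress
# (the path is an assumption)

find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print | sort
}

fix_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database password and can be tightened further
    # (for example to 600), but only when PHP runs as the file's owner;
    # otherwise WordPress can no longer read it. Check your host first.
}

# Stand-alone demo on a constructed tree: an uploads folder and one file in it
# were set to 777 by a well-meaning forum tip.
demo_permissions() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads"
    printf '<?php\n' > "$tmp/wp-config.php"
    printf 'x\n'     > "$tmp/wp-content/uploads/photo.jpg"
    chmod 755 "$tmp" "$tmp/wp-content"
    chmod 644 "$tmp/wp-config.php"
    chmod 777 "$tmp/wp-content/uploads" "$tmp/wp-content/uploads/photo.jpg"
    echo "world-writable before fix:"; find_world_writable "$tmp" | sed "s|^$tmp||"
    fix_permissions "$tmp"
    echo "world-writable after fix:";  find_world_writable "$tmp" | sed "s|^$tmp||"
    rm -rf "$tmp"
}
```

If uploads stop working after the reset, the cause is almost always that the web server process runs as a different user from the one that owns the files. The cure is to fix ownership or the group, not to reopen the folder to the world.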