Tag Archive: plugins

For the Dear Love of the Gods, Please Read This If You Use Wordpress

Note: this only applies to people who don’t use Wordpress.com, but have their own hosting and their own Wordpress installations.

Wordpress blogs are notorious for falling prey to massive automated attacks: scanners that fingerprint the WordPress version and then try the exploits known for that version, dictionary attacks against the login box that use the login form’s error messages to tell valid usernames from invalid ones, and specially crafted URLs that trigger PHP code execution.

If you do nothing else, please install Secure Wordpress, go to its options page, tick most of the boxes, and click “save changes”. I also suggest a few more measures at the end of this post.

Here is what each option means, and whether you want to tick it (usually you do, but not always, for instance if you post with third-party software like MarsEdit, ScribeFire, or Windows Live Writer):

Error-Messages…

This replaces the specific error message WordPress gives on a bad login with a generic one. You’ll still know that you failed to log in (WordPress will simply present you with the login box again), but scripts and attackers won’t learn why the login failed: whether it was the username or the password that was wrong.

If an attacker knows, for instance, that the password failed but the username was valid (which WordPress’s default, very specific login errors reveal), they can stop guessing usernames and proceed straight to a dictionary attack on that account’s password.

Plus, certain kinds of security holes can only be exploited if you know the login of at least one user for sure.

Amusingly, many people put more thought into their user login than their password.

You should tick this box.

WordPress Version…

If you ever do a view-source of your blog page, at the top of the source you will see something like this:

<meta name="generator" content="WordPress 4.8" />

By default, WordPress kindly tells every script and attacker out there its exact version, the better for them to scan thousands of URLs and fire off attacks lovingly tailored to each WordPress version’s known security holes.

If you tick this box, Secure Wordpress replaces the WordPress version in all publicly viewable pages, and in your RSS feed (a less popular but equally legitimate place to read a WordPress install’s version), with a random 4-digit number.

Do not listen to WordPress’s plea to leave that line in for stats. Tick this box for your safety. Bear in mind that hiding the version only blinds crude scanners (the readme.html that ships with WordPress, for instance, still states it), so it is no substitute for keeping up to date.

WordPress Version in Backend…

Only really necessary for installations that have multiple non-administrative users registered, and which don’t trust those users not to leave, for instance, a trivially crackable password that lets a script read the WordPress version from the non-public pages (i.e., the administrative section of WordPress).

I think you should tick this box regardless. A user with admin privileges will still see the WordPress version.

index.php…

Many web hosts already block directory listings, because a listing is a popular way for crackers to discover specific URLs (like CGI scripts, or the plugins you have installed) they can use for attacks. You can check your own site by requesting /wp-content/plugins/ in a browser: if you see a list of folders, listing is on.

Tick this box regardless, because it’s a good habit to get into.

Really Simple Discovery….

Really Simple Discovery (RSD) is a link WordPress puts in the head of every publicly served page that conveniently tells remote programs which special URLs to use for posting, deleting, editing and so on. Third-party blogging software depends on it to find those endpoints, so that you can post from outside WordPress.

Of course, it also allows hackers to find the special URLs to use when posting/deleting/editing/etc posts.

If you really love your third-party external editor (they range from the WordPress iPhone app to ScribeFire and MarsEdit and many more), then you want to leave this box unchecked.

If you always post from inside WordPress anyway, tick this box.

Windows Live Writer…

Windows Live Writer is also a third-party external editor, but it doesn’t use RSD. Instead, it looks for a special manifest link that some blogging platforms, WordPress among them, generate.

If you don’t use Windows Live Writer, tick this box.
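The same four hardenings (the Error-Messages, WordPress Version, Really Simple Discovery and Windows Live Writer boxes) can be done with core WordPress hooks if you would rather not depend on the plugin. The following is an added example written for this page, not code from Secure Wordpress or from WordPress itself; it assumes the core hook names given in its comments and uses a hypothetical sd_ prefix for its own functions. It also includes a small scanner you can run against a saved copy of your front page or feed to confirm the fingerprinting tags are gone.

```php
<?php
/*
Plugin Name: Fingerprint Hardening (added example)
Description: Does with core hooks what the Error-Messages, WordPress Version,
Really Simple Discovery and Windows Live Writer boxes do. Put it in
wp-content/mu-plugins/ so it loads on every request.
*/

/*
 * Assumptions: login_errors and the_generator are core filters, and
 * wp_generator, rsd_link and wlwmanifest_link are the callbacks core attaches
 * to the wp_head action before plugins load, so remove_action() at load time
 * is enough. The sd_ prefix is just a namespace for this example.
 */

// Error-Messages: one message whether the username or the password was wrong,
// so the login form cannot be used to tell valid usernames from invalid ones.
function sd_generic_login_error( $errors ) {
    return 'Login failed. Check your username and password.';
}

// WordPress Version: the_generator produces both the HTML <meta name="generator">
// tag and the <generator> element of RSS/Atom feeds; an empty string drops both.
function sd_hide_generator( $generator, $type ) {
    return '';
}

if ( function_exists( 'add_filter' ) ) {                    // running inside WordPress
    add_filter( 'login_errors', 'sd_generic_login_error' );
    add_filter( 'the_generator', 'sd_hide_generator', 10, 2 );
    remove_action( 'wp_head', 'wp_generator' );              // HTML version tag
    remove_action( 'wp_head', 'rsd_link' );                  // <link rel="EditURI"> (RSD)
    remove_action( 'wp_head', 'wlwmanifest_link' );          // <link rel="wlwmanifest">
}

// Verification: after enabling this (or the plugin's boxes), fetch your front
// page and feed and scan them. Pure PHP, so it also runs outside WordPress.
function sd_find_fingerprint_leaks( $html ) {
    $checks = array(
        'generator'      => '/<meta\s+name=["\']generator["\'][^>]*>/i',
        'feed_generator' => '/<generator\b[^>]*>[^<]*<\/generator>/i',
        'rsd'            => '/<link[^>]+rel=["\']EditURI["\'][^>]*>/i',
        'wlw'            => '/<link[^>]+rel=["\']wlwmanifest["\'][^>]*>/i',
    );
    $leaks = array();
    foreach ( $checks as $name => $pattern ) {
        if ( preg_match( $pattern, $html, $match ) ) {
            $leaks[ $name ] = $match[0];   // keep the offending tag for the report
        }
    }
    return $leaks;   // empty array means nothing leaked
}

if ( PHP_SAPI === 'cli' && ! function_exists( 'add_filter' ) ) {
    // Constructed sample of a default WordPress <head>, not fetched from a live site.
    $sample = '<head>'
        . '<meta name="generator" content="WordPress 4.8" />'
        . '<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.com/xmlrpc.php?rsd" />'
        . '<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://example.com/wp-includes/wlwmanifest.xml" />'
        . '</head>';
    foreach ( array( 'default head' => $sample, 'hardened head' => '<head></head>' ) as $label => $html ) {
        $leaks = sd_find_fingerprint_leaks( $html );
        echo $label, ': ', $leaks ? implode( ', ', array_keys( $leaks ) ) : 'no fingerprint tags', "\n";
    }
}
```

Run it with php on the command line and it only exercises the scanner on the constructed sample; dropped into wp-content/mu-plugins/ it registers the hooks. Removing the RSD and manifest links breaks external editors exactly as the plugin’s boxes do, so leave those two lines out if you post with one.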

Core Update…

These days, WordPress displays a little yellow message atop the administrative screens when a new version is available and you should upgrade. Upgrading is dead simple these days, so there’s no excuse.

But if you want to keep the WordPress version extra-hidden from non-administrative users even when an upgrade is needed, tick this box. Administrative users will still see this rather important message.

Plugin Update…

Similar to the “Core Update” option, with similar recommendations as to tick or not.

Theme Update…

Similar to the “Core Update” and the “Plugin Update” options, with similar recommendations as to tick or not.

WP Scanner…

If you tick this box and then follow the directions about editing your theme temporarily, you can use wpscan to find possible exploits in your system. I’ve seen themes revealed to be really stupid about what they allowed in the search box, for instance. WordPress themes are more powerful than themes in most blogging platforms, which can both rock (in the normal case) and suck (in terms of security exploits).

If wpscan runs and mentions anything about search queries, and you don’t know how to fix your WordPress theme to not allow that sort of thing, switch WordPress themes.

Block bad queries…

This helps protect your blog from malformed URLs and query strings that are attacks in themselves, whether or not you have sealed up everything else. Jeff Starr wrote this code in the wake of a very recent and very bad worm outbreak, and Secure Wordpress now incorporates it.

Totally tick this box. There is almost no reason not to. In fact, I can’t think of a reason not to.
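To show what “blocking bad queries” means in practice, here is an added example of a simplified request filter in the same spirit. It is not Jeff Starr’s Block Bad Queries code and not what Secure Wordpress ships; the length limits, the pattern list and the sd_ function names are this example’s own assumptions.

```php
<?php
/*
Plugin Name: Bad Query Filter (added example)
Description: A simplified request filter in the spirit of the Block bad queries
box. Put it in wp-content/mu-plugins/. Illustrative code, not Jeff Starr's BBQ
and not what Secure Wordpress ships.
*/

/*
 * Assumptions: the length limits and the pattern list are starting points, not
 * a vetted ruleset. Every pattern is a false-positive risk for some legitimate
 * URL, so watch your error log after enabling it and drop rules that fire on
 * real traffic. The sd_ prefix is just a namespace for this example.
 */

// Returns false for a request that looks fine, or a short reason string otherwise.
function sd_request_is_bad( $request_uri, $max_path_len = 255, $max_query_len = 2000 ) {
    $parts = explode( '?', $request_uri, 2 );
    $path  = $parts[0];
    $query = isset( $parts[1] ) ? $parts[1] : '';

    // Crude but effective: exploit payloads are usually far longer than real URLs.
    if ( strlen( $path ) > $max_path_len ) {
        return 'oversized path';
    }
    if ( strlen( $query ) > $max_query_len ) {
        return 'oversized query string';
    }

    // Decode once so that %2e%2e%2f is seen as ../ and %00 as a NUL byte, then
    // match the decoded form. (Double-encoded payloads would need a second pass.)
    $decoded  = rawurldecode( $request_uri );
    $patterns = array(
        'path traversal'    => '#\.\./#',
        'php code in query' => '#\b(?:eval|base64_decode|base64_encode|gzinflate)\s*\(#i',
        'null byte'         => '#\x00#',
        'script tag'        => '#<\s*script\b#i',
        'sql union'         => '#\bunion\s+(?:all\s+)?select\b#i',
    );
    foreach ( $patterns as $reason => $regex ) {
        if ( preg_match( $regex, $decoded ) ) {
            return $reason;
        }
    }
    return false;
}

function sd_block_bad_request() {
    $reason = sd_request_is_bad( $_SERVER['REQUEST_URI'] );
    if ( $reason === false ) {
        return;
    }
    // Log for your own forensics; tell the client nothing beyond the status code.
    error_log( 'blocked request (' . $reason . '): ' . $_SERVER['REQUEST_URI'] );
    header( 'HTTP/1.1 403 Forbidden' );
    exit;
}

if ( defined( 'ABSPATH' ) && isset( $_SERVER['REQUEST_URI'] ) ) {   // inside WordPress
    sd_block_bad_request();
}

if ( PHP_SAPI === 'cli' && ! defined( 'ABSPATH' ) ) {
    // Constructed sample URIs, not captured traffic.
    $samples = array(
        '/2009/04/some-post/?s=hello+world',
        '/?p=12&file=..%2F..%2Fwp-config.php',
        '/index.php?cmd=eval(base64_decode(abc))',
        '/?s=' . str_repeat( 'A', 2500 ),
    );
    foreach ( $samples as $uri ) {
        $verdict = sd_request_is_bad( $uri );
        echo ( $verdict === false ? 'allow' : 'block: ' . $verdict ), '  ', substr( $uri, 0, 60 ), "\n";
    }
}
```

As an mu-plugin it runs before the rest of WordPress on every request; run with php on the command line it only exercises the classifier on the constructed URIs. The block logs the reason precisely so you can spot rules that hit legitimate traffic and trim them.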

There are more recommendations for securing your WordPress install out there, but the Secure Wordpress plugin covers many of the vital ones, though not all of them.

Some More Advice

  1. I wish I knew how a plugin like Secure Wordpress could automate this, but it’s probably not possible: make sure that the ‘admin’ user no longer uses ‘admin’ as their login. It’s a default that WordPress sets up, and one that hackers of course know about.

  2. When you download a WordPress theme, please check its source code for anything suspicious before you install it. This is important: a theme is PHP that runs on every page load, so installing a hacked theme undermines all your other security measures, regardless of what else you’ve done.

    Fortunately, many of the common hacks are obvious even to the non-technical eye. Here is a post from Chaos Laboratory that covers what hacked themes look like.

  3. Always update your WordPress version. Seriously. These days WordPress will, if you tell it to, automatically download and install a new version of itself. It will even tell you when to do this, which is a much better state of affairs than things used to be.

  4. Always make sure your plugins are up to date, because they have also been the source of many security exploits in the past; some plugins, like some themes, are that powerful.

    In fact, WordPress as of version 2.9 provides a very easy way to upgrade multiple plugins at the same time: under “Tools”, click “Upgrade”, and you’ll see a section full of tick boxes. Once you select which plugins to upgrade (usually ticking All) and hit the submit button, your site is automatically taken into maintenance mode (readers see only a maintenance message), all your plugins are upgraded, and the site is taken back out of maintenance mode.

Serials on the Web: Important Wordpress Plugins

If you’ve decided to work with your own Wordpress installation, rather than Wordpress.com, there are some simple plugins and steps it would be wise to take care of.

I’m going to focus on the few plugins you’ll actually need (and that will probably end up in a version of Wordpress some day, but at the moment aren’t). These suggestions tend to be (a) simple and (b) extremely stable. Of the comparable plugins, they are the least likely to break on Wordpress upgrades, because they take a very direct (yet adequate) approach to the jobs they do.

Note: This article isn’t for Wordpress.com users, since Wordpress.com has fixed plugins.

WP-DBManager

This is the simplest and least problematic of the various WordPress backup plugins out there. It’s never gone wrong for me and has never eaten up all the space at my hosting provider, and it always reliably emails me an archive of the backup to GMail, thus giving me a reliably backed up list of archives.1

While WP-DBManager is limited to a backup of the database and doesn’t include your Wordpress files (such as plugin or theme files), the database is nevertheless the most important part to back up: plugins and themes can be downloaded again, but your posts, comments, users and plugin settings exist only in the database. Note that a dump also contains your users’ password hashes and any private or draft posts, so treat the mailbox it lands in as sensitive.

Screenshot: WP-DBManager's Database Menu Location

You’ll find its settings in its own Database menu item (not part of the normal Settings group).

Screenshot: WP-DBManager Database Sub-Menu

You’re most interested in the DB Options sub-menu item.

On the DB Options page, the default Paths settings are probably fine, because most hosting providers put the various executables in standard locations, and the plugin will create the directories it needs.

At the bottom of the DB Options page is the Automatic Scheduling section. You’re most interested in the frequency of automated backups (I suggest: Every 1 days, GZip yes) and the email address to send them to.

Simple Feed Copyright

This results in a copyright notice being added to each entry in your RSS feed. It’s hardcoded to say “Copyright © [current year] [Blog name]”, which is usually enough. It has no options to configure, and pretty much just works.

Secure Wordpress

This will harden your Wordpress installation somewhat, provide you with a few suggestions, and can also add a token for a Wordpress scanner to scan your installation and add even more suggestions, although the latter currently requires you to edit your theme’s header.php.

Its settings are available under the Settings menu, with menu item name “Secure WP”.

Its directions are very clear, which is nice. My suggestions for ticked items are below.

Screenshot: Secure Wordpress Options

Explanations:

Error-Messages

This helps fight brute-force password crackers that rely on error messages to tell whether they’ve gotten in or not, and whether it’s the user name or the password that’s wrong.

WordPress Version

Many Wordpress attacks look for specific Wordpress versions in order to apply their cracking/hacking efficiently. This option hides your Wordpress version by replacing it with a random number; by default, the version of your installation appears both in your blog’s HTML code AND in your RSS feed. “Not in admin” means the version is stripped from the public pages and feed only; the admin screens still show it.

index.php

Hides which plugins you’re specifically using from attackers by blocking the directory listing of your plugins folder. Again, this helps prevent targeted attacks.

Really Simple Discovery

Wordpress inserts extra information, by default, into the HTML of your blog, so that external blogging tools (MarsEdit, Ecto, Windows Live Writer, ScribeFire, etc) can determine your blog type.

If you’re not using these tools, check the box to turn this off. (I use these tools right now, so it’s not off for me.)

Windows Live Writer

Windows Live Writer likes a special link that Wordpress automatically generates, which allows it to know how to access your blog so that it can, for instance, add new posts, edit categories, delete posts, etc.

If you’re not using Windows Live Writer, check the box to turn this off.

Core Update, Plugin Update, Theme Update

For non-admin users, hides these update notices, which are pretty much admin-level features anyway. Really only useful if you have non-admin accounts for some reason.

WP Scanner

Allows you to temporarily add information to your blog, if you edit your theme, so that the wpscan tool has permission to scan your blog and find exploits.

General Headers and Footers

Injects additional HTML into the header and footer of every page of your blog. In other words, it is useful for tracking JavaScript, such as Mint (add to the Header section) or Google Analytics (add to the Footer section). Anything you paste here runs in every visitor’s browser on every page, so paste only scripts from sources you trust.

Once installed, its settings are available under Settings → General Header, even though it does both headers and footers.

WPTouch

With this plugin installed, your iPhone visitors (and, I think, Android) will get a very nice, iPhone-oriented interface to your website. Given that the iPhone can save bookmarks to the Home Screen as app-like items, this more or less eliminates the need for an iPhone app specific to your web serial.2

The options are long, but very simple and illustrated and explained (!) which is something of a rarity in the Wordpress plugin world.

I suggest adding an icon of your own, and selecting particular pages for the iPhone readers to see (they all default to off), and then the rest generally takes care of itself automatically.

While WPTouch is generally very stable, and the plugin authors handle upgrades relatively well for a complex plugin, it’s less stable than the rest. But I think it’s nice enough for a mention as a very-nice-to-have plugin for a web serial.

  1. And with GMail filters, I can just reroute them into a folder and have them skip the inbox, although I like simply seeing them in my inbox and manually archiving them myself, just to make sure that a backup was made at all.
  2. A nasty detail of the iPhone App Store is that it randomly censors applications that can display naughty words. An iPhone-friendly website view, on the other hand, avoids the App Store. This is the main reason why there are so many ebook reading apps in the App Store that are hard-coded for specific books, with words censored as appropriate.

A short note: WP Widget Cache speed up

I cleared out all the widget caches1 and reloaded the page to regenerate them all.

Total load time for the front page, all widgets, and also the WP Widget Cache writing them to disk:

86 queries. 1.314 seconds.

Total load time for the front page and just WP Widget Cache reading the widgets from disk (no individual widget cache has yet expired):

45 queries. 0.191 seconds.

The number of queries has been roughly halved, and the load time cut by far more than that. Sometimes the number of queries and the load time increase a little, because some widget’s cache has expired and it must be regenerated, but otherwise the page just loads quickly.

WP Widget Cache: made of win.

  1. I’d added the new widget from Twitscoop. It’s in an iframe, and thus the executing Javascript inside doesn’t add to the load time of my page. That’s different from straight Javascript widgets, like Google Reader or the Twitter badge; the naked Javascript executes and blocks your page load. In other words, iframes rock with respect to this kind of thing—unless you need the generated HTML to match your theme, in which case, not so much.

Speeding Up Your Wordpress Blog

Speeding Up Your Blog

It’s been annoying me more than usual. I want to keep this theme, because I don’t need to waste time trying to get another one up to speed, and I’m going to be on a shared host for some time to come (thank you, economic downturn).

You might not need to do this (I personally am obsessive). Indeed, it takes some time and knowledge to do some of the more serious items on this list.

General Approach

  1. I killed every plugin I didn’t absolutely need, especially the ones that add more filtering execution time to my posts. They’re usually the ones with special tags/short codes.

  2. I learned how to use page templates and built-in WordPress capabilities to remove more plugins and filtering.

  3. WP Widget Cache is awesome. I can include some of the more expensively queried widgets (blogroll and categories) and automatically achieve caching on my RSS widgets. That cuts the number of queries my front page needs in half while keeping interesting parts around.

  4. Since my RSS widgets are now cached with the WP Widget Cache, I killed every widget containing Javascript, which always hit some service remotely and never cache.

  5. I removed as many plugins as possible that require cron jobs (e.g. regular executions of something or other), especially if they hit my site often (which is how WordPress cron jobs usually work).

  6. I used to have redundant website metrics trackers for my site (they all tell you different things). No more; I’ve settled on Mint.1

Below the cut: stuff I kept, stuff I dropped, detailed reasons why, and replacements if applicable. This list is long, but there are some interesting plugins listed down there.

  1. For people interested in free (and who wouldn’t be) who still want live statistics rather than Google Analytics’ delayed statistics, look into Woopra or WordPress.com Stats (which also works for independent sites).

Using Hierarchical Categories in Wordpress Plugins

Some plugins don’t make the most of the new hierarchical categories in WordPress (well… new since 2.1 anyways). Most plugins that fashion their own SQL queries take only a single level of a category hierarchy into account.

For example, my blog Spontaneous Derivation has this partial category hierarchy under the Fantasy and SF category:

Fantasy and SF [id 1]
+-- Awards     [id 2]
+-- News       [id 3]
+-- Reviews    [id 4]

Most plugins, when asked to work on category 1, will neglect to include the posts under ids 2, 3, and 4; yet all posts in the child categories implicitly belong to the parent category 1.

Here’s how to add hierarchical category support to these plugins, under the cut.
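As an added illustration of the fix (written for this page, not any specific plugin’s code), here is the expansion step in PHP: take the category id => parent id map, collect the category and all of its descendants, and build the query a plugin should run instead of matching the single term_id it was given. The sample hierarchy is constructed from the one above with two extra hypothetical categories, the wp_ table prefix is assumed, and inside WordPress the map would come from get_categories() or you would call get_term_children( $id, 'category' ) directly.

```php
<?php
// Added example, not any particular plugin's code. Given a category id => parent
// id map, return the category plus every descendant, and build the SQL a plugin
// should run instead of matching only the term_id it was handed.
// Assumptions: inside WordPress the map would come from get_categories() (or you
// would call get_term_children( $id, 'category' )); the table prefix is wp_; and
// the sample hierarchy is constructed from the post, plus hypothetical ids 5 and 6.

function sd_descendant_ids( array $parent_of, $root ) {
    $children_of = array();
    foreach ( $parent_of as $id => $parent ) {
        $children_of[ (int) $parent ][] = (int) $id;
    }
    $result = array( (int) $root );
    $queue  = array( (int) $root );
    $seen   = array( (int) $root => true );   // guards against a cyclic/corrupt table
    while ( $queue ) {                          // breadth-first walk down the tree
        $current = array_shift( $queue );
        if ( empty( $children_of[ $current ] ) ) {
            continue;
        }
        foreach ( $children_of[ $current ] as $child ) {
            if ( isset( $seen[ $child ] ) ) {
                continue;
            }
            $seen[ $child ] = true;
            $result[]       = $child;
            $queue[]        = $child;
        }
    }
    sort( $result );
    return $result;
}

// Cast every id to int before interpolating, so the IN list cannot carry injection.
function sd_posts_in_category_sql( array $parent_of, $category_id ) {
    $ids = array_map( 'intval', sd_descendant_ids( $parent_of, $category_id ) );
    $in  = implode( ',', $ids );
    return "SELECT DISTINCT p.ID
FROM wp_posts p
JOIN wp_term_relationships tr ON tr.object_id = p.ID
JOIN wp_term_taxonomy tt ON tt.term_taxonomy_id = tr.term_taxonomy_id
WHERE tt.taxonomy = 'category'
  AND tt.term_id IN ($in)
  AND p.post_type = 'post'
  AND p.post_status = 'publish'";
}

// Constructed sample: the hierarchy from the post, plus two hypothetical categories.
$sd_sample_parent_of = array(
    1 => 0, // Fantasy and SF (top level)
    2 => 1, // Awards
    3 => 1, // News
    4 => 1, // Reviews
    5 => 4, // hypothetical: a grandchild under Reviews
    6 => 0, // hypothetical: an unrelated top-level category
);

if ( PHP_SAPI === 'cli' ) {
    // Expand category 1 and print the query; category 6 is outside that subtree
    // and must not appear, while the grandchild 5 must.
    echo implode( ',', sd_descendant_ids( $sd_sample_parent_of, 1 ) ), "\n";
    echo sd_posts_in_category_sql( $sd_sample_parent_of, 1 ), "\n";
}
```

The walk is iterative rather than recursive and tracks visited ids, so a corrupted wp_term_taxonomy table with a parent loop cannot hang the page. Inside WordPress you would pass the query to $wpdb->get_col() with $wpdb->prefix in place of the literal wp_.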

5 WordPress Plugins That Make Life Easier


Photography: .parker.

Life is short, and blogging takes time.

Say you’re on call (like I am currently). Do you really want to spend your two hours of free internet time a day doing annoying blog odd jobs and maintenance that ought to just be easy, or do you want to spend it doing research and writing? I know what any sane blogger would say.

Here are five WordPress plugins that are giving me more time now, during a couple weeks when I shall be very short on time indeed.

Moving from Beta Blogger to Wordpress, Part 3: Plugins and Little Things

Out of the box, a Wordpress install is missing key features that even Beta Blogger had. Things like comment previews. Tag editing. Being able to redirect your site feed to Feedburner. Little things like that.

You could spend hours trying to find all the right plugins.

To keep you from spending time like I did, so that you can get down to the business of blogging in comfort, here’s my suggested list of:

  • 6 Plugins you need
  • 6 Plugins that show off Wordpress
  • 6 More plugins
