
"If we were to wake up some morning and find that everyone was the same race, creed and color, we would find some other cause for prejudice by noon."
George Aiken

Sam Devol

Running with Scissors


6 simple steps to hardening WordPress

Posted in September 16th, 2007
Published in Computers, Things, WordPress

There are some basic steps you can take to help limit your exposure to malicious behavior directed at your WordPress blog. My intention with this article is not to make your website bullet-proof (if such a thing exists) but to cover the most common exploits/weaknesses. File and directory permissions have been discussed elsewhere but I’ll post a reminder about the basic rule-of-thumb: Set files to 644 and directories to 755. If you have to use less secure settings (for /wp-content/uploads/ for example) you don’t have a good host.

Failure to do the following doesn’t mean your blog will be hacked, it just means it’s more likely. So here we go:
..Cover your privates (or: “Nice knickers there!”)…

  1. Delete the unnecessary files /wp-admin/install.php and /wp-admin/upgrade.php (once you are finished with the installation or upgrade these files are not needed, and they will be replaced with your next install/upgrade).
  2. Delete the default post and comment (they advertise “New Blog! Come SPAM me!”).
  3. Make it harder to reveal your SQL login info and help prevent users browsing where they shouldn’t: in your root directory (where wp-config.php resides) make sure there is a .htaccess file containing the following (it turns off FTP-style browsing, recognizes only index.php and index.html as legitimate index files, and doesn’t allow ANY remote access to wp-config.php):
    Options -Indexes
    DirectoryIndex index.php index.html
    # Deny all remote access to wp-config.php (Apache 2.2 syntax; on 2.4 use "Require all denied")
    <Files wp-config.php>
    Order Deny,Allow
    Deny from all
    </Files>
  4. Change permissions for wp-config.php to 600 (equivalent to rw-------) if possible (one of the few exceptions to the standard 644 rule).
  5. Prevent browsing of directories not covered by WordPress: drop an empty (0-byte) file named index.html in /wp-content/plugins/ or /wp-content/uploads/, for example (the reason we use .html instead of .php is that if PHP breaks on the server we’re still covered at the HTTP level).
  6. For SPAM prevention, activate Akismet (comes with WordPress; Akismet is great at weeding out spam comments) and install/activate Bad Behavior (Bad Behavior stops a lot of spam/malicious activity before it ever hits your site). These two plugins are the minimum in spam prevention in my opinion, but feel free to experiment on your own.
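
An added example, not part of the original post: a read-only shell function that checks a WordPress root against the file-level steps above (1, 3, 4, 5 and the 644/755 rule of thumb). The name `wp_audit` and the finding messages are made up for this illustration; steps 2 and 6 live in the database and admin panel and are not checked.

```shell
#!/bin/sh
# wp_audit ROOT: print one line per deviation from the file-level steps above
# and return the number of findings (0 = every check passed). Changes nothing.
# Illustrative helper, not part of WordPress.  Usage: wp_audit /path/to/wordpress
wp_audit() {
    root=$1
    n=0
    note() { echo "FINDING: $*"; n=$((n + 1)); }

    # Step 1: installer/upgrade scripts left behind
    for f in install.php upgrade.php; do
        [ -e "$root/wp-admin/$f" ] && note "wp-admin/$f still present"
    done

    # Step 3: .htaccess turns off listings and blocks wp-config.php
    ht="$root/.htaccess"
    if [ -f "$ht" ]; then
        grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$ht" ||
            note ".htaccess lacks Options -Indexes"
        grep -Eiq '<Files[[:space:]]+"?wp-config\.php"?>' "$ht" ||
            note ".htaccess has no <Files wp-config.php> block"
    else
        note "no .htaccess in $root"
    fi

    # Step 4: wp-config.php should be exactly mode 600
    [ -n "$(find "$root/wp-config.php" -prune ! -perm 600 2>/dev/null)" ] &&
        note "wp-config.php is not mode 600"

    # Step 5: empty index.html in directories WordPress does not cover
    for d in wp-content/plugins wp-content/uploads; do
        [ -d "$root/$d" ] && [ ! -e "$root/$d/index.html" ] &&
            note "$d has no index.html"
    done

    # Rule of thumb: nothing looser than 644 (files) or 755 (directories)
    loose=$(($(find "$root" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) | wc -l)))
    [ "$loose" -gt 0 ] && note "$loose path(s) are group- or world-writable"

    return "$n"
}
```

The return value doubles as an exit status, so a cron job or deploy script can fail when any finding appears.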

Other considerations for security are your choice in a host. I recommend a professional:
Site5 $5 Hosting Deal

As always: Feedback welcome!

Display posts ticker-style in WordPress with Zazz

Posted in September 12th, 2007
Published in Computers, Things, WordPress

I was thinking about a way to showcase older posts and happened across the Zazz Post Ticker plugin by Stew Houston.

I thought “Here we go, another chance for me to totally bork my blog with some unknown piece of code…” So I picked up the scissors and blah-blah-blah (you get the idea).

I took a quick look at the instructions (note that for historical purposes) and I didn’t see where I had to re-write my server’s kernel or edit core WordPress components and figured “wot the ‘ell”.

The good points: Easy to install, light-weight and does exactly what it’s supposed to do right out of the box (and that’s with WordPress 2.3-beta3). It’s easy to configure (though it does require editing the zazz-post-ticker.php file, it’s a simple, straight-forward edit), it doesn’t use tables (thank you, I’ve puked enough this week) and the CSS is not convoluted! It allows for changing the duration before fading, the number of posts and even allows for an offset (seems redundant to me to display post information that’s displayed an inch lower on the page so I liked this feature).

The bad point (singular, mind you): The javascript isn’t wrapped so it isn’t valid. But here’s a quick fix:

Open up zazz-post-ticker.php and go to line 30, it should look like this:
echo "<script type=\"text/javascript\">\n";

Create a new line under that one and insert:
echo "//<![CDATA[\n";

And right before line 139 which reads:
echo "</script>\n";

Add:
echo "//]]>\n";

Now you have a light-weight, easy to install/configure post ticker for WordPress that validates as well!

Feedback welcome.

Note: As of 10/29/08 it appears the author’s site is down, here is the v1.1 file: Zazz Post Ticker

missunderstood theme — Big update

Posted in September 1st, 2007

Just released the new version (0.94) of the missunderstood theme. Some major changes, lots of clean-up, added functionality:

  • Built-in Optimal Title (for SEO)
  • Built-in slimbox (faster, lighter Lightbox effect)
  • Separate lists for comments and trackbacks
  • Fancier blockquotes
  • Built-in pullquotes
  • Prettier search box
  • Code-block style with numbers and zebra striping

A lot of generous people have brought my attention to problems with the earlier releases of missunderstood, and I’ve tried to go through everything with a fine-tooth comb. I tested this version in Firefox, Internet Explorer 6 and 7 as well as Opera. It is valid XHTML strict when used in a modern browser (read: anything other than Internet Explorer and that’s only because M$ couldn’t give a damn).

Original post with more info is here. See a live demo here. Missunderstood has a Support Forum, and it can be downloaded from the original post or directly from here.

Feedback always appreciated…

Integrate PunBB into your WordPress site

Posted in August 28th, 2007
Published in Computers, Things, WordPress

The info in this post is pretty old but I’m leaving it here for reference, regardless…

I wanted to add a forum to my WordPress blog but everything I came across did not integrate well (design/page continuity, etc.) or was too simple for my tastes… Then I came across a tutorial here (there are a few around, that’s just the one I tripped across). Following the tutorial I had a somewhat more integrated forum…
…where the blood-splatter of our butchery won’t stain anything…
With the lessons learned and the release of PunBB 1.2.15 I decided to see if I could do a better job. Since the first install/integration I had added a css-based navigation menu and some random quotes which did not display when my banner/header was displayed above the PunBB forum.

Annoyed, I picked up the scissors and started running….
Continue reading this post…

Corporate Slave theme — Big update

Posted in August 20th, 2007

Version .95 is out now, with a lot of tweaks done over several months…

Incorporated some plugins into functions.php for convenience:

  • Optimal Title
  • Hot Dates
  • removed ‘sociable’
  • Slimbox

Added the Top Post functionality (for a full-width ‘featured’ post). Top Post takes the latest post in a category (category set in the themes options under Presentation), displays it at the top (full-width) and makes sure it is not repeated in either column below.

This theme comes with Slimbox, a lightweight/fast image display system like lightbox. It’s built into Corporate Slave, so there shouldn’t be any need for configuration. It’s automagical, works with any thumbnail-with-link-to-fullimage.

See it in action here.

Original post with much more information. Download there or directly from here: Corporate Slave Theme v0.95

Support Forum for the Corporate Slave Theme is here.

www. Preference and samdevol.com

Posted in August 20th, 2007
Published in Computers, Things, WordPress

Since domains are often indexed differently (with and without the www prefix), I’m jumping on the no-www bandwagon. For more info visit No-www.org

Ease of use with WordPress influenced me to use Mark Jaquith’s Enforce www. Preference plugin (which works for ‘enforcing’ either a www or no-www preference).

About Me widget for WordPress – v1.0 (TinyMCE)

Posted in August 14th, 2007

When I first started a WordPress blog I wanted to add some personal identification to the front page in an effort to promote validity/identity/what-evah. ‘Widgets’ were somewhat new to WP so I thought this was the approach for me. I ended up with a minor struggle using a text widget and got what I wanted.
…my head finally popped out of my sphincter and…
Then masochism got the better of me and in an attempt to self-flagellate I made an About Me widget. My approach was simple; Enter the URL of an image, a blurb about your self/site and a link or two. It worked simply too: On simply about 70% of themes/sites ;’) The problem was that a lot of themes do some pretty screwy stuff and some web hosts are picky about any file/image handling.

So I began a journey that started with meditation… Once I felt loose and unencumbered by the stress of day to day life I asked my Creator: “Are you familiar with WordPress?”
Continue reading this post…

No new Hesk integration tutorials

Posted in July 16th, 2007
Published in Computers, Things, WordPress

I added a ‘Help Desk’ tech support ‘ticket’ system some time ago (Hesk v0.93.1) and wrote a tutorial for it here.

I don’t use it and haven’t had time to update to the latest version of Hesk (latest version of Hesk doesn’t play well with my tutorial), and I may not update it, might even drop it. Seems the forums here are more effective, and my paying customers seem to “damn-sure” want to deal directly with me rather than some ticket system…

So, no new tutorial for Hesk integration…

My boss is an a**hole

Posted in July 15th, 2007
Published in Computers, Things, WordPress

I am self-employed, but he’s such a jerk I’ve kinda been on strike for 6 months. I’ve still been trying to keep up on forum/support questions, but no new posts.

Had to move, as well. Really move, like furniture and stuff.

Updated back-end to WordPress 2.2.1. Been away from the About Me widget for so long I’ll have to re-introduce myself (it’s for WordPress, right? ;’).

Integrating a Help Desk into WordPress in 15 minutes or less

Posted in December 1st, 2006
Published in WordPress

I had an interest in adding a Help Desk to my site where clients could submit ‘tickets’ that would be tracked (and stored in a MySQL database, preferably alongside my current WordPress one) and when changed/updated both the client and I would be notified via email…

I had noticed a reference to Hesk (v0.93.1) in my journeys around the WP support forums, so I took a look and decided it was small and simple, which is what I needed.

Installing Hesk was simple. I chose to install it to /wp-content/hesk, then added a link to my ‘Links’ (or ‘Blogroll’ depending on what version of WP you have). Follow the directions and Boom: Functioning Help Desk.

However, it looked like you had been transported to another world. A world without art, design or beauty. A hellish world void of desirable women (or handsome men, if that blows your skirt up). So, I picked up some scissors, and started running
Continue reading this post…

About The Site


Observations of a Troubleshooting Monkey and

ex IT Director

ex Digital Video Director

ex Missile Mechanic

ex Motorcycle Mechanic
