Archive for the ‘wordpress.ord’ tag
For anyone who is considering starting your very own WordPress site, make sure you read up, research and get your crap together. This isn’t for novices. For those who have visited — or tried to visit — this site in the last week or so, probably have a hunch the site was compromised. You would be right. It was apparently compromised months ago, but not until recently, did it raise much ire with Google. But when it did, the gauntlet was thrown down. Due to malicious code somewhere in the main directory (my guess is a subdirectory that didn’t even involve WordPress), Google red-flagged my site and Safari and Firefox prevented anyone from visiting the site without first displaying a “malware” warning. This, of course, was of no use to me and inhibited folks from enjoying (or not) the opinions that were forthcoming, for I had no clue what was wrong,as I manually sifted through a gazillion lines of code in my directory.
So, with that said, here are the steps I took to correct similar problems you may encounter with your WordPress, after much wrangling and hair-pulling on my part.
- First, get your crap together. If you know nothing about Web design, PHP, viruses, hosting, Web site security, databases and the like, this isn’t for you. Visit wordpress.com and set up a free blog without the hassle. If you like a good challenge, by all means, proceed.
- Obviously, wordpress.org has all you need to get up and running. Well, you will need a Web server through a host, but I’m assuming you know this (See step 1).
- Before anything else, make sure your local machine is virus and malware free. Second, make sure you are dealing with a reputable host. I use ixwebhosting and they seem pretty solid to me. My maladies were probably totally self-induced, so I don’t blame them at all for the compromises I experienced. Unlike godaddy.com, ixwebhosting has a toll-free number and even a 24/7 live chat, which I have personally found to be very helpful and convenient. I would not recommend godaddy.com, as their customer service is lacking and transferring domains away from them is like pulling teeth (Just my experience). Not to mention the long distance calls and no 24/7 live chat for customer service.
- After uploading the files and setting up the database, etc, go get the AskApache Password Protect plugin and lock that crap up tighter than a drum. Also, make sure your file permissions are at 644 and your folders at 755. Be careful with the AskApache. Some of the settings could make your blog inaccessible. If this happens, delete the .htaccess file the plugin creates in both the root and the wp-admin directory. Try to remember which setting screwed you up and work around it.
- Don’t name your database table prefixes “wp_anything.” Change the prefix to hy_ or pq_ or whatever. Just something other than wp_
- Make your user name something other than admin. This is easily guessable by someone attempting to get into your site. Change the user name to something else AND I would suggest making your password the most convoluted series of letters and characters one could imagine. WordPress has a tool that can generate one for you. That’s cool, but you should probably change it every month or two. I previously didn’t use one of these generated passwords because I couldn’t remember them, but now, I simply cut and paste it. I have them saved in an e-mail folder and just pull them up when I want to log in and post. Also, AskApache has a second layer of protection for your blog, which includes an additional password just to access the wp-admin page. Use this too with the cut and paste deal.
- Once you are up and running, I would suggest not putting anything in your WordPress directory other than the actual files needed to run the site. For instance, I had a subfolder in my WordPress blog that I found was causing problems. It’s not recommended putting anything else in the WordPress folder unless you are well-adept at securing those as well.
- Backup your files often. I try to backup my entire database AND the WordPress site, using the internal WordPress “Export” tool. It’s possible that your database itself could be hacked, so at the bare minimum, use the WordPress Export to make sure you have backups of your posts and, worse comes to worse, if the database gets hacked, you can create a new one and point WordPress to it.
- Use Askimet, Spam-Free and other common plugins to keep the gunk out of your trunk.
- I know some spend hours and hours tweaking and customizing their templates. Cool, indeed. But this can get wrecked as well. Save ”clean” templates on your harddrive whenever you can, so if something screwy happens, you can simply open the header.php, sidebar.php or stlye.css files and cut and paste the pieces of code you customized. Templates can be compromised, so I wouldn’t assume these files were safe. Make backups, and if things go haywire, check your local files against the files on the server and cut and paste as needed.
Again, this is a bunch of stuff, but maintaining a WordPress site is not for the weak at heart, and I’ve learned this the hard way. If you don’t want to bother with it, just check out wordpress.com and you can have a blog in minutes. But if you like the customization level, at all levels, that running your own WordPress site offers, go for it!