• Secure WordPress - http://digwp.com/u/489
Provides many important security measures, including protection against bad queries and complete removal of sensitive, auto-generated information.
• WP Security Scan - http://digwp.com/u/9
Scans your WordPress installation for known security vulnerabilities and suggests corrective actions. Features include checks of passwords, file permissions, and more.
• WP File Monitor - http://digwp.com/u/487
Scans your WordPress files for malicious code and notifies you with the results. When files are changed, moved, added or removed, this plugin lets you know.
• Ultimate Security Check - http://digwp.com/u/488
Scans for “hundreds of known threats” and grades security performance. Provides a great overview of your site’s security, and it’s incredibly easy to use.
• BlogSecurity’s WPIDS plugin - http://digwp.com/u/8
Detects attacks and blocks them. Each intrusion is clearly visible and an error is displayed, making administration easier than in previous versions.
• AskApache Password Protect - http://digwp.com/u/5
Protects your site by blocking automated attacks, spam, and other nonsense. Helps to secure wp-admin, wp-includes, wp-content, and plugins as well.
• WordPress Firewall - http://digwp.com/u/10
Blocks potential attacks based on a list of potentially suspicious request parameters.
• Login Lockdown - http://digwp.com/u/7
Blocks the IP address of any user with too many failed login attempts. Keep in mind that an IP block also affects everyone else behind the same NAT gateway or proxy.
• Stealth Login - http://digwp.com/u/12
Enables creation of custom URLs for logging in and other administrative tasks. This hides the login form from casual bots, but it is obscurity only and does not replace strong passwords and login throttling.
• Exploit Scanner - http://digwp.com/u/490
Searches your site’s files, plugins, and database for suspicious business.
• Safer Cookies - http://digwp.com/u/13
Prevents unauthorized Admin access by making your cookies IP-specific. Users whose IP address changes mid-session (mobile networks, rotating proxies) will be logged out.
• Block Bad Queries (BBQ) - http://digwp.com/u/492
Blocks excessively long request strings and other bad strings in the request URI.
• InspectorWordpress - http://digwp.com/u/16
Monitors and logs requests to your WordPress-powered site.
SSL Security Plugins
Here are two excellent plugins that secure your site via SSL:
• Force SSL - http://digwp.com/u/17
Establishes secure SSL connections by redirecting HTTP requests to HTTPS.
• Admin SSL - http://digwp.com/u/14
Secures your site’s sensitive areas with private or shared SSL goodness.
Lockdown Collection
Underlined titles indicate plugins used in the DigWP Security Lockdown: http://digwp.com/u/501
9.2.1 Stopping Comment Spam
While we’re discussing security methods, it is important to take a look at different ways to stop comment spam. Comment spam plagues just about every comment-enabled or forum site on the Web, and WordPress-powered sites are no exception. Fortunately, there are many top-notch developers contributing plugins, scripts and strategies to help fight the war against spam. Here are some of the best:
• Akismet - http://digwp.com/u/298
King of anti-spam plugins. Bundled with WordPress. Must-have.
• Defensio - http://digwp.com/u/299
Excellent anti-spam plugin. Great alternative to Akismet. Many features.
• Typepad Antispam - http://digwp.com/u/300
Developed by Six Apart. Reported to work as well as Akismet.
• Bad Behavior - http://digwp.com/u/301
Anti-spam protection plus additional security features.
• Comment Guard Pro - http://digwp.com/u/302
Provides multiple layers of protection against all types of spam.
• Simple Spam Filter Plugin - http://digwp.com/u/303
Captcha-based. Designed to work with existing anti-spam plugins.
• WP-SpamFree - http://digwp.com/u/304
Virtually eliminates automated comment spam. No captchas. No false positives.
• NoSpamNX - http://digwp.com/u/305
Adds extra hidden fields to your comment form to catch bad bots.
• Invisible Defender - http://digwp.com/u/306
Another good way to add hidden fields to your comment form to stop bad bots.
In addition to these incredible plugins, there are a few other helpful tricks that you may want to try. Let’s take a look at some choice techniques in the next few sections of this chapter.
9.2.2 Configuring Your WordPress Admin Options
Configuring your Admin options with the most restrictive comment settings is a much underrated method of reducing and preventing a great deal of comment spam. In the Admin > Settings > Discussion options page, there are several options that enable you to take strong action against spam. The most restrictive option would of course be to simply require moderation of all comments (“Comment must be manually approved”). This would theoretically prevent all spam, since you would be filtering it out manually. This really isn’t an option for sites that feature a lot of comments, so the next most restrictive setting would be to only allow comments from people who have already had a comment approved (“Comment author must have a previously approved comment”). By requiring the commentator to have a previously approved comment, you drastically reduce the chances that a spam comment will appear on your site. Note that WordPress recognizes a returning commenter by the name and email address submitted with the comment, neither of which is verified, so a bot that copies the name and email of an existing approved commenter will pass this check.
9.2.3 Using the Built-In Comment Moderation
Also, under Admin > Settings > Discussion you will find three powerful anti-spam options. The first is a link-filtering option that automatically holds comments in the moderation queue if they contain “x” number of links (the default is two). Since links are frequently the payload of spam comments, moderating any comments containing, say, two or more links is a great strategy.
Anti-Spam Cornucopia
For even more excellent anti-spam plugins for WordPress, check out Chapter 7.6.3.
There is also a large input field (“Comment Moderation”) that may be used to list any words, phrases, or even IP addresses that should cause a comment to be held for moderation. Each entry goes on its own line, and WordPress checks it against the comment’s content, author name, email address, URL, IP address, and user agent.
For example, if you want to moderate any comments containing the phrase “Viagra,” or that come from the IP address 203.0.113.0, you would list both items in that field, one per line.
9.2.4 Using the Built-In Comment Blacklist
And, even better than WordPress’ Comment Moderation is the built-in “Comment Blacklist.” Also located on the Discussion Settings page, the Comment Blacklist works exactly like the moderation list, only instead of being held for moderation, any comment containing a blacklisted phrase is immediately marked as spam and never reaches the moderation queue.
Be mindful when using this technique. Blacklist entries are not regular expressions (WordPress escapes them before matching), but each one is matched as a case-insensitive substring anywhere in the comment’s fields, so an entry that happens to occur inside a legitimate word will dump legitimate comments along with the spam.
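To make the matching behaviour of the moderation and blacklist fields concrete, here is an added example (not code from the book, and not WordPress’ own code) that mirrors the check WordPress performs on each key: trim it, escape it (preg_quote in PHP, re.escape here) and search for it case-insensitively in the comment’s author, email, URL, body, IP and user agent. It also includes a whole-word variant, which WordPress does not offer, to show what a stricter match would change. The field names, keys and comments are constructed for this example.

```python
"""How WordPress comment-moderation and blacklist keys really match.

Added example, not code from the book or from WordPress itself. Each key is
trimmed, escaped (preg_quote in PHP, re.escape here) and searched for as a
case-insensitive substring in the comment's fields. Keys are therefore not
regular expressions, but they do match inside longer words. The whole-word
variant is an alternative for comparison; WordPress does not provide it.
All keys and comments below are constructed for this example.
"""
import re

# Fields the keys are checked against (key names are this example's, not WordPress's).
FIELDS = ("author", "email", "url", "content", "ip", "user_agent")


def key_matches(key, comment, whole_word=False):
    """True if `key` occurs in any field of `comment` the way WordPress tests it.

    whole_word=False reproduces WordPress: literal, case-insensitive substring.
    whole_word=True wraps the key in word boundaries (stricter alternative).
    """
    key = key.strip()
    if not key:
        return False  # blank lines in the settings box are ignored
    literal = re.escape(key)  # metacharacters are matched literally, as preg_quote does
    if whole_word:
        literal = r"\b" + literal + r"\b"
    pattern = re.compile(literal, re.IGNORECASE)
    return any(pattern.search(comment.get(field, "")) for field in FIELDS)


def hits(keys, comment, whole_word=False):
    """Return the keys that would trip moderation/blacklisting for `comment`."""
    return [k for k in keys if key_matches(k, comment, whole_word)]


# Constructed sample keys: two drug names, a fragment of a legitimate word,
# an IP address, and a regex metacharacter sequence to prove it is taken literally.
KEYS = ["viagra", "cialis", "press", "203.0.113.5", ".*"]

# Constructed sample comments.
COMMENTS = {
    "spam": {
        "author": "cheap pills", "email": "bot@example.invalid",
        "url": "http://example.invalid/buy-VIAGRA-now", "content": "Best prices here!",
        "ip": "198.51.100.9", "user_agent": "Mozilla/4.0",
    },
    "legit_doctor": {  # "specialist" contains "cialis"
        "author": "Dana", "email": "dana@example.invalid", "url": "",
        "content": "My specialist recommended a different approach. Great post.",
        "ip": "198.51.100.10", "user_agent": "Mozilla/5.0",
    },
    "legit_fan": {  # "WordPress" contains "press"; 203.0.113.50 starts with 203.0.113.5
        "author": "Sam", "email": "sam@example.invalid", "url": "http://example.invalid/",
        "content": "I love WordPress, thanks for the write-up.",
        "ip": "203.0.113.50", "user_agent": "Mozilla/5.0",
    },
}


def report():
    """Map each comment name to (WordPress-style substring hits, whole-word hits)."""
    return {
        name: (hits(KEYS, c), hits(KEYS, c, whole_word=True))
        for name, c in COMMENTS.items()
    }


if __name__ == "__main__":
    for name, (wp_hits, ww_hits) in report().items():
        print(f"{name:13s} substring={wp_hits}  whole-word={ww_hits}")
```

Run it and the two legitimate comments are caught by the substring rules (“cialis” inside “specialist”, “press” inside “WordPress”, and the IP key matching a neighbouring address that merely shares a prefix), while the literal “.*” key matches nothing because it is escaped. When you add an IP to the blacklist, write the full address; a truncated one silently becomes a prefix match.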
9.2.5 Disabling Comments on Old Posts
Spammers frequently target old posts because they have been indexed in the search engines and have had more time to accumulate page rank. So, as the number of posts in your archives increases, you will inevitably find yourself dealing with lots of spam and other nonsense on older posts.
Careful with that Axe
When configuring your Comment Blacklist, choose phrases that will not appear as parts of “legitimate” words. The matching is plain substring matching, not whole-word matching, so make sure that you aren’t unintentionally trashing any legitimate comments. Fortunately, many drug names are very unique, though not all of them: “cialis” sits inside “specialist.”
An easy solution to this is to simply disable comments on all posts that are older than “x” number of days. For example, digwp.com automatically closes comments after 90 days (this is the “Automatically close comments on articles older than” setting on the same Discussion page).
Any reasonable amount of time should work fine. For more information on manually disabling comments on old posts, refer to Chapter 7.3.7.
9.2.6 Deny Access to No-Referrer Requests
Many spambots target WordPress’ comment script directly, bypassing your comment form entirely. An easy way to circumvent this behavior is to deny all POST requests for the comment script that do not carry a Referer header pointing at your domain, or that arrive with no User-Agent at all. This is another HTAccess trick that we may write like this:
# DENY ACCESS TO NO-REFERRER REQUESTS
<IfModule mod_rewrite.c>
# Harmless if the WordPress permalink rules already enabled the engine
RewriteEngine On
# Only POST requests to the comment-processing script are affected
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php [NC]
# ...and only when the Referer is not your domain OR the User-Agent is empty
RewriteCond %{HTTP_REFERER} !.*digwp\.com [OR,NC]
RewriteCond %{HTTP_USER_AGENT} ^$
# Answer with 403 Forbidden
RewriteRule (.*) - [F,L]
</IfModule>
Edit this code so that the domain name (“digwp”) matches your own. As is, this code will simply deny access to the requested comment script with a 403 Forbidden response. Two caveats before you rely on it: the Referer header is supplied by the client, so any bot that bothers to send a Referer containing your domain walks straight through (the pattern is unanchored, so the domain may appear anywhere in the URL, even in a query string), and legitimate visitors whose browsers or privacy proxies strip the Referer will be blocked too, so watch your access log for 403 responses on wp-comments-post.php from real people. To redirect the spammers instead, replace the RewriteRule with this:
RewriteRule ^(.*)$ http://%{REMOTE_ADDR}/ [R=301,L]
This will bounce the spammers back to where they came from. Nice, but you may prefer to send them someplace else. To do so, simply edit the URL (i.e., the “http://%{REMOTE_ADDR}/” portion) to whatever you wish.
By blocking all requests for the comments-processing script (wp-comments-post.php) that do not claim, via the Referer header, to come from your own comment form (comments.php), you immediately eliminate a large portion of blog spam. For more information on this technique, check out the Perishable Press article at http://digwp.com/u/307
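To see exactly which requests the rule above accepts and rejects, here is an added example (not code from the book or from Apache) that reproduces how mod_rewrite evaluates those conditions: they are ANDed unless flagged [OR], so the rule fires when the method is POST and the URI contains wp-comments-post.php and (the Referer does not contain the domain or the User-Agent is empty). It also evaluates an anchored Referer pattern that the book does not use, to show what the loose pattern lets through. The domain digwp.com is the one printed in the rule; the sample requests are constructed for this example.

```python
"""Emulate the no-referrer rewrite rule against sample requests.

Added example, not code from the book or from Apache. It mirrors mod_rewrite's
condition logic for the .htaccess snippet above:

    method == POST  AND  URI contains wp-comments-post.php
    AND ( Referer does not contain the site domain  OR  User-Agent is empty )

A missing header expands to the empty string, as %{HTTP_REFERER} and
%{HTTP_USER_AGENT} do. The requests below are constructed for this example.
"""
import re

SITE_DOMAIN = "digwp.com"  # the name you edit in the .htaccess rule

# Referer pattern as printed in the book (unanchored, case-insensitive)...
LOOSE_REFERER = re.compile(r".*" + re.escape(SITE_DOMAIN), re.IGNORECASE)
# ...and an anchored alternative that only accepts URLs on the site itself.
STRICT_REFERER = re.compile(r"^https?://(www\.)?" + re.escape(SITE_DOMAIN) + r"/", re.IGNORECASE)


def rule_blocks(req, referer_pattern=LOOSE_REFERER):
    """Return True if the rule would answer this request with 403 Forbidden."""
    # RewriteCond %{REQUEST_METHOD} POST
    if req.get("method", "GET") != "POST":
        return False
    # RewriteCond %{REQUEST_URI} wp-comments-post\.php [NC]
    if not re.search(r"wp-comments-post\.php", req.get("uri", ""), re.IGNORECASE):
        return False
    # RewriteCond %{HTTP_REFERER} !<pattern> [OR,NC]
    referer_foreign = referer_pattern.search(req.get("referer", "")) is None
    # RewriteCond %{HTTP_USER_AGENT} ^$
    ua_empty = req.get("user_agent", "") == ""
    # [OR] joins only these last two conditions.
    return referer_foreign or ua_empty


# Constructed requests, each annotated with what a practitioner should expect.
REQUESTS = {
    "browser_comment": {      # a real visitor submitting the form: passes
        "method": "POST", "uri": "/wp-comments-post.php",
        "referer": "http://digwp.com/2010/03/some-post/", "user_agent": "Mozilla/5.0"},
    "lazy_bot": {             # posts straight to the script with no Referer: blocked
        "method": "POST", "uri": "/wp-comments-post.php",
        "referer": "", "user_agent": "Mozilla/4.0"},
    "blank_ua_bot": {         # plausible Referer but no User-Agent at all: blocked
        "method": "POST", "uri": "/wp-comments-post.php",
        "referer": "http://digwp.com/", "user_agent": ""},
    "spoofing_bot": {         # sets a plausible Referer; the rule cannot tell: passes
        "method": "POST", "uri": "/wp-comments-post.php",
        "referer": "http://www.digwp.com/", "user_agent": "Mozilla/5.0"},
    "domain_in_query_string": {  # loose pattern matches the query string: passes
        "method": "POST", "uri": "/wp-comments-post.php",
        "referer": "http://evil.example/?ref=digwp.com", "user_agent": "Mozilla/5.0"},
    "privacy_browser": {      # legitimate visitor whose browser strips Referer: blocked
        "method": "POST", "uri": "/wp-comments-post.php",
        "referer": "", "user_agent": "Mozilla/5.0"},
    "plain_page_view": {      # GET requests are never touched
        "method": "GET", "uri": "/2010/03/some-post/",
        "referer": "", "user_agent": ""},
}


def evaluate(requests=REQUESTS):
    """Map each request name to (blocked by the book's rule, blocked with anchored Referer)."""
    return {name: (rule_blocks(r), rule_blocks(r, STRICT_REFERER)) for name, r in requests.items()}


if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name:24s} book-rule={'403' if loose else 'pass'}  anchored={'403' if strict else 'pass'}")
```

The spoofing bot and the privacy-conscious visitor are the two cases to keep in mind: the first shows the rule is a filter for lazy bots rather than a control, and the second is the false positive you will see in your logs. The anchored pattern closes only the query-string loophole.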
9.3.1 Monitoring and Fixing Errors
As you set up and run your site, it is a good idea to keep an eye on any errors that pop up. There are several ways to do this, depending on your familiarity with your server logs and how they work. Many hosts provide access to automatically generated server access logs. These are useful for diagnosing patterns relating to spam, broken URLs, and malicious attacks.
Additionally, many servers make available error logs or will automatically generate PHP error files that appear in the root directory of the site. Keeping an eye on these access and error logs is good practice, as it will often enlighten you about broken scripts, plugins, links, and much more. One caution: a PHP error log written into the web root is itself readable over the web unless you block it, and it reveals file paths and plugin names to anyone who finds it.
Especially important is keeping a close eye on 404 Not Found errors. If your site has too many broken links and missing pages, your site’s pages may suffer in the search-engine listings. The bad news is that large sites with thousands of pages are difficult to check by hand in a thorough manner. The good news is that there are several great methods for accomplishing this in an easy, automated way. Let’s examine a few of the best.
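Before reaching for a plugin, the access log itself will tell you which 404s are broken links on your own pages and which are something else. The following is an added example (not code from the book) that reads lines in Apache’s “combined” log format and separates the two: a 404 whose Referer is one of your own pages is a link you can fix, while a client that collects 404s across several distinct paths with no Referer from your site looks like a scanner probing for admin tools. The site name example.com, the log lines and the threshold of three distinct paths are all constructed for this example.

```python
"""Find broken internal links and probing clients in an Apache access log.

Added example, not code from the book. Parses Apache "combined" log lines and
reports (a) 404s linked from our own pages and (b) clients that hit several
distinct non-existent paths with no Referer from our site. The domain, the log
lines and the threshold are constructed for this example.
"""
import re
from collections import defaultdict

SITE_DOMAIN = "example.com"  # assumed site name; compared against the Referer host

# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one visitor following a stale image link, two visitors
# hitting a removed download, one client walking through admin-tool paths, and
# a harmless missing favicon.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:08:12:01 +0000] "GET /2009/10/old-post/ HTTP/1.1" 200 5123 "http://www.google.com/search?q=wordpress" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2010:08:12:02 +0000] "GET /images/banner-old.png HTTP/1.1" 404 211 "http://example.com/2009/10/old-post/" "Mozilla/5.0"
203.0.113.8 - - [10/Mar/2010:08:14:30 +0000] "GET /downloads/theme-v1.zip HTTP/1.1" 404 211 "http://example.com/themes/" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2010:08:15:10 +0000] "GET /downloads/theme-v1.zip HTTP/1.1" 404 211 "http://example.com/themes/" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2010:08:20:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 211 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Mar/2010:08:20:02 +0000] "GET /admin/ HTTP/1.1" 404 211 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Mar/2010:08:20:03 +0000] "GET /wp-content/plugins/old-plugin/readme.txt HTTP/1.1" 404 211 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Mar/2010:08:20:04 +0000] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/4.0"
198.51.100.44 - - [10/Mar/2010:08:25:00 +0000] "GET /favicon.ico HTTP/1.1" 404 211 "-" "Mozilla/5.0"
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def is_internal_referer(referer, domain=SITE_DOMAIN):
    """True when the Referer is a page on our own site (scheme-agnostic, www optional)."""
    return re.match(r"^https?://(www\.)?" + re.escape(domain) + r"(/|$)", referer, re.IGNORECASE) is not None


def broken_internal_links(entries, domain=SITE_DOMAIN):
    """Map (missing path, referring page) -> hit count for 404s linked from our own pages."""
    counts = defaultdict(int)
    for e in entries:
        if e["status"] == 404 and is_internal_referer(e["referer"], domain):
            counts[(e["path"], e["referer"])] += 1
    return dict(counts)


def probing_clients(entries, min_distinct_paths=3, domain=SITE_DOMAIN):
    """Map client IP -> sorted distinct 404 paths for clients that look like scanners."""
    paths_by_ip = defaultdict(set)
    for e in entries:
        if e["status"] == 404 and not is_internal_referer(e["referer"], domain):
            paths_by_ip[e["ip"]].add(e["path"])
    return {ip: sorted(p) for ip, p in paths_by_ip.items() if len(p) >= min_distinct_paths}


def analyze(log_text=SAMPLE_LOG):
    """Run both reports over a log and return them together with the parsed line count."""
    entries = list(parse(log_text))
    return {
        "parsed": len(entries),
        "broken_internal_links": broken_internal_links(entries),
        "probing_clients": probing_clients(entries),
    }


if __name__ == "__main__":
    result = analyze()
    print(f"parsed {result['parsed']} lines")
    for (path, ref), n in sorted(result["broken_internal_links"].items()):
        print(f"broken link: {path} (linked from {ref}, {n} hits)")
    for ip, paths in result["probing_clients"].items():
        print(f"probing client: {ip} -> {', '.join(paths)}")
```

Point it at a real log by passing the file contents to analyze(). The Referer test is anchored on the host so that a page on example.com.evil.example does not count as internal.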
9.3.2 Alex King’s 404 Notifier Plugin
Alex King’s 404 Notifier is an excellent plugin by one of the top WordPress developers. It logs all 404 Not Found errors with the option of automatically notifying the site owner of each 404 incident via email or RSS. Requires permalinks to be enabled. Check it out at http://digwp.com/u/309
9.3.3 Broken Link Checker Plugin
Keeping an eye on your site’s links can be a seriously daunting task, especially as your site continues to grow in size and complexity. Over time, your outgoing links may break or end up pointing to something unintended. Good, solid links are the cornerstone of the Web; broken links fail to help your visitors and may cause the search engines to consider your page or site less favorably, especially if many broken links are present.
To prevent this scenario, there is an awesome plugin called Broken Link Checker (http://digwp.com/u/310) that monitors your site and helps you manage broken links. Once installed, Broken Link Checker works quietly in the background, testing your links and reporting any that are broken or redirected. The plugin monitors all parts of your site, including custom fields (optional). It also detects missing images. Link-checking intervals are completely configurable, and there are options for handling broken links, including unlinking, editing, and deleting. Truly an awesome plugin.
The one shortcoming of using an automated method for checking your links, however, is the case where a linked page has been changed or redirected to include undesirable content (an expired domain picked up by someone else is the usual way this happens). Because the link resolves to a working page, it will be assumed valid and thus will not be included in the broken-link report. Beyond this scenario, automating the process of checking broken links can be a tremendous help.
9.3.4 Other Error-Logging Techniques
Logging errors and activities for your site is critical for better control over your website. Here are some plugins that can help get the job done:
• WordPress to Syslog (WPsyslog2) - http://digwp.com/u/311
WPsyslog2 is a global logging plugin that tracks all system events and logs them to syslog for your analytical use. Tracks new posts, new profiles, new users, failed logins, successful logins, logouts, and much more.
• Mod_Security - http://digwp.com/u/312
An open-source web-application firewall for Apache that logs activity and protects your site in real time.
• Post Logger plugin - http://digwp.com/u/313
Reveals the intimate details of the $_POST variable for each request, enabling you to keep a better eye on what’s happening behind the scenes with your comments. A raw log of POST data captures whatever visitors submit, so keep it outside the web root and prune it regularly.
• TTC WordPress Tripwire Tool - http://digwp.com/u/314
Provides you with a list of all files changed on your WordPress site within the specified period of time.
• Sucuri - http://digwp.com/u/315
Sucuri is an online network monitoring service that notifies you immediately after changes have been made to your website, DNS records, WHOIS information, SSL certificate, or blacklist status.
9.3.5 Online Monitoring Services
An important part of developing and running a successful, well-optimized site is making sure it is always available to your visitors. In a perfect world, your site’s uptime would be 100%. But thanks to server issues, software conflicts, malicious scripts, and cracker exploits, it is virtually inevitable that your site will go down from time to time.
While you can’t prevent periods of unexpected downtime, you can increase your ability to respond in a timely manner by using an online monitoring service. Monitoring services basically keep an eye on your site and notify you when it becomes unavailable. There are many monitoring services available, both free and otherwise, each with its own way of tracking your site and reporting statistics.
Here are some of the best:
• Are My Sites Up? - http://digwp.com/u/316
Fast, easy, and reliable site monitoring service that provides free monitoring of up to five sites 25 times per day. Premium service also available with tons more features. iPhone application available. Highly recommended :)
• Pingdom - http://digwp.com/u/317
Provides email and SMS alerts when your site is unavailable. Monitors uptime and overall performance.
• Mon.itor.us - http://digwp.com/u/318
Free website monitoring service with email alerting. Provides uptime and response-time reports. Alert formats include email, IM, SMS, and RSS.
• Montastic - http://digwp.com/u/319
Free monitoring service with email and RSS alerts. Monitors up to 100 URLs every 10 minutes. Notifies you when your site’s availability has been restored.
• Service Uptime - http://digwp.com/u/320
Free monitoring for one URL at 30-minute intervals. Alerts sent via email or SMS. Uptime reports available.
Get Automatic Upgrade Emails
The alert messages provided in the WordPress Admin are great, but they don’t work if you never log in to your website’s admin area. Fortunately, the Update Notifier plugin (http://digwp.com/u/329) takes care of this by sending you daily email notices whenever new versions are available. This makes it easy to keep an eye on large numbers of sites without having to log in or subscribe to any RSS feeds. Simply install and forget about it. As soon as it’s time for action, you’ll get an email letting you know.
• Site Uptime - http://digwp.com/u/321
Free monitoring for one URL at 30-minute intervals. Premium services include shorter monitoring intervals and more reporting features.
• BasicState - http://digwp.com/u/322
Free website uptime monitoring service that checks unlimited sites every 15 minutes. Provides instant trouble alerts by email or SMS. Recommended.
• Site 24X7 - http://digwp.com/u/323
Free monitoring for two URLs at 60-minute intervals. Monitors your site from multiple geographical locations. Alerts via email and SMS.
• Binary Canary - http://digwp.com/u/324
Free website and device monitoring featuring 15-minute intervals for up to five URLs. Supports both HTTP and HTTPS. Paid accounts include 1-minute monitoring of nearly any device.
• Dotcom-Monitor - http://digwp.com/u/325
Robust monitoring featuring multiple users, user permissions, data reports, and user-specific alerts.
• Webmetrics GlobalWatch - http://digwp.com/u/326
Monitors websites, applications, and services. Diagnoses downtime and provides performance reports and flexible alerts. Supports Flash, Java, and Ajax.
And that’s just the tip of the iceberg! For a huge list of server monitoring services and website monitoring software, check out this valuable resource: http://digwp.com/u/327
9.4.1 Staying Current with WordPress
Of course, one of the best ways to keep your site secure is to stay current with WordPress. While working in the WordPress Admin, keep an eye out for any alert messages informing you of available updates, either for the WordPress core or for individual plugins.
Staying current with the latest versions of WordPress ensures that your site receives