Category: CMS APP

First WordPress Baltimore Meetup

We held our first Baltimore WordPress Meetup last night at the Beehive in Canton. Here are some notes on the conversation.

Plugins:
Margie shared http://www.wordpress-tips.org, and demoed security plugins mentioned during Brad Williams’ WordCamp MidAtlantic presentation
ServerBuddy – http://wordpress.org/extend/plugins/serverbuddy-by-pluginbuddy/
WP Security Scan – http://wordpress.org/extend/plugins/wp-security-scan/
WP-MalWatch – http://wordpress.org/extend/plugins/wp-malwatch/
WordPress Exploit Scanner – http://wordpress.org/extend/plugins/exploit-scanner/
WordPress File Monitor – http://wordpress.org/extend/plugins/wordpress-file-monitor/

Matt demoed W3TC, which is different from, and more configurable than, the more commonly known WP Super Cache.

We discussed PODS, Custom Post Type UI, and GD Custom Posts and Taxonomy tools. We’ll probably discuss these in further detail at a future meetup.

Jim mentioned three useful plugins, one for events, one for data uploads, and one for helping to troubleshoot .htaccess and permalinks. We’ll look into finding the names of these.
Will mentioned his two websites, murallocator.org, and geoill.com. He’s using a customized version of the GeoMashup plugin for his mural locator. The app clusters points of interest for a zoomed-out view.
Matt mentioned a number of cool projects he’s working on, including presswp.com, and wpmodguide.com
Jason has an interesting game-based captcha alternative plugin in the works.
Gordon is developing a site for the Geek cycling community, bikebmore.com

Troubleshooting:
1. We tossed around several approaches to help Thor with an HTML issue. One was the Raw HTML plugin, another was similar code found on wpmodguide.com for functions.php
2. Will wants to upgrade hosts. Thor mentioned that he’s pleased with a2hosting.com
3. Margie mentioned issues on her new server with permalinks.

UPDATE: Permalinks now work on this site. I needed to run the following two commands on my server:

a2enmod rewrite
/etc/init.d/apache2 restart
(4. Related: Once we can troubleshoot weird timezone post-duplication issues with the p2 theme, we’ll make this site, wordpress-tips.org available to all members of the Baltimore WordPress community.)

Planning:
Audrey, Amanda and Thor are particularly interested in theming
Rich might present on marketing
Jim has an idea for a presentation next month, announcement to follow. He’d like to conduct a WordCamp for the Baltimore area next year.
We’ve invited core team member Andrew Nacin to present.
Other future topics include blogging, widgets, and custom content types

I catered the meetup, with East Indian Curry Lentil Stew, and baked apples with ginger and cashews.
(My catering career will be enhanced, when the propane container doesn’t somehow fall out of the box before arrival. Cold soup was enjoyed by all, okay, some! The apples were organic, and delicious.)

To join the meetup, visit http://www.meetup.com/The-Baltimore-WordPress-Group/

WordPress Security: A Basic Overview

WordPress Security is something that should be concentrated on during the entire life of your blog, not just when you install WordPress.  WordPress is in a constant state of evolution, being updated on a regular basis, and so are WordPress plugins.  These changes can increase your WordPress security levels, or decrease them if you are not careful.  The primary reason for an update, whether it be for WordPress itself or one of its plugins, is that vulnerabilities are discovered, and if you continue to use the older versions of WordPress, or your plugins, you decrease your WordPress security, and open your WordPress blog up to possible attacks.

A WordPress upgrade meant to patch a vulnerability in WordPress security does you no good if you do not take advantage of that upgrade.  Worse, if you do not upgrade, you can possibly create a larger problem, as you are leaving your blog open to the very vulnerability that the upgrade was meant to patch.  Since WordPress documents in their change log why they are doing the upgrade, you are now running a blog with a publicly documented vulnerability; a roadmap to possibly compromise your blog. When it comes to WordPress security, there are several basic fields that the topic can be broken down into.  We will cover these basic broad categories, and point you to some additional resources on the site so that you can do further reading.  If you have any questions at all, please feel free to leave us a comment, use our contact form, or drop us a line at security at wordpresspinterestplugin.com.

WordPress Security: Basic Topics

  1. WordPress Installation
  2. WordPress Database Security
  3. WordPress File Security and WordPress Directory Security
  4. WordPress Information Security
  5. WordPress Security Maintenance and WordPress Security Upkeep

WordPress Security: WordPress Installation

As with the installation of any script that you do on your hosting account or server, there are a number of items that can be done at installation time to increase WordPress security.  These items range anywhere from simple things like picking a strong password for your administrator account, to changing file permissions on vital files, to moving files out of web accessible locations.  All of these can assist with WordPress security.  Remember that WordPress security begins with the initial foundation that you lay during your installation.  In addition, especially with WordPress, it can be difficult to return to these foundational steps once you have your blog installed.  WordPress security begins with your installation, and we have a number of articles on WordPress installation to help you with this.

The database is the heart and soul of your blog, and a good place to look to when you are concerned with WordPress security.  All of your posts, tags, categories, and anything else that is related to your personalized blog is stored in your database.  Without the database, WordPress has no way to store any of the information that you put into it, and as such, should be a prime target for your WordPress security efforts.

WordPress Security: Backing Up Your WordPress Database

WordPress security when it comes to your database can be as simple as backing up your database, and as advanced as changing the structure of the database to make it harder for hackers to make database injection attempts against it.  Most hosting companies nowadays do regular backups of your hosting account, but you should never, ever rely on a backup made by your hosting company.  Not only do most hosting companies’ Terms of Service state that these are courtesy backups, and should not be relied on, when it comes to WordPress Security, you should be taking matters into your own hands.  Regular database backups are vital to a WordPress security plan.  We cover a number of methods for this in our articles on WordPress database backups.

Controlling access to vital files is an important part of WordPress security.  Just like a database is the central repository of all information for your blog, the files are the very engine that makes your blog function properly.  Files like your wp-config.php file contain information that is central to WordPress security, and if breached, can have effects from your blog simply going offline with an error, all the way to your blog being completely defaced and destroyed by a hacker.  WordPress file security ranges from simply changing file permissions to moving files out of web accessible locations.  In our WordPress file security section, we discuss several methods for accomplishing this important facet of WordPress security.

WordPress Security: WordPress File Security

Whether you know it or not, your blog is sending out information that could possibly compromise your WordPress security and the safety of your blog.  Do you know that WordPress, with its default settings, sends out the version of WordPress that you are running every time it generates a page?  If a WordPress security update has been released, and for whatever reason you have not upgraded yet, a hacker looking to penetrate your blog will know that you are running an older, vulnerable version of WordPress.  Let us help you patch some of those WordPress security holes with our articles on WordPress security.

WordPress Security: Reducing Public Information

The final step to a good WordPress security plan is regular maintenance.  When you first install your blog, even following all of our tips, your blog could become vulnerable without regular maintenance.  Would you run your car for a year without performing basic maintenance on it and expect it to be in tip top shape at the end of that time?  The same rules apply to your blog.  Doing regular maintenance on your blog such as backing up your WordPress database, keeping your WordPress installation up to date, and more will keep your WordPress security at the top of its game.

 

Change Your Default WordPress Database Prefix

A solid WordPress security practice is to change the prefix of the WordPress database tables when you are installing WordPress.  The goal here is that WordPress security is heightened by changing the default WordPress database table prefix from wp_ to something different.  This changes the default WordPress database table names, and helps to block those hackers seeking to penetrate WordPress security by performing database injection attempts.

For example, a hacker has decided that he is going to deface your corporate blog, and will know that your user table should be wp_users, but if you have changed the database prefix from wp_ to perhaps four_ then the injection attempt against wp_users will automatically fail, as that table does not exist.  Your hacker does not know this, just that his attempt failed, and your WordPress security is intact.  The hacker is none the wiser, and may move on to easier hunting grounds.

Changing the prefix to your WordPress database tables during the installation of your blog is simple.  The installation process will ask you not only for the database name, user, and password, but also the database prefix that you wish to use for your tables.  To increase WordPress Security, simply alter the default database prefix “wp_” to something else.  This prefix can be anything, such as a shortened version of your blog name, or something completely random.  Many times, when I am installing a blog, I will use a prefix like “greengrass_” or something else completely unrelated to the blog.  This increases WordPress security even more.

WordPress Security: Changing Your Database Prefix During an Install.

Changing the Default WordPress Database Prefix After Installing WordPress

Now you may be asking, “What if I have already installed my blog?  Can I change the prefix of my WordPress database now to increase my WordPress security?”  Yes, even though this is a bit more difficult than doing it when you first set your blog up, it is quite possible to make this change after your blog is installed.  To do this WordPress security upgrade, you are going to need to set aside approximately 10 minutes to make the changes.  During this period of time, your blog is going to be down, so you may wish to put up a maintenance page until you are through.

1. As always, before making any type of changes to your WordPress database, you should do a database backup.  The method to actually back your database up is going to vary from hosting company to hosting company, and from control panel to control panel, therefore, I do not intend to cover those specifics here.

2. Next, in your wp-config.php file, you are going to edit your database prefix from “wp_” to something more secure.  The line to actually edit is line 65, and will read $table_prefix  = 'wp_';.  You can change this to an abbreviated form of the name of your blog, such as “tbr_”, or you could do something completely random, such as “wp_kG18Uh_”.  WordPress accepts only numbers, letters, and underscores in the prefix, so keep the random part to those characters.  The more randomness you add here, of course, the more your WordPress security is increased.

3. Now you will need to make some edits to your database itself, changing the prefix to match the one that you came up with in Step 2.  Using PHPMyAdmin, or whatever program that your hosting company has for you to manage your database, you will need to run the following SQL commands to change the WordPress database prefix to the one that you changed it to in wp-config.php.  In the example below, you will change “new_prefix_” to whatever new database prefix it is that you have decided to use.

RENAME TABLE `wp_commentmeta` TO `new_prefix_commentmeta`;
RENAME TABLE `wp_comments` TO `new_prefix_comments`;
RENAME TABLE `wp_links` TO `new_prefix_links`;
RENAME TABLE `wp_options` TO `new_prefix_options`;
RENAME TABLE `wp_postmeta` TO `new_prefix_postmeta`;
RENAME TABLE `wp_posts` TO `new_prefix_posts`;
RENAME TABLE `wp_terms` TO `new_prefix_terms`;
RENAME TABLE `wp_term_relationships` TO `new_prefix_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `new_prefix_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `new_prefix_usermeta`;
RENAME TABLE `wp_users` TO `new_prefix_users`;

Please note at this point that if you have installed additional plugins after the installation of your blog, you may have additional tables besides the ones listed above that need their prefix changed.  Just follow the syntax that I have used above, and run additional SQL commands to rename the database prefixes on those tables also.  If you happen to be using phpMyAdmin, or some other database administration script, you will be able to run multiple lines of SQL commands at once (note that a “;” terminates a MySQL command).

4. The next step in this WordPress security process is to edit the options table (wp_options before the rename in Step 3) to reflect the new WordPress database prefix.  If this is not done, your blog will not function.  Using the method described above, run the following MySQL command, once again changing “new_prefix_” to your newly chosen database prefix.  This MySQL command will search the options table, returning the wp_user_roles option, along with any other plugin-created options, custom scripts, or other entries.  The goal here is to rename any entries in the options table that begin with “wp_” to the newly chosen database prefix.

SELECT * FROM new_prefix_options WHERE option_name LIKE '%wp_%';

5. The final edit that we will need to make is in the usermeta table.  We are going to be looking for any instances of the old “wp_” database prefix so that we can edit that prefix to our newly chosen one. Once again, we are going to run a MySQL command to find these instances.  When you run the following command, it will reveal those rows that have the instances of the old prefix so that they can be altered.

SELECT * FROM new_prefix_usermeta WHERE meta_key LIKE 'wp_%';

To show an example of this, running this MySQL query on a newly installed WordPress install returned the following results from the usermeta table.

The number of fields that you will need to alter is going to depend on a number of different factors: the number of plugins that you have, as well as a few other variables.  The important thing to keep in mind is that you need to change any entry returned by this search from the default “wp_” prefix to the new one that you have chosen.
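
As an added example (not part of the original article), this Python helper generates the statements for Steps 3 to 5 from an old and a new prefix. It assumes you paste in the table names from SHOW TABLES and the key names returned by the two SELECT queries; the function name and sample values are constructed for illustration, and it goes beyond the text by picking up plugin tables and rejecting prefixes that contain anything other than letters, digits and underscores.

```python
import re

# WordPress accepts only letters, digits and underscores in $table_prefix.
IDENT = re.compile(r"^[A-Za-z0-9_]+$")
# Option and meta keys may also carry hyphens (e.g. wp_user-settings).
KEY = re.compile(r"^[A-Za-z0-9_-]+$")


def prefix_migration_sql(old, new, tables, option_keys, usermeta_keys):
    """Build the SQL statements for Steps 3-5.

    tables        -- names as listed by SHOW TABLES
    option_keys   -- option_name values returned by the Step 4 SELECT
    usermeta_keys -- meta_key values returned by the Step 5 SELECT
    """
    for prefix in (old, new):
        if not IDENT.match(prefix):
            raise ValueError(f"invalid table prefix: {prefix!r}")
    if old == new:
        raise ValueError("new prefix must differ from the old one")
    stmts = []
    # Step 3: every table carrying the old prefix, plugin tables included.
    for name in tables:
        if not IDENT.match(name):
            raise ValueError(f"refusing unusual table name: {name!r}")
        if name.startswith(old):
            stmts.append(f"RENAME TABLE `{name}` TO `{new}{name[len(old):]}`;")
    # Steps 4 and 5: one exact-match UPDATE per key that begins with the old
    # prefix; rows the LIKE pattern matched elsewhere in the key are skipped.
    for table, column, keys in (("options", "option_name", option_keys),
                                ("usermeta", "meta_key", usermeta_keys)):
        for key in sorted(set(keys)):
            if not KEY.match(key):
                raise ValueError(f"refusing unusual key: {key!r}")
            if key.startswith(old):
                stmts.append(
                    f"UPDATE `{new}{table}` SET {column} = "
                    f"'{new}{key[len(old):]}' WHERE {column} = '{key}';")
    return stmts


if __name__ == "__main__":
    # Constructed sample input for a site with one plugin table.
    for line in prefix_migration_sql(
            "wp_", "four_",
            ["wp_options", "wp_usermeta", "wp_users", "wp_myplugin_log"],
            ["wp_user_roles"],
            ["wp_capabilities", "wp_user_level", "wp_capabilities"]):
        print(line)
```

Review the generated statements before running them, and run them only after the backup from Step 1.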

Finishing Up: Testing Functionality

When you have finished this last step, this WordPress security upgrade should be complete.  All entries of the old “wp_” prefix in the WordPress database should be gone, and replaced with the new WordPress database prefix that we selected in Step 2.  Now comes the moment of truth: disable your maintenance page, if any, and test the functionality of your blog.  Do this by going through your blog, checking links and posts, and assuring yourself that everything is functioning properly.  If the blog appears to be functioning properly, then it would appear that your WordPress security upgrade has been a success.  Now, make an additional backup of your WordPress database for good measure: WordPress security should never be stopped.

HDW Player Installation In WordPress

The HDW Player plugin can be installed in three easy ways:

  1. Finding and Installing via WordPress Admin.
  2. Uploading Manually via WordPress Admin.
  3. Uploading Manually via FTP.

Finding and Installing via WordPress Admin:

  1. From the WordPress plugin menu click on Add New.
  2. Search for “HDW Player” in the search box, then install the HDW Player Plugin (Video Player & Video Gallery) from the search results.

Uploading Manually via WordPress Admin:

  1. Download the latest package.
  2. From the WordPress plugin menu click on Add New.
  3. Under the Upload menu, use the Browse button to select the plugin zip file that was downloaded, then click on Install Now. The plugin will be uploaded to your site and installed. It can then be activated.

Uploading Manually via FTP:

  1. Download the latest package and unzip the plugin.
  2. Now you will need to upload the plugin to your site’s wp-content/plugins/ directory using FTP.
  3. Congrats! You have installed the Plugin. It can then be activated.