How to make WordPress secure

Want to make WordPress secure? Then let’s harden it now! OK, this is going to be a long article that I’ll add to as “best practice” changes with new releases. For starters, let’s clear up what I’m trying to teach. What we are doing here is limiting access by people who are trying to compromise your WordPress installation. And they are out there, believe me.

So first off, the easy stuff….

  1. Keep your WordPress and Plugins updated. You can lock down WP all you want but if you have a dodgy plugin you could be wide open to the world.
  2. Keep your server up to date. Vulnerabilities in older versions of php and various scripts mean that an attacker could get in outside of the WordPress installation.
  3. Shared hosting. I personally don’t use this as it can severely compromise security. Even if you do all the locking down possible, someone else may leave wide-open gaps on the server.  If you want reliable VPS hosting I recommend taking a look at  Servint dedicated and VPS hosting.
  4. Use a decent antivirus and antimalware on your own PC. Most server compromises come from password attacks, and if you have malware on your PC that captures your FTP password then it’s ‘Game Over’. Use Kaspersky and MalwareBytes for a great solution.
  5. Choose strong passwords. Never underestimate how easy most passwords are to crack with a computer. Passwords such as “Password”, “abc123” and “Letmein” are crackable in minutes. Pets’ names, people’s names and car names are all easily guessable too. Consider putting non-alphabet characters in there as well, such as $ or !.

 

WordPress file permissions

Now let’s move on to WordPress file permissions.  These are most people’s nightmare but it doesn’t have to be difficult.  All files should be owned by your account and writable only by you. For directories, if you use SuPHP on your server (and I recommend you do) they should all be 755. If not using SuPHP then follow these rules:

  • /wp-content/plugins/ These are the plugin files. All files should be writable only by your user account.
  • /wp-includes/ WordPress’s ‘logic’ files.  All files should be writable only by your user account.
  • /wp-content/themes/ Your theme files. If you want to use the built-in theme editor, all files need to be group writable. If not, all files can be writable just by your user account.
  • /wp-admin/ This is the WordPress admin area. All files should be writable only by your user account.
  • /wp-content/ This is for your content which should be writable by everyone (owner/user, group, and public)

For other directories under /wp-content/ you should read the relevant plugin or theme documentation.  Err on the side of caution here though, locking down first and working backwards to release permissions where required.

For novices looking for a quick guide, if you are not using SuPHP then do this:

Set all directories to 755 and all files to 644. If you are on a shared server, set your wp-config.php to 750 so no other user will be able to read your database username and password!


From WordPress version 2.7, there has been the facility to automatically update the WordPress installation. It is remarkably stable and well tested, so I recommend this is used. The great thing is that after the update, all files are set to 644 and all directories to 755, writable only by the user. They are still readable by everyone else, including the web server.
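As an added example (not code from the original post), here is a small POSIX shell script that audits a WordPress tree against the quick-guide numbers above (directories 755, files 644, wp-config.php 750) and can apply them. It assumes a POSIX sh with find(1) and chmod(1), and that you run it as the account that owns the files; the function names and the --fix switch are my own. Because it checks the whole tree, a directory such as wp-content that was opened up to world-writable for a plugin shows up in the audit, so you re-grant that deliberately rather than discover it by accident, and after an automatic update you can run the audit to confirm the tree really is back to 644/755.

```shell
#!/bin/sh
# Audit and apply the quick-guide WordPress permissions from this post:
# directories 755, files 644, wp-config.php 750.
# Added example, not code from the original post. Assumes a POSIX sh with
# find(1) and chmod(1), and that the install is owned by the account running it.

# Count how many paths under the install root deviate from the target modes.
# Prints the count; 0 means the tree matches the quick guide.
wp_audit_perms() {
  root="$1"
  dirs=$(find "$root" -type d ! -perm 755 | wc -l)
  files=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l)
  config=$(find "$root" -type f -name wp-config.php ! -perm 750 | wc -l)
  echo $((dirs + files + config))
}

# List the offending paths with their mode so the owner can see what drifted
# (for example a wp-content directory opened to 777 for an upload plugin).
wp_list_perm_drift() {
  root="$1"
  find "$root" -type d ! -perm 755 -exec ls -ld {} +
  find "$root" -type f ! -name wp-config.php ! -perm 644 -exec ls -l {} +
  find "$root" -type f -name wp-config.php ! -perm 750 -exec ls -l {} +
}

# Apply the quick-guide modes. Run it as the account that owns the files;
# wp-config.php is tightened last so the blanket 644 does not undo it.
wp_fix_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  find "$root" -type f -name wp-config.php -exec chmod 750 {} +
}

# Usage: sh wp_perms.sh /path/to/wordpress [--fix]
# Without --fix it only reports; with --fix it applies the modes, then reports.
if [ -n "$1" ]; then
  if [ "$2" = "--fix" ]; then
    wp_fix_perms "$1"
  fi
  wp_list_perm_drift "$1"
  echo "paths deviating from 755/644/750: $(wp_audit_perms "$1")"
fi
```

Run the report form first on a live site and read the drift list before applying --fix: anything a plugin genuinely needs writable beyond 644/755 should be re-opened on purpose for that path only, which is the "lock down first and work backwards" approach described above.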

This now leads us on to ‘security by obscurity’. In other words, making the default stuff different so attackers spend more time at the first hurdle. Here are my top tips for quick and easy fixes.

  1. Stop showing the WP version you are currently running. Why? Well, if you are running an older WordPress version with a known vulnerability then you effectively display this to the world. There are numerous plugins to do this for you, but you can simply add <?php remove_action('wp_head', 'wp_generator'); ?> to your theme’s functions.php file. Note that there are other ways of finding out the version that a WP website uses, but this works well to hide the obvious.
  2. Rename the admin account. I do this on a new install from within Fantastico but you can also create a new Administrative account from WordPress’s back end and delete the default admin account. You will get prompted to pass ownership of all the deleted user’s posts to the new Admin which is recommended.
  3. Change the WordPress database table prefix. A lot of the WordPress-specific SQL injection attacks assume that the database table prefix is “wp_”, so changing this blocks many (but not all) SQL injection attacks.

Finally, 3 words I can’t stress the importance of……Backup, Backup and Backup.  Don’t hesitate to make this a priority. For a complete backup AND a brilliant way to clone your entire site check out the excellent WP-Twin WordPress Clone Software. This not only creates a FULL backup of WordPress’s database, but it backs up all other files and folders for you. It will enable you to move your installation across servers too, something most backup software won’t do. Most blogs can be completely cloned and backed up in a few minutes without any technical knowledge.

Good luck and hope this helps you to make WordPress secure.

 


Online backup and coupon code for 20% off Mozy

Online backup just got a whole lot cheaper with the latest coupon code from Mozy. Click the link below and type in the coupon code ENCRYPTION for a 20% discount:

Mozy online backup coupon code

Note: Enter the code into the promotional code box at signup to get the full discount.

 

Other recent contenders for our recommended backup software:

Crash Plan


Could not start the Task Scheduler service Error 1717: The interface is unknown

This error occurs when the event log service is turned off (set to manual or disabled).  To correct, do the following:

Start, Run and type in “services.msc”

Go to the “Event log” service and double click on it.

Set it to “Automatic” and click on OK.

Now you should be able to set the “Task Scheduler” service to automatic without error.  OK your way out of all boxes and close the services window.

 

 


Bootmgr is missing

Windows 7 BootMGR fix

If you get the error BootMGR is missing when trying to load a Windows based PC then you need to follow some logical steps to find the solution.

First and foremost, I would try a startup repair using the Windows installation CD/DVD.

How to Boot to the System Recovery Options in Windows 7

Insert the Windows 7 installation DVD or System Repair Disc into the DVD drive and restart the computer

Check to make sure that you set the BIOS to have the DVD drive listed first in the boot sequence

If prompted, press any key to boot from the Windows 7 installation DVD

Select your language preferences and click on Next. (See screenshot below.)

Click on Repair your computer

Select which operating system you want to restore (your own Windows 7 should be listed) and then click on Next

NOTE: If Windows 7 is not listed here or the list is blank, it is OK to proceed. In this case, still click on “Next”.

Select the system recovery option you want to do. Those listed are:

  • Startup Repair
  • System Restore
  • System Image Recovery
  • Windows Memory Diagnostic
  • Command Prompt

We want “Startup Repair”. Allow Windows to find the issue and restart the PC.


Do the above without a disk, using the manufacturer’s system recovery partition

If your computer has a system recovery partition then follow these instructions.

Start the PC and tap the F8 key on your keyboard about every half a second. You should see a boot menu, if not try to do this again.

Select the Advanced Boot Options screen (if you dual-boot) otherwise ignore this line.

Using the cursor keys (arrows), select “Repair your computer” then press Enter

Select your keyboard and language preferences then click on “Next”

Select your user name and type in your password, and then click on OK.

Select “Startup Repair”

Allow Windows to find the issue and restart the PC.

 

If you want to find out more about the system recovery options in Windows 7, take a look at this Microsoft article:
https://windows.microsoft.com/en-us/windows7/What-are-the-system-recovery-options-in-Windows-7

If this helped you to fix your PC then please click on one of the social buttons below to help others too.

 


Setting up shared folders in virtual box

Here’s how to set up shared folders on a VirtualBox installation. I’ll take it one step further and map it to a drive that reconnects on logon, making it a persistent share.

First, set up Guest Additions with “Devices”, “Install guest additions”.

Now share a folder on your host PC or Mac. Do this by creating a folder anywhere you like (let’s call it “vbshared”) and giving it at least read permissions. Read/write is fine too.
On Windows boxes, make sure that everyone has access, this can be locked down later if required.

Now we go back to VirtualBox and do “Devices”, “Shared folders”, and under machine folders we add the one we just set up (vbshared). Tick “Make permanent” and OK both windows.

Now we’re going to restart the host PC, restart the VirtualBox machine (don’t just fire up a snapshot) and, if the image is a Windows one, open up Explorer. In the address bar at the top, type in:

\\VBOXSVR\vbshared

Press Enter and you should see it pop up. Now we can map it to a drive by “Tools”, “Map network drive”, selecting a drive (e.g. Z:) and retyping \\VBOXSVR\vbshared.
Tick “Reconnect at logon” and there you have it: a working shared folder that maps to a drive and reconnects at logon!

For Linux machines, reinstalling Guest Additions often makes the share work afterwards.


Cheap freelance work on Friskk

If you are looking for cheap freelance work then one site stands out above all others. Friskk has high quality services by freelancers from around the world. Starting from a ridiculously low $5 (£3.17 at today’s exchange rates!), Friskk users offer services in many different sectors.

Want a WordPress site cloning then moving to another server? $10

Want a new logo for your website, designed and built to a high standard? $15

See the PCRepairMan up top? He was designed and built using services found on Friskk.com.

Other cheap freelance work includes video intros, cheap website backlinks, zombie transformations to photos of your friends, singing birthday videos….sky’s the limit really.  Some of the imagination is incredible and for gift ideas this site is really top notch.  Each service offered is for a fixed price and these are called ‘gigs’. On completion of the gig you pay the service provider an agreed fee. You pay nothing to register, and no fees to the website. How cool is that?  If you want to sell a service then you would pay a small commission on the final sale price.  If you don’t see the service you need, then you can request a service using the instant suggestion box.

Cheap freelance work by professionals

Many of the users on Friskk are professionals in their field, looking to earn extra money with small projects. This means that they often finish the project in very good time and can deliver excellent results.

So have a look around, see what’s on offer and get something unique for less than the price of a Starbucks!    www.friskk.com

 

 


External 1TB hard drives at discount prices

Seagate external hard drive review

Seagate 1TB external hard drive review. You can get these 1 terabyte (1TB) hard drives at incredible prices this month:

Seagate Expansions 1TB

This is a super slick USB2.0 drive that has good transfer rates and nice packaging.  It sits on rubber feet so suffers no vibration problems and looks good on any desk.  Easy ‘plug and go’ setup and Seagate reliability.  Highly recommended.

Best price on Seagate 1TB hard drive

Western Digital Elements 1TB

With USB 2.0 and 7200rpm this drive is very keenly priced.  The gloss case means it sits nicely on your desk, ready to backup your docs, photos etc.  Performance is pretty good and we only noticed a small hum when searching for and copying files.   Quiet, cool and comes with a 2 year warranty.  Currently on free delivery via Amazon.

Best price on Western Digital Elements hard drive


MalwareBytes cannot schedule scans using limited user accounts

Many people are finding that MalwareBytes cannot schedule scans using limited user accounts. Well, this is not completely accurate, as it can be done but it’s a little convoluted. Imagine the scenario where you have an administrator account and one or more limited accounts set up. This is very common in households with kids (or flippin’ well should be anyway!).

You’ll need to logon as an administrator and do the following:

  • Remove all scheduled scans and updates if existing
  • Create a scheduled update and select “Perform scheduled update silently from the System account”.
  • Create a scheduled quick scan, 10 minutes after the update above, again ticking the “Perform scheduled update silently from the System account” option
  • Create a scheduled quick scan, 10 minutes after the ones above, but now don’t select the System account option.

Be aware that while scans can run from the limited account, they will not have admin privileges. This means that there is a drastic limit as to what can be removed as the limited account can’t access things like system folders and HKLM registry hive branches etc.


How to open an ISO file using free Windows software

I’m often asked by customers how to burn ISO images onto DVDs. Seems lots of people are downloading them and are then unable to write them onto discs.

The answer is quite simple: download free software that will do it for you. It’s called VirtualCloneDrive and it comes from Slysoft, the makers of CloneCD, a great utility I was using way back in 2003! Things have changed now and their website boasts some of the finest burning, cloning and image writing software going.

Here’s the link to the freeware; it works on all Windows versions from 2000 up to Windows 7:

VirtualCloneDrive

If you like this, check out their other products:

  • AnyDVD – A utility for copy protection removal
  • CloneDVD – Clone any type of DVD, great for backing up movies
  • CloneDVD Mobile – Clone movies into formats for mobile media players like iPod, Zen etc. Also makes and converts to XviD, mp4, DivX, avi
  • CloneCD – Copy CDs and DVDs perfectly
  • GameJackal – Copy your game CD to hard drive for ultra-fast loading and playing

Remove Adobe Flash Player from Windows and reinstall

Removing Adobe Flash Player from Windows is generally required because it will not install correctly. In all cases, here is the logical method I use to remove and reinstall corrupted installations.

  • Backup current registry settings
  • Uninstall all previously installed versions of Adobe Flash Player
  • Verify that Internet Explorer has the correct ActiveX and security settings
  • Reboot and clean the Windows registry
  • Download the latest Adobe Flash Player from the official website

 

First off a few checks for the obvious stuff:

  • Make sure you are logged in as an administrator (not a “Standard or Limited user”)
  • You have no Pop-up or Ad Blocking software, notorious for killing Flash installations
  • You have accepted any ActiveX or Add-on warnings that popped up
  • JavaScript is enabled

All OK so far? Let’s go a bit further then…..  Perhaps print this off or bookmark the page in your favorites folder so you can return to it as we’ll be restarting the PC and closing the browser window.

 

Backup the current registry settings

Close all open programs. Create a Windows System Restore point. This will help us to get back to this point in time if anything untoward happens.

 

Attempt to remove Flash Player via Control Panel

Close all programs INCLUDING ANY MESSENGER PROGRAMS LIKE WINDOWS LIVE MESSENGER. “File”, “Exit” or “Quit” usually does the trick for messenger programs.

Drop into Control Panel and open Add/Remove Programs (Windows XP, 2003) or Programs and Features (Windows Vista and 7).  Remove any entries for Adobe Flash Player and Adobe ActiveX.

Restart your PC

 

Modify any ActiveX and Security settings within Internet Explorer

Make sure that Internet Explorer security is set to the Medium: Default level, which allows viewing ActiveX controls.

  1. Open Internet Explorer
  2. Choose Tools, Internet Options
  3. Select the Security tab
  4. Select Medium: Default level

Alternatively, and better for this purpose, configure the Custom level to allow ActiveX controls using the following steps.

Select the Custom Level instead of the Default Level and do the following.

  1. Navigate to the section marked “ActiveX controls and plug-ins.”
  2. Set “Download Signed ActiveX Controls” to “Prompt”.
  3. Set “Run ActiveX Controls And Plug-ins” to “Prompt”.

OK your way out and close Internet Explorer

 

Clean out the registry

Download the free CCleaner program from here.  Install it and opt out of the free Google toolbar install by unticking the selection (it’s your choice but I don’t like the toolbar).  Run it and click on “Run Cleaner”.  This will remove all your temporary Internet files and Cookies along with your Internet history and lots of other clutter.  Now select “Registry” from the left side, “Scan for Issues” and when finished, “Fix selected issues”.  Save a backup if prompted.

Now restart your spring-cleaned computer!

 

Download and install Adobe Flash Player

Download and run this ‘Standalone Executable Installer’ for Flash Player (Internet Explorer only). Basically, if you run Internet Explorer you will need this.

Download and run this Flash Player standalone plugin if you use another browser such as Firefox, Safari etc. If you don’t run another type of browser and just use Internet Explorer then you don’t need this.

 

If you are still struggling, then it may be a problem within Internet Explorer. Taking it back to ‘factory settings’ sometimes helps.  If you don’t already have it, install Firefox and run the Flash Player Standalone Plugin, then restart Firefox.  Visit youtube.com and if you can see the videos you have Flash installed (and I would definitely recommend using Firefox over IE any day)!

Leave me a comment (or buy me a coffee) if this has solved your problem!