Gospel. Culture. Technology. Music.

Tag: wordpress


Security Mashup: Four Steps to Secure WordPress

After working through a number of WordPress sites over the years, either preventing hack attempts or cleaning up sites that had already been hacked, I've "engineered" a free way to keep a site reasonably secure by using these plugins together:

  1. iQ Block Country: this plugin blocks requests from countries you choose, either to the front end of the site or (what I use it for almost exclusively) to the back end, meaning the admin area and the login page. For the sites I manage I block everything except the United States on the back end and leave the front end open to all. Keep in mind that the lookup is by IP geolocation database, so a VPN or proxy exit in an allowed country walks straight past it; treat it as a noise filter rather than a real access control.
  2. Jetpack: this is a great plugin to use anyway for stats collection and image/CDN offloading, but it also includes brute force login protection that you can switch on. It is another helpful preventive layer if the other tools miss something.
  3. Wordfence: this free tool (which also has a paid tier with better protection) is a web application firewall that runs inside WordPress. Among other things it blocks brute force login attempts, XSS payloads and SQL injection payloads. Because it runs as PHP code inside WordPress, it only sees a request once PHP has already started handling it; a WAF in front of the application (ModSecurity, or a hardware appliance such as a Barracuda or Cisco firewall) would stop attacks before they reach WordPress at all if set up correctly, but is considerably more involved to install and configure. Regardless, this plugin is a good way to keep those kinds of attacks at bay.
  4. Invisible reCaptcha: this uses the invisible variant of Google's reCAPTCHA (a v2 badge that only challenges suspicious traffic, rather than a visible checkbox) to stop automated bots from spamming the comment sections of your posts and pages, and from brute forcing the admin login.
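To make the login-protection idea behind steps 2 and 3 concrete, here is a minimal must-use plugin that throttles failed logins on wp-login.php. It is an added example, not code from Jetpack, Wordfence or any plugin above; the file name, hook priorities, limits and function names are my own choices, and the decision logic is kept in a pure function so it can be run from the command line without WordPress.

```php
<?php
// wp-content/mu-plugins/login-throttle.php  (hypothetical file name)
// Added example, not code from any of the plugins above: a fixed-window
// brute-force throttle for wp-login.php. Limits and names are assumptions.

const LOGIN_MAX_FAILURES   = 5;    // failed attempts allowed per window
const LOGIN_WINDOW_SECONDS = 900;  // 15 minutes

/**
 * Pure decision logic, so it can be exercised without WordPress.
 * $failures holds Unix timestamps of earlier failures for one key.
 * Returns [allowed, recent_failures]; timestamps outside the window are dropped.
 */
function throttle_evaluate(array $failures, int $now,
                           int $max = LOGIN_MAX_FAILURES,
                           int $window = LOGIN_WINDOW_SECONDS): array
{
    $recent = array_values(array_filter($failures, fn ($t) => $t > $now - $window));
    return [count($recent) < $max, $recent];
}

/** One bucket per client address + username, so a lockout on "admin" from one
 *  bot does not lock out the real admin arriving from another address. */
function throttle_key(string $ip, string $username): string
{
    return 'login_throttle_' . md5($ip . '|' . strtolower(trim($username)));
}

if (function_exists('add_action')) {
    // Running inside WordPress.
    $client_ip = fn () => $_SERVER['REMOTE_ADDR'] ?? '';

    // Record a genuine failure, but not our own lockout error (that would extend the lockout forever).
    add_action('wp_login_failed', function (string $username, $error = null) use ($client_ip) {
        if ($error instanceof WP_Error && $error->get_error_code() === 'too_many_attempts') {
            return;
        }
        $key = throttle_key($client_ip(), $username);
        [, $recent] = throttle_evaluate((array) get_transient($key), time());
        $recent[] = time();
        set_transient($key, $recent, LOGIN_WINDOW_SECONDS);
    }, 10, 2);

    // Priority 99 runs after core's username/password check (priority 20) and overrides
    // its result, so a correct password still does not get in during a lockout.
    add_filter('authenticate', function ($user, string $username) use ($client_ip) {
        if ($username === '') {
            return $user;
        }
        [$allowed] = throttle_evaluate((array) get_transient(throttle_key($client_ip(), $username)), time());
        return $allowed ? $user
                        : new WP_Error('too_many_attempts', 'Too many failed logins; try again later.');
    }, 99, 2);
} else {
    // Stand-alone check with constructed timestamps (no real traffic).
    $fails = [];
    for ($t = 0; $t < LOGIN_MAX_FAILURES; $t++) {
        [, $fails] = throttle_evaluate($fails, $t);
        $fails[] = $t;                                   // five failures at t = 0..4
    }
    [$blocked_now]   = throttle_evaluate($fails, 5);                            // sixth attempt inside the window
    [$allowed_later] = throttle_evaluate($fails, 5 + LOGIN_WINDOW_SECONDS);     // window has elapsed
    printf("blocked at t=5: %s, allowed after window: %s\n",
        $blocked_now ? 'no' : 'yes', $allowed_later ? 'yes' : 'no');
}
```

Run it with `php login-throttle.php` to see the pure logic exercised; dropped into mu-plugins it hooks into WordPress instead. Two caveats a practitioner should keep in mind: transients live in the options table unless you have an object cache, so a high-volume attack will generate database writes; and the bucket is keyed on REMOTE_ADDR, which behind a reverse proxy is the proxy's own address, so every visitor would share one bucket unless the real client address is restored first.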

None of these is foolproof against an attack that arrives through some other vector, but I've found the combination catches a lot of junk on every site I've set it up on.

And one last thing: make sure to serve your site over HTTPS with a valid TLS certificate! 🙂

And Here Come the WordPress Spam Bots

POST /wp-comments-post.php 302

(WordPress answers a comment submission on wp-comments-post.php with a 302 redirect back to the post.) It sure doesn't take long for the automated comment spammers to get their tentacles out there and start prodding a new system to see where they can post their annoying overseas mail-order Viagra/Cialis ads. Good thing I have the ModSecurity web application firewall running along with captcha protection; otherwise there would already be a lot of these. That doesn't make the site bulletproof, but it does keep the majority of the junk out there from landing on it.

WordPress, User IP’s and Reverse Proxies

WordPress core reads the visitor's address from $_SERVER['REMOTE_ADDR'] and does not consult proxy headers such as X-Forwarded-For, so when the web server runs behind a reverse proxy every user appears to come from the proxy's own address. So I hacked my own fix in. This seems to be a not-too-common problem, but it may help some people. My solution works, but it requires some extra code and changes to the existing code. It differentiates between a web user hitting the web server directly (as in most hosting situations, or through a transparent proxy) and hitting it through a reverse proxy (as in my situation). I wrote this code a year ago for another site I own that runs behind an Apache reverse proxy I run at home.
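The key security point in that fix is that X-Forwarded-For is just a request header: anyone hitting the web server directly can set it to whatever they like, so it must only be honoured when the request really came from your own proxy, and then read from the right-hand end (the hop your proxy appended). Here is a must-use plugin that does that. It is an added example, not the author's original hack; the file name, the trusted-proxy ranges and the function names are my own assumptions, and the stand-alone branch uses constructed addresses rather than real traffic.

```php
<?php
// wp-content/mu-plugins/trusted-proxy-ip.php  (hypothetical file name)
// Added example, not the author's code: restore the real client address when
// WordPress sits behind a reverse proxy, without trusting a spoofable
// X-Forwarded-For header on requests that did not come through that proxy.

// Addresses of the proxies we trust to set X-Forwarded-For (assumption: adjust to yours).
const TRUSTED_PROXIES = ['127.0.0.1/32', '::1/128', '10.0.0.0/8'];

/** True if $ip lies inside $cidr (IPv4 or IPv6; a bare address counts as /32 or /128). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = inet_pton($ip);
    $subBin = inet_pton($subnet);
    if ($ipBin === false || $subBin === false || strlen($ipBin) !== strlen($subBin)) {
        return false;                       // malformed, or IPv4 compared against IPv6
    }
    $bits = $bits === null ? strlen($ipBin) * 8 : (int) $bits;
    $full = intdiv($bits, 8);               // whole bytes to compare
    $rem  = $bits % 8;                      // leading bits of the next byte
    if ($full > 0 && substr($ipBin, 0, $full) !== substr($subBin, 0, $full)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($subBin[$full]) & $mask);
}

function is_trusted_proxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Direct hits (REMOTE_ADDR is not a trusted proxy) ignore the header entirely.
 * Otherwise walk X-Forwarded-For from the right: the first hop that is not one
 * of our proxies is the client. Anything unparsable falls back to REMOTE_ADDR.
 */
function real_client_ip(string $remoteAddr, ?string $xff): string
{
    if (!is_trusted_proxy($remoteAddr) || $xff === null || trim($xff) === '') {
        return $remoteAddr;
    }
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $remoteAddr;             // garbage in the header
        }
        if (!is_trusted_proxy($hops[$i])) {
            return $hops[$i];
        }
    }
    return $remoteAddr;                     // every hop was one of our proxies
}

if (PHP_SAPI === 'cli') {
    // Constructed samples, not real traffic: [REMOTE_ADDR, X-Forwarded-For, expected].
    $cases = [
        ['203.0.113.5', null,                                '203.0.113.5'],  // direct hit, no header
        ['203.0.113.5', '198.51.100.9',                      '203.0.113.5'],  // spoofed header on a direct hit: ignored
        ['10.0.0.2',    '198.51.100.9',                      '198.51.100.9'], // through our proxy
        ['10.0.0.2',    '1.2.3.4, 198.51.100.9, 10.0.0.3',   '198.51.100.9'], // two proxy hops; client-supplied 1.2.3.4 ignored
        ['10.0.0.2',    'not-an-ip',                         '10.0.0.2'],     // malformed header
    ];
    foreach ($cases as [$remote, $xff, $want]) {
        $got = real_client_ip($remote, $xff);
        printf("%-12s %-36s -> %-14s %s\n", $remote, (string) $xff, $got, $got === $want ? 'ok' : 'MISMATCH');
    }
} else {
    // Inside WordPress: mu-plugins load before wp-comments-post.php and the login
    // code run, so rewriting REMOTE_ADDR here fixes comment IPs and anything
    // else core reads from it.
    $_SERVER['REMOTE_ADDR'] = real_client_ip(
        $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0',
        $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null
    );
}
```

Apache's mod_proxy appends the upstream address to X-Forwarded-For on its own, which is why the rightmost hop is the one to trust; if your proxy instead overwrites the header with a single value, the same code still works because the only entry is the one it wrote.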

The Annoyance of WordPress Revisions – And the Fix

After getting this new blog up and running, I noticed one of the features added in version 2.6 of WordPress: post revisions. It got me thinking about how the database was affected after moving all of those entries over. A query against the database came back with 1723 rows, yet I only have 684 entries. The rest (minus pages and attachments) were all revisions of blog posts and pages. Each revision is a full copy of the post stored as its own row in the posts table. Over time that can add up to a lot of data, depending on how often you post and how many revisions you create while writing each post.

Welcome to the New Blog!

After hours of tedious work moving posts over from the old platform and customizing the look and feel, here's the new blog. Hope you enjoy it. The search function works far better than the last one as well, so check it out!

For those of you who connected via the RSS feed on the old site, you will need to use the new one instead, located here: http://feeds.feedburner.com/DavidWesterfield?format=xml

If you linked to my site from another page, the article still exists in the archive here, but you will need to search for it and then update the link with the new permalink URL.
