  #1 krystof (Senior Member; Join Date Jul 2005; Posts 155; Member # 10668; Liked 6 times)
    Just about to install my first Wordpress. Want to do it right. Do not want to be the author of another of those messages, "I've been hacked!" Surfing the search results for "security" at Wordpress.org. Thought I would leave my resulting notes here. Any comments or additions are welcome.
    • A. Of incidental interest:

    1. So-called Wordpress MU, to which many references refer, no longer exists. "MU" or "MS" (multi-site) capability has now been integrated with every standard version of Wordpress. ("Since Version 3.0, WordPress includes new multisite features, meaning that it can run many blogs, even with their own separate domains, on one WordPress installation.")
    2. Avoid tacky themes which might not remain supported. One good free theme is Weaver. Weaver II comes with numerous sub-designs, also can be modified with <head> inserts for each site, and has special interface options to enable easy tweaking by the end-user.

    • B. Click here for "Plugin Security". I suggest everyone read this page before you install any plug-ins. "WordPress Plugins can create significant problems... Admin Panel Interaction... Interaction with the Database... Always escape user data."


    1. Keep up with the latest WP version... latest plug-ins... latest web server, database, PHP.
    2. Shared server: all likely compromised if one is compromised.
    3. Untrusted networks: avoid internet cafe uploads etc.
    4. Make long strong random passwords--for everything: for WP, for MySQL database, for root website admin, etc., etc.
    5. Limit file permissions. Read the complete details in the "File Permissions" section of this page.
    6. If possible, for multiple blogs use separate databases with separate users.
    7. Disable unnecessary MySQL such as remote TCP. (Read Secure Database Design.)
    8. See "Resources" on this page for properly passwording the WP-Admin Directory.
    9. Move the wp-config.php file to a higher directory. (Usually needs 400 or 440 permission). (Does not seem feasible if WP is in the root directory, which is required for a multi-blog "networking" installation.)
    10. For SSL read "Administration Over SSL".
    11. Use the WP Security Scan Plug-in. (But don't rely on it to make up for weak passwords, contaminated templates, bad plug-ins, etc.) (Firewall plug-ins are also discussed, but seem to me of questionable value, and the fewer plug-ins the better.)
    12. Before using any "write access" plugins check reputation in Support Forums and IRC Channel.
    13. Avoid code execution plugins. (Unless secured with custom templates plus disallowed file editing.)
    14. Security through obscurity helps somewhat. Rename the administrative account. (My own idea: just never name the first member "admin," and never use him except to promote-demote others temporarily to top admin positions. Also display only "nicknames" never log-ins.) Change the table_prefix. The table_prefix is "wp_," by default. ("Hiding Wordpress version" is also discussed, but seems of questionable net value.)
    15. Frequently backup WP files and also backup WP database.
    16. Log $_POST variables. Install the OSSEC automatic log monitor.
    17. Also consider a web-based integrity monitor.


    1. Never allow display_errors to show on your site. These errors give away the fact that your site is not well monitored, and also give away half the information needed to hack your database. Phishing hackers will google for these errors and target your website for takeover as a phishing base.
    2. If hacked use Exploit Scanner Plug-in to detect damage.
    3. Usually not necessary but if desired: "To disable unfiltered HTML for all users, including administrators, you can add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php."
    4. Emails saying "Someone has asked to reset the password" may mean someone is trying to hack your site.

    • E. Click here for "FAQ: My site was hacked". "Then one day, you load up your site in your browser, and find that it's not there, or it redirects to a porn site, or your site is full of adverts for performance-enhancing drugs. What do you do?"

    1. Virus and spyware scan your local computer.
    2. Ask your webhost if there have been other hackings--or maybe you have not been hacked, it is only a service outage...?
    3. Change passwords for blog users, FTP, MySQL.
    4. Click here for the WP new key generator and then click here to overwrite old security keys.
    5. Backup hacked files and database for later investigation but be sure to label as "Hacked!".
    6. Read in-depth blogposts: "Did your WP get hacked?" -- "Completely clean your hacked WP" -- "Removing malware from WP" (NOTICE: AVAST gave me a false alarm for a trojan on this page. This also happened to others and is discussed in the blog "comments" as caused by samples of malware code. This seems to be a highly reputable site.)
    7. Check .htaccess for hacks.
    8. Consider deleting everything--restoring a previous backup--and implementing more measures from "Hardening Wordpress" above.
    9. Change passwords twice, before and after cleaning.
    10. Determine hack method by analyzing site logs using OSSEC.

    • F. Custom PHP modification. Here in the WDF forum, I have read about expert programmers improving security for Open Source software by making unique custom modifications. To be on my list if you are such an expert, or if you would like my current list of possible experts: Click here to start a private conversation. Thank you.

    (Thank you TheGAME for your clarification below. I had the "keep latest WP" but perhaps was not clear enough. Hopefully this is more clear with the new 1-2-3 list format. Any more suggestions welcome, anyone!)
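The wp-config.php settings the notes above point at (moving the file up a directory, a non-default table_prefix, no file editing, DISALLOW_UNFILTERED_HTML, admin over SSL, and never showing display_errors), collected into one fragment as an added example; this is not krystof's text nor the WordPress sample file, and the database credentials, prefix, keys and log path are placeholders.

```php
<?php
// Hardened wp-config.php fragment (added example; PLACEHOLDER values must be replaced).
// WordPress also looks for wp-config.php in the directory directly above the
// install root, so this file can live one level up with mode 400/440, as long as
// that parent directory is not itself served by the web server.

// Database credentials: placeholders; use long random values, and (where
// possible) a separate database and user per blog.
define( 'DB_NAME',     'PLACEHOLDER_DB_NAME' );
define( 'DB_USER',     'PLACEHOLDER_DB_USER' );
define( 'DB_PASSWORD', 'PLACEHOLDER_DB_PASSWORD' );
define( 'DB_HOST',     'localhost' );   // local socket only; no remote MySQL TCP needed

// Non-default table prefix (letters, digits and underscores only).
$table_prefix = 'x7q2_';

// Never show PHP errors to visitors: they leak paths and database details.
define( 'WP_DEBUG',         false );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', '0' );
// Optional: keep errors in a log file outside the web root instead.
@ini_set( 'log_errors', '1' );
@ini_set( 'error_log', '/PLACEHOLDER/path/outside/webroot/php-error.log' );

// Remove the theme/plugin code editor from the admin panel.
define( 'DISALLOW_FILE_EDIT', true );

// Strip unfiltered HTML for every role, administrators included.
define( 'DISALLOW_UNFILTERED_HTML', true );

// Administration over SSL only.
define( 'FORCE_SSL_ADMIN', true );

// Security keys and salts: paste fresh output from the WordPress key generator;
// regenerating them invalidates every existing login cookie.
define( 'AUTH_KEY',         'PLACEHOLDER_REGENERATE_ME' );
define( 'SECURE_AUTH_KEY',  'PLACEHOLDER_REGENERATE_ME' );
define( 'LOGGED_IN_KEY',    'PLACEHOLDER_REGENERATE_ME' );
define( 'NONCE_KEY',        'PLACEHOLDER_REGENERATE_ME' );
define( 'AUTH_SALT',        'PLACEHOLDER_REGENERATE_ME' );
define( 'SECURE_AUTH_SALT', 'PLACEHOLDER_REGENERATE_ME' );
define( 'LOGGED_IN_SALT',   'PLACEHOLDER_REGENERATE_ME' );
define( 'NONCE_SALT',       'PLACEHOLDER_REGENERATE_ME' );

// Standard bootstrap: wp-load.php defines ABSPATH before including this file,
// so the fallback below only matters when the file is loaded directly.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

After saving, confirm the file mode with ls -l and load a deliberately broken URL on the site to check that no PHP error text reaches the browser.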

  #2 TheGAME1264 (Unpaid WDF Intern; Join Date Dec 2002; Location Not from USA; Posts 14,485; Member # 425; Liked 2783 times)
    Nicely done, Krystof.

    One missing entry: ensure that WP is always kept up-to-date with the latest release. Most hackers tend to go after older versions.
    krystof likes this.
    If I've helped you out in any way, please pay it forward. My wife and I are walking for Autism Speaks. Please donate, and thanks.

    If someone helped you out, be sure to "Like" their post and/or help them in kind. The "Like" link is on the bottom right of each post, beside the "Share" link.

    My stuff (well, some of it): My bowling alley site | Canadian Postal Code Info (beta)

  #3 krystof (Senior Member; Join Date Jul 2005; Posts 155; Member # 10668; Liked 6 times)
    I am still using this thread as a handy reference. I am now trying to figure out if a "simple" Wordpress Theme is significantly better than one of those "kitchen sinks" like Thesis Theme in terms of CPU usage? Especially for dozens of sites within a single multisite installation?

    My Googling has not found much information on CPU usage by Themes. But for future reference, I thought this would be a convenient place to list the interesting Google results I have found.

    Of course, older references are obsolete but have things worth knowing. I don't have time to read these properly. I will not bother to discuss here the most frequent advice: always update and use cache plug-ins. But I will list some of the "less usual" tips, both probably good and questionable.

    Webhostingtalk 2008: How to reduce my crazy Wordpress CPU usage?
    Bytesforall.com 2009: CPU usage getting worse with each usage.
    Reduce RSS and number of titles per RSS.
    Use a Category Only RSS feed.
    Geckoandfly.com 2010: 7 methods to reduce Wordpress CPU without upgrading webhosting.
    :unsure: Call all your images from offsite, even from Flickr.
    Also I didn't see this today, but in the past I have read:
    turn off or turn down the "save draft."

  #4 TheGAME1264 (Unpaid WDF Intern; Join Date Dec 2002; Location Not from USA; Posts 14,485; Member # 425; Liked 2783 times)
    You probably wouldn't find anything on CPU usage by theme, since the themes would be customized (if a designer/developer is any good) and since the content and traffic (among other things) would influence CPU usage as well.

    The only way to get the result that you'd want would be to set up an apples-to-apples comparison of say 100 blogs running simple themes and 100 blogs running Thesis under some sort of stress/benchmark test. I'm not sure anyone has the interest and the time required to do that. Not that it's a bad idea, but I just don't see it being something people would really study.

  #5 AlphaMare (WDF Staff; Join Date Oct 2009; Location Montreal, Canada; Posts 4,570; Member # 20277; Liked 878 times)
    Quote Originally Posted by krystof, post: 224545
    I am still using this thread as a handy reference. I am now trying to figure out if a "simple" Wordpress Theme is significantly better than one of those "kitchen sinks" like Thesis Theme in terms of CPU usage? Especially for dozens of sites within a single multisite installation?...
    Ron and Andrea might have some info on this.
    Good design should never say "Look at me!"
    It should say "Look at this." ~ David Craib


    http://digitalinsite.ca ~ my current site . . info@digitalinsite.ca ~ my email

    If you feel that someone's post helped you fix your problem, answered your question, or just made you feel better, feel free to "Like" their post. The "Like" link is at the bottom right of each post, along side the "reply" link. And if you are being helped here, try to help someone else - pass it on!

  #6 krystof (Senior Member; Join Date Jul 2005; Posts 155; Member # 10668; Liked 6 times)
    Thank you friends.

    AlphaMare: after reading your message, I realized I should have posted my questions in the WP "multisite" subforum. I posted in the "Theme" subforum which seldom gets discussion replies. (Mainly for support requests tagged to a specific theme.) But I have made progress at a webhostingTalk discussion. Basically, CPU usage can be affected by improper code, or by heavy usage of plugins or plugin-type features, but not by simply enabling a complex but well-coded theme. Also, according to Woo customer support, ""...out of the box Canvas is very lightweight.""

    Therefore, it seems worth-a-try getting a "kitchen sink" parent theme and also worth-a-try learning more about child themes. I am still rather fuzzy about what is the effect of Parent Theme updates on Child Themes. Nonetheless the important thing seems to be, by creating a "child theme" FROM A PROFESSIONALLY DESIGNED PARENT THEME (not from a questionable starting point)--I believe that I can streamline my 36-360 sites with just those necessary features. Also AlphaMare has supplied the tip of simply BE SURE TO GIVE A DIFFERENT NAME TO CHILD THEME UPDATES. (Thus not forcing any sub-site to use the updates.) And also in future, if more features are needed, I can copy them safely from the expert-designed parent theme.

    (I would be years ahead on this project if someone had just told me how to achieve what I want. :frantic: However thanks to the help received in forums like this, my internet odyssey has been easy compared to most things in life. :throwball: )

    P.S. However... note that there is one problem with premium super-themes: possibly less choice of plug-ins. Premium super-themes like Thesis and Canvas have their own "framework." They are designed to do most things without needing plug-ins. But the downside is that they are less likely to be compatible with "typical" plug-ins designed for "typical" frameworks. Of course, this might not matter if you are unlikely to need unusual functionalities.

  #7 AlphaMare (WDF Staff; Join Date Oct 2009; Location Montreal, Canada; Posts 4,570; Member # 20277; Liked 878 times)
    Krystoff - although your journey has been a long one, I think you may well have reaped a benefit that you would not have if you had simply been told how to achieve what you wanted to do. You are starting to have a better understanding of how the whole WP thing works - how the various parts work together and how there are sometimes several ways to get the result you are looking for.

    When I was a kid, and got my first car, (an old 4 cyl. beater) I decided to change the distributor cap myself to save some money. I could not get it to start afterwards. I finally discovered after much frustration and asking around, that there was such a thing as a firing order and I had not re-attached the wires from the spark plugs in the right order. That led me to reading and researching how internal combustion engines work, and eventually to my rebuilding one (for my motorcycle) on my own.

    You may never want to build a whole "engine", but with what you have learned from this experience, if there are problems in the future you probably will at least be able to diagnose what they are and most likely pinpoint where you need to start tinkering to fix them.

    When the site is up and running, will you please post it so we can see the end result of your journey?

  #8 krystof (Senior Member; Join Date Jul 2005; Posts 155; Member # 10668; Liked 6 times)
    I have edited my message above for brevity, and also done a lot of surfing about Wordpress frameworks. This has narrowed me down to the following options.

    ThemeHybrid.
    • I especially like: the support system: a well-designed and permanent OS community which makes it easy for clients and developers to interact.
    • User-friendly for everyone.
    • The most popular framework, you can be sure it will always work and that most plug-ins will work.
    • Downside: No advanced features or designs available in the standard sub-frameworks, nor do I like any of the basic designs. Although I could make a functional child theme, I could also make a child theme from Woo Canvas which would have a built-in advanced admin panel and ecommerce options.
    • P.S. The Genesis Framework is a newer alternative that seems to be similarly well-supported and well-recommended as Hybrid. The Genesis admin panel offers a few more built-in theme options than Hybrid, although not nearly as many as Weaver or Canvas. The Genesis framework is not OS and usage requires a paid subscription. However I would suggest that anyone considering to make their own theme should browse the Genesis Developer Tutorials.

    Weaver II.
    • I especially like: the numerous no-nonsense design presets and a full-featured custom admin panel.
    • User-friendly for everyone.
    • Built-in options for mobile viewing.
    • Likely to be compatible with any good plug-in.
    • Downsides: Weaver is quite flexible but is not designed to be a framework. Has limited child templates and no built-in ecommerce options.

    Themify.me.
    • I especially like: their several "Responsive" designs, using flexible design that enables the visitor greatly to enlarge the text without sidescrolling, and possibly to view the original site design in a mobile browser.
    • User-friendly for everyone.
    • Does offer a true framework with built-in advanced admin options and minimal branding.
    • Numerous popular design styles available for reasonable fees. The free "Koi" child design claims to be the most popular design used at Wordpress.COM. Koi is a very pleasant diary-style design for personal blogs, with a "white skin" option suitable for professional blogs.
    • Themify is a small company but is founded by two young programmers, is advertising for additional personnel and seems likely to continue.
    • Downsides: No ecommerce options. Some of their site's main pages do not adapt well to my Firefox browser, which kind of makes me wonder. Unlike Weaver, they do not have any child designs that I especially like. More user options than the Hybrid core but not as many options as Weaver.

    Woo Canvas.
    • I especially like: Canvas is a well-established framework with probably the most advanced built-in user options of any GPL or OS theme.
    • Readily available ecommerce child themes, including ecommerce themes that adjust automatically for mobile browsing.
    • Downsides: Heavily branded source code. Admin panel may be imposing and confusing to unskilled webmasters. Currently no readily available "flexible" or "mobile viewing" in non-ecommerce themes. Reduced choices of compatible plug-ins--perhaps mildly reduced or perhaps extremely reduced, I don't know. However I asked about one popular plug-in, and Woo customer services replied that they make no effort to test or record plug-in compatibility. Woo brags that their themes have so many features that they seldom need plug-ins, which is probably true. However the downside is that I would not feel confident that any plug-in which I might want would be compatible.

    It is a difficult decision.

    What I am doing. I will primarily use Weaver II for now. I like the Weaver admin panel and feel most certain that my sub-site clients will find Weaver user-friendly. I feel confident that Weaver will serve most needs well and will handle any necessary plug-ins.

    If Woo Canvas had "preset sub-themes" similar to Weaver, then I might prefer Canvas, but it doesn't. I do not like any of the Woo child themes and even though these are readily tweaked, to achieve what I want requires substantially more tweaking than for Weaver. Therefore, it seems that it would unnecessarily take up my time to use Woo themes myself, or to encourage their use for clients, except when building an ecommerce site. Woo Canvas and a Woo ecommerce theme can meanwhile be enabled for customers with advanced needs and abilities, who may wish to take the initiative to use them, or to hire a professional webdesigner to create a truly distinctive design.

    Koi is free, is a popular and tasteful design and is not complicated to use. Therefore with no added trouble, Koi can also be enabled for the additional option of an elegant diary-style website.

    What I would like to do. Eventually, I would like to partner with a webdesigner to create a Hybrid or Genesis child theme that is unbranded, multi-purpose and highly user-friendly. I have an idea for an ultra-friendly "custom CSS" admin panel, that would not require any CSS knowledge from the end user. Although Weaver and Themify do this to some extent, their designs are not 100% intuitive. I have an idea for a 100% know-nothing interface, and yet which would be relatively easy to create. Also, since this primarily just changes the default CSS, it might be minimally affected by PHP updates. Perhaps in a year or two, I will have the promotional capability to initiate such a project. Until then, this is above my head. (However I would be interested in collaboration if some webdesigner contacts me, who wishes to spearhead such a project.)
