Page 2 of 2 (posts 11 to 17 of 17)

Thread: Security

  1. #11 vangogh (Post Impressionist; Boulder, Colorado; joined Aug 2008; 15,059 posts)

    IP blocking through .htaccess is actually one of the things mentioned in the video. I think he even called it his favorite tip. Maybe I'll have to rethink things.

    Let me know what you think of the video. The wordpress.tv site has a lot of other good videos too.
    Join me as I share my creative process and journey as a writer | StevenBradley.me
    Design, Development, Marketing, and SEO Tutorials | Steven Bradley's Notebook
    Get my book about Design Fundamentals

  2. #12

    Nothing terribly surprising, but good info. The plugin that looks for changes in your website (if that's what it does) is interesting. It would be particularly helpful if it looks at all the file names, sizes, and dates on your site and keeps that as a benchmark. Then uses that benchmark to look for file additions or changes. I wonder if there is a generic script for that out there that works for any site?

    Changing the table name seems to make sense, although I was told by someone pretty knowledgeable that the name change isn't terribly effective.

    Moving or renaming the config files makes a lot of sense to me. It would be nice to put them above root, which is where you should also put an .htaccess password if you have one (I do).

    I always use a password generator and generate complicated passwords, including punctuation, 12 characters long. I keep them in an Excel file.

    I did a quick search for security saving passwords in FF. The biggest problem there appears to be people prying into your PC locally. You can apply a password to keep out people trying to look at your password list. I also saw something that said potentially someone could remotely get into your Firefox list. Unless I see something that really says "don't save passwords in FF" I'm going to continue to do that. Just too much of a pain otherwise. There is a FF plugin for saving them more easily as well.

    And to me, I like the htaccess IP blocking.

    While it depends on your application, how you work etc., I think it makes sense to implement some or all of these. With the ease of use and popularity of WP comes a lot more hacking attempts. The day you forget to do a backup is the day you will get hacked. Probably should do that in a cron job, but I never have. There are some scripts that will email you the backups as well.

    I've been hacked twice. Once they got credit card info. I quit storing that on the site. Early versions of osCommerce allowed that and I didn't know any better at the time.

    The other time I was hacked, they hacked the entire server. Every index page on the server was changed to a Saddam Hussein Arabic thing. I couldn't have prevented that one, but I had to reload a bunch of sites. The host said they got in through a site on the server that had weak passwords. They started mandating the use of a password generator after that. I'm sure they made other changes as well.

    Oh, as a footnote, you really should use security on a wireless router if you have one. If you don't have visitors connecting from their laptops, MAC address filtering is the best.
    Last edited by billbenson; 08-22-2009 at 01:47 AM.
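The "benchmark" described in the post above, as an added example that is not from the thread or from any WordPress plugin: a script that records the size, modification time and SHA-256 of every file under a web root, stores that baseline outside the web root, and reports files that were later added, removed or changed. The site layout, file names and contents in demo() are constructed for the demonstration.

```python
"""Added example (not from the thread): a file-integrity baseline for a site.

It records every file's size, modification time and SHA-256 under a web root,
then compares a later scan against that baseline and reports files that were
added, removed or changed. The site layout and file contents in demo() are
constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, dict]:
    """Map each file's path (relative to root) to its size, mtime and hash."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            stat = path.stat()
            manifest[path.relative_to(root).as_posix()] = {
                "size": stat.st_size,
                "mtime": int(stat.st_mtime),
                "sha256": sha256_file(path),
            }
    return manifest


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Diff two manifests. Content changes are judged by hash rather than by
    size or mtime, since both of those can be preserved while a file is altered."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(
            p for p in baseline.keys() & current.keys()
            if baseline[p]["sha256"] != current[p]["sha256"]
        ),
    }


def save_manifest(manifest: Dict[str, dict], path: Path) -> None:
    """Store the baseline outside the web root, so a compromised site cannot
    simply rewrite the benchmark it is compared against."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> Dict[str, dict]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Build a constructed site, take a baseline, then simulate a defaced page,
    a dropped file and a deleted plugin, and return what the comparison finds."""
    work = Path(tempfile.mkdtemp())
    site = work / "public_html"
    (site / "wp-content").mkdir(parents=True)
    (site / "index.php").write_bytes(b"<?php require 'wp-blog-header.php';\n")
    (site / "wp-content" / "plugin.php").write_bytes(b"<?php // constructed plugin\n")

    save_manifest(build_manifest(site), work / "baseline.json")  # kept above root

    (site / "index.php").write_bytes(b"<html>constructed defacement</html>\n")
    (site / "wp-content" / "dropped.php").write_bytes(b"<?php // unexpected new file\n")
    (site / "wp-content" / "plugin.php").unlink()

    return compare(load_manifest(work / "baseline.json"), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run from a cron job, build_manifest(Path("/path/to/public_html")) compared against the saved baseline gives the early-warning check the post asks for; the point of storing the baseline above the web root is the same as for the config file: nothing served by the site can reach it.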

  3. #13 vangogh

    We had pretty much the same impression of the video. Nothing too surprising, but some good info and new tips nonetheless. I liked the mention of that same plugin and need to install it and see what it does. It doesn't exactly prevent anything, but it does make for a good early detection system.

  4. #14

    I tried moving wp-config up a level and:
    include("../wp-config.inc"); for the config file.

    It found the config and connected, but gave me a "headers already sent" error. If I looked at the source it had a <br /> at the top of the page before the error. Any idea why moving it and putting it in an include would do that? The config file isn't echoing anything.

  5. #15 vangogh

    I don't think you needed the include. Why did you add or change that? From what I understood WP will look for wp-config where expected and if it doesn't find it then it will look one directory up on its own. I think everything else would work as usual.

    With the headers it's not necessarily that the file needs to echo something. The headers in the error message aren't something that needs to be printed to the screen. However the header info usually needs to be the very first thing in the file. In order for the file to send the html for the <br /> I believe it needs to send header information.

  6. #16

    I wanted to do it via the include to put it up two levels - above the root directory. That is only accessible via ftp. I don't think it is necessary, I was just trying it.

    You're correct, the headers are the first thing to be sent to a page. If you try to send after that you will get that error. What I don't understand is why moving the file and accessing via an include would cause the error. The file would be accessed and acted on at the same time whether it is in an include or in the config file in its default location.

    Again, I'm just curious as to why, I'm really not going to try to do this, it's overkill.

    If you are putting it above root and your blog is in a subdirectory, you are going up two levels, not one. The idea of putting passwords etc above root is because it's not accessible from the site.

  7. #17 vangogh

    I'm guessing that wp-config sends out headers and by having the <br /> before the include you were then sending out html headers. When wp-config tried to send out headers they had already been sent.

    I understand now what you were doing with the include. Moving wp-config up a level makes sense if you installed WP in root, but if you installed it in a subdirectory I guess you lose much of the benefit of moving wp-config.
