Using WordPress is nice and many websites use it. The advantage of course that there are many tips, additional plugins etc. are available. But on the other hand there is a big disadvantage. Hackers attack WordPress sitse due to many many sites use it. I found an article and video from Matt Cutts an employee from Google.
He recommends to protect your wp-admin area using the Apache .htaccess file. Here in detail access is only allowed from IP addresses from where you are logging in. It’s definitely a good way to protect you blog, but often people don’t have a fixed IP address. The DSL provider assigns a different IP address on every dial in. Unfortunately there is no easy way to obtain the network addresses of your DSL provider which can be entered in your .htaccess file.
Another important recommendation: Always keep your server software and WordPress software up to date!
Also remove the following line from your header.php which will show hackers your WordPress version:
<meta name=”generator” content=”WordPress <?php bloginfo(’version’); ?>” /> <!-– leave this for stats please -->
So let’s concentrate on the restricted access in the wp-admin area. It’s a little bit tricky to get the address list of your DSL provider. I’ll explain and show an example script below. First let’s have a look at the video from Matt Cutts.
As step one you have to find out your own IP address. Let’s assume your IP address assigned from your provider is 213.168.95.20 (this is just an example!). Next do a whois lookup:
Have a look at the netname NC-DIAL-IN-POOL. Usually provider assign a common name for all DSL dynamic address. But we want to add all IP addresses or better all network ranges into our .htaccess file. Ok now we need to get all address ranges with this netname. This can be achieved using the Linux whois tool:
Fine we get a list with all network ranges from our provider now, but still not the correct netmask format and a lot of other output which we don’t need. Basically it’s possible to manually generate the .htaccess file now. Not big fun… So I’ve created a small perl script which does the job. As small bonus it creates the needed format for .htaccess file which means you are able to directly add the output to your .htaccess file in the wp-admin folder.
Important: Before usage you have to add the netname of the dial-in pool of your provider. How to find it out is described above. Below is only an example. The output will look like:
server:~# ./gethtaccessranges.sh
allow from 194.8.209.0/24
allow from 194.8.205.0/24
allow from 195.14.226.0/24
Finally generate a .htaccess file in your wp-admin/ folder with the content:
order deny,allow
deny from all
and add the output of the script gethtaccessranges.sh below the two lines. That’s it! Now access to wp-admin is only allowed from dynamic IP address from your provider. Sure it’s not the perfect solution but I’ll prevent you from many other hack attempts from all over the world.
At the end of the script there is also an example in case providers use number in their netnames.
#!/usr/bin/perl -w
# gethtaccessranges.sh
# Harald Kraemer 08.08.2010
# www.technnitip.net
#
# NET::CIDR and NET::Whois is need to run this script.
# On debian you can install using apt-get:
# apt-get install libnet-cidr-perl libnet-whois-perl
#
# Important: Replace the netname "NC-DIAL-IN-POOL" at the end of the
# script with the dial-in netname of your provider! Use the command
# whois <my-ip-address> to find out the netname.
use Net::CIDR;
use Net::CIDR ':all';
use Net::Whois::Raw;
use strict;
sub getRanges
{
my($netname) = @_;
my $whois;
my @whois_array;
my @ranges;
$whois = whois( $netname, 'whois.ripe.net' );
@whois_array = split( "\n", $whois );
@ranges = grep( /inetnum:/, @whois_array );
foreach ( @ranges )
{
s/inetnum://g;
s/ //g;
s/ - /-/g;
foreach my $item ( Net::CIDR::range2cidr( $_ ) )
{
print "allow from " . $item . "\n";
}
}
}
getRanges('NC-DIAL-IN-POOL');
#for( my $i=1; $i <= 30; $i++)
#{
# getRanges('DTAG-DIAL' . $i);
#}
A few days WordPress 3.0 called “Thelonious” has been released. I’ve used the automatic update feature for two blog installations without problems.
For security reasons you should add four new keys to your wp-config.php in the root directory of your WordPress installation. The easiest way to generate the keys is to use the key generator from wordpress.org. Copy the generated keys to your wp-config.php and finally log in again to wp-admin. As a result you will recognize the update wp-admin skin.
I’ve used the automatic upgrade within the administration panel on two blogs with different plugins installed. On both blogs I could not detect a problem after the automatic upgrade.
WP 2.8 comes with many changes, but I could not detect one which is important for me.
June 7th, 2009 Category: Wordpress
Missing the favicon in your WordPress blog? Then you should install the MaxBlogPress Favicion plugin. It’s easy to use and comes with 100 pre installed icons. Or you are able to upload you own icon.
Problems
After installation the MaxBlogPress Favicion on the TechniTip.Net blog all pages were returned empty to the browser. I don’t know exactly what did cause this issue, but could solve it by changing the plugin code injecting mode:
Enter Settings->MBP Favicon->Advanced Options and checked [x] wp_head() instead of Buffer Caching.
An incredible cool plugin for WordPress and all mobile devices like iPhone, iPod, Android or Blackberry is “WPtouch“. It automatically generates pages for perfect display on mobile devices from your WordPress blog. Installation is totally easy and the result is looking great!
See the difference:
The single post view:
Installation
If you have WordPress 2.7 or newer installed, the installation can be done with a few clicks:
Enter the admin page and select “Plugins”
Scroll down to the section “Get More Plugins”
Select “Plugin Browser/Installer”
Search for “WPtouch” and install
Otherwise you have to go the manual way.
Problems with WP Super Cache
If you are using WPtouch together with the WP Super Cache plugin you may run into trouble, I solved it with the following steps:
In Settings->WP Super Cache add the following Recected User Agents:
iPhone
iPod
aspen
dream
incognito
webmate
BlackBerry9500
BlackBerry9530
Add the following line in your .htaccess RewriteCond %{HTTP_USER_AGENT} !^.+(iPhone|iPod|aspen|dream|incognito|webmate|BlackBerry9500|BlackBerry9530)
This line should be inserted above the following existing line: RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/supercache/%{HTTP_HOST}/$1/index.html -f
Google sitemap generator plugin This plugin generates a XML-Sitemap compliant sitemap of your WordPress blog. This format is supported by Ask.com, Google, YAHOO and MSN Search.
All in One SEO pack plugin Automatic Search Engine Optimization (SEO) out of the box for your wordpress blog.
Askmet plugin
Akismet checks your comments against the Akismet web service to see if they look like spam or not and lets you review the spam it catches under your blog’s “Comments” admin screen.
Google Analytics plugin
The Google Analytics for WordPress plugin automatically tracks and segments all outbound links from within posts, comment author links, links within comments, blogroll links and downloads. It also allows you to track AdSense clicks, add extra search engines, track image search queries and it will even work together with Urchin.
Cross-references plugin
Useful plugin for manually setting a reference to another post or page. It will generate backward references automatically.
WP Super Cache
This plugin generates static html files from your dynamic WordPress blog. After a html file is generated your webserver will serve that file instead of processing the comparatively heavier and more expensive WordPress PHP scripts.
