WordPress user, admin, and host

Since it appears that I am becoming a WordPress user, admin, and host, I am trying to establish a workflow for starting a new WordPress site on my servers. There are features/plugins that all sites should have.

They are

A Theme
Whether it be free or paid for, all WordPress sites require a theme to present the content. For this site (more personal than anything), I have chosen a paid-for theme called “ContentBerg” which utilizes the Gutenberg features. It has many of the tools cooked into the theme so I don’t have to add those features individually. There is a bit of a learning curve to each theme; it just takes time and practice to get to know the ins and outs of each theme.

Stats
All web publishers want to know how famous they are. A good web publisher wants to know a lot more such as where traffic is coming from, what pages are most/least popular, and even demographics, user platforms and more. I will be utilizing the tried and true Google Analytics for my sites.

Monetization
All (okay most) web publishers would like to be famous, but everyone I know wants to make money from their efforts. With a starting blog like this one, the easiest way to generate revenue is to use an existing Google AdSense account. As the site grows, I can add affiliate links and direct-sold ads, but for now, especially for this site, I am not anticipating a large amount of traffic and so… not much revenue.

Back up and recovery plan
In the past (since 1995), I have always published locally and then transferred the articles and files manually to the online server. This has been my way of protecting myself from hackers (yes, I’ve had sites hacked through shared hosting issues) and also from the sudden disappearance of a hosting company (yes, I’ve had that happen twice over the last 20+ years).

With WordPress websites, there is the added complexity of the relational database which is near impossible to host locally and mirror live. I’m sure there are ways to do this but it is not my intent to create a handshake schema between local and live content. I will copy all files to a backup location and will back up the database at set intervals just in case of the worst.

I have yet to develop and establish my disaster protection and recovery plan for WordPress websites, but suffice to say that the files and database/s will be stored locally on a schedule and a written recovery checklist will be printed.

(Future link to disaster protection and recovery plan for WordPress websites here.)

More to come… I have to get the August issue finished now.

ColorMag “free” WordPress Theme a NO GO

(Screenshot: ColorMag free theme by ThemeGrill)

I’ve spent a few hours today (Sunday, May 26, 2019) installing and configuring the free ColorMag WordPress theme only to discover that I cannot add a top banner AdSense block to monetize the site.

I liked everything I saw about the theme, especially the categories since I hope to diversify this site in many ways. But my brief experience with the theme reveals that any effort to place advertisements is not possible, at least not without editing the files directly. Editing files is problematic because if (when) there is an update to the theme, any manual modifications are overwritten by the update. I’ve already experienced that with the default.

Oh well… live and learn! It’s possible that many of the free themes available will limit my ability to monetize, which I guess makes sense.

First: WordPress Security

One of the reasons I have shied away from WordPress is the fact it is “open source” and widely used. In my opinion (based on 24+ years in the web making business), open source is the first issue because the WordPress code is open and available to the public — including open to those with less than reputable motives. For some reason, there are people who want to break the code and attack websites for no other reason than “they can.” Others will (do) attack websites to steal information, infect visitors or even redirect readers to other websites for nefarious reasons.

To me, another security risk factor is that WordPress is — by far — the most used blogging/web-publishing platform on the internet today. The fact that so many websites use the open source coding is a huge motivator to those who seek to do harm. By cracking one program, a “hacker” can affect millions of unprotected websites around the world, which is/was kind of a deal breaker for me.

When I decided that I was going to use WordPress for my websites, I also decided that I would do everything I could to make it as secure as possible. I know I’ll never underestimate the brilliance of the dedicated coder — but I can do what I can to keep my site safe from the hack-bots and creepy crawlers of the world-wide-web.

I am hosting my own WordPress files, code, and database. For MOST users who use a service like WordPress.com, GoDaddy, or other hosted services, the security is built in at the host level and most of my concerns are addressed. Folks who use hosting services should look into methods of backing up all files including photos and other media and even the database, which I will get into later. For me, I’ll be keeping a local (on my own computer) version of all files, folders, and database at all times. This way, if my hosting service should wake up dead one morning (which has happened to me twice), I can easily deploy everything on a new server in a few hours.

After I installed WordPress and the associated database, I immediately changed all my passwords to ones that are difficult to figure out, using a combination of capital letters, numbers and special characters. I allowed my browser to remember these passwords on my computer since it too is password protected.

After I configured my email to work properly, I tested the site by logging onto it online (no errors) and posted my first test post (no errors). I went back into the WordPress settings and checked “auto update.” This is very important!

Up To Date WordPress & Plugins

The most common hacks or injections on WordPress happen because of outdated software, themes or plugins. Your trusted software developers are constantly updating the software to keep it safe and counteract the efforts of would-be hackers. You should always keep everything up to date and current. The latest version of WordPress is always available on the main website at http://wordpress.org and your plugin developers should have the same. WordPress is set to auto update by default. You can check the status by logging onto your dashboard and clicking the update tab on the left ({yoursite}/wp-admin/update-core.php).

Strong Password

The next most common way hackers find their way into your website is by figuring out your password. They have little programs that run through thousands of possibilities to attempt to gain access to your beloved files. A strong password is an important aspect of securing your application from would-be wrongdoers. A strong password is not only necessary to protect your blog content, but it also prevents hackers from installing malicious code and scripts that can potentially compromise the entire server.

Things to avoid when choosing a password:
- Any permutation of your own real name, username, company name, or name of your website.
- A word from a dictionary, in any language.
- A short password.
- Any numeric-only or alphabetic-only password (a mixture of both is best).

As I said, I prefer passwords that are difficult to figure out, using a combination of capital letters, numbers and special characters.

File and Folder Permissions

IF there is no need to install any plugins, no need to use the theme editor, nor install any WordPress updates, the ONLY folder that requires write permissions is the /wp-content/uploads/ folder (for images/media). Everything else should have read access only.

If you want/need to allow plugin install/updates, you need to allow write permissions to the /wp-content/plugins/ folder.

If you want/need to allow the use of the theme editor — including theme updates — then you also have to allow write permissions on the /wp-content/themes/ folder. Note: If you only edit/add themes and plugins rarely, it is good practice to remove the write permissions once you are finished making your changes.

All said; if you want to allow that “auto-update” feature of WordPress to keep everything up to date at all times, you will need to give read/write permissions on the root folder. This is the least secure option but also the most common way to install it — mostly for convenience. Alternatively, you can set the permissions for all of the above back to read-only (except the uploads folder) if you wish to achieve the highest level of security possible.

All said: The above applies to outside attacks – if your password is compromised, then none of the efforts above will make any difference at all.

Note: I will be working on a schema using Adobe Dreamweaver to modify my installation and only upload the modified files, eliminating the need to continually modify folder permission on the live server. More to come on that — link when it’s complete.
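As an added example (my own script, not from the original post), here is a small POSIX shell script that applies the layout described above: every folder and file read-only, /wp-content/uploads/ writable, and wp-config.php readable by owner and group only, with a second function that reopens the plugin or theme folder (or the whole root, for core auto-updates) around an update so you are not hand-editing permissions on the live server. It assumes wp-config.php is still in the document root and that the files are owned by an account whose group includes the web server user.

```shell
#!/bin/sh
# Added example (not from the original post): lock a WordPress document
# root down to the read-only layout described above. Assumes the site's
# files are owned by an account whose group includes the web server user,
# so mode 440 on wp-config.php still lets WordPress read its settings.
# Usage: wp_lock /var/www/mysite
#        wp_unlock /var/www/mysite wp-content/plugins   (before a plugin update)

# Lock the whole tree down. $1 = document root.
wp_lock() {
    root="$1"
    # Directories: read and traverse only (555); files: read only (444).
    find "$root" -type d -exec chmod 555 {} +
    find "$root" -type f -exec chmod 444 {} +
    # The one writable tree: media uploads (755 dirs, 644 files).
    find "$root/wp-content/uploads" -type d -exec chmod 755 {} +
    find "$root/wp-content/uploads" -type f -exec chmod 644 {} +
    # The database password lives here: owner and group only.
    chmod 440 "$root/wp-config.php"
}

# Reopen selected folders for an update, then run wp_lock again when
# finished. $1 = document root, remaining args = folders under it, e.g.
# wp-content/plugins, wp-content/themes, or "." for the whole root
# (what the core auto-updater needs).
wp_unlock() {
    root="$1"; shift
    for sub in "$@"; do
        find "$root/$sub" -type d -exec chmod 755 {} +
        find "$root/$sub" -type f -exec chmod 644 {} +
    done
    chmod 440 "$root/wp-config.php"   # the secret stays closed either way
}

# Print the octal permission bits of a path (GNU stat, BSD fallback)
# so the result of a lock or unlock can be checked.
wp_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```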

Hide the wp-config.php file

This is a hacker magnet: a file that holds a lot of very sensitive information about the installation of WordPress on your server, up to and including your database password (YIPES). I found a great article about how to move this to another location for safe keeping… “Harden WordPress Security By Moving wp-config.php to a Non-public Folder” By Jack Busch

Disable File Editing

Speaking of the wp-config.php file, you are able to use this file (now in a top secret location) to prevent people from editing the pages in your folder/website. See, the WordPress dashboard allows administrators to edit PHP files directly from the dashboard, and this is often a tool an attacker will use should they gain access to your login (not possible because you have an incredibly strong password). This gets a little tricky, but all you have to do is edit the wp-config.php by adding this line, which is equivalent to removing the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities of all users:

define('DISALLOW_FILE_EDIT', true);

This will not prevent an attacker from uploading malicious files to your site but might stop some attacks.

Delete the default “admin” account

When your WordPress website is created, by default, the first account created is the admin account (which has FULL access to all settings).

On a brand new install, you can simply create a new Administrative account and delete the one created by default.

On an existing WordPress installation, you may rename the existing account in the MySQL command-line client with a command like UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin'; or by using a MySQL frontend like phpMyAdmin.

Change the table_prefix

Since every installation of WordPress is exactly the same, intruders know what the table names are in your database. They all have a prefix of “wp_” by default. By changing the prefix of the tables, you are making it much more difficult for attackers to exploit some SQL injection attacks. It is best to do this during the initial installation.

Backup everything regularly!

Back up your entire website, including the folder structure, using your favorite FTP program. You also want to keep a complete backup of your database. In high-value situations, especially with many contributors, you’re going to want to back up very often, once or more per day. For the casual blogger, once a month should be fine, but the more often the better.

Keep your backups organized. For example, if you are backing up every day, create a folder with the structure…

/wp-backups/
    /2019-04-20/
    /2019-04-21/
    /2019-04-22/
    /2019-04-23/

This way you will always know what the latest backup is and make it easier to clean up the folder periodically.

That said, if you are administering a large WordPress website, you should look into automating the backup process for both the FTP and database elements of your site.
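As an added example (my own script, not from the original post), the following POSIX shell script automates exactly the dated /wp-backups/YYYY-MM-DD/ layout shown above: it archives the site folder, dumps the database beside it, and trims the oldest folders so the backup root stays tidy. It assumes the site files are readable on the machine running the script (or have already been pulled down by FTP), that mysqldump is on the PATH and reads its credentials from ~/.my.cnf, and the backup root and database name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): one dated backup of a
# WordPress site into <backup root>/YYYY-MM-DD/, plus a rotation that
# keeps only the newest N days. Assumes the site files are on local disk
# (or already fetched by FTP) and mysqldump is on the PATH. The backup
# root and database name below are placeholders for this example.
# Usage: wp_backup_site /wp-backups /var/www/mysite mysite_db

# Archive the site folder into <backup root>/<date>/files.tar.gz and
# print the dated folder. $1 = backup root, $2 = site root, $3 = YYYY-MM-DD
wp_backup_files() {
    dest="$1/$3"
    mkdir -p "$dest"
    # -C keeps the archive relative to the site folder, not the server path.
    tar -czf "$dest/files.tar.gz" -C "$(dirname "$2")" "$(basename "$2")"
    echo "$dest"
}

# Dump the database next to the file archive. Credentials come from a
# MySQL option file (~/.my.cnf), not the command line, so the password
# never appears in "ps" output or shell history.
# $1 = dated backup folder, $2 = database name
wp_backup_db() {
    mysqldump --single-transaction "$2" | gzip > "$1/db.sql.gz"
}

# Remove the oldest dated folders under $1, keeping the newest $2.
# YYYY-MM-DD names sort chronologically, so a plain sort is enough;
# anything else in the folder (notes, checklists) is left alone.
wp_rotate() {
    n=$(ls -1 "$1" | grep -cE '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' || true)
    drop=$((n - $2))
    if [ "$drop" -gt 0 ]; then
        ls -1 "$1" | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' | sort | head -n "$drop" \
            | while read -r old; do rm -rf "${1:?}/$old"; done
    fi
}

# One daily run: files, then database, then trim to 30 days of history.
# $1 = backup root, $2 = site document root, $3 = database name
wp_backup_site() {
    dest=$(wp_backup_files "$1" "$2" "$(date +%Y-%m-%d)")
    wp_backup_db "$dest" "$3"
    wp_rotate "$1" 30
}
```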

Be wary of Phishing expeditions…

Since everyone knows you’re using WordPress, and most installations are exactly the same, it’s very easy for a bad actor to compose an email that looks like it legitimately came from your own website. Be wary of urgent messages, especially with links from “your server.” When in doubt, don’t click on anything in the email; go directly to your dashboard and check everything out on your own. It may be confusing to find that nothing is wrong, but of course there isn’t: the email likely came from another country and is completely unrelated to your installation of WordPress.

Conclusion

The time to think about security is at the beginning, but also in the middle and at the end. Setting a great security foundation from which to build your creative outlet will pay off in the long run. Protect yourself, your server, and even your readers and subscribers by instituting a tangible website protection policy from the moment it is deployed.