BarCampCHS2: WordPress Setup & Security

Presenter: Michael Carnell
@carnellm | michaelcarnell.com

(dot org is what we’re talking about, folks)

Hosted: blogger, wordpress.com, etc.
Big Boys: drupal, joomla, dotnetnuke, custom programmed – custom db programming, integration, etc.

Best of Both Worlds

  • wordpress.org – 36% of blog platforms, 2007; blogger.com=24%
  • Movable Type
  • your web host
  • control! ownership! – Blogger, etc.  you don’t control the use of your info.
  • Think about your hosting palmettobug.com/hosting
Why WP?
  • ease of use for admin & content publishers
  • control of content – BRANDING!  Look & feel!  These are very important.
  • can move it
  • plugins, themes, experts galore
Dirty Details…
Install Correctly!
  • While installing (most servers will use OneClick)
  • Consider your directory name.  Do you use the standard one?  If you use the standard, random hackers can tell what you installed.  So no, call it something different from the standard
  • Consider changing the db name if your install allows
  • Make db password long & cryptic.  You will personally never need it.  The software uses it not you.  Use crap characters & generators, etc.  Longer & weirder the better
  • Check the file directory privileges – make sure people can’t get into directories, upload files & execute them.
  • Demo time!  On a Mac!
Double Check the Install
  • File level tasks to be done via FTP
  • go into directories & delete “wp-admin/install.php”
  • add security keys to wp-config.php: add the optional security keys (from api.wordpress.org/secret-key/1.1/) to prevent hijacking of sessions
  • can change table prefix when you’re doing install, so hackers can’t find your table
  • install a blank index.php file in every directory so people can’t see what plugins you have installed = newest WP does this automatically
  • check file directory privileges
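An added example, not code from the session or from WordPress itself: a POSIX shell function that audits an install against the checklist above (install.php deleted, secret keys no longer the sample file's placeholder, table prefix changed from wp_, an index.php in every wp-content directory, no world-writable directories). The install path argument and the check wording are assumptions.

```shell
#!/bin/sh
# Added example, not code from the session: audit a finished WordPress
# install against the checklist above. Usage: wp_audit /path/to/wordpress
# Prints one OK/FAIL line per check; returns the number of failed checks.
wp_audit() {
  root="$1"; cfg="$root/wp-config.php"; fails=0

  # 1. The installer script should be deleted once the install is done.
  if [ -e "$root/wp-admin/install.php" ]; then
    echo "FAIL wp-admin/install.php still present"; fails=$((fails+1))
  else echo "OK   wp-admin/install.php removed"; fi

  # 2. Security keys: wp-config-sample.php ships the placeholder
  #    'put your unique phrase here'; a live config must not still have it.
  if [ ! -f "$cfg" ] || grep -q "put your unique phrase here" "$cfg"; then
    echo "FAIL security keys not set in wp-config.php"; fails=$((fails+1))
  else echo "OK   security keys set"; fi

  # 3. Table prefix: the default wp_ makes table names trivial to guess.
  if [ -f "$cfg" ] && grep -q "table_prefix *= *'wp_'" "$cfg"; then
    echo "FAIL table prefix is still wp_"; fails=$((fails+1))
  else echo "OK   table prefix changed"; fi

  # 4. Every wp-content directory needs an index.php so a directory
  #    listing cannot reveal which plugins and themes are installed.
  missing=$(find "$root/wp-content" -type d | while read -r d; do
              [ -e "$d/index.php" ] || echo "$d"; done)
  if [ -n "$missing" ]; then
    echo "FAIL directories without index.php:"; echo "$missing"
    fails=$((fails+1))
  else echo "OK   every wp-content directory has index.php"; fi

  # 5. No directory should be world-writable (upload-and-execute risk).
  ww=$(find "$root" -type d -perm -002)
  if [ -n "$ww" ]; then
    echo "FAIL world-writable directories:"; echo "$ww"; fails=$((fails+1))
  else echo "OK   no world-writable directories"; fi

  return "$fails"
}
```

Run it once right after the one-click install and again after the file-level fixes; the exit status is zero only when every check passes.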
Post Install Setup
  • create new admin user with strong password. You want to use a new admin to give admin privileges to
  • change Admin password and make a subscriber (why? hackers spend time hacking an account with no rights. This is called a honeypot – you get them to go here & you’ll find out about them)
  • make your main admin’s display name different from login name
  • Change setting to allow editing by outside packages if wanted
  • change permalink structure
  • demo time again
[sorry…lost the track here.  Not feeling well suddenly. The slides will be up on one of @carnellm ‘s websites. Again, sorry.  -A]
[permalink structure – he likes just post name, not structure that keeps date, month, year.]
After setup before live
  • Themes – another session
  • Plugins you must have:
    • Akismet – (antispam) must turn it on & activate it.  Get API key by having WP.com account & get it there
    • All-in-one SEO Pack (helps with tagging, etc.)
    • Search Meter – what are your visitors looking for? – can let you see what they’re looking for on your site.  What are the ones with 0 results that people are looking for?  What is popular with your visitors you can do more of?
  • Stats
    • ShortStat
    • WP-Stats
    • Google Analytics
  • Updates & backup
  • Demo Again!
Simple Backup for WP
  • Your content is your responsibility. Your host will make the blog work.  YOU have to restore the content
  • Make a gmail account or use your current one.
    • ex: yourgmailusername+backups@gmail.com
  • Email backups to this account & use filters to file them away
  • Database – WP-DB-Backup plugin – schedule backup weekly & emails to that addy
  • Images & themes – blogtrafficexchange.com/wordpress-backup – plugin to save these
Questions!
palmettobug.com/hosting – his results of a nonscientific survey of ppl on hosting opinions.  Don’t use godaddy.  That’s all.  Domain Registration, fab!  For their web hosting, um NO! Poor support, overloaded web servers. Bad!  No no!