The First WordPress Security Things To Do

First and foremost:

Block the main User Agents behind a lot of bad traffic: libwww-perl and Microsoft-WebDAV-MiniRedir. If you're running Apache on a Linux server, add the following lines to your .htaccess file:

RewriteEngine On
RewriteBase /
# Answer any request whose User-Agent contains libwww-perl with 403 Forbidden
RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
RewriteRule .* - [F,L]

or you can block a User Agent this way instead:

# Tag requests whose User-Agent starts with Microsoft-WebDAV-MiniRedir, then deny only those
SetEnvIf User-Agent ^Microsoft-WebDAV-MiniRedir BadWebDav
Order Allow,Deny
Allow from all
Deny from env=BadWebDav

Be aware that this blocks every client identifying itself as libwww-perl or Microsoft-WebDAV-MiniRedir, good and bad alike. The majority of this traffic is bad, however, so it's a necessary fix.

Second:

Install the Statpress plugin or another hit-tracking plugin so you can see the interactions of every IP with your site. This includes 404 hits, which you will find to be a goldmine for seeing which pages these script kids are trying to use to get into your backend. Not all tracking plugins are made the same, so test them out.

Third:

Make a backup. This is huge!!! A backup of every database and file should be done weekly at a minimum, daily if possible...

Full Post Here

To Validate HTML, CSS, RSS, Or Not?

I am writing this article after spending a week or so dealing with plugins and constantly getting failed validation through W3C with many of them. Validation is ensuring that your HTML, CSS, RSS, and other aspects of your site meet the accepted standards discussed at W3C. Why is this so important to a good site? Is an attribute such as data- good coding in XHTML when it is specifically part of HTML5? There are several views one could have about validation, most notably: “The big sites don’t validate,” “Google says it does not require validation,” and “Validation ensures that as many web viewers as possible are able to see your site correctly.”

Let's look at one of the biggest web traffic sites, Facebook. A W3C Unicorn validation of the HTML and other site properties lists 37 HTML errors, 35 CSS errors, and 2 RSS errors, while the Internationalization check validates. Are they worried about this? Most definitely not: they are established with millions of unique visitors a month, well known to all Search Engine Spiders (SES), and actually help establish some attributes because of the demand for their developer tools...

Full Post Here

Website Security

You built a site, or are thinking about building one, using the latest and greatest web design software. Be it WordPress, phpBB, or one of the many others currently available, everything is up to date and you start dealing with the content and getting visitors. What comes next are the spam bots, the scanners for a specific vulnerability, or another type of security threat. No site is ever fully secure; look at Chase, Target, and Home Depot. Much like an operating system that has software added in, a website with plugins, mods, or other third-party software installed can open up new loopholes and cracks in the existing secure files. For example, this updated site has been up less than a month, and already I can see a steady stream of exploit attempts targeting plugins that I do not have installed. I will post some of the links just to give a better understanding of what I am referring to.

  • /wp-content/plugins/fb-infiltrator/formsubmit.php
  • /wp-content/218.php
  • /wp-content/themes/archin/hades_framework/option_panel/ajax.php
  • /wp-content/plugins/Lead-Octopus-Power/css/popup.css
  • /ckeditor/ckfinder/core/connector/aspx/connector.aspx
  • /ckeditor/ckfinder/core/connector/php/conn...
Full Post Here
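As an added example (not code from the original posts), the following Python script does the triage the posts describe by hand: it parses Apache combined-format access log lines and flags two things, hits from the user agents blocked in the .htaccess rules above, and 404 probes for plugin paths that are not installed (the "goldmine" 404s). The sample log lines and the installed-plugin list are constructed for illustration; the plugin paths are two of the ones listed above.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:13:55:36 +0000] "GET /wp-content/plugins/fb-infiltrator/formsubmit.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2014:13:55:37 +0000] "GET /wp-content/plugins/Lead-Octopus-Power/css/popup.css HTTP/1.1" 404 312 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2014:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1500 "-" "libwww-perl/6.08"
198.51.100.9 - - [10/Oct/2014:13:56:02 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
192.0.2.44 - - [10/Oct/2014:13:57:10 +0000] "GET /wp-content/plugins/akismet/akismet.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2014:13:57:11 +0000] "GET /about/ HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
"""
# One combined-format line: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PLUGIN_RE = re.compile(r"^/wp-content/plugins/([^/]+)/")
# User agents the post blocks in .htaccess, and a hypothetical set of plugin slugs this site really has.
BLOCKED_UA_PREFIXES = ("libwww-perl", "Microsoft-WebDAV-MiniRedir")
INSTALLED_PLUGINS = {"akismet"}

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    """Flag hits from blocked user agents and 404 probes for plugins that are not installed."""
    blocked_ua = []     # (ip, user-agent) pairs the .htaccess rules would reject
    plugin_probes = []  # (ip, plugin slug, path) for 404s on plugins we do not have
    per_ip_404 = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ua"].startswith(BLOCKED_UA_PREFIXES):
            blocked_ua.append((rec["ip"], rec["ua"]))
        if rec["status"] == "404":
            per_ip_404[rec["ip"]] += 1
            m = PLUGIN_RE.match(rec["path"])
            if m and m.group(1) not in INSTALLED_PLUGINS:
                plugin_probes.append((rec["ip"], m.group(1), rec["path"]))
    return {"blocked_ua": blocked_ua, "plugin_probes": plugin_probes, "per_ip_404": per_ip_404}

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(name, finding)
```

Point it at a real access log (one line per request) and the `per_ip_404` counts alone will surface the scanners that Statpress would show you.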