DiggingIntoWordPress

by Chris Coyier & Jeff Starr

Category: Security

That’s Not Spam: False Positives and Ham

Posted by on

Everyone loves a good comment. Readers benefit from the shared information and authors appreciate the conversation and feedback. But you gotta keep the spam out. Akismet and other anti-spam plugins do an excellent job of automating the process, but it’s a good idea to watch out for false positives: legitimate comments marked as spam. Rescuing ham comments from the spam pile promotes healthy comment threads and improves the quality and reputation of your site. In this DiW post, we explain how WordPress & Akismet deal with spam, discuss anti-spam strategy, and share some ham-saving tips and tricks.

Secure uploads, upgrade and other directories with .htaccess

Posted by on

It sucks, but a lot of plugins require certain directories to be set at CHMOD 777 for its file permissions. Of course, you should not use any plugin that requires 777 directories, but if you absolutely must, you can help protect the folder by adding a thin slice of htaccess. This works great for any directory requiring “loose-ish” permissions (i.e., anything greater than 755), and may also be useful for other key folders as well.

15 Anti-Spam Plugins for WordPress

Posted by on

During the recent book update, we needed to make some room for the new WordPress-3.1 content. The book is already over 400 pages and growing. So we have to make some hard decisions about which content is useful but maybe not needed in the book. And, as useful as long lists of anti-spam plugins might be, moving them from the book to the blog seems like a good way to free up some room while keeping the information available. So without further ado, here is a quick list of 15 anti-spam plugins to help you run a more user-friendly, hassle-free comment system.

Change Your Database Prefix to Improve Security

Posted by on

One of the awesome things about WordPress is that it’s a dynamic publishing system that uses a database to store your site’s information: posts, options, plugin and theme settings – all of this data is stored in your site’s database. It’s like the brain of your WordPress installation. Unfortunately the WordPress database is also a prime target in many website attacks. Spammers and other bad guys target various database tables with automated scripts, SQL injection, and other malicious code. Needless to say it’s critical to protect your database and keep recent backups. One of the smartest ways to protect your site’s database is to change the default table prefix to something obscure and difficult to guess. Sort of like a password.

Media Temple WordPress Hack

Posted by on

It looks like Media Temple WordPress installs have been hit with a WordPress Redirect Exploit (404 link removed 2013/10/11). We got hit here at DigWP.com, but have cleaned things up and are taking steps to prevent it from happening again. Here is what Media Temple knows so far:

WordPress Security Lockdown

Posted by on

This article is split into two parts for ez reference. First some information on the evil WordPress “Pharma Hack”, and then a recipe for protecting your site with a solid security lockdown. Choose your own adventure:

WordPress Defender: 30 Ways to Secure Your Website

Posted by on

Looking for a good book on WordPress security? If so, we’ve got great news! John Hoff’s new security e-book WordPress Defender provides 30 practical ways to secure your website from the evil forces of spam, bad bots, and malicious hackers. The book is packed with practical, common-sense security techniques that virtually any WordPress user can use to protect their site from malicious threats.

Stop Spammers with a Custom Comment Blacklist

Posted by on

I usually reserve most of my blacklisting content for Perishable Press, but after posting about using WordPress’ built-in tools to stop comment spam, several DiW readers have asked about a good custom blacklist that may be used for the “Comment Moderation” and/or “Comment Blacklist” features in the WordPress “Discussion Settings” screen. Over the years, I have built up an extensive custom blacklist of terms that has proven quite effective at keeping spam and other garbage out of the comments section, even without using any anti-spam plugins such as Akismet. It’s strictly plug-n-play, and should help protect your site (and reputation) against all sorts of malicious nonsense. So without further ado..

Media Temple, WordPress, Mass Hacking

Posted by on

Update: Media Temple is saying (404 link removed 2013/10/11) that:

  • They aren’t 100% sure the cause, but yes, it is their fault.
  • About 10% of all (gs) users were affected.
  • It’s not WordPress specific, it’s PHP specific.
  • Definitely change your passwords, definitely don’t change it back to the original password.
Code is poetry