One of my clients was hacked with the so-called "Cannot redeclare" hack. It seems closely related to the nefarious TimThumb hack, so if you've been hit by either of these hacks, you should check for the other. Apparently these hacks affect shared servers, so if you host multiple WordPress sites, chances are high that they're all infected.
It sucks, but a lot of plugins require certain directories to be set at CHMOD 777 for its file permissions. Of course, you should not use any plugin that requires 777 directories, but if you absolutely must, you can help protect the folder by adding a thin slice of htaccess. This works great for any directory requiring "loose-ish" permissions (i.e., anything greater than 755), and may also be useful for other key folders as well.
In our recent post on pimping the wp-config.php file, we explain that using strong Security Keys is an important part of securing your WordPress installation. In this post, we want to zoom-in on Security Keys and look at what they are, how they work, and how to use them to greatly improve the security of your site.
Easily, the most important file in your WordPress installation is the
wp-config.php file. It serves as your site’s base configuration file, controlling key aspects of WordPress’ functionality and enabling WordPress to do mission-critical stuff like connect to the database. Without
wp-config.php, WordPress simply won’t work. So whenever you install WordPress, one of the first things to do is pimp your
wp-config.php with some custom WP configuration tricks.
Recently, WPRecipes posted an incredibly useful technique that uses a shortcode to add private content to blog posts. This functionality makes it easy to manage leftover data, miscellaneous notes and other communication by keeping everything together with its corresponding post. Consolidating information like this helps to streamline flow and organization into the future.
Looking for a good book on WordPress security? If so, we’ve got great news! John Hoff’s new security e-book WordPress Defender provides 30 practical ways to secure your website from the evil forces of spam, bad bots, and malicious hackers. The book is packed with practical, common-sense security techniques that virtually any WordPress user can use to protect their site from malicious threats.
I usually reserve most of my blacklisting content for Perishable Press, but after posting about using WordPress’ built-in tools to stop comment spam, several DiW readers have asked about a good custom blacklist that may be used for the “Comment Moderation” and/or “Comment Blacklist” features in the WordPress “Discussion Settings” screen. Over the years, I have built up an extensive custom blacklist of terms that has proven quite effective at keeping spam and other garbage out of the comments section, even without using any anti-spam plugins such as Akismet. It’s strictly plug-n-play, and should help protect your site (and reputation) against all sorts of malicious nonsense. So without further ado..
As a dynamic blogging system, WordPress consists of PHP files (the WP core) that interact with a MySQL database to generate the web pages for your website. When everything is working properly, this dynamic interaction keeps WordPress humming along like a champ, but when your database crashes, WordPress can’t operate and will deliver the following message to your visitors:
One of the best ways to ensure strong security for your WordPress-powered site is to secure its foundations during the installation process. Of course these techniques can be implemented at any point during the life of your site, but stetting them before the game starts prevents headaches and saves time. We’ll start with the WordPress database..
As you may recall, there are a ton of configuration tricks available for the WordPress
wp-config.php file. So many in fact, that I think many people may have missed some of the choice definitions aimed at optimizing WordPress performance. In this post, we’ll explore the best ways to improve your site’s performance with WordPress’
Many WordPress users know the
wp-config.php file as the key to the WordPress database. It is where you set the database name, username, password, and location. You know the one:
Located in the
header.php file of most WordPress themes, there is an important hook called
wp_head(). This essential hook enables functions to output content to the browser in the
<head></head> area of the web document 1. In newer versions of WordPress, this hook enables WordPress to output the following three lines to your theme’s
<head></head> section 2: