WordPress 3.8.1 – things to do

So, this will be my little guide, mostly for myself (if I did something wrong please let me know 🙂 ), to keep better control over the usual WordPress chores, not bugs, but let’s say things to do to make a fresh install cleaner, more SEO friendly and more secure…

First of all, I usually remove the meta generator tag (it advertises the exact WordPress version), the RSD link (it points straight at xmlrpc.php), the wlwmanifest link and all the rss rel and feed links from the header. The best place for this is your child theme’s functions.php; if you don’t have a child theme you will need to create one first. Follow this tutorial to create a child theme, then start cleaning up the mess by adding the code below to the child theme’s functions.php. The same functions work from the main theme’s functions.php too, but they will be lost on the next theme update. The same result can be achieved with the WP Clean Head plugin.

// Remove meta generator (WP version) from site and feeds
if ( ! function_exists( 'mywp_remove_version' ) ) {
    function mywp_remove_version() {
        return '';
    }
    add_filter( 'the_generator', 'mywp_remove_version' );
}

// Clean the header of unneeded links
if ( ! function_exists( 'mywp_head_cleanup' ) ) {
    function mywp_head_cleanup() {
        remove_action( 'wp_head', 'feed_links', 2 );                       // post and comment feeds
        remove_action( 'wp_head', 'feed_links_extra', 3 );                 // category, tag, author ... feeds
        remove_action( 'wp_head', 'rsd_link' );                            // Really Simple Discovery link (advertises xmlrpc.php)
        remove_action( 'wp_head', 'wlwmanifest_link' );                    // Windows Live Writer manifest link
        /* remove_action( 'wp_head', 'index_rel_link' ); */                // index/canonical link, keep it for SEO
        remove_action( 'wp_head', 'parent_post_rel_link', 10 );            // link to the parent post
        remove_action( 'wp_head', 'start_post_rel_link', 10 );             // link to the first post
        remove_action( 'wp_head', 'adjacent_posts_rel_link_wp_head', 10 ); // prev/next links for adjacent posts
        remove_action( 'wp_head', 'wp_shortlink_wp_head', 10 );            // shortlink (exposes the ?p=ID form of every URL)

        // Inline CSS injected by the Recent Comments widget; the widget
        // object only exists once widgets are registered, hence the isset()
        global $wp_widget_factory;
        if ( isset( $wp_widget_factory->widgets['WP_Widget_Recent_Comments'] ) ) {
            remove_action( 'wp_head', array( $wp_widget_factory->widgets['WP_Widget_Recent_Comments'], 'recent_comments_style' ) );
        }

        // Inline CSS injected by the [gallery] shortcode
        add_filter( 'use_default_gallery_style', '__return_false' );
    }
    add_action( 'init', 'mywp_head_cleanup' );
}

In WordPress – Settings – Permalinks select Custom Structure and enter /%category%/%postname%/ or just /%postname%/ in the textbox …
In WordPress – Settings – More to come

Security issues

These days WordPress blogs are constantly under brute force attacks from botnets that try password lists against the login form and crawl the site for usernames and plugins… to deal with it consider the following:

– on installation, change the database table prefix and pick a strong database username / password. If WordPress is already installed with the default “wp_” prefix, use the “Change Database Prefix” plugin to rename the tables. Keep in mind the prefix change is obscurity only: an attacker with SQL injection can read the real table names from information_schema, so it mostly defeats canned scripts, not a determined attacker.

– don’t use “admin” as the account name, and also delete the first account that was created automatically with id=1 (before deleting it, create a new administrator account with a strong password and log in with that one; WordPress will ask you to attribute the old account’s posts to the new user)

– under Users / Your Profile don’t use the same “nickname” and “username”, and set “Display name publicly as” to the nickname. You log in with the username while your posts and comments show the nickname, so the login name is not printed on the page. Note that this is only partial cover: the author archive URL (/author/…/) is built from the user’s nicename, which defaults to the username, and a request like ?author=1 redirects there, so bots can still enumerate login names unless you also change the nicename or block those requests.

– install plugins: Akismet, WP Super Cache, Limit login attempts, Captcha by BestWebSoft…

– if you are the only user, create a .htaccess file in the wp-admin folder that blocks everyone except you (your static address if your ISP assigns one, or your ISP’s address block if it is dynamic). The /8, /16 and /24 lines below are alternatives, not a list to copy as-is: pick the smallest block that actually covers you, a /8 is 16 million addresses. Two caveats: the Order/Deny/Allow syntax is the Apache 2.2 form (on 2.4 it needs mod_access_compat, the native equivalent is Require ip), and blocking wp-admin also blocks wp-admin/admin-ajax.php, which some themes and plugins call for anonymous visitors, so watch for breakage on the public site …

Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
Allow from xxx.0.0.0/8
Allow from xxx.xxx.0.0/16
Allow from xxx.xxx.xxx.0/24
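The Limit Login Attempts plugin mentioned above counts failures inside WordPress; the same brute force is also visible in the web server access log, and reading it there catches attempts against xmlrpc.php too, which the login form plugins do not see. The following script is an added example, not part of the original guide: it parses Apache “combined” log lines, counts POSTs to wp-login.php and xmlrpc.php per source IP inside a sliding window, and prints the Deny (or Apache 2.4 Require) lines for the offenders so they can be dropped into the .htaccess files discussed here. The log lines, the 5 minute window and the threshold of 10 attempts are constructed samples and assumptions; tune them to your own traffic.

```python
"""Find login brute force in Apache access logs (added example, not from the guide)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # both accept username/password
WINDOW = timedelta(minutes=5)  # assumption: sliding window length
THRESHOLD = 10                  # assumption: POSTs per window before we call it brute force


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string (?action=lostpassword etc.)
    return rec


def is_login_attempt(rec):
    # Only POSTs count: a GET of wp-login.php is just someone loading the form.
    return rec["method"] == "POST" and rec["path"] in LOGIN_PATHS


def find_bruteforcers(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: peak number of login POSTs seen inside any `window`} for IPs over threshold."""
    recent = defaultdict(deque)  # ip -> timestamps of its login POSTs still inside the window
    offenders = {}
    for rec in filter(None, map(parse_line, lines)):
        if not is_login_attempt(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


def deny_rules(offenders, apache24=False):
    """Render .htaccess lines that block the offending IPs (2.2 syntax, or 2.4 with apache24=True)."""
    ips = sorted(offenders)
    if apache24:
        return ["<RequireAll>", "  Require all granted"] + [f"  Require not ip {ip}" for ip in ips] + ["</RequireAll>"]
    return ["Order Allow,Deny", "Allow from all"] + [f"Deny from {ip}" for ip in ips]


# Constructed sample log: one legitimate login from 198.51.100.5, then 13 login POSTs
# from 203.0.113.7 (12 against wp-login.php, 1 against xmlrpc.php) inside 60 seconds.
def _line(ip, ts, method, path, status, ua="Mozilla/5.0"):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


SAMPLE_LOG = (
    [_line("198.51.100.5", "10/Mar/2014:10:00:01 +0000", "GET", "/wp-login.php", 200),
     _line("198.51.100.5", "10/Mar/2014:10:00:09 +0000", "POST", "/wp-login.php", 302)]
    + [_line("203.0.113.7", f"10/Mar/2014:10:01:{s:02d} +0000", "POST", "/wp-login.php", 200, "libwww-perl/6.05")
       for s in range(0, 36, 3)]
    + [_line("203.0.113.7", "10/Mar/2014:10:02:00 +0000", "POST", "/xmlrpc.php", 200, "libwww-perl/6.05"),
       _line("198.51.100.5", "10/Mar/2014:10:03:30 +0000", "GET", "/2014/03/hello-world/", 200)]
)

if __name__ == "__main__":
    found = find_bruteforcers(SAMPLE_LOG)
    for ip, peak in found.items():
        print(f"# {ip}: {peak} login POSTs within {WINDOW}")
    print("\n".join(deny_rules(found)))
```

Run it against a real log with `find_bruteforcers(open("/var/log/apache2/access.log"))`; the GET of the login form from the legitimate user is ignored and only the attacker’s POST burst trips the threshold. Blocking by source IP is a stop-gap, since botnets rotate addresses, which is why the basic-auth and allow-list rules further down are the more durable fix.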

– You should also block directory listings and, if you are the only user, put a second password in front of wp-login.php (or any other file). Open the main .htaccess file in the WordPress root folder, or create one if you don’t have it already, and add:

# Disable directory listings. Use the bare "-Indexes" form: mixing "All" with a
# +/- option is invalid Options syntax, and switching on ExecCGI/Includes in the
# WordPress root would only enlarge the attack surface.
Options -Indexes

# Drop requests whose User-Agent starts with libwww-perl (noise reduction only,
# the string is trivially changed by the attacker)
SetEnvIfNoCase User-Agent "^libwww-perl" block_bad_bots
Deny from env=block_bad_bots

# HTTP basic auth in front of the login form (Apache 2.2 style directives)
<Files "wp-login.php">
  AuthType Basic
  AuthName "log in"
  AuthUserFile "/home/xxxx/.htpasswds/passwd"
  require valid-user
</Files>

# Same pattern for any other file you want behind a password, e.g. xmlrpc.php
<Files "anyfile you want to protect">
  AuthType Basic
  AuthName "name you select"
  AuthUserFile "/home/xxxx/.htpasswds/passwd"
  require valid-user
</Files>

The first directive (Options -Indexes) stops Apache from listing the contents of folders that have no index file, so wp-content/uploads or a plugin folder can’t be browsed for file names. It needs AllowOverride Options (or All) on the host; if the host forbids it, the .htaccess will produce a 500 error and you have to ask them to disable Indexes for you.

The second block (block_bad_bots) rejects clients identifying as libwww-perl (LWP), the Perl WWW client library used by a lot of off-the-shelf scanning and spam scripts. It trims log noise, but any attacker can send a browser User-Agent instead, so don’t count it as real protection.

Then you will need to create your own AuthUserFile; use cPanel for that, it should be under something like “Password Protect Directories” in your hosting control panel. Don’t forget to change the AuthUserFile path to your own ( AuthUserFile “/home/xxxx/.htpasswds/passwd” ) and keep the file outside the web root, as in the example.

– change the permissions of wp-config.php to CHMOD 600 (read and write only for the owner). This only works when PHP runs as the file’s owner (suPHP, FastCGI/PHP-FPM pool per user); if PHP runs as the generic web server user (typical mod_php setup), 600 makes WordPress unable to read its own config and the site goes down. In that case use 640 with the web server’s group as the file group, and never leave it world-readable.

– disable the online theme and plugin editor (you can still edit files via FTP/SFTP), so a hijacked administrator session can’t drop PHP into your theme from the dashboard. Open wp-config.php and add the line below (put it right before /* That’s all, stop editing! Happy blogging. */):

define('DISALLOW_FILE_EDIT', true);

– in WordPress – Settings – Discussion untick the “Allow link notifications from other blogs (pingbacks and trackbacks)” option if you don’t need them. Note that this setting only affects new posts; xmlrpc.php itself stays reachable. That file is the WordPress pingback endpoint that has been abused for reflected DDoS and port scanning, and it also accepts username/password logins, so brute forcers use it to get around protection on wp-login.php. For real coverage protect xmlrpc.php with a password via .htaccess as shown above, or turn XML-RPC off with the xmlrpc_enabled filter if nothing (mobile apps, Jetpack, remote publishing) needs it.

More to come, I will update this tutorial as time passes; this is not everything but I think it’s a good start…
