leslie g stewart

Setting up the Google Authenticator app and plugin on WordPress

In my previous blog post Protecting Your Site From the WordPress-attacking Botnet, I mentioned adding the Google Authenticator plugin to your WordPress site. I’ve gotten some questions about what it is, what it does, and how to make it work with a WordPress site. In this screencast, I answer those three questions, and show you how to configure the Google Authenticator app on your device. Both the plugin and the app are free.


Protecting your site from the WordPress-attacking botnet

You may have read about the “lovely” botnet that’s been targeting WordPress sites (self-hosted, NOT those on wordpress.com) with lots of attempts to brute-force your admin login. No? Read about it.


Update to: secure your wordpress installations, really

A while back I posted “secure your WordPress installations. really.” and since that time, I’ve been making additional recommendations to the list of WP security plugins I listed in that post, so it’s time for an update.

In that post, I recommended the following plugins: Login LockDown, Secure WordPress, WP-Malwatch, and WP Security Scan. Ditch Login LockDown, keep the rest. Why get rid of Login LockDown? It hasn’t been updated since 2009, and its creator only reports it to work up to version 2.8.4 of WordPress.

A better replacement, with a lot more features, is Login Lock. It still lets you set the number of incorrect login attempts allowed before an IP address is locked out, but it gives more options, like enforcing strong password policies, forcing a password change every 30 days, disallowing the reuse of old passwords once they’ve been changed, and more.
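To make the two controls just described concrete (per-IP lockout after a set number of failed logins within a time window, and rejection of previously used passwords, which the Login Lockdown entry further down also covers), here is an added Python model. It is not the Login Lock plugin’s own code, and the thresholds and the sample IP addresses are assumed values, not the plugin’s defaults.

```python
# Added example, not Login Lock plugin code. Thresholds below are assumed
# settings, not the plugin's defaults.
import hashlib
import hmac
import os
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed attempts allowed before an IP is locked out
WINDOW_SECONDS = 300    # failures are counted over this sliding window
LOCKOUT_SECONDS = 900   # how long a locked IP stays blocked
PASSWORD_HISTORY = 5    # how many previous password hashes are remembered


class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> unix time the lock expires
        self.history = defaultdict(deque)    # user -> (salt, hash) of past passwords

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Record a failed login; return True if this failure triggers a lockout."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # forget failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            q.clear()
            return True
        return False

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def password_reused(self, user, password):
        # Constant-time compare against every remembered hash for this user
        return any(hmac.compare_digest(self._hash(password, salt), h)
                   for salt, h in self.history[user])

    def set_password(self, user, password):
        """Store a new password hash; return False if it matches a remembered one."""
        if self.password_reused(user, password):
            return False
        salt = os.urandom(16)
        hist = self.history[user]
        hist.append((salt, self._hash(password, salt)))
        while len(hist) > PASSWORD_HISTORY:
            hist.popleft()
        return True
```

Note that failures spread out over longer than the window never accumulate to a lockout, which is why the window length matters as much as the attempt count.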

In addition to the 3 recommended plugins above, I recommend adding the following:

Bad Behavior: This, along with Akismet, can help keep your comments free of link spam.

Block Bad Queries (BBQ): This plugin helps protect WordPress against malicious URL requests. It just quietly does its job.

Ultimate Security Checker: This is a very extensive plugin that will alert you to potential issues, and provide you with the info you need to fix them.

A heads-up: Ultimate Security Checker doesn’t seem to recognize when you have Block Bad Queries installed, and will recommend that you install it, or rather that you copy the BBQ code it provides and create a file with it. The code it provides is identical to the code in the BBQ plugin file, so I suspect it simply can’t read the folder the BBQ plugin is in. It’s a minor inconvenience, not a serious conflict.

WordPress Firewall 2: This plugin is sort of like a visual version of BBQ, in that it identifies and blocks certain types of attacks. Unlike BBQ, it actually notifies you when an attack has been detected and blocked, and tells what type of attack it was. It also provides the IP address the attack originated from, so you can take additional steps to deal with it.

None of these plugins is a substitute for keeping your WordPress core, plugins, and themes up-to-date.

WordPress plugins ahoy!


Last week I attended a Biznik WordPress Chatter event hosted by Bob Dunn. One of the questions thrown out to the group was about must-have plugins. If you’re using WordPress, you’ve probably noticed there are seemingly endless amounts of plugins to do a wide variety of things from pulling in your Twitter feed to backing up your WP database (a REALLY good idea to do regularly) to making your coffee in the morning. Okay, there is no plugin to make you coffee, but you get the idea.

Here’s a short list of what I think would be necessary and very helpful plugins to have. Not every user needs every plugin, and you don’t want to go full tilt boogie installing plugins just because you can. Install only what you need, keep up with any updates made to them, be very mindful about updating your general WP installation and how that relates to any installed plugins (deactivate your plugins BEFORE updating WP!), deactivate plugins not in use, and delete what you don’t need. In other words, keep it clean, yo!

The necessities:

  • Akismet – This comes pre-installed, but you need to activate it. Activation requires acquiring a WordPress API key. Don’t share the key, it’s user-specific. If you’re developing WP sites for other people, they each need their own key.
  • All in One SEO Pack – Optimizes your WP website/blog for robots, and gives you control over page titles, meta tags, etc. SEO is a hot-button topic, and my 2 cents is that first and foremost, your website/blog should be optimized for human beings, not robots. Feel free to argue amongst yourselves ;)
  • Contact Form 7 – Allows you to create multiple contact forms, complete with CAPTCHA.
  • Google Analytics – Track visitors, where they come from, links, downloads, and AdSense clicks.
  • Google XML Sitemaps – Creates a Google, Yahoo, MSN, and Ask-compliant XML sitemap that updates itself every time you create a new page or post.
  • Login Lockdown – Logs all failed login attempts to your WP admin area, and can be configured to block IP addresses if a certain number of failed attempts happen in a specified period of time.
  • WordPress Database Backup – You REALLY need to back up your database frequently, especially if you’re prolific. If you’re cranking out the posts on a daily basis, back that thang up weekly. If you’re posting infrequently, back it up every couple of weeks or monthly, but do it. This nifty-swell plugin will email you a copy of your database, which you should tuck away in a safe place. Please, please, please, DO NOT store your database backup on your server; it’s just asking for trouble.
  • WordPress DBManager – For more control over your WP database, including repairing and restoring, running queries, as well as creating backups, this plugin is the one to install.

Stream your life:

  • Flickpress – Pull in a designated number of photos from your Flickr account. Super easy to configure, and has a bit of flexibility with thumbnail layout and arrangement.
  • Reliable Twitter – Your tweets, now on your blog/website! If your sidebar is widgetized, adding your Twitter feed is as simple as drag and drop.

While I’ve provided links to each of these plugins, it is more efficient to search for them and install them from within your WP installation.