WordPress is definitely the best free and open source blogging and content management software available today: it is easy to get started with, very flexible and fully customizable. It runs on both Windows and Linux, and whether you are looking for a web application for blogging or a tool for personal information management, it will serve you well.
There are thousands of WordPress plugins and themes online, but the popular ones used by millions of people are not always the best. I don’t mean that they are badly designed or badly coded; it is just that there is often a better way to get the job done.
1, Block spam comments “physically” and effectively
When this topic comes up, you probably think of Akismet first, or a captcha plugin, or a plugin like Math Comment Spam Protection. But they are either not user friendly or consume unnecessary resources, and they do not succeed every time. I abandoned them long ago. There are 4 different ways to block spam comments; you can use any one of them.
Method 1, Change the form action URL
Suppose the address of your blog is “http://example.com”; then the default action URL of the comment form is “http://example.com/wp-comments-post.php”. You can change it to something else, for example “http://example.com/cd1d628231.php”, and rename the file “wp-comments-post.php” to “cd1d628231.php”.
To do this, simply replace the string “wp-comments-post.php” in the file “http://example.com/wp-content/themes/YOUR-THEME-FOLDER/comments.php” (or “http://example.com/wp-includes/comment-template.php”, depending on the theme you are using) with the string “cd1d628231.php”, then rename the file “wp-comments-post.php” in the root directory of your WordPress folder to “cd1d628231.php”. When a spam bot tries to post a comment through the URL “http://example.com/wp-comments-post.php”, it will not find the file and cannot leave a comment. Keep in mind that a WordPress core update restores “wp-comments-post.php” and overwrites “wp-includes/comment-template.php”, so the change must be repeated after each update.
Method 2, Change the form action URL on the fly
Method 3, Add a hidden field
The added field is invisible to human visitors, so they will never fill it in, but a spam bot will. If the hidden field has been filled, we can discard the comment immediately without sending it to the database.
You can modify your WordPress files manually or use a plugin such as NoSpamNX to make the modification.
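As an added example of Method 3 (this is not code from the post or from NoSpamNX), the following small plugin appends a CSS-hidden field to the comment form and, through the preprocess_comment filter, rejects any submission in which that field is filled before the comment ever reaches the database. The field name hp_trap_url is an assumed, arbitrary name.

```php
<?php
/*
Plugin Name: Honeypot Comment Field (added example)
Description: Rejects comments that fill a field human visitors never see.
*/

// Assumed, arbitrary field name; pick your own so bots cannot special-case it.
const HP_FIELD = 'hp_trap_url';

// Print the trap field inside the comment form. It is hidden with CSS rather
// than type="hidden", because bots fill what looks like a text input while
// humans never see it (tabindex="-1" also keeps keyboard users away from it).
function hp_print_field() {
    echo '<p style="display:none" aria-hidden="true">'
       . '<label for="' . HP_FIELD . '">Leave this field empty</label>'
       . '<input type="text" id="' . HP_FIELD . '" name="' . HP_FIELD . '"'
       . ' value="" autocomplete="off" tabindex="-1">'
       . '</p>';
}
add_action('comment_form_after_fields', 'hp_print_field');    // anonymous visitors
add_action('comment_form_logged_in_after', 'hp_print_field'); // logged-in users

// Runs inside wp-comments-post.php before the comment is inserted. A filled
// trap ends the request with 403, so nothing is written to the database.
function hp_check_trap($commentdata) {
    if (isset($_POST[HP_FIELD]) && trim((string) $_POST[HP_FIELD]) !== '') {
        wp_die('Comment rejected.', 'Spam detected', array('response' => 403));
    }
    return $commentdata;
}
add_filter('preprocess_comment', 'hp_check_trap');
```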
Method 4, Rename the comment field
The principle is very simple, but it works, and works well. Antispam Bee is a plugin developed for this purpose.
2, Move WordPress to a dedicated directory
If you are on shared hosting and have installed WordPress in your root domain, there will be dozens of files in the root of the “public_html” folder. This looks very messy and makes it difficult to back up your PHP files if you do not want to back up everything in “public_html” (for instance, some folders are very large and do not need to be backed up).
In this case, you can move WordPress to a new folder using this method. Another benefit is that the bad guys will no longer know the path of your “wp-admin”, “wp-content” and “wp-includes” folders.
3, Prevent unauthorized modification of your PHP files
One day, when my blog was hosted on Go*****.com, every PHP file was injected and a string like “eval(base64_decode(“aWYoZnVuY3R…” was inserted at the top of each of them; the script redirected every page to a malicious website.
I restored the PHP files from the backups, but they were infected again a few days later. So I changed the permissions of every file and folder to 505, which makes them read-only so they cannot be modified; this trick works well.
4, Prevent your WordPress installation path from being leaked
Suppose the address of your WordPress-based blog is “http://www.yourblog.com”. In most cases (over 90 percent), its installation path can be found by browsing the URL “http://www.yourblog.com/wp-includes/rss.php” or a similar one: a message like “Fatal error: Call to undefined function _deprecated_file() in … wp-includes/rss.php on line 18” appears, which reveals the absolute path of your WordPress directory to the visitor. If that visitor is a bad guy, you will probably run into trouble soon.
There are two ways to fix this problem, you can choose either one of them:
Method 1, Do not allow the theme’s PHP files to be visited directly
You can achieve this easily: simply add the following code to every PHP file of your theme (header.php, index.php, footer.php, etc.), at the top, before any other lines.
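The guard the post refers to is not reproduced on this page; what follows is an added example of the usual WordPress pattern, not the author’s own snippet. It relies on the ABSPATH constant, which wp-config.php defines, so the constant exists only when WordPress itself includes the file.

```php
<?php
// Place this at the very top of header.php, index.php, footer.php, etc.
// ABSPATH is defined in wp-config.php, so it is set only when WordPress
// has loaded and included this file. A direct request for the file finds
// it undefined; stopping here keeps PHP from reaching the theme function
// call that would otherwise fail and print the absolute path in its error.
if (!defined('ABSPATH')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access is not allowed.');
}
```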
Method 2, Do not let PHP output errors
Turn off the “display_errors” option in your “php.ini” or “php5.ini” file; if the file does not exist, simply create a new one.
5, Add a fixed toolbar at the bottom of every post
Adding the Facebook/Twitter/Google +1 buttons to your blog is easy, but if the buttons are placed just above or below the content area of the article, they disappear as the reader scrolls up or down the page. Furthermore, if you let Facebook/Google/Twitter render the share count of the page, it significantly slows down the loading of the rest of the page’s content.
If a fixed toolbar containing all the code for the Facebook/Twitter/Google +1 buttons is added at the bottom of the page, all of these problems are resolved. If you build it yourself instead of using a third-party toolbar, you can customize it with your favorite color style, add or remove any button with ease, and your website stats will not be revealed to other people.
6, Limit access to the “wp-admin” directory
You can restrict access to the “wp-admin” directory with a .htaccess file: create a file with the following contents, replace “184.108.40.206” with your own IP address, upload the file to the “wp-admin” directory, and rename it to .htaccess.
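The file contents are not shown on this page; the following is an added example, not the author’s original file, using the post’s placeholder address 184.108.40.206. It carries both the Apache 2.4 and the Apache 2.2 directive syntax and keeps admin-ajax.php reachable, since themes and plugins call it from the public site.

```apache
# .htaccess for the wp-admin directory (added example, not from the post).
# 184.108.40.206 is the placeholder address from the post; replace it with yours.

# Apache 2.4 and later
<IfModule mod_authz_core.c>
    Require ip 184.108.40.206
    # admin-ajax.php serves front-end requests from themes and plugins,
    # so it must stay reachable for everyone or those features break.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</IfModule>

# Apache 2.2
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 184.108.40.206
    <Files "admin-ajax.php">
        Order allow,deny
        Allow from all
    </Files>
</IfModule>
```

If your ISP assigns changing addresses, you will lock yourself out; use an address range (for example Require ip with a CIDR block) or fall back to password protection for the directory.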
7, Log in to your WordPress dashboard and cPanel over an HTTPS connection
If you log in to WordPress or cPanel over a plain HTTP connection, the username and password can easily be captured with Wireshark, the best free network protocol analyzer for Windows; that is to say, anyone on the local area network has a chance to get your passwords with a LAN sniffer.
If you want to prevent this, you should set up SSL (Secure Sockets Layer) on your host and log in over an HTTPS connection, for example https://yourblog.com/9fJw2Md/wp-admin/. You can visit my previous post “5 Password Security Tips and Strategies” for more relevant information.
If you like this article, don’t hesitate to share it with your friends via Facebook, Twitter or Google+, or leave a comment below.