The document provides tips and best practices for securing and optimizing a WordPress site beyond the basic installation. It discusses .htaccess configuration for redirects, file protection, and permalinks. It also covers hardening wp-config.php by changing passwords and salts, prefixing tables, and configuring database settings for different environments. Additional topics include plugins, revisions, debugging, and discussion settings. The presentation aims to advise beginners and developers on security, performance, and maintenance of WordPress sites.
3. A bit about me
● Custom theme developer
● No themes released
● A few plugins
This talk
● Advice for beginners
● Tips for developers
4. .htaccess
● “hypertext access”
● Controls requests to server before any PHP / WordPress processing
● Apache only (IIS?)
● Root of website (sub-directories?)
● Sometimes simple, sometimes complex!
http://httpd.apache.org/docs/
http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
5. www or not www?
● Personal choice / aesthetics
● Both should be accessible; one should redirect (301) to the other
● Tell Google Webmaster Tools!
7. www or not www?
# Use ONE of the two blocks below, never both (they would redirect in a loop)
# Force no "www"
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]
# Force "www"
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
8. Protect important files
# Protect .htaccess files
# (Apache 2.2 directives; on Apache 2.4 the equivalent is "Require all denied")
<Files .htaccess>
order allow,deny
deny from all
</Files>
# Protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
10. WordPress pretty permalinks
Include at end of .htaccess:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
12. WordPress pretty permalinks
Really bad idea for big sites:
Better:
http://ottopress.com/2010/category-in-permalinks-considered-harmful/
http://codex.wordpress.org/Using_Permalinks
13. wp-config.php
● Create your own wp-config-sample.php
● Check the file for new stuff in new versions of WordPress
● Edit and initialize BEFORE installing WordPress!
http://codex.wordpress.org/Editing_wp-config.php
http://digwp.com/2010/08/pimp-your-wp-config-php/
14. Server-dependent settings
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');
/** MySQL database username */
define('DB_USER', 'username_here');
/** MySQL database password */
define('DB_PASSWORD', 'password_here');
/** MySQL hostname */
define('DB_HOST', 'localhost');
16. Authentication Keys and Salts
Change them for every installation!
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
https://api.wordpress.org/secret-key/1.1/salt/
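Added example (not from the slides): generating the eight defines offline instead of fetching them from the api.wordpress.org URL above. It assumes PHP 7.0 or newer for random_int(); run it from the CLI and paste the output over the placeholder lines in wp-config.php.

```php
<?php
// Added example, not from the slides: generate the eight key/salt defines
// offline as an alternative to the api.wordpress.org endpoint.
// Assumes PHP 7.0+ (random_int). Run from the CLI and paste the output
// into wp-config.php in place of the 'put your unique phrase here' lines.
function example_generate_wp_salts( int $length = 64 ): string {
    $names = array(
        'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
        'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
    );
    // Same character set WordPress uses for generated passwords; it contains
    // no single quote or backslash, so the values are safe inside '...'.
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
           . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
    $max   = strlen( $chars ) - 1;
    $out   = '';
    foreach ( $names as $name ) {
        $value = '';
        for ( $i = 0; $i < $length; $i++ ) {
            // random_int() is a CSPRNG; rand()/mt_rand() are not suitable here
            $value .= $chars[ random_int( 0, $max ) ];
        }
        $out .= sprintf( "define( '%s', '%s' );\n", $name, $value );
    }
    return $out;
}

echo example_generate_wp_salts();
```

Changing the values later is harmless for data but invalidates every existing login cookie, which is also the quickest way to force all sessions out after a suspected compromise.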
20. Database table prefix
When coding database queries, don't use hard-coded table names!
A standard WP table:
global $wpdb;
$custom_query = $wpdb->get_results( "SELECT ID, post_title FROM $wpdb->posts" );
A custom table:
global $wpdb;
$custom_query = $wpdb->get_results( "SELECT field FROM " . $wpdb->prefix . "table" );
http://codex.wordpress.org/Class_Reference/wpdb
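Added example (not from the slides, not part of WordPress itself): a custom table that is created and queried through $wpdb->prefix, with the user-supplied value going through $wpdb->prepare() so the query cannot be altered by it. The table name "events" and its columns are assumed, and the activation hook assumes the code lives in a plugin file.

```php
<?php
// Added example, not from the slides. Assumed: a hypothetical custom table
// {$wpdb->prefix}events (id, owner_id, title) belonging to a plugin.

// Reading: prefix comes from $table_prefix in wp-config.php, and the
// caller-supplied value is bound with prepare() instead of concatenated.
function example_get_events_for_owner( $owner_id, $limit = 20 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'events';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE owner_id = %d ORDER BY id DESC LIMIT %d",
        (int) $owner_id,
        (int) $limit
    );
    return $wpdb->get_results( $sql );
}

// Creating: dbDelta() on activation, again built from the prefix rather
// than a literal "wp_events" (note the two spaces after PRIMARY KEY,
// which dbDelta's parser requires).
function example_install_events_table() {
    global $wpdb;
    $table           = $wpdb->prefix . 'events';
    $charset_collate = $wpdb->get_charset_collate();
    $sql = "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        owner_id bigint(20) unsigned NOT NULL,
        title varchar(200) NOT NULL,
        PRIMARY KEY  (id),
        KEY owner_id (owner_id)
    ) {$charset_collate};";
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    dbDelta( $sql );
}
register_activation_hook( __FILE__, 'example_install_events_table' );
```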
22. Server needs FTP for upgrades?
define( "FTP_HOST", "ftp.example.com" );
define( "FTP_USER", "myftpuser" );
define( "FTP_PASS", "hQfsSITtKteo1Ln2FEhHlPkXZ" );
24. Debugging
define( 'WP_DEBUG', true );
http://dev.example.com/?debug=1
switch ( $_SERVER['HTTP_HOST'] ) {
    case 'dev.example.com':
        // Dev server
        define( 'WP_DEBUG', isset( $_GET['debug'] ) );
        break;
    default:
        // Live server
        define( 'WP_DEBUG', false );
        break;
}
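Added example (not from the slides): the same dev/live switch, but keyed on a server-side marker rather than $_SERVER['HTTP_HOST'], which is only the Host header the client chose to send, and with debug output kept out of the rendered page on both environments. It assumes the dev vhost sets an environment variable WP_ENV=dev (for Apache, via SetEnv); anything else is treated as live.

```php
<?php
// Added example, not from the slides. Goes in wp-config.php before
// wp-settings.php is loaded. Assumption: the dev vhost sets WP_ENV=dev
// (e.g. Apache "SetEnv WP_ENV dev"); any other value means live.
$wp_env = getenv( 'WP_ENV' ) ? getenv( 'WP_ENV' ) : 'live';

if ( 'dev' === $wp_env ) {
    // Dev: debugging on demand (?debug=1), written to wp-content/debug.log
    // instead of into the page. debug.log sits inside the web root, so deny
    // web access to it with a <Files> block like the ones for .htaccess.
    define( 'WP_DEBUG', isset( $_GET['debug'] ) );
    define( 'WP_DEBUG_LOG', true );
    define( 'WP_DEBUG_DISPLAY', false );
} else {
    // Live: never show notices or warnings to visitors. PHP's own
    // display_errors is switched off as well, for errors raised before
    // WordPress installs its handling or by code that bypasses it.
    define( 'WP_DEBUG', false );
    define( 'WP_DEBUG_DISPLAY', false );
    @ini_set( 'display_errors', '0' );
}
```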
25. Control revisions and autosave
// Only keep 3 revisions of each post
define( 'WP_POST_REVISIONS', 3 );
// Or: don't keep revisions of posts at all
define( 'WP_POST_REVISIONS', false );
// Autosave posts interval in seconds
define( 'AUTOSAVE_INTERVAL', 60 );
30. Custom theme functions.php / "functionality" plugin
● Snippets not worth making into a plugin
● Plugin is more portable
● Check out /mu-plugins/
http://justintadlock.com/archives/2011/02/02/creating-a-custom-functions-plugin-for-end-users
http://wpcandy.com/teaches/how-to-create-a-functionality-plugin
http://codex.wordpress.org/Must_Use_Plugins
31. Disable upgrade notifications for people who can't do upgrades
if ( ! current_user_can( 'update_core' ) ) {
    // Stop the version check from running for this user
    // (closures replace create_function(), which is removed in PHP 8)
    add_action( 'init', function () {
        remove_action( 'init', 'wp_version_check' );
    }, 2 );
    // Short-circuit the core-update option so no "update available" notice is built
    add_filter( 'pre_option_update_core', function () {
        return null;
    } );
}
34. Plugins
Force Strong Passwords. Copies WordPress's JavaScript
password strength meter into PHP and forces “executive” users
to have a strong password when updating their profile.
http://wordpress.org/extend/plugins/force-strong-passwords/
Google XML Sitemaps (or equivalent).
http://wordpress.org/extend/plugins/google-sitemap-generator/
Use Google Libraries.
http://wordpress.org/extend/plugins/use-google-libraries/
WordPress Database Backup.
http://wordpress.org/extend/plugins/wp-db-backup/
35. Other issues
● File permissions
http://codex.wordpress.org/Hardening_WordPress#File_permissions
● .htpasswd for /wp-admin/
● Settings > Discussion