Six Steps to Secure Your WordPress Site

There’s a great breakdancing move called 6-step. If you’ve seen breakdancing, you’ve probably seen this before, but, like me, didn’t know what to call it. Basically, the dancer supports himself on his arms while moving his feet around in a circle. It’s great for getting momentum and launching other moves.

Why do I bring this up? You may have heard about the ongoing attacks against WordPress sites. It appears someone is using up to 90,000 different IP addresses to launch brute-force attacks against sites built with WordPress and are gaining access to some sites. Stupidly, they are trying to gain access with the username “admin” and trying to figure out the password for said user.

Here’s the WP 6-step, which will help secure your WordPress site against attacks:

1) If you have a username “admin” on your site, create another administrator user with a different name, log in as that user, and delete “admin”. If you don’t have a user named “admin”, they will just waste their time attacking your site. From my first-hand experience, changing this is extremely important to making your site secure. Attackers always start by using the “admin” username, and just having it as a valid account will leave you open.

Don’t stop there though!

2) Beef up your passwords. While standard practice for a secure password is to use eight characters with a mix of lowercase and uppercase letters, numbers, and symbols – there’s a better way. Create a password from a story. Something memorable to you. Something people can’t easily find out without knowing you personally.

As an example: My band and I played a show in Johnson City, TN at a coffee shop and while we played one song, this guy gets up and starts dancing. He was probably in his late 50’s and he’s doing this wiggly, hippie dancing literally feet from us. We were trying not to die laughing while finishing the song. After the show, we discovered the coffee shop owner also owned the laundromat next door and had to go fix a washer. Did I mention it took an hour longer than normal to get there because a bunch of big rigs crashed on the same stretch of highway?

Some passwords one could glean from this story: DanceWasherBigRigCoffee, CoffeeWasherJohnsonLaundry, HighwayCoffeeDanceHippie, etc. See how easy it is to come up with a secure password? You could then throw in the year and an exclamation point, just to satisfy all the traditional password requirements too. Attackers wouldn’t know the story, and the length of the password is over 15 characters, making it basically impossible to figure out using a brute-force attack.

3) Limit login attempts. Part of this current attack is trying different passwords over and over again until they get it correct. While it’s silly that WordPress allows this, you don’t have to. There are several great security plugins that allow you to limit login attempts before locking that IP address out of your WordPress site:

I’m sure there are more, but those are three I have experience with. Each has its upsides and shortcomings, but anything you can do to thwart an attacker and secure your site is a good thing.
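To show what “limit login attempts” actually means under the hood, here is a small must-use plugin I wrote as an added example; it is not code from this post or from any of the plugins mentioned. It uses only WordPress hooks and functions that exist in core (`wp_login_failed`, `authenticate`, `wp_login`, transients). The attempt limit, lockout length, and the `lfl_` names are my own choices for the example.

```php
<?php
/*
Plugin Name: Limit Failed Logins (added example)
Description: Lock an IP out of wp-login after too many failed attempts, using transients.
*/

// Example settings (assumptions, tune to taste): five failures in a row
// earn a fifteen-minute lockout for that client IP.
define( 'LFL_MAX_ATTEMPTS', 5 );
define( 'LFL_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// One transient per client IP. REMOTE_ADDR is used directly here; behind a
// proxy or CDN you would read the real client IP from the header your proxy
// sets (and only that header), otherwise every visitor shares one counter.
function lfl_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lfl_' . md5( $ip );
}

// wp_login_failed fires once per failed attempt. Bump the counter and reset
// its expiry, so hammering the login form keeps the lockout alive.
function lfl_record_failure( $username ) {
    $key      = lfl_transient_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, LFL_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'lfl_record_failure' );

// Refuse authentication once the IP is over the limit. Priority 30 runs after
// WordPress' own username/password check (priority 20), so a correct password
// from a locked-out IP still gets this error instead of a session.
function lfl_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( lfl_transient_key() ) >= LFL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lfl_check_lockout', 30, 3 );

// A successful login clears the counter so a legitimate user is not
// penalised for a couple of earlier typos.
function lfl_clear_on_success( $user_login, $user ) {
    delete_transient( lfl_transient_key() );
}
add_action( 'wp_login', 'lfl_clear_on_success', 10, 2 );
```

Drop the file into `wp-content/mu-plugins/` and it is active with no settings screen. It only covers `wp-login.php`; the dedicated plugins also handle things like XML-RPC and give you a log of who got locked out, which is worth having when an attack like the current one is going on.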

4) Use some kind of caching plugin. WordPress, by itself, is pretty good, but it still needs to talk to the database to load each page. Caching plugins make copies of everything so your site loads faster. While it doesn’t seem like this can help make your site secure, serving cached pages instead of hitting the database on every request can help your site withstand certain types of attacks, as well as sudden increases in popularity.

5) This is standard WordPress advice: keep WordPress, plugins, and themes up-to-date. I usually advise people to check once a week. You should be adding content each week anyway, so knock out both at the same time.

6) Delete unused plugins and themes. While this won’t help much with the current attack, these unused items could cause problems in the future. And if you’re not using them, why keep them around?

See? Six simple steps and you’re more secure and don’t need to worry about people attacking your site. Yeah ok, I’m not a comedian and the dance thing was random. But seriously, take steps to secure your site before you have to call someone like me to fix it.

ArtistDataPress version 0.6 released!

I’ve added some really cool stuff in this release and I’m proud to announce it’s officially out!

First off, I’ve added feed caching. Let me ‘splain. Before, ADP would go ask ArtistData’s servers for your info every time you reloaded the page. You may have noticed how slow that was. Fortunately, WordPress has a way that I could save the feed data when I fetch it from ArtistData and it makes everything much, much faster! The one trade-off is you’ll need to wait about an hour for new events to show up on your site. If that needs to be changed, please let me know and I’ll alter the timing based on your feedback. But I figure an hour is short enough.
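The “way WordPress has” to save fetched data is the Transients API. As an added illustration, not ArtistDataPress’s own code, here is the pattern with a one-hour lifetime like the one described above. The feed URL, the `example_` function name, and the timeout value are placeholders for this example.

```php
<?php
// Added example (not ArtistDataPress code): fetch a remote XML feed at most
// once an hour by keeping a copy in a WordPress transient.

function example_get_feed_xml( $feed_url ) {
    // One cache slot per distinct feed URL.
    $key = 'example_feed_' . md5( $feed_url );

    // Serve the saved copy while it is still fresh.
    $cached = get_transient( $key );
    if ( false !== $cached ) {
        return $cached;
    }

    // Otherwise go to the remote server through the WP HTTP API.
    $response = wp_remote_get( $feed_url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        // Do not cache failures; the next page load simply retries.
        return false;
    }
    $body = wp_remote_retrieve_body( $response );

    // The trade-off from the post: new events can take up to an hour to
    // appear, because this copy is reused until HOUR_IN_SECONDS elapses.
    set_transient( $key, $body, HOUR_IN_SECONDS );
    return $body;
}

// Parse the stored XML without letting libxml reach out over the network
// for external entities or DTDs; the feed is remote content, so treat it as
// untrusted input.
function example_parse_feed( $xml_string ) {
    $previous = libxml_use_internal_errors( true );
    $doc      = simplexml_load_string( $xml_string, 'SimpleXMLElement', LIBXML_NONET );
    libxml_use_internal_errors( $previous );
    return $doc; // false on malformed input
}
```

To change the “about an hour” delay, only the expiry passed to `set_transient()` needs to move; everything else stays the same.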

Second, all the layouts, including widgets, are now responsive, which means they look good on mobile and tablets, as well as your laptop. This is just the way things are going in the web development world and I’m still surprised I hadn’t already built this in before.

The rest of the changes are fairly minor. I altered the way some layouts were done in the CSS to name things more consistently, and make them easier to read. I also lightened up the code a bunch by getting rid of stuff I didn’t need.

Hope you all enjoy the update, let me know of any bugs and/or suggestions.

Announcing the ArtistDataPress plugin for WordPress

ArtistDataPress displays your shows calendar on your WordPress blog and automatically matches your theme!

If you’ve been using ArtistData and didn’t care for their iFrame calendar widget, I’ve got the solution for you: ArtistDataPress! I wanted a way to display my band’s calendar on their site and on mine, but the AD iframe widget could only be styled once, which left my site with a calendar that didn’t match the rest of my theme. ArtistDataPress takes the raw XML shows feed and makes it into an easy-to-style calendar for any page or post. There’s even a sidebar widget! You can choose what parts of the show information you want people to see through both the page and widget options. You can download it from the WordPress Plugin Directory. You can read up on the plugin, its features, and get the FAQ on the plugin’s page.

Announcing the BP Profile Gallery Widget for BuddyPress

Slushman publishes the BP Profile Gallery Widget plugin, which displays either a Flickr, Picasa, or Photobucket slideshow.

I recently published a new BuddyPress plugin in the WordPress directory: BP Profile Gallery Widget. While working on the Towermix Network for Belmont University’s Curb College, they wanted a way for the users to show off their work, specifically, photos they’ve taken or had taken of them. I put together this widget that displays a slideshow from either Flickr, Picasa, or Photobucket. You can download it from the WordPress Plugin Directory. You can read up on the plugin, its features, and get the FAQ on the plugin’s page.

Announcing the BP Profile Video Widget for BuddyPress

Slushman publishes the BP Profile Video Widget plugin, which displays a YouTube or Vimeo video on your BuddyPress profile.

I recently published a new BuddyPress plugin in the WordPress directory: BP Profile Video Widget. While working on the Towermix Network for Belmont University’s Curb College, they wanted a way for the users to show off their work, specifically, videos they’ve made or been in. I put together this widget that displays a video from either YouTube or Vimeo. You can download it from the WordPress Plugin Directory. You can read up on the plugin, its features, and get the FAQ on the plugin’s page.

Announcing the BP Profile Music Widget for BuddyPress

Slushman publishes the BP Profile Music Widget plugin, which creates a player from either Bandcamp, Tunecore, Reverbnation, NoiseTrade, or SoundCloud.

I recently published a new BuddyPress plugin in the WordPress directory: BP Profile Music Widget. While working on the Towermix Network for Belmont University’s Curb College, they wanted a way for the users to show off their work, specifically, music they’ve recorded or played on. I put together this widget that displays one of the following music players: Bandcamp, Tunecore, Reverbnation, NoiseTrade, or SoundCloud. You can download it from the WordPress Plugin Directory. You can read up on the plugin, its features, and get the FAQ on the plugin’s page.

Announcing the BuddyBar Widget for BuddyPress

Slushman publishes his first plugin, the BuddyBar Widget for BuddyPress. The widget places all the links on BuddyPress’s BuddyBar in a sidebar widget.

My first WordPress plugin was recently published in the WordPress directory: BuddyBar Widget. While working on the Towermix Network for Belmont University’s Curb College, they asked about getting rid of the Admin Bar across the top of the page, which is part of the default installation of BuddyPress. Since the BuddyBar (as some call it) contains all the links necessary for managing one’s account, this posed a problem. After some hacking and research, I found out how those links were structured and put them all into a nice little sidebar widget. I’ve called it the BuddyBar Widget and you can download it from the WordPress Plugin Directory. You can read up on the plugin, its features, and get the FAQ on the plugin’s page.