In this simple how-to guide, we will look into how to enable HTTPS for free, provided that you have your own hosted WordPress blog (just like in my case). This ensures that the connection to our WordPress site is secure.
Recently my site was down, and it appears that my old hosting provider, XenServ, decided to bid farewell to their business, and poof, there goes my site along with it. I thought I had lost it all, because the only cPanel backup I had was dated somewhere in December 2012. But little did I know that I had installed an addon called WordPress Backup to Dropbox.
It’s a nifty addon that actually backs up your WordPress (your whole site including pictures, posts, addons and what-not) along with the database to Dropbox, and best of all, I don’t have to worry about running it manually; it runs automatically at a configured time. The problem with backups is that you need to take the proactive step of doing them weekly, monthly or daily, but with this I do not have to worry at all; it just does it by itself. The nice thing about this addon is that it uses Dropbox OAuth, which means that you authenticate the application and it does not store your username/password, much like how Twitter/Facebook OAuth works.
Security is no doubt important. We have all heard about WordPress blogs getting hacked, whereby the hacker compromises someone’s blog. It can be a nasty thing, especially if the hacker decides to post explicit pictures or steal valuable information that you may store within your blog, or worse, he/she could silently include some sponsored links without you knowing, to generate hits to their site. Of course you have heard of the usual security tips such as secure your website, use a strong password and things like that.
In this post I would like to explain two-factor authentication and how it can help to secure your WordPress. Before that, you need to know a thing or two about information security. I am not going to bore you with a lecture, but rather give you a simple explanation. An ATM (Automated Teller Machine) is a good example: if you want to withdraw money from an ATM, firstly you need an ATM card (duh!). That alone does not grant you permission to withdraw; instead you are asked for a PIN. So if you are a bad guy trying to steal money from an ATM, not only do you need an ATM card, but you would also need a PIN. This is how two-factor authentication works. It’s just another layer: first you prove who you are to the server, and the server then asks you to enter a generated code or a special PIN to validate that it is really you.
Two-factor authentication is not something new; in fact a lot of banks in Europe use it. A prime example in Malaysia would be HSBC. HSBC online banking requires you to carry a small authenticator. When you enter your password you are presented with a “challenge” question (a random number); you’ll have to key the “challenge” into your device and it generates a response. This is how the server verifies it is really you. It makes it impossible for outsiders to hack the password using existing password-cracking tools.
Apart from banking, two-factor authentication is commonly used in gaming, particularly in MMORPGs; an example would be the Battle.net authenticator, which is used in World of Warcraft.
Installing for WordPress
Thankfully Google made their authenticator system public, which simply means that it can be used for any application out there. People have used it and adapted it for various different applications. One example would be the Guild Wars 2 authentication system. Of course some nice soul decided to port it to be used with WordPress as well. So basically all you need is an iPhone/iPad, Android device or BlackBerry to generate a number for you. You may download the authenticator from here.
Just keep in mind that you need a smartphone as well as WordPress 3.x. I am told that there are physical devices out there that would do the trick, but your best bet is to use a smartphone. If you do not have a smartphone, BlueStacks comes in handy (it allows you to run Android applications on top of Windows/OSX). You may want to take a look at that as well, but I do not recommend running the authenticator on a PC; it defeats the entire purpose if your PC is compromised.
Oh yes, you may download the plug-in from here and install it directly to your WordPress, or alternatively install it directly within WordPress itself via the plugin section. Thank you Henrik.Schack for creating this awesome plug-in for WordPress!
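The number the phone generates is a time-based one-time password (TOTP, RFC 6238), the scheme Google Authenticator implements: phone and server share a secret and each derive the same 6-digit code from the current 30-second time step. The sketch below is an added example, not part of the original post and not the plug-in's own code; the function names, the one-step drift window, the replay check and the sample secret (the RFC 6238 test key) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid for (Google Authenticator default)
DIGITS = 6   # length of the code shown on the phone


def decode_secret(b32: str) -> bytes:
    """The shared secret travels in the QR code as Base32; ignore spaces and case."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, digits: int = DIGITS) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(now) // STEP, digits)


def verify(secret: bytes, code: str, now: float, last_used: int = -1, window: int = 1):
    """Server side: return the matched time step, or None if the code is rejected.

    window=1 tolerates one step of clock drift in either direction. The caller
    stores the returned step as last_used so a captured code cannot be replayed.
    """
    current = int(now) // STEP
    matched = None
    for step in range(max(0, current - window), current + window + 1):
        expected = hotp(secret, step).encode()
        # compare_digest does not reveal through timing how many digits matched
        if hmac.compare_digest(expected, code.encode()) and step > last_used:
            matched = step
    return matched


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test key, not a secret to use on a real site.
    secret = decode_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = time.time()
    code = totp(secret, now)
    step = verify(secret, code, now)
    print("code", code, "accepted at step", step)
    print("same code again:", verify(secret, code, now, last_used=step))
```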
Configuring Google Authenticator for WordPress
Activating the plug-in will not enforce two-factor authentication for every user in your WordPress blog. Instead you have to configure it on a per-user basis. I highly recommend enabling two-factor authentication for accounts with administrator rights.
Activate the plug-in and go to the Users -> Profile and Personal options page, in the Google Authenticator section.
You should see a screen something like that. Fill it up and just follow the instructions. It’s pretty straightforward. Once you have configured it, you’ll be presented with something like this. All you have to do is scan the QR code using Google’s authenticator application on your Android smartphone/iPhone/BlackBerry device.
Once the code is scanned, you’ll see a new entry in your Google Mobile Authenticator. So the next time you want to sign in, you’ll have to enter your code along with your password, as shown below.
Discussion & Conclusion
There are a few things that you should know before implementing two-factor authentication:
Your site has to be secure enough (that is, your plugin folder, FTP, SQL and HTTP server are secured). If it is not, an attacker could compromise your site in many other ways, which makes having two-factor authentication pointless.
Two-factor authentication protects against brute-force password attacks against the wp-admin page. Combined with other plugins, you can “block” people who have tried to enter your site after too many attempts.
If you lose your phone, you are pretty much dead (and you would have to manually disable the addon via phpMyAdmin and edit a few things).
You’ll have to configure it for each and every user of your WordPress if you would like to fully secure it. It becomes troublesome – this is why I highly recommend doing it for Administrators only!
Certainly there are advantages to using two-factor authentication, mainly to make your site much more secure and to scare script-kiddies away. To determine if this is the right thing for you or not, I recommend you try it out first.
First of all, we all know that WordPress just kicks butt. It’s one of the coolest pieces of blogging software that I’ve ever used. One thing that most of us wouldn’t take for granted is that WordPress includes a nifty feature known as XML-RPC Ping. I know it sounds too geeky and technical, but it’s a great tool.
Trust me on that one, it would seriously get you a couple of visitors and readers for your blog if you have good content in it or if you have something that you would like to share with other folks. It’s a nice way to get traffic without doing anything. All you have to do is just post and then forget about it. Well, it’s not like you have to click advertisements or register through some sites and get referrals to get traffic. It’s just for lazy folks such as myself and it doesn’t even hurt your blog at all.
Well, what are you waiting for then – just click on read more and get some information about it!
I’ve just found out today that by default a WordPress installation doesn’t protect the plug-ins and themes folders, which enables script-kiddies to explore and steal your theme and your work and claim it as theirs, especially if you have purchased a theme. Anyway, there are a couple of methods to protect your WordPress plugins and themes folders. I am sure you have heard of the 403 Forbidden method, whereby you restrict access to the folder when there is no index file. Alternatively you may place a blank index.html or PHP file in these folders to prevent the directory from being listed.
Anyhow, those methods are ‘old skool’ style and they will never do anything. To teach these script-kiddies a lesson, we must take their own method and use it against them. Get the point? It’s by rick rolling them. I created a simple PHP script that redirects them to this site (WARNING: Don’t click it, trust me, you don’t want to get rick rolled). You may download this simple PHP script by clicking here. Place it in the /wp-content/plugins and /wp-content/themes folders. Alternatively you may place it in the /wp-content/ folder as well, just to be extra safe. Now, whenever they try to access your plugins/themes folder, they will be redirected to another site and voila, rick rolled. Two things in one. Next time I am trying to make it open multiple windows so that it sucks more RAM out of their PC, and it will teach these script kiddies a lesson not to mess with someone’s site. Oh, it works for everything, not only WordPress. If you want to protect a directory properly I would suggest you use .htaccess, but if you want to teach these people a lesson then the best method would be by rick rolling them. Imagine, using their own tricks against them! Now you don’t have to worry about those pests (well, not really, but at least it would stop some of them).
Repel Spray, it just works – yeah, even for script kiddies!
For those of you who do not know what a Rick Roll is, I would suggest you read this article over at Wikipedia.
Finally, I’ve managed to scrap my old look and upgraded my blog with a better looking theme. Customizing CSS was a pain in the butt. Imagine, it does take some time for you to tweak it till you get the perfect layout that you want. Anyhow, I hope that you enjoy this new theme as opposed to my old messy theme. It’s organized now, and it looks way better than last time. Here is the changelog:
Chat Box – It’s easier for me to rick roll blog roll you guys as opposed to last time. If you think that you would like to exchange links, go ahead and post it there. I would certainly add you and I would be stalking you as well (nah, I’ll just visit your blog or your site from time to time).
Cleaner Layout – Last time it used to be so messy, but now everything has been cleaned up; my site looks better and it’s much more presentable.
New Plugin – Commentluv. I found this plug-in over at Jessica’s blog. While lurking around, I found that this is the plug-in that I’ve been looking for for a long time. It’s a nifty plug-in that, when a user replies, states what their latest blog post entry is. It’s nifty and I think it would attract more people to post comments here as well (hence making it lively).
Fixed Footer – Phew, that took a long time to correct. Made it more elegant, and I’ve included my copyright information as well so that leechers don’t leech away. I guess I need to scout for a copyright protection thingy or something like that.
I am not satisfied yet; there are lots of things that I should do to make this blog more attractive, especially content-wise. I guess I’ll be blogging about real life issues again.
There are lots of other things for me to do as well, mainly optimising the site layout, writing better guides and explaining the things that are going on. It’s been ages since I’ve talked about current issues. So for now, do enjoy my new site layout!
Just to let you guys know that the upgrade went smoothly thanks to this very plug-in that made it possible, WordPress Automatic Upgrade. All I have to do is answer a few questions and it does the upgrade for me without my worrying about anything. You should give it a shot. Anyhow, I am going to review this plug-in very soon and even post a step-by-step tutorial on how to use it.
For those of you who are geeky and would like to read the changelog (aka the upgrades), you may want to click here (WordPress 2.6.2 Release).
Just upgraded my WordPress installation from 2.6.0 to 2.6.1. According to the folks over at WordPress.org, they have fixed over 60 bugs, exploits and other things in their code. In other words, it just makes your WordPress installation even more secure. The upgrade process was a breeze, to be honest; they have made it easier for folks to upgrade from one version to another. Do take note, it’s recommended that you back up your wp-content. What I basically did was rename the folder to wp-content1 and then copy it over to my desktop via FTP (precautionary steps of course – it’s better to take ’em). Then I uploaded the whole set of installation files, removed the original wp-content and renamed my old wp-content1 back to wp-content. Guess what – it did the trick. Of course I had to enable my plug-ins and reconfigure some of them. At the same time, I updated most of my plugins to the newest and greatest version.
Verdict: Overall, I would recommend you upgrade your WordPress installation from 2.6.0 to 2.6.1 as it’s safer for your blog. The installation was a breeze for me and there weren’t any hiccups along the way (knock on wood). Imagine if there were hiccups – I would be dead by now, or worse, crying in a corner the whole day long. True, you may call me emo, but how would you feel if you had just lost your whole blog because of your silly mistake(s)? Anyhow, kudos to the WordPress team for enabling average bloggers such as me to upgrade the software without any problem or playing around with the settings. Do keep up the good job. Although it’s not a major update, it’s still better than nothing. Bug fixes are important for me compared to features!
Reporting for you guys,
Psst – I promise to post more real life pics, more informative articles and other things. I promise, but I’m just too excited about this new WordPress 2.6.1,
As a new user of WordPress, there are many things that we can do. This thing is highly customisable – you could pretty much do as you like. This is what I am looking for in any service (including software): the ability to customise things. Here are some of the plugins that I use (I’ve managed to get some of them by myself, and others were contributed by folks in lowyat.net and on the Internet. I’ve included the credits as well).
All in One SEO Pack (Recommended by vkeong) – What it basically does is optimise the header, keywords and everything for search engines, meaning that spybots spiders can easily track your site. As the old style typing goes:
1. Install All In One SEO Pack
2. Configure it
3. ??????
4. Profit!
ShareThis – As the name suggests, it allows you to share your blog posts via Digg, Facebook, e-mail and a lot of other choices. You can even bookmark it to any online bookmark storage system. This is a neat tool. I just find it useful; who knows – maybe someone out there may be interested in digging my article.
Youtube Brackets (Thanks Caroline) – A must-have addon if you want to link YouTube videos. It makes it even easier than embedding the video using YouTube’s code. This is installed in WordPress hosted blogs, but if you are hosting your own blog like me then you’ll find this addon handy, especially if you want to rick roll someone or include some video for the lulz.
WordPress PDA & iPhone – It is a must-have, especially if you want mobile users or those who are on a PDA/iPhone/iPod Touch to view your site. It is annoying when you view a site such as this on a mobile phone (especially Mobile Internet Explorer), as it sucks. Another reason is that if you are on EDGE/GPRS/3G/HSDPA then you’ll have to pay a lot of data charges, as there are lots of images, text, ads and Flash animations that you’ll have to download. This is a must-have if you have lots of mobile users or if your site is catered for mobile users. I’ll describe/blog more about this plug-in. I find it very useful.
Akismet – I think this is the one that you can’t live without. It keeps spam at bay and under control too, which is useful to protect your blog against spambots which will occasionally spam your boards comments with links to pornography websites, gambling sites and all those unwanted sites. You’ll have to get an API key from WordPress in order to activate this, which requires a free registration over at WordPress.com. Oh, one more thing: do not share your API key; it’s meant for your account only – it’s just like your password.
WP Super Cache – Recommended to save bandwidth and cut down usage of bandwidth, as it caches your blog. Hence no new content has to be downloaded to your readers’ PCs. This is true when you have limited bandwidth and if your blog is really popular. I would recommend you to install it.
There you go, this is all that I have for now. If I have time, I will certainly update this page with the plug-ins that I use and share them with you guys. After all, sharing is caring.
There we go, some of the WordPress plugins that I am using right now. I think I left out a couple of other plugins. But fear not, I’ll include them tomorrow. For now, my eyes are getting tired and too heavy to keep open. If you’ll excuse me, I’ll have to hit slumberland. Here is something for you to ponder in the meantime: