테스트
We all agree that having a secure wordpress weblog should be our first priorities when keeping a successful blog. In this post we’d like you to share your knowledge and help us create the Wordpress Security guide to keep the bad guys out.
Below are 10 security tips that you can easily implement on your WordPress blog. Please share one or more life-savers you use permanently to help protect yourself from WordPress security issues.
1) Nobody should be allowed to search your entire server.
2) Directories should not be left open for public browsing
There is a potential problem letting people know what plugins you have, or what versions they are. If there is some known exploit that is linked to a plugin, it could be easy enough for someone to use it to their advantage. Make an empty wp-content/plugins/index.html file or just add this line in your .htaccess file in your root:
Options All -Indexes
3) Drop the version string in your Meta Tags
A large number of WordPress themes have the WordPress Meta Tag that show the version of WordPress that is running on your blog which is an easy way to get your blog prone to hackers if you didn’t upgrade to the security-enhanced file permissions on both which is pointed out by Matt Cutts. Another solution involves a plugin that sets up a secondary new version.
This tag is in the header.php file that displays your current version of wordpress.
- <meta content=”WordPress <?php bloginfo(’version’); ? />” name=”generator” />
4) Protecting your Wordpress wp-admin folder
테스트
Attackers can use bots for a brute force style of attack that simply guesses the admin password until they come up with the correct one and login. There are a couple of solutions out there, we will highlight each below.
- Limit access to wp-admin folder by IP address- This solution is to restrict which IP’s can access the wp-admin folder via .htaccess. This has one drawback is you may have to update your .htaccess folder if your internet provider assigns you a dynamic IP address, you move to another location or you have authors at other locations.
- AskApache Password Protect- The plugin is simple, it adds a 2nd layer of security to your blog by requiring a username and password to access anything in the /wp-admin/ folder. All you have to do is choose a username and password and you are done. It writes the .htaccess file, without messing it up. It also encrypts your password and creates the .htpasswd file, as well as setting the correct security-enhanced file permissions on both.
- Login Lockdown plugin- records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.
5) Stay up to date
You need to keep your on your plugin/widget, theme, and Wordpress versions updated. Also, subscribing to the plugin/widget/theme Author’s RSS feeds makes keeping up with them much easier.
6) Take regular backups of your site and Database
You always have to take regular backups of your file directories as well as the database. WordPress Database Backup plugin creates backups of your core WordPress tables as well as other tables of your choice in the same database.
7) Update your wordpress to latest version
Probably the first thing you should do! Install the Instant Upgrade Plugin or the Wordpress Automatic Upgrade Plugin. Make sure you back everything up before performing the upgrades.
8 ) Use SSH/Shell Access instead of FTP
It is one of the best tips i found here.If someone gets a hold of your FTP login information (which is usually not encrypted and easy to get), they can manipulate your files and add spam to your site without you even knowing about it! Using SSH, everything is encrypted including the transfer of files, etc.
9)Stop worrying about your wp-config.php file
Keep your database username and password Safe by adding the following to the .htaccess file at the top level of your WordPress install:
<FilesMatch ^wp-config.php$>deny from all</FilesMatch>
This will make it harder for your database username and password to fall into the wrong hands in the event of a server problem.
Protect Your Blog With a Solid Password
Creating a strong password that is also memorable is one of the easiest defenses against being hacked. There are a lot of online password strength checker that you could check.
Also you might check lorelle’s article on blogherald called Protect Your Blog With a Solid Password, offering tips and tricks to help create a strong password that is also memorable, and how to deal with all the myriad passwords we seem to accumulate online.
WordPress is a good CMS solution and even better blogging platform, but most sites using WordPress are not maximizing its potential. Performance is one of the important factor of a successful website. In this article we have compiled a list of useful tips, tricks, hacks, and plugins that can be used to speed up WordPress and boost it’s performance.
These tricks are for different skill levels and some might even seem very obvious to you, but please bare with us as we want to satisfy the needs of users on all skill levels. These tricks are very easy to implement, so you should start now.
1. Cache Complete Generated Pages
WordPress is a PHP script, so everything is dynamic, which means every time a page is loaded, WordPress must execute the queries hence making the site load slow and even crash due to the server load if you experience high traffic. The best solution to this problem is by using static pages. A plugin called WP Super Cache cache complete generated pages and serve those to your users instead of processing the heavy dynamic queries. Once you have installed this plugin, you will see significant decrease in your site load time and much more efficiency in the usage of server resources.
2. Disable Hotlinking and Prevent Leeching
Hotlinking is also known as bandwidth theft. It is when other sites direct link to the images on your site from their articles making your server load increasingly high. If one site does it, it might not make a significant difference, but there are too many spammers that will do this and that is something your server cannot hold specially if they copy your article with a lot of images. No matter how good your web host is, it will be slowed down if hotlinking is not prevented. There are a few ways you can disable hotlinking. First way we will share is through your root .htaccess file where you will place this code below:
1
| #disable hotlinking of images with forbidden or custom image option |
3
| RewriteCond %{HTTP_REFERER} !^$ |
4
| RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC] |
5
| #RewriteRule \.(gif|jpg)$ %u2013 [F] |
6
| #RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L] |
You can make an image that will replace all hot linked image that will say Stealing is bad or something so it makes the spammer look stupid. Another way to do is through the cPanel. If you are using cPanel hosting this is much easier because you don’t have to get your hands dirty by editing the codes. In your cPanel find an option called Hotlink Protection. Select that and follow the settings like shown in the image below:
Remember you must allow your feed otherwise your feed readers would not see any images.
Source: Josiahcole
3. Choose a Good Web Host
This might seem like a very obvious one, but a lot of the times people try to save a few bucks and compromise quality. It is not worth it. Pay the extra few dollars and get a better web host. One that is reliable and have strong servers. We have a beginners guide at WPBeginner where we help you choose the web host for WordPress.
Some good and affordable web hosts:
4. Split Long Posts in Several Pages
If you are making a mega resource which will require you to list about 100+ resources and you will have 100+ image on the post. It is best that you split the post into multiple pages, so each page loads much faster, and you increase your pageviews. This is very easy and it is doable from the WordPress admin panel if your theme already has this function. When writing the post you just have to enter the following code when you want to split pages:
<!--nextpage-->
You must make sure that your template has the function. Check out the Template tags in the Codex.
5. Use Excerpts and Limit the Count of Posts Displayed on Blog Page
You should never show full posts in the main blog page because you have 5 or 10 total posts on the same page. If each of your post is a list post and it is displayed in full text mode, then it will be very inconvenient for your users because the page will take immense amount of time and server resources to load. Therefore you must use excerpts and limit the count on how many posts are displayed.
In order to display excerpt, you must visit your index.php and find:
<?php the_content(__(’(more…)’)); ?>
Then replace this with:
<?php the_excerpt(__(’(more…)’)); ?>
Now the second step is to limit the number of posts being displayed on your blog page. You can do that through the WordPress admin panel under the tabs Settings > Reading:
6. Optimize Your MySQL Database
Optimizing your MySQL Database can make a difference in your load time. There are two ways of doing this. One way is manual hard core way. Another way is a plugin. To do it manually, you need to go to phpMyAdmin and select your database. Then towards the bottom, click check all to select all tables and then towards the center of the screen, there is a drop down menu, click optimize tables there.
If you don’t want to do it manually then Joost De Valk has a plugin for you. It is called Optimize DB, this plugin does exactly what we mentioned above except you don’t have to mess with phpMyAdmin.
7. Reduce the Use of External Websites and Scripts
Try to avoid relying on external scripts whether it is directly or through the plugin. Some plugins like MyBlogLog and others can take a lot of time to load depending on the server connection. They can often be the reason for page not loading properly if you are experiencing high traffic. To display widgets from top directories, alexa and others in your sidebar only slows your site down. Try to avoid it as much as you can.
8. Add Expires Header to Static Resources
An Expires header is a way to specify a time far enough in the future so that the clients (browsers) don’t have to re-fetch any static content (such as css file, javascript, images etc). This way can cut your load time significantly for your regular users.
You need to copy and paste the following code in your root .htaccess file:
ExpiresActive On
ExpiresByType image/gif A2592000
ExpiresByType image/png A2592000
ExpiresByType image/jpg A2592000
ExpiresByType image/jpeg A2592000
The number 2592000 stands for the number of seconds in a month. You can change that number to anything you desire.
9. Use WP-CSS
WP-CSS is a plugin that uses shorthand technique. It GZIP and strip whitespace from your CSS files. It allows you to confidently use @import inside a CSS file and not worry about what happens on the user’s end. It will look through your style.css file and put any @import files into it. Using shorthand technique can make a difference in your site load time because it makes the file size smaller.
10. Compress JavaScript Files
JavaScript files are loaded in almost every page and sometimes they can be large files. Even if it is a small file, being repeatedly loaded can eat your resources and have an impact on your load time. You can use the compressors to compress the JavaScript and save resources as well as increase the speed of your WordPress site.
11. Reduce Image Sizes
This one is a gimme, but it must be reiterated here. Images help make your blog posts lively, but you do not have to put extremely high resolution images in your blog posts and even in your web design. The bigger your image, the slower your site will load and the more server resources you will use. If an article with images gets popular in social media and you get tons of traffic, you can even get suspended from your web hosts if you exceed the limits. Therefore it is best if you have low image sizes. You can obtain this by using a plugin called WP Smush.it. This plugin reduces the image size with minimum quality loss. You can also use this directly from the site Smush.it.
12. Do a Plugin Check and Remove Inactive Plugins
If you are using more than 15 plugins on your blog then you need to check to see if you really need all of those. If you don’t then you need to delete them. Also remove the inactivate plugins from the site. While checking for plugins, make sure that you use the proper format when including the plugin in your template files. Instead of including the code like this:
<?php refer_thanks(); ?>
You should add it like this:
<?php if (function_exists(’refer_thanks’)) { refer_thanks(); } ?>
Having it this way ensures that WordPress will only pull that code on the page if this plugin is active. If you use the first way of coding, and you inactivate the plugin, your page will load with error and sometimes it even displays on the page that there is an error.
Source: Yoast
13. Cache Your Database
WordPress is fully integrated with MySQL therefore when a page is loading, multiple database queries are being executed which takes time. A plugin called DB Cache caches the database query and make the site load much faster.
14. Split Comments into Pages
Every site has few articles that went viral. These article generates tons of comments and they can consume enormous amount of server resource upon each visitor loading the page. Or maybe your blog is already popular and you are getting a good discussion going in your posts, then it is recommended that you paginate the comments to increase your site loading speed and save server resources. This can be done by going into Settings > Discussion in your WordPress Admin Panel.
15. Reduce the Number of Database Calls
Database calls make WordPress so dynamic, but sometimes you can live without it. By replacing simple text, you will be able to increase your WordPress speed. To give an example look at your header.php code which looks something similar:
<html xmlns=”http://www.w3.org/1999/xhtml” <?php language_attributes(); ?>>
<head profile=”http://gmpg.org/xfn/11″>
<meta http-equiv=”Content-Type” content=”
<?php bloginfo(’html_type’); ?>;
charset=<?php bloginfo(’charset’); ?>” />
This code above is calling useless database queries which you can simply put in as text. Like in the example below:
<html xmlns=”http://www.w3.org/1999/xhtml” dir=”ltr”>
<head profile=”http://gmpg.org/xfn/11″>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″ />
By making it slightly less dynamic, you have saved yourself some load time. If you get a custom theme designed for a specific WordPress site then there is nothing wrong with removing these because it will only be used by you.
You can also reduce database calls by doing the following:
- make your stylesheet URL’s static
- make your pingback URL static
- make your feed URL’s static
- you can remove the blog’s WordPress version
Source: Yoast
16. Cutting Down the Size of MySQL Database
When writing posts, now WordPress actually autosave which even after the post is saved, the revision articles stay in the MySQL Database. Bigger database also bring the site load time down. If you are not using Revisions then you can remove them by adding the following code to your wp-config.php
<?php define(’WP_POST_REVISIONS’,false); ?>
You can also delete unnecessary tables from the Database like:
DELETE FROM wp_posts WHERE post_type = “revision”;
Note: Only do this if you don’t use revisions. If you like to have revision in WordPress then do not take this action.
17. Stay Updated with the Latest WordPress Version
Ofcourse this is a must. You should always stay updated with the latest stable release of WordPress in order to boost performance of your site. If you don’t do this, you are also putting your site in security risks.
18. Display Page Loading Time and Queries
In order for you to track how well your site is doing, it is wise to add this code in the footer. If it is a low number then it means your site is at its potential. Just paste this code in order to display page loading time and queries:
<?php echo get_num_queries(); ?> queries in <?php timer_stop(1); ?> seconds.
What tricks do you use to speed up WordPress? Share it with us in the comments. We will add it in the post, so everyone else can use it as well.
WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability. WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your blogging software, not fight it.
New to blogging? Learn more about WordPress, then follow the three easy steps below to start blogging in minutes. Or, for the ultimate in ease of use, get a free blog on WordPress.com.
PHP 프레임워크 중에서 CakePHP가 많이 사용되어지는 것 같다.
