
Understanding WordPress - part 37 (potx)



Document information: 10 pages, 1.09 MB

Contents

• Secure WordPress - http://digwp.com/u/489
  Provides many important security measures, including protection against bad queries and complete removal of sensitive, auto-generated information.
• WP Security Scan - http://digwp.com/u/9
  Scans your WordPress installation for known security vulnerabilities and suggests corrective actions. Features include passwords, permissions, and more.
• WP File Monitor - http://digwp.com/u/487
  Scans your WordPress files for malicious code and notifies you with the results. When files are changed, moved, added or removed, this plugin lets you know.
• Ultimate Security Check - http://digwp.com/u/488
  Scans for “hundreds of known threats” and grades security performance. Provides a great overview of your site’s security. And it’s incredibly easy to use.
• BlogSecurity’s WPIDS plugin - http://digwp.com/u/8
  Detects attacks and blocks them. Each intrusion is clearly visible and an error is displayed, making administration easier than in previous versions.
• AskApache Password Protect - http://digwp.com/u/5
  Protects your site by blocking automated attacks, spam, and other nonsense. Helps to secure wp-admin, wp-includes, wp-content, and plugins as well.
• WordPress Firewall - http://digwp.com/u/10
  Blocks potential attacks based on a list of potentially suspicious parameters.
• Login Lockdown - http://digwp.com/u/7
  Blocks the IP address of any user with too many failed login attempts.
• Stealth Login - http://digwp.com/u/12
  Enables creation of custom URLs for logging in and other administrative tasks.
• Exploit Scanner - http://digwp.com/u/490
  Searches your site’s files, plugins, and database for suspicious business.
• Safer Cookies - http://digwp.com/u/13
  Prevents unauthorized Admin access by making your cookies IP-specific.
• Block Bad Queries (BBQ) - http://digwp.com/u/492
  Blocks excessively long request strings and other bad strings in the request URI.
• InspectorWordpress - http://digwp.com/u/16
  Monitors and logs requests to your WordPress-powered site.

SSL Security Plugins
Here are two excellent plugins that secure your site via SSL:
• Force SSL - http://digwp.com/u/17
  Establish secure SSL connections by redirecting HTTP requests to HTTPS.
• Admin SSL - http://digwp.com/u/14
  Secure your site’s sensitive areas with private or shared SSL goodness.

Lockdown Collection
Underlined titles indicate plugins used in the DigWP Security Lockdown: http://digwp.com/u/501

9.2.1 Stopping Comment Spam

While we’re discussing security methods, it is important to take a look at different ways to stop comment spam. Comment spam plagues just about every comment-enabled or forum site on the Web, and WordPress-powered sites are no exception. Fortunately, there are many top-notch developers contributing plugins, scripts and strategies to help fight the war against spam. Here are some of the best:

• Akismet - http://digwp.com/u/298
  King of anti-spam plugins. Bundled with WordPress. Must-have.
• Defensio - http://digwp.com/u/299
  Excellent anti-spam plugin. Great alternative to Akismet. Many features.
• Typepad Antispam - http://digwp.com/u/300
  Developed by Six Apart. Reported to work as well as Akismet.
• Bad Behavior - http://digwp.com/u/301
  Anti-spam protection plus additional security features.
• Comment Guard Pro - http://digwp.com/u/302
  Provides multiple layers of protection against all types of spam.
• Simple Spam Filter Plugin - http://digwp.com/u/303
  Captcha-based. Designed to work with existing anti-spam plugins.
• WP-SpamFree - http://digwp.com/u/304
  Virtually eliminates automated comment spam. No captchas. No false positives.
• NoSpamNX - http://digwp.com/u/305
  Adds extra hidden fields to your comment form to catch bad bots.
• Invisible Defender - http://digwp.com/u/306
  Another good way to add hidden fields to your comment form to stop bad bots.

In addition to these incredible plugins, there are a few other helpful tricks that you may want to try. Let’s take a look at some choice techniques in the next few sections of this chapter.

9.2.2 Configuring Your WordPress Admin Options

Configuring your Admin options with the most restrictive comment settings is a much underrated method of reducing and preventing a great deal of comment spam. In the Admin > Settings > Discussion options page, there are several options that enable you to take strong action against spam. The most restrictive option would be of course to simply require moderation of all comments. This would theoretically prevent all spam, since you would be filtering them out manually. This really isn’t an option for sites that feature a lot of comments, so the next most restrictive setting would be to only allow comments from people who have already had a comment approved. By requiring the commentator to have a previously approved comment, you drastically reduce the chances that a spam comment will appear on your site.

9.2.3 Using the Built-In Comment Moderation

Also, under Admin > Settings > Discussion you will find three powerful anti-spam options. The first is a link-filtering option that automatically holds comments in the moderation queue if they contain “x” number of links. Since links are frequently the payload of spam comments, moderating any comments containing, say, two or more links is a great strategy.

There is also a large input field that may be used to list any characters, phrases, or even IP addresses that you would like held for moderation if found in the comment. For example, if you want to moderate any comments containing the phrase “Viagra,” or that come from an IP address of 123.456.789.0, then you would list these items as shown in this screenshot:

Anti-Spam Cornucopia
For even more excellent anti-spam plugins for WordPress, check out Chapter 7.6.3.

9.2.4 Using the Built-In Comment Blacklist

And, even better than WordPress’ Comment Moderation is the built-in “Comment Blacklist.” Also located on the Discussion Settings page, the Comment Blacklist works exactly like the moderation list, only instead of being held for moderation, any comments containing blacklisted phrases will be immediately marked as spam and discarded. Be mindful when using this technique – all terms and phrases are treated as regular expressions, such that you may be inadvertently dumping legitimate comments.

Careful with that Axe
When configuring your Comment Blacklist, choose phrases that will not appear as parts of “legitimate” words. We're dealing with regular expressions here, so make sure that you aren’t unintentionally trashing any legitimate comments. Fortunately, many drug names are very unique.

9.2.5 Disabling Comments on Old Posts

Spammers frequently target old posts because they have been indexed in the search engines and have had more time to accumulate page rank. So, as the number of posts in your archives increases, you will inevitably find yourself dealing with lots of spam and other nonsense on older posts.

An easy solution to this is to simply disable comments on all posts that are older than “x” number of days. For example, digwp.com automatically closes comments after 90 days. Any reasonable amount of time should work fine. For more information on manually disabling comments on old posts, refer to Chapter 7.3.7.

9.2.6 Deny Access to No-Referrer Requests

Many spambots target WordPress’ comment script directly, bypassing your comment form entirely. An easy way to circumvent this behavior is to deny all requests for the comment script that do not originate from your domain.
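The following is an added example, not code from the book, that models the settings of sections 9.2.3 through 9.2.6 as one comment-triage routine so their interaction and the blacklist pitfall can be seen side by side. It is a stand-alone Python model, not WordPress' own PHP: the setting values, the sample requests and comments, and the order of the checks (a blacklist hit outranks a moderation hold) are assumed, and the `whole_word` option is an added safer variant of the substring matching the book describes. The `referrer_gate_allows` function mirrors the four RewriteCond lines of the .htaccess rule the book gives next, including the fact that the `[OR]` flag joins only the referer and user-agent conditions.

```python
import re
from datetime import date, timedelta

# Constructed settings standing in for Admin > Settings > Discussion
# (assumed values, not read from a real WordPress install).
CLOSE_COMMENTS_AFTER_DAYS = 90              # 9.2.5: digwp.com closes comments after 90 days
HOLD_IF_LINKS_AT_LEAST = 2                  # 9.2.3: hold comments with this many links
MODERATION_KEYS = ["Viagra", "123.456.789.0"]   # 9.2.3: held for moderation
BLACKLIST_KEYS = ["cialis"]                 # 9.2.4: marked as spam outright
SITE_DOMAIN = "digwp"                       # 9.2.6: domain the rewrite rule expects in the referer

LINK_RE = re.compile(r"https?://", re.IGNORECASE)


def key_matches(key, text, whole_word=False):
    """Each key is applied as a case-insensitive pattern anywhere in the text,
    as the book describes. whole_word=True is an assumed safer variant that
    only matches the key as a complete word."""
    pattern = re.escape(key)
    if whole_word:
        pattern = r"\b" + pattern + r"\b"
    return re.search(pattern, text, re.IGNORECASE) is not None


def referrer_gate_allows(method, uri, referer, user_agent):
    """Model of the four RewriteCond lines in 9.2.6. Conditions 1 and 2 select
    POSTs to wp-comments-post.*; the [OR] flag joins only conditions 3 and 4,
    so the request is forbidden when the referer lacks the site domain OR the
    user agent is empty."""
    if method != "POST" or re.search(r".wp-comments-post\.", uri, re.IGNORECASE) is None:
        return True                         # rule does not apply to this request
    referer_ok = re.search(re.escape(SITE_DOMAIN) + r"\.", referer or "", re.IGNORECASE) is not None
    return referer_ok and bool(user_agent)


def triage(request, comment, post_date, today, whole_word=False):
    """Return 'closed', 'forbidden', 'spam', 'hold' or 'approve' for one comment."""
    if today - post_date > timedelta(days=CLOSE_COMMENTS_AFTER_DAYS):
        return "closed"
    if not referrer_gate_allows(request["method"], request["uri"],
                                request.get("referer"), request.get("user_agent")):
        return "forbidden"
    # keys are applied to the author, email, URL, IP and text fields here
    haystack = " ".join(comment[f] for f in ("author", "email", "url", "ip", "text"))
    if any(key_matches(k, haystack, whole_word) for k in BLACKLIST_KEYS):
        return "spam"                       # assumed: blacklist outranks a moderation hold
    if len(LINK_RE.findall(comment["text"])) >= HOLD_IF_LINKS_AT_LEAST:
        return "hold"
    if any(key_matches(k, haystack, whole_word) for k in MODERATION_KEYS):
        return "hold"
    return "approve"


# Constructed sample traffic: a post from the site's own comment form, and a
# bot posting straight to the comment script with no referer or user agent.
FORM_POST = {"method": "POST", "uri": "/wp-comments-post.php",
             "referer": "http://digwp.com/2009/05/some-post/", "user_agent": "Mozilla/5.0"}
DIRECT_BOT_POST = {"method": "POST", "uri": "/wp-comments-post.php",
                   "referer": "", "user_agent": ""}


def sample_comment(text, ip="203.0.113.10"):
    return {"author": "Reader", "email": "reader@example.net", "url": "", "ip": ip, "text": text}


TODAY = date(2014, 7, 10)
RECENT = TODAY - timedelta(days=10)
STALE = TODAY - timedelta(days=120)


def run_demo():
    """Return each scenario's verdict so the pitfalls are visible side by side."""
    legit = "Great write-up, thanks."
    return {
        "legit": triage(FORM_POST, sample_comment(legit), RECENT, TODAY),
        "direct_bot": triage(DIRECT_BOT_POST, sample_comment(legit), RECENT, TODAY),
        "two_links": triage(FORM_POST, sample_comment("See http://a.example/ and http://b.example/"), RECENT, TODAY),
        "moderation_key": triage(FORM_POST, sample_comment("Cheap VIAGRA here"), RECENT, TODAY),
        "moderation_ip": triage(FORM_POST, sample_comment("Hello", ip="123.456.789.0"), RECENT, TODAY),
        "blacklist_key": triage(FORM_POST, sample_comment("buy cialis now"), RECENT, TODAY),
        # "specialist" contains "cialis": a substring key trashes a legitimate comment...
        "false_positive": triage(FORM_POST, sample_comment("I am a security specialist."), RECENT, TODAY),
        # ...while whole-word matching lets it through
        "whole_word_fix": triage(FORM_POST, sample_comment("I am a security specialist."), RECENT, TODAY, whole_word=True),
        "old_post": triage(FORM_POST, sample_comment(legit), STALE, TODAY),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16} -> {verdict}")
```

The `false_positive` and `whole_word_fix` scenarios are the "Careful with that Axe" warning in miniature: a short blacklist term silently discards a harmless comment, and the only remedies are terms that cannot occur inside ordinary words or matching that respects word boundaries.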
This is another HTAccess trick that we may write like this:

    # DENY ACCESS TO NO-REFERRER REQUESTS
    <IfModule mod_rewrite.c>
    # only POST requests...
    RewriteCond %{REQUEST_METHOD} POST
    # ...for the comment-processing script...
    RewriteCond %{REQUEST_URI} .wp-comments-post\. [NC]
    # ...whose referer is not your domain, OR whose user agent is empty
    RewriteCond %{HTTP_REFERER} !.*digwp\. [OR,NC]
    RewriteCond %{HTTP_USER_AGENT} ^$
    # deny with 403 Forbidden and stop processing rules
    RewriteRule (.*) - [F,L]
    </IfModule>

Edit this code so that the domain name (“digwp”) matches your own. As is, this code will simply deny access to the requested comment script. To redirect the spammers instead, replace the RewriteRule with this:

    RewriteRule ^(.*)$ http://%{REMOTE_ADDR}/ [R=301,L]

This will bounce the spammers back to where they came from. Nice, but you may prefer to send them someplace else. To do so, simply edit the URL (i.e., the “http://%{REMOTE_ADDR}/” portion) to whatever you wish. By blocking all requests for the comments-processing script (wp-comments-post.php) that are not sent directly from your domain (via comments.php), you immediately eliminate a large portion of blog spam. For more information on this technique, check out the Perishable Press article at http://digwp.com/u/307.

9.3.1 Monitoring and Fixing Errors

As you set up and run your site, it is a good idea to keep an eye on any errors that pop up. There are several ways to do this, depending on your familiarity with your server logs and how they work. Many hosts provide access to automatically generated server access logs. These are useful for diagnosing patterns relating to spam, broken URLs, and malicious attacks. Additionally, many servers make available error logs or will automatically generate PHP error files that appear in the root directory of the site. Keeping an eye on these access and error logs is good practice as it will often enlighten you about broken scripts, plugins, links, and much more. Especially important is keeping a close eye on 404 Not Found errors. If your site has too many broken links and missing pages, your site’s pages may suffer in the search-engine listings.
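As an added example of what "keeping an eye on" 404s in an access log looks like in practice (my code, not the book's), the script below parses Apache combined-format lines and separates the 404s that visitors reached from a link on your own pages, which are broken links you can fix, from those requested with no internal referer, which tend to be bots probing for paths that do not exist. The log regex is one common reading of the combined format, the sample lines are constructed, and `site_host` is a parameter you would set to your own domain.

```python
import re
from collections import Counter

# One common reading of Apache's "combined" log format (my own regex, not
# something the book supplies).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample access log: a normal page view, an internal broken image
# link, a missing theme file, one client requesting paths that do not exist,
# and an ordinary comment submission.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2014:12:01:02 +0000] "GET /2009/05/old-post/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2014:12:01:05 +0000] "GET /images/missing.png HTTP/1.1" 404 512 "http://example.com/2009/05/old-post/" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2014:12:02:11 +0000] "GET /wp-content/themes/foo/style.css HTTP/1.1" 404 488 "http://example.com/" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2014:12:03:00 +0000] "GET /does-not-exist-1/ HTTP/1.1" 404 470 "-" "-"
192.0.2.9 - - [10/Jul/2014:12:03:01 +0000] "GET /does-not-exist-2/ HTTP/1.1" 404 470 "-" "-"
192.0.2.9 - - [10/Jul/2014:12:03:02 +0000] "GET /images/missing.png HTTP/1.1" 404 512 "http://other.example/" "-"
203.0.113.5 - - [10/Jul/2014:12:04:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com/2009/05/old-post/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def not_found_report(lines, site_host, top=5):
    """Summarise 404s: the most-missed paths, the clients producing the most
    404s, and the subset reached from a link on your own site (referer contains
    site_host), i.e. the broken links you can fix yourself."""
    by_path, by_ip, internal = Counter(), Counter(), Counter()
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        total += 1
        by_path[rec["path"]] += 1
        by_ip[rec["ip"]] += 1
        if site_host in rec["referer"]:
            internal[rec["path"]] += 1
    return {
        "total": total,
        "top_paths": by_path.most_common(top),
        "top_ips": by_ip.most_common(top),
        "internal": internal,
    }


if __name__ == "__main__":
    report = not_found_report(SAMPLE_LOG.splitlines(), "example.com")
    print(f"{report['total']} requests returned 404")
    print("most-missed paths:", report["top_paths"])
    print("clients producing the most 404s:", report["top_ips"])
    print("404s reached from links on our own pages:", dict(report["internal"]))
```

Run against a real log, feed it `open("access.log")` instead of the sample and your own host name; a single client at the top of `top_ips` with no internal referers is a pattern worth watching, while anything in `internal` is a link or asset reference on your own site to repair.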
The bad news is that large sites with thousands of pages are difficult to check by hand in a thorough manner. The good news is that there are several great methods for accomplishing this in an easy, automated way. Let’s examine a few of the best.

9.3.2 Alex King’s 404 Notifier Plugin

Alex King’s 404 Notifier is an excellent plugin by one of the top WordPress developers. Logs all 404 Not Found errors with the option of automatically notifying the site owner of each 404 incident via email or RSS. Requires permalinks to be enabled. Check it out at http://digwp.com/u/309.

9.3.3 Broken Link Checker Plugin

Keeping an eye on your site’s links can be a seriously daunting task, especially as your site continues to grow in size and complexity. Over time, your outgoing links may break or end up pointing to something unintended. Good, solid links are the cornerstone of the Web; broken links fail to help your visitors and may cause the search engines to consider your page or site less favorably, especially if many broken links are present.

To prevent this scenario, there is an awesome plugin called Broken Link Checker (http://digwp.com/u/310) that monitors your site and helps you manage broken links. Once installed, Broken Link Checker works quietly in the background, testing your links and reporting any that are broken or redirected. The plugin monitors all parts of your site, including custom fields (optional). Also detects missing images. Link-checking intervals are completely configurable. Provides options for broken links, including unlinking, editing, and deleting. Truly an awesome plugin.

The one shortcoming of using an automated method for checking your links, however, is the case where a linked page has been changed or redirected to include undesirable content. Because the link resolves to a working page, it will be assumed as valid and thus will not be included in the broken-link report. Beyond this scenario, automating the process of checking broken links can be a tremendous help.

9.3.4 Other Error-Logging Techniques

Logging errors and activities for your site is critical for better control over your website. Here are some plugins that can help get the job done:

• WordPress to Syslog (WPsyslog2) - http://digwp.com/u/311
  WPsyslog2 is a global logging plugin that tracks all system events and logs them to syslog for your analytical use. Tracks new posts, new profiles, new users, failed logins, successful logins, logouts, and much more.
• Mod_Security - http://digwp.com/u/312
  An open-source web-application firewall for Apache that logs activity and protects your site in real-time.
• Post Logger plugin - http://digwp.com/u/313
  Reveals the intimate details of the $_POST variable for each request, enabling you to keep a better eye on what’s happening behind the scenes with your comments.
• TTC WordPress Tripwire Tool - http://digwp.com/u/314
  Provides you with a list of all files changed on your WordPress site within the specified period of time.
• Sucuri - http://digwp.com/u/315
  Sucuri is an online network monitoring service that notifies you immediately after changes have been made to your website, DNS records, WHOIS information, SSL certificate, or blacklist status.

9.3.5 Online Monitoring Services

An important part of developing and running a successful, well-optimized site is making sure it is always available to your visitors. In a perfect world, your site’s uptime would be 100%. But thanks to server issues, software conflicts, malicious scripts, and cracker exploits, it is virtually inevitable that your site will go down from time to time. While you can’t prevent periods of unexpected downtime, you can increase your ability to respond in a timely manner by using an online monitoring service. Monitoring services basically keep an eye on your site and notify you when it becomes unavailable. There are many monitoring services available, both free and otherwise, each with their own way of tracking your site and reporting statistics. Here are some of the best:

• Are My Sites Up? - http://digwp.com/u/316
  Fast, easy, and reliable site monitoring service that provides free monitoring of up to five sites 25 times per day. Premium service also available with tons more features. iPhone application available. Highly recommended :)
• Pingdom - http://digwp.com/u/317
  Provides email and SMS alerts when your site is unavailable. Monitors uptime and overall performance.
• Mon.itor.us - http://digwp.com/u/318
  Free website monitoring services with email alerting. Provides uptime and response-time reports. Alert formats include email, IM, SMS, and RSS.
• Montastic - http://digwp.com/u/319
  Free monitoring service with email and RSS alerts. Monitors up to 100 URLs every 10 minutes. Notifies you when your site’s availability has been restored.
• Service Uptime - http://digwp.com/u/320
  Free monitoring for one URL at 30-minute intervals. Alerts sent via email or SMS. Uptime reports available.
• Site Uptime - http://digwp.com/u/321
  Free monitoring for one URL at 30-minute intervals. Premium services include shorter monitoring intervals and more reporting features.
• BasicState - http://digwp.com/u/322
  Free website uptime monitoring service that checks unlimited sites every 15 minutes. Provides instant trouble alerts by email or SMS. Recommended.
• Site 24X7 - http://digwp.com/u/323
  Free monitoring for two URLs at 60-minute intervals. Monitors your site from multiple geographical locations. Alerts via email and SMS.
• Binary Canary - http://digwp.com/u/324
  Free website and device monitoring featuring 15-minute intervals for up to five URLs. Supports both HTTP and HTTPS. Paid accounts include 1-minute monitoring of nearly any device.
• Dotcom-Monitor - http://digwp.com/u/325
  Robust monitoring featuring multiple users, user-permissions, data reports, and user-specific alerts.
• Webmetrics GlobalWatch - http://digwp.com/u/326
  Monitors websites, applications, and services. Diagnoses downtime and provides performance reports and flexible alerts. Supports Flash, Java, and Ajax.

And that’s just the tip of the iceberg! For a huge list of server monitoring services & website monitoring software, check out this valuable resource: http://digwp.com/u/327.

Get Automatic Upgrade Emails
The alert messages provided in the WordPress Admin are great, but they don’t work if you never log in to your website’s admin area. Fortunately, the Update Notifier plugin (http://digwp.com/u/329) takes care of this by sending you daily email notices whenever new versions are available. This makes it easy to keep an eye on large numbers of sites without having to log in or subscribe to any RSS feeds. Simply install and forget about it. As soon as it’s time for action, you’ll get an email letting you know.

9.4.1 Staying Current with WordPress

Of course, one of the best ways to keep your site secure is to stay current with WordPress. While working in the WordPress Admin, keep an eye out for any alert messages informing you of available updates, either for the WordPress core or for individual plugins. Staying current with the latest versions of WordPress ensures that your site receives

Posted: 04/07/2014, 21:20