Move wp-config.php

The first thing I do is change the location of my wp-config.php. By default, it’s installed in the WordPress parent directory. If the config file is in the parent directory, it can be viewed and accessed by Apache, so I move it out of web/root. Because you’re changing the default location of a pretty significant file, you need to tell WordPress how to find it in wp-load.php. Let’s say my WordPress runs out of /webroot on my host … I’d need to make a change around Line 26:

if ( file_exists( ABSPATH . 'wp-config.php') ) {
 
        /** The config file resides in ABSPATH */
        require_once( ABSPATH . 'wp-config.php' );
 
} elseif ( file_exists( dirname(ABSPATH) . '/wp-config.php' ) && ! file_exists( dirname(ABSPATH) . '/wp-settings.php' ) ) {
 
        /** The config file resides one level above ABSPATH but is not part of another install*/
        require_once( dirname(ABSPATH) . '/wp-config.php' );

The code above is the default setup, and the code below is the version with my subtle update incorporated.

if ( file_exists( ABSPATH . 'wp-config.php') ) {
 
        /** The config file resides in ABSPATH */
        require_once( ABSPATH . '../wp-config.php' );
 
} elseif ( file_exists( dirname(ABSPATH) . '..//wp-config.php' ) && ! file_exists( dirname(ABSPATH) . '/wp-settings.php' ) ) {
 
        /** The config file resides one level above ABSPATH but is not part of another install*/
        require_once( dirname(ABSPATH) . '../wp-config.php' );

All we’re doing is telling the application that the wp-config.php file is one directory higher. By making this simple change, you ensure that only the application can see your wp-config.php script.

Turn Down Access to /wp-admin

After I make that change, I want to turn down access to /wp-admin. I allow users to contribute on some of my blogs, but I don’t want them to do so from /wp-admin; only users with admin rights should be able to access that panel. To limit access to /wp-admin, I recommend the plugin uCan Post. This plugin creates a page that allows users to write posts and submit them within your theme.

But won’t a user just be able to navigate to http://site.com/wp-admin? Yes … Until we add a simple function to our theme’s functions.php file to limit that access. At the bottom of your functions.php file, add this:

############ Disable admin access for users ############

add_action('admin_init', 'no_more_dashboard');
function no_more_dashboard() {
  if (!current_user_can('manage_options') && $_SERVER['DOING_AJAX'] != '/wp-admin/admin-ajax.php') {
  wp_redirect(site_url()); exit;
  }
}
 
###########################################################

Log in as a non-admin user, and you’ll get redirected to the blog’s home page if you try to access the admin panel. Voila!

Start Securing the WordPress Database

Before you go any further, you need to look at WordPress database security. This is the most important piece in my opinion, and it’s not just because I’m a DBA. WordPress never needs all permissions. The only permissions WordPress needs to function are ALTER, CREATE, CREATE TEMPORARY TABLES, DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT and UPDATE.

If you run WordPress and MySQL on the same server the permissions grant would look something like:

GRANT ALTER, CREATE, CREATE TEMPORARY TABLES, DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT, UPDATE ON <DATABASE>.* TO <USER>@'localhost' IDENTIFIED BY '<PASSWORD>';

If you have a separate database server, make sure the host of the webserver is allowed to connect to the database server:

GRANT ALTER, CREATE, CREATE TEMPORARY TABLES, DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT, UPDATE ON <DATABASE>.* TO <USER>@'<ip of web server' IDENTIFIED BY '<PASSWORD>';

The password you use should be random, and you should not need to change this. DO NOT USE THE SAME PASSWORD AS YOUR ADMIN ACCOUNT.

By taking those quick steps, we’re able to go a long way to securing a default WordPress installation. There are other plugins out there that are great tools to enhance your blog’s security, and once you’ve got the fundamental security updates in place, you might want to check some of them out. Login LockDown is designed to stop brute force login attempts, and Secure WordPress has some great additional features.

What else do you do to secure your WordPress sites?

-Lee

The goal was simple: Take our already amazing documentation software infrastructure and make it better. A large part of this was to collapse our multi-site approach down into a single unified user experience. Somewhere along the way, “When is the proposal going to be ready?” became “When is the site going to be ready?”, at this point I realized that all of the hurdles I had been trampling over in my cerebral site building were now still there, standing, waiting for me on my second lap.

I recently had the honor to present our ideas, philosophy and share some insight into the technical details of the site at OSCON 2011, and KHazzy had the forethought to record it for all of you!

It’s a difficult balance to provide details and not bore the audience with tech specs, so I tried to keep the presentation relatively light to encourage attendees (and now viewers) to ask questions about areas they want a little more information about. If you’re looking at a similar project in the future, feel free to bounce ideas off me, and I’ll steer you clear of a few land mines I happened upon.

-Phil

SoftLayer customers were given two internal tickets notifying them if they were to be affected, and when those tickets were created, the ticket system would have then sent an email to the admin user on that account. Additionally, our portal notification system was updated to show details about the window, and we created new threads in our customer forums to provide regular, centralized updates. We went as far as taking a few calls and meetings with customers to talk about their concerns with the maintenance timing and length because we know that any downtime is bad downtime in the world of hosting.

Saturday night, we had extra support on staff online, and our social media ninja was awake and letting the world know step by step what we were doing with real time status alerts. We wanted to be extremely transparent during the entire process. This was not a maintenance we could avoid, and we tried to roll as many different things that needed work into this maintenance without making a roll back impossible.

The maintenance itself went well, and as planned, most items that were taken down were back online well before the window ended. We ran into a few snags in bringing all of the CloudLayer CCIs back online, but even with those delays for a few customers, the work was completed by the time we committed to.

Now for the customer experience aspect. From reading various tweets from our customers, it seems like we should/could have done a few things even better: Been more proactive, sent standard email, attempted phone calls, etc.

While some of these options may be considered, not all are feasible. If you are one of the customers that tweeted, has blogged, is planning on tweeting, is planning on blogging or believes we’re being anything less than genuine and transparent on our social media platforms, I want to hear from you.

Please comment on this blog, tweet me @skinman454, email me skinman@softlayer.com, call me at 214.442.0592, come by our office and visit.

Whatever it takes, just contact me. I can’t put myself in your shoes and feel your pain on things like this unless we have a chance to talk about it. I look forward to our conversation.

-Skinman