Posts Tagged ‘users’

As a hobby, I dabble in WordPress, so I thought I’d share a few security features I use to secure my WordPress blogs as soon as they’re installed. Nothing in this blog will be earth-shattering, but because security is such a priority, I have no doubt that it will be useful to many of our customers. Often, the answer to the question, “How much security do I need on my site?” is simply, “More,” so even if you have a solid foundation of security, you might learn a new trick or two that you can incorporate into your next (or current) WordPress site.

Move wp-config.php

The first thing I do is change the location of my wp-config.php. By default, it’s installed in the WordPress parent directory. If the config file is in the parent directory, it can be viewed and accessed by Apache, so I move it out of web/root. Because you’re changing the default location of a pretty significant file, you need to tell WordPress how to find it in wp-load.php. Let’s say my WordPress runs out of /webroot on my host … I’d need to make a change around Line 26:

if ( file_exists( ABSPATH . 'wp-config.php') ) {
 
        /** The config file resides in ABSPATH */
        require_once( ABSPATH . 'wp-config.php' );
 
} elseif ( file_exists( dirname(ABSPATH) . '/wp-config.php' ) && ! file_exists( dirname(ABSPATH) . '/wp-settings.php' ) ) {
 
        /** The config file resides one level above ABSPATH but is not part of another install*/
        require_once( dirname(ABSPATH) . '/wp-config.php' );

The code above is the default setup, and the code below is the version with my subtle update incorporated.

if ( file_exists( ABSPATH . 'wp-config.php') ) {
 
        /** The config file resides in ABSPATH */
        require_once( ABSPATH . '../wp-config.php' );
 
} elseif ( file_exists( dirname(ABSPATH) . '..//wp-config.php' ) && ! file_exists( dirname(ABSPATH) . '/wp-settings.php' ) ) {
 
        /** The config file resides one level above ABSPATH but is not part of another install*/
        require_once( dirname(ABSPATH) . '../wp-config.php' );

All we’re doing is telling the application that the wp-config.php file is one directory higher. By making this simple change, you ensure that only the application can see your wp-config.php script.

Turn Down Access to /wp-admin

After I make that change, I want to turn down access to /wp-admin. I allow users to contribute on some of my blogs, but I don’t want them to do so from /wp-admin; only users with admin rights should be able to access that panel. To limit access to /wp-admin, I recommend the plugin uCan Post. This plugin creates a page that allows users to write posts and submit them within your theme.

But won’t a user just be able to navigate to http://site.com/wp-admin? Yes … Until we add a simple function to our theme’s functions.php file to limit that access. At the bottom of your functions.php file, add this:

############ Disable admin access for users ############

add_action('admin_init', 'no_more_dashboard');
function no_more_dashboard() {
  if (!current_user_can('manage_options') && $_SERVER['DOING_AJAX'] != '/wp-admin/admin-ajax.php') {
  wp_redirect(site_url()); exit;
  }
}
 
###########################################################

Log in as a non-admin user, and you’ll get redirected to the blog’s home page if you try to access the admin panel. Voila!

Start Securing the WordPress Database

Before you go any further, you need to look at WordPress database security. This is the most important piece in my opinion, and it’s not just because I’m a DBA. WordPress never needs all permissions. The only permissions WordPress needs to function are ALTER, CREATE, CREATE TEMPORARY TABLES, DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT and UPDATE.

If you run WordPress and MySQL on the same server the permissions grant would look something like:

GRANT ALTER, CREATE, CREATE TEMPORARY TABLES, DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT, UPDATE ON <DATABASE>.* TO <USER>@'localhost' IDENTIFIED BY '<PASSWORD>';

If you have a separate database server, make sure the host of the webserver is allowed to connect to the database server:

GRANT ALTER, CREATE, CREATE TEMPORARY TABLES, DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT, UPDATE ON <DATABASE>.* TO <USER>@'<ip of web server' IDENTIFIED BY '<PASSWORD>';

The password you use should be random, and you should not need to change this. DO NOT USE THE SAME PASSWORD AS YOUR ADMIN ACCOUNT.

By taking those quick steps, we’re able to go a long way to securing a default WordPress installation. There are other plugins out there that are great tools to enhance your blog’s security, and once you’ve got the fundamental security updates in place, you might want to check some of them out. Login LockDown is designed to stop brute force login attempts, and Secure WordPress has some great additional features.

What else do you do to secure your WordPress sites?

-Lee

This is a guest blog from UserVoice CEO Richard White. UserVoice offers a complete customer engagement solution that gives businesses a simple process for managing customer feedback and support functions all from a single, easy-to-use environment.

What NOT to Do in Support

The fact that you’re reading this blog post means you probably understand social media. You probably also understand why providing great customer service is important, so I’ll spare you that as well. What you may not know is that there are much better tools to provide outstanding customer service than the ones you’re already using. Here are four big tips for you as you’re planning your support channels:

1. Don’t build a custom contact form.
Building a custom contact form on your website takes valuable time and resources away from your core business. Instead, sign up and get a widget from UserVoice (or one of our competitors) and in less than 30 seconds you’ll have a contact form that supports any number of custom fields you want to add, allows you to append your own customer-specific metadata, supports attachments and, most importantly, will auto-suggest relevant FAQ articles even before the customer submits the form.

2. Don’t use shared email for customer support.
It’s true that you can take managing customer support via a shared email inbox pretty far. You won’t really feel the pain until a couple of issues slip through the digital crack because it wasn’t clear who on your team was responsible for following up with the customer. But why go through that? These days you can choose from a number of inexpensive, purpose-built tools, like UserVoice, targeted at companies that want to provide better customer service. Starting at $5/mo you can have a complete support solution that will grow with your business when you are finally ready to add that 2nd or 3rd support rep to your team.

Read the rest of UserVoice’s Guest Blog! »

This is a guest blog from Shmuli Goldberg of ClickTale, an industry leader in customer experience analytics, providing businesses with revolutionary insights into their customers’ online behavior.

Understanding the User Experience with In-Page Analytics

Since ClickTale’s start back in 2006, we understood that engaging visitors on a website is the first step to increase conversions. Although traditional web analytics are great for delivering general statistics such as number of visitors or pages per visit, they leave a big black hole when it comes to understanding what happens inside the pages themselves.

ClickTale’s In-Page Analytics feature set enables you to identify, observe, aggregate and analyze visitors’ actual interaction inside your site, so you know exactly what page elements work, what to optimize and how to increase visitor engagement.

Our wide range of web optimization tools include Mouse Tracking, Heatmap Suite and Conversion Analytics solutions, but was our Visitor Recordings feature that started it all. Giving you a front row seat to your visitors’ browsing sessions and delivering a thorough, in-depth view into what your visitors are focusing on and interacting with inside the pages themselves. All you need to do is grab the popcorn.

Our Heat maps are aggregated reports that visually display what parts of a webpage are looked at, clicked on, focused on and interacted with by your online visitors. See exactly what images, text and call to action buttons your visitors’ think are hot and what’s not!

Both these features allow you to instantly see how to go about optimizing your website instantly so you don’t have to guess.

As a fully hosted subscription service, ClickTale is quick and easy to set up. We believe our wide range of heatmaps, behavioral analytics and full video playback make ClickTale the perfect way to round out your traditional web analytics suite. For more information, please visit www.clicktale.com.

- Shmuli Goldberg, ClickTale