July 11, 2009
Brad Williams talks about how to keep your WordPress-powered website secure from hackers and exploits.
Slides from the presentation are available here.
Video Production by Arthur Cormon of TV McGill.
WordCamp Montreal 2009
Brad Williams
sshing and chmod-ing files right now!
Thanks a whole heap – very useful information!
Really great talk, thank you Brad for very important information about security.
Lots of good suggestions that I intend to look into further. Thanks Brad.
One glaring error in the wp-config.php stuff though. The file should really be in the directory above public_html/, not in public_html/ itself. If WordPress is installed directly in public_html/ then you’re all set.
But if, like me, you’re using a folder like wordpress/ to organize things, you need WordPress to look 2 levels up. The simple solution is to modify wp-config.php with something like this: require_once(ABSPATH . '../../secret.php'); just before the require for wp-settings.php. Put secret.php above your public_html folder and move all the password stuff to there.
Nathan, would you mind fleshing that out a bit with a pseudo example?
Thanks for dealing with the case of sub folder which WP seems to have neglected.
@mugger I’ve been meaning to do a blog post about my particular setup. Actually I’m planning to set up a new blog on WordPress coding, just need to make the time to do it. When I do, I’ll post here again.
Thanks for the kind words everybody! Actually the wp-config.php file can exist in one of two places by default: either the root WordPress directory or one level above that directory. WordPress will look in both spots before throwing an error.
@mugger I’m prepping a base setup that can be readily cloned… http://hg.nathany.com/wp-base/src/ It has my wp-config as well as secret-sample as a template for creating ../secret.php (up a level).
An accompanying blog post should be up in a few days. Right now I’m waiting for DNS for vogsphere.org.
I’d also like to review Brad’s video and get those suggestions into my base setup.
@Brad Maybe something is different between our configs, but for me, ABSPATH points to the /wordpress/ folder inside public_html (webroot, htdocs, you get the idea). WordPress looks in the ABSPATH folder and one directory up, which in my case is the public_html/wordpress/ folder and the public_html/ folder. Hence, my little workaround to drop a file two levels up from ABSPATH so it’s not inside public_html.
If ABSPATH is defined differently for you, as the actual public_html/ folder, I’d sure like to understand what I’m doing differently.
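The subfolder layout discussed in the comments above, written out as an added example; it is not code from the talk or from any commenter. The file name secret.php and the two-levels-up path come from the thread, while the document-root check and the error message are assumptions of this sketch.

```php
<?php
// wp-config.php fragment for WordPress installed in public_html/wordpress/.
// Added example: the guard logic below is an assumption, not the commenter's code.

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

// ABSPATH is public_html/wordpress/, so ../../ resolves to the parent of
// public_html/, which the web server does not serve.
$secret_file = realpath( ABSPATH . '../../secret.php' );

// realpath() returns false when the file is missing or cannot be resolved.
// Stop with a generic message so the filesystem path is never disclosed.
if ( false === $secret_file ) {
    die( 'Configuration error.' );
}

// Refuse to continue if the resolved path is still inside the web root,
// for example after the site is moved to a host with a different layout.
$doc_root = ! empty( $_SERVER['DOCUMENT_ROOT'] )
    ? realpath( $_SERVER['DOCUMENT_ROOT'] )
    : false;
if ( $doc_root && 0 === strpos( $secret_file, $doc_root . DIRECTORY_SEPARATOR ) ) {
    die( 'Configuration error.' );
}

// secret.php defines DB_NAME, DB_USER, DB_PASSWORD, DB_HOST and the
// authentication keys, so none of them live under public_html/.
require_once $secret_file;

// Must come after the secrets are loaded, as described in the thread.
require_once ABSPATH . 'wp-settings.php';
```

Keeping secret.php readable only by the account that runs PHP complements the move out of the web root.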