PART ONE: wp-security-scan plugin

Download: WP Security Scan

Author: Semper Fi Web design

Cost: Free

Once you have downloaded and unzipped the plugin upload it to you plugins fold and activate it in your plugins menu in the admin area of your blog.

When the plugin is active you will get a new tab in the top menu like this:

Here is what each tab will tell you

Security Tab

This tab is a ‘dashboard’ for the plugin, it reports to you all of its findings. One of the plugins features is to help you rename the ‘admin’ user and it will report to you here in red if the admin user exists. The way to rename this user is listed on a page called Change WordPress Admin Username. The other items it reports on are:

• WordPress version: 2.6.2 You have the latest stable version of WordPress.
• Your table prefix is not wp_. Your WordPress version is successfully hidden.
• WordPress DB Errors turned off.
• WP ID META tag removed form WordPress core
• “admin” user exists.
• The file .htaccess does not exist in wp-admin/.

Further down the page is a table reporting more system level information which includes:

• Operating System
• Server
• Memory usage
• MYSQL Version
• SQL Mode
• PHP Version
• PHP Safe Mode
• PHP Allow URL fopen
• PHP Memory Limit
• PHP Max Upload Size
• PHP Max Post Size
• PHP Max Script Execute Time
• PHP Exif support
• PHP IPTC support
• PHP XML support

Scanner Tab

Clicking on this tab brings up a list of files and directories which it checks that they all have the correct permissions state. If it’s correct the line is highlighted in green – if it’s incorrect then it is highlighted in red. The correct permission status is displayed so you can change the permissions accordingly.

Password Tool Tab

This is a neat facility which it gives you the ability to check the strength of your passwords. A field is displayed on screen and you are invited to type in a password, a graphical bar indicator progresses as you type, alongside words telling you the strength of the password.

Another nice touch is it automatically generates a random strong password which you can just copy and use.

Database Tab

It seems there are two major vulnerabilities in WordPress the first is the auto-generated ‘admin’ user – this is a security issue because every WordPress blog will probably have this user, therefore a potential hacker already knows half of a Username and Password pair. The second issue is the name of your tables in your database. By default when you install WordPress it auto prompts you with a table prefix of ‘WP_’ if you leave it as this then a hacker also now knows all your table names. This is a simple one to combat because all you need to do when you install is change the prefix to something else then install. This won’t prevent a hacker from getting in but it will make it more difficult.

If you have already installed your blog the Database Tab has the answer. Clicking on the tab presents you with a field populated with your current table prefix. Here you can now change it to something else, but as the big, bold, italic letters say:

Make a backup of your database before using this tool

Support Tab

The support tab is under construction but is a place where you can link back to the publishers changelog and documentation.

Conclusion

My conclusion of this plugin is it highlights the two most over looked vulnerabilities in WordPress – the admin username and the table prefix. Both vulnerabilities are fixable and this plugin shows you how to do it. What’s more having these highlighted to you will teach you to install more securely in the future. Some of the info that the plugin reports will go right over most bloggers heads but so long as you don’t get bogged down with the unimportant stuff you should be OK.

[rating:3.5]

Overall I would give this plugin 3.5/5

Killer feature: the ability to change the table prefix in one go.

1. Write at least two posts

Promoting your site is a given, no promotion, no traffic. But the traffic will only flow one way and never return if all your readers see is stale content. You need to write at least two articles a week, more if you can (if you can’t try and get guest articles from your peers) and post them a day or so apart. TIP: better traffic spikes will come from posts that appear at the beginning of the week – there is an assumption that news is ‘freshest’ at the start of the week. A great resource of tips and how to’s to help you improve your writing is www.copyblogger.com

2. Check for broken links

Links that end in a 404 page will lose you traffic so fix any incoming or internal links that are broken. A good plugin for checking your posts is Broken Link Checker. An awesome plugin for managing incoming broken links is Redirection it allows you to take an incoming URL and map it to a new post via 301 redirects. It’s the only way to preserve traffic to your posts when you change a site structure.

3. Check your Webstats

You know in the movies where you see the big macho hero choosing his weapons before he goes off and does something amazing, and he picks up a big gun, looks at it lovingly… then puts it back and picks up an enormous gun, snorts a laugh and nods his head in approval? Well your website statistics are that enormous gun. Your site stats are where you find out who is linking to you, how much traffic you are getting and what pages your visitors are looking at. The stats can tell you your most popular pages and therefore you will know what kind of content your audience is hungry for. There are many stats packages around, your hosting will come with some and there is of course Google Analytics. I’m currently using WordPress.com Stats which is a great plugin because it causes no extra load on your server and hey, who else but WP knows enough about WordPress to produce good accurate stats? A word of warning: only check your stats once a week, checking stats is like weighing yourself when you are on a diet, check to often and you don’t see any progression. Check once on a regular basis and you get to see the movement.

4. Plan future posts

Doing step three will make this step a breeze. While you are checking your stats, look out for your busiest pages or notice when your busiest times are (and note what you did to produce the extra traffic) and plan your next posts to extend your popular content. If you find your popular posts aren’t really where you thought your blog was going, don’t dismiss them and blindly push on, be sensible about it and let the market lead you, as they are the only experts in all this.

5. Don’t give up!

In every bloggers life there are moments of despair, moments where you think “Argh F**k It! This is going nowhere” if you are like this then you are probably checking your stats too often! Everyone is in the same boat here, don’t assume that others are getting more success than you, some might be, but others definitely won’t be. Just keep going and don’t give up. If you feel isolated then join a community, I’m in the Blog MasterMind coaching program and there are forums and communities to help keep me going – you can join too and I strongly recommend that you check it out.

6. Do Back up!

I will continue to harp on about this for probably the life of this blog, and even beyond, I might even have it etched on my Tomb Stone:

RIP
Ian Blackford
Blogging Rocket Webmaster
(*Snigger* I can RIP – I backed up!)

Get a back-up plugin, set it on a schedule to back up at least once a week and then forget it – job done. A great plugin for this is WordPress Database Backup

7. Take a break!

There is a lot to blogging, a lot more than people realise and if you do all the above every week along with your blog promotion and digesting information from others you are going to need a break. So don’t beat yourself up for a taking a little time off, switch off your computer turn on the TV – go on, I bet there is a good film on!

Well… when I say ‘I’ back up, I really mean I have bought some software, a second drive and I have configured it on a schedule to back up every day, so in reality I don’t actually do anything but my data is backed up nonetheless.

Well that’s fine for my local data, but what about my beloved blog and those MySQL tables with their ‘Bits’ all exposed? Well that’s a little more tricky because you don’t have full control of a remote computer.

Help is at hand I have found with a great plugin called wp-db-backup it’s really easy to use and offers multiple back up options like:

• additional tables (core tables included by default)
• back up and saved to a folder on your server
• back up and download the SQL file
• back up and email the SQL file to yourself
• schedule a backup with four time options (hourly, daily etc)

I would recommend everybody get this plugin, your blog should become one of your treasured possessions and you need to look after it.

Another excellent source of back up advice is of course WordPress.org themselves here is a backup article from their codex