Getting Started with WordPress

What to expect:

In tonight’s meetup, we will discuss the basic functionality of WordPress:

  • The differences between WordPress.com and WordPress.org
  • How to log into your site (typically, http://www.yoursite.com/wp-admin)
  • How to create new content
  • The differences between pages & posts
  • Adding media files (images, video, etc.) and accessing the media library
  • How to modify your website/blog’s appearance
  • Choosing and installing a theme
  • Widgets
  • Plugins (see previous posts at WP Austin for lots of plugin ideas, or ask us!)
  • Settings, including privacy and permalinks

Installing WordPress

Every server/hosting company will have a different process to install WordPress. The folks at WordPress.org recommend a number of companies that optimize for WordPress and make installation simple (see http://wordpress.org/hosting/). For those who need to install WordPress on their own server, visit http://codex.wordpress.org/Installing_WordPress.

Future reference:


After the presentation, we will have members available to help with installing WordPress or getting your site set up.

Photos from SxSW

Photos from the WordPress party and the WordPress/Automattic booth at the SxSW Trade Show, March 2012.

Photos taken by WordPress Austin members Debra Schmidt and Jackie Dana.


How to connect with WordPress Austin

If you’re new to our group, we have lots of ways to connect with us.

  1. Of course, the WP Austin website (where you are right now!). Here we post notes from our meetings and other information that we think may be of interest to local WordPress users and developers.
  2. Our WordPress Austin meetings, on the first and fourth Tuesdays of the month, held at 7pm at Cospace in north Austin. To learn about upcoming meetings and add yourself to the RSVP list, join the Austin WordPress meetup group.
  3. We have an active WordPress Austin google group which is a great resource for questions, job postings, feedback and pretty much anything you could want to know about WordPress and Austin happenings.
  4. On May 19th 2012 we will be hosting an all-day WordCamp in Austin. Read more about the event, as well as how to volunteer, offer a session pitch or contribute as a sponsor, on the official Austin WordCamp website.

4 Simple Ways to Secure (and Maintain) Your WordPress Website

This article was written by Dre Armeda and originally posted on the StudioPress Blog.

Brian Gardner shared it on Google+ this morning.

As WordPress security is an often-raised topic at our meetups, I thought I'd share the post with our members.

4 Simple Ways to Secure (and Maintain) Your WordPress Website

With the wind in my face and long stretches of open road before me, life is very good when I’m on my Harley.

I ride a lot, and as freeing as it can be, a good rider is always keenly aware of the high risks of being on a motorcycle. A good rider plans — as much as he or she can — for all kinds of contingencies.

The key to being a safe rider is the acceptance of risk.

I have to consider a lot of variables, but ultimately I’ve decided that I want to ride, and I’ve accepted that there will always be a certain level of risk to that activity.

Running a website is not unlike motorcycle riding when it comes to risk acceptance and overall risk management.

A Responsibility to Your Audience

Though WordPress allows a site creator to go a step above what most website software offers regarding security, it is still Internet based software, and there are inherent risks for you, your data, and your users.

The security of visitors on your site should be a priority, ensuring their visit is free from harmful content. Your website does you no good if it’s harming visitors, or your reputation.

Just like hopping on a bike, you need to be taking a strategic approach to WordPress risk management.

Here are four simple risk reduction approaches you should consider and implement …

1. Clean Your Garage

The paint on a Harley-Davidson is engineered to last 50 plus years — even in extreme heat or cold.

It isn’t designed to withstand that ladder currently leaning up against your garage wall falling on it. Before I brought my precious bike home, I decided to pick up a few things and create a proper parking spot.

We’re extremely fortunate as WordPress users. The WordPress core team does a great job of cleaning up and optimizing the WordPress core on an ongoing basis.

They are committed to the identification and patching of security vulnerabilities. Anytime you see a minor release (3.2.x), it’s for bug fixes and security patches.

Here’s a few things to consider with each WordPress update:

Update your core: The most important advice I can give anyone who manages websites is to ensure they are updating their software. When you’re done updating, check everything again, and update some more!

One of the biggest contributors to malware attacks is running outdated software. In fact, it accounts for more than 70% of all the cases we see at Sucuri. This includes various web based software titles, not just WordPress. There are various ways to accomplish this, and it usually takes mere minutes to update the WordPress core.

Have you tried the automatic update feature in WordPress? It works great, and is conveniently located within your WordPress admin panel.

Update themes and plugins: Everything is working just fine, why should I touch plugins? The same reason you’d update any other software — even more so with themes and plugins — because they don’t necessarily go through the same vetting and testing as WordPress core (unless you’re using StudioPress themes and plugins).

Remove disabled plugins and inactive themes: In August of 2011, there was a public disclosure that the popular TimThumb script included in popular WordPress plugins and themes was vulnerable. Within days we were seeing attackers exploiting the vulnerability with everything from SEO spam to website redirects to infecting every single PHP file on the server with nonsense characters.

As we started to see more and more of these cases we came to realize that most site owners didn’t even realize the script (and resulting malware) was on their server. In other cases, site owners were disabling the vulnerable plugin or theme, but were leaving it on the server. This vulnerability didn’t mind that the theme or plugin wasn’t enabled in WordPress. Attackers started scanning sites looking for TimThumb and when they found it, they would arbitrarily execute PHP on the server. When a plugin or theme is inactive, WordPress does not load it.

However, it is still accessible and executable on the web server. This is one of the most overlooked vulnerabilities on a WordPress install and one of the first avenues hackers cruise when looking for ways to exploit a site. If you aren’t using the plugin or theme, remove it from your site! That goes for all software really, if you’re not using it, remove it from the server. There is no sense in storing it there if it’s not being leveraged.

There’s nothing worse than leaving it there, forgetting about it, then getting infected through something that you don’t even need. In the end, by removing all unneeded software, files, and data from your server, you’re reducing your risk of future vulnerabilities being exploited, and it’s less you have to update or maintain.
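The point above is that an inactive plugin or theme is still a set of PHP files the web server will happily serve. The following script is an added example, not code from the post, Sucuri or StudioPress: it walks a wp-content tree, marks each plugin and theme directory as active or inactive (the active lists are passed in as plain directory names, an assumption; a real site stores them in wp_options), and flags any inactive directory that still carries a copy of the TimThumb script. The TimThumb file names are well-known but are my assumption, not taken from the post, and the sample site is constructed in a temporary directory.

```python
import os
import tempfile

# File names the TimThumb script was commonly shipped under; the names are
# well-known but not taken from the post, so treat the tuple as an assumption.
TIMTHUMB_NAMES = ("timthumb.php", "thumb.php")

def inventory(wp_content, active_plugins, active_theme):
    """Return one record per plugin/theme directory under wp-content.

    active_plugins: directory names of plugins WordPress has enabled.
    active_theme: directory name of the theme currently in use.
    Anything inactive is still reachable by URL and is a removal candidate."""
    records = []
    for kind, active in (("plugin", set(active_plugins)), ("theme", {active_theme})):
        base = os.path.join(wp_content, kind + "s")
        for name in sorted(os.listdir(base)):
            path = os.path.join(base, name)
            if not os.path.isdir(path):
                continue
            bundled = any(f.lower() in TIMTHUMB_NAMES
                          for _, _, files in os.walk(path) for f in files)
            records.append({"kind": kind, "name": name,
                            "active": name in active, "has_timthumb": bundled})
    return records

def build_sample_site():
    """Constructed wp-content tree used only for this demonstration."""
    root = tempfile.mkdtemp()
    layout = {
        "plugins/contact-form/contact-form.php": "<?php // active plugin\n",
        "plugins/old-gallery/old-gallery.php": "<?php // disabled, still on disk\n",
        "plugins/old-gallery/lib/timthumb.php": "<?php // bundled resizer\n",
        "themes/current-theme/style.css": "/* active theme */\n",
        "themes/unused-theme/style.css": "/* inactive theme */\n",
        "themes/unused-theme/scripts/thumb.php": "<?php // another copy\n",
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for r in inventory(build_sample_site(), ["contact-form"], "current-theme"):
        action = "keep  " if r["active"] else "REMOVE"
        note = "  (contains a TimThumb copy)" if r["has_timthumb"] else ""
        print(action, r["kind"], r["name"] + note)
```

Run it against a real wp-content directory with the site's actual active plugin and theme names and delete, rather than merely disable, whatever it marks REMOVE.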

Update your server: If you’re being held accountable, your web host should be as well. Are they keeping the server software updated? Are you running the latest web server software? If you’re not sure, ask them! If that doesn’t net the results you’re looking for, you can scan your site at Sucuri and it will tell you.

2. Close Your Garage Door

As obvious as this may sound, one of the things I seriously considered when buying my bike was the state of my own home.

Where was I going to park my new ride? How would I ensure that it would be protected when I was away from it?

How does this apply to WordPress?

Making sure your local infrastructure is as safe as possible is the starting point for most everything you will do online.

Here are a few areas that will help reduce your risk from the beginning:

Keep your computer up-to-date: Ensure you’re patching or installing updates regularly. Automatic updates are good. Most OS vendors are patching security issues often, so it’s important to stay updated.

Install an anti-virus solution: AV solutions don’t only protect you from computer viruses, they are also helpful to detect malicious software that may try to attack your web properties.

Software firewalls: Yes, they are still relevant.

Safe Browsing: Just because your website is a super ninja doesn’t mean others are too. Most desktop viruses and malware these days are passed via infected websites. If it doesn’t look right, it probably isn’t. If you’re a Firefox user, check out the NoScript extension. It allows you to manage the scripts being loaded by websites so that the latest drive-by doesn’t catch you with a funny pop-up.

3. Don’t Leave Your Keys in the Ignition

I was having a great day at the office a few days back.

When I left to head home, I realized that my bike’s key was in the ignition — in the on position — which had drained my battery. I was lucky though.

What if someone with malicious intent realized the key to my ride was sitting in the ignition? I’d be dealing with my insurance company right now.

The simplest forms of authentication use some type of keying mechanism. This is one of the quickest ways for attackers to gain access to your site, and ride off into the sunset.

Let me ask you this, are your passwords strong enough to ward off an attack long enough to disinterest an attacker?

Did you know that the most stolen password in 2011 was “password”?

Here are the top 5 worst passwords:

  1. Password
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123

Hackers aren’t sitting around all afternoon randomly typing passwords. They automate attacks using a technique called the dictionary attack. They create a large list of common passwords and automate an attack trying each one until they find what they’re looking for.

Here are a few things to help you fight password attacks:

Change your passwords often: The longer you use the same password, the more time you’re giving hackers to try and crack it. If you change it frequently, you shorten the window of attack.

Don’t share passwords: Passwords are like toothbrushes, you should keep them to yourself. And discard them, and get a new one, if they have been used by others.

Don’t write your passwords down: This is as bad as me leaving my key in my bike. Anyone can take it, and run with it. Alternatively, look at using a password management tool like KeePass or LastPass.

Use Passphrases: Passphrases are basically long passwords, something with a meaning. For example: F0urScoR3&s3v3NYeAr$aG0Now – this passphrase is pretty complex, but you’ll see that it contains 3-4 words, uppercase, lowercase, numbers and symbols. I am fond of Abraham Lincoln and the Gettysburg Address so this would be fairly easy for me to remember. You don’t have to go crazy like the example, but the idea is to use a more complex set of characters that would be very difficult to guess.
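To make the dictionary-attack and passphrase points above concrete, here is an added example (my code, not the post's or Sucuri's). It checks a candidate against the five worst passwords listed above, counts the character classes it uses, and computes a naive brute-force size in bits (length times log2 of the combined pool) so you can see why the long Gettysburg-style passphrase beats a short "complex" password. The 12-character / three-class acceptance threshold is my own assumption, not a figure from the post.

```python
import math

# The five worst passwords listed in the post, checked case-insensitively.
WORST_PASSWORDS = ("password", "123456", "12345678", "qwerty", "abc123")

# Character classes with the size of each pool (33 printable ASCII symbols).
CLASSES = {
    "lower": (str.islower, 26),
    "upper": (str.isupper, 26),
    "digit": (str.isdigit, 10),
    "symbol": (lambda c: not c.isalnum() and not c.isspace(), 33),
}

def check_password(candidate):
    """Return a report: dictionary hit, classes used, naive brute-force bits.

    The bit figure is only an upper bound on guessing effort; a dictionary
    hit makes it meaningless because the attacker never has to brute-force."""
    classes = {name for c in candidate
               for name, (test, _) in CLASSES.items() if test(c)}
    pool = sum(size for name, (_, size) in CLASSES.items() if name in classes)
    bits = len(candidate) * math.log2(pool) if pool else 0.0
    in_dictionary = candidate.lower() in WORST_PASSWORDS
    # Assumed policy: not in the list, at least 12 characters, 3+ classes.
    acceptable = not in_dictionary and len(candidate) >= 12 and len(classes) >= 3
    return {"in_dictionary": in_dictionary, "length": len(candidate),
            "classes": sorted(classes), "bits": round(bits, 1),
            "acceptable": acceptable}

if __name__ == "__main__":
    for pw in ("Password", "qwerty", "F0urScoR3&s3v3NYeAr$aG0Now"):
        print(pw, check_password(pw))
```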

4. Find a Good Mechanic

I don’t trust my bike with just anyone.

I have poured my heart into upgrading, and customizing it. I have spent countless hours architecting the ride, the look, the feel. Sound familiar?

In a lot of ways I approach my websites the same way, and when choosing a web host I research considerably before giving over the keys to the kingdom. Anytime you install a plugin or let a designer make changes to your site, you are handing them the keys to your kingdom. Your hosting provider always has the keys to your kingdom.

Do your research, get recommendations, and choose wisely. Here’s a few things to consider when using third-party offerings:

Plugins: Not all plugins are created equally. Unintentionally, an inexperienced plugin designer can open up all kinds of security vulnerabilities in your site or simply tank its performance. Read the reviews of plugins you select and try and stick to ones that have shown a history of updating and evolving their code on a regular basis.

Designers: The WordPress design community has grown significantly and there are lots of great resources to choose from. Make sure to get recommendations for a qualified designer and consider having them implement their design on top of a reputable framework like Genesis. A framework really helps to keep your designer in design and configuration mode versus coding. Unless a designer is an experienced WordPress developer as well, coding can often lead to security and performance issues. Even if they are an experienced WordPress designer, it doesn’t hurt to stress to them that security is important and ask them to keep it in mind by adhering to some of the advice in this post as well as the basics of WordPress hardening from the Codex.

Hosting: Most hosting platforms are designed to be everything to everyone. If you select a hosting provider that specializes in WordPress and is proactive in its approaches to security, your chances of having performance, operational, or security issues will lessen. Copyblogger Media’s Synthesis Managed WordPress Hosting, for example, combines a minimalist, locked down stack with proactive PHP scanning software to prevent hackers from accessing its customer’s sites, or even gaining information about them. It’s also safe to say that the folks at Copyblogger understand WordPress, SEO, and hosting and integrate that knowledge into their customer support.

I hope this helps in your travels down the WordPress highway.

As you can see, a few simple plans can go a long way in heading off disaster, and bringing you peace-of-mind.

About Dre Armeda
Dre Armeda is the CEO and co-founder of Sucuri, an Internet security software and services firm. Sucuri has partnered with Copyblogger Media’s Synthesis Hosting to provide site dehacking, proactive scanning, and site cleanup professional services.

WordPress & Git – A Quick Look

Announcements:

Austin WordCamp will be May 19th. We need speakers, sponsors and volunteers! Learn more and sign up at http://2012.austin.wordcamp.org/

WordPress SxSW party has been announced. Space is limited, so RSVP soon! [Edit: RSVPs are closed. Sorry!]


Main topic: git and github

git: software for developers to handle revision control. (You can read more about git on wikipedia.)

github: an online way to collaborate on code with others; a social codebase/code repository. It’s available at github.com.

gist: lets you create public snippets of code that you can share publicly. If someone asks for some code, you can share it with them through gist.


github is a great way to develop open source code projects, learn what others are working on, and get new code to try out for yourself. It’s free to use if all code is open source and available; you can pay monthly fees for private workspace on github.

Pat explained that he and Nick were working on a project together, and needed a way to work collaboratively without overwriting each other’s code. They created a repository of all the files they were going to be working on so that they could check out files that represented the most recent version. github will mark all changes in the history, compare versions, and update the files to reflect the changes. When you view a file you can see what has been added or deleted from a file. You have control over what gets updated, so you can choose to merge just added lines of a file.

In addition to collaborative work, you can follow different users/developers as well as follow projects under development.

The development community tends to police projects so if someone posts malicious or bad code, someone else will likely correct it.

github: distributed version control system/repository; you have a local version of the repository that you can commit and make sure it’s working properly before you commit to the main repository

Subversion/SVN: nondistributed version control

You can use gist to post code, browse other gists, and even use the code on your WordPress site (there are plugins you can install to do this). There are no private gists. For an example, check out Bill Erickson’s gist for a popular posts widget.

The Non-Breaking Space show just published a podcast that discusses git and github. Check it out!

Bitbucket is another git hosting service.

If you use git/github/gist in your WordPress development process, please post in the comments how you’ve found it useful.

Cultivating Community – meetup 2/28/12

I was absent from Tuesday night’s meetup, but fortunately Clark posted notes from his presentation on his website. Go check it out!

Cultivating Community