Optimizing your blog – part 5: Security and Miscellaneous
Welcome to the final part of my WordPress blog optimization series. I’ll be writing a summary, round-up and acknowledgements later but I wanted to use this final part to talk about site security and other miscellaneous settings. These may not necessarily be directly related to site performance, but I mentioned in my introduction post that this series would help you make your site more robust, so now we’re going to work on that.
I’ll address four overall points below, with tips on improving your site installation in each one.
Ready? Let’s go…
Securing your WordPress installation
So, you’ve worked long and hard on your blog, you have it just the way you want it, but what’s this? You read articles online about less than scrupulous individuals who would just love to gain access to your blog and generally deface it, or cover it with their spammy advertising for pharmaceuticals. A common way hackers will attempt to gain access to your blog is by a brute-force attack on your WordPress Admin page. There are various methods which can be employed to extract your username, and then all they need to do is set up a script to hammer your login page with the username and different passwords. Hopefully they will fail, but sometimes they may succeed. A good password is key to good site security and I’ll discuss this in greater detail below but you can also take steps to ensure that attempts to brute-force your password are unsuccessful.
Image courtesy of cooldesign / FreeDigitalPhotos.net
Plugins like Login LockDown limit the number of login attempts from a given IP range within a set time period. This means that if someone guesses your password wrong, say, five times in a row, that IP range is locked out from trying again until the specified time period has expired.
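To make the lockout behaviour concrete, here is an added example of my own (not the Login LockDown plugin's code) that models it: failed logins are counted per IP range inside a sliding window, and once the threshold is reached the whole range is refused until the lockout period has passed. The /24 grouping, the five-failure threshold, the five-minute window and the one-hour lockout are assumptions chosen for the example, as is the constructed attempt log.

```python
"""Sliding-window login lockout keyed on the client's IP range (added example)."""
from collections import defaultdict, deque
import ipaddress


class LoginLockout:
    def __init__(self, max_failures=5, window_s=300, lockout_s=3600):
        self.max_failures = max_failures      # failures allowed inside one window
        self.window_s = window_s              # sliding window for counting failures
        self.lockout_s = lockout_s            # how long a range stays locked
        self._failures = defaultdict(deque)   # range -> timestamps of recent failures
        self._locked_until = {}               # range -> time at which the lock expires

    @staticmethod
    def ip_range(ip):
        # Assumption: group IPv4 by /24 and IPv6 by /64 so a guesser rotating
        # through neighbouring addresses still shares a single counter.
        prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def is_locked(self, ip, now):
        key = self.ip_range(ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                      # lock has expired: forget it and its counter
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Count a failed login; return True if this one triggered a lockout."""
        key = self.ip_range(ip)
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
            q.clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(self.ip_range(ip), None)


def replay(lockout, attempts):
    """Replay (timestamp, ip, password_correct) events and return one decision per event:
    'locked' = refused without checking the password, 'ok' = logged in, 'fail' = wrong password."""
    decisions = []
    for ts, ip, correct in attempts:
        if lockout.is_locked(ip, ts):
            decisions.append("locked")
        elif correct:
            lockout.record_success(ip)
            decisions.append("ok")
        else:
            lockout.record_failure(ip, ts)
            decisions.append("fail")
    return decisions


# Constructed sample: five wrong guesses from one /24 within a minute, then a
# correct password from the same range (still refused), an unrelated visitor,
# and finally the same range again after the one-hour lock has expired.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.10", False),
    (10, "203.0.113.10", False),
    (20, "203.0.113.11", False),
    (30, "203.0.113.12", False),
    (40, "203.0.113.10", False),    # fifth failure inside the window -> range locked
    (50, "203.0.113.10", True),     # right password, but the range is locked out
    (60, "198.51.100.7", True),     # a different network is unaffected
    (3700, "203.0.113.10", True),   # lock set at t=40 expired at t=3640
]

if __name__ == "__main__":
    print(replay(LoginLockout(), SAMPLE_ATTEMPTS))
```

Note that the correct password at t=50 is refused: that is the point of the lockout, and it is also why a legitimate owner on a locked range has to wait, so choose the window and lock duration with your own access patterns in mind.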
WordPress also offer their own advice on securing blogs in their codex, which I strongly recommend you read, but I’ve detailed one important and easy change below. It hardens the include-only folders of your WordPress installation by refusing direct web requests for the PHP files inside them (the server answers 403 Forbidden instead of running the script).
Insert the code snippet below into your site’s .htaccess file, outside (above or below) the WordPress configuration block (the text block starting with # BEGIN WordPress and ending with # END WordPress). Once you’re done, simply save the file and you’re all finished!
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests outside wp-includes/ skip the three rules that follow; if you add a
# rule after this one, raise the S= count to match.
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
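It is easy to misread what these five lines block, so here is an added example of my own (not from the codex or the page) that models mod_rewrite’s handling of them in Python: each rule is walked in order with the [F] (403 Forbidden), [L] (stop) and [S=n] (skip the next n rules) semantics, on paths written the way the per-directory engine sees them (relative to the folder holding .htaccess, no leading slash). The rule list, the sample paths and the simplified flag handling are assumptions of the example; it is a way to reason about the snippet offline, not a substitute for requesting the URLs against your real server.

```python
"""Model of the five include-only RewriteRule lines (added example, not the codex's code)."""
import re

# (pattern, negated, flags), mirroring the snippet line by line.
RULES = [
    (r"^wp-admin/includes/", False, {"F", "L"}),
    (r"^wp-includes/", True, {"S=3"}),          # "!" prefix in the snippet = negated
    (r"^wp-includes/[^/]+\.php$", False, {"F", "L"}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F", "L"}),
    (r"^wp-includes/theme-compat/", False, {"F", "L"}),
]


def decide(path, rules=RULES):
    """Return 403 if some rule forbids the request path, otherwise 200."""
    i = 0
    while i < len(rules):
        pattern, negated, flags = rules[i]
        i += 1
        matched = re.search(pattern, path) is not None
        if negated:
            matched = not matched
        if not matched:
            continue
        if "F" in flags:
            return 403                        # [F] answers Forbidden; [L] ends processing anyway
        for flag in flags:
            if flag.startswith("S="):
                i += int(flag[2:])            # [S=n] jumps over the next n rules
    return 200


def skip_count_matches(rules=RULES):
    """True if each [S=n] skips exactly the rules that follow it.

    This is the caveat when editing the snippet: adding a rule after the
    "!^wp-includes/" line without raising S= would expose that new rule to
    every request, including those outside wp-includes/."""
    for idx, (_, _, flags) in enumerate(rules):
        for flag in flags:
            if flag.startswith("S=") and int(flag[2:]) != len(rules) - idx - 1:
                return False
    return True


# Constructed sample paths: what a practitioner would expect to be refused or served.
SAMPLE_PATHS = [
    "wp-admin/includes/file.php",             # include-only admin helper -> 403
    "wp-includes/version.php",                # PHP directly inside wp-includes -> 403
    "wp-includes/js/tinymce/langs/en.php",    # tinymce language file -> 403
    "wp-includes/theme-compat/comments.php",  # theme-compat fallback -> 403
    "wp-includes/js/jquery/jquery.js",        # static asset WordPress needs -> 200
    "wp-admin/admin-ajax.php",                # legitimate admin endpoint -> 200
    "index.php",                              # front page -> 200
]


def audit(paths=SAMPLE_PATHS, rules=RULES):
    """Map each sample path to the status the rules would produce."""
    return {p: decide(p, rules) for p in paths}


if __name__ == "__main__":
    for path, status in audit().items():
        print(f"{status}  {path}")
    print("skip count consistent:", skip_count_matches())
```

If `audit()` ever shows 403 for an asset your theme needs (a .js or .css file is never matched here, only .php), or 200 for one of the include-only files, re-check the rule order and the S= count before copying the snippet to the live site.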
Best practices with your passwords
Image courtesy of artemisphoto / FreeDigitalPhotos.net
What’s your password? No, no – don’t tell me, but I hope it’s a good one and I hope it’s not the name of your little, fuzzy-wuzzy-kitty-cat. Public knowledge of the importance of a strong password is slowly improving but the number of people who still use the name of their child or their cat as their password is still staggeringly high. And no – adding a “1” at the end doesn’t really improve it. It makes it marginally more secure but it’s still an unacceptable password.
A good password should contain upper and lower case letters, numbers and punctuation or characters. Something like, say, this: N&f9u?6Wqs@p;XIe!+BeMl
You should also never use the same password for multiple sites. This is all well and dandy in theory you might think, but in practice who is going to remember forty different randomized passwords like this? Well, I don’t. I don’t actually know any of my passwords because I store them all in a password database. Numerous options exist – my favourite is KeePass. It’s free, it’s secure, and it’s open-source, meaning anyone can take a peek at the code to check that all your passwords aren’t being secretly emailed to some hackers somewhere.
You can organise all your passwords in here and generate new ones, and the password database is stored in encrypted form on your computer. You can unlock the database with a password, a keyfile stored on your PC or a USB stick, or your computer user account (or a combination of all three).
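A password manager’s generator does this for you, but to show what the two rules above (all four character classes, and random rather than memorable) buy you, here is an added example of my own, not KeePass’s code: it draws a password from the operating system’s cryptographic random source, checks which character classes are present, and gives the entropy bound for a uniformly random string of that length. The 22-character default, the 80-bit threshold and the sample weak passwords are assumptions of the example; the strong sample is the one quoted above.

```python
"""Password generation and class/entropy check (added example, not KeePass's code)."""
import math
import secrets
import string

# The four character classes the text asks for.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "punct": string.punctuation,       # 32
}
ALPHABET = "".join(CLASSES.values())   # 94 characters in total


def missing_classes(password):
    """Return the set of class names with no character in the password."""
    return {name for name, chars in CLASSES.items() if not any(c in chars for c in password)}


def entropy_bits(password):
    """Upper bound on entropy, assuming every character was drawn uniformly from the
    union of the classes present. This is only meaningful for generated strings: a
    pet's name with a digit appended is far weaker than this figure suggests."""
    pool = sum(len(chars) for name, chars in CLASSES.items() if name not in missing_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password, min_bits=80):
    """Summarise a password: entropy bound, missing classes, and whether it passes."""
    missing = missing_classes(password)
    bits = entropy_bits(password)
    return {"bits": round(bits, 1), "missing": sorted(missing), "ok": not missing and bits >= min_bits}


def generate_password(length=22):
    """Random password from the OS CSPRNG, redrawn until all four classes appear."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["fluffy", "fluffy1", "N&f9u?6Wqs@p;XIe!+BeMl", generate_password()]:
        print(f"{pw!r}: {assess(pw)}")
```

`secrets` is the right module for this job; `random` is a statistical generator, not a cryptographic one, and a password drawn from it can be far more predictable than its length suggests.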
Don’t forget your mobile visitors
I had a shock recently. For a long time I’ve felt that visitors from mobile devices did not make up a significant percentage of my traffic and then one day I finally got to investigating and found that almost 40% of my traffic was people using mobile phones and tablets. I immediately set to work on a mobile theme and hope that the one I have in place now is acceptable to visitors.
Having a site which loads poorly on a mobile device is not only bad for SEO, but it’s also bad for the user, which is ultimately bad for you, the blogger. My takeaway for you from this brief section is as follows:
Make sure your site is mobile friendly. A responsive theme which changes depending on the user’s screen size is ideal. Additionally (though people will have differing opinions on this), if you make money from advertising on your website, don’t be a slave to revenue. It’s far better to provide the visitor with a sleek experience at the cost of a hit in earnings than it is to only serve the desktop version of a site to everyone simply because you don’t want to lose out on ad revenue.
ElegantThemes is a great source of themes for WordPress. They have a number of responsive themes to choose from and you get access to all themes for one low cost. Both my mobile and my desktop theme are from them right now and I’ve always been very happy with their support and performance.
Last but not least – the host
Where your site is hosted can have a big impact on the performance of your site. Badly configured or overcrowded servers, low network speeds, or generally poor customer service can turn blogging from a pleasure into a nightmare so you want to make sure that the company hosting your site are up to the task, regardless of whether your site is large or small.
I’ve previously used HostGator for 2 years and have found their services and support very good.
I’m currently with HostDime and would also definitely recommend them to anyone looking for a new host.