Optimizing your blog – part 5: Security and Miscellaneous

>> Introduction
>> Part 1: Caching
>> Part 2: CDNs
>> Part 3: Asynchronous Loading
>> Part 4: Image Optimization
>> Part 5: Security
>> Round-up and acknowledgements

Welcome to the final part of my WordPress blog optimization series. I’ll be writing a summary, round-up and acknowledgements later but I wanted to use this final part to talk about site security and other miscellaneous settings. These may not necessarily be directly related to site performance, but I mentioned in my introduction post that this series would help you make your site more robust, so now we’re going to work on that.

I’ll address four overall points below, with tips on improving your site installation in each one.

Ready? Let’s go…

Securing your WordPress installation

So, you’ve worked long and hard on your blog, you have it just the way you want it, but what’s this? You read articles online about less-than-scrupulous individuals who would just love to gain access to your blog and deface it, or cover it with their spammy advertising for pharmaceuticals. A common way attackers attempt to gain access to your blog is a brute-force attack on your WordPress admin login page: once they have your username (and there are various ways it can leak), all they need to do is set up a script that hammers your login page with that username and different passwords. Hopefully they will fail, but sometimes they succeed. A good password is key to good site security, and I’ll discuss this in greater detail below, but you can also take steps to ensure that attempts to brute-force your password are unsuccessful.

Securing your logins

Image courtesy of cooldesign / FreeDigitalPhotos.net

Plugins like Login LockDown will limit the number of login attempts from a given IP range within a certain time period. This means that if someone unsuccessfully tries to guess your password, say, five times, they’ll be locked out from trying again until the specified time period has expired.
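As an added illustration (not the Login LockDown plugin’s own code), here is the lockout logic such a plugin implements, in Python: failed attempts are counted per IPv4 /24 within a sliding time window, and once the limit is reached every request from that range is rejected, without even checking the password, until the lockout period expires. The thresholds and the addresses in the scenario are assumed values, not the plugin’s defaults.

```python
import ipaddress
from collections import defaultdict, deque


class LoginLockdown:
    """Sliding-window lockout per IPv4 /24 (added example, not the plugin):
    after max_attempts failures from one network within window seconds, the
    network is locked out for lockout seconds. Thresholds are assumed."""

    def __init__(self, max_attempts=5, window=300, lockout=3600, prefix=24):
        self.max_attempts, self.window = max_attempts, window
        self.lockout, self.prefix = lockout, prefix
        self._failures = defaultdict(deque)  # network -> failure timestamps
        self._locked_until = {}              # network -> time the lock expires

    def _network(self, ip):
        return str(ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False))

    def is_locked(self, ip, now):
        net = self._network(ip)
        if self._locked_until.get(net, 0) > now:
            return True
        self._locked_until.pop(net, None)    # lock has expired: forget it
        return False

    def record_attempt(self, ip, success, now):
        """Return True if the attempt may proceed, False if the source is locked out."""
        if self.is_locked(ip, now):
            return False
        failures = self._failures[self._network(ip)]
        if success:
            failures.clear()                 # a real login resets the counter
            return True
        failures.append(now)
        while failures and now - failures[0] > self.window:
            failures.popleft()               # drop failures outside the window
        if len(failures) >= self.max_attempts:
            self._locked_until[self._network(ip)] = now + self.lockout
            failures.clear()
        return True


def simulate():
    """Constructed scenario: five bad guesses from 203.0.113.7 lock out the
    whole 203.0.113.0/24, including a later, correct login from 203.0.113.9."""
    ld, t = LoginLockdown(), 1_700_000_000.0
    results = [ld.record_attempt("203.0.113.7", False, t + i) for i in range(5)]
    results.append(ld.record_attempt("203.0.113.9", True, t + 10))    # same /24: rejected
    results.append(ld.record_attempt("198.51.100.4", True, t + 10))   # other network: fine
    results.append(ld.record_attempt("203.0.113.9", True, t + 3700))  # lock expired
    return results
```

Because the lock applies to a whole address range, visitors sharing a NAT or proxy with the offender are locked out too, so keep the lockout period short enough that a genuine user is only briefly inconvenienced.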

WordPress also offers its own advice on securing blogs in the WordPress Codex, which I strongly recommend you read, but I’ve detailed one important change you can easily make below. This modification helps secure the folders in your WordPress installation by blocking direct web requests to the include-only files inside them, files that are meant to be loaded by WordPress itself and never fetched by a visitor.

Step 1: Identifying your .htaccess file

Using your FTP client of choice, or your host’s online file manager, navigate to the root directory of your site, where all the WordPress files sit. The file is called “.htaccess”; because its name starts with a dot, some FTP clients hide it until you enable “show hidden files”. Make a backup of it and then open the current, live file for editing. If you’re using a caching plugin you’ll probably see a whole load of text in here, but right at the bottom you should see a block with the WordPress configuration.

Step 2: Modifying your .htaccess file

Please note, this modification will not work if you are using WordPress Multisite.

Insert the code snippet below outside the WordPress configuration block (the text block starting with # BEGIN WordPress and ending with # END WordPress), either above or below it. Once you’re done, simply save the file and you’re all finished!

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Deny direct requests to the admin include files
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules for anything outside wp-includes/
RewriteRule !^wp-includes/ - [S=3]
# Deny direct requests to PHP files at the top level of wp-includes/
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
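To see what the rules actually do before you rely on them, here is a small Python simulator (an added example, not part of the original post or of WordPress) that walks a request path through the five RewriteRule lines above using mod_rewrite’s per-directory matching and [S=n] skip semantics; the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit

# The five RewriteRule lines from the snippet above, in the order Apache
# evaluates them: (pattern, negated by a leading "!", action), where action
# is ("forbid",) for [F,L] or ("skip", n) for [S=n].
RULES = [
    (r"^wp-admin/includes/", False, ("forbid",)),
    (r"^wp-includes/", True, ("skip", 3)),
    (r"^wp-includes/[^/]+\.php$", False, ("forbid",)),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, ("forbid",)),
    (r"^wp-includes/theme-compat/", False, ("forbid",)),
]


def is_blocked(url_path):
    """Return True if the rule chain answers 403 Forbidden for url_path.
    In a per-directory (.htaccess) context with RewriteBase /, mod_rewrite
    matches the path relative to the site root, with no leading slash and
    no query string, so the request is normalised the same way first."""
    path = urlsplit(url_path).path.lstrip("/")
    i = 0
    while i < len(RULES):
        pattern, negated, action = RULES[i]
        matched = re.search(pattern, path) is not None
        if matched != negated:           # the rule fires
            if action[0] == "forbid":
                return True              # [F,L]: 403 and stop
            i += action[1]               # [S=n]: skip the next n rules
        i += 1
    return False


# Constructed sample requests and whether the rules should block them.
SAMPLE_REQUESTS = {
    "/wp-includes/version.php": True,             # top-level PHP in wp-includes
    "/wp-includes/js/tinymce/langs/en.php?v=1": True,
    "/wp-includes/theme-compat/comments.php": True,
    "/wp-admin/includes/file.php": True,
    "/wp-includes/js/jquery/jquery.js": False,    # static assets still served
    "/wp-admin/admin-ajax.php": False,            # S=3 skip keeps admin reachable
    "/index.php?p=1": False,
    "/wp-includes/ms-files.php": True,            # the rule that breaks Multisite
}


def check_samples():
    """Evaluate every sample request; returns {path: blocked?}."""
    return {p: is_blocked(p) for p in SAMPLE_REQUESTS}
```

The last sample shows why the post warns about Multisite: ms-files.php, which Multisite uses to serve uploaded files, sits in wp-includes/ and is caught by the third rule.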

Best practices with your passwords

Hopefully not your password

Image courtesy of artemisphoto / FreeDigitalPhotos.net

What’s your password? No, no – don’t tell me, but I hope it’s a good one and I hope it’s not the name of your little, fuzzy-wuzzy-kitty-cat. Public knowledge of the importance of a strong password is slowly improving but the number of people who still use the name of their child or their cat as their password is still staggeringly high. And no – adding a “1” at the end doesn’t really improve it. It makes it marginally more secure but it’s still an unacceptable password.

A good password should contain upper and lower case letters, numbers and punctuation or characters. Something like, say, this: N&f9u?6Wqs@p;XIe!+BeMl

You should also never use the same password for multiple sites. This is all well and dandy in theory, you might think, but in practice who is going to remember forty different randomised passwords like this? Well, I don’t. I don’t actually know any of my passwords because I store them all in a password database. Numerous options exist; my favourite is KeePass. It’s free, it’s secure, and it’s open-source, meaning anyone can take a peek at the code to check that your passwords aren’t being secretly emailed to some hackers somewhere.

You can organise all your passwords in here, as well as generating new ones, and your password database is stored in encrypted form on your computer. You can unlock the database using a password, a keyfile stored on your PC or a USB stick, or your computer user account (or a combination of the three).

Don’t forget your mobile visitors

I had a shock recently. For a long time I’ve felt that visitors from mobile devices did not make up a significant percentage of my traffic and then one day I finally got to investigating and found that almost 40% of my traffic was people using mobile phones and tablets. I immediately set to work on a mobile theme and hope that the one I have in place now is acceptable to visitors.

Having a site which loads poorly on a mobile device is not only bad for SEO, but it’s also bad for the user, which is ultimately bad for you, the blogger. My takeaway for you from this brief section is as follows:

Make sure your site is mobile friendly. A responsive theme which changes depending on the user’s screen size is ideal. Additionally (though people will have differing opinions on this), if you make money from advertising on your website, don’t be a slave to revenue. It’s far better to provide the visitor with a sleek experience at the cost of a hit in earnings than it is to only serve the desktop version of a site to everyone simply because you don’t want to lose out on ad revenue.

ElegantThemes is a great source of themes for WordPress. They have a number of responsive themes to choose from and you get access to all themes for one low cost. Both my mobile and my desktop theme are from them right now and I’ve always been very happy with their support and performance.

Last but not least – the host

Where your site is hosted can have a big impact on the performance of your site. Badly configured or overcrowded servers, low network speeds, or generally poor customer service can turn blogging from a pleasure into a nightmare, so you want to make sure that the company hosting your site is up to the task, regardless of whether your site is large or small.

I’ve previously used HostGator for 2 years and have found their services and support very good.

I’m currently with HostDime and would also definitely recommend them to anyone looking for a new host.


Featured image courtesy of David Castillo Dominici / FreeDigitalPhotos.net



  1. says

    What an incredibly helpful post Charles, I know I shall be referring to all your posts when I decide to take my blog off free WordPress. Do you know if WordPress offers backups to their hosted blogs? I’m a little worried with my 650+ posts!

    • says

      Hi Eva, I’d be happy to help you out if/when you decide to move. It’s usually a very pain-free experience and the liberty you feel with a self-hosted blog is fantastic.

      WordPress most certainly “back up” the blogs hosted on their servers, if that’s what you mean. As for if they can provide you personally with a singular backup file of all the data… I’m not entirely sure. I never used the WordPress.com platform, but I believe they do have migration possibilities.

  2. says

    Guilty with the page loading time here. =/
    I am using wp touch plugins for mobile devices, not that pretty but it works.
    I never dare to play around with the .htaccess file.
    Awesome knowledge Charles. I missed all the previous ones but I am going to catch up Sunday. Thanks again for all the info!

    • says

      Hi Helene, I stopped using WP Touch – I didn’t like the way it listed all site pages in one huge unordered list. Wasn’t pretty at all.

      Don’t worry about adjusting the .htaccess file – if you mess it up you can just delete it and WordPress will recreate a new one, although that’s why it’s good to make a backup of it. If your changes don’t work then you can just restore it from backup, no problem.

  3. says

    I am with Hostgator and am really pleased with them. Great post as usual Charles and I need to look into that KeePass. This has been a very helpful series and I thank you because I learnt a lot of new things.


  4. says

    Thank you, Charles, for this very important (maybe the most important) post of the whole series. I don’t know if you were aware but several months ago there were multiple attacks on WordPress websites, which led hosts to close partially access to certain sub-pages, but I still remember the articles I read about passwords and being so surprised to learn how many people put “password” as a password in their computers or mailboxes, thinking this is a smart idea 😉
    I cross my fingers for my passwords to be safe enough…
    I once started to work on my website’s mobile version and then stopped because it never worked the way I wanted… I must start experimenting once more.

    • says

      I just checked a password “similar” to my WordPress password and apparently it would take a minimum of 2.28 trillion centuries to brute-force, assuming one can make one hundred trillion guesses per second… I’d say that’s not bad :D.

  5. says

    Great article and help again. I’ll have to find time and continue where I stopped the last time. My host is Bluehost and I don’t change host because I fear I may do something wrong. I haven’t thought of having a theme for mobile as I have no clue what to do :)

    • says

      Hi Ivy, migrating to a new host is quite easy, but I can understand your fears! Maybe I should start a service offering low-price site optimization and migration services :D.

  6. says

    Great advice Charles. New trustworthy hosting companies are always something that I like to learn more about. I used to have the issue of being in Asia and have had problems with my host being in the UK (half way point) and now on my own VPS in the US and it’s lots faster. In addition this last week, I switched to 300mb speed through my internet supplier and it is lightning fast. Life is really good! Internet speed makes all the difference in the world from enjoying what we are doing to making it a chore. Have a super week and looking forward to more pictures of your little man. I bet he is growing up so fast! Take care, BAM

    • says

      Hi Bam, I’m glad you could resolve your issues – it’s always much easier when you have a good server and a fast, stable internet connection isn’t it?!

  7. says

    I do have a trick to make your WordPress site look better on phones, especially iPhones and Androids. I insert this meta tag code in the head tag. It works wonders for all my clients! Did I tell you that I design websites now? Been doing it for a year or more. Anyway, your post is very informative. Great job!

  8. says

    I’m reading on my mobile now. :) Another good summary and tutorial. I’m now even more amazed at everyone that self-hosts. There is A LOT that goes into it. You’re very good at this stuff Charles.
