Tag Archives: security

Feb 2017 Q & A: Directories, Security, Languages, and Genesis

There were lots of question at the February 2017 East Bay WordPress meetup. Here they are with their answers.

What’s the Best Directory Structure for WordPress?

If you are planning to have multiple WordPress installs on your hosting account, or to install both WordPress and other apps on a single domain, it’s a good idea to put WordPress in its own directory.

There are also other occasions when you might want to create a separate directory or subdomain. (WordCamps move the previous year’s WordCamp info onto a subdomain so that the main domain always shows the current year’s information.)

And then there’s the question of whether to use a subdomain or subfolder structure for WordPress Multisite.

The WordPress Codex is the best place to start:

Note that we will be having a meetup about WordPress Multisite in May.

What are Some Best Practices for WordPress Security?

There are many posts about this (most of them covering the same points), but again, it’s helpful to start with the WordPress Codex article “Hardening WordPress.”

Among the most fundamental suggestions are

  • Keep WordPress, plugins, and themes updated
  • Use a good username (not “admin”!) and password
  • Don’t re-use passwords across multiple sites
  • Don’t use an admin account to publish content
  • Make sure your user id is not “1”
  • Use an antivirus on your computer to prevent infections spreading to your website.

It’s easy to start using strong passwords by installing a password management app. LastPass is free for 1 device and $12/year to install on all devices. It generates and stores strong passwords and syncs them between your phone(s) and computer(s).

What’s the Best Tool for Publishing a Site in Multiple Languages?

You (or your clients) may have a multi-lingual readership, and sometimes an on-the-fly mechanical translator like GTranslate doesn’t cut it. The most-established (though by no means easiest) plugin is WPML, which Sonja London recommends. Polylang and Weglot are two others.

Note that if one of these plugins doesn’t work with your theme, the problem might be the theme.

Those plugins address the front end of the site (what visitors see). The Polyglots team is in charge of translating the WordPress admin and settings pages for themes and plugins. Plugin and theme authors are encouraged to make their extensions translation-ready. There’s an Admin Language Per User plugin so each author on your site can interact with WordPress in his or her own language.

Where Can I Find a Good Genesis Starter Theme?

If you use (or want to start using) the Genesis Theme Framework, sign up for the GenesisWP Slack team, where you’ll find a large and helpful group of Genesis developers.

StudioPress provides a free Genesis Sample child theme, but it’s not everyone’s ideal starting point. Tonya Mork over at Know the Code will teach you how to build your own Genesis Starter Theme.

Here are a few other options:

Sept 2015: Installing & Configuring Security Plugins

Things change rapidly in the WordPress world. The content in this post is more than a year old and may no longer represent best practices.

What’s the Hardest Thing About WordPress?

Prior to the security plugin demos, we had a discussion about what people find difficult about WordPress, based on our own experience and that of our clients. Here’s what people had to say:

  • Ted—People expect WordPress to be like Wix, with great UI elements you can just drop in. He’s taken to using Shortcodes Ultimate to help with this. Pieter Hartsook recommends Visual Composer (or similar) and front-end editing.
  • Karla—Understanding that you need plugins to do anything. She’s a pretty good searcher, so doesn’t think finding and evaluating plugins is all that hard.
  • Sharihar—In Joomla you can put an extension (plugin) on just a particular page, and he hasn’t seen the ability to do that with WP. Also he found theming for Joomla easier—there’s more separation of the PHP and the HTML/CSS. Widgets also puzzled him.
  • Sallie—clients can be puzzled by the widgetized home pages in Genesis—they expect to be able to go to the home page and edit it.
  • Ted—the way your widgets depend on your theme—they will disappear/move around when you change themes
  • Bill—Trying to simplify the admin and client-proof it.
  • Ted—It really helps clients to have a UI set up where they know what type of content to enter where. Red8 does this via ACF, and it’s easier for clients, but harder to use any of that information on another page because it’s all stored as post_meta.
  • Karla—The whole concept of databases and why WordPress—she finally started to understand about retrieving the information and displaying it in multiple places.
  • Pieter—as consultants we need to take a longer view and think about what the client is going to need in 3 months or 6 months. WP’s extensibility is an advantage and you don’t always want the quickest solution.
  • Ted—Media management. Can you just bulk-upload images and display them in multiple places? Pieter suggests storing them on Flickr and pulling them into WP and elsewhere.

iThemes Security

(Demo’ed by Pieter Hartsook.) The first thing to be sure you do is whitelist your own IP address. After that the plugin will give you a list of top-priority actions. Features include malware scanning, 404 protection, block lists, changed file detection, and brute force protection. They also provide a series of instructional videos in addition to this video overview.


Pieter Hartsook showed us the new, attractive interface of Wordfence Security. Wordfence scans for malware and also compares your themes and plugins to the WordPress repository.  Here’s an overview video with a feature tour:

All in One WP Security and Firewall

Ted Curran did a demo of All in One WP Security and Firewall. It has a straightforward dashboard that shows you critical issues and your security points grade. In addition to the usual sorts of security features, AIO WP Security includes comment spam protection and text copy protection.

Security Plugins and Your Database

Security plugins log activity. The logs normally get stored in your database. iThemes Security creates three tables: _itsec_lockouts, _itsec_log, and _itsec_temp. You can tell the plugin how long to store the logs in order to keep them from taking up too much space.

iThemes Security Log Settings

Wordfence, on the other hand, creates 18 tables, which can amount to quite a bit of database clutter.


All in One WP Security and Firewall creates 5 database tables, for events, failed logins, global meta, login activity, and login lockdown.

All in One WP Security and Firewall database tables

All three plugins have free and paid versions. If you don’t have a favorite yet, try them out and pick one. Any of them should give you good protection.


One very important factor in good security–not just with WordPress but anywhere on the Internet–is using strong passwords. Sallie just started using Dashlane, which lets you sync passwords between devices for $40/year. Ted uses LastPass, which has a $12/year premium version to allow use on and syncing across unlimited devices. 1Password offers sync via Dropbox, iCloud, or Wi-Fi, all of which seems a little clumsy, and you have to buy a license for each device. (Plus it’s just kind of annoying.)

In addition to passwords, utilities like these can also store credit card information, personal information, and license keys. Using them makes it possible to use long random passwords (the most secure kind) without having to try to remember them.

Dec 2011 Slides: How to Save Your Hacked WordPress Site

Things change rapidly in the WordPress world. The content in this post is more than a year old and may no longer represent best practices.

Adria Richards gave a great presentation on what to do if your site has already been hacked. I’m embedding the slides here, but you should read her complete post, because it contains links to other resources mentioned in the presentation.

June 2010 Handout: WordPress Security Basics

Things change rapidly in the WordPress world. The content in this post is more than a year old and may no longer represent best practices.

Sources for the Presentation

Sallie’s Security Bookmarks (updated regularly)

Protecting WordPress from the Inside Out (a brilliant presentation by Syed Balkhi)

Hardening WordPress (the original Codex article)

WordPress Security Presentation by Brad Williams (from WordCamp Montreal 2009)

Top 5 WordPress Security Tips You Probably Don’t Follow (WordPress Tavern Guest Post)

Keeping Your Self-Hosted WordPress Blog Secure (by Marcelo Lewin)

How to Improve Basic Security on a Fresh WordPress Install (Weblog Tools Collection)

More Plugins for Securing Your WordPress Install (Weblog Tools Collection)

WordPress Security Monitoring and Diagnosis (Weblog Tools Collection)

Latest WordPress Hacks: It’s Your Responsibility (Mark.Watero.us)

Security Plugins

AntiVirus (An A-V program just for WordPress)

Automatic WordPress Backup (Backs your WP files and DB to Amazon S3)

Secure WordPress (Conflicts with WordPress Firewall)

ServerBuddy by PluginBuddy (Checks for security flaws and plugin compatibility)

Theme Authenticity Checker (Checks for spam links in your themes)

WordPress Database Backup (Scheduled or manual backups of your WP database)

WordPress Exploit Scanner (Checks for signs that you’ve been hacked. Results can be confusing to non-geeks)

WordPress File Monitor (E-mails you every time a file has been changed)

WordPress Firewall (Blocks suspected attacks; conflicts with Secure WordPress)

WordPress Security Scan (Scans for file permissions; lets you change WP table prefix)