Josiah Cole

The official blog for Josiah Cole.

New Simple Bootstrap WordPress Theme


I didn’t set out to create a Bootstrap theme for WordPress, yet here I am, running just that and proclaiming yet again that I will resurrect this blog from its deathbed (I’ll spare you the overly dramatic “I’m back” post).

First the theme.  I started with a very stripped down, hand-built HTML5 theme.  After battling with CSS for what seemed like too long, I took a break and decided upon return to grab a quick two-column Bootstrap template as my basis.  What I found was The Bootstrap Blog template, and it provided exactly what I needed (responsive two-column) to quickly get back up and running.

All I needed was to insert the WordPress theme code (aided by the Theme Check plugin) and I was on my way.  I’m still revising the theme, but once it’s finally at 1.0 I’ll consider zipping it and providing it here for download.

Features

Not much.  No, seriously: there are not, and will not be, many fancy WordPress features in this theme.  My goal with this blog is simply to create a simple, clean-looking platform for my writing.  I don’t have much need for many of the common theme features, but I will do my best to cover the bases on functionality (menus, widgets, etc.).

Performance

I ran my Bootstrap themed site through GTmetrix’s online performance utility and was pleased to find it scored 91% on Page Speed and 80% on the YSlow scale.  All this without major optimizations.  I’m going to move my DNS to CloudFlare, which will help some of my deficiencies.


CDN

Loading the Bootstrap components from a CDN is not popular with the Theme Check plugin, but I believe it is an asset to the speed and performance of the theme if your host isn’t spectacular.

WordPress Security Best Practices

A long overdue follow-up to my immensely popular almost perfect WordPress htaccess file article.  This article of best practices should give you several more tricks up your sleeve to keep your WordPress installation secure, running smoothly, and below the radar of hackers and spammers.  This guide is not for WP beginners, but I also left out more advanced and obscure techniques to keep these recommendations to the kind you could feasibly implement even if you’re not a veteran.

1.  Change $table_prefix:   By default WordPress uses a wp_ prefix to create the table names within your MySQL database.  Hackers exploit this default behavior and design their tools to look for this naming convention.  Changing this prefix from the default makes their attack tools less effective.

Ideally, prior to your first install, change the prefix value in the wp-config.php file to something else.  If you have already installed WordPress, there are a handful of plugins and tutorials available online to walk you through the process.  Beware: changing your table names after install is dangerous, and you should follow thorough backup procedures to minimize possible downtime.

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

Helpful Link: http://codex.wordpress.org/Editing_wp-config.php#Advanced_Options

2.  Remove the “admin” username / account:  This is a technique that is simple to execute and one that can be accomplished by almost any user.  By default WordPress creates an administrator account with the username “admin”.  This default is exploited by hackers who use brute force to guess your admin login credentials; knowing one half of your login makes gaining access that much easier for an attacker.

To address this, simply create a new account and give it administrator rights.  Then log out of your “admin” account, log back in as this new user, and delete the old admin account.  When you delete this account, make sure to assign all posts, comments, etc. to the new administrator you created.  If you’re installing WordPress fresh, the install procedure now allows you to change the username prior to install.

3.  Restrict wp-admin access to certain IPs:  Assuming you manage your WordPress from only a few locations and your IP address does not change frequently, restricting access to WP Admin based on a list of IP addresses can add a very thorough protection from remote attacks.

Create or modify your existing .htaccess file in /wp-admin/ to include the following.  You’ll need to customize it with your own IP addresses.

# Apache 2.2 access-control syntax (mod_authz_host); on Apache 2.4 these
# order/deny/allow directives only work with mod_access_compat loaded.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist
# home
allow from 00.000.000.00
# work
allow from 00.000.000.000
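
As an added example (my own script, not the article’s configuration or anything shipped with WordPress), here is a small POSIX shell script that writes the same wp-admin allow-list in the Apache 2.4 “Require ip” syntax, which current Apache releases use instead of order/deny/allow. It validates each address or CIDR entry before emitting anything, and it exempts admin-ajax.php, which WordPress front-end features call on behalf of logged-out visitors and which the plain allow-list above would block along with the rest of /wp-admin/. The addresses in the usage line are constructed documentation-range values, not real ones.

```shell
#!/bin/sh
# Added example, not the article's configuration: emit a wp-admin/.htaccess
# that allow-lists addresses using the Apache 2.4 "Require ip" directive.
# Addresses in the usage line at the bottom are constructed samples.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%%/*}
    old_ifs=$IFS
    IFS=.
    set -- $addr          # split into octets (positional parameters are local to the function)
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the .htaccess body for the given entries. Refuse to print anything if one
# entry is malformed, so a typo never yields a file that allows or denies the wrong range.
gen_wp_admin_htaccess() {
    for entry in "$@"; do
        valid_ipv4_cidr "$entry" || { echo "invalid allow-list entry: $entry" >&2; return 1; }
    done
    echo '# Only the listed addresses may reach wp-admin (Apache 2.4 syntax, mod_authz_core).'
    echo '<RequireAny>'
    for entry in "$@"; do
        echo "    Require ip $entry"
    done
    echo '</RequireAny>'
    cat <<'EOF'

# admin-ajax.php serves front-end features for every visitor, so it must stay reachable;
# without this exemption, AJAX on the public site fails for anyone not on the list.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Usage: gen_wp_admin_htaccess 203.0.113.10 198.51.100.0/24 > /path/to/wp-admin/.htaccess
```

Two caveats for the resulting file. When the site sits behind a CDN or reverse proxy (CloudFlare, for instance), the client address Apache sees is the proxy’s, so the allow-list will start denying you and allowing the proxy’s ranges unless mod_remoteip or an equivalent trusted-proxy setup restores the real client address first. And an address allow-list is a complement to, not a replacement for, the password prompt in item 5: it stops protecting you the moment your home address changes, and it does nothing against an attacker who already has a foothold on your network.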

4.  Remove unused themes and plugins:  This advice is incredibly easy to execute and a no-brainer for most who run a blog that has accumulated multiple themes over time.  Old, even inactive, themes can present security risks to WordPress.  Removing them is as easy as deleting the theme via FTP from the wp-content/themes/ directory, or using the WP admin (Appearance > Themes > Delete).  If you might need to re-activate an older theme, download its files and store them locally until needed again.

5.  Secure /wp-admin/ directory:  For most, this can be accomplished via your hosting control panel, most likely some version of cPanel, or Plesk.  For unfortunate Windows users, this type of directory protection isn’t quite as simple so you’re mostly SOL.  Simply choose the /wp-admin/ directory to protect, and assign a new user to this directory.  When you visit yourdomain.com/wp-admin you’ll be prompted with an additional username and password dialog.  If you don’t have a hosting control panel capable of creating this type of protection for you, the process can be done by hand but it involves a few more (but IMHO worthwhile) steps to complete.

Pro Tip:  Some of you may experience a 404 Page Not Found when attempting to access your newly protected admin directory.  To fix this you’ll need to add “ErrorDocument 401 default” to the top of your /wp-admin/ .htaccess file.

Helpful Link: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin

Your resulting .htaccess file should look something like this, assuming you have nothing else custom present.  The AuthUserFile path will differ on your server, and the AuthName can read whatever you’d like.

ErrorDocument 401 default

AuthType Basic
AuthName "Go Away"
AuthUserFile "/home/username/.htpasswds/public_html/wp-admin/passwd"
require valid-user

6.  Lock down file permissions:  File permissions are often loosened to make certain plugins work or to diagnose problems with a WordPress install, and many times they are simply wrong or too loose out of the gate.  Changing file and directory permissions, however, can be tricky and can cause a multitude of problems.  The best technique is to change them slowly and test often.  Also, if you run secured permissions, don’t be surprised if newly installed plugins don’t work quite right without some adjustments.

Helpful Link: http://codex.wordpress.org/Changing_File_Permissions

Helpful Link:  http://codex.wordpress.org/Hardening_WordPress#File_Permissions
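
To make item 6 concrete, here is an added shell example of my own (not from the article or the Codex page linked above) that applies the Codex baseline of 755 on directories, 644 on files and 600 on wp-config.php, and that can first list anything world-writable so you can see what the change will touch before you make it. It builds a throwaway sample tree with deliberately loose modes to run against; the paths in that tree are constructed, and on a real install you would point the functions at the document root instead. The 600 on wp-config.php assumes PHP runs as the file owner, as it does on most shared hosts; where the web server runs as a different user, that file needs a group-readable mode such as 640 with the server in the group.

```shell
#!/bin/sh
# Added example, not from the article or the Codex: audit and then tighten
# WordPress file permissions to the Codex baseline (directories 755, files 644,
# wp-config.php 600). Uses only POSIX find, chmod and mktemp.

# List everything under $1 that is world-writable (writable by "other").
find_world_writable() {
    find "$1" -perm -002 ! -type l -print
}

# How many world-writable entries exist under $1.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Apply the baseline under $1. Directories need the execute bit to be traversed,
# which is why they get 755 while plain files get 644. wp-config.php holds the
# database credentials, so it is restricted to its owner (assumed to be the PHP user).
harden_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Build a constructed stand-in for an install, with two deliberately loose modes.
make_sample_wp() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/wp-admin"
    : > "$dir/wp-config.php"
    : > "$dir/wp-content/uploads/photo.jpg"
    chmod 777 "$dir/wp-content/uploads"   # the classic "just make the plugin work" mistake
    chmod 666 "$dir/wp-config.php"        # credentials readable and writable by anyone
    printf '%s\n' "$dir"
}

# Walk through audit -> fix -> re-audit on the sample tree.
demo() {
    d=$(make_sample_wp)
    echo "world-writable before:"
    find_world_writable "$d"
    harden_wp_perms "$d"
    echo "world-writable after: $(count_world_writable "$d")"
    rm -rf "$d"
}

# Run "demo" to see it against the sample tree, or call the functions on a real document root.
```

Run it the way the article advises, a step at a time: list with find_world_writable first, fix, then retest the site. An upload directory that a plugin genuinely needs to write to should be owned by the web server user rather than opened to everyone; a 777 wp-content/uploads is exactly the loose mode an attacker who has found a file-upload weakness hopes to find, so it is worth fixing even when the site appears to work.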

7.  Hide WordPress signature:  This is another “security through obscurity” technique similar to removing the admin account or changing your table prefixes.  By default, WordPress will report a “signature” identifying the website as powered by WP and displaying the version number in the code.  Knowing that you use WP, and what specific version gives a would-be hacker an advantage.

There are three ways to address this:

a.  Remove the following (actual format may vary) from your header code:

<meta name="generator" content="WordPress x.y.z" />

b. Add the following to your theme/functions.php file:

remove_action('wp_head', 'wp_generator');

c. Add the following to remove this signature from the blog *and* the RSS feed.

// Returning an empty string from the_generator blanks the signature in both the
// HTML head and the feeds, which is why this covers more than remove_action does.
function wpbeginner_remove_version() {
    return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');
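
Once the filter above is in place, you will want to confirm the version is actually gone. The following shell script is an added check of mine (not from the article): it scans saved copies of a page and of the RSS feed for the generator meta tag and the feed’s generator element, and, going one step beyond the article, for the ver= query strings WordPress appends to enqueued scripts and stylesheets, which reveal the version even after the generator tag is removed. The HTML and feed snippets are constructed samples; on a live site you would pipe in the output of curl instead.

```shell
#!/bin/sh
# Added example, not code from the article: detect the places a WordPress
# install reveals its version in the HTML it serves and in its RSS feed.
# The sample documents below are constructed; on a live site, pipe in the
# output of "curl -s https://example.com/" and ".../feed/" instead.

# Print every version leak found on stdin, one per line.
# Returns 0 when nothing was found and 1 when at least one leak was printed.
find_version_leaks() {
    leaks=$(grep -Eio '<meta name="generator" content="WordPress[^"]*"|<generator>[^<]*</generator>|\?ver=[0-9][0-9.]*' || true)
    [ -n "$leaks" ] || return 0
    printf '%s\n' "$leaks"
    return 1
}

# Number of leaks on stdin (0 for a clean document).
count_version_leaks() {
    find_version_leaks | wc -l | tr -d ' '
}

# Constructed sample: a default install's <head>, carrying three version strings
# (the generator tag, the theme stylesheet's ver= and the bundled jQuery's ver=).
SAMPLE_HTML='<head>
<meta name="generator" content="WordPress 3.5.1" />
<link rel="stylesheet" href="/wp-content/themes/t/style.css?ver=3.5.1" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.8.3"></script>
</head>'

# Constructed sample: the <generator> element WordPress puts in RSS feeds.
SAMPLE_FEED='<rss><channel><generator>http://wordpress.org/?v=3.5.1</generator></channel></rss>'

# Constructed sample: what the head looks like once the signature and ver= are gone.
CLEAN_HTML='<head><link rel="stylesheet" href="/wp-content/themes/t/style.css" /></head>'

# Usage:  printf '%s\n' "$SAMPLE_HTML" | find_version_leaks
#         curl -s https://example.com/ | find_version_leaks && echo "no version leaks"
```

The ver= query strings are usually removed with the script_loader_src and style_loader_src filters, which let a theme strip the argument before the tag is printed; the readme.html file mentioned in the edits at the end of this post is a fourth copy of the same information and is worth adding to whatever check you run after an upgrade, since core updates put it back.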

8.  Turn WP DB errors off.  Since version 2.3.1, WordPress has turned this value off by default.  The debug feature gives you, the developer, lots of helpful information if things aren’t quite right, but it should be disabled when you’re not actively diagnosing issues.

Helpful Link: http://codex.wordpress.org/Editing_wp-config.php#Debug

9. Strong passwords. An oldie but a goody.  Make sure every user has a strong password.   There are a whole host of WordPress plugins that enforce strict passwords on all users if you don’t have the option of creating the accounts yourself.

Helpful Link: http://codex.wordpress.org/Hardening_WordPress#Passwords

10. Monitor or disable user registration/comments.  User registration and participation via comments, while great for your blog’s community and traffic, are bad for security.  Opening your WordPress blog to user registrations gives a hacker a level of access to your site that ordinary visitors don’t have, potentially revealing information about your blog that they can use to gain further access.  Monitoring user registrations and activity is key to minimizing this threat.  If things get very bad, user registration can be disabled via the Settings > General control panel.

11. Secure FTP.  Sometimes security isn’t about trying to stop someone across the globe but rather someone much closer.  This intruder or snooper could be sniffing network traffic and could intercept your username and/or password.  Secure FTP, or SFTP, encrypts the connection between you and your web server, ensuring no one in between can sniff your login credentials.

Helpful Link: http://codex.wordpress.org/Hardening_WordPress#FTP

12. Administration over SSL.  As with the advice for FTP, it is wise to use the WordPress admin interface over a secure connection.  Forcing SSL for WP Admin is a little more involved than most admins will tolerate, but it should not be ignored when attempting a comprehensive security plan.

Helpful Link: http://codex.wordpress.org/Administration_Over_SSL

13. Secure wp-config.php with htaccess.  Most don’t know this, but you can actually move the all-important wp-config.php file one directory above the WP install.  This gives you another level of obscurity from attackers looking to nab that file.  Even if you don’t move wp-config.php, you should protect it with an .htaccess file.

Here’s what you add to your root directory .htaccess file:

# Deny every request for wp-config.php (Apache 2.2 syntax; on 2.4 use
# "Require all denied" inside the same Files block).
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Helpful Link: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php

——

If you made it this far congratulations, you now have a good primer on WordPress security.  Not all of these best practices are required to run a secure WordPress site, but the more important your website becomes, the more essential these types of defenses become.

Other things to worry about:

Plugins.  Even if you prune old plugins, existing even up-to-date plugins can present security risks.  Keep them to a minimum.

Flash:  Flash can be hacked.  I’ve had personal experience bailing out website owners with compromised Flash galleries.  Drop Flash and use JavaScript.

Your computer:  Your computer could be compromised.  Scan often and with different software.

Edits:

Twitter user @BoiteAWeb reminded me that the WP version number is stored in your root directory readme.html file. Delete it to further obscure this useful information.

And the love kickstarts again


A couple weekends ago I decided this blog … my blog and official home on the web needed a redesign, rebuild and re…. well, everything.  Not wanting to get bogged down in the details of design, I installed an excellent theme from Elegant Themes and set to work making it feel like home.  A simple theme, but one that I can mangle and modify to suit my needs.  The next task will be the publishing of real content, and the trimming of old/lame content as I see fit.

Edit:  Just trashed 6 of my least popular articles, with such stellar topics as web 2.0 (*shudder*), Mahalo (I feel dirty), and SEO (a D effort on my part, but a good idea).

19 Things A Business Owner Can Do to Torpedo Their Website Project

Sink that well intentioned website project!

In my 10 years of professional website design and development experience, I have seen and heard it all when it comes to client and business owner web project dysfunction.

I’m Stuck – Random Design Idea Generator


I fashion myself a bit of a web designer, and sometimes after slaving away on a client’s web design proof for hours, I run into a wall of uncreative energy or as I call it “shit out of ideas”.   I have found that many times the path around or through this wall is not always that complicated and can sometimes be as simple as a random one-line suggestion.

So as usual I had an idea for a very simple web application that web designers could bookmark, and when completely out of ideas they could visit it and get a quick suggestion that they could then apply to their design proof.

The humor in this comes in two areas: the web application has no idea what the designer is working on, nor does it care.  It’s simply pre-loaded with canned, design-specific suggestions that may or may not apply to the designer.  The point is that sometimes this may be enough, or the suggestion may reinforce an idea you were already considering in your head or on the screen/paper.  The other humor angle is the suggestions themselves, which can be as simple and benign as “It needs more red” or as wacky and insulting as “Throw it out and start over you idiot” or whatever else we (or you, see below) may think up.

Check out the demo version of this web app we call I’m Stuck over at josefresco.com/imstuck.

But wait, there’s more …

The demo I whipped up at josefresco.com is simple, ugly, took less than an hour to make and really is just the basis for a site that could be much more fun.  Here are some ways that someone could expand on the idea and provide more functionality and humor:

1.  Social Rating: Give users the ability to rate the suggestions and allow the user to filter to show top rated suggestions.

2.  User Participation:  Allow users to submit their own (crazy) suggestions and give them a weblink as an incentive.

3.  Filters:  Categorize the suggestions and give the users a filter to further tailor the now less-random suggestion to their project.

Those ideas are fun, but what if we took it further:

4.  Community:  Allow users to upload proofs of their work and have other users give their own customized suggestions.  Integrate a way for authors to thank users (PayPal/badges etc.)

5.  Mobile: All the cool kids are doing it, and I could see an I’m Stuck mobile app being useful for those designers on the go needing inspiration.

6.  Beyond Design:  This idea and web application could be expanded beyond just design to encompass other subjects such as: Pick Up Lines, Economic Policy, and Sitcom Plots.

So there you have it.  Not only a working proof of concept but some basic ideas for 2 or more generations of a web application and service just begging to be made.

In case you missed it above check out the demo of I’m Stuck and leave me your feedback.