WordPress security… again

Over the past week there has been a major upsurge in attacks on WordPress sites. It appears the attackers are trying the ‘admin’ username together with a dictionary password attack. As I have said before, changing the admin username to something else is a really important thing to do. More info on The Register.

Personally I will make sure I never use ‘admin’ as the administrator account username. I will also consider installing the Google Authenticator plugin and linking it to the administrator account.
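A dictionary attack on the login form shows up in the web server access log as a burst of POST requests to wp-login.php from one source address. The script below is an added example (not from the original post) that counts those POSTs per IP and flags addresses over a threshold; the log lines are constructed sample data in the common "combined" log format, and the threshold of 3 is an arbitrary value for the demonstration.

```shell
#!/bin/sh
# Added example: spot login brute-forcing in an access log.
# SAMPLE_LOG is constructed test data; on a real server you would pipe in
# the access log (e.g. cat /var/log/httpd/access_log | flag_bruteforce 20).

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Apr/2013:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Apr/2013:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2013:10:03:00 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 8912 "-" "Mozilla/5.0"
EOF
)

# wp_login_posts: read log lines on stdin and print "count ip" for every
# source address that POSTed to wp-login.php, highest count first.
# In combined format field 6 is the quoted method and field 7 the path.
wp_login_posts() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_bruteforce THRESHOLD: print only the addresses with at least
# THRESHOLD login POSTs; these are the ones worth blocking or rate-limiting.
flag_bruteforce() {
  threshold="$1"
  wp_login_posts | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Demo on the constructed data: only 203.0.113.7 crosses the threshold.
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 3
```

A single 302 after many 200s from the same address (as in the sample) is the pattern of a guess that finally succeeded, since a failed login re-renders the form with a 200 while a successful one redirects; that is worth checking by hand rather than just blocking.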


So I’m building a website at the moment and of course it’s responsive. It features a full-width content/image slider (http://www.woothemes.com/flexslider/) that goes from 1060px wide down to 320px (iPhone 3/4 size).

To start with I was just going to use display:none to show/hide the different image sizes using CSS3 media queries. Then I read that hiding the images with CSS doesn’t stop the browser from downloading them anyway, which sucks for the user on their mobile with a poor signal, or with a limited data contract.

So I needed to serve ‘adaptive’ images somehow. Being a WordPress site I delved into the plugins world, as well as looking at other solutions. After trying a LOT of different solutions I went with a WordPress plugin called Mobble.

Mobble allows you to wrap your template code in if statements to detect the device being used to view the site.

Such as:

<?php
if ( is_tablet() ) {       // the first condition is missing from the post; is_tablet() is another Mobble check and is assumed here
    /* image size a */
} else if ( is_mobile() ) {
    /* image size b */
} else {
    /* original image size */
}
?>

It’s worked out pretty well. I ended up using 3 image sizes (using custom image sizes in WordPress), one for mobiles, one for tablet size down to mobile size and one for desktop down to tablet size. Sure, I could have used a lot more different sized images, but I think these 3 sizes will work pretty well.

Once the site is finished and live I’ll put a link to it on here.


I’ve recently had trouble getting WordPress to update locally (Mac OSX Lion). It kept asking for FTP details. I tried changing permissions and ownership (I never ever use 777 as a rule, that’s a bad habit to get into).

Anyway, after a LOT of Googling I found a solution. Just add this to your wp-config.php file:

Note: Do not add this to a WordPress site installed on a server, as this setting can open up security vulnerabilities on poorly configured hosting environments. As a rule I only use this setting locally.


WordPress has potential security issues just like any other software. There are some steps that can be taken to help prevent your site being attacked.

The most common attacks usually fall into one of two categories:
- Sending specially-crafted HTTP requests to your server carrying exploit payloads for specific vulnerabilities, typically in old or outdated plugins and software.
- Attempting to gain access to your blog by using “brute-force” password guessing.

  1. Keep WordPress up to date. Security vulnerabilities are always being looked at and fixed, so keeping up to date is very important.
  2. Make sure the web server your WordPress site is being hosted on is running secure, stable versions of its software, or use a trusted web host that takes care of this for you.
  3. Find out if your web host makes regular backups of your site and database. You have to consider how you would restore your site if it was attacked. Personally I store all my sites on a Git server (Github is also a good choice for this if you don’t have your own server), meaning that I would just need a backup of the live database if I wanted to restore a site.
  4. Use strong passwords for all WordPress users, and make sure the Administrator user is not called ‘admin’.
  5. Use SFTP when connecting to your site, so that all data and passwords are encrypted.
  6. Lock down file permissions as much as possible. See the codex for more info on this.
  7. Keep plugins updated, and delete any that aren’t being used. Plugins that need write access to the WordPress files and directories should be used with caution. Make sure these are plugins from a trusted source.
  8. Block some automated SQL injection attacks, which assume the default table names, by changing the database table prefix to something other than ‘wp_’.

This information was taken from the WordPress Codex, but common sense can also be applied. WordPress itself is pretty secure, it’s often the web hosting itself that can allow attacks to happen so make sure you use a reputable hosting company that doesn’t cut corners.
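Item 6 above says to lock down file permissions but not what that looks like in practice. The script below is an added example (not from the Codex or the original post) that applies the usual baseline of 755 for directories and 644 for files, with wp-config.php at 600 because it holds the database credentials and salts, and then counts what still deviates, so the same function can be run later as a check. It assumes the files are owned by the account that deploys the site and that nothing needs group or world write access.

```shell
#!/bin/sh
# Added example: apply and verify a WordPress file-permission baseline.

# harden_wp_perms ROOT: directories 755, files 644, wp-config.php 600
harden_wp_perms() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # wp-config.php must never be group/world readable: owner-only
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# count_perm_violations ROOT: print the number of entries that deviate from
# the baseline (0 means the tree is clean). World-writable entries are the
# dangerous ones, so they are also listed on stderr for the operator.
count_perm_violations() {
  root="$1"
  find "$root" -perm -002 >&2
  d=$(find "$root" -type d ! -perm 755 | wc -l)
  f=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l)
  c=$(find "$root" -maxdepth 1 -name wp-config.php ! -perm 600 | wc -l)
  echo $((d + f + c))
}

# Usage (on a copy first): harden_wp_perms /var/www/html && count_perm_violations /var/www/html
```

Some hosts run PHP as a different user from the file owner, in which case wp-content/uploads may need group write for uploads to work; that is a deliberate, narrow exception, not a reason to reach for 777.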


I recently got my own VPS, and decided to start using it as a Git server. It’s a Linux server running Centos 6. This tutorial assumes some knowledge of basic Linux commands.

As root or a user with sudo permissions, first thing is to install the dependencies Git will need:
$ yum -y install zlib-devel openssl-devel cpio expat-devel gettext-devel

Then change directories ready to wget Git:
$ cd /usr/local/src

Download Git:
$ wget http://git-core.googlecode.com/files/git-1.7.9.tar.gz

Untar it and change directory:
$ tar xvzf git-1.7.9.tar.gz
$ cd git-1.7.9

Configure a make file, then install Git:
$ ./configure
$ make
$ make install

That’s it, Git is installed!
Next you will need to add a user called git, and give them a password:
$ adduser git
$ passwd git

Now switch to your local machine and check if you have a public SSH key:
$ ls ~/.ssh/id_rsa.pub

If you don’t, run
$ ssh-keygen
to generate a public/private key pair. Then copy it to the git user’s home directory on your server:
$ scp ~/.ssh/id_rsa.pub git@yourservername.com:

Connect to your server via ssh again, and copy the key to the git user’s authorized keys:
$ cd /home/git/
$ mkdir -p .ssh
$ cat id_rsa.pub >> .ssh/authorized_keys

Then restrict the permissions for .ssh and its contents:

$ chmod 700 .ssh
$ chmod 400 .ssh/authorized_keys

Passwordless SSH is now set up. You should be able to connect from your local machine like this:
$ ssh git@[your server name]

Once connected as the git user, you can set up your first Git repo:
$ mkdir testproject.git
$ cd testproject.git
$ git init --bare

‘Bare’ means that the repo is initialised in the current directory without a working copy of the files, which is what you want for a repo that is only ever pushed to and pulled from.

Next go back to your local environment and go into the directory of the repo you want to push to your remote server. Add the remote location, and push:
$ git remote add origin git@[yourserver]:testproject.git
$ git status
$ git add .
$ git commit -m "initial commit"
$ git push origin master
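The key-copying steps above work but are easy to get slightly wrong: appending the same key twice, leaving .ssh group-writable so sshd silently ignores authorized_keys, or appending a file that is not a key at all. The functions below are an added example (not from the post or the linked tutorials) that do the same job idempotently with a sanity check on the key, then verify the permissions sshd’s StrictModes expects. The home directory is passed as a parameter so it can be exercised against a scratch directory; on the server it would be /home/git.

```shell
#!/bin/sh
# Added example: install a public key for the git account and check .ssh perms.

# install_git_key HOME_DIR KEYFILE: append the first line of KEYFILE to
# HOME_DIR/.ssh/authorized_keys once, creating the directory if needed.
install_git_key() {
  home="$1"; keyfile="$2"
  key=$(head -n 1 "$keyfile")
  # accept only recognised OpenSSH key types (allow-list chosen for this example)
  case "$key" in
    ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp256\ *) ;;
    *) echo "not an OpenSSH public key: $keyfile" >&2; return 1 ;;
  esac
  mkdir -p "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  # skip the append if this exact key is already present, so re-runs are safe
  if ! grep -qxF "$key" "$home/.ssh/authorized_keys"; then
    chmod u+w "$home/.ssh/authorized_keys"
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
  fi
  # same permissions as the post: 700 on .ssh, 400 on authorized_keys
  chmod 700 "$home/.ssh"
  chmod 400 "$home/.ssh/authorized_keys"
}

# check_ssh_perms HOME_DIR: succeed only if .ssh is 700 and authorized_keys
# is not group- or world-writable (sshd refuses such files under StrictModes).
check_ssh_perms() {
  home="$1"
  [ -n "$(find "$home/.ssh" -maxdepth 0 -type d -perm 700)" ] || return 1
  [ -z "$(find "$home/.ssh/authorized_keys" -perm -020 -o -perm -002)" ] || return 1
  return 0
}

# key_count HOME_DIR: number of keys currently installed
key_count() {
  wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Usage on the server, as the git user, after scp has dropped id_rsa.pub in its home:
# install_git_key /home/git /home/git/id_rsa.pub && check_ssh_perms /home/git && echo ok
```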

That’s it! I did all of the above following these 2 tutorials:
Setting up Git on Centos
Running a simple git server using SSH

Comments welcome for anything I’ve missed/overlooked.


I’ve decided to start version controlling my projects. At my previous job we used Git alongside Beanstalk. This worked really well, and the way Beanstalk handled deployments was great.

Now that I’m freelancing I’ve been looking into other options too. It seems that Github is a very popular choice, and their prices are very competitive compared to Beanstalk, especially as it’s likely it will just be me needing access to the repositories.

Now, one difference between Github and Beanstalk is that Github doesn’t have an interface for deploying. This is not a problem though! I found a great guide to using service hooks with github to automatically deploy. I’ll definitely be setting myself up with github and this approach to deployments.



New Year – time to blog more

Well, I’ve not posted on here for over a year. It’s time I started writing more posts.

I am full time freelancing again, so expect to see more about my work and what I’ve been learning.

Happy New Year!


Today I was looking for a plugin to allow an image to be associated with a post. Turns out that it is a built in feature in WordPress 2.9 and newer (thanks to Mark on WordPress).

By simply adding these 2 lines to the theme’s functions.php file, an image can become a ‘Featured Image’ on a post or page:

add_theme_support( 'post-thumbnails', array( 'post' ) );

set_post_thumbnail_size( 50, 50 ); // 50 pixels wide by 50 pixels tall, box (proportional) resize mode

Then the following code can be used to show the image:
$thumb = get_the_post_thumbnail( $page->ID ); // $page holds the WP_Post object; returns the <img> HTML, or '' if no image is set
echo $thumb;


jQuery tip

I was scratching my head today trying to work out how to stop a rollover disappearing when the mouse went over a nested element.

The answer was simple: use mouseenter and mouseleave instead of hover, mouseover/mouseout. Unlike mouseover/mouseout, they don’t fire again when the pointer moves between the element and its children.

// '.rollover' is a placeholder selector; the original selector was not shown in the post
$('.rollover').mouseenter(function () {
    //do whatever
}).mouseleave(function () {
    //do whatever
});


I started to have a play with Augmented Reality today, using Flash. I tried out one of the examples from this ActiveTuts tutorial. There’s so much potential with this type of user interaction, I already have tons of ideas I want to try out. The user just needs a webcam and a print out of a ‘marker’.

This video is a cool example of what can be done:

.fla 2 / 14 Desktop Rainbow from Saqoosha on Vimeo.

I hope to make my own AR Flash app soon, as this topic really interests me.