Recently I have been doing a lot of testing on a couple of my web sites that run WordPress and realized that securing your site takes a bit of effort. There are some plugins that do a great job at certain things; however, I wasn’t able to find any that did a great job of securing everything that I would prefer be secured. Below I describe a multi-pronged approach to securing your WordPress site from hacking attempts, using multiple WordPress plugins as well as performing a couple of manual steps that ensure the WordPress details exposed to the world are minimal.
I was hired to install some ZenCart plugins recently, one of which was the Simple SEO URL add-on. The installation was fairly easy apart from a missing dependency, which I will describe in a future email. After the installation was complete I was excited to test, but was let down when I got a 500 Internal Server Error back from the Apache web server. The virtual host that the client was using didn’t have Error Logs enabled, so I had to enable them and wait until they started archiving. Below is a description of the errors in the Apache Error Logs and how I resolved the issue.
I have been using a WordPress plugin for a while called Pretty Link Pro, which provides a ton of awesome features including a link shortener such as tinyurl.com. When using the URL shortener you can configure Pretty Link Pro to use a different domain, which is a benefit if your URL is long, like www.question-defense.com. I have been using link.as, so instead of providing shortened links such as http://www.question-defense.com/1ce I can provide links such as http://link.as/1ce, which is a lot more user friendly when providing links to others. One thing I wanted to ensure was that Google was not crawling content on the http://link.as URL, which is possible simply by Google finding the shortened links in places like Twitter. Below I describe a .htaccess modification that will redirect any traffic for one URL to another while including any trailing text.
This seems to be the week of the Rewrite Engine for me, as this is the second semi-unique modification I have needed to make to one of our servers' rewrite rule sets. This time we have a site where all traffic destined for HTTP is redirected to HTTPS via the LiteSpeed Rewrite Engine. Currently there are no exceptions to this rule on the server, except that if you are already visiting HTTPS you obviously do not get redirected to HTTPS. A description of the project, along with the necessary syntax to exclude certain ports from your rewrite rule set, is below.
LiteSpeed web server uses the same Rewrite engine that Apache uses, so most of the information you will find on the Internet relates to Apache and not LiteSpeed. One of the projects I am working on redirects all web traffic that hits each virtual host from HTTP to HTTPS without exception. Recently it came up that we needed to do some API testing with a company that wanted to test on a development server over HTTP and not HTTPS. So I needed to figure out how to exclude a specific directory from our HTTPS Redirect Rule on one specific virtual host, which turns out to be really easy. Below I describe how to send all traffic except one directory to HTTPS via the LiteSpeed web admin.