How to switch WordPress from HTTP to HTTPS/SSL

As you may know, Google has announced that whether or not a site runs on HTTPS will be one of the factors in its position in search results. Another advantage of using SSL is certainly the greater trustworthiness of the site. HTTPS (Hypertext Transfer Protocol Secure) is an extension of the HTTP network protocol that secures the connection between a web browser and a web server against eavesdropping, forgery […]

Defend against brute force attacks with BruteProtect

BruteProtect is a plugin that adds you to a shared network of 120,000 sites and helps you defend against brute force attacks. A brute force attack is often used to guess a username and password pair. Random (or generic) usernames and passwords can be tried in authentication attempts, or the set of candidates can be narrowed down, for example by obtaining a list […]
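A local counterpart to what the plugin does centrally, as an added example (not BruteProtect's code and not from the original page): a must-use plugin that counts failed logins per client address in a transient and refuses further attempts once a limit is hit. The threshold, window, constant names and the generic error text are assumptions; it also assumes the site is reached directly, so REMOTE_ADDR is the real client address.

```php
<?php
/**
 * Plugin Name: Simple login throttle (added example)
 *
 * Added example, not BruteProtect's code and not from the original page.
 * Put it in wp-content/mu-plugins/. Assumption: REMOTE_ADDR is the real
 * client; behind a reverse proxy you must take the address from the header
 * your own proxy sets, and from nothing else.
 */

const LOGIN_THROTTLE_MAX_FAILS = 5;        // constructed threshold
const LOGIN_THROTTLE_WINDOW    = 15 * 60;  // lockout window in seconds

// Transient name for the current client; md5 keeps the key short and option-safe.
function login_throttle_key(): string {
    return 'login_fails_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count every failed login. WordPress fires this for a wrong password and for an
// unknown username alike, and also for logins through xmlrpc.php, because both
// paths go through wp_authenticate().
add_action( 'wp_login_failed', function ( $username ) {
    $key   = login_throttle_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, LOGIN_THROTTLE_WINDOW );
    if ( $fails === LOGIN_THROTTLE_MAX_FAILS ) {
        // One log line per lockout gives log monitoring something to pick up.
        error_log( sprintf( 'login throttle: lockout for %s after %d failures (last user: %s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $fails, $username ) );
    }
} );

// Refuse authentication while the client is over the limit. Priority 99 runs
// after the core username/password and e-mail handlers (priority 20), so even a
// correct password from a locked-out client is rejected.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( login_throttle_key() ) >= LOGIN_THROTTLE_MAX_FAILS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', LOGIN_THROTTLE_WINDOW / 60 )
        );
    }
    return $user;
}, 99 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( login_throttle_key() );
} );
```

Attempts made during the lockout still count as failures, so a client that keeps hammering extends its own lockout. The limitation is the one the plugin above addresses: the counter is per source address, so an attacker spreading attempts across many addresses never reaches the threshold on any one of them.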

Disabling XML-RPC

XML-RPC is a Remote Procedure Call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism. XML-RPC is used to do something remotely to your blog such as posting, viewing comments, etc.
By default, WordPress enables XML-RPC automatically!

Disable XML-RPC Pingback
https://wordpress.org/…pc-pingback/

This is friendlier than disabling XML-RPC entirely, since it's needed by some plugins and apps (i.e. mobile apps or some Jetpack modules).

Disabling pingbacks in functions.php (the same thing as the plugin above)

function remove_xmlrpc_pingback_ping( $methods ) {
   unset( $methods['pingback.ping'] );
   return $methods;
}
add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );

How to disable XML-RPC manually:

  1. turn off XML-RPC in functions.php

add_filter( 'xmlrpc_enabled', '__return_false' );

  2. hide xmlrpc.php in HTTP response headers in functions.php

function disable_x_pingback( $headers ) {
  unset( $headers['X-Pingback'] );
  return $headers;
}
add_filter( 'wp_headers', 'disable_x_pingback' );

  3. deny requests to xmlrpc.php in .htaccess

<IfModule mod_alias.c>
RedirectMatch 403 /xmlrpc.php
</IfModule>

or

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
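The three manual steps combined into one must-use plugin, as an added example that is not from the original page or from the plugin linked above. It also answers 403 from PHP for hosts without .htaccess (nginx, IIS). The allow-list constant and its name are assumptions: leave it empty to block every client, or list the addresses of a service that legitimately needs xmlrpc.php.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example)
 *
 * Added example, not code from the original page. Save it as
 * wp-content/mu-plugins/harden-xmlrpc.php so it loads before other plugins.
 */

// Constructed allow-list: client IPs that may still use XML-RPC (empty = nobody).
const HARDEN_XMLRPC_ALLOWED_IPS = array();

// Step 1: refuse every XML-RPC call that logs in (wp.*, metaWeblog.*, ...).
add_filter( 'xmlrpc_enabled', '__return_false' );

// xmlrpc_enabled only covers calls that log in. pingback.ping needs no login
// and is the method most often abused, so remove it as well.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Step 2: stop advertising the endpoint (X-Pingback header, pingback and RSD links in <head>).
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'pings_open', '__return_false' );  // themes print <link rel="pingback"> only when pings are open
remove_action( 'wp_head', 'rsd_link' );         // the Really Simple Discovery link points at xmlrpc.php

// Step 3 without .htaccess: xmlrpc.php defines XMLRPC_REQUEST before it loads
// WordPress, so at 'init' we already know this request is for the endpoint.
add_action( 'init', function () {
    if ( ! ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) ) {
        return;
    }
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if ( in_array( $ip, HARDEN_XMLRPC_ALLOWED_IPS, true ) ) {
        return;
    }
    status_header( 403 );
    nocache_headers();
    exit( 'XML-RPC is disabled on this site.' );
}, 0 );
```

After activating it, a request to /xmlrpc.php should come back with status 403 rather than the usual "XML-RPC server accepts POST requests only" message, and the X-Pingback header should be gone from single-post pages. Keep in mind that the 403 also locks out the mobile apps and Jetpack modules mentioned above unless their addresses are on the allow-list.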

Source »

Protecting e-mail addresses from bots

CryptX
http://wordpress.org/plugins/cryptx/

No more SPAM by spiders scanning your site for email addresses. With CryptX you can hide all your email addresses, with and without a mailto-link, by converting them using JavaScript or UNICODE. You can choose to add a mailto-link to all unlinked email addresses with only one click at the settings.

*

There is also a core WordPress function for it: antispambot().
The usage of the function is pretty simple:

<?php
$my_email_address = "my.secret.email.address@gmail.com";
$my_email_address_cloaked = antispambot( $my_email_address );
echo $my_email_address_cloaked;
?>

But you can't use PHP in your content (unless you're using a plugin for that purpose). To use this function in your content, you can utilize a cool little shortcode like the one below. With that shortcode you can cloak email addresses anywhere in your posts.

<?php
function antispambot_sc( $atts ) {
    // Merge the supplied attributes with the defaults instead of extract(),
    // which is discouraged because it turns arbitrary attribute names into variables.
    $atts = shortcode_atts( array(
        'email' => ''
    ), $atts );
    return antispambot( $atts['email'] );
}
add_shortcode( 'antispambot', 'antispambot_sc' );
// Usage: [antispambot email="my.cloaked.email.address@gmail.com"]
?>

*

or alternatively

function cwc_mail_shortcode( $atts, $content = null ) {
    $encodedmail = '';  // initialise first, otherwise PHP warns about an undefined variable
    for ( $i = 0; $i < strlen( $content ); $i++ ) {
        $encodedmail .= '&#' . ord( $content[ $i ] ) . ';';  // one numeric entity per character
    }
    return '<a href="mailto:' . $encodedmail . '">' . $encodedmail . '</a>';
}
add_shortcode( 'mailto', 'cwc_mail_shortcode' );

Shortcode usage:

[mailto]email@yourdomain.com[/mailto]
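The entity-encoding trick that antispambot() and the [mailto] shortcode above rely on, as an added stand-alone example that runs without WordPress (not the page's or the plugin's code; the function names are assumptions). It also encodes the mailto: prefix, mixes decimal and hexadecimal entities, and checks that a browser-style decode yields the original address.

```php
<?php
// Added example, not from the original page. Runnable with plain `php cloak.php`.

// Turn every character into a numeric character reference. Alternating decimal
// and hexadecimal forms means a single pattern such as &#\d+; does not recover
// the whole address.
function cloak_email( string $email ): string {
    $out = '';
    for ( $i = 0, $n = strlen( $email ); $i < $n; $i++ ) {
        $code = ord( $email[ $i ] );
        $out .= ( $i % 2 === 0 ) ? '&#' . $code . ';' : '&#x' . dechex( $code ) . ';';
    }
    return $out;
}

// Build the link. The literal "mailto:" is encoded as well, otherwise it is an
// easy anchor for a scraper to search for.
function cloaked_mailto_link( string $email, string $label = '' ): string {
    $cloaked = cloak_email( $email );
    $href    = cloak_email( 'mailto:' ) . $cloaked;
    $text    = ( $label === '' ) ? $cloaked : htmlspecialchars( $label, ENT_QUOTES, 'UTF-8' );
    return '<a href="' . $href . '">' . $text . '</a>';
}

// Constructed sample input.
$email = 'email@yourdomain.com';
$html  = cloaked_mailto_link( $email );
echo $html, PHP_EOL;

// What the browser sees after decoding the entities.
$decoded = html_entity_decode( $html, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
echo $decoded, PHP_EOL;

// Round-trip check: the address must survive unchanged.
if ( strpos( $decoded, 'mailto:' . $email ) === false ) {
    fwrite( STDERR, "round trip failed\n" );
    exit( 1 );
}
```

The round-trip check is also the caveat: anything that parses HTML properly (a headless browser, or a scraper built on an HTML parser) decodes this just as easily, so the technique only filters out crawlers that grep raw page source for address-shaped strings.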

Spammer Blocker has been around for a whole year

A year ago, on 27 May 2010, I uploaded the first version of my Spammer Blocker plugin to the WordPress repository. SB was the third plugin I was working on at the time while honing my PHP skills. Unlike my first two plugins, whose development I suspended long ago (Validation Helper and Extra Security), Spammer Blocker [...]

Checking and protecting themes

Source: WordPress Theme Malware Prevention and Protection

Updating the hashes for the Exploit Scanner plugin, and how to implement them.

Related article: Anatomy of a Theme Malware

Otto's decoder for encrypted text, and one more similar tool by the same author.

Protection against link spam

Bad Behavior
http://wordpress.org/…ad-behavior/

Bad Behavior complements other link spam solutions by acting as a gatekeeper, preventing spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place. This keeps your site's load down, makes your site logs cleaner, and can help prevent denial of service conditions caused by spammers.

Bad Behavior also transcends other link spam solutions by working in a completely different, unique way. Instead of merely looking at the content of potential spam, Bad Behavior analyzes the delivery method as well as the software the spammer is using. In this way, Bad Behavior can stop spam attacks even when nobody has ever seen the particular spam before.

Bad Behavior is designed to work alongside existing spam prevention services to increase their effectiveness and efficiency. Whenever possible, you should run it in combination with a more traditional spam prevention service.

Bad Behavior works on, or can be adapted to, virtually any PHP-based Web software package. Bad Behavior is available natively for WordPress, MediaWiki, Drupal, ExpressionEngine, and LifeType, and people have successfully made it work with Movable Type, phpBB, and many other packages.

Inpsyde AntiSpam
http://wordpress.org/…js-antispam/

Simple antispam solution. Scrambles a word and pieces it together automatically via JavaScript. Users with JavaScript enabled won't notice anything. Those who have JavaScript disabled have to type the word into a textfield. This plugin won't help against a targeted spam attack but should prevent a lot of random spam.

No remote service needed. Does not send or retrieve data from third party services.

Protecting media files (images etc.) from comment spam

Surprisingly, disabling comments globally does not apply to media files. The fix is simple:

add_filter( 'comments_open', 'noMediaComments', 10, 2 );

function noMediaComments( $open, $post_id ) {
    $post = get_post( $post_id );
    // Close comments on attachment posts (media files) regardless of the global setting.
    if ( $post && 'attachment' === $post->post_type ) {
        $open = false;
    }
    return $open;
}

Source »

Securing WordPress

sitepoint.com's tips for securing WordPress.

iThemes Security (formerly Better WP Security)
http://wordpress.org/…wp-security/

iThemes Security takes the best WordPress security features and techniques and combines them in a single plugin thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.

A Guide on Using the iThemes Security Plugin »
iThemes Security Tutorial for WordPress »

Alternatives

Secure WordPress
http://wordpress.org/…e-wordpress/
http://www.sitesecuritymonitor.com/…press-plugin

Little help to secure your WordPress installation: Remove Error information on login page; adds index.html to plugin directory; removes the wp-version, except in admin area.

1. removes error-information on login-page
2. adds index.php plugin-directory (virtual)
3. removes the wp-version, except in admin-area
4. removes Really Simple Discovery
5. removes Windows Live Writer
6. remove core update information for non-admins
7. remove plugin-update information for non-admins
8. remove theme-update information for non-admins (only WP 2.8 and higher)
9. hide wp-version in backend-dashboard for non-admins
10. Add string for use WP Scanner
11. Block bad queries
12. Validate your site with a free malware and vulnerabilities scan with SiteSecurityMonitor.com
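Several items on that list need only a few core hooks. As an added example (not the Secure WordPress plugin's own code and not from the original page), a must-use plugin that covers items 1, 3, 4, 5, 6 and 9 of the list; the generic login message and the use of the update_core capability to tell admins from non-admins are assumptions.

```php
<?php
/**
 * Plugin Name: Small info-hiding hardening (added example)
 *
 * Added example, not the Secure WordPress plugin's code and not from the
 * original page. Put it in wp-content/mu-plugins/.
 */

// 1. Replace the detailed login error ("invalid username" vs. "wrong password")
//    with one generic message, so the form no longer confirms which usernames exist.
add_filter( 'login_errors', function () {
    return 'Login failed. Check your username and password.';
} );

// 3. Remove the WordPress version from <head> and from the feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 4. and 5. Remove the Really Simple Discovery and Windows Live Writer links.
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );

// 6. and 9. Users who cannot update anyway gain nothing from the core update nag
//    or the version string in the dashboard footer; both only leak what is outdated.
add_action( 'admin_init', function () {
    if ( current_user_can( 'update_core' ) ) {
        return; // administrators keep seeing everything
    }
    remove_action( 'admin_notices', 'update_nag', 3 );
    remove_action( 'network_admin_notices', 'update_nag', 3 );
    // core_update_footer runs at priority 10 and prints "Version x.y" for non-admins.
    add_filter( 'update_footer', '__return_empty_string', 11 );
} );
```

This is information hiding, not patching: the version still shows through the ?ver= query strings on core scripts and styles and through readme.html, so treat it as removing the easy hints, and keep updating promptly regardless.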

Wordfence Security
http://wordpress.org/…s/wordfence/

Wordfence Security is a free enterprise class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don't have backups.

Wordfence is now Multi-Site compatible.