 |
|
13-04-2017, 13:11
|
#661
|
Trusted User
Join Date: Sep 2000
Location: UK
Posts: 26,096
Thanks: 190
Thanked 355 Times in 250 Posts
|
Quote:
Originally Posted by ljp
Robots are trying to brute force attack your site. I would install this:
https://en-gb.wordpress.org/plugins/wordfence/
Also check the website logs to see where the traffic is coming from and block it if possible.
You may also want to check your site to check it is correctly updated and hasn't been hacked already.
|
Thanks.
Will check that out later.
In terms of checking it hasn't been hacked already ... as I say, it only has the "hello world" post on it anyway so I am not sure there is anything worth hacking
UPDATE:
Wordpress has been updated (from within the dashboard)
Wordfence has been installed, left it with the default options and ran a "scan". It found issues with 2 out of date themes (and the log trace mentioned the files didn't match the repo versions ???) which I updated. Running a second scan found no new issues.
Hopefully that will stop them
I might even get back to doing something with the site now I have been reminded that it exists.
Last edited by AdamBrunt; 13-04-2017 at 13:35.
|
|
|
13-04-2017, 13:39
|
#662
|
Making a 1% improvement
Join Date: Sep 2000
Location: Essex, UK
Posts: 7,480
Thanks: 612
Thanked 1,810 Times in 629 Posts
|
Also make sure it's up to date. The latest version is 4.7.3. Also ensure any plugins are also up to date. Lastly (obviously) ensure the templates are up to date. Some use their own versions of JavaScript tools or plugins, and could therefore be out of date.
An alternative (probably no better, so just an alternative) is iThemes Security. It'll hide the logon page, block common attacks, block IPs, lock down the logon screen for only certain hours (so you can't use the admin panel at 3am for example), etc, do site backups, etc. Not bad for free.
|
|
|
13-04-2017, 13:41
|
#663
|
Making a 1% improvement
Join Date: Sep 2000
Location: Essex, UK
Posts: 7,480
Thanks: 612
Thanked 1,810 Times in 629 Posts
|
Quote:
Originally Posted by AdamBrunt
it only has the "hello world" post on it anyway so I am not sure there is anything worth hacking 
|
Once the little scrotes are in, they have quite a bit of control - using it to send out emails, host illegal files, attack other sites, etc.
|
|
|
13-04-2017, 15:11
|
#664
|
Trusted User
Join Date: Sep 2000
Location: UK
Posts: 26,096
Thanks: 190
Thanked 355 Times in 250 Posts
|
Quote:
Originally Posted by Chris Locke
Also make sure it's up to date. The latest version is 4.7.3. Also ensure any plugins are also up to date.
|
All done.
Quote:
Originally Posted by Chris Locke
Lastly (obviously) ensure the templates are up to date. Some use their own versions of javascript tools or plugins, and could therefore be out of date.
|
Not sure what this means - it was pretty much the out-of-box version with no custom / 3rd party templates IIRC.
Quote:
Originally Posted by Chris Locke
An alternative (probably no better, so just an alternative) is iThemes Security. It'll hide the logon page, block common attacks, block IPs, lock down the logon screen for only certain hours (so you can't use the admin panel at 3am for example), etc, do site backups, etc. Not bad for free.
|
Will also check that out as well.
|
|
|
13-04-2017, 15:59
|
#665
|
Goin' Home to Satan
Join Date: Oct 2002
Location: Stranded in Chihuahua
Posts: 15,238
Thanks: 1,875
Thanked 333 Times in 247 Posts
|
No pre-installed themes?
|
|
|
17-04-2017, 14:55
|
#666
|
Trusted User
Join Date: Sep 2000
Location: UK
Posts: 26,096
Thanks: 190
Thanked 355 Times in 250 Posts
|
Still getting the occasional site lockout notification but (a) nowhere near as frequently as previously and (b) the emails are now branded with 'iThemes Security'.
Not sure if that is a good thing or not
|
|
|
17-04-2017, 17:14
|
#667
|
learned 2 ape the motions
Join Date: Jul 2000
Posts: 6,403
Thanks: 99
Thanked 136 Times in 111 Posts
|
Quote:
Originally Posted by AdamBrunt
Still getting the occasional site lockout notification but (a) nowhere near as frequently as previously and (b) the emails are now branded with 'iThemes Security'.
Not sure if that is a good thing or not
|
If you are with Vidahost you should be able to find a log file that shows you what IPs are trying to brute force your login. It may be an idea to install a plugin that moves the login screen URL to stop you getting locked out.
|
|
|
21-04-2017, 08:05
|
#668
|
Making a 1% improvement
Join Date: Sep 2000
Location: Essex, UK
Posts: 7,480
Thanks: 612
Thanked 1,810 Times in 629 Posts
|
Quote:
Originally Posted by AdamBrunt
Still getting the occasional site lockout notification ... Not sure if that is a good thing or not
|
The site lockout notification should also say why the lockout occurred - tried using 'admin' user, too many login attempts, etc.
On my sites, a bad login attempt is quite rare, so I've set iThemes to permanently ban any bad login after 3 attempts. People can use VPNs to get around IP blocking, but it stops the common bots.
iThemes also allows you to change the 'admin' user. Set up a new user and use that login as the administrator - the hacker has to guess the user as well as the password then. If your site has an 'admin' user, they just have to guess a password.
The default install of WP has default salt values. This means hashes of passwords of all WP websites are the same. iThemes allows you to quickly and easily change the salt values, meaning your hashes aren't the same as everyone else's. This greatly increases your security by magnitudes.
https://ithemes.com/2015/01/21/easil...curity-plugin/
I'd say the notifications are a good thing - always handy to know when your site is getting poked, so you can keep an eye on it.
Don't forget, someone else can get their email hacked, and if they're an admin on your site, your site then is wide open, regardless of what security measures you've got in place. Always good to keep an eye on your sites...
Last edited by Chris Locke; 21-04-2017 at 08:08.
|
|
|
21-04-2017, 08:09
|
#669
|
Making a 1% improvement
Join Date: Sep 2000
Location: Essex, UK
Posts: 7,480
Thanks: 612
Thanked 1,810 Times in 629 Posts
|
Just a note that Wordpress has been updated to 4.7.4, so if your sites have automatically updated (which some of mine have... while others are 'stuck' on older versions) just cast an eye over them to ensure the plugins/themes still work, and haven't broken.
|
|
|
02-05-2017, 11:21
|
#670
|
M0D2.0 (trainee)
Join Date: Jan 2003
Location: Malé, Maldives
Posts: 11,941
Thanks: 2,728
Thanked 2,856 Times in 1,252 Posts
|
Facebook Messenger for WordPress - Envato monthly freebie looks interesting.
Quote:
Based on Facebook Messenger, this plugin runs like an instant messaging system. After 2 mins setup, the blue badge of Facebook Messenger and the button Message Us on Facebook will appear on your pages.
|
|
|
|
20-05-2017, 19:29
|
#671
|
Trusted User
Join Date: Oct 2004
Location: Northampton
Posts: 474
Thanks: 21
Thanked 2 Times in 2 Posts
|
Quote:
Originally Posted by driver8
I tried ManageWP some years ago, but found it more trouble (and expense) than it was worth. However, I've been running it for a few weeks now and it's much much better - I'd highly recommend to anyone with more than one website.
The biggest improvement is that it's now totally free for an unlimited number of sites for the basic set of features - update all themes and plugins centrally, view visitor stats, clear post revisions, scans for performance/vulnerabilities, and even a free monthly backup (alone, making it worth the effort).
It's a very user-friendly dashboard, and seems rock solid (no crashes, timeouts or errors so far). Recommended.
|
I've now started to use this more for my clients and looking at using the paid feature but can't seem to find an answer for a very simple question and just wondering if you or anyone had any idea.
The prices show as $/pcm for the pro features but is it possible to be charged in £? If in dollars only then I'm gonna be hit with additional fees etc.
|
|
|
22-05-2017, 11:48
|
#672
|
M0D2.0 (trainee)
Join Date: Jan 2003
Location: Malé, Maldives
Posts: 11,941
Thanks: 2,728
Thanked 2,856 Times in 1,252 Posts
|
It's not unusual for US-based companies to only offer payment in US$, is it ? If you've looked, then it's probably not an option.
A few ideas -
- PayPal ?
- use a CC with good exchange rates ( MSE), or a pre-loaded card, or Revolut.
- pay via Godaddy, although you may need to host (something) with them.
|
|
|
22-05-2017, 18:17
|
#673
|
Trusted User
Join Date: Oct 2004
Location: Northampton
Posts: 474
Thanks: 21
Thanked 2 Times in 2 Posts
|
I managed to get hold of their sales department today and as expected they only bill US$.
Their only method of payment is via Stripe, I did think about the GoDaddy option as I have a few domains through them but all the above still applies despite the GoDaddy website mentioning GBP values.
|
|
|
09-06-2017, 10:31
|
#674
|
Making a 1% improvement
Join Date: Sep 2000
Location: Essex, UK
Posts: 7,480
Thanks: 612
Thanked 1,810 Times in 629 Posts
|
Just a 'heads up' that Wordpress 4.8 has been released, so your site may or may not auto-update. Beware too of plugins that may or may not be compatible with this version.
UpdraftPlus is a good free plugin to backup both the files and plugins of your site, as well as the database.
Quote:
Today there is a new release of the core WordPress open source software, version 4.8 "Evans", named in honor of the great jazz pianist Bill Evans.
https://wordpress.org/news/2017/06/evans/
On the dashboard the news section now lets you know of meetups and WordCamps in your area, so you can get involved in your local community. There are several new widgets for images, video, audio, and the text widget now has visual editing, making editing sidebars much more accessible for non-coding folks and setting the path for our plans with the Gutenberg editor. There's a change to the visual WYSIWYG editor that's hard to describe but hopefully is a joy for you to experience.
|
Last edited by Chris Locke; 09-06-2017 at 10:32.
|
|
|
29-06-2017, 10:34
|
#675
|
Suedehead.
Join Date: Feb 2001
Location: Exiled in England
Posts: 11,173
Thanks: 149
Thanked 936 Times in 560 Posts
|
Should I be worried about Gutenberg?
I've had an email from the developers of my theme and it sounds pretty dramatic.
But then this seems OK:
https://kinsta.com/blog/gutenberg-wordpress-editor/
Seems to be the main issue - at the time of this article - is plug-in compatibility?
|
|
|
29-06-2017, 11:36
|
#676
|
M0D2.0 (trainee)
Join Date: Jan 2003
Location: Malé, Maldives
Posts: 11,941
Thanks: 2,728
Thanked 2,856 Times in 1,252 Posts
|
If it does get forced on us in WP core, I imagine all the WP and theme authors will be working flat out to ensure compatibility. Might be particularly tricky for page builders ?
It seems a strange area to focus on, when there are many other frustrating areas of WP that actually need fixing; top of my head -
- plugins disappearing from the repository,
- insecure plugins still freely available,
- plugins adding their settings page and buttons anywhere they like,
- default image compression,
- so many unwanted blog features,
- lack of automated backups, especially at upgrade time.
|
|
|
14-07-2017, 12:45
|
#677
|
M0D2.0 (trainee)
Join Date: Jan 2003
Location: Malé, Maldives
Posts: 11,941
Thanks: 2,728
Thanked 2,856 Times in 1,252 Posts
|
Free for a week from Envato - despite the weird name,
it looks to be a decent theme from a creative team -
Seriously - Business Multi-Purpose WordPress Website Builder
|
|
|
14-08-2017, 15:00
|
#678
|
Trusted User
Join Date: Jul 2002
Location: Croydon, London
Posts: 10,241
Thanks: 866
Thanked 173 Times in 104 Posts
|
I was just wondering if I should be looking to move any WordPress websites that I have to https?
If so, is that an easy thing to do?
Thanks,
Psycho
|
|
|
14-08-2017, 15:34
|
#679
|
Making a 1% improvement
Join Date: Sep 2000
Location: Essex, UK
Posts: 7,480
Thanks: 612
Thanked 1,810 Times in 629 Posts
|
This link may be useful.
https://designmodo.com/wordpress-https/
HTTPS sites will (eventually) have greater SEO-ness (??!) than non-HTTPS. Guess it depends on whether you're fighting for that #1 position...
Last edited by Chris Locke; 14-08-2017 at 15:36.
|
|
|
14-08-2017, 16:06
|
#680
|
Trusted User
Join Date: Jul 2002
Location: Croydon, London
Posts: 10,241
Thanks: 866
Thanked 173 Times in 104 Posts
|
Thanks!
I'll probably leave things as they are for now but will have a read up on it.
Psycho
|
|
|