WordPress uses a cookie to keep track of my login state. While the technical details are a bit out of my comfort zone, if an attacker gets his or her hands on or forges my admin authentication cookie, he or she could take over my admin role and cause a great deal of mischief.
In another post I cover a Cloudflare page rule for blazing site speed. This post discusses miscellaneous Cloudflare speed settings. Cloudflare, even at the free tier, offers a plethora of speed and security settings that seem daunting at first. Most of them work fine using the default setting, and I can adjust settings at my own pace as I am able to make time to learn and optimize.
The importance of a strong admin password seems well known – if not universally practiced – by most WP users. It seems less well known that the strong password rule applies equally to every account associated with administering my WP site. This includes my cPanel account, SFTP, Cloudflare, email, web host, and domain registrar. If I lock down my WP admin account but someone hacks into my cPanel, for example – game over.
There are various methods of generating a strong password, including …
In another post I cover Cloudflare page rules for login security. This post discusses miscellaneous Cloudflare security settings. Cloudflare, even at the free tier, offers a plethora of speed and security settings that seem daunting at first. Most of them work fine using the default setting, and I can adjust settings at my own pace as I am able to make time to learn and optimize.
My #1 most important WP security and maintenance practice: Always have an up-to-date backup, stored off my site. If I irreparably mess up my site, or it gets hacked in spite of my precautions, I can delete everything and restore from backup. If my host provider doesn’t love me anymore and locks me out, or goes bankrupt and disappears, I can restore to a new host provider.
I chose my web host carefully. My sites are hosted on a LiteSpeed web server, so I am able to use the remarkable free LiteSpeed Cache (LSC) plugin. LSC provides much more than just lightning-fast server-side caching. It also includes a suite of optimization tools such as: Database optimization; Image optimization – which seems to be equal to or better than the paid/premium versions of competing plugins; Connection to Cloudflare so I can put CF in development mode or purge the CF cache; and Miscellaneous settings like ‘Remove query strings from static resources’.
I am fond of the friendly “Howdy, Kenny” greeting at the top right of my WP dashboard. But for sites that allow users to register, I might want to provide a more professional, funnier, or otherwise richer user experience depending on the nature of the site.
I really cannot offer much advice at all on WP themes. I just don’t have experience with many themes. I find one that works well for me and stick with it. I want a theme that provides a framework and does not get in my way. Also – a personal preference – I want users to immediately see content, not a ginormous image that takes up the entire landing page above the scroll. Initially I used Twenty Ten, which I liked quite a bit, but eventually it became obvious that a modern website must be responsive. I switched to Responsive Mobile from CyberChimps, and have used it ever since. It meets my needs and offers a simple but powerful set of Theme Options that make it easy for me to add custom CSS styles and header/footer scripts. It seems lean. A comparison of file sizes to the current default theme:
                    Responsive Mobile    Twenty Seventeen
    functions.php         2.6 K              17.7 K
    styles.css            1.8 K              79.9 K
With the huge number of high quality free themes available in the official WP themes directory, I see no reason to consider themes from other sources, including ‘Pro’, ‘Premium’ or otherwise ‘Pay’ themes. If I were to try a theme from a source other than the official WP directory, I would want to be very, very sure it is a reliable source. How to be sure? I have no idea; I only consider free themes from the official WP directory.
For most WP users, the current default theme – Twenty Seventeen at the time of this post – seems a good place to start.
As I said in another post, I believe the very popular Wordfence Security plugin to be an excellent security solution for most WP users. Even if Wordfence isn’t the right solution for you, I recommend subscribing to their excellent email list, for timely and informative updates on WP security issues.
My Wordfence quibble: I installed it and tried it out for a while, decided in spite of its ample merits it is not for me, and deactivated it. I promptly received an email from the Wordfence mother ship, alerting me in somewhat inflammatory language that Wordfence had been deactivated from my site by – my secret admin user name! I keep my admin user name private, and use a public nickname – a minor but sensible security precaution, I think. Wordfence not only harvested my secret admin user name, it reported my admin name to the mother ship, presumably stored it, shared it with – who knows? – and sent it to me in a plain text email. I have no way to know what other private information, if any, Wordfence stole.
I use NameSilo as my domain registrar, and recommend it without reservation. I believe it provides by far the best value among registrars. Not that there is anything horribly wrong with GoDaddy or NameCheap – I’ve used both in the past – or any of the other major registrars. It’s just that with NameSilo I get: Lower cost; free-forever whois privacy; free domain protection; no hidden fees; and no BS marketing games. I am not affiliated with NameSilo, by the way, just a customer. I can’t offer you a coupon or other discount, and if I did you shouldn’t trust me.
In discussions of web hosting, I frequently encounter the advice to use the best hosting you can afford; after all “You get what you pay for.” Well … While that can sometimes be true, to put it on a pedestal as unquestionable dogma is just silly. It is in fact easy to overpay for most anything, including hosting. My preference is to use the most affordable WP hosting that meets my requirements.
When researching WP security, I come across a number of suggested additions to my child theme’s functions.php file. Examples include code to disable login hints, and to remove WordPress version information from metadata. These are helpful suggestions, but … is the functions.php file really the best place for these changes? My child theme should address theme-related changes, not general security issues. If I put these changes into functions.php, then at some point switch to a new theme, the changes would be lost.
Better to implement these changes in a custom WP security plugin.
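As an added illustration (this is example code, not the author's plugin), here is what such a custom security plugin can look like. It implements the two changes mentioned above, disabling login hints and removing the WordPress version from metadata, using the standard WordPress hooks `login_errors`, `wp_head`/`wp_generator` and `the_generator`. The plugin name, file name and the `msh_` function prefix are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: My Site Hardening
 * Description: Theme-independent security tweaks (added example; the plugin name and msh_ prefix are assumptions).
 * Version: 0.1
 */

// Abort if this file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Disable login hints.
 * By default WordPress reports whether the username or the password was wrong,
 * which confirms to anyone watching that a given username exists.
 * Replacing every login error with one generic message removes that hint.
 */
function msh_generic_login_error( $error ) {
    return 'Login failed. Please check your credentials.';
}
add_filter( 'login_errors', 'msh_generic_login_error' );

/**
 * Remove the WordPress version from metadata.
 * wp_generator prints <meta name="generator" content="WordPress x.y" /> in the
 * page head; the_generator supplies the <generator> element in RSS/Atom feeds.
 * __return_empty_string is a WordPress core helper that returns ''.
 */
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
```

Dropping the file into wp-content/plugins/ and activating it keeps the changes in place across theme switches, which is the point of moving them out of functions.php; placing it in wp-content/mu-plugins/ instead makes WordPress load it automatically with no activation step and no way to deactivate it from the dashboard. Note that hiding the generator tag only removes the most obvious version disclosure: the version still appears in places such as the default `?ver=` query string on core scripts and styles, so keeping WordPress itself up to date matters more than hiding the number.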
There are a number of comprehensive security solutions available for WP, notably including the very popular Wordfence Security plugin. I have a Wordfence quibble, which I whine about in another post, but to the best of my knowledge, Wordfence is an excellent choice for most WP users. My preference though is for light, fast, specific solutions as opposed to a single, relatively heavy, Swiss-army-knife style tool.
One such light, fast, specific solution is the 6G Firewall from Perishable Press.
Cloudflare, even the free tier, improves my site speed and security – so much so that I use it for all my sites. The default settings boost site speed by global distributed caching of static content. Static content, by Cloudflare’s definition, excludes HTML. This makes sense for dynamic sites with frequent new posts and user comments. For my sites like this one, that have less frequent new posts and do not allow user comments or other dynamic content, I can dramatically increase site speed using a page rule.