• Tweet This!
• Stumble upon something good? Share it on StumbleUpon
• Share this on del.icio.us
• Digg this!
• Post this on Diigo
• Post on Google Buzz
• Add this to Mister Wong
• Share this on Mixx
• Share this on Reddit
• Share this on Technorati

WordPress does not, by default, allow sessions. In a recent project, I needed to use sessions. So how do you use sessions in WordPress?

Simple. Add the following line to your functions.php file within the open and close php tags, and you can then use sessions as needed.

if ( !session_id() )
add_action( 'init', 'session_start' );

• Tweet This!
• Stumble upon something good? Share it on StumbleUpon
• Share this on del.icio.us
• Digg this!
• Post this on Diigo
• Post on Google Buzz
• Add this to Mister Wong
• Share this on Mixx
• Share this on Reddit
• Share this on Technorati

I just want to say, WordPress 3.0 is finally released!

Yeah!

• Tweet This!
• Stumble upon something good? Share it on StumbleUpon
• Share this on del.icio.us
• Digg this!
• Post this on Diigo
• Post on Google Buzz
• Add this to Mister Wong
• Share this on Mixx
• Share this on Reddit
• Share this on Technorati

Recently, WordPress 3.0 RC-1 became available. I normally don’t mess with release canidate versions as you never know what you are getting, but I happened to have a great project that seemed fitting to try this. Since 3.0 is now allowing Custom Post Types along with the new Custom Menu feature, this was the right fit.

This will be a short posting, but so far I LIKE! It seems as though I have already been able to replace a number of plugins. As plugins tend to use up resources and provide additional security concerns, this is a great thing.

Most of the documentation is still very lacking, so you will need to do some Googling to find more information. If you are new to WordPress, stick with the current 2.9.2 version that is out, until the final 3.0 version is released. You won’t find enough info to take advantage of the new features.

I will try to get back to some of the new features, and what I do / do not like about them (not everything is perfect). However, work is busy, so this will come when I find the time to do so. Just know, I am digging the new WP 3.0 and will be using a lot of its potential for clients going forward!

• Tweet This!
• Stumble upon something good? Share it on StumbleUpon
• Share this on del.icio.us
• Digg this!
• Post this on Diigo
• Post on Google Buzz
• Add this to Mister Wong
• Share this on Mixx
• Share this on Reddit
• Share this on Technorati

Recently, a client of the company I am working for contacted me because their WordPress based website was “messed up.” This website was developed prior to me joining the firm, but I was happy to take a look. After reviewing the website, it was apparent that the website had been hacked.

Avoid the website hacker with simple security changes

It appears at first glance that this was an Admin Brute Force Password hack, which is not an uncommon hack that affects WordPress websites. As a matter of fact, this is a common attack on a number of CMS platforms. Any CMS platform that has a master user account with the login name of “admin” is vulnerable to this kind of attack.

The hack is a rather simple one, which is why it isn’t all that uncommon. Since a majority of WordPress and other CMS installations typically create the first and main administrator user with the user name of “admin”, all a hacker must then do is guess at the password. With a typical password (6-8 characters), this can be pretty easy. As a matter of fact, a leading newspaper recently published a report that showed that a high number of people use a simple password, the most common was actually 123456.

Hackers will use simple programs that will continually guess at the password until they get in. This is known as brute force, as they just keep up until they win. And since they already have the user name (“admin”) their job is simply to guess the password.

How to secure yourself against this attack

Securing your website against this type of attack is rather easy. Most people don’t do it simply because they don’t know to do it.

First, log in under the admin user name and click over to edit your user profile (in WordPress, you can click on your user name in the top right corner to get to your profile quickly.) Once on the profile page, change your email address to something generic. Since most CMS programs do not allow multiple users to share an email address, this is how we will be able to use our real email address when we set up the new user. Once you have made the email change, update your profile.

Next, you will add a new user. In WordPress, click on “Users” and then “Add New.” Here you will add your new administrative user. Think of something unique for the admin, not just “admin1″ or something simple. Maybe “superadmin24″ or “webmastersurpreme” would be good for you! No matter what it is, make it different that just “admin,” enter your real email address for this user, and create a good password (8-12 characters, with a combination of upper and lower case letters, numbers and special characters such as * _ – @ #.) Make sure you assign this new user the role of “administrator” – this is very important! One final thing… make sure your new admin name is not disclosed on the website. In WordPress, you can change the “public display” name to anything you wish. If you don’t change how the name is displayed publicly, all your work is in vain, as you just gave away the user login name! Once you have added this new user, log out of the CMS.

Finally, log back in to the CMS with your new user and password, return to the “Users” page and delete the “admin” user. In WordPress, you will be given the option of assigning all posts and pages to the new user. Make sure you do so or you will lose all that content!

There you have it! You have removed the “admin” user and replaced it with something more unique and more secure. Now a hacker will have to guess at the user name and password to gain entry this way, which most will give up after a few tries and move on to easier prey!

I hope this helps you secure your websites a bit more. Fixing hacked websites can be a messy thing to do, and inevitably, you end up losing some content… sometimes all of it. So until the CMS systems offer you an option during installation, you can help protect yourself from this attack.

PS. It is worth noting that this website was developed prior to my employment with Creative Services. WordPress / CMS websites that I develop are not released with the “admin” user in place. So hackers, I can save you the trouble of even trying!

• Tweet This!
• Stumble upon something good? Share it on StumbleUpon
• Share this on del.icio.us
• Digg this!
• Post this on Diigo
• Post on Google Buzz
• Add this to Mister Wong
• Share this on Mixx
• Share this on Reddit
• Share this on Technorati

Ok, so I could not get Twitter Tools to work on my WordPress website. Not sure why as I am using the most up to date version of both WP and the plugin, but I got errors and could not even verify my account settings with Twitter. So I am trying something new… WP Twit Box. It seems to have less options, but for my use I am just seeking something that will auto post my posts here to my Twitter account. We will see what happens and go from there! Wish me luck!