Need Help Securing the Privacy of a Wordpress Blog
June 2, 2011 9:21 AM

Wordpress (ver 3.1.3) help! Looking for plugins or advice to require a login and to disable the RSS feed.

Details if they matter:

My SO and I have been role playing for as long as I've known him (that's actually how I met him). We have this huge universe all with its own mythos and a large cast of characters with different degrees of relationships with each other. This has evolved over years.

We kind of reached the point where we could no longer remember the little details.. and for some things, we never had details because it would be too much to remember.

So I finally decided to throw up a wordpress blog where we could write down all the information we needed (We also rp in a blog + comments format with a different group of friends, and thus why I went with the blog instead of a wiki format). I was kind of skeptical at first that the SO would see any use in it, but man did he take the reins and start writing up all sorts of stuff.. fleshing out details that we let languish.

This world is very private for us. Right now we are using the zBench theme and I've gone in and coded a required login to see the content. This works great, except I have to do it every time the theme is updated.. which means an hour of web-searching to remember how to do it. What also sucks is that nothing prevents you from reading what we write there just by subscribing to the RSS feeds.

I'm very skittish about using just random plugins and themes found on the internet, and I always always update the themes and wordpress to keep the hackers at bay.

dear mefites, do you know of anything - even if I have to modify code - that will let me disable the rss feed.. and perhaps an easy way to require a login?

If it's helpful, this is running on a personal domain and hosting service.. not on wordpress.com.
posted by royalsong to Computers & Internet (11 answers total)
 
If you password protect your root web accessible directory, won't that protect everything on the site? You should be able to do it in CPanel or whatever tool your blog host provides.
posted by COD at 9:32 AM on June 2, 2011


If you set the Visibility of a post to Private, you have to be logged in to wordpress to view it. Make sure to make all the logins yourself and only let in people you trust. That also removes it from the RSS feed.

So yeah, set every post to Private.
posted by deezil at 9:37 AM on June 2, 2011


Remove the RSS feed files from the root wordpress directory. I did this, and there's no way anyone can find an RSS feed. Delete wp-rss2.php, wp-rss.php, wp-feed.php, wp-feed.php, wp-commentsrss2.php & wp-atom.php. This way, even if someone correctly formats the blog URL, like www.blogname.com/wordpress/feed/rss (or something like that), there's no feed to be found.

You'll need to do this every time you update wordpress, but it's a simple enough thing to do. Make sure to check this method, obviously.

I also use Network Privacy to make the blog login only. Of course, use a 20+ character username and strong password, not something like Admin with password for the password.
posted by Solomon at 9:39 AM on June 2, 2011


This works great, except I have to do it every time the theme is updated.
You should look into creating a child theme instead. That way your modifications generally survive updates.

Controlling and customising RSS feeds in WordPress will walk you through killing the various automatic feed stuff WordPress injects. Solomon's suggestion of deleting stuff is roughly equivalent to hacking core files. Which unless you know precisely what you're doing, just don't.
posted by Su at 9:44 AM on June 2, 2011


Bah. Correct hacking core files link.
posted by Su at 9:48 AM on June 2, 2011


Seconding Su; the one thing the Drupal and Wordpress communities can agree on is "Don't Hack Core."
posted by verb at 10:05 AM on June 2, 2011


Came in to say what COD said: do this using .htaccess, that way hackers won't even be able to compromise WordPress.

It also means that you can save your password in the browser and likely not have to use it again.

If your host has CPanel, this is dead easy. If you *don't* have cpanel, it's a little harder, but still not that tough.
posted by toomuchpete at 10:15 AM on June 2, 2011


Yep, use .htaccess for the password protection.

Enter a username and password on this form. Copy-and-paste the results, and save them in a file named ".htpasswd". (Yes, that's a period with nothing before it, followed by an "htpasswd" extension. If Windows complains about that, just fire up a DOS window and use the "rename" command.)

Put this file on your Web server, ideally in a location outside of your webroot (so people can't view it by browsing http://yourdomain.com/.htpasswd). That location could be something like:

/var/www/vhosts/yourdomain.com/

...but could be any number of things, depending on your server configuration.

Next: there's already a file in your webroot named ".htaccess"; Wordpress created it at installation time. Make a backup in case you break something, and then open that file in a text editor. Add the following (being careful not to touch any of the code that's already in there):

AuthUserFile /the/path/to/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require user username

...where /the/path/to/ is the actual location of your .htpasswd file, and username is the username you entered in the form in the first step.

Replace the .htaccess file on the server with this updated version. Now your browser will prompt you for a password whenever you try to view the site. (You can tell your browser to remember the password, so you only have to log in once.)

If you get a 500 error when trying to view your site, you (or I) messed something up. Revert the .htaccess file to the backup version.
posted by ixohoxi at 2:54 PM on June 2, 2011
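The procedure ixohoxi lays out, as an added shell example that is not part of the thread: it builds the .htpasswd line, checks that the file sits outside the webroot, and appends the directive block to WordPress's .htaccess once, after taking a backup. The paths, the BEGIN/END marker comments and the user name `editor` are constructed; it assumes Apache honours .htaccess (AllowOverride AuthConfig) and that openssl is installed.

```shell
# Added example (not from the thread): scripts the .htaccess Basic-auth setup
# described above. Assumes Apache honours .htaccess (AllowOverride AuthConfig)
# and that openssl is installed for hashing the password.

# Print one .htpasswd line for USER with an Apache-compatible apr1 (MD5) hash.
make_htpasswd_line() {
    printf '%s:%s\n' "$1" "$(printf '%s' "$2" | openssl passwd -apr1 -stdin)"
}

# Succeed only if FILE ($2) is not under DOCROOT ($1), so it can never be fetched over HTTP.
outside_docroot() {
    case "$2" in
        "${1%/}"/*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Emit the directive block from the thread, parameterised on password file and user.
auth_block() {
    cat <<EOF
# BEGIN private-blog-auth
AuthUserFile $1
AuthGroupFile /dev/null
AuthName "Enter Password"
AuthType Basic
Require user $2
# END private-blog-auth
EOF
}

# Back up HTACCESS ($1) and append the block once; WordPress's own rules stay untouched.
install_auth_block() {
    if grep -q 'BEGIN private-blog-auth' "$1" 2>/dev/null; then
        return 0                      # already installed: don't duplicate directives
    fi
    [ -f "$1" ] && cp "$1" "$1.bak"   # the backup ixohoxi recommends
    auth_block "$2" "$3" >> "$1"
}

# Demo against a scratch tree (constructed paths; real ones depend on your host).
demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/htdocs"
    printf 'RewriteEngine On\n' > "$tmp/htdocs/.htaccess"   # stands in for WP's rules
    outside_docroot "$tmp/htdocs" "$tmp/.htpasswd" || return 1
    make_htpasswd_line editor 'correct horse battery' > "$tmp/.htpasswd"
    install_auth_block "$tmp/htdocs/.htaccess" "$tmp/.htpasswd" editor
    cat "$tmp/htdocs/.htaccess"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh script.sh demo` to see the resulting .htaccess; on a real host point AuthUserFile at the .htpasswd you copied outside the webroot.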


Members Only works great. Use Feed Key to enable private-ish feeds (it adds a hash to feeds so they are not discoverable).
posted by artlung at 3:52 PM on June 2, 2011


Best answer: At the agency we just use the Password Protect plugin for client development sites that we don't want non-users poking around in. Sure, the .htaccess method is more secure, but we're just trying to keep random surfers out, not hackers.

It's pretty low on frills: you install it, you activate it, and (optionally) you can pick a message to display to people not logged in. I believe it has a setting to block feeds as well, but I could be wrong.

(Don't forget to block search engines at Dashboard: Settings: Privacy.)
posted by Ian A.T. at 8:43 AM on June 3, 2011


I recommend against using a plugin for this because if that plugin is disabled for any reason -- accident, file corruption, wordpress vulnerability, etc. -- your security disappears.

.htaccess is easier, safer, and won't slow down your WP install.
posted by toomuchpete at 7:47 AM on June 6, 2011

