Tri-Account Security
as accounts, how-to, security, WordPress
I seem to keep coming across various and sundry tweets, posts, and other references to security issues and attempts to “brute-force” access to self-hosted WordPress installations. The following is something I recommend if you have any concerns … or are maybe just feeling a bit paranoid.
I call it Tri-Account Security ™. The idea is actually very simple and quite easy to implement. All it really requires is forming the habit of using three (3) separate accounts, each with their own specific purposes.
Let me break them down for you:
- The Primary Administrator
- The Primary Editor
- The Primary Contributor
Actually you can have as many contributor accounts as you like with this system, but you should have at least one for this to work best. Let me explain how I recommend using these accounts.
The first account, The Primary Administrator, is the installation account. Use it only to install WordPress, to upgrade it, and to add new themes or plugins. Make the username relatively obscure, and make the password very, very strong (not so strong that you forget it, but very difficult to guess … by human or machine). Also, never post with this account … ever!
The second account, The Primary Editor, is your publishing account. I would suggest a more common username with a strong password; this account will be used to actually publish content to your site. Although you shouldn’t normally need to write posts with this account, it’s generally fine to do so.
The third account, The Primary Contributor, is your public-facing account. Use a simple username, one that makes sense to see in the post meta details, such as the commonly used “posted by …” text. Also note that this username, like all usernames in a default installation, will appear as part of the author URL in the browser’s address bar. The password for this account can be simple but should still be “strong”; if someone breaks into it they really will not have much access to anything, so you can feel secure in making it very easy to remember.
Aside from the “strength” of the passwords recommended for each account above, I will not go any further into their creation in this post (but maybe I’ll write one down the road), except for one final suggestion for creating a strong password: use an appropriate number of common words, or a phrase, concatenated without spaces, perhaps five (5) words for the Administrator, four (4) for the Editor, and three (3) for the Contributor.
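The word-count-per-account scheme above, worked through as an added example (not code from the original post): it draws the words with the `secrets` module and reports how many bits of entropy each account's passphrase gets from a wordlist of a given size. The small wordlist and the 60-bit Administrator floor are constructed assumptions for the example.

```python
import math
import secrets

# Word counts per account, as the post recommends: five for the
# Administrator, four for the Editor, three for the Contributor.
WORDS_PER_ROLE = {"administrator": 5, "editor": 4, "contributor": 3}

# Constructed sample wordlist so the example runs offline. A real deployment
# would load a large list such as the EFF long wordlist (7776 entries,
# roughly 12.9 bits per word).
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dragon", "engine", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "needle",
    "orange", "pepper", "quartz", "rocket", "saddle", "timber", "umpire",
    "violin", "walnut", "yellow", "zipper",
]


def passphrase_bits(wordlist_size, word_count):
    """Entropy in bits of word_count words drawn uniformly, with replacement,
    from a list of wordlist_size entries: log2(wordlist_size ** word_count)."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(role, wordlist=SAMPLE_WORDS):
    """Join the role's number of words with no spaces, choosing each word with
    the cryptographically secure secrets module rather than random.choice."""
    count = WORDS_PER_ROLE[role]
    return "".join(secrets.choice(wordlist) for _ in range(count))


def strength_report(wordlist_size):
    """Bits each account's passphrase gets from a wordlist of the given size,
    and whether it clears a 60-bit floor (an assumed minimum for the account
    that can install plugins and themes)."""
    report = {}
    for role, count in WORDS_PER_ROLE.items():
        bits = passphrase_bits(wordlist_size, count)
        report[role] = {"words": count, "bits": round(bits, 1),
                        "admin_grade": bits >= 60}
    return report


if __name__ == "__main__":
    for role in WORDS_PER_ROLE:
        print(f"{role:14s} {generate_passphrase(role)}")
    print("sample list :", strength_report(len(SAMPLE_WORDS)))
    print("7776 words  :", strength_report(7776))
```

Running it shows why the size of the wordlist matters as much as the word count: five words from the 25-word sample list give about 23 bits, while five words from a 7776-word list give about 65.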
Now that we have the three accounts with a basic premise for each set out, let’s have a look at actually putting them to use in a couple of examples.
Example 1
Log in with your Contributor account and write the greatest post ever written … no really, go for it! I’ll wait …
OK, now that the post is written and you have clicked the “Submit for Review” button (notice how it does not say “Publish”), log out and log back in with your Editor account. Once logged in with your Editor account, navigate to the Posts > All Posts administration panel and locate your greatest post ever (it should be at or near the top of the list; remember, it’s great, you wouldn’t expect it to be lost at the bottom of the page, would you?!)
Now, using either “Edit” or “Quick Edit”, change the post’s status from “Pending Review” to “Published” … and the greatest post ever written is available for the world of the Internet to read. Congratulations!
You may also notice that the only author information readily available is your Contributor ID, or in other words your pen name, which protects the identity of both your Administrator account and your Editor account.
Example 2
You are about to write the second greatest post ever written (you did follow Example 1, right?) but notice there is an update that needs to be addressed. As a Contributor you have no control whatsoever over the WordPress installation, its management, or its administration.
Oh, administration … we have an account for that. Simply log out of your Contributor (or Editor) account, and log back in with your Administrator account. Perform any updates and/or maintenance. Log out. Done!
Now, log back into your Contributor account and get back to writing the second greatest post ever written …
Add A Custom Font
in Tips, Typography
as CSS, fonts, how-to
Using @font-face …
- Find the font you like
- Make sure the font license allows you to use it!
- Upload the font to your site / include with your theme package.
- Write the CSS.
OK … that seems simple enough, four relatively easy steps to follow. Let’s give it a run.
Step 1, I went to Google Web Fonts and browsed for something I liked; I chose “Glass Antiqua” by Denis Masharov [1].
Step 2, the font is licensed under the SIL Open Font License, Version 1.1, which is compatible with the GNU GPLv2 License (something I strive to release all projects under).
Step 3, I uploaded the font and license text to my current theme’s font folder.
Step 4, I made the necessary CSS modifications to, in this case, change the site’s title font.
```css
@font-face {
  font-family: 'Glass Antiqua';
  /* path is relative to the stylesheet; the file lives in the theme's fonts folder */
  src: url('fonts/GlassAntiqua-Regular.ttf') format('truetype');
}
#blog-title {
  /* previous values, kept for reference */
  /* font-family: "Copperplate Gothic Bold", Arial, sans-serif; */
  /* font-size: 30px; */
  font-family: "Glass Antiqua", cursive;
  font-size: 70px;
  /* ... */
}
```
… and with a tweak to the `font-size` value, we’re done!
Very easy, and bonus points for not having to worry about whether the site sits behind a firewall, on an intranet, or in a local test environment: since the font file is served from your own site, this method works in those cases as well.
[1] Please note that the original design for Glass Antiqua, as noted by Denis Masharov, should be credited to Franz Paul Glass.
The Doctor
Filtering WP Title
as add_filter, get_bloginfo, how-to, is_frontpage, is_home, WordPress, wp_title
A recent recommendation, starting with WordPress 3.3, from the WordPress Theme Review Team reads: “Themes are REQUIRED to use wp_title filter to filter wp_title() (RECOMMENDED), or pass argument to wp_title() (OPTIONALLY), in order to modify document title content.” This has been discussed, worked through, and for the most part sorted out … but there doesn’t [...]
Enqueue Plugin Custom Stylesheet
in Tips
as add_action, how-to, is_readable, plugin_dir_path, plugin_dir_url, WordPress, wp_enqueue_scripts, wp_enqueue_styles
Now that is a bit of a handful to grab onto … but the code and concept are relatively straightforward and easy to implement. As I was recently updating some of my plugins in preparation for WordPress 3.3, I decided to better implement the style elements being used in these plugins. The current best practice [...]
Start Using WordPress Beta
as beta, how-to, WordPress
The basics, as a general guideline, on how to start using the latest WordPress beta version.
Do Not Display Comments HTML Tags
in Functions
as comment_form, how-to, WordPress
A standard function found in many themes is the comment_form. This is a core function of WordPress that produces a standard comment form generally consisting of text fields for the name and email address and a textarea for the actual comment. You will also find there are some standard text outputs produced by this function [...]
WordPress Child-Themes
as child-theme, how-to
Let’s start with a definition for a Child-Theme: “A WordPress child theme is a theme that inherits the functionality of another theme, called the parent theme, and allows you to modify, or add to, the functionality of that parent theme.” (the WordPress Codex). Child-Themes are also: “… the recommended way of making modifications to a [...]
Reset Your WordPress Test Site
as how-to, installation, reset, WordPress
How to reset your WordPress test site in three easy steps.
Remove Comment Form Website Section
in Functions, Tips
as add_filter, comment_form, how-to, WordPress
From time to time an interesting Five-Minute-Fix™ comes along that sparks a great reason to add another WordPress Tips post. The idea for this tip started with this comment at BuyNowShop.com: “… how to remove the website section when leaving a reply/comment …” The solution may be obvious to some and can be readily derived [...]