Comments on: WordPress Security from WordCamp Montreal

By: Keeping WordPress Safe and Secure | Xumulus

Keeping WordPress Safe and Secure | Xumulus — Fri, 27 Nov 2009 18:50:29 +0000

[...] in running WordPress. The meeting and the workshop presentation were both heavily based on an original presentation given by Brad Williams (WebDevStudios.com) aptly named WordPress Security. Keeping WordPress Safe [...]

By: Wolf

Wolf — Thu, 03 Sep 2009 18:51:26 +0000

I really appreciate these slides, so I decided to implement your wp-config.php point. I hope you visit my blog (in sign), read the article, and express your opinion leaving me a comment.

By: Matt

Matt — Tue, 14 Jul 2009 23:50:03 +0000

Thanks, I like the keyword list idea. I might try to work that in.

Appreciate it.

By: Brad

Brad — Tue, 14 Jul 2009 20:00:27 +0000

I like that idea, but I would set it to only block search engines based on a keyword list, so if the word “cialis” pops up in a file it would lockdown. That is not an option you want a false positive on like you said.

I think the HTTP status code should be a 503.

By: Matt

Matt — Tue, 14 Jul 2009 16:57:35 +0000

Actually, you’re probably a good person to ask this question. I’m not an SEO expert, but one of the suggestions for the plugin has been this — If there is an active alert, block the search engines from scanning the site. Once the admin has cleared the alert, allow search engines to crawl again.

Obviously if I added it, this would be an option that the admin could turn on or off.

My real question here though is, do you think something like this could be useful? It is basically going after the idea that if the search engines were being held at bay while an attack had occurred, you might miss some of the damage done from them dropping you from results, etc.

If it would be useful in this way, do you know the safest header to return to a crawler that says, “hey, nothing here to see, but check back in a little bit!”

(I have some ideas on the headers that could be sent, but since it looks like Search Engines were included in your presentation, I’m interested to hear your thoughts)

A fear of mine is causing damage from a false positive. I have my exclude directories set pretty intelligently, but still, if I modify my theme or something, I get an alert from it (as I should), do I really want my site to not be crawled while it waits for me to clear it? Maybe the idea, completely, is overkill.

By: Brad

Brad — Tue, 14 Jul 2009 15:20:45 +0000

thanks for the awesome plugin Matt! Everyone really liked it! It’s a standard weapon in our arsenal now

By: Matt

Matt — Tue, 14 Jul 2009 00:40:37 +0000

Thanks for mentioning WordPress File Monitor in your presentation. Please let me know if you think of any enhancements that would improve it.