New to WordPress

I didn’t have any experience with WordPress until now, and all I can say is that it is a great CMS. The one-man-band concept and simplicity are the keys to its success. With my LAMP background (especially PHP), the little customization I have done wasn’t a problem. This article is a small cookbook of tips and tricks to apply before publishing a WordPress site.

Add essential plugins

google-syntax-highlighter
Syntax highlighter plugin needed if you want to write about programming, scripts, etc., otherwise you don’t need it.
all-in-one-seo-pack
This plugin adds metadata such as keywords and a description to every page you write. The process is automated; you only have to describe the page with tags and an excerpt. Search engines use this metadata to better understand the page. Please keep in mind that content is #1, and this metadata is nice to have.
sitemap-generator
With the sitemap-generator plugin, WordPress can create a site map page. I thought it would have an option to create an XML site map too, but unfortunately you have to install another plugin for that purpose.
google-sitemap-generator
With this plugin, your site is able to serve the sitemap.xml that Google needs to find and index your pages more easily.

Some of these plugins come in multilingual form - that is nice and welcome, but in almost 98% of cases you will write posts in 1 language. That means you can delete the other language files and make your WordPress pack smaller.
The google-syntax-highlighter plugin has brushes for painting PHP, Python, JavaScript, Ruby, Java … In my case, I deleted all brushes except those I will need. I also created a new brush for Apache configuration files. Please look at shBrushApache.js. It is not complete, but it satisfies me for now. Someone can say - we don’t care about disk space. OK, but what about speed? Brushes are JavaScript files and your browser has to download all of them even if you never write an article about VB. So open google_syntax_highlighter.php from the plugins directory and leave only the brushes you need.

<script class="javascript" src="<?= $current_path ?>Scripts/shCore.js"></script>
<script class="javascript" src="<?= $current_path ?>Scripts/shBrushPhp.js"></script>
<script class="javascript" src="<?= $current_path ?>Scripts/shBrushJScript.js"></script>
<script class="javascript" src="<?= $current_path ?>Scripts/shBrushSql.js"></script>
<script class="javascript" src="<?= $current_path ?>Scripts/shBrushXml.js"></script>
<script class="javascript" src="<?= $current_path ?>Scripts/shBrushCss.js"></script>

That way you will save bandwidth and your page will load faster. This plugin can be improved even more, and if you are interested in how I did it, please read Google syntax highlighter.

Before you publish your site, you have to think about the format of the links that will point to your site. More importantly, once your link format is defined, search engines will retrieve and remember those links. In the worst-case scenario you didn’t care at the beginning and after some time you want to turn on permalinks. Why? Because search engines love nice links, and that leads to better ranking. After changing the link format you will be in a little trouble, because Google and Yahoo will point to old, non-existing links to your site. I read about tools/plugins that can help in that case, but be smarter and turn on permalinks before you go live.

Hide version and generator metadata

As a webmaster, I advise you to hide the version and generator from your metadata. Your site will not become unbreakable, but your chance of being attacked will be smaller. Worms and other monsters need suitable hosts to spread, and they find a suitable host by reading the generator and version in the HTML source, so don’t make it easy for them.

In the directory /wp-content/themes/default/ you will find header.php and footer.php. Open them and remove the HTML regarding generator and version. At the end of /wp-includes/general-template.php you will find the get_the_generator function; before the return line, put $gen = '';

// function in /wp-includes/general-template.php

function get_the_generator ( $type ) {
switch ($type) {
case 'html':

// ...
// [cut]
// …
break;
}
$gen = ''; // quiet please
return apply_filters( "get_the_generator_{$type}", $gen, $type );
}

If you are satisfied with one theme, the other themes can be deleted to save space.

In sitemap.xml I also found a comment about generator and version - grrrr. Open sitemap-core.php of the google-sitemap-generator plugin, find “generator=” and comment out these lines:

// $this->AddElement(new GoogleSitemapGeneratorDebugEntry("generator=\"wordpress/" . get_bloginfo('version') . "\""));
// $this->AddElement(new GoogleSitemapGeneratorDebugEntry("sitemap-generator-url=\"http://www.arnebrachhold.de\" sitemap-generator-version=\"" . $this->GetVersion() . "\""));
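A way to confirm that the edits above took effect, as an added example that is not part of the original article: it scans a rendered page or sitemap.xml for leftover generator and version strings. It also covers feed `<generator>` elements, which the article does not mention; the sample documents, their exact shape and the function names are assumptions.

```python
import re

META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
FEED_GENERATOR = re.compile(r"<generator\b[^>]*>([^<]*)</generator>", re.I)
COMMENT = re.compile(r"<!--(.*?)-->", re.S)
COMMENT_ATTR = re.compile(r'\b(generator|sitemap-generator-version)="([^"]*)"')

def _attr(tag, name):
    """Return the value of one quoted attribute in a tag, or None."""
    m = re.search(r'\b' + name + r'\s*=\s*["\']([^"\']*)["\']', tag, re.I)
    return m.group(1) if m else None

def find_generator_leaks(body):
    """Return [(kind, disclosed_value)] for generator/version strings in body."""
    leaks = []
    for tag in META_TAG.findall(body):          # theme header.php / footer.php
        if (_attr(tag, "name") or "").lower() == "generator":
            leaks.append(("meta", _attr(tag, "content") or ""))
    for m in FEED_GENERATOR.finditer(body):     # <generator> element in feeds
        leaks.append(("feed", m.group(1).strip()))
    for comment in COMMENT.findall(body):       # sitemap.xml debug comments
        for _key, value in COMMENT_ATTR.findall(comment):
            leaks.append(("comment", value))
    return leaks

# Constructed samples; the version strings are placeholders.
SAMPLE_HTML = """<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="generator" content="WordPress 0.0-example" />
</head>"""
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="wordpress/0.0-example" -->
<!-- sitemap-generator-url="http://www.arnebrachhold.de" sitemap-generator-version="0.0-example" -->
<urlset></urlset>"""
SAMPLE_CLEAN = '<head><meta name="description" content="tips" /></head>'

if __name__ == "__main__":
    for name, body in [("html", SAMPLE_HTML), ("sitemap", SAMPLE_SITEMAP),
                       ("clean", SAMPLE_CLEAN)]:
        print(name, find_generator_leaks(body))
```

An empty list for every fetched page, feed and sitemap means no generator string is left in the output.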

Create robots.txt

When search engines visit your site, they look for robots.txt in the document root. In general, robots.txt describes the sections of your site where bots should not go. Why? The intention is to focus search engines only on content and to leave out the WordPress system and include folders. Another reason to create robots.txt is: “Search engines do not love repeated content.” That means that when you write an article, it will be accessible through nice permalinks, but also from archive, category, trackback … robots.txt tells bots not to visit those:

User-agent: *
Disallow: /archive/
Disallow: /category/
Disallow: /trackback

The better the robots.txt, the better search engines will process your site, and that means better ranking :) You can see my http://www.redips.net/robots.txt or navigate to your favourite WordPress site and explore theirs (if they have one).

Add sidebar to single post pages

I use the default Kubrick theme, and in the case of a single post page the layout was without a sidebar. That means if someone uses Google, and Google used your sitemap.xml (site page list), the visitor will be pointed to a single post page where there is no sidebar. The sidebar should be displayed in the single post layout too. To achieve this, go to the /wp-content/themes/default directory and open single.php for editing. For the Kubrick theme I made the following modification:

<!-- comment original line (change class name) -->
<!-- <div id="content" class="widecolumn"> -->
<div id="content" class="narrowcolumn">

and before the last line, which includes the footer, I added:

<?php get_sidebar(); ?>

That was easy, wasn’t it?

Secure wp-admin

It is good to make wp-admin even more secure and raise one more fence to prevent direct access to your WordPress administration files. I’m not saying that the built-in PHP authorization and security aren’t good enough, but this will not hurt and it can only help. In my webmaster practice I had to heal a defaced phpBB site. The next step in the forum’s resurrection was to improve the security of the /admin section. We used Apache Auth directives. In the case of WordPress, create two .ht* files inside the wp-admin directory:

# .htaccess file
AuthUserFile /path/to/document/root/wp-admin/.htpasswd
AuthName "Restricted Area"
AuthType Basic
require user mike

and create .htpasswd file

# .htpasswd file
mike:teZphNj2fKlrN

If you are familiar with Linux, .htpasswd can be created with htpasswd, which comes with the httpd tools.

htpasswd -nb username password > .htpasswd

The default Apache configuration prevents access to any .ht* file, so if you can access .htaccess with a browser, you should add a few more lines to the .htaccess placed in the document root.

# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
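An added check, not part of the original article: it classifies each .htpasswd entry by hash scheme and reports whether AuthUserFile sits under the document root, as it does in the setup above. The 13-character value shown for mike has the crypt() format, which uses only the first 8 characters of the password (htpasswd -B writes bcrypt instead); the other sample entries and the function names are constructed for illustration.

```python
import posixpath
import re

CRYPT_DES = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char hash

def classify_hash(value):
    """Return (scheme, rating) for the hash field of one .htpasswd entry."""
    if value.startswith(("$2y$", "$2a$", "$2b$")):
        return ("bcrypt", "strong")        # written by htpasswd -B
    if value.startswith("$apr1$"):
        return ("apr1-md5", "legacy")      # written by htpasswd -m
    if value.startswith("{SHA}"):
        return ("sha1", "weak")            # unsalted, written by htpasswd -s
    if CRYPT_DES.match(value):
        return ("crypt", "weak")           # htpasswd -d; first 8 password chars only
    return ("unknown", "weak")             # possibly plaintext

def audit_htpasswd(text):
    """Return [(user, scheme, rating)] for every entry in an .htpasswd body."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, value = line.partition(":")
        scheme, rating = classify_hash(value) if sep else ("malformed", "weak")
        results.append((user, scheme, rating))
    return results

def served_from_docroot(auth_user_file, document_root):
    """True when the password file lives under the web-served tree."""
    f = posixpath.normpath(auth_user_file)
    root = posixpath.normpath(document_root)
    return posixpath.commonpath([f, root]) == root

# First entry is the one shown in the article; the other two are constructed.
SAMPLE = "\n".join([
    "# .htpasswd file",
    "mike:teZphNj2fKlrN",
    "alice:$2y$10$" + "A" * 53,
    "bob:{SHA}" + "A" * 27 + "=",
])

if __name__ == "__main__":
    for row in audit_htpasswd(SAMPLE):
        print(row)
    print(served_from_docroot("/path/to/document/root/wp-admin/.htpasswd",
                              "/path/to/document/root"))
```

A password file outside the document root does not depend on the Files rule above to stay unreadable by web clients.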

I had a little problem with securing the wp-admin directory when WordPress is installed in the document root. After putting the .htaccess file in wp-admin, I got Page not found instead of the admin page?! The fix was to place definitions of the 401 and 403 error pages/messages in the root .htaccess file. Here is the complete root .htaccess file:

# no directory indexing
Options -Indexes

# define error messages
ErrorDocument 401 "401 Error"
ErrorDocument 403 "403 Error"

# permalinks
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Spam

To communicate with visitors, WordPress has comments. A visitor can leave a comment, the administrator can approve it, and the comment is shown at the bottom of the article - simple and nice. Nothing is free :) and spam machines will try to use it as much as they can. One of the first options that should be turned on (checked) is:

Settings -> Discussion -> An administrator must always approve the comment

This option turns off automatic comment publishing. The administrator has to manually review/publish every comment. It is not suitable for sites with high traffic because of the growing queue of comments waiting for a human scan, but for starting with WordPress it is quite enough. I also found a nice trick against spambots written by Lee Robertson; it can be read at Keep the Comment Bots at Bay. Spambots aren’t smart enough and can’t understand JavaScript that well. Eventually they will, but for now let it be our advantage. The trick is to use the form’s onSubmit event and point the form action to a hidden PHP page. The onSubmit event fires a JavaScript function placed in an external js file. Spambots will be stopped, and so will visitors with JavaScript turned off - so be careful.

Create favicon.ico

This is not “a must”, but without it you will fill error_log with 404 requests. When a user visits the site, the browser asks for this 16×16 (or it can be 32×32 or 48×48) icon in the document root and displays it before the URL or in the bookmark list. The simplest method is to create favicon.ico and place it in your document root. The preferred method is to put favicon.ico wherever you want and add HTML in the head section to tell the browser where to look.

<link rel="shortcut icon" href="/path/favicon.ico" type="image/vnd.microsoft.icon"/>
<link rel="icon" href="/path/favicon.ico" type="image/"/>

Creating favicon.ico wasn’t so hard. I used GIMP and an existing ico file and played with it, but testing was another story. I learned that IE6 will not display favicon.ico by default (!?), but only when you add the page to bookmarks, or sometimes when you drag the default IE icon near the URL to the right, or when you drag and drop the default IE icon to your desktop … IE6 was driving me crazy because it cached the previous ico file and you couldn’t tell it to go and look for the new one. I cleared the cache (and offline content), cleared the history, restarted IE, and deleted everything in Windows\Temp\Temporary Internet Files. Nothing! I read somewhere that favicon.ico should be renamed, the page refreshed, and the name changed back, and then IE will decide to refresh favicon.ico. I also tried to clear all the cache and history, then log out and log in. In that case the new icon was shown in the browser - voila! But when I dragged and dropped it to the desktop, the old icon was shown instead. I stopped here and moved on. Very, very dogged browser. On the other hand, Firefox works like a charm. Nothing special to perform - I saved the new favicon.ico, pointed FF to favicon.ico like http://www.redips.net/favicon.ico and the new icon was shown. Thank you! I tried that in IE6 too, but with no luck - maybe it works in IE7 and it will in the newcomer IE8. ;)

2 Responses to “New to WordPress”

  1. Branko Says:

    Great article… will surely be helpful ;)

  2. dbunic Says:

    Thank you Branko!
