Securing WordPress


I panicked quite a bit when I discovered someone had been repeatedly hitting xmlrpc.php on my install of WordPress. I didn’t realize it was happening until my host alerted me that I was potentially going to exceed resources for the month.

I wasn’t sure what the cause of the overage was initially, so I had to rely on my host’s reporting and server logs. (Poring through weeks of logs sucks, by the way.) My host’s reports showed me the files that were being requested most often. I then searched through logs to see which IP addresses were accessing them most often.

My first step in stopping the attack was to block offending IP addresses via .htaccess:

<Files *>
  # 'files *' applies to ALL files.
  order allow,deny
  allow from all
  # one 'deny from' line per offending address (the addresses are omitted here)
  deny from
  deny from
  deny from
  deny from
  # and so on...
</Files>

Because I’m not using any apps to publish to my site, I removed the xmlrpc.php file from the site’s root folder and replaced it with an empty file.

My next step was to install Better WP Security. It tracks failed login attempts and auto-blocks after a set number of failed attempts. It allows you to obfuscate the location of /wp-admin and /wp-login.php. It also walks you through a whole host of other recommended changes to better secure your installation. I’ve tried several other security plugins, and this was my favorite, by far.

Better WP Security emails you whenever there are too many failed login attempts using a particular user name. I deleted the ‘admin’ account long ago, and created a ‘cdharrison’ account instead. I started getting notices that several IPs were trying to login using ‘cdharrison’. (That freaked me out a bit, but was probably a little too predictable of me.) So, I created a new admin account, logged in as it, deleted ‘cdharrison’ and attributed all of the posts to the new account.
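The same two problems (XML-RPC abuse and password guessing against a known account name) can be handled inside WordPress itself, which has one advantage over an emptied xmlrpc.php: a core update puts the real file back, while a must-use plugin keeps working. The following is an added example, not code from this post or from Better WP Security; the `example_` function names are mine, and it assumes WordPress 3.5 or later for the `xmlrpc_enabled` filter.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC and login responses (added example)
 *
 * Save as wp-content/mu-plugins/harden-xmlrpc-login.php. Files in mu-plugins
 * load automatically, cannot be deactivated from the admin, and survive updates.
 */

// 1. Refuse every XML-RPC request at the application layer. Core consults this
//    filter before dispatching any method, so remote-publishing apps, pingbacks
//    and system.multicall all get an XML-RPC fault instead of being served.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Belt and braces: if another plugin re-enables XML-RPC, still drop the two
//    methods that make it attractive to abuse. system.multicall lets a single
//    HTTP request carry many login attempts, and pingback.ping makes the site
//    issue requests to other hosts on a stranger's behalf.
function example_strip_xmlrpc_methods( array $methods ) {
    unset( $methods['system.multicall'], $methods['pingback.ping'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_strip_xmlrpc_methods' );

// 3. Stop advertising the endpoint in every response header.
function example_remove_pingback_header( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );

// 4. Stock WordPress says whether the username or the password was wrong, which
//    confirms to a guesser that an account name exists. Return one generic
//    message for those cases and leave other login-form errors untouched.
function example_generic_login_error( $message ) {
    global $errors; // the WP_Error wp-login.php is about to display
    if ( ! is_wp_error( $errors ) ) {
        return $message;
    }
    $revealing = array( 'invalid_username', 'incorrect_password', 'invalid_email' );
    if ( array_intersect( $revealing, $errors->get_error_codes() ) ) {
        return 'Login failed. Check your username and password.';
    }
    return $message;
}
add_filter( 'login_errors', 'example_generic_login_error' );

// 5. Record failed logins with the remote address so the pattern shows up in the
//    PHP error log without having to pore through raw access logs. Newlines are
//    stripped from the attacker-controlled username so it cannot forge log lines.
function example_log_failed_login( $username ) {
    $user = str_replace( array( "\r", "\n" ), ' ', (string) $username );
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'wp_login_failed user=%s ip=%s', $user, $ip ) );
}
add_action( 'wp_login_failed', 'example_log_failed_login' );
```

The logged address is `REMOTE_ADDR`, which is the connecting client; behind a proxy or CDN that would be the proxy, so use whatever forwarded-address header your host documents instead, and only that one.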

I’m also looking into other solutions, like Wordfence and Bulletproof Security and a few others, but Better WP seems to be working fairly well.

So… so far, so good. I’m not going to pretend my site’s completely invulnerable right now, but it’s in much better shape than it was. So, thank you random internet buttholes: Your attempts to compromise my site have made me consider security quite a bit more than I used to.

What’re you doing to keep your WordPress site secure? Have any best practices you’d share that aren’t covered in the Codex: Hardening WordPress?

Tersus Development


Over the next few weeks, the design of this site is going to evolve. I’m working on the first of several child themes for Tersus. Our original plan was to include several “flavors”, but they did too much and limited others’ ability to build on top of what we’ve done. If you have any feedback on how you’d like to see things built out, by all means leave feedback here or chime in on Github.

Add a Tweet Button to WordPress Posts


Want to add a Twitter Tweet button to your WordPress posts? It’s super easy:

Horizontal Button:

<a href="" class="twitter-share-button" data-url="<?php echo get_permalink(); ?>" data-count="horizontal" data-text="Check out <?php the_title(); ?> on < ?php bloginfo( 'name' ); ?>" data-via="YOURUSERNAME">Tweet</a><script type="text/javascript" src=""></script>

Vertical Button:

<a href="" class="twitter-share-button" data-url="<?php echo get_permalink(); ?>" data-count="vertical" data-text="Check out <?php the_title(); ?> on < ?php bloginfo( 'name' ); ?>" data-via="YOURUSERNAME">Tweet</a><script type="text/javascript" src=""></script>

Simple, No-Count Button:

<a href="" class="twitter-share-button" data-url="<?php echo get_permalink(); ?>" data-count="none" data-text="Check out <?php the_title(); ?> on < ?php bloginfo( 'name' ); ?>" data-via="YOURUSERNAME">Tweet</a><script type="text/javascript" src=""></script>

Customizing Output:

  • Change out data-via="YOURUSERNAME" to your own Twitter handle.
  • The inclusion of data-text="Check out <?php echo esc_attr( get_the_title() ); ?> on <?php echo esc_attr( get_bloginfo( 'name' ) ); ?>" isn’t necessary, but it’ll give you greater control over the initial text. The values land inside an HTML attribute, so the title and site name go through esc_attr() and the permalink through esc_url(); otherwise a quote in a post title breaks out of the attribute.
  • I’ve added these to my sidebar.php (they are only displayed on pages using my single.php template), but this can be customized to be included on pages, archive pages, etc.


  • rawurlencode(get_permalink()); isn’t necessary and can actually cause the widget to report incorrectly if placed outside of the loop. Fixed code examples.
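The three snippets differ only in the data-count value, so a small theme function keeps the escaping in one place and loads widgets.js once through the enqueue system instead of once per button. This is an added example, not code from the post; the `example_` names are mine, and it assumes a modern WordPress with the `wp_enqueue_scripts` hook.

```php
<?php
// functions.php (added example): build a Tweet button for the current post.
// $count is one of 'horizontal', 'vertical' or 'none'; $via is your handle.
function example_tweet_button( $count = 'horizontal', $via = 'YOURUSERNAME' ) {
    // whitelist the layout value rather than trusting whatever the caller passes
    if ( ! in_array( $count, array( 'horizontal', 'vertical', 'none' ), true ) ) {
        $count = 'none';
    }

    // the prefilled tweet text; built from raw values, escaped once on output below
    $text = sprintf( 'Check out %s on %s', get_the_title(), get_bloginfo( 'name' ) );

    // every dynamic value sits inside an attribute, so escape for attribute context;
    // the permalink additionally goes through esc_url() to reject javascript: and the like
    return sprintf(
        '<a href="https://twitter.com/share" class="twitter-share-button" data-url="%s" data-count="%s" data-text="%s" data-via="%s">Tweet</a>',
        esc_url( get_permalink() ),
        esc_attr( $count ),
        esc_attr( $text ),
        esc_attr( $via )
    );
}

// Load Twitter's widgets.js a single time, in the footer, only where buttons appear.
function example_enqueue_twitter_widgets() {
    if ( is_singular() ) {
        wp_enqueue_script( 'twitter-widgets', 'https://platform.twitter.com/widgets.js', array(), null, true );
    }
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_twitter_widgets' );

// Usage inside the loop in single.php or sidebar.php:
// <?php echo example_tweet_button( 'vertical', 'YOURUSERNAME' ); ?>
```

Because the function calls get_permalink() and get_the_title() with no arguments, it must run inside the loop, which is the same caveat the update note above makes about rawurlencode().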

How to display total number of Custom Posts on a WordPress site


Based on this quick tip from WPRecipes, I was able to quickly figure out how to count and display the number of Custom Posts (of a particular type) that I had on a site.

	// counts published posts of the custom type 'listing'; $wpdb->posts is the prefixed posts table
	$numposts = $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->posts WHERE (post_status = 'publish' AND post_type = 'listing')");
	if (0 < $numposts) $numposts = number_format($numposts);

Simply replace post_type = 'listing' with whatever you’ve named your custom post type. Then, to get the number to display somewhere on your page, simply insert the following code where appropriate:

<?php echo $numposts ?>
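The query above is safe as long as the post type stays a literal in your theme. As soon as the type comes from a shortcode attribute or a query string, it has to be bound rather than concatenated, and in many cases WordPress can do the counting for you. The following is an added example, not the post's or WPRecipes' code; the `example_` names are mine, and 'listing' is the post's own sample type.

```php
<?php
// Added example: two ways to count published posts of a custom type.

/**
 * Preferred: wp_count_posts() returns an object with one property per post
 * status (publish, draft, pending, ...) and caches the result, so no SQL is
 * written by hand. Unknown types return 0 instead of querying anything.
 */
function example_count_published( $post_type = 'listing' ) {
    if ( ! post_type_exists( $post_type ) ) {
        return 0;
    }
    $counts = wp_count_posts( $post_type );
    return isset( $counts->publish ) ? (int) $counts->publish : 0;
}

/**
 * When you need the raw query anyway (an extra WHERE clause, a join), bind the
 * post type with $wpdb->prepare() so a value such as "listing' OR 1=1 -- "
 * is treated as a string literal and not as SQL.
 */
function example_count_published_sql( $post_type = 'listing' ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_status = 'publish' AND post_type = %s",
        $post_type
    );
    return (int) $wpdb->get_var( $sql );
}

// Usage in a template such as sidebar.php. Escape on output even for a number,
// since number_format() can emit locale-specific separators.
// <?php echo esc_html( number_format( example_count_published( 'listing' ) ) ); ?>
```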

Post Thumbnails in RSS feeds


the_post_thumbnail is one of my favorite additions to WordPress 2.9, but I recently ran into a problem… the images I had set as my post thumbnails weren’t being included in my RSS feed. Assuming you’ve already added support for thumbnails to your theme, you should be able to add this snippet to your theme’s functions.php file to display them along with the rest of your feed content:

function insertThumbnailRSS($content) {
    $content = '<p>' .the_post_thumbnail('medium'). '</p>' .$content;
    return $content;
}

add_filter('the_excerpt_rss', 'insertThumbnailRSS');
add_filter('the_content_feed', 'insertThumbnailRSS');

Thanks to Dougal Campbell for pointing me in the right direction!

Thanks to Sébastien Méric, here’s an even better approach (it only prepends the image when the post actually has a thumbnail, and uses get_the_post_thumbnail(), which returns the markup instead of echoing it):

function insertThumbnailRSS($content) {
    global $post;
    if ( has_post_thumbnail( $post->ID ) ) {
        $content = '<p>' . get_the_post_thumbnail( $post->ID, 'medium' ) . '</p>' . $content;
    }
    return $content;
}

add_filter('the_excerpt_rss', 'insertThumbnailRSS');
add_filter('the_content_feed', 'insertThumbnailRSS');

WordPress 2.8 beta1 Released


WordPress 2.8 beta1 was just released. What’s new? Lots, apparently.

If you’re using WordPress 2.7.1 and want to upgrade using Tools > Upgrade all you have to do is open /wp-includes/version.php and change the version number from 2.7.1 to 2.8. Then run Tools > Upgrade. The latest development version will be installed when you upgrade.

Note: before upgrading, it’s usually a good idea to back up your files and database. Development versions of WordPress may have problems.

WordPress 2.7 Comments Not Threading


Having problems getting WordPress 2.7 Comment Threading to work on your site? Unless you’re using one of the default themes provided with each version of WordPress, chances are your theme isn’t ready for comment threading when you upgrade to WordPress 2.7. To enable comment threading, you need to do the following:

  • Enable comment threads in your admin. Go to Settings > Discussion. Check the box next to Enable threaded (nested) comments __ levels deep. Save the changes and your blog can now support threaded comments.
  • Update your comments.php by replacing it with the one provided with the Default theme that comes with WordPress 2.7 (/wp-content/themes/default/comments.php) OR follow Otto’s instructions to add threading AND inline replies. (Obviously, before you go about changing any files in your theme, make a backup of your files before making any changes to your files. It’s possible that the comments.php file bundled with your theme could have been customized. Overwriting the file will cause you to lose any customizations.)
  • Once you’ve done the first 2 things, you’re pretty much ready to go. The only thing left is to update the styles to support nesting. I’ve done some of the heavy lifting for you… with my Wordpress 2.7 Comment Style Starters (#1, #2). Simply use the provided code in your theme’s stylesheet. If you’re more hands on, consider looking over this post on Stylizing WordPress 2.7 Nested/Threaded Comments to see the structure of the CSS.
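If you would rather adapt your own comments.php than overwrite it with the default theme’s copy, these are the two theme-side pieces threading depends on once the Discussion setting is ticked. This is an added example, not the post's or Otto's code; the `example_` name is mine, it assumes WordPress 2.7 or later, and the `wp_enqueue_scripts` hook assumes 2.8 or later.

```php
<?php
// functions.php (added example): load core's comment-reply script, which moves
// the reply form under the comment being answered. Only on single posts/pages
// with open comments, and only when threading is actually switched on.
function example_enqueue_comment_reply() {
    if ( is_singular() && comments_open() && get_option( 'thread_comments' ) ) {
        wp_enqueue_script( 'comment-reply' );
    }
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_comment_reply' );
?>

<?php
// comments.php (added example): the password check keeps comments on protected
// posts hidden exactly as the default theme does, and wp_list_comments()
// replaces a hand-written foreach over $comments. It emits the nested
// <li class="depth-N"> markup and Reply links that the CSS starters style.
if ( post_password_required() ) : ?>
    <p class="nopassword">This post is password protected. Enter the password to view comments.</p>
<?php return; endif; ?>

<?php if ( have_comments() ) : ?>
    <h3 id="comments"><?php comments_number( 'No Responses', 'One Response', '% Responses' ); ?></h3>
    <ol class="commentlist">
        <?php wp_list_comments( array( 'avatar_size' => 48 ) ); ?>
    </ol>
<?php endif; ?>
```

wp_list_comments() escapes comment content and author fields the same way the default theme does, so keep using it rather than printing $comment->comment_content directly when you restyle the list.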

If you’re still having problems, let me know. I’m happy to help others as time permits. If you’d prefer not to do any of this yourself, and would like me to take care of it for you, I am available for a small fee ($15 via PayPal) to make the upgrade for you. All it would require is temporary Admin access to your site. If you’re unable to use the Theme Editor to modify files through your backend, FTP access would be required. Send an email to if you’re interested.