cmarshall - 12:23 pm on Jul 30, 2008 (gmt 0)
You want to upgrade? You'll have to live with what WP has given you. I normally upgrade in 5 minutes, and I have several VERY heavily modified WP sites. One of them is barely recognizable as a WP site. I do everything by the book. I have several -very complex- custom plugins that totally subvert the standard WP user experience, and several standard ones that I keep up to date.

If you do it right, you can customize almost anything in WP from the wp-content directory. By the way, this means NOT renaming all your directories. Any hacker worth their salt would figure out it's WP in about 30 seconds. The only people you'll fool by renaming directories will be the silliest of script k1661e5, and, if they can hack you, well, maybe you need to learn the hard way (like I did).

If you mess with the standard WP install, you make upgrading more difficult. What happens when upgrades become difficult? That's right, upgrades become less frequent. Sometimes those X.X.1 upgrades are emergency fixes to gaping flaws. You need to be able to upgrade quickly and easily. I have had CMS sites pwn3d because I hacked the core, and was reluctant to upgrade. That was a very hard lesson, and one I took to heart.

I have not always gotten along with the folks at WP, but I have to hand it to them, they have created a system that works, and works well. That's why I continue to use it. They have API hooks to just about every element of the system. I haven't found a place yet that can't be reached by a hook. However, the docs are a typical wiki mess, and I often have to trace through the code to find it.

I also drop a .htaccess file in the root of the wp-content directory that has a few lines that look like this:

    AddType text/plain .smarty .txt .php .php3 .php4 .htm \
        .html .shtm .shtml .cgi .pl .pm .py .php5 .jar .asp \
        .jsp .js .rb .rhtml .ruby .cf .cfm .cfml
    DirectoryIndex index.html
    Options None
    Order allow,deny
    Allow from all
    IndexIgnore *

I sometimes need to let certain PHP files be executable in the plugins, but I do this on a one-at-a-time basis. I throw in a blank index.html file (I think one comes in the standard install anyway), and I have any password/login information stored outside the HTTP tree. The wp-config imports this file, as opposed to having the info hardcoded into it.

Not perfect, but it keeps someone from executing code in the wp-content directory (like the uploads folder). 90% of WP is includes that run as elements of the index.php file, so you could get REAL tinfoil, and declare a .htaccess file that only allows that file (and the admin one) to run.

Also, don't go plugin-happy. Just use ones that you REALLY NEED for the operation of the site, and carefully vet every one. There are some REALLY DANGEROUS plugins that do things like let site authors write executable PHP in any post. If you add these plugins, prepare to be pwn3d.

WP CLUB RULE #1: DON'T MESS WITH ANYTHING OUTSIDE OF WP-CONTENT!

[edited by: ergophobe at 4:06 pm (utc) on July 30, 2008]
[edit reason] fixed sidescroll [/edit]
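
An added example, not part of the original post: a small Python audit that parses the AddType mapping quoted in the post and lists files under a wp-content tree whose extension the server executes but the mapping leaves out. The function names and the executable-extension set passed in are assumptions; supply the extensions your own server configuration actually hands to an interpreter.

```python
import os
import re

# The AddType mapping quoted in the post (backslashes keep it one directive).
POST_HTACCESS = r"""
AddType text/plain .smarty .txt .php .php3 .php4 .htm \
    .html .shtm .shtml .cgi .pl .pm .py .php5 .jar .asp \
    .jsp .js .rb .rhtml .ruby .cf .cfm .cfml
DirectoryIndex index.html
Options None
"""


def neutralized_extensions(htaccess_text, mime="text/plain"):
    """Return the extensions that AddType directives in the text map to `mime`."""
    # Apache joins a line ending in a backslash with the line that follows.
    joined = re.sub(r"\\\r?\n", " ", htaccess_text)
    exts = set()
    for line in joined.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if parts[0].lower() == "addtype" and len(parts) > 2 and parts[1].lower() == mime:
            # AddType extensions are case-insensitive; the leading dot is optional.
            exts.update(p.lower().lstrip(".") for p in parts[2:])
    return exts


def uncovered_files(root, executable_exts):
    """List files under root whose extension is in executable_exts (an
    assumption supplied by the caller) but is not neutralized by root/.htaccess."""
    with open(os.path.join(root, ".htaccess"), encoding="utf-8") as fh:
        safe = neutralized_extensions(fh.read())
    risky = {e.lower().lstrip(".") for e in executable_exts} - safe
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # mod_mime considers every dot-separated extension, not only the last.
            if set(name.lower().split(".")[1:]) & risky:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)
```

Run `uncovered_files("/path/to/wp-content", {...})` after each plugin install or upgrade; an empty list means every file with an extension you named is covered by the mapping.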