How will this affect future plugins? Will they know about the new prefix?
Are there any other gotchas to look out for?
Thanks vm.
I have removed all the very obvious signs that it is a WordPress blog and left it at that.
Instead, I installed .htpasswd protection for the wp admin so that a potential hacker has to know two login ids and two passwords in order to hack the blog. Allowing updates from only specific IP addresses via .htaccess is an additional layer. Also, via .htaccess, limiting the file types that can be updated in wp-content to images is adequate for this blog so I've done that as well. Another suggestion to limit file types in wp-includes disabled adding links to a post so I didn't go that route. Once I've figured out how to fix this, I will add this limitation as well.
Also, reading the thread you so helpfully provided, and links from it, it becomes clear that the best additional protection is to:
regularly back up the blog
so I installed an automatically scheduled back up plugin
be choosy about plugins especially avoiding those allowing php execution in posts
be sure that WordPress and all plugins are latest versions
don't hack your system so that it is difficult to upgrade - I always use the KISS approach!
use strong passwords: the ones generated by the password tool are excellent
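As an added illustration (not the poster's own configuration) of the .htaccess layers described in that post, here are the two files for Apache 2.4; the .htpasswd path and the 203.0.113.10 address are placeholders to replace with your own.

```apache
# File 1: /wp-admin/.htaccess
# Second login in front of the WordPress one: an attacker needs both.
AuthType Basic
AuthName "Restricted"
# Placeholder path; keep the password file outside the web root.
AuthUserFile /home/example/.htpasswd
# Both conditions must hold: a valid .htpasswd user AND an allowed
# source address (placeholder; list each address you update from).
<RequireAll>
    Require valid-user
    Require ip 203.0.113.10
</RequireAll>
# admin-ajax.php is also requested by logged-out visitors through some
# themes and plugins; exempt it so those front-end features keep working.
# Note that wp-login.php lives in the site root, not in wp-admin, so it
# needs the same Auth* block in the root .htaccess to be covered too.
<Files "admin-ajax.php">
    Require all granted
</Files>

# File 2: /wp-content/uploads/.htaccess
# Deny everything by default, then allow only image files to be served.
# A script that somehow lands in the upload directory is therefore never
# executed by requesting it, because the request is refused before PHP runs.
Require all denied
<FilesMatch "\.(?i:jpe?g|png|gif|webp)$">
    Require all granted
</FilesMatch>
```

Check the result with a browser or curl: a request for wp-admin/ from an address not in the list should return 401 or 403, and a request for any non-image file under wp-content/uploads/ should return 403 even if the file exists.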
Good idea. I don't know why that isn't mentioned more often.
Like I said in the thread, I figure eventually, you get hacked, so I wrote a small shell script that runs as a cron job every night and emails a backup to a gmail account. I mirror all the media files on two computers. So if a hacker succeeds, I lose one day. Not ideal, but it saves me a lot of worry.
I suppose the plugin does a "poorman's cron" and every time a page is loaded it takes a timestamp and compares it to the last backup timestamp, and then fires the DB backup.
The downside to that is that unless my guess is wrong, it's going to fire the backup job while, by definition, someone is at your blog.
Of course the downside of the cron job is that it fires at 1am Texas time whether it's busy or not (but since most (90%) of the traffic is US it's not usually busy at those hours).
Yup, but you understand that if nobody visits the site between midnight and 8am, the backup will occur at 8am, right?
Of course, to a large extent, it's academic because if nobody visits during those hours, no harm done.
If you want your cron tasks to occur at a specific time, whether there's a page request or not, and your host allows cron jobs, you can create a true cron job that will fire every day at 4am. All you need to do is point a cron task at your wp-cron.php file (that's according to the documentation; I use the native MySQL commands, so I've never tried that).
Your posts got me thinking about it, though, and the same is true if you want a future scheduled post to go live at a precise time and you get very little overnight traffic.