I will add my presentations here in a little bit.

You will need to be able to modify your vhosts file in order to do this, but once done you will have a very flexible and powerful server.

This article is written for 3.0 alpha, as of the current build on 19th March 2010.

Multi sites mode

1. Install Wordpress 3.0 and install as a normal Wordpress.
2. Add define(’WP_ALLOW_MULTISITE’, true); near the top of wp-config.php
3. Log into the admin go to the tools/Nertwork menu.
4. If it asks you to deactivate all plug-ins do so otherwise go straight ahead and set up multi sites as sub-domains and fill in the other details as needed as needed.
5. Make a note of the changes needed to wp-config.php and .htaccess and make the changes.
6. You should now be in multi-site mode.

Adding a new domain

1. Now we’re in multisite mode login as admin go to super admin/sites
2. Add a new site – the address can be anything you like just make it unique and make it something you can remember so we can find it easier in the db.
3. Make sure your domain is pointing at the server if not do so and wait for it to propagate.
4. Add Vhost alias to the root domain. So if in the Vhost file you have ServerName mywordpres3root.com you would add ServerAlias mynewwordpress.com beneath it.  Alternatively, you can use a wildcard here, but in our implementations there are good reasons why we prefer to specify the host aliases.
5. Open up the db for editing and add a new row to wp_site table
   1. site_id, domain and path.
      1. i.      site_id, will be a new unique id, remember it
      2. ii.      domain, should be set to the new domain name added above.
      3. iii.      path should be /
6. Change the row in wp_blogs that matches your new site and make a note of the blog_id.
   1. Change site_id to the new site_id created above.
   2. Change domain to our new domain name.
7. Open up wp_[blog_id]_options table.
   1. Change siteurl to the new domain name.
   2. Change home to match the new domain name.
   3. Change the fileupload_url to match the new domain.
8. Your new site should now be ready, you’ll need to go in and set all the options for the domain now. If you wanted a clone of the root sites options you could copy all the rows in wp_sitemeta with a site_id matching the site you wanted to clone and just change the site_id to the new site.

The instructions above are obviously given without any guarantee – use at your own risk, especially if converting your site from single site to multisites.  If you have any feedback or better approaches then do let us know in the comments below.

Slater Street is a characterful place in the middle of Liverpool’s Artistic Quarter. It also has lots of bars and some amazing people. But with that comes noise, occasional mess, and relatively few facilities.

Liverpool Science Park Innovation Centre 2

Liverpool Science Park

So, to celebrate our continued growth, to give us quieter on-site training facilities, conference facilities and a stronger infrastructure, we’ve made the decision to move into Liverpool Science Park, Innovation Centre 2.  This will give us high quality, flexible office infrastructure, access to Liverpool University’s expertise, and much more besides.

The Future

This is all a part of plans for the company.  Interconnect IT has had a successful 2009, with a growth in revenues anticipated to be approximately 75% over 2008 and the same growth for the 2010 financial year.  We have established ourselves firmly in the News & Media sectors with clients such as Informa Group and Telegraph Media Group.  We are also growing our Intranet business and developing new intranet technologies to help business improve their internal communications.

Our success means we need more space, more people and more ancillary services such as a staffed reception, on-site training and conference facilities, modern phone system and more.  Liverpool Science Park provides this, along with excellent business support facilities.  That coupled with being able to work closely with other leading technology companies in Liverpool gives us a very bright outlook even in these difficult times.

– David Coveney, Director.

WordPress is, frankly, very good – the focus on the user experience helps make it so, even if architecturally it has its limitations.  This has led to stellar success for the platform and is a credit to everyone involved.

A WP distro could have a different logo...

However, over the past year or so there have been a number of controversies – there was the pulling of themes from the WordPress.org repository if there was even a hint of its author profiting from non GPL themes – even if the profiting was just from an affiliate link.  Then there’s the airbrushing out of Edublogs’ and WPMU.org’s links from various official WordPress pages.

This has caused some friction in the WordPress based industry.  Folk just don’t know what’s happening.  In part that could be seen as being a problem caused by differences in business needs and approaches.  Ultimately, Matt Mullenweg is the leader of both the open source WordPress application, and the leader of Automattic.  The latter is a commercial company, funded with a significant amount of venture capital.  It has to make money.  It also funds a lot of WP development, releases a lot of code, and evangelises the product.  But what we do all have to accept is that Automattic’s business needs are not necessarily the same as every other business in the WordPress market.

Automattic are Good for Us

Yes, they are.  All of us running businesses based around WP benefit from their input.  Automattic also benefits when we contribute themes, plugins and so on.

Thing is, it’s not their job to run our business for us.  The relationship between your WordPress business and Automattic is actually pretty loose.  They’re happy for you to run whatever business you like around the product – and if they like you, they may even promote you a little.  Their choice.  If they stop promoting you, then that’s actually just tough.  I whinged about this when it happened a year ago, but after quite a long e-mail exchange with Matt himself, and then even meeting him in person, I started to realise that I had no particular right to expect favours from him or his company. If I wanted promotion from him, I had to make him happy. We changed approach, he promoted us. Simple.

Add Value to Extract Value

In developing an awesome theme or plugin, whether GPL or not, you add some value to the WordPress ecosystem.  Just a little, but it’s there.  But you’ve probably extracted at least as much already.  So don’t pat yourself on the back too hard.

What you need to do is to do things that Automattic won’t or can’t do.  And for that, I’m thinking distributions.  Bundled up, pre-configured editions of WordPress that have all the plugins and configurations that are required for specific purposes.

Some of what we’ve developed is very specific to the News & Media industry.  If we release a suite of plugins to the WordPress.org repository and people download them individually they may not work in a way that would be expected.  Instructions could help, but in effect you’re asking a user to build up their own site.  People don’t want to do that.  It’s complicated and demands a good understanding of the system, the plugins, and the dependent themes.

It’s About Making it Easy

In Linux, there is still something of a perception that it’s a DIY system.  And really, that was the case in the early days – you took the Kernel, added whatever bits you needed, and you were off.  It was basic, a little clunky, but very flexible.  However, most people’s needs are generally fairly similar.  Corporates have one set of needs, people with old machines another, private users another again and so on.

What happened to address this, and where the real value in Linux came, was when other companies started to build businesses around specialist distributions.  RedHat has their distributions, which do well in the corporate and web serving sphere.  Ubuntu is doing fabulously well on the smaller user desktop.

These distributions make life easier for users and clients because they know their needs, and then it’s just a case of finding the nearest match.  Linux is not the answer to their problems – the bundled up solutions are the answer.  You can then issue packages of software designed for those distributions.

It’s About Business

Ultimately, we all need to succeed in order to invest in our businesses and feed ourselves.  We can enjoy coding for pleasure, but you can’t enjoy it if your house is unheated and your children going out in bare feet.  There’s a myth in some sectors of the GPL industry that it’s all about giving stuff away.  It’s not – a lot about the GPL is actually about helping fellow developers to run their businesses.  Coders have shared code freely for years – the GPL is just a formalisation of the developer’s mindset.

How it Could Work With WordPress

With WordPress, there isn’t much money to be made in plugins right now.  Themes have done a little bit better, but they’re a more consumer oriented product which suit certain purposes.  Sometimes the themes bundle plugins to help things along.  Sometimes they don’t.  But the business behind all of these is based purely on supporting the theme.  For everything else, the consumer is on their own.  Worse still, if they use a suite of plugins (premium or otherwise) they may have to deal with various entities in order to get support.  It’s a nightmare for a company where complexity in products is undesirable.

What many companies really just want is simplicity.  Money isn’t necessarily the problem.  They’re running businesses worth millions or even billions.  If a core component of that business (a website, an intranet, whatever) fails or leaves them stranded then they have big big problems.

Create Confidence

So what I believe will come is a marketplace where some companies will offer WordPress distributions suited to particular tasks.  Some will be for heavy marketing, others high-profile bloggers, and so on.  Each will have different minimum server specifications, come with support packages, and will provide a one-stop-shop.  Each plugin will have been tested in that combination, and they will all be supported by the distributor.

Plugin authors will benefit too – a company using a plugin as a core part of their business will gain from keeping that plugin developer happy.  Money will flow (trust me on this!) and when new requirements are identified they will pass this on to the plugin developer, along with the funds to pay for it.

Theme developers will be mixed – the best developers will simply create frameworks, with a base styling, for given purposes.  Designers will then be freed of almost all coding needs and will simply put together a nice child theme.  I anticipate that there will be three or four frameworks coming to the fore, with three or fore distributions offering different variations of framework – all carefully selected for the job.

Costs

These distributions and their support packs won’t be cheap (although for some the downloads could be free).  But they will be dependable.  You will find distributions of WordPress for high security blogs, brochure sites, news sites, membership sites and so on.  No more worrying about plugin interactions, and upgrades will be simpler because all plugins, frameworks and the distribution will upgrade all at the same time.  Your life will become easier.

Impacts

WordPress.org will continue to be the central point for the project, and it will be the reference point.  Distributions will most certainly contribute to the product to help keep their businesses going.  A fork is unlikely happen – not unless the differences in need between the source project and the distributions diverge dramatically.

Companies will be able to base their businesses on distributions which best suit their needs.  If you’re specialising in Intranets, then use the WP Intranet distro.  If you specialise in hardened sites for governments, use the WP Ultra-Secure distro.  This will help companies.

Similarly, if you’re a theme developer, you may wish to actively support distributions that are particularly suited to your style.  And you’ll know what plugins and widgets will be included by default, so you can included styling for those too.

And different distributions will have different cultures and attitudes.  Some will be more favourable to non-GPL publishers, and others much more hardline.  Some will create courses, certifications, books and support infrastructures while others will be more casual.

In the long run, WordPress has great potential as a publishing and communication tool – it does some things so right, so easily, that so long as this principle of simplicity is adhered to then there will be business opportunities surrounding it.  There’s no point getting into arguments with Automattic or Matt – just get on with it and find places to add value.  The risks may be higher, but that will mean the rewards will grow too.  Think about it.

What Do You Think?

Is this likely to be the way forward for WordPress based businesses?  Will it confuse users?  Could it make things better?  Comments, please!

This is a real-life burglar... still easier to identify than a hacker, sadly. Creative Commons Share-Alike Attribution Picture by Jofus.

There’s been a big fuss lately over the latest WordPress hacks that have targetted older versions of WordPress.

And in my view, they show the less pretty side of WordPress and some people in the community… but not all of them.  The attitude has been a straight “upgrade your blog and you’ll be secure.”

Well, I have news for you.  They’re wrong.

You’re Never Secure

Even if you have the very latest version of everything there are, out there, what are known as zero day exploits.  These are vulnerabilities which are kept secret by the hackers who have found them.  They cease to be secret if they become widely used in a large scale attack.  Like the current one against WordPress.

Now, if there are vulnerabilities out there that nobody knows about then your high profile WordPress site or blog could be targetted in a way that you, I, or the (great and lovely) WordPress developers out there don’t know about.

Not Everyone Can Upgrade Immediately

Quite frankly, I find the glib assertion that staying up to date is all you need to be secure to be… terrifying.  It’s bad advice because it leaves people with the feeling that all they need to do is to stay up to date and all is well.  Not only that, but it sidesteps the whole issue that WordPress should really consider running security updates on older versions of WordPress – not all sites can quickly change from one version to another.  When WordPress 2.8 came out it broke multi-use widgets – you could recode them, but then settings could be lost.  There are sites out there that run hundreds of widgets, and re-configuring them will be a big job.  If a new vulnerability comes out in WordPress it may not even be relevant to some sites because they may be doing everything else correctly.

In fact, in a critical environment you absolutely do not update your software without running a full suite of tests to make sure the updates won’t bring down your site.  This is a major problem for sites which, in some cases, are turning over tens of thousands of pounds a month.  Yes, they can throw money at the problem, but it still takes time – and when there’s a vulnerability the one thing you don’t have is a lot of time.  So a site needs to rely on more than just WordPress for security.

How Does That Work Then?

One of the key things about security is to think about what happens when the first line of defence is breached.  In the real physical world, we tend to take multi-part approaches – often based on the risk.  My house has locks on the doors and windows – that’s the first level of security.  But hey, everyone has that, so to make double sure I have an alarm system so that if anyone gets in, an alarm goes off – alerting me if I’m here, or letting neighbours know.

My next level of protection is that of not having much you’d want to steal.  I even used to have a car like that – I didn’t lock it, even, in the hope that somebody would take it out of my life for ever.

But, back to the subject matter… WordPress security is, frankly, just like a front door lock and nothing else.  That’s OK, but you’re not really protecting yourself properly – if someone gets past WordPress then you may have some serious problems.

I’m not going to aim this guide at experts – I’m trying to pitch this to help people who aren’t experts to understand how their WordPress blog can be hacked, and how it can be secured even if a hacker gets through the first layer of protection.

Let’s go through them:

1. Editing of Themes and Plugins Through the Admin Interface

We’re going to do a test.  I want you to log in to your installation, and go to Appearance, then Editor.  Generally, you should see the stylesheet first, with comments at the top.  At the bottom of the box you should see this:

You need to make this file writable before you can save your changes. See the Codex for more information.

If you don’t, and if you can indeed edit this file, then you have a major security flaw right from the start.  A cross site scripting error (XSS) could easily start to make changes to your theme and plugin files.  Once your theme and plugins can be modified, the hacker has complete, 100% control of your server and its database.

2. Poor Passwords

This is really before you even think about WordPress security.  Simply put, do not use a word that can be found on your blog, or in a dictionary.  Learn to use PasswordMaker and its Firefox plugin or similar.  It will make security on various sites much stronger, much more quickly.  If you or any of your users are using dictionary words, then the chances of getting in are far higher.

3. Poor mySQL Server Security

Your mySQL database should be reasonably secure.  But many times I’ve found that you can connect to a database remotely.  For this, try using something like mySQL Administrator and connect to your database using the same logonid and password that WordPress uses.  If you can easily reach your DB from any internet connection then again, you have a potential security hole.  All access of this type should either be IP limited, or over an SSH tunnel.  Setting this up is beyond the scope of this feature but your hosts could help, or we can.

4. Use of FTP Isn’t Terrible, But…

Now, I make no secret that using FTP isn’t generally that bad, but if you have a site that’s likely to be targetted then you shouldn’t have any form of FTP access.  You should be using SSH and SCP.  At the very least, use SFTP if you can sort out certificates – they don’t have to be paid for, expensive certificates, but can be generated.  Again, getting this working is beyond the scope of this, but hosts and good WordPress consultants can help you with making this happen.

5. Allowing User Registration

Sometimes you need or want this – in which case, make damn sure you can keep bang up to date on your WP installs.  But if there isn’t a strong business case for having user registration (and I personally don’t believe there is in 95% of cases) then don’t bother.  If you do have it switched on you’ll notice lots of registrations from around the world.

6. XMLRCP Support

A high proportion of attacks on WordPress have come through or made use of the XMLRPC protocol – this is used by many exploits as it helps to automate the process of posting content to a website.  Mostly the protocol is used for pingbacks and remote publishing to a site.  If you don’t need or want those two features then you can safely remove the file xmlrpc.php from your WordPress’s root folder.  Pingbacks are less useful than they used to be, so it’s not an eccentric thing to get rid of.

7. Firewalls

Putting your server behind an appropriate firewall can help with certain types of attack.  This is something to talk about with your hosts.  And they do cost money.  A lot of things I’m talking about can be done more cheaply, but for a high profile site a firewall is an absolute must.

8. Server Permissions

Apache and the user used to upload files to the server should be kept in separate groups.  This really helps to protect against attacks that get through various layers of protection.  Something could attack your Apache web server and still fail to make updates because it doesn’t have rights.

9. All the Other Code

One thing many folk forget about with WP installations is that it depends on a huge range of code and modules.  Are you running an up to date release of PHP?  How about mySQL?  GDLib?  Apache?  There’s a lot of components to a website – although WP makes it look simple you’re actually dealing with a very sophisticated machine.  If you’re running outdated versions of server software there may be significant non-WP vulnerabilities.  Check with your hosts if possible.

10. Shared Hosting

Some shared hosting plans are, I can confirm without hesitation, absolutely dreadfully configured.  You may have 800 websites on one cheap old server – none particularly active and none set up or configured by experts.  If one gets hacked, the whole machine becomes vulnerable, and every other site can be hacked.  Often when this happens the host will blame you in various ways.  Sometimes the host may simply find it’s all too much trouble and disappear, along with your website.

Don’t let that happen to you.

11. Always Log Out When Finished

If you log out when you finish your work in the back end of your site, you’ll be much less likely to fall victim to a cross site scripting vulnerability.  So make a habit of it.  Alternatively, have a browser that you only use for WordPress.  Some people may choose to use Firefox for general browsing, and Google Chrome for WordPress work.

12. Consider Using Real Hosting

I mean, don’t go for the cheap, commodity hosting that costs £7.95 a month.  Is your online business really that weak that spending on something more serious and carefully managed is a problem?  You have a number of choices.  You could go for a Virtual Private Server or even Dedicated Server from someone like Namesco in the UK, or if your business is really serious talk to the excellent chaps (and our partners when we build big sites) at Kumina in the Netherlands.  There are US equivalents, but I don’t know them, sorry.  By spending more you will generally enjoy a more proactive approach to your site’s security at a server level.  Same goes for spending money on WordPress consultants like, erm, us, to take the worry out of it.  Worth thinking about.

13. Use Google Alerts as a Final Alarm

Google Alerts are incredibly useful for many reasons.  One of the uses I make of it is to have searches set up for my primary sites for words such as ’sex’, ‘phentermine’, ‘viagra’, ‘casino’ and so on.  Then, if anyone gets in and leaves dodgy links on the site then there’s a bigger chance of finding out about it.  If it happens, you’re kind of late, but at least you’re aware of it quickly and have a chance to fix the problem before there’s ranking damage to your site.

Read on for some links to practical tips for securing your WordPress install…

There’s several handy resources out there for you if you want to understand more practical information on improving your site’s security:

Hardening WordPress in the codex – a useful guide, from the people who brought you WordPress.

Hardening WordPress with mod rewrite and htaccess – an alternative and useful approach that’s not for everybody, but works for many.

Noupe’s guide to WordPress security – always useful site has some good ideas.

Richard Scoble on why he doesn’t feel safe with WordPress now.

Discussion about this post over at WPTavern.

A post by Matt Mullenweg about this hack on the WordPress Development Blog – I think the advice could be a little more rounded and pragmatic, personally.  Not everyone can be 100% up to date.  Upgrades need testing, and folk go offline for weeks at a time…

I don’t necessarily recommend all of the linked tips in securing a site, and some are really for experts to deal with, but this is a starting point to understanding.  However, in almost all guides I think they assume that you can’t do much about the security of your web server.  That’s really down to your hosts having a genuine understanding of web security.  Good hosts do, and you can tweak things on bad hosts, but if the host isn’t great you have to look after yourself as much you can – and that, really, means that if you’re managing your own site you have to become a security expert.

Ultimately, if you’re not comfortable in dealing with security issues, let someone else who is skilled and knowledgeable do it for you.  If you’re running a basic blog and don’t really need a custom or distinctive visual design, get an account at WordPress.com.  If you need something more but without the fine control given by custom shops you can have a WordPress VIP account, and if you want real control you can use a company like us who deal with WordPress on a daily basis and who will do the worrying for you.

As seen on my local WP development environment

Sometimes you’ve created a site with WordPress standard (not single user), but have had allow the site owners or users to have full admin access to it.  You have plugin and theme dependencies, and if the site owner disables that plugin, you have problems.

For example, you’ve written a plugin that carries out a certain range of syndication functions for your client.  If the client accidentally disables it he will lose money, and you will have a call-out, potentially an angry one, when he finds out.  He wants admin access, but you know he’s dangerous with it.

So, since WordPress 2.8 you’ve had the facility to create a folder in wp-content called mu-plugins.  It will work just like the mu-plugins folder in WordPress MU – as in, any plugin placed there, will run automatically.  Activation code won’t fire off, but apart from that, so long as the plugin is correctly written, everything will work.

I’m not sure if this change is a part of allowing ‘must-use’ plugins support, as suggested in http://core.trac.wordpress.org/changeset/10737 or if it’s also planned as part of the move towards merging WP single user and WP-MU.  Either way, it’s an incredibly useful tool for those of us who set up and configure sites for clients who are a little prone to fiddling.

Watch out for plugin updates – you can’t auto-update anything in mu-plugins, and you won’t receive any notifications.  Be aware that you have to stay on top of this by yourself, just like in the old days!

Slightly broken code, now fixed.

Those who follow WordPress closely will understand that a vulnerability has been found that, whilst not being especially dangerous, could be very annoying for some – especially for high-profile blogs.

By using a specially crafted URL, it’s possible for an attacker to force a reset of the admin password.  The attacker can’t know this admin password, it will be a random string, and this password will be e-mailed to the administrator of the blog.  However, there’s no denying that this could be annoying to the administrator.  More specifically, an administrator could be locked out of a block while some other exploits are tried, simply by resetting the password at short intervals.

So, it’s not the end of the world, but it’s an annoyance and in a few rare cases a potentially dangerous one.

To fix this vulnerability in older versions of WordPress, such as 2.7, you can manually change wp-login.php using the code shown in the Changeset on the WordPress Trac: http://core.trac.wordpress.org/changeset/11798 – ideally, you should upgrade to the just released WordPress 2.8.4 but if you have legacy reasons for staying with 2.7 (and many have, for example problems with widgets) then you may need to delay this.

If you need to view the slide notes (primarily for me, to be honest, but you may see some points that got cut during the presentation) you’ll have to visit the Slideshare site.