Tag Archives: wordpress

7 Tips for Setting WordPress User Roles

First, a brief introduction to WordPress user roles. There are 5 basic user roles on WordPress. Here’s a very basic breakdown of what each role has access to:

Administrator – Has access to all administrative options and features.
Editor – Can add/edit/delete posts.
Author – Can add/edit/delete their own posts, but not the posts of others. Can upload media.
Contributor – Can write and edit posts and submit them for review. Cannot publish posts and cannot upload media.
Subscriber – Can change their own profile and leave comments, but generally has no other capabilities.

7 Tips for Setting WordPress User Roles

Here are my top 7 tips for setting WordPress user roles for your website.

  1. There must always be at least one admin user. When WordPress is installed, an admin account will be automatically created through the installation process.
    Do not use a user name like ‘admin’ or ‘user’ or ‘wordpress’ for the sake of keeping your website secure. You should use a strong user name, and even stronger password. I like to use random.org/passwords to generate a password, and I add in a few random special characters to make it even stronger. Don’t use your birthday or your dog’s name. Read my article about choosing a secure password you can actually remember.
  2. Use your admin account for admin tasks only! Set up a separate editor account for writing posts and pages if you’ll be doing some of your own writing.
  3. Beware of too many chefs. Keep the number of admins as low as possible. If you are the site owner, you may want to limit your site to 2 admin roles – one for you, and one for your webmaster.
  4. When adding a new writer to your staff, start them out as a Contributor and have a more seasoned editor reviewing their content before posting.
  5. Be aware that editors can publish pages and posts, so only hand out this role when you trust the content a user is writing is going to represent your business well. Graduate your writers from Contributor to Author. Only your top writers should be Editors.
  6. Grant non-technical support staff the level of Editor as the highest level of access.
  7. Remember that admins have equal power over your website, and even the best intentioned people, when inexperienced, can cause harm to your site. Think of your admin account like the keys to your office.

I hope these tips have helped you to better understand WordPress user roles, and have given you some helpful tips on how to most effectively set user roles on your WordPress website.

Questions? Leave a comment or drop me a note to let me know how I can help.

Security Plugins Every WordPress Website Should Have Installed

If you run a website, then website security is probably on your mind regularly. As technology becomes more integrated with our lives, news about security breeches, DOS attacks and hacks has become more frequent. The need for being proactive about protecting your website has never been stronger. Here are some of my favorite security plugins, most of which are free, even if the free version is limited is definitely something every WordPress website should have installed. Check back as I’ll keep this list updated as things change, plugins are added or in the case any are sadly removed!

A Simple Captcha Can Help Deter Attacks.

Brute Force Attacks occur no matter what host you’re with, and no matter how strong your password is. The first step to protecting your website from a successful brute force attack is setting up a strong user name and password.
(Helpful articles: Is my password strong enough? and How to Create a Strong Password You Can Remember)

Step two in protecting your website from brute force attacks is adding an extra layer of difficulty to the bot attempts at cracking your login is adding a Captcha, which can be as simple as a basic math question (or not so simple if it’s before coffee). I recommend the Captcha by BWS plugin, which will add a simple captcha form to your login page. You can learn more about it here: BWS Captcha plugin and download from WordPress repository, here.

Secure your Login.

Adding a captcha to your login page is good, but what’s even better is limiting the number of login attempts anyone tries making to get into your WordPress admin area. For this I highly recommend Login Security Solution. This plugin logs IP addresses of attempted logins, and will systematically slow down the login process to those IPs. The delay is a ‘survival of the fittest’ method, meant to deter attackers, steering them away from your site to move on to the next one that may be an easier target. The beauty of this plugin is, if they DO manage to break in, the plugin recognizes the user as a miscreant and kicks them out, anyway!

Stay in Control of Your Site Security.

As an added measure of security, I also recommend using the WordFence plugin. It works well especially if you set it up to work in conjunction with Login Security Solution. This plugin offers lots of options, and while it has some great pro-active features, some features come in very handy during an attack.

Proactive features I’ve found most useful are the ability to block aggressive search engine spiders like Baidu and Sogou, which can be resource hogs.

There is a live traffic tab that will allow you to see current activity on the site, and if you’re undergoing a brute force attack, you’ll be able to see the IP addresses of the attackers. Combined with the tab to manually block an IP or IP range, you can do something about it.

Scan your site for Potential Problems.

If you’re running a free theme and want to check for possible exploits in the code, you should definitely install and run the “Exploit Scanner” plugin, written and maintained by Donncha Ó Caoimh, a highly respected WordPress developer. This plugin runs a deep scan of your database and will give you a lot of detail about anything suspicious. It can be overwhelming and not every warning is an indication that you have malicious code, and may require a more trained eye to work with, but is a great and powerful tool.

Compromised Website? Get Help Sooner Rather Than Later.

Sometimes you don’t need to run a scan – you notice things like advertisements for the latest variety of Viagra or similar being prominently displayed on your site, or maybe just the mobile version of your site. If you want to run a test to be sure, here’s a site that will let you run a scan of your site to check for malicious activity or malware. Be patient, it takes awhile to complete. (It took about 5 minutes for my test to run).

Viruses, especially database injection viruses, can get evil and messy very quickly. If you suspect your site has been compromised and you don’t have the technical know-how to fix it, it’s better to get help from someone who does sooner rather than later. Every moment your site exists with a virus allows that virus to propagate through your site and make it harder to clean later on, so consider it important to treat this as an urgent matter.

To get help from TrekVisual for an infected website, visit our webmaster services page or contact us.

WordPress Security Tip: Don’t Install THAT Plugin!

One of the many ways you can contribute to the safety of your website is by refraining from installing that plugin – you know, the one that does that neat little thing you need it to do, but might have been developed in 1983? Just say no.

When we took a cruise this past spring, the toilet lid had a sign that asked ‘You want to flush WHAT?’ The little sign went on to explain how your thing-that-doesn’t-belong-in-a-flushing-toilet could stop up toilets for many people on the ship, including yourself…and toilet-less vacations do not make for a happy situation. (Only *I* could possibly create an analogy between flushing and website security.) That reminded me of how a ‘simple little plugin’ could cause damage on a much larger scale than might seem possible.

Just like in any profession, there are many levels of expertise in the world of PHP and WordPress developers. Even a plugin by a good-willed developer can cause major harm to a website if it’s written badly, includes outdated methods, has security holes, or all of the above by exposing your website to security vulnerabilities. It seems so small, so innocent, this nifty little plugin. It just does this one cool thing – how could it hurt? Believe me, just like a little virtual q-tip, one bad little plugin – harmless as it might seem – can quickly give you the ‘wish I hadn’t done that’ feeling.  Not only can it break your website and make it behave badly like curly hair on a rainy day, it can leave your website vulnerable to security issues. Did I forget to mention it can also make your webmaster a little richer? Yeah, that too.

TrekVisual website plugins have either been built by us, or have been purchased from reputable sources that we’ve worked with and trusted our business to for years. You won’t have to worry about finding plugins that are safe, because we take care of all that niggly stuff for you. (I decided today I love the word ‘niggly’ – it’s so much fun to say). If the plugin isn’t built by us, the TrekVisual team carefully evaluates plugins sourced from other companies, long before we make them available to you. We kick the virtual tires, if you will, so you can just enjoy the ride. If you’re building a custom website with us and will be using our website monthly plan, we’ve got you covered. You won’t have to worry about unsafe plugins.

How do you know if a Plugin is safe? That’s a difficult question to answer, in a way that would be helpful to someone who’s not a coder. The short answer is, you don’t.

You might expect a plugin listed in the WordPress repository would be safe. You might expect a plugin you have to pay for would be safe. You might expect a plugin that’s been around for a long time and has a lot of great reviews is safe. None of the above are always going to be the case.

There was a very popular script (called “TimThumb”) a number of years ago. A security hole was found and exploited, causing major havoc in the industry. The script was SO widely used by WordPress users that, as a result of the vulnerability attack, caused many people to question the security of building WordPress websites. The script itself was not malicious, by far, but an exploit was found and taken advantage of by hackers, making the script a major security risk to anyone who used it. Though it had a long history and a solid reputation, one vulnerability made it insecure.

Soon I’ll be writing about our favorite plugins here in the TrekVisual blog, so stay tuned for more!

Adding stylesheets and js to WordPress

Sometimes you want to call a separate css stylesheet, or more importantly, extra js libraries you might be using for special functionality in your theme. To do this, add the following bit of code to your functions.php file

* Register with hook 'wp_enqueue_scripts', which can be used for front end CSS and JavaScript
add_action( 'wp_enqueue_scripts', 'stylesheets' );
add_action( 'wp_enqueue_scripts', 'scripts' );

* Enqueue stylesheets
* In this case, I'm including a stylesheet for FlexSlider.
* When you view the source of your rendered site, you'll see the stylesheet with id='flexslider-css'
function stylesheets() {
wp_register_style( 'flexslider-css', get_template_directory_uri() .'/flexslider.css' );
wp_enqueue_style( 'flexslider-css' );

* Enqueue scripts
* ... and here I'm including the js for FlexSlider.
function scripts() {
wp_register_script( 'flexslider-js', get_template_directory_uri() .'/jquery.flexslider.js' );
wp_enqueue_script( 'flexslider-js' );