June 21, 2008, 6:09 pm
Peter Westwood, a WordPress developer, recently announced a planned change that will disable Atom and XML-RPC publishing by default. I’m thrilled at this direction: many of my corporate and professional installations of WordPress require significant tweaking to disable remote publishing.
In the meantime, I’ve actually had no ill effects from removing xmlrpc.php from the default WordPress installation.
Another tweak I usually employ is applying a .htaccess file to the wp-admin directory. Using a set of Allow/Deny directives, you can restrict access to your administration panel to local machines only. For example, creating a new file /wp-admin/.htaccess:
Order deny,allow
Deny from all
Allow from 192.168.1
This example file ensures that only users coming from 192.168.1.x addresses can access the administration dashboard. (The Order directive matters: with Order deny,allow the Deny from all is overridden by the matching Allow; with Order allow,deny a matching Deny wins, so Deny from all would lock everyone out, including the 192.168.1.x clients.) It’s very useful because even if a password is compromised, only internal users can ever reach the login prompt.
Another solution, one that still allows remote access by trusted users, is a second layer of authentication. Using the htpasswd utility and the .htaccess tutorial from Apache, create a separate login to access the administration panel. This prompt will appear before the default WordPress login. Roaming web spiders and malicious bots will have a more difficult time reaching the wp-admin directory with appropriate access restrictions in place.
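To see how Apache 2.2's Order/Allow/Deny evaluation treats the wp-admin rule above, here is a small model of it (an added example, not code from the original post or from Apache) run against a few constructed client addresses. It shows that the same two Allow/Deny lines admit only the 192.168.1.x clients under Order deny,allow, but admit nobody under Order allow,deny, because in that order a matching Deny from all wins. The matcher's handling of partial prefixes and CIDR is this example's own approximation of mod_authz_host.

```python
"""Added example (not from the original post or from Apache): a small model of how
Apache 2.2's mod_authz_host evaluates Order / Allow from / Deny from, used to check
a wp-admin/.htaccess rule against a few constructed client addresses."""
from ipaddress import ip_address, ip_network
from typing import List, Tuple


def _matches(client: str, spec: str) -> bool:
    """Does one Allow/Deny argument match the client address?

    Supports 'all', a full IPv4 address, a partial dotted prefix such as
    '192.168.1' (matched on octet boundaries), and CIDR notation.
    This is an approximation of mod_authz_host written for this example."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return ip_address(client) in ip_network(spec, strict=False)
    # Partial prefix: '192.168.1' matches '192.168.1.x' but not '192.168.10.x'.
    return client == spec or client.startswith(spec + ".")


def evaluate(order: str, allow: List[str], deny: List[str], client: str) -> bool:
    """Return True if the request from `client` is admitted.

    Semantics follow the Apache 2.2 documentation for Order:
      allow,deny: an Allow must match, then no Deny may match; default deny.
      deny,allow: a matching Deny rejects unless an Allow also matches; default allow.
    """
    allowed = any(_matches(client, a) for a in allow)
    denied = any(_matches(client, d) for d in deny)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unknown Order: {order}")


Config = Tuple[str, List[str], List[str]]  # (Order, Allow from ..., Deny from ...)

# LAN-only rule: deny everything, then allow the 192.168.1.x range.
LAN_ONLY: Config = ("deny,allow", ["192.168.1"], ["all"])
# The common mistake: same Allow/Deny lines but Order allow,deny, so Deny from all wins.
LOCKOUT_MISTAKE: Config = ("allow,deny", ["192.168.1"], ["all"])

# Constructed sample client addresses (the third is a documentation-range address).
CLIENTS = ["192.168.1.25", "192.168.10.25", "203.0.113.7"]


def admitted_clients(config: Config, clients: List[str] = CLIENTS) -> List[str]:
    """Addresses from `clients` that the given Order/Allow/Deny configuration admits."""
    order, allow, deny = config
    return [c for c in clients if evaluate(order, allow, deny, c)]


if __name__ == "__main__":
    print("LAN only       :", admitted_clients(LAN_ONLY))         # ['192.168.1.25']
    print("allow,deny form:", admitted_clients(LOCKOUT_MISTAKE))  # [] - everyone locked out
```

One caveat when relying on this: Apache matches on the connecting address it sees, so behind a reverse proxy or load balancer every request arrives from the proxy's address and the rule no longer distinguishes internal from external users.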
April 25, 2008, 3:13 am
A WordPress plugin that actually does what it advertises? Sign me up for Dean Lee’s Permalinks Migration Plugin, which properly 301 redirects your old permalink (example.com/year/month/day/postname) structure after it’s been updated. (I’ve swapped this site to use just a jakebillo.com/postname structure, so consider this my seal of approval.)
February 5, 2008, 12:40 am
As per the main WordPress site, another upgrade has hit. The security fix refers to our wonderful friend, xmlrpc.php. I highly suggest disabling this file (just delete it from your WordPress directory) if you’re maintaining a locked down installation of WordPress. This file seems to be present in every security issue lately, and a brief scan of the source seems to indicate that it offers support for pinging update services, sending pingbacks and allowing remote control of the service - none of these features are generally critical for sites valuing security more than blogosphere wankery.
DreamHost doesn’t seem to be offering the official upgrade yet, so I’m just downloading the fixed xmlrpc.php file for my installations requiring it, and replacing the file until the one-click install option comes online.
July 10, 2007, 12:14 am
My good friend Phil has joined the ranks of the whiny bloggers union and installed WordPress. He will likely complain about things even more vocally than I, perhaps in a more emo-tastic way. Go visit him and convince him to keep things online, since he gives things up quickly if not encouraged. 
March 5, 2007, 1:32 am
If you own one or more of the 350K domains hosted with DreamHost, you may be interested in using their statistics tracking system. However, if you have WordPress installed at the root of your domain, the /stats/ URL is inaccessible and only results in a 404 error, because WordPress tries to parse /stats/ as a permalink to a post or page. This is due to the .htaccess directives that WordPress employs.
The solution is on the DreamHost wiki and can be added to the top of your .htaccess file fairly quickly:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/(stats|failed_auth\.html)/?(.*)$ [NC]
RewriteRule ^.*$ - [L]
</IfModule>
This block goes before the line WordPress itself writes into .htaccess:
# BEGIN WordPress
Alternatively, if you’re concerned about people possibly brute-forcing your statistics username and password (since it uses simple HTTP authentication), you can deny public access to /stats/ and read the log files from an SSH session instead. Keep in mind that this will be a text-based view of your statistics.
ssh user@yourdomain.com
cd logs/yourdomain.com/http/html
links index.html
The logs directory is accessible under your home directory (~). You could also always run a tar/gzip command on the ~/logs/yourdomain.com/http/html directory and SFTP/FTP the file, then view the stats locally.
For more information, such as performing the same operation with Ruby on Rails apps or TextPattern, check the wiki.
January 21, 2007, 7:11 pm
After yet another cycle of WordPress updates, minor things tend to irk me. Unfortunately, I haven’t had much time to sit down and devote completely to Aerosol development or Ethanol bugfixes, and as a result I’m beholden to the development and bugfix schedule of others.
I have, however, managed to get the site installation wizard for Ethanol up and running; this means that a test installation is now available at http://jakebillo.com/e3/. This site should be considered unstable - it’s running on a MySQL 5.x host, whereas Ethanol was specifically designed for MySQL 4 installations. Any database errors that appear while using this test installation are due to these incompatibilities.