15 Jul

Hackosis.com just added Gravatars to the comments section! In light of that, I decided to explain how to add Gravatars to your custom Wordpress theme’s comment section if it doesn’t already have them. Most old themes won’t.

Gravatars can be used in Wordpress 2.5+ and must be enabled in the Wordpress settings under Discussion.

From the Gravatar site:

What is a gravatar?

A gravatar, or globally recognized avatar, is quite simply an avatar image that follows you from weblog to weblog appearing beside your name when you comment on gravatar enabled sites. Avatars help identify your posts on web forums, so why not on weblogs?

To add Gravatars I simply added the following to my Wordpress theme’s comments.php file right before “<cite><?php comment_author_link() ?></cite> Says:”. Of course you do need to wrap it in the PHP opening and closing tags. Change the size argument (in pixels) to one suitable for your theme:

  echo get_avatar( $comment, 50 ); // 50 = avatar width/height in pixels

You can also change the default avatar by specifying its location as the third argument, like below:

  echo get_avatar( $comment, 50, '/path/to/url.jpg' ); // third argument: URL of the fallback image

I did also add a bit of styling to float it to the right and add a border, but I’ll let you be creative and do it yourself.

Let me know how it goes and if you have any questions I’ll do my best!

Feel free to test the Gravatars by commenting below (this is your one chance for free-for-all commenting). Happy Gravataring.

30 Jun

If you have a Wordpress blog it is crucial that you take certain steps to keep it secure. Blogsecurify can help you with this by scanning your Wordpress blog for known vulnerabilities.

From blogsecurify.com:

In order to verify that you are the owner of the URL, you have to include <!-- tested by blogsecurify --> or <!-- wpscanner --> somewhere on your front page. You can use HTML comments for that matter.

If you would rather not modify your template, they also provide a Wordpress plugin. Just drop it in your plugins directory and activate it.

[via gnucitizen.com]

04 Nov

Getting your site hacked is a major humiliation and can leave you feeling violated. There are several ways to help secure your Wordpress installation. I recommend that anyone running Wordpress follow these steps where possible to avoid security breaches against their blog.

WARNING: Before making any changes be sure to backup!

Most of these tips come from Blog Security, so thanks go to them.

  1. Use a captcha whenever possible:
    I have yet to hunt down a captcha solution for the comments, but I do have captcha in place for logins with Raz-Captcha and for my contact form with Contact Form 7. This keeps bots from spamming and from trying to brute-force your login. If anyone knows of a captcha system for the comments, please let me know.
  2. Limit access to your wp-admin directory:
    There are two ways to achieve this: limiting access to your wp-admin directory by IP address (not a good solution if you have a dynamic IP) and password protecting the wp-admin directory. Both methods are implemented with an .htaccess file.
    1. Protect wp-admin directory by IP address:
      1. Create a file within your wp-admin directory named “.htaccess” if there isn’t already one.
      2. Append the following contents where XXX.XXX.XXX.XXX = your outside IP address. Append multiple “Allow from” lines for multiple IPs:
        Order Deny,Allow
        Deny from all
        Allow from XXX.XXX.XXX.XXX
    2. Password protect the wp-admin directory:
      1. Create a file within your wp-admin directory named “.htaccess” if there isn’t already one.
      2. Create a file ABOVE YOUR PUBLIC_HTML directory named “.htpasswd”. Make sure you put this outside the web accessible directory or someone could read your password file! Usually this is the directory you land in when you first log in over FTP.
      3. Append the following line to the “.htpasswd” file, where xxxx = your username and yyyy = your password as hashed by Apache’s htpasswd tool (Apache on Unix servers will not accept a plaintext password here):
        xxxx:yyyy

        remember, the more complex the better.

      4. Append the following to your “.htaccess” file inside of your wp-admin directory. Make sure you use the absolute path to the “.htpasswd” file. If you don’t know it, ask your ISP. xxxx = the username that you entered in your “.htpasswd” file:
        AuthUserFile /home/username/.htpasswd
        AuthGroupFile /dev/null
        AuthName EnterPassword
        AuthType Basic
        require user xxxx

  3. Restrict access to your wp-config.php:
    I have seen cases on web servers where the PHP install gets broken and all PHP files are served as readable source. This is bad because your wp-config.php file contains your database username and password.

    1. Create a file within your Wordpress root install directory named “.htaccess” if there isn’t already one.
    2. Append the following to that “.htaccess” file in your Wordpress root directory:
      <Files wp-config.php>
      Order Deny,Allow
      Deny from All
      </Files>
  4. Restrict access to the wp-content and wp-includes directories:
    1. Create a file within your wp-content and wp-includes directory named “.htaccess” if there isn’t already one.
    2. Append the following to the “.htaccess” file. NOTE: some plugins may break with this method, since only the listed file types stay reachable:
      Order Allow,Deny
      Deny from all
      <Files ~ "\.(css|jpe?g|png|gif|js)$">
      Allow from all
      </Files>
  5. Keep your Wordpress install and plugins up to date:
    The newest versions of Wordpress automatically notify you when there is an update for Wordpress itself or for your plugins. Keeping these up to date keeps black hats from using known vulnerabilities to gain access where they shouldn’t.
  6. Use the Wordpress online security scanner:
    This plugin, together with a CGI script at Blog Security, performs version checks, XSS checks on your template, and looks at your plugins for vulnerabilities.
  7. Change your Wordpress database table prefix:
    1. If you are installing you can just choose the option during installation.
    2. If you have already installed, follow these steps outlined here. There is also a plugin here.
  8. Change your ‘admin’ username:
    All Wordpress installs have a default ‘admin’ account, which is a security risk. Basically this entails creating a new user with administrative privileges, logging in as that user, and then deleting the old ‘admin’ account. There should be an option to transfer all the posts to the new account automatically.
  9. Create an unprivileged user for posting:
    Not only does this protect your Wordpress blog from black hats, it also protects it from you. It is the same idea as not logging in as root on your Linux box.
  10. Implement Mod Security:
    Append mod_security rules to the “.htaccess” file within the root of your Wordpress install. These are not specific to Wordpress, but are general rules that prevent some malicious attacks on your site as a whole.
    EDIT - SEE: BlogSecurity Wordpress Modsecurity White Paper
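The .htaccess hardening in steps 2 to 4 can be verified after the fact. The POSIX shell script below is an added example, not code from the original post or from Blog Security: audit_wp checks a WordPress tree for the rules above and flags an .htpasswd kept inside the web root or holding an unhashed password, while make_sample_tree builds a constructed sample site (the public_html layout, the alice user and the placeholder hash are all assumptions) to run it against.

```shell
#!/bin/sh
# Added example (not from the original post): offline audit of the .htaccess hardening
# in steps 2-4 against a local WordPress tree. Assumes Apache 2.2 Order/Allow/Deny syntax.
# audit_wp WP_ROOT HTPASSWD -> prints PASS/FAIL per check, returns 0 only if all pass
audit_wp() {
  root=$1; htpasswd=$2; fails=0
  # Step 2: wp-admin guarded by an IP allow-list and/or HTTP Basic auth
  if grep -qs -e 'Deny from all' -e 'AuthUserFile' "$root/wp-admin/.htaccess"
  then echo "PASS wp-admin/.htaccess restricts access"
  else echo "FAIL wp-admin/.htaccess missing or unrestricted"; fails=$((fails+1)); fi
  # Step 3: wp-config.php denied inside a <Files> block of the ROOT .htaccess
  if sed -n '/<Files wp-config.php>/,/<\/Files>/p' "$root/.htaccess" 2>/dev/null |
     grep -qi 'Deny from all'
  then echo "PASS wp-config.php is denied"
  else echo "FAIL wp-config.php not denied in $root/.htaccess"; fails=$((fails+1)); fi
  # Step 4: wp-content and wp-includes each deny by default
  for d in wp-content wp-includes; do
    if grep -qs 'Deny from all' "$root/$d/.htaccess"
    then echo "PASS $d/.htaccess denies by default"
    else echo "FAIL $d/.htaccess missing or unrestricted"; fails=$((fails+1)); fi
  done
  # Step 2b: .htpasswd outside the web root, passwords hashed (htpasswd -m, -B or -s)
  case $htpasswd in
    "$root"/*) echo "FAIL .htpasswd is inside the web root"; fails=$((fails+1)) ;;
  esac
  while IFS=: read -r user hash; do
    case $hash in
      '$apr1$'*|'$2y$'*|'$2a$'*|'{SHA}'*) echo "PASS $user: hashed password" ;;
      *) echo "FAIL $user: unhashed password, run it through htpasswd"; fails=$((fails+1)) ;;
    esac
  done < "$htpasswd"
  [ "$fails" -eq 0 ]
}

# make_sample_tree DIR hardened|weak -> constructed sample site for the demo (assumed layout)
make_sample_tree() {
  mkdir -p "$1/public_html/wp-admin" "$1/public_html/wp-content" "$1/public_html/wp-includes"
  : > "$1/public_html/wp-config.php"
  if [ "$2" = hardened ]; then
    printf 'AuthUserFile %s/.htpasswd\nAuthType Basic\nrequire user alice\n' "$1" \
      > "$1/public_html/wp-admin/.htaccess"
    printf '<Files wp-config.php>\nOrder Deny,Allow\nDeny from All\n</Files>\n' > "$1/public_html/.htaccess"
    printf 'Order Allow,Deny\nDeny from all\n' | tee "$1/public_html/wp-content/.htaccess" \
      > "$1/public_html/wp-includes/.htaccess"
    printf 'alice:$apr1$placeholder$0000000000000000000000\n' > "$1/.htpasswd"  # APR1-prefixed placeholder
  else
    printf 'alice:hunter2\n' > "$1/public_html/.htpasswd"  # plaintext and inside the web root
  fi
}
```

Run `make_sample_tree /tmp/wpdemo hardened && audit_wp /tmp/wpdemo/public_html /tmp/wpdemo/.htpasswd` to see the checks pass, then point audit_wp at a real install and its .htpasswd.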

I hope you enjoyed and implemented these security tips, and maybe you can have some peace of mind knowing that you are more secure than before you read this article. If you have any more suggestions, please leave them in the comments.

18 Sep

Simple Tagging Tag Cloud

Want to do tagging on your Wordpress 2.0.10 or higher installation? The Simple Tagging plugin got the job done for me, but not without a couple of “hacks”. I kept getting 404 errors when a tag was clicked inside of a post, and I had no tag cloud on my front page.

I am running Wordpress v2.2.3 and had a couple of milestones to cross before I had a 100% working installation.

Here are the steps I took to get it working:
Read the rest of this entry …

16 Sep

This is my new blog and I have heard many great things about Wordpress. However, I did have one problem: 403 errors in the admin interface. This fixed it for me:

1. Create a file named “.htaccess” in the root of your Wordpress installation.

2. Edit the .htaccess file with the following contents:

Read the rest of this entry …