Stop Users using Stupid Passwords

Been some discussion recently on the WPUK mailing list after some recent mass attacks on WordPress Sites. Lots of good advice from people.

  • Do you need to to allow access from all IP’s
  • Do you need to be able to login all the time or can you say they never login a 2am in the morning so we can stop login at that time.
  • Keep up to date obviously
  • Changing default locations of login pages, wp-admin etc
  • using two factor authentication (yubikey mentioned)
  • captchas on login screen
  • blacklisting of visitors by IP address
  • renaming the default ‘admin’ user

All suggestions worth considering depending on your circumstances.
Someone mentioned about a user with a password of ‘password’, I wondered if there was a way of preventing users injuring themselves by using such a password. By default my current WordPress 3.5 allows a user to do pretty stupid stuff like create a user with a username of ‘e’ and a password of ‘password’.

Not added in list popular passwords that would pass as secure should do that. Could probably extend to exclude dictionary words not sure if its worth doing that.

Dave of mentioned a plugin called ‘better-wp-security’ which does quite a few other things as well, seems worth looking at, Dave had had it recommended to him. There are also a few similar plugins with more restricted scope that just stick to the password ‘force-strong-passwords’ and
I’ve not tried these so I can’t recommend them, I bashed out my own because I was interested. Its probably not quite so client friendly as its called ‘Stop users using stupid passwords’, might have to rename that.

Seems something worth checking on especially as you create a new site. If the password isn’t towards the top of the list of ones a bot attacker might try, it will at least take them longer. Will also stop a human guessing it quite so easily as well.

Ripped Off Britain

Built this site a while ago for someone who was annoyed by being ripped off on car parts in the UK compared to international prices. Its not really being used much at the moment, what is surprising is how well it does in search for a site that has very little content. Other sites with very similar titles/subjects but with a lot more content come up beneath it in google searches.

Ripped Off Britain

Technically its a quite plain vanilla wordpress site with a custom theme to differentiate it. We made up a dog logo illustration as well, to give the site some more character, doing pictures made a nice change from my normal ‘code view’.

Simple Blog for TLC Live

Note: 2014/06/30 This blog was replaced as part of a larger site rebuild in mid 2013.

TLC are online tutors based in the UK. We recently added a simple blog to their site to allow anyone in the company to add content to the site. They can use it to trumpet company announcements and extol the virtues of their learning platform.

TLC Live blog

We added a few plugins in that the client requested from an earlier system they had used. Other than that its pretty plain vanilla WordPress with some adaptions.

We wrote a custom excerpts function so we could finish the excerpt at the end of the first paragraph. The client also wanted the excerpts to keep their formatting and links which are often removed by default.

Also wrote a couple of widgets to emulate the behaviour of some links on their main site.

They also have a more useful than standard 404 page which lists recent articles if you mistype an address.

You can see the site at

Comment Spam

bluerghh comment spam. Seem to be getting a fair bit of spam recently never sure if its some clever bot or a human.
Some comments are obvious spam, people whose mother called them ‘lean mean griller’ was obviously destined to have a website selling grillers. This is spam simples. Although its a bit dumb why would my site have any authority on that at all someones just wasting there own time as well as mine.

Often though the content seems generated by a machine they pick key words out of post. I was reading about markov chains sounds like that would be the way to go if you were trying to generate human sounding content. Perhaps if I read a bit more I can reverse engineer them as a sort of spam detector.

Often though I wonder if the commenter is actually a human its just that they are writing in their second language. So they phrase things a bit oddly which is fine/dandy I’m sure I would if I was trying to comment on someones blog in something other than my first language.

So I try to be positive towards them. I know some people just delete all comments but I’m happy to talk to anyone just not bots or people whose parents named them after seo terms, products or dating sites (1).

Anyway I’ve written a really simple WordPress plugin to represent the percentage of comments that are Pending, Approved, Spam or Trash. It’s output will update as more comments come in. I cleared a load of trashed ones out so the results seem a bit off at the moment.

Incidentally it will be quite fun to see how much spam I get on this post :D, how smart are the bots?

ps: if you want a name for your child here are some neat ones for boys: ichabod, octavius, titus, elastic, borin for girls: cornelia, precious.

Swimming School Website

Just made Janes swim school website live. Its a small simple site built in WordPress for her swimming school in St.Albans, Hertfordshire. Hopefully it will help her business attract more learner swimmers. She wanted to stand out from other swimming schools and look professional yet friendly.

Jane started off with nothing so we worked out a structure together and what she wanted to feature and what parts of the site she wanted to change. Jane wanted to feature testimonials from her customers so I’ve added in the ability to add more testimonials as and when she gets them and the will appear scattered throughout the site. She can edit all the pages so it should keep her costs under control and let her phrase things as she wants. Its a starting point we will see how the site moves on in the future.

As well as print style sheets it has some pretty simple mobile styles so that it is moving towards responsive design in a small way.

It uses my sitemap plugin to create her sitemap.xml dynamically so it will be updated everytime a page is updated or new content is added.

Its also mildly minimized with my minify plugin it doesn’t go all the way and remove all the line breaks but it cleans up a lot of the white space so it should reduce the amount of data transferred when you request the page thereby making the pages load faster.

I’m monitoring for errors so we should sort out any issues that visitors bring up.

Make WordPress site faster (part 2)

This post carries on from a previous one make wordpress site faster. In that post I did the easiest stuff to do from now on it gets slightly more difficult. At some point if your not a geek it gets to be too much hassle. I’ll let you decide when that is.

After I finished writing that post I enabled mod page speed on my site. On my hosting its a yes/no thing but there are lots of options if you can fiddle. I had to do some testing but nothing was actually broken at least as far as I’ve discovered so far.
So now I have

  • Google pagespeed tool : Page Speed Score of 86 (out of 100)
  • Yslow Overall performance score 83

Which is quite weird because Yslow hasn’t really changed where as mod page speed upped the google page speed score by 20. But yslow contains some pointers on where I’m going wrong
This page has 7 external Javascript scripts. Try combining them into one.
This page has 3 external stylesheets. Try combining them into one.
So thats what to do next……