10 Popular Security WordPress Plugins for Webmasters

When it comes to security there are two common types of webmasters. The first includes those WordPress admins who cram their blogs with every possible security plugin, while the other type are webmasters that are happily ignorant of the various web dangers including hackers, malicious code, and spam attacks who don’t even imagine why they need any security plugin.

No matter which type of webmaster you are, below we have a list of security plugins any webmaster should consider for their WordPress website:

  1. Simple Backup – This WordPress plugin was developed to create and download backups of your WordPress website. Note: Simple Backup plugin creates a special directory in the root of your WordPress directory – usually its name is ‘simple-backup’ for backup files. Sometimes it’s necessary to create this directory manually (in case you get an error message). Requirements: It requires PHP 5.2 or higher version, WordPress 3.3 or newer version, Linux Style Server, mysqldump (for DB backup) and tar, zip, gzip, or bzip (for compression of files).
  2. Ask Apache Password Protect – This is quite an unusual security plugin. Unlike other similar plugins it works not at the level of application but at the network level and does not use php to prevent attacks as it starts functioning before php. Ask Apache Password Protect was developed to stop attacks before they even reach your blog. Requirements: The plugin requires Apache web server and hosting support for .htaccess files.
  3. Login Dongle – Nobody will be able to log in but you. As simple as a pie! Login Dongle plugin protects your login information with the help of security question as an additional security layer. Note: Your login page stays unchanged, so attackers won’t know how to guess the answer to your security question. And even if someone uses your computer and browser that fills in the login form automatically, still this person will not be able to log in! And you can install it with any other login plugin. Requirements: WordPress 1.0 or newer versions.
  4. Sideways8 Custom Login and Registration – This plugin was designed in such a way that you and your users never see the built-in login option, registration form, and password reset form of your WordPress. Additionally you’ll be able to add some custom content to the login, forgot password, registration and password reset pages. Requirements: WordPress 3.3 or newer versions.
  5. Exploit Scanner – This plugin will look through your WordPress files and database to find any signs of some malicious activity. It also examines your active plugins for unusual filenames. And don’t be afraid – it won’t delete anything! You are the one that will make the decision! Requirements: WordPress 3.3 or higher versions.
  6. WordPress AntiVirus – It’s an easy-to-use plugin that will automatically and regularly monitor any kind of malicious injections and warn you of any possible attacks. What is even more, it has a multilingual support. Requirements: PHP 5.1 and WordPress version 2.8.
  7. WebsiteDefender – WebsiteDefender plugin is another free WordPress plugin that can offer you a list of useful security options. Among them are: scanning your blog for security configuration mistakes, offering easy solutions of security issues, hiding your WP version, checking your files permissions, removing WP Generator META tag from the core code etc. Requirements: WordPress 3.0 or higher version, PHP5.
  8. WordPress HTTPS (SSL) – This plugin was created as an all-in-one solution (includes private and shared SSL, force SSL per page option, admin panel security and ‘partially encrypted’ errors solutions) for your WordPress SSL. Requirements: WordPress 3.0 or higher versions.
  9. Anti-spam plugin – This plugin blocks spam in your posts’ comments automatically and invisibly both for users and for admins. What are its main advantages? First of all, it has no captcha; additionally, it has no moderation queues and no options. So, you can forget about spam forever! Requirements: WordPress 3.0 or newer.
  10. Theme Authenticity Checker – It’s a plugin that can scan all your theme files and let you know if there is any suspicious or unwanted code hidden. That’s a great tool for avoiding non-wanted advertising mostly, but before deleting any piece of code from your theme’s source files we suggest that you contact theme author to obtain some additional information about it. Requirements: WordPress 3.0 or newer versions.

This article was contributed by Diane Parks, a Template Monster representative who is fond of WordPress themes, plugins and tutorials.

  • Leave a Comment
  • Google+ Comments for WordPress Plugin

    google-plus-commentsFor many years now Facebook has had a very popular login feature and also offered the ability to easily integrate blog comments using your Facebook account. These options have proven to be very popular with all types of webmasters as they provide several convenient features and also help to discourage spammy or anonymous comments.

    It always surprised me that Google wasn’t in this game, but the introduction of Google+ seems to offer Google the ability to offer these features to webmasters and be the ones collecting this information.  According to reports, apps that support Google’s login are now getting favorable search treatment and Google is starting to really push this feature.  Then last month, Google announced that Google+ comment integration is now available for Blogger users. So, what about WordPress users?

    Not long after the Blogger integration was announced, the necessary code was discovered to do this manually using the following code:


    <script src="https://apis.google.com/js/plusone.js">

    Valid HTML5 version:

    <script src="https://apis.google.com/js/plusone.js">

    Comments counter HTML (replaces < g:comments >):

    <g:commentcount href="[URL]"></g:commentcount>

    Valid HTML5 version (replaces < div >):

    <div data-href="[URL]"></div>

    Replace ‘[URL]’ with the URL of your web page and fit the ‘width’.

    Link your web page to your Google+ profile to verify authorship.

    Dynamic Google+ Comments HTML:

    <div id="comments"></div>
    gapi.comments.render('comments', {
        href: window.location,
        width: '624',
        first_party_property: 'BLOGGER',
        view_type: 'FILTERED_POSTMOD'

    Google+ Comments Counter:

    <div id="commentscounter"></div>
    gapi.commentcount.render('commentscounter', {
        href: window.location

    Google+ Comments for WordPress Plugin

    Fortunately, the WordPress community has already come through with an easier solution, the Google+ Comments for WordPress plugin. This plugin makes the comment section tabbed by seamlessly adding tabs for Google+ Comments, Facebook, Disqus, WordPress Comments, and Trackbacks. Early reviews are promising and I manage this plugin will continue to evolve over time.

    If you decide to give this plugin on your website leave us a comment and let us know how the setup went.

  • Leave a Comment
  • PSA: Massive Botnet Attacks on WordPress Installations

    Over the past 24 hours it has come to our attention that a large network of over 90,000 IP addresses have ramped up their use of a brute force attack to target WordPress blog installations. According to several published reports, the botnet is attempting to gain access to WordPress installations by using the default Admin user name and trying multiple passwords. By default, WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.

    Popular hosting providers CloudFlare and HostGator are reporting that the scale of the current attack is much larger than what they typically experience, with some reports claiming that they are blocking 60 million requests per hour during peak times. After reviewing our logs we’ve already noticed several failed login attempts using the username Admin.

    What can I do to protect my WordPress installation(s)?

    1. If your username is currently set as Admin, change it to something custom. The easiest way is probably by using something like the Better WP Security WordPress plugin.
    2. Change/strengthen your password. Your password should include capital letters and symbols (%+!#)
    3. Install a plugin to limit login requests.  We use the appropriately titled Limit Login Attempts WordPress plugin, but there are several other plugins with similar functionality.

    Once that is done, sit back and hope for the best!

    Update: HostGator has provided additional tips.

  • Leave a Comment
  • How to Handle a Hacked WordPress Install

    WordPress is the most popular Content Management System in the world, and a significant percentage of the sites on the Internet use it. That popularity is well-deserved, but it also makes WordPress an irresistible target for hackers who want to spread malware.

    How to Tell if Your Site’s been Hacked

    Sometimes it is obvious that your site has been hacked. Occasionally hackers will simply redirect the site to a different server, so that visitors to your domain end up at a site infected by malware, a site displaying advertising the hacker can profit from, or a porn site. But often hackers add malware or spam links to a site which they want to remain undetected for as long as possible. Having a hacked site can infect your visitors with malware, and it will almost certainly result in a huge hit to your SERP rankings, or even blocking by search engines, so it’s important to be vigilant. There are a number of tools available to webmasters to determine whether a site is vulnerable and whether it has been hacked.

    WP  Security Scan

    The WP Security Scan extension won’t tell you whether your site has been hacked, but it will check for possible attack vectors and vulnerabilities, and offer suggestions for fixes. Of course, often the vulnerabilities will not be in WordPress itself, but in some other part of the software stack. The best way to ensure that there are no known exploits that hackers can use is to keep your software as up-to-date as possible.

    Google’s Safe Browsing Diagnostic

    Google has a service that enables webmasters to see whether they consider a site to be dangerous to visit. Copy the following URL into your browser address bar and replace the part following ‘?site=’ with your site’s URL.



    Sucuri offers a free site scanning service that will catch major problems, and a paid for monitoring and cleanup service that can help if you are hacked.

    Using these tools together can help you ensure that your site remains safe.

    What Should You do If You’ve Been Hacked

    Unless you are an experienced and expert developer or website administrator, cleaning a site with any level of confidence by yourself is almost impossible. Even if you think you have found all the malicious files and removed all the spam links, the files that make up WordPress itself may have been altered so that they reinfect a site after an attempted cleanup.

    Contact your hosting provider and let them know you’ve been hacked. You might not be the only victim and the host provider’s sysadmins may already be taking action.

    Securi, as mentioned above is an excellent tool, and it will attempt to auto-clean your WordPress installation. Should you choose not to use Securi, or hire a professional to clean your site, then the next best option is to delete the site and restore it from backups.

    Hopefully, your site is hosted with a provider that offers a comprehensive backup service, in which case restoring the site to a previous version should be very simple. If not, we are going to assume that you have been making regular backups of your WordPress database.

    Download a fresh install file from WordPress.org, to replace any files that may have been altered during the attack. Do not use the same passwords on the new install as you used on the hacked site.

    After you have installed a fresh version of WordPress you can restore the WordPress database from a backup that you know to be clean.

    Since you know that your site has been hacked once, and that there were vulnerabilities that malicious parties were able to exploit, if possible, it may be best to completely reinstall the server and restore from backups. At the least very scan the server with an anti-malware tool. If you are reasonably sure that the infection was limited to WordPress, then you should update all of your software to the most recent versions, to close vulnerabilities. If you’re using shared hosting your provider should take care of this for you.

    If you haven’t been taking database backups, it may be possible that the WordPress database has not been breached, and that a fresh install of WordPress using the existing database is enough, but in that case be extra vigilant of alterations, follow the rest of the above advice, and start taking regular backups!

    About Daniel Page — Daniel is the Director of Business Developement for ASEOhosting, a leading provider in SEO hosting and multiple IP hosting. Follow ASEOhosting on Twitter at @aseohosting.

  • Leave a Comment
  • How to Protect WordPress from Malware Infections

    WordPress is installed on so many websites now, the global reach is comparable to a company like Microsoft. Hackers, scammers, and phisherman target Windows because it’s installed on millions of computers all over the world. If you’re going to break into computers with malicious intent, you want the biggest target.

    You will find (at times) some proponents of other popular open source CMS software (Joomla, Drupal) may try to say “WordPress isn’t safe, look at all the hacked websites”. WordPress is actually very stable, mature, and secure. But by it’s very nature, being software, it must be maintained (or security holes appear over time). If everyone kept WordPress, plugins, and themes updated, and performed just the slightest bit of preventative maintenance and hardening, the amount of compromised WP websites would probably go down by 90%. In this article we’re going to go over the basic steps of how to protect your WordPress website from malware, virus infections, and malicious code and scripts.

    First let’s talk about some basics you should know…

    What is (website) malware?

    You probably already know the word “malware” from PC’s and computers. Computer viruses have been around a long time, as well as virus scanning software. With the Internet age came “spyware” (programs that spy on what you do and send the details to a remove computer), as well as “anti-spyware” computer software. You might also have hard about trojans, and key-logging software as types of computer virii. The term “malware” in conjunction with a computer means something installed on your PC in order to deliver a payload. Like installing a browser toolbar, and having it (on the backend) install a script, program, or trojan without your knowledge as the payload.

    Google started tracking malware in websites a few years back as part of Google webmaster tools. Malware (at that time) was known mostly as something installed in your website designed to deliver a payload unknowingly to the website visitor (also like a virus, trojan, program, script, etc.). Now, the term is used to cover nearly any compromised website wither it delivers an actual payload, redirects the user to a rogue website, or just plain contains simple SEO spam.

    How do websites get infected with malware?

    If you think about the amount of WordPress websites online (more than 73 million and counting), when reports come out that say “10,000 websites hacked from ABC vulnerability” it’s a small percentage in comparison to the whole. Then again, that’s 10,000 broken websites that are either down, redirected, or infested with spam.

    Often people have a perception that there are actual people (or hackers) trying to break into websites. That’s not really the case, it’s an automated process. Hackers, spammers, and criminals write scripts to seek out and search for websites with specific vulnerabilities they can use to break in. They watch the latest security holes patched in WordPress itself, as well as themes and plugins. They also look for other software with holes, such as Joomla, Mambo, Drupal, phpBulletin, Simple Machines forum, phpBB, and anything else they can find. Often scripts are written to break in through one hole, and then just infect all PHP files, all sites in a hosting account, or just all WordPress installations at once.

    So think about the home you live in and it’s security. You have locks on the doors and windows, and if someone were trying to get in – you’d know about it right away. The bulk of websites online are in shared hosting accounts. Unless you have some alerting or monitoring installed for your website (and even if you do), the only place break-in and hack attempts are stored is the server logs. You don’t know it but your website is being “attacked” night and day 24/7 hundreds (if not thousands) of times. You have no idea that something is constantly trying to break into your website. If you did – you’d actually beef up the security a bit.

    Back to how the websites get infected. These automated scripts look for security holes in WordPress itself, themes, and plugins. If your website (or themes or plugins) are out of date – you might be open to one of these attacks looking for a way in. But this isn’t the only way.

    Another way websites can be compromised (any website, not just WordPress) is by using an insecure connection to either login to FTP, your wp-admin dashboard, or your web hosting account. Remember when we talked about computer viruses and malware? If your PC is compromised and you connect to your WordPress website, your connection information could be sent to a remove PC by a keylogger or trojan. Even is your PC is clean, if you connect to any of these by an insecure connection such as Starbucks connection, public wifi in a hotel or airport, the same thing could happen (same if your home wireless router isn’t secured).

    Yet another way your WP website can be infected is through your webhost itself. Maybe your account is managed with cpanel or Plesk control panel and your webhost hasn’t applied the latest patches for that software. Hackers can get in through those security holes. What if an exiting employee from a webhost steals the password files (which has actually happened) – you could be compromised. What if someone external breaks into your webhost and steals your login information (which has also happened at multiple webhosts multiple times), you can also be broken into.

    More often than not what we do see, are large webhosts with shared webservers where hackers break into as many sites as they can on one box at once (bad neighborhood or guilt by association break-ins). Hosts that do stupid things like leave directory indexing on by default – don’t help matters much.

    How to Protect WordPress from malware?

    Now that you know what malware is, and how websites get infected, it’s time to find out how to protect your own website from malware (infections). While we can’t give you complete step by step instructions, we can give you some great points to follow which will make your website more secure and hardened than it ever has been.

    • Reset your password(s): regularly reset your WordPress admin, FTP, and web hosting control panel passwords every 30-60 days. Be sure to use a 12+ character strong password from somewhere like strongpasswordgenerator.com. Never use the same password at multiple websites or for multiple accounts.
    • Update everything: as previously mentioned, be sure to keep WordPress itself updated, and all plugins and your theme as well at all times. Check to see if your theme has an update available if you purchased it from a developer or a theme house. Have it reviewed by a competent WordPress developer once per year for vulnerabilities if it was custom coded.
    • Remove unused and outdated items: The worst security holes are the ones that you forget about. Always remove all themes and plugins that are unused and inactive. In addition be sure to remove (or at least have an expert check out) any plugins that haven’t had an update in 12-18+ months or more.
    • Get rid of common WordPress elements: Your WordPress installation shows what version you are running in the meta generator tag of every HTML page it displays sitewide. Use a security plugin like Secure WordPress or Better WP Security to suppress this from being displayed in your public pages. You can also remove, hide, or limit access files like readme.txt which also display WP version information.
    • Limit Access: Limit and give admin access to only those with a “need to know” basis within your WordPress website. You should be able to count full site admins on one hand (preferable one or two fingers). Give the rest lesser user roles as needed.
    • Setup alerting and monitoring: There are all kinds of free services (some by web hosting companies) that will alert or monitor you if your website is down (or if certain pages have changed in content)
    • Register with Google Webmaster Tools: If you register with Google Webmaster Tools and they find malware in your website, they will notify you via email. Keep in mind (in our experience) by the time they notify you, your website could have been infected for days or weeks (or longer)
    • Monitor changed files: There are many free plugins that will monitor your website for changed files, Better WP Security is one of them.
    • Update wp-config security salts: Since before version 3.0 the wp-config.php file of every WP installation has contained “security salts” and a URL to get random ones to update the file with. Be sure to update your wp-config file.
    • Install and configure a security plugin: Setup and configure an all-inclusive security plugin, something like Better WP Security or Secure WordPress
    • Setup and test a backup solution: By all means, make sure that in the event something does happen you have a disaster recovery plan. You can use a free plugin, premium solution, or web based service to backup your website to an offsite location for recovery in case you are hacked, or something at your web host goes down. This is even protection against issues if you upgrade WordPress or plugins and a conflict takes your website down. At least with an option like this, if you are taking regular versioned backups, you can easily revert to the last known good version

    With just these few bullet points, your website security can be improved by nearly 95% (or more). While much of this can be done by any website owner with a small amount of effort and little technical knowledge, if you need help quickly for a compromised website JTPratt Media does remove malware and secure WordPress websites.

  • Leave a Comment
  • CRON Jobs Give WordPress Users Peace of Mind

    If you’ve never had a website go missing, then you’re very lucky. Your host can have a network error or hardware failure that loses your site’s files. A malicious hacker can penetrate your FTP server and replace your site with files of his choice. You might get curious about a new plugin, install it, and break your site to pieces in the process. No words really describe the panic you feel when you realize your website is gone!

    If your host allows you to use CRON jobs, you can protect yourself from all those things by running a daily backup of your database and web site files. If you lose your site for any reason, you can put it right back in a few minutes.

    A CRON job is script that your web server executes at a specified time. CRON comes from the word chronograph, and it is a time-based job scheduler for LINUX based operating systems. Most WordPress sites are running on such an operating system. If you have access to a CRON scheduler through your hosting control panel or have command-line access to your hosting server, you should be able to write a shell script to back up your database and site files.

    The first thing you will need is a shell script. The script will connect to your database, export the whole thing to a file, and zip the file up so you can store it safely somewhere. Then, it will zip up all your website files.

    If you have a host panel where you can create and edit a file, you can do this there. Otherwise, open any non WYSIWYG text editor and create a file called daily_backups.sh. The .sh file extension indicates this is a shell script file.

    export TERM
    NOWDATE=`date +%a` # Sets the date variable format for zipped file: Sun
    clear # clears terminal window
    echo "Hi, $USER!"
    mysqldump --opt -Q -h your-website-host-name --user=your-db-user-name --password=your-db-password your-database-name | gzip -v9 - > /www/public_html/backups/MySQL-$NOWDATE-yourwebsite.sql.gz

    The first line is an indicator to the server for which shell processing language to use. Your server might require

    #!/bin/bash or something else there. Use echo $SHELL from the command prompt to determine your shell type if you have command line access.

    The TERM instruction tells the server what terminal type it is communicating with; in this case, a text terminal.

    Next we create a variable named NOWDATE and use a little script magic to set it to be equal to the abbreviation for the current day of the week e.g. Sun, Mon, Tue, etc.

    The mysqldump command will “dump” the entire database including create procedures and insert procedures for all the current data.

    Replace your-website-host-name with your website host name for your database. You can find this in your wp-config file if you don’t know it.

    Replace your-db-user-name, your-db-password, your-db-name with actual values. Again, these values are likely exactly what they are in your wp-config file.

    Replace /www/public_html/ with whatever your hosting account’s root path is.

    Replace yourwebsite with some meaningful name.

    Now, save the file. You need to set the permissions on the file so that it is executable. If your cpanel has a cron scheduler, just add this file to the list of files it runs. If you need to edit your crontab from command line, see this tutorial.

    To back up your site files, as well as your database, add a few more lines to your script.

    echo "Zipping wordpress directory structure..."
    tar -czf $HOME/backups/$NOWDATE.mywebsite.tar.gz $HOME/public_html/*

    Hopefully, you do have a directory outside your public web root so that your backup files are stored in a location that is not accessible via the internet.

    The tar command will pack the files up into a tarball for you (like a zip archive).

    This article was contributed by Jennifer Nodwell, who worked as a systems analyst and developer on large-scale scale systems at EDS and Nortel where she wrote over 2 million lines of code. She has been building websites since 1997, and after realizing there was life beyond the cubicle, chucked the corporate life for free-lancing as a web developer in 2005. Now, she works almost exclusively with open source CMS applications like WordPress.

  • Leave a Comment
  • How To: Add Google Rich Snippets to WordPress (Without Editing Your Theme)

    When searching the web with Google, have you ever noticed that certain webpages with product reviews have a little star-rating and additional info that appears underneath the title?

    For example…

    Notice the additions under the hyperlinked title. These eye-catching additions are called “rich snippets.” Rich snippets give additional prominence to your review pages when they appear in search results and could help garner additional search engine traffic for your site.

    You can ask Google to show this sort of data for your review posts by adding hReview code to your WordPress blog. This process has been covered in other tutorials before, but previous methods required you to edit your theme’s code and fiddle with custom fields to get it to work. Not anymore — here’s the easier, plugin-only method:

    1. Install the SEO Ultimate plugin. (You can download the zip file here or you can go to the SEO Ultimate homepage and enter your blog’s URL in the Auto Installer field.) Activate the plugin once it’s installed. SEO Ultimate has many other SEO features besides rich snippets, but if you just want to use the rich snippet functionality, you can disable everything else under the “Modules” section of the plugin’s “SEO” menu.
    2. In the WordPress administration interface, find a post that you’d like to mark as a review and open it in the WordPress editor.
    3. In the “SEO Settings” box under the content editor, select “Review” from the “Rich Snippet Type” drop-down. (If your post has a category or tag called “Review” or “Reviews,” SEO Ultimate will pre-select the “Review” option automatically.)
    4. If you gave a rating to the product you reviewed in your post, select the most-applicable star rating from the drop-down.
    5. Click “Save Changes” to save your post. All done! If you want, you can put your post URL through Google’s testing tool to see a preview of your new rich snippets.

    Following these steps will tell SEO Ultimate to add the hReview code to your reviews. (Obviously, only add the code to posts in which you actually review something.)

    Note that according to Google’s FAQ, adding the code by itself won’t guarantee that Google will show rich snippets for your site. However, you can request that Google display rich snippets for your site using this form. Even if Google doesn’t show your rich snippets right away, having the code on your site ahead of time will help ensure you’re ahead of the game if/when Google rolls out rich snippets on a wider scale.

    Enjoy your rich snippets!

  • Leave a Comment
  • How To: Add a Twitter Link to Your WordPress Blog

    Twitter is all the rage these days and it doesn’t seem like it will be going anywhere any time soon.  With that said, it often surprises me that many WordPress blog owners  don’t offer a convenient way for their readers to retweet their content.  Anyone can grab a Twitter WordPress plugin to tweet their new content as it is published, but what about your older content?

    Rather than passing up all that potential traffic, I’ve found that offering a link somewhere within your post (optimally at the bottom of each post) is a great way to help your readers and incoming search engine traffic to promote your content for you.  When people find great content they like to share it with others, so why not make it easy for them?

    Not only is adding a “Tweet This!” link a great choice, but it is really easy to do.  Chances are if you do a search on Google for code to use you’ll find something like the following:

    <a href="http://twitter.com/home?status=Currently reading <?php the_permalink(); ?>" title="Click to send this page to Twitter!" target="_blank">Tweet This!</a>

    This code works just fine, but is not the most optimal solution in my opinion.  Depending on the permalink structure your WordPress blog uses, combined with the length of your domain name, it may be difficult to fit the link into a 140 character tweet.  It also doesn’t leave room for the person to add their own comments to the tweet.

    As a proposed solution, I recommend using some WordPress code like the following:

    <a href="http://twitter.com/home?status=RT @HackWordPress <?php the_title ();?> <?php echo get_settings('home'); ?>/?p=<?php the_ID(); ?>">Tweet This</a>

    This code will automatically insert the “RT” and your Twitter account name (the above example uses our Twitter account, @HackWordPress) then use the ID form of your post with the tweet.  When people click the link in the tweet, they will then be redirected to the actual post using your blog’s selected permalink structure, making a convenient and typically short URL.

    Have you integrated Twitter into your WordPress blog? Share your strategies in the comments!

  • Leave a Comment
  • Page Sensitive Multi-Level Navigation

    While most sites don’t need incredibly deep page navigation there are situations that justify a hierarchy beyond the typical 2 – 3 levels.  Unfortunately that can be cumbersome for top navigation drop-downs (more than 1 level of drop down is too much IMHO) so another solution needs to be found.  I ran into just such a situation for a client and while I”m also not a fan of left hand navigation it was the decision of the client to utilize it in conjunction with their top navigation, and in retrospect it made sense for them. To keep things easily navigable we also implemented breadcrumbs (which is a good practice anyway).

    The mission was to display sub-pages of the current page you are on in the left nav and once you hit the bottom of the hierarchy to show pages which are parallel to that page within the same branch of the hierarchy.

    After some digging and experimentation I came up with the following which executes perfectly in only a few lines of code.

    $children = wp_list_pages("title_li=&child_of=".$post->ID."&echo=0&depth=1");
    if ($children == "")
    $children = wp_list_pages("title_li=&child_of=".$post->post_parent."&echo=0&depth=1");
    <?php echo $children; ?>
    <?php endif; ?>

    Of course you style to taste…

    That’s it! Used in conjunction with a standard WordPress top-navigation and breadcrumbs you can easily display page sensitive multi-level navigation for your super-complex multi-level site!

  • Leave a Comment
  • Security Reminder: Upgrading Your WordPress Blogs

    While I was away over the weekend, it appears that a large number of bloggers who use WordPress have been hacked and a lot of damage has been done.  It seems this problem has shown up for a large number of people, including some very high profile bloggers.  Among them was Robert Scoble, whose blog was among those websites which were hacked.   Damages on Scoble’s site included porn information being placed in old posts, 2 entire months of content being deleted, and more.  Of course the porn then led to his blog being completely banned from Google!   Scoble is not the only one having these problems, however, and even lesser known bloggers have been attacked.  You can read more in this WordPress support forum thread.

    If you are wondering what the one thing all of these WordPress sites have in common, the problem is they were all using old versions of WordPress.   As someone that owns and operates well over 100 WordPress installations, I certainly understand the pain it can be to upgrade to the latest version of WordPress every time a new release happens, but I hope this goes to show why it is so important to take the time to upgrade all of your WordPress installations be using the most recent version of WordPress.

  • Leave a Comment