Password protect a subsite in a WordPress network with .htaccess

A wordpress network / multisite setup uses virtual directories.

When you have a wordpress network setup on www.yourdomain.com, you can have multiple blogs with only one WordPress installation, for example:

www.yourdomain.com
www.yourdomain.com/johndoe
www.yourdomain.com/janedoe

Suppose you want to password protect only one subsite e.g. ‘janedoe’, you can’t just create a ‘janedoe’ folder on your webserver with a particular .htaccess in it.

You need to create a secured environment for the virtual folder in your main .htaccess (where all other WordPress rules reside) using the following code:

SetEnvIfNoCase Request_URI "^/janedoe/" SECURED
AuthType Basic
AuthName "restricted area"
AuthUserFile /home/mydomain/.htpasswd
require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=SECURED

WordPress Admin Running Slow? Here’s How To Fix It!

I update my WordPress Network quite often. Especially to prevent security issues. Load time for typical WordPress pages is as good as perfect. However, I discovered on some of my WordPress Network setups the wp-admin pages suddenly took forever to load. I was waiting 2 minutes to load any wp-admin page. After a long search I discovered the problem was a faulty db_version value in the wp_options table.

wordpress-logo-stacked-rgb

I usually auto update my sites and found out this value was not updated (or could not be updated automatically).

WordPress Codex pages (http://codex.wordpress.org/Version_3.6) list this value for every WordPress version. For example: Version 3.6 has database version 24448. Thus, you should update this value manually in your mySQL database: change db_version (option_name) in wp_options to 24448 (for version 3.6). You should repeat this for every site in your wordpress network (wp_2_options, wp_3_options, …).

It’s as ‘simple’ as that!

Remove ‘thepinktheme.org’ / ‘rozekleur.com’ from your wordpress blog?

So you’ve been breaking your head why multiple posts on your blog contain a hidden (javascript) link to the domain www.thepinktheme.org?

Example:

<script type="text/javascript" src="http://thepinktheme.info/dfi823hs.js?0.048378094101036107"></script>

You removed all references in your database, and searched your entire wordpress installation, themes and plugins for infected files? Even searched for PHP eval(); functions etc…

And still it’s returning? Look no further, here’s the solution. You or one of the people who has been using your computer, or who has access to your blog and post rights, installed an extension in Mozilla Firefox called ‘pink theme’ (‘roze kleur thema’). It got installed by clicking on malicious Facebook posts.

This extension is adding url’s linking back to the pinktheme.org (and other associated) domains when you add new posts on WordPress.

Remove the extension in Firefox. Remove all references in your WordPress database and start hunting down that user who’s been clicking on obscure Facebook links.

WordPress 3.x

Bij het vernieuwen van mijn hosting en domeinnaam, heb ik mijn WordPress even aangepast naar versie 3. Ook de website van de dochter is bij deze weer up to date. Voor beveiligde fotopagina’s waren er problemen met sommige browsers. Hopelijk zijn deze nu verholpen.

Vanaf WordPress 3.0 is er ook de mogelijkheid om netwerken op te stellen voor multi-user blog. Helaas staat dit nog niet volledig op punt, dus wacht ik nog even af om beide blogs te integreren in dezelfde WordPress-installatie.

Ere wie ere toekomt: WordPress met theme Atahualpa. De header-image is van van eigen makelij.

WordPress: installatie, beveiliging, upgrades

(update augustus 2013)

WordPress installeren en beveiligen

WordPress gehacked?

WordPress plugins manueel upgraden?

  • Plugin deactiveren in beheer
  • Plugin map verwijderen van de server
  • Nieuwe Plugin uploaden
  • Plugin terug activeren: plugin detecteert zelf of database-aanpassingen nodig zijn

Nuttige plugins

WordPress hacked…

The past three weeks my WordPress blog got hacked two times. As a regular visitor nothing seemed out of the ordinary, but if you searched Google my blog seemed as a the best drugstore in town (Generic cialis – We Always Have The Cheapest Offers In Our Online-Drugstore). Each and everyone of my blog-pages had corrupted html-title tags or title-id’s (only when viewed through search engines!). Thanks to Google Alerts I found out there was something strange going on.

After a lot of searching (nothing mentioned on the web), finally found the problem. Seemed like my WordPress plugins got edited without my knowledge into base64_encoded hidden code which was then parsed with the php eval() function.

This is what it looks like…

@eval(base64_decode("JGFjdD0iaW1nIjsgZ2xvYmFsICRhcnJfdG...")); ?>

I found different entries in the following plugins: wp-spamfree / rss-import / syntaxhighlighter and so on. I changed all passwords to my site (webspace and databases) and deleted the infected files. Many of those files had changed permissions! I found unknown references to *.bak.php files inside the wp_options database table autoloading various scripts.

Fingers crossed that this won’t happen again. I will keep my eyes on Google / Bing and other search engines to see if my site keeps attracting unwanted visitors.

Google Labs was the only place giving me on the fly information of my cleanup-progress. Unfortunately Google Labs has a request limit on a week to week basis. I haven’t found a similar functionality in BING. So if you reach the request limit, you’re out for the next 7 days…

To give your wordpress some additional security you can password protect the wp-admin directory with .htaccess and .passwd.

If your WordPress gets hacked too, leave me a message if you encounter similar problems. I still don’t know how these files got changed in the first place.