Another exciting day for us here at Metronet! Today we released our first plugin on the official WordPress.org plugin repository.

Just a few days after Google released their +1 code for websites, we’ve developed a ‘one click’ solution for any WordPress installation.

Plus One, a Google +1 button for WordPress, can be found and downloaded here. For more information about Google’s +1 button check out my previous post, Google’s +1 Button: Relevant Search Recommendations.

.

Installation and Configuration is Simple

1. Download and activate the Plus One plugin

2. Visit the Plus One options page (Dashboard -> Settings -> Plus One)

Settings Overview

Button Preview – Preview how your +1 button will look

Manual Code Generator – Generate +1 Button Code if you would like to manually add it yourself. (Similar to here.)

Here are the current options for Plus One (version 1.0)

Posts - Whether or not to display the +1 button on posts

Pages – Whether or not to display the +1 button on pages

Location – Whether or not to display the +1 button above, below (or both) the content

Size – Choose the +1 button size. Small, medium, standord or tall

Language - Choose what language to use for the +1 button

Include Count – Whether or not to display the +1 button count

Parse – Render the +1 button «On load» or explicitly via Javascript

JS Callback – The name of a Javascript function to be executed upon clicking +1 button

Now go +1 something!

We wanted to make a simple solution for adding the +1 button to your WordPress site. We hope you find Plus One helpful and would love any feedback (bug reports/criticism) you have. Let us know what you think by leaving a comment below or sending a message to wp@metronet.no. We are looking forward to adding more features, like Google Analytics events, in the near future.

Plus One – A Google +1 Button Plugin for WordPress på Metronet

What is security?

Fundamentally, security is not about perfectly uncrackable systems, which might well be impossible to find and/or maintain. Security has more to do with trust and responsiveness. For example, a trusted host runs a stable, patched branch of their webserver (be it Apache, IIS, or whatever). They should tell you this, test their configuration themselves, and let you determine it for yourself. An untrusted host does not apply patches when they are released and does not tell you what server versions they are running. – via WordPress.org

Most people don’t think about web security until after they have been attacked. Why not take a few precautionary steps that will help prevent your chances of running into problems in the future. The WordPress.org Codex has a great page, titled Hardening WordPress, which is an in depth reference on securing your WordPress installation. Here are a few great WordPress security tips that I have found to be most important over the years.

Keep WordPress and Plugins Up-to-Date!

Upgrades and updates don’t always necessarily mean new features. WordPress has two types of releases, incremental and major. Incremental releases, like 3.0 to 3.0.1, never introduce new features and primarily are bug fixes and security patches. Major releases, like 3.0 to 3.1, are where new features are implemented. In any case, it’s highly recommended you keep your core WordPress files up to date. Also, with each release WordPress.org will release a changelog where you can see what’s changed.

Same goes for plugins. Try to keep your WordPress plugins up to date as the developers will often release new versions for not only new features but bug fixes and security patches as well. Each plugin in the WordPress.org plugin repository usually has a page for changelog where you can see what has changed in each release. Here’s an example from Akismet.

Admin Username & Passwords

Out of the box WordPress will default it’s administrator username to «admin». I highly recommend you use something other than «admin» since that is the first account the bad guys will target. WordPress now allows you to select the admin account during the installation process. Change this to something else.

WordPress will now tell you your password strength as well. Try to use a strong password with a combination of characters, numbers and symbols like «987^%$abcd» instead of «password».

Database Prefix

By default WordPress sets it’s table prefixes to «wp_» but allows you to change this during the installation process. Like the admin account, change this to something custom so it can’t be guessed easily.

Remove WordPress Version Number

WordPress automatically displays the version number you are on when you view your sites source. Usually not a problem if your running the most recent release, but if your not, an attacker can easily target your site and vulnerabilities with that version. Add the following line of code to your theme’s functions.php file to remove this.

remove_action('wp_head', 'wp_generator');

Move Your wp-config.php File

Your wp-config.php file contains information WordPress needs in order to run. From your database credentials to other vital information this is something you don’t want anyone to have access to. By default this file exists in your WordPress root directory but you are actually able to move up one directory and WordPress will find it.

Example: Move ‘/root/wp-config.php’ to ‘/root/folder/wp-config.php’

Remember… Backup, Backup, Backup!

Don’t ever assume you won’t get hacked. Probably the best and most important tip is to take backups of your site. There are numerous plugins and methods to doing this and if you take proper backups you won’t lose your data.

Here are some other great WordPress security resources (Outdated but still useful).

• http://www.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/
• http://www.wptavern.com/top-5-wordpress-security-tips-you-most-likely-dont-follow

Please note: These are just a few tips, there are an abundance of other resources out on the web to help you lock down your website. Google is your best friend, see what other people are doing!

A Few Simple Steps to Make Your WordPress Installation More Secure på Metronet

Løsningen fant vi ved å undersøke nærmere hvordan såkalt IDN egentlig fungerer. Det viser seg at domenenavn som inneholder «rare tegn» behandles forskjellig fra vanlige domenenavn.

Når du taster feks metronet.no i nettleseren din, så må domenenavnet metronet.no oversettes til en såkalt IP adresse som datamaskiner bruker for å identifisere seg på nettverket. Dette skjer ved at maskinen din spør en DNS Hvilken IP har metronet.no?, DNSen svarer da 91.207.158.135 og nettleseren henter opp siden den finner på den gitte IP adressen.

Nå er det slik at DNSer kun forstår domenenavn som inneholder tegnene a-z, 0-9 og -, gitt dette hvordan klarer da nettlesere og finne IP adressen til jørgen.no?

Det viser seg at nettleseren oversetter domenenavn med ugyldige tegn til såkalt ACE format før den sender forespørsel til DNSen. Eksempelvis blir jørgen.no oversatt til xn--jrgen-vua.no, som er ACE formatet, og så spør den DNSen Hvilken IP har xn--jrgen-vua.no?.

Dette bringer oss tilbake til WordPress. Når nettleseren ber om å få innhold fra WP så skjer det ved at den kontakter WP installasjonen på IP adressen den fikk fra DNSen og spør ‘kan jeg få innholdet til xn--jrgn-vua.no, siden vi hadde stilt in WP med jørgen.no som domene navn svarer WP Jeg har ikke noe innhold til jørgen.no.

WP er altså ikke smart nok til å skjønne at den må oversette domenenavn med internasjonale tegn til ACE format, svaret er derfor å stille inn WP med ACE formatert domenenavn.

Domenenavn med norske tegn og WordPress på Metronet