As I stated earlier today, I migrated Money-Code.com from a Drupal platform to the WordPress platform. The first step was to move the data from the old tables to the new tables. Next was to configure tags and categories and add functional plugins. The other area I wanted to make sure was working was getting my popular posts redirected to their new locations here. I went with SEO-friendly URLs, so I had to do some redirects using my .htaccess file.
Along with the rewrites, I made some security adjustments and thought it would be good to talk about those as well.
First, to do redirects you can use mod_rewrite or something simpler like Redirect. Here is what I did for the redirects of my popular posts:
Here we’re using Redirect 301, which is “Moved Permanently”. It looks for the node path, which was Drupal’s page handling, and redirects to the new SEO-friendly WordPress URLs.
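Since the post’s own redirect lines are not reproduced here, the following is an added example of the mod_alias Redirect form described above; it is not the rules from Money-Code.com, and the Drupal node numbers, hostname and post slugs are placeholders.

```apache
# Added example, not the post's own rules. The node numbers, hostname and
# slugs below are placeholders for your own mapping.
#
# Redirect 301 takes an old URL path and the full URL it should move to.
# One line per popular post: old Drupal node path -> new WordPress permalink.
Redirect 301 /node/123 http://www.example.com/first-popular-post/
Redirect 301 /node/456 http://www.example.com/second-popular-post/

# Redirect matches whole path segments: /node/123 also matches /node/123/edit,
# and the remainder ("/edit") is appended to the target URL. When you want an
# exact match only, anchor a regular expression with RedirectMatch instead.
RedirectMatch 301 ^/node/789$ http://www.example.com/third-popular-post/
```

These directives go in the root .htaccess and are evaluated by mod_alias before WordPress’s own mod_rewrite rules hand the request to index.php, so they work even though every other path is routed through WordPress.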
The next item I always like to include is proper 403 and 404 handlers in .htaccess. Basically, when a 403 (client denied) or 404 (file not found) occurs, I like to redirect the user back to the home page instead of giving them a crappy Apache message. You can get fancier by creating custom error pages, but a redirect works fine for me. Here is what you would add for this:
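The handler lines themselves are not reproduced on the page, so here is an added example of the ErrorDocument directive that does what the paragraph describes (not the post’s own lines; the hostname is a placeholder). It shows both forms Apache accepts, because they behave differently.

```apache
# Added example, not the post's own configuration; www.example.com is a placeholder.

# Form 1: full URL. Apache answers the failed request with a 302 redirect to
# the home page, which is the "send the user back home" behaviour the post wants.
# Note the client never sees the original 403/404 status, only the 302.
ErrorDocument 403 http://www.example.com/
ErrorDocument 404 http://www.example.com/

# Form 2: local path. Apache serves the home page content through an internal
# sub-request but keeps the original 403/404 status code, which is what search
# engines and monitoring tools expect for a missing or forbidden resource.
# Uncomment these (and remove the two lines above) if you prefer that behaviour.
#ErrorDocument 403 /
#ErrorDocument 404 /
```

One caveat: with pretty permalinks enabled, WordPress’s rewrite rules send every non-existent path to index.php, so WordPress renders its own 404 page for those and the Apache ErrorDocument 404 only fires for requests that bypass that rewrite (for example a missing file under wp-content/).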
The other piece that is really important, and often not used, is turning OFF indexes. Basically, if you go to a directory without an index page (i.e. index.php), Apache will list out the contents of that directory. This is a potential security risk: it can show what items you have installed, or provide files for download that you did not want downloaded. By simply adding this, Apache will return a 403 to any user who hits a directory without an index file.
I primarily did this since I don’t want people seeing my wp-content/plugins directory, but I see that as of 2.8 they’ve added an index.php with nothing in it, causing a white page. This is good, but I think it’s still good practice to prevent directory browsing like this.
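The directive the two paragraphs above refer to is not shown on the page; here it is as an added example (not the post’s own file), together with the one server-side precondition it depends on.

```apache
# Added example, not the post's own .htaccess. Place in the site root so it
# applies to every subdirectory, including wp-content/plugins/.

# Remove the Indexes option: a request for a directory with no index file
# now gets a 403 from mod_autoindex instead of a generated file listing.
Options -Indexes

# This only takes effect if the server's <Directory> block for the site
# includes "AllowOverride Options" (or "AllowOverride All"). With a more
# restrictive AllowOverride, Apache refuses the directive and returns a 500
# for every request, so test the site immediately after adding it.
```

You can check the result by requesting a plugin directory in a browser: with the directive active you should get a 403 rather than either a listing or the blank page that WordPress’s empty index.php produces.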
The other piece I like to do is restrict administrative access to my IPs. I’m a freak this way. I have static IPs at my office, and I also have VPN access, so I like to restrict access to certain IPs on my network. Basically, I have to be at my office OR VPN’d into my office to edit my pages. This is a pain to many people, and I can understand people not being into this, and that’s fine, but it really reduces the risk of brute-force attacks on your admin area. If you’re interested in this measure, here is the code you would include in the .htaccess file residing in wp-admin/:
Obviously, xxx.xxx.xxx.xxx would be your static IP, or a subnet such as xxx.xxx.xxx.xxx/16.
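The wp-admin/.htaccess contents are not reproduced on the page, so the following is an added example of the IP allow-list described above; it is not the post’s own file, xxx.xxx.xxx.xxx is the same placeholder the post uses, and it covers both the Apache 2.2 syntax of the post’s era and the Apache 2.4 syntax that replaced it.

```apache
# Added example, not the post's own file. Save as wp-admin/.htaccess.
# xxx.xxx.xxx.xxx is a placeholder for your office IP; xxx.xxx.0.0/16 for
# your subnet. Requires "AllowOverride Limit" (2.2) or "AllowOverride AuthConfig"
# (2.4), both covered by "AllowOverride All".

# Apache 2.2 (mod_authz_host): deny everyone, then allow listed addresses.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx
    Allow from xxx.xxx.0.0/16
</IfModule>

# Apache 2.4 (mod_authz_core): the same policy with Require.
<IfModule mod_authz_core.c>
    <RequireAny>
        Require ip xxx.xxx.xxx.xxx
        Require ip xxx.xxx.0.0/16
    </RequireAny>
</IfModule>

# admin-ajax.php lives in wp-admin/ but is called by front-end plugins on
# behalf of anonymous visitors. Exempt it so those features keep working.
<Files admin-ajax.php>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Files>
```

Two things to keep in mind when relying on this: the login form itself is wp-login.php in the site root, not inside wp-admin/, so a rule in wp-admin/.htaccess does not restrict it (a `<Files wp-login.php>` block with the same Allow/Require lines in the root .htaccess covers that), and because the match is on the source address, the allow-list is only as strong as your control over that office IP or VPN endpoint.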
I’ve always been uneasy with WordPress due to its history and the potential damage it can cause on the server it lives on. The bottom line is to keep your install up to date, and that includes your plugins. I’ll also be setting up a subdomain for testing purposes (only available to my IP) to handle large WP updates.