Episode 2 – Secret Keys and More Space

First, a little FYI – upcoming episodes in this series will be done by either Kreg or me. We have been running into some scheduling conflicts and rather than hold up the content until we can get together, we’re going to divide and conquer and work to bring you these podcasts in a more timely fashion.

Like the book, this episode has two parts. The first is for WordPress.org users regarding security. The second part is for WordPress.com users about some new hosting options. Regardless of your skill level or how you host your blog, you’ll want to be sure to listen.

First part – all you people who host your own blog and got your software from WordPress.org at some point, I hope you’ve upgraded to the latest software to keep things tight and tidy. Upgrading these days sure is different than the old days when you had to download the software to your local computer, then unzip it, then upload all the files. Now it’s one button from the main dashboard and away you go. I run about seven blogs and it only took a few minutes each to upgrade them. Several took a bit longer because I also had to upgrade my database from an older version of MySQL; still, it wasn’t too bad.

Once I got all the software upgraded, I thought I was done until a friend of mine told me that there is a security threat out there and people like me, who have been running WordPress since the 1.x days (several years ago), are particularly vulnerable.

The issue has to do with the wp-config.php file. This is a very sensitive file that tells WordPress, among other things, where to find your WordPress database and which login credentials to use to reach it. It’s the keys to the castle, if you will. Versions of WordPress prior to 2.7 were lacking four lines that enhance the security of the person accessing the system. Without these lines in your wp-config file, you could be open to attack. In April 2010 a large number of blogs hosted on GoDaddy were attacked. Fortunately none of mine were affected. It did wake me up to several security ideas that we’ll pass along in future editions of this podcast. The good news is, it’s very easy to fix.

Step 1 is to download your current wp-config.php file, take a look at it, and make sure you’re covered. Use your FTP client to log in to your system and transfer the file wp-config.php to your desktop.

Next, open the file with a text editor. On Windows, WordPad or Notepad works well. On a Mac, TextEdit is good.

Once you have the file contents in front of you, check to see if there are four lines that look like the following:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

If these are not there, copy and paste the ones above to the end of your current wp-config.php file.

The other option is to download a full new installation of WordPress from wordpress.org, extract the files, and copy just those four lines from a brand new wp-config.php file.

Now look at those four lines. If the second part after the key definition says “put your unique phrase here”, you’ve still got some work to do. This is the default and you’ll definitely need to change it. Leaving it with the default value is a bad idea. It’s like leaving your computer with a default password of ‘password’. It’s not too hard to figure out how to break in.

You’ve got two options here: make up a unique phrase on your own, or have a system generate one for you. Either is fine. You don’t have to remember this phrase anywhere; the system uses it to generate security information on the fly. If you want to type your own, just remember to use only letters and numbers (no punctuation), and that size matters. The longer your security phrase, the more secure it will be. Between 20 and 40 characters is a decent range. The second option is to use this WordPress.org site (https://api.wordpress.org/secret-key/1.1/) to generate random secret keys for you. That URL does nothing but generate the four lines, complete with everything you need to copy and paste them into your wp-config.php file. If you downloaded the latest software and looked at the shiny new wp-config.php file, you’ll see it there too.

Once you’ve got these four lines in your config file with new secret keys, save it and upload it back to your server. That’s it. It took longer to tell you how to fix this than it does to actually do it. Again, just download your current file using FTP, make sure it has those four lines with unique keys, update the file if necessary, and then upload it back to the server.
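An added example (not part of the original post or of WordPress itself): a small Python script that runs the check from the steps above against a downloaded wp-config.php and, as a local alternative to the generator URL, builds four replacement lines. The 20-character minimum is taken from the range suggested above, and the sample config is constructed for illustration.

```python
import re
import secrets
import string

# The four constants named on this page.
REQUIRED_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 20  # assumption: lower end of the 20-40 character range above

# Matches define('NAME', 'value'); with single or double quotes.
# Anchoring at line start means commented-out defines are ignored.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""", re.MULTILINE)

def audit_config(text):
    """Return {key: problem} for every required key that needs attention."""
    found = {m.group(2): m.group(4) for m in DEFINE_RE.finditer(text)}
    problems = {}
    for key in REQUIRED_KEYS:
        value = found.get(key)
        if value is None:
            problems[key] = "missing"
        elif value == PLACEHOLDER:
            problems[key] = "default placeholder"
        elif len(value) < MIN_LENGTH:
            problems[key] = "too short"
    return problems

def new_define_lines(length=40):
    """Build four define() lines, each with its own random phrase."""
    alphabet = string.ascii_letters + string.digits  # letters and numbers only
    def phrase():
        return "".join(secrets.choice(alphabet) for _ in range(length))
    return [f"define('{key}', '{phrase()}');" for key in REQUIRED_KEYS]

# Constructed sample config, not a real site's file.
SAMPLE = """<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'k3Jq9Zt2LmX7pRv4Wd8sYb1NcH6fGa0u');
// define('LOGGED_IN_KEY', 'commented out so it does not count');
define('NONCE_KEY', 'short');
"""

if __name__ == "__main__":
    for key, problem in audit_config(SAMPLE).items():
        print(f"{key}: {problem}")
    print("\n".join(new_define_lines()))
```

To check your own file, read its contents into a string and pass that to `audit_config` in place of `SAMPLE`.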

One of the advantages of using WordPress.com is that this kind of thing is taken care of for you. Of course, there are drawbacks too. Like running out of disk space. If you upload a few photos or audio files, wink wink to you fellow podcasters out there, there’s good news. WordPress has recently announced that they have two new storage options with their hosting plans to allow 50GB and 100GB of storage. You can access this through the Dashboard and click on Upgrades. Pricing is available there. When you’re done, you will be able to upload MP3, M4A, OGG, and WAV files. If you want to do videos, there’s a separate VideoPress option for that.

Since I’m also the co-author of Podcasting for Dummies, I would be remiss in not mentioning that 50GB may sound like a lot of storage at first if you want to get into podcasting and host your files on WordPress.com; however, you should really do some quick math to figure out how long that’s going to last you. If you use the general rule that 1 minute of audio takes about 1MB (if encoded at 128Kbps and 44.1K sample rate) and you do a 1 hour show once a week, you’ll use about 250MB a month. In a year, that’s 3GB so you should be good for a while for the audio files. The key is to think through what you’ll need and how much space you will consume.

Podcasting can be a lot of fun and very rewarding if you’ve got the time and WordPress can make it very simple to publish the audio to the masses. For more information, just search for my name on Amazon and you’ll find Podcasting for Dummies.





