WordPress

WordPress (WP, WordPress.org) is a PHP-based content management system (CMS) that runs on either a MySQL or MariaDB database.

How can I move a WordPress Installation from Local Server to a Live site?

  1. Back up your local WordPress site: Before you start the migration process, make sure to back up your local WordPress site. You can use a plugin like UpdraftPlus or back up manually by copying the files and exporting the database.
  2. Export the local database: To export the database you need a MySQL client, such as:
    • phpMyAdmin
    • MySQL Workbench
    • Navicat for MySQL

Select the database associated with your WordPress site and click the Export button. Save the exported file as a .sql file.

  3. Create a new database on your live server: You’ll need to create a new database for your live site. You can do this through your web host’s control panel (such as cPanel or Plesk).
  4. Import the database to the live server: Log in to phpMyAdmin or your web host’s MySQL manager on your live server and select the newly created database. Click on the Import tab and select the .sql file from your local site to import it into the live database.
  5. Update the WordPress configuration file: You’ll need to update the WordPress configuration file (wp-config.php) with the new database information for your live site.
  6. Upload the files to the live server: Use an FTP client like FileZilla to upload the entire WordPress folder from your local site to your live server. You can upload the files either to the root directory of your domain or to a subdirectory, depending on where you want your live site to be accessible.
  7. Update URLs in the database: If you are moving your site to a new domain or URL, you’ll need to update the URLs in the database. You can use a plugin like Better Search Replace or run SQL queries in phpMyAdmin to change the URLs. This article has useful queries for replacing the URLs: https://rudrastyh.com/sql-queries-to-change-wordpress-website-domain.
  8. Test your live site: After completing the above steps, check your live site to make sure everything is working correctly.
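One reason step 7 recommends a plugin over a bare SQL query is that WordPress stores many options, widgets and post meta as PHP-serialized data, where every string carries its byte length, so a plain REPLACE() silently corrupts those rows. The following is an added example (mine, not part of the original post) that shows the breakage and a serialization-safe replacement; the function names and the sample option are assumptions, and WP-CLI’s wp search-replace or the Better Search Replace plugin do the same job across the whole database.

```php
<?php
// Added example, not from the original post: swap a site URL inside values that may be
// PHP-serialized (WordPress stores many options, widgets and post meta that way). A plain
// SQL REPLACE() corrupts them because each serialized string carries its byte length,
// e.g. s:21:"http://localhost/site" must become s:19:"https://example.com".
// Function names and the sample option are my own; WP-CLI's `wp search-replace` and the
// Better Search Replace plugin do the same job across the whole database.

function wp_url_replace_walk( $data, string $old, string $new ) {
	if ( is_string( $data ) ) {
		return str_replace( $old, $new, $data );
	}
	if ( is_array( $data ) ) {
		foreach ( $data as $k => $v ) {
			$data[ $k ] = wp_url_replace_walk( $v, $old, $new );
		}
	}
	return $data; // ints, bools and objects pass through unchanged
}

function wp_url_replace_value( string $value, string $old, string $new ): string {
	if ( $value === 'b:0;' ) {
		return $value; // serialized false: the only input unserialize() legitimately returns false for
	}
	// allowed_classes => false keeps unserialize() from instantiating arbitrary classes.
	$data = @unserialize( $value, [ 'allowed_classes' => false ] );
	if ( $data === false ) {
		return str_replace( $old, $new, $value ); // not serialized: a plain replace is safe
	}
	// Re-serializing recomputes every length prefix.
	return serialize( wp_url_replace_walk( $data, $old, $new ) );
}

// Constructed sample: an option row as WordPress would store it in wp_options.
$old    = 'http://localhost/site';
$new    = 'https://example.com';
$stored = serialize( [ 'logo' => $old . '/wp-content/uploads/logo.png', 'count' => 3 ] );

$naive = str_replace( $old, $new, $stored );      // length prefix is now wrong
$safe  = wp_url_replace_value( $stored, $old, $new );

var_dump( @unserialize( $naive ) === false );     // the naive copy no longer unserializes
var_dump( unserialize( $safe )['logo'] );         // the logo URL now points at the live domain
```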

Note: Before making any changes to your live site, it’s always a good idea to make a backup of your live site in case you need to revert to the previous version.

How to Limit Access to WordPress Admin by IP Address

There are several ways to limit or restrict WordPress admin access by IP address.

Add some code to your wp-config file to restrict access to the WordPress admin area. Here are the steps:

  1. Log in to your website’s server using an FTP app like FileZilla or the file manager in your hosting control panel.
  2. Locate the wp-config file in the root directory of your WordPress installation.
  3. Download the wp-config.php file to your computer and open it in a text editor.
  4. Add the following code to the wp-config.php file:
/* Add any custom values between this line and the "stop editing" line. */

// Addresses allowed to reach the login page. Entries must be quoted strings and may be
// single IPv4 addresses or CIDR ranges such as 203.0.113.0/24 (the CIDR branch is IPv4-only).
$ip_allowlist = [
	'159.223.78.3',
	'193.56.29.113',
	'178.62.113.151',
	'80.76.51.210',
	'193.201.9.202',
	'45.227.254.22',
];
// Behind a proxy or CDN, REMOTE_ADDR is the proxy's address rather than the visitor's.
$ip = $_SERVER['REMOTE_ADDR'] ?? '';

if ( preg_match( '/wp-login\.php/', $_SERVER['REQUEST_URI'] ?? '' ) ) {
	// Exact match first; strict comparison, so the list entries have to be strings.
	$ip_found = in_array( $ip, $ip_allowlist, true );

	if ( ! $ip_found ) {
		// Check whether this IP falls inside any CIDR range in the list.
		$_ip = ip2long( $ip );
		foreach ( $ip_allowlist as $_cidr ) {
			if ( false === $_ip || strpos( $_cidr, '/' ) === false ) {
				continue;
			}
			list( $_net, $_bits ) = explode( '/', $_cidr, 2 );
			$_ip_net = ip2long( $_net );
			$_bits   = (int) $_bits;
			if ( false === $_ip_net || $_bits < 0 || $_bits > 32 ) {
				continue; // malformed entry: skip it rather than match everything
			}
			// Network mask with the top $_bits bits set, e.g. /24 -> 255.255.255.0.
			$_ip_mask = ~( ( 1 << ( 32 - $_bits ) ) - 1 );
			if ( ( $_ip & $_ip_mask ) === ( $_ip_net & $_ip_mask ) ) {
				$ip_found = true;
				break;
			}
		}
	}
	if ( ! $ip_found ) {
		header( 'HTTP/1.0 403 Forbidden' );
		exit;
	}
}

Replace the addresses in $ip_allowlist with the IP addresses (or CIDR ranges) that you want to allow access to the WordPress admin area. If you have multiple IP addresses, add one per line.

  5. Save the changes to the wp-config.php file.
  6. Upload the modified wp-config.php file back to your server, overwriting the original file.

After following these steps, only the specified IP addresses will have access to the WordPress admin area. Any other IP addresses trying to access the admin area will receive a 403 Forbidden error.
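The wp-config snippet above only understands IPv4 and reads REMOTE_ADDR directly, which behind a CDN such as Cloudflare or Fastly is the CDN node's address rather than the visitor's. As an added example (not the post's code), here is a check that handles both IPv4 and IPv6 CIDR ranges and only trusts X-Forwarded-For when the connecting address is a known proxy; the function names and the documentation-range addresses are assumptions.

```php
<?php
// Added example, not the post's own code: allowlist matching for IPv4 and IPv6 CIDR
// ranges, plus client-IP resolution that trusts X-Forwarded-For only behind a known
// proxy. Function names and the documentation-range addresses are assumptions.
function ip_in_cidr( string $ip, string $cidr ): bool {
	if ( strpos( $cidr, '/' ) === false ) {
		return $ip === $cidr;                        // plain single address
	}
	list( $net, $bits ) = explode( '/', $cidr, 2 );
	$bits    = (int) $bits;
	$ip_bin  = inet_pton( $ip );
	$net_bin = inet_pton( $net );
	if ( $ip_bin === false || $net_bin === false || strlen( $ip_bin ) !== strlen( $net_bin )
		|| $bits < 0 || $bits > strlen( $ip_bin ) * 8 ) {
		return false; // malformed input, or an IPv4 address tested against an IPv6 range
	}
	// Build a byte-string mask: whole 0xFF bytes, one partial byte, then zero padding.
	$mask = str_repeat( "\xff", intdiv( $bits, 8 ) );
	if ( $bits % 8 ) {
		$mask .= chr( ( 0xFF << ( 8 - $bits % 8 ) ) & 0xFF );
	}
	$mask = str_pad( $mask, strlen( $ip_bin ), "\0" );
	return ( $ip_bin & $mask ) === ( $net_bin & $mask ); // PHP applies & byte-wise to strings
}

function ip_allowed( string $ip, array $allowlist ): bool {
	foreach ( $allowlist as $cidr ) {
		if ( ip_in_cidr( $ip, $cidr ) ) {
			return true;
		}
	}
	return false;
}

// Behind a CDN such as Cloudflare or Fastly, REMOTE_ADDR is the CDN node. Honour
// X-Forwarded-For only when REMOTE_ADDR is a trusted proxy; otherwise any visitor
// could send the header and walk straight past the allowlist.
function client_ip( array $server, array $trusted_proxies ): string {
	$remote = $server['REMOTE_ADDR'] ?? '';
	if ( empty( $server['HTTP_X_FORWARDED_FOR'] ) || ! ip_allowed( $remote, $trusted_proxies ) ) {
		return $remote;
	}
	$chain = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
	return end( $chain );                            // the address the trusted proxy saw
}
// Constructed demo values (RFC 5737 / RFC 3849 documentation ranges).
$allow = [ '203.0.113.0/24', '2001:db8::/32', '192.0.2.10' ];
var_dump( ip_allowed( '203.0.113.77', $allow ), ip_allowed( '2001:db8:1::5', $allow ), ip_allowed( '203.0.114.1', $allow ) );
var_dump( client_ip( [ 'REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.77' ], [ '198.51.100.0/24' ] ) );
```

The trusted-proxy list must be the CDN's real egress ranges; with an empty list the function falls back to REMOTE_ADDR, which is the safe default.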

Alternatively, you can use the plugin Traffic Jammer that I wrote.

The plugin also includes WP-CLI commands:

wp jam trust <IP> – add IP to the allowed list

wp jam untrust <IP> – remove IP from the allowed list

wp jam trustall – clear all limits

The plugin can also be driven through Pantheon’s terminus command. It is fully compatible with Pantheon and needs no write access or symlinks to install properly.

terminus wp <sitename>.<env> -- jam <commands>

Basic WordPress Security

I attended the WordPress User Group Philippines meetup last January hosted by our friends at pantheon.io. I was one of the speakers discussing Basic WordPress Security, so I decided to post it here on my blog.

The need for Security

  • 90% of all hacked sites are WordPress sites
  • 97% came from plugins
  • 2.4% came from themes
  • 0.05% came from WordPress Core

Several basic things you can do to secure a WordPress site

  1. Use a strong and unique password for your WordPress administrator account, and use two-factor authentication if possible. Here are the top WordPress plugins that implement and manage 2FA that can be used on your site:
  2. Keep your WordPress core, all plugins, and themes up to date, as new versions often include security fixes. Some hosts/platforms offer managed update services:
  3. Use a security plugin to scan your site for malware and vulnerabilities and to block malicious traffic. Some popular security plugins include:
  4. Use SSL/TLS to encrypt traffic to and from your site. You can get a certificate for free through Let’s Encrypt, and some web hosts include one in their service.
  5. Use a security service or CDN to block malicious traffic and protect against DDoS attacks; examples are Cloudflare and Fastly. Some web hosts like WP Engine include Cloudflare, while Pantheon.io includes Fastly.
  6. Restrict file permissions so only necessary users and processes can read, write, and execute files on your server. The standard practice is to make only the wp-content/uploads folder writable and to deny PHP execution there.
  7. Regularly back up the site so that you can restore it in the event that it is hacked or otherwise becomes unavailable.
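As an added example for item 6 (mine, not from the original post), a small PHP audit that walks a WordPress tree and reports PHP source under wp-content/uploads and any world-writable path; the function name is an assumption and the sample tree is constructed in a temp directory.

```php
<?php
// Added example, not from the original post: audit a WordPress tree against the rule in
// item 6 (only wp-content/uploads is writable, and nothing there is executable PHP).
// The function name is mine and the sample tree below is constructed in a temp directory.
function wp_permission_audit( string $root ): array {
	$findings = [];
	$uploads  = $root . '/wp-content/uploads';
	$iter = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
		RecursiveIteratorIterator::SELF_FIRST
	);
	foreach ( $iter as $path => $info ) {
		$in_uploads = strpos( $path, $uploads . '/' ) === 0;
		$perms      = fileperms( $path ) & 0777;
		// PHP source under uploads is the classic place a web shell ends up; the web server
		// config should refuse to execute it, and it should not be there in the first place.
		if ( $in_uploads && $info->isFile() && preg_match( '/\.ph(p\d?|tml|ar)$/i', $path ) ) {
			$findings[] = "php-in-uploads: $path";
		}
		// World-writable files or directories let any local process tamper with the site.
		if ( $perms & 0002 ) {
			$findings[] = sprintf( 'world-writable (%o): %s', $perms, $path );
		}
	}
	return $findings;
}

// Constructed sample tree: one file that is far too open, one PHP file where none belongs.
$root = sys_get_temp_dir() . '/wp-audit-' . bin2hex( random_bytes( 4 ) );
mkdir( "$root/wp-content/uploads", 0755, true );
file_put_contents( "$root/wp-config.php", "<?php // config\n" );
chmod( "$root/wp-config.php", 0666 );
file_put_contents( "$root/wp-content/uploads/shell.php", "<?php // should never be here\n" );
file_put_contents( "$root/wp-content/uploads/photo.jpg", 'jpeg bytes' );

foreach ( wp_permission_audit( $root ) as $finding ) {
	echo $finding, PHP_EOL;
}
```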

Caching 404 pages in WordPress

This stops WordPress from re-handling every 404 by sending headers that let the browser or CDN cache the response. Add this code to the theme’s functions.php file.

function template_slug_404_cache() {
	if ( is_404() ) {
		// Let browsers and CDNs cache the 404 response instead of hitting PHP again.
		header( 'Cache-Control: max-age=30000, must-revalidate' );
		// HTTP dates must be in GMT, with a space before the zone name.
		header( 'Expires: ' . gmdate( 'D, d M Y H:i:s', strtotime( '+5000 minutes' ) ) . ' GMT' );
		header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s', strtotime( '-5000 minutes' ) ) . ' GMT' );
	}
}

/**
 * Redirect a 404 to a cached page.
 *
 * Not hooked by default. Only hook it if a real page exists at /404,
 * otherwise the redirect target is itself a 404 and the request loops.
 *
 * @return void
 */
function template_slug_404_redirect() {
	if ( is_404() ) {
		header( 'Location: ' . site_url( '/404' ) );
		exit();
	}
}
add_action( 'template_redirect', 'template_slug_404_cache' );

Be sure that there is a 404.php file in the theme’s template directory.

Add a help tab to a WordPress Plugin

Help tabs are found on the WordPress admin dashboard; a custom plugin can also provide contextual help, shown on the rightmost part of the admin screen.

Ever since WordPress Version 3.0, every built-in Administration Panel has contained a contextual help section providing additional information to the user on how to navigate the various settings displayed in that admin panel. This helps WordPress keep the main part of the admin panel clear and concise by eliminating unnecessary text that regular users don’t need to see on a regular basis.

https://codex.wordpress.org/Adding_Contextual_Help_to_Administration_Menus

Use the WP_Screen class to add the help tab.

This is a concrete class that is instantiated in the WordPress $screen global. It is primarily used to create and customize WordPress admin screens (as of WordPress 3.3).

https://developer.wordpress.org/reference/classes/wp_screen/

An example function to add a help tab using the WP_Screen class.

function my_add_help_tab() {
	$screen = get_current_screen();
	if ( ! $screen ) {
		return; // not on an admin screen
	}
	$screen->add_help_tab(
		array(
			'id'      => 'hello_dolly',
			'title'   => __( 'Hello Dolly' ),
			'content' => '<p>' . __( "Well, hello, Dolly<br>It's so nice to have you back where you belong<br>You're lookin' swell, Dolly" ) . '</p>',
		)
	);
	// Sidebar content is HTML and appears as a third column next to the tabs.
	$screen->set_help_sidebar( '<p>' . __( 'Hello Dolly' ) . '</p>' );
}

Two methods are used: add_help_tab() and set_help_sidebar(). add_help_tab() adds the tab button on the screen together with the left-side title and the content.

set_help_sidebar() adds an additional third column.

When registering an options page or menu page, attach the callback with an action hook so that it runs only when that screen loads.

// Minimal render callback for the page (not in the original; add_menu_page() requires one).
function wpl_options_page_html() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	echo '<div class="wrap"><h1>' . esc_html( get_admin_page_title() ) . '</h1></div>';
}

function my_options_page() {
	$my_menu_page = add_menu_page(
		'Hello_Dolly',             // page title
		'Hello Dolly',             // menu title
		'manage_options',          // capability required to see the page
		'wpl',                     // menu slug
		'wpl_options_page_html'    // callback function to display the page
	);
	// Add the help tab only when this screen loads; add_menu_page() returns the hook suffix.
	add_action( 'load-' . $my_menu_page, 'my_add_help_tab' );
}

add_action( 'admin_menu', 'my_options_page' );

That’s all there is to it.