WordPress Wednesday: Extra Login Security with .htpasswd

Geek Factor: 4

We’ve written before about various ways to tighten up your WordPress security; in this week’s WordPress Wednesday, we’re going to cover how to add another layer of security to the WordPress login screen using .htpasswd.

.htpasswd can be used to set up basic authentication on Apache servers by storing usernames and hashed passwords. By using .htpasswd and .htaccess together, we can require users to enter a basic username and password combination before they can reach WordPress’s login screen. This may seem a bit redundant, but it stops bots from reaching the WordPress login screen at all, making brute-force attacks near impossible. As most browsers remember .htpasswd authentication for a period of time, it also means users shouldn’t have to log in twice every time they access the site.

Each WordPress install should already include an .htaccess file, but you will need to create a .htpasswd file to add to your site.

There are many ways to add .htpasswd to your server; we’re going to go through a basic set-up manually creating the files and adding them to the site using FTP.

First, create a text file and name it htpasswd.txt. As .htaccess and .htpasswd files are invisible files, you will need to have invisible files set to visible on your computer to see them. Creating the files in the .txt format ensures we won’t lose track of the file before uploading it to the site.

Next, select a username and password. The password will need to be hashed; this can be done using an .htpasswd generator tool, which formats the entry correctly. For the below example, we’re using username/password as our username and password:

The generator will create a string of text in a format similar to this, with the username and encrypted password separated by a colon:


Copy the generated line of text into your htpasswd.txt file and save it. It’s recommended that you record your username and password combination somewhere safe.

Next, upload the htpasswd.txt file to the root of your WordPress installation, which will be the same location as your .htaccess file. Rename the file to ‘.htpasswd’.

Now the .htaccess file will need to be edited. You will need to set your FTP software to show invisible files so you can find the .htaccess file.

First, make a backup of your .htaccess file, just to be on the safe side. Next, copy and paste the below code to your .htaccess file, underneath the line that says # END WordPress:

[php]
AuthType Basic
AuthName "Please enter your username and password:"
AuthUserFile /path/from/server/root/public_html/.htpasswd
[/php]

You will need to update the AuthUserFile value to match the path from your server root to the .htpasswd file.

Optionally, you can also update the AuthName value — this is the text that will appear in the login prompt.

Next, we’ll need to specify which files or folders the password protection applies to. In our case, we want to password-protect the file wp-login.php. The following code goes below the AuthUserFile path in your .htaccess file:

[php]
<Files wp-login.php>
Require valid-user
</Files>
[/php]

You may have additional code in your .htaccess file, but the end result will look something like this:

[php]
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

AuthType Basic
AuthName "Please enter your username and password:"
AuthUserFile /path/from/server/root/public_html/.htpasswd

<Files wp-login.php>
Require valid-user
</Files>
[/php]

Now test the .htpasswd file by going to your website’s login screen — you can access it by going right to /wp-login.php, or using /wp-admin. Each browser will render the password prompt differently, but what you will see should be similar to the following:

It is possible to create multiple username and password combinations in your .htpasswd file; you just need to put each entry on a separate line. As WordPress users will already each have their own accounts, it’s probably not necessary for this kind of set up.
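Many online .htpasswd generators still emit the old crypt() or MD5 formats. As an added example (not from the original post, and not Apache’s or WordPress’s code), here is a small PHP script that creates entries with bcrypt, the format Apache 2.4.4+ accepts and that htpasswd -B writes, checks a username/password pair against a file, and lists entries that still use a weaker scheme; the stem_ function names and the sample entries are mine.

```php
<?php
// Build one .htpasswd line, "username:$2y$10$...": bcrypt, the same format
// htpasswd -B writes and Apache 2.4.4+ verifies. A ":" or newline in the
// username would corrupt the file, so it is rejected.
function stem_htpasswd_line( string $user, string $password ): string {
    if ( $user === '' || strpbrk( $user, ":\r\n" ) !== false ) {
        throw new InvalidArgumentException( 'invalid username' );
    }
    return $user . ':' . password_hash( $password, PASSWORD_BCRYPT, [ 'cost' => 10 ] );
}

// Parse file contents into [username => hash]. Like mod_authn_file, blank and
// "#" lines are ignored and the first occurrence of a username wins.
function stem_htpasswd_entries( string $contents ): array {
    $entries = [];
    foreach ( preg_split( '/\R/', $contents ) as $line ) {
        if ( $line === '' || $line[0] === '#' || strpos( $line, ':' ) === false ) {
            continue;
        }
        [ $name, $hash ] = explode( ':', $line, 2 );
        $entries[ $name ] = $entries[ $name ] ?? $hash;
    }
    return $entries;
}

// Verify a username/password pair against the file contents.
function stem_htpasswd_check( string $contents, string $user, string $password ): bool {
    $entries = stem_htpasswd_entries( $contents );
    return isset( $entries[ $user ] ) && password_verify( $password, $entries[ $user ] );
}

// List users whose stored hash is not bcrypt so those entries can be regenerated.
function stem_htpasswd_weak_users( string $contents ): array {
    $weak = [];
    foreach ( stem_htpasswd_entries( $contents ) as $name => $hash ) {
        if ( strncmp( $hash, '$2y$', 4 ) !== 0 ) {
            $weak[] = $name;
        }
    }
    return $weak;
}

// Constructed demo data: one fresh bcrypt entry and one legacy crypt() entry
// (13 characters; only the first 8 password characters are significant).
$contents = stem_htpasswd_line( 'editor', 'correct horse battery staple' ) . "\n"
          . "legacy:abJnggxhB/yWI\n";
var_dump( stem_htpasswd_check( $contents, 'editor', 'correct horse battery staple' ) );
var_dump( stem_htpasswd_check( $contents, 'editor', 'wrong password' ) );
print_r( stem_htpasswd_weak_users( $contents ) );
```

If the server runs an Apache older than 2.4.4, regenerate the entry with the htpasswd tool on the server itself rather than falling back to a web generator.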

Of course, this is just scratching the surface of what you can do with .htpasswd and .htaccess. Do you use .htaccess to enhance your WordPress installation in any way? Share your set-up in the comments below!

‘GIF’ is the American Oxford Dictionary Word of the Year

As we posted earlier this year on the Greenhouse, the term GIF (or graphic interchange format) just celebrated its 25th anniversary, and has now been named the American Oxford Dictionary’s Word of the Year for 2012. Although the term has been around for quite a while, its transition to being used as a verb (‘to gif’) was why the word ended up on this year’s shortlist.

Other words from the shortlist include Higgs boson, nomophobia (“anxiety caused by being without one’s mobile phone”), and YOLO (“you only live once; typically used as rationale or endorsement for impulsive or irresponsible behaviour”).

Here’s to the GIF, for the second time this year!

A Welcome Invasion

Amanda Lee Smith of web agency Domain7 recently shared a great list of seven web trends that the company’s design, development and strategy teams have on their radar:

  1. Content marketing completes invasion of SEO
  2. Responsive goes mainstream
  3. Content lives beyond design
  4. From “mobile first” to “mobile only”
  5. HTML integration takes down “walled gardens”
  6. Tradesies! Surveywalls get info for content
  7. Quietly offline

I was particularly glad to read #1. If this is an invasion, it’s a welcome one. Amanda describes how the days of keyword-stuffing SEO tactics are effectively over, and that:

“It’s all about relevant, frequent, curated content. Smart marketers are shifting web ownership from the IT department to audience-researching, cultural-savvy communicators, and reaping the rewards through quality online leads.”

While this has always been Stem’s attitude, I love seeing it emphasized here. The thing is, there just aren’t any SEO shortcuts that will pay off long-term. Be sure to also check out the post that Amanda cites, 4 Lessons from Content Strategy – some excellent reminders there, especially #3 and #4.

The Quietly offline trend (“Industry leaders are increasingly suggesting boundaries for everyday tech usage—encouraging a return to the intimacy of un-tweeted social gatherings”) also piqued my interest. It’ll be interesting to see whether this trend takes hold.

In my own use of Twitter, I’ve noticed a lot more folks live-tweeting all sorts of events and have mixed feelings about it. On one hand, it’s kind of fun to live vicariously. For example, my husband (a music manager) was out of town at an awards show with his client, who had been nominated in several categories. I wasn’t able to attend, but was very anxious to see if he would win. I followed the event’s hashtag and when the client did win, I found out within a few minutes. And I did all this from the comfort of my pyjamas, with my iPad in bed!

On the flip side, I have frequently felt the urge to tweet something but then immediately wondered, “why? Why do I feel the need to share this?” Even with the world’s best smartphone, you’re still taking yourself out of the present for a few moments to tweet about it. So personally, I would be fine with “no tweeting” request at any event I was at.

What are your thoughts on Domain7’s list of web trends to watch? Are you seeing them in your own work?

WordPress Wednesday: Uploading More MIME Types to the Media Library

Geek Factor: 3

In this week’s WordPress Wednesday, we’re going to cover how to change the file types that you can upload to WordPress’s media library, allowing the addition of some file types that WordPress does not allow by default (like .eps files), or the restriction of file types that can be uploaded.

Extending and Limiting MIME Types with Plugins

The Manage Upload Types plugin gives site administrators the ability to view and edit the list of file types that can be uploaded to the Media Library. It is possible to add additional files with this plugin, as well as remove any of the default file types.

There is also a plugin developed specifically for WordPress MultiSite called AP Extend MIME Types that allows you to set allowed MIME types on a site-by-site basis.

WP Engineer also has a very simple plugin, Restrict MIME Type, that can just be used to restrict the file types that users can upload.

Extending and Limiting MIME Types Through Functions.php

The MIME types that can be uploaded to the Media Library can also be changed in your theme’s functions.php file. Just remember, any changes made to the functions.php file will only be applied to the theme you are using; if the theme is changed, these edits will need to be moved over.

In the below example, we’ll be adding the ability to upload .eps files to WordPress:

[php]
// Create and apply a function to add MIME types
add_filter( 'upload_mimes', 'custom_upload_mimes' );
function custom_upload_mimes( $existing_mimes = array() ) {
    // Allows .eps files to be uploaded
    $existing_mimes['eps'] = 'application/postscript';
    // The filter only takes effect if the modified array is returned
    return $existing_mimes;
}
[/php]

You can find an extensive list of MIME types and their extensions here.

Limiting MIME types can also be done using this code snippet from WPSnipp.com:

[php]
add_filter( 'upload_mimes', 'restrict_mime' );
function restrict_mime( $mimes ) {
    $mimes = array(
        // Lists the allowed MIME types; all others are excluded
        'jpg|jpeg|jpe' => 'image/jpeg',
        'gif'          => 'image/gif',
    );
    return $mimes;
}
[/php]
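The upload_mimes filter only maps a file extension to a type; it never looks at what is actually in the file. As an added example (not from the original post, the plugins mentioned, or WordPress itself), the snippet below adds .eps and then uses WordPress’s wp_check_filetype_and_ext filter to refuse any .eps upload whose first bytes are not a PostScript header; the stem_ function names are mine, and the filter signature is the one WordPress core passes to that hook.

```php
<?php
// Allow .eps by extension, exactly as the post's custom_upload_mimes does.
add_filter( 'upload_mimes', 'stem_allow_eps' );
function stem_allow_eps( $mimes ) {
    $mimes['eps'] = 'application/postscript';
    return $mimes;
}

// Runs after WordPress has mapped the extension; $file is the temporary
// upload path. Clearing both 'ext' and 'type' makes WordPress reject the file.
add_filter( 'wp_check_filetype_and_ext', 'stem_verify_eps_contents', 10, 4 );
function stem_verify_eps_contents( $data, $file, $filename, $mimes ) {
    if ( preg_match( '/\.eps$/i', $filename ) && ! stem_looks_like_eps( $file ) ) {
        $data['ext']  = false;
        $data['type'] = false;
    }
    return $data;
}

// EPS files begin with the PostScript "%!PS-Adobe-" header, or with the
// 4-byte DOS EPS binary signature C5 D0 D3 C6 when a preview is embedded.
function stem_looks_like_eps( $path ) {
    $head = @file_get_contents( $path, false, null, 0, 11 );
    if ( $head === false ) {
        return false;
    }
    return strncmp( $head, '%!PS-Adobe-', 11 ) === 0
        || strncmp( $head, "\xC5\xD0\xD3\xC6", 4 ) === 0;
}
```

Users holding the unfiltered_upload capability (granted only when ALLOW_UNFILTERED_UPLOADS is defined) skip WordPress’s type check, so leave that constant undefined for this to matter.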

Does anyone else have a good solution to changing WordPress’s default MIME types? Please share in the comments!

Get Exactly What You Searched For With Google Verbatim

One of my favourite information professionals, Mary Ellen Bates, recently tweeted a short tip for more accurate searching in Google:


Although this feature has been around for almost a year, it was new to me too, and I love it. Sometimes I am a horribly sloppy typist, but because Google is getting so good at interpreting what my mangled words were intended to be, it almost doesn’t matter. But I pride myself on being a lean, mean, searching machine (when I want to be), so there are times that I want to get results that are based on exactly what I’ve searched for. Verbatim is perfect for that.

According to Google’s announcement, when you search in Verbatim, they will not make any of the following “normal improvements” to your query:

  • making automatic spelling corrections
  • personalizing your search by using information such as sites you’ve visited before
  • including synonyms of your search terms (matching “car” when you search [automotive])
  • finding results that match similar terms to those in your query (finding results related to “floral delivery” when you search [flower shops])
  • searching for words with the same stem like “running” when you’ve typed [run]
  • making some of your terms optional, like “circa” in [the scarecrow circa 1963]

To search in Verbatim mode, when in your search results, click “Show search tools”, then click “Verbatim” under “All results”.

WordPress Update: WP 3.4.2 Has Been Released

This isn’t a Wednesday, but it’s time to talk WordPress anyway: WordPress 3.4.2 has just been released, and it’s time to do some upgrades!

WP 3.4.2 is a maintenance and security update, so although it won’t add any nifty new features to your site, it’s important as it fixes a bunch of issues that have been identified since the release of 3.4.1.

If you’re interested, you can find out more details about the new version on the WordPress blog. Happy upgrading!

Twitter Embeddable Timelines. Just Testing.

This is a test of the new twitter widget. Unfortunately this wasn’t displaying in WordPress preview mode. So fingers crossed.

This should display the hashtag from the recent #ilta2012 conference:

UPDATE: It actually does display once published; but failed to render when trying to preview the post via the WP post edit screen. Hopefully Twitter gets this resolved; but lesson learned (and now shared).

The First Hour

I enjoyed Kevin Purdy’s Fast Company piece on “What Successful People Do With the First Hour of Their Work Day“. Purdy had me from the first paragraph:

“Remember when you used to have a period at the beginning of every day to think about your schedule, catch up with friends, maybe knock out a few tasks? It was called home room, and it went away after high school. But many successful people schedule themselves a kind of grown-up home room every day. You should too.”

Although homeroom was never a highlight of my day when I was in school, my last in-person boss and I had an unspoken homeroom date basically every morning. We’d have coffee in her office and catch up on last night’s TV, whatever the hot gossip around the office was, and yes, actual work-related things too, like what projects were on the go for that day, or whether either of us needed help from the other with anything. Often, a lawyer or student would wander in and join us, but lots of times it was just the two of us. On days when one or the other of us had to forego coffee and get straight to work, I often felt kind of out of sorts, ungrounded, and like I needed to touch base. I really believe this ritual made a huge and positive impact on our working relationship, through building trust, maintaining communication, and just plain having fun!

Purdy’s article outlines what some of the world’s most successful people choose to do first thing in the morning (sometimes even before the workday has begun), such as:

  • NOT checking email before arriving at the office
  • A trio of mindful activities: light exercise, motivational incantations, and brainstorming things you’re grateful for
  • Eating the frog (getting the thing you least want to do done first)
  • Ask yourself if you’re doing what you really want to be doing
  • Paying close attention to customer service, in whatever way that anchors you

Side note: as with many articles that profile wealthy, self-made tech giants, there are more than a few comments of the “these people don’t live in the real world” variety, where the commenter says there’s no way he could fit those things into his life because he’s not a millionaire and actually has to be at work at 8am. Frankly, I’m tired of seeing this sort of remark. Every tech giant was a mere mortal at one point, and it’s likely that some of these habits, especially the ones that are seemingly unrelated to actual work, have contributed greatly to that person’s success. I personally find that kind of discipline and drive pretty interesting!

How To Get E-Mail Alerts When Your Website Is Mentioned on Google+

Geek Factor: 1

Jesse Stay (author of Google+ for Dummies and the forthcoming Google+ Marketing For Dummies) recently wrote a helpful post on how to get notified when someone mentions or links to your website on Google+

This is a great guide on how to setup your Google Analytics account to send email alerts when your social sources activity stream is updated. Check out Jesse’s post for step-by-step instructions.

FWIW, the social data you see in Analytics also comes from Blogger, Delicious, Disqus, Livefyre and a bunch of other web commentary platforms.

WordPress Wednesday: Customizing Comment Output

Geek Factor: 3

The output for WordPress comments is generated by using the wp_list_comments() function, but actually editing the markup used by the comments is a little tricky. If you needed to add, say, an extra <div> to get your design to work, you’ll find that there isn’t actually a theme file you can edit.

Here is a handy snippet I ran across on the WordPress Support Forum when trying to solve this issue on a recent project.

First, in your functions.php you will need to write out the code you’d like to use as your comment output. The example below just adds a couple containing elements to the original code, but you can add anything you need:

[php]
// custom comment layout
function custom_comment( $comment, $args, $depth ) {
    $GLOBALS['comment'] = $comment; ?>
    <li <?php comment_class(); ?> id="li-comment-<?php comment_ID(); ?>">
        <div id="comment-<?php comment_ID(); ?>">
            <div class="comment-author vcard">
                <?php echo get_avatar( $comment->comment_author_email, 48 ); ?>
                <?php printf( __( '<cite class="fn">%s</cite>' ), get_comment_author_link() ); ?>
            </div>
            <?php if ( $comment->comment_approved == '0' ) : ?>
                <em><?php _e( 'Your comment is awaiting moderation.' ); ?></em>
            <?php endif; ?>
            <div class="comment-text"><?php comment_text(); ?></div>
            <div class="reply">
                <?php comment_reply_link( array_merge( $args, array( 'depth' => $depth, 'max_depth' => $args['max_depth'] ) ) ); ?>
            </div>
        </div>
    <?php // No closing </li> here: wp_list_comments() adds it after any nested replies
}
[/php]

Then, when generating the output, pass the name of your function to wp_list_comments() as its callback so it is used in place of the default markup:

[php]
<?php wp_list_comments( array( 'callback' => 'custom_comment' ) ); ?>
[/php]

Because it’s necessary to specify the name of your custom comment function each time you use it, you can make more than one should you need it.

    Legal FAQ Collections