BKaF – Brad Kovach and Friends

 
 

WordPress


This isn’t me.

Someone (another Brad Kovach) stole my username on Facebook. I remind him how cool I still am…





Recently, you may have noticed that Facebook has allowed users to pick usernames.  Upon learning this news, I immediately thought, “How convenient will this make it for people to find me!?  This is fantastic news!  Now, I will be able to rapidly expand my internet empire with an eponymously chosen username!”

I was looking forward to June 12 at 10:01 pm when I would finally claim http://www.facebook.com/bradkovach.  But I had to work at 5:00 am the next day.  So I loaded my ears with foam plugs and went to bed at 9:10.  This is now my biggest regret.  I, being fully able to conveniently register ‘bradkovach’ as my username at every other site on the entire internet, assumed that I could go to bed, and work my formidable nine-hour shift, come home and register my name.

It might surprise you then, considering my previous luck registering ‘bradkovach’ on EVERY OTHER WEBSITE, that I was unable to register http://www.facebook.com/bradkovach for use in my Internet empire.

Well then, who did?

This guy:

Brad Kovach--but not me!

Another Brad Kovach

So now, I must write a letter to Brad Kovach.  From Brad Kovach.

Dear Brad Kovach,

You might know me from the first four results when you Google your (our) name.  I am Brad Kovach.  Not only am I Brad Kovach, but I am the most important and most accomplished Brad Kovach on the Internet–until now.

You see, Brad Kovach, you have damaged my ego.  I have successfully been building my Internet empire from a very young age.  I have been signing up for websites using “bradkovach” as my username successfully for years now.  Today, however, you ruined me.  You STOLE my username on Facebook.  While this is a small victory for you, you will not win this name war.  You see, while you have taken a highly coveted username on a very prestigious site, you cannot outdo me.  Let’s check the scoreboard.

Brad Kovach (me): At least 9…
Brad Kovach (you): 1… maybe 2?

I suppose it’s normal to be a celebrity and have imposters and doppelgangers. I can live with these side-effects of fame.

Sincerely,
(the real) Brad Kovach

So here is the happy ending: I picked an equally awesome username for Facebook. You may now check out my profile at http://www.facebook.com/thebradkovach.

Also, since I am a jerk that WILL kick a horse while they are down, I have redirected all of the bradkovach.com/site urls to their respective site.  For example, http://www.bradkovach.com/facebook will take you to my Facebook profile.


About Brad

Brad Kovach is an award-winning web developer from Afton, Wyoming. In his spare time, he enjoys drumming on Rock Band, and playing with this website.

3 Ways to Optimize your WordPress installation

Here are some steps you can take to prevent a WordPress meltdown.





WordPress is the blogging CMS platform of choice for millions of websites.  Learn to tame it, and you’ll learn to love it.  Here’s a small to-do list I compiled that is guaranteed to make WordPress faster, safer and better.

1. Cache until you can’t!

Optimize WordPress: Optimize until you can't


WordPress generates all content from a database connection, which is a weak link in a traffic-heavy environment. Fortunately, WordPress was built with very thorough hooks into its infrastructure to allow easy implementation of caching plugins.  I have tried each of these plugins.

3 excellent caching plugins

  1. wp-cache. Very basic caching system that prevents excessive trips to the database.  Unfortunately, wp-cache doesn’t pre-render PHP code, so the PHP interpreter is still called into play every time a page is loaded.  It’ll definitely save you some CPU overhead, though.
  2. wp-super-cache. Advanced caching system that saves hard copies of every generated page to the database.  wp-super-cache will retrieve a hard copy of the page without making calls to the database or initiating the PHP interpreter–every time.  It will not, however, serve cached copies of pages to logged-in users.  If you have a heavy base of commenters, this plugin serves no significant benefit.
  3. 1blogcacher. My favorite caching system saves hard copies of each generated page for both anonymous AND logged in users.  1blogcacher will create a cache for each authenticated user, if it must.  Another pleasant feature: hard-coded settings.  It’s a little geekier to program, but since the settings are hard-coded, 1blogcacher doesn’t have to use the database to save your personal settings.  This is the fastest plugin I have found.

Cache your outside resources

If your site is pulling XML data from sites to generate content, make sure it is saving copies so that it doesn’t have to waste bandwidth every time it polls the page.

Using *nix’s extremely handy CRON task scheduler, I set a download script to run every 5 minutes.  By pre-fetching these XML sources, the homepage’s load time went from roughly 2.5 seconds to ~0.3 seconds.  That’s a significant savings of load time for users, and a significant savings of processing power for your server when it has to serve a page.

Please note that MOST plugins will automatically cache the resources that they pull.
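
A prefetch job of the kind described above, as an added example rather than the author's own download script. It keeps the last good copy when the remote source fails or returns nothing; FETCH_CMD, the script name and the paths in the crontab comment are hypothetical.

```sh
#!/bin/sh
# Added example (not the author's download script). Prefetches one remote XML
# source into a local cache file so page rendering never waits on the network.
# FETCH_CMD is a hypothetical override for the download command.

# refresh_feed URL DEST
# Downloads URL to a temp file beside DEST and swaps it in only if the
# download succeeded and looks like markup; otherwise the last good copy stays.
refresh_feed() {
    url=$1
    dest=$2
    tmp=$(mktemp "$dest.XXXXXX") || return 1

    # -f: fail on HTTP errors; --max-time: never hang into the next cron run.
    if ${FETCH_CMD:-curl -fsS --max-time 60} "$url" > "$tmp" \
        && [ -s "$tmp" ] \
        && head -c 512 "$tmp" | grep -q '<'; then
        chmod 644 "$tmp"        # mktemp creates mode 600; the web server must read it
        mv -f "$tmp" "$dest"    # rename is atomic on the same filesystem
    else
        rm -f "$tmp"
        return 1
    fi
}

# crontab entry for the five-minute schedule (placeholder paths):
# */5 * * * * /path/to/prefetch.sh https://example.com/feed.xml /path/to/cache/feed.xml
[ $# -lt 2 ] || refresh_feed "$1" "$2"
```

Because the swap is a rename, a page that reads the cache file mid-update sees either the old copy or the new one, never a partial download.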

Make your users cache your resources

Every browser built since the beginning of the Internet saves copies of the resources it downloads.  Many people do not know that their server can be configured to fine-tune the process–and it’s easy to do!

Most commercially available webservers come preconfigured with mod_expires, but it’s easy to enable if you don’t have it. If you have Apache 2, type `a2enmod expires` at a command line and hit enter, then `apache2ctl graceful`.  If the commands return a bunch of errors, try them again with `sudo` before each command.

At this point, you can head to your web directory and, if you need to, create a file named “.htaccess”.  Paste this into the .htaccess file:

<IfModule mod_expires.c>
 ExpiresActive On
 ExpiresByType text/html "access plus 3 hours"
 ExpiresByType image/gif "access plus 72 hours"
 ExpiresByType image/jpeg "access plus 72 hours"
 ExpiresByType image/png "access plus 72 hours"
 ExpiresByType application/x-javascript "access plus 72 hours"
</IfModule>

Check your HTTP headers to see if the changes have had an effect. You should notice a line that reads Expires => Tue, 15 Jul 2008 18:29:53 GMT, or something very similar. This tells any competent browser that the file will not change until the date listed, so it doesn’t even need to check until that point.

Accelerate with Google Gears

Starting in WordPress version 2.6, support for Google Gears has been integrated.  In effect, another powerful cache can be enabled for your site’s administrators.  At the top-right of any administration page, click “Turbo,” sync the files and you’re done!  Google Gears also provides offline capabilities, but I haven’t been able to use them with WordPress.

2. Lock down your permissions!

Optimize Wordpress: Secure your files


If you are on a shared hosting account, ask your hosting provider to move you to a phpSuExec-enabled server if you are not already on one.  WordPress is not designed to run in an insecure environment, and will be very prone to exploit if it is not in a SuExec environment.  If you are in a non-SuExec environment, and you cannot change out of it, you should reconsider your hosting company!  Your website is VERY prone to attack!

Every .php file should be at a maximum chmod value of 544.
Directories should be at 555, with the exception of wp-content/uploads, which should, unfortunately, be set at 755.

Since I try to be as helpful as possible, I created a script that will automatically lock down your WordPress installation.  IMPORTANT: This only works with phpSuExec installations of WordPress.  It will absolutely MURDER an installation on a standard shared-hosting account.  Please back up your files before you run this script!

Introducing wp-harden. The all-in-one security hardener for WordPress.  Please set the variable WPDIR at the beginning of the file before execution.  I recommend NOT running wp-harden inside the WordPress directory.

Before running wp-harden:

  • Make sure that you can read and write to all of your files, and make sure you own ALL FILES in the WordPress directory.
  • Make 100% positive that you are running in a phpSuExec environment.  This script will lock out non-phpSuExec webservers, causing server configuration errors.

If wp-harden breaks your installation, please check the following:

  1. Does wp-content/plugins need to be writable?  Try `chmod -R 755 wp-content/plugins` if things stop working.
  2. Make sure your user owns the files before running wp-harden!  If you lock yourself out, you will need your host/administrator to set the ownership back.
  3. Is .htaccess corrupt?  wp-harden shouldn’t make any changes to .htaccess, but it does change its permissions.
  4. If you aren’t in a phpSuExec environment you should move everything back to 755 and contact your webhost.
  5. Leave other found issues in the comments.
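
To see which paths exceed the 544/555/755 limits given in this section, before or after any hardening run, here is a read-only audit as an added example (it is not the author's wp-harden script). It assumes GNU find, takes the WordPress directory as its argument, and treats subdirectories of wp-content/uploads as covered by the 755 exception.

```sh
#!/bin/sh
# Added example, not the author's wp-harden script. Read-only: nothing is changed.
# Prints "MODE MAX PATH" for every path whose mode grants bits beyond the
# maximums stated in this section. Requires GNU find (-perm /MASK, -printf).

# audit_wp_perms WPDIR
audit_wp_perms() {
    wpdir=${1%/}
    uploads="$wpdir/wp-content/uploads"
    {
        # .php files: max 544, so any bit in 233 (or setuid/setgid/sticky) is excess.
        find "$wpdir" -type f -name '*.php' -perm /7233 -printf '%m 544 %p\n'

        # Directories outside uploads: max 555, so any write bit (222) is excess.
        find "$wpdir" -path "$uploads" -prune -o \
            -type d -perm /7222 -printf '%m 555 %p\n'

        # uploads and (assumption) its subdirectories: max 755.
        if [ -d "$uploads" ]; then
            find "$uploads" -type d -perm /7022 -printf '%m 755 %p\n'
        fi
    } | sort -k3
}

# Usage: sh audit.sh /path/to/wordpress   (prints nothing when all is within limits)
[ $# -eq 0 ] || audit_wp_perms "$1"
```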

3. Use security-audit plugins

Some plugins allow you to keep tabs on your WordPress installation.

I highly recommend

  1. AskApache Password Protect – Modifies your server’s configuration to create a comprehensive attack firewall.  chmod to 777 before using and then use wp-harden to lock down the changes.  Very safe to use, but it can cause problems.  Back up your .htaccess and your wp-admin/.htaccess files. If a problem should occur, modify the .htaccess files to create a usable environment once again.
  2. LoginLockdown – Logs login attempts and blocks attackers if too many username/password failures occur.


© Brad Kovach and Friends 2004-2010

Brad Kovach and friends is a website made by friends for the world's enjoyment. We like computers, art, having fun, and sharing! We try to keep things G-rated, but we're all adults–so take that for what it's worth.