By OCI
Recently one of our clients needed a secure website put up pretty quickly, and the features they needed on the site made it sound like it should be built as a WordPress blog. But WordPress was built for sharing, not keeping things secret! Keep reading to see how we took a social blogging platform and turned it into a highly secure, members-only website!
Step 1
The first step, of course, is to install WordPress. When installing WordPress with security in mind, take care not to place it in the root directory. Instead, “hide” it in a subdirectory. I chose a hard-to-guess name, just as an added layer of security. If you don’t know how to set up WordPress on your web server there are some really great resources online here, here and here. We’re going to assume you’ve gotten WordPress up and running and are now ready to get it locked down.
Step 2
Now that you’ve gotten your WordPress site up and running, the first thing you need to do is set up the system that will grant user access based on permissions that you can set. Luckily there is a plugin that makes this very, very easy! ‘Members Only’ is a great little tool that’ll do most of the work for you. Install this little guy and activate it, and your entire blog is only accessible to logged-in users. This plugin also lets you choose where a user who isn’t logged in is redirected to. Another nice feature, which really makes this an amazing plugin, is that it also grants all users ‘Feed Access Keys’, so you can keep the RSS feed, but readers can only view it by entering the Feed Access Key provided by the site.
Step 3
After you’ve installed Members Only, it is time to add your users. You can of course choose the permission level of Subscriber, Contributor, Author, Editor or Administrator. Most of your users will be Subscribers. For more information on user roles in WordPress, visit this link. Once this is completed you’ve got a pretty secure site for the most part. Everything else we’ll talk about is just going the extra step to lock it down even further.
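Under the hood, a members-only gate is just a check run on every front-end request. The following is an added example, not the Members Only plugin’s code and not from the original post, that does the same job from your theme’s functions.php using WordPress’s own template_redirect hook and auth_redirect(). It also closes the REST API to anonymous visitors, because published posts are otherwise readable at /wp-json/wp/v2/posts even when the pages themselves are gated. The function names prefixed oci_example_ are made up for this illustration.

```php
<?php
// Added example, not the Members Only plugin's code. Drop into functions.php.

// 1. Front-end pages: send anyone who is not logged in to wp-login.php.
//    template_redirect runs before the theme renders and does not fire
//    on wp-login.php itself, so there is no redirect loop.
function oci_example_require_login() {
    if ( is_user_logged_in() ) {
        return;
    }
    // auth_redirect() redirects to the login form with redirect_to set
    // to the page that was requested, then exits.
    auth_redirect();
}
add_action( 'template_redirect', 'oci_example_require_login' );

// 2. REST API: the default posts endpoint lists published posts without
//    authentication, which would leak gated content. Return a WP_Error
//    for anonymous requests; logged-in users (and the block editor,
//    which sends a nonce with the login cookie) are unaffected.
function oci_example_require_login_for_rest( $result ) {
    // An earlier callback has already allowed or denied the request.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => 401 )
        );
    }
    return $result;
}
add_filter( 'rest_authentication_errors', 'oci_example_require_login_for_rest' );
```

After adding this, open a private browser window and request both a post URL and /wp-json/wp/v2/posts under your WordPress subdirectory: the first should land on the login form and the second should return a 401 JSON error rather than post content.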
Step 4
One thing you will probably want to do is hide the site from the search engines and this can be easily accomplished by using a robots.txt file. You will just need to create a file named “robots.txt” and save it in your root directory. The file should contain the following code:
User-agent: *
Disallow: /
The User-agent line says which user-agents (robots) the rule applies to; the asterisk means all of them, so this rule applies to every search engine’s robots. The Disallow line then says what they are not allowed to index, and the forward slash represents the root directory. Crawlers that honour robots.txt will therefore read this as, “All search engine robots are not allowed to index the root directory (or any directory beneath it) of this website.” Keeping the search engines away from your top secret site adds an extra layer of security by helping keep your select audience as the only ones who know about the site.
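A robots.txt file is a request that well-behaved crawlers honour, not an access control, so it is worth stating the same “do not index” instruction in the other places crawlers look. The following is an added example, not from the original post, for your theme’s functions.php: it adds a robots meta tag to every page through WordPress’s wp_robots filter (available since WordPress 5.7, using the core helper wp_robots_no_robots) and sends an X-Robots-Tag response header. The function name oci_example_noindex_header is made up for this illustration.

```php
<?php
// Added example, not from the original post. Drop into functions.php.

// 1. Emit <meta name="robots" content="noindex, ..."> in <head>.
//    wp_robots_no_robots() is a core helper (WordPress 5.7+) that sets
//    noindex, plus follow or nofollow depending on the Settings > Reading
//    "Discourage search engines" option.
add_filter( 'wp_robots', 'wp_robots_no_robots' );

// 2. Send the same instruction as an HTTP header. This also covers
//    non-HTML responses (feeds, files served through PHP) where a meta
//    tag cannot appear. send_headers fires once WordPress has parsed
//    the request, before any output.
function oci_example_noindex_header() {
    if ( ! headers_sent() ) {
        header( 'X-Robots-Tag: noindex, nofollow', true );
    }
}
add_action( 'send_headers', 'oci_example_noindex_header' );
```

To confirm it is working, view the page source of any post and look for the robots meta tag, and check the response headers in your browser’s developer tools for X-Robots-Tag. Ticking “Discourage search engines from indexing this site” under Settings > Reading gives the same meta tag for the WordPress directory; the static robots.txt in the root still matters because, with WordPress in a subdirectory, WordPress does not control the root of the site.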
Step 5
The next thing we will want to do is prevent the contents of our directories from being listed. We’re going to assume you’re on an Apache server to do this. What you’ll need to do is find the .htaccess file in your root web directory. It’s usually a hidden file, so you may need to choose an option such as “Show Hidden Files” in your FTP client. Once the file is located (and downloaded, if you need to do that to edit it), all we need to do is add this line at the top and save:
Options -Indexes
After doing this, Apache will no longer generate a listing of a directory’s contents for anyone who browses to a directory that has no index file.
Step 6
Even though Members Only provides Feed Keys, there might be times when you need to disable the RSS feeds altogether. To do this, simply locate the “functions.php” file in your WordPress theme, or go to Appearance > Themes > Theme Editor and find the “functions.php” file there. Now add the following code to the end of the document:
function disable_our_feeds() {
    // Stop the feed request with an error page instead of serving the posts.
    wp_die( __( 'Error: No RSS Feed Available, Please visit our homepage.' ) );
}
// Hook the function into every feed type. Priority 1 runs it before the
// feed template would otherwise be loaded.
add_action( 'do_feed', 'disable_our_feeds', 1 );
add_action( 'do_feed_rdf', 'disable_our_feeds', 1 );
add_action( 'do_feed_rss', 'disable_our_feeds', 1 );
add_action( 'do_feed_rss2', 'disable_our_feeds', 1 );
add_action( 'do_feed_atom', 'disable_our_feeds', 1 );
This will deactivate all feeds on the site and prevent any of your posts from being broadcast in any manner.
Step 7
At this point I would suggest installing Google Analytics. It should be installed on every website, but especially when you’re concerned about who’s coming and going, since it lets you keep an eye on your visitors. Learn more about Google Analytics here.
Step 8
Now that things are locked down fairly securely we’ll also want to create some kind of a dummy index page for your root directory. This isn’t mandatory, but it is a nice touch for any user you might have that can’t remember the full URL plus directory of the blog. Since our site was for a client, I just placed their logo centered on the page and a link to their homepage. Just a blank index.html would do well, though. It’s up to your preference.
Step 9
This step is completely unnecessary, but it is a very nice finishing touch: create a custom login page for your new site. Since all of your users will have to log in to view your content, you will probably not want the WordPress logo on the login page and would rather have your own. Luckily this is very easy with the BM Custom Login plug-in. Go and get it here. It’s very easy to implement and has very clear instructions for creating your own custom login.
And that’s it! You’ve now got a really quick, super secure website to share all your secrets! There’s maybe even more that can be done to secure it, though. What have you done to secure your WordPress blogs?
Tags: brandon, Google Analytics, htaccess, members only, online marketing, robots.txt, secure website, web design, Wordpress, wordpress plugins