This will not be a terribly interesting blog post, but I made a number of customizations to WordPress, which I am going to document in case I ever need to install WordPress again. Maybe even someone else will stumble upon this and find this information useful.
In some cases I’ll be vague about what I did, and this is intentional. Obviously security through obscurity is a flawed practice, but at the same time, given the security track record of WordPress, I don’t want to share too much, as I don’t want to make an attacker’s life any easier than it already is.
Installation Directory
To make installing additional web applications as simple as possible:
- I wanted WordPress installed in /var/www/blog
- I wanted my DocumentRoot to be /var/www
At the same time, if someone goes to jsaxton.com, I wanted them to see my blog, and I didn’t want to deal with any silly redirects to jsaxton.com/blog.
It turns out this is a common request with a well-documented solution.
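As an added example (not from the original post), here is the usual way to get the layout above: a root-level index.php in the DocumentRoot that loads WordPress from the /blog subdirectory, so the blog answers at the site root with no redirect. It assumes the paths on the page (/var/www and /var/www/blog) and an Apache setup; the WordPress Address (URL) and Site Address (URL) in Settings -> General must still be set to the /blog URL and the root URL respectively.

```shell
#!/bin/sh
# Added example, not part of the original post. Serve a WordPress installed in
# DOCROOT/SUBDIR (here /var/www/blog) from DOCROOT itself (here /var/www).
# Usage: serve_wp_from_root DOCROOT SUBDIR
serve_wp_from_root() {
    docroot="$1"
    subdir="$2"
    src="$docroot/$subdir/index.php"
    dst="$docroot/index.php"

    # Refuse to proceed if WordPress is not actually where we were told.
    if [ ! -f "$src" ]; then
        echo "no index.php in $docroot/$subdir" >&2
        return 1
    fi
    # Never clobber an existing root index.php silently; keep a backup.
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak"
    fi

    # Copy (not move) the loader and point its require at the subdirectory's
    # wp-blog-header.php. Matches both the old dirname(__FILE__) form and the
    # newer __DIR__ form of the stock index.php.
    sed "s#/wp-blog-header\.php#/$subdir/wp-blog-header.php#" "$src" > "$dst"

    # Pretty permalinks need rewrite rules at the DocumentRoot as well.
    # Re-save Permalinks in the admin afterwards so WordPress regenerates
    # this file for the root URL.
    if [ -f "$docroot/$subdir/.htaccess" ] && [ ! -f "$docroot/.htaccess" ]; then
        cp -p "$docroot/$subdir/.htaccess" "$docroot/.htaccess"
    fi

    # Show the resulting require line so the change can be eyeballed.
    grep 'wp-blog-header' "$dst"
}
```

Run it as `serve_wp_from_root /var/www blog`, then log in again at the /blog admin URL and re-save the permalink settings.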
Fixing Authentication
I’m not going to bother setting up https for my personal blog, which is fine unless someone wants to log in to comment; their login credentials would then travel over plain http and could be intercepted if they are on an insecure network. Also, I don’t really want the responsibility of storing their login credentials on my server. To solve this problem, I decided to install the Disqus plugin, as described here.
One of the primary reasons I host my own blog is because I want to have complete ownership of the content. For example, I don’t want to lose my comments if Disqus ceases to exist or gets hacked. Unfortunately, comments created with Disqus are not written to the WordPress comments table. With that said, Disqus provides a way to export your comments as an XML file, which is sufficient for me.
Installing a better theme
I’m currently running a theme called Codium Extend. I like the simplicity and responsiveness of the design, and they claim proper mobile and tablet support, which were my primary requirements.
Fixing the Menu
I wanted the menu on my site to have a “Blog” link, which it didn’t by default. This is really easy: log into the Administration panel, select “Appearance->Menus”, then create your own menu. In my case, I added a custom link to https://jsaxton.com/ with a navigation label of “Blog”.
Fixing Security
WordPress vulnerabilities are somewhat common, so doing some common-sense things to harden WordPress was a priority for me. I’m not going to describe everything I did, but for starters, I read Hardening WordPress and implemented most of its suggestions. I installed the Better WP Security plugin, which I would highly recommend. Since I’m not handling user authentication anymore, I disabled account creation. There’s probably a lot more I could do, but this seemed like a good start.
Syntax Highlighting
I could not get syntax highlighting to work out of the box, at least not following the instructions here. Installing the SyntaxHighlighter Evolved plugin resolved my issues, and I now have proper syntax highlighting support.