There’s a war going on in the blogosphere, and it has nothing to do with bloggers dissing each other on their respective websites. The war is about control of the blogosphere by several great, many good, and tons of terrible blogging platforms. The average newbie now has “too many” options to choose from, and the battle for blogging supremacy is hotter than ever.

At my website and blogs, I’m always asked the question “Is WordPress better than Blogger?”. The answer, of course, is “Yes”. But to really understand why, it’s important to look at both blogging platforms side-by-side and see which one you really need.

You also need to understand that there are different versions of WordPress, the earliest now termed as “WordPress” at WordPress.org, and the hosted version similar to Blogger now termed “WordPress.com” which is of course available WordPress.com. Only the latter comes with free hosting on a sub-domain account. We’ll discuss this in Part 2.

For Part 1 of this article, we look only at the self-hosted version of WordPress. Here’s the comparison scale:

1) Ease of Set-up And Use

Yes, it’s much easier to set-up a blog with Blogspot.com and get your own Bloggger account. You can be done in 10 minutes flat. Once you’re set-up you can start posting immediately. If you want to add a designer’s touch to your blog, there are also tons of blogger templates available for free.

Installing WordPress however can be a major headache if you don’t know what you’re doing. Since you’re going to host it on your own account, you’ll need to download the installation files, upload them to your server, set-up a database, and run the configuration script.

However, if you know which hosting account to get, you can choose one with Cpanel included. With Cpanel, you can do a one-click installation, upgrade and removal of your WordPress platform.

2) Customization & Advanced Use

Blogger doesn’t allow categories. You can’t sort your articles into different focuses, unless you know how to hack the platform. With WordPress, not only can you add categories, you can also display each category differently on your main page. In fact with the correct plugins you can even turn your WordPress into a magazine-like portal.

Publishing with Blogger can extremely furstrating. It can take forever to post articles, especially if you’re making changes to the entire website. With WordPress, publishing is much faster, although if you load your system with all kinds of bells and whistles it can be just as frustrating.

With a Blogger account, you can get additional features like “Shout Boxes” that improve interaction on your site. You can also get pretty themes and nifty little tools that you can add to the core template files. However, that’s as far as you can go with Blogger.

With WordPress however, the sky is the limit. As cliche as that may sound, not only can you get themes, additional “plugins” and advanced tools, you can also extend WordPress to far beyond just a blogging platform.

The talk today is about using WordPress as a complete, user-friendly Content Management System or CMS. Unlike complicated predecessors like PHPPostNuke, B2, Mambo or even Joomla, WordPress is user friendly. Plus, the availability of source codes in this open-source system coupled with a strong community makes it possible to use WordPress as an article management system, classifieds system, direct-selling site and even a paid membership site.

4) Copyrights and Ownership of Content

I started with Blogger and I won’t say that it’s bad. But after a while I started to get frustrated with Blogger, and here’s why: Google Owns Your Content

Google has the authority to shut down your account without warning if they don’t like what you’re blogging about. You don’t have absolute control over your own blog. With WordPress, you own the domain name and the blog is hosted on your own account. You have full control over your content.

With the self-hosted version of WordPress (not WordPress.com), you’re free to write about anything you want, and use the software in any way you want. Yes, Blogger allows you to publish to your own domain, but they still own the database that holds your content! Don’t forget that!

5) Search Engine Optimization and Traffic

There’s this propaganda that since Google owns Blogger, they tend to favor Blogger accounts. I won’t say that this is illogical, but from my experience, there’s no such favoritism.

I’ve heard as many stories of getting indexed fast and ranking high in search engines from both WordPress and Blogger users. As long as the content is good, the spiders will come.

When you post in Blogger, you can only “ping” a limited amount of sites, whereas with WordPress on your own domain you can ping as many blog directories as you want, and start getting more traffic.

As a conclusion, I would say that WordPress is only slightly ahead in terms of optimization for search engines, and building large amounts of traffic.

6) Money-Making Potential

There’s no doubt that it’s easier to get started with Google Adsense if you have a Blogger account. In fact you can now apply for Adsense from within a Blogger account. Not entirely surprising considering the fact that both are owned by the same company.

With WordPress, it can get tricky. The default installation is not enough. You’ll need a couple of plugins and even a better theme to really maximize the Adsense potential. However, this seems to be getting easier and there’s even “Adsense revenue sharing” plugins around that allow you to share ad revenue with other contributors and writers for your blog.

When you start using WordPress to build your Adsense websites, you’ll soon discover what I mean. It’s something you need to experience for yourself. I can tell you one thing though – when you go WordPress, you don’t go back.

Common Errors

We all make mistakes. The word “typo” wasn’t invented without reason. Here are some of the most common problems that creep up with CSS.

Missed Spellings

Just so you know, leftt is not the same as left and this could be the reason something is on the right instead of the left side of your page. Putting a 30ps for a margin won’t get much of a result, but 30px will. Missed spelling errors are common and easy to overlook. Luckily, CSS validators can often catch these tiny mistakes for us.

Forgotten Details

As creative as you can be with CSS, there are some ground rules you have to follow. Every selector must be identified as an ID or CLASS unless it is a HTML TAG. It must be laid out as selector { property: value; property: value; } and the braces, colon and semi-colon must be there. Miss one of these little details and nothing will happen, or strange things might. CSS validators will usually catch these little forgotten details for you.

Wrong Selector

Putting all your wonderful designs in #content when they were supposed to be in #context-text doesn’t help your layout. Luckily, you can usually see these immediately upon viewing the page, so just cut and paste them in the right tag…and then remember what you deleted from #content. Of course, you can refer to your frequently backed-up file to get the lost code. Hint-Hint!

Wrong Template Module

As useful as WordPress’ new modular templates are, many a time a user has made a modification in comments.php instead of comments-popup.php or other similarly named files by mistake. Double check which modular section you are supposed to be working on all the time. And if you mess one up by accident, there is always that faithful backup file to make things new again.

Multiple Choice

CSS can’t read your mind. If there are two references to the same selector with conflicting information, it has to decide which one it will use. This is very common if you are bringing your original style sheet in on top of a new one. If you are fighting with a selector for, say, the h1 heading, and nothing is changing, search through the style sheet to see if there is another reference to that selector.

Pest Control – Watching Out For Browser Bugs

No matter how hard we try to make our web pages beautiful, it can take the viewing of the web page in a different browser to totally screw up our lovely design.

Different browsers view web pages differently. Older browsers won’t recognize new CSS standards, while newer ones often “see” things differently from their brethren. The results are often not pretty, causing blinking, jumping, or missing design elements, shifting layouts, and distorted positions.

How do you know it’s the browser and not your design causing the problem? You often don’t. If you play with CSS a lot, you will learn to recognize the symptoms. In general, here are the clues:

• Text jumps around or blinks as you scroll down the page.
• Links and text jump around as you move the mouse over a link.
• Lists with links jump around and move as you move your mouse over them.
• Layouts look different. Columns are wider or narrower between browsers.
• Graphics overlap the text or lists.
• Special effects such as filters don’t look the same or aren’t there.

Hardening WordPress

Security is an interesting topic, with a lot of shades of gray. WordPress developers take security very seriously, but as with any other system, there are potential security issues that may arise and there are always trade offs when balancing security and convenience. We will go through some common things you can do to keep your WordPress installation secure.

What is security? Fundamentally, security is not about perfectly uncrackable systems, which might well be impossible to find and/or maintain. Security has more to do with trust and responsiveness. For example, a trusted host runs a stable, patched branch of their webserver (be it Apache, IIS, or whatever). They should tell you this, test their configuration themselves, and let you determine it for yourself. An untrusted host does not apply patches when they are released and does not tell you what server versions they are running.

Several themes run through this guide:

1. Limiting access: Making smart choices that effectively lower the possible entry points available to a malicious person.
2. Containment: If a weak point in your installation is found by a malicious person, your system should be configured to minimize the amount of damage that can be done once inside your system.
3. Knowledge: Keeping backups, knowing the state of your WordPress installation at regular time intervals, documenting your modifications all help you understand your WordPress installation.

Contents [hide] 1 Vulnerabilities on your computer 2 Vulnerabilities in the WordPress package itself 3 Server vulnerabilities 4 Network vulnerabilities 5 Passwords 6 File permissions 6.1 Regarding automatic upgrade 7 Database security 8 Securing wp-admin 9 Securing wp-config.php 10 SSL Encryption Security 11 Plugins 11.1 Security Plugins 11.2 Firewall Plugins 11.3 Plugins that need write access 11.4 Code execution plugins 12 Security through obscurity 13 Data backups 14 Logging 15 Monitoring 15.1 Monitoring your logs 15.2 Monitoring your files for changes 15.3 Monitoring your web server externally for malware and changes 16 Resources 17 See Also

Vulnerabilities on your computer

Make sure the computers you use to post to WordPress are free of spyware, malware, adware, and virus infections; and are running secure, stable versions of your applications. For example, none of the following makes the slightest difference if there is a keylogger on your PC.

Vulnerabilities in the WordPress package itself

WordPress could have vulnerabilities as a result of how the program is written that allow an attacker to pass HTTP arguments, bad URI strings, form input, etc, that could cause Bad Things to happen.

There are two ways to deal with this problem:

1. Keep up to date with the latest WP version: The WordPress developers do not maintain security patches for older WordPress versions. Once a new version has been released or the vulnerability has been fixed then the information required to exploit the vulnerability is almost certainly in the public domain making any old versions more open to attack by a simple script kiddie. If you are an administrator in charge of more than one WordPress installation, consider checking out all copies of WordPress via Subversion Installing/Updating_WordPress_with_Subversion, and using an accompanying script to keep all checkouts up to date en mass [[1]].
2. Report bugs: If you find what you think is a bug, report it — See Submitting_Bugs. You might have uncovered a vulnerability, or a bug that could lead to one. If you think you have found a serious security flaw see the Security FAQ for information on how to report the flaw.

Server vulnerabilities

The webserver running WordPress, the database with the WordPress data, PHP and any other scripting/programming language used for plugins or helper apps could have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server, database, scripting interpreter, or make sure you are using a trusted host that takes care of these things for you.

It should also be mentioned that if you’re on a shared server (one that hosts other people besides yourself) if someone else is compromised, then it’s very likely you could be compromised too even if you follow everything in this guide. Be sure to ask your web host what security precautions they take.

Network vulnerabilities

The network on both ends — the WordPress server side and the client network side — should be trusted. That means updating firewall rules on your home router and being careful about what networks you work from. A busy Internet cafe where you are sending passwords in cleartext over an unencrypted wireless connection is not a trusted network, for example. Your host should be making sure that their network is not poisoned by hackers, and you should do the same. Network vulnerabilities allow passwords to be intercepted via sniffers and other sorts of havoc (such as man-in-the-middle attacks) to happen.

Passwords

Some vulnerabilities can be avoided by good security habits. An important element of this are passwords: do not use your own name for your password, do not use a dictionary word (from any language) for your password, do not use a 4 character string of numbers as your password. Your goal with your password is to make the search space as large as possible, so using numbers and varying capitalization all make it more difficult, statistically, to brute force a password. This is particularly important if you do not rename the administrator account. In that case half the puzzle is already solved for malicious users as they know what username will give them significant privileges to edit files and databases. Many automatic password generators can be found on the internet and used to create secure passwords.

File permissions

Some of WordPress’ cool features come from allowing some files to be writable by web server. However, letting an application have write access to your files is a dangerous thing, particularly in a public environment.

It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images.

Here is one possible permission scheme.

All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be group-owned by the user account used by the webserver.

• / — the root WordPress directory: all files should be writable only by your user account.
  • EXCEPT .htaccess if you want WordPress to automatically generate rewrite rules for you
• /wp-admin/ — the WordPress administration area: all files should be writable only by your user account.
• /wp-includes/ — the bulk of WordPress application logic: all files should be writable only by your user account.
• /wp-images/ — image files used by WordPress: all files should be writable only by your user account.
• /wp-content/ — variable user-supplied content: intended by Developers to be completely writable by all (owner/user, group, and public).
  • /wp-content/themes/ — theme files. If you want to use the built-in theme editor, all files need to be group writable. If you do not want to use the built-in theme editor, all files can be writable only by your user account
  • /wp-content/plugins/ — plugin files: all files should be writable only by your user account.
  • other directories under /wp-content/ should be documented by whatever plugin / theme requires them. Permissions may vary.

• If you have shell access to your server, you can change file permissions recursively with the following command:

For Directories
find [your path here] -type d -exec chmod 755 {} \;
For Files
find [your path here] -type f -exec chmod 644 {} \;
You have to omit to use this command for /wp-includes/.

Note that if you are on a shared-server the permissions of your wp-config.php should be 750. It means that no other user will be able to read your database username and password. If you have FTP or shell access, do the following:
chmod 750 wp-config.php

Regarding automatic upgrade

Beginning with Version 2.7 WordPress can perform an automatic upgrade. As such, all file operations are performed as the user that owns the files, not as the web server’s user. All files are set to 0644 and all directories are set to 0755, and writable by only the user and readable by everyone else, including the web server.

Database security

If you run multiple blogs on the same server, it is wise to consider keeping them in separate databases each managed by a different user. This is best accomplished when performing the initial WordPress installation. This is a containment strategy: if an intruder successfully cracks one of WordPress installation, this makes it that much harder to alter your other blogs.

If you administer MySQL yourself, ensure that you understand your MySQL configuration and that unneeded features (such as accepting remote TCP connections) are disabled. See Secure MySQL Database Design for a nice introduction.

Securing wp-admin

Adding server-side password protection to /wp-admin/ adds a 2nd layer of protection around your blog’s admin area, login, and files. This forces an attacker or bot to attack this 2nd layer of protection instead of your actual admin files. Most of the time WordPress attacks are carried out autonomously by a malicious software bot. But simply securing the wp-admin/ directory might also break some WordPress functionality, because the Ajax handler wp-admin/ajax-admin.php can’t be accessed without the password. See the #Resources section for more documentation on how to password protect your wp-admin/ directory properly.

The most common attacks against a WordPress blog usually fall into 2 categories.

1. Sending specially-crafted HTTP requests to your server with specific exploit payloads for specific vulnerabilities. These include old/outdated plugins and software.
2. Attempting to gain access to your blog by using “brute-force” password guessing.

By adding a 2nd layer of protection around these important files you force the attackers to have to break through that before they can even attempt to attack your main /wp-admin/. This protection uses Basic HTTP Authentication, the password is passed over the network uuencoded as plain text, not encrypted. The main benefit of this protection is in denying access to your servers files and alerting you to an attack against your blog before the attack reaches your /wp-admin/ doorstep.

The ultimate implementation of this “2nd layer” password protection is to require an HTTPS SSL encrypted connection for your /wp-admin/ directory, so that all communications and sensitive data is encrypted.

Securing wp-config.php

You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder. Note that wp-config.php can be stored ONE directory level above the WordPress (where wp-includes resides) installation. Also, make sure that only you (and the web server) can read this file (it generally means a 750 permission).

SSL Encryption Security

WordPress 2.6 and later has greatly improved support for Administration Over SSL out of the box.

Plugins

First of all, make sure your plugins are always updated. Also, if you are not using a specific plugin, make sure to delete it from the system.

Security Plugins

The WP Security Scan Plugin can be downloaded at WP Security Scan. While this helps tremendously to protect your WordPress installation, you still need to maintain good passwords, check plugins and themes before installing them, and keep good backups of your files and database in the event that you do get hacked.

Firewall Plugins

There are a few plugins that purport to screen out suspicious-looking requests based on rule databases and/or whitelists. BlogSecurity’s WPIDS plugin installs PHPIDS, a generic security layer for PHP applications, while WordPress Firewall uses some WordPress-tuned pre-configured rules along with a whitelist to screen out attacks without much configuration.

Plugins that need write access

If a plugin wants write access to your WordPress files and directories, please read the code to make sure it is legit or check with someone you trust. Possible places to check are the Support Forums and IRC Channel.

Code execution plugins

As we said, part of the goal of hardening WordPress is containing the damage done if there is a successful attack. Plugins which allow arbitrary PHP or other code to execute from entries in a database effectively magnify the possibility of damage in the event of a successful attack.

A way to avoid using such a plugin is to use custom page templates that call the function. Part of the security this affords is active only when you disallow file editing within WordPress.

Security through obscurity

Security through obscurity is typically thought to be an unsound primary strategy. However, there are areas in WordPress where obscuring information might help with security:

1. Rename the administrative account: On a new install you can simply create a new Administrative account and delete the default admin account. On an existing WordPress install you may rename the existing account in the MySQL command-line client with a command like update tableprefix_users set user_login='newuser' where user_login='admin';, or by using a MySQL frontend like phpMyAdmin.
2. Change the table_prefix: Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is “wp_,” the default. Changing this probably amounts to security by obscurity, but will block at least some SQL-injection attacks.
3. Do not advertise the WordPress version you are running: If you are running an old WordPress version with known vulnerabilities, it is unwise to display this information to the public. Why not simply hide the WordPress version entirely? Even if you update packages as quickly as you can, there will be lag between the version release and your deployment, potentially enough time for a malicious person to carry out an attack. However, editing out all the places where WordPress advertises its version string (e.g., <meta name=”generator” content=”WordPress 2.9″ /> in every page) in your theme can be a pain. It is still best to make sure you are running the latest WordPress version. An easier way to do this is with the Replace WP-Version, Secure WordPress, or WP-Secure Remove WordPress Version plugins. If you want to remove this line without a plugin, you can simply add <?php remove_action('wp_head', 'wp_generator'); ?> to your theme’s function.php file. Please Note: This does NOT prevent WordPress exploits being attempted against your site, as modern worms ignore the version in their exploit attempts (Note: There are many ways of determining the WordPress version a site uses, the “generator” is a rarely used method.)

Data backups

Backup your data regularly, including your MySQL databases (see Backing Up Your Database). Data integrity is critical for trusted backups. Encrypting the backup, keeping an independent record of MD5 hashes for each backup file, and/or placing backups on read-only media (such as CD-R) increases your confidence that your data has not been tampered with.

A sound backup strategy could include keeping a set of regularly-timed snapshots of your entire WordPress installation (including WordPress core files and your database) in a trusted location. Imagine a site that makes weekly snapshots. Such a strategy means that if a site is compromised on May 1st but the compromise is not detected until May 12th, the site owner will have pre-compromise backups that can help in rebuilding the site and possibly even post-compromise backups which will aid in determining how the site was compromised.

Logging

It is possible to log all $POST variables sent to WordPress. Standard Apache logs do not offer much help with dealing with security forensics.

• Mod_Security – Logs and Prevents using Apache

Monitoring

Sometimes prevention is not enough and you may still be hacked. That’s why intrusion detection/monitoring is very important. It will allow you to react faster, find out what happened and recover your blog back in place.

Monitoring your logs

If you are on a private server (where you have admin access), you have to watch your logs to detect password guessing attempts, web attacks, etc. A good open source solution to monitor your logs in real time and block the attacker is OSSEC.

Monitoring your files for changes

When an attack happens, it always leave traces. Either on the logs or on the file system (new files, files modified, etc). If you are using http://www.ossec.net OSSEC] that we recommended above, it will monitor your files and alert when they change as well. You can also use the open sourceTripwire to alert on file changes.

Monitoring your web server externally for malware and changes

If the attacker tries to deface your site or add malware, you can also detect these changes by using a web-based integrity monitor solution.

SOURCE – http://codex.wordpress.org/Hardening_WordPress

Arm your vuvuzelas: WordPress 3.0, the thirteenth major release of WordPress and the culmination of half a year of work by 218 contributors, is now available for download (or upgrade within your dashboard). Major new features in this release include a sexy new default theme called Twenty Ten. Theme developers have new APIs that allow them to easily implement custom backgrounds, headers, shortlinks, menus (no more file editing), post types, and taxonomies. Developers and network admins will appreciate the long-awaited merge of MU and WordPress, creating the new multi-site functionality which makes it possible to run one blog or ten million from the same installation. As a user, you will love the new lighter interface, the contextual help on every screen, the 1,217 bug fixes and feature enhancements, bulk updates so you can upgrade 15 plugins at once with a single click, and blah blah blah just watch the video. (In HD, if you can, so you can to catch the Easter eggs.)

If you’d like to embed the WordPress 3.0 video tour in your blog, copy and paste this code for the high quality version:
view plaincopy to clipboardprint?

For a more comprehensive look at everything that has improved in 3.0 check out 3.0’s Codex page or the long list of issues in Trac. (We’re trying to keep these announcement posts shorter.) Whew! That’s a lot packed into one release. I can’t think of a better way to kick off the 3.X cycle we’ll be in for the next two and a half years.
The Future

Normally this is where I’d say we’re about to start work on 3.1, but we’re actually not. We’re going to take a release cycle off to focus on all of the things around WordPress. The growth of the community has been breathtaking, including over 10.3 million downloads of version 2.9, but so much of our effort has been focused on the core software it hasn’t left much time for anything else. Over the next three months we’re going to split into ninja/pirate teams focused on different areas of the around-WordPress experience, including the showcase, Codex, forums, profiles, update and compatibility APIs, theme directory, plugin directory, mailing lists, core plugins, wordcamp.org… the possibilities are endless. The goal of the teams isn’t going to be to make things perfect all at once, just better than they are today. We think this investment of time will give us a much stronger infrastructure to grow WordPress.org for the many tens of millions of users that will join us during the 3.X release cycle.

WordPress is the preferred platform for any kind of site, including online business sites. It is true that there are special ecommerce platforms, such as osCommerce but even for ecommerce sites many people prefer WordPress. WordPress is extremely reliable and this is one of the reasons to why so many web masters prefer to have their online business on it.

However, reliability is just one of the many reasons as to why WordPress is the best platform for your online business. If you choose a reliable WordPress hosting plan, it is, of course, even better. There are many web hosting guides, for instance Web Hosting Search, where you can find the latest information about which WordPress hosts that are the most reliable and which aren’t. (more…)