it checks the security of your wordpress installation.

WPScan is a vulnerability scanner which checks the security of WordPress installations using a black box approach.

Details
Username enumeration (from author querystring and location header)
Weak password cracking (multithreaded)
Version enumeration (from generator meta tag)
Vulnerability enumeration (based on version)
Plugin enumeration (2220 most popular by default)
Plugin vulnerability enumeration (based on version) (todo)
Plugin enumeration list generation
Other misc WordPress checks (theme name, dir listing, …)

http://code.google.com/p/wpscan/

wpscan is included in backtrack5 r1
if you dont have it then you can do

sudo apt-get install wpscan

to install it

COMMANDS

–url (The WordPress URL/domain to scan.)

–version (Only do version enumeration.)

–wordlist (Supply a wordlist for the password bruter and do the brute.)

–threads (The number of threads to use when multi-threading requests.)

–username (Only brute force the supplied username.)

–generate_plugin_list (Generate a new data/plugins.txt file.)

-v (Verbose output.)

EXAMPLES

Do ‘non-intrusive’ checks…

ruby wpscan.rb –url www.example.com

Only do version enumeration…

ruby wpscan.rb –url www.example.com –version

Do wordlist password brute force on enumerated users using 50 threads…

ruby wpscan.rb –url www.example.com –wordlist darkc0de.lst –threads 50

Do wordlist password brute force on the ‘admin’ username only…

ruby wpscan.rb –url www.example.com –wordlist darkc0de.lst –username admin

Generate a new ‘most popular’ plugin list… ruby ./wpscan.rb –generate_plugin_list 150

go to your self hosted wordpress admin
goto plugins > add new
search for ‘jetpack’
install it.

you have to connect it to a wordpress.com account [it will let you register a new one if you need to]
once its connected then your site stats will be saved on wordpress.com servers, so it doesnt bog down your database

if you use the iOS apps for ipad and iphone then you will be able to see site stats on your iOS device too :)

you will need to add in the following meta tag

facebook will then use the appropriate image.

there are plenty of open graph meta tags to use

see this page on facebook for more

you need to install the ‘Syntax Highlighter MT 2.0′ plugin

• goto the wp-admin
• goto plugins > install new
• search for ‘Syntax Highlighter MT 2.0′
• install it.

to highlight code in the front end you can use a

or a

tag

tags are the prefered way, as they degrade nicely

just use class=”brush:html” for html code and class=”brush:php” for php code, etc

see full instructions here

http://www.megatome.com/syntaxhighlighter/

1) you can enable key only logins.
2) you dont need to type [or remember] passwords

you will need two machines:

• yourhost.com – the remote machine that you want to log in to
• yourmachine – your local machine that you want to log into yourhost.com from

on yourmachine

• in a terminal type: ssh-keygen

it will ask you a few questions and will ask for a password. you could enter one, or you could leave it blank. if you are on a mac it will remember what ever you use, so its probably best to use a password..

once it has generated a key you need to

• add to the file ~/.ssh/config

• Host yourhost.com
  User username
  IdentityFile ~/.ssh/id_rsa
  

• the last line should be the name of the file you created above.

at this point you are done with yourmanchine.

• log into yourhost.com
• copy the content of the file id_rsa.pub from yourmachine to the .ssh/authorized_keys file on yourmachine.com

you should now be able to log into yourhost.com without entering the passwords!

ssh yourhost.com

if you run into problems then try

ssh -v yourhost.com

to see debug info

basically, it wont generate a comment when someone links to your article, and it wont tell anyone when you link to theirs, but by doing that it removes all the communication involved, and that makes your site go faster!

• goto settings -> discussion
• untick ‘Attempt to notify any blogs linked to from the article.’
• untick ‘Allow link notifications from other blogs (pingbacks and trackbacks.)’

done.

removing unused css will help your stylesheets load faster which, in turn will help your site load faster.

there are several ways to do this.

one way is to use a firefox extension : dust me selectors it can take a sitemap.xml and can scan your entire site. it will show you all the unused css from your stylesheet.

there are other ways:

unused-css.com will take your url and will scan it and will output the css file with the unused css already removed! – by default it only scans the homepage, but if you provide it with an email address then it will scan your entire site and will mail you the results and the clean css file!

html source is already highlighted if you right click and view source, but this adds another dimension

Syntaxtic! by andrew.j.matheny

bounce rate is a tricky one – if you have an ecommerce site, then bounce is when people dont go to your checkout, or if they do go to your checkout then dont complete it.

for a blog its a different thing.

generally people will find your site and will read one page. then they will go away.
google counts this as a bounce because they dont go to more than one page, but if they have read your article then its not a bounce, thats what you need to fix.

once you have analytics installed on your blog and you can track visitors then you will notice that bounce rates are very high.

the way to fix this is:

at the very bottom of your footer code add the following javascript

setTimeout(
    '_gaq.push(
         [\'_trackEvent\',
          \'NoBounce\',
          \'Over 10 seconds\']
     )',
    10000
);

inside a script tag.

this will tell google after 10 seconds not to count the page as a bounce.
basically it will show bounces as ‘people who leave before ten seconds’ which is a much better and more meaningful metric for a blog.

but i wanted a way to stop the bots being able to register.
I also wanted a way to remove all of the old [inactive spambot] accounts.

so here are two wordpress recommendations

wordpress user spam remover
- automatically deletes inactive [never used] accounts older than the specified number of days
it removed 14000 accounts from my site :|
and

wordpress reCaptcha
it adds a recaptcha to the signup, comment and login boxes.
it might make real people less willing to comment, but it also makes spambots bork.