12 tips and tricks to enhance Joomla Security

1. Backup data
Take time to make a troubleshooting plan before your site visited by hackers. You always remember: “Backup early and often” to protect your data. This gives you the certainty that if something goes wrong with your Joomla website, you can restore it at any time you want. Then you only need to find vulnerabilities on a website.
2. Update Joomla
If your website is running Joomla 1.0 or 1.5, you should upgrade to Joomla 2.5 or 3.0. In the higher versions, there are many security improvements in the core elements of the application. However, you should do with caution “always backup your Joomla before proceeding with the upgrade”. For more information, you can check Joomla tutorial.
3. Careful management of installed extensions.
The extension of third-party make Joomla extremely popular, but it’s also a way to enter your website. In addition, you need to update regularly for each different extension. So, you should consider that expansion is really necessary.
Make sure the following steps:
– Run code review for any extension used.
– Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.
– Update and patch for extensions when it’s necessary.
Remember that an extension, which isn’t safe, can be harmful to your entire website.
4. Remove unused files.
You install many extensions, but don’t use them? This is not only a weakness but also garbage for your website. Please use the uninstall function to totally get rid of the extension to avoid trouble.
5. Password protection:
The hacker usually attacks on weak passwords. You should regularly change your password and use all: uppercase, lowercase, special characters, numbers.
The database is very important. The SQL injection attack or any other attack on the database can make your effort lost. Make sure that your database access is protected at MySQL.
6. Use URLs search engine friendly:
Always use URLs search engine friendly. This not only improved the website’s Google ranking but also prevent hackers exploit to use Google’s search results.
7. Change URL for administration security.
Standard Joomla address is http://www.yoursite.com/administrator. In order to secure your site against attack, you can rename it to be something like http://www.yoursite.com/administrator?wewroi4459
8. Remove version number, name of extensions.
Most of vulnerabilities only occur in a specific release of a specific extension. This is why you should remove the information about the version number of any extension is installed. Remove the version number may prevent an attack before it can happen.
Showing My Extension version 2.5 is really bad thing. You can modify this message with only the name of the extension by doing the following:
– Retrieve all files of the extension from your server
– Open up Dreamweaver.
– Load any file from the extension that you just downloaded to your local machine
– Use the Search function and set the search to Search through specified folder. Navigate to the folder where you downloaded the exploit.
– Set the search term to “My Extension version 2.5” and press OK.
– When found the correct file, remove the version number.
– Upload the changed file to your server and check if the changes are made.
9. Use the correct CHMOD for each folder and file
Setting files or folders to a CHMOD of 777 or 707 is only necessary when a script needs to write to that file or directory. All other files should have the following configuration:
• PHP files: 644
• Config files: 666
• Other folders: 755
10. Change your .htaccess file:
########## Begin - Rewrite rules to block out some common exploits
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
# Block out any script that includes a < script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) [OR]
# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
RewriteCond %{QUERY_STRING} CONFIG_EXT([|%20|%5B).*= [NC,OR]
# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard)
RewriteCond %{QUERY_STRING} sbp(=|%20|%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|%20|%3D)
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
########## End - Rewrite rules to block out some common exploits

11. Turn off Register_globals
You should turn off Register_globals, however, you must know that it can disable PHP script to work and maybe affect other programs that you are using on the website.
To make it, you just edit the php.ini file in the root directory of your domain name.
12. Review and action Security Checklist:
These checklists will point you in the right direction and inform you of typical security. So, make sure you went through all of the steps.

Highlight Author’s Comment in wordpress

Have you ever seen this on blogs where author’s comments are distinguished from other comments? Well this is a simple and easy trick.

First you need to open your style.css in your template folder and add the following:

.authorstyle { background-color: #B3FFCC !important; }

This will show you Highlight Comment background color
Then you need to open your comments.php which is also located in your themes folder and find the code that looks some what like this:

<li <?php echo $oddcomment; ?>id="comment-<?php comment_ID() ?>"></li>

Replace it with:

<li class="<?php if ($comment->user_id == 1) $oddcomment = "authorstyle"; echo $oddcomment; ?>"></li>

Note you must change 1 to the user id of the author. Once you do this, your blog comments will have a different background for the author’s comment compared to the rest.

How to Display Relative Dates in WordPress

posted on June 30th 2013 (10 minutes ago)

Have you ever seen this in blog posts and comments and wondered how did this blogger manage to do this? Actually it is pretty easy.

You would need to download a plugin called WP-Relative Date

Once you have downloaded and activated the plugin, look in your single.php, index.php, and page.php for this code:

<?php the_date(); ?>

Replace it with:

<?php relative_post_the_date(); ?>

How to Create a Page that Displays Random Posts

Have you ever been to a site and saw this cool feature? They have a link in their top navigation to something like Stumbe! or Read Random Articles, or some other creative text. When you click on that link, it takes you to a page that displays one random page. Each time you refresh, you are delivered with a new post. Well this trick is just for you then.
create a custom page template. And simply paste this code in there:

query_posts(array('orderby' => 'rand', 'showposts' => 1));
if (have_posts()) :
while (have_posts()) : the_post(); ?>

<h1><a href="<?php the_permalink() ?>"><?php the_title(); ?></a></h1>

<?php the_content(); ?>

<?php endwhile;
endif; ?>

Now create new page and your page name from right side
This is a simple WordPress Loop that is running a query to display random posts and the number 1 in there is telling WordPress to only show 1 post. You can change that number, but most of the time people do it one post a time.

5 Essential WordPress Tips for Beginners


1. Schedule Blog Posts for the Future

The majority of bloggers try to follow a publishing schedule. They post once a month, once a week or once a day. In WordPress, you can schedule posts to go live at a particular time and date, so you don’t need to be at your computer (or even awake) when the post goes live. Here’s how.

In the WordPress backend, go to the Edit screen for the post you wish to schedule.

1. In the top-right of the page, look for a box titled “Publish,” where you’ll find an option that reads “Publish immediately.”
2. Click the blue “Edit” text next to “Publish immediately” and choose the month, date, year and time you want your post to be published. Remember to use military time (3:00 p.m. would be 15:00).
3. Click the gray “OK” button.
4. The “Publish immediately” text should now change to “Schedule for,” with whatever date and time you have chosen.
5. If you’re ready to go, click the blue “Schedule” button (formerly “Publish”). Your post is set to go.

2. Change Your Page and Blog Post URLs

WordPress generally does a good job creating URLs for your pages or posts, but sometimes you’ll need to adjust.  Here are the most common instances you’ll want to change URLs.

1. Your page or post URL contains special characters like %, &, $, @, or *. These characters make it difficult for search engines to read and can be problematic for browsers, potentially preventing some of your pages from loading.
2. Your post or page title is really long and contains words not optimized for search.  For example, if we write a post called “Helping Kids Find a Home or Shelter in St. Louis, Missouri,” WordPress may automatically generate this URL: “helping-kids-find-a-home-or-shelter-in-st-louis-missouri.”  Search engines prefer shorter URLs, so it’s worth removing words that won’t help the post’s or page’s ranking.  Search engines also prefer that high-ranking keywords appear at the beginning of URLs.  In the example above, if we want to rank for the phrase “homes for kids in St. Louis” we may want to adjust the URL to read “kids-find-homes-st-louis”.

If you notice that your new page or post URL doesn’t match one of the two cases listed above, here’s how to change it.

1. In the WordPress backend, go to the Edit screen for the post or page you wish to edit.
2. Just below the title, click the gray “Edit” button next to the permalink. If instead of “Edit,” you see a button that says “Change Permalinks,” Click that button and click the “Post name” radio button on the “Permalink Settings” page. Then click the blue “Save Changes” button. Go back to the post or page you wish to edit and you should see the “Edit” button.
3. When you click “Edit,”, the URL will change to a text box, ready for you to alter. Remove special characters and any words that could hurt your search engine rankings.  That means generic words like “a,” “or,” “in” and “the.”  As mentioned above, we might change “helping-kids-find-a-home-or-shelter-in-st-louis-missouri” to “kids-find-homes-st-louis”.  Make sure you also separate each word with a dash (-).
4. Click the gray “OK” button.
5. Click the blue “Publish” or “Update” button to save your changes.

Note: it’s not good practice to change permalinks after the post or page has already been published. Once your page or post is live, people might share it, link to it, email it or even write it down. WordPress usually excels at forwarding links, but it isn’t always 100% effective, and forwarding can hurt your search rankings.

3. WordPress Editor Tips

If you manage a blog or write content, you’ve probably used the WordPress editor a fair amount. But many people haven’t realized its full potential.  Try out the tips below to speed up your workflow and eliminate misspellings and website styling issues.

Spellcheck in the WordPress Editor

This is a simple step that many people miss.  If you want to spellcheck your content while you work or just before publishing, click the button that has a checkmark with the letters “ABC” at the top.  If you aren’t writing in English, you can choose your language using the drop-down arrow next to “ABC.”

Remove Formatting from Copied Text

Sometimes you copy text from Microsoft Word and, even though you’re using the “Paste from Word” button (a clipboard with a “W” on it), the text still doesn’t look quite right. It might be the wrong color or size. In any case, a button exists specifically for removing formatting from outside sources. To use it, follow these steps:

1. The “Show/Hide Kitchen Sink” button pictures boxes with different-colored squares and rectangles. Click it to show a second row of buttons.
2. Highlight the incorrectly formatted text.
3. Click the “Remove Formatting” button. This button features a white eraser that turns pink when you hover over it. That should do the trick.

Shift + Return Creates a Line Break

Sometimes when you’re working in the WordPress editor, you want to create a single line break — not a paragraph break with a gap between the two lines, but a single line break in which the lines are closer together. To do that, just hold the Shift key and hit Return. That’s it. Adding your organization’s address to your contact page just got a lot easier.

Use WordPress Keyboard Shortcuts

I’m sure you use Control + C and Control + V to copy and paste all the time. But most people don’t know the WordPress editor also has shortcut keys, and if you’re working in the editor a fair amount, they can save you a lot of time. Here are some of the best shortcuts to try out. (Mac users: Use the Command key instead of the Control key.)

Bold: Control + B
Underline: Control + U
Italic: Control + I
Heading 1: Control + 1
Heading 2: Control + 2
Heading 3: Control + 3
Heading 4: Control + 4

For a full list of WordPress “Hotkeys,” click the “Help” button with the question mark on the WordPress editor, then click the “Hotkeys” tab.

4. Easily Embed Videos, Tweets and Other Media

Many people don’t know WordPress can easily embed content from popular websites like YouTube, Vimeo, Twitter, Hulu, Flickr and Viddler.  Read on to find out how.

1. Put your cursor wherever you want to insert the video, image, tweet or other type of media.  The media will insert wherever you place the cursor.
2. Go to the media’s source site and copy the URL for the media you’d like to insert. For instance, I might go to this YouTube video and just copy the URL from the top of my browser.


3. Now go back to the WordPress editor and paste the URL into the main content area of the page.  Make sure it’s on its own line and don’t try to right- or center-align it. This will cause it to display incorrectly. The editor will only show you the URL, but when you view the post, WordPress embeds the media.
4. If the URL you pasted appears in the main content area of the editor as a blue link, you need to unlink it. Click within the URL text, then click the broken link icon at the top of the main content area. The text should unlink.
5. Click the gray “Preview Changes” button on the top-right of the page to make sure the media has embedded correctly. You’ll see the YouTube video we embedded now displays within our content.
6. If your media shows up correctly during your preview, go back to the editor and click the blue “Update” or “Publish” button to make the media live on your website.  If the sizing of the embedded media looks off, you may need to adjust the media settings.

If you’re not sure you can embed from a specific site, check out the WordPress Embeds page for a full list.

5. Change Blog Post Authors Simply

If multiple people write for your site, but you’re the only one publishing, you’ll notice your username shows as the author for every post. For a lot of WordPress users, the ability to change post authors is hidden by default. Follow these simple steps to change authors for your WordPress posts.

1. Go to the Edit screen for the blog post that need an author change.
2. In the top-right of the page, click the “Screen Options” tab and a list of options will drop down.
3. Check the box that says “Author.”  A new box on the page should display, titled “Author” and containing a drop-down box to choose the author of the post.
4. Select the author from the drop-down list.  If she isn’t listed, you may need to add her as a user.
5. Click the blue “Publish” or “Update” button to save the post under the new author.

WordPress has tons of other great features you might not know about, but people constantly miss the ones above. Do any of these features stand out?  Are there any tips you think should have been included here?  Share your expertise in the comments.

WordPress Theme Frameworks And Starting Resources

1.Thematic, A WordPress Theme Framework

Thematic is a free, open-source, highly extensible, search-engine optimized WordPress Theme Framework featuring 13 widget-ready areas, grid-based layout samples, styling for popular plugins, and a whole community behind it. It’s perfect for beginner bloggers and WordPress development professionals.


Live Demo

2. Whiteboard

This is one of the oldest WordPress frameworks, which has been prolonging the life of designers around the world since 2008. It boasts a clean, well-structured, as well as standards compliant code base, and offers more dynamic classes and IDs than most other free and commercial frameworks. Whiteboard includes the Less CSS adaptive grid system which allows creating mobile-ready websites in a snap.

Whiteboard features:

Widest choice of dynamic classes and IDs
HTML5 and CSS3 with seamless degradation
Lightweight and well-structured code
Supports menu, background, and header management, several widget areas, etc
Easy to remove unneeded parts
Built-in Less framework for full mobile support

Compliant with WordPress development standards
Compatible with older ( – Cross-browser compatible
Search engine optimized
Supports multi-lingual capabilities
Open source

Whiteboard weaker points:

Available documentation is quite shallow

Especially recommended for:

Experienced ones who like to feel independent.

whiteboardLive Demo

3. Underscores

Based on the popular Toolbox theme, the Underscores, or _s framework is the product of 1000+ hours of testing plus the collective experience of the Automattic team – the guys behind the WordPress software itself. Underscores comes with a multitude of neat features such as sample theme options panel, custom template tags, several pre-formatted layouts, custom header implementation, and useful add-ons called “tweaks” that can be activated easily through the functions.php file.

Underscores features:

  • Backed by the experience of the WordPress creators
  • Minimalist and well-commented templates
  • Standards-compliant HTML5 and CSS3 code
  • Easy to add and remove capabilities
  • Custom header implementation
  • Custom template tags to optimize your code and prevent duplication
  • Sample theme options panel
  • Custom add-on functions, or “tweaks”
  • 5 ready-made CSS-based layouts
  • Mobile-friendly, with smartphone-optimized drop-down menus
  • Open source
  • Theme creator and showcase at Underscores.me

Underscores weaker points:

  • Not recommended to use as a parent theme

Especially recommended for:

Fans of Automatic who like to showcase  their creations

underscoreLive Demo

4. Theme Hybrid

hybredLive Demo

5.Gantry Framework

gantryLive Demo

How to create new widget area in wordpress

Examples of multiple widget-capable areas:


if (function_exists('register_sidebar')) {
		'name'=> 'Top Tabs',
		'id' => 'top_tabs',
		'before_widget' => '<li id="%1$s" class="widget %2$s">',
		'after_widget' => '</li>',
		'before_title' => '<h2 class="offscreen">',
		'after_title' => '</h2>',
		'name'=> 'Top Sidebar',
		'id' => 'top_sidebar',
		'before_widget' => '<li id="%1$s" class="widget %2$s">',
		'after_widget' => '</li>',
		'before_title' => '<h3>',
		'after_title' => '</h3>',
		'name'=> 'Left Sidebar',
		'id' => 'left_sidebar',
		'before_widget' => '<li id="%1$s" class="widget %2$s">',
		'after_widget' => '</li>',
		'before_title' => '<h3>',
		'after_title' => '</h3>',
		'name'=> 'Right Sidebar',
		'id' => 'right_sidebar',
		'before_widget' => '<li id="%1$s" class="widget %2$s">',
		'after_widget' => '</li>',
		'before_title' => '<h3>',
		'after_title' => '</h3>',


<!--?<span class="hiddenSpellError" pre=""-->php if (!function_exists('dynamic_sidebar') || !dynamic_sidebar('Right Sidebar')) : ?>
[ do default stuff if no widgets ]
<!--?<span class="hiddenSpellError" pre=""-->php endif; ?>


<?php if (!function_exists('dynamic_sidebar') || !dynamic_sidebar('Left Sidebar')) : ?>
[ do default stuff if no widgets ]
<!--?php <span class="hiddenSpellError" pre="php "-->endif; ?>