Tags Archives: Wordpress

How To Create an HTML Flatfile Instance of a Website

To create an HTML flatfile replica of the WordPress website https://kevwells.com, the challenge was to get the output of the PHP content files as HTML.



This problem was resolved in the following way:



Launch an instance of the PHP built-in web server on port 8080.

NOTE: this has to be executed from the top of the website document folder tree, i.e. in /var/www/html:



root@gemini:/var/www/html# php -S kevwells.com:8080
[Thu Jan 6 22:36:44 2022] PHP 7.4.3 Development Server (http://kevwells.com:8080) started




Then in another terminal window execute the wget command:



wget -r --mirror --page-requisites --convert-links -U mozilla -F http://kevwells.com:8080



NOTE: We do not use the wget “span hosts” option, otherwise it would also download all the external sites that are linked.

This then generates and downloads a static HTML flatfile instance of the website.

It can then be accessed from a web browser by using the URL file:///<filesystem location of the wget output>








The location folder must be made available first in NFS for clients to connect to.


Alternatively the html folder tree for the downloaded site can be  copied to any other machine and accessed locally from there.


This displays a file system based instance of the downloaded website.









This method downloads the website as flat HTML files; you access the site instance via the file:/// reference in the browser URL field.

In other words, it does not convert the internal website links to pages and posts into localhost-referenced links.

But it does mean you have a local instance of the site containing all the content as flat HTML files.


How To Replicate A WordPress Website From Server To Localhost

Replicating Website from https://kevwells.com to http://localhost on laptop.


First install Apache, MySQL/MariaDB and PHP on laptop.


Then create a database with the same name and connection/login credentials as on the kevwells.com server.



Next, install the WordPress Duplicator Plugin on kevwells.com on the server. We are using the Duplicator Lite (free version) not the paid for pro-version.


This has one drawback: the links within the website to https://kevwells.com cannot be changed using Duplicator, so we have to use other means to do this.


A further problem (not Duplicator related) is the use of https SSL/TLS on the kevwells.com server, while the localhost on the laptop uses http (http://localhost).




We were not able to convert the localhost instance to http.



This meant that when calling up http://localhost in the web browser, the link would automatically default to https and connect to the external public URL https://kevwells.com. This also meant we could not access the WordPress admin account on the localhost.


The only way around this problem was to temporarily change the configuration of kevwells.com from https to http, then perform the Duplicator export.



We would then be exporting http://kevwells.com to http://localhost and not https://kevwells.com.



This was possible.



This is done by modifying the sites-enabled file /etc/apache2/sites-enabled/kevwells.com.conf on the kevwells.com server:


The lines with a double hash sign (##) have been temporarily commented out for this purpose:

root@gemini:/etc/apache2/sites-enabled# cat kevwells.com.conf


<IfModule mod_ssl.c>
##<VirtualHost *:444>


<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.


ServerName kevwells.com


ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, …, trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn


ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined


# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with “a2disconf”.
#Include conf-available/serve-cgi-bin.conf


##Include /etc/letsencrypt/options-ssl-apache.conf


ServerAlias www.kevwells.com


SSLCertificateFile /etc/letsencrypt/live/kevwells.com/fullchain.pem
##SSLCertificateKeyFile /etc/letsencrypt/live/kevwells.com/privkey.pem




Then execute:


a2dissite kevwells.com.conf
systemctl reload apache2




a2ensite kevwells.com.conf
systemctl reload apache2


The site should now be operating in http mode instead of https.


After exporting the site using Duplicator, return the config to the original state and perform the a2dissite and a2ensite steps again. https service will then be restored.



The export file was 2.4GB in size. There is also an installer.php provided by the plugin specifically for this export file. You manually copy these two files to the laptop destination machine.


From there, these two files are moved to the root document folder of the website on the localhost, in this case /var/www/html.


The installer.php from Duplicator is then executed from a web browser:




Then follow the instructions from Duplicator installer.php in the browser display.


The process takes several minutes.



We then still had a problem with the links. Entering http://localhost would only display the home page of the site. All other pages were not accessible.


Further configuration was necessary.


In phpMyAdmin we changed the kevwells database table wp_options entries for siteurl and blogname from http://kevwells.com and kevwells.com to http://localhost and localhost respectively.


We then added






to wp-config.php


This file also has to contain the definitions for the database connections:

// ** MySQL settings - You can get this info from your web host ** //

/** The name of the database for WordPress */
define( 'DB_NAME', "kevwells" );

/** MySQL database username */
define( 'DB_USER', "wordpressuser" );

/** MySQL database password */
define( 'DB_PASSWORD', "*****" );

/* password is commented out here for security reasons */

/** MySQL hostname */
define( 'DB_HOST', "localhost" );



The .htaccess file is empty:


kevin@asus:/var/www/html$ cat .htaccess
# BEGIN WordPress
# The directives (lines) between “BEGIN WordPress” and “END WordPress” are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.

# END WordPresskevin@asus:/var/www/html$



We then installed a further WordPress plugin: Go Live Update Urls.

This is to change the URL site references within the website from http://kevwells.com to http://localhost.


However the content would still not display, although we could open the WordPress Admin for localhost successfully.


The solution was to open the Permalinks settings in WordPress Admin, change them from custom to plain, and save the settings.


The website then displayed correctly.


The only part of the content which gives a not found error is the pages (e.g. terms and conditions, disclaimer etc.); posts are OK.


We now have a static replica of the http://kevwells.com instance running on the laptop as http://localhost.
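WordPress keeps some option values as PHP-serialized strings whose s:N: prefix is a byte count, so the http://kevwells.com to http://localhost rewrite described above has to adjust those counts as well as the text. The following Python is an added example, not code from the original post or from the Go Live Update Urls plugin; the function names and the sample value are hypothetical, and it handles one level of serialization only.

```python
import re

OLD, NEW = b"http://kevwells.com", b"http://localhost"

# Header of a PHP-serialized string: s:<byte length>:"
STR_HEAD = re.compile(rb'(?<!\w)s:(\d+):"')

# Constructed sample of a serialized option value (not taken from the real site).
SAMPLE = (b'a:2:{s:4:"logo";s:47:"http://kevwells.com/wp-content/uploads/logo.png";'
          b's:5:"title";s:8:"Kevwells";}')


def lengths_ok(value: bytes) -> bool:
    """True if every s:N:"..." header is followed by exactly N bytes and '";'."""
    for m in STR_HEAD.finditer(value):
        end = m.end() + int(m.group(1))
        if value[end:end + 2] != b'";':
            return False
    return True


def replace_url(value: bytes, old: bytes = OLD, new: bytes = NEW) -> bytes:
    """Replace old with new and rewrite the length of each string that changed."""
    out, pos = [], 0
    while True:
        m = STR_HEAD.search(value, pos)
        if not m:
            break
        start = m.end()
        end = start + int(m.group(1))
        if value[end:end + 2] != b'";':
            # Looks like a header but the length does not line up: treat as plain text.
            out.append(value[pos:start].replace(old, new))
            pos = start
            continue
        out.append(value[pos:m.start()].replace(old, new))
        body = value[start:end].replace(old, new)
        out.append(b's:%d:"%s";' % (len(body), body))
        pos = end + 2
    # Anything left over (or a value that is not serialized at all) is plain text.
    out.append(value[pos:].replace(old, new))
    return b"".join(out)


if __name__ == "__main__":
    naive = SAMPLE.replace(OLD, NEW)
    print("plain replace keeps lengths valid:", lengths_ok(naive))
    fixed = replace_url(SAMPLE)
    print("length-aware replace keeps lengths valid:", lengths_ok(fixed))
    print(fixed.decode())
```
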



How To Secure WordPress Against Brute Force Password Attacks

There’s a worldwide hacker attack going on against many WordPress websites.

The attack is a so-called “brute force attack” which aims to test different password and admin user id combinations to try and gain access to your WordPress administration dashboard.

Then the attack installs a bot which is then used to launch attacks on other servers or else perform other illicit activity.


To help protect your site against this attack, you can add a secondary layer of administrator login security to WordPress sites.

To do this you basically create a .wpadmin file in the top home directory of your server system or in your server account home user area if you are on a shared server.

You then add a username and password pair, encrypt the password and then activate the security in the .htaccess file in your server space.

Here are the steps in detail:

(The following instructions are for server accounts that use cPanel, which is the most commonly used web-hosting account admin interface).

1. Create the .wpadmin file

Create a file with the name .wpadmin in your home directory. It’s important to name the file with the . (dot) before the file name, ie: .wpadmin.

eg. /home/username/.wpadmin
(“username” is your cPanel admin account username)

2. Create an encrypted password for a new user name/password combination.

The easiest way to do this is to use the htpasswd generator at htaccesstools.

Go to www.htaccesstools.com/htpasswd-generator and enter the user name you wish to use and the password.

Note this combination should NOT be the same as the ones you currently use, neither for your cPanel login, nor for any of your WordPress sites. It should be a totally new user name and password combination.

Make sure you note down temporarily (and securely) or at least don’t forget what you have entered. You’ll need to know this in order to login each time later.

The password generator will then output an encrypted version of the password you entered for the user name that you entered. Copy and paste this into the .wpadmin file you have just created. That’s all you need in the .wpadmin file.

Note that the .wpadmin file ONLY contains the user name (non-encrypted) and the encrypted version of your password. You do not add the non-encrypted version of the password.

Make sure you don’t forget the non-encrypted version of the password, else you won’t be able to log in!

For example:

user name: steve
non-encrypted password: abcdefg (by the way, a very poor password, so don’t ever use it. I’m just using it for the sake of this example)

The htpasswd generator will create something like this:

steve:gjodWDQ8944qfr

The field after the colon, in this case gjodWDQ8944qfr, is the encrypted version of the password abcdefg.

You enter this line into the .wpadmin file. Then save and close the file.

3. Finally, update the .htaccess file

Cut and paste the following lines into your /home/username/.htaccess file.

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user
</FilesMatch>

Make sure you substitute your own username in the line AuthUserFile /home/username/.wpadmin.

Your secondary login wall of defence is now complete.

From now on, when you want to access a WordPress Admin dashboard on your web server, it will first prompt you for the username and the (non-encrypted) password combination that you configured as above.

For example, in this case, that will be:

login: steve
password: abcdefg

It will then let you pass and direct you to the normal standard admin login for the WordPress site you requested. You then log yourself in on the WordPress dashboard as normal.

Note that if you have WordPress pages that are password-secured using the standard WordPress password protect functionality, then the above procedure will require you to perform the double login using your secondary username/password for these pages as well.

This may be a feature you are happy to live with – or it might be an irritation and complication that you’d rather not have.

In this case, you’ll have to weigh up the pros and cons of implementing this additional security versus the extra login overhead involved.
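Once the extra login layer is in place, every request to wp-login.php that arrives without valid credentials is answered with 401, and that shows up in the Apache access log. The following Python is an added example, not part of the original post: it assumes the "combined" log format, uses constructed sample lines, and the function name and the threshold of 3 are hypothetical. It reports which clients are hammering the login page and flags any request that reached wp-login.php without passing through the Basic authentication layer.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jan/2022:22:40:01 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "curl/7.68.0"',
    '203.0.113.7 - admin [06/Jan/2022:22:40:02 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "curl/7.68.0"',
    '203.0.113.7 - administrator [06/Jan/2022:22:40:03 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "curl/7.68.0"',
    '203.0.113.7 - root [06/Jan/2022:22:40:04 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "curl/7.68.0"',
    '203.0.113.7 - - [06/Jan/2022:22:40:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '198.51.100.20 - - [06/Jan/2022:22:41:10 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '198.51.100.20 - steve [06/Jan/2022:22:41:15 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '198.51.100.20 - steve [06/Jan/2022:22:41:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [06/Jan/2022:22:42:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "python-requests/2.25"',
]


def analyse_login_log(lines, threshold=3):
    """Summarise wp-login.php hits per client IP.

    Returns (per_ip, noisy, unprotected):
      per_ip       ip -> {"rejected": 401 count, "passed": count, "tried_users": set}
      noisy        sorted IPs with at least `threshold` rejected attempts
      unprotected  lines that reached wp-login.php with no Basic-auth user,
                   meaning the .htaccess layer was not applied to that request
    """
    per_ip = defaultdict(lambda: {"rejected": 0, "passed": 0, "tried_users": set()})
    unprotected = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        ip, user, status = m["ip"], m["user"], m["status"]
        if status == "401":
            # Stopped at the Basic-auth layer. Apache logs the user name that was
            # tried, if any; it is unauthenticated and only useful as a hint.
            per_ip[ip]["rejected"] += 1
            if user != "-":
                per_ip[ip]["tried_users"].add(user)
        elif status == "403":
            continue  # denied by some other rule, not a login attempt
        elif user == "-":
            unprotected.append(line)
        else:
            per_ip[ip]["passed"] += 1
    noisy = sorted(ip for ip, rec in per_ip.items() if rec["rejected"] >= threshold)
    return dict(per_ip), noisy, unprotected


if __name__ == "__main__":
    per_ip, noisy, unprotected = analyse_login_log(SAMPLE_LOG)
    for ip in noisy:
        rec = per_ip[ip]
        print(f"{ip}: {rec['rejected']} rejected, tried {sorted(rec['tried_users'])}")
    for line in unprotected:
        print("reached wp-login.php without Basic auth:", line.split()[0])
```

A single 401 per visit is normal, because a browser is challenged before it sends credentials; only repeated rejections from one address are worth attention.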




A Practical Guide To Basic WordPress Security

If you have a website for your business, then there’s a good chance it will be a WordPress website.

WordPress is a mature and secure Website Content Management System or CMS which is used by millions of websites all around the world.
But like all websites and webservers, WordPress can also be hacked and compromised by intruders if you don’t pay attention to basic security aspects. 


Website security is a complex area and to discuss all the aspects of web server security I would end up filling a whole book (perhaps I’ll write it one day).
What I’m going to do here is provide you with the essential and most important basics of WordPress security which will go a long way in providing you with an acceptable level of security for your website and which involve relatively low overhead from yourself to implement. 

The most common problem websites around the world face is attacks launched by so-called “script kiddies”.

Script kiddies are the most common, and fortunately also the least competent, type of computer hacker. They may indeed be “kids”, but are actually often adults, who rely on running freely available hacking tools and program scripts to try to identify and break into websites which have lax basic security.
These scripts and hacker tools look for websites which have weak administrator accounts and especially passwords, unpatched, bug-ridden or outdated WordPress plugins or databases, or web-hosting providers that have security holes in their systems.
The majority of successful break-ins occur simply through script-kiddie hackers finding and exploiting these weaknesses. 

So, what you need to do first of all is to make sure you eliminate these weaknesses from your website. 

Take A Look At Your Web-Hosting

First of all, take a look at your web-hosting. 

Make sure you are hosting your site with a web-hosting provider who takes web server security seriously. They should ensure that proper security measures are taken at all times and that their system and those of their customers are backed up properly and are properly protected against intruders. 

It’s especially important that operating system and web server system software is updated whenever new versions are released. This can usually close most security holes straight away.
The good news is that most web-hosting providers do look after their systems fairly well, but there are still some out there who are lax in this area.
The best advice is to check the reviews of your web-hosting provider to gauge what their level of reliability is like in practice. 

WordPress and Web-Hosting User Accounts

Always use secure passwords for both your Web-Hosting and your WordPress accounts.
There’s a lot that can be said about what makes for a secure password.
But basically a secure password follows these fundamental rules: 

  • The longer the password the better.
  • Use a combination of lower and uppercase letters, alphanumeric, and other characters such as hyphens, dots, dollar, hash, percentage signs and so on.
  • Use “nonsense” words – NEVER use a word from a dictionary.
  • Never reuse a password.
  • Never use the same password on more than one site.
  • Never write your passwords down on paper – and be careful about where you store them on your computer or online. DON’T store passwords in an email inbox.
  • Never use any password obviously based on some aspect of yourself or your business. That’s too easy to guess.
  • Use separate editor and administrator accounts for WordPress – with different passwords and user names for each.
  • Do not use obvious login names for your WordPress user accounts. Do not use “admin” or “administrator” names for your root or admin accounts for WordPress.
  • You can randomize your WordPress user account names for both administrator and editor accounts just as you can with the passwords. You can set the displayed editor name in your pages and posts to the one you want the public to see. Make sure your chosen randomized user names are not displayed as page or post authors.
  • Use a password storage and retrieval tool such as LastPass or Roboform. These tools also generate random, long and complex passwords for you on demand which are then encrypted and stored for you. They provide a local and an online instance of your own password database. Make sure you always remember your master password for your password database – and keep it safe.
  • If you can accept the extra inconvenience involved, add two-factor authentication to your login systems. These tend to involve an email or mobile phone check – sometimes even both.


WordPress Security Plugins

Install a couple of reputable WordPress security plugins on your site. There are a number of these available, but it’s best to stick to the most popular, proven, tried and tested security plugins. 

The two security plugins I recommend in most cases for WordPress websites are Bulletproof Security and WordFence. 

You can also install the Stealth Login Page Plugin which will add a second tier of security to your login procedure, requiring you to enter a previously set Authentication Code along with your user name and password when you want to login to your WordPress Dashboard. 

WordPress Themes

Only install WordPress themes from reliable theme design providers. I recommend taking a look at Woo Themes but there are also many other quality theme publishers.

Make sure you apply updates to the themes promptly as and when they become available.

WordPress Core Updates

Make sure that you also apply all WordPress Core Platform version updates immediately they become available. This can be crucial in ensuring that any new security exploit is prevented. 

WordPress Plugin Policy

Be careful when choosing your WordPress plugins. Plugins can contain bugs and vulnerabilities. It’s important that the plugin should be actively maintained by the developer so that bugs and security weaknesses can be resolved quickly. 

The best rule to follow with plugins is to use only as many as necessary and as few as possible. 

Access Policy

It’s best not to access your website’s WordPress dashboard through a public wi-fi system, because your user name and password can be intercepted by anyone using Internet sniffer software. A safer way to do this on a public wi-fi network is to use a trusted VPN service. 

WordPress and Server Backups

Finally, make sure you back up your website regularly. Your web server and your WordPress website, including the database, should all be separately backed up on a regular basis.

Always maintain more than one copy of your backups – and keep these backups on a separate machine and location to your web server. 

By following these basic security rules you will be able to thwart many of the attempts of hackers to attack and compromise your web server and your website. 



How To Install WordPress Plugins On Your Website

WordPress plugins are add-on modules which provide functions and features for your website.

Plugins are easy to install and most of them are free of charge.


Installing WordPress plugins is simple. Once you’ve downloaded your plugin, login to your WordPress Dashboard and click on the Plug-in -> Add New

The plugin then uploads to your site. For most plugins you also need to click on “activate” to switch on the plugin.

However, it’s very easy to get carried away and install a whole load of plugins, not all of which actually add much value to your site.

I recommend you don’t install too many plugins because this can lead to configuration conflicts and strange effects on your site which can be time-consuming and troublesome to debug.

In practice, there’s probably only a couple of dozen or so plugins at most that you will really need.

If you have problems with your site’s display or strange effects as a result of installing a plugin, then you may need to disable the plugin or remove it completely.

The best advice is to install the plugins one by one and check everything is working ok before you go on to install the next one.

Here Are Some Great “Must Have” WordPress Plugins

So, here’s a list of some of the plugins I use, some of which you might also find useful for your site.

All of these plugins are available free of charge via the WordPress.org site.

Akismet This is a comment spam protector that comes already built into WordPress. To activate it you need to obtain an “API key” from the WordPress.com site.

About Me 3000 This displays an info bio box on your sidebar with a photo.

AdRotate If your site carries advertising, then Adrotate is a really useful plugin which helps you manage and rotate your display and banner ads.

Bad Behavior This plugin denies automated spambots access to your site.

BulletProof Security This is a very robust plugin which protects your website against literally thousands of different hacking attempts.

Colorful Text Widgets This plugin displays a text box on your sidebar which you can use for whatever purpose you wish. To display an ad, a newsletter sign up box, information about your business, whatever.

EU Cookie Law This is a very useful plugin for websites based in the EU. It displays a popup bar on your site to inform users about the EU cookie law and so ensures that your website is compliant with EU cookie law.

Fast Secure Contact Form This is a very powerful form builder that enables your readers to send you email.

Find Me On The Find Me On sidebar widget displays icons for all of your social network profiles.

Google XML Sitemaps This plugin will generate a special XML sitemap which will help search engines to better index your site.

Open Web Analytics This is a traffic statistics plugin which is a viable alternative to using Google Analytics.

Permalinks Moved Permanently When permalink isn’t found, this checks if a post with the requested slug exists somewhere else on your site.

Post Ender A simple plugin to allow you to add a message footer at the end of every post.

Posts in Sidebar This plugin displays a list of posts in your sidebar.

ShareThis This plugin enables your visitors to share a post or page with others via e-mail and social media sites.

Smart Youtube PRO This plugin enables you to insert YouTube videos in your posts and pages.

Table of Contents Plus This plugin automatically creates a table of contents at the top of each of your posts.

TinyMCE Advanced Enables advanced features and plugins in TinyMCE, the visual editor in WordPress.

TinyMCE Spellcheck This adds a contextual spell, style, and grammar checker to WordPress.

Social Networks Auto-Poster This plugin automatically publishes posts from your site to your accounts on Facebook, Twitter, and Google+ profiles.

W3 Total Cache This plugin dramatically improves the speed and user experience of your site.

WordPress Database Backup This creates an on-demand backup of your WordPress database.

WordPress Editorial Calendar This plugin displays your posts in a calendar for easy management of your publishing schedule.

WordPress SEO This is about the best all-in-one SEO plugin for WordPress.

WP-SpamFree An extremely powerful anti-spam plugin that virtually eliminates comment spam.

WP125 This plugin enables you to manage 125×125 size ads from your WordPress Dashboard.

wp Time Machine (for Backups) Creates an archive of all your WordPress Data & Files and then stores them on Dropbox, Amazon S3, or your FTP host.

Yet Another Related Posts Plugin Adds related posts to your site and in RSS feeds, based on a powerful, customizable algorithm.

Where To Find WordPress Plugins

You can find all the plugins I’ve listed above at the official WordPress plugins page at wordpress.org/extend/plugins.

All the WordPress plugins mentioned are available free of charge.

