However, out of the box, WordPress installation can do much better when it comes to WordPress security. I suppose they have to limit the number of options available during installation to avoid confusing their users. The famous 5-minute install would not exist if otherwise.

At the very least, he random password generation for admin user makes your password hard to guess.

If you think about it, to be fair, much of the problem with security is due to lack of understanding on the user part.

Many people leave wp-config.php file world writable after installation. That means if they are on a shared hosting environment, with the wrong permission, their blog may be at risk.

Most bloggers only care about the ease of installation and only seek for help after an incident because there is lack of organized information on how to securely install WordPress or harden existing WordPress installation.

This article strives to fill the gap on the first part, i.e. installing WordPress in a secure manner. I’ll update this document regularly as I find new things. If your blog security is of importance to you, make sure you go through this carefully because security is like a chain. It is only as good as its weakest link.

Note that this setup doesn’t involve auditing or modifying WordPress core. You should think of these tips as workarounds or additional layer of security on top of your blog. Some of them use the principle of security through obscurity, which I recommend against for host-based security, but hopefully that discourages intruders and make them think your blog is not worth their efforts.

Disclaimer: There is no guarantee that by implementing these tips your blog will be immune. If your system is still vulnerable, and if crackers find new exploits through your blog or any other web apps, your blog may still be at risk. This article is written for educational purpose only.

1. Review Your MySQL Server Installation

First and foremost, if at all possible, you should bind your MySQL database only to localhost. Of course, you can’t do that if you have to serve your data outside of local machine.

By binding to loopback interface, only services on localhost will be able to connect to it. Alternatively, you may choose to communicate via UNIX domain socket.

This doesn’t prevent modification of your data through vulnerable web applications. You only prevent direct access to the database.

Shared hosting users won’t be able to modify server configuration used by their hosting company, but if you are on a VPS or dedicated server, this is something you should consider.

To apply this, you need to add or change the following line in my.cnf, specifically in the [mysqld] section. Location varies based on Linux distribution, but in Ubuntu it resides in /etc/mysql/my.cnf.

[mysqld]
bind-address=127.0.0.1

2. Create Your Database and Database User Properly

Let’s start from the beginning. Obviously many bloggers name their WordPress database wordpress or simply ‘wp’.

Although it doesn’t improve security that much, changing this name may obfuscate it a bit, so while you are at this just pick a name that is obvious to you but not to a complete stranger.

After all, you only need to know what it does, not what it is.


$ mysql -u root -p
Password: Enter your password
mysql> CREATE DATABASE example333;


The SQL command above creates a database with the name example333. You may name it to your domain or something else and add random numbers to it.

As part of the database creation process is to create a unique user for WordPress. Only that user (and of course root) is able to access that database with limited privilege to let WordPress operate properly.

The following SQL commands should allow WordPress to function and interact properly with MySQL.


mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER ON example333.* TO 'exuser129'@'localhost' IDENTIFIED BY 'yourpassword';


Note that I add random numbers to the database user and choose a strong password. You don’t have to remember either of these data once you hand them over to wp-config.php.

3. Configure wp-config.php Correctly

WordPress is now able to create and prompt for your database configuration during installation, if it possesses enough permission to do so.

While it is certainly an option, a few variables are leaved untouched, so in my opinion an easier way is to avoid it at all. Out of the box, WordPress includes a sample configuration file named wp-config-sample.php. You may copy or move the file over to wp-config.php and edit that.

This command presumes that your WordPress core files reside in your blog directory.


$ cd /your/path/to/wordpress
$ cp wp-config-sample.php wp-config.php
$ vi wp-config.php


Of course, change vi to your favorite text editor. You may also edit it on your desktop computer and upload it to your web server, or use the editor that comes with your hosting control panel.

The wp-config.php file looks like the following:

// ** MySQL settings ** //
define('DB_NAME', 'example333');    // The name of the database
define('DB_USER', 'exuser129');     // Your MySQL username
define('DB_PASSWORD', 'yourpassword'); // ...and password
define('DB_HOST', 'localhost');    // 99% chance you won't need to change this value
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
 
// Change each KEY to a different unique phrase.  You won't have to remember the phrases later,
// so make them long and complicated.  You can visit http://api.wordpress.org/secret-key/1.1/
// to get keys generated for you, or just make something up.  Each key should have a different phrase.
define('AUTH_KEY', 't0L3ORtzCQ(JR!hj6H1SWT-2W[>B?bf,)Cxz ]`x`)<j^}qH%Pks]nVbJyPl!miA');
define('SECURE_AUTH_KEY', 'q=\'|)\'GtsM[dE[I5~M3T`Y;xjm?Rhv4Qslkk|zq$r*kk@Z( ^(pha{]pqR(3g=yX');
define('LOGGED_IN_KEY', ')x=cc*FnmUkC;#idXzBFWq.SVSeCua-P||xhCF[fUb&/US6jW$*\"[|Snj31Cw[wI');
 
// You can have multiple installations in one database if you give each a unique prefix
$table_prefix  = 'ex3321j_';   // Only numbers, letters, and underscores please!

I’ve changed a few things there. In the first block, I modified the definition of various constants to match database and user that I created in the second step above. The second configuration block requires that you have three unique phrases. These will be used as salt for your blog cookies. Since WordPress 2.6, there are 3 unique phrases, used in different situations.

You may enter a few simple words here, but randomness may help. You can generate random phrases, including proper syntax for constant definitions by using WordPress secret key generation tool.

Finally, the third block allows you to define table prefix used by this WordPress installation within the database. With this option, you will be able to change the prefix so it is unique to this blog.

Some people have access to only one database and this option lets them have more than one WordPress blog inside a database.

In this demonstration, that is not our purpose though. Public exploits on the Internet often assume that the prefix of your WordPress table is wp_ so changing it may help.

Adding random characters and numbers as suffix is enough. I have purposefully leave ex intact because that is what I use for the database name. You may also use keep wp so you know they are WordPress tables.

4. Change Permission and Ownership for wp-config.php

If you copy wp-config.php, by default the permission of wp-config.php may be different from wp-config-sample.php.

Just to make sure, you should change it to 644 — read and write for owner, read for group, read for the world. Ownership of the file should be your username. In VPS or dedicated server, change it to root.

5. Check Permissions for Files and Directories

Especially if you copy your WordPress files from your other blog installation. Some bloggers may do this to copy the themes and plugins over to the new blog.

Make sure that your directory permission is not group or world writable. Use 755 as the permission for directories and 644 for files. If your web server, like Apache, supports suEXEC or similar, 644 is enough privilege for WordPress to change your files, so .htaccess and theme files may be modifiable already.

Otherwise, change the permission for certain set of files you want to grant write ability to 666. Don’t make this default permission though.

Once you’ve done this, go to your browser and start the installation process.

WordPress installation starts in


http;//example.com/blog/wp-admin/install.php


Of course, change example.com and blog appropriately.

Return to How to Blog for Fun and Profit.

Related posts:

• WordPress Security — Concerns and General Advice for Prevention
• How to Blog — Web Publishing for Fun and Profit
• WordPress 2.6 Released — Check the Compatibility Pages Before Updating!
• WordPress 2.5 vs. Movable Type 4.1: Which One is the Winner?
• Setup Twhirl — a Twitter Client Based on Adobe AIR (Week 3)

Although it is an apple to orange comparison, because WordPress is usually compared head to head with Drupal and Joomla, here is a comparison table showing statistical data of those content management systems:

From the table above, you notice that the more complex CMS solutions have larger number of vulnerabilities in recent years compared to WordPress. However, webmasters who use WordPress still should be worried about the figure.

Switching to Another Web Publishing Tool — A Solution?

I read on a public forum the other day (and on a few blogs too) people recommend against using WordPress for security reason. For them, WordPress is not worth the hassle just because it is vulnerable.

But let’s see it from a few standpoints. If you ask any web developers, they would agree that it can be very hard to make sure a group project of a decent size to be secure 100 percent. Also take into account the fact that WordPress gets very popular in recent years.

Perhaps a better analogy is to compare this situation with Firefox vs IE security debates. While it is believed Firefox is a better and more secure browser, it currently has a larger number of vulnerabilities than IE. The good news is, because Firefox is a community project which includes source code, fixes will be made available soon after exploits were found.

With the availability of source code, one would argue that it also makes it easier to locate points of attack.

Just like in Firefox, solution for WordPress problem is usually available in minutes, but news would spread weeks after that. Some bloggers are really fast, but most are still interested in the topic long after it appeared the first time.

Switching to another solution is a workaround at this point, in my opinion, because just because there was no report about one CMS doesn’t mean it is secure. Perhaps it has small user base that people have not discovered its vulnerabilities yet.

Add to the fact that it is actually possible to harden a WordPress installation if you take the time to do it. Is it worth it? Yes, I’d say. And if you consider the size of WordPress community, I think working on fixing and auditing security is more of an option than switching.

How to Secure Your WordPress Blog

This is the first of a series of planned articles on how to install WordPress and harden it if you already have a WordPress blog running.

It is not possible to cover the whole thing in one post, but if there are a few suggestions to keep you on the safe side, it would be:

• Increase your awareness. Subscribe to WordPress Development Blog. It should be on your list of feed so you are updated about recent development, including security issues.
• Update. WordPress takes only a few minutes to update, so spend some time at the end of the day to do so. I prefer to allocate some time in the weekend though. With update, I don’t mean just the core WordPress code, but also the plugins.
• Use supported themes. If you are not a theme designer, make sure you use a theme that is well supported so if there are problems you know who to run to for a solution.
• Backup often. There is no reason not to do so because you can easily schedule backups of your WordPress database and files. Be safe rather than sorry.

Even with these approaches, there is no guarantee you will never experience security breach related to your WordPress blog because there are always possibilities in finding new exploits. Hopefully, crackers who find your site more updated than other blogs will choose not to spend their time on your blog.

But if you have a fresh backup off-site, you can always update and restore your data.

Other articles:

• How to Install WordPress Securely

Return to How to Blog for Fun and Profit.

Related posts:

• WordPress Security — How to Install WordPress Securely
• WordPress 2.5 vs. Movable Type 4.1: Which One is the Winner?
• WordPress How-to — Tips and Tricks to Work with WordPress
• How to Blog — Web Publishing for Fun and Profit
• WordPress Plugins and Localizations

Trackback, pingback and refback are types of linkback. A linkback is a method for web authors and bloggers to obtain notifications when other bloggers link to one of their documents — and for the linking blogs to notify the linked blogs.

Basically, what they do is to let a blog notifies other blogs that it is linking to them. For the linked blogs, this allows them to track who is linking to them. As blogging is also communication tool, besides publishing, this feature lets bloggers establish a conversation with other bloggers beyond the comment form.

A blogger may extend a conversation to his/her blog and still the linked blogger will notice the conversation if s/he decides to click and check the linked blogs out — which s/he should.

A linked blog may choose to display the linking blogs in the comments area of the blog, hence producing a backlink to the originating blog too.

Trackbacks

A trackback is a mean to connect a post you made on your blog to a post on another blog. This keeps a link between both posts so people are able to refer back and forth between the documents.

This is like reciprocal linking, just that the linked page will display the link to the linking blog automatically in the comment area of the blog.

It used to be that a blogger has to enter the trackback link specific to the blog post in order for the linking blog software to send trackback ping to the destination. This is no longer necessary since Trackback specification version 1.1, which was released in October 2002.

Read the latest version of trackback specification.

Trackbacks is now capable of detecting specific tracback URL for a blog post automatically (called auto-discovery), but the destination blog should have support for that in each document. Each blog post has different trackback URL.

Pingbacks

Like trackbacks, pingbacks function the same but using an entirely different protocol. A pingback notifies the linked blog(s) that the originating blog is linking to it/them.

A pingback is essentially an XML-RPC request sent from one blog to another. Pingback is less prone to spam than trackback because when a blog receives a pingaback from another blog, it goes out and check the originating blog for the existence of a live incoming link.

That doesn’t mean it is impossible to send sping (spam ping) packet using pingback though because a forgery or page cloaking can be done on the fly.

Unlike trackback, pingback uses the blog’s XML-RPC URL to send pingback. This means it is the same every time.

You can view the pingback specification for complete information, but they are technical.

Refbacks

Refback is rarely used, but for the sake of completeness, I’ll include it on this post.

A refeback also allows a blogger to keep track of who is linking to, or referring to their articles. Instead of using a new protocol, refback uses HTTP referrer header to discover incoming links.

Referrer header is automatic with compliant web browsers. If you are on page A, click on a link on that page, the browser will request that page and put the URI to page A in the Referrer header.

As refbacks rely on the Referrer header information, the linked blog will not receive information unless someone actually clicks on the link to go to the linked page.

The linked blog may go out and extract relevant information such as the title, meta information and link text on the linking blog and alternatively displays the link on the page.

A check is usually necessary before this is done to avoid displaying links to web-based email and other URLs that is not publicly accessible.

Trackbacks vs. Pingbacks

Although they are very similar, both trackback and pingback use entirely different protocols. You may send trackback pings by inserting a trackback link in the trackbacks area in your blog software.

Pingback is done automatically by the supported blog software. If you have a link to another blog, it will send the pingback to the linked blog if you enable that option in your blog.

Pingback has simpler autodiscovery feature than trackback.

With trackback, the linking blog has to download the linked page and check for the RDF section that contains auto-discovery information. On the other hand, pingback discovers the URL to send pingbacks to in the HTTP header (the X-Pingback header) and in the header section of a HTML document.

The latter appears as:

How to Use Trackbacks and Pingbacks with WordPress

You can specify the trackback link of the post you lik to in the Trackbacks section on the new post page. WordPress will automatically send trackback ping to the specified URL.

If you choose to enable trackbacks and pingbacks, WordPress will auto-discover and send pingbacks to all blogs that are mentioned in your blog post. You can toggle this option by going to Settings → Discussion.

The option is named: Attempt to notify any blogs linked to from the article (slows down posting.)

You need to do nothing else besides that. I recommend you enable this option to encourage participation. Trackbacks and pingbacks are direct ways to let people know about links. They are not only useful to extend conversation but also build your network.

Even though I chose not to enable comments, I still enable this option so other bloggers may still notify me about their linking blog pages and discuss posted topics.

The Challenge: Pingback and Tracback Spam

Software are available that try to forge pingback and trackback pings so the linked blog believes the issuing blog actually links to the blog.

Because most blogs display the title and linking page, blog spammers may benefit from the direct referral traffic and/or search engine juice. The latter is true if the blog enables dofollow for tracbacks.

Just because your blog uses nofollow for comments and trackbacks doesn’t mean you will not get trackback spams though because such software run automatically, it cost nothing to send pingbacka and trackbacks to as many blogs as possible.

Fortunately, blog plugin such as Akismet filters most of these spam into the moderation queue and let the bloggers decide if they want to approve or delete those spam. It isn’t perfect but at least in my experience, it catches most trackback spam.

Here are a list of WordPress plugins that can help you control trackback and comment spam:

• Simple Trackback Validation. This plugin performs two checks to make sure a trackback is valid. First, it checks if the IP address of the trackback sender is equal to the IP address of the webserver the trackback URL is referring to. It also retrieves the page located at the URL included in the trackback to see if it links to your blog.
• Simple Spam Filter. This plugin examines trackback data. If it contains 5 or more links, bbcode style links, or spam words, and if the comment is very similar to previous comments, it will filter out the tracback.
• WP_PingPreserver. If you are annoyed with WordPress for losing pings because WordPress discards pings that come in too fast, this plugin can be of help.

Return to Blog Promotion — Tips to Get Traffic and Increase Readership.

Related posts:

• Blog Promotion — Tips to Get Traffic and Increase Readership
• Blog Marketing — Strategies That Will Change Your Business
• How to Start a Blog
• Thirty Day Challenge 2008 Action List
• Blog Scam — New Breed of Business Opportunity and Internet Scam

The idea of using plugin is a good one. If WordPress is about to include every single thing in its core, it would be a bloated piece of software, not to mention that it takes a lot of human resources and time to test it.

With the right design, plugin developers are able to write plugins to implement things that they expect WordPress to have.

Over the years of using WordPress, I’ve used hundreds of plugins in my various blogs and sites. Some of them were buggy while others were good. A few of them were excellent. Those that didn’t work as promised were uninstalled in a snap while at the same time I kept seeking for new plugins that were able to accomplish what I wanted.

Don’t get me wrong, until now I’m still testing out cool plugins but my adventure is far less bumpy than it used to be. Not that what I picked is best of the breed, but at least it does what it claims very well.

There are still many things WordPress can improve upon and if time permits I will even develop a few plugins in near future, but…

What this means is that you benefit from it.

If you have to setup a blog from scratch, at the very least you don’t have to be as adventurous as I was.

So without further ado, here is the list of plugins I use actively on my niche web sites.

(The list is sorted alphabetically, it has nothing to do with the importance of the plugins.)

© Feed

The ©Feed plugin extends the feed of your blog. You may include a digital fingerprint so you could detect content theft, display a report of stolen content on the dashboard, add comments in the feed, and show related posts.

Even if you don’t plan to use the other features, you should at least implement related posts in your feed to attract more visitors back to your blog.

Add Link Attribute

Blog, specifically a WordPress blog, is search engine friendly because of the way it links your posts and pages together. Search engines are able to crawl your pages easily and that increases your visibility in search engines.

The thing is, it is still not optimized to maximize PageRank flow on your web site.

Add Link Attribute plugin solves this problem. It lets you insert your own HTML tag attribute into any template function-generated links without having to rewrite those functions directly.

In other words, you could avoid having to edit the core source code just to modify certain tag and add an attribute.

“How is this useful?” I heard you ask.

Well, if you implement silos on your blog / site, you probably know it. For instance if you want to display and link to category pages but prevent PageRank to flow to those pages, you may add rel=nofollow attribute to the_category function so WordPress displays and links the categories accordingly but add nofollow too.

Add Signature

Add Sig plugin extends WordPress to allows you to add custom signature at the bottom of your posts.

If you’ve ever noticed the call to action at the end of every of my blog post, you didn’t think I add it to every post of mine manually, did you?

I like this idea because it allows me to change the call to action — or any signature content you want — without having to edit all the posts or modify the database.

The good thing is, you can even use HTML and CSS in your signatures. You may also use various variables to customize your signature to include login name, email address, and so on.

Advanced Excerpt

If you display excerpts on your category or search pages, you should know how it looks like by default. In certain WordPress themes, it seems like WP churns out junk.

The Advanced Excerpt comes to the rescue. This plugin adds several improvements to WordPress, especially on how it creates excerpts by default.

With it, you can keep HTML markup in the excerpt, trim the excerpt to a given length using character or word count, and customize the ellipsis character used for trimming. The result is neat-looking excerpt that enhances readability.

Akismet

Some people pronounce this as Askimet, but Akismet is a plugin that comes out of the box with every WordPress installation. It is not activated by default but if you use comments feature it should be.

Activation requires an API key, which you can obtain through WordPress.com. Although it sometimes has glitches and false negatives, I couldn’t be happier with such a free service.

Note: Commercial API keys are available at $5/month. It gives better priority and performance, among others. Consider that if your blog handles a lot of comment spam.

Another WordPress Meta Plugin

The Another WordPress Meta Plugin is considered obsolete, but I still prefer this to All in One SEO Pack because how I implement WordPress on BBU.

What I want from this plugin is the ability to add custom meta description to every post, which it does very well.

Broken Link Checker

This is one of those plugins that is a major time saver. Broken Link Checker notifies you — through a neat report in the Dashboard — when you have made a typo on your links, or when a page is deleted or moved.

Cleaning up your blog post from dead links not only enhances user experience but also overall site quality. While it is not proven that broken links may impact your search engine rankings negatively, if you think it from user experience standpoint, it could mean something.

Compact Monthly Archive

I have a mixed feeling about monthly and yearly archives. Unless your blog is a news site, I personally don’t think there is any value at all in time-based archives.

Readers who find an evergreen piece of content don’t care the time the post is done as long as it is there. I bet a few people remember when it was written, either. This is quite different for timely information though.

For people who want to keep it, or put it up just for the sake of keeping the blog tradition… here is a problem.

For blog who has been around for quite some time and the blogger posts to the blog actively, you may notice the list of archive pages gets way too long. Drop down menu to the rescue, but it is still less elegant that expected.

Compact Monthly Archive lets you customize your monthly archive so it is compact and consumes much less space.

Contact Form 7

Contact Form 7 manages multiple contact forms. You may customize the form and the mail contents flexibly with simple markup.

I’ve tested several contact form before. For simplicity and functionality, nothing beats Contact Form 7 and this is what I use for BBU.

Exec PHP

Simply put, the Exec-PHP executes PHP code in posts, pages and text widgets.

If you’d like to extend WordPress through custom programming, this plugin is an easy way for you to do exactly that. For instance, if you want the link in the sidebar widget to appear differently for current page, simple PHP command lets you do that.

Of course, you have to enable PHP with this plugin before you are able to execute code. In WordPress, this is disabled by default for security reason.

FeedBurner FeedSmith

Although I prefer this implementation on the web server side as redirects instead of at the plugin level, FeedBurner FeedSmith plugin provides a way to let you keep your feed URL while still using FeedBurner to get additional stats.

Why do you want to keep your feed URL? Because that means you don’t have to modify your theme to display the new FeedBurner feed and if you decide you want to switch to another feed service, you are able to do that easily.

Google XML Sitemaps

This plugin generates a XML-Sitemap compliant sitemap of your WordPress blog. The format generated is supported by Ask.com, Google, Yahoo and MSN Search.

The XML Sitemap format was introduced by Gogle in 2005 and was adopted by Yahoo, MSN Search and Ask in 2006. Although it is often referred to as Google Sitemaps, actually it is useful for other search engines as well.

If you use Google’s Webmaster console, this helps you generate XML-Sitemaps automatically.

No Self Pings

I find this plugin very helpful to keep my blog sane. No Self Pings prevents your WordPress blog from sending pings if you link to your other blog posts in the same blog.

Without this, it clutters your blog posts tremendously, especially if you aggressively link from one page to another. Personally, I think there is little value in knowing which posts from the same blog actually link to a post.

Permalink Redirect

Permalink Redirect plugin replies a 301 permanent redirect, if requested URI is different from the entry’s (or archive’s) permalink.

This is used to ensure there is only one URL associated with each blog entry.

I used to 301 redirect a post if it contains a trailing forward slash in the server redirect configuration, but it appears to me later that WordPress also shows a page for other incomplete URL as long as it knows which post specifically the browser wants.

In order to prevent duplicate content, this plugin is the answer. By permanently redirect it, you also take advantage of links other bloggers have mistakenly used to point to your blog post.

Related Posts

Out of the various RelatedPosts plugin out there, this is my favorite because it lets you display related posts as a sidebar widget.

Due to how my other blogs work, this is what I want, at least at the time I did research this was the only plugin that allows me to do that.

Search Everything

Using WordPress as content management often means pages are also flagship content. You want them to be included in search too when they are related to a search query.

Unfortunately, WordPress doesn’t provide this function, but Search Everything solves this problem. It increases the ability of the default WordPress Search, including options to search for pages, tags, categories, comments, excerpts, and more.

Simple Yearly Archive

If you’ve ever wanted to create a sitemap (not XML Sitemaps) out of your blog, this is the plugin that will help you do it.

With a bit of modification, I was able to create a custom page that display posts only from a specific year without creating a new template with the right PHP command. Combined with Exec-PHP, you don’t need to do that though because there are functions to support yearly archives already.

Simple Yearly Archive, while simple, is my preferred way to display blog archives.

Wikipedia nofollow

As you probably know, Wikipedia decides to add rel=”nofollow” attributes to every external web site. It stops transferring authorities to other web sites but at the same time keep all those good links for itself.

Link equity has to flow or otherwise search engines will not be able to calculate relevance objectively. And Wikipedia causes a dead end of the link flow. For that reason, I now implement Wikipedia nofollow plugin across all my blogs and sites.

WordPress Reports

If you’ve ever wanted to have a summary of Google Analytics report right in your Dashboard without having to log into your GA account, this is a neat plugin you should consider seriously.

WordPress Reports also includes the number of subscribers from FeedBurner so you are able to take a glance over the stats of your blog in one place.

WordPress Database Backup

I no longer use this plugin, but it can still be very useful for many bloggers out there. Basically WordPress Database Backup plugin allows you to backup your core WordPress database tables easily.

This is a best practice for every blogger who can’t afford to lose their work. Backup often. With this plugin, you don’t have a reason not to do that.

WP-Syntax

WP-Syntax uses GeSHI to support syntax highlighting in a wide range of popular languages. I use it in BBU not only to display nicely formatted code blocks in colors, but it also causes the blocks to display in the content column nicely.

Other useful features including the capability to start the first line at any number so you may create a representation of the code you quote precisely.

WP Super Cache

This plugin is able to save you when you have sudden surge of traffic, such as when your post is featured in Digg or Slashdot. WP Super Cache is an enhancement over the WP Cache plugin that efficiently returns static pages without executing any PHP code at all.

This plugin is smart enough to serve static page only to users who are not logged in, have not left a comment on the blog or who have not viewed a password protected post.

Return to WordPress How-to — Tips and Tricks to Work with WordPress.

Related posts:

• WordPress Plugins and Localizations
• WordPress How-to — Tips and Tricks to Work with WordPress
• WordPress 2.6 Released — Check the Compatibility Pages Before Updating!
• 6 Free Advertising Server Plugins for WordPress — Setup, Manage and Track Banner Ads
• Search Everything — A WordPress Plugin to Search Pages, Comments, and More

It seems like for everyone who tries to make money online, there is no fast track method to learn how to do it. Everyone has to go through the same process and learn the hard way. At least most people that I spoke to in the past have more or less the same experience.

Heck, I was in the same shoes not so long ago…

The thing is, no matter how much good information available, people have a tendency to move toward an easier solution, at least for the first time.

If you think about it, that just makes sense. Given a choice to start a business from scratch, work very hard for at least one year before seeing any kind of good result, or do it the fun, easy, and from-the-beach way, most people will choose the latter rather than the former.

With no surprise at all, people fall into the so called blog scams and basically any other get rich quick (GRQ) business opportunity because let’s face it. Even if you have failed a few times, you want to believe there is a golden key that will open the floodgates of Internet money windfall.

I recall a few years ago when I finally had to give the dream up. I felt more disappointed than angry, this GRQ biz opps didn’t work in reality. If only it was true…

(You know, still a bit of hope that it would eventually work out of magic, just for once again, but I decided to throw the idea out of the window…)

GRQ Scams Get a Makeover… Blog Scams!

With the advent of blog software that is able to do magic when it comes to getting any kind of content online, GRQ scams has just got a makeover.

I bet you have seen a bunch of hype about making millions building a network of blogs.

How do they work?

Blog scams take advantage of the fact that a blog is easy to update and you could get any piece of content up within seconds, not to mention that it can potentially be automated.

This means if you have access to scripted web application that may scour the Internet for free articles or generate junk content, you will be able to setup blogs that update automatically.

Building hundreds, if not thousands of these blogs, is a no brainer if you have the right software.

With such a model, the scheme can be labeled as creating useful blogs with solid content, although the truth is, it involves publishing repetitive — or random spin off of existing — content.

What Makes Blog Scams Scam?

You may look at blogging scams from two standpoints. As a visitor who is interested with the content the Web has to offer, usually such a blog provides little or no value at all, wasting the visitor quite a lot of time.

Usually, that is not the main intention of the blog owner. What s/he wants to accomplish often times is because of greed — to make money from the visitors through one way or another.

According to Federal Trade Commission (FTC):

The scam artists lure would-be entrepreneurs with false promises of big earnings for little effort. They pitch their fraudulent offerings on the Web; in e-mail solicitations; through infomercials, classified ads and newspaper and magazine “advertorials”; and in flyers, telemarketing pitches, seminars, and direct-mail solicitations.

Note: I’m not saying there is no way to make money online. Once you set it up properly, it may involve very little work on your part, but still you have to work hard to reach that level. There is no such thing as autopilot income from the start.

There is no doubt that a blog can be a very powerful tool for business and marketing. As a blog evangelist, I encourage the use of a blog as a tool to sell products or services or build business brand online. The fact is, there are unlimited ways to use a blog nowadays.

However, there are some models that are presented in a way that turns a blog into more of a fraud than legitimate business.

The thought of easy money is very appealing, but the truth is making money and building long term success usually requires hard work. This has always been the case for both offline and online business.

Heck if you approach it with the same mindset, you are going to increase your chance to succeed online.

Because many of the blog scams revolve around using a blog as a web publishing tool, let’s talk about that. Building a legitimate online publishing business is not only possible but could bring many of the luxury of having a web business.

Some of the benefits include working from home or wherever place you wish. You become your own boss and set your own working schedule. The Internet doesn’t have business hours. It is always on whenever you want to access it.

As to the potential, Weblogs Inc. sold a blog network to AOL for $25 million in 2005. That certainly is not a fad. And a smaller scale of success is certainly possible if you have the right combination of mind set, work ethic, business strategy, and marketing.

So, what makes a blog model scam?

• It promises little to no work. Once installed, the system will work day and night automatically without fail. Before long, you will see results. It will start churning out endless stream of cash in a week or less.
• High earning claims. Hundreds of dollars per day is not uncommon with such system. It becomes a numbers game. If one site / blog earned $1 per day, then 1,000 blogs would earn you $1,000 a day. Afterall, it is effortless to setup.
• Incredibly easy system and steps to follow. No technical skill required. The system works on auto-pilot without the need to learn a thing. Just buy it and make yourself a cup of coffee. If you know how to browse the Web, or point and click, you can operate it.
• Speed. People are naturally impatient. Blog scammers know it so they offer something very unrealistic, but still people buy into it. Seven figure in six months… or something very similar.

For example, an ad that I saw a while ago offered people an opportunity to make $31,000 per month blogging with an easy to follow and step-by-step guide, which was sold for $49.95. While it is possible to make that kind of money by blogging, it doesn’t come easily.

Before your blog takes off, in order to get traffic you have to work your “you-know-what” off. It also requires persistent. If you don’t have the necessary skills, you have to learn what it takes to make it work.

What Makes Blog Scams Possible?

A blog is a great publishing tool. The technology has improved to a point that it can be used as content management system (CMS) for small and medium sites. With the underlying infrastructure and the blogosphere, a blog is suitable for anyone who have a passion to get their thoughts out and be found.

A blog allows the readers to interact with the blogger, something most conventional CMS can’t do, at least not as easily as a blog.

It is not uncommon that a blog gets traffic the same day it was started. Search engine spiders are known to crawl blogs within 24-48 hours since the first entry is published. It may take longer, but still it is a shortcut to getting listed in major search engines like Google, Yahoo and MSN Search.

Just as a comparison, if you submit your site to search engines, it may take a few months before the search engine spiders actually come.

One-click publishing and instant search engine crawling are only two compelling benefits of blogging. Blog scams take advantage of those benefits to offer software package or guides that promise unrealistic income.

To understand it further, you need to grasp a few fundamental concepts or principles.

1. Online users are searching for information. They are always in need for information before they actually make a purchase.
2. A lot of people start the search in search engines.
3. There are many untapped keywords, especially long tail keywords — low search volume per keyword but there are lots of them.
4. A blog lets anyone publish content quickly.
5. Setup correctly, a publisher will get the blog crawled in record time by search engine spiders.
6. Frequently updated blog tends to rank high in search engines.
7. A blog lets people find you in many ways.
8. There are some advertising networks that allow any publisher to cash in on their content almost immediately.

Depends on how you’d see it, you are likely to notice a real business opportunity, or potential scam by unscrupulous scam artists.

Common Techniques Used by Blog Scammers

It doesn’t take long time of research to realize patterns used by common blog scammers.

The systems are more or less the same, with a few twists here and there. Of course, a product may be slightly improved over the predecessors.

If you think about it, such system usually fills in a demand too, exactly like what a legitimate model does. People are looking for information. If you are able to provide that, with the right promotion, your blog will be found.

Just that with a scam, but they do it by spamming the search engines. That is a very common model. It used to be that you could be able to make good money easily with this method but as search engines become smarter they know enough to sift pages better. And they are only going to get better.

Relying your business upon such a model, with the wrong expectation to earn an unrealistic figure, is not what most people want.

There is more than one way to do it though. For instance, when it comes to content, the system may go through different ways to process source of content such as directory listings, free article directories or datafeeds from affiliate merchants.

Here are some common blog scam techniques:

Blog Content Generation Tools

• Auto RSS feeds to blog posting. Source one or more RSS feeds and post each entry as standalone content on the new spam blog (splog). Not only they add no value to existing content but often they fail to credit the source.
• Auto keyword stuffing content. Get content from random places, including search engine results and directory listings (they usually are keyword focused) before injecting it to the blog.
• Datafeed processing tool. Process product data from affiliate merchant’s datafeed and post them as content to the blog, complete with affiliate links.
• Free article directories scraper. Search article directories for free articles related to the topic you want to post.
• Private label content spinner. Private label content is a cheap way to get huge amount of content. Rather than manually rewrite the content, the author could use the tool to spin paragraphs, words and bits of contents to make them unique. The result is often not as natural as writing a piece of content from scratch, unless you spend a lot of time on it, which defeats the purpose of such software.

Inbound Link Tools

• Blog and ping. Ping as many services as possible. Some of the services will index the pages in those blog services, which in lead to the blog. Others will let real users find the post when searching for information. However, these tools usually focus on the benefit of getting strong link popularity instead of real visitors because people detect fishy content relatively fast.

Tag and ping. Use tagging such as Technorati tags so the blog is found for popular search terms.

• Auto reciprocal link request. It is surprising that people are actually linking to splogs, but it happens especially between splogs to boost link popularity.
• Auto site submission tools. Submit to millions of directories and search engines, also sites that allow adding links.
• Blog comment and trackback spamming. Automatically post blog comments that link back to the blog. Some of the comment spam get into the blogs, for each which doesn’t include a nofollow attribute, it is a boost for their link popularity.
• Auto submission to social bookmarking sites. Submit to as many social bookmarking sites with the right keyword as tag so the content is found by interested users.

Other Tools

• Auto blog creation tool. Create hundreds, if not thousands of blogs automatically from one interface.
• Keyword research tool. While not exactly a scam, they are used by black hat publishers who make money from AdSense arbitrage method or others, but directing traffic to spam sites/splogs.
• Search engine cloaking. Returning different content pages for search engines and human visitors for the sake of cheating the search engine spiders.

I am sure there are many tools either publicly sold or created for personal use by many sploggers, but those lists above are very common.

The Thin Line Between Legitimate Blog Models and Scams

The line that separates between a blog scam and legitimate blog model is often very thin.

In fact, some techniques used by blog scams take advantage of the benefits of blogging. The problem is, often they are used in ways that are destructive.

For example, “blog and ping” is a great tool to notify blog search engines about new entries or changes on your blog. Used properly, it tracks every single conversation that is currently happening on the blogosphere.

Aggressive blog and ping with spammy content turns the services into something less useful because of the volume of spam. It pollutes the blogosphere.

Some site generation tools claim to be legitimate and concentrate on building solid content based on sophisticated methods. Although the content generated are based on good information, still they lack personality and more or less repetition of the same content.

Bloggers who care to automate the whole publishing process usually don’t care much about the quality of content. They often use content from other people’s feed or article directories. That doesn’t add any value to the Internet.

Another technique utilizes mass submission tool for social bookmarking sites. This tool defeats the entire purpose of social bookmarking which is collection of really useful sites submitted and collected manually by human beings.

Of course, there are huge differences between real blog with splogs but sometimes the line is so thin even some bloggers fail to realize what they use is actually cheesy.

Your mileage may vary, but with a basic understanding of what is a blog and how it works, you soon will realize that every tool that tries to automate things to the extreme will either get you nowhere or even bring bad things to your business.

The last thing you want is to be banned by search engines, deleted from blog search engines or simply being avoided by readers, who are one of the most important currency for your blog.

Really, if you understand how these tools work and instead take the time to write your own content, network with other bloggers, build solid inbound links, post comments to other blogs, you are going to get some real exposure and build a legitimate blog that you are going to be proud of. The laziness and automation parts are what make them harmful for long term business.

The analogy is, people who keep polluting the Web and blogosphere with spammy content, it is like peeing into the pond they are going to drink from. Make the Web a better place by contributing solid content. After all, we are going to make use of it too. Plus you are going to build a sustainable business out of it.

The choice is yours.

Return to Make Money Blogging — A Few Considerations and Advices.

Related posts:

• Make Money Blogging — A Few Considerations and Advices

Installing Ubuntu as a guest operating system for experimenting with various blog software, theme or any script is a good idea because a virtual machine is independent of your host operating system. Even if you accidentally delete something, it will not affect the host machine you are running on.

Note: For people who are interested in installing Ubuntu as a virtual machine, there was a version of Ubuntu created specifically for virtual machine. Ubuntu JeOS (pronounced “Juice”) stands for Just enough Operating System. It is an efficient variant of Ubuntu server operating system, configured specifically for virtual appliances. The kernel, for instance, only contains the base elements needed to run within a virtualized environment. However, in Ubuntu 8.10 Intrepid Ibex, you may install a minimal virtual machine from the Ubuntu Server Edition Installation CD by pressing F4. Alternatively, you may also use Ubuntu’s vmbuilder. As of this writing, I’ve tested vmbuilder but it is just a bit too complex for average users at this stage. A simple test to generate a virtual machine for VMware Player ended in opening three bug reports. For that reason, this guide will show you how to install Ubuntu minimally instead of using vmbuilder.

Although for the sake of demonstration, this tutorial series will use Ubuntu, by no means VMware is limited to this Linux distro only. Note that I’ve been running RedHat, CentOS and even compile my own Linux distribution from scratch using VMware without any problem.

As VMware Player is available for both Windows and Linux platforms, you can follow along the tutorial as long as you run Windows and Linux as the host operating system. Mac users are out of luck, but they can still purchase VMware Fusion and install virtual machines.

Choosing Your Virtual Machine Installation Method

There are at least two ways to produce virtual machine optimized for Ubuntu installation:

1. By acquiring (downloading) Ubuntu Server Edition ISO. Ubuntu 8.04 (Hardy) has JEOS ISO image which is only about 100Mb with less than 300Mb installed footprint. However, if you want Ubuntu 8.10 (Intrepid), you must download full ISO, but pick minimal installation. Minimal Ubuntu Installation CD is available for Ubuntu too. If you have a fast Internet connection, you may download this version and let Ubuntu grab packages during installation.
2. Using standard Ubuntu Server installation, but optimize it for virtualization with JeOSVMBuilder. The new vmbuilder is updated for Ubuntu 8.10, which is very close to the launch date as of this writing. vmbuilder sounds promising, I will test it again some time in the future.

Of course, if you want to install Ubuntu for a server, the first choice is the only viable option.

For this tutorial, I’m going to use Ubuntu Intrepid Ibex v8.10. Because the process also shows you how to install Linux Ubuntu, you should be able to adapt this tutorial even if you choose to install using JeOS ISO (v8.04).

It is recommended that you have an active, unlimited and fast Internet connection because after minimal installation, we will set Ubuntu to fetch various packages from the Internet.

For those who are interested to test various blog software, blog themes or blog plugins, you may proceed with the blog installation easily.

Acquiring Ubuntu Linux CD-ROM or ISO Image

ISO image is just raw CD-ROM data stored in a file. That means you can download a .iso image and write to CD or use it directly as a virtual CD-ROM.

VMware supports virtual device so you don’t have to write the data into a CD. As it is raw data, the size can be quite enormous. Ubuntu 8.10 Server Edition is about 600MB. After installation, if you want to install additional packages, you should be connected to the Internet to download the necessary packages.

Here is the download link for Ubuntu. Please choose a mirror near you for a better and faster download experience.

If Ubuntu 8.04 LTS, which is supported until 2013 sounds great for you, just for exercise, you may go ahead and install Ubuntu 8.04. The difference in installation — but not with the vmbuilder tool — should be minimal that you still could follow along very well.

If you have a quite decent machine, running a full Ubuntu distribution is not an entirely bad idea either. In all cases, the virtual machine will outperform a native Windows machine in performance, especially when installing a web server for experimenting with blog software.

After download, you need to change ide0:0.fileName in the configuration file (.vmx) to full path where the image file resides. This is necessary for the machine to boot the installation CD when you turn on the machine.

Installing Ubuntu Server Edition with VMware Player

Launch VMware Player either by running the program or double click on the VMware configuration file (.vmx).

The machine will start automatically. Because the virtual disk contains no operating system yet, VMware is smart enough to boot from the ISO image file during boot-up. There is no need to adjust the BIOS setting.

The first screen lists over 50 languages to choose from. I believe this has started to amaze you. Ubuntu is indeed a powerful operating system that I personally use for production environment. I’ve just read recently Wikipedia adopted Ubuntu for its server infrastructure.

Well, I digress but that’s how your customer will react if they love your product, I suppose…

After you choose the language, you will be able to see a menu like the following. You may check CD for defects, test memory, boot from first hard disk or even use this CD to rescue a broken system.

On this screen, it is important that you press F4 - Modes to only install a minimal system — which is the package selection equivalent to JeOS. In Ubuntu 8.10 release, you will be able to install minimal for virtual machine. Pick that if you install it in VMware Player.

Pick Install Ubuntu Server to start the installation process.

In the next screen, you will be asked again for a language. This one will be used for the installation process and as the default language for the final system.

If you choose English, which is what I do, you should be prompted to choose a country, territory or area. As always hit Enter to proceed with your selection.

Ubuntu installation process will then detect your keyboard layout through a series of questions. In this case, it successfully detects my keyword layout as “us,” so let’s Continue to the next step.

Type in the hostname for the system. A hostname is a single word that identifies your system to the network. ubuntu is not a bad name for identity, unless of course, you have multiple Ubuntu servers installed or running at a time. For server, you may use your domain name.

The process will continue by setting the clock based on a time server and let you pick a timezone. After that, it will detect various storage device (virtual hard drives) and prompt you to partition your disk.

For people who want more flexibility, Manual method is the way to go. For most people, Guided - use entire disk is a pretty safe answer. Using LVM (Linux Volume Manager) is out of the scope of this tutorial though.

The next screen warns you that all the data on the disk will be erased if you choose to proceed. Remember this is the blank disk image that you’ve downloaded or created before, so it is still blank. Now you are ready to format and load it with Ubuntu server.

If you confirm that, Ubuntu starts to divide your disk into two partitions. One partition is for the system files and the other is for swap files (extended memory on disk drives).

Proceed to the next step by choosing Yes to write changes to the disks.

Ubuntu installation process will now format your virtual hard disk and installing the base system into the newly created disk.

The installation process may take some time, depends on your computer speed and other factors. When it finally finishes, you will be asked to set up users and passwords. Follow the instructions and create one account that you will use for login later.

Ubuntu lets you setup encrypted private directory to protect your files, but this is not necessary especially in a test environment, so pick No.

You could enter your HTTP proxy information if you use one to access the Internet. This is necessary to configure the package manager and install additional packages later. Leave this blank for none.

Based on your input, Ubuntu installation will go out, scan the mirror and configure package manager (apt) for you. Don’t worry though, Ubuntu won’t try to update anything unless you let it to. In the next screen, you will be able to choose if you want to install security updates automatically or other options.

You may also manage the system with Landscape, which is a web-based system management service by Canonical, the company behind Ubuntu. For this demonstration, I’ll pick No automatic updates.

The next screen allows you to tune the system to your needs. You may pick various software options to install. If you are going with Linux, Apache, MySQL and PHP, LAMP is an option for you to pick.

However, in this case you are going to install either LEMP (nginx) or LLMP (lighttpd). As I’ll show you how to do this from scratch, you can skip this step without picking a thing.

Wait for the system to install software packages for you. When it is done, you have completed the installation process. Now it is not as difficult as you may think, isn’t it?

Let the system reboot and start the newly installed system for you. If you are new to Linux, chances are most of the message on the screen look like gobbledygook. It doesn’t matter at all.

Once you’ve seen the login prompt, enter the user name and password you’ve created above to login.

Once you’re logged in, use the following command to check disk space.

df -h

A minimal system takes about 517M with no additional packages installed, which may seem like a lot to some users. However, even with 4GB virtual hard drive, you still have ample of room to play.

Note: If you pick the minimal for virtual machine mode during installation, the disk space used is only 300-400MB.

Let’s check for the amount of memory used by this system.

free -m

Ubuntu uses only about 39MB, including the buffers and cached data. Suddenly 256MB seems like a lot for this kind of setup, so depends on the final system you may adjust the memory allocate for your virtual machine.

Return to How to Make a Server — Building High Performance Server

Related posts:

• How to Make a Server — Building High Performance Server
• Using VMware Player to Create Images for New Virtual Machines
• WordPress Security — How to Install WordPress Securely
• What is a Blog?
• Setup Twhirl — a Twitter Client Based on Adobe AIR (Week 3)

The most obvious reason is server compatibility for which code will be deployed on. While the WLMP and WEMP are much like running your own server, there are issues like file and directory permissions that are not compatible between Linux and Windows.

The former is more widely used because of its efficiency and performance as a web server.

With current technology, it is possible for you to run different types of operating system, even at the same time if you have the resources, on a desktop machine.

So, that saves quite a bit on power and server cost.

Another great thing is that nowadays virtualization software are available for free. While there are more advanced versions that require payment, for starters the free version is more than enough.

VMware Player is one example. It is based on the lines of products released by VMware, including VMware Workstation and VMware Server. For blog designers and developers, VMware Player is more likely the choice. VMware Server is also free but more suitable for server environment.

Download VMware Player

You should at least read the overview and various documentations before downloading and running VMware Player, if this is your first time to install it.

For many people, including bloggers, virtualization is a relatively new concept. It is important to understand at least the basic before you try to run it.

Although the software is straightforward to install and run, it still involves some learning curve. You should be prepared for this, but not to the level that you resist it. This is something that will benefit you more as you get familiar with it.

With that said, here is the link that leads you to the overview page for VMware Player. The download button is above the fold, but please read the overview first!

Problems with VMware Player and Possible Solutions

VMware Player, as the name implies, runs virtual machines on your Windows or Linux desktop created by VMware Workstation, VMware Fusion, VMWare Server of VMware ESX. It is also capable of running Microsoft Virtual Server and VIrtual PC virtual machines.

The limitation is, you can’t create a new virtual machine from scratch with it. VMware Workstation is the product line that supports that. Currently, VMware provides a lot of ready-made virtual appliances for you to use.

Fortunately, there are hacks that allow you to bypass that limitation in VMware Player.

In this tutorial, I’m going to show you how to create your own virtual machine using VMware Player so you can install your chosen operating system, such as Windows, Linux or even BSD on top of it from scratch.

You may also pick the Linux distribution to install so you may experience different Operating Systems (OS) before deploying on your production server or virtual private server.

A VMware’s virtual machine consists of two main parts:

1. A virtual machine image / disk (.vmdk)
2. A virtual machine configuration file (.vmx)

Let’s solve these problems, one at a time.

Note: There is a solution that allows you to generate both VMware configuration file (.vmx) and disk images from the Web. Think of it as a Web-based wizard. Although still missing some options, it is still one-stop solution for VMware Player users for VM creation.

Download Empty VMware Player Images

Although not as flexible as other options, this is the fastest way to get you started. VMware’s configuration file is in plain text, so you should have no problem in editing it at all.

For instance, you may modify the CD-ROM drive to read from an ISO image in your hard drive. Ubuntu and other linux distributions provide free download of .iso image. This is the raw file that could be burned into a physical CD.

These empty disk images come in different sizes: 1GB, 4GB, 8GB and 15GB. Note these virtual disks have sparse files support. That means when you uncompress these files, you will see much smaller files. VMware will grow these files as you use them, so it is a good idea to have enough disk space, as much as what you plan to use.

• 1GB VMware virtual disk image (1KB compressed, 196KB uncompressed)
• 4GB VMware virtual disk image (1.6KB compressed, 589KB uncompressed)
• 8GB VMware virtual disk image (2.5KB compressed, 1.1MB uncompressed)
• 15GB VMware virtual disk image (4KB compressed, 2MB uncompressed)

While you can’t boot a thing yet with this image, they have ample of space for you to play. You can boot from CD and install operating system onto the image and make it bootable.

In other words, the first problem was solved.

Using Qemu to Create Virtual Disk Images

This is another option for disk image creation. Qemu is an emulator for various CPUs, but it also includes an executable called qemu-img.exe that allows you to create VMware disk image, among others.

The command syntax for qemu-img.exe is as follow:

qemu-img.exe create -f vmdk Linux.vmdk 4GB

In the same directory it will create a disk image ready to be used for your new virtual machine.

Download/Make VMware Configuration File

VMware’s configuration file (.vmx) is just plain text with a specific extension so Windows’ users may double click and run it from Windows Explorer.

Linux users may have #!/usr/bin/vmware on top of the configuration so they may set the file executable and the system knows which program to run.

Unlike disk image, this means you may change options easily, especially for values that are more obvious, such as the path to ISO image, etc.

Here is a VMware configuration file template that you can use for VMware Player. It should works for VMware Player 2.5 and above. It is always a good idea to upgrade to the latest and newest version though.

Download Virtual Machine Configuration File (VMX)

I have grouped the configuration options together so when you open the file you should see editable options on top.

This configuration file is created for people who want to follow along with me to install Ubuntu (Linux) and setup WordPress / Movable Type after it. However, if you want to run Windows Vista, edit the (.vmx) file to read as follow.

displayName = "Windows"
guestOS = "winVista"

A list of supported guest Operating Systems is available below at the end of the article. Note that even if the guest OS you plan to install is not here, that doesn’t mean you can’t install it. The list shows systems that can be tweaked to perform better in virtual environment.

If you choose the right option, that means VMware will be virtualizing it better than if you choose a generic OS.

Here are a few other adjustable options:

# Common values are 32, 64, 128, 256, 512 and 1024
memsize = "256"
 
# The path to the hard disk image (has to be in the right format)
scsi0:0.fileName = "Linux.vmdk"
 
# The path to Ubuntu CD-ROM image
ide1:0.fileName = "C:\data\ubuntu-8.10-server-i386.iso"

All in One Solution for VMware Disk Image/Configuration File

Alternatively, you may use EasyVMX! to create virtual machine configuration for VMware. It is much like a web version of the VMware virtual machine creation wizard.

Let’s go through EasyVMX! one step at a time.

First off, you should choose a name that clearly identify the new virtual machine. If “Ubuntu Linux” is too generic, feel free to name it “Ubuntu 8.10″ or anything more specific. Also pick the right entry in the Select GuestOS dropdown list.

Leaving the Power ON / Power OFF options as is is usually a good idea unless you know what you are doing. If you intend to run this VM just for experiment, you certainly don’t need to adjust anything here.

You may give your VM a more descriptive name in the Virtual Machine Description section.

You should leave the Network Interface Cards options as is, unless you have specific requirements to have those features set to different values.

Floppy disk drive can be a nice option to have because with it you may be able to boot from floppy disk or a floppy image. For installation of Linux, you probably don’t need this though.

You should have at least one CD-ROM in EasyVMX! configuration. As the second drive, specify the path to Ubuntu JEOS image file. You may edit the .vmx file later if you haven’t downloaded the image file yet.

Set the hard disk drive to the size you want. In this case, we set it to 4GB, using virtual SCSI controller. This new version of Easy VMX also includes the capability to setup shared folder but that is optional. Only the first disk should be there.

As our goal is to setup a server machine without any graphical interface with minimal memory usage, you should uncheck all the other options unless you really want them.

Hit the Create Virtual Machine button to generate configuration file and hard disk image as you’ve selected above. The next screen allows you to download all the files in one compressed .zip file.

Download that file and save to your hard drive.

Unpack Your Files and Customize

Whichever route you take, you are now set. Unpack all the files into one folder. You are ready to install the guest operating system on your newly created virtual machine.

Open the (.vmx) file with Notepad or any other text editor. The following are the variables that you may want to adjust:

• displayName. The name of this virtual machine as displayed on the screen.
• guestOS. Guest operating system name. You should set this to the right OS for VMware to tweak the system so it performs better in virtualization.
• memsize. Memory size allocated for the virtual machine.
• scsi0:0.fileName. Point the value of this variable to the virtual machine image file (.vmdk).
• ide1:0.fileName. This one should point to the installation CD (raw image, .iso). If you already have CD of the guest OS, you may not need this.

VMware Supported Virtual Machine Operating Systems

I’ve tested running VMware using generic setting for an operating system. It works because VMware is just a virtual machine. However, if you want to take advantage of certain tweaks and optimization for virtualization, you should choose the right operating system. VMware may give you certain performance improvement for that.

For newer operating system, it is only officially supported by new versions of VMware. However, if you are running popular operating system, you should have no problem with it. Just look for one from the list below and substitute the VMware configuration file (.vmx) with the right value.

Here is the list of supported value for guestOS variable for VMware Workstation 6.5.x. If you don’t want to go through the whole process again just to change the value, this list can speed things up. You only need to edit the guestOS value in the .vmx file.

Microsoft Windows

Windows 3.1 = win31
Windows 95 = win95
Windows 98 = win98
Windows Me = winme
Windows NT = winnt
Windows 2000 Professional = win2000pro
Windows 2000 Server = win2000serv
Windows 2000 Advanced Server = win2000advserv
Windows XP Home Edition = winxphome
Windows XP Professional = winxppro
Windows XP Professional x64 Edition = winxppro-64
Windows Vista = winvista
Windows Vista x64 Edition = winvista-64
Windows Server 2003 Web Edition = winnetweb
Windows Server 2003 Standard Edition = winnetstandard
Windows Server 2003 Enterprise Edition = winnetenterprise
Windows Server 2003 Small Business = winnetbusiness
Windows Server 2003 Standard x64 Edition = winnetstandard-64
Windows Server 2003 Enterprise x64 Edition = winnetenterprise-64
Windows Server 2008 = longhorn
Windows Server 2008 x64 Edition = longhorn-64

Linux

Red Hat Linux = redhat
Red Hat Enterprise Linux 2 = rhel2
Red Hat Enterprise Linux 3 = rhel3
Red Hat Enterprise Linux 3 64-bit = rhel3-64
Red Hat Enterprise Linux 4 = rhel4
Red Hat Enterprise Linux 4 64-bit = rhel4-64
Red Hat Enterprise Linux 5 = rhel5
Red Hat Enterprise Linux 5 64-bit = rhel5-64
Asianux 3 = asianux3
Asianux 3 64-bit = asianux3-64
SUSE Linux = suse
SUSE Linux 64-bit = suse-64
SUSE Linux Enterprise Server = sles
SUSE Linux Enterprise Server 64-bit = sles-64
SUSE Linux Enterprise Server 10 = sles10
SUSE Linux Enterprise Server 10 64-bit = sles10-64
Novell Linux Desktop 9 = nld9
Sun Java Desktop System = sjds
Mandrake Linux = mandrake
Mandriva Linux = mandriva
Mandriva Linux 64-bit = mandriva-64
Turbolinux = turbolinux
Turbolinux 64-bit = turbolinux-64
Ubuntu = ubuntu
Ubuntu 64-bit = ubuntu-64
Other Linux 2.2.x kernel = otherlinux
Other Linux 2.4.x kernel = other24xlinux
Other Linux 2.4.x kernel 64-bit = other24xlinux-64
Other Linux 2.6.x kernel = other26xlinux
Other Linux 2.6.x kernel 64-bit = other26xlinux-64
Other Linux 64-bit = otherlinux-64

Novell Netware

NetWare 5 = netware5
NetWare 6 = netware6

Sun Solaris

Solaris 8 (experimental) = solaris8
Solaris 9 (experimental) = solaris9
Solaris 10 = solaris10
Solaris 10 64-bit = solaris10-64

Other

MS-DOS = dos
FreeBSD = freebsd
FreeBSD 64-bit = freebsd-64
Other = other
Other 64-bit = other-64

Return to How to Make a Server — Building High Performance Server.

Related posts:

• How to Make a Server — Building High Performance Server
• Ubuntu Installation Guide for Guest OS (and Server)
• Tips for Watching the Videos — TDC Preseason Week 8
• Building a Long-Term Blogging Business: Creating Strategic Content Plan and a Few Content Creation Tips (Part 2)
• Whitehat SEO Tips for Bloggers by Matt Cutts

Fortunately there are more convenient approaches to this. Existing solutions are sub-optimal because it uses WAMP (Windows, Apache, MySQL, and PHP).

Why WLMP? An Overview

Don’t get me wrong, Apache is well-established and most widely used server software throughout the Internet. It is able to handle almost any load and setup, but at the same time the cost in terms of memory consumption and processing cycle are also huge.

Lighttpd is a better alternative for this reason. For WordPress hosting, it has more than enough features to support all the necessary operations. Tests upon tests show that the performance in lightty is significantly better even with limited resources.

This is an extra bonus, especially for people who have scarce resources on their workstation — which is most likely the case.

Note: Albeit using the same name, this setup is independent from the WLMP project, except that the lighttpd software package is taken from the project. Other than that, we are going to install and slightly optimize MySQL and PHP separately.

System Requirements

For this tutorial, I’m going to use Windows Vista. There is no specific requirement as far as I know of. This setup has also been tested in Windows XP Service Pack 2.

The installation process is pretty simple. When starting the various servers, they may consume less memory and as they serve more data and pages, they will need more memory.

mysqld, for instance, requires only a bit more than 1MB when you start it for the first time. The php-cgi occupies around 5MB at first.

However, after running WordPress for some time…

• LightTPD still occupies only less than 1.5MB. You’re going to like this, aren’t you?
• PHP running in FastCGI is about 6.5MB.
• MySQLd takes around 11MB.

The total memory consumption is ~ 19MB. Of course, that depends on how you optimize MySQL or how much data do you have in the database. The point is, you probably have known about PHP and MySQL, but isn’t the figure for LightTPD encouraging?

Compare this to Apache. Memory consumption of 50 - 300MB per process is not unheard of, and in fact it is quite common. Note that I’m not comparing apple to apple, but you don’t need the extra features in Apache. Another thing worth considering is CPU load.

In short, life with WLMP is much lightier, better, and faster.

Get Started with WLMP Installation

I presume that the “W” part, which is Windows, is already done. Unless you are viewing this page through another computer, chances are you have already had a Windows installation on your desktop computer or laptop.

So let’s go ahead and proceed with lighty. Download a copy of the newest version of lighttpd from WLMP project web site. For demonstration purpose, the version I’m using is 1.4.20, but it should work with other versions as well.

Installation of lighttpd is straightforward. You only need to choose the directory to install the software and proceed. In this case, C:\Program Files\Lighttpd is fine.

Configuring and Running Lighttpd

The lighttpd installation includes a script that allows you to test and make sure that your installation is working fine before configuring the server.

This can be done simply by running the TestMode.bat, found in your lighty installation directory. When you double-click it, a command prompt window will appear. Don’t press Ctrl+C yet. If you see it, that means lighttpd is currently running.

In fact, the server may display message such as the following:

yyyy-mm-dd hh:mm:ss: (log.c.97) server started

Note: If you are running Windows Firewall, a dialog may appear, warning you that lighttpd is trying to accept incoming network connections. It is important that you press the Unblock button to make exception to the http port (port 80) for lighty only if you want to allow remote connections. Otherwise, keeping it blocked still allows you to access from your desktop.

This dialog box will only be displayed once so you don’t have to keep allowing the connection each time you start the server.

In case you are wondering, the exception added to Windows Firewall is named A fast, secure and flexible webserver, NOT LightTPD.

The next step is to fire up a browser and type in:

http://localhost

in the address bar of your browser. A screen similar to the following should appear right before you.

This page also tells you what to do. For instance, you may put your web site in C:\Program Files\Lighttpd\htdocs. You will do that later when installing WordPress.

You may also make changes to configuration file, which is C:\Program Files\Lighttpd\conf\lighttpd-inc.conf. This file also includes other files in the same directory if you enable that.

Now that you have it running properly, go to the command prompt window and press Ctrl+C to stop lighttpd.

A message will show about the status of the shutdown process. You may need to press any key after that to get rid of the window.

Configuring Lighttpd to Interact with PHP

In short, Lighttpd is able to run PHP-based files via one of these two methods:

1. Running PHP as CGI (Common Gateway Interface). This requires the CGI module (mod_cgi). Whenever a request for .php file is being made, lighty will invoke an instance of php-cgi.exe and let it process the script before returning the result.
2. Running PHP in FastCGI mode. As the name implies this method is faster because a predetermined amount of children processes have been invoked and run in the background. Lighty interacts with PHP’s FastCGI by using hostname:port pair (TCP protocol) or via the UNIX sockets or named pipes. This requires the mod_fastcgi module.

I personally prefer the FastCGI method mainly because it is more flexible. For instance, if I happen to have a desktop and laptop on the same local network, I could install the PHP running in FastCGI mode on my laptop. The lighty and MySQL could just reside on the desktop.

It certainly make it even lighter…

Up until now, we haven’t installed PHP yet, but there are several things you should do to make lighttpd ready to send queries for PHP files to FastCGI.

You need to open the file in C:\Program Files\Lighttpd\conf\lighttpd-inc.conf, then do the following:

1. Activate the mod_fastcgi module by deleting the hash sign (’#') at the beginning of the line.
2. Change the server.document-root variable to “c:/program files/lighttpd/htdocs” instead of just “htdocs/”. This is necessary to make FastCGI work flawlessly. You may need to scroll down a bit to find this configuration line.
3. Finally, scroll down again to the fastcgi module section and change the fastcgi.server configuration block to read like below.

fastcgi.server = ( ".php" =>
                   ( "localhost" =>
                     (
                       "host" => "127.0.0.1",
                       "port" => 10000,
                       "broken-scriptfilename" => "enable"
                      )
                    )
                  )

In previous section, you have tested lighttpd, and you are seeing the error messages right on the command prompt window (console). The console, in this case, is the error log destination.

When running as a server on the background, you wouldn’t be able to see the console so the error messages should be directed to a file. The same thing applies to the http access file.

You only need to add two lines to make this happen:

accesslog.filename = "c:/program files/lighttpd/logs/access.log"
server.errorlog = "c:/program files/lighttpd/logs/error.log"

Also make sure the upload directory is set to full path…

server.upload-dirs = "c:/program files/lighttpd/TMP"

Running and Stopping Lighttpd, MySQL and PHP FastCGI with Batch File

The Windows installation of lighttpd includes programs to install and remove lighttpd as Windows service but for one reason or another it is not working.

Anyway, I still prefer the batch script executable though because I could start and stop all lighty, mysqld and php-cgi at the same time.

Here is the content for start-lighttpd.bat:

1
2
3
4
5
6
7
8
9

@ECHO OFF
ECHO Starting PHP FastCGI...
RunHiddenConsole.exe C:\Program Files\PHP\php-cgi.exe -b 127.0.0.1:10000
ECHO Starting LightTPD...
lighttpd.exe -f conf\lighttpd-inc.conf -m lib
ECHO Starting MySQL...
RunHiddenConsole.exe "C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="C:\Program Files\MySQL\MySQL Server 5.0\my.ini"
SLEEP 1
EXIT

Copy and paste the text above and save it as start-lighttpd.bat in C:\Program Files\LightTPD. Alternatively download start-lighttpd.bat here.

The script to stop lighttpd, mysqld and php-cgi is properly named stop-lighttpd.bat. The content is as follow:

1
2
3
4
5
6
7
8
9

@ECHO OFF
ECHO Stopping MySQL...
bin\process.exe -k mysqld-nt.exe >nul
ECHO Stopping LightTPD...
bin\process.exe -k lighttpd.exe >nul
ECHO Stopping PHP FastCGI...
bin\process.exe -k php-cgi.exe >nul
SLEEP 1
EXIT

Again copy, paste and save to the text above or download stop-lighttpd.bat here.

With both this script, you can run and stop lighttpd, mysqld and php-cgi as you wish. Turn it on when you are working and remove them to gain more memory afterwards.

Don’t run the batch file yet. You need to install PHP and MySQL first… which the following steps are exactly about.

Installing PHP on Windows

PHP installation is pretty simple. Just go to PHP download page and download PHP x.x.x installer. The PHP version used for this demonstration is 5.2.6.

Run the installer