WordPress MU

Hi,

I installed WordPress MU a few days ago, and got the innstallation up and running after some chmod 777 operations on a few directories.

### Why do I have to chmod 777 these direcories for the innstallation to work. Doesn't this make the installation vulnerable?

### Another thing: the main page and admin area seems to work ok. Creating another blog from the frontpage also works fine. But when I later try and access the newly created blog, I get this error:

===========================
Forbidden
You do not have permission to access this document.
-----------------------
Web Server at bigpassiveincome.com
===========================

I use shared hosting with edatarack.

Let me know if you need more info to point me in a direction in order to get this issue resolved.

PS!: I just found out that the name of my testblog "test" might be a bad pick as I have registered 2 more blogs named "aaaaa" and "bbbbb", and they seem to have worked. I will do a couple more tests and see and report back.

Thanks a bunch,
~Olav!

Me again,

It appears that having a blog named "test" did not work very well. I just registered a new email address on my own domain, logged out of the admin area, registered a new blog with my new email address, and everything seems fine.

Hmm, wonder why I cant use "test" as a name on a blog...

Anyway, I am glad I now seem to be up and running. I would like an answer to the chmod 777 questions though :-)

~Olav!

You may set the permission of your rootfolder to (correct me if I'm wrong) 755 after you've finished the installation.

wp-content has to be 777 or else your users will be unable to upload images.

Thanks KK!

That will secure things alittle. I have a couple more questions...

1 - Where can I learn more about securing a WordPress MU installation?

2 - How can I avoid blog spam and false blog creations without paying a bucketload of money for an Akismet enterprise key?

Thanks :-)

~Olav!

"2 - How can I avoid blog spam and false blog creations without paying a bucketload of money for an Akismet enterprise key?"

For comments, SK2 will do just fine, and you could probably add bad behavior as well. The two combined shouldn't have a problem.

For creations, that's a tough one. I've looked through the forums here for suggestions, but that appears to be the weaker link.

Bad Behavior "may" help on that, but I can't say for sure.

The option I'm going with, for now, will be canning auto-creation all together.

I'm going to set up my own registration form, which will in return send an email on the backend to a specified address. Between the admins of the site, we'll review the submission and then add the blog ourselves.

I'll also have an array of common spam related words, probably use the one from the wp codex, and simply drop requests that have one of them in the requested username.

Just the fact that there isn't auto-creation should deter most spammers. As they know fooling an actual human verification isn't worth it.

I think buried here in the forum some people have managed to add a captcha to the sign-up page (which *is* a two-step prcess that deters the bulk of splogs).

There's also feilds in the Site Admin where you can specify blocked usernames and domains to allow or disallow signups to come from.

Andrea, can you use wildcards in the domain field? Like *.de, *.jp, *.ru, etc?

So whatever.net.de would be blocked?

Dunno, could try it.