Setting up a WordPress Test Site
Tuesday, April 21st, 2009 by Jonathan Lau
If you’re a WordPress plugin or theme developer like we are, there might be times when you want a live demo or showcase of the cool stuff your plugin can do. However, most plugins are only configurable by administrators of the blog, and giving out admin permission on your WordPress blog can be disastrous. Want to let your users have full admin access without compromising security? This post briefly runs through a few quick steps to get you started!
Before you Start
If you would like to have an example to play around with before you start, you can visit CubePoint’s live demo site here:
http://cubepoints.techcube.net/
What you Need
- A hosting account separate from your main sites (with cron jobs supported)
(that’s basically all you need!)
A Note of Caution!
In WordPress, an admin account can potentially upload files of any type (yes, including PHP). This can be harmful! To secure your setup, you are required to CHMOD all your files to 755. As such, we strongly recommend that you use a separate hosting account (you can use one of the many sites that offer free hosting) solely for this purpose.
Disclaimer: while nothing should go wrong by following these instructions, we are not responsible if anything happens (e.g. server crashes, files gone, site hacked, explosion of server – just kidding).
Getting Started
- Grab the latest stable copy of Wordpress from here:
http://wordpress.org/latest.zip
- Unzip, upload and install
(like you would normally do)
Customising your Install
- Install your plugin / theme
(remember to activate them through the admin panel)
- Tweak and configure the site to your liking
(remember to set a welcome page containing the admin password)
- Allow public signups and grant administrator privileges to all new users *optional
(if someone changes the admin password, others can still get immediate access by signing up)
- Finalise how you would like your site to appear
(check that everything is to your liking as changing something after this step would be difficult)
Setting Up
- Export MySQL Database
(you can do this from phpMyAdmin, usually found in your host’s control panel)
- CHMOD EVERY file and folder to 755 (including parent directories) *IMPORTANT!
(this is to prevent anyone from uploading any malicious scripts to your account)
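Added here as an example (not part of the original post): a small POSIX shell audit that lists anything under the install that is still group- or world-writable, plus a helper that applies the 755 rule. It assumes the files are owned by a user other than the one PHP runs as; if PHP runs as the file owner, mode bits alone will not stop uploads.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress tree for anything
# that is group- or world-writable, i.e. what the "CHMOD everything to 755" step
# is meant to remove, and optionally apply that rule.
# Assumption: the files are owned by a user other than the one PHP runs as.

# audit_perms DIR: print every entry under DIR with a group or other write bit.
# Returns 0 when the tree is clean, 1 when something is writable, 2 on bad input.
audit_perms() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "audit_perms: not a directory: $dir" >&2
        return 2
    fi
    # -perm -g+w / -perm -o+w are POSIX find tests for "this write bit is set"
    bad=$(find "$dir" \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# fix_perms DIR: the post's rule, every file and directory to 755.
fix_perms() {
    chmod -R 755 "$1"
}

# Demo on a constructed tree so the script runs stand-alone.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
echo '<?php // constructed sample file' > "$demo/wp-content/uploads/sample.php"
chmod 777 "$demo/wp-content/uploads/sample.php"   # the kind of leftover to catch
chmod 775 "$demo/wp-content"
echo "Before fix:"
audit_perms "$demo" || echo "-> writable entries found (exit status $?)"
fix_perms "$demo"
echo "After fix:"
audit_perms "$demo" && echo "-> clean"
rm -rf "$demo"
```

Run it from the cron job before the database restore so a write bit that was flipped during the hour is reported and reset.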
Schedule Automatic Restoration of Site
Although your site should be secure by now, people sometimes try to ruin it by removing all your test accounts or adding rubbish to the homepage of your test site. As such, we want to restore the site to its original state hourly or daily. All post data are stored in the MySQL database, so restoring your old export does the trick here.
- Writing the Script
A PHP script is needed to restore the original exported MySQL database. We have saved you the trouble by providing all you need here. All you have to do is change your database settings and upload the file! Upload your database export as well.
Note: If possible, upload this in a folder outside your public web root.

```php
<?php
// Name of the exported database file
$filename = 'database.sql';
// MySQL host
$mysql_host = 'localhost';
// MySQL username
$mysql_username = '';
// MySQL password
$mysql_password = '';
// Database name
$mysql_database = '';
//////////////////////////////////////////////////////////////////////////////////////////////
// Report query errors as return values, not exceptions, so a failing statement
// is printed and the restore continues with the next one (mysqli replaces the
// mysql_* functions, which were removed in PHP 7)
mysqli_report(MYSQLI_REPORT_OFF);
// Connect to MySQL server
$link = mysqli_connect($mysql_host, $mysql_username, $mysql_password)
    or die('Error connecting to MySQL server: ' . mysqli_connect_error());
// Drop and recreate the database so the restore starts from a clean slate
mysqli_query($link, 'DROP DATABASE `' . $mysql_database . '`');
mysqli_query($link, 'CREATE DATABASE `' . $mysql_database . '`')
    or die('Error: ' . mysqli_error($link));
// Select database
mysqli_select_db($link, $mysql_database)
    or die('Error selecting MySQL database: ' . mysqli_error($link));
// Temporary variable, used to store the statement currently being assembled
$templine = '';
// Read in entire file
$lines = file($filename);
if ($lines === false) {
    die('Error reading ' . $filename);
}
// Loop through each line
foreach ($lines as $line) {
    // Skip comments and blank lines (file() keeps the newline, so trim first)
    if (substr($line, 0, 2) == '--' || trim($line) == '') {
        continue;
    }
    // Add this line to the current statement
    $templine .= $line;
    // A semicolon at the end of the line marks the end of the statement
    if (substr(trim($line), -1, 1) == ';') {
        // Perform the query
        mysqli_query($link, $templine)
            or print('Error performing query \'<strong>' . $templine . '\': ' . mysqli_error($link) . '<br /><br />');
        // Reset temp variable to empty
        $templine = '';
    }
}
mysqli_close($link);
echo 'Database Restored';
```

- Set up cron to execute the script
Execute: “php /full/path/to/script/restore.php”
(We recommend that you set this to once every hour or every few hours)
Test your Site
Once you have done all the above steps, you should run some tests to make sure everything is working as intended.
Tips & Tricks
- Show a countdown timer to let users know the duration before the next site restore.
- You may temporarily set your cron jobs to every minute to test out if it works. Just remember to change it back after you are done testing.
- You may want to create more than just one account so that people have alternative logins if someone changes the admin password.
That’s all! Any better ways to secure these? Any security flaws?
Do share your feedback / questions or successes in the comments below!