Ever since I wrote the post a few weeks back about our internal micro blogging system (see Using WordPress to Make a Secure Twitter for Business) I’ve been bothered by the fact that it isn’t really as secure as it should be. Following the steps I provided, there is still one unprotected RSS feed that – given the URL of your blog – almost anyone can find. My suggestion when I wrote that post was simply not to give away your URL since it’s an internal system. Obviously that’s not sufficient, and someone in the comments said as much.
Every few days I’ve tried a different fix that hasn’t worked. Then today I went back and tried something super simple that I thought I had already tried – password protecting the entire blog directory on the server level – and it worked. My order of operations must’ve been out of whack when I developed the thing, because clearly this is the most simple and secure solution.
While the majority of the info on the original post is still useful/valid, here are an abbreviated version of the new steps, with the changes in bold:
- Install WordPress and turn off pinging
- Install and customize a simple WordPress theme
- Create user accounts for all potential users and modify WordPress to display who posted in the title
- Password protect the entire WordPress directory at the server level. This can be accomplished in your hosting control panel, usually under a setting called “password protected directories”. For example if your micro blog URL is www.yoursite.com/micro-blog/ you should password protect the entire micro-blog folder. This prevents anyone without the password from viewing the blog or the feed.
- Use FreeMyFeed to create a secure feed that can be put in feed readers that do not support password protection.
- Add the feed to the feed reader of your choice. For us, we installed the CustomRSS Google Gadget on our Pure Adapt Personalized Start Page that we all use as our start page in our browsers.
Now, for all reasonable uses, this is a secure system that can only be accessed by the people you give permission to.