: Web safety for child's website I'm building a Wordpress site for a parent of an 11 year old that wanted something to memorialize her daughters athletic, academic and personal achievements. The

@Radia820

First this is really a WP question. I have wrote 20+ sites that do what you need so this is pretty easy.

1 You make everyone login to view every page.

2 You lock the uploads folder via script and .htaccess. There are scripts that will check for user login before allowing them to view media.

If you want to do anything in between this and having your site wide open - it is a lot of work. The easiest way to do it is have two uploads folders - one with security and one for everything else if you want to have some pages wide open to the public and some not.

As for what others are saying about content - can't find it if your pages are locked... that is not really true. I have robot scripts that will search the crap out of a folder for file names.

All the google and robots talk is nonsense. That stuff only matters if you want to half-ass it. If you do then take advice from some of the upvoted questions above.

Vote Up Vote Down

@Murray432

The only appropriate answer is to password protect the whole thing. HTTP BASIC_AUTH is probably the simplest to set up, as it will not interact with WordPress in any way. That on its own will be enough to deter all scrapers, but if you want proper security you should also use HTTPS.

(Sidenote: With many systems, a HTTP page will redirect to HTTPS. However, with HTTP BASIC_AUTH, that redirect can be after the prompt for your password. The HTTPS page will then prompt for password again. This means that your password has been entered twice, once in cleartext and once over a secure channel. It is in principle possible to have different passwords for the HTTP and HTTPS versions, or to have no password for the HTTP version: all it does is redirect to the HTTPS version, which then asks for your password. How easy this is to set up depends on which tools you are using to manage your website hosting preferences. Alternatively, simply ensure that you always navigate directly to the HTTPS page, bypassing the insecure version. If you use a password system other than HTTP BASIC_AUTH, then probably none of this sidenote will apply.)

Vote Up Vote Down

@Ogunnowo487

I'm probably being paranoid


Maybe I'm being paranoid, but this sounds like it should be an entirely private blog/website. ie. password protected. Who exactly is the target audience?

Apart from the security aspect (preventing the unscrupulous from finding and using the content), this sort of content sounds like it would be ripe for bullying from other school "friends". Content which might be OK at first - to an 11 year old - might just become embarrassing in a few years.


I'm not adding them to Google console


This would seem to be backward? The way you hide content from Google (ie. a "good" bot) is to use the robots meta tag (or X-Robots-Tag header) and maybe robots.txt. Omitting it from Google Search Console will not help in this respect.

At least if you add it to Google Search Console you can monitor things like backlinks, check robots.txt, etc. If indeed you do go public.

Vote Up Vote Down

@LarsenBagley505

First, I'll make a grand apology to all the professional webmasters out there, but for this OP, I have one golden suggestion:

Violate search engine guidelines

And I mean do it to the point where the important content is in complex javascript and the content robots can crawl is not in proper HTML. This includes a bad description tag, a bad title tag, etc. Heck, maybe turn the entire content into just a video made in flash, or show the entire content as just one image. That would really make the search engine crawler cringe.

I'll show by example in code:

Here's a way to get something indexed:

<!DOCTYPE html>
<html>
<head>
<title>Web page</title>
<meta name="description" content="This is a wonderful web page">
</head>
<body>
<h1>A wonderful web page</h1>
<h2>By John Smith</h2>
<p>This is a wonderful page. ya de ya de ya de ya de ya de ya de</p>
<p>This is wonderful. ya de ya de ya de ya de ya de ya de</p>
</body>
</html>


Ok, I admit, the text isn't perfect, but you understand what I mean.

Now if you want to hide it from crawlers and do it the simple way, you can try this:

<!DOCTYPE html>
<html>
<head>
<title>Private</title>
</head>
<body>
<img src="mywebsite.jpg" width=1024 height=768>
</body>
</html>


then make an image named mywebsite.jpg and include all the text in that, not in the html shown above. Then you need to protect mywebsite.jpg by making a watermarked version of it to the users who are unauthorized to see the real thing. Simply compare user agent strings or ip addresses against those you allow/disallow for the image. This type of thing can be done in .htaccess with some rewrite rules.

For example, to force googlebot to see the watermarked image instead of the real thing, use these rules:

RewriteCond %{HTTP_USER_AGENT} ^googlebot$ [NC]
RewriteRule ^mywebsite.jpg$ specialrobotimage.jpg [L]


I'm assuming here that mywebsite.jpg is your real website as an image and specialrobotimage.jpg is the watermark or the image as a message stating only real users are allowed to see the information. Also, the rules assume everything is in the same folder.

Vote Up Vote Down