Back in 2006 blogging was still in its infancy and I remember searching for a platform to launch my first blog. TypePad and Blogger were both big at that time, WordPress.com was around and growing, and Movable Type, Joomla, Drupal, and WordPress.org were also good options. In fact there were so many good options that it was difficult to decide what foundation I would use for what I hoped to be my new job.
For my first few months of blogging I actually went with TypePad, but quickly found that it was very limited and wasn’t a good fit for my needs. I went back to the drawing board at that point and knew I needed something that was flexible and was also going to be around for the long haul. At that time open source was really starting to take off in the mainstream and WordPress.org was leading that charge in the blogging niche, so I decided to align myself with the WordPress community and re-launched my first blog. Between the WordPress plugins and both the free and premium WordPress themes available, I knew I had made the right choice and was able to quickly make a custom design with little work on my end. The flexibility and the excellent open source community were the key to creating a great experience for me, and many I talked to felt the same way.
Fast forward 7 years and WordPress continues to meet my needs and validate my early decision. One report I use to determine this is released annually by Royal Pingdom, which has done a study of the Top 100 blogs each year since 2009 and recently published their 2013 report. This report shows WordPress continues to grow as the top choice among the most prominent blogs. Initially back in 2009, WordPress was on 32% of the Top 100 blogs. Last year it was up to 48%. For 2013, WordPress is now on 52% of the Top 100 blogs, and I expect that percentage to continue to grow over the coming years thanks to its flexibility and the fact that it is very user friendly.
According to Wikipedia, WordPress is used by over 14.7% of the top 1 million websites and manages over 22% of all new websites created as of August 2011, boasting a total of over 60 million websites. It’s hard to imagine what these numbers will look like next year or several years from now.
WordPress has become a favorite platform for many ecommerce sites: it’s easy to set up a sale button for an ebook or any other file in a matter of minutes. But while WordPress can be a decent ecommerce platform out of the box, there are ways to transform it into a great platform with some relatively simple tweaks.
Update Your WordPress — And Keep It Updated
The downside to using a well-known content management system for your site is that more people will be looking for security flaws to exploit. On the other hand, there are also more people working to resolve any security issues. Provided you keep your WordPress installation current, adding each new update as soon as it rolls out, there’s significantly less risk of something happening to your site. Considering that it only takes one malware issue to destroy any trust you’ve built with potential buyers — no one wants to run the risk of putting their payment information into a compromised site — keeping your site up to date and preventing potential security issues has to be a priority.
You can also prevent security issues by carefully vetting any plugins or themes you add to your site. Even if you aren’t able to evaluate the code on a line-by-line basis, do some research into the problems others may have encountered with anything you’re considering adding to your site. Personally, I have a preference for using premium themes and plugins that are well-known for the simple reason that I’m more likely to have support available.
Set Up Clear Permalinks
Built into the core WordPress settings are options to manage your permalinks. Make sure that you’re using links that aren’t just a bunch of numbers or dates, especially if you’re going to be sharing direct links to your sales page online anywhere. Direct links look more trustworthy to buyers, and they also help eliminate problems when people retype a link into their browser. During a longer sales process, you may be surprised by how many times exactly that will happen. In fact, it can be a good idea to have an individual domain that goes directly to your sales page, particularly if you have a lot of other content on your site.
Make Your Shopping Cart, Payment Processor and Everything Else Match
Depending on the themes and plugins you might use to set up different ecommerce elements on your site, you can wind up with a site that sends people off to far-flung parts of the internet to complete the sale. Even if they stay on your site, pages can wind up looking very different.
With only a few exceptions, though, you can make sure that each step of the purchasing process looks identical. Most payment processors will, at least, allow you to add your own logo to the page, if not add CSS styles or other elements to make offsite pages look the same as those that are actually on your site. The more times you ask a buyer to trust an entirely different website (particularly in terms of visual cues) the more likely that buyer is to stop the purchase process and close the window. You need to prevent that as much as possible.
Have you considered Managed WordPress hosting? Managed WordPress hosting is becoming an increasingly popular option among many professional WordPress bloggers and top webmasters these days, as these services will often take care of all the technical aspects of WordPress for you, allowing you to focus on creating and sharing great content. As an added bonus, these companies will also typically answer your technical questions, make sure your WordPress content loads quickly, and install your WordPress theme and plugin updates. Examples of popular managed WordPress hosting companies include WPEngine, ZippyKid, Page.ly, and Synthesis. These top companies provide similar services and features but all offer a few extras to try to separate them from the pack.
So, is a managed WordPress hosting service for you? Deciding whether or not to sign up for one of these services will likely come down to your personal needs. If your website/blog attracts a lot of traffic and you use WordPress frequently, managed hosting could be an attractive option. On the other hand, if you’re just a casual blogger who just wants the basics from WordPress, managed hosting might be an unnecessary expense. Before you start paying for this type of hosting, it’s good to keep in mind that companies like ZippyKid and Synthesis can make your life as a WordPress user easier, but they’re not perfect solutions for everyone.
Here are some of the pros and cons of managed WordPress Hosting:
- Your site and content will load faster. People are a lot more likely to leave your site or spend less time on it if it loads slowly.
- You’ll have someone to turn to when technical issues arise. Calling one of the big generalist hosts like HostGator or GoDaddy with a WordPress problem usually gets you nowhere, because their front-line support isn’t trained on WordPress specifically. You’re paying a managed WordPress host to know the ins and outs of the popular content management system, so you get the kind of support you need from companies like WPEngine and ZippyKid.
- Your content and confidential information will be better protected. The host applies WordPress updates for you and takes regular backups, so you don’t have to worry as much about malware, known vulnerabilities, or losing your data if something crashes or a security issue arises. It does not remove the need to vet the plugins and themes you install, keep your own passwords strong and unique, or check that the backups actually restore; those parts remain your responsibility whoever hosts you.
- You don’t have to spend as much time learning about WordPress. Many WordPress users spend hundreds of hours every year researching WordPress how-to guides and taking free WordPress classes to become better at using the content management system. Since managed WordPress companies take care of all the technical stuff, you don’t have to waste any of your precious time learning how to install a new theme or get a new plugin to work.
- Managed WordPress hosting is costly. It generally ranges in price from about $30 a month to a few hundred dollars a month, depending on how many WordPress installs you need managed. If you’re a perpetually broke college student who blogs for fun, managed WordPress hosting probably isn’t for you.
- You have less control. If someone else is managing all the technical aspects of your WordPress accounts, you don’t decide what gets updated and changed to improve efficiency. Someone else does. If you like to be in control, managed WordPress hosting might not be the best fit.
- You have to pay extra when one of your posts goes viral. Most basic managed WordPress hosting packages, the ones that cost you around $30 a month, only allow a certain number of visitors to your site each month before they charge you extra. Usually the number of visitors allowed is around 25,000. If 1.3 million visitors check out your site one month, you have to fork over quite a bit of extra money to the hosting company. You could avoid this by paying for a more expensive package that allows more visitors per month, but that would just end up costing you more too.
Overall, if you can justify the price of managed WordPress hosting, there’s definitely good reason to look into it, especially if you want to make your life as a WordPress user simpler.
WordPress is installed on so many websites that it has become the web’s equivalent of Windows on the desktop. Hackers, scammers, and phishers target Windows because it runs on millions of computers all over the world; if you’re going to break into computers with malicious intent, you go after the biggest target, and on the web that target is WordPress.
You will find (at times) that proponents of other popular open source CMS software (Joomla, Drupal) will say “WordPress isn’t safe, look at all the hacked websites”. WordPress itself is stable, mature, and well maintained. But like any software it has to be kept patched: holes that are found and fixed upstream stay open on every site that doesn’t apply the fix. If everyone kept WordPress, plugins, and themes updated and did even a little preventative maintenance and hardening, we’d estimate the number of compromised WP websites would drop by something like 90%. In this article we’re going to go over the basic steps of how to protect your WordPress website from malware, virus infections, and malicious code and scripts.
First let’s talk about some basics you should know…
What is (website) malware?
You probably already know the word “malware” from PCs. Computer viruses have been around a long time, as has virus-scanning software. With the Internet age came “spyware” (programs that spy on what you do and send the details to a remote computer), as well as “anti-spyware” software. You might also have heard about trojans and key-logging software as types of computer viruses. On a PC, “malware” means any software put on the machine without your informed consent to do something on someone else’s behalf, for example a browser toolbar that quietly installs a script, program, or trojan in the background as its payload.
Google started tracking malware in websites a few years back as part of Google Webmaster Tools. Malware (at that time) was understood mostly as something installed in your website designed to deliver a payload to the website visitor without their knowledge (again a virus, trojan, program, script, etc.). Now the term is used to cover nearly any compromised website, whether it delivers an actual payload, redirects the user to a rogue website, or just plain contains simple SEO spam.
How do websites get infected with malware?
If you think about the number of WordPress websites online (more than 73 million and counting), when reports come out saying “10,000 websites hacked via ABC vulnerability” that’s a small percentage of the whole. Then again, that’s 10,000 broken websites that are either down, redirected, or infested with spam.
Often people have a perception that there are actual people (hackers) sitting there trying to break into their website. That’s not really the case; it’s an automated process. Hackers, spammers, and criminals write scripts that seek out websites with specific vulnerabilities they can use to break in. They watch the security holes patched in WordPress itself, as well as in themes and plugins, and then scan for sites that haven’t applied the patch yet. They also look for other software with holes, such as Joomla, Mambo, Drupal, vBulletin, Simple Machines Forum, phpBB, and anything else they can find. Often the scripts are written to break in through one hole and then infect all PHP files, all sites in a hosting account, or all WordPress installations on the server at once.
So think about the home you live in and its security. You have locks on the doors and windows, and if someone were trying to get in you’d know about it right away. The bulk of websites online are in shared hosting accounts. Unless you have some alerting or monitoring set up for your website (and even if you do), the only place break-in and hack attempts are recorded is the server logs. You may not know it, but your website is being “attacked” night and day, hundreds (if not thousands) of times, by scripts constantly probing for a way in. If you could see that, you’d beef up the security a bit.
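To make that concrete, here is a small script (added as an example; it is not from the original post and not part of any plugin mentioned here) that reads a web server access log in the common Apache/nginx “combined” format and summarises the patterns automated WordPress attacks leave behind: repeated POSTs to wp-login.php that come back with a 200 (the login form re-rendered, i.e. a failed guess), a 302 from wp-login.php after a run of failures (what a successful guess looks like), POST floods to xmlrpc.php, and 404s under wp-content/plugins/ (a scanner probing for plugins you don’t have). The log lines in it are constructed, the thresholds are assumptions to tune against your own traffic, and it counts per IP without a time window, which a production version should add.

```php
<?php
// Added example (not from the original post): summarise automated attack traffic
// against a WordPress site from a web server access log. Assumes the Apache/nginx
// "combined" log format; thresholds are illustrative and should be tuned.
// Usage: php wp_attack_summary.php < /var/log/apache2/access.log
// With no piped input it analyses the constructed sample below.

// Constructed sample, not a real capture: one brute-forcer, one plugin scanner,
// one ordinary reader.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [10/Jun/2013:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2013:04:40:10 +0000] "GET /wp-content/plugins/gallery/upload.php HTTP/1.1" 404 210 "-" "python-requests/1.2"
198.51.100.23 - - [10/Jun/2013:04:40:10 +0000] "GET /wp-content/plugins/slider/admin.php HTTP/1.1" 404 210 "-" "python-requests/1.2"
198.51.100.23 - - [10/Jun/2013:04:40:11 +0000] "GET /wp-content/plugins/contact/readme.txt HTTP/1.1" 404 210 "-" "python-requests/1.2"
198.51.100.23 - - [10/Jun/2013:04:40:11 +0000] "GET /readme.html HTTP/1.1" 200 7100 "-" "python-requests/1.2"
192.0.2.50 - - [10/Jun/2013:09:02:33 +0000] "GET /2013/06/hello-world/ HTTP/1.1" 200 14876 "http://example.com/" "Mozilla/5.0"
192.0.2.50 - - [10/Jun/2013:09:02:34 +0000] "GET /wp-content/themes/twentytwelve/style.css HTTP/1.1" 200 4322 "http://example.com/" "Mozilla/5.0"
LOG;

// Parse one combined-format line into its fields, or return null if it does not match.
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => explode('?', $m[4], 2)[0],   // drop any query string
        'status' => (int) $m[5],
        'ua'     => $m[6],
    ];
}

// Count, per source IP, the request patterns automated WordPress attacks leave behind,
// and return only the IPs that cross a threshold, with the reasons.
function analyze(string $log, int $login_threshold = 5, int $probe_threshold = 3): array
{
    $per_ip = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        $ip = $r['ip'];
        if (!isset($per_ip[$ip])) {
            $per_ip[$ip] = ['login_fail' => 0, 'login_redirect_after_fail' => 0,
                            'xmlrpc_post' => 0, 'plugin_404' => 0, 'requests' => 0];
        }
        $s = &$per_ip[$ip];
        $s['requests']++;
        if ($r['method'] === 'POST' && $r['path'] === '/wp-login.php') {
            // A failed login re-renders the form with HTTP 200; a successful one
            // redirects (302) to wp-admin. A 302 after a run of 200s from the same
            // address is what a guessed password looks like in the log.
            if ($r['status'] === 200) {
                $s['login_fail']++;
            } elseif ($r['status'] === 302 && $s['login_fail'] > 0) {
                $s['login_redirect_after_fail']++;
            }
        } elseif ($r['method'] === 'POST' && $r['path'] === '/xmlrpc.php') {
            $s['xmlrpc_post']++;   // login brute force via XML-RPC
        } elseif ($r['status'] === 404 && strpos($r['path'], '/wp-content/plugins/') === 0) {
            $s['plugin_404']++;    // probing for plugins that are not installed
        }
        unset($s);
    }

    $flagged = [];
    foreach ($per_ip as $ip => $s) {
        $reasons = [];
        if ($s['login_fail'] >= $login_threshold) {
            $reasons[] = "{$s['login_fail']} failed wp-login.php POSTs";
        }
        if ($s['login_redirect_after_fail'] > 0) {
            $reasons[] = 'login redirect (302) after failures: possible successful guess';
        }
        if ($s['xmlrpc_post'] >= $login_threshold) {
            $reasons[] = "{$s['xmlrpc_post']} POSTs to xmlrpc.php";
        }
        if ($s['plugin_404'] >= $probe_threshold) {
            $reasons[] = "{$s['plugin_404']} 404s under wp-content/plugins/ (plugin scan)";
        }
        if ($reasons) {
            $flagged[$ip] = $reasons;
        }
    }
    return $flagged;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $log = stream_isatty(STDIN) ? SAMPLE_LOG : stream_get_contents(STDIN);
    foreach (analyze($log) as $ip => $reasons) {
        printf("%-16s %s\n", $ip, implode('; ', $reasons));
    }
}
```

Run it as `php wp_attack_summary.php < /var/log/apache2/access.log`; with nothing piped in it analyses the embedded sample and flags two addresses (the brute-forcer, including its suspicious 302, and the plugin scanner) while the ordinary reader is left alone. Because it works on the log rather than inside WordPress, it still works when the site itself has been tampered with, and it is the quickest way to see for yourself how much of the traffic hitting a shared-hosting site is scanner noise.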
Back to how the websites get infected. These automated scripts look for security holes in WordPress itself, themes, and plugins. If your website (or your themes or plugins) is out of date, you might be open to one of these attacks looking for a way in. But this isn’t the only way.
Another way websites can be compromised (any website, not just WordPress) is through an insecure connection when you log in to FTP, your wp-admin dashboard, or your web hosting account. Remember when we talked about computer viruses and malware? If your PC is compromised and you connect to your WordPress website, your login details can be sent to a remote PC by a keylogger or trojan. Even if your PC is clean, plain FTP and plain HTTP send your username and password across the network unencrypted, so anyone on the same coffee-shop, hotel, or airport Wi-Fi can read them (the same goes for an unsecured home wireless router). Use SFTP (or FTPS) instead of FTP, and log in to wp-admin and your hosting control panel over HTTPS only.
Yet another way your WP website can be infected is through your web host itself. Maybe your account is managed with the cPanel or Plesk control panel and your web host hasn’t applied the latest patches for that software; hackers can get in through those holes. What if a departing employee of the web host steals the password files (which has actually happened)? You could be compromised. What if someone external breaks into your web host and steals your login information (which has also happened, at multiple hosts, multiple times)? You can be broken into that way too.
More often than not, what we see are large web hosts with shared servers where hackers break into as many sites as they can on one box at once (bad-neighborhood, or guilt-by-association, break-ins). Hosts that do careless things like leaving directory indexing on by default don’t help matters much.
How to Protect WordPress from malware?
Now that you know what malware is, and how websites get infected, it’s time to find out how to protect your own website from malware (infections). While we can’t give you complete step by step instructions, we can give you some great points to follow which will make your website more secure and hardened than it ever has been.
- Reset your password(s): regularly reset your WordPress admin, FTP, and web hosting control panel passwords every 30-60 days, and immediately whenever you suspect a compromise or someone who had access leaves. Use a strong password of 12+ characters generated by a password manager or a tool like strongpasswordgenerator.com, and never reuse the same password at multiple websites or for multiple accounts; a leak at any one of them then exposes all of them.
- Update everything: as previously mentioned, be sure to keep WordPress itself updated, and all plugins and your theme as well at all times. Check to see if your theme has an update available if you purchased it from a developer or a theme house. Have it reviewed by a competent WordPress developer once per year for vulnerabilities if it was custom coded.
- Remove unused and outdated items: the worst security holes are the ones you forget about. Always delete themes and plugins that are unused or inactive; an inactive plugin’s files are still on the server and still reachable by a scanner. In addition, remove (or at least have an expert check out) any plugin that hasn’t had an update in 12-18 months or more.
- Get rid of common WordPress fingerprints: your WordPress installation announces the version you are running in the meta generator tag of every HTML page it serves, and again in the version query string on its scripts and stylesheets and in the readme.html file at the site root. Use a security plugin like Secure WordPress or Better WP Security to suppress the generator tag, and remove or block access to readme.html. Treat this as tidying rather than protection: the automated scanners described above don’t read version tags, they simply request the vulnerable file and see what happens, so hiding the version is no substitute for updating.
- Limit access: give admin access only to those with a “need to know” within your WordPress website. You should be able to count full site admins on one hand (preferably on one or two fingers). Give everyone else a lesser user role as needed.
- Set up alerting and monitoring: there are all kinds of free services (some by web hosting companies) that will alert you if your website is down or if the content of certain pages has changed.
- Register with Google Webmaster Tools: if you register with Google Webmaster Tools and they find malware in your website, they will notify you via email. Keep in mind (in our experience) that by the time they notify you, your website could have been infected for days or weeks (or longer), so this is a backstop, not your primary alerting.
- Monitor changed files: There are many free plugins that will monitor your website for changed files, Better WP Security is one of them.
- Update the wp-config security keys and salts: since before version 3.0 the wp-config.php file of every WP installation has contained eight “secret key” and “salt” constants (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their _SALT counterparts), along with a comment pointing to https://api.wordpress.org/secret-key/1.1/salt/ to fetch random ones. WordPress uses them to sign your login cookies and nonces. If yours still read “put your unique phrase here”, replace them now; and because changing them invalidates every existing login cookie, changing them again is the quickest way to throw out an attacker’s sessions after a compromise.
- Install and configure a security plugin: set up and configure an all-inclusive security plugin, something like Better WP Security or Secure WordPress.
- Set up and test a backup solution: by all means, make sure that in the event something does happen you have a disaster recovery plan. You can use a free plugin, a premium solution, or a web-based service to back up your website to an offsite location for recovery in case you are hacked or something at your web host goes down. This also protects you if an upgrade of WordPress or a plugin causes a conflict that takes your website down. With regular versioned backups you can revert to the last known good version; and “test” means actually restoring one into a scratch site, because a backup you have never restored is not yet a backup.
Just these few bullet points close the holes behind the large majority of the WordPress compromises we see; in our estimate your website’s security improves by 95% or more.
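As an added example of the wp-config item above (example code, not from the original post or from WordPress itself), this script regenerates the eight keys and salts locally with PHP’s CSPRNG instead of fetching them from the wordpress.org URL, and rewrites wp-config.php in place after saving a backup. It assumes the defines use single quotes, as the shipped wp-config-sample.php does; the script name and the backup naming are its own choices.

```php
<?php
// Added example, not from the original post or from WordPress: rotate the eight
// authentication keys and salts in wp-config.php using locally generated random
// values, keeping a backup of the previous file. Assumes the defines are written
// with single quotes, as in the shipped wp-config-sample.php.
// Usage: php rotate_wp_keys.php /path/to/wp-config.php

const WP_KEY_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// 64 characters from the CSPRNG. The alphabet leaves out the single quote and the
// backslash so the value can sit in a single-quoted PHP string without escaping.
function generate_wp_key(int $length = 64): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_=+[]{}<>?,./:;|~';
    $key = '';
    $last = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $last)];
    }
    return $key;
}

// Return the wp-config.php source with a fresh value in every key/salt define.
// A define that is missing altogether is added just above the "stop editing"
// marker (or at the end of the file if the marker is absent).
function rotate_wp_keys(string $config): string
{
    foreach (WP_KEY_NAMES as $name) {
        $line = "define('" . $name . "', '" . generate_wp_key() . "');";
        $pattern = "/define\\(\\s*'" . preg_quote($name, '/') . "'\\s*,\\s*'[^']*'\\s*\\);/";
        // preg_replace_callback rather than preg_replace: the new key may contain
        // "$1" or similar, which a plain replacement string would treat as a backreference.
        $config = preg_replace_callback($pattern, function () use ($line) {
            return $line;
        }, $config, 1, $count);
        if ($count === 0) {
            $marker = '/^\/\* That\'s all, stop editing!.*$/m';
            if (preg_match($marker, $config, $m)) {
                $config = str_replace($m[0], $line . "\n" . $m[0], $config);
            } else {
                $config = rtrim($config) . "\n" . $line . "\n";
            }
        }
    }
    return $config;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $path = $argv[1] ?? 'wp-config.php';
    $original = file_get_contents($path);
    if ($original === false) {
        fwrite(STDERR, "cannot read {$path}\n");
        exit(1);
    }
    // The backup holds the database password too: keep it owner-only and delete
    // it once you have confirmed the site still logs in.
    $backup = $path . '.bak.' . date('YmdHis');
    if (file_put_contents($backup, $original) === false || !chmod($backup, 0600)) {
        fwrite(STDERR, "cannot write backup {$backup}\n");
        exit(1);
    }
    file_put_contents($path, rotate_wp_keys($original), LOCK_EX);
    echo "keys and salts rotated; previous config saved as {$backup}\n";
}
```

Every user, including you, is logged out the moment the new file is saved, which is exactly the effect you want after a suspected compromise; on a healthy site it is a harmless one-time inconvenience.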
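And for the changed-files item, an added example (again not from the original post or from the plugins named in it) of doing the same check from outside WordPress: a script you run from cron that records a SHA-256 hash of every file under the install and, on later runs, reports what was added, removed, or changed. Because it runs outside the site, a compromised plugin can’t switch it off, and it skips the bulky media and cache directories except for PHP files, which should never appear there and are exactly what an attacker drops in an uploads folder. The directory list and the JSON baseline format are assumptions.

```php
<?php
// Added example, not from the original post or from any plugin named in it: a
// file-integrity check for a WordPress install, run from cron outside WordPress.
// "baseline" writes a JSON map of path => SHA-256; "check" compares the tree
// against that map and exits non-zero if anything differs. The skip list is an
// assumption; adjust it to your site.
// Usage: php wp_fim.php baseline /var/www/site > /root/site-baseline.json
//        php wp_fim.php check    /var/www/site   /root/site-baseline.json

// Bulky directories whose contents change legitimately. PHP files inside them are
// still hashed: they should never be there, and that is where web shells get dropped.
const SKIP_DIRS = ['wp-content/uploads', 'wp-content/cache', 'wp-content/upgrade'];

function is_php_file(string $path): bool
{
    return (bool) preg_match('/\.(php\d?|phtml|phar)$/i', $path);
}

// Walk $root and return ['relative/path' => 'sha256 hex'] for every regular file.
function hash_tree(string $root): array
{
    $root = rtrim(realpath($root), '/');
    $hashes = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $path => $info) {
        if (!$info->isFile()) {
            continue;
        }
        $rel = substr($path, strlen($root) + 1);
        foreach (SKIP_DIRS as $dir) {
            if (strpos($rel, $dir . '/') === 0 && !is_php_file($rel)) {
                continue 2;
            }
        }
        $hashes[$rel] = hash_file('sha256', $path);
    }
    ksort($hashes);
    return $hashes;
}

// Compare a saved baseline with a fresh walk. Any non-empty list is an alert.
function diff_trees(array $baseline, array $current): array
{
    $changed = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if (!hash_equals($baseline[$path], $hash)) {
            $changed[] = $path;
        }
    }
    return [
        'added'   => array_keys(array_diff_key($current, $baseline)),
        'removed' => array_keys(array_diff_key($baseline, $current)),
        'changed' => $changed,
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $mode = $argv[1] ?? '';
    $root = $argv[2] ?? '';
    $baselineFile = $argv[3] ?? '';
    if ($mode === 'baseline' && is_dir($root)) {
        echo json_encode(hash_tree($root), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
        exit(0);
    }
    if ($mode === 'check' && is_dir($root) && is_file($baselineFile)) {
        $baseline = json_decode(file_get_contents($baselineFile), true);
        if (!is_array($baseline)) {
            fwrite(STDERR, "baseline file is not valid JSON\n");
            exit(1);
        }
        $diff = diff_trees($baseline, hash_tree($root));
        $total = 0;
        foreach ($diff as $kind => $paths) {
            foreach ($paths as $path) {
                echo strtoupper($kind), "\t", $path, "\n";
            }
            $total += count($paths);
        }
        exit($total > 0 ? 2 : 0);   // non-zero so cron mail or a monitor can alert on it
    }
    fwrite(STDERR, "usage: php wp_fim.php baseline <wp-root> | check <wp-root> <baseline.json>\n");
    exit(1);
}
```

Keep the baseline file outside the web root and owned by a different user than the one the web server runs as, otherwise an intruder who can write your files can also rewrite the hashes; and take a fresh baseline immediately after each legitimate WordPress, plugin, or theme update so the next check only reports what you didn’t do.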
Based upon the emails we get each month from readers who are trying to find our Twitter feed, I feel this post is probably long overdue, but I wanted to point out to our readership that we do in fact have a Twitter page! If you’d like to follow WPHacks.com on Twitter, you can get our updates here (@HackWordPress).
Our Twitter feed includes notification each time we publish a post here on WPHacks.com, but as an added bonus, you will also get some retweets of our favorite WordPress-related content published by others.
Note: If you’d like to follow my personal tweets also, you can do so here. (@KyleEslick)
In his “State of the Word” addresses at recent WordCamps, it is my understanding that Matt Mullenweg (the co-founder of WordPress) has often made mention of the growth of WordPress and the growing number of professionals and businesses which are earning a full time income using WordPress. As someone who makes a majority of his income online, this is something that I’ve spent some time working towards as well.
I’m sure upon hearing about these numbers, many people’s initial reactions may be that Matt is referring to the many premium theme authors who earn their livings creating professional themes which are in turn sold to the WordPress community, but what people may not know is that there is also a huge market for WordPress freelance work that designers and developers are making a large income from. These freelance jobs can range from building a custom plugin for someone, custom coding work, or even completely custom theme designs!
I know we have a lot of readers who are very talented developers and designers. If you are looking for freelance work as a WordPress designer or developer, here are a couple of great places to find potential clients:
- WordPress Jobs – This is the official job board and includes a feed so you can easily keep updated on what jobs are needed.
- eLance – eLance is a website which is used by all types of freelance designers and coders, but includes a very busy WordPress section where people can post their needs and freelancers can bid on them. You can also review rankings, earnings, and other information about the freelancers.
These sites were designed specifically with the intention of helping freelancers find clients, and I’m sure there are many others available as well. To our readers that do commissioned freelance work professionally, what have you found are the best ways to find work?
Finding a good web host for your websites or WordPress blogs can sometimes be difficult. In the past I’ve had a lot of success with HostGator, but have sometimes found that working with a large web hosting company can leave some gaps, as their service wasn’t designed specifically for the needs of a WordPress blogger.
Recently I came across a web hosting service called WP Web Host, which is web hosting designed with WordPress bloggers in mind! Their servers were designed to support one click WordPress installation and their support is also focused completely on WordPress. They also recently added support for WordPressMU (for running multiple WordPress installations).
Some additional information about WP Web Host:
Fast & Stable Server and Network
We invest heavily in ensuring our servers are not overloaded, have the fastest network connections, and guarantee 99.9% of network uptime (and 99.5% of server uptime) to all of our customers.
100 Days Money Back Guarantee
We take pride in making sure our customers are equally satisfied and happy. If you are not, within 100 days from when your initial order was placed, you’ll get your money back.
If you are worried about WP Web Host being a new service, let me ease your worries. They currently have over 20,000 different satisfied users and a couple of years experience under their belts. They also have the guarantee quoted above, showing they are a reputable business.
Probably my favorite part about WP Web Host is the price! Your hosting is only $5.00 a month and includes up to 50 domain names, 50GBs of web space, and 500GBs of monthly bandwidth, which should be plenty for most WordPress bloggers.
If you’d like to give WP Web Host a try, we were given permission to give a special offer to our readers. If you use the coupon code WPHACKS, you’ll receive a one-time 30% discount on all hosting plans (and all billing cycles). Click here to take advantage of this offer!
A lot of us are do-it-yourselfers when it comes to WordPress and even if we are only slightly technical WP makes is pretty easy. However, WordPress can, and often is, used for sites which are much more complex than the average blog and many individuals or small-to-medium businesses don’t have the time or the in-house expertise to make it work the way they want. Many more don’t even know that WordPress is an option for them, so whether you are already set on using WordPress for your site, looking for someone to enhance an existing WordPress instance, considering WordPress among other options or just looking for a CMS that won’t blow the budget out of the water but is flexible enough to meet your needs, hiring a WordPress expert can be a good way to go. But before you hire someone there are a few things you should consider to help you get the most out of the money you are going to spend. This is by no means comprehensive but should give you a good start.
Finding a good WP consultant: there are many of them out there, so consider your needs and find one that matches. Are you comfortable with a freelance consultant or do you prefer a company? Good places to look are the list of WordPress consultants on the Automattic website or the WordPress Pro mailing list.
Cost: this topic can be a bit sticky because prices can be all over the place depending on the services you need. When you are comparing consultants/companies, some things to consider are:
- Do they have a track record
- Established processes
- Do they provide references if asked
- Do they ask you a lot of questions and go through a requirements gathering phase?
- Do they provide you an education and training?
- Are they accessible and do they have a service level agreement to support that (24 hour response time for example)?
- Do they utilize contracts or statements of work outlining payment requirements, deliverables, requirements, etc.?
If any of those things are missing you might be opening yourself up to a more difficult project than necessary. The more professional they are, the better off you will be. Keep in mind that cheaper is not always better and price will likely rise with professionalism. But it’s all WordPress work, right? Yes, but even if the base application (WordPress) doesn’t change, how someone implements it for you can vary; there is more to a project than installing applications and plugins. If price is your only consideration or professionalism is ignored, you might end up not getting what you expect, need, or want, and could easily end up doing it over and paying again.
Budget: Do you have an established budget? It’s important to have some idea of what you can afford. There is no formula for knowing exactly what it should cost so establishing a budget can be tough. Figure out what you can afford then do your due diligence, research a number of candidates and get quotes. When figuring out what you can afford try to be realistic, you are looking to hire a professional that makes a living doing this. Getting a full website, design, logo, SEO and whatever custom configuration you need is going to cost. If your budget is a few hundred dollars, don’t expect much. Many elements of building a professional site can be time consuming and take considerable thought and expertise and that is what you are paying for. Hiring the wrong person can cost you more in the long run. If you really need help and your budget really can’t get you far prioritize and get ready to learn to do as much as you can for yourself and pay for help where you need it most.
Setting Expectations: Be very clear about what you want and need. Before you even talk to someone spend time planning and outlining your requirements. Consultants aren’t mind readers but should be able to guide you as long as you have some idea(s). Break it down into must-haves and nice-to-haves which will give you some flexibility in budgeting and negotiating. Also, if you want a certain look and feel, find examples that are close to what you need, it will save a lot of back-and-forth. Most importantly, keep in mind that YOU still have some learning to do if you don’t already know the back end of WordPress. Knowing how to operate the site after your consultant is gone is up to you, but they should provide you with training if you need it.
Different skill sets/Different Services: Designers aren’t necessarily architects who aren’t necessarily developers… there are some that can do it all but they represent premium talent so be prepared. That said, you might need to break it down and hire different people for the different roles.
How to avoid becoming dependent on that consultant: Using WordPress means that you should be able to manage the content on your site yourself but you might still need help with design issues or other changes from time to time. Get as knowledgeable about WordPress as you can and have a couple of consultants you can call on if need be.
Of course there can be other considerations depending on what you need but this should get you started. WordPress experts can do amazing things for you but you need to know what you require to begin with. A little planning on your end will save you a lot of time and money. Do it right and you could build a great relationship with your consultant and they’ll always be there for you.
Today is Halloween here in the United States, so I figured to celebrate the holiday, I would switch from the usual content post and instead solicit input from the WordPress Hacks readership. I enjoy doing this from time to time to see what kind of discussion we can get going, and the comments often end up offering a wealth of knowledge.
The question for today is for our readers who either run their own forums or enjoy visiting and commenting on forums. Which forum software do you prefer? Do you prefer PHPBB forums or VBulletin forums?
I’ve always loved forums because an active forum allows you to interact with a large number of people and get help quicker than commenting on a post or even doing a Google search (sometimes). I actually have experience being an administrator and a user of both forum types. Here is my experience with both types:
PHPBB
- Easy to set up.
- Easy for just about anyone to use.
- Options are limited.
- Not very SEO friendly (as of version 3.0).
VBulletin
- Generally better looking.
- More features.
- Plugins/Addons available.
- More SEO friendly than PHPBB.
- Costs $100-$180.00 per license.
- Constant maintenance/updates required.
- Targeted by spammers.
Both forum types have skins available for free and for sale, so I didn’t mention that above. It is also important to mention that you can easily convert your PHPBB forum into a VBulletin forum (I’ve read this, haven’t personally tried it).
In summary, as a user, I’ve always felt that to be considered a serious forum, you need to be using VBulletin. It just looks more professional, has more options, etc. From an administrator’s standpoint, however, I’ve enjoyed running PHPBB forums more. VBulletin forums seem to attract a ton of spammy posts and sometimes moderating posts and banning users can be overwhelming (in my experience) and I feel like I have to update the software every few weeks. It also seems to have almost too many options!
So that is my experience with both PHPBB and VBulletin. I would love to hear about your experiences and preferences between the two. Have any pros or cons to add to the list? You can write from the perspective of running either type of forum or from the user perspective (reading/posting) on either type of forum. If you haven’t used either, you are welcome to share your experiences with BBPress.
Wow, what an exciting couple of weeks this has been! This is a very exciting day for me personally as I have just finalized the move that took the blog formerly located at HackWordPress.com over to its new home at WPHacks.com.
After months of trying to acquire a “WP” domain that I felt was suitable for this website, I actually ended up acquiring the best one I could have possibly hoped for at an affordable price. I feel very fortunate as I had made offers much higher than what I ended up spending on domains that weren’t as good of a fit as this one.
So, what are the reasons behind the switch to this new domain name? Here are a few reasons, ranked in the order of importance:
- Having WordPress in your Domain is Trademark Infringement – At the time I registered HackWordPress.com, I was not aware that the term WordPress was trademarked. I was aware of trademarks of course and know that most products are trademarked, but WordPress was open source so I guess I just assumed it wasn’t. A few months after launching this blog I found out that it was in fact trademarked, but there wasn’t a lot I could do at that point. I had already established a blog and a brand of my own on that domain name. I had a brief discussion with Matt Mullenweg & Lorelle and learned that they were unhappy with my domain name, though to their credit I have never been actually asked to move to a new domain name.
- Better Domain Name – Though I will lose a little bit of that keyword value the old domain name carried (and all backlinks), this new domain name is a MUCH better domain in my opinion. I’ve dropped from 13 letters down to only 7, and I feel having the word “hack” after WordPress (WP) sounds much better than having it before. This new domain is also quick to type and very easy to remember.
A couple of things of note to our readers about the domain transfer:
- The feed URL will remain the same (which I’m sure will be a relief to all the sites that steal our content via our feed each day).
- Monday I plan to publish a very detailed post on how to transfer your blog to a new domain, so keep an eye out for that.
How Can I Help Your Transition to the New Domain Name?
From a readers perspective, nothing really should change. You’ll still get our content via our feed and the old URL will redirect to the new domain. The one thing you could do to help us out is to update your links on your blog to the new domain (or updating the domain part of the URL to the new domain if you linked to a specific post). All permalinks remain the same with the exception of the domain name itself.
Questions about the change? Thoughts on the new domain? Let us know in the comments below!