May 30 2024
WordPress Playground – A New Tool You Need To Try Right Now via @sejournal, @martinibuster

WordPress has been releasing innovative tools that helps users accomplish their goals and become more proficient users. One of the newest tools is called Playground, a tool that is designed to make a WordPress site instantly available for testing, learning and building.

Background On WordPress Playground

Playground is a tool that runs in your browser.

The official WordPress documentation for Playground suggests these uses:

  • Try a block, a theme, or a plugin
  • Build an entire site, save it, host it
  • Test your plugin with many specific WordPress and PHP versions
  • Embed a real, interactive WordPress site in your tutorial or course
  • Showcase a plugin or theme on your website
  • Build a native app running WordPress and put it in App Store
  • Preview pull requests from your repository

There is also a WordPress Plugin available, Playground By WordPress Contributors, that enables a user to clone their site to a private in-browser Playground version.

The WordPress plugin allows a user to create an exact website copy within a Playground instance, from which a user can do things like test a plugin or theme. Any changes made to the Playground instance do not affect the actual website. The cloned site is not uploaded to any cloud service, all the data remains private, residing within a user’s web browser, where it stays until the browser tab is closed.

Interview: Adam Zieliński, WordPress Playground Architect @ Automattic

I interviewed Adam Zieliński, the WordPress Playground Architect at Automattic, to learn more about what Playground is and how it can be useful for developers and regular users of WordPress.

The first thing I wanted to know is, what is Playground and why should anyone use it, what should people expect from it?

Adam Zieliński:

“Playground is WordPress in a single click. There are no tedious setup steps, webhosts account, or technical talk.

Playground is not the site at playground.wordpress.net. It is the groundbreaking technology that makes that site possible and also powers a new generation of interactive, single-click WordPress tools. There are interactive tutorials, QA (Quality Assurance) workflows, “try before you buy” previewers for plugins, collaboration tools, contribution workflows and so much more.

Here are two examples:

The site at playground.wordpress.net doubles as a QA tool – you can try the upcoming WordPress release, test your plugin or theme with five other plugins and then see how it performs on different WordPress and PHP versions. It proved useful for sourcing feedback during the WordPress 6.5 release cycle, the Font library call for testing, and more.

As a WordPress plugin, Playground can clone your existing WordPress site, including all content, plugins, and themes, inside a private Playground instance. This gives you a way of testing changes, new plugins, or updates before pushing them live and without needing a separate hosting.

The next example is a bit more technical but I’ll still go with it. Playground can be embedded on websites. There are companies out there showcasing a live version of their plugin or theme using a live WordPress Playground site embedded inside their actual site. That’s highly useful for their future customers – even if they have no clue about what Playground is.”

I followed up with a question asking how he would describe Playground to someone who uses WordPress but doesn’t dabble in the development part.

Adam Zieliński:

“Playground is a version of WordPress that runs directly on your device, not on a webhost. You can open Playground on your phone, turn off the internet, and continue using it.”

I next asked if it’s useful for migrating to a new template or testing plugin updates.

Adam Zieliński:

“Absolutely. You can clone your site using the Playground WordPress plugin and try the new template or the updated plugin there first without risking breaking your production site. That plugin also adds a “preview now” button to the plugins search in wp-admin so you can “try them on” before committing to installing one on your live site.”

Zieliński next recommended the following resources to view and read more about Playground:

WordPress Playground: the ultimate learning, testing, & teaching tool for WordPress

How to use WordPress Playground for interactive demos

How to start using WordPress Playground

Does Playground help regular WordPress users become familiar with developing sites themselves, is it a hands-on way to learn how to use WordPress?

Adam Zieliński:

“Playground makes a great learning tool. You can just hop on playground.wordpress.net and start exploring WordPress, whether that means creating your first post or installing fifteen plugins and building an entire site.

The experience is very self-guided today, which is useful in classes, workshops and meetups where an instructor can give you directions.

We’re also exploring an interactive and guided tutorials. Imagine visiting WordPress.org, clicking on, say, “I want to build my first WordPress site”, and getting clear directions and an interactive WordPress site to work on. That’s what we’re building towards.

And this doesn’t have to be a distant future. Anyone can start creating these interactive learning experiences today with the Playground Block – it’s a single-click way of embedding Playground in your WordPress content. You can play with that block right now if go to the plugin page and by click the Live Preview button. Oh, and that live preview? It’s also powered by WordPress Playground!”

Is Playground compatible with popular WordPress website builders?

Adam Zieliński:

“I haven’t tested Divi. Elementor mostly works, although there’s a technical issue in the onboarding flow that needs to be fixed in Elementor fix before it’s fully functional.”

Playground has a feature called Blueprints, configuration setting files. I asked Adam how he would describe Blueprints and how is it useful to users.

Adam Zieliński:

Blueprints are guidelines for Playground on how to create the WordPress site for you.

Blueprints are also like puzzle pieces. In fact, at WCEU 2024, you’ll build real WordPress sites with physical puzzle pieces. We’ve printed puzzle pieces representing site configuration steps like installing a plugin or changing the site name and attendees will be able to collect and scan them with an app that will load Playground with the configuration (Blueprint) they put together.

See also: What are Blueprints, and what can you do with them?

About the usefulness of Blueprints – there are two sides to that. You can either use a Playground site created based on an existing Blueprint, or you can create a new Blueprint.

If you just want to enjoy Playground-based tools, you don’t even need to know what Blueprints are. All you’ll experience is a button that opens a WordPress site preconfigured to do anything at all. It could help you test a theme, contribute a documentation page, or even build a slide deck and export it to PDF.

If you want to build new Blueprints, today you need to get your hands dirty and write some JSON code. Blueprints 101 and Technical Introduction to Playground will walk you through the steps and you can also preview the examples in the Blueprints Gallery. It’s worth noting we’re working on a visual tool where you’ll be able to just assemble these steps like puzzle pieces without any coding knowledge.”

Is this a way to create a site and then save or share the demo?

Adam Zieliński:

“Yes! Playground sites are temporary by default but there’s many ways to save and share them. On playground.wordpress.net there’s a settings button where you can tell Playground to save your site in your web browser. Once you do that and refresh the page, you’ll return right to your site. You can also synchronize the site with a directory on your computer and all the Playground changes will show up there. Then you can also export your site as a zip file or to GitHub.

There are two ways of sharing a site with others.

The first one, is to create a Blueprint – so write down all the step by step instructions for Playground to recreate that site. You could then include that Blueprint in a link and share it with the world.

Blueprints are powerful but not always convenient, so there’s also a second way. A Playground site can be exported as a zip file. You can host that zip file, for example on GitHub, and create a Playground link to load it.”

Someone from the WordPress developer community passed this question along:

“Site builders often have one or more “starter sites”, which seem to squarely line up with blueprints, though they usually include premium themes and plugins. Drupal has “Distributions,” which are basically pre-configured starter sites often with a niche focus.

Imagine a preconfigured install of core, a theme, a membership plugin, and payment setup (waiting for gateway API keys). If you want a membership site then just install this and start adding content. Or a preconfigured help desk system and so on.

So, I’m wondering if the vision is that Blueprints will provide something similar?”

Adam Zieliński:

“Blueprints enable just that. Live previews in the WordPress plugin directory are an example – every time you get an identical site pre-configured for a particular plugin. It always installs a fresh WordPress and the latest versions of all the co-existing plugins and themes. You can prepare a Blueprint for your particular setup and work with it in the browser, or you can also use the Playground CLI tool to work with these starter sites on your local computer. We’re building a PHP library to enable webhosts to support Blueprints – template sites may then become a common feature in the WordPress hosting landscape.”

WordPress Playground

A playground is a place that is designed for and encourages activities. That’s exactly what WordPress Playground is about. Anyone who uses WordPress should give Playground a try or at the very least become familiar with it because knowledge broadens perspectives, aids in problem solving, and makes one a more effective competitor and business person.

Featured Image by Shutterstock/Leszek Czerwonka

Ecommerce MGMT 0 Comments
May 29 2024
WordPress Releases Way To Build Sites On A Windows Desktop via @sejournal, @martinibuster

Last month WordPress released a way to create or test WordPress sites on the desktop but the app was limited to Apple Mac devices. This month WordPress announces that WordPress Studio is now available for Microsoft Windows.

According to WordPress, Microsoft Windows users account for over 25% of WordPress developers. But it’s possible that non-developers who use WordPress for their websites may account for many more people who use WordPress and would like to learn how to create with it.

WordPress Studio is an easy to use development platform that will help developers who use Microsoft Windows as well as non-developers who want to learn how to use WordPress without messing anything up on a live website.

The official WordPress announcement explained:

“We recently launched Studio, our free and open source local WordPress development environment, for MacOS, and we’re happy to share that the Windows version of Studio is now available!

As a reminder, we’ve built Studio to be the fastest and simplest way to build WordPress sites locally.”

Local WordPress Development

Local development is a way to work on a website from the desktop (local) as opposed to working on the site on a webhost. There are many reasons to work on a website locally, with convenience being at the top of the list. Working on a website directly on a desktop environment makes it unlikely for a mistake that could cause the site to go public and causing unintended ranking consequences for the actual site that’s live on the web, which is a second reason why local development is popular.

A third reason for local development is that it’s cheaper, faster and for those with less development skills, it’s generally easier than creating an online testing site for the purpose of testing new plugins to verify they won’t break a site or simply for creating a demo site for sharing with a client or a team.

Until now, the downside of local development is that many of the most popular local development platforms have a steep learning curve which is inconvenient for publishers and SMBs who don’t have the time to devote to learning yet another skill. I know about the learning curve because I’ve used a few local development platforms in the past.

WordPress Studio

WordPress has now released a solution to the problem of local WordPress development that’s specific to WordPress and makes it easier for WordPress users to test, develop and learn how to become more comfortable with WordPress. It’s easy to break a WordPress site and until now there was never an easy way to test WordPress plugins without additional expense or to just plain old learn how to use WordPress.

WordPress lists the following benefits:

  • Demo sites
    Forget Ngrok-like tunnels—share interactive snapshots of your local sites with clients or colleagues, powered by WordPress.com.
  • Superfast WordPress installation
    Regardless of how many sites you’re working on, you can create unlimited local sites in Studio.
  • Dependency-free building
    Build lightweight and reliable local WordPress sites, powered by WordPress Playground, without the hassle of Docker, NGINX, Apache, or MySQL.
  • One-click admin
    Spend less time wrangling passwords—open WP Admin for each site with just one click.
  • Open your site anywhere
    Develop your sites your way. Open your site’s code in your favorite IDE, CLI, or file browser to fit your workflow.
  • Built by the biggest contributor to WordPress core
    With 109 active contributors, we know WordPress inside and out.

Create And Share A Demo Site

One of the fantastic features of WordPress Studio is the ability to share your demo sites with others on your team or with clients, to get feedback and iteratively improve the website. A user first needs to create a WordPress.com account and connect the local Studio desktop app to the WordPress account. Users are able to host five demo sites for free on a temporary domain (WP.build). Free demo sites last for 7 days after the last update to the demo site so if you need it to stay longer just update the demo site.

All demo sites can be manually deleted from the hosted demo and also on the desktop.

Screenshot Of How To Delete A Website In Studio

Support For Exporting A Theme

The WordPress Studio local development environment has the functionality for exporting a theme. Users can create a theme on their desktop environment and then select to export the theme. The Studio app will export the theme as a zip file which can then be uploaded to a live site (or a staging environment) online.

Full instructions on how to use Studio is available on WordPress.com. Judging by the instructions, using Studio appears to be a lot easier to use compared to other local development solutions that in general are made to accommodate a wide range of websites, not just WordPress sites. The learning curve appears to be relatively gentle compared to other local development environments.

Read more about the Windows version of WordPress Studio:

Studio: Now Available for Windows

Download a Windows or Mac version of Studio, both versions are free:

Build Fast, Ship Faster with Studio

Ecommerce MGMT 0 Comments
May 28 2024
New WordPress Plugin Solves Site Navigation Problem via @sejournal, @martinibuster

Joost de Valk, the creator of Yoast SEO plugin, has created a new (and free) plugin for solving a site architecture problem that can silently diminish a website’s ability to rank.

Site Architecture

Site architecture is an important SEO factor because a well-organized website with clear navigation helps users quickly get to the content and products they’re looking for. Along the way it also helps Google find the most important pages and rank them.

The normal and common sense way to organize a website is by topic categories. While some newbie-SEOs believe that organizing a site by topic is an SEO strategy, it’s really just plain old common sense. Organizing a site by topic categories organizes a site in a way that makes it easy to drill-down and find specific things.

Tags: Contextual Site Navigation

Another way to organize a website is through contextual navigation. Contextual navigation is a way to offer a site visitor links to more webpages that are relevant to the webpage and to their interests in the moment. The way to provide a contextual link is through the concept of Tags. Tags are strongly relevant links to content that site visitors may find interesting.

For example, if someone is on a webpage about a new song by a pop star they may in that moment may be interested in reading more articles about that singer. A publisher can create a tag which links to a page that collects every article about that specific pop singer. Ordinarily it doesn’t make sense to create an entire category for hundreds of musical artists because that would defeat the purpose of a hierarchical site navigation (which is to make it easy to find content).

Tags solve the problem of making it easy to navigate to more content that one site visitor is specifically interested in at that moment. It’s contextually relevant navigation.

Too Many Good Things Isn’t Always Good

Creating a long-range plan for organizing a website can be undone by time as a website grows and trends wane. An artist that was trending several years ago may have dropped out of favor (as they often do) and people lose interest. But those tags remain, linking to content that isn’t important anymore, defeating the purpose of internal site navigation, which is to link to the most important content.

Joost de Valk researched a (very small) sample of WordPress sites and discovered that about two thirds of the websites contained overlapping tags, multiple tags linking to the same content while also generating thin content pages, which are webpages with little value.

A blog post sharing his findings noted:

“Tags are not used correctly in WordPress. Approximately two-thirds of WordPress websites using tags are using (way) too many tags. This has significant consequences for a site’s chances in the search engines – especially if the site is large. WordPress websites use too many tags, often forget to display them on their site, and the tag pages do not contain any unique content.”

The sample size was small and a reasonable argument can be made that his findings aren’t representative of most WordPress sites. But the fact remains that websites can be burdened by overlapping and outdated tags.

Here are the three main tag navigation problems that Joost identified:

1. Too Many Tags
He found that some publishers add a tag to an article with the expectation that they will add more articles to that tags when those articles are written which in many cases doesn’t happen, resulting in tags that link to just a few articles, sometimes only to one article.

2. Some Themes Are Missing The Tag Functionality
The next issue happens when websites upgrade to a new theme (or a new version of a theme) that doesn’t have the tag functionality. This creates orphaned tag pages, pages that site visitors can’t reach because the links to those tag pages are missing. But because those pages still exist the search engines will find them through the autogenerated XML sitemaps.

3. Tag Pages Can Become Thin Content
The third issue is that many publishers don’t take the time to add meaningful content to tag pages, they’re just pages of links with article excerpts that are also reproduced on category pages.

Use Fewer Tags

This is where Joost de Valk’s new WordPress plugin comes in handy. What it does is to automatically remove tags that aren’t linking to enough pages, which helps to normalize internal linking. This new plugin is called, The Fewer Tags WordPress Plugin. There’s a free version and a paid Pro version.

The free version of the plugin works automatically to remove all tag pages that contain less than ten posts, which can be adjusted to remove pages with five posts or less.

Added functionality of the Pro version allows greater control over tag management so that a publisher can merge tag pages, automatically create redirects or send a 404 Page Not Found server response.

These are the list of benefits for the Pro version:

  • “Merge & delete unneeded tag pages quickly & easily.
  • Creates redirects for removed tag pages on the fly, in your SEO plugin of choice.
  • Includes an online course in which Joost explains what you should do!
  • Fix a site’s tag issues long-term!
  • Uninstall the plugin when you’re done!”

Where To Download Fewer Tags Plugin

The free version of the plugin can be downloaded here:

Fewer Tags Free By Joost de Valk

Read more about the Pro version here.

Featured Image by Shutterstock/Simple Line

Ecommerce MGMT 0 Comments
May 22 2024
WP Rocket WordPress Plugin Now Optimizes LCP Core Web Vitals Metric via @sejournal, @martinibuster

WP Rocket, the WordPress page speed performance plugin, just announced the release of a new version that will help publishers optimize for Largest Contentful Paint (LCP), an important Core Web Vitals metric.

Large Contentful Paint (LCP)

LCP is a page speed metric that’s designed to show how fast it takes for a user to perceive that the page is loaded and read to be interacted with. This metric measures the time it takes for the main content elements has fully loaded. This gives an idea of how usable a webpage is. The faster the LCP the better the user experience will be.

WP Rocket 3.16

WP Rocket is a caching plugin that helps a site perform faster. The way page caching generally works is that the website will store frequently accessed webpages and resources so that when someone visits the page the website doesn’t have to fetch the data from the database, which takes time, but instead will serve the webpage from the cache. This is super important when a website has a lot of site visitors because that can use a lot of server resources to fetch and build the same website over and over for every visitor.

The lastest version of WP Rocket (3.16) now contains Automatic LCP optimization, which means that it will optimize the on-page elements from the main content so that they are served first thereby raising the LCP scores and providing a better user experience.

Because it’s automatic there’s really nothing to fiddle around with or fine tune.

According to WP Rocket:

  • Automatic LCP Optimization: Optimizes the Largest Contentful Paint, a critical metric for website speed, automatically enhancing overall PageSpeed scores.
  • Smart Management of Above-the-Fold Images: Automatically detects and prioritizes critical above-the-fold images, loading them immediately to improve user experience and performance metrics.

All new functionalities operate seamlessly in the background, requiring no direct intervention from the user. Upon installing or upgrading to WP Rocket 3.16, these optimizations are automatically enabled, though customization options remain accessible for those who prefer manual control.”

Read the official announcement:

WP Rocket 3.16: Improving LCP and PageSpeed Score Automatically

Featured Image by Shutterstock/ICONMAN66

Ecommerce MGMT 0 Comments
May 21 2024
WordPress 6.5 Enhances SEO With ‘Lastmod’ Support via @sejournal, @MattGSouthern

WordPress has rolled out an update with version 6.5, introducing native support for the lastmod element in sitemaps.

This move streamlines search engine crawl efficiency, potentially enhancing website visibility.

The announcement comes from Gary Illyes, a member of Google’s Search Relations team, who took to LinkedIn to commend the WordPress developer community for their efforts.

The Lastmod Element: A Key Signal for Crawlers

The lastmod metadata tag indicates the last significant modification date of a webpage, enabling search engine crawlers to prioritize and schedule crawls.

In Illyes’ words:

“The lastmod element in sitemaps is a signal that can help crawlers figure out how often to crawl your pages.”

By natively populating the lastmod field, WordPress 6.5 lets websites improve SEO efforts without additional manual configuration.

Illyes emphasizes that a “significant” change refers to updates that might matter to users and, consequently, to the website’s performance.

WordPress Community Collaboration

Lastmod support in WordPress 6.5 is possible due to the collaborative efforts of the developer community, spearheaded by Pascal Birchler.

Illyes acknowledged and praised their contributions, stating,

“If you’re on WordPress, since version 6.5, you have this field natively populated for you thanks to Pascal Birchler and the WordPress developer community.”

While applauding the new feature, Illyes urges website owners to upgrade their WordPress installations to take advantage of the lastmod support.

He adds:

“If you’re holding back on upgrading your WordPress installation, please bite the bullet and just do it (maybe once there are no plugin conflicts).”

As WordPress evolves, this update displays the platform’s commitment to complying with SEO best practices and providing users with needed tools.

FAQ

What is the significance of the lastmod element in sitemaps?

The lastmod metadata tag signifies the most recent modification date of a webpage. This information allows search engine crawlers to prioritize and schedule page crawls efficiently.

By indicating the latest updates, the lastmod tag helps search engines focus on the most current content, potentially improving a site’s visibility in search results.

How does WordPress 6.5 support the lastmod element?

With the release of WordPress 6.5, native support for the lastmod element in sitemaps is now available. This means that WordPress automatically includes this metadata in sitemaps without requiring additional manual configuration by the user.

This enhancement helps website owners improve their SEO efforts seamlessly by ensuring search engines receive accurate and updated information about their webpages.

Why should website owners upgrade to WordPress 6.5?

Website owners are encouraged to upgrade to WordPress 6.5 to use native lastmod support.

Upgrading ensures compatibility with the latest SEO practices and tools, providing users with a more effective and user-friendly platform. However, it is recommended to ensure no plugin conflicts before upgrading.

Featured Image: photosince/Shutterstock

Ecommerce MGMT 0 Comments
May 8 2024
Top 15 Ways To Secure A WordPress Site via @sejournal, @inmotionhosting

Thankfully, there are plenty of steps you can take to protect your WordPress website.

Easy WordPress Security Basics

When setting up your WordPress site security, there are some basic things you can do to beef up your protection.

Below, we will take a look at some of the first things you should do to help protect your website.

1. Implement SSL Certificates

Secure Sockets Layer (SSL) certificates are a standard technology that establishes an encrypted connection between a web server (host) and a web browser (client). This connection ensures all data passed between the two remains private and intrinsic.

SSL certificates are an industry-standard used by millions of websites to protect their online transactions with their customers, and obtaining one should be one of the first steps you take to secure your website.

2. Require & Use Strong Passwords

Along with obtaining an SSL certificate, one of the very first things you can do to protect your site is use strong passwords for all your logins.

It might be tempting to create or reuse a familiar or easy-to-remember password, but doing so puts both you and your website at risk. Improving your password strength and security decreases your chances of being hacked. The stronger your password, the less likely you are to be a victim of a cyberattack.

When creating a password, there are some general password best practices you should follow.

If you aren’t sure if you are using a strong enough password, you check the strength of one by using a free tool like this helpful Password Strength Checker.

3. Install A Security Plugin

WordPress plugins are a great way to quickly add useful features to your website, and there are several great security plugins available.

Installing a security plugin can add some extra layers of protection to your website without requiring much effort.

To get you started, check out this list of recommended WordPress security plugins.

4. Keep WordPress Core Files Updated

As of 2024, there are an estimated 1.09 billion total websites on the web with more than 810 million of those sites using WordPress.

Because of its popularity, WordPress websites are oftentimes a target for hackers, malware attacks, and data thieves.

Keeping your WordPress installation up to date at all times is critical to maintain the security and stability of your site.

Every time a WordPress security vulnerability is reported, the core team starts working to release an update that fixes the issue.

If you aren’t updating your WordPress website, then you are likely using a version of WordPress that has known vulnerabilities.

There is especially no excuse for using an outdated version of WordPress since the introduction of automatic updates.

Don’t leave yourself open to attack by using an old version of WordPress. Turn on auto updates and forget about it.

If you would like an even easier way to handle updates, consider a Managed WordPress solution that has auto updates built in.

5. Pay Attention To Themes & Plugins

Keeping WordPress updated ensures your core files are in check, but there are other areas where WordPress is vulnerable that core updates might not protect such as your themes and plugins.

For starters, only ever install plugins and themes from trusted developers. If a plugin or theme wasn’t developed by a credible source, you are probably safer not using it.

On top of that, make sure to update WordPress plugins and themes. Just like an outdated version of WordPress, using outdated plugins and themes makes your website more vulnerable to attack.

6. Run Frequent Website Backups

One way to protect your WordPress website is to always have a current backup of your site and important files.

The last thing you want is for something to happen to your site and you do not have a backup.

Backup your site, and do so often. That way if something does happen to your website, you can quickly restore a previous version of it and quickly get back up and running.

Intermediate WordPress Security Measures That Add More Protection

If you’ve completed all the basics but you still want to do more to protect your website, there are some more advanced steps you can take to bolster your security.

Let’s take a look at what you should do next.

7. Never Use The “Admin” Username

Never use the “admin” username. Doing so makes you susceptible to brute force attacks and social engineering scams.

Because “admin” is such a common username, it is easily-guessed and makes things much easier for scammers to trick people into giving away their login credentials.

Much like having a strong password, using a unique username for your logins is a good idea because it makes it much harder for hackers to crack your login info.

If you are currently using the “admin” username, change your WordPress admin username.

8. Hide Your WP Admin Login Page

On top of using a unique username another thing you can do to protect your login credentials is hide your WordPress admin login page with a plugin like WPS Hide Login.

By default, a majority of WordPress login pages can be accessed by adding “/wp-admin” or “/wp-login.php” to the end of a URL. Once a hacker or scammer has identified your login page, they can then attempt to guess your username and password in order to access your Admin Dashboard.

Hiding your WordPress login page is a good way to make you a less easy target.

9. Disable XML-RPC

WordPress uses an implementation of the XML-RPC protocol to extend functionality to software clients.

Most users don’t need WordPress XML-RPC functionality, and it’s one of the most common vulnerabilities that opens users up for exploits.

That’s why it’s a good idea to disable it. Thanks to the Wordfence Security plugin, it is really easy to do just that.

10. Harden wp-config.php File

The process of adding extra security features to your WordPress site is sometimes known as “hardening” because you are essentially giving your site some extra armor against hackers.

You can “harden” your website by protecting your wp-config.php file via your .htaccess file. Your WordPress wp-config.php file contains very sensitive information about your WordPress installation including your WordPress security keys and the WordPress database connection details, which is exactly why you don’t want it to be easy to access.

11. Run A Security Scanning Tool

Sometimes your WordPress website might have a vulnerability that you had no idea existed. That’s why it’s wise to use some tools that can find vulnerabilities and even fix them for you.

The WPScan plugin scans for known vulnerabilities in WordPress core files, plugins and themes. The plugin also notifies you by email when new security vulnerabilities are found.

Strengthen Your Server-Side Security

So you have taken all the above measures to protect your website but you still want to know if there is more you can do to make it as secure as possible.

The remaining actions you can take to beef up your security will need to be done on the server side of your website.

12. Look For A Hosting Company That Does This

One of the best things you can do to protect your site from the very get-go is to choose the right hosting company to host your WordPress website.

When looking for a hosting company, you want to find one that is fast, reliable, and secure, and will support you with great customer service.

That means they should have good, powerful resources, maintain an uptime of at least 99.5%, and use server-level security tactics.

If a host can’t check those basic boxes, they are not worth your time or money.

13. Use The Latest PHP Version

Like old versions of WordPress, outdated versions of PHP are no longer safe to use.

If you aren’t on the latest version of PHP, upgrade your PHP version to protect yourself from attack.

14. Host On A Fully-Isolated Server

Fully-isolated virtual private servers have a lot of advantages and one of those advantages is increased security.

The physical isolation offered from a cloud-based VPS is inherently secure, protecting your website against cross-infection from other customers. Combined with robust firewalls and DDoS protection, your data remains secure against potential threats and vulnerabilities.

Looking for the perfect cloud environment for your WordPress website? Look no further.

With InMotion Hosting’s Platform i, you receive unparalleled security features including managed server updates, real-time security patching, web application firewalls, and DDoS prevention, along with purpose-built high-availability servers optimized for fast and reliable WordPress sites.

15. Use A Web Application Firewall

One of the final things you can do to add extra security measures to your WordPress website is use a web application firewall (WAF).

A WAF is usually a cloud-based security system that offers another layer of protection around your site. Think of it as a gateway for your site. It blocks all hacking attempts and filters out other malicious types of traffic like distributed denial-of-service (DDoS) attacks or spammers.

WAFs usually require monthly subscription fees, but adding one is worth the cost if you place a premium on your WordPress website security.

Make Sure Your Website & Business Is Safe & Secure

If your website is not secure, you could be leaving yourself open to a cyber attack.

Thankfully, securing a WordPress site doesn’t require too much technical knowledge as long as you have the right tools and hosting plan to fit your needs.

Instead of waiting to respond to threats once they happen, you should proactively secure your website to prevent security issues.

That way if someone does target your website, you are prepared to mitigate the risk and go about your business as usual instead of scrambling to locate a recent backup.

Get Managed WordPress Hosting featuring robust security measures on high-performance servers, complete with free SSL, dedicated IP address, automatic server updates, DDoS protection, and included WAF.

Learn more about how Managed WordPress Hosting can help protect your website and valuable data from exposure to hackers and scammers.

Ecommerce MGMT 0 Comments
May 1 2024
What To Know About Medium-Level WordPress Vulnerabilities via @sejournal, @martinibuster

The majority of WordPress vulnerabilities, about 67% of them discovered in 2023, are rated as medium level. Because of they’re the most common, it makes sense to understand what they are and when they represent an actual security threat. These are the facts about those kinds of vulnerabilities what you should know about them.

What Is A Medium Level Vulnerability?

A spokesperson from WPScan, a WordPress Security Scanning company owned by Automattic, explained that they use the Common Vulnerability Scoring System (CVSS Scores) to rate the severity of a threat. The scores are based on a numbering system from 1 – 10 and ratings from low, medium, high, and critical.

The WPScan spokesperson explained:

“We don’t flag levels as the chance of happening, but the severity of the vulnerability based on FIRST’s CVSS framework. Speaking broadly, a medium-level severity score means either the vulnerability is hard to exploit (e.g., SQL Injection that requires a highly privileged account) or the attacker doesn’t gain much from a successful attack (e.g., an unauthenticated user can get the content of private blog posts).

We generally don’t see them being used as much in large-scale attacks because they are less useful than higher severity vulnerabilities and harder to automate. However, they could be useful in more targeted attacks, for example, when a privileged user account has already been compromised, or an attacker knows that some private content contains sensitive information that is useful to them.

We would always recommend upgrading vulnerable extensions as soon as possible. Still, if the severity is medium, then there is less urgency to do so, as the site is less likely to be the victim of a large-scale automated attack.

An untrained user may find the report a bit hard to digest. We did our best to make it as suitable as possible for all audiences, but I understand it’d be impossible to cover everyone without making it too boring or long. And the same can happen to the reported vulnerability. The user consuming the feed would need some basic knowledge of their website setup to consider which vulnerability needs immediate attention and which one can be handled by the WAF, for example.

If the user knows, for example, that their site doesn’t allow users to subscribe to it. All reports of subscriber+ vulnerabilities, independent of the severity level, can be reconsidered. Assuming that the user maintains a constant review of the site’s user base.

The same goes for contributor+ reports or even administrator levels. If the person maintains a small network of WordPress sites, the admin+ vulnerabilities are interesting for them since a compromised administrator of one of the sites can be used to attack the super admin.”

Contributor-Level Vulnerabilities

Many medium severity vulnerabilities require a contributor-level access. A contributor is an access role that gives that registered user the ability to write and submit content, although in general they don’t have the ability to publish them.

Most websites don’t have to worry about security threats that require contributor level authentication because most sites don’t offer that level of access.

Chloe Chamberland – Threat Intelligence Lead at Wordfence explained that most site owners shouldn’t worry about medium level severity vulnerabilities that require a contributor-level access in order to exploit them because most WordPress sites don’t offer that permission level. She also noted that these kinds of vulnerabilities are hard to scale because exploiting them is difficult to automate.

Chloe explained:

“For most site owners, vulnerabilities that require contributor-level access and above to exploit are something they do not need to worry about. This is because most sites do not allow contributor-level registration and most sites do not have contributors on their site.

In addition, most WordPress attacks are automated and are looking for easy to exploit high value returns so vulnerabilities like this are unlikely to be targeted by most WordPress threat actors.”

Website Publishers That Should Worry

Chloe also said that publishers who do offer contributor-level permissions may have several reasons to be concerned about these kinds of exploits:

“The concern with exploits that require contributor-level access to exploit arises when site owners allow contributor-level registration, have contributors with weak passwords, or the site has another plugin/theme installed with a vulnerability that allows contributor-level access in some way and the attacker really wants in on your website.

If an attacker can get their hands on one of these accounts, and a contributor-level vulnerability exists, then they may be provided with the opportunity to escalate their privileges and do real damage to the victim. Let’s take a contributor-level Cross-Site Scripting vulnerability for example.

Due to the nature of contributor-level access, an administrator would be highly likely to preview the post for review at which point any injected JavaScript would execute – this means the attacker would have a relatively high chance of success due to the admin previewing the post for publication.

As with any Cross-Site Scripting vulnerability, this can be leveraged to add a new administrative user account, inject backdoors, and essentially do anything a site administrator could do. If a serious attacker has access to a contributor-level account and no other trivial way to elevate their privileges, then they’d likely leverage that contributor-level Cross-Site Scripting to gain further access. As previously mentioned, you likely won’t see that level of sophistication targeting the vast majority of WordPress sites, so it’s really high value sites that need to be concerned with these issues.

In conclusion, while I don’t think a vast majority of site owners need to worry about contributor-level vulnerabilities, it’s still important to take them seriously if you allow user registration at that level on your site, you don’t enforce unique strong user passwords, and/or you have a high value WordPress website.”

Be Aware Of Vulnerabilities

While the many of the medium level vulnerabilities may not be something to worry about it’s still a good idea to stay informed of them. Security Scanners like the free version of WPScan can give a warning when a plugin or theme becomes vulnerable. It’s a good way to have a warning system in place to keep on top of vulnerabilities.

WordPress security plugins like Wordfence offer a proactive security stance that actively blocks automated hacking attacks and can be further tuned by advanced users to block specific bots and user agents. The free version of Wordfence offers significant protection in the form of a firewall and a malware scanner. The paid version offers protection for all vulnerabilities as soon as they’re discovered and before the vulnerability is patched. I use Wordfence on all of my websites and can’t imagine setting up a website without it.

Security is generally not regarded as an SEO issue but it should be considered as one because failure to secure a site can undo all the hard word done to make a site rank well.

Featured Image by Shutterstock/Juan villa torres

Ecommerce MGMT 0 Comments
Apr 27 2024
WordPress on Your Desktop: Studio By WordPress & Other Free Tools via @sejournal, @martinibuster

WordPress announced the rollout of Studio by WordPress, a new local development tool that makes it easy for publishers to not just develop and update websites locally on their desktop or laptop but is also useful for learning how to use WordPress. Learn about Studio and other platforms that are make it easy to develop websites with WordPress right on your desktop.

Local Development Environments

Local Environments are like web hosting spaces on the desktop that can be used to set up a WordPress site. They’re a fantastic way to try out new WordPress themes and plugins to learn how they work without messing up a live website or publishing something to the web that might get accidentally indexed by Google. They are also useful for testing if an updated plugin causes a conflict with other plugins on a website, which is useful for testing updated plugins offline before committing to updating the plugins on a live website.

Studio joins a list of popular local development environments that are specific for WordPress and more advanced platforms that are that can be used for WordPress on the desktop but have greater flexibility and options but may be harder to use for non-developers.

Desktop WordPress Development Environments

There are currently a few local environments that are specific to WordPress. The advantages of using a dedicated WordPress environment is that they make it easy to start creating  with WordPress for those who only need to work with WordPress sites and nothing more complicated than that.

Studio By WordPress.com

Studio is an open source project that allows developers and publishers to set up a WordPress site on their desktop in order to design, test or learn how to use WordPress.

According to the WordPress announcement:

“Say goodbye to manual tool configuration, slow site setup, and clunky local development workflows, and say hello to Studio by WordPress.com, our new, free, open source local WordPress development environment.

Once you have a local site running, you can access WP Admin, the Site Editor, global styles, and patterns, all with just one click—and without needing to remember and enter a username or password.”

The goal of Studio is to be a simple and fast way to create WordPress sites on the desktop. It’s currently available for use on a Mac and a Windows version is coming soon.

Download the Mac version here.

Other Popular WordPress Local Development Environments

DevKinsta

DevKinsta, developed by Kinsta managed web host, is another development environment that’s specifically dedicated for quickly designing and testing WordPress sites on the desktop. It’s a popular choice that many developers endorse.

That makes it a great tool for publishers, SEOs and developers who just want a tool to do one thing, create WordPress sites. This makes DevKinsta a solid consideration for anyone who is serious about developing WordPress sites or just wants to learn how to use WordPress, especially the latest Gutenberg Blocks environment.

Download  DevKinsta for free here.

Local WP

Local WP is a popular desktop development environment specifically made for WordPress users by WP Engine, a managed WordPress hosting provider.

Useful Features of Local WP

Local WP has multiple features that make it useful beyond simply developing and testing WordPress websites.

  • Image Optimizer
    It features a free image optimizer add-on that optimizes images on your desktop which should be popular for those who are unable to optimize images on their own.
  • Upload Backups
    Another handy feature is the ability to upload backups to Dropbox and Google Drive.
  • Link Checker
    The tool has a built-in link checker that scans your local version of the website to identify broken links. This is a great way to check a site offline without using server resources and potentially slowing down your live site.
  • Import & Export Sites
    This has the super-handy ability to import WordPress website files and export them so that you can work on your current WordPress site on your desktop, test out new plugins or themes and if you’re ready you can upload the files to your website.

Advanced Local Development Environments

There are other local development environments that are not specific for WordPress but are nonetheless useful for designing and testing WordPress sites on the desktop. These tools are more advanced and are popular with developers who appreciate the freedom and options available in these platforms.

DDEV with Docker

An open source app that makes it easy to use the Docker software containerization to quickly install a content management system and start working, without having to deal with the Docker learning curve.

Download DDEV With Docker here.

Laragon

Laragon is a free local development environment that was recommended to me by someone who is an advanced coder because they said that it’s easy to use and fairly intuitive. They were right. I’ve used it and have had good experiences with it. It’s not a WordPress-specific tool so that must be kept in mind.

Laragon describes itself as an easy to use alternative to XXAMPP and WAMP.

Download DDEV here.

Mamp

Mamp is a local development platform that’s popular with advanced coders and is available for Mac and Windows.

David McCan (Facebook profile), a WordPress trainer who writes about advanced WordPress topics on WebTNG shared his experience with MAMP.

“MAMP is pretty easy to setup and it provides a full range of features. I currently have 51 local sites which are development versions of my production sites, that I use for testing plugins, and periodically use for new beta versions of WordPress core. It is easy to clone sites also. I haven’t noticed any system slowdown or lag.”

WAMP And XAMPP

WAMP is a Windows only development environment that’s popular with developers and WordPress theme and plugin publishers.

XAMPP is a PHP development platform that can be used on Linux, Mac, and Windows desktops.

Download Wamp here.

Download XAMPP here.

So Many Local Development Platforms

Studio by WordPress.com is an exciting new local development platform and I’m looking forward to trying it out. But it’s not the only one so it may be useful to try out different solutions to see which one works best for you.

Read more about Studio by WordPress:

Meet Studio by WordPress.com—a fast, free way to develop locally with WordPress

Featured Image by Shutterstock/Wpadington

Ecommerce MGMT 0 Comments
Apr 18 2024
2024 WordPress Vulnerability Report Shows Errors Sites Keep Making via @sejournal, @martinibuster

WordPress security scanner WPScan’s 2024 WordPress vulnerability report calls attention to WordPress vulnerability trends and suggests the kinds of things website publishers (and SEOs) should be looking out for.

Some of the key findings from the report were that just over 20% of vulnerabilities were rated as high or critical level threats, with medium severity threats, at 67% of reported vulnerabilities, making up the majority. Many regard medium level vulnerabilities as if they are low-level threats but they’re not and should be regarded as deserving attention.

The WPScan report advised:

“While severity doesn’t translate directly to the risk of exploitation, it’s an important guideline for website owners to make an educated decision about when to disable or update the extension.”

WordPress Vulnerability Severity Distribution

Critical level vulnerabilities, the highest level of threat, represented only 2.38% of vulnerabilities, which is (essentially good news for WordPress publishers. Yet as mentioned earlier, when combined with the percentages of high level threats (17.68%) the number or concerning vulnerabilities rises to almost 20%.

Here are the percentages by severity ratings:

  • Critical 2.38%
  • Low 12.83%
  • High 17.68%
  • Medium 67.12%

Authenticated Versus Unauthenticated

Authenticated vulnerabilities are those that require an attacker to first attain user credentials and their accompanying permission levels in order to exploit a particular vulnerbility. Exploits that require subscriber-level authentication are the most exploitable of the authenticated exploits and those that require administrator level access present the least risk (although not always a low risk for a variety of reasons).

Unauthenticated attacks are generally the easiest to exploit because anyone can launch an attack without having to first acquire a user credential.

The WPScan vulnerability report found that about 22% of reported vulnerabilities required subscriber level or no authentication at all, representing the most exploitable vulnerabilities. On the other end of the scale of the exploitability are vulnerabilities requiring admin permission levels representing a total of 30.71% of reported vulnerabilities.

Permission Levels Required For Exploits

Vulnerabilities requiring administrator level credentials represented the highest percentage of exploits, followed by Cross Site Request Forgery (CSRF) with 24.74% of vulnerabilities. This is interesting because CSRF is an attack that uses social engineering to get a victim to click a link from which the user’s permission levels are acquired. If they can trick an admin level user to follow a link then they will be able to assume that level of privileges to the WordPress website.

The following is the percentages of exploits ordered by roles necessary to launch an attack.

Ascending Order Of User Roles For Vulnerabilities

  • Author 2.19%
  • Subscriber 10.4%
  • Unauthenticated 12.35%
  • Contributor 19.62%
  • CSRF 24.74%
  • Admin 30.71%

Most Common Vulnerability Types Requiring Minimal Authentication

Broken Access Control in the context of WordPress refers to a security failure that can allow an attacker without necessary permission credentials to gain access to higher credential permissions.

In the section of the report that looks at the occurrences and vulnerabilities underlying unauthenticated or subscriber level vulnerabilities reported (Occurrence vs Vulnerability on Unauthenticated or Subscriber+ reports), WPScan breaks down the percentages for each vulnerability type that is most common for exploits that are the easiest to launch (because they require minimal to no user credential authentication).

The WPScan threat report noted that Broken Access Control represents a whopping 84.99% followed by SQL injection (20.64%).

The Open Worldwide Application Security Project (OWASP) defines Broken Access Control as:

“Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. These checks are performed after authentication, and govern what ‘authorized’ users are allowed to do.

Access control sounds like a simple problem but is insidiously difficult to implement correctly. A web application’s access control model is closely tied to the content and functions that the site provides. In addition, the users may fall into a number of groups or roles with different abilities or privileges.”

SQL injection, at 20.64% represents the second most prevalent type of vulnerability, which WPScan referred to as both “high severity and risk” in the context of vulnerabilities requiring minimal authentication levels because attackers can access and/or tamper with the database which is the heart of every WordPress website.

These are the percentages:

  • Broken Access Control 84.99%
  • SQL Injection 20.64%
  • Cross-Site Scripting 9.4%
  • Unauthenticated Arbitrary File Upload 5.28%
  • Sensitive Data Disclosure 4.59%
  • Insecure Direct Object Reference (IDOR) 3.67%
  • Remote Code Execution 2.52%
  • Other 14.45%

Vulnerabilities In The WordPress Core Itself

The overwhelming majority of vulnerability issues were reported in third-party plugins and themes. However, there were in 2023 a total of 13 vulnerabilities reported in the WordPress core itself. Out of the thirteen vulnerabilities only one of them was rated as a high severity threat, which is the second highest level, with Critical being the highest level vulnerability threat, a rating scoring system maintained by the Common Vulnerability Scoring System (CVSS).

The WordPress core platform itself is held to the highest standards and benefits from a worldwide community that is vigilant in discovering and patching vulnerabilities.

Website Security Should Be Considered As Technical SEO

Site audits don’t normally cover website security but in my opinion every responsible audit should at least talk about security headers. As I’ve been saying for years, website security quickly becomes an SEO issue once a website’s ranking start disappearing from the search engine results pages (SERPs) due to being compromised by a vulnerability. That’s why it’s critical to be proactive about website security.

According to the WPScan report, the main point of entry for hacked websites were leaked credentials and weak passwords. Ensuring strong password standards plus two-factor authentication is an important part of every website’s security stance.

Using security headers is another way to help protect against Cross-Site Scripting and other kinds of vulnerabilities.

Lastly, a WordPress firewall and website hardening are also useful proactive approaches to website security. I once added a forum to a brand new website I created and it was immediately under attack within minutes. Believe it or not, virtually every website worldwide is under attack 24 hours a day by bots scanning for vulnerabilities.

Read the WPScan Report:

WPScan 2024 Website Threat Report

Featured Image by Shutterstock/Ljupco Smokovski

Ecommerce MGMT 0 Comments
Apr 11 2024
WordPress Releases A Performance Plugin For “Near-Instant Load Times” via @sejournal, @martinibuster

WordPress released an official plugin that adds support for a cutting edge technology called speculative loading that can help boost site performance and improve the user experience for site visitors.

Speculative Loading

Speculative loading is a technique that fetches pages or resources before a user clicks a link to navigate to another webpage.

The official WordPress page about this new functionality describes it:

“The Speculation Rules API is a new web API… It allows defining rules to dynamically prefetch and/or prerender URLs of certain structure based on user interaction, in JSON syntax—or in other words, speculatively preload those URLs before the navigation.

This API can be used, for example, to prerender any links on a page whenever the user hovers over them. Also, with the Speculation Rules API, “prerender” actually means to prerender the entire page, including running JavaScript. This can lead to near-instant load times once the user clicks on the link as the page would have most likely already been loaded in its entirety. However that is only one of the possible configurations.”

The new WordPress plugin adds support for the Speculation Rules API. The Mozilla developer pages, a great resource for HTML technical understanding describes it like this:

“The Speculation Rules API is designed to improve performance for future navigations. It targets document URLs rather than specific resource files, and so makes sense for multi-page applications (MPAs) rather than single-page applications (SPAs).

The Speculation Rules API provides an alternative to the widely-available feature and is designed to supersede the Chrome-only deprecated feature. It provides many improvements over these technologies, along with a more expressive, configurable syntax for specifying which documents should be prefetched or prerendered.”

Performance Lab Plugin

The new plugin was developed by the official WordPress performance team which occasionally rolls out new plugins for users to test ahead of possible inclusion into the actual WordPress core. So it’s a good opportunity to be first to try out new performance technologies.

The new WordPress plugin is by default set to prerender “WordPress frontend URLs” which are pages, posts, and archive pages. How it works can be fine-tuned under the settings:

Settings > Reading > Speculative Loading

Browser Compatibility

The Speculative API is supported by Chrome 108 however the specific rules used by the new plugin require Chrome 121 or higher. Chrome 121 was released in early 2024.

Browsers that do not support will simply ignore the plugin and will have no effect on the user experience.

Check out the new Speculative Loading WordPress plugin developed by the official core WordPress performance team.

Speculative Loading By WordPress Performance Team

Ecommerce MGMT 0 Comments