WordPress Security - Speckyboy
https://speckyboy.com/topic/wordpress-security/
Resources & Inspiration for Creatives
Mon, 10 Feb 2025 17:23:59 +0000

How Tracking Backend Activity Improves WordPress Security
https://speckyboy.com/tracking-backend-activity-improves-wordpress-security/
Mon, 02 Dec 2024 07:01:34 +0000

Tracking backend activity in the WordPress dashboard provides crucial information. And it may save you from a security headache or two.

The post How Tracking Backend Activity Improves WordPress Security appeared first on Speckyboy Design Magazine.

Website security is among the biggest challenges that web professionals face. It’s a constant battle to thwart malicious actors. Great effort is required. Yet the results aren’t encouraging.

Those of us who work with WordPress can empathize. The content management system’s (CMS) popularity makes for a tempting target. A deluge of automated attacks is sure to hit every installation.

It has also become clear that there are no bulletproof solutions. Security plugins that scan for malicious files aren’t perfect. They might miss an infected file. And some malware can elude detection.

It’s a reality check for web professionals. Taking proactive steps is a positive thing. But it could create a false sense of confidence. Eventually, you find yourself cleaning up after a successful attack.

Determining the cause of an attack can be difficult. That makes it harder to prevent the next one.

There is an often overlooked tool that can help, however. Tracking backend activity in the WordPress dashboard provides crucial information. And it may save you from a headache or two.

Keeping Track of Who Does What

WordPress websites require maintenance. Plugins, themes, and the core software should be updated as needed. Making frequent site backups is also recommended. But we can go deeper.

Activity tracking provides a different perspective on your website. And it’s not just for detecting intrusions.

Administrators can identify potential workflow issues. And it helps for troubleshooting a “broken” page or undesirable content change.

You can see all manner of information. For example, when a user logs in and updates a page. Or pinpoint when a plugin was installed or deactivated.

And that’s not all. Depending on the activity logging plugin used, you can track the following:

  • Content creation, edits, or deletions;
  • Failed login attempts;
  • Password reset attempts;
  • Plugin installation, activation, and deactivation;
  • Updates applied to WordPress;
  • User creation and deletion.

These actions could be typical user behavior. But they might also be a sign of something more sinister. Reviewing this data will help you confirm what happened.

Note that this data won’t likely tell you how your website was compromised. But it will tell you what actions an attacker took while logged in.

Log Dashboard Activity with a WordPress Plugin

There are several plugins available that track dashboard activity. Security suites like Wordfence and Solid Security (formerly iThemes Security) include some form of this capability.

For this example, we’ll use a niche plugin called Simple History. It’s free and tracks a wide array of activities by default. It also works with popular plugins like Jetpack and Advanced Custom Fields. There’s also an API for logging custom events.

Even better is that Simple History doesn’t require much setup. Install the plugin, activate it, and it just works. A widget will now display on the Home screen. You can see a more detailed log by visiting Dashboard > Simple History.

In addition, the plugin can optionally create an RSS feed. That lets you keep track of activity without having to log in.

Here are a few examples of how the plugin can boost security:

Track User Logins

Simple History will record when a user logs into your site. It will also report any actions the user took.

There are a lot of reasons why this data is helpful. For example, it can help you identify a compromised account.

The plugin provides a timestamp and the user’s IP address. If either of these items looks suspicious, you can take further action. You could then reset the user’s password and alert them to the issue.

Simple History provides details of user logins.

Find the Origins of a Suspicious User

It’s important to know who has access to your website. WordPress has several user roles – administrator being the highest. An administrator can perform potentially damaging tasks. It could be catastrophic in the wrong hands.

Take note if you see that an unfamiliar administrative account has been created. It could mean that a malicious actor has gained access.

A suspicious user was created. Is it a sign of a compromised website?

How Did That Plugin Get Here?

Website administrators also need to keep track of installed plugins. But new plugins can go undetected. You can use activity logging to find out who installed a plugin and when they did it.

Pay close attention to plugins that have known vulnerabilities. Or those that enable file uploads or running code within the back end.

A malicious actor may install a plugin to take advantage of an exploit. They can use it to install malware, for instance.

Attackers may install plugins to help infect your website with malware.

Be Informed about Content Changes

Websites with multiple authors can get messy. It can be difficult to track changes to content. But knowing what’s changed has security implications.

For example, SEO spam is a popular type of attack. The attack adds hidden content to existing pages and posts. It may also contain redirects to malicious websites.

Simple History logs content changes. You’ll see who made changes, along with when.

The plugin also taps into the WordPress revisions feature. That provides a highlighted view of each change.

This tool may not catch every vector of attack. But it’s another way to stay on top of your content.

Simple History helps you see what content was changed and when it took place.
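
The review described in the four sections above can be partly automated. The following is an added example, not code from the article or from Simple History: it assumes activity events have been exported to a hypothetical JSON-lines format, and every field name, allowlist and sample event in it is constructed for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical JSON-lines export (not Simple History's format).
SAMPLE_LOG = """
{"ts": "2024-12-01T09:02:11", "user": "editor_amy", "ip": "198.51.100.7", "action": "login"}
{"ts": "2024-12-01T09:05:40", "user": "editor_amy", "ip": "198.51.100.7", "action": "post_updated", "detail": {"post_id": 17, "added": "<p>Holiday opening hours</p>"}}
{"ts": "2024-12-02T02:14:01", "user": "site_admin", "ip": "203.0.113.50", "action": "login_failed"}
{"ts": "2024-12-02T02:14:05", "user": "site_admin", "ip": "203.0.113.50", "action": "login_failed"}
{"ts": "2024-12-02T02:14:09", "user": "site_admin", "ip": "203.0.113.50", "action": "login_failed"}
{"ts": "2024-12-02T02:14:14", "user": "site_admin", "ip": "203.0.113.50", "action": "login_failed"}
{"ts": "2024-12-02T02:14:20", "user": "site_admin", "ip": "203.0.113.50", "action": "login_failed"}
{"ts": "2024-12-02T02:15:03", "user": "site_admin", "ip": "203.0.113.50", "action": "login"}
{"ts": "2024-12-02T02:16:30", "user": "site_admin", "ip": "203.0.113.50", "action": "user_created", "detail": {"new_user": "wp_support", "role": "administrator"}}
{"ts": "2024-12-02T02:18:05", "user": "site_admin", "ip": "203.0.113.50", "action": "plugin_installed", "detail": {"slug": "file-manager-x"}}
{"ts": "2024-12-02T02:18:20", "user": "site_admin", "ip": "203.0.113.50", "action": "plugin_activated", "detail": {"slug": "file-manager-x"}}
{"ts": "2024-12-02T02:20:47", "user": "site_admin", "ip": "203.0.113.50", "action": "post_updated", "detail": {"post_id": 42, "added": "<div style='display: none'><a href='https://spam.example/'>deals</a></div>"}}
"""

# Site-specific baselines (constructed): who should be an admin, which plugins
# are approved, and which IP addresses each user normally logs in from.
KNOWN_ADMINS = {"site_admin"}
APPROVED_PLUGINS = {"simple-history", "woocommerce"}
KNOWN_IPS = {"editor_amy": {"198.51.100.7"}, "site_admin": {"192.0.2.10"}}
FAILED_THRESHOLD = 5                 # failed logins from one IP ...
FAILED_WINDOW = timedelta(minutes=5)  # ... within this window
# Heuristic for hidden markup of the kind SEO spam adds; not exhaustive.
HIDDEN_MARKUP = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def parse_events(text):
    """Parse JSON-lines text into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def triage(events):
    """Return (rule, timestamp, subject) tuples for events worth a manual look."""
    findings = []
    failed = defaultdict(list)  # ip -> timestamps of failed logins inside the window
    alerted_ips = set()         # report each brute-force source once
    for ev in events:
        action, user, ip, ts = ev["action"], ev.get("user"), ev.get("ip"), ev["ts"]
        detail = ev.get("detail", {})
        if action == "login_failed":
            recent = [t for t in failed[ip] if ts - t <= FAILED_WINDOW] + [ts]
            failed[ip] = recent
            if len(recent) >= FAILED_THRESHOLD and ip not in alerted_ips:
                alerted_ips.add(ip)
                findings.append(("failed_login_burst", ts, ip))
        elif action == "login":
            if ip not in KNOWN_IPS.get(user, set()):
                findings.append(("login_from_new_ip", ts, f"{user} from {ip}"))
        elif action == "user_created":
            new_user = detail.get("new_user")
            if detail.get("role") == "administrator" and new_user not in KNOWN_ADMINS:
                findings.append(("unexpected_admin_created", ts, f"{new_user} by {user}"))
        elif action in ("plugin_installed", "plugin_activated"):
            slug = detail.get("slug")
            if slug not in APPROVED_PLUGINS:
                findings.append((f"unapproved_{action}", ts, f"{slug} by {user}"))
        elif action == "post_updated":
            if HIDDEN_MARKUP.search(detail.get("added", "")):
                findings.append(("hidden_content_added", ts, f"post {detail.get('post_id')} by {user}"))
    return findings


if __name__ == "__main__":
    for rule, ts, subject in triage(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {rule:28}  {subject}")
```

Read top to bottom, the findings give the timeline of what the account did after it logged in, which is the question the activity log can answer even when it cannot show how access was gained.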

The More You Know

As it turns out, installing a WordPress security plugin isn’t enough. Your website still runs the risk of being compromised. Indeed, security is a 24/7 responsibility.

That’s why having backend activity data on hand is so important. Sure, it may help you clean up a hacked site. But it may also help you catch suspicious activity before it’s too late.

At the very least, you’ll have a list of user actions. It will come in handy if/when an incident occurs.

It’s just another proactive step we can take to stay safe. And it requires minimal effort. What’s not to love?

How to Stay Safe When Updating WordPress
https://speckyboy.com/how-to-stay-safe-when-updating-wordpress/
Fri, 22 Nov 2024 18:08:43 +0000

The post How to Stay Safe When Updating WordPress appeared first on Speckyboy Design Magazine.

Choosing WordPress to power your website is a smart move. You’ll gain access to a world of themes, plugins, and possibilities.

There are also some responsibilities, though. Making sure your installation is up-to-date is among them. And software updates come frequently. Experts tell us to apply updates as they are released. Doing so improves website security, squashes bugs, and adds features.

We may assume that hitting the update button is the right thing to do. But what could go wrong? Is there a potential for harm?

That came to light during a supply chain attack on multiple WordPress plugins. Hackers infiltrated each plugin’s code repository. From there, they added malicious code to otherwise legitimate software. Once installed, that code created a shadow administrator account. It’s scary stuff.

Perhaps this isn’t a common scenario. But it’s a reminder to take precautions before installing an update.

Here are some tips to keep your site safe when updating WordPress.

Find out What’s Changing

Yes, you can automatically update WordPress core, plugins, and themes. That puts you at risk for a supply chain attack, however.

There’s nothing wrong with automatically updating minor versions of WordPress core. They often contain security fixes. But it’s safer to update plugins and themes manually.

You’ll want to know what’s changing and why. A little research will tell you everything you need to know.

First, take a look at what updates are available for your site. Navigate to Dashboard > Updates to see what’s available.

Next, take note of any plugin and theme updates. Plugins offer version details. Click the link next to each item to see them.

Plugins hosted on WordPress.org also have a support forum. Check them to see if other users have reported issues. You may also find notes from the developer.

It will take a bit more research for items hosted elsewhere. You might check their documentation, private support forum, or GitHub repository.

These details will help you make an informed decision. Seeing bug reports, for example, may lead you to hold off on updating.

Feel free to ask questions if you have concerns. Knowledge is power, as they say.

A plugin's changelog is a great place to find out what's new.

Back up Your Website Frequently

Security isn’t the only potential issue here. A software update could cause other problems. You might find a compatibility issue. Or an update might introduce a conflict with another plugin or theme. There’s also a chance that the update will fail.

It’s never a bad idea to back up your site before applying updates. You’ll have peace of mind knowing you can roll back if needed.

Your web host may provide backup capabilities. If not, you can also use a backup plugin. These options are usually seamless. Choose one that fits your desired workflow.

A tool that creates incremental backups is preferred. The feature improves the efficiency of both backing up and restoring your site.

And don’t forget about backing up your database! Some updates make changes there as well.

Site backups serve as a safety net when an update goes wrong.

Test Each Update for Issues

Don’t update and walk away. You’ll never know what sort of trouble you left behind. At least, not until a client discovers it.

Be sure to test updates after installing them. Ideally, you’ll have a staging environment to work with. That gives you the freedom to test without impacting users.

So, what should you test? That depends on the type of updates you installed.

If you updated WooCommerce, look at your site’s products. Add an item to your cart and test the checkout process. Edit a product or setting from the WordPress dashboard. Be on the lookout for anything that doesn’t work as expected.

Follow the same pattern for other items. Determine what could be impacted by the update. Then, test on both the front and back ends.

You can use your browser’s developer tools to help. For example, the console tab will alert you to issues like 404 and JavaScript errors. These can affect stability and site performance.

The process shouldn’t take more than a few minutes. And you’ll rest easy knowing that everything is working correctly.

Check the front and back ends of your site after updating.

A Holistic Approach to Updating WordPress

We all appreciate convenience – especially with mundane tasks. Such is the case with updating WordPress. It’s easy to hit the update button without a second thought.

That puts your site at risk, however. There are a myriad of things that can go wrong. Therefore, it’s worth paying attention.

Perform some research regarding each update. Get a sense of what is changing. From there, you can gauge the potential impact.

In some cases, you might want to delay installing an update. That’s OK. Only security-related updates should be considered an emergency.

Being proactive also means keeping site backups. That will be your safety net should something go wrong. Testing on a staging environment is also recommended.

The bottom line is to pay attention. Your site and its users will be glad you did.

How to Explain WordPress Maintenance to Clients in Simple Terms
https://speckyboy.com/explain-wordpress-maintenance-clients/
Sun, 10 Nov 2024 14:12:10 +0000

Insights on effectively communicating WordPress maintenance needs to clients and building trust.

The post How to Explain WordPress Maintenance to Clients in Simple Terms appeared first on Speckyboy Design Magazine.

There’s more to website ownership than meets the eye. However, our clients may not realize this. They might think that the work ends when the site launches.

An experienced web designer knows better. A site launch is just the beginning. Content management systems (CMS) like WordPress are a case in point. A steady stream of updates keeps us on our toes.

It’s one reason why I believe a professional should manage WordPress sites. Even the tiniest of websites have significant maintenance needs.

Still, clients don’t always understand the stakes or the costs involved. Until something goes wrong, that is. But let’s not go that far.

The key to avoiding problems starts with education. Teaching clients the hows and whys of WordPress maintenance can do the trick. With that, here are some points worth driving home in your discussions.

Website Maintenance Is an Investment

There are two types of website investments. The first is the cost of the initial design and build. It covers everything from the idea phase to the site launch. That’s the big, expensive part.

The second comes after the site goes out into the world. It ensures both content and software are current. Clients can get tripped up by this one.

What clients may not understand is that websites require care – regardless of whether the content changes. They’re viewing the phrase “website updates” through a different lens.

How do we change their perspective? You could compare website maintenance to that of a car.

Cars need regular care to keep things running smoothly. Doing so prevents problems down the road. It’s an investment in safety and stability.

Websites need the same kind of investment. The goal is to keep it in tip-top shape – and avoid common pitfalls.

WordPress sees frequent updates to plugins, themes, and the core software. Together, they improve the overall security and performance of a website. It’s too important to ignore.

Standards and Best Practices Change

The web’s standards and best practices are subject to change. So, that shiny website from a few years ago is now behind the times.

We’ll see this in several areas of a typical WordPress site. Accessibility is a big one. An older WordPress theme may not be up to the current standard. Old or abandoned plugins might also lack accessible features.

Server technology also marches on. A website may run on an outdated version of PHP, for instance. That means you’re missing out on better performance and security.

These issues go beyond a website’s aesthetics. They are fundamental to things like usability and legal compliance. The more you fall behind, the greater the risk.

Resolving these issues requires time and money. We’ll need to review the website and determine what needs to be changed or fixed. From there, it’s time to perform the necessary tasks.

Clients may have a hard time grasping this concept. They can’t always see the need for such changes. Nor can they always measure the results.

However, it’s one of the costs of website ownership. Think of it this way: Brick-and-mortar locations must keep up with building codes. Websites need to do the same.

The technology behind a website changes frequently.

Vigilance Is an Important Part of the Plan

Website maintenance is not a once-per-year type of task. It’s an ongoing commitment. WordPress releases a new major version every few months. Plugin and theme updates can drop at any time.

Each update opens the door to potential change. For example, a plugin update might require a new version of PHP. You might also need to update any custom code.

Security is also a key factor. New vulnerabilities pop up frequently. They require us to act quickly. Otherwise, we increase the risk of a compromised site.

Vigilance is important. It comes at a cost, though. Web designers need to keep a watchful eye. That means a combination of manual intervention and automated tools.

These acts won’t guarantee a problem-free experience. But they can prevent a small problem from becoming a major one.

That peace of mind is worth the price – particularly for clients who depend on their website for sales. A broken or hacked eCommerce site could spell disaster.

It takes a watchful eye to keep your website safe and secure.

A Well-Maintained Website Benefits All

In a nutshell, everyone benefits from a well-maintained website. Web designers can use it as a vehicle for recurring revenue. Users are less likely to encounter problems. And that should make website owners happy!

The other side effect is taking advantage of new features. WordPress is continually refining its core. The same goes for its theme and plugin ecosystem.

It’s an opportunity to do more online. Features that enhance performance, accessibility, or ease of use can mean more sales. That’s one way to increase the chances of customer loyalty.

Make an effort to discuss WordPress maintenance with your clients. Help guide them on the importance of staying on the cutting edge.

They’ll be more likely to commit once they learn the hows and whys. And they’ll be better prepared to adapt to the web’s ever-changing landscape.

10 Best Free Security WordPress Plugins
https://speckyboy.com/10-free-plugins-secure-wordpress-website/
Thu, 07 Nov 2024 09:01:18 +0000

A collection of powerful WordPress plugins that will harden your website and provide you with an extra layer of security and protection.

The post 10 Best Free Security WordPress Plugins appeared first on Speckyboy Design Magazine.

WordPress is now powering over 40% of all websites. That’s a testament to its flexibility, ease of use, and loads of free plugins and themes that are available. But that also means WordPress has a gigantic target on its back from malicious hackers and bots.

They’re constantly scanning for outdated installations and zero-day vulnerabilities. Brute-force login attacks hit even the most lightly trafficked sites.

It has become absolutely imperative that site owners take extra security measures. Some of that is done at the server level, but you can do plenty within WordPress itself. In fact, there are a plethora of free plugins out there that will harden WordPress and provide you with an extra layer of protection.

Limit Login Attempts Reloaded for WordPress

Brute-force login attacks are such a nuisance that there is a whole category of plugins dedicated to stopping them. Limit Login Attempts Reloaded can help you take control of the situation. It provides the ability to set login limits and block offending IP addresses for a specified amount of time.

Additionally, you can choose to be notified when an IP is blocked. That may be a bit overwhelming for sites that see a lot of attacks. Thus, it might be more efficient to periodically check the log of blocked attempts.


Sucuri Security WordPress Plugin

Sucuri Security includes a suite of features aimed at keeping site administrators informed. The plugin will scan your files for suspicious code and known vulnerabilities, and notify you of any issues it finds. In addition, it will check your site against blocklist engines and report if it has been flagged.

You’ll also find a helpful log of security-related activities, helping you keep track of changes made to your site. Level up to the premium version to activate a firewall, performance optimization, and more.


Wordfence WordPress Plugin

With millions of active installs, Wordfence is one of the most popular plugins out there. It will routinely scan your WordPress install for malicious code and has a real-time firewall that will help secure your site from known (and unknown) threats.

Advanced features like IP blocking and brute-force login protection can give site owners some peace of mind. The premium version includes country blocking and two-factor authentication, and the firewall is updated in real-time.


Jetpack WordPress Plugin

The WordPress jack-of-all-trades Jetpack has added some great security features in recent years. Brute-force login protection is included (and will proudly display how many malicious login attempts have been thwarted on the WP Dashboard).

There’s also a single sign-on feature that works with your WordPress.com account. Paid plans add spam blocking, malware scanning, and more.


iThemes Security for WordPress

This security suite (in plugin form) will protect your site with brute-force protection, file change detection, and a strong password requirement for users, and even help you run your entire site in SSL. A Pro version enables malware scanning, password expiration, and much more.


All In One WP Security & Firewall Plugin

This plugin will scan your site’s user accounts to ensure that a user’s username and display name aren’t identical – a key method bots use to grab logins. User registration can also be set for admin approval – meaning you’ll have the ability to reject accounts you don’t trust.

You’ll also find brute-force protection, a firewall, malware scanning, and protection for configuration files.


BulletProof Security Plugin for WordPress

BulletProof Security will provide extra security for your site’s .htaccess file, logins, and auth cookie expiration, and allows for database backups. You can also set a time limit on idle WordPress sessions, which will log the user out of the system after a specified period of inactivity.


Really Simple SSL for WordPress

One of the absolute best things you can do for security is to enable SSL on your site. Once you’ve acquired an SSL certificate and installed it on your server, Really Simple SSL will ensure your WordPress install is optimized to run under HTTPS.


Shield WordPress Security Plugin

Formerly known as WordPress Simple Firewall, this plugin will automatically block out malicious URLs and requests. It will also protect your blog from spambot comments and add two-factor authentication.


Hide My WordPress Plugin

One of the telltale signs a site is running WordPress is the use of the default /wp-admin/ and wp-login.php URLs. Hide My WordPress allows you to safely rename these login gateways to help avoid attacks.

Security Plugin Caution

Note that you should use caution when enabling more than one security plugin. Some can conflict with each other and lead to either a crashed site or a major performance hit. If you plan to use more than one security plugin, do some research to see how they coexist.

While there is no silver bullet for securing WordPress (or any other CMS), there are steps you can take to thwart malicious attacks. Most bots and hackers are looking for easy targets. Using a security plugin makes things much more difficult to crack.

WordPress Security Plugin FAQs

  • What Are WordPress Security Plugins?
    They are plugins designed to protect your WordPress site from security threats like hacking, malware, and unauthorized access. They add extra layers of security to your site.
  • Who Should Use WordPress Security Plugins?
    Anyone with a WordPress site, from bloggers and small business owners to large organizations, should use security plugins. They’re essential for protecting your website and user data.
  • Why Are Security Plugins Important for WordPress Sites?
    They safeguard your site against various cyber threats. They help prevent data breaches, protect user information, and make sure your website is safe and trustworthy.
  • How Do Security Plugins Improve a WordPress Site’s Safety?
    They offer features like firewalls, regular security scans, protection against brute force attacks, and alerts for any suspicious activity. Some also help with secure backups.
  • Can Security Plugins Affect the Performance of My WordPress Site?
    While some plugins might slightly affect site speed, most well-designed security plugins are optimized to minimize any impact on your website’s performance.
  • Should I Use Multiple Security Plugins on My Site?
    It’s usually not necessary to use multiple security plugins. One comprehensive, well-rated plugin is often enough to cover most security needs.

How to Educate Clients on WordPress Security Best Practices
https://speckyboy.com/clients-wordpress-security/
Mon, 04 Nov 2024 22:27:36 +0000

We discuss being proactive when it comes to teaching clients about security best practices. Some things are universal, while others are a bit more specific to WordPress itself.

The post How to Educate Clients on WordPress Security Best Practices appeared first on Speckyboy Design Magazine.

Building and securing a WordPress website is always a challenge. Developers take great care to write solid code and implement features such as security plugins to mitigate the inevitable attacks.

Even so, we’re not out of the woods. To paraphrase the old saying: a website is only as secure as its weakest link. Beyond potential exploits due to code, the weakest link tends to be an uninformed user. Someone who, through no fault of their own, makes a bad choice that leaves their website vulnerable.

To use another cliché: the best defense is a good offense. In this case, it means being proactive when it comes to teaching clients about security best practices. Some things (like strong passwords) are universal, while others are more specific to WordPress itself. And that’s our focus for today.

With that, let’s review five things your clients need to know about WordPress security.

Don’t Install a WordPress Plugin Without Consulting a Professional

We get it: the temptation to install plugins is real. They are, after all, just a few clicks away.

But the risk is also real. WordPress plugins vary greatly in terms of quality and, thus, security. It’s not uncommon to find a plugin in the official repository that hasn’t been updated in a year or more. Maybe it’s harmless; maybe it’s not.

Because of this, web designers should encourage clients to perform a quick consultation before installing a plugin. Offer to take a look and review the particulars. This single step could prevent a nightmare scenario with regard to security and site stability.

There are several benefits. First, this keeps you in the loop as to what’s going on with the site. In addition, it allows you to point clients in the direction of good, reputable plugins. Not to mention that this trains clients to think before they click. That benefits everyone.


Create New User Accounts, Rather Than Sharing a Single One

Many organizations have more than one person who needs access to the WordPress dashboard. Too often, those users share a single account.

On the surface, this may seem like a simple matter of trust. And there certainly is an element of that. If a team member leaves the organization, there is the possibility of them still having access if the password hasn’t been changed. And a malicious person could do some damage.

The other real concern here is about device security. If you have, say, five people sharing a WordPress administrator account, all it takes is one of their devices to be exploited. For example, a keylogger on one user’s PC could compromise the account.

Therefore, it’s recommended that each user have their own account. This is easy to do within WordPress, and we can even create custom user roles that limit what someone can and can’t do.


Keep WordPress Core, Plugins and Themes Up-To-Date

Ideally, your clients will contract with you to handle software updates. But if they’re the ones taking responsibility, it’s important that they treat the issue very seriously.

As a developer, there are few things more irritating than troubleshooting a compromised website, only to log into WordPress and see that things are several versions out-of-date. It’s akin to leaving the front door of your house wide open, 24/7. You shouldn’t be too surprised when someone comes in and takes your fancy new TV.

The importance of keeping WordPress core, plugins, and themes updated cannot be overstated. Even so, it still may be beyond the comfort level of some clients. That’s OK. Either they can hire you to deal with it or, at the very least, enable auto updates where possible.

Regardless of how updates are implemented, they must be taken care of. While it won’t guarantee security, it’s much better than the alternative.


Two-Factor Authentication Can Make a Big Difference

Adding two-factor authentication to WordPress is fairly simple. But it’s only worthwhile if stakeholders actually use it.

True, it’s not very convenient. Having to verify an email, a text message, or check a mobile app to log in can be a major pain. But this extra step is vital. It puts up a huge barrier between a malicious actor and access to your website’s back end.

And the user experience is actually getting better. Some implementations are now combining device recognition with 2FA. This means that, so long as a user’s device is recognized, there won’t be a need to verify a login for a specified amount of time.

Plus, 2FA has become standard in so many places. Some online banking apps won’t let you log in without it. There’s no reason why your website shouldn’t take advantage of this technology as well.

What’s Secure Today May Not Be Tomorrow

Regardless of the platform it runs on, a website is not a one-and-done affair. It requires frequent (if not constant) attention – with security playing a major role.

The web is constantly evolving. New technology gets old very quickly. And what was once thought to be a security best practice can sometimes be proven otherwise.

Because of that, website security is a challenge that really has no end. It’s a daily battle for small and large organizations alike.

The result is that websites need to change along with the times. When it comes to WordPress, that may mean replacing older security plugins with something better. Or doing away with abandoned themes and plugins to tighten things up. It could also require a change in hosts or server environments.

It’s important to understand that just because you’ve invested in security today doesn’t mean you won’t have to do so again tomorrow.

Educate Clients Today for a More Secure WordPress Website

Our clients often rely on us to provide some knowledge along with a killer website. And security may just be the most important subject we can educate them on.

Making an effort to do so from the beginning can pay long-term dividends. A client who understands how to keep their WordPress website secure is less likely to make one of those crucial mistakes. That alone may be the difference between cleaning up a hacked site and smooth sailing.

Why Third Parties Are Taking an Interest in Your Client’s Website Security
https://speckyboy.com/third-parties-interest-clients-website-security/
Wed, 16 Oct 2024 06:17:25 +0000

For years, security processes were between a designer, host, and client. But increasingly, other third parties are taking an active interest.

Website security is serious business. That’s not news to most web designers. It’s something we have to account for in how we build, the hosting company we use, and the software we trust.

And while there are plenty of best practices to follow, securing a website is a major challenge. Fending off automated attacks against content management systems (CMS), training clients, and continuously updating software take their toll. We can lessen the risks, but can’t fully mitigate them.

For years, security processes were primarily between a designer, host, and client. But increasingly, other third parties are taking an active interest. And web designers are getting caught in the middle.

If this hasn’t impacted you yet, it may be just a matter of time. Thus, freelancers and agencies need to take notice of this trend.

Let’s take a look at what’s happening and how web designers can be prepared.

Who’s Involved?

Granted, third-party interest in web security isn’t completely new. eCommerce sites have long had to deal with PCI compliance. And government regulations have aimed at areas such as user privacy – which could also be considered a security concern.

However, there seems to be increased input from other sources – particularly the insurance industry. They’re becoming keen on web security as it relates to their clients.

Organizations that require insurance, such as businesses and non-profits, are very likely to have a website as well. Just as they take a physical location’s well-being into account, insurance companies are starting to look at websites in the same way.

For example, let’s think about a typical brick-and-mortar retail store. Before providing insurance to a retailer, an insurer might consider:

  • The structural integrity of the building;
  • The types of merchandise being sold;
  • Any anti-theft security measures the retailer has put in place;
  • The number of employees;
  • Yearly revenue.

We’re now seeing similar concerns being extended to websites.

What Aspects of Website Security Are They Looking At?

Securing a website requires constant effort and encompasses several areas. Some factors, such as web hosting and SSL certificates, are fairly universal. But others may depend on how the website was built.

That means a static HTML site will have different security needs from one built with WordPress. And then there’s integrating third-party APIs, data collection, and financial transactions. Each presents a unique challenge.

Yet, there’s no guarantee an insurer is going to take a realistic view of these nuances. They may well employ an all-of-the-above strategy, even if specific elements don’t apply to a client’s website.

Industry veteran (and a colleague of mine) Wayne Kessler opines, “My biggest concern is the creation of unnecessary work and cost due to contractor (which is what an insurance company or a security consultant is) specified ‘standards’ that are oversized to risk. A cyber insurer’s job is to sell insurance that preferably won’t have any claims on it.”

He continues, “So, they can want websites locked as tightly as possible without due consideration of the ramifications of functionality or cost. It is not always possible to limit login access to a small IP range. SFTP is still needed for sites. A client might need to be able to send files back and forth to their designer. Workflow, site management, user functionality – these cannot be ignored when talking about security without the possibility of greatly reducing the value of the website.”

Advice for Web Designers

As is often the case, web designers are liaisons between our clients and a third party. In this case, insurers will hand clients a laundry list of website security considerations. From there, it’s up to us to make sense of them, implement what’s feasible, and effectively communicate.

There are a few potential roadblocks. The biggest is that you may not have control over every situation. For instance, some security measures may require the cooperation of a web host or plugin developer. Whether or not they comply is entirely up to them.

The potential cost is another consideration. The investment required to implement certain items may go beyond what your client is willing or able to pay.

Kessler says that web designers need to stay in the loop during the process, noting that “security standards seem to be expanding quickly with the growth of these industries, but that doesn’t mean these standards should apply to just any website. If you don’t take financial transactions on your website, or if you don’t keep user/customer data on your website, there are recommendations for these that should not apply. Beware of ‘oversizing’ the needs for security protection.”

It’s also important to recognize that many hands play a role in website security. According to Kessler, “Every story we read about identity theft comes from a gap in data protection. Web designers don’t want to be an identified gap. Similarly, you don’t want to manage a site that has a virus, is generating spam, or is locked up by rip-off artists. There are options to mitigate those risks. Web designers, and website owners, should take those options.”

The key is to control what you can and make sure your clients have an understanding of what’s involved.

Dealing with the Increasing Complexity of Web Security

As if web security wasn’t already a complex subject, the introduction of insurers and other third parties only adds to the stress. For web designers, it seems like yet another burden placed on our shoulders.

Still, this is part of our ever-evolving job description. As building and maintaining websites continue to change, it’s up to us to stay on top of best practices. In a sense, this development is a natural extension of that evolution.

Thankfully, the skills we’ve picked up in communicating with clients and adapting to new technologies can serve us well. Those experiences have prepared us to take this new challenge head-on.

5 Common WordPress Myths Debunked
https://speckyboy.com/wordpress-myths-debunked/
Tue, 15 Oct 2024 08:06:00 +0000

We take a look at some of the most common myths floating around the world of WordPress and attempt to uncover the truth.

Don’t be alarmed – but it’s been said that the internet contains some misinformation. It’s also really effective at spreading various falsehoods. And because anyone can publish whatever they like, it can be difficult to tell fiction from the truth. Shocking, right?

WordPress is no stranger to various myths and conspiracy theories. Some people are suspicious of big changes to the content management system’s (CMS) core. And others simply have misconceptions about the ecosystem, community and the overall picture of how things work.

It’s time to set the record straight. Today, we’ll take a look at some of the most common myths floating around in the world of WordPress and attempt to uncover the truth. What will we find? Keep reading to find out!

Myth #1: WordPress Is Slow and Insecure

Let’s start with the double-whammy of performance and security. Social media clickbait often portrays WordPress as seriously lacking in both of these key areas.

The problem with this narrative is that it treats WordPress as a one-size-fits-all CMS. The fact is that, while a stock installation is universal, we rarely leave it that way.

There are so many ways to customize WordPress. For starters, third-party plugins and themes are a huge part of the experience. And seasoned developers may well craft their own. In addition, the CMS can be hosted in any number of different server environments.

Each one of these factors into both security and performance. For instance, equip your website with a bloated theme or buggy plugin and you open yourself up to potential issues. Opting for cheap web hosting can do the same.

Beyond that, WordPress is also incredibly popular. Thus, it has a target on its back from bots and other nasties. Much like hackers write viruses targeting the Windows operating system over others, they aim for WordPress as well. The bigger you are, the more they come after you.

The WordPress project is open-source and has a large number of volunteers who dedicate themselves to, among other things, performance and security. That’s not to say that there’s never a bug or security flaw – but the core software is quite well-maintained.

That said, WordPress by itself is neither particularly slow nor insecure. It’s what we add on to it after the fact that can lead to the biggest problems.

Myth #2: Automattic/Matt Mullenweg Own WordPress

There’s long been a misunderstanding regarding the “ownership” of WordPress. At least some of this is due to some self-inflicted branding confusion and a few blurred lines.

It’s true that Matt Mullenweg co-founded WordPress way back in 2003. This is the free, open-source project that can be downloaded by anyone and installed just about anywhere. It’s commonly referred to as “.ORG”, an homage to the project’s domain name.

Mullenweg is still very much active in the project. You’ll see his name pop up as a core contributor for various releases and he often takes part in community discussion. He also works with others in determining the software’s roadmap for future development. He does not, however, own the project itself. That is in the hands of the non-profit WordPress Foundation (which Mullenweg founded, by the way).

Now here’s the part that may confuse you. The similarly-named WordPress.com (“.COM”) is a place where you can host a blog for free or buy various levels of hosting. This is in fact owned by Mullenweg’s company, Automattic. And yes, it does run WordPress software.

If you’re curious as to the differences between WordPress.org and WordPress.com, there’s a handy guide to help you sort things out.

So, while Automattic (and thus, Mullenweg) are major contributors to the project, they do not own WordPress itself.

Clear enough? No? It’s best to not try and unravel it all at once.

Myth #3: WordPress Websites Are Too Cheap/Expensive

A bit of crowdsourcing brought this juxtaposition to the forefront. It’s a great example of how varied the perceptions of WordPress can be.

The reality is that WordPress can be either of these things or none at all. So much depends on how web designers choose to market and sell services. Then there is also the matter of how much a specific client is willing to pay. Oh, and project requirements have a good bit of say as well.

WordPress itself is free. And you can certainly grab a free theme, then sprinkle in any number of free plugins. It’s entirely possible to build a website for nothing (or next to it).

On the other hand, you could build your own custom theme that does exactly what you need. Then, invest in some high-end commercial plugins that provide crucial functionality. To top it off, add in some enterprise-grade web hosting. The costs will add up.

WordPress can be made to do as much or as little as you like. A web professional can utilize it to create a massive corporate hub or a simple landing page. There is no single way to do things. Therefore, you can’t really peg WordPress as singularly cheap or expensive. It’s all about what you do with it.

Myth #4: WordPress Isn’t a “Real” CMS

Back in its early days, WordPress was purely a blogging platform. And, despite a whole lot of evolutionary changes since, some people still associate it with this purpose.

Running a super-cool blog is only the start of what a modern WordPress website is capable of. You can leverage the software to serve just about any purpose.

Celebrity eCommerce shop? Check. Major government portal? Check. Home for a corporate giant? Check. Well-known educational institution? Check that one, too.

We could go on and on. The point is that WordPress can be used for virtually any type of website – large, small or in-between.

Now, whether one personally thinks that WordPress is the best tool for a particular use case is up for debate. Everyone has their own preferences. But to say that it’s just a blogging platform is a myth.

Myth #5: WordPress Maintenance Is Inherently Messy

When it comes to WordPress maintenance, there are two separate entities to consider:

  • WordPress core software;
  • Themes and plugins.

WordPress core generally releases a few major updates per year. 2019 and 2020 saw three such releases each. Beyond that, there are several minor releases (which update automatically) that patch security holes and squash bugs. Consider core updates as a baseline for maintaining your website.

Third-party plugins and themes are a whole different animal. The number of updates (or lack thereof) is up to each developer. Some larger plugins may push updates every few weeks. Others might not see a change for a year or more.

In theory, the more third-party resources you add to your website, the more there is to maintain. But it goes a bit deeper than that.

So much depends upon the types of themes and plugins you’re implementing. A plugin that powers crucial functionality and has a large user base (such as WooCommerce) is going to require a bit more maintenance. The same can be said for a theme that uses a lot of advanced JavaScript libraries and custom features.

That said, every CMS requires some form of maintenance. This is a positive in that we want to make sure everything is as functional and secure as possible. Can something go wrong? Yes. However, applying updates is still vital.

Maintenance needs can be cut quite a bit by eliminating unnecessary plugins. This will not only save you time, but also help you avoid software conflicts. Short of that, there’s an auto update feature that can do a lot of the hard work for you.

WordPress Is What You Make It

When going through these myths and misconceptions, it becomes clear that the WordPress experience is different for everyone. Whether you’ve used it to build hundreds of unique websites or played around with a single blog – we all have a story.

Those stories ultimately shape our perception of what the CMS can and can’t do. Even some confusion over the separation between WordPress.org and WordPress.com can lead us to assumptions about who’s in charge and what is possible.

The bottom line is that WordPress really is ours to bend and shape. Use it to build something big or small, cheap or expensive. Install enough plugins to keep maintenance needs high or go completely barebones. Customize it to your heart’s content. It’s your choice.

There is almost endless flexibility. That’s what has led so many of us to choose WordPress. Just know that, whatever it means to you, there are other perspectives out there worth considering.

Tips for Maintaining a Legacy WordPress Website
https://speckyboy.com/maintaining-legacy-wordpress-website/
Mon, 14 Oct 2024 18:20:18 +0000

Maintaining a legacy WordPress website takes a keen eye and attention to detail. Here are some tips to make sure your old site runs as well as it can.

One of the best ways to measure how far technology has come is to use a legacy product. It’s true of devices like computers and smartphones. And it applies to websites as well.

For instance, compare a WordPress website you built recently with one from a decade ago. You’ll likely notice a lot of differences – both cosmetically and under-the-hood. It can certainly lead you to better appreciate the progress that has been made.

This is a process I’ve found myself doing a lot lately. A few websites that I built way back in the early 2010s are still in use. Beyond keeping those installs updated, part of my job has been to replace abandoned plugins and retrofit for newer features.

The experience has been interesting. Not only have these past projects offered perspective, but they’ve also been challenging. It means figuring out what I did, why I did it and how to keep things moving forward. It’s akin to keeping a classic car running.

Maintaining a legacy WordPress website takes a keen eye and attention to detail. With that, here are some tips to make sure your old site is humming along.

Watch Out for Abandoned Plugins and Themes

One of the most common issues you’ll find with older WordPress websites is the use of abandoned software. Plugins and themes that were acceptable solutions back in the day may no longer be in active development. That’s a risk to both functionality and security.

How do you know if an item has been abandoned? If it originates from the official WordPress theme or plugin repository, you’ll usually see a message stating that it “hasn’t been tested with the latest 3 major releases of WordPress”. That’s not a guarantee that the developer has completely let go of the project, but it can be a solid indicator.

If the item doesn’t come from an official repository, it may require some extra snooping. Search around for changelogs (that hopefully have release dates included) or support forums. Anything that hasn’t seen an update or author forum response in a year or more is likely gathering dust.

Most times, an abandoned plugin should be replaced. It’s not always a huge emergency, though. A simple niche plugin that doesn’t do a whole lot may be able to stick around longer than a complex one. Use your best judgement and look for potential alternatives.

Themes can also vary. Sometimes it’s a matter of replacing or disabling old scripts that won’t pass muster.

Regardless, it’s important to know where these items stand. Even if they work today, tomorrow could be a different story.
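The two signals described above (the "hasn’t been tested with the latest 3 major releases" notice and a year or more without an update) can be checked across a whole plugin inventory. This is an added example, not code from the article or from WordPress: the inventory is constructed, and the `tested` and `last_updated` field names and date format are assumptions modelled on WordPress.org plugin metadata.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory (not real plugins). The "tested" and "last_updated"
# field names and the date format are assumptions modelled on WordPress.org
# plugin metadata. None means the item is not in the official repository.
SAMPLE_INVENTORY = [
    {"slug": "example-forms", "tested": "6.7.1", "last_updated": "2024-11-20 3:05pm GMT"},
    {"slug": "example-slider", "tested": "5.8", "last_updated": "2021-08-02 9:41am GMT"},
    {"slug": "example-seo-tweak", "tested": "6.4.3", "last_updated": "2024-06-15 11:00am GMT"},
    {"slug": "example-custom-gallery", "tested": None, "last_updated": None},
]

MAX_RELEASES_BEHIND = 3          # the "latest 3 major releases" notice
MAX_AGE = timedelta(days=365)    # "a year or more" without an update


def release_index(version):
    """Turn '6.4.3' into 64 so major releases can be counted.

    Assumes WordPress keeps its decimal numbering, where 5.9 is followed by 6.0.
    """
    parts = version.split(".")
    return int(parts[0]) * 10 + (int(parts[1]) if len(parts) > 1 else 0)


def audit_plugin(plugin, current_wp, now):
    """Return the reasons a plugin looks abandoned (empty list if none)."""
    tested, updated = plugin.get("tested"), plugin.get("last_updated")
    if tested is None and updated is None:
        # No repository metadata: the article's advice is manual research.
        return ["not in the official repository: review changelog and support forum by hand"]

    reasons = []
    if tested:
        behind = release_index(current_wp) - release_index(tested)
        if behind >= MAX_RELEASES_BEHIND:
            reasons.append(
                f"tested up to {tested}, {behind} major releases behind WordPress {current_wp}"
            )
    if updated:
        try:
            stamp = datetime.strptime(updated, "%Y-%m-%d %I:%M%p GMT")
        except ValueError:
            reasons.append(f"unreadable last_updated value: {updated!r}")
        else:
            age = now - stamp.replace(tzinfo=timezone.utc)
            if age >= MAX_AGE:
                reasons.append(f"no update for {age.days} days")
    return reasons


def audit_inventory(inventory, current_wp, now=None):
    """Map each plugin slug to its list of abandonment reasons."""
    now = now or datetime.now(timezone.utc)
    return {p["slug"]: audit_plugin(p, current_wp, now) for p in inventory}


if __name__ == "__main__":
    # Constructed audit date and site version, so the output is reproducible.
    audit_date = datetime(2025, 1, 15, tzinfo=timezone.utc)
    for slug, reasons in audit_inventory(SAMPLE_INVENTORY, "6.7", audit_date).items():
        print(f"{slug}: {'; '.join(reasons) if reasons else 'ok'}")
```

A flagged plugin is a prompt for the judgement call described above, not an automatic removal: a simple niche plugin may be able to stay longer than a complex one.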

Outdated JavaScript Can Be Problematic

WordPress comes bundled with the jQuery JavaScript library. This is great for leveraging special effects and other UI-related goodies on your website. But as new versions are included, some older scripts become obsolete.

This can be a problem. For example, a change in jQuery versions that came with WordPress 5.6 led to a large number of JavaScript errors – particularly with older plugins and themes. Certain code that had been deprecated was no longer supported. Thus, developers had to hunt down and fix each instance.

Leaving these items unfixed could cause a buggy experience on both the front and back ends. jQuery errors tend to interfere with how other plugins function and may even prevent them from working at all.

It always pays to stay on top of impending WordPress library changes. But it’s truly essential when dealing with a legacy site. Any item that hasn’t seen an update in a while is susceptible to breakage.

Therefore, it’s important to check the changelogs for WordPress core and for jQuery itself. Additionally, test out updates on a staging environment before applying them to a production site. This could save you from some serious usability issues.

Research Before Removing Code

Whether you built a website years ago or inherited it from another developer, chances are you’ll run into some questionable code. It might be a snippet inside a theme template or even an ambiguous plugin.

This is all the more reason to document your projects. But if there’s no documentation, you might be left to wonder why a particular item was included. Was it just poor practice or does this code still serve a purpose?

While it may seem safe to deactivate a plugin or remove code – do some research first. I can’t tell you the number of times I’ve jettisoned something I thought was useless only to find that it facilitated some obscure function. That resulted in putting things back the way they were (be sure to keep backups, too).

The research all depends on the item itself. If it’s a plugin, a web search can be a big help. For snippets, analyze the code and try to figure out what it does. Either way, don’t touch anything on a production site until you know for sure and have done some testing.

Look for Missing Features

Things change quickly on the web. Thus, an older website might be missing some crucial features. Things that could leave you lagging behind or worse.

Perhaps the two biggest items on this list are accessibility and responsive styling. A website built in 2010 may not have taken these things into account.

For instance, I found that a few older projects were using a plugin to serve up a separate mobile theme. There wasn’t anything particularly bad about this practice – and it worked well enough. But even aging desktop themes can be retrofitted to work nicely on smaller screens. It takes some CSS and maybe even reconfiguring of templates, but it’s worth doing if a redesign isn’t in the budget.

Bringing accessibility up to snuff may require a lot of manual and automated testing. You’ll want to ensure that the website covers the basics like color contrast ratios, legibility and keyboard-friendly navigation. Utilizing the ALT attribute on images is also important.

Even if you have limited resources to work with, a little effort in these areas can have a positive impact.

Making an Old WordPress Website (Almost) New Again

It’s a credit to both WordPress and its ecosystem that websites built many years ago keep on working. Much of the code and styling involved is more resilient than one might think.

Still, time marches on. Themes, plugins and scripts will eventually break if not maintained. We can certainly hope that the developers of these items are keeping up with the latest standards. But sometimes that job falls to us.

If a legacy site is in your care – don’t worry. By doing some homework and being on the lookout for potential issues, you can still provide a great experience for users.

6 Best Plugins for Adding Two-Factor Authentication to WordPress
https://speckyboy.com/two-factor-authentication-wordpress/
Wed, 09 Oct 2024 07:25:30 +0000

We explore what two-factor authentication actually is and take a look at a few WordPress plugins that will help you add this feature with minimal effort.

Websites running WordPress get attacked – a lot. Why, the number of brute-force login attempts alone can be massive. If you want to see just how much, install a security plugin that blocks these login attempts. You may be shocked at the sheer number of bots out there trying to break into your site.

What’s really surprising is that even sites with relatively low traffic are not immune to this phenomenon. Bots care nothing about the size of your website, only the software it’s running.

This isn’t the fault of WordPress, per se. Its popularity makes it the biggest target out there for nefarious actors. It’s much the same way Windows wears the bullseye for viruses and malware when it comes to personal computers. When you’re the most popular option, you’re likely to face the most aggression.

For those responsible for maintaining these websites, being proactive when it comes to security is mandatory. And one of the simplest steps we can take is adding two-factor authentication.

Let’s explore what two-factor authentication is and look at a few plugins that will help you add this feature with minimal effort.

Two Layers Is Better Than One

Two-factor authentication (2FA) is becoming a standard across a number of industries. Everything from online banking to social media companies is recommending it for increased security.

In a nutshell, this is a measure that goes beyond a standard username and password – thus, the name “two-factor.” It forces users to take additional action to verify their identity.

The additional action can vary by system. This might be entering a randomly generated alphanumeric security code, solving a simple math equation, scanning a QR code with a mobile device, or verifying a previously chosen image. Biometrics such as fingerprint or retina scans are also possibilities, although they aren’t widely used on the web just yet.

While this does make the user’s login process more laborious, it also adds a crucial layer of security. It’s a tradeoff well worth making. And the technology is getting better. Some systems will remember your device so that two-factor is only required when a login attempt comes from an unrecognized gadget.

The bottom line is that two-factor makes it more difficult for a bot or other unauthorized user to force their way into your website and do damage.

Two-Factor Authentication Plugins for WordPress

Now that we know a bit more about what two-factor authentication is and why we’d want to use it, it’s time to integrate it into our WordPress website. Fortunately, the process is simple, thanks to several available plugins.

Here are a few of the best options out there:

Two-Factor

While officially still a beta plugin, Two-Factor does one thing and does it pretty well. It allows you to choose from a variety of authentication methods right from your WordPress user profile. The plugin will email you a security code, use time-based passwords, FIDO Universal 2nd Factor, and more. It’s still in development, so look for more handy features to come.

Two Factor Authentication

Two Factor Authentication is a more polished and flexible option. It includes support for the popular Google Authenticator app, QR code scanning and the ability to require specific roles to use the extra verification procedure. The premium version even offers integration for front-end logins, which is useful if you are running a membership site.

Jetpack

Yes, Jetpack is the plugin suite that tries to do a bit of everything. So, if you’re only looking for two-factor functionality, it’s probably not worth installing for that alone. But if you’re one of the millions who already have it installed, its Protect feature is activated by default. It helps to block brute-force attempts and also adds a math-based CAPTCHA to your site’s login form. It is one of the more user-friendly methods out there, provided you know a little math!

Google Authenticator – WordPress Two Factor Authentication (2FA)

This plugin adds 2FA to any login field, including the front end. But don’t let the name fool you – it works with more than just Google Authenticator. You can also use LastPass Authenticator, push notifications, and security questions, among others. In addition to the free version, there are premium versions and add-ons that offer more features. It also integrates with many popular plugins.

Keyy Two Factor Authentication

Keyy looks to pick up where the innovative Clef service left off. Clef (which is no longer with us) allowed users to log in by scanning a pattern on their screen with their mobile device. Keyy does much the same thing and requires you to download an app to use the service. This eliminates the need for users to enter their passwords altogether, which could be a good thing. Just note that this plugin is in its early stages, so there may be a few “rough edges.”

Wordfence Security – Firewall & Malware Scan

Wordfence is one of the most-used security plugins out there and offers a full suite of different protections. But for our purposes, let’s talk about its two-factor feature. It’s now available in the free version of the plugin and has been completely revamped. Like others on this list, it supports TOTP-based authenticator apps, like Google Authenticator. There’s also an option to add reCAPTCHA to your login form. Also of note is the ability to require 2FA for specific user roles and to allow the system to remember devices for up to 30 days.

A Simple Way to Boost Security

When it comes to securing your WordPress website, every little enhancement can make a positive difference. Implementing two-factor authentication will make it that much more difficult for an attacker to access the back end of your site.

Even better is the ease with which this feature can be added. Any one of the plugins above can increase your protection for free and with minimal effort on your part. Choose your favorite and keep bad actors at bay.

Building WordPress Websites That Better Respect User Privacy
https://speckyboy.com/wordpress-better-respect-user-privacy/
Mon, 07 Oct 2024 08:04:54 +0000

In recent years, privacy has become one of the most important topics in our society. With the rise of services that use and sell user data, serious discussions have been taking place regarding best practices and the rights of users.

In some cases, they’ve led to government-based regulations such as the EU’s GDPR. However, worldwide there still seems to be quite a lot of confusion, resulting in inaction. Unfortunately, web designers seem to be caught in the middle.

What makes things even more difficult is how much we rely on third-party providers that enable all manner of different functionality. Each provider is another link in a privacy chain that may or may not be collecting/using data in an undesirable way.

Nowhere is this more of a challenge than when it comes to building sites with WordPress. That’s not because the CMS doesn’t take privacy seriously – it does. Rather, it’s a combination of being the web’s most-used platform and its ability to tie in with an untold number of services via plugins and themes.

That raises the question: How do we build WordPress websites with privacy in mind?

First, Have Realistic Expectations

Perhaps the obvious answer is to disable anything and everything related to tracking users. That means disabling cookies, not utilizing any third-party plugin or theme, and forgetting about showing ads. But that’s not going to meet the needs of most websites – especially if you’re building them for clients.

Therefore, we have to keep our expectations based on reality. And it’s also important to understand that if a site is expected to comply with some legal standard, lawyers or some other party who can verify adherence should be involved.

Regardless, in almost all circumstances, some user data will be collected – either directly by your own site (form submissions, cookies, etc.) or through the outside services you connect with. This is life as we know it and may be impossible to avoid.

That doesn’t mean, however, that we are completely powerless. Together with clients, there are some decisions we can make that do keep the well-being of users in mind.

Choose Your Company Carefully

The one area where we have a significant amount of say is in what types of functionality we add to our website. This covers everything from the theme we use and the plugins we install to the outside APIs and code libraries we integrate.

Themes

Some themes send data back to their developers, although it may not be user-specific. Usually, you can turn such functionality off via a setting. However, it’s best to check any data collection policies they have before making a commitment.

One of the best ways to ensure that a theme won’t collect user data is to build your own. There are plenty of great barebones starter themes and frameworks that help get projects up-and-running relatively quickly. It may not make sense for everybody, but it can be a great option if you want to exercise further control.

Plugins

When it comes to plugins, more and more, we are seeing them ask to collect data. It may be that they’re only interested in anonymous data that shows what other plugins you’re using, your hosting environment, and so on. Again, you’ll want to review exactly what they are looking to harvest from your site.

Reputable plugins should have these functions turned off by default and allow you to opt-in. If not, the beauty of the WordPress community is that there are usually plenty of alternative options. Look for a plugin that either doesn’t collect data or allows you to turn it off.

It’s also worthwhile to look for plugins that are compatible with the WordPress personal data export and erase tools, launched in version 4.9.6. This allows users to take ownership of their data and provides a means to have it removed from your site if they so wish.

It also makes for easier management when it comes to plugins that store user-related content in the site’s database. The last thing you want is to poke around a huge database, looking for extra bits of information to remove.

Third-Party Services

Many of us want to integrate Google Fonts or social media tools into our websites. Beyond that, there are many additional services that provide maps, analytics, video, script libraries, or APIs that we might want to tap into.

Odds are, the majority of these services will want to track users in one way or another. But there are some possible solutions:

  • In the case of Google Fonts, you can always download the fonts you need and host them directly on your web server. The same goes for other remotely-hosted scripts.
  • Some services will allow you to opt out of certain tracking behaviors. For instance, when embedding media from YouTube, it’s possible to turn on Privacy-Enhanced Mode, which lets users watch without the service tracking their viewing habits.

Also, note that some functionality may not work as expected without cookies or other tracking methods enabled. Be sure to read up on policies and documentation for details. Depending on your needs, this may or may not be worth the compromise.

Dealing with What Is, While Striving for Better Solutions

Certainly, all of this puts a lot of weight on the shoulders of web designers. It’s hard enough balancing the desires of our clients with the concerns of users. When you throw in all of the various privacy-related policies of governments and service providers, it all seems like mission impossible. In short: It’s a mess.

We can’t be expected to know exactly what Facebook does with user data while also keeping up with Twitter, Google, and advertising networks. It’s doubtful that even the people who work for these providers can keep up with their own jargon.

Yet, we’re still obligated to try. That means assessing the situation and attempting to know more about what it is we’re building. We need to encourage clients to adopt privacy policies of their own while making it clear that legal professionals are required to keep things on the up and up.

The modern website demands a lot of advanced functionality – much more than even a decade ago. And since so many of us use WordPress to build those sites, we must be aware of the various parts we’re piecing together.

Will it ever be completely cohesive? Maybe not. But it’s our job to try and put it all into as neat a package as possible. It’s the best we can do until a better solution comes along.

The post Building WordPress Websites That Better Respect User Privacy appeared first on Speckyboy Design Magazine.
