Thursday, November 30, 2017

Is WordPress Safe for eCommerce Websites?

WordPress is not inherently built for eCommerce. In order to sell anything on your website, you need to use a theme and a series of plugins in order to tap into that functionality (or you need to code it all from scratch). But just because WordPress on its own is not eCommerce-ready doesn't make it any less of a good (or smart) choice to build your online store with.

That said, there are a number of concerns eCommerce companies might have when considering whether or not to use WordPress to build their online store. A few of them being:

  • Limits on how big the store (i.e. number of products) can get.
  • Limited functionality and features.
  • And, of course, whether or not the platform itself is secure enough.

    We've already seen that there are a number of WordPress plugins (and not just WooCommerce) capable of handling the capacity concern. WPMU DEV's Upfront also supports both the WooCommerce and MarketPress plugins, so eCommerce-friendly themes are taken care of too.

    However, if you're still concerned over the question, "How safe is WordPress for eCommerce?", then let's take a quick look at what we do know to help put your mind at ease.

    Is WordPress Safe for eCommerce?

    In 2014, firas80 submitted that same exact question (and some answers based on research) to the WPMU DEV forum. firas80 and other members who responded all seemed to say the same thing: no eCommerce platform is going to be 100% safe. What matters are the precautions you take to secure it and also remain in compliance with PCI data security regulations.

    Quora is another place where you'll find people wondering about this question often. It was brought up back in 2015 and again in 2017. Developers who have used WordPress to build eCommerce sites have nothing but good things to say about it. They simply suggest that you adhere to security best practices as you would otherwise do if you want to keep all parties safe.

    It's not surprising, though, that this question about WordPress's viability as a safe eCommerce platform arises time and time again. Running a business online is scary stuff. Add to that the monetization aspect where you need to ensure that customers can make secure payments, that you actually receive payments, and that hackers don't find a way through in the meantime, and no wonder it's a concern.

    For the most part, however, WordPress has security well covered with:

    But most of those are tools you need to add onto your WordPress installation in order to secure your online store. What does the WordPress project team (those in charge of securing the core) do to actually ensure that WordPress is a safe platform for eCommerce sites? There are two key responsibilities they assume:

  • They regularly roll out minor releases with patches as security issues are detected on the platform.
  • They and the volunteer theme review team carefully vet every new theme and plugin submitted to the repository. When security issues are detected, they then work directly with developers to clean up the underlying problem and consequently release an update to users.

    The rest is then up to you.

    What Can You Do to Better Secure WordPress for Your eCommerce Site?

    Okay, so this is where you come into the equation. WordPress will do whatever is in its power to secure the core and vet third-party integrations you might use. However, if you're building and running an eCommerce site, there's much more work to be done.

    Here is what you can do to better secure WordPress for your eCommerce site:

    1. PCI Compliance: Understand all the ins and outs of PCI compliance in eCommerce.

    2. Web Hosting: Use web hosting that supports an eCommerce website. This means absolutely no shared hosting plan. VPS or dedicated servers are the way to go.

    3. Content Delivery Network: Add a CDN to improve speed and an extra layer of security.

    4. SSL Certificate: Get an SSL certificate to help provide extra protection for your customers' transactions.

    5. eCommerce Platform: Even if your host and WordPress installation are secured, it's still important to find an eCommerce plugin that will provide your users with a safe place to make a purchase. This all starts by choosing a secure eCommerce plugin.

    These are the eCommerce plugins most known for their security and PCI compliance:

  • MarketPress integrates with 15 of the most well-known and secure payment gateways. And because it's part of the WPMU DEV family of plugins, it works beautifully with the Defender plugin.
  • WooCommerce, of course, is always a smart choice as it's made by Automattic.
  • For the sale of digital products, Easy Digital Downloads is the platform you'll want to use. It syncs with secure file storage tools like Amazon Web Services and Dropbox, adding an additional level of security to your site.

    Also, don't forget to use reliable eCommerce plugins when adding advanced functionality to your store. Here are some examples of ones you can use for WooCommerce.

    6. Payment Gateway: Create an even more secure checkout process for your customers by using payment gateways known for their security. You might even want to move your shopping cart and gateway off of your site if you're nervous about security.

    7. Order Management Software: Store all sensitive customer information (basically, anything they input during the checkout process) in a secured CRM or order management software (like QuickBooks) and not in WordPress.

    8. Transaction Monitoring: Pay close attention to any transactions that come in or out through your online store. Payment fraud might not seem like it poses a security risk to you, but your visitors sure as heck won't be happy to see they were hacked and no one on your side noticed anything was amiss.

    One way to prevent this type of threat is by requiring that users input their card's Card Verification Value (CVV) number. Depending on the size of your store, you might also need to invest in anti-fraud security services.

    9. Security Plugin: Use a WordPress security plugin to reinforce your site's security. These plugins can take care of everything from installing a firewall to managing anti-malware and spam monitoring for you. In addition, they'll help you put extra security precautions in place in the admin area.

    10. Backup Plugin: Don't forget that a security plugin always needs a reliable backup plugin to support it.

    11. UGC: Be careful about what user-generated content (including reviews, ratings, and blog comments) you allow onto your site.

    12. Core Updates: Keep your WordPress core up-to-date. Even if you're not comfortable automating all of these upgrades, logging in at least once a day will ensure you know when they're ready so you can take care of them manually.

    13. Plugin and Theme Updates: Keep all plugins and themes updated as well. You can use Automate from WPMU DEV to simplify this process.

    14. Integrations Review: Verify the quality of your themes and plugins. You should also do regular sweeps of your plugin and theme stash to ensure that anything you're not using is deactivated and deleted.

    15. Online Scanner: Check your WordPress site for vulnerabilities using an online scanner. This will tell you if there are issues with your code or the third-party integrations you've added to your site, among other things.

    If you're nervous about remembering each of these steps for securing your eCommerce site, then be sure to integrate a security checklist into your process.

    Proof that WordPress Is Safe for eCommerce

    Look, it's easy to talk about how "secure" WordPress is for eCommerce, but those are just words. How can I actually show you that this platform is safe enough for you to conduct monetary transactions on it?

    Probably the easiest way to do that would be to share with you a number of successful eCommerce sites that currently run on WordPress. Whether they sell digital or physical products, these websites have demonstrated how reliable a platform WordPress is for eCommerce.

    Blue Star Coffee Roasters

    Blue Star Coffee Roasters is an online purveyor of coffee, coffee accessories, as well as coffee subscription services. All purchases are made and processed right on their website and they offer customers an easy one-page checkout with a secure Stripe payment gateway to cap it all off.

    BoardShorts.com

    The BoardShorts website sells a variety of men's and women's board shorts online. The checkout process is clearly laid out, using three breadcrumbs to guide the user through each step. You'll also see the Authorize.net safety seal which adds extra assurance for visitors worried about safely making their purchases.

    Edible Blossoms

    Edible Blossoms is a UK-based online store, much like Edible Arrangements that we have here in the U.S. You can order a variety of different fruity arrangements and complete the purchase right there with their WooCommerce-enabled checkout.

    Laughing Squid

    Laughing Squid is an interesting company as it's part blog and part web hosting. Obviously, it's the web hosting side of the business that we're concerned with as that's the part that requires eCommerce functionality. The hosting order form appears to be fairly straight-forward and, at the end, they accept three different types of credit card payment.

    NGINX

    Much like WordPress, NGINX is an open source platform that helps power the web through server technology, load balancing equipment, and more. So, it's not at all surprising to see that they've used WordPress to build out their shopping cart page where they collect credit card, debit card, and PayPal payments for their services and products.

    OptinMonster

    No discussion about conversion optimization would be complete without discussing OptinMonster. Apparently, no discussion about using WordPress to sell your services would be complete without mentioning them either. The checkout process is easy and comes with a number of trust marks like Norton Secured and McAfee Secure clearly visible as you're about to make your purchase.

    Rotimatic

    For anyone who has ever wanted to make their own rotis (a type of flatbread), there is the Rotimatic. The website itself is a good example of what an eCommerce company can do with the right WordPress tools (including WooCommerce) to sell their unique product online.

    Wakami Global

    Wakami Global's mission is to empower women living in rural areas of Guatemala by giving them jobs and, in turn, selling their products online. Perhaps the nicest part about how they've set up the eCommerce part of the site is that they give customers the option to pay with Amazon. Of course, that's not to say that they don't trust WooCommerce or their payment gateway; they're simply giving customers a couple options in case any concerns about security remain.

    WooCommerce

    And, of course, WooCommerce uses WordPress–specifically, their WooCommerce software–to process sales on their own website. Like Blue Star, they've chosen to use Stripe to power their payment gateway. They've also enclosed a note at checkout ensuring that customers are aware that payments are processed over their secure SSL connection.

    Wrapping Up

    Of course, a WordPress eCommerce site will only be as secure as you make it. While the WordPress security team can work day and night to detect and patch security issues in the core, they can't force you to keep plugins up-to-date or require all users to abide by better login practices.

    If you're not already doing so, keep our Ultimate WordPress Security Checklist on hand. Every website you build–eCommerce or otherwise–deserves to be properly secured against threats and this will be your guide in providing that defense for them.


    Source: Is WordPress Safe for eCommerce Websites?


    Wednesday, November 29, 2017

    How to Prevent Authors From Deleting Posts in WordPress

    By default, users with the author user role can delete their own posts, even when these posts are already published. If you run a multi-author blog, then you may want to stop authors from deleting their own posts, especially once they're published. In this article, we will show you how to easily prevent authors from deleting their own posts in WordPress.

    Why Prevent Authors From Deleting Their Own Posts in WordPress

    WordPress comes with a powerful user role management system. Each registered user on your WordPress website is assigned a user role, and each user role comes with different permissions.

    Users with the 'author' role can write posts and publish them on your website. This role is generally used by multi-author WordPress blogs.

    Authors can also delete their own posts, including those already published. As a website owner, you may want to prevent authors from doing that. The easiest way to do that is by modifying the author user role and changing its permissions in WordPress.

    Let's take a look at how to easily prevent authors from deleting their own posts.

    Method 1: Prevent Authors From Deleting Posts Using Plugin

    This method is easier and recommended for all users.

    First thing you need to do is install and activate the Capability Manager Enhanced plugin. For more details, see our step by step guide on how to install a WordPress plugin.

    Upon activation, you need to visit Users » Capabilities page. Here you can load any WordPress user role and change its capabilities and permissions.

    You need to start by locating the 'Select Role to View / Edit' box in the right column, and then select 'Author' user role from the drop down menu. After that you need to click on the 'Load' button to load the author user role capabilities.

    The plugin will now load the 'Author' user role capabilities. Under the deletion capabilities section, you need to uncheck the box next to delete and delete published options.

    After that you can go to the bottom of the page and click on the save changes button to store your settings.

    Now, users with the author user role will no longer be able to delete any posts on your WordPress site.

    Giving Back Permissions

    User role capabilities are defined explicitly. It means that once you remove a capability from a user role, it will not come back unless you explicitly define it again. Even if you uninstalled the plugin, the capability changes you made will not revert automatically.

    If you want to give back authors permission to delete, then you will have to repeat the process and check the boxes next to the delete and delete published posts options.

    If you want to uninstall the plugin and revert back to default WordPress capabilities, then first you need to visit Tools » Capability Manager page and click on 'Reset to WordPress defaults' link.

    Method 2: Manually Prevent Authors From Deleting Their Own Posts

    This method requires you to add code to your WordPress files. If you haven't done this before, then take a look at our guide on how to copy and paste code in WordPress.

    You will need to add the following code to your theme's functions.php file or a site-specific plugin.

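    // Remove the delete capabilities from the 'author' role.
    // Role capabilities are saved in the database, so the change persists.
    function wpb_change_author_role() {
        global $wp_roles;
        $wp_roles->remove_cap( 'author', 'delete_posts' );
        $wp_roles->remove_cap( 'author', 'delete_published_posts' );
    }
    add_action( 'init', 'wpb_change_author_role' );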

    This code changes the author user role and removes their capability to delete their own posts.

    If you want to revert back the permissions, then simply removing the code will not make any change. You will need to explicitly redefine the removed capabilities by replacing the first code snippet with the following code:

    // Explicitly give the delete capabilities back to the 'author' role.
    function wpb_change_author_role() {
        global $wp_roles;
        $wp_roles->add_cap( 'author', 'delete_posts' );
        $wp_roles->add_cap( 'author', 'delete_published_posts' );
    }
    add_action( 'init', 'wpb_change_author_role' );
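    Because role capabilities are stored in the database, the same change can be made once when a site-specific plugin is activated and undone when it is deactivated, rather than on every init. The following is an added example, not code from the original article; the plugin name and the myprefix_ function names are hypothetical. It also lists any author accounts that can still delete posts, for instance through a capability granted to the individual user or through a second role.

```php
<?php
/*
Plugin Name: Author Delete Lockdown (hypothetical example)
*/

// The two capabilities the article removes from the 'author' role.
function myprefix_locked_caps() {
    return array( 'delete_posts', 'delete_published_posts' );
}

// Runs once on activation. The change is written to the database and persists.
function myprefix_lock_author_delete() {
    $role = get_role( 'author' );
    if ( null === $role ) {
        return; // The role does not exist on this site; nothing to change.
    }
    foreach ( myprefix_locked_caps() as $cap ) {
        if ( $role->has_cap( $cap ) ) {
            $role->remove_cap( $cap );
        }
    }
}
register_activation_hook( __FILE__, 'myprefix_lock_author_delete' );

// Runs once on deactivation. Capabilities never come back on their own,
// so they are granted again explicitly.
function myprefix_unlock_author_delete() {
    $role = get_role( 'author' );
    if ( null === $role ) {
        return;
    }
    foreach ( myprefix_locked_caps() as $cap ) {
        $role->add_cap( $cap );
    }
}
register_deactivation_hook( __FILE__, 'myprefix_unlock_author_delete' );

// Verification for administrators: the role change does not cover capabilities
// granted directly to a user or inherited from another role, so check each
// author account and report the ones that can still delete posts.
function myprefix_author_delete_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $still_able = array();
    foreach ( get_users( array( 'role' => 'author' ) ) as $user ) {
        foreach ( myprefix_locked_caps() as $cap ) {
            if ( $user->has_cap( $cap ) ) {
                $still_able[] = $user->user_login;
                break;
            }
        }
    }
    if ( $still_able ) {
        echo '<div class="notice notice-warning"><p>'
            . esc_html( 'Authors who can still delete posts: ' . implode( ', ', $still_able ) )
            . '</p></div>';
    }
}
add_action( 'admin_notices', 'myprefix_author_delete_notice' );
```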

    We hope this article helped you learn how to prevent authors from deleting their own posts in WordPress. You may also want to see our ultimate step by step WordPress security guide for beginners.


    Source: How to Prevent Authors From Deleting Posts in WordPress


    Tuesday, November 28, 2017

    Understand Caching with Transients in WordPress

    Computer performance revolves, in large part, around the idea of caching: "storing something in a more-ready and quicker-to-access state," so that you can more quickly deliver the final result.

    To take a real-life example: your kitchen cupboard is a kind of cache. You've got soup cans "cached" in your cupboard, ready for quick delivery to your stove—meaning that you don't have to drive to the supermarket every time you want soup.

    The WordPress Transients API is a tool for caching, and an important way to improve performance in WordPress.

    Why Use Transients for Caching

    In a WordPress context, caching most often means "full page" caching: storing a full webpage just before it's sent out to a visitor, so that the next visitor to ask for that page will get the stored version without your server having to rebuild it. This is the approach of many caching plugins, such as WP Super Cache. In some situations this is ideal, and can have a major impact on site speed.

    However, there's also the idea of "partial" or "object" caching: achieving performance gains by storing things other than full pages, such as the results of long-running computations, slow results from remote servers (such as Facebook or Twitter results), or large database queries which are likely to be both slow to run and very consistent in the results they yield.

    In WordPress, the way to "partially cache" pages, one data object at a time, is the Transients API.

    Understanding the WordPress Transients API

    The WordPress Transients API creates its own, easy-to-use interface for the various means and methods of caching data in a given server environment, so that WordPress developers don't have to worry too much about the specifics of that environment.

    With Transients, we want to be able to name and store a hunk of data, and to get it back quickly. This so-called "key-value store" is exactly what in-memory caching systems allow. Memcached (memcached.org) is one of these systems: a very fast, simple, and powerful way to store blobs of data and retrieve them later. However, Memcached and similar systems are not available everywhere—in fact, not even on most servers where WordPress runs.

    So the Transients API lets WordPress programmers cache data just like they would if Memcached or a similar key-value storage system were available—without needing to worry whether it actually is.

    In-Memory Storage and In-Database Storage

    As a note on how the Transients API actually works: when Memcached or other forms of caching aren't available, WordPress stores the cached data in the options table of its regular database. This lets WordPress provide the same functionality as an in-memory cache—although, unfortunately, somewhat slower, since the objects are cached all the way in the MySQL database, and not in the server's memory where they're easier to get to.

    Transients Should Be Transient!

    These "caches" or "transients" aren't meant to be permanent. (Permanent data should live in the Options API; see Mastering the Options API in WordPress.)

    When we cache data, we want to set a defined expiration time for that data, after which it'll simply disappear.

    How to use the Transients API

    The Transients API is quite simple: you first store a name-value pair, and then you retrieve it.

    set_transient()

    Here's what setting a transient looks like:

    $string = "Cache me for a day!";
    $bool_response = set_transient( 'wpshout_cache_me', $string, 86400 );

    Let's look at set_transient()'s three arguments:

  • The name of the transient, in this case wpshout_cache_me.
  • The value of the transient. In this case, that's the value of $string: the string "Cache me for a day!"
  • The length for which this transient will persist. This argument takes an integer number of seconds, in this case 86400.

    The final result is that the wpshout_cache_me transient will persist with a value of "Cache me for a day!" for 86,400 seconds—that is, for one full day.

    get_transient()

    Retrieving a transient for use looks like this:

    $transient_string = get_transient( 'wpshout_cache_me' );
    if ( false === $transient_string ) {
        return; // In real life we'd want to set_transient() here
    }
    // Escape the cached value before printing it into HTML
    echo '<h1>' . esc_html( $transient_string ) . '</h1>';

    Here, we're using get_transient(), with the transient's name (wpshout_cache_me) as its only parameter, to retrieve the transient if it exists.

    Be careful! get_transient() will return false if the transient doesn't exist. So it's really important to test for the transient's existence before using it. That's what our if-statement does. In real code, the lack of a transient would be our excuse to set_transient() all over again, but we've omitted that here.

    If we have successfully retrieved the transient, you can do anything with it. In this case, we're printing it out, wrapped in an <h1> tag.

    That's it! There are four other functions: delete_transient(), which manually clears transients out of the cache, and three alternative functions for use in WordPress Multisite. But there's plenty here to get you, as it were, "up and running" with transients.

    An Example: Fun With Transients

    Let's look at how transients work, in a full-fledged example called "WPShout Cache Hard Math."

    How the Finished Product Works

    Our plugin is a demo of object caching: it tells the server to do millions of complex calculations, and then to cache the results for ten seconds. So every ten seconds, the site loads painfully slowly—but in the seconds between, it loads quickly! That's caching at work.

    (Note: since it intentionally hurts site performance for demo purposes, this isn't a plugin you'll want to deploy on your own sites, or on anyone's site that you'd like to stay on good terms with.)

    The result at six seconds past the minute. This page took around ten seconds to load!

    The same result, at twelve seconds past the minute. This page loaded quickly.

    The result at twenty seconds past the minute. This page loaded very slowly again.

    The Code

    We're about to show you a whole plugin file, in chunks. Each chunk comes immediately after the previous chunk, so if you copy-paste them all you'll have a working—but silly and not-to-be-deployed—plugin.

    This first section does a huge amount of calculations, and returns an array with two elements: the input value before the calculations, and the output value after them:

    <?php
    /*
    Plugin Name: WPShout Cache Hard Math
    */

    function wpshout_do_hard_math( $int ) {
        // $start is the starting integer
        $start = $int;

        // Insanely processing-intensive calculations
        $i = 0;
        while ( $i < 100000 ) {
            $int = pow( sqrt( sqrt( sqrt( sqrt( $int ) ) ) ), 16.0001 );
            $i++;
        }

        // Return our array: what we started with and what resulted
        return array( $start, $int );
    }

    This next section attempts to get the transient that is the result of the wpshout_do_hard_math() calculations. If it finds there's no transient, it will try to set the transient, then get it. It then returns either the transient, or false if getting the transient failed:

    function wpshout_get_hard_math_transient() {
        // Get the transient
        $result = get_transient( 'hard_math' );
        if ( false !== $result ) {
            // Transient exists, so return it
            return $result;
        }

        // Get array from doing "hard math" (on seconds elapsed in current minute)
        $mathed = wpshout_do_hard_math( date( 's' ) );

        // Attempt to set transient with array results; timeout is 10 seconds
        $bool_response = set_transient( 'hard_math', $mathed, 10 );
        if ( false === $bool_response ) {
            // Setting the transient didn't work, so return false for failure
            return false;
        }

        // Transient is now set, so get it and return it
        return get_transient( 'hard_math' );
    }

    This section attempts to retrieve the transient. If it succeeds, it hooks into the_content to print a string containing the transient's calculations at the top of the post's content:

    function wpshout_filter_content_with_hard_math_transient( $content ) {
        // Get the transient
        $result = wpshout_get_hard_math_transient();

        // If transient isn't an array, just return content unaltered
        if ( ! is_array( $result ) ) {
            return $content;
        }

        // Prepend string with transient data to content and return it
        return '<p>(<small>I did some terrifyingly inefficient math on the number ' .
            ltrim( $result[0], '0' ) .
            ', and the result was: ' .
            $result[1] .
            '</small>)</p>' .
            $content;
    }
    add_filter( 'the_content', 'wpshout_filter_content_with_hard_math_transient' );

    If you understood this example right away, you're really getting WordPress at a deep level! If not, don't worry too much about the specifics—just try to absorb the basic uses of get_transient() and set_transient() that this example exists to show off.

    A More Practical Example Use Case for Transients

    In case you're having trouble picturing how transients could benefit a site (rather than make it virtually unusable), we'll link to a very beautiful real-world example of caching a nav menu, which includes a use of delete_transient() to invalidate the cache when the nav menu changes: https://leaves-and-love.net/blog/transients-speed-up-wordpress-theme/.

    In general, in our experience, transients are a topic that comes up most often in plugin development, where the burden of making things fast is on you. So, for example, if you write a Twitter feed widget, transients are a great idea to make sure that the site isn't fetching from Twitter every single page load. If you're just using plugins, though, it's usually fine to go with the original developers' choices, and the need to create new transients doesn't come up especially often.
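    The remote-feed case mentioned above, as an added example that is not part of the original article: it caches titles fetched from a remote JSON endpoint, keeps failures for only a minute so a broken upstream is not hit on every page load, always stores an array so a cached value is never confused with the false that get_transient() returns on a miss, and escapes the cached text on output. The endpoint URL, the JSON shape (a list of objects with a "title" field), the shortcode name and all myprefix_ names are assumptions made for the example.

```php
<?php
// Hypothetical endpoint and transient name, used only in this example.
define( 'MYPREFIX_FEED_URL', 'https://api.example.com/feed.json' );
define( 'MYPREFIX_FEED_KEY', 'myprefix_feed_items' );

function myprefix_get_feed_items() {
    $cached = get_transient( MYPREFIX_FEED_KEY );
    if ( false !== $cached ) {
        // Cache hit. This may be an empty array left by a recent failed fetch.
        return $cached;
    }

    $items = array();
    $ttl   = MINUTE_IN_SECONDS; // Failures are cached briefly, then retried.

    $response = wp_remote_get( MYPREFIX_FEED_URL, array( 'timeout' => 5 ) );
    if ( ! is_wp_error( $response )
        && 200 === wp_remote_retrieve_response_code( $response ) ) {
        $decoded = json_decode( wp_remote_retrieve_body( $response ), true );
        if ( is_array( $decoded ) ) {
            // Keep only the fields we need, and treat them as untrusted text.
            foreach ( array_slice( $decoded, 0, 10 ) as $entry ) {
                if ( is_array( $entry )
                    && isset( $entry['title'] )
                    && is_string( $entry['title'] ) ) {
                    $items[] = sanitize_text_field( $entry['title'] );
                }
            }
            $ttl = HOUR_IN_SECONDS; // Good data is kept for an hour.
        }
    }

    // Always store an array, never false, so a stored value can be told
    // apart from a cache miss on the next call.
    set_transient( MYPREFIX_FEED_KEY, $items, $ttl );
    return $items;
}

// Shortcode callback: cached remote data is still escaped when printed.
function myprefix_render_feed() {
    $items = myprefix_get_feed_items();
    if ( empty( $items ) ) {
        return '';
    }
    $html = '<ul>';
    foreach ( $items as $title ) {
        $html .= '<li>' . esc_html( $title ) . '</li>';
    }
    return $html . '</ul>';
}
add_shortcode( 'myprefix_feed', 'myprefix_render_feed' );

// Manual invalidation, for when the cached copy is known to be stale.
function myprefix_flush_feed_cache() {
    delete_transient( MYPREFIX_FEED_KEY );
}
```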

    What We've Learned about WordPress Transients

    We've learned how and why to use transients in WordPress, and gotten deep into an example that shows them at work. We're a lot better-equipped to cache expensive operations in WordPress—and our sites will be faster for it. Onward!

    Image credit: anarchosyn

    Source: Understand Caching with Transients in WordPress

    Monday, November 27, 2017

    How to Create Redirects with WordPress

    Broken external links, outdated content, and 404 dead-ends are not conducive to a great user experience.

    Too many of them, and you can wave goodbye to your audience as they run away bravely. Who's going to stick around and check out a site that doesn't deliver? No one, that's who.

    So, you must fix these problems, right?

    How do you do it? Luckily, that's the easy part. You can use a function known as redirection to not only fix the issues above but to also make sure you're still getting all the benefits of that old content.

    Before we get into how to create a redirect, let's first take a closer look at:

  • what redirects are
  • types of redirects and how they can help you
  • when to redirect
  • when not to redirect.

    To make the most of redirects, you must know the right way to implement them and when to apply them.

    Otherwise, you run the risk of harming the user experience.

    Understanding Redirects

    In the simplest terms, a redirect is an instruction telling the server to send a visitor to a different page than the one they clicked on.

    Let's say you deleted a blog post entitled "5 New Windows Features" because it referred to Windows 7 and no one wants to know about Windows 7 anymore.

    However, the post and address have been indexed and they keep showing up in the search engine results pages.

    So, when someone clicks on the link, they see a 404 dead-end page. With a redirect, though, you can tell the server to send the visitor to a different page when they click on that link.

    The best option is a related article, like "5 New Features in Windows 10", which is probably what they were looking for in the first place.

    You benefit twice from this approach.

    First, you pass on the link juice of the original article to the newer article, which will help its rank increase.

    Secondly, you also pass along the traffic. In other words, instead of those visitors clicking the back button or closing the tab, they'll stick around because you offered them what they were looking for.

    The redirect approach not only ensures that the organic traffic driven to the original article isn't wasted, but also makes sure that traffic sticks around.

    Types of Redirects

    The most common types of redirects are:

  • 301 server redirects
  • 302 server redirects
  • Meta refresh browser redirects.

    We've included meta redirects because they are still in use. However, if you want to offer your visitors a wonderful experience, we recommend staying away from them.

    In fact, just pretend we never mentioned them.

    What's a 301 Redirect?

    The 301 redirect is the most commonly used and the one you'll be using in most cases.

    It's a permanent redirect, which tells browsers and web crawlers that the URL will always redirect to the new address.

    Forever and ever.

    When a search engine comes across a 301, it automatically replaces the original URL with the new one. It also passes on the link juice, so the new URL will show up in the same SERP position as the old one if the content is similar.

    What's a 302 Redirect?

    A 302 redirect is temporary. When a search engine or browser comes across one of these, they won't replace the original URL or pass the link juice onto the new one. This occurs because the code in the 302 redirect is telling the search engine that the redirect is temporary, and the situation will revert to normal in the future.

    An example of a situation when you'd use a temporary redirect is when you have a page with inaccurate information. Maybe you're getting a lot of negative feedback because of it.

    Instead of taking the page down completely, just use a 302 redirect to a related page until you get the information sorted.

    This way, you won't lose the link juice or traffic but will have time to fix the problem.

    What's a Meta Refresh Browser Redirect?

    A meta refresh redirect is the type of redirect where the browser shows the visitor a message saying, "you will be redirected in X seconds." That's why we never use them. They make for a horrible user experience.

    And that's all we're going to say about them.

    When to Use Redirects?

    Here are the situations when a redirect makes sense:

  • You've created updated content and want to redirect visitors from the old content to the latest content;
  • You've deleted outdated content and want to send visitors to the new content;
  • You've changed the permalink structure of your website and need to send the old URLs to the new ones;
  • You are updating an existing page and want to send people to another page while you do so.

    When You Shouldn't Use Redirects

    Every redirect will slow down your site.

    It won't necessarily be noticeable, if you only use redirects to point from old to new content, for example. However, if you start using redirects for every menu item, it will slow your site down to a crawl.

    So, a good rule of thumb is only to use redirects when there is absolutely no other choice, and the benefits outweigh the drawbacks.

    How to Create Redirects

    So, now let's look at how you can create redirects in WordPress. We'll be looking at how you can do it manually, using .htaccess or PHP, as well as automatically using plugins.

    How to Create a Redirect with Htaccess

    The first step is to create a backup of your .htaccess file. One wrong character and you might find your website no longer works at all. So, always create a backup to restore to a previous point if something does go wrong.

    If you are using an Apache server, you can create a 301 redirect in the .htaccess file with a simple line of code that includes the old address and the new address. It should look as follows:

    Redirect 301 /outdatedcontent.html http://www.yoursite.com/updatedcontent.html

    Similar code can be used to redirect whole folders. If you want to redirect your website, then use:

    Redirect 301 / http://www.yourupdatedsite.com/

    To check if you've done it right, just go to the page you want to redirect from, and you should be taken immediately to the new page.
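
    A pre-deployment check for Redirect lines like the ones above, as an added example that is not part of the original article: it parses mod_alias Redirect directives and flags malformed lines, redirect loops, multi-hop chains, rules sent as a temporary 302, and trailing-slash mismatches. The sample rules, the hosts in SITE_HOSTS and all function names are constructed for illustration; quoted arguments and RedirectMatch are not handled.

```python
from urllib.parse import urlsplit

STATUS_WORDS = {"permanent": 301, "temp": 302, "seeother": 303}
MAX_HOPS = 10
SITE_HOSTS = {"www.yoursite.com", "yoursite.com"}  # assumed hosts served by this file

SAMPLE = """\
# Constructed sample rules for www.yoursite.com
Redirect 301 /outdatedcontent.html http://www.yoursite.com/updatedcontent.html
Redirect 301 /updatedcontent.html /2017/updatedcontent.html
Redirect /old-shop /shop
Redirect 301 /shop http://www.yoursite.com/old-shop
Redirect 301 /typo.html
Redirect 301 /blog/ http://www.yourupdatedsite.com
"""


def parse_redirects(text):
    """Parse Redirect lines into (lineno, status, old_path, target) rules plus errors."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#") or parts[0].lower() != "redirect":
            continue
        args, status = parts[1:], 302  # mod_alias sends 302 when no status is given
        if len(args) == 3:
            word = args.pop(0).lower()
            if word in STATUS_WORDS:
                status = STATUS_WORDS[word]
            elif word.isdigit() and 300 <= int(word) <= 399:
                status = int(word)
            else:
                errors.append((lineno, f"unknown status {word!r}"))
                continue
        if len(args) != 2:
            errors.append((lineno, "expected: Redirect [status] /old-path target"))
            continue
        source, target = args
        if not source.startswith("/"):
            errors.append((lineno, f"old path {source!r} must start with '/'"))
        elif not (target.startswith("/") or urlsplit(target).scheme in ("http", "https")):
            errors.append((lineno, f"target {target!r} is not a path or http(s) URL"))
        else:
            rules.append((lineno, status, source, target))
    return rules, errors


def match(rules, path):
    """First rule whose old path is a whole-segment prefix of path, as mod_alias matches.

    Returns (rule, target_with_leftover_path_appended) or None.
    """
    for rule in rules:
        source = rule[2]
        if path == source or path.startswith(source.rstrip("/") + "/"):
            return rule, rule[3] + path[len(source):]
    return None


def follow(rules, path, site_hosts):
    """Follow redirects while they stay on this site; return (hops, looped)."""
    hops, seen = [path], {path}
    while len(hops) <= MAX_HOPS:
        hit = match(rules, hops[-1])
        if hit is None:
            return hops, False
        url = urlsplit(hit[1])
        if url.netloc and url.netloc.lower() not in site_hosts:
            return hops + [hit[1]], False  # leaves the site: nothing more to follow
        nxt = url.path or "/"
        if nxt in seen:
            return hops + [nxt], True
        hops.append(nxt)
        seen.add(nxt)
    return hops, True


def lint(text, site_hosts):
    """Return sorted (lineno, kind, detail) findings for a block of .htaccess text."""
    rules, errors = parse_redirects(text)
    findings = [(n, "error", msg) for n, msg in errors]
    for lineno, status, source, target in rules:
        hops, looped = follow(rules, source, site_hosts)
        if looped:
            findings.append((lineno, "loop", " -> ".join(hops)))
        elif len(hops) > 2:
            findings.append((lineno, "chain", " -> ".join(hops)))
        if status == 302:
            findings.append((lineno, "temporary", "sent as 302, not a permanent 301"))
        if source.endswith("/") != target.endswith("/"):
            findings.append((lineno, "slash", "leftover path is glued onto the target; "
                             "end both old path and target with '/' or neither"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, kind, detail in lint(SAMPLE, SITE_HOSTS):
        print(f"line {lineno}: {kind}: {detail}")
```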

    How to Create a Redirect with PHP

    Since WordPress uses PHP, most of the scripts you integrate with this CMS will be PHP as well. Therefore you should use PHP if you want to create a redirect from a PHP page that is not part of your WordPress installation.

    To create a redirect, include the code below in the header:

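    <?php
    // Send the permanent-redirect status line, then the new location.
    header( "HTTP/1.1 301 Moved Permanently" );
    header( "Location: http://www.yournewwebsite.com" );
    exit; // Stop here so the rest of the page does not run after the redirect.
    ?>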

    The code must be at the top of the page for it to work properly. You must also include the 301 Moved Permanently line because that's what tells the search engines that it is a 301 redirect.

    How to Create a Redirect Using Plugins

    You can certainly use the manual approaches to create redirects.

    But why would you when you can use a plugin?

    There are quite a few great free plugins that will allow you to create redirects with absolutely no hassle. And without worrying about making a mistake that could break your site.

    Redirection

    Redirection is one of the most popular plugins of its type in the WordPress Plugin Directory as shown by the over half a million active installs it boasts. It also has a rating of 4.2 stars out of a total of 5 based on reviews from more than 300 users.

    When you activate Redirection, you will see a new settings page has been added to your dashboard. You can access it via Tools > Redirection.

    To create a redirect, create a new group in the Groups tab. You'll be able to choose from WordPress, Apache, and NGINX redirects.

    If you're not sure which to choose, just go with WordPress.

    Go back to the Redirects tab and go to the Add new redirection form, where you can set up the rules. Note that this plugin only creates 301 redirects.

    Other useful features include:

  • The ability to download redirects in various formats
  • A log of redirects
  • A log of how many 404 pages have been served up
  • The ability to import rules in .htaccess or CSV formats.

    Redirection is a great plugin for anyone who needs to create redirects without the hassle involved in doing it manually.

    It's also the best choice if you want to keep a record of all the redirects and how many times people have landed on 404 pages.

    Simple 301 Redirects

    This is the second most popular redirect plugin because it delivers. Over 200,000 sites use the plugin, and nearly 120 users have given it a 4.3-star rating.

    These high figures show that the plugin works well. It makes creating redirects simple.

    It's a simple plugin, and when activated, you will find a new screen in your admin dashboard. You can get to it via Settings > 301 Redirects.

    The new page has a form, where you will create manual redirect rules. You will have to do them one by one. To make life easier, you can download the plugin add-on so that you can import your rules in CSV.

    Simple 301 Redirects is an excellent choice for anyone looking for a light-weight plugin that doesn't come with a ton of bells and whistles to get lost in.

    Eggplant 301 Redirects

    Eggplant 301 Redirects isn't quite as popular as the previous two. In fact, not a lot of people seem to know about it considering only 40,000 sites use it. It does have great reviews, though. Over 30 people have rated it 4.3 stars.

    This plugin is excellent, though.

    When you install it, a new page will be added to the dashboard. Access it via Settings > EPS Redirects.

    The page has three tabs as follows:

  • Redirects – a form to manually enter your rules;
  • 404 – this tab doesn't work for the free version of the plugin. Upgrade to the premium version for a log of 404 hits;
  • Import/Export – in this tab, you can import a list of redirect rules in CSV format, or you can export your existing list. You can also download a sample CSV file to help you figure out how to set up your file.

    While the two previous plugins have similar features, Eggplant does offer two unique options.

    First, you can create 302 redirects and not just 301 redirects, which is something neither Redirection nor Simple 301 Redirects offers.

    Second, the form where you create redirect rules has a menu to help you out and ensure you avoid any mistakes when entering the destination URL. This way you can be sure you won't be sending your visitors to a 404 page.

    Eggplant 301 Redirects is an excellent choice for websites that need to use 302 redirects and not just 301s. It's also a good choice if you want to make sure you don't make any mistakes when typing out the new URLs, which would send your visitors to a 404 page.

    Auto Refresh Single Page

    Though not a redirection plugin, we included it because it allows you to refresh pages with live feeds using a more elegant approach than a meta refresh.

    When you activate the plugin, you will find a meta box has been added to your page editor. Enter a number in the box, which stands for the number of seconds between page refreshes.

    Redirects are a powerful tool, both for SEO purposes and to improve the user experience. To ensure you offer the best experience while taking full advantage of SEO, you need to understand redirects and how they work.

    Hopefully, now you have a better understanding of when and where to use redirects to make the most of them. Just remember to weigh the benefits against the drawbacks if you aren't sure whether a redirect is right or not.


    Source: How to Create Redirects with WordPress

    Sunday, November 26, 2017

    Domain keeps routing to wordpress.com website instead of wordpress.org.

    When I visit your website https://zoptiks.com/, it seems to load right. It does not redirect me to your WordPress.com site zoptiks.WordPress.com.

    Your site https://zoptiks.com/ is a self-hosted WordPress (WordPress.org) site and it seems to be working fine.

    It's probably your devices' cache that's messing things up when you visit your website. I suggest that you clear your browsers' cache and things should be fine. Alternatively, you can consider visiting your website using the private mode to see that your website is working fine.

    As for deleting a WordPress.com site, you can use this detailed guide. https://en.support.wordpress.com/delete-site/

    I hope this helps. Feel free to get back if you have questions and I will be keen on helping you through it!


    Source: Domain keeps routing to wordpress.com website instead of wordpress.org.

    Saturday, November 25, 2017

    wordpress SEO help

    as the site you're referring flexistamps.com is not hosted on WordPress.com

    Thanks for flagging this up, tarunvijwani!

    As much as I appreciate you flagging up my error, I would like to call out the fact that SEO guides mentioned for WordPress.com will be of help for self-hosted WordPress (WordPress.org) sites too. The portal that enables blogging on a WordPress.com site might be different, but SEO guidelines laid by WordPress.com for WordPress.com sites will work for self-hosted WordPress (WordPress.org) sites too.

    It's only in the billing, management and feature-availability where self-hosted WordPress (WordPress.org) sites differ from WordPress.com sites.


    Source: wordpress SEO help

    Friday, November 24, 2017

    UNLOQ Two Factor Authentication WordPress Plugin

    UNLOQ two factor authentication through push notifications

    A website's login page is like the door to your house: you don't think it will actually be cracked, so you go with the average protection. That is, until one day you regret your decision. You can add more locks on your doors, and you can also add more verification layers to your authentication, hence two factor authentication, or 2FA.

    WordPress is the most popular publishing platform, being used by bloggers, small and large businesses alike. Its popularity is partially given by its flexibility, allowing the use of third-party plugins and themes which provide infinite website possibilities. All is great up to this point, but this enormous flexibility also brings along huge vulnerabilities.

    As I was mentioning the login page, that is the first gate to hacking a website. The traditional way of doing it is through passwords, but they have proven to be extremely weak and defenceless in the face of brute-force attacks, keylogging and phishing.

    Password reuse is an "internal" vulnerability, as users tend to recycle passwords and use them for more than one online account (if you're curious to see if your password was hacked, you can check haveibeenpwned.com).

    Taking all these vulnerabilities into account, passwords are no longer recommended for safeguarding accounts and data, being replaced by two factor authentication (2FA) or multi-factor authentication (MFA).

    These authentication mechanisms add a second or more layers of security, requiring the person attempting to login to confirm his identity with more than just a simple password.

    Two factor authentication adoption by the general public is relatively slow, mostly caused by the perception that it takes more time and is difficult to use. This is why a smooth user experience is so important in eliminating reluctance to new technologies, and helping users see the global advantage of a more secure authentication mechanism.

    Two factor authentication for WordPress

    With user convenience in mind, the guys at UNLOQ have created an updated, more user-friendly version of their WordPress plugin. Version 2.x of the two factor authentication plugin brings new security features, along with full login page customisation options, in a natural user experience. The greatest advantages that the plugin brings are:

  • Fast and easy to install.
  • Flexibility in setting an authentication mechanism, as login can be performed exclusively through their widget, use it as a second factor, or if it is the case, using passwords.
  • The ability to disable the default WordPress login URL altogether, or use 2 different login paths: one using the plugin, and the other one using the WP classical login page using username & password.
  • Full login page customisation, allowing you to set your brand's colours and images and making other page customisation plugins obsolete.

    How to add the UNLOQ 2FA plugin to WordPress

    The version 2.x of the two factor authentication plugin is a major upgrade from the previous one, 1.x, allowing anybody to install and set it up in under 1 minute. In addition to this, everything is done from within the plugin, without requiring users to leave the WordPress dashboard to create an account and configure it.

    Installing and setting up the plugin

    Installation requires you to be the admin of that WP website, and be logged in as such. After searching for the plugin in the database, installing and activating it, you will be asked to insert your e-mail address. Keep in mind that you need to insert your admin e-mail address in order for the installation to be successful.

    After inserting your admin e-mail address, you'll receive an activation code via e-mail, which you will need to copy and paste at the next step.

    That's pretty much it. Installation is extremely simple for this plugin.

    Authentication settings

    To set up the two factor authentication (2FA) flow, you need to go to the Settings tab. You can also set custom messages for the push notification and login request:

    A cool feature is that you can disable the default WordPress authentication URL (wp-admin), as it is insecure and doesn't do anyone a favour. I'll just keep the UNLOQ login URL (which can also be customised).

    I'm going with 2fa all the way and just leave the plugin to handle the whole login mechanism. I have selected all the 3 options that the plugin has: push notifications, TOTP and email:

    Customisation

    In the customise tab of the plugin, you can change the colours for the login widget, push notification buttons as well as the application colours. Also, you can upload custom logos and background images that will be displayed on the login page and in the mobile app:

    I tested to see how it works with a custom background, so this is how it would look like:

    Logging in with two factor authentication

    In order to use the 2FA plugin you need to download the authentication mobile app, which you can protect with a PIN, PIN or Fingerprint or PIN and Fingerprint. Basically, before you can approve or deny a login request, you need to "login" in the app first:

    For my site I have chosen to login with push notifications, so to login I need to Confirm the request I get on my phone:

    It is not very often that a security plugin for WordPress makes users' experience easier, and this 2FA plugin has achieved that through all its security, customisation and usability features. This plugin combines into one the features that otherwise would require the installation of at least 3 different plugins. It is definitely worth testing by anyone looking to secure their or their client's WP site.

    The plugin is a keeper, and the team at UNLOQ have done a good job in upgrading their WordPress plugin. There's also a detailed documentation of the plugin available here.

    About Elena Leu

    Elena is a digital marketer for UNLOQ.io. She has been working in online marketing since 2013, focusing on developing brand awareness, blogging and growth hacking, with a soft spot for analytics.


    Source: UNLOQ Two Factor Authentication WordPress Plugin

    How to Easily Auto Update #WordPress, Themes, and Plugins

    Wouldn't you agree that one of the greatest annoyances about working in WordPress is that little nag at the top of the admin dashboard that screams, "Update me!"? I mean, it's not like you aren't aware that there are updates that need to be ...
    Source: How to Easily Auto Update #WordPress, Themes, and Plugins

    Thursday, November 23, 2017

    Securing WordPress with WPScan

    WordPress is the world's favorite content management system used to power millions of websites, ecommerce stores, blogs, and web applications.

    Its ease of use and ability to launch beautiful websites with minimal effort has made WordPress a standard in modern web design, powering nearly 30 percent of the internet. But because of its popularity, WordPress has also become a common target for hackers.

    Securing and understanding the flaws of a WordPress website is a task often overlooked by website owners. However, with a handy tool called WPScan, entrepreneurs and web developers can easily evaluate their installation's security and keep their prized website safer.

    What is WPScan?

    WPScan is a black box vulnerability scanner. Written in the Ruby programming language, WPScan helps detect problems with security configurations, themes, plugins, and user permissions. WPScan comes pre-installed on Kali, Pentoo, and Samurai WTF, but the application can easily be installed on other Linux distributions such as Ubuntu, Fedora, and Debian. The screenshots for this article were taken on a personal computer running Ubuntu 16.04.

    Before we start looking at examples, I thought we should get a better understanding of the benefits and features of WPScan.

    Creating a modern WordPress website, in most cases, involves trying out a few themes and installing a series of plugins to enhance your website's functionality. Once you get the hang of it, it becomes second nature and you will often find yourself with more themes and plugins than you need. However, uploading all that software can leave your website vulnerable, especially when updates are ignored, and when the software does not come from reliable sources to begin with.

    When WPScan performs a scan, the application will make a list of all your themes and plugins, evaluate their version number and then check if there are any known vulnerabilities present.

    Beyond providing crucial information about your WordPress version, themes, and plugins, WPScan can also compile a list of users, which we can then test to see if anyone is using a weak password. And the beauty of the application is that this information can also be acquired remotely, without having administrator access!

    Setup

    Instructions on setting up WPScan can be found on the website's homepage. If you have Ubuntu installed (like me), you can run these commands.

    First, we'll want to install Git. Git is a tool that allows easy access for installation and updates to a code repository.

    Then a few prerequisites.

    sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev

    Now use git to clone the main branch of the WPScan code. This will create a folder on your system with the code.

    git clone https://github.com/wpscanteam/wpscan.git
    cd wpscan
    sudo gem install bundler && bundle install --without test development

    Then launch it with ruby.

    Working with WPScan

    To run a simple scan, use the following command:

    ruby wpscan.rb --url www.example.com

    You will also want to consider using an HTTP proxy, so that your hosting provider does not flag your IP as suspicious.

    ruby wpscan.rb --url www.example.com --proxy <[protocol://]host:port>

    If your scan is being blocked, you can use the application's built-in random user-agent feature:

    ruby wpscan.rb --url www.example.com -r

    Running a basic scan will reveal plenty of useful information about the installation. Vulnerabilities are highlighted in red.

    Now you can start digging a little deeper by enumerating users, themes and plugins.

    User Enumeration

    The idea is to collect a list of valid usernames. Once we have a list of usernames, we can test to see if any of our users is using a weak password.

    WPScan iterates through user ids by appending them to your site's URL.

    For example, requesting www.yourwebsite.com/?author=1, then 2, 3, and so on in the URL, will reveal each user's login id.

    ruby wpscan.rb --url www.example.com --enumerate u

    By default, this will look for ids 1 to 10. To check more ids, you will want to pass a range to the option, for example: u[10-20].

    Now that we have compiled our list of usernames we can test to see if any of our users are using weak passwords by running a brute force test:

    ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin --threads 50

    In other words, this targets the website www.example.com, tests whether admin's password is in our darkc0de list, and limits our connection to 50 threads.
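    Both steps above leave a recognisable trail in the web server's access log: one client requesting several different ?author= ids, then sending a burst of POSTs to /wp-login.php. The following detection sketch is an added example, not part of the original article or of WPScan; the log lines are constructed, and the thresholds and the five-minute window are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in combined-log style; the IPs are documentation addresses.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [23/Nov/2017:10:00:{i:02d} +0000] "GET /?author={i} HTTP/1.1" 301 -'
     for i in range(1, 6)]
    + [f'203.0.113.7 - - [23/Nov/2017:10:01:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3120'
       for i in range(8)]
    + ['198.51.100.4 - - [23/Nov/2017:10:02:00 +0000] "GET /?author=1 HTTP/1.1" 301 -',
       '198.51.100.4 - - [23/Nov/2017:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 -']
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

def peak(hits, window):
    """Largest number of distinct values seen inside any span of `window`."""
    return max((len({v for t, v in hits if t0 <= t <= t0 + window})
                for t0, _ in hits), default=0)

def detect(log_text, window=timedelta(minutes=5), min_ids=3, min_logins=5):
    """Return {ip: set of findings} for author-id sweeps and login bursts."""
    authors, logins = defaultdict(list), defaultdict(list)
    for n, line in enumerate(log_text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, method, path = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        author = AUTHOR_RE.search(path)
        if method == "GET" and author:
            authors[ip].append((ts, int(author.group(1))))
        elif method == "POST" and path.split("?")[0] == "/wp-login.php":
            logins[ip].append((ts, n))  # line number keeps every attempt distinct
    findings = defaultdict(set)
    for ip, hits in authors.items():
        if peak(hits, window) >= min_ids:
            findings[ip].add("author-enumeration")
    for ip, hits in logins.items():
        if peak(hits, window) >= min_logins:
            findings[ip].add("login-bruteforce")
    return dict(findings)

if __name__ == "__main__":
    for ip, found in detect(SAMPLE_LOG).items():
        print(ip, sorted(found))
```

    A single visitor opening one author archive or logging in once, like the second address in the sample, stays below both thresholds.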

    Plugin Enumeration

    Most WordPress websites have plenty of plugins installed. In many cases, more than needed. If you want to find which plugins are running on the site, use the following command:

    ruby wpscan.rb --url www.example.com --enumerate p

    WPScan maintains a huge database containing many of the known vulnerable plugins and their version numbers. To find the vulnerable plugins, you can run the following command:

    ruby wpscan.rb --url www.example.com --enumerate vp

    If WPScan is not able to determine the plugin version, it will list all the past vulnerabilities and when they were fixed.
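    The matching step described here (compare each detected version with the release that fixed a vulnerability, and fall back to listing everything when the version is unknown) can be applied to your own plugin inventory. This is an added example, not WPScan's code; the plugin slugs and advisory records are constructed, and the function names are hypothetical.

```python
import re

# Constructed advisory records for hypothetical plugins (not real WPScan data).
ADVISORIES = {
    "example-gallery": [
        {"title": "Stored XSS in captions", "fixed_in": "2.4.1"},
        {"title": "Unauthenticated file upload", "fixed_in": "2.10"},
    ],
    "example-forms": [
        {"title": "SQL injection in export", "fixed_in": "1.0.3"},
    ],
}


def version_key(version):
    """Turn '2.10' into (2, 10) so that 2.9 sorts before 2.10."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def older_than(installed, fixed_in):
    """True if `installed` predates `fixed_in`; pads so 2.4 equals 2.4.0."""
    a, b = version_key(installed), version_key(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def audit(inventory):
    """inventory maps slug -> detected version, or None when undetected."""
    report = []
    for slug, installed in sorted(inventory.items()):
        for adv in ADVISORIES.get(slug, []):
            if installed is None:
                status = "version unknown"  # list every past issue for review
            elif older_than(installed, adv["fixed_in"]):
                status = "vulnerable"
            else:
                continue  # installed release already contains the fix
            report.append((slug, status, adv["title"], adv["fixed_in"]))
    return report


if __name__ == "__main__":
    for row in audit({"example-gallery": "2.9", "example-forms": None}):
        print(row)
```

    Comparing versions as plain strings would rank 2.10 below 2.9 and miss the second advisory, which is why the versions are parsed into integer tuples first.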

    Theme Enumeration

    A WordPress website comes with many default themes and often webmasters like to experiment with their website's design by installing a few more themes from trusted and untrusted sources. Like the plugin command, we can compile a list of themes like this:

    ruby wpscan.rb --url www.example.com --enumerate t

    Likewise, for vulnerable themes:

    ruby wpscan.rb --url www.example.com --enumerate vt

    Basic Countermeasures

    As you can see, WPScan is a great tool to evaluate the overall security of your WordPress installation and patch security weaknesses before they are exploited by a hacker.

    Moving forward, to keep your WordPress website safe, you should try to:

  • Stay up to date.
  • Keep your themes and plugins up to date.
  • Delete unnecessary themes and plugins (especially if they have not been updated in a while).
  • Delete the default admin user.
  • Naturally, use strong passwords.
  • Configure a security plugin to limit login attempts and thwart malicious requests.
  • Host with a reliable company!

    On a positive note, the overwhelming majority of attacks on sites are made by automated bots. So, in many cases, it's not a person who enters your site and spends many hours trying to break it, but rather software that is surfing the net looking for vulnerable websites. So if your website is carefully set up and well configured, you should have no problem!

    William Hagerty

    William is a WordPress mechanic at Fix my site, where he spends most of his time fixing bugs and repairing hacked websites. When he is not working behind his computer screen, you can find him tending to his olive trees, listening to progressive classic rock or working out.


    Source: Securing WordPress with WPScan