10 Things I am Pretty Sure I am sure about WordPress

 

 

The title for this is inspired by Alton Brown who gives a talk called “10 Things I am pretty sure I am sure about Food”. It changes over time as he swaps out different elements but is very funny all the same.

See my Links page for links to all plugins mentioned in this article.

1. What the heck is WordPress?

WordPress is a web-based content management system. There are four things it has to have to live. First, an OS, the operating system. This can be Linux, Windows, or Mac OS. There are probably others but those are the top three. It has to have a web server; usually it is Apache but lately more and more providers are using Nginx. It needs to have a database; in 99% of the installs this is MySQL, an open source database platform. And lastly, and this is non-negotiable, it has to have a programming language called PHP. Now you don’t really have to know much about any of that if you are using a hosting provider and they say they support WordPress. WordPress powers 21+% of the Internet’s websites. According to managewp.com, 74.6 million websites depend on WordPress. Some of the biggest websites in the world run on WordPress: NBC Sports, TED, TechCrunch, CNN, CBS, Time, The New York Times, Dow Jones, UPS, just to name a few. Okay, so some of you are probably stuck at the first sentence about WordPress: content management system. You give it content, a blog post, a picture, a video, whatever, and WordPress makes it easy to publish.

2. WordPress is very easy to get started with.

WordPress has the famous five minute install. And if your hosting provider has Scriptalicious or other automation scripts, it could happen in three.

The issue with easy is that often you are given choices and lulled into a false sense of accomplishment because, hey, this is a wizard. I can’t pick a wrong answer, right? Also it is very customizable in that you can use themes to give it a certain look and you can use what are called plugins to give your WordPress functionality it either doesn’t have or that needs to be improved.

3. Every Picture tells a story.

Blogging is a visual art. WordPress makes it super easy to post pictures to your site. And pictures are often what draws people to read your content. Here are some easy ways to find “free” pictures for your site. Go to images.google.com in your browser, type in what you are searching for, and then change a search setting. Select “Search tools” and then select “Labeled for reuse with modification”. This means whoever posted the image said it was okay to download it and modify it for any purpose you want, including commercial use. If you are blogging for fun and not for profit, you can choose “Labeled for noncommercial reuse with modification”. Granted, this will mean there aren’t a lot of images, as not everyone designates a license. Additionally, this isn’t foolproof, but it does mean you tried in good faith to use an image no one would mind. Hubspot.com gives away a lot of great free advice on blogging and social media, and it also gives away a fair amount of free stock images. You can also get images from flickr.com that are licensed under Creative Commons, but you must read each image’s licensing. Some give their pictures away but want a blurb about where they came from. Respect other people’s content and usually they will respect yours. Put dashes in your photo names so Google can use the image information to improve indexing of your site. Also, use Alt Text on every picture. This is good for those who can’t see well or at all and for search engines.

Google Image Search by license type

4. I have a need for speed.

Google doesn’t like slow sites and neither do readers on the Internet. Here are some quick tips on how to speed up your WordPress Site.

Squish your pictures. Most of the time we seem to post the largest picture in the world into our page. Sure everyone has fast Internet (or actually they don’t.) According to a Pew Study in August 2013, only 70% of America has access to broadband Internet. So assume someone is still looking at your site using a 56k modem.

Two plugins I have used are “WP Smush It”, which uses Yahoo’s image shrinker but doesn’t work with images over 2 Meg, and “EWWW Image Optimizer”. Both are free and work great.

Next, turn on gzip compression on your site. You can’t do this inside WordPress; instead this is done in cPanel on your hosting provider’s site. The backend web server your hosting provider is using is probably Apache or Nginx. Inside cPanel, there should be a place that says “Optimize Website”; go there and turn on compression. Basically your web browser supports compressed web pages. The web server can send the pages to you compressed and your browser will decompress them on the fly. Smaller files, faster content delivery.
Optimize Website

There are more plugins that optimize your site by compressing JavaScript and CSS (Cascading Style Sheets) ahead of time for you by basically removing the white space from inside the file. I use the plugin Autoptimize. The process of getting rid of the white space in the file is called minifying. It minifies and compresses your JavaScript and CSS files.

Additionally you need a caching plugin of some type. WP Super Cache is one. There are many but that one gets a lot of buzz. Since WordPress pages are usually dynamic, it takes your dynamic page and turns it into a static page. This means the PHP engine on your web server, which normally creates the page on the fly and then sends it, doesn’t have to do the rendering part. So pages are faster as the static pages are loaded into the memory of your hosting provider’s web servers. RAM is always faster than reading from a hard drive. If you have a page that really is dynamic, you can remove that page from caching so that it is rendered and then delivered. I will talk about another plugin that does caching in a minute. You can only run one caching plugin or bad things happen.

There are more ways to speed up your site but those are good starts.

Also test your site using Google Page Speed or Pingdom.com.

5. How to make search engines love you aka My Grandma uses the MSN search box

With rare exception, if Google doesn’t know about you, you don’t exist. In case you didn’t know it, all the cool kids run Chrome as their web browser of choice. But my Grandma’s computer came with Internet Explorer and it is the only browser she knows. And when she brings up IE, it brings up the MSN page by default. And as soon as the page loads it changes focus to the search box. How many of you have seen people type in the web address into the MSN search box aka Bing and then click on the first link on the search results page? And this is how they go everywhere. Also Grandma is running IE8 but that is another problem for another day. She is patient but I don’t look forward to explaining Chrome is also a browser to her.

MSN IE Search Box

 

So I worked on a site for an organization. Their hosting provider was super expensive and so when I took over I asked if I could move the hosting and move to WordPress. The last thing I said was it would be cheaper and easier to manage. And of course, they said yes. So I moved it. But how I surf the Internet is not how all people search the Internet. So I started getting complaints that some of the group could not find their site. They said they were going to another site with a similar name. So I called one of them up and they told me how they got to our site. MSN. So we were not the top hit on MSN. So I went into action. This meant I needed to do two things: 1) Put the site on MSN’s web crawler and 2) Put it on Google’s. While Google does 80% of search in the world, it is not the search engine of MSN; Bing is. Google and Bing both have webmaster tools. And both like sitemaps. A sitemap is an XML (extensible markup language) representation of the structure and layout of your site. So I use a plugin (that nags to get you to buy their pro version but the free one is fine) called “Google Sitemap”. This creates the XML file for you.

Here is a snippet of what mine looks like:

My Google Site Map

Or click this link to see the sitemap of this site. It changes as I add new content to the site.

In order to access Google webmaster tools, you have to have a Gmail account. Sorry, no way around it. Go to https://www.google.com/webmasters/tools. That is where you go to register your site. It will make you download a file that you have to upload to the root of your website that Google will go and find to be sure you own the site. Because you put their special file in the right place, you must own the site, right? You can learn so much about your site after it has been online a bit. Google knows how many people search for and view your page. It actually knows how long people spend on your page as well. For Bing, you have to have an Outlook or Hotmail account. Go to http://www.bing.com/toolbox/webmaster, log in with your Microsoft account, and it is basically the same deal as Google: sitemap, upload special file. Dot Dot Dot. Google will tell you if your site has malware on it or if you have pages erroring out. All free stuff.

Google Webmaster Tools

 

Anyway, after I did that, the organization’s site was the first hit if they typed in the right keywords. Making sure your pages have good descriptive meta data is important too but I have more to cover. I told you about “Google Sitemap”. Also “Verify Bing Webmaster Tools” is another good plugin to have.

6. Locking the front door is a waste if you don’t lock the back door too.

When you set up your WordPress site, do not use the username admin. That used to be the default and well, hackers figured that out. I get two or three emails a day from my firewall telling me people are trying to log in with admin as the user. Good luck because it isn’t that. Don’t name your database the default names suggested by the WordPress install either. Sure, this is “Security through Obscurity”, which essentially means because you didn’t make it easy, most hackers will move along. I go into great detail about how I handle my security here.

7.  Always Backup before you go Forward

Before you allow that plugin to update or allow the latest version of WordPress to install, you must backup. I go into great detail about backups here.

8. When Themes and Plugins Go Rogue

Sometimes bad things happen to good themes or plugins. Sometimes things get a little technical. To fix, sftp to your site and rename the theme or plugin. Go to this page to read about accessing your site via sftp using Filezilla. Sure the page is really about backups.

Your themes and plugins are located under your site folder under wp-content. Once you get into the directory, you should be able to rename the last plugin or theme you installed. Look at the “Last modified” date for clues as to when you installed your last plugin or theme. Once you rename the rogue item, your WordPress site will disable it and revert to default since it isn’t where it remembers it being.

themes plugins directory

9. Feed the Content Monster

The SearchEngineLand website says 97% of blogs fail in the first year. Their owners just stop posting to them and they are zombies on the Internet until the hosting provider bulldozes them over when the last payment check clears. One piece of advice that many swear by and I am going to start following is, create a content calendar. Hubspot has an Excel spreadsheet they offer for free to help with planning. And WP Scheduled Posts is a good free plugin to use to allow you to schedule when posts will well, post. If you have a great day and write two or three blog posts, you won’t want to post them all at once as people will usually read the newest stuff. They may not scroll down to post number three. So schedule your posts (unless they are time sensitive) so they are paced out.

Your Fans will appreciate if you post on a consistent basis and perhaps at a regular interval say, twice a week. It is too much of a grind to create awesome content people want to read seven days a week. Not happening. But if you follow a pattern, people will notice and they will visit your site frequently to read what’s new.

10. Sharing is Caring

You know the best way to build a following for your website? Sharing on social media. So first up, you need to work to build a following using either Twitter, Facebook, Google+, or Pinterest. Now if you are familiar with Pinterest, you may be saying, what? Well, you can post links on Pinterest and it will put the top most picture in your blog and list it on Pinterest. If people click on the picture, it takes them to your blog. I would never have thought of this but Social Media Guru Peg Fitzsimmons, co-author with Guy Kawasaki, of the book The Art of Social Media: Power Tips for Power Users swears by it. She says she has gotten a lot of traction and new followers this way.

Anyway, there are several plugins that, as soon as you publish a post, post a link to Twitter or Facebook for you. “WP to Twitter” is a plugin I have used. Basically you give it access to your Twitter account, choose your favorite URL shortener, Bitly, Tiny.url or whatever, and it will post a link to your new content to Twitter. For Facebook, the WordPress Jetpack has an option to allow it to post to your Facebook page to let people know you have new content. It is a little technical to set up so not quite as easy as the Twitter one. Now the second thing you have to do is make it so your content is super easy to share. Using a plugin like “WP Social Share” or the free version of “Cresta Social Share Counter” are a couple of ways you can put share buttons for most social networks to make it easy for others to share your content. Every plugin I have told you about up until now has been free.

But recently I paid money for a plugin because some people I follow who I have come to respect created a plugin to allow easy sharing. This plugin is called Social Warfare. I am ramping up to get really serious about writing and social media next year and I felt I needed something to make my site very easy to share from. The “Social Warfare” plugin makes it so easy for visitors to share my content and I love the sharing counters which show others how much it was shared. Strangely, the more something is shared, the more people want to share it. I have stock in this product. I bought it like everyone else who uses it. And I have noticed others whose sites I follow use it. When I accidentally posted something popular once, I was able to see how many times people shared it using my plugin’s links.

 

Here is a links page to every plugin I mentioned.

Links January 2015 Edition

 

 

My WordPress Security Essentials

WordPress Security

If you have run a WordPress site a bit, you may (or maybe you haven’t) noticed that sometimes it feels like your site is a target. If you don’t view your logs, you may not even know. But once you start watching a little closer you will find just like every other site on the Internet people, bots, and zombies like to come and rattle our door knobs to make sure your doors are locked. And if they aren’t, they will just walk on in and if they are, some will try every key on their key ring to make sure your doors really are locked.

Having hosted many a WordPress site mostly for fun and rarely for profit, I have used a lot of free or nearly free tools to protect my sites. It is only in the last two years I have started to pay more money to be sure my sites were not easily compromised. So here are some suggestions on some good ways to protect your site.

1. Backup and Backup often.

Assume your site will be compromised. If your website were to magically disappear today with all of your content, what would you do to get it back? Re-setting up WordPress is easy. Remember the “famous five minute” install? But your content is irreplaceable. Backup and backup often. If you are self hosted most providers offer ways to backup your site and your database. Remember, you have to backup both pieces if you want to be able to restore everything about your site to original condition. Look for another post that goes into great details about backups and backup options.

2. Don’t make it easy for bots and zombies to log into your site.

Everybody probably hates reCAPTCHAs but they do make it harder for automated attacks to get into your website. One plugin I use is “Are you robot google recaptcha for wordpress“. That is the name of it. There are others but this one works well. Google recently simplified the whole reCAPTCHA process with this. This is what your login will look like after you add it. You will need to have a Google Gmail account so you can log into their API (Application Programming Interface) and get developer keys to run this. This is free and so is the plugin.

Are You A Robot Login

3. Update Update Update

Sure, it is a challenge. You can’t always be sure if you update your WordPress version to the latest your plugins or customization will still work. But if you installed WordPress 4.0, there was a major security flaw found and they quickly released 4.1. Meanwhile hackers discovered the flaw and began writing stuff to exploit it. The same is true with plugins. Sometimes well meaning plugins have major flaws. If you follow security bulletins offered by some security sites, you can almost keep up. But it is important to update and it is of course important to test after the update to be sure your site still works.

4. Two Factor Authentication

If you aren’t using Two Factor Authentication on every possible website you can, then you should be. It is super easy to add TFA to your WP site. First go and download the plugin “Google Authenticator” from WordPress.org. Second before you install it, go and download the Google Authenticator app for your mobile device (either Apple or Android). Before you activate this, you will want to be able to scan a QR code from your mobile device so that adding it to your phone (after you install the app) is easy. Secondly, once you enable this, it is kind of like locking one set of doors before the real set. You will have to know your Google Authentication code and your password to log in from now on once you enable it.

Note: To disable this in the event you somehow lock yourself out of your site, you can temporarily move or rename the Google Authenticator plugin out from under the plugins directory.

By default it does not enable itself on all accounts on your site. So you have to visit each account and enable it. Here are what the settings look like for each user.

Google Authenticator Settings

And after you enable it, your login screen looks like this. So when you login, go to the Google Authenticator app on your phone and get the current code to log on.

Google Authenticator Login

 

For security reasons I can’t show you my authenticator screen but here is what the screen looks like except there will be an entry for your WordPress site on your phone.

 

Google Authenticator Screenshot
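To show what the phone app and the site are both computing, here is an added example (not the plugin's code and not from the original post) of the time-based one-time password algorithm, RFC 6238, that Google Authenticator uses. The function names are assumptions made for the illustration, and the sample secret is the public RFC test key, never a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds each code is valid for (the Google Authenticator default)
DIGITS = 6    # length of the code shown in the app


def totp(secret_b32, at=None):
    """Return the RFC 6238 code for a base32 shared secret at Unix time `at`."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = int((time.time() if at is None else at) // STEP)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation, RFC 4226
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, at=None, window=1, last_used=None):
    """Check a submitted code, tolerating `window` steps of clock drift.

    Returns the time-step counter that matched, or None. Store the returned
    counter and pass it back as `last_used` so a code seen once (for example
    by someone looking over your shoulder) cannot be replayed.
    """
    if not (submitted.isascii() and submitted.isdigit()
            and len(submitted) == DIGITS):
        return None
    current = int((time.time() if at is None else at) // STEP)
    for drift in range(-window, window + 1):
        counter = current + drift
        if last_used is not None and counter <= last_used:
            continue                                  # already accepted once
        expected = totp(secret_b32, at=counter * STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return counter
    return None


# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32,
# the same form the QR code hands to the phone.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("code for the sample secret right now:", totp(SAMPLE_SECRET))
```

The shared secret inside the QR code is the whole second factor, so treat a screenshot of that QR code like a password.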

 

5. Don’t let “people” try to login over and over again.

WordPress does not by default limit the number of login attempts allowed. But a simple plugin called “Limit Login Attempts” does. This sets limits on the number of times you allow someone (or something) to attempt to login. And it locks the account if they try so many times. And it can email you after so many attempts if you want. You can set time limits on lockouts and duration times as well.

Limit Login Attempts
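The lockout behavior described above can be sketched as follows. This is an added example, not code from the Limit Login Attempts plugin; the class, its setting names and default values, and the sample events are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LoginLimiter:
    """Hypothetical per-IP limiter; names and defaults are illustrative."""
    max_retries: int = 4            # failures allowed before a lockout
    lockout_secs: int = 20 * 60     # how long one lockout lasts
    retry_window: int = 12 * 3600   # failures older than this are forgotten
    notify_after: int = 2           # lockouts before the site owner is emailed
    failures: dict = field(default_factory=lambda: defaultdict(list))
    locked_until: dict = field(default_factory=dict)
    lockouts: dict = field(default_factory=lambda: defaultdict(int))
    notifications: list = field(default_factory=list)

    def attempt(self, ip, username, password_ok, now):
        """Record one attempt; return 'allowed', 'failed', 'locked' or 'blocked'."""
        if self.locked_until.get(ip, 0) > now:
            return "blocked"        # refused before the password is even checked
        if password_ok:
            self.failures.pop(ip, None)
            return "allowed"
        recent = [t for t in self.failures[ip] if now - t < self.retry_window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) < self.max_retries:
            return "failed"
        self.failures[ip] = []      # counting restarts after the lockout
        self.locked_until[ip] = now + self.lockout_secs
        self.lockouts[ip] += 1
        if self.lockouts[ip] >= self.notify_after:
            # A real site would send mail here; the example only records it.
            self.notifications.append((ip, username, self.lockouts[ip]))
        return "locked"


# Constructed events: (time in seconds, source IP, username tried, password ok?)
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "admin", False),
    (2, "203.0.113.7", "admin", False),
    (4, "203.0.113.7", "admin", False),
    (5, "198.51.100.20", "jane", False),         # a real user's typo
    (6, "203.0.113.7", "admin", False),          # 4th failure: locked out
    (8, "203.0.113.7", "administrator", False),  # still locked: blocked
    (30, "198.51.100.20", "jane", True),         # unaffected by the other IP
    (1300, "203.0.113.7", "admin", False),       # lockout over, counting again
    (1301, "203.0.113.7", "admin", False),
    (1302, "203.0.113.7", "admin", False),
    (1303, "203.0.113.7", "admin", False),       # 2nd lockout: owner notified
]


def replay(events, limiter=None):
    """Feed events through a limiter; return its decisions and final state."""
    limiter = limiter or LoginLimiter()
    decisions = [limiter.attempt(ip, user, ok, t) for t, ip, user, ok in events]
    return decisions, limiter


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)[0]):
        print(event, "->", decision)
```

Because the limiter is keyed on the source IP, the legitimate user at the second address is never affected by the lockout of the first.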

 

6. Firewalls help keep the “evils” out

I looked for a free firewall plugin. I settled on “WordFence Security“. It has grown on me and is now my “Go To” plugin when someone says “Help! People are rattling my website”. WordFence scans your site, shows you when something has changed that shouldn’t have. Granted sometimes those alerts are false positives. It will block IP addresses from things that keep trying over and over to get into your site. It has advanced blocking features and also does Caching (if you want to speed up the performance of your site). A post on Caching and other performance tuning will be done at a later date. And lastly when my site was constantly under attack from certain countries, I was forced to buy the premium version of WordFence to allow me to block by country. I want my site to be viewable to the world but sometimes you have no choice so I paid for a license and I now block a few countries as they constantly rattled my doors. This cut down dramatically on any attacks I was receiving. Also, I like being able to easily see the logs of who has visited my site. It is always nice to see Google and Bing have visited me each day to index their site for their search engines.

Conclusion

There are certainly other products in the market to secure your site such as Sucuri, which scans your website and claims to be antivirus and firewall. I am also told they will help clean up your site in the event you have been hacked (for a fee of course). And there is iThemes Security Pro which has a plugin that works a lot like WordFence. I would certainly consider all three and decide what seems the best fit for you.

Stay Safe Out there!