WordPress is thirteen!

You could have knocked me over with a feather today when I read Matt’s post announcing that WordPress was celebrating a birthday!

It didn’t seem so long ago that we were working on b2++, hacking the multiuser bits in and doing all sorts of crazy things with it.

Now I’m “typing” this on a mobile phone by swiping my finger across a virtual keyboard. Back then the closest to this that I could imagine would be some sort of SMS integration!

WordPress today is unrecognisable from what it was back then, especially if you use the slick Calypso interface.

I’m looking forward to seeing what the next few years bring.

Related Posts

Redirect 404 errors to imported posts using path custom field

Are you importing posts from another CMS? Do you want to avoid an .htaccess file with a million redirects? Of course you do!

Step 1: store your old pages’ paths in a custom field during your import.

Step 2: adapt this little function to your site. When a user lands on a 404 error, WordPress checks to see if the requested path exists in a custom field. If so, it redirects the user to the correct post.

In this case, my posts imported from Drupal had the old paths stored in the ‘drupal_path’ field.  Change your ‘meta_key’ to match your custom field name.

Try visiting one of the old URLs. You should be whisked to the new location.

This function also prevents WordPress’s default behavior of trying to guess where to redirect an incorrect URL. If you want WordPress to keep doing that after it has checked for the custom field path, simply remove the “else return false;” lines.

Redirects for HTML Import

Since the HTML Import plugin stores the old URLs, you can use this to redirect your old files to the new WordPress pages:

Note the difference here: parse_url() isn’t used, because in this case the full URL has been stored, not just a relative path.

This works only if you have entered the old URL correctly in the plugin’s settings.

How to Change Akismet’s Delete Spam Schedule in WordPress

After we published our article on how to change WordPress trash schedule, one of our readers asked if it was possible to change the delete schedule for spam comments in Akismet. By default, Akismet keeps spam comments in your WordPress database for 15 days before deleting them. In this article, we will show you how to change Akismet’s delete spam schedule in WordPress.

How to Change Akismet's Spam Delete Schedule in WordPress

Why Change How Akismet Deletes Spam in WordPress?

This tutorial is for Akismet plugin only. If you are not using it, then check our guide on why you should start using Akismet.

Akismet allows you to combat comment spam in WordPress. It monitors all comments, pingbacks and trackbacks.

Spam comments reside in your database, which means they increase your database backup size. Deleting them sooner may help keep your database size a bit smaller.

While some users may believe that deleting spam comments improves database performance, we don’t think it has a major effect on database performance in most circumstances.

If you are receiving thousands of spam comments, and you try to delete them manually, then it could affect your site’s performance. See our guide on how to batch delete spam comments in WordPress.

On the other hand, some users may want to keep spam comments for a longer period, so that they can review them later to avoid false positives.

Having said that, let’s see how you can change the delete schedule for spam comment in WordPress with Akismet.

Changing Spam Comment Delete Schedule in WordPress with Akismet

Akismet automatically deletes spam comments after keeping them for 15 days in your database. This gives you time to manually review spam comments.

If it marked a genuine comment as spam, then you can mark it as not spam. This is how Akismet learns and improves it’s algorithms to catch spam comments more efficiently.

Comment spam folder

You can change the number of days Akismet should keep spam comments in your database. Simply add this code to your theme’s functions.php file or in a site-specific plugin.

add_filter( 'akismet_delete_comment_interval', 'custom_spam_delete_interval' );

function custom_spam_delete_interval() {
	return 7;

Change 7 with the number of days you want to keep a comment. This filter simply modifies Akismet’s spam deletion schedule.

Changing the number to 0, will allow Akismet to delete all comments on its next comment delete schedule. This will not give you much time to review spam comments.

You can see your changes in action by visiting Settings » Akismet page. Scroll down to the bottom of the page, and you will see a note in tiny letters saying ‘Spam in the spam folder older than 7 days is deleted automatically.’

Comment spam delete schedule shown in Akismet settings

It will replace 7 days with the number of days you used in your filter.

Note: When spam comments are deleted, they are not sent to trash, so you cannot retrieve them back.

We hope this article helped you change Akismet spam comment delete schedule in WordPress. You may also want to see our guide on how to how to block spam comment bots in WordPress with honeypot.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post How to Change Akismet’s Delete Spam Schedule in WordPress appeared first on WPBeginner.

WordPress Security

WordPress security has always been food for thought. Even though most of the latest updates (including WordPress 4.5.2) deal with WordPress security issues, there is still a lot that can be done to improve that security, even by the less tech-savvy of us. In this article, I’d like to enumerate a number of suggestions on how to improve security on your own WordPress website.

wordpress security must read article by yoast

Table of contents

WordPress itself has a list on WordPress security you might want to read. Of course, some of the things in that list will be repeated in the article below. Personally, I prefer a more hands on list and direction, that’s why we decided to write this article.

Don’t use admin as a username

Think about this. This is perhaps the easiest baseline step for WordPress security you can take as a WordPress user. It costs you nothing, and the install makes it really easy to do. A majority of today’s attacks target your wp-admin / wp-login access points using a combination of admin and some password in what is known as Brute Force attacks. Common sense would dictate that if you remove admin you’ll also kill the attack outright.

Yes, the argument exists that the attacker can still enumerate the user ID and Name and can in some instances pull the new username. There is no denying this. Remember though, like our friends at Sucuri like to say, Security is not about risk elimination, it’s about risk reduction.

For the everyday, automated Brute Force attack, removing the default admin or administrator username will already help a lot. You’re at least making it a bit harder for the hacker to guess the username. For the sake of clarity, understand that when we say admin we are speaking specifically to the username only and not the role.

Simply create a new user in WordPress at Users > New User and make that a user with Administrator rights. After that, delete the admin user. Don’t worry about the post or pages the admin user has already created. WordPress will nicely ask you: “What should be done with content owned by this user?” and give you the option to delete all content or assign it to a new user, like the one you have just created.

Use a less common password

An easy thing to remember is CLU: Complex. Long. Unique.

This is where tools like 1Password and LastPass come into play, as they each have password generators. You type in the length, and it generates the password. You save the link, save the password, and move on with your day. Depending on how secure I want the password to be, I usually set length of the password (20 characters is always right) and decide on things like the inclusion of less usual characters like # or *.

‘123456’ isn’t a password. ‘qwerty’ is like writing your security code on your bank card. ‘letmein’; seriously? Shame on you. Even ‘starwars’ made the 2015 list of 25 most used passwords. Remember, you’re never as unique as you think you are…

Add Two-Factor Authentication

Even if you’re not using ‘admin’ and are using a strong, randomly generated password, Brute Force attacks can still be a problem. To address this, things like Two-Factor Authentication are key to helping to reduce the risk of such attacks.

Oh, I know, the hassle two-factor authentication is. But for now, it’s your Fort Knox. The essence of two-factor authentication for WordPress security is exactly as implied in the name, two forms of authentication. It’s the recognized standard today for enhanced security at your access points.  You are already using two-factor authentication for Gmail, Paypal, and the works (at least you should be), why not add it to your WordPress security toolkit as well. Ipstenu (Mika Epstein) did an article on the subject you might want to read: Two Factor Authentication.

There is a plugin for that: Google Authenticator. An alternative that takes a slightly different approach for the same purpose is the Rublon Plugin.

Employ Least Privileged principles

The WordPress.org team put together a great article in the WordPress Codex regarding Roles and Capabilities. We encourage you to read it and become familiar with it because it applies to this step.

The concept of Least Privileged is simple, give permissions to:

  • those that need it,
  • when they need it and
  • only for the time they need it.

If someone requires administrator access momentarily for a configuration change, grant it, but then remove it upon completion of the task. The good news is you don’t have to do much here, other than employ best practices.

Contrary to popular belief, not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles and you’ll greatly reduce your security risk.

Hide wp-config.php and .htaccess

No, thou less tech-savvy WordPress website owner, that is not hard to do. It’s actually really simple, especially when you are using Yoast SEO for WordPress > Tools > File Editor to edit your .htaccess.

For better WordPress security, you’d need to add this to your .htacces file to protect wp-config.php:

<Files wp-config.php>
order allow,deny
deny from all

That will prevent the file from being accessed. Similar code can be used for your .htacces file itself, by the way:

<Files .htaccess>
order allow,deny
deny from all

You can do it. It’s no rocket science.

Use WordPress security keys for authentication

Authentication Keys and Salts work in conjunction with each other to protect your cookies and passwords in transit between the browser and web server. These authentication keys are basically set of random variables, used to improve security (encryption) of information in cookies. Changing this in wp-config.php can be simply done by getting a new set of keys here and add these. These keys change on a refresh of that page, so you’ll always get a fresh set.

Syed Balkhi at WPBeginner did an article on WP security keys, in case you want some more background information. The Sucuri plugin can help you with these keys as well.

Disable file editing

If a hacker gets in, the easiest way to change your files would be to go to Appearance > Editor in WordPress. To lift your WordPress security, you could disable writing of these files via that editor. Again, open wp-config.php and add this line of code:

define('DISALLOW_FILE_EDIT', true);

You’ll still be able to edit your templates via your favorite FTP application, you just won’t be able to do it via WordPress itself.

Limit login attempts

Attacks like a Brute Force attack, target your login form. Specifically for WordPress security, the All in One WP Security & Firewall plugin has an option to simply change the default URL (/wp-admin/) for that login form.

Next to that, you could also limit the number of attempts to login from a certain IP address. There are several WordPress plugins to help you to protect your login form from IP addresses that fire a multitude of login attempts your way. We haven’t tested all, but feel free to let me know your experiences.

Be selective with XML-RPC

XML-RPC is an application program interface (API) that’s been around for a while. It’s used by a number of plugins and themes, so we caution the less technical to be mindful how they implement this specific hardening tip.

While functional, disabling can come with a cost. Which is why we don’t recommend disabling for everything, but being more selective on how and what you allow to access it. In WordPress, if you use Jetpack you’ll want to be extra careful here.

There are a number of plugins that help you be very selective in the way you implement and disable XML-RPC by default.

Hosting & WordPress security

In the past years of website reviews, we have had our share of website owners stating that their hosting company couldn’t help with this, or knew jack about that. Hosting companies simply see your website differently. There is no simple rule to decide on your WordPress hosting company. But the choice of a hosting company does matter when optimizing your WordPress security.

Every article written on hosting or hosting companies seems to start by telling you that the cheapest one is probably not the best one. Most cheaper hosting plans won’t have support to help you out with a hacked site. These plans include little to secure your website, like for instance set up a Website Firewall (more on the Sucuri Website Firewall later). Shared hosting, for instance, does imply that your hosting server is also populated with other websites. These might have security issues of their own, which in turn might affect your own website’s security as well.

WordPress security seems to be one of the main USPs offered in specialized WordPress hosting products, like the one offered by GoDaddy. They offer backups, redundant firewalls, malware scanning and DDoS protection and automatic WordPress updates for very reasonable pricing (understatement).

Be mindful of host account

One of the biggest challenges with hosts is in their account configuration for website owners. Website owners are allowed to install and configure as many websites as they want, and this fosters “soup kitchen”-like environments.

This is challenging because, in many instances, a website is compromised via a concept known as cross-site contamination in which a neighboring site is used as the attack vector. The attacker penetrates the server, then moves laterally into neighboring sites on the server.

The best way to account for this is to create two accounts, one which you treat as a production environment – only live sites are published – and a staging one, in which you put everything else.

Stay up-to-date

Staying up-to-date is an easy statement to make, but for website owners in the day-to-day, we realize how hard this can be. Our websites are complex beings, we have 150 different things going at any given time, and sometimes it’s difficult to apply the changes quickly. A recent study shows that 56% of WordPress installations were running out of date versions of core.
Updates need to extend beyond WordPress core. The same study shows that a very large percentage of the website hacks came from out-of-date, vulnerable, versions of plugins.

This can be compounded in really complex environments in which dependencies make it so that backups can’t be achieved. This is why we personally employ Sucuri’s Firewall. This firewall virtually patches and hardens our website at the edge. It gives us the time we require to go back and apply updates in a more reasonable time frame, allowing us to test in our staging environments first, and only then push to production.

(Free) plugins & themes

Most WordPress users tend to apply themes and plugins at will to their posts. Unless you’re doing this on a test server for the sole purpose of testing that theme or plugin, that makes no sense, especially not with reference to WordPress security. Most plugins and a lot of themes are free, and unless you have a solid business model to accompany these free giveaways. If a developer is maintaining a plugin just because it’s good fun, chances are he or she did not take the time to do proper security checks.

We have teamed up with Sucuri years ago, to make sure every plugin is checked for security before release, and we have an agreement with them for ongoing checks as well. If you are creating a free theme or free plugin, you might not have the resources to add solid checks like that.

How to pick the right plugin

Ratings on WordPress.org exampleIf you want to be taken by the hand in selecting the right WordPress security plugin for your website, please read this in-depth article Tony Perez did on the subject: Understanding the WordPress Security Plugin Ecosystem.

Let me focus on the basics of plugin selection here. As explained above, free plugins and themes could be a possible vulnerability. When adding a plugin (or theme for that matter), always check the rating of that plugin. WordPress.org shows ratings, but one five star rating won’t tell you anything, so also check the number or ratings. Depending on the niche, a plugin should be able to get multiple reviews. If more people think a plugin is awesome and take the time to rate it, you could decide to use it too.

WordPress 4.5.2 compatible exampleThere is one other thing you want to check. If a plugin hasn’t been updated for two years, WordPress will tell you that. That doesn’t mean it’s a bad plugin, it could also mean there hasn’t been a need to update it, simply because the plugin still works. The ratings will tell you that, and the compatibility with the current WordPress version, which is also listed on the plugin page at wordpress.org. Having said that, Sucuri strongly recommends against using any plugins that haven’t been updated for that long. You should take their word for it.

Based on these ratings and compatibility, you could pick your plugins less random and have a larger chance of some kind of security being added.

Contact Sucuri

I’ve already mentioned our friends at Sucuri. Daniel and Tony have done a tremendous job on our plugins and have helped on several hacked websites in the past. If you’re not familiar with these gentlemen, they are the owners and managers of Sucuri.

Sucuri is a globally recognized website security company known for their ability to clean and protect websites, bringing peace of mind to website owners, including us here at Yoast.
We’ve partnered with Sucuri because we take security very seriously, it’s not and should not be an afterthought. There is a variety of ways to address WordPress security, and we found that security was best addressed remotely at the edge beyond the application. What Daniel and Tony have built is a product / service that lets you get back to running your business. They are our partners, the security team we lean on when we need help the most.

Failing to take the necessary precautions for your WordPress security, and leveraging the experts can lead to malware infections, branding issues, Google blacklists and possibly have huge impacts to your SEO (something dear to our hearts). Because of this, we turn to them for our needs, like they turn to us for website optimization.

Here is a webinar Sucuri put together on how websites get hacked:

A lot of the suggestions in this article can be dealt with by installing and configuring their free Sucuri Scanner plugin for WordPress or hiring them to handle your website’s security. At Yoast, we don’t think this is an ‘extra’, but consider it an absolute necessity. For us, security is not a DIY project, which is why we leave it to the professionals. Visit their website at sucuri.net for more information, and check your site now to see if you have been infected with malware or have been blacklisted.

Yoast recommends Sucuri

If you are serious about your website, you are serious about your security. Get the complete security package of Website Security Stack now:

Get your Sucuri Website Security Stack NOW.

Closing thoughts

If you have come this far in this article, you will have no excuse not to improve the WordPress security for your website. Like adding posts and pages, checking your WordPress security should be a regular routine for every WordPress site owner.

This isn’t the full list of all the things you can do to secure your website. I am aware that one should, for instance, create regular backups. And that WordPress has a number of plugins for this as well. But backups are not part of WordPress security per se, I think these are part of having a website in general – they are administrative/maintenance tasks.

I trust this article about WordPress security gives you a practical list of things you can and should do to secure at least the first layer of defense of your website. Remember, WordPress security isn’t an absolute, and it’s on us to make it harder for the hackers!

Tony, thanks again for your input and additions to this article!

How to Setup Facebook Instant Articles for WordPress (Step by Step)

Have you heard about Facebook Instant Articles? Want to add Facebook Instant Articles on your WordPress site? In this step by step tutorial, we will explain what are the pros and cons of Facebook Instant Articles as well as show you how to easily setup Facebook Instant Articles for WordPress.

Facebook Instant Articles

What is Facebook Instant Articles?

Instant Articles is a Facebook feature which allows you to load your content 10 times faster by using a customized mobile format. It is based on the same technology used in Facebook apps for mobile devices.

Instant Articles load up to 10 times faster than a normal web page. This incredible boost in speed provides a better user experience for mobile users.

Many popular media sites like BuzzFeed, TechCrunch, Mashable, and countless others are using it on their websites. You can easily spot instant articles in your Facebook feed by the lightning bolt icon.

Lightening bolt icon displayed on an Instant Article in Facebook feed

Pros and Cons of Facebook Instant Articles

Like everything else, there are some advantages and disadvantages of using instant articles on your website.

Pros of Using Facebook Instant Articles

  • Faster load time means significant improvement in user experience.
  • Due to speed, users are more likely to share your content.
  • Access to monetization options through Facebook Audience Network.
  • Boosted Facebook Page Reach.
  • Facebook’s massive user base can bring new wave of traffic to your site.

Cons of Using Facebook Instant Articles

  • Users will not see your sidebars. It will hide your useful widgets, email list forms, and everything else that is not part of the article.
  • You may witness a drop in advertising revenue, as Facebook instant articles limits the advertisers as well as the number of ads you can show on an article.
  • You can use some images and videos on your article, but Facebook instant articles will limit that as well.
  • Most shortcodes, custom fields, and other WordPress features will not be displayed in your articles.

Considering the pros and cons of using Facebook Instant Articles, it is a mix bag for publishers. It actually depends on the type of content you produce and your business goals.

If you’re a news media site, then it makes sense for you to add it. If you’re a business website, then it may not be a huge difference maker.

What Do You Need to Enable Facebook Instant Articles in WordPress?

There are a few requirements for setting up Facebook Instant articles on your WordPress site. You need a:

  • Facebook page for your WordPress website.
  • Facebook page app (we will show you how to create it later in this article).
  • At least 10 or more articles on your website.
  • Instant Articles for WP plugin (We will show you how to set it up later in this article).

Having said that, let’s get started by applying for Facebook Instant Articles.

Signing up for Facebook Instant Articles

First you need to visit Facebook Instant Articles website and click on the sign up button to get started.

Sign up for Facebook Instant Articles

Facebook will now ask you to select a page. Here you need to select the Facebook Page for your website.

After that check the box to agree with Instant Articles terms and then click on ‘Access Instant Articles Tools’ button.

Select your Facebook page

This will take you to the publisher tools on your Facebook page, which will now have an instant articles section.

First, you need to prove the ownership of your website by claiming your URL.

Claim your website URL

Scroll down a little to the Tools section on the page and click on the ‘Claim your URL’ to expand it. Facebook will show you a code snippet.

Meta tag to claim ownership of the URL

You need to copy the code and insert it into the <head> section of your WordPress site.

There are two ways you can add this code to your website.

You can edit the header.php file in your child theme and paste the code just before <head> tag.

But if you are not using a child theme, then you can use Insert Headers and Footers plugin. For more details, see our step by step guide on how to install a WordPress plugin.

After activating the plugin, go to Settings » Insert Headers and Footers page and paste the code into the header section.

Insert code in your header section

Click on save button to store your changes.

Once you have added the code to your website, you need to switch back to the publisher tools section of your Facebook page.

Add your website URL below the code you copied earlier and then click on the claim URL button.

URL claim success

The next step is to add an Instant Articles RSS feed for your website. Here is how you can generate an Instant Article feed for your WordPress site.

Simply install and activate the Instant Articles for WP plugin. Upon activation, the plugin will generate an instant articles feed for your WordPress site.

You can find the feed by adding /feed/instant-articles after your site’s URL, like this:


Copy your instant articles feed URL and switch back to your Facebook page’s publishing tool section. Scroll down to the Tools section and click on ‘Production RSS Feed’ to expand it.

Add instant articles feed

Paste your Instant Articles feed URL and click on the save button. Facebook will show you a success message that your feed is added.

Setting up Facebook Instant Articles plugin for WordPress

In the previous step we installed Instant Articles for WP plugin to generate RSS feed for instant articles. Now you need to set up rest of the plugin settings.

You will notice that upon activation the plugin added a new menu item in your WordPress admin bar labeled ‘Instant Articles’. Clicking on it will take you to the plugin’s settings page.

Instant Articles WP plugin settings

This plugin requires an App ID and Secret keys for activation. You will need to create a Facebook app for your page to get those keys. Let’s take a look at how you can do that.

Creating a Facebook App for Your Page

First, you need to visit the Facebook for Developers website. Click on the drop down menu next to My Apps menu on the upper right corner of the screen next to your profile photo.

Create a new Facebook app

This will bring up a popup on screen. You need to click on website.

Choose website for your app platform

This will take you to a quick setup wizard. You need to enter a name for your Facebook app. This could be anything that helps you identify the app.

Click on the ‘Create New Facebook App ID’ button to continue.

Enter a name for your FB app

A new popup will appear asking you to provide a contact email address and select a category for your app.

Enter an email address and select Apps for Pages as app category.

Provide an email and choose category for app

Click on create App ID button to continue.

The popup will disappear and Facebook will now create an app for you. On the quick start page, you will see new information about how to use the app.

You just need to scroll down a little to ‘Tell us about your website’ section.

Add your website URL

Enter your WordPress website address here and click on the next button to continue.

Even though Facebook will be showing you that there are more steps in the set up wizard, but that’s all the information you needed to enter.

You can now click on the ‘Skip Quick Start’ button at the top right corner of the page.

Finish quick start

You will be redirected to your newly created app’s dashboard. You will be able to see your App ID and to see your App secret key you will need to click on ‘Show’ button.

App ID and secret keys

Before you copy these keys, first you need to make your app live and publicly available.

Click on the ‘App Review’ link from the menu on your left.

Make your App live

On the next screen, you will see that your app is under development mode. Click on the toggle to switch it to ‘Yes’ and make your app live.

Now click on the dashboard link from the left hand column to go back to your app’s dashboard. Copy your App ID and Secret keys.

Return to your Instant Articles for WP plugin’ settings page on your WordPress site and paste your App ID and Secret keys there.

plugin settings

Click on the next button to continue.

The plugin’s settings page will now show you a login with Facebook button.

Login with Facebook to continue

This will take you to Facebook, and you will be asked to give the app permission to access your profile information.

After giving permissions, you will be redirected back to your WordPress site. Click on the ‘Select Page’ drop down menu to select your Facebook page.

Select your Facebook page

Your WordPress site is now ready for Instant Articles. There are still two more steps left.

Setup Style and Branding for Your Instant Articles

Visit your Facebook page and from the admin bar and click on Publishing Tools. From your left hand menu, click on ‘Configuration’ under Instant Articles.

Customizing style of Instant Articles for your website

Scroll down to the Tools section and then click on the Style tab to expand it. Facebook has already added a default style for your website.

Click on the default style to customize it.

This will open up a popup where you can upload your website logo. Facebook requires images that are 690 by 132 pixel minimum.

Upload logo and customize colors

After uploading the logo, click on Save and then click on Done.

Submit Your Instant Articles Feed for Review

Before you can submit your Instant Articles feed for review, you need to make sure that you have at least 10 articles in your Instant Articles feed.

If you have already published more than 10 articles on your website, but the feed is not showing all of them, then you need to edit your last 10 articles and simply click on the update button.

Once you are sure that you have 10 articles in your Instant Articles feed, you are now ready to submit it to Facebook for review.

Go to your Facebook page and click on Publishing Tools from the admin bar. After that click on the ‘Configuration’ link under Instant Articles on your left hand menu.

Look for ‘Step 2: Submit For Review’ on the configuration settings page.

Submit for review

If there are no errors with your Instant Articles feed, then you will see a ‘Submit for Review’ button. Go ahead and click on this button to send your feed for review.

That’s all, Instant Articles will become available for your website once Facebook team has reviewed and approved your feed.

Troubleshooting Tips:

Facebook requires that your Instant Articles feed match specifications described on their developer website. Instant Articles for WP plugin handles that part for you.

However depending on the theme or plugins you are using on your site, you might see some errors or warnings. An easier way to troubleshoot those errors is by editing a post and scrolling down to the Facebook Instant Articles meta box below the post editor.

Instant Articles for warnings

Most of the errors are caused by plugins or theme adding content into your posts that is not supported by transformer rules used by Instant Articles for WP plugin.

You can create your own custom transformer rules. Refer to the plugin’s documentation to learn how to add your custom transformer rules.

However, we feel that it would be difficult for most beginners to do that on their own, so you may need a developer. You can try to configure your other plugins and themes and stop them from adding content blocks into your posts.

Incorrect URLs

If you are continuously getting Empty Feed error when submitting your Instant Articles feed, then check the URL you are trying to add.



These are two different URLs, and depending on your WordPress setup, entering the incorrect URL may result into a 404 error.

If you are still seeing the empty feed error, then try updating the last ten posts on your site. This will change their time modified and will add them to the feed.

We hope this article helped you set up Facebook Instant Articles for WordPress. You may also want to see our list of 40 useful tools to manage and grow your WordPress blog.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post How to Setup Facebook Instant Articles for WordPress (Step by Step) appeared first on WPBeginner.

How to Auto-Publish WordPress Posts to LinkedIn

Do you want to auto-publish your WordPress posts to LinkedIn? LinkedIn is a social network of professionals and a very strong platform to bring traffic to your WordPress site. In this article, we will show you how to auto-publish WordPress posts to LinkedIn.

Automatically publish WordPress posts to LinkedIn

Method 1: Auto Publish WordPress Posts to LinkedIn using IFTTT

IFTTT is short for If This Then That. It is a web service which allows you to connect your other online accounts and make them work for you. For more information, take a look at our guide on how to automate WordPress and social media with IFTTT.

First thing you need to do is sign up for an IFTTT account. Simply visit the IFTTT website and click on sign up.

IFTTT Signup

After signup, IFTTT will show you how it works. Just follow the on screen instructions until you reach the IFTTT dashboard.

It will look something like this:

IFTTT Dashboard

A process created by IFTTT is called a recipe. Click on ‘My Recipes’ link at the top to create your first IFTTT recipe.

IFTTT My Recipes

This is the page where all your IFTTT recipes will be displayed. Simply click on ‘Create a recipe’ button to continue.

IFTTT recipe

An IFTTT recipe consists of two parts. The first part is called ‘This’, which is a trigger that will start the IFTTT recipe. But before IFTTT can fire a trigger, you need to tell it where to look for the trigger.

Click on ‘this’ to get started.

IFTTT will now show you all the channels you can use for your trigger. You need to type WordPress in the search box and then select it as your trigger channel.

Select WordPress as your IFTTT trigger channel

IFTTT will ask you to connect your WordPress site. Simply click on the connect button to continue.

A popup window will appear on your screen, where IFTTT will ask for your WordPress website information.

Connecting your WordPress site to IFTTT

You need to enter your WordPress site’s address, your WordPress username and password. Click on the connect button to continue.

IFTTT will now try to connect to your WordPress site. Upon success it will show you a success message. Click on Done button to close the popup, and then click on ‘Continue to next step’ button.

IFTTT will now ask you to choose from the available triggers. You can launch an IFTTT trigger when any new post appears on your WordPress site or when a new post is published in a specific category or tag.

Right now we will be using ‘Any new post’ as our trigger. Simply click on the ‘Any new post’ box to continue.

Choose any new post as your trigger

IFTTT will now ask you to confirm. Simply click on Create trigger button to move on.

The next step is to choose what action to take when this trigger is fired. Click on ‘that’ link to define the action when a new post appears on your WordPress blog.


First you will need to choose a channel where your action will take place. Search and select LinkedIn as your action channel.

Choose LinkedIn as your action channel

IFTTT will ask you to connect your LinkedIn account. Simply click on the connect button and a popup will appear which will take you to the LinkedIn website.

Enter your LinkedIn login details and then click on ‘Ok, I’ll allow it’ button.

Authorize IFTTT to access your LinkedIn account

IFTTT will show you a success message. Click on the done button to close the popup and then click on continue to next step button.

You will now choose the action. You can share an update on your LinkedIn profile, or you can share a link.

Choose an action

Click on share an update on LinkedIn profile to continue.

IFTTT will ask you to choose action fields. It will automatically show your post title and URL fields in the status box.

Action fields

Simply click on create action button to finish your recipe.

IFTTT will now show you a summary of your recipe. You need to click on the create recipe button to make your recipe live.

Create and add recipe

That’s all, your IFTTT recipe is now live. It will automatically check your WordPress site for new posts and will share them as a status update on your LinkedIn profile.

When sharing a post, LinkedIn will automatically use your post’s featured image as thumbnail.

Your WordPress to LinkedIn recipe on IFTTT

You can always see your recipe by visiting my recipes page. You can also edit, stop, or pause a recipe at anytime.

Method 2: Auto Publish WordPress Posts to LinkedIn using Plugin

You can also automatically share your WordPress posts to your LinkedIn profile using a WordPress plugin.

First thing you need to do is install and activate LinkedIn Auto Publish plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, the plugin will add a new menu item labeled ‘LinkedIn Auto Publish’ to your WordPress admin menu. Clicking on it will take you to plugin’s settings page.

LinkedIn auto-publish settings

The settings page will show you two URLs from your own site and a link to create a new LinkedIn app. For this plugin, you will need to create a LinkedIn app to get client and secret API keys.

Simply visit LinkedIn Developer’s website and click on create application button.

Create a LinkedIn app

This will bring you to the application form for creating a new app. First you need to provide company name, a name for your application, and description.

You will also need to upload a logo for your application. You can use your blog’s logo or any other image for this purpose. The image needs to be square with the same width and height.

Create new app application form

Lastly, you need to provide your website address, business email, and a phone number. Check the terms and conditions box and then click on submit button.

LinkedIn will now create your app, and it will take you to the app dashboard. You will find your client ID and client secret keys there.

LinkedIn API Keys

But you still need to add authorized redirect url on your app’s dashboard.

Scroll down a little and you will find ‘OAuth 2.0 Authorized Redirect URLs’ field. Copy and paste the second URL from plugin’s settings page here and click on the Add button.

Redirect url

Don’t forget to click on the update button to store your app settings.

Now simply copy and paste Client ID and Client Secret keys from your app page to plugin’s settings page. After that, click on save button to store your plugin settings.

Your WordPress site is now ready to connect to your LinkedIn account. Click on the ‘Authorize’ button at the top of your plugin’s settings page.

Authorize app

This will take you to LinkedIn website where you will be asked to allow access to the app you created earlier.

Allow access

Enter your LinkedIn login credentials and click on Allow access button. LinkedIn will now redirect back to your WordPress plugin’s settings page which will show a success message. The authorize button will now change into reauthorize.

That’s all, LinkedIn Auto Publish plugin will now automatically share your WordPress posts to your LinkedIn profile.

You will also find a new meta box below your post editor screen when editing a post. You can disable or change sharing settings for individual posts from this meta box.

Linkedin Auto Publish meta box on post edit screen in WordPress

We hope this article helped you auto-publish WordPress posts to LinkedIn. You may also want to see our list of 10 LinkedIn WordPress plugins to win new customers.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post How to Auto-Publish WordPress Posts to LinkedIn appeared first on WPBeginner.

Creating Excel .xlsx Files in PHP

Excel .xlsx files are actually a set of ZIP compressed XML files (here is the spec). I couldn’t find any examples of building the most basic .xlsx file with PHP so I created this snippet (a local copy) that some of you might find useful.

Here are some notes:

  • Requires the PHP ZipArchive extension to actually build the ZIP file.
  • Takes an array of rows which is an array of field values and builds a dictionary of shared strings sharedStrings.xml which are used as a reference in the sheet XML file xlsx_get_sheet_xml().
  • Also includes xml_save() for creating Excel XML files which doesn’t require the PHP Zip extension.

Here is how you would use it:

$fields = array(
	array( 'row 1, col1', 'row 1, col2' ),
	array( 'row 2, col1', 'row 2, col2' ),

$excel_builder = new cf7_export_excel();
$excel_builder->add_rows( $fields );

if ( $excel_builder->can_xlsx() ) {
	$excel_file = $excel_builder->xlsx_save();

	header( 'Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet; charset=utf-8' );
	header( 'Content-Disposition: attachment; filename=export.xlsx' );
} else {
	$excel_file = $excel_builder->xml_save();

	header( 'Content-Type: text/xml; charset=utf-8' );
	header( 'Content-Disposition: attachment; filename=export.xml' );

readfile( $excel_file );
unlink( $excel_file );

I used the PHP_XLSXWriter library as a reference.

Never lose a single business lead or enquiry again! Get my latest plugin Storage for Contact Form 7 now!

Buy now for only $19 →

Joost & Marieke visit California this summer

Are you living in the San Francisco Bay Area or in Los Angeles (or surroundings)? And, are you planning to organize a WP Meetup this summer? Joost de Valk would love to come, visit and speak at your WP Meetup this summer!

Marieke and Joost of Yoast visit the US

We (Joost and Marieke) will be traveling through California this summer. We’ll take our four children (aged 10, 6,4 and 1) along with us. It will be mostly fun, sightseeing and vacation, but we’d love to do some Meetups in California as well. So, please let us know if you’d like Joost de Valk to come to your Meetup!

Our timetable

What are the possibilities? From July 23 until July 29 we’ll stay in San Fransisco. Anything within an hour (or 90 minutes) drive is doable!

After July 29, we’ll be off the radar, doing some serious sightseeing. We’ll be in Los Angeles (well, Carlsbad to be precise) from August 12 to August 19.

Please contact us if you would like to have Joost de Valk come to your Meetup. Hope to see you soon!

Check out this video to see Joost present at WordCamp NL!

Better 404 error messages for private posts and pages

When a non-logged-in reader visits a private WordPress post or page, she gets a 404 “not found” error message, as if the post didn’t exist at all. That’s great if you don’t want the world to know that the post exists, but what if you’re doing something less clandestine, like members-only content?  You do want people to know the post is there–they haven’t followed a bad link!–but they need to log in to see it. Then “not found” is misleading.

There are two ways you could make the user experience better: redirecting private 404s to the login screen with a message, or changing the 404 error text.

Redirecting private 404s to the login screen

If you’re going with the redirect option, you’ll need two small functions in your custom plugin or your theme’s functions.php file. The first checks whether the queried object (in this case, the post/page) is private, and if so, redirects to the login URL with a custom query argument and instructions to return the user to the original page after they’ve logged in.

The second function runs on the login screen. If the custom query argument is set, it adds a message telling the user they need to log in before viewing the original page.

Changing the 404 error text (in Genesis)

If you want to be a little less presumptuous about whisking users off to a login screen, you can instead filter the error message and give them the option of following the login link.

In most WordPress themes, you can edit your template files directly to add a wp_login_url() link. In Genesis, you need to filter the noposts text instead:

WordPress 4.6 Improves the Accessibility of the Tag and Category Management Pages

Among the improvements coming in WordPress 4.6 are accessibility enhancements to the Category and Tag management pages. The flow of each page has been changed so that the visual order of elements match the tab order. This allows those who navigate with keyboards to access the Add New Tag or Add New Category area first.

Andrea Fercia, WordPress core committer and a member of the accessibility team, explains why the changes matter, “For accessibility, the visual order should always match the tab order. The main functionality in a page should just be the first thing in the source markup and other parts of the user interface should never be ‘skipped’.”

The following image shows the tab order of elements on the Tag management screen in WordPress 4.5. In order to reach the Add New Tag section, you need to tab through a number of checkboxes, each tag in the tag cloud, and various quick edit links. This is a time-consuming and frustrating process.

WordPress 4.5 Tag Management Element Order
WordPress 4.5 Tag Management Element Order

In WordPress 4.6, the Add New Tag section is the first visual element as well as the first section accessed when pressing the tab key.

WordPress 4.6 Tag Management Screen
WordPress 4.6 Tag Management Screen

The new flow is more logical and provides consistency between the tag and category management screens, “From an accessibility point of view, the content structure and organization will be easier to understand and navigate,” Fercia said.

WordPress theme and plugin authors who have added custom functionality to these screens are advised to double-check their code against the bleeding edge version of WordPress 4.6. There’s also an in-depth ticket where developers and users can see how the team reached a consensus to implement the changes. If you have any questions or concerns please leave a comment on the announcement post.

The WordPress.org Recommended Hosting Page is Revamped, Features Flywheel for the First Time

DreamHost, Flywheel, and SiteGround have joined Bluehost on WordPress.org’s new recommended hosting page. In mid 2015, Matt Mullenweg, co-founder of the open source WordPress project, announced the page would be revamped. To have a chance at being listed webhosting companies needed to fill out a 40-question survey.

2016 Recommended Hosts Page
2016 Recommended Hosts Page

This is Flywheel’s first time on the page. Flywheel, launched in 2013, is a managed WordPress hosting company with an emphasis towards designers and agencies. I asked Dusty Davidson, co-Founder and CEO of Flywheel, what it means to be included on the page. “We’re obviously excited to be included, and think it really reflects on the work we’ve done to create a great experience for WordPress users,” he said.

The recommended webhosting page on WordPress.org is incredibly lucrative. Based on conversations I’ve had with employees of hosts listed, it can generate millions of dollars in revenue. I asked Davidson what impact this will have on his company, “I’m sure it will undoubtedly send a good deal of traffic, but honestly we’re just humbled and excited to be recognized,” he said.

A New Round of Controversy

Over the years, companies have come and gone from the recommended hosting page. However, Bluehost in particular has consistently appeared on the list, including the most recent iteration. Bluehost is owned by Endurance International Group who invested in Automattic in 2014. Because Mullenweg is the CEO of Automattic and controls who is listed on the page, it’s easy to see why it regularly generates controversy.

Kevin Ohashi of ReviewSignal.com, criticized the lack of transparency regarding the process for how hosts.

Who is responsible for this revamp? What were the selection criteria? How often will it be updated? Will existing companies be continuously re-evaluated?

These are important questions to ask and there are no publicly documented answers. In a follow up post, Ohashi investigated what criteria needs to be met for being listed on the page. The post contains a number of screenshots of his private conversation with James Huff, who has volunteered for the WordPress project for 12 years and has worked at Automattic for five years.

Huff was directly related to the project and influenced who was chosen thanks to his involvement on the WordPress Support Team. Within the conversation, he shares details of the process and mentions that no money exchanged hands. However, Huff had no idea that everything he said would be made public.

“I was invited to what sounded like a friendly chat over direct message from a concerned community member, after he was referred to me by a friend,” Huff said. “At no point was it clarified or even implied that anything discussed would be made public.”

Conversations held in a private matter should remain private unless given permission to publish them, something I discovered the hard way. Unfortunately, the post comes across as a public interrogation of Huff. I asked Huff, who was shaken by the experience, how it has affected him moving forward as it relates to the WordPress project.

“I’d be lying if I said my feelings weren’t at least shaken by the experience, especially considering how polite he was to my friend and how hostile he was towards me apparently just because I work for Automattic, but this isn’t the first time that has happened to me and I don’t expect it to be the last,” he said.

“There’s an usually prevalent negative bias against Automatticians who contribute to WordPress.”

Mullenweg Provides Clarification

Mullenweg commented on the post where he not only sticks up for Huff, but answers some of the controversial questions raised by Ohashi. Mullenweg explains how the applicants were chosen, how the criteria is weighted, who makes the final decisions, and how much money is involved. Here is his comment in full.

‘I would like to see some transparency in the process’

As stated on the page, the listing is completely arbitrary. The process was: There was a survey, four applicants were chosen, and the page was updated. That might repeat later in the year, or the process might change.

‘how criteria are weighted’

There is no criteria or weighting. It ultimately is one person’s opinion. Information that is important is reflected in the questions asked in the survey, but that is not everything that is taken into account. (I have looked at this site in the past, for example.)

‘who is making the decisions’

I am. James helped in sorting through the many submissions that came in, doing additional research, and digging on finalists, but ultimately the decision was mine. You can and should blame me fully for any issues you have with it. I appreciate James’ help in this go-round, but he will not be involved at all with any future updates. (So, please leave him alone.)

‘how much money is involved’

There was no money involved. Obviously being listed on the page is hugely valuable and impacts the listed (or unlisted) businesses a great deal. This is why I take full responsibility for the listing, now and in the future — I have been fortunate to be extraordinarily successful and no financial or business consideration any of the applicants could offer matters to me. A host could offer $100,000,000 to be listed on the page for 1 day, and I would say no.

It’s unfortunate that the information in Mullenweg’s comment is not published in an official post announcing the changes to the recommended hosting page. If an official post was published that included the same information in his comment, it’s possible it would have eliminated most of the confusion, uncertainty, and doubt surrounding it.

Should WordPress.org Have a Recommended Hosting Page?

Due to the investments EIG has made in Automattic, Mullenweg’s role at the company, and him making the final decisions, there will always be a potential conflict of interest despite taking full responsibility of the page and the processes associated with it.

Should WordPress.org have a recommended hosting page? What if the page was replaced with information people could use to make informed decisions on choosing a host? It would eliminate potential conflicts of interest and if there was a host Mullenweg felt strongly about, he could label it as a partner of the project. This would make it clear that any financial connection with the company is a business relationship.

Are you hosting with any of the companies listed on the recommended hosting page? If so, tell us about your experience in the comments.

WordPress Accessibility Team Seeks Testers Using Speech Recognition Technology

photo credit: Let's Read - (license)
photo credit: Let’s Read(license)

The World Health Organization estimates that 285 million people worldwide are living with some form of visual impairment and 39 million of those are estimated to be blind. Many people with low vision depend on speech recognition technology to navigate the web and communicate their thoughts. This type of software also assists people who have carpal tunnel, RSI (Repetitive Stress Injuries) and/or limited mobility in their hands and arms.

Rian Rietveld and the Accessibility team are working to improve the experience of using WordPress with speech recognition software, such as Dragon Naturally Speaking (widely considered as one of the best for desktop use.) In particular, the task of adding media to a post has a number of obstacles that make it nearly impossible for those using speech recognition software.

Rietveld posted three tests to the Accessibility team’s blog today, inviting those who use Dragon Naturally Speaking or other assistive technology to help the contributors determine the roadblocks that need to be removed for adding media. These tests include actions like adding media, editing attachment details, and creating a gallery.

If you use WordPress with assistive technology for speech recognition, completing these tests and offering your feedback is one way to get involved as a contributor. You don’t necessarily have to use Dragon Naturally Speaking, as there are many newer alternatives such as Windows Speech Recognition (Cortana) and Chrome’s speech recognition powered by Google Speech to Text. Testers can report their experiences, along with the assistive technology/browser/OS, in the comments on Rietveld’s post.

Policy Reminder: Tracking Users

Do not, under any circumstances, track usage of your plugin without explicit consent.

If you want to ask your users if you can track them, by all means ask. But you may not require it, and you shouldn’t make it look like they have to in order to use your plugin. That’s being dishonest.

This has been a guideline for a very long time, it’s not negotiable. Assume people do not want to be tracked and have it to be an opt-in feature.

If your plugin uses Google Analytics, emails you on plugin activation, triggers some complex check on your servers when a plugin is updated, or tracks usage in any other way when a user has not clearly said “Yes, I allow you to track me,” your plugin will be removed from the repository and you will have to correct this in order to get it back.

This extends to ads provided by a third party service. If your plugin includes advertising from a third party service, then it has to default to completely disabled. This is to prevent tracking information from being collected from the user without their consent. Again, this is all about people opting into being tracked.

(For those thinking about using Adsense, don’t. Re-read their Adsense Display Guidelines and note that they do not want you to put ads on non-content pages … which is what the whole WP Dashboard is.)

Don’t assume that just because someone said they agreed to have usage tracked by you that they’re okay with usage tracked by someone else. Don’t be shady or vague. Tell people upfront “This is who will get the following data…”

Remember, user trust is paramount to your plugin’s success. If people find out you’re sneaky tracking them, you will lose that trust in a heartbeat and there’s nothing anyone can do to help you restore it.

A better color scheme chooser for Genesis

Most Genesis themes come with several color schemes. However, most of the time, these feature one prominent color. The built-in color scheme chooser is therefore a simple dropdown list of color names: Red, Green, and so on.

When I started talking to the Berkeley College of Engineering‘s Marketing staff about creating a flexible WordPress theme for the College’s various divisions to use, they mentioned early on that they’d like several different color schemes based on the university’s brand guide. Berkeley, as it turns out, has a fantastic color guide.

colorgrid800I had so much fun mixing up the colors that I couldn’t stop, and I very quickly found myself with twelve color schemes. (Really six, but each has a light and dark variation.)

The problem was that none of the color schemes had one single standout color; they each had more like four. And that meant that the usual Genesis color-name dropdown was not going to cut it.

Instead, I removed the original Genesis Color Schemes meta box and replaced it with a new one based on the Layout Settings box. I created icon images for each color scheme, added a few lines of CSS to accommodate my images’ taller height, add space for captions, and make the selector border stand out a little more.

The end result gives site owners a much better idea of what the color schemes look like.


Here’s the PHP. You’d need to copy this to your theme (probably in functions.php) to create something like this for your site:

Note that there are images for each color scheme, all stored in the theme’s /images subdirectory. You might need to change the filename and path logic, depending on your setup.

And here’s the admin-style.css file referenced:

Read more about the Berkeley College of Engineering theme project.

Why should you focus on multiple keywords?

In Yoast SEO Premium you’re able to focus on multiple keywords. If you use our tool correctly, your text can be optimized for up to five keywords. In this post, I’ll explain to you why it’s important to use the multiple focus keyword functionality while optimizing your text.

how to use multiple focus keywords

Explaining (multiple) focus keywords

The Yoast SEO plugin helps you to optimize each and every post (or page) you write. Imagine yourself having a travel blog. For your travel blog, you’re writing a blog post about a road trip through California. The focus keyword is the word or phrase your audience will use in the search engines and for which you want your post to rank. In order to choose your focus keyword wisely, you should do some research! In our example, the most important keyword would be ‘road trip California’. Sometimes it’s hard to choose one keyword because you want a post to rank for more than one specific focus keyword. Perhaps you would also like to rank for a synonym or for a slightly different keyword. That’s when the multiple focus keywords come in handy! Let’s look at 4 examples in which optimizing for multiple keywords is the best strategy.


People search for different things. While some people will use the term road trip when searching for their vacation, others could very well use vacation, holiday or trip. To reach different groups of people, you should make sure that your post will rank for these different keywords.

More than one topic

Sometimes a post is about more than one topic or has a few subtopics. Our article about the road trip to California could be about planning for the road trip, as well as sightseeing in California. These two topics could very well fit into one article. In this case, you would like your article to rank for ‘sightseeing California’ as well as for ‘planning road trip’. And, you’d also like to rank for your most important keyword ‘road trip California’.

multiple focus keywords: multiple topics shown in google trends

Long tail keyword variants

A great strategy to get your content to rank in Google is to focus on long tail keywords. Long tail keywords will have far less competition and will be relatively easy to rank for.

If you were able to rank for multiple long tail keywords with one post, that would make it even more fruitful. Addressing multiple long tail variants of your focus keyword will be a great strategy. Optimizing your post for different long tail variants will give you the opportunity to be found for more search terms. In our example, one could, for instance, focus on road trip California and on two long tail variants: ‘road trip southern California’ and ‘road trip northern California’.

multiple focus keywords: long-tail keyword variants shown in Google trends

Key phrases

If people seek something rather specific, they tend to use key phrases. Sometimes, the word order of the words within these key phrases (and the use of stopwords) is important. If the word order and the use of stopwords is important, we would advise you to optimize your post on different variations of your focus keyword.

While investigating how Google handles stopwords, we found that a search term like ‘road trip California’ is handled in exactly the same manner as ‘California road trip’. The order of the words is irrelevant to Google. However, for the search [road trip in California], Google tries to find the exact match (and the order of the word is important). So, search queries with stopwords seem to be handled a bit different by Google.

multiple focus keywords: key phrases difference shown in google trends

How to use multiple focus keywords

Optimizing your post for multiple focus keywords is really easy! You should purchase Yoast SEO Premium and click on the tab in the Yoast SEO Premium box to add a new keyword:

multiple focus keywords: click plus sign to add a focus keyword

A new box will open and you can enter the second focus keyword you’d like to optimize your post for:

multiple focus keyword: input field

The plugin will run a check on the content to see if your post is optimized for all the focus keywords you entered.

Read more: ‘Blog SEO: befriend the long tail’ »

What Do You Think of the Recommended Plugins Page in WordPress?

In late 2014, WordPress 4.1 added a Recommended Plugins tab that takes into account the plugins you have installed and suggests plugins based on which ones are commonly used together. After nearly a year and a half since it was added, I asked the Tavern’s Twitter followers if they have ever installed plugins recommended by WordPress.

I was surprised to discover that some people don’t know the tab exists.

Steve Brown says the recommendations are useful.

Some people view the page as an opportunity for Automattic to advertise its plugins while others don’t trust the recommendations.

When I viewed the recommended plugins page in 2014, the results displayed plugins that weren’t updated in years.

Plugins Recommended To Me Based on Data of Sites with Similar Plugins Installed
Plugins Recommended To Me Based on Data of Sites with Similar Plugins Installed

Today, the page displays more relevant results with recently updated plugins. On the first page of results for WP Tavern, only one plugin from Automattic is recommended. The second page of results doesn’t list any plugins authored by Automattic.

Recommended Plugins in 2016
Recommended Plugin Results in 2016

To help determine how useful the recommended plugins page is, I’d like you to take this short survey. Results will be displayed on Tuesday, May 17th. In addition to the survey, you can leave your feedback in the comments.

WordPress Performance Issue Revisited

Following up on my recent performance report with essentially some conclusive results. Turns out that the reported issue is related more directly to the version of PHP than to the version of WordPress. So in other words, WordPress runs a bit faster on newer versions of PHP. As explained previously, after I upgraded my sites to WordPress 4.4, Googlebot reported slightly longer load times for my pages. The slower loading average was seen across numerous sites, and it looked like the WordPress 4.4 update was to blame.

Getting feedback

So I posted about the issue with some screenshots and put it out there to get some feedback and insight as to what was happening. Who knows, perhaps others were experiencing (or not experiencing) similar performance issues. Fortunately, a short time later readers were chiming in with all sorts of useful feedback and ideas:

Comment by Brandon:

Its very well that you have one plugin or theme used on all the sites that runs slower with version 4.4.

Comment by Pace:

Do they all run jetpack? Connected to your WP.com account?

Comment by Kristian:

Checked 9 of my sites, if anything my times have gone down like 5%.

Comment by Joan:

Just wondering if it’s some server configuration. Media Temple are pretty good though… PHP7?

Comment by Connie:

It seems that the reason for this is un outdated PHP-version, after updating PHP from 5.3.7 to 5.6.1 (if I remember right), the same installation got noticeable faster with PHP 5.6.1.

After ruling out some of these possibilities, it became clear that the performance decrease probably was due not to WordPress but rather to running an older version of PHP, version 5.4 (Media Temple’s default version). Soon thereafter I upgraded all sites to PHP 5.6 (the most recent version available running Plesk 12.0). After upgrading I waited about six weeks to give Googlebot plenty of time to collect more crawl data. Here are the results:

[ Google Webmaster Tools: WP-Mix.com ]

[ Google Webmaster Tools: Perishable Press ]

[ Google Webmaster Tools: WP-Tao.com ]

[ Google Webmaster Tools: eChunks.com ]

[ Google Webmaster Tools: htaccessbook.com ]

[ Google Webmaster Tools: Plugin-Planet.com ]

[ Google Webmaster Tools: DigWP.com ]

Compare with previous screenshots

As you can see, upgrading to PHP 5.6 eliminated extra loading time required by WordPress 4.4, thereby restoring my sites’ performance to their previous optimized baselines. So if you compare a set of before/after screenshots:

[ Google Webmaster Tools: PerishablePress.com ]
Perishable Press running PHP 5.4 & WP 4.4

[ Google Webmaster Tools: Perishable Press ]
Perishable Press running PHP 5.6 & WP 4.4

..you’ll see that running PHP 5.4 and upgrading to WP 4.4 in December resulted in a performance decrease. Then later running WP 4.4 and upgrading to PHP 5.6 in March resulted in a performance increase, thereby restoring load times to their previously recorded amounts. And on some sites, loading times are even faster than they were before.

Thrilling conclusion

I’m guessing at this point that upgrading to PHP 7+ would result in an even greater performance boost, especially as WordPress continues making strides toward the latest techniques and functionality. So that brings us to the moral of this two-part story:

WordPress runs a bit faster on newer versions of PHP.

If you’re running WordPress 4.4 or better and care about things like performance, optimization, and SEO, it is highly recommended that you run at least PHP 5.6 to keep your site operating at maximum efficiency.

Next year, I’ll be working on upgrading to PHP 7 or whatever is available by then, but for now I am satisfied with the improved performance of PHP 5.6 running latest WordPress.

Thank you to everyone who shared feedback and ideas to help resolve this issue :)

Complete Guide to WordPress Admin Notices

As you work in the WordPress Admin Area, you'll undoubtedly encounter "admin notices" that let you know about errors, updated settings, required actions, and so forth. Most default admin notices are provided by WordPress out of the box, but it's up to plugins and themes to provide any custom notices that may be required. This DigWP tutorial digs deep into WordPress admin notices and explains how to implement, customize, and everything in between.


WordPress 4.5.2 Patches Two Security Vulnerabilities

The WordPress core team has released WordPress 4.5.2 which patches two security vulnerabilities in WordPress versions 4.5.1 and below. The first is a SOME vulnerability (Same-Origin Method Execution) in Plupload, the third-party library WordPress uses for uploading files. The second is a reflected cross-site-scripting vulnerability in MediaElement.js, the third-party library used for media players.

Auto updates are rolling out to sites but if you don’t want to wait, browse to Dashboard > Updates and click the Update Now button. Mario Heiderich, Masato Kinugawa, and Filedescriptor of Cure53 are credited with responsibly disclosing the vulnerabilities.

In addition to the release, the core team has published a post concerning the multiple vulnerabilities discovered in ImageMagick, a popular image processing script used on thousands of webhosting servers. The post describes how WordPress is affected and what the team is doing to mitigate issues.

Handling Bad Reviews

In general, the Plugin Review team is not the go-to recourse for bad reviews.  Instead, we have a totally brilliant forum support team! There’s some overlap of jurisdiction of course, and some of us are on both teams, but the point here is you should go to the right group to get the right help.

I’m also going to put this out there. You will get a bad review. Most of the time, it will not be deleted. So before you get any further in this post, know that the way you chose to respond, in public, to a 1-star review of your plugin is your own choice.

Our goal with the WordPress.org repository is to have a good place for users to get plugins that fulfill their needs. The reviews are an extension of that, and should viewed as a way for users to educate other users on their experiences. Also a review is about an experience. If someone’s experience with your product is poor, that doesn’t make their review invalid. And to go back to that previous statement, the way you react to those poor experiences is going to impact your reputation, and that of your plugin, a heck of a lot more than that review.

Now, that said, we have a few ‘common’ types of problems with reviews. This post is going to help you handle them and explain when you should call for help, as well as from whom. Later on we’ll be adding it to our documentation, once it’s refined as best we can make it. Please remember, we do not want to make a ‘rule’ for everything. That just invites people to play rules-lawyers and tip over everyone’s cornflakes.

Here’s how you do it and when and why.

First off… How to add a tag!

99.999999% of the time, you’re going to be adding ‘tags’ to posts. This is so easy, you may kick yourself for missing it. On a post, look on the right hand side, under About this Topic and you’ll see a section for Tags

Tags are listed on the right hand side of a post

This is a free-form field where you can add any tag you want. Anyone can add any tag. The forum moderators have an easy way to know who added what, though, so keep in mind we do monitor that. If you want to add a tag to a post and reply, add the tag, press the Add button, and THEN come back to reply. It works better.

Tag abuse (that is calling moderators needlessly) is not okay. Be smart. Be thoughtful. Remember that every last member of the forum and plugin teams is a volunteer. We’re not being paid by Automattic to do this.

The spam review

This is easy. Don’t reply, just add the tag modlook to the post and walk away. The forum team will delete it. If you think it may not be obvious spam, add the tag spam as well.

The sockpuppet review

When a person (or group of persons) makes multiple accounts with the sole intention of leaving reviews on their own plugins (or leaving poor reviews on their competitors), this is called being a Sock Puppet.

This behavior is expressly NOT welcome on the WordPress Forums as it is spamming. But it comes in two flavors:

  1. Someone 5-star spamming their own plugin
  2. Someone 1-star spamming their competition

Both are bad behavior. Both will get plugins removed from the repository and a stern email from us. If you’re doing this, stop right away. Contact your team and tell them ‘Don’t do this!’ Also keep in mind, asking everyone in your company to 5-star review your own plugins is gauche. I mean, really. You’re stacking the deck on purpose and that’s not beneficial to anyone.

Again, do not reply! Add the tag modlook AND sockpuppet to the post and walk away.

The attack/troll review

These are the worst. When someone attacks you and the review seems like all it exists for is to make you feel terrible, you’re going to have to take a deep breath and walk away. An attack is a troll, regardless of how the original poster (OP) feels, they’ve basically been a troll. They’re writing something they know will make you mad and hurt and angry, and they’re doing it on purpose. That’s a troll. And you shouldn’t feed the trolls. You won’t win, and you’ll just make yourself look bad.

Again, do not reply! Add the tag modlook to the post and walk away. These are usually pretty self evident after all.

The review that should have been a support post

This includes the sub-genre “People who submit 1-star reviews in order to emotionally blackmail you for support.”

We all get them.

  1. Reply with a link to the support section of your plugin (or directions on how to get support, or even a note that you don’t provide free support) and remind them that next time, they should ask for help before reviewing.
  2. See if you can fix the problem, but give it no more or less priority than you would any other support request.
  3. If you can solve it, ask them to modify their review. If they go back to https://wordpress.org/support/view/plugin-reviews/PLUGINNAME and scroll to the bottom, they can edit their reviews!

You’ll notice we’re not telling you to tag the post? Right now we can’t move a review into the support forums and vice versa, so there’s really no point. The forum moderators won’t do anything about it except say “Well, that does suck.” If we could move them, we would, but right now we technically don’t have that ability.

The review about your premium/pro version

If you upsell your plugin’s pro version in the free one, and someone leaves a bad review because the pro version they bought, on the basis of your free one, is bad, congratulations. The review stays. You opened the door with your upsell, encouraging them to do this, and that experience reflects on your plugin as a whole.

If you do not upsell, and there’s no direct link between the free and pro version, or the plugin having the issue is a premium only add-on, tag it modlook and someone will come take a look.

The review about someone else’s plugin

This one can be fixed! Reply and let them know it’s not your plugin, it’s the other one, and then tag it modlook and then use the tag wrongplugin (all one word) to let the mods know what’s going on.

But I really need a plugin moderator!

Okay. So you think you’re an exception? Use the tag pluginmod and a plugin admin will come take a look. Be prepared, though, as we generally will perform a full review on your plugin and any and all guideline violations will result in your plugin being removed until you fix them. Including using too many tags.

How to Show Confirm Navigation Popup for Forms in WordPress

Accidentally closing a page without submitting your comment or with a half filled form is annoying. Recently, one of our users asked us if it was possible to show their readers a confirm navigation popup? This tiny little popup alert users and prevent them from accidentally leaving half filled and unsubmitted form. In this article, we will show you how to show confirm navigation popup for WordPress forms.

Confirm navigation popup when user leaves a form unsubmitted

What is Confirm Navigation Popup?

Let’s suppose a user is writing a comment on your blog. They have already written quite a few lines, but they get distracted and forget to submit comment. Now if they closed their browser, then the comment will be lost.

The confirm navigation popup gives them a chance to finish their comment.

You can see this feature in action in the WordPress post editor screen. If you have unsaved changes, and you try to leave the page or close the browser, then you will see a warning popup.

Unsaved changes warning popup in WordPress post editor

Let’s see how we can add this warning feature to WordPress comments and other forms on your site.

Show Confirm Navigation popup for Unsubmitted Forms in WordPress

For this tutorial, we will be creating a custom plugin, but don’t worry you can also download the plugin at the end of this tutorial to install on your website.

However, for better understanding of the code, we will ask that you try to create your own plugin. You can do this on a local install or a staging site first.

Let’s get started.

First you need to create a new folder on your computer and name it confirm-leaving. Inside the confirm-leaving folder, you need to create another folder and name it js.

Now open a plain text editor like Notepad and create a new file. Inside, simply paste the following code:

 * Confirm Leaving 
 * Plugin Name: Confirm Leaving
 * Plugin URI:  https://www.wpbeginner.com
 * Description: This plugin shows a warning to users when try they forget to hit submit button on a comment form. 
 * Version:     1.0.0
 * Author:      WPBeginner
 * Author URI:  https://www.wpbeginner.com
 * License:     GPL-2.0+
 * License URI: http://www.gnu.org/licenses/gpl-2.0.txt
function wpb_confirm_leaving_js() { 

     wp_enqueue_script( 'Confirm Leaving', plugins_url( 'js/confirm-leaving.js', __FILE__ ), array('jquery'), '1.0.0', true );
add_action('wp_enqueue_scripts', 'wpb_confirm_leaving_js'); 

This php function simply adds a JavaScript file to the front-end of your website.

Go ahead and save this file as confirm-leaving.php inside the main confirm-leaving folder.

Now we need to create the JavaScript file that this plugin is loading.

Create a new file and paste this code inside it:

jQuery(document).ready(function($) { 

$(document).ready(function() {
    needToConfirm = false; 
    window.onbeforeunload = askConfirm;

function askConfirm() {
    if (needToConfirm) {
        // Put your custom message here 
        return "Your unsaved data will be lost."; 
$("#commentform").change(function() {
    needToConfirm = true;


This JavaScript code detects if user has unsaved changes in comment form. If a user tries to navigate away from the page or close the window, it will show a warning popup.

You need to save this file as confirm-leaving.js inside the js folder.

After saving both files, this is what your folder structure should look like:

Plugin file structure

Now you need to connect to your WordPress site using an FTP client. See our guide on how to use FTP to upload WordPress files.

Once connected, you need to upload confirm-leaving folder to /wp-contents/plugins/ folder on your website.

Uploading plugin files to your WordPress site

After that you need to login to the WordPress admin area and visit Plugins page. Locate the ‘Confirm Leaving’ plugin in the list of installed plugins and click on ‘activate’ link below it.

Activate plugin

That’s all. You can now visit any post on your website, write some text in any field of the comment form and then try leaving the page without submitting. A popup would appear, warning you that you are about to leave a page with unsaved changes.

popup notification warning user about unsaved changes

Adding The Warning to Other Forms in WordPress

You can use the same code base to target any forms on your WordPress site. Here we will show you an example of using it to target a contact form.

In this example, we are using the WPForms plugin to create a contact form. The instructions will be the same if you are using a different contact form plugin on your website.

Go to the page where you have added your contact form. Take the mouse over to the first field in your contact form, right click, and then select Inspect from the browser menu.

Finding form ID

Locate the line that starts with the <form> tag. In the form tag, you will find the ID attribute.

In this example, our form’s ID is wpforms-form-170. You need to copy the ID attribute.

Now edit the confirm-leaving.js file and add the ID attribute after #commentform.

Make sure you separate #commentform and your form’s ID with a comma. You will also need to add # sign as prefix to your form’s ID attribute.

Your code will now look like this:

jQuery(document).ready(function($) { 

$(document).ready(function() {
    needToConfirm = false; 
    window.onbeforeunload = askConfirm;

function askConfirm() {
    if (needToConfirm) {
        // Put your custom message here 
        return "Your unsaved data will be lost."; 

$("#commentform,#wpforms-form-170").change(function() {
    needToConfirm = true;


Save your changes and upload the file back to your website.

Now you can enter any text into any field of your contact form and then try to leave the page without submitting the form. A popup will appear with a warning that you have unsaved changes.

You can download the confirm-leaving plugin here. It only targets the comment form, but feel free to edit the plugin to target other forms.

That’s all, we hope this article helped you show confirm navigation popup for WordPress forms. You may also want to try your hands on these 8 best jQuery tutorials for WordPress beginners.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post How to Show Confirm Navigation Popup for Forms in WordPress appeared first on WPBeginner.

What the Queries

I’ve never been a fan of IDEs, complex debugging tools with breakpoints, variable watch lists and all that fancy stuff. var_dump() and print_r() have always been my best friends.

Recently I was playing around with the caching arguments in WP_Query, trying to combine that with update_meta_cache() while sticking wp_suspend_cache_addition() somewhere there in the middle, and it quickly became a mess, so I wanted to know what queries am I actually running under the hood.

I came up with this little piece, which I think I’ll use more often from now on:

// Assuming SAVEQUERIES in set to true.
$GLOBALS['wpdb']->queries = array();

// All the magic goes here

var_dump( $GLOBALS['wpdb']->queries );

This gives you a nice list of SQL queries that were triggered only by that magic code in between. Works great when you need a quick sanity check on all those caching arguments, priming meta or term caches, splitting queries and whatnot.

Obviously it empties the initial set of queries, so anything in Debug Bar, Query Monitor, etc. will no longer be accurate.

What’s your favorite way to keep track of queries?

Click here to comment

More from Konstantin Kovshenin

How to use the content analysis of Yoast SEO

The Content Analysis Tool in the Yoast SEO plugin measures many aspects of the text you’re writing. These checks run real-time, so you’ll receive feedback while writing! The content analysis helps you to make your text SEO-friendly. In this post, I’ll first describe the most important features of the Content Analysis Tool. After that, I’ll explain how to use and interpret these features.

Yoast SEO content analysis

Most important features

1.  The plugin allows you to formulate a meta description. This description has to be a short text describing the main topic of the page. If the meta description contains the search term people use, the exact text will be shown by Google below your URL in the search results.

2.  The plugin analyzes the text you write. It calculates the Flesch reading-ease score, which indicates the readability of your article. The Flesch reading-ease score takes into account sentence length, for example. In the future, we’ll add more checks on readability. This will allow you to check the SEO and readability of your text simultaneously.

3. The plugin does numerous content checks on your page. It checks whether you use your focus keyword in:

The plugin also checks the presence of links and images in the article. It calculates the number of words and the density of usage of the focus keyword in the article. Moreover, the plugin checks whether you’re using the same focus keyword on other pages of your website. This should prevent you from competing with yourself.

If you write a relatively SEO-friendly text (based on the aspects mentioned above) the plugin will indicate this with a green bullet. Writing pages that are rewarded with green bullets will help you improve the ranking of those pages.

Two warnings before you start!

When you optimize your post for a certain keyword, keep two things in mind:

  • The first thing is that in this phase (the final, optimizing phase) you shouldn’t change any major things in your article. If you’ve put effort into writing an attractive, structured and readable text, the optimization process should in no way jeopardize that.
  • The second thing is that you shouldn’t change your keyword strategy in this phase. If you’ve done your keyword research properly and you’ve written your post or your article with a focus keyword in mind, don’t go change your focus keyword now! Read The temptation of the green bullet for more in-depth information about that.

7 simple steps to optimize your text

Step 1: Put your text in the WordPress backend

Distraction free writing

WordPress has a distraction-free writing mode that enables you to write in the WordPress backend without being distracted by the menu, the toolbar, the categories box, etc.Distraction free writing mode

You’ve written your article or your blog post. You can write directly in the backend of WordPress or write in any kind of text editor and copy your text into the WordPress backend. Do whatever you like!
If you choose to copy your text in the WordPress backend, copy without the layout. You should adapt the layout in the backend, as otherwise you might run into some layout problems. Make sure to set subheadings into heading 2, sub-subheadings to heading 3 and so on. Then put the title of your post in the title box.

Step 2: Enter your focus keyword

Scroll down to the Content Analysis Tool in the WordPress backend. Enter your focus keyword in the appropriate field of the Yoast SEO Metabox. Your focus keyword is the keyword you would like your post to rank for. Ideally, this should be a keyword which emerged from your keyword research and which you have kept in mind during the entire writing process.

Read more: ‘How to choose the perfect focus keyword’ »

Snippet editor in Yoast SEO

Yoast SEO premium offers the possibility to optimize one article for more than one focus keyword. Optimizing your post for more than one search term allows you to rank for more keywords and to gain traffic to your site through more keywords.

Step 3: Write a meta description

Enter the meta description of your post. Describe clearly what your post or article is about. And make sure you use the exact phrase of your focus keyword. The meta description will be shown by Google below the URL if people search for your focus keyword.

The meta description in the Yoast SEO content analysis

It’s important that the meta description contains the focus keyword. Not because it will improve your rankings, but because otherwise Google usually won’t show your meta description in the search results. Google will try to match the search query with the description. If the focus keyword isn’t mentioned in the meta description, Google will just grab a random piece of content from your page containing the keyword.

The meta description shouldn’t be too long. On the other hand, there’s no ‘penalty’ for having too long meta descriptions either. What you should pay attention to is: 1. the logical bits of it are of the right length and, 2. when it’s cut in half, it still makes sense and still entices people to click.

Keep reading: ‘How to create the right meta description’ »

Step 4: Fine-tune your headings

Look critically at your title, the headings and subheadings of your article. Do these contain your focus keyword? If not, can you alter them (without changing the structure or content of your article) in such a way that they will contain your focus keyword? Don’t put your focus keyword in all of your headings though! That is too much. Using your focus keyword in one heading and in your title should be enough. You can read more about headings in one of Michiel’s posts.

Step 5: Fine-tune your body text

You should also mention the focus keyword in your text a couple of times. Make sure to mention it in the first paragraph. Throughout the text, you should mention it again. As a general rule of thumb: try to use your search terms in about 1 to 2 percent of your text. Say your article has 300 words, that means you should mention your search terms 3 to 6 times. 300 words isn’t the exact goal, nor is the amount of keyword mentions. However, 300 is a decent minimum for the number of words of an article that needs to show authority.

Step 6: Check your bullets!

Clicking on the Content Analysis tab will allow you to see which aspects of the search engine optimization process were successful. The green bullets show which aspects are good. Orange and red bullets indicate where you can improve your SEO strategy. You don’t have to keep on optimizing until all of the bullets are green. Posts on Yoast.com, often have a few orange bullets and sometimes even one or two red bullets. The important thing is that the overall bullet (the one on the upper right in the backend of your post) should be green. The overall bullet will become green if the majority of your SEO aspects are covered.

Overall SEO score in the publish box

Overall SEO score in the publish box


Step 7: Fill out the Social data

The final step to take in the Yoast SEO meta box is filling the Social data. If you fill out a description or title for a social network on this tab, it’s shown in the metadata for the page. This means this description, title or image will be shown when the page is shared on the respective social network. These descriptions basically have the same requirement as the meta description (which is what they fall back to), but usually can be longer. They should tell people what to expect and why they should click.

Social previews

The preview screenshots on the left are taken from Yoast SEO Premium, in free, you won’t see those previews, just the fields!

Twitter preview  Facebook social preview

Read on: ‘10 tips for an awesome and SEO-friendly blog post’ »