I’m speaking at WordCamp Europe 2015

Image: avatars of the eight WordCamp Europe speakers announced today. Along with Tenko Nikolov, Silvan Hagen, Wouter Groenewold, Juliette Reinders Folmer, Eric Mann, Daniel Pataki and Bryce Adams, who were all announced today as speakers at WordCamp Europe 2015.

We have another group of speakers to introduce you to today. They come from across the WordPress community and around the world. We hope you’re as excited as we are about seeing them in Seville in just a few months!

Source: Welcome to another group of WordCamp Europe speakers | WordCamp Europe 2015

I’m excited to be heading to Seville this June to present at WordCamp Europe.  This is going to be my first time presenting to the European WordPress community.  I’m hoping to meet a number of people I’ve never met and also to hear about all the exciting things other people are working on.

Reporting Plugin Issues

Note: I’ll be using Hello Dolly as my example ‘bad’ plugin for this post. It’s fine and not (to my knowledge) vulnerable.

There are a few reasons people report plugins but the main two are as follows:

  • Guideline violations
  • Security vulnerabilities

If you report a plugin, you can make everyone’s life easier if you do the following:

Verify that it’s still applicable

Before you do anything, check whether the vulnerability is still present in the latest version of the code. If it’s not, we may not do anything about it, depending on how popular the plugin is.

Use a good subject line

“Plugin Vulnerability” is actually not good at all. “Plugin Vulnerability in Hello Dolly – 0 Day” is great.

Send it in plain text

SupportPress is a simple creature. It doesn’t like your fancy fonts and inline images. Attachments are fine, but we cannot read your ‘Replies in-line in red’ so just keep it simple.

Link to the plugin

https://wordpress.org/plugins/hello-dolly/

Yes, it’s that easy. Put the URL on its own line, with no punctuation around it, for maximum compatibility. With over 35k plugins, and a lot with similar names, don’t assume, link.

If the plugin is not hosted on WordPress.org, I’m sorry, but there’s nothing we can do, so please don’t bother reporting it to us. We have no power there.

Explain the problem succinctly

Keep it simple.

“Hello Dolly has an XSS vulnerability” or “The Author of Hello Dolly is calling people names in the forums” or “Hello Dolly puts a link back to casino sites in your footer.”

Think of your intro like a tweet. Boil it down to the absolutely basic ‘this is what’s wrong.’

Keep the details clear

If someone’s acting up in the forums, link to the forum threads.

If you know that on line 53, the plugin has a vulnerability (or a link back to that casino site), then you can actually link right to that line: https://plugins.trac.wordpress.org/browser/hello-dolly/tags/1.6/hello.php#L53

We love that. If you don’t have that line, it’s okay. Tell us exactly what you see. “When I activate the plugin using theme X, I see a link to a casino site by my ‘powered by WordPress’ link.” Perfect. Now we know where to look when we test.

Show us how to exploit it

Don’t ask us ‘Can I send you an exploit?’ Just send us all the information. If the exploit’s already up online, like on Secunia, link us to it.

If you know exactly how to exploit it, tell us with a walk through. If the walkthrough involves a lot of weird code, you may want to consider using a PDF.

We’re going to take that information and, often, pass it on directly to the developers.

Tell us if you want them to have your contact info

We default to not passing it on, out of privacy, so “If the developer needs more help, I can be reached at…” is nice. Even “You can give the developer my information so they can credit me…”

We’re probably not going to follow up with you

We love the report, we review them, but we’re not going to loop you back in and tell you everything that’s going on for one very simple reason. We don’t have the time. If you told us to give the dev your contact info, then we did, but we have no way to promise they will follow up with you, and we don’t have the time to play middle management.

Emailing us over and over asking for status gets your emails deleted. It’s not personal, it’s seriously a time issue. We’re nothing more than gatekeepers, we are not a security company and we’re not equipped for keeping everyone up to date. We don’t have an administrative assistant to handle that. We work with the developer to fix the issue and we work with the .org team to see if we need to force update the plugin, and that takes a lot of time.

We don’t do bounties

This is a little interesting but basically we’re not going to pay you. A lot of people ask for ‘credit’ so they can ‘earn’ a bounty, and that’s cool, but we’re not going to report that for you. We don’t have the time, again. Generally if you say you want a bounty, we give your info to the plugin dev, though, so they do know you’re interested.

How do you report?

You can report plugins by emailing plugins@wordpress.org

That’s it :) Thanks!

What’s new with the Customizer

Been a while since I wrote something. Let’s talk about some of the new stuff available in the Customizer.

Forget about some of part two

First, back in part two, I had a bit about Surfacing the Customizer. That bit is outdated now, WordPress does this for you in later versions. So, yeah, skip that.

Shiny new thing: Panels

Okay, so Panels aren’t that new. They were added in WordPress 4.0. Basically, they’re sliding containers for sections. Having trouble fitting all your settings on the screen? Group the various sections up into Panels. Panels show up as an item in the main list, and when you click the arrow next to them, the whole list glides off screen to show only those sections.

So, now we have four things: Panels, Sections, Controls, and Settings.

  • Panels group Sections together
  • Sections contain Controls
  • Controls are what the user changes
  • Settings define what the Controls change

Creating a panel is easy:

$wp_customize->add_panel( 'some_panel', array(
	'title' => 'Panel 1',
	'description' => 'This is a description of this panel',
	'priority' => 10,
) );

Adding a section to that panel is just as easy:

$wp_customize->add_section( 'themedemo_panel_settings', array(
	'title' => 'More Stuff',
	'priority' => 10,
	'panel'	=> 'some_panel',
) );

All that’s new is a panel setting to tell the section to go into that panel. Simple.

Active Callbacks

One of the problems with the Customizer was that it displayed settings and showed them changing on the site to your right, but the site being displayed is the actual site. Meaning that you can navigate on it. Sometimes, the controls being shown don’t necessarily apply to the actual site that you’re seeing.

Example: If you have a control to change the color of something in the sidebar, but then are looking at a page which has no sidebar, then you have no visual feedback to tell you what the change looks like.

To fix this, “active callbacks” are used.

The active_callback is simply a new parameter that you can pass into Panels, Sections, or Controls. It can contain the name of a function, and that function will be called when the page changes. The function should return true or false (or equivalent) to indicate whether or not the element of the customizer should be shown for that page.

So, if you have a whole Panel that only makes sense when the user is looking at the front page of the site (and not an individual post), then you can do this:

$wp_customize->add_panel( 'front_page_panel', array(
	'title' => 'Front Page Stuff',
	'description' => 'Stuff that you can change about the Front Page',
	'priority' => 10,
	'active_callback' => 'is_front_page',
) );

And voila, when the user is not looking at the front page, the panel simply disappears.

You can use any of the normal WordPress Template Tags for this, or write your own function if you want to be more specific about it.

If you do need to write your own callback function, note that the function receives the object in question when it’s called. So, if you attach an active_callback to a Panel, your function will get an argument of the WP_Customize_Panel object in question passed to it. Sections get WP_Customize_Section and such. You can use the information in these to decide whether the panel (or whatever) should be shown for that page.

So, how do we use that object? Well, you can use this to make whether certain controls show or not dependent on the values of other settings. All the various items you can use this on have a link back to the main WP_Customize_Manager. That class has a get_setting function, which you can use to determine what to do.

So, let’s make a control that causes other controls to appear, dependent on a setting.

First, let’s make a simple radio selection control:

$wp_customize->add_setting( 'demo_radio_control', array(
	'default'        => 'a',
) );

$wp_customize->add_control( 'demo_radio_control', array(
	'label'      => 'radio_control',
	'section'    => 'themedemo_panel_settings',
	'settings'   => 'demo_radio_control',
	'type'       => 'radio',
	'choices'    => array(
		'a' => 'Choice A',
		'b' => 'Choice B',
	),
) );

Now, we need to make two other controls, one for each choice. You can actually make as many as you like, we’ll keep it simple.

First, the control for choice A. Let’s make it a simple text control.

$wp_customize->add_setting( 'choice_a_text', array(
	'default' => '',
) );

$wp_customize->add_control( 'choice_a_text', array(
    'label'      => 'Choice A: ',
    'section'    => 'themedemo_panel_settings',
    'type'       => 'text',
    'active_callback' => 'choice_a_callback',
) );

We’ll need that callback function to detect if choice A is selected in the radio control, and return true if it is, and false otherwise. Like so:

function choice_a_callback( $control ) {
	if ( $control->manager->get_setting('demo_radio_control')->value() == 'a' ) {
		return true;
	} else {
		return false;
	}
}

You can simplify that if you like, I spelled it out with an if statement so as to be clear as to what is happening.


Now for choice B, let’s make it display a color control instead:

$wp_customize->add_setting( 'choice_b_color', array(
	'default' => '#123456',
) );

$wp_customize->add_control( new WP_Customize_Color_Control( $wp_customize, 'choice_b_color', array(
	'label'   => 'Choice B',
	'section' => 'themedemo_panel_settings',
	'settings'   => 'choice_b_color',
	'active_callback' => 'choice_b_callback',
) ) );

And its callback:

function choice_b_callback( $control ) {
	if ( $control->manager->get_setting('demo_radio_control')->value() == 'b' ) {
		return true;
	} else {
		return false;
	}
}

Now, note that the callbacks are very similar. Seems like repeated code, doesn’t it? Well, it is, but remember that the $control here is the whole WP_Customize_Control object. We can use the same callback and simply check which control is calling it here instead.

function choice_callback( $control ) {
	$radio_setting = $control->manager->get_setting('demo_radio_control')->value();
	$control_id = $control->id;
	
	if ( $control_id == 'choice_a_text'  && $radio_setting == 'a' ) return true;
	if ( $control_id == 'choice_b_color' && $radio_setting == 'b' ) return true;
	
	return false;
}

So, instead of using two different callbacks, we just point our controls to this callback, which figures out what should show up for which setting. I’m sure you can simplify this further, depending on your particular needs.
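Here is the whole thing from this post wired up end to end, as an added example that is not code from the original post. It registers the panel, the section, the radio control and the two dependent controls inside one customize_register callback, and it adds what the snippets above leave out: a sanitize_callback on every setting (without one, whatever the customizer posts is saved as-is), a radio sanitizer that only accepts keys of the choices array, one active_callback with a lookup map instead of the two near-identical callbacks, and escaping on output. The themedemo_ function names, the wp_footer output and the regex check on the front end are my additions; the setting and control IDs are the ones used above.

```php
<?php
/*
 * Added example (not Otto's code). Everything below the comment block is
 * plain Customizer API usage; the themedemo_ names are assumptions.
 */

add_action( 'customize_register', 'themedemo_customize_register' );

function themedemo_radio_choices() {
	return array(
		'a' => 'Choice A',
		'b' => 'Choice B',
	);
}

// sanitize_callback receives ( $value, $setting ). Only a key of the choices
// array is ever stored; anything else falls back to the setting's default.
function themedemo_sanitize_radio( $value, $setting ) {
	return array_key_exists( $value, themedemo_radio_choices() ) ? $value : $setting->default;
}

// sanitize_hex_color() returns null for anything that is not #rgb or #rrggbb.
// It is guaranteed to be loaded in customizer context, which is where this runs.
function themedemo_sanitize_color( $value, $setting ) {
	$color = sanitize_hex_color( $value );
	return ( null === $color ) ? $setting->default : $color;
}

// One active_callback for both dependent controls: a control is shown only
// while the radio setting currently holds the choice it belongs to.
function themedemo_choice_callback( $control ) {
	$shown_for = array(
		'choice_a_text'  => 'a',
		'choice_b_color' => 'b',
	);
	if ( ! isset( $shown_for[ $control->id ] ) ) {
		return false;
	}
	$current = $control->manager->get_setting( 'demo_radio_control' )->value();
	return $shown_for[ $control->id ] === $current;
}

function themedemo_customize_register( $wp_customize ) {
	$wp_customize->add_panel( 'some_panel', array(
		'title'       => 'Panel 1',
		'description' => 'This is a description of this panel',
		'priority'    => 10,
	) );

	$wp_customize->add_section( 'themedemo_panel_settings', array(
		'title'    => 'More Stuff',
		'priority' => 10,
		'panel'    => 'some_panel',
	) );

	$wp_customize->add_setting( 'demo_radio_control', array(
		'default'           => 'a',
		'sanitize_callback' => 'themedemo_sanitize_radio',
	) );
	$wp_customize->add_control( 'demo_radio_control', array(
		'label'   => 'Radio control',
		'section' => 'themedemo_panel_settings',
		'type'    => 'radio',
		'choices' => themedemo_radio_choices(),
	) );

	$wp_customize->add_setting( 'choice_a_text', array(
		'default'           => '',
		'sanitize_callback' => 'sanitize_text_field',
	) );
	$wp_customize->add_control( 'choice_a_text', array(
		'label'           => 'Choice A: ',
		'section'         => 'themedemo_panel_settings',
		'type'            => 'text',
		'active_callback' => 'themedemo_choice_callback',
	) );

	$wp_customize->add_setting( 'choice_b_color', array(
		'default'           => '#123456',
		'sanitize_callback' => 'themedemo_sanitize_color',
	) );
	$wp_customize->add_control( new WP_Customize_Color_Control( $wp_customize, 'choice_b_color', array(
		'label'           => 'Choice B',
		'section'         => 'themedemo_panel_settings',
		'active_callback' => 'themedemo_choice_callback',
	) ) );
}

// Output side (settings default to type 'theme_mod', so get_theme_mod reads them).
// The stored value is re-checked and escaped on the way out; the regex is used
// instead of sanitize_hex_color() because that function is not loaded on the
// front end in older WordPress versions.
add_action( 'wp_footer', 'themedemo_output_choice' );
function themedemo_output_choice() {
	if ( 'a' === get_theme_mod( 'demo_radio_control', 'a' ) ) {
		echo '<p class="choice-a">' . esc_html( get_theme_mod( 'choice_a_text', '' ) ) . '</p>';
		return;
	}
	$color = get_theme_mod( 'choice_b_color', '#123456' );
	if ( preg_match( '/^#([0-9a-f]{3}){1,2}$/i', $color ) ) {
		echo '<style>.site-title a { color: ' . esc_attr( $color ) . '; }</style>';
	}
}
```

The active_callback only controls what the customizer displays; it does nothing on save, which is why the sanitize callbacks are there. A setting with no sanitize_callback stores the posted value unchanged, so a text setting printed without escaping is a stored XSS waiting for anyone with edit_theme_options, and a color setting can carry anything into your inline style. Sanitize on save, escape on output, and treat the two as separate jobs.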

One more thing: Customizing the Customizer

Not everybody likes the style of the Customizer. Maybe it clashes with your theme. Maybe you just want to tweak it a bit. Maybe you dislike that gray background color, and a more soothing blue would go better for your theme.

add_action( 'customize_controls_enqueue_scripts', 'themedemo_customizer_style');
function themedemo_customizer_style() {
	wp_add_inline_style( 'customize-controls', '.wp-full-overlay-sidebar { background: #abcdef }');
}

Or maybe you don’t think the Customizer area is wide enough… be careful with this one though, consider mobile users as well.

add_action( 'customize_controls_enqueue_scripts', 'themedemo_customizer_style');
function themedemo_customizer_style() {
	wp_add_inline_style( 'customize-controls', '.wp-full-overlay-sidebar { width: 400px } .wp-full-overlay.expanded { margin-left: 400px } ');
}

You can enqueue whole extra CSS files instead, if you like. Or, if you have special needs for javascript in some of your controls, and there’s libraries necessary to implement them, then you can enqueue those libraries here as well.


How to Restore the Link Title Attribute Removed in WordPress 4.2

WordPress 4.2 is a week old and has been downloaded more than six million times. One of the first things I noticed after updating is the change to the Insert/edit link modal box. Instead of having to apply a title to the URL, the title is replaced with Link Text. The text that is highlighted before adding a link is automatically inserted into the Link Text box.

Screenshot: WordPress 4.2 Add Link modal on the left, WordPress 4.1 on the right.

While I found this behavior to be annoying at first, it has quickly become one of my favorite changes. Adding links is quicker and more efficient. Several other people however, don’t like the change. WordPress user Enticknap created a ticket on Trac reporting the issue as a bug when in fact, the change was deliberate.

Drew Jaynes, who led the WordPress 4.2 development cycle, explained why the change was made.

The ‘Title’ field was intentionally removed from the wpLink modal in #28206 largely because it was often confused with the actual link text itself.

In recent years, we’ve begun to actively discourage the use of title attributes in links as they are largely useless outside of providing the “hover tooltip” many visual users enjoy, and more importantly, they don’t promote good accessibility.

If you’d like to continue using title attributes in links, you can add them manually using the Text mode in the editor.

Several people took part in the conversation, explaining why the Title box is an important part of their workflow. Andrew Nacin, who helped design the original Link dialog, said, “I wish this is how it worked from the start.” Nacin described the Title attribute as an edge case and said it’s bad for accessibility.

The discussion was heated at times, but the conclusion is that the Title attribute will not be added back to the dialog box. Instead, users are encouraged to use the Restore Link Title Field plugin developed by Samuel ‘Otto’ Wood and Sergey Biryukov.

Screenshot: link title attribute restored.

With the plugin activated, the Insert/edit link dialog is restored to how it was in WordPress 4.1. According to the WordPress plugin directory, the plugin is activated on 100+ sites. I asked Wood if there are plans to add additional features.

“I don’t think adding new features is in the cards as there’s not much to add,” he said. “We might change it up as we fix some of the problems in core causing it to be difficult to do properly.”

WordPress is Continuously Evolving Software

I sympathize with those who are upset that the Link Title attribute was removed from WordPress 4.2. If a feature you depend on in WordPress is drastically changed or removed, the first instinct is to be upset. It forces you to change your workflow and the change is often unexpected.

I’ve traveled this path, but I’ve realized WordPress is continuously evolving software that tries to cater to the majority. Features removed from WordPress generally never go away as they’re replaced with plugins. A good example is when the ability to add borders and padding to images was removed in WordPress 3.9.

Screenshot: Advanced Image Styles.

This change lead to a lengthy discussion both on WordPress.org and WordPress.com support forums. Gregory Cornelius created the Advanced Image Styles plugin which re-adds the ability to adjust an image’s margins and borders as you could prior to WordPress 3.9. According to the plugin directory, it’s active on more than 20,000 sites.

I’m not saying you shouldn’t speak up when something you use in WordPress is removed. Rather, it’s a reminder that there is a way for everyone to get the features they want as WordPress core undergoes changes.

Note: Before installing the plugin to restore the Link Title attribute, please read the post shared by Peter Wilson in the comments.

How Barış Ünver Lives and Works with Censorship in Turkey

Doc Pop of Torquemag.io has published a great article featuring WordPress developer, Barış Ünver. Ünver is 27 years old and a Tuts+ author living in Ankara, the capital of Turkey. In the article, Ünver describes what it’s like to live and work in Turkey. When asked whether WordPress being blocked in Turkey is a regular occurrence, he responded:

It’s not extremely common, but we experience downtime on large websites like Facebook, YouTube, and Twitter a couple times each year. WordPress.com is actually one of the first websites that was blocked back in 2007—you can read the story here.

There are other interesting tidbits within the article as well, such as the number of people who know how to use VPNs, as if it’s common knowledge. Ünver also provides insight into the tools used to get around censorship. If the country you live in blocked access to WordPress.com or WordPress.org, what tools, services, and systems would you use to get around it?

WordPress 4.3 to Focus on Mobile Experience, Admin UI, Better Passwords, and Customizer Improvements


WordPress 4.3 development kicked off this week with release lead Konstantin Obenland at the helm. The main focus of this release will be to improve the experience of using WordPress on touch and small-screen devices. Contributors will also be renewing efforts to improve the Admin UI and the Network Admin UI, particularly as it relates to the experience on narrow screens and responsive list tables.

Customizer Design and Architectural Improvements

The customizer will also be getting some attention. Weston Ruter published a summary of the three areas he proposes tackling:

  • Customizer Partial Refresh: This feature plugin aims to refresh parts of a Customizer preview instead of reloading the entire page when a setting changes without transport=postMessage.
  • Customizer Transactions: This proposal is dependent on the Partial Refresh and involves re-architecting the customizer to make way for the possibility of feature plugins like scheduled settings, setting revisions, and drafted/pending settings.
  • Customizer Concurrency/Locking: This proposal would add concurrency/locking support to prevent multiple users from overwriting each other’s changes while working in the customizer.

Nick Halsey also has a few ideas he is proposing for iterating on customizer development that was completed in 4.2.

“I would like to aim for adding theme install in 4.3, which would require a shiny install process, and shiny updates could work into that well too,” he said. Halsey is aiming to have a functional and tested proposal ready before the scheduled time to decide on which features to merge in to 4.3.

He’s also hoping to renew work on Customizer UI design changes, which would separate navigation from the options UI by removing accordion behavior for a better experience. It will be interesting to see how these changes, if selected to merge into 4.3, affect theme developers’ adoption of the customizer.

Better Passwords Coming to WordPress 4.3

Mark Jaquith will be spearheading an effort to improve password creation in WordPress 4.3, and discussion will take place in the #core-passwords channel on Slack. The first leg of his proposal would make “user chooses own password” the non-default path: WordPress would generate a password by default, and the user could opt to replace it with one of their own.

Jaquith is also proposing that the password strength meter, added in WordPress 3.7, offer feedback on why a user’s selected password might be measured as weak.

“Simple feedback like ‘too short — add more characters!’, ‘Try adding some numbers and symbols!’,” he suggested. “Not only that, we could actually make the addition for them, show them their password attempt with some additions that would make it better.”

Also, Jaquith proposes adding an option to make the password entry visible, eliminating the need for entering it twice. The fourth and final leg of his password improvement proposal is a major and long-overdue step toward improving the security of WordPress.

“Let’s not send passwords via e-mail anymore; it’s insecure,” he said “We’re not getting around ‘full access to e-mail means you can reset,’ but we can stop passwords from sitting around in e-mail accounts forever.”

Contributors are aiming to release WordPress 4.3 on Tuesday, August 18th. Follow the project schedule for approximate dates for feature merge, betas, and release candidate(s).

Your WordPress Business is Not There Yet

Given the large number of WordPress-based discussions on pricing, costs, consultant’s fees and product licenses, it’s no wonder why some people get frustrated about the Community and the understanding of Open Source.


Other than the mentality and the usual incompetent statements such as “But WordPress is free!” or “There should be a free plugin to do that!”, there’s another reason why some business owners can’t grasp the cost of building a WordPress solution.


Commodities or Needs?

There are usually two types of things that you need to do, build, use or have on a daily basis:

  1. commodities that just need to do basic work
  2. high-quality goods or services that are simply the best

Take any service or product as an example and try to apply it in two different contexts.

There are cheap and expensive cars, computers, tablets. There’s a low-cost Internet plan and a high-speed one. There are generic chairs and tables and authentic ones, too.

Would you buy a chair for $3000? Probably not, since you’re not going to use it that much, or the difference from the $300 chair would not be worth the extra $2700. But if you’re equipping an office that is to be rented for $40,000 a month to executives and funded companies, it may be a good investment.

You may need the highest plan from your Internet Service Provider if you make a living off the Internet, work with large files, manage plenty of servers remotely. But if you’re a general user who spends an hour or two on Facebook in the evening after business hours, and goes fishing over the weekend – it’s not worth the cost.

They just target different audiences. There is a market for everything, which is why those service or product vendors are able to survive and make a good profit at the end of the day.

Pareto’s 80/20

I’m a great supporter of Pareto’s 80/20 principle and I’m currently listening to an audio book called 80/20 Sales and Marketing: The Definitive Guide to Working Less and Making More. It focuses on that given commodities vs. needs problem, and it also reflects the amount of time we spend on things that don’t matter.

If you’re not familiar with the basics, the short version is – 20% of something is responsible for 80% of something else, and vice versa. Like:

  • 20% of your clients pay 80% of your revenue
  • 20% of your tasks take 80% of your time
  • 80% of your users would use 20% of your WordPress plugin’s features

Now, the spicy thing here is: can you afford working with 20% of your customers if they make 80% of your profit?


It’s a good philosophical discussion to have, but the answer, as usual, is: it depends. It depends on whether your 80% are higher than your costs, and whether you can spend a few months finding more of the 20%-type of customers. Or, applied to the plugin example – whether your plugin can survive with the essential 20% of the features, or it still needs the other 80%.

Either way, Pareto’s rule is often an indicator that there is a lot of room for improvement for your business. The question is whether you have the resources to take it to the next level quickly, or take the long and safer route. Most entrepreneurs leverage 80-20 and build massive businesses, but some fail to implement it properly, or don’t do their math right.

Service Costs

This is applicable for products, but services are more interesting since they are often harder to compare on the outside, or assess before spending some time with several providers at once (which is not cost-effective).

And that’s the thing with WordPress freelancers and development agencies. 80% of the freelancers and WordPress agencies out there can handle 20% of the available work – which is setting up new websites, installing some themes and plugins, and applying some basic CSS changes here and there (if possible). And 80% of the remaining features could be built by the other 20% of the service providers. If we apply the math to the other 20%, we can utilize Pareto’s principle in a better way and find out how many of those 20% can work on the 20% of the 80% – which requires some calculations (that are done in the 80/20 book mentioned above).

I like the story of 10up – one of the WordPress.com VIP providers – since Jake shared in an interview that it resembles the “last 10%” – the finest details for usability, speed, security and everything else that make your business shine like a diamond. They work with great businesses around the world and hire reputable WordPress contributors since they provide value. And that value is way, way different than the one provided by a local freelancer with a few months of practical experience.

Whenever clients ask for WordPress development work, they often focus on the low-cost contractors or agencies. Which is fine as long as they aren’t building their business on top of that new site of theirs.

For example, if your 10-year-old daughter wants a site where she can write some poems and collect them (and share them with friends) without planning to become a published author, it’s fine to have a cheap solution, or even a simple installation on cheap shared hosting. It’s not essential: speed doesn’t matter that much, and even downtime of 30-40 minutes a month is hardly noticeable.

If your friend wants to build a gallery and store some of their old photos, and browse it once a month – it’s not a billable product, a running business or anything like that – it’s a pet project that doesn’t require some top quality.

Building a WordPress-driven Business


The actual community problem is that business owners look for low-cost quality services in order to build a business that would make a fortune.

If you’ve been following Mad Men or any other TV Show for reputable experts from boutique agencies, you know how much they spend on expensive dinners, office parties, outstanding offices and so on. That presence sells to the high end customers. It conveys trust, profitability and stability, which automatically suggest that those companies are wealthy enough to afford all of that.

Common sense dictates that this economic state is generated by high-paying customers who need top-notch quality (why would they pay that much otherwise?). And those companies hire recognized experts, conduct internal training courses, take certification exams, you name it.

We’ve received hundreds of requests for completing a website that start with: “Our freelancer went broke”. Reputable companies cannot afford to work with partners and service providers that can’t deal with their own expenses – it’s bad for their internal processes, trainings and reputation.

And it’s important for you to convey trust – which is only natural to successful businesses and entrepreneurs who can afford it since their backlog is full of requests, they decline most of those and work only with the best clients out there.

Every business owner wants to be there. But building that reputation takes time and requires a certain investment. And a potential partner would definitely do a background check of that business, which in the Internet world is usually:

  • who works there
  • what’s the background of the founders
  • what’s the portfolio of the company
  • is the website appealing and helpful
  • is the business reputable – testimonials, social media following and so on

Your online presence is the front door to your business.


Business owners looking for cheap labor would end up with a cheap solution as well. No one will sell you the latest Porsche for $5,000 or $10,000. Quality costs money and if you need that quality in order to grow your business, you have to spend more, iterate and take it to the next level.

Otherwise your website will say “cheap”, and will most likely be much less usable, way slower and rank badly on search engines. Guess what your potential partners would think about how much you value your own business.

Training Courses and Licenses

Last week I took the HubSpot Inbound Marketing Certification. At DevriX I have to manage our team members working on content marketing and social media marketing, and work closely with our designer on our online presence, landing pages, free ebooks and so on. The course is free – so is the exam itself – and it was totally worth the time polishing my inbound skills that I’ve gained over the past two years.

However, I’m not a full-time marketer. I’m a developer by education and I’ve done that for more than 10 years. But as a business owner, marketing takes a consistent chunk of my time and it was rewarding getting certified and learning the ins and outs of the Inbound Marketing methodology.

But I wouldn’t invest in an expensive training or certification on Inbound Marketing. It’s not worth the money for me right now, and it doesn’t fully utilize the 20% of the things I do on a daily basis that bring 80% of our revenue.

You want to play with the ERP big boys (SAP and Oracle), instead of the so-called Tier II ERP providers (Epicor, Infor, Lawson)? Then you better be prepared to pay a lot more ($9 million to $13 million) and plan for a longer implementation (two to three months longer).

via cio.com

I did, however, invest time and part of the cost of mile2’s C)SWAE training. Its total cost is about $3,500 now. I got most of that covered by mile2 since I had to train a few teams in Saudi Arabia for a month, but I paid for my certification and spent quite some time learning all of the details.

I received a direct profit opportunity from it – a well-paid training gig and potential training opportunities in other countries – and security is an essential part of the web development work that we have to implement on a daily basis. So it was totally worth it.

There are free solutions and high cost ones, and it’s up to you how much is that worth to you. It’s all a matter of costs vs. reward – is it worth paying $X in the short/long run for something? Take a look at landing page builders, CRM systems, or any other popular product that has a free version or a premium and expensive product sold by a large company. They sell the same outcome, but in a different way. And the cheap (or free) solution is not a good fit for a large business, let alone an enterprise.

There are also $500, $5,000, $50,000, $500,000 and $5,000,000 websites out there. They are built by different people with different processes, skill sets and usually provide different outcome. While it’s often hard for a non-educated business owner to assess the difference right away, it should be more than clear that the $500 solution is much more basic compared to the $5,000 one, and way tinier and generic than the $50,000. But if your $50,000 system automates some processes that could save you hiring three more people dealing with operations and administration, and looks stunning and appealing to larger partners – that brings a tremendous value to your business.

Are You There Yet?

And this is the main question you need to ask about everything around you. Of course, there are some things in the entertainment space that you just need to decide for yourself: whether you need a large flat-screen TV at home, an expensive car that you don’t use directly for work, or an expensive trip to an exotic location.

Everything else falls in the “costs vs. reward” category. Which includes your WordPress website as well.

You can hire a $10/hr contractor for some basic changes, but they won’t deliver the quality that a $150/hr one will bring to the table. While geoeconomics are important to note here, the web development industry is completely international and experts can easily land projects anywhere around the world for any rate imaginable.

Take some time off and think about your business.

  1. What have you achieved so far?
  2. What is the next step?
  3. Where do you see your business in 3 years from now?

All of the above are essential for your growth, and the more professional you are, the easier it will be to grow your business without any unexpected obstacles.

The post Your WordPress Business is Not There Yet appeared first on Mario Peshev on WordPress Development.

How to Limit Comment Length in WordPress

WordPress comments encourage discussions around your topic. However, you may find that comments below a certain length or above a certain length are not very helpful. In this article, we will show you how to limit comment length in WordPress, so you can set both minimum and maximum comment length limits for your WordPress site.

Why limit comment length in WordPress?

Set Comment Length Limits in WordPress

In our experience of moderating online discussions for the past decade, we have found that most helpful comments are above 60 characters and below 5000 characters in length.

When a person writes a one-word comment, it usually is not very helpful. In most cases, it is spam because the author is simply trying to earn a backlink from your site.

However, when a person writes a comment above 5000 characters, it’s usually a rant or complaint that in most cases is not relevant to that particular article.

By setting comment length limits in WordPress, you can improve the quality of your comments.

Let’s take a look at how to control comment length in WordPress.

There are two methods to limit comment length in WordPress. The first method requires you to install a plugin. The second method uses a simple code snippet that you can add to your site.

Method 1: Limiting Comment Length Using a Plugin

First thing you need to do is install and activate Control Comment Length plugin. Upon activation, simply go to Settings » Control Comment Length to configure the plugin settings.

Controlling comment length in WordPress using a plugin

The plugin’s user interface is in German with an English translation. You can set both the minimum and maximum number of characters a comment can have. We recommend using 60 for the minimum and 5000 for the maximum character count.

You can also add messages that will be visible to users when their comments are either too short or too long. The plugin only provides these messages in German, but you can replace them with your own message.

Method 2: Limit Comment Length Using Code Snippet

The second method is for users who don’t mind dealing with code. We will add a filter hook to preprocess_comment. This filter runs before WordPress saves a comment to the database or does any other pre-processing on it, so we can use it to check the comment length. If the comment is above or below the set limits, we show the user an error message.

Simply add this code to your theme’s functions.php file or a site-specific plugin.

add_filter( 'preprocess_comment', 'wpb_preprocess_comment' );

function wpb_preprocess_comment( $comment ) {
    // Count characters, not bytes: strlen() reports bytes, so a short comment
    // in a multi-byte script (or with emoji) would look several times longer.
    $length = mb_strlen( $comment['comment_content'], 'UTF-8' );

    if ( $length > 5000 ) {
        wp_die( 'Comment is too long. Please keep your comment under 5000 characters.' );
    }
    if ( $length < 60 ) {
        wp_die( 'Comment is too short. Please use at least 60 characters.' );
    }

    // Returning the array lets WordPress continue saving the comment.
    return $comment;
}
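A hardened version of the same preprocess_comment check, added here as an example and not code from the WPBeginner article. The function names prefixed wpb_example_ and the two option names are assumptions; get_option(), current_user_can(), wp_die() and add_filter() are the real WordPress functions.

```php
<?php
/*
 * Added example, not code from the article: a hardened preprocess_comment
 * length check. Names prefixed wpb_example_ and the two option names are
 * hypothetical; get_option(), current_user_can(), wp_die() and add_filter()
 * are real WordPress functions.
 */

// Limits are read from options so they can be changed without editing code.
// Defaults are the article's 60 / 5000 characters.
function wpb_example_comment_limits() {
    return array(
        'min' => (int) get_option( 'wpb_example_min_comment_chars', 60 ),
        'max' => (int) get_option( 'wpb_example_max_comment_chars', 5000 ),
    );
}

/*
 * Pure length check, kept separate from WordPress globals so it can be unit
 * tested. Returns '' when the comment is acceptable, otherwise 'too_short'
 * or 'too_long'.
 */
function wpb_example_check_comment_length( $content, $min, $max ) {
    // Surrounding whitespace must not count toward the minimum; otherwise a
    // handful of spaces turns a one-word comment into a "long" one.
    $content = trim( $content );

    // strlen() counts bytes, not characters. With the utf8mb4 tables that
    // WordPress 4.2 introduced, a 20-character Japanese or emoji-heavy comment
    // is 60 to 80 bytes, so count characters for the user-facing limits.
    $chars = mb_strlen( $content, 'UTF-8' );
    if ( $chars < $min ) {
        return 'too_short';
    }
    if ( $chars > $max ) {
        return 'too_long';
    }

    // Safety net in case the max option is raised: wp_comments.comment_content
    // is a MySQL TEXT column (65535 bytes); anything longer would be truncated
    // (or rejected, in strict mode) by MySQL instead of being handled cleanly.
    if ( strlen( $content ) > 65535 ) {
        return 'too_long';
    }
    return '';
}

function wpb_example_preprocess_comment( $commentdata ) {
    // Moderators replying to readers are not the spam/rant problem the limits
    // exist for, so let them post at any length.
    if ( current_user_can( 'moderate_comments' ) ) {
        return $commentdata;
    }

    $limits = wpb_example_comment_limits();
    $result = wpb_example_check_comment_length(
        $commentdata['comment_content'],
        $limits['min'],
        $limits['max']
    );

    if ( '' !== $result ) {
        $message = ( 'too_short' === $result )
            ? sprintf( 'Comment is too short. Please use at least %d characters.', $limits['min'] )
            : sprintf( 'Comment is too long. Please keep your comment under %d characters.', $limits['max'] );

        // wp_die() with default arguments answers with HTTP 500. A rejected
        // comment is a client error, so send 400 and give the reader a link
        // back to the form so the typed comment is not lost.
        wp_die( $message, 'Comment rejected', array( 'response' => 400, 'back_link' => true ) );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'wpb_example_preprocess_comment' );
```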

Comment too long error

We hope this article helped you limit comment length in WordPress. You may also want to checkout our guide on 12 vital tips and tools to combat comment spam in WordPress.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

To leave a comment please visit How to Limit Comment Length in WordPress on WPBeginner.

8 Proven Methods to Promote Old Posts in WordPress

Want to increase your website traffic? One of the easiest and smartest methods to get more pageviews is to promote your old evergreen articles. In this article, we will show you some of the best ways to promote old posts in WordPress.

Promote Old Posts in WordPress

But before we start, let’s take a look at why it’s important to promote old posts.

You see most people write a blog post, share it once or twice, and then leave it to die in their blog’s archive page.

Why let all your time, money, and effort go to waste? Promoting older relevant articles allows you to maximize your traffic potential. Here are 8 proven methods to promote old posts in WordPress.

1. Regularly Share Your Old Posts on Social Media

Automatically share old WordPress posts

Most of your social media updates are seen by a fraction of your followers. Mainly because there is so much noise and not everyone is online at the same time.

That’s why it is recommended to share at various different times of the day. The Revive Old Post plugin automatically shares your old posts on social media networks like Twitter, Facebook, and LinkedIn. It spreads out your updates for different times allowing you to maximize your exposure.

For detailed instructions see our guide on how to automatically share your old WordPress posts.

2. Showcase Related Posts on Your Blog

Related Posts in WordPress

When you visit popular blogs like TechCrunch, Mashable, or even WPBeginner, you will notice that there is related content next to or below each article.

If a user has scrolled down to read your entire article, then they are engaged. Using a related posts plugin, you can provide them an opportunity to explore more of your website.

3. Display Your Popular Posts

List25 showing popular posts

It’s true that 20% of your website content gets 80% of your traffic. Some articles are simply more popular than others.

Why not get more traffic to them? You can start showcasing your most popular content with a few simple clicks. People coming to your website are more likely to read what many other users have already found interesting.

Here are some great popular posts plugins for WordPress that you can use.

4. Create Better 404 Pages

404 Error

Most WordPress themes come with a default 404 page template. A 404 page is displayed when a page that the user is looking for cannot be found.

You can use this opportunity to showcase the most important content of your website, and keep that visitor engaged. You can also add a search form on the page, so that users can locate the content they were looking for.

Here are detailed instructions on how to improve your 404 page template in WordPress.

5. Better WordPress Search

Improving WordPress search feature

The default search feature in WordPress is fairly limiting, but you can improve the search feature. There are two common approaches for that.

The first one is to use Google Custom Search form to replace the WordPress search. The other method is to use a search plugin like SearchWP.

Both of these solutions will help improve your WordPress search.

6. Custom Archive Pages

Custom archives page showing categories

Creating a custom archive page is one of the best ways to highlight your old but still useful content.

You can show the most popular articles, most commented posts, recent posts, and so on. You can even display all your post categories / tags, add compact archives, and include a search form. This will help people not only in finding content, but will also help them understand what your blog is about. Don’t forget to add an email sign up form on the page.

You may also want to check out WPBeginner archives.

7. Interlink Old Articles

Interlink Your Articles

Building internal links is one of the most important SEO strategies. You need to make internal linking a habit.

It’s helpful to the user when you link to your old posts whenever it is relevant. People browse the web by clicking on one link to another. Make sure that there are plenty of your own links for them to click on.

Check out our guide on WordPress SEO tips for beginners for some more SEO advice.

8. Link Old Articles in Comments

Link to your articles in comments on your blog

When answering user comments on your own blog, you should try to use links to point them to other articles on your own website.

It’s not something you should force, rather it’s important to keep it in the back of your mind, and you will be surprised how many opportunities will come up.

This builds trust and increases your pageviews. This link you add is going to stay there and any future visitors with the same question will continue to click on that link.

We hope this article helped you find some new ways to promote old posts on your WordPress site. You may also want to see our guide on 40 useful tools to manage and grow your WordPress blog.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

To leave a comment please visit 8 Proven Methods to Promote Old Posts in WordPress on WPBeginner.

New book! Content Strategy for WordPress is now available

This is an excerpt from Content Strategy for WordPress.
Content Strategy for WordPress is available for… Kindle | Nook | iBooks | Kobo | Smashwords

At long last, Content Strategy for WordPress is available everywhere! This is a relatively short book—less than half as long as WordPress for Web Developers was—and it’s aimed at a more general audience. Paradoxically, I’ve been working on it twice as long as on either of the long developer books. I’m delighted to share it with you all!

It’s a short book for content strategists and managers on implementing a complete content strategy in WordPress: evaluation, analysis, content modeling, editing and workflows, and long-term planning and maintenance.

Content Strategy, WordPress Tactics

  • evaluating your site with a content audit
  • content modeling to create structured content
  • providing context-aware content like related posts and contextual sidebars
  • rearranging content for mobile layouts
  • creating a better authoring experience, with clutter-free editing screens, inline help, and a style guide right in the dashboard
  • workflows and email notifications
  • sharing data with RSS feeds and a REST API
  • …and more

Read the sample chapter, Analyzing Content »

See the full Table of Contents »

You can buy it from…

Kindle | Nook | iBooks | Kobo | Smashwords

Is this a coding book?

No! Unlike my previous developer books, this book is for everyone: site owners, content editors, managers… If you own a WordPress site and you’ve been wanting to create more highly structured content, or to reorganize your pages for better long-term maintenance, this book will show you how.

Every step of the process uses plugins that allow you to set things up without writing any code. (In some cases, like creating your content model, I’ve provided the code as well—just in case you want it.)

There are a few small tweaks you can’t make without code; for those, I’ve provided short examples that you can copy and paste.

What about print?

There will be a paperback edition in a few weeks. If you’d like me to email you when it’s available, you can sign up for my book release announcement list.

See the WordCamp videos

Content Strategy for WordPress started out as a presentation for WordCamps San Francisco and Chicago in 2013. Visit those posts for the slides and the video of each session.

Huge thanks to everyone who attended those talks–especially everyone who came up to me afterward to say, “This should be a book!” I listened. I hope you like it.

How to Clone a WordPress Site in 7 Easy Steps

Generally speaking, cloning is considered an unethical practice. However, when you think of cloning in terms of making a duplicate WordPress site, a whole new world of completely ethical possibilities can open up for your business. In this article, we will show you how to clone a WordPress site in 7 easy steps.

What Is Cloning, and Why Use It?

The idea behind cloning a WordPress site is simple: you make an exact copy or duplicate of one WordPress site and apply it to another site. Are there any good reasons to actually do this? Absolutely!

Clone a WordPress Site

One practical scenario is when you are moving a WordPress site to a new web host or a new domain name. Cloning a site will save you hours of work.

Another possible use is when you are developing a site for a client. Once the project is done you can clone the WordPress site to the client site.

Lastly, you can clone a live WordPress site to your local server for testing and development purposes.

Cloning a WordPress site is not that difficult at all, here is how you can do it with these simple steps.

Using BackupBuddy To Clone A WordPress Website

BackupBuddy

For this article, we will be using BackupBuddy plugin. BackupBuddy is a WordPress backup plugin which allows you to not only just backup your WordPress site, it also allows you to easily restore your site from a backup. We will show you how to use this site restoration tool to easily clone any WordPress site.

1. Installing and Setting up BackupBuddy

First thing you need to do is install and activate the BackupBuddy plugin. Upon activation, the plugin will add a new menu item labeled ‘BackupBuddy’ in your WordPress admin bar. Clicking on it will take you to the BackupBuddy setup wizard.

BackupBuddy Setup Wizard

The setup wizard is very straightforward. First you need to provide an email address. After that you need to enter a password.

This password will be used when you restore your site. The next option is to choose a location where you want to store your WordPress backups. The last option allows you to set up automatic backups.

BackupBuddy allows you to store your backups on cloud services like Stash, Amazon, Rackspace, and Dropbox. You can also store your backups on your own server or email them to yourself.

Once you are done with the setup wizard, click on save settings button to continue.

2. Backup Your WordPress Site

BackupBuddy will automatically initiate the backup process when you finish the setup wizard. Upon completion it will show you the option to download your backup or send the backup to a remote destination.

Backup process initiated and completed

You can always create a fresh backup by visiting the BackupBuddy » Backup page.

Creating new backups in BackupBuddy

3. Preparing To Clone Your WordPress Site

BackupBuddy provides a very easy site cloning / migration tool. Simply visit the BackupBuddy » Restore/Migrate page to begin the cloning process.

First you need to download the importbuddy.php file to your computer.

Download importbuddy.php file to your computer

After that, you need to download the backup zip file from your existing backups shown on the same page.

Download the backup zip file to your computer

4. Upload Backup and Importbuddy to New Location

Now that you have a complete backup of your site in a zip format and your importbuddy.php file, the next step is to upload them to the new location.

This new location can be a live website, or a site on your local server. If it is a site on your local server, then you just need to copy and paste the files into a subfolder inside your htdocs or www folder, like this:

C:\wamp\www\mynewsite

If it is a live site, then you need to upload these files to the root directory using an FTP client.

No matter where you are copying the files, you need to make sure that the folder is completely empty and has no other files or folders inside it except importbuddy.php file and your backup zip file.

5. Running The Import Script

After uploading both files, you need to visit the importbuddy.php file in a web browser. It will be located at a URL like this:

http://www.example.com/importbuddy.php

Replace example.com with your own domain name.

Importbuddy password

You will be asked to enter your importbuddy password. This is the password you created during step 1, or the password you entered when downloading the importbuddy file during step 3.

After entering your password, you will notice that importbuddy has already found your backup zip file. Simply click on the Next Step button to continue.

Backup found and selected

Importbuddy will now extract your backup file. When it is done, you need to click on the next button.

You will now reach the URL and database settings section.

Database and URL settings section

Importbuddy will automatically guess your new URL. It will also show your previous URL. Below that, you need to enter the new database settings. Enter the new database name, database username and password.

If you have not created a new database yet, then you can always log in to your hosting account and create a database using cPanel. If you are moving the site to a local server, then you can create a new database using phpMyAdmin.

After entering your database information, click on the test database settings button. If you entered all information correctly, then you will see test results like this:

Test database settings

Click on the next step button to continue. Importbuddy will now import your WordPress database and show you the success message. After that you can click on the next step button.

Importbuddy will run some tests and show your new cloned site’s URL to verify that everything is working fine.

6. Test Your Cloned Site

Test your new site by visiting the link shown on the last step of importbuddy process. Check that your single posts links are working fine. Visit the WordPress admin area to see if you can perform all administration tasks.

If you run into any issues check out our guide on how to fix common WordPress errors.

7. Delete Temporary Files

On the importbuddy screen, click on the cleanup and remove temporary files button. This will delete importbuddy and all temporary files it created during the cloning process.

That’s all, you have successfully cloned your WordPress site. You may also want to check out our list of 40 useful tools to manage and grow your WordPress blog.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

To leave a comment please visit How to Clone a WordPress Site in 7 Easy Steps on WPBeginner.

WordPress 4.2.1 Released to Patch Comment Exploit Vulnerability

photo credit: Will Montague - cc

This morning we reported on an XSS vulnerability in WordPress 4.2, 4.1.2, 4.1.1, and 3.9.3, which allows an attacker to compromise a site via its comments. The security team quickly patched the vulnerability and released 4.2.1 within hours of being notified.

WordPress’ official statement on the security issue:

The WordPress team was made aware of an XSS issue a few hours ago that we will release an update for shortly. It is a core issue, but the number of sites vulnerable is much smaller than you may think because the vast majority of WordPress-powered sites run Akismet, which blocks this attack. When the fix is tested and ready in the coming hours WordPress users will receive an auto-update and should be safe and protected even if they don’t use Akismet.

That auto-update is now being rolled out to sites where updates have not been disabled. If you are unsure of whether or not your site can perform automatic background updates, Gary Pendergast linked to the Background Update Tester plugin in the security release. This is a core-supported plugin that will check your site for background update compatibility and explain any issues.

Since Akismet is active on more than a million websites, the number of affected users that were not protected is much smaller than it might have been otherwise.

WordPress 4.2.1 is a critical security release for a widely publicized vulnerability that you do not want to ignore. Users are advised to update immediately. The background update may already have hit your site. If not, you can update manually by navigating to Dashboard → Updates.

Insight into the Jamaican WordPress Community with Bianca Welds

Last week, I met Bianca Welds who lives in Jamaica. She’s used WordPress for more than 10 years and has knowledge of the developing tech scene in Jamaica. In this interview, we learn how she discovered WordPress, the Jamaican WordPress community, and if the country will ever host a WordCamp.

How long have you used WordPress?

I just celebrated my 10th anniversary. I started using WordPress in 2005 and my first post was on April 2nd, 2005.

What is your WordPress origin story?

As seen on the WordPress profile page

I was working at IBM at the time and finally decided I liked the idea of having my own personal website. The more I thought about it, the more I realized I wanted to have a blog as well as a static site. I knew I could build an HTML site myself, so I researched this blogging thing, and I found Blogspot. Within a day of signing up, I became frustrated at not being able to customize it, so I looked for alternatives. I came across WordPress and fell in love, purchased a hosting account, installed it, and never looked back.

What is the tech scene like in Jamaica?

The tech scene is currently developing nicely. There has been a lot of slow foundation growth over the last decade, but in the last few years, we have seen some dramatic acceleration. The tech meetup, Kingston Beta, grew to hosting a regional conference called Caribbean Beta.

The Slash Roots Developer Community saw the formation of the Slash Roots Foundation which does a lot of work in the Open Data space. It expanded to organize the Developing the Caribbean conference, and was instrumental in the formation of Code for the Caribbean.

Startup events have been growing with our first Startup Weekend taking place in 2013. The Digital Jam Mobile Application competition was held for three years along with several other initiatives. The first Venture Capital Conference was held in 2013 where the first formal angel investor group, First Angels, was created. StartUpJamaica is our first accelerator and it launched last year with over 200 applications, where 36 teams participated in boot camps and training. This is a small sample of the things that are happening in our space.

Is there a vibrant WordPress community in Jamaica?

Vibrant on an individual level perhaps. There is no active WordPress community at present. There are a lot of WordPress sites being built and a lot of WordPress blogs being run, but they are more or less individual efforts with no real communication or collaboration to grow and develop a community.

I have recently started putting out feelers to see if there is enough interest in starting a regular WordPress meetup. In the last week, I’ve had interest from about two dozen people.

To date, there has not been a WordCamp in Jamaica. Do you think there will ever be one and will you help organize it?

I hope there will be and I definitely want to be a part of it. The first goal though would be to get the meetups going and gather a core community, so that’s my focus now.

Have you ever attended a WordCamp? If not, which one will be your first?

Unfortunately, I have never attended any WordCamps. I am working on changing that in the near future by going to WordCamp Miami which is the nearest one to Jamaica.

WordCamp Miami Swag

What do you like most about WordPress and what do you like the least?

My favorite thing about WordPress is its flexibility. While it may not be the perfect solution for every challenge, there are few things that cannot be done. My least favorite thing is how much there is to learn to truly take full advantage of its power.

If you wanted people to know something about Jamaica, what would it be?

The one thing I always try to share when I am the Jamaican in the crowd is that Jamaica is so much more than beaches, weed and reggae. It definitely has those, but there are so many other aspects to our geography, our culture and our people that outsiders don’t yet fully grasp. But the world is learning.

Take the Jamaican WordPress Survey

Welds is trying to figure out the size and composition of the Jamaican WordPress community. Please help her out, especially if you’re a WordPress user living in Jamaica, by taking this short survey. Information will remain confidential and will help Welds develop a better picture of the size and skill level of her local community.

Why Some Sites Automatically Updated to WordPress 4.1.3

Since WordPress 4.2 was released, some users are questioning why their sites have automatically updated to WordPress 4.1.3. There’s no information about the release on the Make WordPress Core site or the official WordPress news blog. However, this Codex article explains what’s in 4.1.3 and the reason it was released.

Fix database writes for esoteric character sets, broken in the WordPress 4.1.2 security release. Neither UTF-8 nor latin1 were affected. For more information, see ticket #32051.

The ticket contains a lengthy technical discussion of a critical bug and what was done to fix it. In addition to 4.1.3, the patch was merged into the following versions:

  • 3.7.7
  • 3.8.7
  • 3.9.5
  • 4.0.3

Since these are point releases, sites running WordPress 3.7 and higher will automatically update unless the server doesn’t support it or they’re disabled. If you’re running an old version of WordPress, I highly encourage you to update to 4.2. Not only does it have some nifty new features, but it also fixes 231 defects.

WordPress 4.2 “Powell” is Now Available for Download

WordPress 4.2 “Powell” has arrived and is now ready for download. It is named for Earl Rudolph “Bud” Powell, an American jazz pianist. This release, led by 10up engineer Drew Jaynes, offers a balanced mix of front-facing features that users will enjoy, as well as improvements for developers. Here is a tour of the highlights.

Press This Overhauled

press-this-new

WordPress 4.2 contributors have brought the Press This feature back to life with a completely revamped interface that makes it easy to share content from any website. It allows you to grab text, images, and videos, quickly add your thoughts, and publish. Any media is automatically added to your media library during the process. Add the bookmarklet from the Tools screen to your browser’s bookmark bar or your mobile desktop to jump start your publishing.

Switch Themes in the Customizer

customizer-theme-switcher

WordPress 4.2 makes it possible to switch themes in the customizer. Users can now browse through themes that have already been installed and activate a new one without ever leaving the frontend. This further streamlines the UI for customizing your site and paves the way for the theme installation process to be added to the customizer in the future.

Expanded 4-Byte Unicode Character Support, Including Emoji

emoji-support

This release changes database character encoding from utf8mb3 to utf8mb4, which makes it possible for WordPress to natively support Chinese, Japanese, and Korean characters. The character encoding update also opens up a whole new world for using musical and mathematical symbols, hieroglyphs, and emoji. Emoji support has been added everywhere, and you can even use them in URLs, if you’re adventurous.

Enhanced Plugin Updates

new-plugin-updates

After you update to 4.2, you will be able to update plugins on the plugins screen without refreshing the page and without being whisked away to a new update screen. This makes it a more intuitive process and cuts down on the clicking required to manage your site in the admin. It is also the first stepping stone toward improving the plugin installation process to provide the same convenient experience.

Improvements Under the Hood

In addition to all the front-facing improvements, WordPress 4.2 includes some equally exciting updates for developers.

  • Taxonomy Term Splitting – terms shared across multiple taxonomies will now be split when one of them is updated.
  • Complex Query Ordering – WP_Query, WP_Comment_Query, and WP_User_Query now support complex ordering with named meta query clauses.
  • JavaScript Accessibility – Send audible notifications to screen readers in JavaScript with wp.a11y.speak(). Pass it a string, and an update will be sent to a dedicated ARIA live notifications area.
  • TinyMCE views API improvements – this API is not yet ready for production but developers are welcome to test and experiment with it.

Check out Aaron Jorbin’s WordPress 4.2 Field Notes post for a more comprehensive overview of what’s new for developers.

Many More Small Improvements

WordPress 4.2 is also packed full of subtle refinements that make it more beautiful and easier to use. The default admin color scheme has been updated ever so slightly to be easier on the eyes and more consistent with WordPress’ branding.

Pretty permalinks are now automatically enabled for new sites on installation. In most cases, administrators on new sites will never be greeted with ugly permalinks again, saving a step in the setup process.

The oEmbed white list has been updated to include Tumblr.com and Kickstarter, so you can easily paste links into the post editor and have the content instantly appear.

WordPress 4.2 fixes 231 defects, thanks to the volunteer efforts of 283 contributors. A complete list of all the changes in this release is available in the 4.2 codex page. For a quick tour of all the highlights in 4.2, check out the video created for this release:

WordPress 4.2 Field Notes 

WordPress 4.2 includes both new and improved features. It also includes changes under the hood.  While I’m sure you’ve been testing your themes, plugins, and sites in preparation for the release, you may have missed the announcements of all the changes. Here is a quick rundown of developer related things you should know:

Source: WordPress › WordPress 4.2 Field Notes « Make WordPress Core

For the second release in a row, I put together some Field Notes to help developers for the Make WordPress Core blog. The most fun thing I found is that in 4.2, 231 bugs reported vs previous versions of WordPress were fixed. This is up from 174 in 4.1. Every release WordPress improves.

Everyday Website Optimization for WordPress

You might be a WordPress developer, WordPress plugin developer or WordPress theme developer. You may have worked with WordPress for over a decade. But have you ever wondered what it’s like to purchase a website without any knowledge of WordPress or any other CMS? That’s probably the situation of the vast majority of all WordPress users.

The discussion was triggered a couple of weeks ago in this brilliant post by Morten Rand-Hendriksen about the average WordPress user. You know, when WordPress pushed an automatic update of our WordPress SEO plugin to cover an unfortunate security issue.

This post is about making everyday website optimization super easy for your customer. And yourself.

Everyday Website Optimization

WordPress is the Word-like tool a website owner uses to update text and images on the website. That is basically it. The rest, your customers will assume, is taken care of. Plugins? Post types? They don’t know and don’t care about these. They just want to change the content. That’s their everyday website optimization. So what are the things you should or could take care of?

Logging in and security

It’s already hard to remember that login URL for your customer, to be honest. /wp-admin/ you say? What does that stand for? Can’t that just be /login/? And that customer hasn’t even logged in yet. You might want to create a 301 redirect from a simpler URL. Don’t just add that WordPress meta widget in the footer – don’t you think that looks lame as well? It’s just not that professional.

Luckily, you have already changed the default admin username to a client specific one. Note that I’ve seen my share of brute force attacks over the last few weeks that target my exact first name instead of the admin user. Perhaps that has something to do with my login name being the same as my first name… I could have done that differently. I did just update the password again, something I do on a frequent basis.

Of course you have also installed the Sucuri plugin and configured that for your customer. They don’t even need to know it’s in there. Your main job towards your customer is to inform him that trustno1 isn’t a password. Make it CLU: Complex, Long, Unique.

Tony Perez is one of the Co-Founders and CEO at Sucuri, a globally recognized website security company focused on providing security services to website owners. Sucuri is known for their ability to effectively clean hacked websites and protect them from malicious actors.

Did we mention Tony Perez of Sucuri is speaking at YoastCon? I’m sure we did! Be sure to join us on the 27th of May in Nijmegen (The Netherlands).

Writing and editing

Now that the user is able to log in, he or she just wants to write posts or pages and add images. Posts or pages. Explain the difference. If the client doesn’t want to add news articles (posts), explain that dynamic content really helps the website’s rankings in Google. Besides that, regular posting will also make sure the client visits the website itself on a frequent basis. That will help keep the website up to date, of course. Your job in this is to make sure there is a news or blog page that will display the blog posts in WordPress › Settings › Reading:

WordPress > Settings > Reading

“My customer still doesn’t want a news section on his website.” Consider it a service to set this up anyway. It’s a minute’s work. I have seen agencies charge hundreds of dollars to create a news section that is just two templates in WordPress. Especially when you’re creating a child theme, this is a no-brainer to me.

Just to be sure: there is a catch. If you do this, the blog page will probably display entire posts and that means duplicate content: a post is available via the blog page (in the list of posts) and on the actual page of the article itself. Just a few weeks ago, I took Easy Custom Auto Excerpt (plugin) for a spin. Found some room for improvement for a personal project I was working on, and the guys at Tonjoo fixed these within a few days. Try it for yourself.

SEO

Do I have to go there with you, frequent visitor? Probably not. But you should tell your client about our free Page Analysis (in WordPress SEO). It’s the easiest way to optimize a page and at least give some guidance to your client. Just a few things you really have to mention:

Perhaps most important, as mentioned on our blog earlier this week, is that you should develop a Holistic SEO approach. Our blog helps you fill in the blanks, and I think most articles are written in a way that even the less tech-savvy (WordPress) user will understand how to optimize his website.

Internal linking

We’ve been discussing internal linking a lot. Internal links help your visitor navigate the site and help search engines find valuable connections between pages. These links are almost always relevant. Besides related posts, you should also focus on adding internal links in the text itself.
There are a number of plugins that automatically link certain words in articles and pages, but at Yoast, we prefer a less automated approach. If you feel a topic needs background information, add an internal link.

You can use the internal link creator in WordPress (Add link > ‘Or link to existing content’), but that one tends to flood you with suggestions and the most relevant ones are not always at the top. We have been testing Better Internal Link Search:

The most basic feature limits results to posts and pages that contain your search term in the title, rather than returning every post that contains the term in the title or content field — this greatly reduces the number of results on sites with a lot of content and should improve accuracy.

Simple features make this plugin really nice, like the option to just type ‘home’ to quickly link the homepage. You should give it a try, as this will really help your client to create valuable internal links.

Mobile Friendly

Let’s not forget that one. With Google’s clear focus on mobile friendly websites, this is a no-brainer. The website needs to be responsive, and easy to visit and browse on a mobile device.

A common question is whether a website should be responsive by default or whether a web developer can charge extra for that. Tough question, but from a website optimization point of view not really relevant. That’s up to you and your customer’s budget. The least you can do is point them to WP Touch, just to have that covered. Be sure to tell him mobile friendliness is an important factor for Google these days.

Responsive images

I’ve seen more than one responsive website that breaks on images. A couple of weeks ago I attended WordCamp London and visited an awesome talk by Bruce Lawson about responsive images and the use of the picture attribute. He also brought this plugin to our attention as an alternative: RICG Responsive Images For WordPress. The plugin adds the srcset attribute to your images, making it possible to serve a different image per screen width. This already improves the mobile user experience a lot.

Social

Back in the days (4-5 years ago) when I was building (WordPress) websites myself, most clients did not care much about social media. Only the larger ones did. Nowadays, everybody seems to understand the ease and importance of social marketing. There are two things to consider:

  1. Social sharing: What platforms is the target audience using and is the client already on this platform?
  2. Subscriptions: What platforms is the client on, and which of these are easy to maintain for him.

Social sharing is nice, but too often the client wants to be on all social platforms, where only a few are appropriate for his business. If the social sharing options below an article or post are for more than say three or four platforms, chances are that the reader will only use one or two of these. For us, Facebook and Twitter work best. That is why we decided to cut down social sharing options to just these two.

Subscription options also vary per website and per website owner. One thing I really dislike when reviewing the use of social media in our site reviews, is adding social buttons to a site that link to a Facebook page that has not been updated since 2010. Just don’t link that Facebook page, see what IFTTT can do for you and only add that link back when you are adding content to your Facebook page on a regular basis. Replace ‘Facebook’ with any other social platform in the previous sentences.
Bottom line is that your social effort should make that subscription valuable. It’s not just about linking that social website.

Next to that, make sure to leverage a newsletter. Newsletters are great for both return traffic and bringing current events, breaking news and other interesting stuff to the attention of an interested visitor. Double opt-ins will make sure the subscriber really wants your news in his or her inbox. We send ours using Mailchimp.

Speed

The cherry on the icing on the website and SEO cake is of course speed. Speed is really important these days, both for Google and visitors. Although this is a really technical subject, WordPress plugins make it really easy to optimize the larger part of your site’s speed.

A rather new, but promising kid on the block is WP Rocket. After meeting Julio Potier of WP Rocket, we had the pleasure of testing the plugin and the simplicity of it is really appealing. Just by clicking some simple checkboxes, this happened in Google PageSpeed:

Google PageSpeed before and after WP Rocket

That’s a lot, right? It took me about 5 minutes to configure WP Rocket to achieve that result.

Now speed optimization isn’t just about optimizing once; you really want to do it on an ongoing basis. Clients adding images of multiple MBs in size to a blog post happens every day, right? A plugin like EWWW can help. If you have a steady relationship with your customer, you could check, or have him check, this monthly, for instance. That way you can easily monitor whether anything has a negative effect on the site’s speed.

That pretty much rounds it up for your everyday website optimization. There’s just one more thing regarding your WordPress website that you should do every day: update your WordPress install and all plugins whenever there is an update available. It helps a lot in keeping your website secure. But we have written quite a lot on that subject this week already! Managed WordPress hosting could be a solution to this issue.

If you have any additions to the tips above, feel free to share these in the comments!

This post first appeared as Everyday Website Optimization for WordPress on Yoast. Whoopity Doo!

I am this years WordCamp Philly Keynote Speaker

Cheesesteak Wapuu designed by Tracy Levesque

We’re pleased to announce that Aaron Jorbin will be the Keynote speaker for WordCamp Philly 2015!

Source: WordCamp Philly Keynote Speaker – Aaron Jorbin | WordCamp Philly 2015

On Saturday, I got a phone call asking if I would be interested in presenting the Keynote address at WordCamp Philly.  I didn’t have to think very long.  WordCamp Philly has long been one of my favorite WordCamps.  It’s a great community and they put on a solid event year after year. On a personal note, it’s also the place I met the woman I love.

If you are near Philadelphia, get your ticket today.

The Challenges Of Building a Site For a Friend

Over the last month I had several friends asking me to set up a WordPress website for them. It’s usually something fairly small – a 5-page business website or so, they are close friends (or people we can barter some work with each other) and they have received some offers, but are looking for a reliable solution instead of a shady freelancer or website building company.

I usually price services in one of the two categories:

  • Free help for friends and family for small tasks and quick solutions
  • High-end work for customers – the one that includes everything that we believe is right for a professional solution

There’s a fine line between both, and if my rough estimate crosses a certain number of hours, I just let them know that this would take too much time and I can’t simply help them, and at the same time they are not a good fit for the types of services we offer at DevriX.

However, I’m comfortable with people starting with a basic and simple solution when they are just starting with their business (or it’s in their initial phase). Once they get some traction, they could get a more professional website and a refined selling strategy that pays off.

Either way, once I start with some of my friends, I face several different challenges. I’ll list the major ones down and how I deal with them.

Building the WordPress Frontend

Choosing a WordPress Theme Framework – from WPMU DEV

Since I have a technical background and business experience and I often help them in my spare time, I don’t specialize in design and frontend work. That said, I have to pick a solution for them that is good enough, but doesn’t take forever to build. There are a few possible options for small sites:

  • Custom design + Theme
  • Use a theme framework
  • Build a child theme for a free WP theme
  • Get a premium template

Building a good looking and mobile friendly website from scratch is not trivial for me and usually takes more time than I would like to invest for a small site for a friend. So I usually rule this option out until they could afford it.

Using a theme framework or a base theme is somewhere in the middle. It includes some basic library or structure, but the design is far from complete and requires some work – unless it’s a theme based on a framework, of course.

Lately I’ve been fairly disappointed by the majority of the premium themes that I’ve tried out – some of them from some popular marketplaces. I either disagree with their strategy – the way they build their page templates or the architecture of their theme options, or something else.

I also have various ideas in the MVP phase that I’d like to quickly push and try out in practice, before there’s any need to invest in a better scaled and automated option. However, our main requirement is conventional and compatible code and a clean look and feel, and it’s incredibly hard to find something good looking that isn’t bloated and doesn’t take forever to configure and set up.

What I usually end up with is a WordPress.org theme that is extended with a Child Theme. I could easily try it out with some sample data, the code has been reviewed by the WPTRT and it’s a great start for everyone. Over the past year and a half a number of freelancers and agencies have contributed appealing and even functional themes that are light, extensible, well-coded and easy to use, which is a great start for a small business or trying out a business idea.

Standard Plugins vs. Custom Solutions

Each website is unique in its own way. Sometimes an integration with a given service is needed, or even simple things such as a contact form, social media box, stats engine or so forth.

Some of these may be available in Jetpack or other WordPress.org plugins (or affordable premium solutions), but occasionally that’s not the case.

In this case I have a conversation with my friend discussing the pros and cons of both options. If a good, well-coded plugin exists that does 80% or 90% of the work, we’ll use it. Otherwise a custom plugin would have to be coded, which would cost a lot, so it’s up to them whether they really depend on that feature.

They usually don’t. Especially comparing “free” to “free + $1500 for two specific features that are to be added in plugin X”.

I also don’t allow the usage of any bloated and poorly coded WordPress plugins. Often it’s trivial to find security and performance issues in the first 10-15 minutes of browsing the code, as well as deprecated or incompatible functions that would cause problems later on.

Marketing Strategy

Building a successful business is a combination of high quality service + marketing and sales efforts. Even if your service is the best out there, it means nothing if no one has ever heard of it.

But it also requires continuous work and effort in order to bring it to the larger market. Even if advertising is not on the table, there are things that could be done from the clients’ perspective that could boost a business with zero investment (or at a small cost). And if you could earn $5 for each dollar you invest, you’d be more than happy to invest a thousand if that results in $5,000.

My main go-to resource is KISSmetrics’ list of 35 Growth Hacking Tools for non-coders. The list includes different marketing tools, social media automators, email capture forms, advanced analytics, landing page builders, polls, email newsletter services and more. The list allows my friends to dig more into the power of the Internet when it comes to promotion, inbound marketing and conversion rate tracking, which is a great start for their selling strategy as well.

Preparing the Copy

Sitemap and copy for the average website

Copywriting is a pretty specific craft. Let’s face it – everyone can write content. We learn that at the age of 4, 6, 7, but at the end of the day, all of us are capable of producing text.

It’s not the same with design, programming or anything else – writing a page is doable by a first grade student as well.

That’s why people assume that writing copy for their site is straightforward. But it isn’t. I’ve seen plenty of ugly websites with engaging copy that convert much better than beautiful websites with poor copy.

Which is why I forward Copy Hackers, copyblogger and several other resources to my friends. It’s their niche and they should know their target audience and buyer persona. They know what people look for, what they desperately need, and what’s in it for them.

I help them with some basic copy based on the theme that we pick, and point them to some of their competitors for ideas and inspiration regarding the copy style and what they would need to cover.

Hosting Setup

Hosting is essential for anyone. I tell my clients that it’s their website’s house – you can live in the suburbs, in a dangerous neighborhood where everything could happen to your website, or in a comfy and convenient house with a great balcony. When people visit them, they would rather go to a safe and beautiful place instead of a dangerous and half-broken house.

Which is why I set up my friends with SiteGround. They’ve been involved with the WordPress community for quite some time now, and I know most of the technical folks there – some of them contribute to various open source platforms including the Linux kernel itself. Their starter plan is around $5/month which is a good fit for a starting business, allows for growing later on and includes SSH access and other important features out of the box, which makes the deployment and maintenance a bit easier.

Combined with CloudFlare and a caching engine, things get much better for a starting business on WordPress.

Ongoing Support

All of the above could be done in a matter of hours, or a weekend (realistically) without too much trouble. However, supporting a WordPress website may be a challenge.

Speaking at conferences and teaching people at courses over the years, lately I’ve been noticing a growing percentage of users being unable to work with WordPress. What we find trivial – such as editing a page, adding a menu element, uploading an image or changing the permalinks – seems to be quite a challenge for new users.

A while back WordPress was the most usable platform in comparison to its competitors; however, with Wix, Squarespace, Tumblr and other blogging/website platforms, people got used to a clean and simplified interface, fewer options, fewer menus and a simplified process overall.

Add the large number of free plugins adding more and more options, and the process of updating WordPress, and it gets challenging for people.

So I do several things to help them start:

  • Install Video User Manuals inside of their dashboard – a collection of 80+ videos for starters, which seems to save a lot of time and teach users WordPress basics
  • Set them up with ManageWP or automated backups with BackUpWordPress
  • Add a UptimeRobot monitor for website availability and possible site issues

At the end, I sign them up for our Webmasters newsletter on DevriX that teaches newbie users the basics of user experience, SEO, the difference between a “lego” website and a custom solution, caching, security and more. The newsletter is sent once a week, which doesn’t waste too much of their time, but helps them to learn more about the craft, why some websites cost hundreds of thousands (or millions) and how that is related to a successful business.

From there on, once their business gets some traction, they could appreciate the value and invest in the right solution that would automate their process and grow with their business.

What type of setup do you use for your MVPs or how do you build your friends’ ones? 

The post The Challenges Of Building a Site For a Friend appeared first on Mario Peshev on WordPress Development.

WordPress 4.1.2 is a Critical Security Release, Immediate Update Recommended

WordPress 4.1.2 is available and is a critical security update for all previous versions of WordPress. The release has eight security fixes: one high risk, three medium-low risk, and four hardening changes. This is the first major security update to WordPress core since WordPress 4.0.1 was released in late 2014. Three of the security issues addressed include:

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

The team is aware that two update prompts are being shown; this is expected behavior. Users are encouraged to click the colored update button. The color of the button will be different depending upon the admin color scheme you use.

Red Update Button

WordPress 4.1.2 is not related to the cross site scripting vulnerability discovered in a number of plugins reported yesterday. You’re encouraged to update as soon as possible if you’ve disabled automatic updates for point releases. Auto updates are being pushed out, but if you don’t want to wait, you can manually update WordPress by browsing to Dashboard – Updates.

Reminder: Please Test Your Plugins With 4.2

WordPress 4.2 is being released this week. Are your plugins ready?

After testing your plugins and ensuring compatibility, it only takes a few moments to change the readme “Tested up to:” value to 4.2. This information provides peace of mind to users and helps encourage them to update to the latest version.

For each plugin that is compatible, you don’t need to release a new version — just change the stable version’s readme value.

In the same vein, please take the time to make sure the people listed as committers on your plugin are only the people who are actively developing the plugin.

Finally, if the email associated with your wordpress.org plugin author’s account has an auto-reply, please, for the love of peanut butter, change that or put plugins@wordpress.org on a magic whitelist that doesn’t get the auto-replies. We very rarely send you important emails, but when we do, they’re related to security or upgrades. When you give us an auto-reply, it delays things and makes our inbox insanely large.

XSS Vulnerability Affects More Than a Dozen Popular WordPress Plugins

For the past week, security firm Sucuri has worked with the WordPress core security team to address a cross-site scripting vulnerability discovered in more than a dozen popular WordPress plugins. The vulnerability stems from the improper use of the add_query_arg() and remove_query_arg() functions. Inaccurate information within the WordPress Codex led many developers to assume these functions would properly escape user input.

The Codex pages were created in 2009, but earlier this year Samuel ‘Otto’ Wood updated both pages to include information on using esc_url(). The inaccurate information had existed on both pages for more than five years, leading hundreds, if not thousands, of developers to use insecure code in plugins.

The Updated Codex Pages

The vulnerability was first reported by Joost de Valk who has an excellent post describing the issue. Sucuri worked with Yoast and discovered the problem affects a lot more plugins than just WordPress SEO. Sucuri has audited the top 300-400 plugins in the directory and found at least 15 plugins to contain vulnerable code.

With over 37,000 plugins in the directory, 400 is just scratching the surface. Gary Pendergast, who is helping to manage the coordinated effort, says he doesn’t have an official headcount of the number of plugins affected. “There is no official head count on how many plugins are affected, as it’s a case-by-case thing to check.” Some of the vulnerable plugins have opted out of automatic updates. “Jetpack, EDD, P3, Download Monitor and Related Posts for WP opted-in to auto updates. I didn’t keep track of who opted out,” he said.

So far, there is no evidence that the vulnerability is being actively exploited. It’s extremely important that plugin authors revisit their code to make sure they’re not improperly using the add_query_arg() and remove_query_arg() functions. The Make WordPress Plugins site has a post that provides in-depth information on how to check and fix your plugins.

This Vulnerability is Not New

Mike Jolly, lead developer for WooThemes, published a post in 2013 on the use of WordPress’ URL manipulation functions. The post features add_query_arg() and remove_query_arg(), but near the end of the post, Jolly reminds developers to escape everything.

This caught me out a few weeks ago when I found out (the hard way) that WordPress doesn’t automatically sanitize the current URL if you don’t pass in your own. You need to use esc_url during output:

echo esc_url( add_query_arg( $key, $value ) );

If you forget to do this, a malicious URL, for example one containing some JavaScript, could potentially be output and executed on your page. Escape all the things to be safe!
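To make the issue from both the Sucuri write-up and Mike’s post concrete, here is an added example (not code from the page, from WooThemes, from Yoast or from WordPress core). It pairs the unescaped pattern the Codex implied was safe with the esc_url() fix. So that it runs from the PHP CLI without WordPress, it uses simplified stand-ins for add_query_arg() and esc_url(); those stand-ins, the query key, the page slug and the request path are this example’s own assumptions, not core’s implementation.

```php
<?php
// Added example (not from the page or from WordPress core): how an
// unescaped add_query_arg() result turns into reflected XSS, and the fix.
//
// Stand-ins so this runs from the CLI without WordPress. They are
// simplified approximations of the core functions, not the real code:
// core add_query_arg() also merges existing query args and handles
// fragments; core esc_url() additionally validates schemes and entities.
if ( ! function_exists( 'add_query_arg' ) ) {
    function add_query_arg( $key, $value, $url = null ) {
        // Core falls back to $_SERVER['REQUEST_URI'] when no URL is given,
        // which is why attacker-controlled input reaches the output at all.
        if ( null === $url ) {
            $url = $_SERVER['REQUEST_URI'];
        }
        $sep = ( false === strpos( $url, '?' ) ) ? '?' : '&';
        return $url . $sep . rawurlencode( $key ) . '=' . rawurlencode( $value );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        // Core strips every character outside its URL whitelist (so <, >, "
        // and whitespace disappear) and entity-encodes & and '.
        $url = preg_replace( '|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\\x80-\\xff]|i', '', $url );
        return str_replace( array( '&', "'" ), array( '&#038;', '&#039;' ), $url );
    }
}

// VULNERABLE: the pattern the Codex implied was safe. The returned URL is
// built from REQUEST_URI and dropped straight into an href attribute.
function vulnerable_link() {
    return '<a href="' . add_query_arg( 'sort', 'date' ) . '">Sort</a>';
}

// HARDENED: escape at output, as both posts say.
function hardened_link() {
    return '<a href="' . esc_url( add_query_arg( 'sort', 'date' ) ) . '">Sort</a>';
}

// Constructed request: the raw payload from a crafted link the victim
// followed has reached REQUEST_URI (assumed; the slug is made up).
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=demo&x="><script>alert(1)</script>';

echo vulnerable_link(), PHP_EOL;
echo hardened_link(), PHP_EOL;
```

Run it with `php example.php`. In the first line the `"` from the request closes the href attribute and the `>` closes the tag, so the script element lands in the page as markup; in the second line the stand-in esc_url() has stripped `"`, `<` and `>` and encoded the ampersands, leaving a harmless (if mangled) URL inside the attribute. The lesson is the one Mike gives: the function returns a URL built from the current request, so escape it at the point of output.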

Battle Testing the Automatic Updater

To date, this is the largest coordinated effort between an outside party, the WordPress core and security teams, and plugin developers. According to Sucuri, affected plugin developers banded together for the common good. Pendergast confirmed that the auto updates only contain code needed to fix the security vulnerability. This should limit the possibility of auto updates breaking sites.

The plugins listed above have already been patched and updates should be available to all users. Browse to Dashboard – Updates to check for and install any available updates.

Google Analytics 5.4 release notes

This release is mostly a security release. After last month’s security update we decided to have Sucuri do another in-depth review of the plugin; we also found another issue ourselves that was common in many plugins, and we were informed of another issue by Jouko. For those reasons, you should update immediately. The release contains a few more improvements, which I’ll highlight below.

Use the WP Settings API

When we rebuilt the Google Analytics plugin at the end of last year, we left one bit of the old code intact: the way it stored settings. We’ve now fully migrated the plugin to the WordPress Settings API, so options saving is handled by core code rather than our own, which removes a whole class of security issues from the plugin.
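As an added illustration of why routing option saving through core matters (this is example code, not the Google Analytics by Yoast plugin’s own), here is a hand-rolled settings handler beside a Settings API version. The sae_ prefix, the option name, the field names and the tracking ID pattern are this example’s own choices; the behaviour of options.php described in the comments is core’s.

```php
<?php
/*
Plugin Name: Settings API Example (added illustration, not Yoast's code)
*/

// BEFORE (deliberately unsafe): a hand-rolled handler of the kind many
// plugins carried over from older code. It writes whatever was posted,
// so it is missing three things: a nonce check (CSRF), a capability
// check (any logged-in user can hit admin_init) and sanitization
// (arbitrary markup ends up stored and later echoed).
function sae_save_settings_by_hand() {
    if ( isset( $_POST['sae_settings'] ) ) {
        update_option( 'sae_settings', $_POST['sae_settings'] );
    }
}
// add_action( 'admin_init', 'sae_save_settings_by_hand' ); // do not do this

// AFTER: the Settings API. The form posts to wp-admin/options.php, which
// only accepts options registered for the posted option group, verifies
// the nonce emitted by settings_fields(), checks manage_options, and runs
// the raw value through the sanitize callback before update_option().
function sae_sanitize_settings( $input ) {
    $clean = array( 'tracking_id' => '', 'anonymize' => 0 );
    // Constrain to the UA-XXXXXX-Y shape instead of trusting free text
    // (pattern assumed for the example).
    if ( isset( $input['tracking_id'] )
         && preg_match( '/^UA-\d{4,10}-\d{1,4}$/', (string) $input['tracking_id'] ) ) {
        $clean['tracking_id'] = $input['tracking_id'];
    } else {
        add_settings_error( 'sae_settings', 'sae_tracking_id', 'Invalid tracking ID', 'error' );
    }
    $clean['anonymize'] = ! empty( $input['anonymize'] ) ? 1 : 0;
    return $clean;
}

function sae_register_settings() {
    register_setting( 'sae_options', 'sae_settings', 'sae_sanitize_settings' );
}
add_action( 'admin_init', 'sae_register_settings' );

function sae_render_settings_page() {
    $opts = get_option( 'sae_settings', array( 'tracking_id' => '', 'anonymize' => 0 ) );
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'sae_options' ); // nonce, action and option_page fields ?>
        <label for="sae_tracking_id">Tracking ID</label>
        <input id="sae_tracking_id" name="sae_settings[tracking_id]" type="text"
               value="<?php echo esc_attr( $opts['tracking_id'] ); ?>">
        <label for="sae_anonymize">Anonymize IP</label>
        <input id="sae_anonymize" name="sae_settings[anonymize]" type="checkbox" value="1"
               <?php checked( $opts['anonymize'], 1 ); ?>>
        <?php submit_button(); ?>
    </form>
    <?php
}

function sae_add_menu() {
    add_options_page( 'SAE Settings', 'SAE Settings', 'manage_options', 'sae-settings', 'sae_render_settings_page' );
}
add_action( 'admin_menu', 'sae_add_menu' );
```

Drop the file into wp-content/plugins and activate it to see the page under Settings. The point is the division of labour: the plugin only owns the sanitize callback and the output escaping, while the request handling that a hand-rolled handler has to get right every time (referer and nonce, capability, option whitelist) lives in core and is fixed there for everyone.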

More accessible forms

A pull request by Steve Repsher added for attributes to our labels, tying each label to its form field. A good accessibility change, for which we’re thankful!

Universal is the default

Now that Google Analytics’ Universal rollout has completed, we’ve made Universal the default for all new installs.

Fixed an annoying bug: scripts everywhere

We also fixed an annoying bug in this release: our plugin was loading its scripts on every page instead of only on its own pages. This led to slow loads and annoying interaction problems, which should now all be solved.

This post first appeared as Google Analytics 5.4 release notes on Yoast. Whoopity Doo!