Categories
WordPress WPEngine

How to Clear the WP Engine Cache

WP Engine's built-in caching is a breath of fresh air if you're used to managing caching plugins, with their finicky settings and tendency to break. Built into the WordPress dashboard, the WP Engine cache control is just two clicks away, which makes theme changes easy to see immediately.

The same thing can also be done from the WP Engine User Portal, a nice addition that lets an administrator or network technician clear the website cache without having direct WordPress access.

Screenshot: WP Engine cache control in the User Portal.
Categories
WordPress WPEngine

How to Access phpMyAdmin at WP Engine

If you've run WordPress for any length of time, you're no doubt familiar with phpMyAdmin. Access to phpMyAdmin can often be critical to your WordPress debugging needs, and thankfully WP Engine makes this very easy.

Unlike some web hosts, which hide phpMyAdmin or put it behind an additional (and unknown) password, phpMyAdmin at WPEngine is accessible with one click inside their User Portal.

Steps to Access phpMyAdmin at WP Engine

  1. Log in to the WPEngine User Portal.
  2. Click PHPMyAdmin in the sidebar menu.
  3. That’s it!

phpMyAdmin will launch in a new tab, and you'll have direct access to both the staging and live databases.

Make sure to run a full backup before making any direct changes to your database.

Categories
WordPress

Choosing the Best WordPress Plugin

WordPress plugins offer a quick and easy way to expand the functionality of your WordPress website. When searching the WordPress.org plugin directory or the web for a suitable plugin, you have to weigh several criteria to decide which plugin to use.

By day I build WordPress-powered websites for small business clients throughout the United States. These clients have real budgets and average tech abilities, making plugin selection important for long-term client happiness. Below are some of the factors I use when selecting a plugin for a project:

  1. Is this feature really needed? By far the most fundamental and important question when deciding whether or not to install a WordPress plugin. If the client isn't going to use the feature, or the feature isn't essential for the site to operate, then it should be considered "extra" and only installed if the site has few plugins already.
  2. Is the plugin popular? Thankfully WordPress does a great job of showing how popular a specific plugin is by displaying "Active Installs" in the directory search. A popular plugin is popular for a reason, and is more likely to do what is advertised. A popular plugin also has a large user base, useful for finding bugs and testing the plugin in many diverse environments.

    WordPress Directory listing for BuddyPress showing number of Active Installs, total number of reviews and average star rating.

  3. Is the plugin well maintained? A plugin, popular or not, that is poorly maintained is a cause for concern. With quarterly WP core updates, changing browser specifications and evolving web standards, making sure the plugin you choose is well maintained is key. I review the integrated support forum on WordPress.org to see whether the author responds to bug reports, and generally how well they handle support.

    You'll want to see lots of these on the Support tab of the WordPress.org Plugin Directory.

  4. When was the plugin last updated? Another key metric, again well highlighted by the folks at WordPress, is the "Last Updated" report. A plugin that hasn't been updated in months, or even years, should be avoided, or at least used with great caution. Some legendary plugins last for years unchanged, but you shouldn't base a website or critical feature on an abandoned plugin.

    WordPress Directory Listing for BuddyPress showing the Last Updated time frame.

  5. Who created the plugin? The team (or individual) behind the plugin is going to be the resource that provides updates and tech support if needed. A company with an actual business model and staff is preferable to an independent developer who is just creating a plugin for fun. That being said, a sole engineer with multiple WordPress plugins under their belt, and a passion for making them better, can be as good as or better than a company-sourced plugin.
  6. Is the plugin compatible? Low on the list but certainly important is the compatibility report. WordPress does a great job here as usual; however, often the plugin will not have enough data to make this metric very useful. WordPress updates so often, and the base of users who report compatibility is so small, that you'll find this hard to gauge for all but the most popular plugins.
  7. How usable is the plugin? Often you need to actually install and use a plugin before determining this. However, sometimes the author does a great job with the "marketing" and instructional content, giving you an idea of how a plugin works and looks before installing. Often I'll install a plugin, attempt to configure and use it, and find myself frustrated or turned off by the user interface or overall experience.
  8. Is there a paid version? This ties into #3 and a little of #5, but a paid version, or a license that entitles you to updates, is a good sign that the plugin authors will stick around to support their product. Often the price is low enough that it makes more sense to pay for the plugin just to get priority support.
  9. How heavy is the plugin? Everyone loves a lean plugin, but not all plugins stick to the core thing they do well. Feature creep is real, and a plugin that does one thing, and only one thing, very well is always preferable.

Other lesser and/or more obscure criteria:

  1. Is there an alternative made by Automattic? Automattic (the company behind WordPress) offers an entire suite of plugins (foremost being Jetpack) that might offer the features you're looking for. Check out their entire list by viewing their author page within the plugin directory.
  2. Could the plugin's features be served by a third party? A good example of this would be videos. Yes, you can host your own videos (HTML5 makes this super easy), and yes, there exist many plugins that offer video players and more for your WordPress website. However, with no plugins and no additional maintenance you can host your videos on YouTube (for free), AND get the benefit of having your videos discoverable on YouTube!
  3. Can the features of the plugin be replicated with theme functionality? We all know that cramming PHP into functions.php is a bad idea (right?!?), but sometimes a plugin's functionality can be duplicated using some creative theme work (you're using a child theme, right?!?) and/or HTML/JS/CSS. Instead of a plugin, brush up on your PHP and head on over to the theme codex to make a custom theme template with the features you want.
  4. Does the plugin get good reviews? I don't read individual reviews, but the "star" rating offered by the WordPress plugin directory is useful if the number of reviews is high enough. We all know that reviews on the web are easily gamed; however, in aggregate they can be useful for gauging overall customer/user happiness.

    WordPress Plugin Directory ratings overview for BuddyPress.
Categories
Analytics WordPress

Should You Use a Google Analytics WordPress Plugin

Many times I come across a website powered by WordPress that is rife with unused, out-of-date and abandoned plugins. The first step in remedying this common situation is to review the installed plugins and identify candidates to eliminate. Often I attempt to remove plugins that provide simple, easy-to-replicate features. One example is Google Analytics. Beginner web folks and tech-averse clients don't feel comfortable editing a theme by hand, which is why you typically find a plugin that merely inserts code into a theme, a task quite easy for even the greenest web developer.

For websites with existing performance or stability problems, removing a Google Analytics plugin or similar is low-hanging fruit. However, for websites without issues, WordPress plugins that connect to the Google Analytics system can provide added features not easily available with manual code.

Pros and Cons

Let’s explore the pros and cons of each.  First manual code:

Manual Code Pros

Simple to implement (copy+paste into your theme)

No plugin overhead

Manual Code Cons

Not simple to implement for those tech-averse or unfamiliar with WordPress themes.

Expanded features need to be coded manually.

You need to manually update code if Google Analytics changes.

Without picking a specific Google Analytics plugin, I’m going to highlight the overall pros and cons of this approach.

Plugin Pros

Simple setup process, usually aided by a graphical interface.

Added features such as outbound link tracking, traffic exclusions for logged in users, integrated reports & graphics.

Assuming the plugin is actively managed, changes to Google Analytics should be accommodated automatically.

Plugin Cons

Possible added performance overhead from running a plugin.

Plugin bugs could cause issues with the site in general.

Added maintenance related to updating plugin.

Most if not all of the cons associated with running a Google Analytics plugin apply to running any WordPress plugin. You run the risk of the plugin wreaking havoc on your site, whether from WP core updates, plugin updates, or conflicts with other plugins. As WordPress plugins go, however, these are typically lightweight, since all they have to do is output the necessary JavaScript.

Google Analytics WordPress Plugins

I’ll spare you a review of each service, as I’m sure that’s been done before.  For what it’s worth I’m trying out Yoast’s solution*.

Google Analytics by Yoast

Google Analytics Dashboard for WP

Google Analytics +

Conclusion

As I stated above, GA plugins are lightweight enough that you can consider running them without much maintenance or performance fear. The keys to keep in mind are to choose a plugin that is actively managed, steer clear of plugin bloat (make sure this isn't your one-millionth plugin) and actually use the additional data the plugin enables. If you're not going to use the outbound link tracking, or if you're not concerned with tracking logged-in users, then manual code might be the way to go.

*Currently the Google Analytics by Yoast plugin is having trouble authenticating. It appears to authenticate, but when I return to the WP dashboard, the plugin warns me that I need to re-authenticate. This of course highlights one of the cons of using a plugin: with manual code I would not have to authenticate.

Categories
Security WordPress

WordPress Security Best Practices

A long overdue follow-up to my immensely popular almost perfect WordPress htaccess file article. This article of best practices should give you several more tricks up your sleeve to keep your WordPress installation secure, running smoothly and below the radar of hackers and spammers. This guide is not for WP beginners, but I also left out more advanced and obscure techniques, to keep these recommendations to the kind you could feasibly implement even if you're not a veteran.

1.  Change $table_prefix:  By default WordPress uses a wp_ prefix for the table names in your MySQL database. Attack tools are written to look for this naming convention, so changing the prefix from the default makes those tools less effective.

Ideally, change the prefix value in wp-config.php before your first install. If you have already installed WordPress, there are a handful of plugins and tutorials available online to walk you through the process. Beware: renaming your tables after install is risky, so follow thorough backup procedures first to minimize possible downtime.

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

Helpful Link: http://codex.wordpress.org/Editing_wp-config.php#Advanced_Options

2.  Remove the "admin" username / account:  This technique is simple to execute and one that almost any user can accomplish. By default WordPress creates an administrator account with the username "admin". This default is exploited by attackers who brute-force your admin login credentials: knowing one half of the login makes guessing the other half that much easier.

To address this, simply create a new account and give it administrator rights. Then log out of your "admin" account, log back in as the new user, and delete the old admin account. When you delete it, make sure to assign all posts, comments, etc. to the new administrator you created. If you're installing WordPress fresh, the install procedure now lets you choose the username before install.

3.  Restrict wp-admin access to certain IPs:  Assuming you manage your WordPress site from only a few locations and your IP address does not change frequently, restricting access to WP Admin to a list of IP addresses adds very effective protection against remote attacks.

Create or modify the .htaccess file in /wp-admin/ to include the following, replacing the placeholder addresses with your own. Note that order, deny and allow are Apache 2.2 directives; Apache 2.4 honours them only when mod_access_compat is loaded and otherwise expects Require ip instead.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName Access Control
AuthType Basic
order deny,allow
deny from all
# whitelist
#home
allow from 00.000.000.00
# work
allow from 00.000.000.000

4.  Remove unused themes and plugins:  This advice is incredibly easy to execute and a no-brainer for anyone whose blog has accumulated multiple themes over time. Old, even inactive, themes can present security risks to WordPress. Removing them is as easy as deleting the theme via FTP from the wp-content/themes/ directory, or using the WP admin (Appearance > Themes > Delete). If you might need to re-activate an older theme, download the files and store them locally until needed again.

5.  Secure /wp-admin/ directory:  For most, this can be accomplished via your hosting control panel, most likely some version of cPanel or Plesk. For unfortunate Windows users, this type of directory protection isn't quite as simple, so you're mostly SOL. Simply choose the /wp-admin/ directory to protect and assign a new user to it. When you visit yourdomain.com/wp-admin you'll be prompted with an additional username and password dialog. If you don't have a hosting control panel capable of creating this type of protection for you, the process can be done by hand, but it involves a few more (IMHO worthwhile) steps.

Pro Tip:  Some of you may get a 404 Page Not Found when attempting to access your newly protected admin directory. To fix this, add "ErrorDocument 401 default" to the top of your /wp-admin/ .htaccess file.

Helpful Link: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin

Your resulting .htaccess file should look something like this, assuming you have nothing else custom present. The AuthUserFile path will differ on your server, and the AuthName can read whatever you'd like.

ErrorDocument 401 default

AuthType Basic
AuthName "Go Away"
AuthUserFile "/home/username/.htpasswds/public_html/wp-admin/passwd"
require valid-user
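Steps 3 and 5 both end up in the same /wp-admin/.htaccess, so here they are combined in one file written in Apache 2.4 syntax. This is an added example, not the article's own file. It assumes Apache 2.4 with mod_authz_core, mod_authz_host, mod_auth_basic and mod_authn_file loaded, and AllowOverride granting AuthConfig and FileInfo for the directory; the addresses 192.0.2.10 and 198.51.100.0/24 and the AuthUserFile path are placeholders to replace with your own. The order/deny/allow lines shown earlier are the 2.2 form; 2.4 accepts them only through mod_access_compat and mixing the two styles in one file gives confusing results, so this file uses the Require form throughout.

```apache
# Added example, not from the original article.
# /wp-admin/.htaccess in Apache 2.4 syntax: IP allowlist (step 3) plus
# HTTP Basic Auth (step 5). Assumptions: Apache 2.4 with mod_authz_core,
# mod_authz_host, mod_auth_basic and mod_authn_file; AllowOverride permits
# AuthConfig and FileInfo here. The IP addresses and the AuthUserFile path
# are placeholders.

# Serve Apache's own 401 page so the auth challenge does not fall
# through to WordPress's 404 handler (the "Pro Tip" above).
ErrorDocument 401 default

AuthType Basic
AuthName "Go Away"
AuthUserFile "/home/username/.htpasswds/public_html/wp-admin/passwd"

# Defence in depth: a request must come from an allowed address AND
# carry valid credentials. Either check alone would also work, but
# together a stolen password is useless from an unknown network.
<RequireAll>
    <RequireAny>
        # home (placeholder address)
        Require ip 192.0.2.10
        # office network (placeholder range)
        Require ip 198.51.100.0/24
    </RequireAny>
    Require valid-user
</RequireAll>

# Themes and plugins call admin-ajax.php for anonymous visitors as well,
# so keeping it behind the wall above breaks those front-end features.
# This per-file rule replaces the directory rule for admin-ajax.php only
# (the default AuthMerging Off means the inner section is not merged).
<Files "admin-ajax.php">
    Require all granted
</Files>
```

If you would rather accept either the IP check or the password (for example when travelling), change the outer `<RequireAll>` to `<RequireAny>` and drop the inner `<RequireAny>`; with 2.4's `Require`, authentication is only demanded when an authorization rule actually needs a user, which is why the admin-ajax.php exception needs no `Satisfy` directive.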

6.  Lock down file permissions:  File permissions are often loosened to make certain plugins work or to diagnose problems with a WordPress install, and many times they are simply wrong or too loose out of the gate. Changing file and directory permissions can be tricky, however, and can cause a multitude of problems. The best technique is to change them slowly and test often. Also, if you run tight permissions, don't be surprised if newly installed plugins don't work quite right without some adjustments.

Helpful Link: http://codex.wordpress.org/Changing_File_Permissions

Helpful Link:  http://codex.wordpress.org/Hardening_WordPress#File_Permissions

7.  Hide WordPress signature:  This is another "security through obscurity" technique, similar to removing the admin account or changing your table prefix. By default, WordPress emits a "signature" identifying the website as powered by WP and displaying the version number in the page source. Knowing that you use WP, and which version, gives a would-be attacker an advantage.

There are three ways to address this:

a.  Remove the following (actual format may vary) from your header code:


b. Add the following to your theme/functions.php file:

remove_action('wp_head', 'wp_generator');

c. Add the following to remove this signature from the blog *and* the RSS feed.

function wpbeginner_remove_version() {
return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');

8.  Turn WP DB errors off.  Since version 2.3.1 WordPress has turned this off by default. The debug feature gives you, the developer, lots of helpful information when things aren't quite right, but it should be disabled when you're not actively diagnosing issues.

Helpful Link: http://codex.wordpress.org/Editing_wp-config.php#Debug

9. Strong passwords. An oldie but a goody.  Make sure every user has a strong password.  There are a whole host of WordPress plugins that enforce strict passwords on all users if you don’t have the option of creating the accounts yourself.

Helpful Link: http://codex.wordpress.org/Hardening_WordPress#Passwords

10. Monitor or disable user registration/comments.  User registration and participation via comments, while great for your blog's community and traffic, are bad for security. Opening your WordPress blog to user registrations gives an attacker a level of access that anonymous visitors don't have, potentially revealing information about your blog that they can use to gain further access. Monitoring user registrations and activity is key to minimizing this threat. If things get very bad, user registration can be disabled via the Admin > Settings > General control panel.

11. Secure FTP.  Sometimes security isn't about stopping someone across the globe but rather someone much closer. This intruder or snooper could be sniffing network traffic and intercept your username and/or password. Secure FTP, or SFTP, encrypts the connection between you and your web server, ensuring no one in between can sniff your login credentials.

Helpful Link: http://codex.wordpress.org/Hardening_WordPress#FTP

12. Administration over SSL.  As with the advice for FTP, it is wise to use the WordPress admin interface over a secure connection. Forcing SSL for WP Admin is a little more involved than most admins will tolerate, but it should not be ignored in a comprehensive security plan.

Helpful Link: http://codex.wordpress.org/Administration_Over_SSL

13. Secure wp-config.php with htaccess.  Most don't know this, but you can actually move the all-important wp-config.php file one directory above the WP install. This gives you another level of obscurity from attackers looking to nab that file. Even if you don't move wp-config.php, you should protect it with an .htaccess rule.

Here's what you add to your root directory .htaccess file (the files wrapper limits the rule to wp-config.php alone; without it, these two lines would block your entire site):

<files wp-config.php>
order allow,deny
deny from all
</files>

Helpful Link: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php

——

If you made it this far congratulations, you now have a good primer on WordPress security.  Not all of these best practices are required to run a secure WordPress site, but the more important your website becomes, the more essential these types of defenses become.

Other things to worry about:

Plugins.  Even if you prune old plugins, existing even up-to-date plugins can present security risks.  Keep them to a minimum.

Flash:  Flash can be hacked. I've had personal experience bailing out website owners with compromised Flash galleries. Drop Flash and use JavaScript.

Your computer:  Your computer could be compromised.  Scan often and with different software.

Edits:

Twitter user @BoiteAWeb reminded me that the WP version number is stored in your root directory readme.html file. Delete it to further obscure this useful information.
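The wp-config.php rule from step 13 and the readme.html note just above are both file-level denials in the root .htaccess, so here they are together as one added example (not the article's own file). It assumes Apache 2.4 with mod_authz_core; the `<IfModule>` fallback keeps the same rules working on 2.2, which has no mod_authz_core and only understands Order/Deny. None of this is needed for wp-config.php if you have moved it above the document root, since a file outside DocumentRoot is not reachable by URL.

```apache
# Added example, not from the original article. Rules for the root
# .htaccess that refuse direct requests for wp-config.php (step 13) and
# for readme.html (the WP version leak noted in the Edits). Assumes
# Apache 2.4 with mod_authz_core; the <IfModule> fallback covers 2.2.

# wp-config.php is normally executed by PHP, never served raw. If the PHP
# handler ever breaks or is misconfigured, the raw file, database
# password included, would be downloadable; deny it regardless.
# readme.html states the installed WordPress version. Deleting it is the
# simplest fix, but a core update ships a fresh copy, so deny it here too.
<FilesMatch "^(wp-config\.php|readme\.html)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4: answers 403 Forbidden
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 equivalent of the rule above
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After adding the rules, request yourdomain.com/readme.html and yourdomain.com/wp-config.php in a browser: both should now return 403 rather than a page or a download.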