Categories: WordPress

Choosing the Best WordPress Plugin

WordPress plugins offer a quick and easy way to expand the function of your WordPress website. When searching the WordPress.org plugin directory, or web for a suitable plugin, one has to factor in several criteria to ultimately decide which plugin to utilize.

By day I build WordPress powered websites for small business clients throughout the United States.  These clients have real budgets, and average tech abilities, making plugin selection important for long term client happiness.  Below are some of the factors I use when selecting a plugin for a project:

  1. Is this feature really needed? By far the most fundamental and important question when determining whether or not to install a WordPress plugin is this. If the client isn’t going to use the feature, or the feature isn’t essential for the site to operate, then it should be considered “extra” and only installed if there are few existing plugins already on the site.
  2. Is the plugin popular? Thankfully WordPress does a great job of showing how popular a specific plugin is by showing “Active Installs” within the directory search.  A popular plugin is popular for a reason, and is more likely to do what is advertised.  A popular plugin also has a large user base useful for finding bugs, and testing the plugin in many diverse environments.
    WordPress Directory listing for BuddyPress showing number of Active Installs, total number of reviews and average star rating.


  3. Is the plugin well maintained? A popular (or not) plugin that is poorly maintained is a cause for concern. With quarterly WP core updates, changing browser specifications and evolving web standards, ensuring the plugin you choose is well maintained is key.  I review the integrated support forum on WordPress.org to see if the author responds to bug reports, and generally how well they handle support.
    You’ll want to see lots of these on the Support tab of the WordPress.org Plugin Directory.


  4.  When was the plugin last updated?  Another key metric, again well highlighted by the folks at WordPress, is the “Last Updated” report.  A plugin that hasn’t been updated in months, or even years, should be avoided, or at least used with great caution.  Some legendary plugins last for years unchanged, but you shouldn’t base a website or critical feature on an abandoned plugin.
    WordPress Directory Listing for BuddyPress showing the Last Updated time frame.


  5. Who created the plugin? The team (or guy/gal) behind the plugin is going to be the resource to provide updates, and tech support if needed. A company with an actual business model and staff is preferable to an independent developer who is just creating a plugin for fun. That being said, a sole engineer with multiple WordPress plugins under his/her belt, and a passion for making them better can be as good, or better than a company sourced plugin.
  6.  Is the plugin compatible?  Low on the list but certainly important is the compatibility report.  WordPress does a great job here as usual; however, oftentimes the plugin will not have enough data to make this metric very useful.  WordPress updates so often, and the base of users who report compatibility is so small, that you’ll find this hard to gauge for all but the most popular plugins.
  7.  How usable is the plugin?  Oftentimes you need to actually install and use a plugin before determining this.  However, sometimes the author does a great job with the “marketing” and instructional content to enable you to get an idea of how a plugin works and looks before installing.  Often I’ll install a plugin, attempt to configure and use it, and find myself frustrated or turned off by the user interface or overall experience.
  8. Is there a paid version?  This ties into #3 and a little of #5 but a paid version, or license to entitle you to updates is a good sign that the plugin authors will stick around to support their product.  Often the price is low enough, that it makes more sense to pay for the plugin, just to get priority support.
  9. How heavy is the plugin?  Everyone loves a lean plugin but not all plugins stick to the core thing they do well.  Feature-creep is real, and a plugin that does one thing, and only one thing very well is always preferable.

Other lesser and/or more obscure criteria:

  1. Is there an alternative made by Automattic?  Automattic (the company behind WordPress) offers an entire suite of plugins (foremost being Jetpack) that might offer the features you’re looking for.  Check out their entire list by viewing their author page within the plugin directory.
  2.  Could the plugin features be served by a third party?  A good example of this would be videos.  Yes, you can host your own videos (HTML5 makes this super easy), and yes, there exist many plugins that offer video players and more for your WordPress website.  However, with no plugins and no additional maintenance you can host your videos on YouTube (for free), AND get the benefit of having your videos discoverable on YouTube!
  3. Can the features of the plugin be replicated with theme functionality?  We all know that cramming PHP into functions.php is a bad idea (right?!?) but sometimes a plugin’s functionality can be duplicated using some creative theme work (you’re using a child theme right?!?) and/or HTML/JS/CSS.  Instead of a plugin brush up on your PHP and head on over to the theme codex to make a custom theme template with the features you want.
  4. Does the plugin get good reviews?  I don’t read individual reviews, but the “star” rating offered by the WordPress plugin directory is useful if the number of reviews is high enough.  We all know that reviews on the web are easily gamed, however in aggregate they can be useful for gauging overall customer/user happiness.

    WordPress Plugin Directory ratings overview for BuddyPress.
Categories: Analytics, WordPress

Should You Use a Google Analytics WordPress Plugin

Many times I come across a website powered by WordPress rife with unused, out of date and abandoned plugins.  The first step in remedying this common situation is to review the plugins installed and identify candidates to eliminate.  Often I attempt to remove plugins that provide simple, easy to replicate features.  One example is Google Analytics.  Beginner web folks, and tech averse clients don’t feel comfortable editing a theme by hand, and this is why you typically find a plugin that merely inserts code into a theme – a task quite easy for even the most green web developer.

For websites with existing performance or stability problems, removing a Google Analytics plugin, or similar, is low hanging fruit.  However, for websites without issues, WordPress plugins that offer connections to the Google Analytics system can provide added features not easily available when using manual code.

Pros and Cons

Let’s explore the pros and cons of each.  First manual code:

Manual Code Pros

Simple to implement (copy+paste into your theme)

No plugin overhead

Manual Code Cons

Not simple to implement for those tech-averse or unfamiliar with WordPress themes.

Expanded features need to be coded manually.

You need to manually update code if Google Analytics changes.

Without picking a specific Google Analytics plugin, I’m going to highlight the overall pros and cons of this approach.

Plugin Pros

Simple setup process, usually aided by a graphical interface.

Added features such as outbound link tracking, traffic exclusions for logged in users, integrated reports & graphics.

Assuming the plugin is actively managed, changes to Google Analytics should be accommodated automatically.

Plugin Cons

Possible added performance overhead from running a plugin.

Plugin bugs could cause issues with the site in general.

Added maintenance related to updating plugin.

Most if not all of the cons associated with running a Google Analytics plugin are applicable to running any WordPress plugin.  You run the risk of the plugin wreaking havoc on your site, whether it be from WP core updates, plugin updates, or conflicts with other plugins.  As WordPress plugins go however, these are typically lightweight, having to only create necessary JavaScript.

Google Analytics WordPress Plugins

I’ll spare you a review of each service, as I’m sure that’s been done before.  For what it’s worth I’m trying out Yoast’s solution*.

Google Analytics by Yoast

Google Analytics Dashboard for WP

Google Analytics +

Conclusion

As I stated above, GA plugins are lightweight enough that you can consider running them without much maintenance or performance fear.  The keys to keep in mind are to choose a plugin that is actively managed, stay clear of plugin bloat (make sure this isn’t your one millionth plugin) and actually use the additional data enabled by this plugin.  If you’re not going to use the outbound link tracking, or if you’re not concerned with tracking logged in users, then manual code might be the way to go.

*Currently the Google Analytics by Yoast plugin is having troubles authenticating. It appears to authenticate, but when I return to the WP dashboard, the plugin warns me that I need to re-authenticate. This of course highlights one of the cons of using a plugin – with manual code I would not have to authenticate.

Categories: Security, WordPress

WordPress Security Best Practices

A long overdue follow up to my immensely popular almost perfect WordPress htaccess file article.  This article of best practices should give you several more tricks up your sleeve to keep your WordPress installation secure and running smooth & below the radar of hackers and spammers.  This guide is not for WP beginners, but I also left out more advanced and obscure techniques, to keep these recommendations to the kind you could feasibly implement even if you’re not a veteran.

1.  Change $table_prefix:  By default WordPress uses a wp_ prefix to create the table names within your MySQL database.  Hackers exploit this default behavior and design their tools to look for this naming convention.  Changing this prefix from the default makes their attack tools less effective.

Ideally, prior to your first install, change the prefix value in the wp-config.php file to something else.  If you have already installed WordPress, there are a handful of plugins and tutorials available online to walk you through the process.  Beware: changing your table names after install is dangerous, and you should follow thorough backup procedures to minimize possible down time.

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

Helpful Link: http://codex.wordpress.org/Editing_wp-config.php#Advanced_Options

2.  Remove the “admin” username / account:  This is a technique that is simple to execute and one that can be accomplished by almost any user.  By default WordPress creates an administrator account with the username “admin”.  This default behavior is one that is exploited by hackers who use brute force to guess your admin login credentials.  Knowing one half of your login makes gaining access that much easier for an attacker.

To address this simply create a new account and give it administrator rights.  Then logout of your “admin” account, re-login as this new user, and then delete the old admin account.  When you delete this account, make sure to assign all posts, comments etc. to the new administrator you created. If you’re installing WordPress fresh, the install procedure now allows you to change the username prior to install.

3.  Restrict wp-admin access to certain IPs:  Assuming you manage your WordPress from only a few locations and your IP address does not change frequently, restricting access to WP Admin based on a list of IP addresses can add a very thorough protection from remote attacks.

Create or modify your existing .htaccess file in /wp-admin/ to include the following.  You’ll need to customize it to add your own IP addresses.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# deny everyone, then allow only the listed addresses
order deny,allow
deny from all
# whitelist
# home
allow from 00.000.000.00
# work
allow from 00.000.000.000

4.  Remove unused themes and plugins:  This advice is incredibly easy to execute and a no-brainer for most who run a blog that has accumulated multiple themes over time.  Old, even inactive themes can present security risks to WordPress.  Removing them is as easy as deleting the theme via FTP from the wp-content/themes/ directory, or using the WP admin (Appearance>Themes>Delete).  If you need to possibly re-activate an older theme download the files and store it locally until needed again.

5.  Secure /wp-admin/ directory:  For most, this can be accomplished via your hosting control panel, most likely some version of cPanel, or Plesk.  For unfortunate Windows users, this type of directory protection isn’t quite as simple so you’re mostly SOL.  Simply choose the /wp-admin/ directory to protect, and assign a new user to this directory.  When you visit yourdomain.com/wp-admin you’ll be prompted with an additional username and password dialog.  If you don’t have a hosting control panel capable of creating this type of protection for you, the process can be done by hand but it involves a few more (but IMHO worthwhile) steps to complete.

Pro Tip:  Some of you may experience a 404 Page Not Found when attempting to access your newly protected admin directory.  To fix this you’ll need to add “ErrorDocument 401 default” to the top of your /wp-admin/ .htaccess file.

Helpful Link: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin

Your resulting .htaccess file should look something like this, assuming you have nothing else custom present.  The AuthUserFile path will differ on your server, and the AuthName can read whatever you’d like.

ErrorDocument 401 default

AuthType Basic
AuthName "Go Away"
AuthUserFile "/home/username/.htpasswds/public_html/wp-admin/passwd"
require valid-user

6.  Lock down file permissions:  File permissions are many times loosened to make certain plugins work, or to diagnose problems with a WordPress install.  Many times, they are simply wrong or too loose out of the gate.  Changing file and directory permissions, however, can be tricky and can cause a multitude of problems.  The best technique is to change them slowly and test often.  Also, if you run secured permissions, don’t be surprised if newly installed plugins don’t work quite right without some adjustments.

Helpful Link: http://codex.wordpress.org/Changing_File_Permissions

Helpful Link:  http://codex.wordpress.org/Hardening_WordPress#File_Permissions
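To support the “change slowly and test often” approach above, here is an added example (my own, not from the original post): a small POSIX shell audit that lists anything under the WordPress root that is writable by group or other, flags a wp-config.php that other accounts can read, and a companion function that applies the Codex baseline of 755 for directories and 644 for files. The function names wp_perm_audit and wp_perm_fix are hypothetical, and 600 on wp-config.php assumes PHP runs as the file owner, as on typical shared hosts.

```shell
#!/bin/sh
# wp_perm_audit ROOT
# Prints every directory or file under ROOT that group or other can write,
# plus a wp-config.php that group or other can read. Returns 0 when clean,
# 1 when something was found, so it can be re-run after each adjustment.
wp_perm_audit() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi

    # Anything writable by group/other (775, 777, 666, ...) can be modified
    # by another account on a shared host or by a compromised neighbour.
    writable=$(find "$root" \( -type d -o -type f \) -perm /022 -print)

    # wp-config.php carries the database password and the auth salts, so the
    # common default of 644 (readable by everyone on the box) is flagged too.
    cfg=$(find "$root" -maxdepth 1 -name wp-config.php -perm /044 -print)

    status=0
    if [ -n "$writable" ]; then
        printf 'group/other-writable:\n%s\n' "$writable"
        status=1
    fi
    if [ -n "$cfg" ]; then
        printf 'readable by group/other: %s\n' "$cfg"
        status=1
    fi
    return $status
}

# wp_perm_fix ROOT
# Applies the Codex baseline: 755 on directories, 644 on files, and 600 on
# wp-config.php (assumes the web server runs as the owner of the files).
# Kept separate from the audit so you can tighten in stages and retest.
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
    return 0
}
```

Run wp_perm_audit against the site root, fix one area at a time, then run the audit again and click through the admin before moving on.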

7.  Hide WordPress signature:  This is another “security through obscurity” technique similar to removing the admin account or changing your table prefixes.  By default, WordPress will report a “signature” identifying the website as powered by WP and displaying the version number in the code.  Knowing that you use WP, and what specific version gives a would-be hacker an advantage.

There are three ways to address this:

a.  Remove the generator meta tag that WordPress prints in the page head (actual format may vary) from your header code.

b. Add the following to your theme/functions.php file:

remove_action('wp_head', 'wp_generator');

c. Add the following to remove this signature from the blog *and* the RSS feed.

function wpbeginner_remove_version() {
return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');

8.  Turn WP DB errors off.  Since version 2.3.1 WordPress has turned this value off by default.  The debug feature gives you, the developer, lots of helpful information if things aren’t quite right, but it should be disabled when you’re not actively diagnosing issues.

Helpful Link: http://codex.wordpress.org/Editing_wp-config.php#Debug

9. Strong passwords. An oldie but a goody.  Make sure every user has a strong password.  There are a whole host of WordPress plugins that enforce strict passwords on all users if you don’t have the option of creating the accounts yourself.

Helpful Link: http://codex.wordpress.org/Hardening_WordPress#Passwords

10. Monitor or disable user registration/comments.  User registration and participation via comments while great for your blog’s community and traffic, is bad for security.  Opening your WordPress blog to user registrations allows a hacker to gain access to your site that regular users don’t have, potentially revealing vital information about your blog they can use to gain access.  Monitoring user registrations and activity are key to minimizing this threat.  If things get very bad, disabling user registration can be done via the Admin> Settings > General control panel.

11. Secure FTP.  Sometimes security isn’t about trying to stop someone across the globe but rather someone much closer.  This intruder or snooper could be sniffing network traffic and could intercept your username and/or password.  Secure FTP, or SFTP, encrypts the connection between you and your web server, ensuring no one in between can sniff your login credentials.

Helpful Link: http://codex.wordpress.org/Hardening_WordPress#FTP

12. Administration over SSL.  Like the advice for FTP, it is wise to use the WordPress admin interface over a secure connection.  Forcing SSL for the WP Admin is a little more involved than most admins will tolerate, but it should not be ignored when attempting a comprehensive security plan.

Helpful Link: http://codex.wordpress.org/Administration_Over_SSL

13. Secure wp-config.php with htaccess.  Most don’t know this but you can actually move the all important wp-config.php file one directory above the WP install.  This gives you another level of obscurity from attackers looking to nab that file.  Even if you don’t move wp-config.php, you should protect it with an .htaccess file.

Here’s what you add to your root directory .htaccess file (the deny rules must be wrapped in a files block naming wp-config.php; on their own they would block the whole site):

<files wp-config.php>
order allow,deny
deny from all
</files>

Helpful Link: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php

——

If you made it this far congratulations, you now have a good primer on WordPress security.  Not all of these best practices are required to run a secure WordPress site, but the more important your website becomes, the more essential these types of defenses become.

Other things to worry about:

Plugins.  Even if you prune old plugins, existing even up-to-date plugins can present security risks.  Keep them to a minimum.

Flash:  Flash can be hacked.  I’ve had personal experience bailing out website owners with compromised Flash galleries.  Drop the Flash and use JavaScript.

Your computer:  Your computer could be compromised.  Scan often and with different software.

Edits:

Twitter user @BoiteAWeb reminded me that the WP version number is stored in your root directory readme.html file. Delete it to further obscure this useful information.

Categories: Business, Web Development

19 Things A Business Owner Can Do to Torpedo Their Website Project

In my 14+ years of professional website design and development experience I have seen and heard it all when it comes to client and business owner web project dysfunction.

Categories: Crazy Ideas

I’m Stuck – Random Design Idea Generator

I fashion myself a bit of a web designer, and sometimes after slaving away on a client’s web design proof for hours, I run into a wall of uncreative energy or as I call it “shit out of ideas”.  I have found that many times the path around or through this wall is not always that complicated and can sometimes be as simple as a random one-line suggestion.

So as usual I had an idea for a very simple web application that web designers could bookmark, and when completely out of ideas they could visit and get a quick suggestion that they would then apply to their design proof.

The humor in this comes in two areas: the web application has no idea what the designer is working on, nor does it care.  It’s simply pre-loaded with canned, design-specific suggestions that may or may not apply to the designer.  The point is that sometimes this may be enough, or the suggestion may reinforce an idea you were already considering in your head or on the screen/paper.  The other humor angle is the suggestions themselves, which can be as simple and benign as “It needs more red” to as wacky and insulting as “Throw it out and start over you idiot” or whatever else we (or you, see below) may think up.

Check out the demo version of this web app we call I’m Stuck over at josefresco.com/imstuck.

But wait, there’s more …

The demo I whipped up at josefresco.com is simple, ugly, took less than an hour to make, and really is just the basis for a site that could be much more fun.  Here are some ways that someone could expand on the idea and provide more functionality and humor:

1.  Social Rating: Give users the ability to rate the suggestions and allow the user to filter to show top rated suggestions.

2.  User Participation:  Allow users to submit their own (crazy) suggestions and give them a weblink as an incentive.

3.  Filters:  Categorize the suggestions and give the users a filter to further tailor the now less-random suggestion to their project.

Those ideas are fun, but what if we took it further:

4.  Community:  Allow users to upload proofs of their work and have other users give their own customized suggestions.  Integrate a way for authors to thank users (PayPal/badges etc.)

5.  Mobile: All the cool kids are doing it, and I could see an I’m Stuck mobile app being useful for those designers on the go needing inspiration.

6.  Beyond Design:  This idea and web application could be expanded beyond just design to encompass other subjects such as; Pick Up Lines, Economic Policy, Sitcom Plots.

So there you have it.  Not only a working proof of concept but some basic ideas for 2 or more generations of a web application and service just begging to be made.

In case you missed it above check out the demo of I’m Stuck and leave me your feedback.