Category Archives: Focus on WordPress

I’m back!

I’ve been writing, just not on THIS blog! I was invited to write articles for TorqueMag.io and have written several over the past few months. I’ve also been busy with other projects, and my grandchildren, and this blog has taken a backseat.

First, I’ll provide links to the articles I have written. They may prove useful to you, they may not, and if nothing else will provide me with a concise summary of my work!

Updating Client Sites to WordPress 3.6 – A bit dated now, since we are on 3.9, but it is what it is.

Widget UI Refresh for WordPress Core – Already in place in core WordPress

WordPress Multisite Case Study

Designing Responsively

Table Plugins for WordPress

Backup Plugins for WordPress

A series of articles on how WordPress is put together, and how you can make it do your bidding!

Dissecting WordPress: Customizing footer.php

Dissecting WordPress: Customizing header.php

Dissecting WordPress: page.php

Dissecting WordPress: single.php

In the works is an article about Heartbleed, although there has already been an overload of information. Still, we each bring a unique perspective, and I’ve learned from each article I have read. Maybe my writing will help someone else.

And I’m open to ideas for what you would like to see discussed here. Let me know!

Another Review – BuddyPress Child Themes

Once again, I was asked to review an e-book for Packt Publishing. This was a how-to on BuddyPress and how to develop a theme for BuddyPress. Here is my review:

Maybe I was expecting more in-depth or detailed instructions, specifically directed to “how to build a theme” – what I got was (as the author admits) a whirlwind tour of both WordPress and BuddyPress, a lot of code thrown about with not much explanation, and a ton of links to the codex and other resources to get more in-depth information.

The first third of the book is all about installing WordPress and BuddyPress, something I know how to do, and I would assume anyone considering BuddyPress would know as well. At least the WordPress part could be skipped, perhaps a section on how a BuddyPress install is different than a WordPress install.

Once into themes, and theme basics, and developing a theme, it got more interesting. However, I found a lot more allusions to the information I wanted than the information itself. Some teaser information was given, with a link to the codex to follow up. Many times, code was given to add with no breakdown as to what each line was for or what the code actually did. Instructions were to just copy this code to your functions.php or a template file, and such and such function is added. I suppose this is where the included files come in; you are free to tweak them and play with them to see what happens.

In short, I was hoping the book itself would be a guide or manual I could use to create a child theme for BuddyPress. Instead, it was more of an overview of where to get the information to create a child theme – i.e., the codex. I was also surprised at the number of grammatical errors there were, and the lack of a coherent flow to the material. I was often confused as to why some things were included where they were. Granted, the reviewers likely were all coders or designers, not grammar experts or copy writers, but still….

If you are interested in this title or others relating to web design, and technology in general, check out the $5 sales, going on through January 3 at Packt Publishing.

Here’s Something Different!

I was recently asked to review an e-book (also available in hard copy). The title? WordPress Multisite Administration – hardly casual reading! Since I have worked with Multisite, I was hoping to learn what I have been doing right (or wrong) and glean some tips to make my work more efficient! I was a bit disappointed, though I did learn! I agreed to post my review on my own blog, so here it is:

Stated in the beginning of the book: This book is geared towards people who have some experience with WordPress already. And in the first section, it goes through a quick (5 minute install) of WordPress, and assumes the reader knows how to and has already uploaded the files to the server and edited wp-config with the database connection info, since it begins with the “Installing WordPress” by starting the install wizard.

Then, in the next section on configuring MultiSite, it goes through how to upload the files, edit wp-config.php, etc – why cover it now and not prior? This was confusing to me. I would simply say that installing a multisite is done by installing a single site (and go through the procedures here), and then what to edit in the wp-config.php to allow multisite. Go through the file upload, editing the wp-config with your database information, change the prefix for security, add salts, etc – get the single site installed and working. Then add the multisite code lines to wp-config to convert to a multisite and continue with the network setup. It should all be one chapter, and since readers *should* already be familiar with WP setup – the file unzipping, upload, and initial username and password setup does not need to be covered in such great detail. And if it is to be covered, put it in the single site section, since it needs to be done and a single site install working before multisite can be set up. It was confusing to me the way it was written.

If anything, cover single site setup briefly. Then go right to editing the wp-config, reupload it, and on to the multisite dashboard and changes.

The later chapters on security, caching, and optimizing are good info, but not necessarily specific to multisite. Perhaps a note could be included that this can apply to all WP installs, not just multisite. And that there are many ways to accomplish the goals – plugins mentioned are suggestions only and each developer will find their own set of tools to use. (I have several not mentioned that I use for security, monitoring – and there are lots out there.)

I would suggest a chapter on subfolders vs subdomains, advantages and disadvantages of either setup, the difference between the two, and domain mapping (unique URLs for each sub site). The book “assumes” the sub sites will all be shown on your directory of sites, and are all interconnected. This is not always the case; each sub site may be a distinct site with its own URL. And that is where I, personally, had the biggest struggle in setting up my multisite – getting each subsite its own URL (site1.com, site2.com, etc).

The book does give info on multisite administration, but I feel it does not go into the depth I was expecting, and does not cover enough different situations to be considered a complete guide to multisite administration. Much of what is covered applies to ANY WordPress install, and the plugin suggestions, as I mentioned, were lacking. A good start, but there is room for improvement!

You can purchase the book here.

WordCamp San Francisco, July 26 & 27

I attended my first WordCamp last month, and I will very likely attend more WordCamps in the future! What is WordCamp? WordCamp is a conference that focuses on everything WordPress. WordCamps are informal, community-organized events that are put together by WordPress users – everyone from casual users to core developers participates, shares ideas, and gets to know each other.

I learned, I networked, I met some of the names behind the code, ate some pretty awesome food, and picked up several T-shirts, sunglasses, stickers, and coupons for deals on hosting services! The sessions were informative and fast paced, so there was a lot of information packed into a very short time frame. It takes a few days after the event to process it all!

Tips and tools shared are now in my “arsenal”; I have more resources I can tap to build my business, and opportunities have come up as a result of people met and contacts made over that weekend. WordCamp is worth far more than the minimal registration fee – the “swag” I collected and the lunches alone were worth the cost!

WordPress, Attacks, Reactions

Recent news of a “brute force” attack on WordPress sites worldwide left many scrambling to protect their sites. While I kept a close eye on the sites I manage (this one included!) none of those sites were significantly impacted. Yes, hundreds, and even thousands of attempts to gain access were made on some sites, and some websites were sluggish for users at times, but that seems to have been the extent of the attack on “my” sites! I am happy to report that none of the sites I manage were “hacked” and the attempts were limited to just that – attempts.

I’ve added the Limit Login Attempts plugin to my basic arsenal. While the Bad Behavior plugin blocks the attempts, and logs the numbers, IP addresses, and other information, it does not STOP the attempts. A site being overrun with login attempts will run sluggishly or be shut down by the server. Limit Login works to lock out an IP address after a set number of unsuccessful login attempts so no repeated attempts can be made, so it reduces the number of access attempts and lessens the traffic. I have installed this on all my sites and now include it as “standard”.

Just for your information, the following is a list of plugins that I typically install on websites as part of my standard setup:

  • All in One SEO/WordPress SEO
  • BackupBuddy/BackWPup
  • Bad Behavior
  • *Limit Login Attempts
  • Spam Free WordPress
  • Tailored Login
  • wp-jquery-lightbox

* added as a result of the recent attacks, as recommended by several WP gurus

Other plugins may be (and most likely WILL be) added to accomplish specific goals on your site. The above listed plugins provide security and functions I feel are necessary on ANY website and I consider them “standard”.

Additional steps I have taken since the “attacks”:

  1. Implemented strong, randomly generated passwords for all my Administrator logins on WordPress sites
  2. Put my site on CloudFlare CDN to improve both security and efficiency of website performance – I will be adding client sites if this works as I expect
  3. More frequent site checks to ensure sites are functioning properly (twice or more weekly rather than just weekly)

It’s been an interesting month, and I have learned a few things, and made my site(s) and yours safer and more secure. And that’s a good thing!

Recent WordPress happenings

On April 11 I became aware of “brute force” login attempts on WordPress sites worldwide – I read of it on a few LinkedIn discussions, followed some of the links, and realized this was a major assault on WP sites. The focus of the attack was on sites that use “admin” as the username and easily guessed passwords for the Administrator account(s). One of the first things I learned when working with WordPress is that you should NEVER use “admin” as a username and use SECURE passwords. I have never used “admin”, but have been inconsistent in using truly strong passwords.

I did a quick check of the multiple WP sites I manage (on Thursday afternoon/evening). They are on a variety of hosting services, including GoDaddy, which seemed to be one of the primary targets. Yes, there was evidence that the sites were under attack. My basic WP setup includes a plugin called Bad Behavior, and it was logging (in some cases) hundreds of attempts to log in to sites using “admin” and passwords such as 123456789, aaaaaa, a1b2c3b4, password, etc. But that’s all these were, attempts. In some cases, the sites had slowed to a crawl for visitors. None of the sites were “down”, just slow, and none of the sites were compromised.

I read voraciously to find out what else I could do to protect the sites, and one plugin was highly recommended – Limit Logins. It would lock out the IP of someone attempting to log in after 3 unsuccessful tries, and log the IP, thereby halting repeat attempts from that particular IP. I installed that plugin on sites also, on April 12-13. Reviewing the logs over the next few days, several of the sites have had IPs locked, which means less spam traffic trying to log in, and site performance improvement in spite of the “attack”.
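
The per-IP lockout described here and in the earlier post (lock an IP out after a set number of failed logins), shown as an added example. This is not the plugin's own code; the 10-minute counting window, 20-minute lockout, log format and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                  # from the post: lock out after 3 unsuccessful tries
WINDOW = timedelta(minutes=10)    # assumption: failures are counted within this window
LOCKOUT = timedelta(minutes=20)   # assumption: how long an IP stays locked out

# Constructed sample log: "timestamp client-ip username result"
SAMPLE_LOG = """\
2013-04-12T09:00:01 203.0.113.7 admin FAIL
2013-04-12T09:00:02 203.0.113.7 admin FAIL
2013-04-12T09:00:03 198.51.100.20 editor1 FAIL
2013-04-12T09:00:04 203.0.113.7 admin FAIL
2013-04-12T09:00:05 203.0.113.7 admin FAIL
2013-04-12T09:00:06 203.0.113.7 admin OK
2013-04-12T09:00:30 198.51.100.20 editor1 OK
2013-04-12T09:25:00 203.0.113.7 admin FAIL
"""

class LoginLimiter:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lockout ends

    def attempt(self, ip, now, password_ok):
        """Return 'rejected', 'ok', 'failed' or 'lockout' for one login attempt."""
        if now < self.locked_until.get(ip, datetime.min):
            return "rejected"                # locked: the password is never checked
        if password_ok:
            self.failures.pop(ip, None)      # a success clears the failure count
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW:      # forget failures older than the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT
            recent.clear()
            return "lockout"
        return "failed"

def replay(log_text):
    """Feed each log line through the limiter; return (ip, outcome) per line."""
    limiter, outcomes = LoginLimiter(), []
    for line in log_text.splitlines():
        stamp, ip, _user, result = line.split()
        now = datetime.fromisoformat(stamp)
        outcomes.append((ip, limiter.attempt(ip, now, result == "OK")))
    return outcomes
```

While an IP is locked, every request from it is turned away before any password check, including one that carries the right password, which is where the drop in login traffic comes from. A visitor who mistypes once and then logs in correctly is unaffected.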

Not all, but several of the WP administrator accounts were inaccessible for a few hours on Friday morning, April 12, due to hosting providers blocking backend access to everyone. Access was restored by afternoon, and no sites actually went down.

Over the weekend I continued to read and follow the news and monitor the websites under my control – the attack continues, as evidenced by the Bad Behavior logs and lockout stats on multiple sites.

During the first few days of this week I have taken two more steps to further secure my own computer and sites – LastPass and CloudFlare. If successful, I will be contacting clients and recommending actions.

LastPass is a random password generator that creates very strong, very secure passwords, and remembers them so you don’t have to. All you need is ONE password (the “last” password you’ll need to remember!) to access and activate LastPass and it does the rest. I’ve actually had it on my computer and started to use it on a couple of sites some time ago, but did not use it consistently. I am making a determined effort to get ALL my passwords secure and safe in LastPass. The Premium version syncs across your mobile devices (tablets and smartphones) and is only $12 a year (that’s $1 a month!!) http://lastpass.com

CloudFlare is a CDN (Content Delivery Network) that filters out bad traffic, and optimizes the delivery of your website to legitimate visitors. A simple DNS change routes visitors through CloudFlare’s network, with a significant improvement in performance and a decrease in spam and other attacks. Of interest – sites on CloudFlare were protected from the recent brute force attacks and have little to no “attempts” or lockouts. I added my business site today (April 17) and look forward to improved speed on the site and lower stats on Bad Behavior and Limit Logins. http://cloudflare.com

Security of any website, WordPress or otherwise, is an ongoing battle. Because WordPress is so widely used, it’s a frequent target for spammers and hackers, but there are steps you can take to make your WordPress installation unique, less susceptible to spam, and more difficult to “hack”. Using CloudFlare’s CDN adds a layer of protection to whatever steps you choose to implement in your WordPress installation.

I will be following up with each of my clients and providing a report on how sites were affected (or not affected) by this recent activity, and recommending steps to improve security. It’s “all in a day’s work”, but one part of my workday that could be eliminated and I would not miss it one bit.