Category Archives for "Security"

Here’s the real reason you need website maintenance!

why you need WordPress maintenance

Photo by Victor Garcia on Unsplash

Do you want to know the real reason your website is not as safe or as fast as it could be? It’s the real reason you need website maintenance. And it has nothing to do with technology, knowledge or content.

It’s the same reason my garden isn’t the best garden in my neighbourhood, although there’s no reason it couldn’t be.

It’s the same reason my time to run 5 kilometres (3.1 miles) is unlikely to get better than 26 minutes any time soon.

And it’s the same reason I’m completely helpless if my motorbike breaks down on top of some Swiss mountain.

Website maintenance is not what you do

It’s because I’m not a gardener. I’m not a pro runner. I’m not a mechanic.

And the crucial thing is: I don’t want to be those things and that’s okay!

I don’t want to be a gardener. It’s fun and I enjoy learning how to grow my own veggies. But I only want to spend as much time as it takes to get to the point of harvesting those vegetables.

I enjoy reaping the benefits of exercising and feeling fit and healthy. Being fit is good enough for me. But I’m no elite runner and don’t have any desire to be the fastest runner on my block.

I enjoy driving my motorbike through the Alps or the Jura on a sunny day. I enjoy swinging into the corners and feeling the G force when I pull out of that corner with a smile on my face. I can ride the bike pretty well and I’ve never had an accident. But if it breaks down, God help me! I used to be able to dismantle the engine on my 1995 Shadow and put it back together. But it’s all electronics nowadays! I know nothing about modern bike electronics and don’t have any real drive to learn about it.

And that’s all okay! I don’t have to be ANY of those things.

The professionals can help me

Because if I need gardening advice I’ll go to the garden centre. I’ll ask one of their well-trained staff what kind of soil is best for this vegetable or how much water this shrub needs.

If I need advice on fitness training I’ll consult one of the health bloggers I respect. He or she obsesses enough with this stuff to spend most of their time on it. They don’t get caught up in the latest fads; fundamentals are the things that matter to them and that’s why I trust them.

If my bike has problems I’ll call the guy who sold it to me. I trust him. He’s very professional and he’s completely obsessed with motorbikes. That’s why he owns and runs a very successful bike shop.

But if my website speed drops or if I suspect there’s a security gap somewhere?

I’m a WordPress maintenance guy

Then I’ll happily spend hours poking around the server myself. I’ll analyse every bit of data a page loads to see what’s going on. And I’ll happily spend another few hours doing whatever it takes to fix it. I’ll read as much as I have to; I’ll experiment as much as I have to and I’ll spend as much money as I have to to get to a point I’m happy with.

But I’m a trained computer scientist. I’ve worked in that domain for 25 years because I love it. I really want to learn all I can about it. I really want to keep up with the crazy pace of change. I really want to see how far I can push a website to shave another millisecond off its loading time!

I do that because I obsess about it. It’s what I enjoy, it’s what I know very well and it’s what I’ve chosen to do every single day. I lie awake at night thinking about how to get a client site loading just that little bit faster (just ask my family!)

Because that’s what I do.

For the other stuff – I hand that over to people who know it well and care about it. Finances, graphic design and motorcycle mechanics are some of the things I can’t or just don’t want to deal with. I pay other people to deal with them.

Conclusion

So, what are you obsessed about and spending your time on? Building a business that will genuinely help people and leave you feeling satisfied at the end of every day?

Or are you obsessed about learning the technology so you know exactly how to make your website that little bit faster, that little bit more secure?
If you aren’t obsessed about that, it’ll never be as fast and as safe as it can be.

And that’s okay. You should be obsessed with building and growing your great business. Leave the other stuff to other people.

What do you think? Do you delegate any of your tasks to others so that you can focus on what you do best? Let me know in the comments.

Wordfence is not the best WordPress security plugin

Photo by Roi Dimor on Unsplash

Wordfence is NOT the best WordPress security plugin for this one simple reason.

Amazement! That's the reaction of most people when I tell them I know lots of people who don't lock the front door of their home. It seemed strange to me too until I realised it indicated a sense of certainty in their safety. Put another way, it indicates a lack of fear and it says as much about the person as it does about the environment.

Amazement is also my reaction when people tell me they aren't locking the doors to their websites. In the real world, leaving your door unlocked is quaint; online, it's nothing short of irresponsible.

Of course, the real world does have its thieves, but they are few and far between. The online world, in contrast, is literally teeming with automated bots whose only job is to find a way to get past your defences and creep inside your website.

WordPress powers a large share of the web, and that popularity makes it a favourite target for these automated attacks: DDoS, brute-force logins, cross-site scripting (XSS), SQL injection and malware uploads.

Using a security plugin should be up there among your priorities, right after taking backups and installing updates. Among the best of these security plugins for WordPress are Sucuri and Wordfence. (Free and paid versions of both plugins exist. Here, I am talking about the paid service because that’s what we include for our clients in our maintenance plans.)

But which should you choose? At WPStrands we protect our clients using Sucuri and here I’ll explain why.

Why we focused on a firewall

The security approach of most WordPress professionals is pretty standard. They decide what traffic to block and which actions to prevent, then configure that from within your WordPress admin area.

That is, they are protecting your website from inside your website’s front door, believing it provides sufficient protection. Most of these people have never had to solve real-life, enterprise-level security problems.

When I managed operations for the largest cloud provider in Switzerland, security was a real concern of every client; how could they ensure security in an always-on internet?

Of course, basic security fundamentals were a must (e.g. strong passwords, access control). But, apart from that, one of the best ways to achieve a predictable level of protection was via the use of a firewall.

The WPStrands approach to security

If a firewall sounds like overkill to you then it's time to change your perspective. Times have changed. The age of internet innocence is past.

Your website is accessible to all parties at all times and it’s vital to use an appropriate form of protection. For your WordPress website, this means filtering what you don’t want before that traffic even reaches your website.

The best protection is independent of your website, i.e. it does not run on the same server. The way to achieve this is a firewall that sits in front of your website rather than inside it.

A Web Application Firewall (WAF) inspects every request to your website and lets through only the traffic you want. (How this is done is beyond the scope of this article, but WAFs typically carry a list of known attack signatures; a request whose content matches one of them is blocked. Good ones also throttle clients that hammer the login page and block known bad IP addresses. For more on this you can check Sucuri’s knowledge-base article here.) This extra layer of security is a sieve between the flotsam and jetsam of the internet and your website.

Our approach at WPStrands is to focus first on the big picture. First protect the perimeter of your online home. Then have a separate mechanism to secure the site itself.

It’s like having a separate security firm patrolling the borders of your home, while you deal with security inside the house.

How the WPStrands-Sucuri WAF works

At its simplest, the Sucuri firewall we install

  • takes ALL your website traffic

  • filters out the bad traffic

  • lets through only the good traffic

WPStrands Sucuri WAF
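To make those three steps concrete, here is an added example of how a signature-based WAF decides what to drop. It is not Sucuri’s (or Wordfence’s) code; its five rules are toy versions of the kind of signature the knowledge-base article describes, plus a simple throttle on wp-login.php for brute-force attempts. The sample requests and IP addresses are constructed for the demo.

```python
"""Toy signature-based WAF sitting in front of a WordPress origin.

Added illustration for this article; it is NOT Sucuri's or Wordfence's code
(their rule sets are proprietary). The five signatures are deliberately
crude; a real WAF carries thousands of regularly updated rules and
normalises requests more thoroughly before matching.
"""
import re
import time
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# Attack signatures, applied to the URL-decoded request line and body.
SIGNATURES = {
    "sqli_union":   re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "sqli_or_true": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "xss_script":   re.compile(r"<\s*script\b", re.I),
    "path_trav":    re.compile(r"(\.\./){2,}"),
    "php_upload":   re.compile(r'filename="[^"]*\.php\d?"', re.I),
}

LOGIN_LIMIT = 5        # POSTs to wp-login.php allowed per client IP ...
LOGIN_WINDOW = 60.0    # ... within this many seconds (brute-force throttle)


class Waf:
    def __init__(self):
        self._login_hits = defaultdict(deque)   # client IP -> request times

    def _over_login_limit(self, ip, now):
        hits = self._login_hits[ip]
        while hits and now - hits[0] > LOGIN_WINDOW:   # forget old attempts
            hits.popleft()
        hits.append(now)
        return len(hits) > LOGIN_LIMIT

    def inspect(self, req, now=None):
        """Return ("allow", None) or ("block", reason) for one request."""
        now = time.time() if now is None else now
        decoded = unquote_plus(req["path"]) + "\n" + unquote_plus(req.get("body", ""))
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                return "block", name
        if req["method"] == "POST" and req["path"].startswith("/wp-login.php"):
            if self._over_login_limit(req["ip"], now):
                return "block", "login_rate_limit"
        return "allow", None


# Constructed sample traffic (not real log data); IPs are RFC 5737 examples.
SAMPLE_REQUESTS = [
    {"ip": "198.51.100.7", "method": "GET", "path": "/?p=1"},
    {"ip": "198.51.100.9", "method": "GET",
     "path": "/?id=1%27%20UNION%20SELECT%20user_pass%20FROM%20wp_users--"},
    {"ip": "198.51.100.9", "method": "GET",
     "path": "/?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"ip": "198.51.100.9", "method": "GET",
     "path": "/wp-content/uploads/../../../../etc/passwd"},
    {"ip": "198.51.100.9", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": 'Content-Disposition: form-data; name="file"; filename="shell.php"'},
] + [
    {"ip": "203.0.113.5", "method": "POST", "path": "/wp-login.php",
     "body": f"log=admin&pwd=guess{i}"}
    for i in range(6)   # six login attempts in quick succession
]


def run_demo(requests=SAMPLE_REQUESTS):
    """Feed the sample traffic through one WAF instance, one request per second."""
    waf = Waf()
    t0 = 1_700_000_000.0
    return [waf.inspect(r, now=t0 + i) for i, r in enumerate(requests)]


if __name__ == "__main__":
    for req, (verdict, reason) in zip(SAMPLE_REQUESTS, run_demo()):
        print(f"{verdict:5} {req['method']:4} {req['path'][:50]:50} {reason or ''}")
```

The first request passes, the next four are caught by signatures, and of the six login attempts only the sixth is blocked, because it exceeds the five-per-minute limit. Note that every one of these decisions costs CPU; in the cloud setup below that cost lands on the firewall’s servers, in a plugin setup it lands on yours.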

So, why is this a superior approach?

Shortcomings of Wordfence and other security plugins

Wordfence is undeniably feature-rich. It includes a basic firewall, malware scanning and brute-force protection out of the box, and can detect backdoors, malware, core file tampering and much more.

But there are some big disadvantages to using a plugin-based firewall:

  • Every time someone visits your website the firewall must check that request using your web server’s resources (the plugin’s firewall runs as PHP on every page load). As a result, plugin-based firewalls like Wordfence are well known for causing speed problems.
  • To compensate for this performance drop it’s recommended you use a CDN. This involves extra costs.
  • No plugin can stop a DDoS attack. A DDoS (distributed denial of service) attack floods a website with requests from many machines at once. The web server spends all its capacity answering them and slows down or stops responding, and a plugin cannot help because each request has already reached the server by the time the plugin sees it. It’s an easy way to bring down a website.
    Wordfence acknowledges this (see their response to a question on this here) but says that DDoS attacks are relatively rare.
    This is in contrast to what I see among our own customers at WPStrands. DDoS attacks often make up over 50% of blocked attacks and are always among the most common.
  • There’s a learning curve. Configuration can be difficult for less technical users.
  • Support is less than stellar. It can take days to get an answer to your query and more to get it resolved.
  • Cost. If you need to protect many sites, the cost quickly becomes significant, e.g. Wordfence licences for 10 websites cost $792 at the time of writing.

The weakest point of the Wordfence plugin

But here's the main reason we don’t recommend Wordfence and most other security plugins:

Wordfence runs only on your server.

This means the main protection for your website is running on the same server as your website. That is bad news for both security and performance if you come under attack: while your server is busy fending off the attack, it is also trying to serve your pages. The server can very quickly become overloaded and be shut down by your hosting provider.

We’ve seen this happen so often - especially on shared hosting plans - that we decided to just include the best firewall in our plans at no extra cost to our customers.

Advantages of a cloud-based firewall

When you use a cloud-based firewall, the main protection for your website is NOT running on your server. This is great news for your site’s security and performance if you come under attack! Your web server uses only the resources needed to serve your pages, while the firewall absorbs the attack before it reaches you. So your server is not overloaded and your site stays up. One caveat: this only holds if the firewall is the only way in. Your server must refuse connections that do not come from the firewall’s published IP ranges; otherwise an attacker who discovers your origin IP, for example from old DNS records, can simply go around the firewall.
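The “will not be overloaded” promise holds only when the firewall is the sole path to your server. Below is an added example (not Sucuri’s code) of the origin-side check: it admits connections only from the firewall’s address ranges and, only for those, trusts the forwarded client address. The ranges and the X-Forwarded-For header name are assumptions for illustration; use the ranges and header name your firewall vendor publishes.

```python
"""Origin-side guard for a cloud WAF deployment.

Added example for this article, not Sucuri's code. A cloud firewall only
protects the site if the web server refuses everything that did not come
through it; otherwise an attacker who learns the origin IP (old DNS records,
certificate-transparency logs, outbound mail headers) just bypasses the WAF.
WAF_RANGES are placeholders from the RFC 5737/3849 documentation blocks;
substitute the firewall vendor's published ranges. The X-Forwarded-For
header is assumed here; your vendor may use its own header name.
"""
import ipaddress

WAF_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:1::/48")]


def is_from_waf(peer_ip):
    """True if the TCP peer is one of the firewall's addresses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in WAF_RANGES)


def admit(peer_ip, headers):
    """Decide whether the origin serves this connection and which address it
    should treat as the real client (for logs, rate limits, bans).

    Returns (serve, client_ip)."""
    if not is_from_waf(peer_ip):
        # Direct hit on the origin: refuse, whatever headers it carries.
        return False, peer_ip
    # Only now is X-Forwarded-For trustworthy. The firewall appends the
    # address it received the request from, so the right-most entry is the
    # real client; anything left of it may have been forged by that client.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    client = hops[-1] if hops else peer_ip
    try:
        ipaddress.ip_address(client)
    except ValueError:
        return False, peer_ip        # malformed header: refuse rather than guess
    return True, client


def iptables_rules(port=443):
    """Render the host-firewall lines that enforce the allowlist on the origin.
    (IPv4 only here; ip6tables needs the same for the IPv6 ranges.)"""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT"
             for net in WAF_RANGES if net.version == 4]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    print(admit("192.0.2.77", {"X-Forwarded-For": "203.0.113.9"}))   # (True, '203.0.113.9')
    print(admit("203.0.113.9", {"X-Forwarded-For": "192.0.2.1"}))    # (False, '203.0.113.9')
```

A direct connection from 203.0.113.9 is refused even though it carries a forwarded header naming a firewall address, because the header is only consulted after the peer itself has been verified. Leaving port 80/443 open to the world with a cloud WAF in front is the most common way this architecture silently fails.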

Who is Sucuri?

Sucuri is a Delaware-based company that offers complete website security via the cloud. They are veterans in the security world and have an excellent reputation. Their team of security experts monitors and protects 24x7 around the globe.

And, since I work with them regularly, I can tell you first hand that their support is excellent!  Knowledgeable, responsive and professional.

Sucuri is not just a WordPress plugin. They are a full-blown security platform used by businesses both large and small.

Sucuri Products

The company has only 2 main products: the Sucuri Firewall and the Website Security Platform. With such narrow focus, you can be sure they’re serious about what they do.

Features:

The feature list is extensive and includes

  • Web Application Firewall (WAF) / Intrusion Prevention System (IPS)
  • Distributed Denial of Service (DDoS), brute-force and automated-attack protection
  • continuous monitoring for common malware, website errors and outdated themes and plugins, plus checks of whether your site has been blacklisted by any service that flags malware-infected websites
  • a free SSL certificate for all customers

The free plugin also has a very simple user interface which cuts down the learning curve.

sucuri waf

As a WordPress user searching for solutions you have probably come across WPBeginner. It's the largest WordPress resource site with over 8 million visits each month, founded by Syed Balkhi. Read why he switched to Sucuri here. Syed says:

We can honestly say that Sucuri is hands down the best and most cost effective security service in the WordPress industry.

Syed also says:

Whenever we’re asked about WordPress security tips, our top 2 recommendations are get a good WordPress backup solution and start using Sucuri website firewall.

It's not coincidence that these are the same two pillars of sound WordPress maintenance that I’m continuously preaching ...

There is another major advantage to using the Sucuri firewall that they should highlight more. Instead of slowing down your WordPress site, it usually makes it faster. This is because the Sucuri firewall sits on a CDN: it blocks attacks and caches your static content at the edge server nearest the visitor, rather than hitting your web server for every request.

Our choice

If you’ve read this far it’s probably clear to you why we chose Sucuri to protect our customers. Sucuri offers superior threat detection, a greater feature set and a large team of security experts at your disposal. But what I love most is that this is all delivered via the cloud.

I recommend Sucuri Security to any business that is serious about keeping their websites fast and secure.

That should be everyone, including you.

Disadvantages of Sucuri?

The Sucuri firewall costs more than the free version of Wordfence. But it is this paid version that we include in our packages - and it doesn’t cost you anything extra. These costs are borne by WPStrands, not passed on to you. In effect, for WPStrands customers there are no disadvantages to using the Sucuri firewall.

We couple this firewall with the Sucuri plugin on your website itself.  So Sucuri is protecting your website externally (with the firewall) and internally (with the Sucuri plugin).

Conclusion

Of course, there are advantages to using a plugin-based firewall. A free one is better than none at all (usually).  They are made especially for WordPress, so are generally easy to install and use.

But don't be fooled into following the majority. Wordfence is not the best WordPress security plugin simply because it cannot offer the level of protection provided by a real firewall like Sucuri can.

Keep in mind that nothing, firewalls included, offers perfect protection. No firewall can protect against user issues like weak or reused usernames and passwords.

Security is a shared responsibility. A good partner backing you up relieves you of most of the burden, but you must still do your part: keep backups, install updates and use strong, unique passwords.

Google Chrome will mark your WordPress website as insecure

Google is about to mark your website as insecure

Photo by Amir Mohammad HP on Unsplash

If you still aren't using HTTPS then Google is about to mark your website as insecure and scare away your visitors.

Update: Version 68 of the Chrome browser was released on July 24th 2018 and now identifies non-HTTPS websites as insecure!  Contact us if you need any help getting your website off the "insecure" list.

You know that feeling you get when you walk into a street with prominent warning signs?

Signs that let you know you’ve just crossed over into a high crime area...

“Beware of pickpockets” warns one. Another tells you that “We aren’t responsible” for what happens to you in the area. Some might even warn you to “Shop here at your own risk”.

You know that feeling ? It’s not pleasant, is it?

What if every one of your website visitors got that same uncomfortable feeling when they visit your website?

If your website isn't using HTTPS by the next release of the Chrome browser, they will ...

warning this is not secure

Feeling insecure yet?

We've been forewarned

In April of 2017 Google mentioned - announced is too strong a word for it - that they’d start marking sites as insecure. But only in certain situations. For example, if you needed to enter a password or other data in a form that wasn’t protected with HTTPS, Chrome displayed a little warning in the address bar.

Chrome “Not secure” warning (screenshot)

I wrote about it here.

In February of this year they stepped it up a notch: later in the year Chrome would mark all sites using HTTP as insecure.

​That time is nigh

So, that time has come. Or at least it’s very soon.

The change will come in Chrome version 68 due for release around 23rd July.

Why mark your website as insecure?

You know me, I love definitions ...

Encryption is the process of encoding information so that only authorised parties can access it. Those who are not authorised cannot.

HTTPS is HTTP carried over TLS (still widely called SSL). It encrypts the data exchanged between a browser and a website, and the site’s certificate lets the browser check that it is talking to the real site and not an impostor.

Protecting the connection between your browser and the website you’re visiting with encryption is a good thing. It means no one in the middle can read what you’re doing or tamper with the traffic.

Without it, anyone on the path, a rogue Wi-Fi hotspot, an ISP or a compromised router, can read the information sent to websites, inject malicious content into the pages you receive, or use what they capture for their own gain.

Websites using plain HTTP are without this protection.

Please note

HTTPS does not mean a website is secure. It means the connection to that website is encrypted, nothing more.

There's a misconception that HTTPS means a site is safe. It doesn't. A site using HTTPS can still infect you with malware.  Google will not necessarily mark your website as insecure because of that.

​Follow the sheep

If you STILL aren’t convinced of the need for better basic online security, then why not follow the crowd:

  • Over 68% of Chrome traffic on Android and Windows is over HTTPS
  • Over 78% of Chrome traffic on both Chrome OS and Mac over HTTPS
  • 81 of the top 100 sites on the web now use HTTPS

Of course, that still means 20-30% of traffic is NOT yet encrypted. (Now out of date, this Google page shows that as of October 2017, traffic to many major sites was still not encrypted.)

By the end of this month that figure will be much less.

There has been a high adoption of SSL

But the adoption rate has been very strong, especially over the past year or two. That may denote either

  • Google’s power: Chrome has been the most popular browser since March 2012 and now commands around 60% of the browser market
chrome browser share growth
  • or that people are becoming more aware and more serious about online security.

Let’s say it’s a bit of both ...

Your customers already care about security

Research by Ipsos found that 87% of internet users will not complete a transaction if they see a browser warning.

More than half (58%) said they would go to a competitor's website to complete their purchase.

I'm guessing you don't want them to see that you let Google mark your website as insecure.

Conclusion - Hop To It

Along with the recent GDPR laws to protect personal data, this is a step in the right direction. And it’s about time. It’s likely other browsers will soon follow suit until HTTPS becomes the new norm. 

HTTPS has also become much easier and usually free through automated certificate authorities like Let’s Encrypt, whose short-lived certificates are renewed automatically by a client such as certbot.

Check if your host offers a free TLS (SSL) certificate; the best ones do. If yours doesn’t at this stage, consider moving. It’s almost always less painful and disruptive than you think.
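Getting the certificate is only half the job. After the switch, Chrome still shows a warning on pages that load http:// scripts, styles or images (“mixed content”), and the site is still reachable over plain HTTP unless it redirects and sends an HSTS header. The following added example (not the author’s tooling) checks those three things against response data a fetcher hands it, so it runs offline; the sample site is constructed for the demo.

```python
"""Audit a page for the things that still draw a browser warning after
moving to HTTPS: no HTTP-to-HTTPS redirect, no HSTS header, and mixed
content (http:// subresources referenced from an https:// page).

Added example for this article, not the author's tooling. It works on
response data handed to it, so it runs offline; fetching is left to the
caller. SAMPLE_SITE is constructed, not a real fetch of any site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes whose value the browser fetches (or submits to) as a resource.
RESOURCE_ATTRS = {"src", "href", "data", "poster", "action"}
# <link> only loads a resource for these rel values; canonical etc. are not fetched.
LINK_RELS_FETCHED = {"stylesheet", "icon", "preload", "prefetch", "manifest"}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # (tag, url) pairs

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "a":               # plain links are navigation, not mixed content
            return
        rel = attrs.get("rel", "").lower()
        for name in sorted(RESOURCE_ATTRS.intersection(attrs)):
            if tag == "link" and rel not in LINK_RELS_FETCHED:
                continue
            url = attrs[name]
            # Resolve relative and protocol-relative URLs against the page.
            if url and urlparse(urljoin(self.page_url, url)).scheme == "http":
                self.findings.append((tag, url))


def check_redirect(http_status, http_headers):
    """A plain-HTTP request should get a permanent redirect to https://."""
    return http_status in (301, 308) and http_headers.get("Location", "").startswith("https://")


def check_hsts(https_headers, min_age=31536000):
    """HSTS with a max-age of at least a year tells browsers never to use HTTP again."""
    hsts = https_headers.get("Strict-Transport-Security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    return bool(m) and int(m.group(1)) >= min_age


def find_mixed_content(page_url, html):
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


def audit(site):
    """site: the raw pieces a fetcher would collect (see SAMPLE_SITE)."""
    return {
        "redirect_ok": check_redirect(site["http_status"], site["http_headers"]),
        "hsts_ok": check_hsts(site["https_headers"]),
        "mixed_content": find_mixed_content(site["https_url"], site["html"]),
    }


SAMPLE_SITE = {   # constructed example of a half-migrated WordPress site
    "http_status": 301,
    "http_headers": {"Location": "https://example.com/"},
    "https_url": "https://example.com/",
    "https_headers": {"Strict-Transport-Security": "max-age=300"},   # far too short
    "html": """<html><head>
      <link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
      <link rel="canonical" href="http://example.com/">
      <script src="//cdn.example.net/jquery.js"></script>
    </head><body>
      <img src="/wp-content/uploads/logo.png">
      <img src="http://example.com/wp-content/uploads/hero.jpg">
      <a href="http://example.com/about/">About</a>
      <form action="http://example.com/wp-login.php"></form>
    </body></html>""",
}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_SITE).items():
        print(f"{key}: {value}")
```

On the sample site the redirect is fine, the HSTS max-age of 300 seconds is too short to count, and three hard-coded http:// URLs remain (a stylesheet, an image and the login form’s action). On a WordPress site those usually come from the Site Address setting, theme options and old post content, which is why a search-and-replace of http://yourdomain in the database is part of every HTTPS migration.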

If you need help installing an SSL certificate on your website:

Otherwise, come the end of July, you'll have allowed Google to mark your website as insecure, even if it isn't.

Sources

https://www.theverge.com/2018/2/8/16991254/chrome-not-secure-marked-http-encryption-ssl
https://transparencyreport.google.com/https/top-sites?hl=en
http://www.ipsosresearch.com/
http://gs.statcounter.com/browser-market-share#monthly-200901-201807
https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html
https://en.wikipedia.org/wiki/Encryption

WordPress Salts and Security Keys explained

Photo by Jeff Nesanelis on Flickr

I couldn't find an article that clearly explains what WordPress salts are, how they work and how to change them. So I wrote this one.

I cringe every time I see this sentence:

A WordPress salt is a random string of data that hashes the WordPress security keys in the wp-config.php file.

What is that? What does it mean? What's it trying to tell me?

I don’t know who started it and I don’t know why they think it’s helpful. But it appears in many articles attempting to explain WordPress salts and security keys and how they're used.

It actually explains nothing to anyone who has never studied cryptography, i.e. 99.999% of people.

I have never found a good article that explains what WordPress salts are and how they increase security. Never.

The reason is simple: hardly anyone knows anything about cryptography and how it works.  So most people don’t understand what WordPress security keys are and how they work. And that includes most of those writing those articles.

I enjoyed revisiting parts of my cryptography studies while researching this. Luckily, you don’t need to: everything you need to know about WordPress security keys and salts is right here.

TL;DR. If you don’t want to learn a bit of high-level computer cryptography, then jump to the section How to change them yourself.

A little history lesson

Computer systems used to store passwords in plain text. That’s fine in a world of two computers and no hackers.

But the world changes and security needs to change with it. Security elements were added over the years to protect passwords from being read from the system.

Salts, hashes and security keys are some of these security elements.

Some Definitions

Let's get these out of the way in plain English.

Cookie

A cookie is a small file that gets stored on your computer (or mobile device) when you go to a website. It contains little bits of information like whether you have logged in to the site and, somehow, your password.

Salt

In cryptography terms, a salt is random data added to a password. In WP it’s just a long string of gobbledygook.

WordPress uses salts to help protect passwords in storage as we'll see below.

Hash

Making a hash of something is usually not a good thing. Except in computer science.

The term "hash" is analogous to its non-technical meaning (to "chop" or "make a mess" out of something), according to Donald Knuth.

Hash functions scramble their input data to get their output. The hashing function is a programmed routine that does the messing up. There are many hashing algorithms out there. WP used to use one called MD5 but now uses phpass.

The security problem

Your WordPress password needs to be stored somewhere. The main place is in your database, of course.

It’s also stored in cookies, which are plain text files on your computer.

So, how do you protect a password even when it’s in plain view in a text file?

WordPress salts solve that problem.

How these help to make WordPress secure

Most articles about WordPress salts mention passwords. But very few mention how important these salts are to cookies.

WordPress keeps track of visitors using cookies. They are also used to verify the identity of logged-in users. (Most applications use PHP sessions to track users.)

If someone gets into your database or finds your cookies (e.g. on a public computer) then they could read your password.

But there’s no need for the password to be stored anywhere in a readable form. Here’s why:

How WordPress uses Salts for security

In very simple terms:

WordPress combines the salt with the password. The hash function mixes these up and gives a result.

Here's an example from Wikipedia:

user1 and user2 have the same password, password123 (I know, terrible!)

how wordpress salts work

Note that with the same password but with a different salt, the output is completely different. So changing your salt value actually has the same net effect as changing your password!

The resulting messed up output is what gets stored in a database or cookie. The password is not stored directly.

Later when a user logs in, the password they enter is again mixed with the salt and a hashed version is produced. If that hashed version matches the hashed version in the database, then the user gets in.

So, here's the nutshell version:

The details you use to log in are hashed (made cryptic) using the random variables (salts) specified in the WordPress security keys.

That's a simple, clear explanation, I think.

This adds a layer of security as it's almost impossible for anyone to guess your password. Even if they come across your cookies.

How to change them yourself

NOTE:
Changing your WordPress salts and security keys will invalidate all existing cookies, i.e. all users will be instantly logged out.

When you change them, the hashed values in your database will also change. So, all cookies will have mismatched hashed values and so no users can be authenticated.  Therefore WordPress logs them out just as if their password changed.

So, just be mindful that some users might be online.
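To make the two mechanisms above concrete, here is an added example in Python. It is my own illustration, not WordPress code and not from the original post: a per-password salt is folded into the stored hash, and a site-wide secret key, in the role AUTH_KEY and its siblings play, signs the login cookie. It also reproduces the effect of the note above: once the key changes, every cookie signed under the old key fails verification. PBKDF2-HMAC-SHA256 and HMAC-SHA256 are assumptions chosen for the demonstration; WordPress itself hashes passwords with phpass. All names and sample values are constructed.

```python
"""Salted password hashing and keyed cookie signing, in simplified form.

Added example: this is not WordPress's code. WordPress hashes passwords with
phpass and signs its cookies with HMACs derived from the wp-config.php keys
and salts; this stand-alone model uses PBKDF2-HMAC-SHA256 for the stored
hash and HMAC-SHA256 for the cookie so the mechanics can be run offline.
All names and sample values are assumptions made for the demonstration.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # work factor; an assumed value for the demo


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def make_cookie(username: str, expires: int, key: bytes) -> str:
    """Sign a login cookie with the site-wide key (the role AUTH_KEY plays)."""
    msg = f"{username}|{expires}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{username}|{expires}|{sig}"


def check_cookie(cookie: str, key: bytes) -> Optional[str]:
    """Return the username if the cookie's signature is valid under `key`, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expires, sig = parts
    expected = hmac.new(key, f"{username}|{expires}".encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(sig, expected) else None


def demo() -> Dict[str, bool]:
    """Run the scenarios from the text and return what was observed."""
    # Constructed data: two users who picked the same (terrible) password.
    salt1, h1 = hash_password("password123", bytes.fromhex("00" * 16))
    salt2, h2 = hash_password("password123", bytes.fromhex("ff" * 16))
    old_key = secrets.token_bytes(32)
    new_key = secrets.token_bytes(32)  # what regenerating the wp-config.php keys amounts to
    cookie = make_cookie("user1", 1_700_000_000, old_key)
    tampered = cookie.replace("user1", "admin")  # edited cookie, still carrying user1's signature
    return {
        "same_password_different_digest": h1 != h2,
        "user1_can_log_in": verify_password("password123", salt1, h1),
        "wrong_password_rejected": not verify_password("hunter2", salt1, h1),
        "cookie_valid_before_rotation": check_cookie(cookie, old_key) == "user1",
        "cookie_valid_after_rotation": check_cookie(cookie, new_key) == "user1",
        "tampered_cookie_rejected": check_cookie(tampered, old_key) is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints one line per scenario. The two digests differ although the password is identical, the correct password still verifies against its own salt, and the cookie that validated under old_key is rejected under new_key, which is exactly why every user is logged out the moment the keys in wp-config.php change.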

Manually changing WordPress salts and security keys

  1. Go to https://api.wordpress.org/secret-key/1.1/salt/ and you will see a list of replacement keys and salts, something like this:
    define('AUTH_KEY',         'uaZ`N?bSEU_c/P9O<B%.1W#UnD8hN9=LasU?L*3g$-CFx[[email protected]:2#d;Hj[$_s/a0x');
    define('SECURE_AUTH_KEY',  'l#@:shVMj6Kp-v59&]<YRK(U/NQd`$~r_BG=#p|h2t_y#aZ]e0PPCZh|W 4T$2VL');
    define('LOGGED_IN_KEY',    '!T!:HA!GjIrcp$ovug{R*I3CC-|+N+3M=-^|*&DK#2>=bWFw~AuFX.-+=^TBW_:>');
    define('NONCE_KEY',        '3maB-^OA+QV6|[email protected][email protected]]hIEryDFm[_UuuG#nK8|W(f-det,f%7G');
    define('AUTH_SALT',        'zbk7U/IirB5p]*cfZD,pu<m_/N,RQ(m2l!T*`iT>!>0$gBC4b{i 0YcVsa,H(WM[');
    define('SECURE_AUTH_SALT', 'lkdo||aa(~/P;WfO:*$/A/h[~-f3>r=:(QH32T6+-:Ew-Xo]|:SI6j{d3ws<iuCI');
    define('LOGGED_IN_SALT',   '0R!!GP~7$=nYjxD3C*B|;Cp13+OC([email protected]#kFxUS>+]o|P-4XbD)+-');
    define('NONCE_SALT',       '|OQIP?u3fFy0NQ9_}6We4ey`p`l]}:f65I0VZ)i*&j*X|1-TjIhFu*n?sEWI}gD2');

    What these do isn't really important here, but each key above has a different purpose, e.g. the AUTH_KEY is used to determine if a user has access to the WordPress admin area, the LOGGED_IN_KEY is used to determine if a user is logged in, etc.
  2. Copy these.
  3. Connect to your website using FTP. See this post to learn how
  4. Go to the root of your website and edit the file wp-config.php
  5. Find the line * Authentication Unique Keys and Salts
  6. Select all these keys and replace them with the new ones you copied in step 2 above
  7. Save the file and upload it back to your website server

Done.

Plugins

To be honest I don't see the point of cluttering my WordPress installation with yet another plugin that I'll only use a few times a year. As I say, the more code in my site, the more ways someone can squeeze in.

But I understand not everyone feels comfortable editing an important file like wp-config.php.

Salt Shaker

I’ve never tried the Salt Shaker plugin but there are many tutorials online on how to use it. It seems to do its job well.

A benefit is that you can schedule the changes regularly so you can truly set it and forget it.

iThemes Security

As well as all the other great security features in the iThemes security plugin, you can use it to change your keys and salts. There's no built-in scheduling here, though.

Conclusion

I hope that clears up at least some of the confusion and half-truths about WordPress security keys and salts. It’s not all that complicated.

It's true that, from an end-user's point of view, they aren't the most critical part of a good security routine. WordPress does all the important work of using them so it's all pretty transparent to us. But it's good practice to change them once or twice a year as an extra level of security.

Did you know that at WPStrands we change these keys for all new sites added to our dashboard on all our plans? Take a look at them here.

Sources

https://api.wordpress.org/secret-key/1.1/salt/
https://www.elegantthemes.com/blog/tips-tricks/what-are-wordpress-salt-keys-and-how-can-you-change-them
https://en.wikipedia.org/wiki/Salt_(cryptography)
https://en.wikipedia.org/wiki/Hash_function
https://codex.wordpress.org/Editing_wp-config.php#Security_Keys
https://themegrill.com/blog/wordpress-salts-and-security-keys/
https://en.wikipedia.org/wiki/HTTP_cookie
https://en.wikipedia.org/wiki/MD5
http://www.openwall.com/phpass/
https://www.w3schools.com/php/php_sessions.asp

How to deal with WordPress Comment Spam


What is WordPress comment spam, how do they do it and how can you stop it?

I remember when I got my very first comment on a blog.

It was flattering; I was beyond chuffed.

I was over the moon to think that someone found my site so fantastic that they stopped what they were doing just to write me a nice little note in the comments. 

"Hi, great post and I love your blog. Can you tell me what theme you are using? I wish mine looked as good."

Only when I looked at the links to a viagra site did I realise that this was spam.  Nice spam, yes.  But spam nonetheless.

this is spam

What is WordPress comment spam?

Spam, in general, is an unsolicited digital message. It can be commercial, malicious or used to try and gain traffic for another site (see below).

You'll recognise it as

  • unsolicited advertisements (something you didn't ask for, trying to sell you something)
  • links to malicious websites, or
  • general abusive information.

WordPress comment spam is a comment on your WordPress blog containing such a message.

Why does comment spam exist?

A lot of people have asked me why spam exists and I understand it can be tricky to see why people do it. What possible gain can there be? Well, as usual with abusive behaviour online the main driver is to make money.

How on earth can anyone make money from WordPress comment spam?

Well, for one thing, they will (hopefully) get a click back to their website. They certainly won’t get one from me but with millions of posted comments they’ll definitely get some. That means more traffic to their site.

But the main goal is to trick Google!

Links from other websites back to your website are an important ranking factor to Google. If you have lots of these “backlinks”, done properly, Google thinks your site is more popular. Thus, Google might rank you higher.

A higher rank means your site will come up in search results more often. That means more visitors to your website. If you get more visitors to your website you will make more money. Presto.

Google are continuously figuring out ways to detect these fake links. Of course, the spammers are, too.

How do they do comment spam?

Actually, it’s really easy to send spam. There are tools available that will do it for you, tools like Scrapebox or GScraper. (No links to them.) They'll find the websites and do the comment posting for you.

Now, Google isn't easy to fool. If many comments with the same text get posted, they'll realise something fishy is going on and they'll penalise the linked site. Therefore, to make the comments seem unique, spammers use lists of phrases like this one

Each time it generates a comment, the program will swap out some words for others. This can fool Google into thinking this is a unique comment.

I'm sure you've noticed this type of nonsensical comment:

Google the battle are money. That more are of these “backLinks to you higher. A higher. A higher rank means your website. If you get means more visitor to detect think”, done properly, Google the spammers. That more are more think”, doney.

That’s where this type of junk comment comes from.

How can I stop spam on my WordPress site?

There is actually no way to STOP spam. Once your website is connected to the internet it's open to receiving any traffic, including spam.  Just like you can't actually stop that guy coming round to your postbox with the poorly-spelled pizza brochure.  

But there are steps you can take to vastly reduce the time-sucking effect spam can have on your website maintenance.

There’s no one way to do it. Like dealing with your WordPress security, you need to take a multi-layered approach.


Stop comment spam with built-in WordPress tools

Akismet

Matt Mullenweg, creator of WordPress, created Akismet so that his mother could blog in safety.

Akismet works like this:

  • Someone posts a comment to your WordPress website
  • Akismet checks that comment against all the comments in the community database
  • If it's spam, it's deleted 
  • If spam gets through and a user later marks it as spam, the comment is added to the database

Thus, the pool of spam comments increases, making Akismet increasingly effective over time. By using Akismet you are actively helping combat spam.

Akismet comes as a default plugin with WordPress. This plugin is just the interface to the community-built database behind it.  Install it, use it. When you notice a spam comment, mark it as Spam, don’t delete it. That way it gets added to the database.

The only problem with Akismet is that you will need to register to use it, but it's well worth it.

Comment settings to help limit spam

There are a few settings that might limit the amount of spam you get but to be honest, the spambots are smarter than this nowadays.  Still, it's good practice to set the following:

In Settings > Discussion you'll see this panel of settings

settings to limit wordpress comment spam

Here you should force the author to at least enter a name and email address. You can also close comments after a number of days or force users to log in to comment, but these are probably too restrictive for most WordPress websites.

Limit links in a comment

A common feature of spam comments is that they contain multiple links to another website.

settings to limit wordpress comment links

Again in Settings > Discussion, you can reduce the allowed number of links down to one to prevent this.

Stop WP comment spam with your own Comment Blacklist

WordPress also includes a comment blacklist that you can customise. 

Go to Settings > Discussion and add your blacklisted words there. Any comment containing these words will be removed.

Be careful, though.  This blacklist is pretty ruthless and it won't tell you when a comment is deleted.

Including words like "viagra" and "porn" in the list will be effective but partial matches work too.  This means e.g. "ass" will remove comments containing words like "assertion", "assonance" etc.
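The settings described above can be modelled in a few lines. This is an added example in Python, not WordPress's own filtering code: it reproduces the three rules just discussed (required name and email, a maximum number of links, and a blocklist whose words match as substrings) and adds a whole-word variant so the "ass"/"assertion" false positive can be seen and avoided. The sample comments and the link pattern are constructed for the demonstration.

```python
"""Comment screening rules modelled on WordPress's Settings > Discussion options.

Added example, not WordPress's own filtering code. `Policy` holds the settings
discussed above; `screen()` returns the reasons a comment would be held, so an
empty list means "accept". Sample comments and the link pattern are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Counts anything that looks like a link; a constructed approximation of
# how WordPress counts links in a comment.
LINK_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


@dataclass
class Comment:
    author: str
    email: str
    text: str


@dataclass
class Policy:
    require_name_email: bool = True   # "Comment author must fill out name and email"
    max_links: int = 1                # most links allowed before a comment is held
    blocklist: List[str] = field(default_factory=list)  # the comment blacklist words
    whole_words_only: bool = False    # False reproduces WordPress's substring matching


def count_links(text: str) -> int:
    return len(LINK_RE.findall(text))


def blocklist_hits(text: str, words: List[str], whole_words_only: bool) -> List[str]:
    """Which blocklist entries match; substring matching is what makes "ass" hit "assertion"."""
    lowered = text.lower()
    hits = []
    for word in words:
        w = word.strip().lower()
        if not w:
            continue
        if whole_words_only:
            if re.search(r"\b" + re.escape(w) + r"\b", lowered):
                hits.append(w)
        elif w in lowered:
            hits.append(w)
    return hits


def screen(comment: Comment, policy: Policy) -> List[str]:
    """Return the reasons the comment would be held; an empty list means accept."""
    reasons = []
    if policy.require_name_email and not (comment.author.strip() and "@" in comment.email):
        reasons.append("missing name or email")
    links = count_links(comment.text)
    if links > policy.max_links:
        reasons.append(f"too many links ({links} > {policy.max_links})")
    hits = blocklist_hits(comment.text, policy.blocklist, policy.whole_words_only)
    if hits:
        reasons.append("blocklisted word(s): " + ", ".join(hits))
    return reasons


# Constructed sample comments: one genuine, one shaped like the "nice spam" above.
GENUINE = Comment("Ana", "ana@example.invalid", "A bold assertion, but I agree with the post.")
SPAM = Comment("", "", "Great post! See http://a.example.invalid/viagra and http://b.example.invalid")

if __name__ == "__main__":
    strict = Policy(blocklist=["viagra", "ass"])
    print(screen(GENUINE, strict))   # substring "ass" wrongly flags "assertion"
    print(screen(GENUINE, Policy(blocklist=["viagra", "ass"], whole_words_only=True)))
    print(screen(SPAM, strict))
```

With the substring policy the genuine comment is held purely because "assertion" contains "ass"; with whole_words_only=True it passes, while the spam comment is still caught three times over (no name or email, two links, and a blocklisted word). That is the trade-off to keep in mind when filling in the blacklist: short fragments catch more, but they also catch ordinary words.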

Stop WP comment spam with comment spam plugins

I’m not going to turn this post into yet another listicle of “The best WordPress anti-spam plugins of 2018”. The web is awash with such search-engine pleasers. 

Here are the two WordPress anti-spam plugins I use and recommend for clients at the moment:

Akismet

https://wordpress.org/plugins/akismet/

Antispam Bee

https://wordpress.org/plugins/antispam-bee/

Stop WP comment spam with moderation

If you aren't getting too many spam comments you can decide to check them manually yourself. (Any number of spam comments is too many in my book.)

In Settings > Discussion, check the box next to "comment must be manually approved."

It's also a good idea to tick "Comment author must have a previously approved comment."

settings to approve comments

As usual, you should experiment with these settings to find the balance that works well for you and your website.

In more detail - getting technical

When someone leaves a genuine comment on your site, it's a nice gesture to let them know if their comment is in moderation.  Otherwise they may think comments aren't working on your site or they may enter multiple comments in frustration.

First, edit comments.php. See how in this article.

Look for the following code:

    <p>
      <input name="submit" type="submit" tabindex="5" value="<?php _e("Say it!"); ?>" />
    </p>

Change this to something like the following, adding your own customisation. The notice goes in its own block before the paragraph, because a blockquote is not valid inside a <p>:

    <blockquote>
      Comment moderation is in use and will be checked soon. Please do not submit your comment twice -- it will appear shortly.
    </blockquote>
    <p>
      <input name="submit" type="submit" tabindex="5" value="<?php _e("Say it!"); ?>" />
    </p>

Remember: do actually check your comments regularly!

Conclusion

The biggest problem with anti-spam plugins? Spammers will download them and figure out how they work!

Therefore, you should use multiple defences, as I mentioned above. Akismet, coupled with something like Antispam Bee, is a good setup. Add to that some of the settings above to tighten control over your comments and you should be fine.

Always check your comment queue regularly to make sure nothing gets through that shouldn't and nothing is blocked that should be allowed through.

And one last thing: watch out for the sneaky commenters, the ones who leave the ego-pleasing comments: "I love your site! I'm telling all my friends!”

Sorry, but they're fake, too!

Sources

https://en.wikipedia.org/wiki/Comment_spam
https://codex.wordpress.org/Comment_Spam
https://codex.wordpress.org/Combating_Comment_Spam
https://en.wikipedia.org/wiki/Akismet
https://www.shivarweb.com/2450/my-blog-comment-spam-is-too-high-heres-why/
https://gist.github.com/shanselman/5422230#file-gistfile1-txt

Choose a WordPress plugin for your website


Photo by JOSHUA COLEMAN on Unsplash

This is how I choose a WordPress plugin - the best, most suitable WordPress plugin - for any website.

Imagine you have 180 seconds to choose a WordPress plugin that will let your readers vote how good your site is by clicking on a few stars in a rating widget on your posts.

What's the first thing you would do?

  1. Search Google
  2. Search on WordPress.org
  3. Search from your WordPress Dashboard

At the end of this post you'll be able to find that plugin. Probably in 180 seconds.

So many plugins!

Now, in real life you'll rarely be restricted to just three minutes to pick a way to add an important function to your website.

But with almost 56,000 plugins to choose from, trying to pick the best WordPress plugin for your website might feel just as overwhelming. It's a daunting task for a lot of people. 

Let’s say you want to add a widget to allow your visitors to rate your blog posts. WordPress doesn’t do that out of the box.  But thanks to the modular design of WordPress (you can add extra bits of code to do extra things; think of it like Lego) and the power of plugins you can add this functionality.

First of all, you can write your own plugin quite easily. But, you might ask, with more than 55,000 WP plugins out there, surely someone has written something to do this already?

Chances are very high that they have. And you can find it. I'm not going to say this is how you should choose a WordPress plugin. But here's how I select the best WordPress plugin for my needs.

how to choose a WordPress plugin among all the options

too much choice is paralysing

What's a plugin?  A definition

According to the WordPress Codex

Plugins are ways to extend and add to the functionality that already exists in WordPress.

The core of WordPress is designed to be lean and lightweight, to maximize flexibility and minimize code bloat. Plugins then offer custom functions and features so that each user can tailor their site to their specific needs.

Sounds great and it is.  But we live in an imperfect world with imperfect software and there are a few problems with this approach.

The problems choosing a WordPress plugin

1. The sheer number

There are a lot of plugins for WordPress. Like, A LOT! 55,268 of them at the time I'm writing this. By the time you're reading this that number will be higher.

Anyone can write a plugin. Not all of them make it to the WordPress repository but clearly many do. And, as Barry Schwartz notes, more choice can make it harder to choose a WordPress plugin as well as make us less satisfied with our choices!

2. Similar functionality among many plugins

If you search the WordPress plugin repository for "sidebar widget" you get 468 pages of results. How about something more obscure, like adding footnotes to your posts? Still about 70 plugins in the results. Clearly some or all of these could do just what you want them to do. But which one?

3. Is the plugin any good?

And of course, when you choose a WordPress plugin, you need to know that it does its job well instead of causing you more problems when you go to update. Or worse, security problems that leave a crack open for a hacker to squeeze through. Luckily, the repositories have a rating system that can help here.

4. Is the plugin dangerous?

Ah, yes, is it safe to use the plugin you've selected?  Malware can creep into plugins even in the official WordPress repository so be vigilant as ever.  Last year a very common widget was removed from the WordPress plugin repository because the authors started adding malware to the code!

5. Is the plugin up to date?

As you know by now, WordPress gets updates pretty often so plugins need to keep up with the changes in WordPress core. Not only that, they need to stay abreast of the latest security threats and make sure their code is fairly safe. A plugin that was last updated 2 years ago can't be relied on.

How to choose a WordPress plugin more easily

Note

These are general guidelines only; always use your own discretion and simple common sense. 

These are all equally important things to consider – we don’t want to choose a WordPress plugin based only on popularity. Nor do we want to install a plugin with the highest rating but which might not have been updated in 3 years!

1. Decide what you want to do

I usually make a list of must haves, nice to haves and must not haves. Even if it's only in my head. This helps me be more discriminating once I start sifting through the available plugins.

2. Where to find WordPress plugins?

These are some of the best places to find WordPress plugins.

  1. The official WordPress repository at https://wordpress.org/plugins/
    These plugins are official because they adhere to the WordPress coding guidelines, they've been checked as non-malicious and they work correctly with other WordPress code.
    Amazingly, though, even after a major overhaul of the repository, there is no way to sort the plugins based on different criteria!  This makes it extremely difficult to sort and choose from the available WordPress plugins
  2. The unofficial WordPress Plugin Directory at http://wpplugindirectory.org/
    Plugins can actually be sorted here. Great!  There's also less choice as the selection is curated by humans, which should make it easier for you to choose a WordPress plugin.
  3. Here's an interesting Periodic Table of the top 108 most popular WordPress plugins.  I don't find it particularly easy to use but the plugins listed here are most likely trustworthy and good at their job.
  4. Google

3. Check the number of active installs

A plugin's popularity should not be the main criterion to base your choice on; the masses can often be wrong. But it's still important to know that the WordPress community in general knows, likes and trusts this plugin.

So first I look only for plugins that have lots of installs. By lots I mean tens of thousands! If it is installed on lots of WordPress websites then chances are it's trustworthy and does its job well.

On the other hand, very few downloads doesn't necessarily mean it's bad; it could be relatively new and unknown.

In our example, for the search “ratings widget” in the official repository, a quick scroll through the first few pages of results shows us several plugins with 10,000 or more installs. These are good numbers.

Also, another plugin has just a few hundred installs – this isn’t a number that inspires confidence. Sure, it could be a new plugin or very specialised but we’re in a hurry here to get our website going – not to get it perfect.

choose a WordPress plugin - things to check

4. Check the plugin ratings

Obviously, high ratings are a good sign.  Obviously, low ratings are not.

A higher rating is better but don’t miss the important number of ratings.  A rating of 4 by 1,000 people is a better indication of quality than a rating of 5 by 3 people (developers have friends who will rate anything highly.)

5. Check when it was last updated

A plugin should be updated regularly to keep abreast of WordPress updates and security threats.  A recent update means the developers are on top of things and responding to feedback from users, fixing problems, adding new features and plugging security holes.  A plugin last updated two years ago is usually NOT worth a look; the WP community progresses quickly, so leave it behind!

In our example, the most installed plugins range from an update of a few days ago – great! – to 6 months and more.

Advanced checks:

For those of you who want to be really thorough ...

6. Do a quick search for past problems

Some plugins have had major problems associated with them in the past.  For example, some extremely popular plugins are among the most hacked WordPress plugins out there. You might want to be aware of this!

7. Check in the vulnerability database

The WordPress vulnerability database at https://wpvulndb.com/ contains up-to-date information on the latest security problems found in WordPress plugins.  It's trusted by people like Sucuri so you can trust it too. But it can be fairly technical.

Rinse & Repeat

All of the above can be done in a matter of minutes by scrolling through the first few results pages of the official repository.  Using the unofficial repository will be even easier.

So, now that I’ve narrowed it down to three or four possibilities, only NOW do I spend any time reading about features, support etc. With this approach I’ve uncovered lots of great plugins that covered my needs pretty well.

A tip

I’ve found it pays to be knowledgeable about exactly what you need and what’s available.  You can do this by doing a Google search before searching the WordPress repository.  In this way, you might find, for example, that the kind of sidebar you want on your site is referred to as a custom sidebar.  Now you'll know what terms to search for in the repository.

One Final Tip — Test Before You Buy

Before you finally choose a WordPress plugin, I suggest that you put together a shortlist of candidates. Test each on a non-production version of your website. You’ll want to make sure that the plugins can do what you need without conflicts or causing any other problems for your WordPress site. 

Conclusion

So, back to our quiz.  You now know there are more options than just a Google search and a look in the official WordPress plugin repository.  

You can use those options as part of your more methodical search to choose a WordPress plugin. And you can be sure you've found a plugin that's secure, up to date, well tried and tested and useful.

It might seem like a lot to do but once you follow the steps above a few times you'll be able to find a suitable plugin in a few minutes. Maybe.

Is this overkill? Do you have a different way of choosing a WordPress plugin for your site?  Let me know below.

Sources

  • Many years of my own plugin frustration
  • https://www.liquidweb.com/blog/top-10-places-find-great-wordpress-plugins/
  • https://perihacks.com/wordpress-plugins-resources/

Top 3 most common WordPress technical errors and how to easily fix them step by step


Photo by Rob Schreckhise on Unsplash

Solve the most common WordPress technical errors. Here are the fixes for the white screen of death, error establishing database connection and 500 internal server error problems.

Key Takeaway

You'll get the most direct solutions for these commonly-encountered errors when working with WordPress:

  • Internal Server (500) error
  • Error establishing database connection
  • White screen of death

don't panic

Photo by Jim Linwood via Flickr

Let me guess.

There you were, just about to check how wonderful your site looked after that little code change you'd just made. 

Your browser started loading the page.  

It's just about to come up.

And here it is and ... you get a ... wait.  Wait.  

What the!?  Your lovely page is still not there.

Your browser screen is still white! What's going on!?

That would be the so-called white screen of death.

Congratulations, you've just joined the millions gone before you on this frustrating WordPress journey.

So, what, if anything, can you do about it?

It does lots of things amazingly well, but WordPress is known to have a less than stellar error handling mechanism.

In this article is the solution to the three problems below - I have never needed anything else.  If you don't find the answer in here I'll take a look for you myself!

The biggest problem with WordPress error messages

WordPress is justifiably famous for its ease of use and user-friendliness. But it's not perfect.

Like all of us, WordPress sometimes has problems communicating exactly what it wants you to know.

The main problem with these common WordPress error messages is that they are not very clear. Let's be honest, they are downright cryptic; the team at Bletchley Park would have had their work cut out for them.

They don't really tell you anything directly useful; this is pretty standard for technical error messages.  

Just for your information, these are usually NOT error messages directly from WordPress; they appear at a point where WordPress is not working and so come from a layer below WordPress.  Thus they can't really tell us much about the problem as it relates to WordPress.

There's always a way

Of course, it's not your fault that you don't understand these errors.  When my old motorbike used to just stop in the middle of the road for no apparent reason I didn't understand it and I didn't expect to - my mechanic took care of that.

Likewise with these common WordPress technical errors.  I’ve literally spent hours on each of these problems over the years. Below are the shortcuts I now use every time they crop up again.

P.S. Need some help?

If you’re afraid of dealing with these problems then it’s best to get someone who knows their stuff to take a look.

We'll happily check your site for free and let you know what your next step should be.  Just send us a message.

Error #1: Internal Server (500) Error

This isn't an actual common WordPress technical error; you'll find it all over the web, on any website platform.  But it's common to come across this when developing a WordPress site.

Background/Cause

All 500 errors are server-side errors, meaning it’s a problem on the server where the website is hosted.  So, it can occur on any website. It's also a common error with WordPress and it can have many causes.

If you check the list of HTTP error codes you’ll see error 500 means “A generic error message, given when an unexpected condition was encountered and no more specific message is suitable.” 

Not very helpful to know, is it?

WordPress runs using the PHP language.  Certain errors can generate a fatal error in PHP i.e. code execution just stops.  If your server is configured not to display error messages from PHP (which is usual), the error returned by the server will be 500.

Troubleshooting Internal Server (500) Error

To find a solution to the Internal Server Error message on a WordPress website here are the simple steps to check the problem.  Do the following in order as the most common solution comes first.

1. Check .htaccess

.htaccess is one of the more important files in your WordPress installation, being the configuration file for Apache web servers, still the most popular web server in existence.  The web server serves your website pages to a browser.  An incorrect entry in this configuration file can lead to unexpected results when viewing your website.

If you have FTP access (for instructions, see the post How to easily edit WordPress source code) or cPanel access (instructions from Siteground here) to your WordPress website, go to the root of your site (/) and rename the .htaccess file to .htaccess.old.

Reload the website in your browser (by pressing F5) - WordPress will rebuild a simple .htaccess file.  If the site now works it means you had a problem with .htaccess.

Go to your WordPress Dashboard > Settings > Permalinks and click save. This should rewrite a new .htaccess and all will be good.

2. Deactivate all plugins

A commonly suggested WordPress troubleshooting technique is to deactivate all plugins and see if that solves the problem.  To be honest I use it very, very rarely; it's messy but it can help.

The handiest way to deactivate all plugins is via FTP.  Connect to your site with an FTP client, go to the following directory

/wp-content

Here you'll see a directory named plugins, among others. Rename this directory to something like plugins.old

Now log into your WordPress dashboard; WordPress won't be able to find your plugins and will simply deactivate them all. See this page at the WordPress codex for more details.

If your website now works when you view it, it means one of the plugins was to blame.  

Now you can go through the painstaking process of re-enabling each plugin one by one, reloading the site and checking it still works.  When it stops working, the last plugin re-activated is usually the one causing the problem. (Actually, it's possible that another plugin is faulty and having conflicts with this latter one.  If this is the case, you might need some expert help.)

You can also solve this common WordPress technical error by disabling Plugins in your database but that’s tricky and risky so I won't cover it here.  Just keep in mind that someone technically adept can help you do this.

3. Change your theme

The default themes in WordPress are incredibly useful for troubleshooting theme problems.  

Even if the normal front end of your site doesn’t work, your dashboard will often continue to work.  If possible, log into your site at 

<yoursite.com>/wp-admin

and change your WordPress theme to one of the default themes like TwentySeventeen.

If you can't even log into your WordPress dashboard, use FTP to rename the current theme folder to NAME-old and see if that helps.  The themes for your site can be found at

/wp-content/themes/

If changing to a default theme solves the problem then undo any recent changes you made to your own theme.

4. Change your PHP memory limit 

PHP, the programming language that WordPress is written in, sets a limit on how much memory any of your website's scripts is allowed to use.  This helps to stop scripts from eating up all available memory on the server your website runs on.

You can raise this limit via the wp-config.php file but in my experience this doesn’t often work.  If you have a well configured server from your hosting provider this will rarely be the problem.  Still, it's a possibility worth trying.

You can edit the wp-config.php file using FTP.  We've a post on how to do that here.

Next, paste the following code into wp-config.php right before the line that says ‘That’s all, stop editing! Happy blogging.’

define( 'WP_MEMORY_LIMIT', '256M' );

This code tells WordPress to increase the PHP memory limit to 256MB.

Once you are done, save these changes and upload the wp-config.php file back to your server.

You can also set the PHP limit in .htaccess or php.ini. Learn how to raise the limit at this page.

5. Reinstall WordPress

If all else fails you can of course reinstall WordPress either from your server or by uploading a new full version of the software via FTP.

Usually uploading the wp-admin and wp-includes folders solves the problem.

Learn more about reinstalling WordPress at this page.

Error #2: Error establishing database connection

WordPress stores your website’s dynamic information in a database running on MySQL.  Obviously that connection is essential for your site.

Background/Cause

If that crucial connection fails, you’ll likely see this error.

WordPress Database Error

Troubleshooting WordPress database connections

1. Bad configuration in wp-config.php

Nine times out of ten, the "Error establishing a database connection" problem is caused by an incorrect setting in the WordPress setup file wp-config.php.  Use FTP to open this file.

Near the top of the file you'll see this line

// ** MySQL settings - You can get this info from your web host ** //

Check the details here are correct for your site.

/** The name of the database for WordPress */
define('DB_NAME', 'databasename');

/** MySQL database username */
define('DB_USER', 'databaseusername');

/** MySQL database password */
define('DB_PASSWORD', 'databasepassword');

/** MySQL hostname */
define('DB_HOST', 'localhost');

2. High traffic

Your users might see this error if your WordPress website is on shared hosting, which most are, and gets swarmed with a lot of traffic. In that case it's best to get on the phone or live chat with your hosting provider and get them to check the problem.

Error #3: The White screen of death

The dramatically-named WordPress "White screen of death" is named after the infamous and equally dramatically-named Windows Blue screen of death.  If you're too young to remember that one don't worry, read on ...

Background/Cause

You're most likely to come across this problem if you're changing code on your WordPress website.  It can also pop up when installing or updating any site components like plugins or themes.

WordPress White Screen of Death

The famous WordPress white screen of death (yes, there's an image there)

Like the 500 error above, there can be many causes that might take some time to track down. Still, there's always a solution.

Troubleshooting the White screen of death

To be honest there is really only one method worth trying here - using WordPress's debugging feature.

Turn on debugging

Many articles dealing with the white screen of death will give you a list of things to try. Once you've tried all of those, then they'll tell you to switch on debugging.  

But guessing is not an efficient use of your time so let's start with the debugging option.  This is the troubleshooting step that will lead you to a solution 90% of the time.

For this you use the wp-config.php file again. Open it via FTP and search for the following line:

define('WP_DEBUG', false);

To turn on debugging, change the false to true.

Now go to your website again in your browser.  With this setting switched on, instead of a blank screen you should get an error message.  That error message is often cryptic, yes, but it can point you to where you need to look.

Usually that error message will contain the name of the file that caused the problem.  If you see something like

/wp-content/plugins/XXXX....

in the error string then you should try disabling that plugin XXXX that's named there.

If that's not possible then search for the error with Google. This often leads you directly to the source of the problem and how to fix it.
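As an added example (Python, not code from the article), a small checker that pulls the constants out of a wp-config.php body and flags the mistakes covered in the memory-limit, database-connection and debugging sections above, plus a helper that picks the plugin or theme slug out of an error path like the /wp-content/plugins/XXXX one just described. The config fragment and the error line are constructed samples; the constant names are WordPress's own.

```python
import re

# Constructed wp-config.php fragment (not a real site's) repeating the mistakes above.
SAMPLE_CONFIG = """define('DB_NAME', 'databasename');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', '');
define('DB_HOST', 'localhost');
define( 'WP_MEMORY_LIMIT', '64M' );
define('WP_DEBUG', true);
"""
# Constructed PHP fatal-error line of the kind WP_DEBUG makes visible.
SAMPLE_ERROR = ("PHP Fatal error:  Uncaught Error: Call to undefined function foo() "
                "in /var/www/html/wp-content/plugins/example-plugin/example.php:12")
# define('NAME', 'value'); or define("NAME", true); with optional spaces.
_DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:['"]([^'"]*)['"]|(true|false))\s*\)\s*;""")
# The stand-in values shown in the article's wp-config.php listing.
PLACEHOLDERS = {"databasename", "databaseusername", "databasepassword"}

def parse_defines(text):
    """Return {constant: value}; quoted values stay strings, true/false become bools."""
    out = {}
    for name, quoted, literal in _DEFINE_RE.findall(text):
        out[name] = (literal == "true") if literal else quoted
    return out

def memory_bytes(limit):
    """Convert a PHP shorthand size such as '256M' to bytes."""
    m = re.fullmatch(r"(\d+)([KMG]?)", limit.strip().upper())
    if not m:
        raise ValueError(f"unrecognised PHP size: {limit!r}")
    return int(m.group(1)) * 1024 ** {"": 0, "K": 1, "M": 2, "G": 3}[m.group(2)]

def audit_config(text):
    """List the wp-config.php problems the article walks through, in order."""
    c, findings = parse_defines(text), []
    for key in ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"):
        if key not in c:
            findings.append(f"{key} is missing")
        elif c[key] == "" or c[key] in PLACEHOLDERS:
            findings.append(f"{key} is empty or still a placeholder")
    if "WP_MEMORY_LIMIT" in c and memory_bytes(c["WP_MEMORY_LIMIT"]) < 256 * 1024 ** 2:
        findings.append(f"WP_MEMORY_LIMIT is {c['WP_MEMORY_LIMIT']}, below the suggested 256M")
    # WP_DEBUG_DISPLAY defaults to true, so WP_DEBUG alone prints file paths and
    # SQL errors to every visitor; log to wp-content/debug.log (WP_DEBUG_LOG) instead.
    if c.get("WP_DEBUG") is True and c.get("WP_DEBUG_DISPLAY", True) is not False:
        findings.append("WP_DEBUG shows errors to visitors; set WP_DEBUG_DISPLAY false "
                        "and WP_DEBUG_LOG true, and switch WP_DEBUG off again afterwards")
    return findings

def blamed_component(error_line):
    """Return ('plugin'|'theme', slug) from an error's file path, or None for core files."""
    m = re.search(r"/wp-content/(plugins|themes)/([^/\s]+)", error_line)
    return (m.group(1)[:-1], m.group(2)) if m else None
```

Run audit_config on the contents of your own wp-config.php and feed any error string WP_DEBUG shows you to blamed_component to see which plugin or theme directory to rename.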

Conclusion

Hopefully you never reach this part of the article because you found what you were looking for above.

For more about common errors I haven't covered here check out the ever-helpful WordPress Codex at https://codex.wordpress.org/Common_WordPress_Errors

If you have any other tips for dealing with these errors then let me know in the comments below.

Thanks for reading and if you found this useful hit one of the share buttons.  It would mean a lot to me and it helps others find the article.

Make WordPress more secure right now by doing this 1 thing!

The best way to make WordPress more secure right now

Photo by Ben White on Unsplash

The easiest and quickest way to make WordPress more secure and prevent 90% of hack attempts is child's play!

Do you remember something called the "Panama Papers" from a few years back?  It was the biggest leak of confidential data in history, as far as we know. It involved the financial and personal data from over 214,000 offshore accounts.

An outdated WordPress plugin was part of what made that leak possible.

And do you recall in February 2017, when hackers defaced 1.5 million web pages? A WordPress flaw allowing malicious users to change WordPress page contents was responsible. The attacks happened despite the fact that a fix for the problem was already published.

Or maybe you remember when celebrity chef, Jamie Oliver's, blog was hacked? Some of his 10 million monthly visitors were infected with malware.  An outdated WordPress plugin is also presumed to have been the cause (though not yet confirmed.)

Such stories of internet attacks are making it onto mainstream media more often. This is a trend that will continue.

It's inevitable that some of these stories involve the most popular software of the day.  For example, it's common to hear of malware and viruses on the Windows operating system. This is because it's hugely popular and most people are familiar with it.

The same holds true for websites.  WordPress runs about 30% of websites on the internet these days, so it's only natural that it's involved in many of these attacks.

The cause of most website hacks

The vast majority of website hacks such as those mentioned above involve WordPress. Do you know the other major thing they have in common?

The websites are usually running software that's out of date.

Read on for the one simple - and hopefully now obvious - tip that could have prevented all of these attacks.  This tip is guaranteed to make WordPress more secure.  

For all you know, it could even prevent the next attack on your own website.

If you're short on time, then skip to the step-by-step details to securing WordPress below.

Why are there so many WordPress updates?

First, a bit of background.  If you log into your WordPress dashboard often, you’ve noticed that releases are frequent. There were just two new WordPress versions released in 2017.  But there were a whopping ninety-five updates released. (These releases were for all currently maintained versions!)

There’s a good reason for all these updates.  WordPress is a popular target for hackers (see Fact 3 on this page).  They are always looking for - and finding - new problems in the software. They can then exploit these security cracks to gain access to WordPress websites.

adding bricks to make wordpress more secure

Photo by Namroud Gorguis on Unsplash

Because of this, the WordPress development team are continuously repairing any problems found.  Hence the large number of updates they release.  Take a quick look at the changelog for each release (e.g. here, here and here). You'll notice the vast majority of updates deal with security problems found in earlier versions of WordPress.

Each of these updates is designed to make WordPress more secure; each one is another brick in the wall keeping out the intruders.

Why WordPress is popular for hackers

There is one big reason for WordPress being the most hacked website platform in the world right now. Its popularity. There are around 80 million published sites on the internet.  An estimated 30% of these run on WordPress. That’s 23 million sites for WordPress hackers to mess with!

The second reason for its popularity with hackers is WordPress’s ease of use.  

Today, anyone with very little technical knowledge can build and run a WordPress website. As a result, many of these WordPress sites aren't maintained properly. Their owners don't know the steps they should be taking to make WordPress more secure.

Back to my favourite analogy of a car; once the engine is running, even a child can drive it.  (They're very unlikely to drive it well and very unlikely to drive it safely.  But they could probably drive it at least a short distance before something stopped it.)

So, the main reasons WordPress is the most attacked website platform are

  • This low barrier to entry caused by WordPress’s ease of use
  • Its resulting popularity

Why would Hackers attack MY little WordPress website?

I’m often asked “why would hackers be interested in my little site?”

There are several answers I usually give to this:

  • They aren’t.  Not really.  At least, not specifically in your site; it's just another website to them.  They rarely care about the individual site. The hacks are performed by robots crawling the web, looking for known problems in past versions of WordPress.
  • Hacking your site could give them further access to anyone you might work with online.
  • Just because they can.

Granted, there is increasing awareness surrounding cyber threats. But it's evident that the motivations driving online crime go far beyond financial gain.  They can include political, ideological or even I-just-want-to-break-something reasons.

These are not mischievous minors using your website for harmless pranks.  There's no need to panic, but take the threats they pose to your website seriously.

So, what’s a bewildered site owner to do?  Well, here’s the very first thing you need to do.

The one thing to do right now to make WordPress more secure

It's child's play ...

1. Log in to your WordPress site.  This will bring you to your WordPress dashboard.

2. Go to Updates at the top of the menu on the left. https://<yourwebsite.tld>/wp-admin/update-core.php

Find WordPress Updates to make wordpress more secure

All the updates available for your site are listed here.

Install WordPress Updates to make wordpress more secure

3. Update WordPress to the latest version by clicking Update Now.

Strictly speaking, this is the second step.  

The first step before ever working on your site is to take a backup.  But you knew that already.  I've removed it from the sequence of steps you should take here because

  • backups are such a fundamental step and
  • they should be running automatically and repeatedly in the background anyway
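As an added example (Python, not code from the article), an offline check of whether an install is behind: it reads $wp_version from wp-includes/version.php and compares it with a version list shaped like the "offers" returned by the WordPress.org core version-check API (https://api.wordpress.org/core/version-check/1.7/). Both inputs are constructed samples with made-up version numbers; it also reports whether a newer point release exists on the installed branch, since WordPress ships fixes for every maintained version.

```python
import json
import re

# Constructed stand-in for wp-includes/version.php; the real file sets $wp_version this way.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '6.1.1';\n$wp_db_version = 53496;\n"

# Constructed JSON shaped like the "offers" list of the WordPress.org core
# version-check API (https://api.wordpress.org/core/version-check/1.7/).
# The version numbers are made up for this example.
SAMPLE_API_JSON = json.dumps({"offers": [
    {"response": "upgrade", "version": "6.4.3"},
    {"response": "autoupdate", "version": "6.1.5"},
]})

def installed_version(version_php):
    """Read the $wp_version assignment out of wp-includes/version.php text."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)

def version_key(v):
    """'6.4' -> (6, 4) so versions compare numerically ('6.10' > '6.9')."""
    return tuple(int(p) for p in v.split("."))

def update_status(version_php, api_json):
    """Compare the installed core version with the versions WordPress.org offers.

    Reports both the newest release overall and the newest point release on
    the installed major.minor branch: WordPress publishes security fixes for
    every maintained branch, so an old branch can still be patched.
    """
    installed = installed_version(version_php)
    versions = [o["version"] for o in json.loads(api_json)["offers"]]
    latest = max(versions, key=version_key)
    branch = version_key(installed)[:2]
    on_branch = [v for v in versions if version_key(v)[:2] == branch]
    branch_latest = max(on_branch, key=version_key, default=installed)
    return {
        "installed": installed,
        "latest": latest,
        "branch_latest": branch_latest,
        "up_to_date": version_key(installed) >= version_key(latest),
        "branch_patch_available": version_key(branch_latest) > version_key(installed),
    }

if __name__ == "__main__":
    for k, v in update_status(SAMPLE_VERSION_PHP, SAMPLE_API_JSON).items():
        print(f"{k}: {v}")
```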

Precautions

As usual when dealing with any technology, there are some things to watch out for

  1. Always check through your website after installing updates.  You may not notice any error messages. But older plugins sometimes don't work too well with a newer version of WordPress. There is an almost infinite* number of plugin combinations. You can see why you must check manually by going through the site and testing its functionality and appearance. (*Infinite for all practical purposes. I tried to calculate the number of possible combinations. The result was too big for my calculator!)
  2. You should read the changelog for each update.  This is a text file that comes with the new release. It explains what changes were made and any known problems already found.
  3. It's always possible that an update can introduce problems. These could be even more dangerous than those it tries to fix.  Stay up to date with the latest WordPress news. Visit the WordPress.org site and your plugin authors' pages.

Conclusion

Now you know the single best thing you can do right now to make your WordPress website more secure.  Trust me, your site is now much less likely to be hacked and defaced by an automated program.

Next, why not make your site even more secure by following the tips in this article:

Make your WordPress website more secure in 30 minutes

Take just half an hour and a few easy steps to making your WordPress website more secure.

Sources

  1. Panama Papers: Email Hackable via WordPress, Docs Hackable via Drupal. (2016, April 08). Retrieved March 16, 2017, from https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-email-connection/
  2. Constantin, L. (2017, February 10). Recent WordPress vulnerability used to deface 1.5 million pages. Retrieved April 10, 2017, from http://www.pcworld.com/article/3168846/security/recent-wordpress-vulnerability-used-to-deface-1-5-million-pages.html
  3. Malwarebytes Labs. (2015, February). Celebrity chef Jamie Oliver's website hacked, redirects to exploit kit. Retrieved from https://blog.malwarebytes.com/threat-analysis/2015/02/celebrity-chef-jamie-olivers-website-hacked-redirects-to-exploit-kit/