A SQL injection attack can allow malicious actors to make requests against your website which execute queries on the Magento database. These requests can potentially read or write to the Magento database, allowing unauthorized access or changes such as adding an administrative user or reading hashed passwords, encryption keys and encrypted credit card data.
This particular vulnerability is troubling due to the fact that it requires no authentication and any website visitor can potentially execute a malicious SQL injection request against your web store.
How Is Hostdedi Handling This Disclosure?
Soon after receiving notification about this vulnerability, our System Operations team immediately started investigating mitigation strategies.
We found that our existing Web Application Firewall (WAF) rules were successfully mitigating a proof of concept of this vulnerability. However, there was room for improvement and possible conditions under which the vulnerability could still be taken advantage of.
Our System Operations team created an improved set of WAF rules for this vulnerability and successfully deployed them across our managed platform on the morning of March 29th.
To be clear, this mitigation only filters the currently known attack strategies for this vulnerability. It still remains critically important that you patch your Magento installation as soon as possible.
What Should I Be Doing?
While we’ve implemented the mitigation strategy, we would highly recommend still ensuring that you update your Magento installation to the newest version or that you patch (via the patch “PRODSECBUG-2198”, which is available here) your site to ensure that you’re completely protected.
Additionally, we’d recommend that you or your development team review your existing codebase to ensure that no malicious code was injected into your site before this vulnerability was disclosed.
So you’ve weighed your choices and decided Drupal is the best fit for you!
As discussed in our recent Drupal Vs WordPress Cagematch, it takes a developer skill set to get the most out of Drupal. Even so, it can be worthwhile to explore Drupal and get an idea of what it has to offer. Or, perhaps you’re a developer-in-training looking to dip your toes into the CMS ocean.
This is part 1 of a short series designed to show you the basics of installing, updating, and backing up Drupal 8.
Our Drupal cloud solution makes it easy and quick, and we back every account with a 30-day money back guarantee. You can read about our Drupal cloud offering on our website, but the best place to start is our Knowledge Library with How to create Hostdedi Cloud accounts.
When choosing your platform, select Drupal, toggle the Auto-Install, and you’ll be up and running within minutes.
Once installed, you can view your live site by clicking on your secondary domain name from within your Client Portal.
When you visit your site for the first time, you’ll see something like:
Your site is live, albeit in a humble, uncooked state. Now, time to update your installation to the latest version!
Updating Drupal 8
Although we install Drupal 8, it falls to you to update to the most current stable release. We strongly recommend staying current on releases. No content management system (CMS) is immune to exploits, and staying current is the first line of defense against malicious activity.
This entry provides two options for updating your installation: the command line (CLI) or Secure File Transfer Protocol (SFTP). Both methods require SSH access.
If you’re unfamiliar with the CLI, then SFTP is your best option. Many SFTP applications are available. This document features Cyberduck because it’s free, safe, and relatively easy to use, though many other suitable options are available. For details about how to use it, please see How to transfer files to a server with SFTP.
This process won’t update any modules or themes. If this is a new installation, this won’t matter now, but it will matter later. Third party extensions require separate updates, and overlooking them exposes your site to possible attack.
This process will remove any modifications to files like .htaccess, composer.json, and robots.txt. If and when you’ve modified these files, save them somewhere so you can reapply them post-update.
Step 1: Put Your Site Into Maintenance Mode
Log in to your Drupal admin panel. Click Manage > Configuration > Development.
Select the Put site into maintenance mode check box, then click Save configuration.
Step 2: Remove Old Files
Choose one of the below methods.
Using the CLI
Navigate to your Drupal installation:
Remove the core and vendor directories:
rm -rf core vendor
Remove all files in the top-level directory:
rm -f *.* .[a-z]*
Select your Drupal directory. In this example, it’s mydrupalsite.com.
Delete the core and vendor directories.
Step 3: Download and Extract Update Files
Choose your preferred method below.
Using the CLI
Issue the following, but replace x, y, and z with the updated Drupal version number; for example, drupal-8.6.13.tar.gz:
wget https://ftp.drupal.org/files/projects/drupal-x.y.z.tar.gz
tar zxf drupal-x.y.z.tar.gz
These commands create a new directory, drupal-x.y.z/, which contains all updated Drupal files and directories.
Change to the new directory, and copy the core and vendor directory and the files in the top-level directory to your Drupal installation directory. As before, replace x, y, and z with the updated Drupal version number:
Within Cyberduck or another SFTP application, upload the new core and vendor to your Drupal installation by clicking-and-dragging from your local machine to your top-level directory.
As mentioned in the Take note section, this is where you would reapply modifications to your .htaccess, composer.json, or robots.txt files. Since this is a new installation, you may skip this step.
Step 4: Update Database Tables
Verify you are logged in as your site admin.
In your browser, update your core database tables by visiting http://www.example.com/update.php, but replace www.example.com with your domain name.
Step 5: Run Status Report
From your Drupal admin panel, navigate to Manage > Reports > Status report.
Resolve any warnings or errors.
Step 6: Remove Your Site From Maintenance Mode
Return to your Drupal admin panel.
As in Step 1, from your admin panel, click Manage > Configuration > Development > Maintenance Mode, or just click Go online from the green bar notification.
Clear the Put site into maintenance mode check box, then click Save configuration.
Step 7: Clean Up Files (If Necessary)
If you used the CLI method in Step 3: Download and extract files, remove the Drupal release files by issuing the below command. As before, replace x.y.z with the release version number.
rm drupal-x.y.z.tar.gz
rm -rf drupal-x.y.z/
Keeping Drupal Up to Date
It is best practice to stay current. There are several ways to stay informed, and we recommend using all of the below methods:
Backing Up Drupal
Backups are your failsafe. If you’re not already in the habit of doing so, we strongly recommend the best practice of making them regularly. As is often the case with Drupal, there are many possible methods. We will focus on two: Drush and the backup_migrate module.
For those with developer skills, Drush may offer the most direct method. For details on Drush and additional resources, see the Drupal documentation.
Using the backup_migrate Module
If Drush and the CLI don’t appeal to you, it is possible to add a module that allows you to set up automatic backups.
How are leading eCommerce businesses optimizing for site speed in 2019? What build and design techniques are they implementing to stay ahead of the curve and deliver fast, flexible, and consistent experiences to consumers?
We took a look at a select group of over 30 leading eCommerce stores, and analyzed them for eight key site speed optimization techniques. What we found reveals several opportunities for new and established eCommerce stores to get ahead.
96% of eCommerce Stores Are Not Considering Site Speed
In our test group, the number of sites that didn’t meet Google site speed requirements for both desktop and mobile was staggering. It’s surprising that only 4% made the effort to optimize their site speed, considering that eCommerce stores are often battling it out for the top spot in search engine results and that site speed is a ranking factor.
One of the reasons we’re seeing such a low number may be changes Google have made to their page speed tool in the last year. There is now a much larger focus on time to interact and first render, with older devices suffering under the hardware requirements of newer sites.
If you’re looking for a way to get ahead of the competition on the results page, optimizing your site’s speed may be how you do it.
60% of Merchants Think Uptime is the Most Important Concern
Beating out site speed, uptime is the most important concern for over 60% of businesses in the eCommerce space. This may be the reason why only 4% of stores in our sample met Google’s site speed standards, with many fearing unstable environments and user experiences with newer technology.
Uptime is an important metric, and it does take precedence over a lot of other factors you’ll find on your site. However, it is also important to keep your store modern and meet consumer expectations for speed and flexibility.
65% of Stores Do Not Use Lazy Loading
Lazy loading allows you to first pull low-resolution images and then replace them with higher-resolution images once page content has been loaded. It is a great method for easing server load and optimizing content delivery.
While we’re only seeing 35% of stores implementing lazy loading, we’ve noticed this number has steadily increased over the past few years as more eCommerce developers have become aware of it. Consider implementing in your site build to improve site speed and user experience.
85% of Stores Do Not Use Hero Image Carousels
Hero image carousels are image slideshows that alternate between multiple images. They have long been the bane of site speed for two reasons. One, they require multiple high-resolution images. Two, they are usually situated at the top of the home page. These two factors can combine to make home page loads take a lot longer than they should.
It’s not surprising then, that 85% of stores have opted to remove them from their site. The stores that did implement them did not provide full page width images and only used a handful of slides. The hero image carousel is going away. If you’re still using one on your site, it may be time to rethink this part of your design.
77% of Stores Have a Responsive Site
Responsive sites are the norm. Over the last several years, site owners have continued to optimize their site designs for mobile users, and in several cases even offered offline apps.
What shocked us about this statistic is that 33% of sites do not have a responsive site. This is despite numerous warnings from Google, and more than a few metrics showing how many B2C consumers are using mobile devices. In the Asian Pacific, numbers indicate that over 75% of consumers used their mobile to make a purchase in 2018.
100% of Stores Have Not “Appified” Their Web-Based Store
Headless applications are here and with them has come the ability to make content and websites available offline. Instead of adding an app to multiple app stores, users can now save a website to their desktop for access at a later date (when they don’t have an internet connection).
However, none of the sites we surveyed have done this. One reason for the lack of adoption here may be that it’s such new technology, larger eCommerce sites don’t feel that all the kinks have been worked out. Alternatively, they may feel that it’s not a well-known feature and so wouldn’t deliver enough ROI on development costs… yet.
If you’re a smaller eCommerce store and are looking for something to differentiate your brand, and have considered taking a headless approach to eCommerce, see if appifying your site is the right way forward.
69% of Stores Have a Downloadable App
Despite no merchants having appified their web-based stores, 69% of eCommerce businesses have created and offer a downloadable app for either Android, iOS, or both. This is likely in an effort to keep up with consumer requirements without going too far out of established practices with an appified web-based store.
If you have the development resources, it’s recommended that you create an app for your store. However, there is also a lot of potential for appified web-based stores. If you want to stay ahead of the curve, that may be the better option.
58% of Stores Have a Multi-Step Checkout Process
Multi-step checkout processes are where the checkout process is divided between several pages. Historically, this has been a popular option for eCommerce stores, so consumers are accustomed to it. Moreover, despite having multiple pages, the process is usually kept short so consumers are not turned away by a lengthy checkout.
However, the one-step checkout has increased in popularity. More stores are offering consumers the ability to make instant purchases with just a few clicks of a button. A single-step checkout may become a differentiator between eCommerce stores in the coming years.
76% of Stores Offer a Desktop Search Bar But Only 36% Offer One on Mobile
Metrics have shown that site search is an important eCommerce store addition. Searchers are 200% more likely to convert. Yet despite this high number, only 36% of eCommerce stores in our survey offered a search bar on mobile devices.
One reason for this may be that the stores lacked a dedicated search engine. In the past, search has often remained unoptimized and more of an afterthought. However, with search offerings such as Elasticsearch making it more powerful than ever before, it may be time to start implementing search in both mobile and desktop views.
The Top eCommerce Stats
These nine stats give valuable insight into how eCommerce merchants are managing their sites in 2019 and optimizing for speed. While speed is clearly a concern, statistics like Uptime beat it out in almost every scenario. An increasing number of merchants are sticking with what they have, instead of adopting new technologies appearing on the scene such as headless. This may, in part, be due to worries about instability.
Merchants should be looking to compete in the area of site speed, and there are multiple opportunities and best practices for doing so. Merchants should implement lazy loading, remove hero image carousels, make sure their site is responsive, and conduct frequent audits through Google’s toolset.
Interested in learning more about site speed? We took a look at over 13,000 different online services to see what site owners and merchants care about. Download the state of hosting today.
Last year, Google announced that over 75% of Chrome traffic was protected by HTTPS, a large increase on the previous year. The pace of HTTPS adoption accelerated as the cost, complexity, and performance implications were addressed. With Let’s Encrypt, anyone can get a domain-validated SSL certificate for free. Configuring a WordPress site to use an SSL certificate is easier than ever. Performance overheads are negligible for all but the largest sites. But there are still challenges to HTTPS adoption on established WordPress sites: mixed content warnings top the list.
What Is A Mixed Content Warning?
Browsers display mixed content warnings when an HTML page contains both HTTP and HTTPS content. They won’t load unsafe content in a supposedly safe environment. A fully-protected page is safe from snooping, but that can’t be guaranteed if there are non-protected elements on the same page. Browser developers want users to be aware of the risk to avoid instilling a false sense of security, so, in addition to blocking unsafe content, they display a warning. Google’s Chrome displays a warning icon in the space a padlock icon would appear for a secure site and a warning notification instructing users not to enter sensitive information such as passwords.
Mixed content warnings are caused by lingering HTTP links on a WordPress site that should serve content over HTTPS. It is challenging to make sure every link to every script or image is changed to HTTPS. Theme and plugin developers are sometimes less careful than they should be when including assets. A single errant image file can raise a mixed content warning and give visitors a reason to doubt the security of a page that is, in fact, perfectly secure.
Fixing Mixed Content Warnings
The first step in solving mixed content problems is to find the offending URLs. On a WordPress site with only a few pages, it can be done manually. Open each page and look for a mixed content warning. When you trigger one, open the browser’s developer tools. In Chrome you will find them under the More Tools submenu of the main menu. At the far right is an indicator of errors and warnings; click on it and Chrome shows a list of errors, including the assets that caused the mixed content warning.
Changing the URL protocol from HTTP to HTTPS should eliminate the warnings. If the content is not available over HTTPS, which is unlikely, you will have to provide an alternative source that is available over HTTPS.
For larger sites, checking each page is not an option. Tools like the free SSL Check crawl a limited number of pages and identify problematic URLs. Fixing the URLs can be done via a search and replace tool such as the one built into the WP-CLI utility. Read this guide and be careful; try this out on a test installation before running it on your live site.
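The manual check described above can be scripted for one page's rendered HTML. The following is an added example, not code from the original article or from any tool it names: a Python script that lists the HTTP subresources an HTTPS page would load, plus the distinct http:// origins to look for when running a search and replace. The sample HTML and its hostnames are constructed for illustration.

```python
"""List the HTTP subresources an HTTPS page would load (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs whose URL the browser fetches while rendering the page.
# <a href> is left out on purpose: a link to an HTTP page is navigation,
# not mixed content.
SUBRESOURCE_ATTRS = {
    ("script", "src"), ("iframe", "src"), ("img", "src"), ("audio", "src"),
    ("video", "src"), ("video", "poster"), ("source", "src"),
    ("embed", "src"), ("object", "data"),
}
# <link> only fetches its href for some rel values; rel="canonical" does not.
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "manifest"}
# url(...) references in inline style attributes and <style> blocks.
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)


def _is_http(url):
    """True for absolute http:// URLs; relative and //host URLs follow the page."""
    return url.lower().startswith("http://")


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []      # (tag, attribute, url) in document order
        self._in_style = False  # True while inside a <style> block

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        if tag == "style":
            self._in_style = True
        if tag == "link":
            rel = set(attrs.get("rel", "").lower().split())
            if rel & FETCHED_LINK_RELS and _is_http(attrs.get("href", "")):
                self.findings.append((tag, "href", attrs["href"]))
        for name, value in attrs.items():
            if (tag, name) in SUBRESOURCE_ATTRS and _is_http(value):
                self.findings.append((tag, name, value))
            elif name == "srcset":
                # Simple split: URLs that themselves contain commas are not handled.
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts and _is_http(parts[0]):
                        self.findings.append((tag, "srcset", parts[0]))
            elif name == "style":
                for url in CSS_URL.findall(value):
                    self.findings.append((tag, "style", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data):
                self.findings.append(("style", "url()", url))


def find_mixed_content(html):
    """Return (tag, attribute, url) for every http:// subresource in html."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def insecure_origins(findings):
    """Distinct http:// origins behind the findings, sorted for stable output."""
    return sorted({"http://" + urlsplit(url).netloc.lower() for _, _, url in findings})


# Constructed sample page: hostnames and paths are illustrative only.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<link rel="canonical" href="http://shop.example.com/">
<script src="https://shop.example.com/wp-includes/js/jquery.js"></script>
<script src="http://shop.example.com/wp-content/plugins/slider/slider.js"></script>
<style>.hero { background: url('http://shop.example.com/wp-content/uploads/hero.jpg'); }</style>
</head><body>
<a href="http://partner.example.org/">Partner</a>
<img src="//cdn.example.net/logo.png">
<img src="/wp-content/uploads/a.png" srcset="http://shop.example.com/wp-content/uploads/a-2x.png 2x">
<div style="background-image:url(http://cdn.example.net/bg.png)"></div>
</body></html>"""

if __name__ == "__main__":
    results = find_mixed_content(SAMPLE_HTML)
    for tag, attr, url in results:
        print(f"<{tag}> {attr}: {url}")
    print("Origins to search for:", ", ".join(insecure_origins(results)))
```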
In most cases, the following command will do the job:
Whether you’re using them for lead collection, a means of contact, or registration pages, forms are an important part of your site. They help you manage leads and visitors more effectively, and – when done right – help to create incredible user experiences.
So, the question you should be asking is: What’s the best form plugin for WordPress? We’ve crawled through the list of over 9,000 plugins that appear when you type “form” into the WordPress plugin directory, to bring you 5 of the best.
You could just opt for the first one you see, but then you’ll probably miss out on some of the functionality and flexibility that come with alternatives. The plugins you’ll find below have been judged based on their effectiveness, user-friendliness, and ability to create a great looking form.
A powerful form plugin with a free version available for those who don’t need added features. Overall, a great form builder with a powerful interface, but the price starts to rise once you need access to its premium extensions.
One of the biggest advantages of Ninja Forms is that its free version is already incredibly well equipped to manage most form builds. Under the hood you’ll find integration capabilities, field control, and a translation service. Moreover, being free, you can download and install Ninja Forms on as many sites as you want.
If you’re looking for added functionality, Ninja Forms has established itself as a leading provider of form extensions. You can purchase modules for Salesforce integration, SMS notifications, and a campaign monitor.
Another advantage of Ninja Forms is its community. There to help and guide new users, it’s also comprised of a large number of devs who can help you to create custom functions easily.
Ninja Forms is a great plugin for versatility and, in general, is very easy to use. However, once you start working with action hooks and filters, the form builder can become very complicated.
Moreover, if you’re looking for specialist features such as Salesforce integration, you’re going to have to pay for it. But this is true with almost any form builder.
Another powerful form builder with some great functionality included for free. By far one of the most popular form plugins for WordPress, but also with additional fees if you require more.
You would be forgiven for thinking that WP Forms is the official form building plugin for WordPress – the name, the quality, and its simplicity. But it’s not. It’s just a really easy to use and well made form builder.
The free version is powerful and will suit most users’ needs, with paid extensions available for those who want to do more. Once you’ve installed the plugin, you’ll find geolocation functionality, form abandonment, conditional logic rules, the ability to connect the form for user-submitted content, login and user registration, and more.
WP Forms also comes with the Surveys and polls add-on. We’ve found this to be an incredibly powerful and versatile add-on that allows you to easily generate interactive surveys and generate real-time reports. Highly recommended.
The main idea behind WP Forms is that it’s user friendly. To do that, it sacrifices some of the more complex form building features you’ll find in the other options listed.
Moreover, as far as free versions go, WP Forms’ free offering is powerful but lacks some of the versatility you’ll find in competitors like Ninja Forms.
A form plugin designed to make creating forms as easy as possible with a drag and drop interface and some advanced functionality.
This might just be the simplest form builder for WordPress. Everest forms allows you to create forms by dragging and dropping the elements you want, where you want. This makes the form creation process easy. Inside the form builder, you’ll find support for multiple columns, spam protection, multiple email recipients, and a huge array of possible form fields.
Everest forms also allows you to insert forms into your pages and posts by using shortcode – making page creation a lot simpler.
Everest comes with several form design templates to choose from, so you don’t have to start from nothing. You can also view form entries directly from your dashboard, instead of having to open the plugin every time.
Its drag and drop functionality makes Everest one of our favorite form builders for beginners looking for simplicity. However, that simplicity comes with the sacrifice of flexibility. There are some features you won’t be able to implement with Everest that you would with some of the alternatives on this list. Great for small and medium sized sites, but maybe not the right tool for bigger ones.
Easy forms for Mailchimp is designed so you can add unlimited Mailchimp sign up forms to your website. The only problem is you’ll need a Mailchimp account to run it properly.
Coming from Mailchimp, Easy Forms has a great pedigree. You can expect a premium and easy to manage experience, and a powerful toolset for list management. Moreover, with the ability to connect Easy Forms to your Mailchimp account, you’re able to better organize and coordinate your landing page and form experiences.
Easy Forms gives you easy form building functionality with the ability to use built-in CSS classes or add your own. It also allows for multiple fields, customizable success and error messages, and spam protection.
Easy Forms also allows for you to view all of your list statistics from your WordPress dashboard, a great feature for streamlining your list building efforts.
One of its biggest advantages is its biggest downfall. If you don’t have a Mailchimp account – or don’t want one – this is immediately not going to be the right plugin for you and your site.
The oldest and wisest of the contact form plugins. As the most downloaded contact form plugin in the WordPress plugin directory, Contact Form 7 holds a special place in the hearts of WordPress CMS builds everywhere. Unfortunately, it hasn’t kept up with the times and may be better served as a piece of nostalgia than a production site plugin.
It’s free and you can install it on as many sites as you want. That means it’s perfect for use with dev sites where you don’t need to test the form capabilities (or don’t want to pay for your license to be extended).
Unfortunately, that’s about where the pros stop. Contact Form 7 may be the grandad of form plugins, but age doesn’t always come with functionality. We are more likely to recommend the alternatives on this list if you’re looking for a powerful, production ready form builder.
What Is the Best WordPress Form Plugin?
If you’re looking for the best free form plugin for WordPress, then we highly recommend either WP Forms or Ninja Forms. Both of these offer powerful free versions that provide great form building options. Contact Form 7 is also a good option, but doesn’t quite make it into our top pick due to not having a great UI.
If you’re looking for something easy to use, then we would recommend Everest Forms. The UI is great and the drag and drop interface makes building any form simple.
When it comes to designing a worthwhile website, the choice of content management system (CMS) may not be readily apparent. Complicating this choice are the almost-tribal sentiments of each system’s loyalists, each convinced of the “rightness” of their favorite. But both are open source, free to use, and provide a multitude of plug-ins and modules. So which is the real winner of a Drupal vs WordPress standoff?
Drupal 8 just saw release, but it’s definitely not for everyone. Based on our experience, the go-to for nearly one-third of all websites is WordPress. It dominates 60% of the CMS market. Why deviate?
To find the answer, let’s toss Drupal 8 and WordPress into a cage and see who comes out on top!
Ease of Use
WordPress is known for its 5-minute install and for low barrier-to-entry. Many newbies cut their teeth on WordPress and end up with an adequate and reasonably fast, if not glamorous, website. As noted below, themes are plentiful and can easily turn a plain-Jane site into something you’d be proud to show the public.
To get there with Drupal, you’ll need the skills of a developer. What Drupal lacks in simplicity, it makes up for in power and flexibility, but this is a deal-breaker for people that just want to publish a blog or make a small, functional website for their fledgling business.
Themes and Plug-ins
The awesome thing about WordPress is the sheer number of plug-ins and themes, and the relative ease of deploying them. Many are free, though not all are created equal, and paying for premium items can yield better support and overall product. For example, WooCommerce is free and gives limited eCommerce capabilities to WordPress, but expect to dip into your wallet if you want to add features or payment types.
For brevity, we’ll extend the definition of “plug-ins” to include what Drupal calls “modules.” Drupal has plenty of options for plug-ins and themes, though nowhere near as many as WordPress, and you’ll once again need the “D” word to properly make use of them.
WordPress doesn’t have a great reputation for security. Its popularity makes it an attractive target for prospective attackers, as does its status as an amateur-friendly CMS. Furthermore, while WordPress is quick to respond to security threats, the same cannot be said for many of the same plug-ins that make it so popular. The more you add, the greater the threat becomes, as each plug-in serves as a possible vector for attack. Is it possible to maintain a secure WordPress site? Absolutely. It starts by choosing an experienced web host (*cough* we might know one *cough* *cough*), and finishes by you taking steps to stay current on each and every theme and plug-in on your site.
As long as you’re running Drupal 7 or later, you’re as safe as New York State, the Government of Australia, whitehouse.gov, Twitter, eBay, and NASA, all of whom use Drupal. This should not be interpreted to mean that Drupal sites are immune to security threats. Rather, the smaller number of poorly-coded plug-ins and themes, combined with the more developer-centric requirements, make it less vulnerable to Internet villainy.
WordPress was born as a blogging platform. It tends to be best suited for websites presenting most of their information within articles, as opposed to albums of interconnected information. Time and the devoted efforts of the open source community have diversified it considerably, although you’ll need to rely on plug-ins to broaden its functionality.
Drupal can do anything. We advise against choosing it as your blogging platform, but if you have developer know-how or the resources to hire one, the potential is virtually limitless. Drupal is also innately mobile-friendly and has stronger core support for multilingual content. Finally, WordPress plug-ins themselves tend to be “plug-and-play” solutions, while Drupal plug-ins offer richer customization capabilities.
WordPress was designed with simplicity in mind, allowing for easy and swift editorial collaboration among a handful of team members. This is great for blogging, but won’t offer enough granularity for any enterprise requiring a team with numerous roles and permissions. This can be extended with a plug-in, of course, but that’s another one to find, watch for vulnerabilities, possibly even pay for.
With a built-in access control system that allows fine-tuned control, Drupal is the clear winner here. You can create custom roles, set multiple levels of user permissions with different degrees of access, and grant multiple roles to a single user. Even if such granularity doesn’t appeal to you now, it gives you scalability if and when your team grows.
Both WordPress and Drupal have eager and knowledgeable online communities that love nothing better than to bring others into the fold. You’ll find no shortage of online tutorials and documentation for either platform.
That said, if you’re looking for developer support — optional for WordPress but practically mandatory for Drupal — you’ll pay more for the latter than the former. This is simple supply and demand, as WordPress developers vastly outnumber their Drupal brethren.
Drupal vs WordPress: Who’s the Winner?
We know, we know! We don’t like ties, either.
Looks like you’ll have to play judge and cast the deciding vote for who has earned the right to build your site. If it helps, we’re happy to help you host WordPress or Drupal, and we’ll keep any “tribal sentiments” to ourselves.
Ease of Use
Drupal: Not user-friendly to lay persons; developer assistance advised
WordPress: Gets the job done easily and quickly; easy to install
Themes and Plug-ins
Drupal: Not as many, harder to install
WordPress: Many and easy to install
Drupal: Favored by governments; user knowledge tends to make it more resilient to attack
WordPress: Each theme and plug-in is a potential vulnerability; popularity makes it a favorite target of attackers
Drupal: Better at anything other than blogging, provided you have dev skills; innate mobile and multilingual functionality
WordPress: Great for blogging; needs plug-ins for everything else; effective plug-ins can be costly
Drupal: Innate fine-tuned control
WordPress: Limited without plug-ins
Drupal: Helpful community, but developers are more costly than their WordPress counterparts
WordPress: Helpful community, developers are optional and less costly
Slow sites crush eCommerce. Your customers will rebound quickly and forget about your lumbering load times when they flee to your competition. The same can’t be said for your site. Even if you dropped time and money on a sleek interface, marketing, and captivating copy, even a 2-second load time will send your customers for the hills and drive down your page ranking.
If you’re a developer, or have access to one, Mod_PageSpeed provides a relatively easy path toward addressing speed bumps before they drive away your business, not after.
Even better, if you’re a Hostdedi Cloud client, we can help you get Mod_PageSpeed up and running, or your developer can accomplish the same by modifying your .htaccess file:
Slow websites wish they were as pretty as this gargantuan gastropod.
What is Mod_PageSpeed?
PageSpeed, or Mod_PageSpeed, is an open source plug-in for web servers using Apache or NGINX. Developed by Google as a counterpart of their PageSpeed Insights, which suggests ways to optimize your site, Mod_PageSpeed will automatically deploy many of these same optimizations.
These optimizations span five categories, and generally look for ways to reduce file sizes and apply best practices without changing your content:
CSS
JS
Images
HTML
Tracking activity filters
Each of these categories is divided into multiple filters, potentially giving you more direct control over the scope of optimization. For a detailed list of these filters, see the Google PageSpeed Wiki.
Not for Everyone
As you might guess, Mod_PageSpeed isn’t a good option for everyone. If you answer “no” to any of these questions, you may need another approach.
1. Does your site use mostly dynamic content? Mod_PageSpeed optimizations have almost no effect on dynamic content, or content that adapts to how your site visitors behave. Sites that use static content — content that doesn’t change from visitor to visitor — will see far better results.
2. Are you done making short-term changes to your site’s content? Each change you make diminishes the effect of Mod_PageSpeed optimizations. If you’re still making changes, the need to re-configure Mod_PageSpeed each time can bury your development team under additional work and complicate the process.
3. Do you already have active website acceleration technology? If so, it tends not to play nice with Mod_PageSpeed, especially when both are optimizing your HTML. While it’s possible to disable HTML optimization in either Mod_PageSpeed or your alternate tech, any misstep will lead to HTML errors and an unpleasant experience for your visitors.
4. Do you have access to a developer? PageSpeed is open source, and so it takes some developer know-how to deploy and maintain properly. If you’re not planning upcoming changes to your site, this need is somewhat reduced — just remember any future changes will likely slow down your site without a developer’s assistance.
5. If you aren’t running your own Apache or NGINX server, do you host with a company that gives you the tools required to install Mod_PageSpeed? If you’re running your own show, you have root access. See Point #4. We can’t speak for other companies, but if you’re a Hostdedi Cloud client, we’ll install it for you and even assist with basic configuration. Or, if you know a developer, they can do it themselves by modifying your .htaccess file.
If you are a Hostdedi Cloud client, or are just the curious sort, read on to learn a little about what even the default configuration of Mod_PageSpeed can accomplish.
“CoreFilters” for Mod_PageSpeed
For non-developers and for review, remember “filter” is just PageSpeed jargon for a subcategory of the five available categories for optimization: CSS, JS, Images, HTML, and tracking activity filters. If a filter is present, then Mod_PageSpeed is optimizing that element.
We use “CoreFilters” default mode because it is considered safe for use on most websites.
add_head – Adds a <head> tag to the document if not already present
combine_css – Combines multiple CSS elements into one
convert_meta_tags – Adds a response header for each meta tag with an HTTP-equivalent attribute
fallback_rewrite_css_urls – Rewrites resources referenced in any CSS file that cannot otherwise be parsed and minified
flatten_css_imports – Sets CSS inline by flattening all @import rules
inline_css – Inlines small CSS files into the HTML document
inline_import_to_link – Converts <style> tags containing only CSS @imports into equivalent <link> tags
rewrite_css – Rewrites CSS files to remove excess whitespace and comments and, if enabled, rewrites or cache-extends images referenced in CSS files
rewrite_images – Optimizes images by re-encoding them, removing excess pixels, and inlining small images
rewrite_style_attributes_with_url – Rewrites the CSS in style attributes if it contains the text “url(” by applying the configured rewrite_css filter to it
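A minimal .htaccess sketch of the default mode described above, added here as an example; it is not Hostdedi's configuration. It assumes the server already has mod_pagespeed loaded and permits these overrides, and the disabled filter and the */admin/* pattern are placeholder choices.

```apache
# Added example: enable mod_pagespeed with the CoreFilters set from .htaccess.
# Wrapped in IfModule so the site keeps working if the module is not loaded.
<IfModule pagespeed_module>
    # Turn PageSpeed on for this directory tree.
    ModPagespeed on

    # CoreFilters is the rewrite level discussed above; stated explicitly here
    # so the intent survives a change of server-wide defaults.
    ModPagespeedRewriteLevel CoreFilters

    # Individual core filters can be switched off by name if one of them
    # misbehaves on your theme (rewrite_images is only an illustration).
    ModPagespeedDisableFilters rewrite_images

    # Leave selected URLs untouched, for example a back-office area whose
    # pages should be served exactly as the application generated them.
    # The pattern is a placeholder; adjust it to your own paths.
    ModPagespeedDisallow "*/admin/*"
</IfModule>
```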
If you’re already using Hostdedi Cloud, contact our 24/7 support team to ask questions or have it installed today!
Is WordPress really a good choice for SEO? The short answer is yes.
As an application that powers over 32.5% of the internet (we’ve got stats), WordPress has to be optimized so search engines can easily find, index, and rank content. Many professionals even recommend WordPress for SEO purposes.
If you’re a site owner and on the fence about which CMS you should be managing your content in, keep reading for 10 reasons why WordPress will improve your search engine optimization strategy.
1. WordPress Makes Crawling Easy
Crawling is when a search engine combs the web for new content and indexes it for when people search. It does this by reading the code that a web page is based on. If the code is messy or hard to read, crawling can be a problem. If your site isn’t crawled properly, it’s almost impossible for it to begin ranking for the search terms you want.
WordPress sites are designed so the code looks standardized across all pages of a site, making it easy for Google’s spiders to find, index, and rank pages. You just have to put in your content.
2. Site Speed
While site speed itself isn’t a ranking factor, a slow site can lead to a decrease in conversions, a higher bounce rate, and other issues that can affect your search ranking. If you’re running a WordPress site and it’s running slowly, there is likely something wrong with how you’ve optimized your CMS or with your hosting infrastructure.
In general, WordPress sites are fast and lightweight because WordPress itself uses up limited resources. You can check your site speed by using Lighthouse. If you find that your site is slower than it should be, it may be a good idea to check in with your hosting provider and see if they have any advice, or try optimizing your site for yourself.
3. Social Media Integration
In one report, 82% of agencies said that their social strategy was highly integrated with their SEO strategy. With Google’s modern focus on engagement and intent, this shouldn’t be surprising. Multiple studies have indicated that social media engagement leads to improved rankings. And the higher your ranking, the more you’re expected to engage with others.
Social media is also a great tool for analyzing and iterating on what works and with whom. Built-in audience insight tools, such as Facebook’s Audience Insights, make defining and discovering new audiences simple. Measuring engagement with your social content then makes finding the best and most relevant content even easier. If you haven’t started getting active on social, then it’s probably about time you did.
4. Meta Data
Meta data is information that will not be shown on a page but is associated with it. Title tags, meta descriptions, and URLs are good examples of meta data. This information is actually coded into the page itself, so it can be delivered to search engines and crawlers. While not always a direct ranking factor, meta data does influence a number of other factors that can lead to higher or lower rankings.
WordPress makes meta data simple, especially if you download and install a WordPress SEO plugin.
Permalinks are the URLs on your site. You can easily edit permalinks through your WordPress dashboard, giving them the format you want.
Permalinks can affect your rankings through the keywords that they contain. The click-through rate on them also has an influence. The less they are clicked, the lower they will be ranked. As permalinks are shown in Google search results, users may be put off by something that looks overly complicated or irrelevant, thereby leading to a lower click-through rate.
The ability to customize WordPress permalinks is an incredibly powerful feature, and one that can help a site in danger of being lost to low rankings get back on top.
6. User Experience
Good user experiences can lead to sites that do exceptionally well. The opposite is true as well. A good user experience (UX) is more complicated than just making it easy to navigate a site; it means optimizing site speed, streamlining the buyer’s journey, and more.
And these factors do contribute to a site’s ranking. If on-page content is optimized around a searched-for keyword but the bounce rate is high, it’s a clear indicator that a site’s UX isn’t up to scratch. Similarly, if a site has a less than stellar time on page, there’s probably an issue with the page’s content or the experience a user has.
WordPress makes user experience a little easier with its pre-built themes. These generally follow web design best practices and make important elements of your site clear and easy to find. All you have to worry about is on-page content.
7. Blockable Spam Comments
One of WordPress’ strengths is the ability for visitors to leave comments and communicate with one another. This functionality increases engagement, time on page, and can have a positive effect on reducing bounce rate. However, not all comments are positive. Enter the dreaded spam comment.
Spam comments can have a detrimental effect on SEO by including keywords and content that are irrelevant to a page’s keyword goals. A spam post that tries to promote baby shoes on a tech blog is not what you want.
WordPress makes preventing spam comments easy through a combination of three steps:
Akismet – the WordPress stock comment checker for automatically removing and blocking spam.
Cookies for Comments – Detects bots and stops them from posting spam in the comments section.
“Nofollow” to links in the comments – By default, WordPress makes links in the comments section “Nofollow”, meaning you don’t have to worry about passing PageRank to negative sites.
WordPress, if you’re running on the latest version and taking advantage of an up-to-date theme, is responsive out of the box. This means that instead of having to focus on design that includes mobile users, you’re able to focus on your content. WordPress will do the rest.
9. SEO Optimized Images
How can an image be optimized for SEO? Easy, by being quick to load and including relevant “alternative text”.
WordPress makes alternative text easy by having a box dedicated to it in the image details screen. For optimized images, installing an image optimization plugin will help you to provide site visitors with images that are quick to load while also maintaining image quality.
10. WordPress SEO Plugins
One of the reasons WordPress can be a good CMS for getting started with SEO is the collection of SEO plugins available to help content creators optimize their posts and pages. Plugins like Yoast and All In One SEO make adding meta data, keywords, and tags simple.
There are also a number of other useful WordPress plugins available that can help with SEO indirectly.
W3 Cache is a great plugin for optimizing site speed and improving user experience.
Nested Pages is great for optimizing your URL structure and making content easy to navigate.
Speed Booster Pack helps to increase your site’s speed quickly and easily.
Remember, too many plugins and your site can become too slow. If that happens, you’re more likely to end up losing rankings as opposed to gaining them.
Improving Your WordPress Strategy
If you came to this page wondering whether WordPress is bad for SEO, you now know that it’s not. In fact, between stock features, feature-filled plugins, and a huge number of content and UX possibilities, WordPress may be one of the best CMS applications if you want to focus on SEO.
That doesn’t mean that you should stop here though. There are a number of optimizations you can implement yourself to make your site rank number 1, from optimizing your site for conversions to employing a hosting foundation that helps you to deliver the performance visitors expect.
Wonder what hosting solution is best for you? See what other users have to say by reading 2019’s State of Hosting. Download it for free now.
In the nineteen years we’ve been in the hosting industry, we’ve seen a lot of different sites grow and prosper. Over the last few years, however, we’ve started to see a shift in the way that sites are doing so. New technology and infrastructure options, combined with industry changes to security and privacy, have seen development and hosting take on a whole new meaning.
Released today, the State of Hosting 2019 marks the first annual deep dive into the hosting solutions site owners and merchants are choosing, along with their hopes and concerns for the future. The aim of this report is to help make business owners aware of how hosting solutions are changing for the better, and how they can keep up.
Below you’ll find a quick look at some of the most compelling takeaways from this year’s report. Alternatively, you can download the full report now.
Magento Continues to Dominate the eCommerce Market
eCommerce applications have long been in competition over top spot. Each offers its own experience with unique selling points that appeal to specific merchants. Coming into 2019, Magento continues to lead the charge, being the application of choice for 64% of hosting solutions and dominating over competitor WooCommerce.
There are several reasons for this, with one being the functionality and flexibility offered by Magento solutions. Magento also seems to line up with site owners’ top issue of development. However, a new competitor has entered the market in 2019 and with it a potentially new candidate for top eCommerce spot. Read the report to find out who and what it may mean for your eCommerce store.
PWA Is the Future
PWA took the world by storm in 2018, and it’s only going to continue to see an increase. We found that 67% of store owners plan to adopt PWA development in the future. The reasons are many, with development capabilities standing at top spot.
However, PWA development will likely lead to a number of organizational changes with regard to how websites and online properties are managed. Many agencies are still working on what this will look like, and trying to decide which clients will really benefit from PWA. Download the report to see what else merchants and developers have to say about PWA.
Uptime Remains a Primary Concern for Content Producers
Site outages and downtime can lead to huge losses in revenue. Just a 1-second delay in load time can lead to a 7% decrease in conversions. For content producers, that number can have a huge effect on conversion goals and is a very real threat to the success of a website.
Consequently, uptime remains a primary concern for content application owners. However, price is still the top value. This means that while site owners are looking for reliable hosting solutions, they are still aiming to keep the price down. However, finding the right balance between the two is integral, with many site owners claiming that their move to Hostdedi came after reliability concerns with cheaper providers.
A Significant Number of Websites Run On WordPress
Automattic places the number of sites that use WordPress at 32.5% of all websites globally. Internally, we have found that number to be closer to 24% across all solutions, and 67% across content solutions. That is still no small number.
Site owners choose WordPress due to its ease of use and the sheer amount of content it allows for owners to create and publish easily. Read the report to find out why WordPress was also 2018’s fastest adopter of cloud technology.
We invite you to learn more about hosting in 2018 and the decisions other merchants and site owners made throughout the year. Download the report now.
This article looks at Headless Drupal, providing an overview of what it is, and what some of the pros and cons are to implementing it.
Traditional Drupal websites have often been monolithic. This has meant that Drupal is responsible for both content management on the back-end and content rendering on the front-end.
Headless architecture changes this by implementing a decoupled approach to site design. For many, the new approach is seen as innovative and the future of web development. For others, headless architecture brings a worrying lack of clarity to development processes and business practices.
If you’re thinking about moving to a headless Drupal environment, then keep reading to find out what the pros, cons, and facts are.
What is Headless Drupal?
Headless Drupal (also known as decoupled Drupal) is a new way to develop and deliver websites.
Traditional CMS website models use PHP rendering to deliver website content through a user’s browser.
Headless Drupal instead allows content to be delivered to users through a separate front-end application. This means that a Drupal instance does not decide on the styling for a website. Rather, a separate application decides how data from the Drupal instance is displayed. This allows for an added layer of functionality and customization. In the example below, that application runs on ReactJS.
What this front-end application runs on is different depending on the developer. We’ve displayed ReactJS above as it is currently one of the preferred technologies for headless implementations.
What Are the Benefits of Headless Drupal?
There are several reasons to adopt headless Drupal, the most common of which is because site owners and developers want to integrate technologies and designs that are otherwise incompatible with a standard Drupal installation.
This is especially true when a developer wants to implement multiple front-ends. There may be one desktop front-end, one mobile front-end, a widget front-end, and an app front-end. Each of these is able to render and display the same information in unique ways.
And when it comes to apps and widgets, headless also allows for offline access. Site contents can be downloaded and rendered quickly through the “application” front-end itself. This changes the typical web server / user connection relationship, and also means that content is delivered much more quickly, even when online.
Due to the restructuring of the CMS / front-end relationship, security is also improved. It is easier for system administrators to limit access to areas of the infrastructure. Content is created and published through one system, and delivered to readers through another.
What Is Limiting Decoupled Drupal?
Fully decoupled Drupal has several advantages, but all new technologies come with downsides, and headless is no exception. One of the main disadvantages is that much of Drupal’s out-of-the-box functionality is lost instantly. The ability to preview content before it is published goes away without additional coding, as does control over styling through the editing interface.
From an application perspective, competition over which app is in charge of how and what content is displayed can also potentially become an issue. This is especially true when you’re dealing with multiple front-ends.
Which front-end delivers to mobile? Which delivers to desktop? Which delivers to an app? Managing this process can be complicated and requires additional work for it to be implemented properly.
From a business perspective, responsibilities take on a new meaning. Cooperation between web design and creation becomes more of a priority. Appropriate access also needs to be distributed to different teams, especially if there are multiple decoupled front-end interfaces present.
To avoid these issues, it’s important to understand the breadth of a move to headless and map out what the shift will look like at both a technology level and a business one.
Headless Pros and Cons
Pros:
Faster, more flexible content delivery
Future-proof design for CMS/front-end updates
Easier 3rd party integrations
Cons:
New implementation procedures
Can’t see live previews
Relies on multiple technologies
More complex to configure and deploy
Examples of Headless Drupal Projects
There are numerous examples of headless Drupal websites. A short list includes:
The Tonight Show with Jimmy Fallon makes use of a headless Drupal instance to great effect. The site loads quickly and you can see unique web design features and animations throughout the site.
Lullabot also implemented a headless instance on their site. However, they encountered routing issues during the setup. Routing is where an application or CMS decides where to send a visitor’s requests. They go into more detail in their article on this, but it’s an important problem to keep in mind when thinking of making the move to a complex decoupled Drupal site.
Hostdedi and Headless Drupal
We are currently able to support headless Drupal instances on our cloud infrastructure. We also currently offer Node.js support. At this point in time we’re working to improve support for Node.js and other languages such as Python.