
WP Hammer Is A Data Privacy Tool For WordPress Developers

WordPress professionals often find they need to work on a copy of a client’s site. It’s almost never a good idea to work on a live site — too many things can go wrong. When changes are needed, it’s better to copy the client’s site, make the necessary changes, test them, and then integrate any modifications with the live site. In practice, copying WordPress sites to create staging or development versions is straightforward.

However, copying a live site does present some problems, especially where data privacy and security are concerned. Busy WordPress sites can be stuffed to the rafters with sensitive data. Site owners go to great lengths to keep this data secure, but staging and development environments are not usually under such stringent control. When WordPress professionals copy a site to their laptop or a dev server, private data, user records, hashed passwords, and lots of other data that the developer doesn’t strictly need come along for the ride.

WP Hammer is a useful tool for removing the privacy risks of creating testing sites that are exact copies of the live site. It is capable of stripping out specific types of private data while leaving the rest of the site’s data intact — developers usually want at least some of the site’s records in their dev versions for testing.

WP Hammer is capable of:

  • Cleaning up user emails so they aren’t accessible in dev copies.
  • Removing hashed user passwords from the database.
  • Replacing existing posts with dummy posts generated by WP Hammer.
  • Removing extra users — developers need some users so that testing sites accurately model the live site, but they don’t usually need all a site’s users.
  • Removing extra posts.

The last of these examples shows how WP Hammer can be used for more than privacy and security. Large sites can have thousands or even tens of thousands of posts. Developers neither want nor need to copy every post on a large site. It doesn’t provide any particular advantage and it’s a lot of data to deal with. WP Hammer can remove extra posts and leave developers with a sample sufficient for testing and quality assurance.

Site owners often operate under strict data privacy and regulatory frameworks; they couldn’t share all of the information in their database with outside developers and WordPress professionals even if they were inclined to. WP Hammer gives site owners a fast and easy way to remove non-essential data from the WordPress database before handing it over to a third party.
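The clean-up steps listed above, as an added example (not WP Hammer's own code or command syntax): a Python script that applies them to a constructed SQLite stand-in for a copied WordPress database and then audits the result. The table and column names follow WordPress core; the sample rows, the `keep_users`/`keep_posts` limits and the `example.invalid` addresses are assumptions made for illustration.

```python
import sqlite3

def build_sample_db():
    """Constructed stand-in for a copied site database (core WordPress column names)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_pass TEXT, user_email TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER,
                               post_title TEXT, post_content TEXT);
    """)
    for i in range(1, 6):   # five constructed accounts
        db.execute("INSERT INTO wp_users VALUES (?, ?, ?, ?)",
                   (i, f"user{i}", f"$P$constructed-hash-{i}", f"person{i}@client.example"))
    for i in range(1, 9):   # eight constructed posts, authors 1..5
        db.execute("INSERT INTO wp_posts VALUES (?, ?, ?, ?)",
                   (i, i % 5 + 1, f"Real title {i}", f"Real body {i}"))
    db.commit()
    return db

def sanitize(db, keep_users=2, keep_posts=3):
    """Scrub the copy in one transaction so a failure never leaves it half-cleaned."""
    with db:
        # Remove extra users and extra posts, keeping a small sample (lowest IDs).
        db.execute("DELETE FROM wp_users WHERE ID NOT IN "
                   "(SELECT ID FROM wp_users ORDER BY ID LIMIT ?)", (keep_users,))
        db.execute("DELETE FROM wp_posts WHERE ID NOT IN "
                   "(SELECT ID FROM wp_posts ORDER BY ID LIMIT ?)", (keep_posts,))
        # Edge case: kept posts whose author was just deleted get a surviving owner.
        db.execute("UPDATE wp_posts SET post_author = (SELECT MIN(ID) FROM wp_users) "
                   "WHERE post_author NOT IN (SELECT ID FROM wp_users)")
        # Replace real addresses with unroutable ones (.invalid is a reserved TLD).
        db.execute("UPDATE wp_users SET user_email = 'user' || ID || '@example.invalid'")
        # Drop the password hashes so they cannot be cracked offline from the copy.
        db.execute("UPDATE wp_users SET user_pass = ''")
        # Replace remaining post text with dummy content.
        db.execute("UPDATE wp_posts SET post_title = 'Dummy post ' || ID, "
                   "post_content = 'Placeholder content.'")

def audit(db):
    """Counts to check before the copy leaves the production environment."""
    one = lambda sql: db.execute(sql).fetchone()[0]
    return {
        "users": one("SELECT COUNT(*) FROM wp_users"),
        "posts": one("SELECT COUNT(*) FROM wp_posts"),
        "live_emails": one("SELECT COUNT(*) FROM wp_users "
                           "WHERE user_email NOT LIKE '%@example.invalid'"),
        "password_hashes": one("SELECT COUNT(*) FROM wp_users WHERE user_pass <> ''"),
        "orphaned_posts": one("SELECT COUNT(*) FROM wp_posts "
                              "WHERE post_author NOT IN (SELECT ID FROM wp_users)"),
    }

if __name__ == "__main__":
    db = build_sample_db()
    sanitize(db)
    print(audit(db))
```

On a real site, `wp_usermeta`, comments and plugin tables can hold personal data as well and need the same treatment before the copy is handed over.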


Consider This Before Choosing A WordPress Page Builder

If you’re new to WordPress and want to create custom page layouts, the learning curve is steep. At the very least you need a passing familiarity with PHP, HTML, and CSS — possibly JavaScript too. All of which might seem a bit much if all you want to do is create a custom landing page for a product or make some art-direction tweaks to a blog post.

WordPress page builder plugins — and themes that embed such plugins — might seem like the answer to your prayers. Page builders offer an intuitive drag-and-drop interface. You choose the elements you want on your page and drop them where you want them. A quick process that, most importantly, never requires you to fire up a text editor and mess about with code.

However, page builders are not without their downsides. Even if you take page builder developers at their marketing word and ignore the fact that the average user will have trouble building an effective page regardless of the tools they’re given, there remain difficulties inherent to how page builders work.

Lock-in

Once you have built your pages with a WordPress page builder, what happens when you want to change to a different plugin, or, even worse, if the plugin’s developer abandons it? The results are not pretty. If you uninstall the plugin you used to build your pages, the pages will break. Page builders rely on shortcodes, and once the plugin is removed, the shortcodes will stop working.

If you’ve used the plugin on only a couple of pages, it’s no big deal. If you’ve used it across a site with hundreds or thousands of pages, bad times will ensue. The page builder plugin will become as essential to your site as WordPress itself — and I’d bet on WordPress being around for longer than the average page builder plugin or theme.

Slow Pages

Page builder plugins are not all equal in this regard, but most impose a performance penalty that can cause slow page loads. If you want to create a site with the fastest possible foundations, there are better options.

The most obvious choice is to work within the constraints of whichever theme you have chosen, or choose a different theme that offers the layouts and features you need. If that doesn’t suit you, you can hire a developer to create a custom theme or layout for you — a custom page layout is a trivial task for an experienced WordPress developer. Or you could roll up your sleeves and learn how to build WordPress page layouts yourself. There are lots of excellent resources on this very topic.

It’s not my aim to discourage the use of page builders; they’re a useful tool, and have made WordPress accessible to people who would otherwise have been unable to turn their ideas into a website. However, I do want WordPress users to be aware of the potential problems they could face in the future.


Nomad Mage Virtual Magento Group

Good developers never stop learning.

The best way to keep learning is to stay active within the community, and one of the best ways is Nomad Mage, a virtual user group for Magento developers, by Magento developers.

With monthly online webinars, Nomad Mage gives expert developers a way to share their expertise. While these webinars shouldn’t replace your local user group, they offer an easy way to mine the best talent to expand your knowledge and your reach into the international development community.

Take, for example, two upcoming events, both of which can be watched live or downloaded later:

Though these sessions are not free, this à la carte format thrived at Nomad PHP under the guidance of Cal Evans, who enjoys over 30k Twitter followers at @NomadPHP. Both Nomad PHP and Nomad Mage pay their expert speakers a portion of all revenue.

The cost is $50 per session or $329 per year, but since we want to spread the word about this wonderful resource, we are offering 3 free tickets. To take part in our raffle, tweet #nomadmage and mention @nexcess and @nomadmage.

While you’re at it, register for the free monthly Nomad Mage newsletter to help keep you current on the latest breaking Magento development news and trends.

For questions or comments, contact the NomadMage team on Twitter or with their contact form at nomadmage.com. Join them for the next session and keep your lifelong-learning habit alive and kicking!


WordPress Is A Powerful Donation Solicitation Platform For Nonprofits

Soliciting and collecting donations are the core fundraising activities of many nonprofits. They are also the most expensive. Traditional nonprofit fundraising techniques include event hosting, direct solicitation, mass mailing, and cold calling. Some of these techniques have a high chance of securing donations, but also a high associated cost that eats into the money available for fulfilling the nonprofit’s core goals. Other strategies have a low success rate per person, but are reasonably successful if the nonprofit can reach out to enough people — a process which can also prove quite expensive.

If I were to design the perfect donation solicitation platform, it would look something like this. Firstly, it would be targeted to appeal to the audience which is most likely to donate to a particular cause. Secondly, it would be always available and not dependent on the donor and nonprofit’s staff being present in the same place at the same time. Thirdly, it would be easy to set up recurring donations so that donors can easily keep on giving if they want. Fourthly, it should be very easy for people to donate. Lastly, it should provide a source of donor data the nonprofit can use to refine its strategy and solicit further donations.

If you read the headline of this article, you might have guessed which platform has all of these features: a WordPress site or blog that publishes high-quality content alongside calls-to-action designed to solicit donations.

WordPress is a content management system and a publishing platform. With WordPress, it’s possible to build a content-rich site with writing and videos tailored to appeal to a specific audience. WordPress is an incredibly flexible platform with a large ecosystem of plugins — small modules of code that add extra features. There are many donation plugins that a nonprofit could quickly and easily integrate with their WordPress site to include donation calls-to-action within page content.

PayPal Donations

PayPal Donations is a simple but full-featured plugin that makes it easy to embed a PayPal donate button anywhere on a WordPress site. The button itself is configurable — you can use either the default button or one of your own design. PayPal donations are easy for donors to use, and they don’t need a PayPal account — a credit or debit card is all site visitors need to donate.

Seamless Donations

Seamless Donations has more features than the first plugin we looked at, but it’s still straightforward to both install and use. Donations can be given via PayPal, and this plugin also allows donors to create recurring donations with one click. Other features include the ability to automatically email a thank you message to donors, and comprehensive donor and donation tracking.

Total Donations

Total Donations is most appropriate for large-scale donation collection campaigns. It has a range of features that facilitate the running of large fundraising campaigns, including support for both Stripe and PayPal, the ability to set campaign targets, drag-and-drop form design, and customizable donate buttons.

Nonprofits that don’t solicit and collect donations via the web are missing out on a potentially massive source of donations. If you think your nonprofit would benefit from online donation collection, WordPress will give you a great foundation.


Lessons WordPress Users Can Learn From The Panama Papers Breach

I’m sure you’re all aware of the Panama Papers: a leak of epic proportions that exposed the offshore dealings of the rich and famous. Panamanian law firm Mossack Fonseca was breached, and well over a terabyte of data handed over to journalists, who are going through it with a fine-tooth comb. The leak has given rise to headlines and embarrassments from Washington to Reykjavik. It’s not known exactly how the data was leaked, but we do know that Mossack Fonseca is surprisingly bad at online security. As Forbes and WP Tavern have reported, the Mossack Fonseca site ran an outdated version of WordPress, and their client portal ran on a very outdated version of Joomla!

I’m not going to delve into the ethical and financial details of the leak, but I do want to have a look at one thing businesses can do to limit the risk that their company’s data will find its way onto the web. It’s quite simple: update your content management system!

As we’ve discussed many times before, an out-of-date content management system is an open invitation to hackers, but businesses don’t realize the potential risk. I’ve seen many argue that an old WordPress site is a risk for the site itself, but it isn’t a danger to a business’s internal networks. Many businesses don’t keep private data on the same server as their web hosting account. The web hosting server may well be hacked, but data in the company’s internal network will be safe.

It’s almost never true that there is a complete separation between a business’s internal networks and their site. Business sites are often deeply integrated with the rest of an organization’s operations, and an island-hopping attack that takes the content management system as a staging post for an attack on the rest of the business’s network is fairly standard practice for hackers.

Let’s take a simple example. An attacker targets your business. He looks for security weaknesses, and finds that your website is running an old version of WordPress with known vulnerabilities. He targets the site, compromises it, and embeds scripts in the site’s admin area and public pages that cause any visitors to be redirected to malware sites. Next, he sends out emails to all the site’s administrators within the company (gleaned by comparing admin usernames to company employees discovered on social media). The emails cause admin users to go to the site, log in, and become infected with the attacker’s malware. If the attacker is lucky, he now has malware installed on your company’s internal network, and from there it’s a short hop to a data leak.

An attacker could do more-or-less the same thing with any compromised site, but using the business’s own site increases the chances of success, and increases the likelihood that someone of importance will have malware placed on their machine.

Many critics of the WordPress breach hypothesis point out that it’s far more likely that the attacker started with a phishing attack or some other form of social engineering. Perhaps they did; I have no evidence one way or another. The important point is that failing to update your WordPress site gives attackers a potent tool that — perhaps combined with a social engineering attack — can be used to breach internal networks.

The moral of the story: keep your WordPress and Joomla! sites — and any other web application your business uses — updated. It doesn’t take much of your time to make life much more difficult for online criminals.


Use Two Factor Authentication To Guard WordPress Against Brute Force Attacks

Passwords are an unquestionable means of defense against hackers. A compromised WordPress site can damage your clients’ business reputation — the kind of harm that takes a long time to recover from. Yet no matter how complicated you make a password (adding numbers and symbols), it’s still not the strongest form of protection. Hackers can be brutish, so to speak, about breaking into websites and apps, and while it’s important to devise complicated passwords, hackers can still break that code. This blog post will look at the method that you should use to beef up your clients’ WordPress security: two-factor authentication.

Guard Against WordPress Vulnerabilities With Scanners, Theme & Plugin Security Best Practices

If it seems as if WordPress websites are hacked more often than others, there’s some truth to that theory. WordPress vulnerabilities are common – the security firm Sucuri found that a significantly large portion of websites compromised during the first three months of 2016 ran on WordPress. Sucuri investigated 11,485 compromised sites, and 78% of them were supported by WordPress.

Abandoned WordPress Plugins: What Are Your Options?

One of WordPress’s great strengths is the plugin ecosystem. Developers have created thousands of plugins — most of which are free — that add any functionality you can imagine. Many businesses are built on WordPress, and some of those businesses depend on the plugins they use. What happens if those plugins go away?

What do I mean by “go away”? Once you download a plugin, you have the code and no one can take it away from you. But software is not a physical object that never changes. Software, particularly software exposed to the Internet, needs regular updates. If a plugin isn’t regularly updated, it will become a liability.

There are two main problems with plugins that aren’t updated. Firstly, an outdated plugin is almost certainly an insecure plugin. Updates supply patches that fix the bugs that cause vulnerabilities. Secondly, an outdated plugin will eventually stop working. WordPress Core will be updated regularly, and some of the changes will break plugin compatibility. That’s why the WordPress Plugin Repository shows you the WordPress versions with which a plugin is compatible.

A plugin can be abandoned by its developer for all sorts of reasons; perhaps they don’t have the time to work on it, or maybe they simply aren’t interested any longer. It’s important that once it’s determined that a plugin has been abandoned, you do something about it. Inaction is not an option.

Find An Alternative

For any popular plugin or widely used functionality, there will be plenty of alternatives. I got the idea for this article from a recent discussion of the popular W3 Total Cache plugin having been abandoned. Apparently, it hasn’t, but if it had, WordPress users would have had plenty of other cache plugins to choose from, including WP Super Cache and WP Rocket.

If the plugin provides niche functionality required by only a small number of WordPress users, you may not find an adequate alternative, in which case it’s time to consider other options.

Hire A Developer To Keep The Plugin Going

Most WordPress plugins are distributed under the GPL license, which means it’s perfectly fine to change the code yourself. If you really need the functionality the plugin offers, you can hire a PHP or specialist WordPress developer to make the necessary changes to keep it working.

Adopt The Plugin

If the plugin has been abandoned, and your company wants to contribute to the WordPress ecosystem, you could either adopt or fork the plugin, pay for continued development, and make your changes available to other WordPress users. Adoption requires coming to an agreement with the original developer and taking over the code repository and other accounts associated with the plugin. To fork a plugin, you simply take an existing GPL plugin and create a new version based on the existing code.

Whichever option you choose, you should be aware of the potential risks of continuing to use an outdated plugin, and take the necessary action to keep your site safe.


Facebook And Automattic Release Instant Articles Plugin For WordPress

In preparation for the imminent opening up of Instant Articles to all publishers, Facebook and Automattic have teamed up to develop an Instant Articles plugin for WordPress. Instant Articles is Facebook’s answer to slow websites — compatible web pages will load much more quickly within the Facebook app than on the web (assuming that the web experience is slow).

Although Instant Articles will be opened to all publishers in early April, it’s intended mainly for news publishers. Publishers who want to use Instant Articles will have to pass a review process to ensure content meets Facebook’s content policies and community guidelines. If your content isn’t to Facebook’s taste, you’ll have to find a different way to make your site faster on mobile.

We all know that the web has become too slow. Even the publishers who load their websites with advertising and tracking scripts, the weight of which outstrips content by orders of magnitude, understand that many modern websites don’t provide an optimal experience. In the modern content economy publishers don’t have much choice. Producing high-quality content is expensive, and it has become increasingly difficult for publishers to make money on the web.

Instant Articles is intended to give publishers another option: faster sites along with an advertising program (Facebook’s advertising program) that doesn’t lead to a poor user experience.

From a publisher’s perspective Instant Articles is a mixed bag. Facebook has over a billion users, but it isn’t the web. If publishers become too dependent on Facebook — or any platform — for revenue, it puts them in an invidious position and gives Facebook a lot of control. Of course, Instant Articles isn’t the only game in town. Google’s AMP project, which we wrote about earlier this year, is more open than Instant Articles — largely because the web is Google’s playing field. Apple News, which has not met with unalloyed praise, has similar aims. Web giants are trying to make the web — or at least the web as they want it to appear to their users — faster, because they rely on the web experience for content and for revenue. To avoid being trapped into one of these ecosystems (or excluded from them), are publishers going to have to support all of them?

The alternative, of course, is to make sure that news sites and blogs are fast enough that they don’t need the speed boost offered by Instant Articles, AMP, Apple News, and the like. With performance optimized WordPress hosting, a decent content distribution network, restraint about the volume of JavaScript embedded into pages, and a commitment to following performance-optimization best practices, it’s possible to build WordPress sites every bit as fast as anything Instant Articles or AMP can provide.


How To Fix A Hacked WordPress Site, Fortify Security, And Prevent Future Hacks

Your client has a hacked WordPress site. It’s finally happened. You’ve read about it happening to other businesses, but thought, “It won’t happen to my clients.” Their websites don’t get enough traffic; they are kept up-to-date enough, etc. Somehow, it still happened.

It’s OK! The first thing you need to do is not panic. Usually, a hacked WordPress site can be fixed in a few steps. First, however, you should understand the consequences of a hacked WordPress site.