
Author Archives: admin

What Is Cloaking And Why Is It Harmful To A WordPress Site’s SEO?

This August, the company behind the WordPress security plugin WordFence published a blog post revealing that the popular 404 to 301 plugin injected advertising into pages of the WordPress sites on which it was installed. The advertising was for low-grade and potentially scammy services like payday loan companies and escort agencies.

But if you — or the site’s owners — had visited one of the 70,000 sites using the 404 to 301 plugin, you would have seen no trace of the injected ads. That’s because the plugin’s code was sneakily designed to only show the ads when a search engine crawler loaded the page. This technique is called cloaking and it’s seriously discouraged by Google.

The facts of the 404 To 301 plugin case are interesting and have generated considerable controversy, especially with regard to the way WordFence publicized the behavior before giving the developer a chance to respond — something I find understandable given the scope of the problem and the apparently deliberately malicious ad injection.

However, I’m more interested in the general case: I have come across several WordPress site owners who don’t see the problem with cloaking.

Cloaking works by detecting the user agent of a visitor and programmatically showing or hiding content depending on whether the user is a web browser or a search engine crawler. The idea is to influence search engines — either through links or copy – to rank a page for queries for which it would otherwise not rank. It’s an attempt to trick search engines and spam their indexes.
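A site owner can look for this kind of injection by requesting the same URL with a browser user agent and with a crawler user agent, then comparing the links in the two responses. The script below is an added example, not code from the original post or from WordFence; the sample HTML is constructed, and the user-agent strings, URLs and function names are assumptions.

```python
"""Compare the links a page serves to a browser and to a crawler user agent."""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed user-agent strings; any current browser and crawler strings will do.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkCollector(HTMLParser):
    """Collects {absolute href: anchor text} for every <a href> in a document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = {}
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._href = urljoin(self.base_url, href)
                self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so the anchor text is easy to read in a report.
            self.links[self._href] = " ".join("".join(self._text).split())
            self._href = None


def extract_links(html, base_url):
    parser = LinkCollector(base_url)
    parser.feed(html)
    parser.close()
    return parser.links


def crawler_only_links(browser_html, crawler_html, base_url):
    """Return sorted (href, anchor_text, is_external) tuples for links that
    appear in the crawler response but not in the browser response."""
    site = urlparse(base_url).hostname
    seen_by_browser = extract_links(browser_html, base_url)
    seen_by_crawler = extract_links(crawler_html, base_url)
    return sorted(
        (href, text, urlparse(href).hostname != site)
        for href, text in seen_by_crawler.items()
        if href not in seen_by_browser
    )


def fetch(url, user_agent, timeout=10):
    """Fetch a page with the given User-Agent header."""
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        charset = response.headers.get_content_charset() or "utf-8"
        return response.read().decode(charset, errors="replace")


def check_url(url):
    """Live check of one URL. Code that keys on the crawler's IP address rather
    than its user agent will not show up here, so a clean result is not proof."""
    return crawler_only_links(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA), url)


# Constructed sample responses for the same (hypothetical) URL.
SAMPLE_URL = "https://blog.example.com/missing-page"
SAMPLE_BROWSER = """<html><body><h1>Page not found</h1>
<a href="/">Home</a> <a href="/contact/">Contact</a></body></html>"""
SAMPLE_CRAWLER = """<html><body><h1>Page not found</h1>
<a href="/">Home</a> <a href="/contact/">Contact</a>
<div><a href="https://loans.example.net/apply">fast payday
loans</a></div></body></html>"""

if __name__ == "__main__":
    for href, text, external in crawler_only_links(SAMPLE_BROWSER, SAMPLE_CRAWLER, SAMPLE_URL):
        print(("EXTERNAL " if external else "internal ") + href + "  [" + text + "]")
```

Run `check_url()` against a few of your own pages after installing or updating a plugin; any external link that only the crawler sees deserves a look at the plugin's code.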

Needless to say, search engines hate this. They want to accurately understand the contents of a page. Cloaking makes that impossible, which is why it’s against Google’s Webmaster Guidelines. If Google discovers a site engaged in cloaking, it will almost certainly be penalized.

Now, as with all of these SEO rules, site owners are free to ignore them and roll the dice on not getting caught. But if you care about Google traffic and your domain’s reputation over the long term, cloaking and related techniques are best avoided. That’s why site owners are so angry about the secretive cloaking by the 404 To 301 plugin.

What Doesn’t Count As Cloaking?

Many websites show different content to different users. They might change content based on location, audience segmentation for advertising, time of day, the user’s history and various other factors. Google does not consider this behavior cloaking. It’s important to understand that cloaking is a deliberate attempt to deceive search engines. Content personalization is not usually deceptive and almost every large site on the web does it to some degree. You shouldn’t worry that innocent personalization will have a negative impact on SEO.

Posted in:
Content, WordPress


Matt Mullenweg And The Future Of WordPress

Matt Mullenweg was the original developer of WordPress, and, although WordPress has grown way beyond anything a single developer can control, Mullenweg is a lead developer at the WordPress Foundation and CEO of Automattic, the company behind the Jetpack plugin collection and WordPress.com. His words carry a lot of weight in the WordPress community. It’s always worth paying attention to what he has to say about the future of WordPress and its community.

In June, Mullenweg made a speech at WordCamp Europe, in which he discussed where he sees WordPress going over the next few years.

JavaScript Is Here To Stay

With last year’s introduction of the REST API and the release of the Calypso application, along with Mullenweg’s advice that WordPress developers learn JavaScript deeply, it will come as no surprise to anyone that Mullenweg thinks that, in the future, JavaScript will be the language in which WordPress front-ends are written.

WordPress was first created in PHP over 13 years ago, and it has many of the hallmarks of an application from that era. That’s not necessarily a bad thing: WordPress popularity is a testament to its design and ease-of-use. However, with the introduction of server-side JavaScript and huge advances in the tooling, language, and frameworks around JavaScript, it has become the language of choice for both server and client-side applications among web developers.

It’s unlikely that WordPress itself will be rewritten in JavaScript any time soon, but JavaScript will be of increasing importance in the WordPress world.

WordPress vs. The Publishing Platform

I’ve often discussed publishing platforms like Medium on this blog. While they certainly make the process of getting content onto the web painless, they also remove much of a publisher’s control over their content, how it is managed and published, and – possibly most importantly – how it is monetized.

Mullenweg echoes many of the same sentiments. If a publisher is entirely reliant on Medium, then they’re at the mercy of Medium’s decisions about where the platform is going.

“They essentially have outsourced the entire future of their business in many ways to this platform which does not have a business model and is not certain how they’re going to monetize it, if they’re going to monetize it, and what effect that will have on both their readers and publishers.”

Self-hosted WordPress sites, on the other hand, leverage an open-source project and a massive ecosystem of plugins and themes to build a custom site entirely under the control of the site owner.

WordPress As An Operating System

Mullenweg is pitching WordPress as the operating system for the open web. He’s a big believer in the superiority of the open web, and he sees WordPress, especially with its new-found friendship with JavaScript, as the best platform for creating and maintaining an open web in which WordPress becomes the default back-end for the web itself.

“WordPress can be an operating system for the open web… As it grows, we shift the web to be more open, the APIs, everything.”

Under Mullenweg’s leadership, it looks like the WordPress project will continue with the innovative approach to content management that led to its current dominance.

Posted in:
WordPress


Is Your WordPress Site Ready For TLS 1.2?


The payment processing industry will stop accepting payments from sites that use versions of TLS older than 1.2.

WordPress is an excellent eCommerce solution for smaller online retailers and for selling digital products. eCommerce on WordPress usually requires the use of a payment processor. It’s almost never a good idea to take money directly — payment processors like PayPal and Stripe are experts at the complexities of handling money online, and they take care of making sure you’re able to offer credit card transactions that conform to PCI DSS regulations.

To use a payment processor, WordPress sites must offer encrypted connections to the browsers of their customers. To do that, retailers use SSL certificates so they can offer encryption and identity validation to eCommerce customers.

SSL (which should really be called TLS) relies on a complex architecture of certificate authorities and cryptographic technologies. At the heart of SSL is a protocol crucial to keeping connections secure. Over the years, that protocol has evolved. Each version is replaced by a better one, because weaknesses are discovered in the earlier versions. There’s at least a theoretical chance that an attacker could breach the security of early versions of the protocol, allowing them to trick eCommerce customers.

Because of that risk, PCI DSS has mandated that the older versions of the protocol be phased out. Originally, it mandated that versions older than TLS 1.2 should not be used after June of this year. Payment processors like PayPal, which require PCI DSS certification, will follow through on the PCI DSS regulations — stores using old versions of TLS will not be able to make credit card transactions.

That’s a problem for the WordPress store owners who are still using the older version. Before you panic, you’ve got a bit of wiggle room. The PCI DSS has extended the deadline to July 2017, but some payment processors will stop accepting payments over insecure connections earlier than that.

PayPal has extended its deadline in line with the PCI DSS deadline. Stripe, however, intends to stop processing payments made over “insecure” connections from July 1st 2016 for new users. Existing users get until the end of the year to make the necessary changes. Other payment processors have their own timelines, and sellers using WordPress should investigate for themselves.

If you are unsure whether your WordPress eCommerce store uses an older version of TLS, you can use the TLS 1.2 Compatibility Test plugin to find out. The plugin, developed by Jason Coleman of Paid Memberships Pro, will check that your WordPress site uses a recent version of OpenSSL (or another library that supports TLS 1.2), runs on a recent enough version of PHP, and has other requirements in place.

Posted in:
WordPress




Temporarily Blocking Access To A WordPress Site For Maintenance


At some point in the life of a WordPress site, its owner will want to make changes significant enough to justify blocking access to the site. It’s not a good idea to leave a site online when major changes are being implemented. A site with rough edges looks unprofessional and visitors won’t know that it’s because you’re renovating — they’ll think that’s just how your site looks. Also, when changes are being implemented, the site is in an unpredictable state — if you’re changing code while users are attempting to execute it, the results will not be pretty.

That said, taking a site offline should be the option of last resort. It inconveniences users and can result in lost revenue. In many cases, manually entering a maintenance mode isn’t necessary. Let’s look at the alternatives, and then discuss the best options for when taking a site offline is unavoidable.

WordPress’ Built-In Maintenance Mode

When you update a plugin or theme, WordPress enters a built-in maintenance mode. It will present a brief message to inform users that the site is unavailable. You don’t have to do anything; it’s automatic. Usually updates happen so quickly that your site will only be in maintenance mode for a few seconds. If you have a very busy site, that’s a significant amount of time, but, for the most part, it’s the best way to avoid showing users inconsistent state.

As an aside, if you do an update and something goes wrong, it’s possible that your site will get “stuck” in maintenance mode. To unstick it, delete the “.maintenance” file from the root directory of your site.

Use A Staging Site

A staging site is a copy of your WordPress site on which changes are made before they’re integrated with the live site. A staging site is usually a better option than putting a live site in maintenance mode, because you’ll be able to test any changes before showing them to users.

If you plan on a long process of renovation, using a staging site will allow you to play with new designs and functionality while the old site continues to serve users.

Both WP Stagecoach and VersionPress make creating staging sites straightforward.

Maintenance Mode Plugins

If you’re absolutely determined to put your site into a maintenance mode, there are plugins that will help you. WP Maintenance Mode and the pithily named Coming Soon Page & Maintenance Mode let you design an attractive maintenance mode page with a custom message. They’ll also take care of making sure WordPress sends the right response codes to web browsers and search crawlers, letting them know that the down-time is only temporary.

If you do need to take your site offline, it’s better to use a plugin than blocking access by some other method, because a completely unavailable site has negative consequences for SEO.

Posted in:
WordPress




September 2016’s Best Magento, WordPress, and ExpressionEngine Content


Fall has officially started, which means one thing. You should have already started preparing your eCommerce store for the 2016 holiday shopping season. For those who haven’t started, we got together with our friends at Groove to create The Ultimate Guide to Prepping Your Magento Store for Around-the-Clock Holiday Sales. When you’re done reading the roundup, make sure to go download your free copy. Without further ado, get into the best from September below, and if you’re looking for the same great articles the rest of the year, follow us on Twitter, Facebook, and Google+. Enjoy and let us know if we missed anything important in the comment section.

WordPress and Blogging

  • New Guide on How to Fix Hacked WordPress Sites – Our involvement in WordPress security has always been a core part of our mission here at Sucuri. We have teams who actively lend advice on WordPress support forums to hacked webmasters. We’ve taken a leadership role by creating sections of the official WordPress Codex relevant to security.
  • How to Get Your WordPress Site Indexed By Google Quickly – You’ve done it. After a lot of decisions, time and effort, you’ve managed to launch a new website, and you’re ready for the world to see it.
  • 7 Things You Need to Know for WordPress Development – WordPress never fails to surprise the web development community. Over time, it has evolved into one of the best Content Management Systems (CMS) out there. And currently, it powers more than 25% of the web. Besides its popularity, WordPress is also known for usability and an easy-to-develop environment.
  • A Brief Timeline of the History of Blogging – Greetings, readers. Welcome to the HubSpot Marketing Blog. We’re very happy to have you here. You might not realize it, but getting here was no easy task. Today, in 2016, I blog for a living, which is pretty great. But were it not for the long, twisty journey that got blogging to its current state, I might not be here. You might not be reading this.
  • 4 Most Common WordPress Attacks, and How to Defend – WordPress is the foundation of about a quarter of the sites on the web. As such, it’s a juicy target for hackers and other criminals. If they can find a vulnerability in WordPress, they have the key to millions of sites.

ExpressionEngine

  • 10 Things Every ExpressionEngine Developer Should Know – “Do they know what they are talking about?” It doesn’t matter if it’s a plumber, surgeon or web developer – if you’re looking to farm out some work the first thing you worry about is finding someone who knows how to do the job.
  • Extended End-of-Life for ExpressionEngine 2 – When we released ExpressionEngine 3, ExpressionEngine 2 was scheduled for end-of-life on October 13. In this past year, we continued to offer v2 as an alternative for all new purchases, in case you had a v2 project already planned.
  • Prelude to ExpressionEngine Conference – In this episode, TJ and John Henry introduce themselves, talk about what Content Managed will be about, then they look forward to the upcoming ExpressionEngine conference and talk about how important community is to developers.
  • ExpressionEngine 3.4.3 Released – ExpressionEngine 3.4.3 is available today. This is a patch release with over a dozen bug fixes, some optimization, and a couple of security-minded improvements. Take a look at the changelog for the full list and download 3.4.3 today!

Magento and eCommerce

  • A Technical Guide to the Magento 2 Checkout – The checkout in Magento 2 has undergone a number of improvements and changes to its visual appeal and general flow. What’s more, a total overhaul means it’s now driven with Javascript and KnockoutJS.
  • 10 Proven Ways to Increase ECommerce Conversions Using Magento & Beyond – Increasing conversions. It’s what every organization wants. There are literally dozens if not hundreds of ways to improve conversions and it can become overwhelming knowing where to start. So we wanted to offer a few ideas that we’ve tried with our clients that have seen success, many specifically with Magento, but will work with any ecommerce system.
  • More Than 50% of Shoppers Turn First to Amazon in Product Search – More than half of U.S. online consumers begin their product searches on Amazon.com Inc.’s website or mobile app, a survey found. That means that heading into the busy holiday season, the company is advancing its lead over major retailers like Wal-Mart Stores Inc. and search engines as the starting point for online shopping.
  • New E-Commerce Checkout Research – Why 68% of Users Abandon Their Cart – We have now tracked the global average cart abandonment rate for 7 years. Sadly, little has improved in those years, and the average cart abandonment rate currently sits at 68.8%.
  • Former Magento CTO and Co-Founder Yoav Kutner Talks About Magento Development – Yoav Kutner is who you will call a serial entrepreneur, a person that creates solutions in order to solve problems. His name is synonymous with Magento. Together with Roy Rubin, they created a revolution in ecommerce industry by creating Magento.
  • The Countdown To The eCommerce Holiday Season Starts Today – The holiday season is the busiest time of the year for eCommerce retailers. As we head into Fall, it’s time to start preparing your eCommerce business to make the most of the biggest shopping season of the year.

This month we’ll leave you with a video that reimagines what Excel can be.

Posted in:
Monthly Roundups




Is Your WordPress Site Ready For NanoWriMo?


Every November, aspiring novelists come together online to write 50,000 words of a novel. National Novel Writing Month — which attracts participants from around the world — helps writers put aside their trepidation and focus on getting the words out. 2016 will be NanoWriMo’s 17th year, and it’s expected to be just as popular as ever.

Writers are preparing for the month-long sprint, including a brave contingent who will publish as they write. NanoWriMo is all about overcoming procrastination and one of the best ways to do that is to write in public.

That might seem counter-intuitive, but making a public declaration of intent, and letting your readers see how well you’re keeping up is a powerful motivator. And, even if you don’t want to publish as you write, WordPress makes a great publishing platform after you’ve edited and tweaked your magnum opus.

WordPress offers a solid writing environment, but out-of-the-box it’s better suited to writing and publishing articles than novels. Let’s look at a few tweaks you can make to turn WordPress into the perfect NanoWriMo platform.

Chapter For Authors

Chapter for Authors is a new plugin with a number of excellent features for novelists. The headline feature is a new chapter custom post type. It’s possible to organize your chapters using WordPress’s built-in post types, but Chapter for Authors’ chapter posts are enhanced with per chapter character lists, introductory quotes, and other features.

One benefit of using this plugin is that you can publish non-book blog articles alongside your novel while keeping a clear separation.

WP Word Count

Words are the aim of the game in NanoWriMo, so you need to be able to keep track of how much you’ve written each day and in total. WP Word Count is the most flexible word count tool for WordPress. With a shortcode, writers can insert a word count into any piece of content on their site. The plugin also allows writers to keep track of the total words published, both across the whole site and for specific post types.

WP Markdown Editor

I’m a big fan of Markdown. After all, writing is about getting the words onto the page, not futzing with formatting. Markdown is a simple markup language that lets writers quickly indicate headings, quotes, links, and images without having to take their hands off the keyboard.

WP Markdown Editor is the most sophisticated Markdown integration for WordPress. It includes an excellent minimal fullscreen mode with a side-by-side editor and preview.

If you prefer to work in the default editor interface, Jetpack includes a Markdown module.

While we’re on the subject of Jetpack, the plugin’s built-in grammar and spell-checking are well worth taking a look at.

Writing Outside Of WordPress

Many writers prefer to use a dedicated text editor, publishing to WordPress after they’re comfortable with what they’ve written. There are any number of excellent text editors that integrate with WordPress so content can be quickly uploaded without any copy-pasting.

First off, I have to mention the official WordPress apps. The desktop app in particular deserves attention.

For Mac and iOS users, I recommend Ulysses which is a powerful Markdown(ish) text editor with excellent WordPress integration.

I’m less familiar with writing tools for Windows, but feel free to suggest your favorite WordPress-friendly Windows text editor in the comments.

Posted in:
WordPress




What WordPress Does (And Doesn’t Do) To Optimize Images


Images make up a large chunk of the bandwidth used by most websites. That makes them an obvious target for optimization. Any reduction in the size of images can have a positive impact on the performance of a website.

Over the last couple of releases, WordPress has introduced several new image optimizations that happen by default. I’ve found that some WordPress users don’t quite understand what is being optimized and what isn’t. An understanding of how WordPress optimizes images is important if site owners are to maximize the opportunity for performance gains, so let’s take a look at what WordPress does with the images you upload to your site.

Responsive Images

Responsive images were introduced in WordPress 4.4. They allow WordPress to serve images that are the right size for the screen on which they will be viewed. There’s no need to send an image 2000px across if it will be displayed on the screen of a 4-inch phone.

WordPress has always generated multiple copies of uploaded images in various sizes, but they were only used when the theme called for smaller images — thumbnails are the obvious example. WordPress now uses the images to provide a responsive experience for visitors.

The main limitation of WordPress’ responsive image implementation is that the image sizes generated by WordPress may not be ideal. WordPress’ developers added an extra size — medium — when they implemented responsive images, but the range of sizes may not be appropriate for every design. It’s up to theme developers to make sure that the right image sizes are being generated.

Image Compression And Optimization

WordPress has always carried out some optimizations on the images it generates, but there were changes in WordPress 4.5 that users should be aware of.

Increased Compression

By default, images are created with a quality of 82 rather than the previous 90. The numbers are given to the underlying image processing library and indicate how high the quality of the image should be, with 100 being the best.

The reduction in quality is largely theoretical. The images look almost identical to the untrained eye. However, images produced at the lower quality use much less storage space and bandwidth.

Metadata Stripping

Most images contain metadata that isn’t useful to a person looking at the image in a blog article or page. The metadata carries information about the image that is useful in various ways — copyright information, color information, data generated by the camera — but that doesn’t benefit the casual website visitor.

WordPress will now strip out much of that data by default.

What WordPress Doesn’t Do To Optimize Images

In addition to understanding what WordPress does to images, it’s useful to know what it doesn’t do.

Plenty Of Metadata Left

Some of the metadata in images is useful to some people — photographers, for example, aren’t happy if EXIF data is removed. In fact, WordPress doesn’t strip all the metadata from the images it creates. The following data is left alone: EXIF, XMP, and IPTC data, and ICC and ICM color profiles.

If you want to stop WordPress stripping any metadata, you can use the image_strip_meta hook, as explained here.

Your Original Image Is Not Altered

When you upload an image, WordPress creates several versions of that image with different sizes, depending on defaults and theme settings. The increased compression and metadata stripping happen when the new images are being generated. They’re not applied to the original image, which remains the same. If you want the original image, which may well be sent to users, to be optimized, you’ll have to do it yourself with a tool like ImageOptim or a WordPress plugin like EWWW Image Optimizer.
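Since the original upload is untouched and EXIF, XMP and IPTC data survive in the resized copies, it helps to see what a file actually carries before publishing it (camera EXIF can include GPS coordinates). The script below is an added example, not WordPress code: it walks the JPEG header segments, reports the metadata blocks it recognises, and can write a copy without them. The sample bytes are constructed and the function names are assumptions.

```python
"""List and optionally remove metadata segments from a JPEG file's header."""
import struct

# (marker byte, payload prefix, label) for the metadata blocks named above.
SIGNATURES = [
    (0xE1, b"Exif\x00\x00", "EXIF"),
    (0xE1, b"http://ns.adobe.com/xap/1.0/\x00", "XMP"),
    (0xE2, b"ICC_PROFILE\x00", "ICC profile"),
    (0xED, b"Photoshop 3.0\x00", "IPTC"),
    (0xFE, b"", "JPEG comment"),
]
# The ICC profile is kept by default: removing it changes how colors render.
DEFAULT_DROP = frozenset({"EXIF", "XMP", "IPTC", "JPEG comment"})


def parse(data):
    """Return (segments, scan_offset). Each segment is (marker, start, end),
    covering the marker, the 2-byte length and the payload."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                          # fill byte before a marker
            pos += 1
            continue
        if marker in (0xDA, 0xD9):                  # start of scan / end of image
            return segments, pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # markers with no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        segments.append((marker, pos, end))
        pos = end
    raise ValueError("no scan data found")


def classify(marker, payload):
    for sig_marker, prefix, label in SIGNATURES:
        if marker == sig_marker and payload.startswith(prefix):
            return label
    return None


def metadata_report(data):
    """Return [(label, payload_size_in_bytes)] for recognised metadata segments."""
    segments, _ = parse(data)
    report = []
    for marker, start, end in segments:
        label = classify(marker, data[start + 4:end])
        if label:
            report.append((label, end - start - 4))
    return report


def strip_metadata(data, drop=DEFAULT_DROP):
    """Return a copy of the JPEG without the segments whose label is in `drop`."""
    segments, scan_offset = parse(data)
    out = bytearray(data[:2])
    for marker, start, end in segments:
        if classify(marker, data[start + 4:end]) not in drop:
            out += data[start:end]
    return bytes(out + data[scan_offset:])          # image data copied unchanged


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a minimal JPEG header with EXIF, ICC and comment blocks.
SAMPLE_ORIGINAL = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00" + b"\x00\x00")
    + _segment(0xE2, b"ICC_PROFILE\x00\x01\x01" + b"\x00" * 16)
    + _segment(0xFE, b"constructed sample")
    + _segment(0xDB, b"\x00" * 65)
    + b"\xff\xda\x00\x02" + b"\x12\x34" + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", metadata_report(SAMPLE_ORIGINAL))
    print("after: ", metadata_report(strip_metadata(SAMPLE_ORIGINAL)))
```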

Over the last few years, WordPress has become much better at image optimization, and for the most part, users can just go with the defaults.

Posted in:
WordPress




Which Links Should You Nofollow On Your WordPress Site?


Google uses incoming links as a signal of the quality of a web page. Working under the assumption that links to a page are a vote in its favor, Google uses links to determine where pages should appear in the search engine results. Links are only one of the signals Google uses for ranking, but they’re an important one.

The ideal link for determining the quality of a web page is one freely given by the writer or publisher because they found something useful in the content they are linking to.

In reality, many of the links on the web are not of that sort. People link to sites for many different reasons — because they want to promote a business, because they’ve been paid, or because the link appears in an advert.

Google doesn’t want to consider that type of link when it’s deciding where a site should appear in the search engine results, so it asks site owners to “nofollow” them. Nofollowed links include a property in the HTML link that tells Google’s crawlers not to follow the links to their target.

Nofollowed links look like this:

<a href="https://example.com/" rel="nofollow">Don't follow me!</a>

Google asks site owners to nofollow various categories of links.

  • All links that were paid for. It doesn’t have to be a direct handover of cash. If the linker gains some concrete advantage — especially financial — the link should be nofollowed.
  • Links in press releases. Press releases are promotional content; they’re often distributed specifically to generate links in the publications that syndicate them.
  • Advertorials and native advertising. This one should be fairly straightforward: both are promotional content published only because they’ve been paid for.
  • Affiliate links. Again, affiliate links stand to financially benefit the linker, which means they’re unlikely to be a freely given sign of approval of the linked-to page.

You don’t have to mark links nofollow. Google doesn’t own the web and individual site owners can do as they please. However, Google does own the biggest search engine in the world, and it can rank pages according to its own standards. If you sell links, Google is likely to express its displeasure by imposing a penalty that will restrict your site’s potential to rank well.

Nofollowing In WordPress

There are any number of WordPress plugins to help you nofollow links that fall into the categories that we’ve discussed above. I find Ultimate Nofollow to be among the best.

Are Nofollowed Links Worthless?

Nofollowed links to your site will not positively influence its search ranking, but that’s not the only benefit links have. A link on a prominent site will drive plenty of traffic, even if it’s nofollowed. And it’s more than likely that some of that traffic will create genuine editorial links if the content justifies it.

Posted in:
WordPress




What Happens When A WordPress Site Outgrows Its Hosting Environment?


Successful WordPress sites follow a fairly predictable path. They begin with an idea, which — because no one has a clue it will be successful — is built on a small shared hosting plan. Shared hosting plans are perfect for moderately trafficked sites, but as the sites grow, they need something more.

A WordPress site is a combination of many different pieces of software and hardware. It includes the WordPress application itself, the PHP interpreter that runs the WordPress code, a database to store the site’s content and other data, a web server to serve the pages WordPress generates, an operating system that manages the filesystem, network interface, and dozens of other components — and that’s the simplified list. Each of those components consumes some of the server’s resources. As a site grows and gains more traffic, the resources it uses will eventually grow beyond that which an individual hosting account can cope with. At that point, it’s time to think about scaling.

Let’s start with the simplest WordPress scaling scenario, and then progress to more advanced configurations.

Shared WordPress Hosting

Shared WordPress hosting is perfectly capable of supporting moderate traffic sites, but if your WordPress site grows beyond a certain level, you are likely to experience performance degradations as the server attempts to keep up with the load.

If your hosting account is only just consuming its available resources, it may be possible to squeeze a bit of extra performance out of it with aggressive caching and a CDN, but the best option is to plan for the future and scale up to a larger shared hosting plan.

Once your site has grown to the point at which no shared hosting plan can support it, it’s time to think about moving away from shared hosting altogether.

Dedicated WordPress Hosting

With a shared hosting plan, your site shares a physical server and its resources with other sites. With a dedicated WordPress server, your site has access to all the resources of the physical machine. It doesn’t compete with other sites. Dedicated servers are available in a huge range of specifications that range from less powerful than your laptop to enormously powerful servers with many processor cores and dozens of gigabytes of memory.

But what if that isn’t enough to support your site’s traffic?

Here we’ll take a digression to discuss two fundamental types of scaling: horizontal scaling and vertical scaling. With vertical scaling, a server’s resources are scaled up — in essence, you keep moving to a more powerful server when the site outgrows its current home. Obviously, there’s a limit to how far one can go with vertical scaling. A server can only get so powerful, and the more powerful they get, the more expensive they are.

Which brings us to horizontal scaling. Horizontal scaling adds more resources by increasing the number of servers. A group of dedicated servers is called a cluster.

WordPress Clusters

Earlier I said that a WordPress site is built from many different components. When scaling to a cluster, instead of all those components occupying a single physical machine, they are spread across several. The web server might live on one machine, the database on another (or several others), the fileserver on yet another, and so on. The nice thing about WordPress server clusters is that they can, in theory, be scaled indefinitely. There is no absolute limit on how large a cluster can grow (although there are practical limitations).

Clusters have another benefit: they’re great for redundancy and load balancing. If your site grew to epic proportions, it might need ten web servers, in front of which would be placed a load balancer that decides which web server to send each request to. If one of the web servers fails, the load balancer can just send requests to the other web servers until it’s fixed. Clusters are scalable, resilient, and capable of growing to meet the needs of even the largest WordPress websites.

Posted in:
WordPress




WordPress Security: What Is A Patch?


WordPress is a complex piece of software comprising many thousands of lines of code — a mixture of PHP, HTML, CSS, and JavaScript. It’s under constant development, which means that all those files are subject to change. Often, those changes will address security issues; that is, they are edits to code that caused a vulnerability.
These changes are often referred to as security patches or simply patches. Have you ever wondered exactly what a patch is and how it got its name? You might think it’s an analogy to patching your clothes when they get a hole in them, but that’s not quite right.

Imagine you have a chunk of code — let’s take a snippet of text from a randomly chosen WordPress PHP file as an example.

[Image: WordPress Security Patch]

You want to change the function name and various other parts of the file and then have it included in the source code that lives in the main WordPress source repository. You could just make your changes and send the whole file to the repository, but that’s not typically how it’s done. We’re really only interested in what’s changed between the file currently in the repository and the new file.

[Image: Security Patch]

Often, the process of applying changes is handled by a version control system like Git, which takes care of the sticky details for us, but in the old days, we’d probably have used a program called “diff”. Diff will take a pair of files and spit out another file that contains the differences between the two files. Diff outputs the following for our two files.

[Image: Wordpress Patch]

The output of diff (or whichever tool is used) is sometimes called a diff, but it’s often just called a patch. As you can see, only the changes are included; all the lines that didn’t change aren’t relevant.

If our developer wanted to send the changes he made to his friend, he would only send the patch. The second developer would take a look at the patch, and if she decided that she wanted the changes in her own source code, she’d use a tool called — can you guess? — “patch” to apply the differences to her own file.
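The diff-then-patch round trip described above, as an added example that is not part of the original post: Python's difflib stands in for the diff program, and a small applier stands in for patch, including its refusal to apply a hunk when the target file no longer matches. The PHP snippet is constructed (it is not real WordPress code), and the file name and function names are assumptions.

```python
"""Create a unified diff between two versions of a file and apply it."""
import difflib
import re

# Constructed PHP snippet: the old version prints a value without escaping it.
OLD = """\
<?php
function show_greeting( $name ) {
    $name = trim( $name );
    echo '<p>Hello, ' . $name . '</p>';
}
""".splitlines(keepends=True)

# The fixed version escapes the value before printing it.
NEW = """\
<?php
function show_greeting( $name ) {
    $name = trim( $name );
    echo '<p>Hello, ' . esc_html( $name ) . '</p>';
}
""".splitlines(keepends=True)

HUNK_HEADER = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def make_patch(old_lines, new_lines, name="greeting.php"):
    """Return the unified diff between two versions as a list of lines."""
    return list(difflib.unified_diff(old_lines, new_lines,
                                     fromfile="a/" + name, tofile="b/" + name))


def apply_patch(target_lines, patch_lines):
    """Apply a single-file unified diff to target_lines and return the result.
    Raises ValueError when a context or removed line does not match the target,
    which is what happens when the target was changed since the patch was made."""
    out, src, i = [], 0, 0
    while i < len(patch_lines):
        header = HUNK_HEADER.match(patch_lines[i])
        i += 1
        if not header:
            continue                        # "---" / "+++" file header lines
        old_left = int(header.group(2)) if header.group(2) is not None else 1
        new_left = int(header.group(4)) if header.group(4) is not None else 1
        # A zero-length old range names the line *before* the insertion point.
        start = int(header.group(1)) - 1 if old_left else int(header.group(1))
        out.extend(target_lines[src:start])  # copy untouched lines before the hunk
        src = start
        while old_left or new_left:
            if i >= len(patch_lines):
                raise ValueError("patch is truncated")
            tag, text = patch_lines[i][0], patch_lines[i][1:]
            i += 1
            if tag == "\\":                 # "\ No newline at end of file"
                continue
            if tag in (" ", "-"):
                if src >= len(target_lines) or target_lines[src] != text:
                    raise ValueError("hunk does not match target at line %d" % (src + 1))
                src += 1
                old_left -= 1
                if tag == " ":
                    out.append(text)
                    new_left -= 1
            elif tag == "+":
                out.append(text)
                new_left -= 1
            else:
                raise ValueError("unexpected line in hunk: %r" % patch_lines[i - 1])
    out.extend(target_lines[src:])
    return out


if __name__ == "__main__":
    patch = make_patch(OLD, NEW)
    print("".join(patch))
    print("patched copy matches the new file:", apply_patch(OLD, patch) == NEW)
```

A site whose copy of the file was edited locally fails the match and stays unpatched until someone reconciles the two versions by hand.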

All of which is interesting, but it doesn’t explain why patches are called patches. To understand that, we have to look back to the early days of computing. Back then, instructions to computers were stored on cards with holes in them that the computer was able to read. You’d “program” a computer by feeding it a stack of punch cards. If you wanted to change the instructions on the card, instead of making a new punch card, you could just stick a small piece of cardboard with different holes in it onto the larger punch card — you would literally patch the punch card.

WordPress updates typically don’t contain patches as we’ve discussed — they contain replacement files. But those replacement files were made by patching the files in the WordPress version control repository. If you don’t update a WordPress site regularly, its source code doesn’t get the changes that were in the patches. If those patches fixed a security vulnerability, your site will remain vulnerable to exploitation because the source code hasn’t been fixed.

Posted in:
WordPress


