Category Archives:
Content Archives

It’s not essential for every blog post to have a featured image, but a relevant, eye-catching, and compelling image enriches the reader’s experience and helps to make a post more noticeable — and clickable — on social media.

I like to add an image to every blog post I publish. Sometimes they’re directly related to the content, sometimes the only relationship is a vague association between the subject of the post and the picture, and sometimes I include an image just because I think it looks cool.

I write a lot of blog posts, which means searching through hundreds of images on both free and paid stock image sites, and, if the post is for my personal blog, searching through my own image catalogue.

For the most part I use free image sites: those that make images available under a Creative Commons license or in the public domain. The quality of public domain and CC images has improved enormously over the last few years, largely thanks to sites like Unsplash, which list the work of professional photographers.

But it’s not enough to rely solely on Unsplash and its peers. Everyone knows about these sites, which means the same images appear on dozens of posts. If you want originality, it’s a good idea to create your own images or throw the net a little wider.

For a long time, my WordPress image workflow wasn’t well organized. I’d finish a post, open up five or six image hosting sites in tabs, and spend the next twenty minutes running searches and perusing the results until I found the perfect image.

Today, I use three WordPress plugins that let me integrate WordPress with my most frequently used image sources.

Lightroom To WordPress

I use Adobe’s Lightroom to organize my personal image collection, and until recently there was no easy way to integrate my Lightroom collection and the WordPress Media Library.

I was very happy when Automattic released Lightroom To Adobe, a WordPress plugin that allows Lightroom users to choose and import images from within the WordPress dashboard.

If you want to use this plugin, you’ll need a WordPress.com account and have the Jetpack plugin installed.

Instant Images

I’ve already talked about how much I enjoy using Unsplash, and although I’m an admirer of the Unsplash interface, I prefer to be able to search for images from within WordPress.

Instant Images is a straightforward WordPress / Unsplash integration, allowing users to search the Unsplash catalogue and upload images to their Media Library.

This plugin is also great for WordPress developers who need filler or demo images.

Image Inject

When Unsplash doesn’t deliver or I want some variety, I use the Image Inject plugin, which performs a similar function to Instant Images, but includes both Flickr Creative Commons and images from Pixabay.

Neither source offers the same guaranteed high-quality images as Unsplash, but there are plenty of diamonds in the rough. Before Unsplash, Flickr CC search was my go-to source for blog images.

With these plugins, my image-searching workflow is more efficient, and I spend less time trawling through image hosting websites and more time writing.

Posted in:
Content, WordPress

When we think about WordPress, it usually brings to mind business sites, portfolios, and blogs, but as a fully fledged content management system, WordPress is flexible enough to be put to all sorts of different uses, including as a powerful educational tool.

With the proliferation of mobile devices and tablets, not to mention the explosion in online learning among people of all ages, teachers should seriously consider integrating a website into their educational workflows, both as a central location for course materials and as an educational tool that can be used by students to publish and collaborate. Educators who don’t embrace the preferred communication platforms of their students limit their potential and that of their students.

WordPress is the perfect foundation for building an education site, and developers in the WordPress community have created a number of plugins that make it straightforward to deploy education-focused features. I’d like to highlight five of them today.

Sensei

Sensei, from WooCommerce, provides a complete coursework solution that allows for the creation and publishing of courses, lessons, and quizzes. It integrates well with WooCommerce, so education entrepreneurs can charge for access to their content.

Other features include quick user registration, testing, quiz grading, and course analytics.

teachPress

This is also a course management system, but more suited to higher education and specifically designed to meet the needs of research groups, but it has useful features for any higher-level academic teaching. TeachPress is focused on academic publishing and provides comprehensive BibTeX integration for citation importing and exporting, as well as an integrated course enrollment system, and a variety of shortcodes for displaying publication lists, publication searches, and course overviews.

mTouch Quiz

There are any number of quiz plugins for WordPress, but I’m highlighting this one because it’s designed with touch interfaces in mind, so students can take multi choice quizzes from their tablets and phones.

Batch Create

This is a premium plugin from WPMUDev, so it isn’t free, but it can save a huge amount of time for educators who need to create lots of blogs or sites for their students to publish on. Doing it manually would be very time consuming, but with Batch Create, educators using WordPress Multisite can upload a CSV or XLS file exported from their enrollment records and the plugin will add users or create new sites.

I’ve only got space here to share a few educational plugins, but there are many more that I could have included. Instead, I’d like to open the floor to the educators out there: what are your favorite WordPress plugins and how have they contributed to your teaching?

About Graeme Caldwell – Graeme works as an inbound marketer for Hostdedi, a leading provider of Magento and WordPress hosting. Follow Hostdedi on Twitter at @nexcess, Like them on Facebook and check out their tech/hosting blog, http://blog.nexcess.net/.

Posted in:
Content, WordPress

Following several months of development, WordPress’s forthcoming new editor — named Gutenberg for the inventor of the printing press — is available as a plugin.

The plugin is still being developed and is nowhere near finished. WordPress hosting clients should not install Gutenberg on their production sites, because it’s likely to break things. That said, Gutenberg is well-worth taking a look at if you’re interested in the future of WordPress. Anyone who spends a lot of time in the WordPress editor is going to experience substantial changes to their writing workflows when Gutenberg is rolled into WordPress Core.

If you do take Gutenberg out for a spin, its development team are eager to hear about any bugs you find. You can report bugs on the project’s GitHub page.

Gutenberg has come a long way since we last wrote about it in February, and it’s worth spending some time thinking about the motivation behind the new editing experience and the problems Gutenberg is intended to solve.

As a writer, the writing and editing experience is important to me. If I wanted to, I could write everything in HTML, but burying the content in a forest of formatting and structuring markup isn’t ideal. The current WordPress editor offers an abstraction on top of the HTML approach, allowing writers to interact more naturally with their text while also providing much needed functionality like embeds, dividers, and other features that writing on the web makes necessary.

But, although WordPress offers a good enough editing interface, today, there’s room for improvement. Most of the features WordPress makes available to writers aren’t easy to find — they’re not discoverable in designer parlance. Using them takes writers out of the flow of their work to research shortcodes or futz around with formatting.

Gutenberg is intended to make it easy to both write and format a page in complex ways without having to reach for fragile shortcodes. With a few clicks and a bit of typing, it’s possible to create web pages that look like this.

The major change is from linear editing to a block-based experience. The page is divided into blocks, and each block has its own formatting options, controls, and positions on the screen. Making changes to a block is as simple as clicking in the block and editing it. Naturally, plugins will be able to add more blocks in the future.

One of the basic principles of web design insists that content should be kept separate from presentation, because it’s better to be able to control each independently. As a writer, I often choose to write in Markdown because I want to spend the least possible time messing around with formatting, leaving me free to focus on the message I want to communicate to readers.

Gutenberg mixes presentation and content, but it does so in a way that doesn’t impose much of a cognitive burden on writers. It also makes the WordPress editing experience intuitive to people who have grown up with WYSIWYG environments. We’re probably a few months away from Gutenberg being integrated into WordPress Core, but I for one am looking forward to being able to build beautiful layouts without shortcodes in an elegant modern editing environment.

Posted in:
Content, WordPress

WordPress sites constantly evolve as new content is published, new pages are created, and plugins and themes are installed or removed. Most of the time, those changes are for the good and don’t cause any problems for the health of the site.

But WordPress is a complicated piece of software, and, as with any complex system, it’s hard to predict how the parts interact. Any modification can cause a regression, a change for the worse. That’s why I like to run through regular health checks on any WordPress site I’m managing.

If something is wrong, I want to know about it sooner rather than later, so it’s not enough to deploy a site that works wonderfully and leave it at that. Every month or so, I run a series of tests to reassure myself that all is as it should be.

Performance

Site performance can be affected by any number of factors. Perhaps a new plugin interacts badly with existing functionality, introducing latencies to page load times. Maybe a CDN the site relies on to load JavaScript libraries isn’t as quick as it once was.

I use Pingdom Tools to perform a comprehensive scan of the site’s performance from various locations around the world. Pingdom provides the information I need to identify performance regressions and their likely cause.

Security

Last year, a security researcher published a list of eCommerce stores infected with credit card swiper malware capable of capturing card numbers and sending them to criminals.

Many of the stores had been infected for months.

It’s impossible to be completely certain that your WordPress site hasn’t been infected with malware or otherwise compromised. Prevention is better than cure, but if preventative measures have failed, I want to know about it as soon as possible.

There are several WordPress malware scanners available, but Sucuri’s free SiteCheck does the job quickly and well.

Links

Links have a tendency to break and 404 errors are a common occurrence on sites that change frequently. They’re bad for both user experience and search engine optimization. I use the excellent Broken Link Checker plugin to scan for broken links so I can repair or redirect them.

Backups

I’m going to assume everyone reading this article makes regular backups of their WordPress site and keeps those backups for an appropriate amount of time.

But going through the motions of keeping a backup isn’t enough. Site owners should also verify that backups are actually being made and that they’re viable. There’s nothing quite so frustrating as trying to restore a site from an earlier backup only to find it empty, corrupt, or otherwise useless.

To check backups, I do a full restore of a recent backup on a brand new WordPress installation. It’s possible to do this manually or with your existing backup plugin. It’s not really important how you check backups, but not checking them can lead to nasty surprises.

Altogether, running through these steps takes no more than half an hour, and I find the peace of mind well worth the time invested.

Posted in:
Content, WordPress

Setting up local WordPress development environments is an everyday task for WordPress professionals. Local development environments, which include WordPress and the full stack of software it needs to run, let WordPress pros work on sites without having to deal with the latencies and complications of working on remote staging or development installations.

Local development environments are great for developers, who will typically create environments for each of the projects they’re working on, but site owners with only one or two sites also benefit: local dev environments are useful for testing plugins, themes, beta versions, and site modifications without making potentially breaking changes to a production site.

As you might imagine, setting up a WordPress development environment on your Mac or Windows machine isn’t straightforward, a problem that tools like VVV — which we’ve written about before — are intended to solve. Chassis is a graphical tool that does much the same job as VVV, but with an intuitive user interface that’s more friendly to developers and site owners who aren’t comfortable with the command-line.

Chassis is a cross-platform application that hides much of the complexity involved in creating development environments. When you first launch Chassis, it will take care of installing the components it needs to build virtual machines to install WordPress on. Under-the-hood, Chassis uses VirtualBox, a popular free virtual server management application, and Vagrant, a tool used by developers to create configurable dev environments.

Once the basics have been installed, Chassis pulls down an Ubuntu disk image and builds a virtual machine, onto which the full software stack and configuration required by a WordPress site will be installed. Users can either create a virtual machine and WordPress installation from scratch, or use an existing virtual machine. Because the end result is just a WordPress site running on a server, site owners can replicate their production site in the same way they any other staging site.

The end result is a fully configured WordPress site running locally on your machine that you can interact with in your browser, just as you would with a remote WordPress site.

One of the nicest features of Chassis is its extension system. Extensions, which are installed from GitHub, let Chassis users add software to the virtual machine running their local WordPress site. Available extensions include Memcache, Redis, PHPMyAdmin, and Composer.

The extension system exemplifies one of the reasons you might want to try out Chassis even if you already use a tool like VVV for creating development environments. Chassis creates minimal dev environments containing only the software you need to get a WordPress site up and running, in contrast to the “everything you might possibly want” approach of related tools.

It should be noted that Chassis is still in beta, and the process of building virtual machines and installing WordPress isn’t as smooth as I would like, but once the wrinkles are ironed out, Chassis will be an excellent addition to the toolkit of WordPress site owners and developers who prefer to avoid the command line.

Posted in:
Content, WordPress

The WordPress development team has announced that WordPress 4.8 will be released on June 8th.

WordPress 4.8 will include editing enhancements with a focus on laying the groundwork for an improved text editing experience, but it won’t include the full version of Gutenberg, WordPress’s experimental editor, which is still being developed.

The release is on a much tighter schedule than previous releases, which typically have more than a month of lead-time. In fact, it’s somewhat surprising that there is a release at all, given the new project-based focus of WordPress development. It appears that some features are ready to go, and Matt Mullenweg – the release leader – wants to push out improvements that are already available without waiting for the larger project-based updates to be complete. Development on the larger block-based editor enhancements is likely to become the major focus after the release of WordPress 4.8.

Enhancements coming in WordPress 4.8 include better link handling, WYSIWYG features in text widgets, and new media widgets. The new media widgets were mooted for release some time ago. They’re intended to simplify the current multi-step process for adding media to pages and posts. The widgets are integrated with the Media Library, making it easier to drop images onto pages without having to go through the main Media Library interface.

The new image widgets are the first of a series of JavaScript-based widgets that are planned for release, including widgets for video, audio, slideshows, and galleries. All of these are part of the drive to improve the WordPress editing interface and bring it in line with modern user experience and interface design practices.

The Core Media Widgets are being developed as a plugin, so WordPress users can get a sneak peak of what’s in store.

All of the improvements are described as “low-hanging fruit” – features that are relatively easy to develop but will have a significant impact on the experience of WordPress users.

As I mentioned, the release schedule for WordPress 4.8 is substantially shorter than for typical releases. The first Beta will be available on May 12, followed by a second Beta on May 19, a release candidate on June 1, and the final release on June 8.

That gives WordPress site owners and plugin and theme developers about a month to test for compatibility issues. When Betas are released, the easiest way to test the new features is to use the WordPress Beta Tester plugin, which allows WordPress site owners to update to pre-release versions of WordPress. As always, it should be kept in mind that beta releases and release candidates are under active development and may contain bugs. It would be very unwise to upgrade your production site before the final release.

Posted in:
Content, WordPress

Matt Mullenweg has announced that from WordPress 4.8, which is expected to be released later this year, WordPress will no longer support Internet Explorer versions older than IE 11. Microsoft only supports IE 11, but WordPress supports IE 8, 9, and 10 because a small proportion of its users remain on older versions. In March 2015, Microsoft announced that the modern Edge browser would replace Internet Explorer on newer versions of its operating systems.

For a project with as many users as WordPress, backward compatibility with older software is both necessary and problematic. Even though only a small proportion of WordPress users manage their websites on older browsers, that proportion may translate to millions of individual users. Corporate policy and government policy or a lack of access to up-to-date hardware and operating systems means people may not be able to use the newest versions of software even if they want to.

But supporting older browsers has a cost for developers and users alike. If features must be compatible with older browsers, developers are obliged to avoid modern tools, libraries, and language capabilities, which limits new features and constrains the experience developers can build.

It’s unsurprising that the ending of support for older versions of IE was met with universal praise in the WordPress developer community. If developers have to support older versions of IE, they can’t take advantage of the newer features available in more modern browsers.

“Depending on how you count it, those browsers combined are either around 3% or under 1% of total users, but either way they’ve fallen below the threshold where it’s helpful for WordPress to continue testing and developing against. (The numbers surprised me, as did how low IE market share overall has gone.)”

This issue came to a head with the planned changes to the WordPress Editor. To build the editing experience Mullenweg and the WordPress developers want, they need to be able to use modern web technologies that aren’t available on older browsers.

Internet Explorer 8 was introduced in 2009, followed by IE 9 in 2011, and IE 10 in 2012. Five years is a long time on the web, and the state of the art in web technology has advanced enormously in that time. Older versions of IE aren’t capable of offering the experience modern web applications aspire to. By dropping support for older versions, WordPress’ developers are free to make use of recent innovations without having to test every change for compatibility with legacy software.

It’s worth emphasizing that WordPress won’t stop working on older versions of IE: functionality that works now should continue to work, but new features will not. And over time, the experience offered by unsupported browsers will stagnate.

Posted in:
Content, WordPress

WP-Base-SEO is a fake WordPress plugin that security researchers have found installed on over 4000 WordPress sites. WP-Base-SEO is a copy of a legitimate WordPress SEO plugin with added malicious code so the attacker can control infected sites.

When a hacker compromises a WordPress site, standard operating procedure is to inject malicious PHP or JavaScript code. The attackers’ code lets them access the site in the future and hijack its resources and traffic. But foreign code is easy to spot if you know what you’re looking for. A security researcher or automated malware scanner will find obviously out-of-place code quickly.

To avoid being discovered, the creators of WP-Base-SEO are using it as a Trojan horse. For the most part, it looks like a legitimate WordPress plugin. The difference lies in a few tweaks that allow the hackers to execute arbitrary code at will.

To see if your WordPress site has been infected with this malware, look in its /wp-content/plugins folder for directories containing “wp-base-seo”.

It appears the plugin is not being installed by WordPress users. Botnets trawl the internet for vulnerable WordPress sites, hack them, and inject malware. In this case the malware is hidden in a WordPress plugin. This technique depends on the availability of insecure sites: those where WordPress, plugins, and themes haven’t been updated to a recent version.

Many of the sites infected with WP-Base-SEO also have older versions of the RevSlider plugin installed. Older versions of RevSlider contain a critical and easily exploited vulnerability. It’s believed that the RevSlider vulnerability was the vector for the Panama Papers leaks. The attackers are exploiting the RevSlider vulnerability, installing their malware plugin, and using it to control WordPress sites.

The best way to secure your WordPress site is to ensure it’s always kept up-to-date. WordPress Core, plugins, and themes should be updated to the most recent version. There’s a wrinkle where RevSlider is concerned because it’s often bundled with themes and only updated when the theme’s developer chooses to do so. If you have any doubt, contact your theme’s developer.

In this case, the malicious plugin is installed by the attackers to hide their presence, but it’s not unusual for criminals to manipulate WordPress users into installing malware-infested plugins. That’s why it’s important to only install plugins from trusted and reputable sources. If you have any doubts about whether a plugin or theme comes from a trustworthy source, do not install it.

Pirated premium plugins are a particular favorite of criminals. They take the code from a genuine premium plugin, add malware to it, and make it available for free. As a general rule, avoid downloading plugins from anywhere other than the official WordPress Repository, well-regarded theme and plugin marketplaces, or a reputable WordPress developer’s website.

Posted in:
Content, WordPress

A huge botnet of home routers has targeted WordPress sites with brute-force attacks over the last few weeks. Brute-force attacks are a risk for WordPress websites with insecure passwords, and they can cause problems even if a site has secure passwords by consuming a significant proportion of its resources.

A botnet is a collection of compromised internet-connected machines under the control of a malicious actor. Botnets are nothing new, but until recently, creating a large botnet was a difficult technical challenge. They were usually made up of hacked Windows PCs. Attackers compromise PCs and install malware, which is used to control the machine. Botnets are used for a wide variety of online crimes, including brute force attacks, distributed denial of service attacks, and spamming.

But in recent years, it’s become more common to see Internet of Things devices used in botnets. In this case, home routers shipped with vulnerable software accessible to the internet. You can see the full technical details in this WordFence post, but, in a nutshell, the routers expose a web server so that ISPs can send instructions to the device. Unfortunately, the web server is easily hacked, allowing criminals to install malicious software.

Tens of thousands of these routers have been used to target WordPress sites with brute-force attacks. Brute force attacks aren’t particularly sophisticated; they simply attempt to login to WordPress sites with guessed username and password combinations. Criminals know which passwords people are most likely to use, which increases their chances of finding the right combination.

Once the attackers figure out a valid username and password combination, they are able to take over the site and install software, deface pages, redirect users to malware sites, send spam, and so on.

If a WordPress site uses strong passwords on all accounts, the chance that a brute-force attack finds the right combination of credentials is minute. Brute-force attacks have an extremely low chance of success against properly secured WordPress sites. However, it’s impossible to guarantee that every user with an account understands how to create and use a decent password, so the best way to combat brute-force attacks is two-factor authentication.

Two-factor authentication combines the traditional username and password with a second factor: usually a one-time code delivered to a mobile device. Without the one-time passwords — which can only be used for a short period of time — the attacker will not be able to authenticate even if they manage to guess the username and password. Two-factor authentication effectively mitigates brute-force attacks.

There are several excellent two-factor authentication plugins for WordPress, including Duo Two-Factor Authentication and Google Authenticator – Two Factor Authentication.

But there remains the problem of resource use. Every time a WordPress site rejects a login attempt, resources are consumed. If a botnet decides to make thousands of login attempts in a short period of time, a substantial proportion of the site’s available resources can be wasted.

To avoid that happening, WordPress users can install a rate limiting plugin like WP Limit Login Attempts, which limits the number of failed login attempts that can be made from an IP address. Rate limiting isn’t a surefire way to beat botnet brute-force attacks, botnets have IPs by the thousand, but it can reduce the resources consumed by malicious login attempts.

Posted in:
Content, WordPress